Extend digest_auth_fail_response for algorithm specification

- Add algorithm parameter to digest_auth_fail_response constructor
  (defaults to MD5 for backward compatibility)
- Use MHD_queue_auth_fail_response2() to specify the algorithm in
  the WWW-Authenticate challenge header
- Add separate MD5 and SHA256 test resources for deterministic testing
- Add SHA256 digest auth tests alongside existing MD5 tests

This enables server-driven algorithm selection, where the server
requests a specific digest algorithm in the challenge and curl
responds using that algorithm.

Author: etr

src/digest_auth_fail_response.cpp

@@ -30,7 +30,13 @@ struct MHD_Response;
 namespace httpserver {
 
 int digest_auth_fail_response::enqueue_response(MHD_Connection* connection, MHD_Response* response) {
-    return MHD_queue_auth_fail_response(connection, realm.c_str(), opaque.c_str(), response, reload_nonce ? MHD_YES : MHD_NO);
+    return MHD_queue_auth_fail_response2(
+        connection,
+        realm.c_str(),
+        opaque.c_str(),
+        response,
+        reload_nonce ? MHD_YES : MHD_NO,
+        static_cast<MHD_DigestAuthAlgorithm>(algorithm));
 }
 
 }  // namespace httpserver

src/httpserver/digest_auth_fail_response.hpp

@@ -45,11 +45,14 @@ class digest_auth_fail_response : public string_response {
              const std::string& opaque = "",
              bool reload_nonce = false,
              int response_code = http::http_utils::http_ok,
-             const std::string& content_type = http::http_utils::text_plain):
+             const std::string& content_type = http::http_utils::text_plain,
+             http::http_utils::digest_algorithm algorithm =
+                 http::http_utils::digest_algorithm::MD5):
          string_response(content, response_code, content_type),
          realm(realm),
          opaque(opaque),
-         reload_nonce(reload_nonce) { }
+         reload_nonce(reload_nonce),
+         algorithm(algorithm) { }
 
      digest_auth_fail_response(const digest_auth_fail_response& other) = default;
      digest_auth_fail_response(digest_auth_fail_response&& other) noexcept = default;
@@ -64,6 +67,8 @@ class digest_auth_fail_response : public string_response {
      std::string realm = "";
      std::string opaque = "";
      bool reload_nonce = false;
+     http::http_utils::digest_algorithm algorithm =
+         http::http_utils::digest_algorithm::MD5;
 };
 
 }  // namespace httpserver

test/integ/authentication.cpp

@@ -175,23 +175,49 @@ static const unsigned char PRECOMPUTED_HA1_SHA256[32] = {
     0x20, 0x7e, 0x02, 0xd7, 0xc4, 0xbd, 0x8a, 0x05
 };
 
-class digest_ha1_resource : public http_resource {
+class digest_ha1_md5_resource : public http_resource {
  public:
      shared_ptr<http_response> render_GET(const http_request& req) {
          if (req.get_digested_user() == "") {
              return std::make_shared<digest_auth_fail_response>(
-                 "FAIL", "examplerealm", MY_OPAQUE, true);
+                 "FAIL", "examplerealm", MY_OPAQUE, true,
+                 httpserver::http::http_utils::http_ok,
+                 httpserver::http::http_utils::text_plain,
+                 httpserver::http::http_utils::digest_algorithm::MD5);
          }
          bool reload_nonce = false;
-         // Try MD5 first (default), then SHA-256 if that fails
-         if (!req.check_digest_auth_ha1("examplerealm", PRECOMPUTED_HA1_MD5, 16, 300, &reload_nonce,
+         if (!req.check_digest_auth_ha1("examplerealm", PRECOMPUTED_HA1_MD5,
+                 httpserver::http::http_utils::md5_digest_size, 300, &reload_nonce,
                  httpserver::http::http_utils::digest_algorithm::MD5)) {
-             // Try SHA-256
-             if (!req.check_digest_auth_ha1("examplerealm", PRECOMPUTED_HA1_SHA256, 32, 300, &reload_nonce,
-                     httpserver::http::http_utils::digest_algorithm::SHA256)) {
-                 return std::make_shared<digest_auth_fail_response>(
-                     "FAIL", "examplerealm", MY_OPAQUE, reload_nonce);
-             }
+             return std::make_shared<digest_auth_fail_response>(
+                 "FAIL", "examplerealm", MY_OPAQUE, reload_nonce,
+                 httpserver::http::http_utils::http_ok,
+                 httpserver::http::http_utils::text_plain,
+                 httpserver::http::http_utils::digest_algorithm::MD5);
+         }
+         return std::make_shared<string_response>("SUCCESS", 200, "text/plain");
+     }
+};
+
+class digest_ha1_sha256_resource : public http_resource {
+ public:
+     shared_ptr<http_response> render_GET(const http_request& req) {
+         if (req.get_digested_user() == "") {
+             return std::make_shared<digest_auth_fail_response>(
+                 "FAIL", "examplerealm", MY_OPAQUE, true,
+                 httpserver::http::http_utils::http_ok,
+                 httpserver::http::http_utils::text_plain,
+                 httpserver::http::http_utils::digest_algorithm::SHA256);
+         }
+         bool reload_nonce = false;
+         if (!req.check_digest_auth_ha1("examplerealm", PRECOMPUTED_HA1_SHA256,
+                 httpserver::http::http_utils::sha256_digest_size, 300, &reload_nonce,
+                 httpserver::http::http_utils::digest_algorithm::SHA256)) {
+             return std::make_shared<digest_auth_fail_response>(
+                 "FAIL", "examplerealm", MY_OPAQUE, reload_nonce,
+                 httpserver::http::http_utils::http_ok,
+                 httpserver::http::http_utils::text_plain,
+                 httpserver::http::http_utils::digest_algorithm::SHA256);
          }
          return std::make_shared<string_response>("SUCCESS", 200, "text/plain");
      }
@@ -277,12 +303,92 @@ LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_wrong_pass)
     ws.stop();
 LT_END_AUTO_TEST(digest_auth_wrong_pass)
 
-LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1)
+LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1_md5)
+    webserver ws = create_webserver(PORT)
+        .digest_auth_random("myrandom")
+        .nonce_nc_size(300);
+
+    digest_ha1_md5_resource digest_ha1;
+    LT_ASSERT_EQ(true, ws.register_resource("base", &digest_ha1));
+    ws.start(false);
+
+#if defined(_WINDOWS)
+    curl_global_init(CURL_GLOBAL_WIN32);
+#else
+    curl_global_init(CURL_GLOBAL_ALL);
+#endif
+
+    std::string s;
+    CURL *curl = curl_easy_init();
+    CURLcode res;
+    curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
+#if defined(_WINDOWS)
+    curl_easy_setopt(curl, CURLOPT_USERPWD, "examplerealm/myuser:mypass");
+#else
+    curl_easy_setopt(curl, CURLOPT_USERPWD, "myuser:mypass");
+#endif
+    curl_easy_setopt(curl, CURLOPT_URL, "localhost:" PORT_STRING "/base");
+    curl_easy_setopt(curl, CURLOPT_HTTPGET, 1L);
+    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writefunc);
+    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &s);
+    curl_easy_setopt(curl, CURLOPT_TIMEOUT, 150L);
+    curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 150L);
+    curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
+    curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1);
+    res = curl_easy_perform(curl);
+    LT_ASSERT_EQ(res, 0);
+    LT_CHECK_EQ(s, "SUCCESS");
+    curl_easy_cleanup(curl);
+
+    ws.stop();
+LT_END_AUTO_TEST(digest_auth_with_ha1_md5)
+
+LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1_md5_wrong_pass)
+    webserver ws = create_webserver(PORT)
+        .digest_auth_random("myrandom")
+        .nonce_nc_size(300);
+
+    digest_ha1_md5_resource digest_ha1;
+    LT_ASSERT_EQ(true, ws.register_resource("base", &digest_ha1));
+    ws.start(false);
+
+#if defined(_WINDOWS)
+    curl_global_init(CURL_GLOBAL_WIN32);
+#else
+    curl_global_init(CURL_GLOBAL_ALL);
+#endif
+
+    std::string s;
+    CURL *curl = curl_easy_init();
+    CURLcode res;
+    curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
+#if defined(_WINDOWS)
+    curl_easy_setopt(curl, CURLOPT_USERPWD, "examplerealm/myuser:wrongpass");
+#else
+    curl_easy_setopt(curl, CURLOPT_USERPWD, "myuser:wrongpass");
+#endif
+    curl_easy_setopt(curl, CURLOPT_URL, "localhost:" PORT_STRING "/base");
+    curl_easy_setopt(curl, CURLOPT_HTTPGET, 1L);
+    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writefunc);
+    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &s);
+    curl_easy_setopt(curl, CURLOPT_TIMEOUT, 150L);
+    curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 150L);
+    curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
+    curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1);
+    res = curl_easy_perform(curl);
+    LT_ASSERT_EQ(res, 0);
+    LT_CHECK_EQ(s, "FAIL");
+    curl_easy_cleanup(curl);
+
+    ws.stop();
+LT_END_AUTO_TEST(digest_auth_with_ha1_md5_wrong_pass)
+
+LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1_sha256)
     webserver ws = create_webserver(PORT)
         .digest_auth_random("myrandom")
         .nonce_nc_size(300);
 
-    digest_ha1_resource digest_ha1;
+    digest_ha1_sha256_resource digest_ha1;
     LT_ASSERT_EQ(true, ws.register_resource("base", &digest_ha1));
     ws.start(false);
 
@@ -315,14 +421,14 @@ LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1)
     curl_easy_cleanup(curl);
 
     ws.stop();
-LT_END_AUTO_TEST(digest_auth_with_ha1)
+LT_END_AUTO_TEST(digest_auth_with_ha1_sha256)
 
-LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1_wrong_pass)
+LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1_sha256_wrong_pass)
     webserver ws = create_webserver(PORT)
         .digest_auth_random("myrandom")
         .nonce_nc_size(300);
 
-    digest_ha1_resource digest_ha1;
+    digest_ha1_sha256_resource digest_ha1;
     LT_ASSERT_EQ(true, ws.register_resource("base", &digest_ha1));
     ws.start(false);
 
@@ -355,7 +461,7 @@ LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1_wrong_pass)
     curl_easy_cleanup(curl);
 
     ws.stop();
-LT_END_AUTO_TEST(digest_auth_with_ha1_wrong_pass)
+LT_END_AUTO_TEST(digest_auth_with_ha1_sha256_wrong_pass)
 
 #endif