Add HA1-based digest authentication support

etr · etr · commit 2a4e0ea125ed · 2026-01-30T11:58:57.000-08:00
Adds check_digest_auth_ha1() method that accepts pre-computed HA1 hash
bytes instead of plaintext password. This allows secure storage of
password hashes rather than plaintext passwords.

Changes:
- Add digest_algorithm enum (MD5, SHA256) without AUTO since
  libmicrohttpd cannot auto-detect algorithm from raw hash bytes
- Add md5_digest_size and sha256_digest_size constants
- Add check_digest_auth_ha1() to http_request
- Add integration tests for HA1-based digest authentication
diff --git a/src/http_request.cpp b/src/http_request.cpp
@@ -58,6 +58,35 @@ bool http_request::check_digest_auth(const std::string& realm, const std::string
     *reload_nonce = false;
     return true;
 }
+
+bool http_request::check_digest_auth_ha1(
+    const std::string& realm,
+    const unsigned char* digest,
+    size_t digest_size,
+    int nonce_timeout,
+    bool* reload_nonce,
+    http::http_utils::digest_algorithm algo) const {
+    std::string_view digested_user = get_digested_user();
+
+    int val = MHD_digest_auth_check_digest2(
+        underlying_connection,
+        realm.c_str(),
+        digested_user.data(),
+        digest,
+        digest_size,
+        nonce_timeout,
+        static_cast<MHD_DigestAuthAlgorithm>(algo));
+
+    if (val == MHD_INVALID_NONCE) {
+        *reload_nonce = true;
+        return false;
+    } else if (val == MHD_NO) {
+        *reload_nonce = false;
+        return false;
+    }
+    *reload_nonce = false;
+    return true;
+}
 #endif  // HAVE_DAUTH
 
 std::string_view http_request::get_connection_value(std::string_view key, enum MHD_ValueKind kind) const {
diff --git a/src/httpserver/http_request.hpp b/src/httpserver/http_request.hpp
@@ -33,6 +33,7 @@
 
 #include <stddef.h>
 #include <algorithm>
+#include <array>
 #include <iosfwd>
 #include <limits>
 #include <map>
@@ -254,6 +255,25 @@ class http_request {
 
 #ifdef HAVE_DAUTH
      bool check_digest_auth(const std::string& realm, const std::string& password, int nonce_timeout, bool* reload_nonce) const;
+
+     /**
+      * Check digest authentication using a pre-computed HA1 hash.
+      * The HA1 hash is computed as: hash(username:realm:password) using the specified algorithm.
+      * @param realm The authentication realm.
+      * @param digest Pointer to the pre-computed HA1 hash bytes.
+      * @param digest_size Size of the digest (16 for MD5, 32 for SHA-256).
+      * @param nonce_timeout Nonce validity timeout in seconds.
+      * @param reload_nonce Output: set to true if nonce should be regenerated.
+      * @param algo The digest algorithm (defaults to MD5).
+      * @return true if authenticated, false otherwise.
+      */
+     bool check_digest_auth_ha1(
+         const std::string& realm,
+         const unsigned char* digest,
+         size_t digest_size,
+         int nonce_timeout,
+         bool* reload_nonce,
+         http::http_utils::digest_algorithm algo = http::http_utils::digest_algorithm::MD5) const;
 #endif  // HAVE_DAUTH
 
      friend std::ostream &operator<< (std::ostream &os, http_request &r);
diff --git a/src/httpserver/http_utils.hpp b/src/httpserver/http_utils.hpp
@@ -117,6 +117,16 @@ class http_utils {
          IPV6 = 16
      };
 
+#ifdef HAVE_DAUTH
+     enum class digest_algorithm {
+         MD5 = MHD_DIGEST_ALG_MD5,
+         SHA256 = MHD_DIGEST_ALG_SHA256
+     };
+
+     static constexpr size_t md5_digest_size = 16;
+     static constexpr size_t sha256_digest_size = 32;
+#endif  // HAVE_DAUTH
+
      static const uint16_t http_method_connect_code;
      static const uint16_t http_method_delete_code;
      static const uint16_t http_method_get_code;
diff --git a/test/integ/authentication.cpp b/test/integ/authentication.cpp
@@ -157,6 +157,46 @@ LT_END_AUTO_TEST(base_auth_fail)
 //  Also skip if libmicrohttpd was built without digest auth support
 #if !defined(_WINDOWS) && defined(HAVE_DAUTH)
 
+// Pre-computed MD5 hash of "myuser:examplerealm:mypass"
+// printf "myuser:examplerealm:mypass" | md5sum
+// 6ceef750e0130d6528b938c3abd94110
+static const unsigned char PRECOMPUTED_HA1_MD5[16] = {
+    0x6c, 0xee, 0xf7, 0x50, 0xe0, 0x13, 0x0d, 0x65,
+    0x28, 0xb9, 0x38, 0xc3, 0xab, 0xd9, 0x41, 0x10
+};
+
+// Pre-computed SHA-256 hash of "myuser:examplerealm:mypass"
+// printf "myuser:examplerealm:mypass" | sha256sum
+// d4ff5b1795b23b4c625975959f3276526f3f4f4ef7d22083207e02d7c4bd8a05
+static const unsigned char PRECOMPUTED_HA1_SHA256[32] = {
+    0xd4, 0xff, 0x5b, 0x17, 0x95, 0xb2, 0x3b, 0x4c,
+    0x62, 0x59, 0x75, 0x95, 0x9f, 0x32, 0x76, 0x52,
+    0x6f, 0x3f, 0x4f, 0x4e, 0xf7, 0xd2, 0x20, 0x83,
+    0x20, 0x7e, 0x02, 0xd7, 0xc4, 0xbd, 0x8a, 0x05
+};
+
+class digest_ha1_resource : public http_resource {
+ public:
+     shared_ptr<http_response> render_GET(const http_request& req) {
+         if (req.get_digested_user() == "") {
+             return std::make_shared<digest_auth_fail_response>(
+                 "FAIL", "examplerealm", MY_OPAQUE, true);
+         }
+         bool reload_nonce = false;
+         // Try MD5 first (default), then SHA-256 if that fails
+         if (!req.check_digest_auth_ha1("examplerealm", PRECOMPUTED_HA1_MD5, 16, 300, &reload_nonce,
+                 httpserver::http::http_utils::digest_algorithm::MD5)) {
+             // Try SHA-256
+             if (!req.check_digest_auth_ha1("examplerealm", PRECOMPUTED_HA1_SHA256, 32, 300, &reload_nonce,
+                     httpserver::http::http_utils::digest_algorithm::SHA256)) {
+                 return std::make_shared<digest_auth_fail_response>(
+                     "FAIL", "examplerealm", MY_OPAQUE, reload_nonce);
+             }
+         }
+         return std::make_shared<string_response>("SUCCESS", 200, "text/plain");
+     }
+};
+
 LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth)
     webserver ws = create_webserver(PORT)
         .digest_auth_random("myrandom")
@@ -237,6 +277,86 @@ LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_wrong_pass)
     ws.stop();
 LT_END_AUTO_TEST(digest_auth_wrong_pass)
 
+LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1)
+    webserver ws = create_webserver(PORT)
+        .digest_auth_random("myrandom")
+        .nonce_nc_size(300);
+
+    digest_ha1_resource digest_ha1;
+    LT_ASSERT_EQ(true, ws.register_resource("base", &digest_ha1));
+    ws.start(false);
+
+#if defined(_WINDOWS)
+    curl_global_init(CURL_GLOBAL_WIN32);
+#else
+    curl_global_init(CURL_GLOBAL_ALL);
+#endif
+
+    std::string s;
+    CURL *curl = curl_easy_init();
+    CURLcode res;
+    curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
+#if defined(_WINDOWS)
+    curl_easy_setopt(curl, CURLOPT_USERPWD, "examplerealm/myuser:mypass");
+#else
+    curl_easy_setopt(curl, CURLOPT_USERPWD, "myuser:mypass");
+#endif
+    curl_easy_setopt(curl, CURLOPT_URL, "localhost:" PORT_STRING "/base");
+    curl_easy_setopt(curl, CURLOPT_HTTPGET, 1L);
+    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writefunc);
+    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &s);
+    curl_easy_setopt(curl, CURLOPT_TIMEOUT, 150L);
+    curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 150L);
+    curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
+    curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1);
+    res = curl_easy_perform(curl);
+    LT_ASSERT_EQ(res, 0);
+    LT_CHECK_EQ(s, "SUCCESS");
+    curl_easy_cleanup(curl);
+
+    ws.stop();
+LT_END_AUTO_TEST(digest_auth_with_ha1)
+
+LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1_wrong_pass)
+    webserver ws = create_webserver(PORT)
+        .digest_auth_random("myrandom")
+        .nonce_nc_size(300);
+
+    digest_ha1_resource digest_ha1;
+    LT_ASSERT_EQ(true, ws.register_resource("base", &digest_ha1));
+    ws.start(false);
+
+#if defined(_WINDOWS)
+    curl_global_init(CURL_GLOBAL_WIN32);
+#else
+    curl_global_init(CURL_GLOBAL_ALL);
+#endif
+
+    std::string s;
+    CURL *curl = curl_easy_init();
+    CURLcode res;
+    curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
+#if defined(_WINDOWS)
+    curl_easy_setopt(curl, CURLOPT_USERPWD, "examplerealm/myuser:wrongpass");
+#else
+    curl_easy_setopt(curl, CURLOPT_USERPWD, "myuser:wrongpass");
+#endif
+    curl_easy_setopt(curl, CURLOPT_URL, "localhost:" PORT_STRING "/base");
+    curl_easy_setopt(curl, CURLOPT_HTTPGET, 1L);
+    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writefunc);
+    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &s);
+    curl_easy_setopt(curl, CURLOPT_TIMEOUT, 150L);
+    curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 150L);
+    curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
+    curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1);
+    res = curl_easy_perform(curl);
+    LT_ASSERT_EQ(res, 0);
+    LT_CHECK_EQ(s, "FAIL");
+    curl_easy_cleanup(curl);
+
+    ws.stop();
+LT_END_AUTO_TEST(digest_auth_with_ha1_wrong_pass)
+
 #endif
 
 // Simple resource for centralized auth tests
