From: Andreas Henriksson <andreas@fatal.se>
Date: Sat, 26 Apr 2025 20:09:29 +0200
Subject: Backport auth tests for CVE-2025-32910

Forward-ported from bullseye-security.
---
 tests/auth-test.c | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/tests/auth-test.c b/tests/auth-test.c
index 6fb1e4a..88478ee 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1549,14 +1549,26 @@ do_cancel_after_retry_test (void)
         soup_test_session_abort_unref (session);
 }
 
+//from upstream commit 9af7d0fc751f7afcd8b03bc827a4d3af0c4556f8
+static gboolean
+on_digest_authenticate (SoupMessage *msg,
+                        SoupAuth    *auth,
+                        gboolean     retrying,
+                        gpointer     user_data)
+{
+        g_assert_false (retrying);
+        soup_auth_authenticate (auth, "user", "good");
+        return TRUE;
+}
+
 static void
 on_request_read_for_missing_params (SoupServer        *server,
-                                      SoupServerMessage *msg,
+                                      SoupMessage *msg,
+                                      SoupClientContext *client,
                                       gpointer           user_data)
 {
         const char *auth_header = user_data;
-        SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
-        soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
+        soup_message_headers_replace (msg->response_headers, "WWW-Authenticate", auth_header);
 }
 
 static void
@@ -1567,7 +1579,7 @@ do_missing_params_test (gconstpointer auth_header)
         SoupServer *server;
         SoupAuthDomain *digest_auth_domain;
         gint status;
-        GUri *uri;
+        SoupURI *uri;
 
         server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
 	soup_server_add_handler (server, NULL,
@@ -1586,16 +1598,16 @@ do_missing_params_test (gconstpointer auth_header)
                           G_CALLBACK (on_request_read_for_missing_params),
                           (gpointer)auth_header);
 
-        session = soup_test_session_new (NULL);
+        session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL);
         msg = soup_message_new_from_uri ("GET", uri);
-        g_signal_connect (msg, "authenticate",
+        g_signal_connect (session, "authenticate",
                           G_CALLBACK (on_digest_authenticate),
                           NULL);
 
-        status = soup_test_session_send_message (session, msg);
+        status = soup_session_send_message (session, msg);
 
         g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
-	g_uri_unref (uri);
+	soup_uri_free (uri);
 	soup_test_server_quit_unref (server);
 }