From e3461bbd0599547740651279daec0861ade63ff0 Mon Sep 17 00:00:00 2001 From: Evgeny Grin Date: Thu, 8 Feb 2024 10:31:12 +0100 Subject: [PATCH] digest: support SHA-512/256 Also fix the tests. New implementation tested with GNU libmicrohttpd. The new numbers in tests are real SHA-512/256 numbers (not just some random ;) numbers ). --- lib/vauth/digest.c | 41 ++++++++++++++++++++++++++++++++--------- tests/data/test2060 | 3 ++- tests/data/test2062 | 3 ++- tests/data/test2065 | 3 ++- tests/data/test2068 | 3 ++- 5 files changed, 40 insertions(+), 13 deletions(-) diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c index 416da0fcc7..417ee111f9 100644 --- a/lib/vauth/digest.c +++ b/lib/vauth/digest.c @@ -38,6 +38,7 @@ #include "curl_hmac.h" #include "curl_md5.h" #include "curl_sha256.h" +#include "curl_sha512_256.h" #include "vtls/vtls.h" #include "warnless.h" #include "strtok.h" @@ -150,7 +151,7 @@ static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ msnprintf((char *) &dest[i * 2], 3, "%02x", source[i]); } -/* Convert sha256 chunk to RFC7616 -suitable ascii string */ +/* Convert sha256 or SHA-512/256 chunk to RFC7616 -suitable ascii string */ static void auth_digest_sha256_to_ascii(unsigned char *source, /* 32 bytes */ unsigned char *dest) /* 65 bytes */ { 
@@ -601,10 +602,20 @@ CURLcode Curl_auth_decode_digest_http_message(const char *chlg, digest->algo = ALGO_SHA256; else if(strcasecompare(content, "SHA-256-SESS")) digest->algo = ALGO_SHA256SESS; - else if(strcasecompare(content, "SHA-512-256")) + else if(strcasecompare(content, "SHA-512-256")) { +#ifdef CURL_HAVE_SHA512_256 digest->algo = ALGO_SHA512_256; - else if(strcasecompare(content, "SHA-512-256-SESS")) +#else /* ! CURL_HAVE_SHA512_256 */ + return CURLE_NOT_BUILT_IN; +#endif /* ! CURL_HAVE_SHA512_256 */ + } + else if(strcasecompare(content, "SHA-512-256-SESS")) { +#ifdef CURL_HAVE_SHA512_256 digest->algo = ALGO_SHA512_256SESS; +#else /* ! CURL_HAVE_SHA512_256 */ + return CURLE_NOT_BUILT_IN; +#endif /* ! CURL_HAVE_SHA512_256 */ + } else return CURLE_BAD_CONTENT_ENCODING; } @@ -957,12 +968,24 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, outptr, outlen, auth_digest_md5_to_ascii, Curl_md5it); - DEBUGASSERT(digest->algo <= ALGO_SHA512_256SESS); - return auth_create_digest_http_message(data, userp, passwdp, - request, uripath, digest, - outptr, outlen, - auth_digest_sha256_to_ascii, - Curl_sha256it); + + if(digest->algo <= ALGO_SHA256SESS) + return auth_create_digest_http_message(data, userp, passwdp, + request, uripath, digest, + outptr, outlen, + auth_digest_sha256_to_ascii, + Curl_sha256it); +#ifdef CURL_HAVE_SHA512_256 + if(digest->algo <= ALGO_SHA512_256SESS) + return auth_create_digest_http_message(data, userp, passwdp, + request, uripath, digest, + outptr, outlen, + auth_digest_sha256_to_ascii, + Curl_sha512_256it); +#endif /* CURL_HAVE_SHA512_256 */ + + /* Should be unreachable */ + return CURLE_BAD_CONTENT_ENCODING; } /* diff --git a/tests/data/test2060 b/tests/data/test2060 index dc4223ec61..e1632a387d 100644 --- a/tests/data/test2060 +++ b/tests/data/test2060 @@ -67,6 +67,7 @@ http !SSPI crypto proxy +sha512-256 HTTP POST --digest with PUT, resumed upload, modified method, SHA-512-256 and userhash=false 
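Review bot: Both `#else` branches return `CURLE_NOT_BUILT_IN` with no comment on why, and the reason is security-relevant: a build without SHA-512/256 must refuse the challenge rather than answer it with a different hash function. I would add above the first `#else` something like `/* no SHA-512/256 in this build: refuse the challenge rather than hash with another function */`, and the same for the `SHA-512-256-SESS` branch. The function starts and ends outside this hunk, so it is not visible whether the caller treats this return as fatal for the whole response. If it does, a server that also offers a SHA-256 or MD5 challenge would fail on such builds instead of using the supported one, which is worth confirming.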
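Review bot: The final `return CURLE_BAD_CONTENT_ENCODING;` takes the place of the removed `DEBUGASSERT`, so an out-of-range `digest->algo` is no longer caught in debug builds; I would keep the check as `DEBUGASSERT(0);` directly above that return. The two `<=` tests pick the hash function from the numeric order of the `ALGO_*` constants, which are declared outside this hunk. A comment such as `/* relies on the numeric order of the ALGO_* values */` would guard against a later reordering pairing an algorithm with the wrong hash. In builds without `CURL_HAVE_SHA512_256` the fall-through code would arguably be clearer as `CURLE_NOT_BUILT_IN`, matching the decode path. The function begins outside the hunk.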
@@ -92,7 +93,7 @@ Content-Length: 0 GET http://%HOSTIP:%HTTPPORT/%TESTNUMBER HTTP/1.1 Host: %HOSTIP:%HTTPPORT -Authorization: Digest username="auser", realm="testrealm", nonce="1053604144", uri="/%TESTNUMBER", response="3ce1e25ffa611bdbe90e2ab367b9602fa223db9f6de76ac667f0d6157e2178a6", algorithm=SHA-512-256 +Authorization: Digest username="auser", realm="testrealm", nonce="1053604144", uri="/%TESTNUMBER", response="691867f4a06c79fd0a175c1857e3df7015f6fff3ce8676497d2f1f805b5a8eca", algorithm=SHA-512-256 Content-Range: bytes 2-4/5 User-Agent: curl/%VERSION Accept: */* diff --git a/tests/data/test2062 b/tests/data/test2062 index b6a1e01f93..039354382d 100644 --- a/tests/data/test2062 +++ b/tests/data/test2062 @@ -54,6 +54,7 @@ http !SSPI crypto +sha512-256 HTTP with RFC7616 SHA-512-256 Digest authorization and userhash=false @@ -73,7 +74,7 @@ Accept: */* GET /%TESTNUMBER HTTP/1.1 Host: %HOSTIP:%HTTPPORT -Authorization: Digest username="testuser", realm="testrealm", nonce="1053604145", uri="/%TESTNUMBER", response="2af735ec3508f4dff99248ffbbe9de9002bfd7cc770cfa2b026cb334042a54e3", algorithm=SHA-512-256 +Authorization: Digest username="testuser", realm="testrealm", nonce="1053604145", uri="/%TESTNUMBER", response="9d3256ee6526ec40dd48743bb48e51ee9baba587c78f15c3a86166242150af98", algorithm=SHA-512-256 User-Agent: curl/%VERSION Accept: */* diff --git a/tests/data/test2065 b/tests/data/test2065 index 0b794302df..4f3a510744 100644 --- a/tests/data/test2065 +++ b/tests/data/test2065 @@ -54,6 +54,7 @@ http !SSPI crypto +sha512-256 HTTP with RFC7616 Digest authorization with bad password, SHA-512-256 and userhash=false 
@@ -73,7 +74,7 @@ Accept: */* GET /%TESTNUMBER HTTP/1.1 Host: %HOSTIP:%HTTPPORT -Authorization: Digest username="testuser", realm="testrealm", nonce="2053604145", uri="/%TESTNUMBER", response="5a5f20b0e601aeddc6f96422c2332d49ff431c49ab143b5f836ef76e9ac78f5e", algorithm=SHA-512-256 +Authorization: Digest username="testuser", realm="testrealm", nonce="2053604145", uri="/%TESTNUMBER", response="0373a49d7d352ff54884faaf762fc6c89281b4112ad8fcbbe1d1ee52dcf7a802", algorithm=SHA-512-256 User-Agent: curl/%VERSION Accept: */* diff --git a/tests/data/test2068 b/tests/data/test2068 index 429e5d5660..32afd26290 100644 --- a/tests/data/test2068 +++ b/tests/data/test2068 @@ -52,6 +52,7 @@ http !SSPI crypto +sha512-256 HTTP POST --digest with SHA-512-256, userhash=false and user-specified Content-Length header @@ -76,7 +77,7 @@ Content-Type: application/x-www-form-urlencoded POST /%TESTNUMBER HTTP/1.1 Host: %HOSTIP:%HTTPPORT -Authorization: Digest username="auser", realm="testrealm", nonce="1053604144", uri="/%TESTNUMBER", response="4bc9c97a72f1856bcec9b0e1518c6b7ee28773f91357d56840bdc30bd89ca68f", algorithm=SHA-512-256 +Authorization: Digest username="auser", realm="testrealm", nonce="1053604144", uri="/%TESTNUMBER", response="0ba2f7ec8045446588eea82bb0c3812aedb05f4eac8883ea65040a52e9c5629e", algorithm=SHA-512-256 User-Agent: curl/%VERSION Accept: */* Content-Length: 11 -- 2.47.3