Withdraw support for SHA-512-256 in HTTP Digest.

I was dubious about it to begin with, when I found that RFC 7616's example seemed to be treating it as a 256-bit truncation of SHA-512, and not the thing FIPS 180-4 section 6.7 specifies as "SHA-512/256" (which also changes the initial hash state). Having failed to get a clarifying response from the RFC authors, I had the idea this morning of testing other HTTP clients to see what _they_ thought that hash function meant, and then at least I could go with an existing in-practice consensus. There is no in-practice consensus. Firefox doesn't support that algorithm at all (but they do support SHA-256); wget doesn't support anything that RFC 7616 added to the original RFC 2617. But the prize for weirdness goes to curl, which does accept the name "SHA-512-256" and ... treats it as an alias for SHA-256! So I think the situation among real clients is too confusing to even try to work with, and I'm going to stop adding to it. PuTTY will follow Firefox's policy: if a proxy server asks for SHA-256 digests we'll happily provide them, but if they ask for SHA-512-256 we'll refuse on the grounds that it's not clear enough what it means.
2025-06-30 19:12:48 -05:00 · 2021-11-27 11:41:00 +00:00
parent 53f7da8ce7
commit 44055cd36e
6 changed files with 111 additions and 11 deletions
--- a/test/cryptsuite.py
+++ b/test/cryptsuite.py
@ -3212,6 +3212,14 @@ class standard_test_vectors(MyTestBase):
        # that they think it's just a 256-bit truncation of SHA-512,
        # and not the version defined in FIPS 180-4 which also uses
        # a different initial hash state), and username hashing.
+        #
+        # We don't actually support SHA-512-256 in the top-level proxy
+        # client code (see the comment in proxy/cproxy.h). However,
+        # this internal http_digest_response function still provides
+        # it, simply so that we can run this test case from the RFC,
+        # because it's the only provided test case for username
+        # hashing, and this confirms that we've got the preimage right
+        # for the username hash.
        params = ["J\u00E4s\u00F8n Doe".encode("UTF-8"),
                  "Secret, or not?", "api@example.org",
                  "GET", "/doe.json", "auth",
--- a/test/testcrypt-enum.h
+++ b/test/testcrypt-enum.h
@ -138,7 +138,7 @@ END_ENUM_TYPE(fptype)
 * invent a separate one for testcrypt, reuse the existing names.
 */
 BEGIN_ENUM_TYPE(httpdigesthash)
-    #define DECL_ARRAY(id, str, alg, bits) ENUM_VALUE(str, id)
+    #define DECL_ARRAY(id, str, alg, bits, accepted) ENUM_VALUE(str, id)
    HTTP_DIGEST_HASHES(DECL_ARRAY)
    #undef DECL_ARRAY
 END_ENUM_TYPE(httpdigesthash)