From f9a5a3a3ef34e63dc197156e9a5f57842859ca04 Mon Sep 17 00:00:00 2001
From: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
Date: Sun, 29 Dec 2024 08:05:34 +1100
Subject: [PATCH] gh-128192: support HTTP sha-256 digest authentication as per RFC-7617 (GH-128193)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

support sha-256 digest authentication
Co-authored-by: Peter Bierma
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Co-authored-by: Gregory P. Smith
---
 Doc/library/urllib.request.rst | 3 +++
 Doc/whatsnew/3.14.rst | 8 ++++++
 Lib/test/test_urllib2.py | 25 ++++++++++++++++---
 Lib/urllib/request.py | 7 ++++--
 Misc/ACKS | 1 +
 ...-12-23-11-14-07.gh-issue-128192.02mEhD.rst | 2 ++
 6 files changed, 41 insertions(+), 5 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Core_and_Builtins/2024-12-23-11-14-07.gh-issue-128192.02mEhD.rst
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
index 3c07dc4adf434a..b3efde3f189566 100644
--- a/Doc/library/urllib.request.rst
+++ b/Doc/library/urllib.request.rst
@@ -411,6 +411,9 @@ The following classes are provided:
 :ref:`http-password-mgr` for information on the interface that must be supported.
+ .. versionchanged:: 3.14
+ Added support for HTTP digest authentication algorithm ``SHA-256``.
+
 .. class:: HTTPDigestAuthHandler(password_mgr=None)
diff --git a/Doc/whatsnew/3.14.rst b/Doc/whatsnew/3.14.rst
index 935c61c474e889..2767fd3ca48b29 100644
--- a/Doc/whatsnew/3.14.rst
+++ b/Doc/whatsnew/3.14.rst
@@ -646,6 +646,14 @@ unittest
 (Contributed by Jacob Walls in :gh:`80958`.)
+urllib
+------
+
+* Upgrade HTTP digest authentication algorithm for :mod:`urllib.request` by
+ supporting SHA-256 digest authentication as specified in :rfc:`7616`.
+ (Contributed by Calvin Bui in :gh:`128193`.)
+
+
 uuid
 ----
diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
index 4a9e653515be5b..96d91c1f1c2f8a 100644
--- a/Lib/test/test_urllib2.py
+++ b/Lib/test/test_urllib2.py
@@ -1962,10 +1962,29 @@ def test_parse_proxy(self):
 self.assertRaises(ValueError, _parse_proxy, 'file:/ftp.example.com'),
- def test_unsupported_algorithm(self):
- handler = AbstractDigestAuthHandler()
+
+class TestDigestAlgorithms(unittest.TestCase):
+ def setUp(self):
+ self.handler = AbstractDigestAuthHandler()
+
+ def test_md5_algorithm(self):
+ H, KD = self.handler.get_algorithm_impls('MD5')
+ self.assertEqual(H("foo"), "acbd18db4cc2f85cedef654fccc4a4d8")
+ self.assertEqual(KD("foo", "bar"), "4e99e8c12de7e01535248d2bac85e732")
+
+ def test_sha_algorithm(self):
+ H, KD = self.handler.get_algorithm_impls('SHA')
+ self.assertEqual(H("foo"), "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33")
+ self.assertEqual(KD("foo", "bar"), "54dcbe67d21d5eb39493d46d89ae1f412d3bd6de")
+
+ def test_sha256_algorithm(self):
+ H, KD = self.handler.get_algorithm_impls('SHA-256')
+ self.assertEqual(H("foo"), "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae")
+ self.assertEqual(KD("foo", "bar"), "a765a8beaa9d561d4c5cbed29d8f4e30870297fdfa9cb7d6e9848a95fec9f937")
+
+ def test_invalid_algorithm(self):
 with self.assertRaises(ValueError) as exc:
- handler.get_algorithm_impls('invalid')
+ self.handler.get_algorithm_impls('invalid')
 self.assertEqual(
 str(exc.exception),
 "Unsupported digest authentication algorithm 'invalid'"
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index c5a6a18a32bba1..0d1b594b8cf20b 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -1048,7 +1048,7 @@ def http_error_407(self, req, fp, code, msg, headers):
 class AbstractDigestAuthHandler:
- # Digest authentication is specified in RFC 2617.
+ # Digest authentication is specified in RFC 2617/7616.
 # XXX The client does not inspect the Authentication-Info header
 # in a successful response.
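Review bot: `TestDigestAlgorithms` in Lib/test/test_urllib2.py checks `H` and `KD` only on the ASCII inputs `"foo"`/`"bar"` and rejects only the made-up name `'invalid'`, so two behaviours of the new code stay unpinned: what a non-ASCII input does, and that RFC 7616 names the handler does not implement are refused rather than silently mapped to another hash. A short negative case would cover the second, e.g. `with self.assertRaises(ValueError): self.handler.get_algorithm_impls('SHA-512-256')`. Nothing in this hunk drives a full `algorithm=SHA-256` challenge through the handler either, so the header parsing and the echoed `algorithm` value are presumably covered elsewhere or not at all. The closing lines of `test_invalid_algorithm` fall outside the hunk.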
@@ -1176,11 +1176,14 @@ def get_authorization(self, req, chal):
 return base
 def get_algorithm_impls(self, algorithm):
+ # algorithm names taken from RFC 7616 Section 6.1
 # lambdas assume digest modules are imported at the top level
 if algorithm == 'MD5':
 H = lambda x: hashlib.md5(x.encode("ascii")).hexdigest()
- elif algorithm == 'SHA':
+ elif algorithm == 'SHA': # non-standard, retained for compatibility.
 H = lambda x: hashlib.sha1(x.encode("ascii")).hexdigest()
+ elif algorithm == 'SHA-256':
+ H = lambda x: hashlib.sha256(x.encode("ascii")).hexdigest()
 # XXX MD5-sess
 else:
 raise ValueError("Unsupported digest authentication "
diff --git a/Misc/ACKS b/Misc/ACKS
index 086930666822ad..c6e53317b37d78 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -258,6 +258,7 @@ Colm Buckley
 Erik de Bueger
 Jan-Hein Bührman
 Marc Bürg
+Calvin Bui
 Lars Buitinck
 Artem Bulgakov
 Dick Bulterman
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2024-12-23-11-14-07.gh-issue-128192.02mEhD.rst b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-23-11-14-07.gh-issue-128192.02mEhD.rst
new file mode 100644
index 00000000000000..b80ab715ffc7db
--- /dev/null
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-23-11-14-07.gh-issue-128192.02mEhD.rst
@@ -0,0 +1,2 @@
+Upgrade HTTP digest authentication algorithm for :mod:`urllib.request` by
+supporting SHA-256 digest authentication as specified in :rfc:`7616`.
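Review bot: In `get_algorithm_impls` (the `@@ -1176,11 +1176,14 @@` hunk of Lib/urllib/request.py) the new `SHA-256` branch reuses `x.encode("ascii")`, so any non-ASCII character in the hashed string raises `UnicodeEncodeError` instead of producing a digest; RFC 7616 lets a server advertise `charset=UTF-8` for user names and passwords, which this path cannot honour. If that limit is intended for now, record it next to the existing marker, e.g. `# XXX MD5-sess, SHA-256-sess, SHA-512-256 and charset=UTF-8 are not supported`. Separately, `MD5` and the non-standard `SHA` remain selectable by name, so, assuming the name is taken from the server's challenge, a peer that offers only MD5 still receives an MD5-based response; a one-line comment saying that SHA-256 support does not by itself prevent such a downgrade would help anyone assessing the hardening this change delivers. The tail of the function (the rest of the `raise` and whatever follows) lies outside the hunk.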