feat(hash): add server-side Tier D checksums for WebDAV and FTP

WebDAV/Nextcloud now expose oc:checksums via a metadata-only Depth:0
PROPFIND in a new supports_checksum()/checksum(), parsed into the
canonical lowercase keys every hashsum/lsjson/provider_checksum
consumer expects (empty map, never a content download, on servers
that do not advertise it). The Depth:1 listing PROPFIND is left
unchanged: carrying the prop there 400s some Apache mod_dav configs,
so correctness wins over the zero-round-trip optimisation.

FTP already issued the FEAT-detected HASH/XMD5/XCRC/XSHA1 but emitted
non-canonical labels (SHA-256, MD5, ...) that no consumer matched;
they now map through canonical_hash_key, digests lowercased.

5 deterministic unit tests; full lib suite 1603/0, clippy clean.
Live-validated byte-identical on a Nextcloud lab box; plain mod_dav
cleanly omits.

Co-Authored-By: aeroftp[bot] <aeroftp[bot]@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

src-tauri/src/providers/ftp.rs

@@ -1565,6 +1565,33 @@ impl StorageProvider for FtpProvider {
 // FTP Hash/Checksum Commands (B3)
 // =============================================================================
 
+/// Map an FTP server's hash-algorithm label (the leading token of a
+/// RFC-draft `HASH` reply, or the implied algo of `XMD5`/`XCRC`/`XSHA1`)
+/// to the canonical lowercase key shared by every
+/// `StorageProvider::checksum()` impl and the `hashsum` / `lsjson --hash`
+/// consumers. Separators and case vary across servers (`SHA-256`,
+/// `sha256`, `SHA256`), so the label is normalised before matching; an
+/// unrecognised label degrades to its lowercased, separator-stripped form
+/// rather than being dropped (still server-side, just an exotic algo).
+fn canonical_hash_key(server_algo: &str) -> String {
+    let norm: String = server_algo
+        .chars()
+        .filter(|c| c.is_ascii_alphanumeric())
+        .collect::<String>()
+        .to_ascii_uppercase();
+    match norm.as_str() {
+        "SHA256" => "sha256",
+        "SHA512" => "sha512",
+        "SHA384" => "sha384",
+        "SHA1" => "sha1",
+        "MD5" => "md5",
+        "CRC32" => "crc32",
+        "ADLER32" => "adler32",
+        _ => return norm.to_ascii_lowercase(),
+    }
+    .to_string()
+}
+
 impl FtpProvider {
     /// Compute a remote file checksum using the best available command.
     /// Returns a map like {"MD5": "abc123..."} or {"CRC32": "..."} etc.
@@ -1607,15 +1634,22 @@ impl FtpProvider {
             // e.g. "SHA-256 0-EOF abc123def456 /path/to/file.txt"
             let parts: Vec<&str> = body.splitn(4, ' ').collect();
             if parts.len() >= 3 {
-                let algo = parts[0]; // actual algorithm from server
-                let hash = parts[2];
-                result.insert(algo.to_string(), hash.to_string());
+                result.insert(
+                    canonical_hash_key(parts[0]),
+                    parts[2].trim().to_ascii_lowercase(),
+                );
             } else {
-                result.insert(default_algo.to_string(), body.trim().to_string());
+                result.insert(
+                    canonical_hash_key(default_algo),
+                    body.trim().to_ascii_lowercase(),
+                );
             }
         } else {
             // XMD5/XCRC/XSHA1: response is just the hex hash
-            result.insert(default_algo.to_string(), body.trim().to_string());
+            result.insert(
+                canonical_hash_key(default_algo),
+                body.trim().to_ascii_lowercase(),
+            );
         }
 
         Ok(result)
@@ -1846,6 +1880,20 @@ mod tests {
         assert_eq!(entry.name, "Projects");
         assert!(entry.is_dir);
     }
+
+    #[test]
+    fn ftp_hash_keys_canonicalised() {
+        // RFC-draft HASH labels and the X* family map to the same
+        // lowercase keys every checksum() consumer expects.
+        assert_eq!(canonical_hash_key("SHA-256"), "sha256");
+        assert_eq!(canonical_hash_key("sha256"), "sha256");
+        assert_eq!(canonical_hash_key("SHA-512"), "sha512");
+        assert_eq!(canonical_hash_key("SHA-1"), "sha1");
+        assert_eq!(canonical_hash_key("MD5"), "md5");
+        assert_eq!(canonical_hash_key("CRC32"), "crc32");
+        // Unknown algo degrades, never dropped.
+        assert_eq!(canonical_hash_key("Whirlpool"), "whirlpool");
+    }
 }
 
 /// Dangerous TLS certificate verifier that accepts all certificates.

src-tauri/src/providers/webdav.rs

@@ -1551,6 +1551,56 @@ fn local_name(raw: &[u8]) -> String {
     }
 }
 
+/// Canonical lowercase key for an ownCloud/Nextcloud `oc:checksums`
+/// algorithm label, matching every `StorageProvider::checksum()` impl
+/// and the `hashsum` / `lsjson --hash` consumers. Unknown labels degrade
+/// to a lowercased, separator-stripped form (still a real server-side
+/// digest, just an exotic algo) rather than being dropped.
+fn canonical_checksum_key(algo: &str) -> String {
+    let norm: String = algo
+        .chars()
+        .filter(|c| c.is_ascii_alphanumeric())
+        .collect::<String>()
+        .to_ascii_uppercase();
+    match norm.as_str() {
+        "SHA256" => "sha256",
+        "SHA512" => "sha512",
+        "SHA384" => "sha384",
+        "SHA1" => "sha1",
+        "MD5" => "md5",
+        "CRC32" => "crc32",
+        "ADLER32" => "adler32",
+        _ => return norm.to_ascii_lowercase(),
+    }
+    .to_string()
+}
+
+/// Parse an `<oc:checksums><oc:checksum>` payload into canonical
+/// `{key: hexdigest}` pairs. The element is a single string of
+/// whitespace-separated `ALGO:HEXDIGEST` tokens, e.g.
+/// `"SHA1:f1d2d2... MD5:900150... ADLER32:024d0127"`. Tokens without a
+/// `:`, with an empty digest, or with a non-hex digest are skipped so a
+/// malformed entry can never poison the map. Returns an empty map for
+/// every WebDAV server that does not emit `oc:checksums` (the
+/// server-side-or-omit contract: no content is ever downloaded).
+fn parse_oc_checksums(raw: &str) -> HashMap<String, String> {
+    let mut out = HashMap::new();
+    for token in raw.split_whitespace() {
+        let Some((algo, digest)) = token.split_once(':') else {
+            continue;
+        };
+        let digest = digest.trim().to_ascii_lowercase();
+        if digest.is_empty() || !digest.bytes().all(|b| b.is_ascii_hexdigit()) {
+            continue;
+        }
+        let key = canonical_checksum_key(algo);
+        if !key.is_empty() {
+            out.entry(key).or_insert(digest);
+        }
+    }
+    out
+}
+
 #[async_trait]
 impl StorageProvider for WebDavProvider {
     fn as_any_mut(&mut self) -> &mut dyn std::any::Any {
@@ -2372,6 +2422,71 @@ impl StorageProvider for WebDavProvider {
         }
     }
 
+    fn supports_checksum(&self) -> bool {
+        // ownCloud/Nextcloud expose server-side digests via the
+        // `oc:checksums` PROPFIND prop; every other WebDAV server simply
+        // omits it, in which case `checksum()` returns an empty map and
+        // consumers omit / fall back. The probe is a metadata PROPFIND,
+        // never a content download: the server-side-or-omit contract.
+        true
+    }
+
+    async fn checksum(&mut self, path: &str) -> Result<HashMap<String, String>, ProviderError> {
+        if !self.connected {
+            return Err(ProviderError::NotConnected);
+        }
+
+        const PROPFIND_BODY: &str = r#"<?xml version="1.0" encoding="utf-8"?>
+                <d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns">
+                    <d:prop>
+                        <oc:checksums/>
+                    </d:prop>
+                </d:propfind>"#;
+
+        // Mirror `stat()`'s file-first / collection-retry: a file must be
+        // requested without a trailing slash, while a slash-less
+        // collection can be 301'd by Apache to a scheme-downgraded URL
+        // that strips auth (see `collection_path`).
+        let collection_form = Self::collection_path(path);
+        let mut attempts: Vec<&str> = vec![path];
+        if collection_form != path {
+            attempts.push(collection_form.as_str());
+        }
+
+        for attempt in attempts {
+            let response = self
+                .request(webdav_methods::propfind(), attempt)
+                .header("Depth", "0")
+                .header("Content-Type", "application/xml")
+                .body(PROPFIND_BODY)
+                .send()
+                .await
+                .map_err(|e| ProviderError::NetworkError(e.to_string()))?;
+
+            match response.status() {
+                StatusCode::OK | StatusCode::MULTI_STATUS => {
+                    let xml = response
+                        .text()
+                        .await
+                        .map_err(|e| ProviderError::ParseError(e.to_string()))?;
+                    let props = self.extract_xml_properties(&xml);
+                    return Ok(props
+                        .get("checksum")
+                        .map(|s| parse_oc_checksums(s))
+                        .unwrap_or_default());
+                }
+                // Ambiguous path type: retry in collection form.
+                StatusCode::NOT_FOUND | StatusCode::UNAUTHORIZED => continue,
+                // Any other status: the server cannot answer the prop.
+                // Treat as "no server-side hash" (omit) rather than an
+                // error that would fail a listing or trigger a download.
+                _ => return Ok(HashMap::new()),
+            }
+        }
+
+        Ok(HashMap::new())
+    }
+
     async fn size(&mut self, path: &str) -> Result<u64, ProviderError> {
         let entry = self.stat(path).await?;
         Ok(entry.size)
@@ -3211,4 +3326,48 @@ mod tests {
         t.server_root = Some("/".to_string());
         assert_eq!(t.resolve_root("/aeroftp-utest"), "/aeroftp-utest");
     }
+
+    #[test]
+    fn oc_checksums_parsed_to_canonical_lowercase_keys() {
+        // Real Nextcloud/ownCloud shape: space-separated ALGO:HEX tokens.
+        let m = parse_oc_checksums(
+            "SHA1:f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 \
+             MD5:900150983cd24fb0d6963f7d28e17f72 ADLER32:024d0127",
+        );
+        assert_eq!(
+            m.get("sha1").map(String::as_str),
+            Some("f1d2d2f924e986ac86fdf7b36c94bcdf32beec15")
+        );
+        assert_eq!(
+            m.get("md5").map(String::as_str),
+            Some("900150983cd24fb0d6963f7d28e17f72")
+        );
+        assert_eq!(m.get("adler32").map(String::as_str), Some("024d0127"));
+        // No canonical key is upper-cased or dash-separated.
+        assert!(m.keys().all(|k| k == &k.to_ascii_lowercase()));
+    }
+
+    #[test]
+    fn oc_checksums_canonicalises_separators_and_case() {
+        let m = parse_oc_checksums("SHA-256:ABCDEF01 sha512:00FF");
+        assert_eq!(m.get("sha256").map(String::as_str), Some("abcdef01"));
+        assert_eq!(m.get("sha512").map(String::as_str), Some("00ff"));
+    }
+
+    #[test]
+    fn oc_checksums_skips_malformed_and_empty() {
+        // No colon, empty digest, non-hex digest, and the empty string.
+        assert!(parse_oc_checksums("").is_empty());
+        assert!(parse_oc_checksums("SHA1 MD5: SHA256:zz_not_hex").is_empty());
+        // A single good token among malformed ones still survives.
+        let m = parse_oc_checksums("garbage MD5:0a1b BAD:");
+        assert_eq!(m.len(), 1);
+        assert_eq!(m.get("md5").map(String::as_str), Some("0a1b"));
+    }
+
+    #[test]
+    fn unknown_algo_degrades_not_dropped() {
+        let m = parse_oc_checksums("WHIRLPOOL:dead");
+        assert_eq!(m.get("whirlpool").map(String::as_str), Some("dead"));
+    }
 }