The line

*currentout++ = hex2num(first) << 4 + hex2num(second);

does the wrong thing because the precedence of the operations implies

*currentout++ = hex2num(first) << (4 + hex2num(second));

and not the correct

*currentout++= (hex2num(first) << 4) + hex2num(second);

Alternatively | can be used instead of +

*currentout++= hex2num(first) << 4 | hex2num(second);

but parenthesis don't harm.

Luckily that piece of code is in fact never executed because canonicalize_string is called by http_get in such a way that it is applied only to the string /generate-ac, i.e. it is not applied to the whole path including parameters, which most likely contain url-escaped characters.