diff --git a/src/hash/clu_hash_setup.c b/src/hash/clu_hash_setup.c index dcb00f11..ab3d56f2 100644 --- a/src/hash/clu_hash_setup.c +++ b/src/hash/clu_hash_setup.c @@ -159,6 +159,14 @@ int wolfCLU_hashSetup(int argc, char** argv) size = WC_SHA512_DIGEST_SIZE; #endif +#ifndef NO_CODING + /* base64 enc/dec are not fixed-size digests; force size to 0 so + * wolfCLU_hash computes the output size from the input rather than + * inheriting the blake2b default. */ + if (XSTRCMP(alg, "base64enc") == 0 || XSTRCMP(alg, "base64dec") == 0) + size = 0; +#endif + /* hashing function */ ret = wolfCLU_hash(bioIn, bioOut, alg, size); wolfSSL_BIO_free(bioIn); diff --git a/tests/hash/blake2b-expect.hex b/tests/hash/blake2b-expect.hex new file mode 100644 index 00000000..b0ad52df --- /dev/null +++ b/tests/hash/blake2b-expect.hex @@ -0,0 +1 @@ +f959d994c3efa0ff765700f1d3044cddc7c425d68ba29ded1a5132ea648b947744fc7395a2740a2774feb086b34314a038411244a43420e238091dd688f47383 diff --git a/tests/hash/hash-test.py b/tests/hash/hash-test.py index af06b517..a9ed262d 100644 --- a/tests/hash/hash-test.py +++ b/tests/hash/hash-test.py @@ -54,6 +54,29 @@ def test_sha512(self): self.assertEqual(r.returncode, 0, r.stderr) self.assertEqual(r.stdout.strip(), _read_expected("sha512-expect.hex")) + def test_blake2b(self): + """blake2b via -hash. Regression: wolfCLU gated blake2b on the legacy + HAVE_BLAKE2 macro, which current wolfSSL replaced with HAVE_BLAKE2B, so + `-hash blake2b` returned "Invalid algorithm" on modern wolfSSL.""" + r = run_wolfssl("-hash", "blake2b", "-in", CERT_FILE) + if "Invalid algorithm" in (r.stdout + r.stderr): + self.skipTest("blake2b not enabled in this wolfSSL build") + self.assertEqual(r.returncode, 0, r.stderr) + self.assertEqual(r.stdout.strip(), _read_expected("blake2b-expect.hex")) + + def test_hash_base64_large(self): + """base64enc/base64dec via -hash on input whose base64 output exceeds + 64 bytes must succeed. Regression: on blake2-enabled builds the output + size defaulted to BLAKE2B_OUTBYTES (64) for the base64 sub-command, so + encoding anything larger failed with a buffer error. ca-cert.pem is + well over 48 bytes, so its base64 output is > 64 bytes.""" + enc = run_wolfssl("-hash", "base64enc", "-in", CERT_FILE) + blob = enc.stdout + enc.stderr + if "Invalid algorithm" in blob or "No coding support" in blob: + self.skipTest("base64 coding not enabled in this build") + self.assertEqual(enc.returncode, 0, enc.stderr) + self.assertGreater(len(enc.stdout.strip()), 128, enc.stderr) + class HashShortcutTest(unittest.TestCase): """Tests using the shortcut subcommands (md5, sha256, etc.).""" diff --git a/wolfclu/clu_header_main.h b/wolfclu/clu_header_main.h index 57d245ce..1f84e059 100644 --- a/wolfclu/clu_header_main.h +++ b/wolfclu/clu_header_main.h @@ -104,6 +104,15 @@ extern "C" { #include #endif +/* wolfSSL renamed the BLAKE2 feature macro HAVE_BLAKE2 -> HAVE_BLAKE2B and + * now #undefs the legacy HAVE_BLAKE2 in settings.h. wolfCLU's blake2b support + * keys off HAVE_BLAKE2, so map it back when only HAVE_BLAKE2B is defined to + * keep blake2b (and the base64 hash sub-command) working against current + * wolfSSL. */ +#if defined(HAVE_BLAKE2B) && !defined(HAVE_BLAKE2) + #define HAVE_BLAKE2 +#endif + #ifdef HAVE_BLAKE2 #include #endif