From d10efd38ef27e2ee7c6ffc9091e0c92b8eaaa832 Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Thu, 9 Jul 2026 15:24:35 -0700 Subject: [PATCH] fix: restore blake2b and base64 in hash command wolfSSL renamed the BLAKE2 feature macro HAVE_BLAKE2 to HAVE_BLAKE2B and now #undefs the legacy HAVE_BLAKE2 in settings.h. wolfCLU still keys its blake2b support (and the blake2.h include) off HAVE_BLAKE2, so against current wolfSSL `wolfssl -hash blake2b` returned "Invalid algorithm" and the blake2b benchmark/help entries disappeared. Map HAVE_BLAKE2 back from HAVE_BLAKE2B in clu_header_main.h so all existing HAVE_BLAKE2 guards work again against both old and new wolfSSL. Re-enabling blake2 re-exposes a latent bug in the hash sub-command: `size` defaults to BLAKE2B_OUTBYTES (64), and the base64enc/base64dec algorithms never reset it, so their output buffer was capped at 64 bytes and encoding or decoding anything larger failed with a buffer error. Force size to 0 for base64enc/base64dec so wolfCLU_hash computes the output size from the input. Add regression coverage in tests/hash/hash-test.py: blake2b (validated against an openssl blake2b512 vector) and base64enc on input whose output exceeds 64 bytes. blake2b previously had no test, which is why the macro regression went unnoticed. Fixes wolfSSL/wolfCLU#263 --- src/hash/clu_hash_setup.c | 8 ++++++++ tests/hash/blake2b-expect.hex | 1 + tests/hash/hash-test.py | 23 +++++++++++++++++++++++ wolfclu/clu_header_main.h | 9 +++++++++ 4 files changed, 41 insertions(+) create mode 100644 tests/hash/blake2b-expect.hex diff --git a/src/hash/clu_hash_setup.c b/src/hash/clu_hash_setup.c index dcb00f11..ab3d56f2 100644 --- a/src/hash/clu_hash_setup.c +++ b/src/hash/clu_hash_setup.c @@ -159,6 +159,14 @@ int wolfCLU_hashSetup(int argc, char** argv) size = WC_SHA512_DIGEST_SIZE; #endif +#ifndef NO_CODING + /* base64 enc/dec are not fixed-size digests; force size to 0 so + * wolfCLU_hash computes the output size from the input rather than + * inheriting the blake2b default. */ + if (XSTRCMP(alg, "base64enc") == 0 || XSTRCMP(alg, "base64dec") == 0) + size = 0; +#endif + /* hashing function */ ret = wolfCLU_hash(bioIn, bioOut, alg, size); wolfSSL_BIO_free(bioIn); diff --git a/tests/hash/blake2b-expect.hex b/tests/hash/blake2b-expect.hex new file mode 100644 index 00000000..b0ad52df --- /dev/null +++ b/tests/hash/blake2b-expect.hex @@ -0,0 +1 @@ +f959d994c3efa0ff765700f1d3044cddc7c425d68ba29ded1a5132ea648b947744fc7395a2740a2774feb086b34314a038411244a43420e238091dd688f47383 diff --git a/tests/hash/hash-test.py b/tests/hash/hash-test.py index af06b517..a9ed262d 100644 --- a/tests/hash/hash-test.py +++ b/tests/hash/hash-test.py @@ -54,6 +54,29 @@ def test_sha512(self): self.assertEqual(r.returncode, 0, r.stderr) self.assertEqual(r.stdout.strip(), _read_expected("sha512-expect.hex")) + def test_blake2b(self): + """blake2b via -hash. Regression: wolfCLU gated blake2b on the legacy + HAVE_BLAKE2 macro, which current wolfSSL replaced with HAVE_BLAKE2B, so + `-hash blake2b` returned "Invalid algorithm" on modern wolfSSL.""" + r = run_wolfssl("-hash", "blake2b", "-in", CERT_FILE) + if "Invalid algorithm" in (r.stdout + r.stderr): + self.skipTest("blake2b not enabled in this wolfSSL build") + self.assertEqual(r.returncode, 0, r.stderr) + self.assertEqual(r.stdout.strip(), _read_expected("blake2b-expect.hex")) + + def test_hash_base64_large(self): + """base64enc/base64dec via -hash on input whose base64 output exceeds + 64 bytes must succeed. Regression: on blake2-enabled builds the output + size defaulted to BLAKE2B_OUTBYTES (64) for the base64 sub-command, so + encoding anything larger failed with a buffer error. ca-cert.pem is + well over 48 bytes, so its base64 output is > 64 bytes.""" + enc = run_wolfssl("-hash", "base64enc", "-in", CERT_FILE) + blob = enc.stdout + enc.stderr + if "Invalid algorithm" in blob or "No coding support" in blob: + self.skipTest("base64 coding not enabled in this build") + self.assertEqual(enc.returncode, 0, enc.stderr) + self.assertGreater(len(enc.stdout.strip()), 128, enc.stderr) + class HashShortcutTest(unittest.TestCase): """Tests using the shortcut subcommands (md5, sha256, etc.).""" diff --git a/wolfclu/clu_header_main.h b/wolfclu/clu_header_main.h index 57d245ce..1f84e059 100644 --- a/wolfclu/clu_header_main.h +++ b/wolfclu/clu_header_main.h @@ -104,6 +104,15 @@ extern "C" { #include #endif +/* wolfSSL renamed the BLAKE2 feature macro HAVE_BLAKE2 -> HAVE_BLAKE2B and + * now #undefs the legacy HAVE_BLAKE2 in settings.h. wolfCLU's blake2b support + * keys off HAVE_BLAKE2, so map it back when only HAVE_BLAKE2B is defined to + * keep blake2b (and the base64 hash sub-command) working against current + * wolfSSL. */ +#if defined(HAVE_BLAKE2B) && !defined(HAVE_BLAKE2) + #define HAVE_BLAKE2 +#endif + #ifdef HAVE_BLAKE2 #include #endif