fix: restore blake2b and base64 in hash command#264
Open
MarkAtwood wants to merge 1 commit into
Open
Conversation
wolfSSL renamed the BLAKE2 feature macro HAVE_BLAKE2 to HAVE_BLAKE2B and now #undefs the legacy HAVE_BLAKE2 in settings.h. wolfCLU still keys its blake2b support (and the blake2.h include) off HAVE_BLAKE2, so against current wolfSSL `wolfssl -hash blake2b` returned "Invalid algorithm" and the blake2b benchmark/help entries disappeared. Map HAVE_BLAKE2 back from HAVE_BLAKE2B in clu_header_main.h so all existing HAVE_BLAKE2 guards work again against both old and new wolfSSL. Re-enabling blake2 re-exposes a latent bug in the hash sub-command: `size` defaults to BLAKE2B_OUTBYTES (64), and the base64enc/base64dec algorithms never reset it, so their output buffer was capped at 64 bytes and encoding or decoding anything larger failed with a buffer error. Force size to 0 for base64enc/base64dec so wolfCLU_hash computes the output size from the input. Add regression coverage in tests/hash/hash-test.py: blake2b (validated against an openssl blake2b512 vector) and base64enc on input whose output exceeds 64 bytes. blake2b previously had no test, which is why the macro regression went unnoticed. Fixes wolfSSL#263
Contributor
There was a problem hiding this comment.
Pull request overview
Restores -hash blake2b support (and related help/benchmark exposure) when building wolfCLU against newer wolfSSL versions that renamed HAVE_BLAKE2 → HAVE_BLAKE2B, and fixes a coupled base64 output-sizing regression that becomes visible once BLAKE2 is re-enabled.
Changes:
- Add a compatibility shim mapping
HAVE_BLAKE2Bback toHAVE_BLAKE2before includingblake2.h. - Ensure
base64enc/base64decforcesize = 0sowolfCLU_hash()recomputes the correct output buffer size. - Add regression tests + expected vector for blake2b and large base64 output.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
wolfclu/clu_header_main.h |
Defines HAVE_BLAKE2 when only HAVE_BLAKE2B is present to restore legacy guards on modern wolfSSL. |
src/hash/clu_hash_setup.c |
Resets size for base64 algorithms to avoid inheriting the blake2b default output size. |
tests/hash/hash-test.py |
Adds regression tests for blake2b hashing and large base64 encoding. |
tests/hash/blake2b-expect.hex |
Adds expected blake2b digest output fixture for the new test. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+57
to
+65
| def test_blake2b(self): | ||
| """blake2b via -hash. Regression: wolfCLU gated blake2b on the legacy | ||
| HAVE_BLAKE2 macro, which current wolfSSL replaced with HAVE_BLAKE2B, so | ||
| `-hash blake2b` returned "Invalid algorithm" on modern wolfSSL.""" | ||
| r = run_wolfssl("-hash", "blake2b", "-in", CERT_FILE) | ||
| if "Invalid algorithm" in (r.stdout + r.stderr): | ||
| self.skipTest("blake2b not enabled in this wolfSSL build") | ||
| self.assertEqual(r.returncode, 0, r.stderr) | ||
| self.assertEqual(r.stdout.strip(), _read_expected("blake2b-expect.hex")) |
Comment on lines
+67
to
+78
| def test_hash_base64_large(self): | ||
| """base64enc/base64dec via -hash on input whose base64 output exceeds | ||
| 64 bytes must succeed. Regression: on blake2-enabled builds the output | ||
| size defaulted to BLAKE2B_OUTBYTES (64) for the base64 sub-command, so | ||
| encoding anything larger failed with a buffer error. ca-cert.pem is | ||
| well over 48 bytes, so its base64 output is > 64 bytes.""" | ||
| enc = run_wolfssl("-hash", "base64enc", "-in", CERT_FILE) | ||
| blob = enc.stdout + enc.stderr | ||
| if "Invalid algorithm" in blob or "No coding support" in blob: | ||
| self.skipTest("base64 coding not enabled in this build") | ||
| self.assertEqual(enc.returncode, 0, enc.stderr) | ||
| self.assertGreater(len(enc.stdout.strip()), 128, enc.stderr) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
wolfSSL renamed the BLAKE2 feature macro
HAVE_BLAKE2→HAVE_BLAKE2Band now#undefs the legacyHAVE_BLAKE2insettings.h. wolfCLU still keys its blake2b support — and theblake2.hinclude inclu_header_main.h— offHAVE_BLAKE2, so against current wolfSSL:wolfssl -hash blake2breturns "Invalid algorithm" (blake2b hashing is unavailable)Fix
clu_header_main.h: mapHAVE_BLAKE2back fromHAVE_BLAKE2B(after wolfSSL'soptions.his included, before theblake2.hinclude), so every existingHAVE_BLAKE2guard works again against both old and new wolfSSL. One shim covers all sites (hash, benchmark, help, header include).clu_hash_setup.c: re-enabling blake2 re-exposes a latent bug —sizedefaults toBLAKE2B_OUTBYTES(64) and thebase64enc/base64decalgorithms never reset it, so their output buffer was capped at 64 bytes and encoding/decoding anything larger failed with a buffer error. Forcesize = 0for base64 sowolfCLU_hashcomputes the size from the input.Tests
tests/hash/hash-test.py:test_blake2b— validates-hash blake2bagainst anopenssl blake2b512vector (blake2b previously had no test, which is why the macro regression went unnoticed).test_hash_base64_large—base64encon input whose base64 output exceeds 64 bytes must succeed (guards the coupled sizing bug).Verified by build + run on Ubuntu 24.04 against current wolfSSL: full
make checkis green (25/25), the hash suite is 12/12. Confirmed the base64 test fails when the blake2b shim is applied without the sizing fix, so it genuinely gates the regression.Fixes #263