Skip to content

fix: restore blake2b and base64 in hash command#264

Open
MarkAtwood wants to merge 1 commit into
wolfSSL:mainfrom
MarkAtwood:fix/blake2b-base64-hash-macro
Open

fix: restore blake2b and base64 in hash command#264
MarkAtwood wants to merge 1 commit into
wolfSSL:mainfrom
MarkAtwood:fix/blake2b-base64-hash-macro

Conversation

@MarkAtwood

Copy link
Copy Markdown

Problem

wolfSSL renamed the BLAKE2 feature macro HAVE_BLAKE2HAVE_BLAKE2B and now #undefs the legacy HAVE_BLAKE2 in settings.h. wolfCLU still keys its blake2b support — and the blake2.h include in clu_header_main.h — off HAVE_BLAKE2, so against current wolfSSL:

  • wolfssl -hash blake2b returns "Invalid algorithm" (blake2b hashing is unavailable)
  • the blake2b benchmark and help/usage entries silently disappear

Fix

  • clu_header_main.h: map HAVE_BLAKE2 back from HAVE_BLAKE2B (after wolfSSL's options.h is included, before the blake2.h include), so every existing HAVE_BLAKE2 guard works again against both old and new wolfSSL. One shim covers all sites (hash, benchmark, help, header include).
  • clu_hash_setup.c: re-enabling blake2 re-exposes a latent bug — size defaults to BLAKE2B_OUTBYTES (64) and the base64enc/base64dec algorithms never reset it, so their output buffer was capped at 64 bytes and encoding/decoding anything larger failed with a buffer error. Force size = 0 for base64 so wolfCLU_hash computes the size from the input.

Tests

tests/hash/hash-test.py:

  • test_blake2b — validates -hash blake2b against an openssl blake2b512 vector (blake2b previously had no test, which is why the macro regression went unnoticed).
  • test_hash_base64_largebase64enc on input whose base64 output exceeds 64 bytes must succeed (guards the coupled sizing bug).

Verified by build + run on Ubuntu 24.04 against current wolfSSL: full make check is green (25/25), the hash suite is 12/12. Confirmed the base64 test fails when the blake2b shim is applied without the sizing fix, so it genuinely gates the regression.

Fixes #263

wolfSSL renamed the BLAKE2 feature macro HAVE_BLAKE2 to HAVE_BLAKE2B and
now #undefs the legacy HAVE_BLAKE2 in settings.h. wolfCLU still keys its
blake2b support (and the blake2.h include) off HAVE_BLAKE2, so against
current wolfSSL `wolfssl -hash blake2b` returned "Invalid algorithm" and
the blake2b benchmark/help entries disappeared.

Map HAVE_BLAKE2 back from HAVE_BLAKE2B in clu_header_main.h so all existing
HAVE_BLAKE2 guards work again against both old and new wolfSSL.

Re-enabling blake2 re-exposes a latent bug in the hash sub-command: `size`
defaults to BLAKE2B_OUTBYTES (64), and the base64enc/base64dec algorithms
never reset it, so their output buffer was capped at 64 bytes and encoding
or decoding anything larger failed with a buffer error. Force size to 0 for
base64enc/base64dec so wolfCLU_hash computes the output size from the input.

Add regression coverage in tests/hash/hash-test.py: blake2b (validated
against an openssl blake2b512 vector) and base64enc on input whose output
exceeds 64 bytes. blake2b previously had no test, which is why the macro
regression went unnoticed.

Fixes wolfSSL#263
Copilot AI review requested due to automatic review settings July 9, 2026 22:26

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Restores -hash blake2b support (and related help/benchmark exposure) when building wolfCLU against newer wolfSSL versions that renamed HAVE_BLAKE2HAVE_BLAKE2B, and fixes a coupled base64 output-sizing regression that becomes visible once BLAKE2 is re-enabled.

Changes:

  • Add a compatibility shim mapping HAVE_BLAKE2B back to HAVE_BLAKE2 before including blake2.h.
  • Ensure base64enc/base64dec force size = 0 so wolfCLU_hash() recomputes the correct output buffer size.
  • Add regression tests + expected vector for blake2b and large base64 output.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
wolfclu/clu_header_main.h Defines HAVE_BLAKE2 when only HAVE_BLAKE2B is present to restore legacy guards on modern wolfSSL.
src/hash/clu_hash_setup.c Resets size for base64 algorithms to avoid inheriting the blake2b default output size.
tests/hash/hash-test.py Adds regression tests for blake2b hashing and large base64 encoding.
tests/hash/blake2b-expect.hex Adds expected blake2b digest output fixture for the new test.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread tests/hash/hash-test.py
Comment on lines +57 to +65
def test_blake2b(self):
"""blake2b via -hash. Regression: wolfCLU gated blake2b on the legacy
HAVE_BLAKE2 macro, which current wolfSSL replaced with HAVE_BLAKE2B, so
`-hash blake2b` returned "Invalid algorithm" on modern wolfSSL."""
r = run_wolfssl("-hash", "blake2b", "-in", CERT_FILE)
if "Invalid algorithm" in (r.stdout + r.stderr):
self.skipTest("blake2b not enabled in this wolfSSL build")
self.assertEqual(r.returncode, 0, r.stderr)
self.assertEqual(r.stdout.strip(), _read_expected("blake2b-expect.hex"))
Comment thread tests/hash/hash-test.py
Comment on lines +67 to +78
def test_hash_base64_large(self):
"""base64enc/base64dec via -hash on input whose base64 output exceeds
64 bytes must succeed. Regression: on blake2-enabled builds the output
size defaulted to BLAKE2B_OUTBYTES (64) for the base64 sub-command, so
encoding anything larger failed with a buffer error. ca-cert.pem is
well over 48 bytes, so its base64 output is > 64 bytes."""
enc = run_wolfssl("-hash", "base64enc", "-in", CERT_FILE)
blob = enc.stdout + enc.stderr
if "Invalid algorithm" in blob or "No coding support" in blob:
self.skipTest("base64 coding not enabled in this build")
self.assertEqual(enc.returncode, 0, enc.stderr)
self.assertGreater(len(enc.stdout.strip()), 128, enc.stderr)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

hash blake2b command broken with current wolfSSL (gated on removed HAVE_BLAKE2 macro)

3 participants