sha256: support delegating to wolfSSL API#21078
Conversation
|
Might as well bump the minimum version IMHO! |
|
According to tests, 5.0.0 is the current minimum required → PR #21080 |
There was a problem hiding this comment.
Pull request overview
This PR updates lib/sha256.c to delegate SHA-256 hashing to wolfSSL’s API when building with USE_WOLFSSL, aligning wolfSSL behavior more closely with the existing OpenSSL-backed implementation.
Changes:
- Add a wolfSSL-backed SHA-256 implementation path (via the OpenSSL-compat EVP interface) alongside the existing OpenSSL EVP path.
- Update the documented SSL-backend branch ordering to include
USE_WOLFSSL. - Split EVP context allocation / digest init-update-final between OpenSSL and wolfSSL APIs.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| #if defined(USE_OPENSSL) || defined(USE_WOLFSSL) | ||
| #ifdef USE_OPENSSL | ||
| #include <openssl/evp.h> | ||
| #else | ||
| #include <wolfssl/options.h> | ||
| #include <wolfssl/openssl/evp.h> | ||
| #endif |
There was a problem hiding this comment.
The new USE_WOLFSSL path unconditionally includes <wolfssl/openssl/evp.h> and calls wolfSSL_EVP_* APIs. wolfSSL’s OpenSSL-compat/EVP layer is not guaranteed to be enabled in all supported wolfSSL builds (e.g., builds without --enable-opensslextra), and curl’s configure currently only feature-detects a few OpenSSL-compat symbols (DES/BIO/etc). This risks build/link failures for otherwise-supported wolfSSL configurations.
Suggestion: add configure/CMake feature checks for the specific wolfSSL_EVP_* symbols used here (or a LIBWOLFSSL_VERSION_HEX guard), and fall back to the internal SHA-256 implementation when those symbols are unavailable (or switch to the native wolfCrypt SHA-256 API which is always present).
| struct ossl_sha256_ctx { | ||
| #ifdef USE_OPENSSL | ||
| EVP_MD_CTX *openssl_ctx; | ||
| #else | ||
| WOLFSSL_EVP_MD_CTX *openssl_ctx; | ||
| #endif |
There was a problem hiding this comment.
In the OpenSSL/wolfSSL shared branch, the field name openssl_ctx is now misleading for the USE_WOLFSSL build where it actually holds a wolfSSL EVP context. Consider renaming it to something backend-neutral (e.g., evp_ctx/md_ctx) to avoid confusion when maintaining the dual-backend code.
Offered by wolfSSL v3.11.0+ (2017-05-04).
(Can be made work in v3.10.2 (2017-02-13) by including
<wolfssl/wolfcrypt/types.h>, which looks like a wolfSSL early implementation issue.)