vtls: more large buffer support and error checks for SHA-256#21771
Closed
vszakats wants to merge 11 commits into
Closed
vtls: more large buffer support and error checks for SHA-256#21771vszakats wants to merge 11 commits into
vszakats wants to merge 11 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR improves the robustness of the TLS backend SHA-256 helper implementations used by libcurl’s VTLS layer (notably for pinned public key hashing), by handling very large inputs for backends with 32-bit update APIs and tightening low-level digest error handling.
Changes:
- Update GnuTLS+nettle and wolfSSL SHA-256 helpers to process inputs in chunks, supporting 4GiB+ digest inputs.
- Add success checks for OpenSSL low-level digest update/final calls, and pass
NULLtoEVP_DigestFinal_ex()when the digest length output is not needed. - Normalize argument naming in low-level
sha256sumfunctions (input/len).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| lib/vtls/wolfssl.c | Chunk wolfSSL SHA-256 updates to support 32-bit length APIs and check update/final return codes. |
| lib/vtls/openssl.c | Add return-value checks around OpenSSL digest update/final and adjust EVP_DigestFinal_ex() usage. |
| lib/vtls/gtls.c | Chunk nettle SHA-256 updates to avoid unsigned-int length truncation for large inputs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
vszakats
force-pushed
the
vtls-sha256-size_t
branch
from
f6b9d2b to
d1cfd39
Compare
vszakats
changed the title
outcast36
pushed a commit
to greearb/curl
that referenced
this pull request
Jun 3, 2026
- gnutls: support 4GiB+ SHA-256 digest inputs. - openssl: check success of low-level update/finish digest calls. - openssl: pass NULL to `EVP_DigestFinal_ex()` instead of discarding returned value. - wolfssl: support 4GiB+ SHA-256 digest inputs. - wolfssl: check success of low-level update/finish digest calls. - sync and tidy up argument names in low-level sha256_sum functions. Closes curl#21771
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
EVP_DigestFinal_ex()instead of discardingreturned value.