fix: restore SHA-512 variant IV after generic fallback

After the SHA-512/224 and /256 fallback to the generic SHA-512 callback,
restore the variant initial state so the object is reset for reuse, and
exercise the path in cryptocb_test.
This commit is contained in:
Marco Oliverio
2026-06-02 09:05:04 +02:00
parent 4c0c093fe9
commit 40a6a04d23
3 changed files with 72 additions and 1 deletions
+47 -1
View File
@@ -50,6 +50,15 @@ Crypto Callback Build Options:
* Algorithm-specific callback options:
* NO_SHA2_CRYPTO_CB: Disable crypto callbacks for SHA-384 default: off
* and SHA-512 operations.
* WOLF_CRYPTO_CB_NO_SHA512_FALLBACK: default: off
* Do not fall back to the generic SHA-512
* callback for SHA-384, SHA-512/224 and
* SHA-512/256 when no variant-specific
* callback is registered. Required for
* backends whose hash context has no
* digest[] state field or that keep the
* hash state on the device (auto-enabled
* for Renesas FSPSM).
* WOLF_CRYPTO_CB_ONLY_ECC: Use only callbacks for ECC default: off
* WOLF_CRYPTO_CB_ONLY_RSA: Use only callbacks for RSA default: off
* WOLF_CRYPTO_CB_ONLY_SHA256: Use only callbacks for SHA-256 default: off
@@ -2061,7 +2070,9 @@ int wc_CryptoCb_Sha512Hash(wc_Sha512* sha512, const byte* in,
}
if (dev && dev->cb) {
#ifndef WOLF_CRYPTO_CB_NO_SHA512_FALLBACK
byte localHash[WC_SHA512_DIGEST_SIZE];
#endif
wc_CryptoInfo cryptoInfo;
XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
cryptoInfo.algo_type = WC_ALGO_TYPE_HASH;
@@ -2078,6 +2089,9 @@ int wc_CryptoCb_Sha512Hash(wc_Sha512* sha512, const byte* in,
ret = wc_CryptoCb_TranslateErrorCode(ret);
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
return ret;
#ifdef WOLF_CRYPTO_CB_NO_SHA512_FALLBACK
return ret;
#endif
}
#endif
#if !defined(WOLFSSL_NOSHA512_256)
@@ -2087,16 +2101,48 @@ int wc_CryptoCb_Sha512Hash(wc_Sha512* sha512, const byte* in,
ret = wc_CryptoCb_TranslateErrorCode(ret);
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
return ret;
#ifdef WOLF_CRYPTO_CB_NO_SHA512_FALLBACK
return ret;
#endif
}
#endif
cryptoInfo.hash.type = WC_HASH_TYPE_SHA512;
#ifndef WOLF_CRYPTO_CB_NO_SHA512_FALLBACK
/* use local buffer if not full size */
if (digest != NULL && digestSz != WC_SHA512_DIGEST_SIZE)
cryptoInfo.hash.digest = localHash;
#endif
ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
ret = wc_CryptoCb_TranslateErrorCode(ret);
if (ret == 0 && digest != NULL && digestSz != WC_SHA512_DIGEST_SIZE)
#ifndef WOLF_CRYPTO_CB_NO_SHA512_FALLBACK
if (ret == 0 && digest != NULL && digestSz != WC_SHA512_DIGEST_SIZE) {
XMEMCPY(digest, localHash, digestSz);
#if !defined(WOLFSSL_NOSHA512_224)
if (digestSz == WC_SHA512_224_DIGEST_SIZE) {
sha512->digest[0] = W64LIT(0x8c3d37c819544da2);
sha512->digest[1] = W64LIT(0x73e1996689dcd4d6);
sha512->digest[2] = W64LIT(0x1dfab7ae32ff9c82);
sha512->digest[3] = W64LIT(0x679dd514582f9fcf);
sha512->digest[4] = W64LIT(0x0f6d2b697bd44da8);
sha512->digest[5] = W64LIT(0x77e36f7304c48942);
sha512->digest[6] = W64LIT(0x3f9d85a86a1d36c8);
sha512->digest[7] = W64LIT(0x1112e6ad91d692a1);
}
#endif
#if !defined(WOLFSSL_NOSHA512_256)
if (digestSz == WC_SHA512_256_DIGEST_SIZE) {
sha512->digest[0] = W64LIT(0x22312194fc2bf72c);
sha512->digest[1] = W64LIT(0x9f555fa3c84c64c2);
sha512->digest[2] = W64LIT(0x2393b86b6f53b151);
sha512->digest[3] = W64LIT(0x963877195940eabd);
sha512->digest[4] = W64LIT(0x96283ee2a88effe3);
sha512->digest[5] = W64LIT(0xbe5e1e2553863992);
sha512->digest[6] = W64LIT(0x2b0199fc2c85b8aa);
sha512->digest[7] = W64LIT(0x0eb72ddc81c52ca2);
}
#endif
}
#endif /* !WOLF_CRYPTO_CB_NO_SHA512_FALLBACK */
return ret;
}
+12
View File
@@ -74443,6 +74443,18 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t cryptocb_test(void)
#ifdef WOLFSSL_SHA512
if (ret == 0)
ret = sha512_test();
#if !defined(WOLFSSL_NOSHA512_224) && \
(!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
/* exercises the SHA-512/224 fallback to the generic SHA-512 callback,
* including object reuse after Final */
if (ret == 0)
ret = sha512_224_test();
#endif
#if !defined(WOLFSSL_NOSHA512_256) && \
(!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
if (ret == 0)
ret = sha512_256_test();
#endif
#ifdef WOLFSSL_SHA3
if (ret == 0)
ret = sha3_test();
+13
View File
@@ -1189,6 +1189,19 @@
/* settings in user_settings.h */
#endif
#if defined(WOLFSSL_RENESAS_RSIP) && !defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)
/* The Renesas FSPSM hash context has no software digest[] state field and
* the device computes each SHA-512 variant (SHA-384, SHA-512/224,
* SHA-512/256) natively. Disable the cryptocb fallback that reuses the
* generic SHA-512 callback for the variants: it relies on a digest[] IV in
* the context (absent here, so it would not compile) and assumes the
* backend exposes its hash state, which a device that keeps state
* internally does not. */
#ifndef WOLF_CRYPTO_CB_NO_SHA512_FALLBACK
#define WOLF_CRYPTO_CB_NO_SHA512_FALLBACK
#endif
#endif
#if defined(WOLFSSL_LWIP_NATIVE) || \
defined(HAVE_LWIP_NATIVE) /* using LwIP native TCP socket */
#undef WOLFSSL_USER_IO