sha256, sha512_256: switch to wolfCrypt API

Replacing the OpenSSL-like compatibility interface, and syncing with existing API use within lib/wolfssl.c for SHA-256. Ref: https://www.wolfssl.com/documentation/manuals/wolfssl/group__SHA.html Follow-up to 28f0932073 #21077 Follow-up to 988b352f91 #21078 Closes #21090
2026-04-11 12:01:42 +08:00 · 2026-03-24 23:00:02 +01:00 · 2026-03-24 23:00:02 +01:00 · ff3251a538
commit ff3251a538
parent 988b352f91
2 changed files with 66 additions and 71 deletions
--- a/lib/curl_sha512_256.c
+++ b/lib/curl_sha512_256.c
@ -31,9 +31,9 @@
 * 1. USE_OPENSSL
 * 2. USE_WOLFSSL
 * 3. USE_GNUTLS
- * 4. USE_MBEDTLS
- * 5. USE_RUSTLS
- * 6. USE_WIN32_CRYPTO
+ * 4. USE_MBEDTLS (TBD)
+ * 5. USE_RUSTLS (TBD)
+ * 6. USE_WIN32_CRYPTO (TBD)
 * Skip the backend if it does not support the required algorithm */

 #ifdef USE_OPENSSL
@ -64,17 +64,15 @@
 #      endif
 #    endif
 #  endif
-#elif defined(USE_WOLFSSL)
-#  include <wolfssl/version.h>
-#  if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX >= 0x05000000
+#endif /* USE_OPENSSL */
+
+#if !defined(HAS_SHA512_256_IMPLEMENTATION) && defined(USE_WOLFSSL)
 #  include <wolfssl/options.h>
-#    include <wolfssl/openssl/evp.h>
 #  ifndef WOLFSSL_NOSHA512_256
-#      define USE_OPENSSL_SHA512_256          1
+#    define USE_WOLFSSL_SHA512_256          1
 #    define HAS_SHA512_256_IMPLEMENTATION   1
 #  endif
 #endif
-#endif

 #if !defined(HAS_SHA512_256_IMPLEMENTATION) && defined(USE_GNUTLS)
 #  include <nettle/sha.h>
@ -101,11 +99,7 @@
 /**
 * Context type used for SHA-512/256 calculations
 */
-#ifdef USE_OPENSSL
 typedef EVP_MD_CTX *Curl_sha512_256_ctx;
-#else
-typedef WOLFSSL_EVP_MD_CTX *Curl_sha512_256_ctx;
-#endif

 /**
 * Initialise structure for SHA-512/256 calculation.
@ -118,36 +112,21 @@ static CURLcode Curl_sha512_256_init(void *context)
 {
  Curl_sha512_256_ctx * const ctx = (Curl_sha512_256_ctx *)context;

-#ifdef USE_OPENSSL
  *ctx = EVP_MD_CTX_create();
-#else
-  *ctx = wolfSSL_EVP_MD_CTX_new();
-#endif
  if(!*ctx)
    return CURLE_OUT_OF_MEMORY;

-#ifdef USE_OPENSSL
  if(EVP_DigestInit_ex(*ctx, EVP_sha512_256(), NULL)) {
    /* Check whether the header and this file use the same numbers */
    DEBUGASSERT(EVP_MD_CTX_size(*ctx) == CURL_SHA512_256_DIGEST_SIZE);
    /* Check whether the block size is correct */
    DEBUGASSERT(EVP_MD_CTX_block_size(*ctx) == CURL_SHA512_256_BLOCK_SIZE);
-#else
-  if(wolfSSL_EVP_DigestInit_ex(*ctx, wolfSSL_EVP_sha512_256(), NULL)) {
-    /* Check whether the header and this file use the same numbers */
-    DEBUGASSERT(wolfSSL_EVP_MD_CTX_size(*ctx) == CURL_SHA512_256_DIGEST_SIZE);
-    /* wolfSSL_EVP_MD_CTX_block_size() returns zero as of v5.9.0 */
-#endif

    return CURLE_OK; /* Success */
  }

  /* Cleanup */
-#ifdef USE_OPENSSL
  EVP_MD_CTX_destroy(*ctx);
-#else
-  wolfSSL_EVP_MD_CTX_free(*ctx);
-#endif
  return CURLE_FAILED_INIT;
 }

@ -165,11 +144,7 @@ static CURLcode Curl_sha512_256_update(void *context,
 {
  Curl_sha512_256_ctx * const ctx = (Curl_sha512_256_ctx *)context;

-#ifdef USE_OPENSSL
  if(!EVP_DigestUpdate(*ctx, data, length))
-#else
-  if(!wolfSSL_EVP_DigestUpdate(*ctx, data, length))
-#endif
    return CURLE_SSL_CIPHER;

  return CURLE_OK;
@ -199,24 +174,46 @@ static CURLcode Curl_sha512_256_finish(unsigned char *digest, void *context)
    memcpy(digest, tmp_digest, CURL_SHA512_256_DIGEST_SIZE);
  explicit_memset(tmp_digest, 0, sizeof(tmp_digest));
 #else /* !NEED_NETBSD_SHA512_256_WORKAROUND */
-#ifdef USE_OPENSSL
  ret = EVP_DigestFinal_ex(*ctx, digest, NULL) ? CURLE_OK : CURLE_SSL_CIPHER;
-#else
-  ret = wolfSSL_EVP_DigestFinal_ex(*ctx, digest, NULL) ?
-    CURLE_OK : CURLE_SSL_CIPHER;
-#endif
 #endif /* NEED_NETBSD_SHA512_256_WORKAROUND */

-#ifdef USE_OPENSSL
  EVP_MD_CTX_destroy(*ctx);
-#else
-  wolfSSL_EVP_MD_CTX_free(*ctx);
-#endif
  *ctx = NULL;

  return ret;
 }

+#elif defined(USE_WOLFSSL_SHA512_256)
+#include <wolfssl/wolfcrypt/sha512.h>
+
+#define CURL_SHA512_256_DIGEST_SIZE WC_SHA512_256_DIGEST_SIZE
+#define CURL_SHA512_256_BLOCK_SIZE  WC_SHA512_256_BLOCK_SIZE
+
+typedef struct wc_Sha512 Curl_sha512_256_ctx;
+
+static CURLcode Curl_sha512_256_init(void *ctx)
+{
+  if(wc_InitSha512_256(ctx))
+    return CURLE_FAILED_INIT;
+  return CURLE_OK;
+}
+
+static CURLcode Curl_sha512_256_update(void *ctx,
+                                       const unsigned char *data,
+                                       size_t length)
+{
+  if(wc_Sha512_256Update(ctx, data, (word32)length))
+    return CURLE_SSL_CIPHER;
+  return CURLE_OK;
+}
+
+static CURLcode Curl_sha512_256_finish(unsigned char *digest, void *ctx)
+{
+  if(wc_Sha512_256Final(ctx, digest))
+    return CURLE_SSL_CIPHER;
+  return CURLE_OK;
+}
+
 #elif defined(USE_GNUTLS_SHA512_256)

 #define CURL_SHA512_256_BLOCK_SIZE  SHA512_256_BLOCK_SIZE
--- a/lib/sha256.c
+++ b/lib/sha256.c
@ -50,41 +50,23 @@
 * file even if multiple backends are enabled at the same time.
 */

-#if defined(USE_OPENSSL) || defined(USE_WOLFSSL)
 #ifdef USE_OPENSSL
 #include <openssl/evp.h>
-#else
-#include <wolfssl/options.h>
-#include <wolfssl/openssl/evp.h>
-#endif

 struct ossl_sha256_ctx {
-#ifdef USE_OPENSSL
  EVP_MD_CTX *openssl_ctx;
-#else
-  WOLFSSL_EVP_MD_CTX *openssl_ctx;
-#endif
 };
 typedef struct ossl_sha256_ctx my_sha256_ctx;

 static CURLcode my_sha256_init(void *in)
 {
  my_sha256_ctx *ctx = (my_sha256_ctx *)in;
-#ifdef USE_OPENSSL
  ctx->openssl_ctx = EVP_MD_CTX_create();
-#else
-  ctx->openssl_ctx = wolfSSL_EVP_MD_CTX_new();
-#endif
  if(!ctx->openssl_ctx)
    return CURLE_OUT_OF_MEMORY;

-#ifdef USE_OPENSSL
  if(!EVP_DigestInit_ex(ctx->openssl_ctx, EVP_sha256(), NULL)) {
    EVP_MD_CTX_destroy(ctx->openssl_ctx);
-#else
-  if(!wolfSSL_EVP_DigestInit_ex(ctx->openssl_ctx, EVP_sha256(), NULL)) {
-    wolfSSL_EVP_MD_CTX_free(ctx->openssl_ctx);
-#endif
    return CURLE_FAILED_INIT;
  }
  return CURLE_OK;
@ -95,23 +77,39 @@ static void my_sha256_update(void *in,
                             unsigned int length)
 {
  my_sha256_ctx *ctx = (my_sha256_ctx *)in;
-#ifdef USE_OPENSSL
  EVP_DigestUpdate(ctx->openssl_ctx, data, length);
-#else
-  wolfSSL_EVP_DigestUpdate(ctx->openssl_ctx, data, length);
-#endif
 }

 static void my_sha256_final(unsigned char *digest, void *in)
 {
  my_sha256_ctx *ctx = (my_sha256_ctx *)in;
-#ifdef USE_OPENSSL
  EVP_DigestFinal_ex(ctx->openssl_ctx, digest, NULL);
  EVP_MD_CTX_destroy(ctx->openssl_ctx);
-#else
-  wolfSSL_EVP_DigestFinal_ex(ctx->openssl_ctx, digest, NULL);
-  wolfSSL_EVP_MD_CTX_free(ctx->openssl_ctx);
-#endif
+}
+
+#elif defined(USE_WOLFSSL)
+#include <wolfssl/options.h>
+#include <wolfssl/wolfcrypt/sha256.h>
+
+typedef struct wc_Sha256 my_sha256_ctx;
+
+static CURLcode my_sha256_init(void *in)
+{
+  if(wc_InitSha256(in))
+    return CURLE_FAILED_INIT;
+  return CURLE_OK;
+}
+
+static void my_sha256_update(void *in,
+                             const unsigned char *data,
+                             unsigned int length)
+{
+  (void)wc_Sha256Update(in, data, (word32)length);
+}
+
+static void my_sha256_final(unsigned char *digest, void *in)
+{
+  (void)wc_Sha256Final(in, digest);
 }

 #elif defined(USE_GNUTLS)