Summary
wolfssl hash blake2b returns "Invalid algorithm" (exit 255) when wolfCLU is built against any current wolfSSL. The blake2b support is gated on the legacy HAVE_BLAKE2 macro, which current wolfSSL no longer defines — it was renamed to HAVE_BLAKE2B / HAVE_BLAKE2S. As a result wolfCLU's entire blake2b path compiles out.
Reproduction (clean build)
# wolfSSL (current master/release)
./configure --enable-blake2 --enable-base64encode && make && sudo make install
# -> defines HAVE_BLAKE2B / HAVE_BLAKE2S; settings.h #undefs bare HAVE_BLAKE2
# wolfCLU against it
./configure && make
printf 'abc' > in.txt
./wolfssl hash blake2b -in in.txt
# Invalid algorithm (exit 255)
Expected (matches openssl dgst -blake2b512):
ba80a53f981c4d0d6a2797b69f12f6e94c212f14685ac4b74b12bb6fdbffa2d17d87c5392aab792dc252d5de4533cc9518d38aa8dbf1925ab92386edd4009923
Root cause
- wolfCLU gates blake2b on
#ifdef HAVE_BLAKE2:
src/hash/clu_hash_setup.c:53 (the "blake2b" alg-name entry)
src/hash/clu_hash.c:37 (Blake2b hash;) and :104 (the blake2b dispatch)
- wolfCLU's
configure.ac does not define HAVE_BLAKE2 itself — it relies on wolfSSL's headers to provide it.
- Current wolfSSL
#undefs the bare macro in wolfssl/wolfcrypt/settings.h (legacy BLAKE gate, ~line 5543) in favor of HAVE_BLAKE2B / HAVE_BLAKE2S, which is what --enable-blake2 now defines.
Net: HAVE_BLAKE2 is never defined for wolfCLU, so all #ifdef HAVE_BLAKE2 regions are dead and blake2b is unavailable.
Fix
Gate blake2b on HAVE_BLAKE2B (the macro wolfSSL actually defines today), rather than the removed HAVE_BLAKE2.
Coupled defect — must be fixed in the same change
Re-enabling the path re-exposes a latent output-size bug in the same dead region:
src/hash/clu_hash_setup.c:71-72 sets size = BLAKE2B_OUTBYTES; (64) under the blake2 #ifdef.
- The per-algorithm default-size block (
clu_hash_setup.c:136-163) has no case for base64enc / base64dec, so size stays 64 for those.
- In
src/hash/clu_hash.c, the base64enc/base64dec paths only recompute the correct buffer size inside if (size == 0), so with size == 64 the output buffer is capped at 64 bytes and Base64_Encode/Base64_Decode return BUFFER_E ("Base64 encode/decode failed", exit 255) for any output > 64 bytes.
So simply switching HAVE_BLAKE2 → HAVE_BLAKE2B would restore blake2b and un-bury this broken base64 sizing. Add a base64enc/base64dec case to the default-size block that leaves size = 0 (so the proper-sizing path runs), or avoid initializing size to BLAKE2B_OUTBYTES for non-blake2 algorithms.
Impact
blake2b hashing via the wolfCLU CLI is non-functional against any modern wolfSSL. No crash / memory-safety issue — a hard "Invalid algorithm" (blake2b) or "Base64 ... failed" (base64, once re-enabled) error.
Verified by clean build + run on Ubuntu 24.04 against current wolfSSL master.
Summary
wolfssl hash blake2breturns "Invalid algorithm" (exit 255) when wolfCLU is built against any current wolfSSL. The blake2b support is gated on the legacyHAVE_BLAKE2macro, which current wolfSSL no longer defines — it was renamed toHAVE_BLAKE2B/HAVE_BLAKE2S. As a result wolfCLU's entire blake2b path compiles out.Reproduction (clean build)
Expected (matches
openssl dgst -blake2b512):ba80a53f981c4d0d6a2797b69f12f6e94c212f14685ac4b74b12bb6fdbffa2d17d87c5392aab792dc252d5de4533cc9518d38aa8dbf1925ab92386edd4009923Root cause
#ifdef HAVE_BLAKE2:src/hash/clu_hash_setup.c:53(the"blake2b"alg-name entry)src/hash/clu_hash.c:37(Blake2b hash;) and:104(theblake2bdispatch)configure.acdoes not defineHAVE_BLAKE2itself — it relies on wolfSSL's headers to provide it.#undefs the bare macro inwolfssl/wolfcrypt/settings.h(legacy BLAKE gate, ~line 5543) in favor ofHAVE_BLAKE2B/HAVE_BLAKE2S, which is what--enable-blake2now defines.Net:
HAVE_BLAKE2is never defined for wolfCLU, so all#ifdef HAVE_BLAKE2regions are dead andblake2bis unavailable.Fix
Gate blake2b on
HAVE_BLAKE2B(the macro wolfSSL actually defines today), rather than the removedHAVE_BLAKE2.Coupled defect — must be fixed in the same change
Re-enabling the path re-exposes a latent output-size bug in the same dead region:
src/hash/clu_hash_setup.c:71-72setssize = BLAKE2B_OUTBYTES;(64) under the blake2#ifdef.clu_hash_setup.c:136-163) has no case forbase64enc/base64dec, sosizestays 64 for those.src/hash/clu_hash.c, the base64enc/base64dec paths only recompute the correct buffer size insideif (size == 0), so withsize == 64the output buffer is capped at 64 bytes andBase64_Encode/Base64_DecodereturnBUFFER_E("Base64 encode/decode failed", exit 255) for any output > 64 bytes.So simply switching
HAVE_BLAKE2→HAVE_BLAKE2Bwould restore blake2b and un-bury this broken base64 sizing. Add abase64enc/base64deccase to the default-size block that leavessize = 0(so the proper-sizing path runs), or avoid initializingsizetoBLAKE2B_OUTBYTESfor non-blake2 algorithms.Impact
blake2b hashing via the wolfCLU CLI is non-functional against any modern wolfSSL. No crash / memory-safety issue — a hard "Invalid algorithm" (blake2b) or "Base64 ... failed" (base64, once re-enabled) error.
Verified by clean build + run on Ubuntu 24.04 against current wolfSSL master.