Skip to content

Add HMAC-BLAKE2b and HMAC-BLAKE2s API functions #9642

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
holtrop-wolfssl wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Add HMAC-BLAKE2b and HMAC-BLAKE2s API functions #9642

holtrop-wolfssl wants to merge 5 commits into from
+747 −19

Conversation

@holtrop-wolfssl
Copy link
Contributor

@holtrop-wolfssl holtrop-wolfssl commented Jan 12, 2026

Description

Add HMAC-BLAKE2b and HMAC-BLAKE2s API functions

Testing

Added unit tests with two KAT vectors for each HMAC-BLAKE2b and HMAC-BLAKE2s. Verified KAT vectors with both OpenSSL and Rust blake2 crate.

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@holtrop-wolfssl holtrop-wolfssl self-assigned this Jan 12, 2026
@holtrop-wolfssl
Copy link
Contributor Author

holtrop-wolfssl commented Jan 12, 2026

retest this please (org.jenkinsci.plugins.workflow.support.steps.AgentOfflineException: Unable to create live FilePath for wolf-linux-cloud-node-02zun3; wolf-linux-cloud-node-02zun3 was marked offline: Connection was broken)

@holtrop-wolfssl holtrop-wolfssl marked this pull request as ready for review January 12, 2026 18:50
@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Jan 12, 2026

🛟 Devin Lifeguard found 2 likely issues in this PR

  • use-forcezero snippet snippet: Replace both XMEMSET(x_key, 0, BLAKE2B_BLOCKBYTES); / XMEMSET(i_hash, 0, BLAKE2B_OUTBYTES); (and the corresponding BLAKE2s lines) with ForceZero(x_key, BLAKE2B_BLOCKBYTES); and ForceZero(i_hash, BLAKE2B_OUTBYTES);.
  • limit-stack-usage snippet snippet: Move x_key and i_hash (and optionally the state) to heap-allocated buffers using the WOLFSSL_SMALL_STACK pattern (e.g., XMALLOC / XFREE) to keep per-call stack usage under 100 bytes.

@holtrop-wolfssl
please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

SparkiDev
SparkiDev reviewed Jan 12, 2026
View reviewed changes
@holtrop-wolfssl
Copy link
Contributor Author

holtrop-wolfssl commented Jan 13, 2026

🛟 Devin Lifeguard found 2 likely issues in this PR

  • use-forcezero snippet snippet: Replace both XMEMSET(x_key, 0, BLAKE2B_BLOCKBYTES); / XMEMSET(i_hash, 0, BLAKE2B_OUTBYTES); (and the corresponding BLAKE2s lines) with ForceZero(x_key, BLAKE2B_BLOCKBYTES); and ForceZero(i_hash, BLAKE2B_OUTBYTES);.
  • limit-stack-usage snippet snippet: Move x_key and i_hash (and optionally the state) to heap-allocated buffers using the WOLFSSL_SMALL_STACK pattern (e.g., XMALLOC / XFREE) to keep per-call stack usage under 100 bytes.

@holtrop-wolfssl please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

@douzzer / @SparkiDev - I had mostly copied and adapted @douzzer's kernel implementation for this. But would it make sense to you two to fix either/both of these Devin suggestions?

@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Jan 14, 2026

🛟 Devin Lifeguard found 2 likely issues in this PR

  • use-forcezero snippet snippet: Insert ForceZero(x_key, sizeof(x_key)); just before the return ret; statement in both wc_Blake2bHmacFinal() and wc_Blake2sHmacFinal() to securely clear the key material.
  • limit-stack-usage snippet snippet: Move the 128-byte x_key buffers and the Blake2b state struct in wc_Blake2bHmacInit/Final and wc_Blake2bHmac to heap memory using the WOLFSSL_SMALL_STACK pattern (e.g., #ifdef WOLFSSL_SMALL_STACK byte* x_key = (byte*)XMALLOC(BLAKE2B_BLOCKBYTES, heap, DYNAMIC_TYPE_TMP_BUFFER); and XFREE() before return).

@holtrop-wolfssl
please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

SparkiDev
SparkiDev requested changes Jan 14, 2026
View reviewed changes
wolfssl/wolfcrypt/blake2.h
WOLFSSL_API int wc_Blake2bUpdate(Blake2b* b2b, const byte* data, word32 sz);
WOLFSSL_API int wc_Blake2bFinal(Blake2b* b2b, byte* final, word32 requestSz);
WOLFSSL_API int wc_Blake2bHmacInit(Blake2b * b2b,
const byte * key, size_t key_len);
Copy link
Contributor

@SparkiDev SparkiDev Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The convention is * .
Also the convention in the file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SparkiDev SparkiDev SparkiDev requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@holtrop-wolfssl holtrop-wolfssl

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@holtrop-wolfssl @SparkiDev @wolfSSL-Bot