WOLF_CRYPTO_CB_ONLY_SHA256: strip software SHA-256 and dispatch via swdev

Add WOLF_CRYPTO_CB_ONLY_SHA256: when set, the SHA-256 software.
wc_Sha256FinalRaw is reduced to a stub returning NO_VALID_DEVID, and
sha256.h force-defines WOLFSSL_NO_HASH_RAW so the constant-time TLS HMAC
path falls back to its backend-opaque variant.

Incompatible with
WOLFSSL_SHA224, which aliases the SHA-256 statics; #error guard added.

Add wc_swdev support for SHA-256 for testing.

Author: rizlik

.github/workflows/cryptocb-only.yml

@@ -28,6 +28,13 @@ jobs:
           # software path via cryptocb.
           - name: RSA
             cppflags: -DWOLF_CRYPTO_CB_ONLY_RSA
+          # WOLF_CRYPTO_CB_ONLY_SHA256: strips software SHA-256; swdev provides
+          # the software path via cryptocb.  SHA-224 piggybacks on the SHA-256
+          # software core so it is incompatible with this strip and must be
+          # explicitly disabled (it is default-on on x86_64/aarch64).
+          - name: SHA256
+            extra_config: --disable-sha224
+            cppflags: -DWOLF_CRYPTO_CB_ONLY_SHA256
     name: make check (${{ matrix.name }})
     if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-24.04

tests/api.c

@@ -28472,6 +28472,7 @@ static int test_SSL_CIPHER_get_xxx(void)
 }
 
 #if defined(WOLF_CRYPTO_CB) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \
+    !defined(WOLF_CRYPTO_CB_ONLY_SHA256) && \
     !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLF_CRYPTO_CB_ONLY_RSA)
 
 static int load_pem_key_file_as_der(const char* privKeyFile, DerBuffer** pDer,
@@ -29475,6 +29476,7 @@ static int test_wc_CryptoCb(void)
 {
     EXPECT_DECLS;
 #if defined(WOLF_CRYPTO_CB) && \
+    !defined(WOLF_CRYPTO_CB_ONLY_SHA256) && \
     !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLF_CRYPTO_CB_ONLY_RSA)
     /* TODO: Add crypto callback API tests */
 

tests/swdev/swdev.c

@@ -13,6 +13,9 @@
 #ifdef HAVE_ECC
 #include <wolfssl/wolfcrypt/ecc.h>
 #endif
+#ifndef NO_SHA256
+#include <wolfssl/wolfcrypt/sha256.h>
+#endif
 
 static int swdev_initialized = 0;
 
@@ -120,6 +123,62 @@ static int swdev_ecc_get_sig_size(wc_CryptoInfo* info)
 }
 #endif /* HAVE_ECC */
 
+#ifndef NO_SHA256
+/* Copy hash state between caller's wc_Sha256 and swdev's shadow, leaving
+ * admin fields (heap, devId, devCtx, W, async, HW ctx) per-side. */
+static void swdev_sha256_copy_state(wc_Sha256* dst, const wc_Sha256* src)
+{
+    XMEMCPY(dst->digest, src->digest, sizeof(dst->digest));
+    XMEMCPY(dst->buffer, src->buffer, sizeof(dst->buffer));
+    dst->buffLen = src->buffLen;
+    dst->loLen   = src->loLen;
+    dst->hiLen   = src->hiLen;
+#ifdef WC_C_DYNAMIC_FALLBACK
+    dst->sha_method = src->sha_method;
+#endif
+#ifdef WOLFSSL_HASH_FLAGS
+    dst->flags = src->flags;
+#endif
+}
+
+/* Run the op on a per-call shadow wc_Sha256 owned by swdev, copying state
+ * in and out around it. The caller's struct, allocated by libwolfssl with
+ * the software init stripped, can't be used directly. */
+static int swdev_sha256(wc_CryptoInfo* info)
+{
+    wc_Sha256* sha256 = info->hash.sha256;
+    wc_Sha256 shadow;
+    int ret;
+
+    if (sha256 == NULL)
+        return BAD_FUNC_ARG;
+
+    ret = wc_InitSha256(&shadow);
+    if (ret != 0)
+        return ret;
+
+    swdev_sha256_copy_state(&shadow, sha256);
+
+    if (info->hash.in != NULL) {
+        ret = wc_Sha256Update(&shadow, info->hash.in, info->hash.inSz);
+        if (ret != 0)
+            goto out;
+    }
+
+    if (info->hash.digest != NULL) {
+        ret = wc_Sha256Final(&shadow, info->hash.digest);
+        if (ret != 0)
+            goto out;
+    }
+
+    swdev_sha256_copy_state(sha256, &shadow);
+
+out:
+    wc_Sha256Free(&shadow);
+    return ret;
+}
+#endif /* !NO_SHA256 */
+
 WC_SWDEV_EXPORT int wc_SwDev_Callback(int devId, wc_CryptoInfo* info,
     void* ctx)
 {
@@ -164,6 +223,15 @@ WC_SWDEV_EXPORT int wc_SwDev_Callback(int devId, wc_CryptoInfo* info,
         default:
             return CRYPTOCB_UNAVAILABLE;
         }
+#endif
+#ifndef NO_SHA256
+    case WC_ALGO_TYPE_HASH:
+        switch (info->hash.type) {
+        case WC_HASH_TYPE_SHA256:
+            return swdev_sha256(info);
+        default:
+            return CRYPTOCB_UNAVAILABLE;
+        }
 #endif
     default:
         return CRYPTOCB_UNAVAILABLE;

tests/swdev/user_settings.h

@@ -15,6 +15,7 @@
 
 #undef WOLF_CRYPTO_CB_ONLY_RSA
 #undef WOLF_CRYPTO_CB_ONLY_ECC
+#undef WOLF_CRYPTO_CB_ONLY_SHA256
 
 #ifndef WOLF_CRYPTO_CB
     #error "wc_swdev requires the main build to define WOLF_CRYPTO_CB"

wolfcrypt/src/cryptocb.c

@@ -52,6 +52,7 @@ Crypto Callback Build Options:
  *                      and SHA-512 operations.
  * WOLF_CRYPTO_CB_ONLY_ECC: Use only callbacks for ECC          default: off
  * WOLF_CRYPTO_CB_ONLY_RSA: Use only callbacks for RSA          default: off
+ * WOLF_CRYPTO_CB_ONLY_SHA256: Use only callbacks for SHA-256   default: off
  */
 
 #include <wolfssl/wolfcrypt/libwolfssl_sources.h>

wolfcrypt/src/sha256.c

@@ -60,6 +60,10 @@ on the specific device platform.
 
 #if !defined(NO_SHA256) && !defined(WOLFSSL_RISCV_ASM)
 
+#if defined(WOLF_CRYPTO_CB_ONLY_SHA256) && defined(WOLFSSL_SHA224)
+    #error "WOLF_CRYPTO_CB_ONLY_SHA256 is incompatible with WOLFSSL_SHA224"
+#endif
+
 #if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
     /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
     #define FIPS_NO_WRAPPERS
@@ -1205,6 +1209,7 @@ static WC_INLINE int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,
 
 #ifdef NEED_SOFT_SHA256
 
+#ifndef WOLF_CRYPTO_CB_ONLY_SHA256
     static const FLASH_QUALIFIER ALIGN32 word32 K[64] = {
         0x428A2F98L, 0x71374491L, 0xB5C0FBCFL, 0xE9B5DBA5L, 0x3956C25BL,
         0x59F111F1L, 0x923F82A4L, 0xAB1C5ED5L, 0xD807AA98L, 0x12835B01L,
@@ -1580,6 +1585,7 @@ static WC_INLINE int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,
 
         return ret;
     }
+#endif /* !WOLF_CRYPTO_CB_ONLY_SHA256 */
 
 #if defined(WOLFSSL_KCAPI_HASH)
     /* implemented in wolfcrypt/src/port/kcapi/kcapi_hash.c */
@@ -1609,6 +1615,9 @@ static WC_INLINE int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,
             /* fall-through when unavailable */
         }
     #endif
+    #ifdef WOLF_CRYPTO_CB_ONLY_SHA256
+        return NO_VALID_DEVID;
+    #else
     #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256)
         if (sha256->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA256) {
         #if defined(HAVE_INTEL_QA)
@@ -1618,9 +1627,11 @@ static WC_INLINE int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,
     #endif /* WOLFSSL_ASYNC_CRYPT */
 
         return Sha256Update(sha256, data, len);
+    #endif /* !WOLF_CRYPTO_CB_ONLY_SHA256 */
     }
 #endif
 
+#ifndef WOLF_CRYPTO_CB_ONLY_SHA256
     static WC_INLINE int Sha256Final(wc_Sha256* sha256)
     {
         int ret;
@@ -1771,9 +1782,11 @@ static WC_INLINE int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,
 
         return ret;
     }
+#endif /* !WOLF_CRYPTO_CB_ONLY_SHA256 */
 
 #if !defined(WOLFSSL_KCAPI_HASH)
 
+#ifndef WOLFSSL_NO_HASH_RAW
     int wc_Sha256FinalRaw(wc_Sha256* sha256, byte* hash)
     {
     #ifdef LITTLE_ENDIAN_ORDER
@@ -1797,6 +1810,7 @@ static WC_INLINE int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,
 
         return 0;
     }
+#endif /* !WOLFSSL_NO_HASH_RAW */
 
     int wc_Sha256Final(wc_Sha256* sha256, byte* hash)
     {
@@ -1818,6 +1832,9 @@ static WC_INLINE int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,
         }
     #endif
 
+    #ifdef WOLF_CRYPTO_CB_ONLY_SHA256
+        return NO_VALID_DEVID;
+    #else
     #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256)
         if (sha256->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA256) {
         #if defined(HAVE_INTEL_QA)
@@ -1841,9 +1858,11 @@ static WC_INLINE int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,
         XMEMCPY(hash, sha256->digest, WC_SHA256_DIGEST_SIZE);
 
         return InitSha256(sha256);  /* reset state */
+    #endif /* !WOLF_CRYPTO_CB_ONLY_SHA256 */
     }
 
-#if defined(OPENSSL_EXTRA) || defined(HAVE_CURL)
+#if (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && \
+    !defined(WOLF_CRYPTO_CB_ONLY_SHA256)
 /* Apply SHA256 transformation to the data                */
 /* @param sha  a pointer to wc_Sha256 structure           */
 /* @param data data to be applied SHA256 transformation   */
@@ -1867,7 +1886,8 @@ static WC_INLINE int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,
     }
 #endif /* OPENSSL_EXTRA || HAVE_CURL */
 
-#if defined(WOLFSSL_HAVE_LMS) && !defined(WOLFSSL_LMS_FULL_HASH)
+#if defined(WOLFSSL_HAVE_LMS) && !defined(WOLFSSL_LMS_FULL_HASH) && \
+    !defined(WOLF_CRYPTO_CB_ONLY_SHA256)
     /* One block will be used from data.
      * hash must be big enough to hold all of digest output.
      */

wolfcrypt/test/test.c

@@ -5665,7 +5665,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t sha256_test(void)
 #undef LARGE_HASH_TEST_INPUT_SZ
 #endif /* NO_LARGE_HASH_TEST */
 
-#if defined(WOLFSSL_HAVE_LMS) && !defined(WOLFSSL_LMS_FULL_HASH)
+#if defined(WOLFSSL_HAVE_LMS) && !defined(WOLFSSL_LMS_FULL_HASH) && \
+    !defined(WOLF_CRYPTO_CB_ONLY_SHA256)
     {
         WOLFSSL_SMALL_STACK_STATIC const unsigned char
             data_hb[WC_SHA256_BLOCK_SIZE] = {
@@ -68106,6 +68107,52 @@ static wc_test_ret_t ecc_onlycb_test(myCryptoDevCtx *ctx)
 }
 #endif
 
+#ifdef WOLF_CRYPTO_CB_ONLY_SHA256
+/* Exercise SHA-256 dispatch under CB_ONLY_SHA256: cb-handled then cb-delegated. */
+static wc_test_ret_t sha256_onlycb_test(myCryptoDevCtx *ctx)
+{
+    wc_test_ret_t ret = 0;
+#if !defined(NO_SHA256)
+    wc_Sha256 sha;
+    byte      hash[WC_SHA256_DIGEST_SIZE];
+    const byte in[] = "abc";
+
+    ret = wc_InitSha256_ex(&sha, HEAP_HINT, devId);
+    if (ret != 0)
+        return WC_TEST_RET_ENC_EC(ret);
+
+    /* cb handles the op, expects 0(success) */
+    ctx->exampleVar = 99;
+    ret = wc_Sha256Update(&sha, in, (word32)sizeof(in) - 1);
+    if (ret != 0)
+        ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_onlycb);
+    ret = wc_Sha256Final(&sha, hash);
+    if (ret != 0)
+        ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_onlycb);
+
+    /* cb delegates to software, expects NO_VALID_DEVID(failure) */
+    ctx->exampleVar = 1;
+    ret = wc_Sha256Update(&sha, in, (word32)sizeof(in) - 1);
+    if (ret != WC_NO_ERR_TRACE(NO_VALID_DEVID)) {
+        ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_onlycb);
+    } else {
+        ret = 0;
+    }
+    ret = wc_Sha256Final(&sha, hash);
+    if (ret != WC_NO_ERR_TRACE(NO_VALID_DEVID)) {
+        ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_onlycb);
+    } else {
+        ret = 0;
+    }
+
+exit_onlycb:
+    wc_Sha256Free(&sha);
+#endif /* !NO_SHA256 */
+    (void)ctx;
+    return ret;
+}
+#endif /* WOLF_CRYPTO_CB_ONLY_SHA256 */
+
 /* Example crypto dev callback function that calls software version */
 static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
 {
@@ -68727,6 +68774,15 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
 
             /* set devId to invalid, so software is used */
             info->hash.sha256->devId = INVALID_DEVID;
+            #if defined(WOLF_CRYPTO_CB_ONLY_SHA256)
+            #ifdef DEBUG_WOLFSSL
+            printf("CryptoDevCb: exampleVar %d\n", myCtx->exampleVar);
+            #endif
+            if (myCtx->exampleVar == 99) {
+                info->hash.sha256->devId = devIdArg;
+                return 0;
+            }
+            #endif
 
             if (info->hash.in != NULL) {
                 ret = wc_Sha256Update(
@@ -69857,6 +69913,12 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t cryptocb_test(void)
         ret = ecc_onlycb_test(&myCtx);
     PRIVATE_KEY_LOCK();
 #endif
+#if defined(WOLF_CRYPTO_CB_ONLY_SHA256) && !defined(WOLFSSL_SWDEV)
+    PRIVATE_KEY_UNLOCK();
+    if (ret == 0)
+        ret = sha256_onlycb_test(&myCtx);
+    PRIVATE_KEY_LOCK();
+#endif
 #ifdef WOLFSSL_HAVE_MLKEM
     if (ret == 0)
         ret = mlkem_test();

wolfssl/wolfcrypt/sha256.h

@@ -102,6 +102,12 @@
 #define WOLFSSL_NO_HASH_RAW
 #endif
 
+/* no raw hash access when software transform is stripped */
+#if defined(WOLF_CRYPTO_CB_ONLY_SHA256)
+#undef  WOLFSSL_NO_HASH_RAW
+#define WOLFSSL_NO_HASH_RAW
+#endif
+
 #define SHA256_NOINLINE WC_NO_INLINE
 
 #if !defined(NO_OLD_SHA_NAMES)