update to latest release of wolfssl (5.9.1) #29
Open
gasbytes wants to merge 5 commits into
- updated build.rs to build the bindings to the latest release;
- updated the wc_sha_* shas to use the updated wc_HashType_Wc_hash_*;
- updated ecc ids;
- per wolfSSL#24 (comment) refactored the eddsa.rs file in order to import the key using the asn parsing directly from wolfcrypt, with proper slicing since the private key gets imported full size (64) instead of 32.
- Also removed --enable-all since it was pretty much useless;
- If blinding is enabled, set the rng and associate it with the private key;

This was necessary since starting from 5.9.1 curve blinding is enabled by default on pure-c builds (no asm is selected). This change prevents a -173 failure when deriving a secret with curve25519.
Decode pkcs#8v2 keys via DecodeAsymKey and strip the BIT STRING prefix from the embedded public key, avoiding wc_Ed25519PrivateKeyDecode's BAD_FUNC_ARG (-173) on RFC 5958 keys
holtrop-wolfssl
previously approved these changes
Jun 4, 2026
Reviewed — looks good. The EdDSA rewrite replacing hand-rolled DER parsing with DecodeAsymKey is a clear improvement, and the build-time blinding detection is clean. No concerns with the changes. @gasbytes please go ahead and merge when ready.
Pull request overview
Updates the vendored wolfSSL/wolfCrypt integration to target wolfSSL 5.9.1, adjusting FFI constant names and key-handling behavior so the Rust provider continues to build and interoperate correctly (including PKCS#8 v2 ED25519 keys and Curve25519 blinding configurations).
Changes:
- Bump wolfSSL source download/build to `v5.9.1-stable`, update SHA256, and remove `--enable-all` from the configure flags.
- Update wolfCrypt constant usage to the newer enum/identifier names (hash types and ECC curve IDs) across signing/verification and tests.
- Add Curve25519 RNG attachment plumbing for blinding-enabled builds and switch ED25519 PKCS#8 parsing to `DecodeAsymKey` with public-key normalization.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| wolfcrypt-rs/src/lib.rs | Adds a curve25519_set_rng wrapper that becomes a no-op when curve25519 blinding support isn’t compiled in. |
| wolfcrypt-rs/build.rs | Updates wolfSSL version/SHA; emits a cfg for curve25519 blinding based on generated bindings; removes --enable-all. |
| rustls-wolfcrypt-provider/tests/e2e.rs | Updates test server path to the new wolfSSL version and adjusts curve ID constants. |
| rustls-wolfcrypt-provider/src/verify/rsapkcs1.rs | Updates FFI key pointer cast to match updated wolfCrypt signature API expectations. |
| rustls-wolfcrypt-provider/src/verify/ecdsa.rs | Updates ECC curve IDs to the new identifier names. |
| rustls-wolfcrypt-provider/src/sign/rsa.rs | Updates FFI key pointer cast for RSA signature generation. |
| rustls-wolfcrypt-provider/src/sign/eddsa.rs | Switches ED25519 PKCS#8 parsing to DecodeAsymKey and normalizes embedded public-key encodings. |
| rustls-wolfcrypt-provider/src/sign/ecdsa.rs | Updates ECC curve IDs to the new identifier names. |
| rustls-wolfcrypt-provider/src/kx/x25519.rs | Attaches an RNG to Curve25519 private keys to support blinding builds; improves shared-secret error reporting. |
| rustls-wolfcrypt-provider/src/kx/sec521r1.rs | Updates ECC curve IDs to the new identifier names. |
| rustls-wolfcrypt-provider/src/kx/sec384r1.rs | Updates ECC curve IDs to the new identifier names. |
| rustls-wolfcrypt-provider/src/kx/sec256r1.rs | Updates ECC curve IDs to the new identifier names. |
| rustls-wolfcrypt-provider/src/hmac/mod.rs | Updates HMAC hash-type constants to the newer wolfCrypt hash-type enum values. |
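
The key layout behind the ED25519 PKCS#8 change, as an added example that is not code from this pull request: a dependency-free Rust parser for an RFC 5958 (PKCS#8 v2) Ed25519 key that strips the BIT STRING unused-bits octet from the embedded public key. The function names and the sample key are constructed for illustration; the PR itself delegates parsing to wolfCrypt's DecodeAsymKey.

```rust
/// Read one DER TLV with a short-form length: (tag, value, rest).
fn tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = input.split_first()?;
    let (&len, rest) = rest.split_first()?;
    if len >= 0x80 || rest.len() < len as usize { return None; }
    let (value, rest) = rest.split_at(len as usize);
    Some((tag, value, rest))
}

/// Strip the BIT STRING "unused bits" octet; a bare 32-byte key is also accepted (assumption).
fn normalize_public(raw: &[u8]) -> Option<&[u8]> {
    match raw {
        [0x00, key @ ..] if key.len() == 32 => Some(key),
        key if key.len() == 32 => Some(key),
        _ => None,
    }
}

/// Parse OneAsymmetricKey for Ed25519: returns (32-byte seed, optional public key).
fn parse_ed25519_pkcs8(der: &[u8]) -> Option<(&[u8], Option<&[u8]>)> {
    let (0x30, body, []) = tlv(der)? else { return None };
    let (0x02, version, body) = tlv(body)? else { return None };
    let (0x30, alg, body) = tlv(body)? else { return None };
    if alg != [0x06, 0x03, 0x2b, 0x65, 0x70] { return None; } // OID 1.3.101.112
    let (0x04, wrapped, mut body) = tlv(body)? else { return None };
    let (0x04, seed, []) = tlv(wrapped)? else { return None }; // inner OCTET STRING
    if let Some((0xa0, _attrs, rest)) = tlv(body) { body = rest; } // [0] attributes
    let mut public = None;
    if let Some((0x81, value, rest)) = tlv(body) { // [1] IMPLICIT BIT STRING
        public = Some(normalize_public(value)?);
        body = rest;
    }
    // RFC 5958: version is v1 (0) or v2 (1), and publicKey requires v2.
    let version_ok = version == [1] || (version == [0] && public.is_none());
    if !body.is_empty() || seed.len() != 32 || !version_ok { return None; }
    Some((seed, public))
}

/// Constructed sample (not a real key): v2, seed 0x11.., public key 0x22..
fn sample_key() -> Vec<u8> {
    let mut der = vec![0x30, 0x51, 0x02, 0x01, 0x01, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70];
    der.extend_from_slice(&[0x04, 0x22, 0x04, 0x20]);
    der.extend_from_slice(&[0x11; 32]);
    der.extend_from_slice(&[0x81, 0x21, 0x00]);
    der.extend_from_slice(&[0x22; 32]);
    der
}

fn main() {
    let der = sample_key();
    let (seed, public) = parse_ed25519_pkcs8(&der).expect("constructed key parses");
    println!("seed[0]={:#04x}, public key present: {}", seed[0], public.is_some());
}
```
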
…rsing Since "uncompressed point" is technically wrong for ed25519 keys
holtrop-wolfssl
approved these changes
Jun 5, 2026
julek-wolfssl
approved these changes
Jun 5, 2026