wolfSSL · rizlik · May 19, 2026 · May 20, 2026
diff --git a/.github/workflows/cryptocb-only.yml b/.github/workflows/cryptocb-only.yml
@@ -33,6 +33,19 @@ jobs:
           # the software path via cryptocb.
           - name: SHA256
             cppflags: -DWOLF_CRYPTO_CB_ONLY_SHA256
+          # WOLF_CRYPTO_CB_ONLY_SHA512: strips software SHA-512 family (SHA-384,
+          # SHA-512/224, SHA-512/256, SHA-512); swdev handles every variant
+          # explicitly via cryptocb.
+          - name: SHA512
+            cppflags: -DWOLF_CRYPTO_CB_ONLY_SHA512
+          # Same as SHA512 but tells swdev to refuse the SHA-384 / SHA-512/224 /
+          # SHA-512/256 variant callbacks (WOLFSSL_SWDEV_SHA512_GENERAL_ONLY). That
+          # forces the cryptocb dispatcher's fallback-to-plain-SHA-512-with-
+          # truncation path. The SHA512 entry above instead has swdev handle
+          # every variant end-to-end, so the dispatcher fallback is otherwise
+          # uncovered.
+          - name: SHA512_via_general
+            cppflags: -DWOLF_CRYPTO_CB_ONLY_SHA512 -DWOLFSSL_SWDEV_SHA512_GENERAL_ONLY
           # WOLF_CRYPTO_CB_ONLY_AES: strips software AES; swdev provides the
           # software path via cryptocb.
           - name: AES
@@ -51,7 +64,8 @@ jobs:
           - name: ALL
             cppflags: >-
               -DWOLF_CRYPTO_CB_ONLY_ECC -DWOLF_CRYPTO_CB_ONLY_RSA
-              -DWOLF_CRYPTO_CB_ONLY_SHA256 -DWOLF_CRYPTO_CB_ONLY_AES
+              -DWOLF_CRYPTO_CB_ONLY_SHA256 -DWOLF_CRYPTO_CB_ONLY_SHA512
+              -DWOLF_CRYPTO_CB_ONLY_AES
     name: make check (${{ matrix.name }})
     if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
     runs-on: ubuntu-24.04

diff --git a/tests/api.c b/tests/api.c
@@ -30768,7 +30768,8 @@ static int test_SSL_CIPHER_get_xxx(void)
 
 #if defined(WOLF_CRYPTO_CB) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \
     (!defined(WOLF_CRYPTO_CB_ONLY_SHA256) && !defined(WOLF_CRYPTO_CB_ONLY_AES) && \
-     !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLF_CRYPTO_CB_ONLY_RSA))
+     !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLF_CRYPTO_CB_ONLY_RSA) && \
+     !defined(WOLF_CRYPTO_CB_ONLY_SHA512))
 
 static int load_pem_key_file_as_der(const char* privKeyFile, DerBuffer** pDer,
     int* keyFormat)
@@ -31772,7 +31773,8 @@ static int test_wc_CryptoCb(void)
     EXPECT_DECLS;
 #if defined(WOLF_CRYPTO_CB) && \
     (!defined(WOLF_CRYPTO_CB_ONLY_SHA256) && !defined(WOLF_CRYPTO_CB_ONLY_AES) && \
-     !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLF_CRYPTO_CB_ONLY_RSA))
+     !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLF_CRYPTO_CB_ONLY_RSA) && \
+     !defined(WOLF_CRYPTO_CB_ONLY_SHA512))
     /* TODO: Add crypto callback API tests */
 
 #ifdef HAVE_IO_TESTS_DEPENDENCIES

diff --git a/tests/api/test_sha512.c b/tests/api/test_sha512.c
@@ -874,3 +874,110 @@ int test_wc_Sha384_Flags(void)
     return EXPECT_RESULT();
 }
 
+#if defined(WOLF_CRYPTO_CB) && defined(WOLFSSL_SHA384) && \
+    defined(WOLFSSL_SHA512) && !defined(NO_SHA2_CRYPTO_CB)
+
+#include <wolfssl/wolfcrypt/cryptocb.h>
+
+#define TEST_CRYPTOCB_SHA384_FALLBACK_DEVID 2
+
+typedef struct {
+    int sha384Seen;
+    int sha512Seen;
+} Sha384FallbackCbCtx;
+
+static int sha384_fallback_dev_cb(int devIdArg, wc_CryptoInfo* info, void* ctx)
+{
+    Sha384FallbackCbCtx* cbCtx = (Sha384FallbackCbCtx*)ctx;
+    int i;
+
+    (void)devIdArg;
+
+    if (info == NULL || cbCtx == NULL)
+        return BAD_FUNC_ARG;
+
+    if (info->algo_type != WC_ALGO_TYPE_HASH)
+        return CRYPTOCB_UNAVAILABLE;
+
+    if (info->hash.type == WC_HASH_TYPE_SHA384) {
+        cbCtx->sha384Seen++;
+        return CRYPTOCB_UNAVAILABLE;
+    }
+
+    if (info->hash.type == WC_HASH_TYPE_SHA512) {
+        cbCtx->sha512Seen++;
+        if (info->hash.digest != NULL) {
+            for (i = 0; i < WC_SHA512_DIGEST_SIZE; i++)
+                info->hash.digest[i] = (byte)(0x80 + i);
+        }
+        /* Simulate a real SHA-512 backend leaving the SHA-512 IV in the
+         * caller's state buffer so the SHA-384 fallback path is forced to
+         * reset it back to the SHA-384 IV. */
+        if (info->hash.sha512 != NULL) {
+            for (i = 0; i < (int)(sizeof(info->hash.sha512->digest) /
+                                  sizeof(info->hash.sha512->digest[0])); i++) {
+                info->hash.sha512->digest[i] = W64LIT(0xdeadbeefcafebabe);
+            }
+        }
+        return 0;
+    }
+
+    return CRYPTOCB_UNAVAILABLE;
+}
+#endif
+
+int test_wc_CryptoCb_Sha384_Sha512Fallback(void)
+{
+    EXPECT_DECLS;
+#if defined(WOLF_CRYPTO_CB) && defined(WOLFSSL_SHA384) && \
+    defined(WOLFSSL_SHA512) && !defined(NO_SHA2_CRYPTO_CB)
+    wc_Sha384 sha;
+    wc_Sha384 refSha;
+    Sha384FallbackCbCtx cbCtx;
+    byte hash[WC_SHA384_DIGEST_SIZE];
+    byte devCtxMarker = 0;
+    int i;
+
+    XMEMSET(&sha, 0, sizeof(sha));
+    sha.devId = INVALID_DEVID;
+    sha.devCtx = NULL;
+    XMEMSET(&refSha, 0, sizeof(refSha));
+    XMEMSET(&cbCtx, 0, sizeof(cbCtx));
+    XMEMSET(hash, 0, sizeof(hash));
+
+    /* Reference struct used to capture the freshly-initialised SHA-384 IV
+     * state, against which we verify the test struct after Final. */
+    ExpectIntEQ(wc_InitSha384_ex(&refSha, HEAP_HINT, INVALID_DEVID), 0);
+
+    ExpectIntEQ(wc_CryptoCb_RegisterDevice(
+        TEST_CRYPTOCB_SHA384_FALLBACK_DEVID, sha384_fallback_dev_cb, &cbCtx),
+        0);
+
+    ExpectIntEQ(wc_InitSha384_ex(&sha, HEAP_HINT,
+        TEST_CRYPTOCB_SHA384_FALLBACK_DEVID), 0);
+    sha.devCtx = &devCtxMarker;
+
+    ExpectIntEQ(wc_Sha384Final(&sha, hash), 0);
+
+    ExpectIntEQ(cbCtx.sha384Seen, 1);
+    ExpectIntEQ(cbCtx.sha512Seen, 1);
+
+    /* devId and devCtx must be preserved across the SHA-512 fallback. */
+    ExpectIntEQ(sha.devId, TEST_CRYPTOCB_SHA384_FALLBACK_DEVID);
+    ExpectPtrEq(sha.devCtx, &devCtxMarker);
+
+    for (i = 0; i < WC_SHA384_DIGEST_SIZE; i++)
+        ExpectIntEQ(hash[i], (byte)(0x80 + i));
+
+    /* The SHA-512 fallback leaves the SHA-512 IV in the state buffer; the
+     * fallback must reset it back to the SHA-384 IV so the struct is ready
+     * to hash a new message. */
+    ExpectIntEQ(XMEMCMP(sha.digest, refSha.digest, sizeof(sha.digest)), 0);
+
+    wc_Sha384Free(&sha);
+    wc_Sha384Free(&refSha);
+    wc_CryptoCb_UnRegisterDevice(TEST_CRYPTOCB_SHA384_FALLBACK_DEVID);
+#endif
+    return EXPECT_RESULT();
+}
+
diff --git a/tests/api/test_sha512.h b/tests/api/test_sha512.h
@@ -66,6 +66,7 @@ int test_wc_Sha384_other(void);
 int test_wc_Sha384Copy(void);
 int test_wc_Sha384GetHash(void);
 int test_wc_Sha384_Flags(void);
+int test_wc_CryptoCb_Sha384_Sha512Fallback(void);
 
 #define TEST_SHA512_DECLS                               \
     TEST_DECL_GROUP("sha512", test_wc_InitSha512),      \
@@ -103,15 +104,16 @@ int test_wc_Sha384_Flags(void);
     TEST_DECL_GROUP("sha512_256", test_wc_Sha512_256Transform), \
     TEST_DECL_GROUP("sha512_256", test_wc_Sha512_256_Flags)
 
-#define TEST_SHA384_DECLS                               \
-    TEST_DECL_GROUP("sha384", test_wc_InitSha384),      \
-    TEST_DECL_GROUP("sha384", test_wc_Sha384Update),    \
-    TEST_DECL_GROUP("sha384", test_wc_Sha384Final),     \
-    TEST_DECL_GROUP("sha384", test_wc_Sha384FinalRaw),  \
-    TEST_DECL_GROUP("sha384", test_wc_Sha384_KATs),     \
-    TEST_DECL_GROUP("sha384", test_wc_Sha384_other),    \
-    TEST_DECL_GROUP("sha384", test_wc_Sha384Copy),      \
-    TEST_DECL_GROUP("sha384", test_wc_Sha384GetHash),   \
-    TEST_DECL_GROUP("sha384", test_wc_Sha384_Flags)
+#define TEST_SHA384_DECLS                                              \
+    TEST_DECL_GROUP("sha384", test_wc_InitSha384),                     \
+    TEST_DECL_GROUP("sha384", test_wc_Sha384Update),                   \
+    TEST_DECL_GROUP("sha384", test_wc_Sha384Final),                    \
+    TEST_DECL_GROUP("sha384", test_wc_Sha384FinalRaw),                 \
+    TEST_DECL_GROUP("sha384", test_wc_Sha384_KATs),                    \
+    TEST_DECL_GROUP("sha384", test_wc_Sha384_other),                   \
+    TEST_DECL_GROUP("sha384", test_wc_Sha384Copy),                     \
+    TEST_DECL_GROUP("sha384", test_wc_Sha384GetHash),                  \
+    TEST_DECL_GROUP("sha384", test_wc_Sha384_Flags),                   \
+    TEST_DECL_GROUP("sha384", test_wc_CryptoCb_Sha384_Sha512Fallback)
 
 #endif /* WOLFCRYPT_TEST_SHA512_H */