HMAC added to dgst by aidankeefe2022 · Pull Request #257 · wolfSSL/wolfCLU

aidankeefe2022 · 2026-06-23T16:21:11Z

Added new flags to the dgst sub command.
Created 3 helper functions to make the HMAC and sign/verify functionalities easy to read and use.
Added end-to-end tests for HMAC RFC Vectors using hex key and plain text key.
Changed input to allow for data to be passed to stdin for dgst.

wolfSSL-Fenrir-bot

Fenrir Automated Review — PR #257

Scan targets checked: wolfclu-bugs, wolfclu-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

wolfSSL-Fenrir-bot

Fenrir Automated Review — PR #257

Scan targets checked: wolfclu-bugs, wolfclu-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

wolfSSL-Fenrir-bot

Fenrir Automated Review — PR #257

Scan targets checked: wolfclu-bugs, wolfclu-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

wolfSSL-Fenrir-bot

Fenrir Automated Review — PR #257

Scan targets checked: wolfclu-bugs, wolfclu-src

No new issues found in the changed files. ✅

Copilot

Pull request overview

Adds HMAC support to the existing dgst subcommand (alongside sign/verify), including new CLI flags, a streaming HMAC helper, and end-to-end RFC vector tests. It also updates dgst input handling so data can be supplied via stdin when no positional input file is present.

Changes:

Add -hmac / -mackey flags to dgst and update help text + stdin/positional input handling.
Introduce a streaming HMAC implementation (wolfCLU_hmacHash) and an HMAC dispatch helper in dgst setup.
Add end-to-end Python tests covering RFC vectors, output-to-file behavior, and key parsing edge cases.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
`wolfclu/clu_optargs.h`	Adds new option IDs for `dgst` HMAC flags.
`wolfclu/clu_header_main.h`	Exposes the new `wolfCLU_hmacHash()` API (with updated includes/docs).
`src/tools/clu_funcs.c`	Implements streaming HMAC helper used by `dgst`.
`src/sign-verify/clu_dgst_setup.c`	Extends `dgst` to support HMAC mode and stdin input dispatch.
`tests/dgst/dgst-test.py`	Adds HMAC RFC vector and behavior tests.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

billphipps

Copilot comments are pretty good. A few minor nits, but this looks like a great addition!

billphipps · 2026-06-24T14:26:35Z

+    /* wc_HashType values are not contiguous, so map each one explicitly.
+     * Cast to int so unrelated hash types don't trip -Wswitch-enum. */
+    switch ((int)alg) {
+        case WC_HASH_TYPE_MD5:


Do you need to check for NO_MD5 or other conditional compilation flags?

--enable-wolfclu option for wolfSSL turns on MD5 so we are good for now! And for the other hash alg guards it is a pretty pervasive issue Ill probably make a separate PR that guards all of the hash algs because it touches a lot of files. --disable-hmac won't build with --enable-wolfclu so we are safe there.

billphipps · 2026-06-24T14:42:47Z

+/* return WOLFCLU_SUCCESS on success */
+int wolfCLU_dgst_setup(int argc, char** argv)
+{
+#ifndef WOLFCLU_NO_FILESYSTEM


Hrmm... If the input is stdin, the output is stdout, and all key materials are on command line, why do we need a filesystem? Ok to punt to a later feature request

Very true! This is an upgrade we could make across a ton of functionalities so if it comes up in the future it would be easy to do it all at once.

billphipps · 2026-06-24T14:45:26Z

+        *sep = '\0';     /* terminate the type token */
+        macKeyVal = sep + 1; /* value is the remainder, ':' included */
+
+        if (XSTRCMP(hmacKey, "hexkey") == 0) {


consider using XSTRNCMP since you know the length of "hexkey"

billphipps · 2026-06-24T14:48:45Z

+    WOLFCLU_LOG(WOLFCLU_L0, "\t-mackey     key:value for plain text "
+                                        "hexkey:value to have value encoded\n");


Suggested change

WOLFCLU_LOG(WOLFCLU_L0, "\t-mackey key:value for plain text "

"hexkey:value to have value encoded\n");

WOLFCLU_LOG(WOLFCLU_L0, "\t-mackey key:value for plain text hmac key"

"hexkey:value for hex-encoded hmac key\n");

added invalid argument tests increased plain test key size for FIPs build fix arg name conflict github fixes skoll fixes

wolfSSL-Fenrir-bot

Fenrir Automated Review — PR #257

Scan targets checked: wolfclu-bugs, wolfclu-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

aidankeefe2022 · 2026-06-24T17:18:58Z

Jenkins retest this please

aidankeefe2022 requested a review from wolfSSL-Fenrir-bot June 23, 2026 16:21

aidankeefe2022 self-assigned this Jun 23, 2026

wolfSSL-Fenrir-bot reviewed Jun 23, 2026

View reviewed changes