From 0da8f4c35b01e961b89d48b30ec4055130843592 Mon Sep 17 00:00:00 2001
From: Mark Atwood <mark@wolfssl.com>
Date: Wed, 6 May 2026 17:30:53 -0700
Subject: [PATCH 1/2] feat: add copy() to SHA256 and SHA384 via
 wc_Sha256Copy/wc_Sha384Copy

---
 wrapper/rust/wolfssl-wolfcrypt/src/sha.rs | 36 +++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/wrapper/rust/wolfssl-wolfcrypt/src/sha.rs b/wrapper/rust/wolfssl-wolfcrypt/src/sha.rs
index 2de688b39d2..5698adccaa6 100644
--- a/wrapper/rust/wolfssl-wolfcrypt/src/sha.rs
+++ b/wrapper/rust/wolfssl-wolfcrypt/src/sha.rs
@@ -635,6 +635,24 @@ impl SHA256 {
         }
         Ok(())
     }
+
+    /// Copy the SHA-256 state into a new instance (O(1) clone via wc_Sha256Copy).
+    ///
+    /// Returns a new `SHA256` context with identical internal state,
+    /// allowing the same computation to be continued independently.
+    ///
+    /// # Returns
+    ///
+    /// Returns either `Ok(sha256)` containing the copied instance or `Err(e)`
+    /// containing the wolfSSL library error code value.
+    pub fn copy(&self) -> Result<Self, i32> {
+        let mut dst: core::mem::MaybeUninit<sys::wc_Sha256> = core::mem::MaybeUninit::uninit();
+        let rc = unsafe { sys::wc_Sha256Copy(&self.wc_sha256 as *const _ as *mut _, dst.as_mut_ptr()) };
+        if rc != 0 {
+            return Err(rc);
+        }
+        Ok(SHA256 { wc_sha256: unsafe { dst.assume_init() } })
+    }
 }
 
 #[cfg(sha256)]
@@ -846,6 +864,24 @@ impl SHA384 {
         }
         Ok(())
     }
+
+    /// Copy the SHA-384 state into a new instance (O(1) clone via wc_Sha384Copy).
+    ///
+    /// Returns a new `SHA384` context with identical internal state,
+    /// allowing the same computation to be continued independently.
+    ///
+    /// # Returns
+    ///
+    /// Returns either `Ok(sha384)` containing the copied instance or `Err(e)`
+    /// containing the wolfSSL library error code value.
+    pub fn copy(&self) -> Result<Self, i32> {
+        let mut dst: core::mem::MaybeUninit<sys::wc_Sha384> = core::mem::MaybeUninit::uninit();
+        let rc = unsafe { sys::wc_Sha384Copy(&self.wc_sha384 as *const _ as *mut _, dst.as_mut_ptr()) };
+        if rc != 0 {
+            return Err(rc);
+        }
+        Ok(SHA384 { wc_sha384: unsafe { dst.assume_init() } })
+    }
 }
 
 #[cfg(sha384)]

From 93286f4e5c5515e5c4d3ea58f4e613ce09db2789 Mon Sep 17 00:00:00 2001
From: Mark Atwood <mark@wolfssl.com>
Date: Thu, 7 May 2026 08:45:57 -0700
Subject: [PATCH 2/2] Rust wrapper: impl Clone for SHA256 and SHA384 via
 wc_Sha256/384Copy

---
 wrapper/rust/wolfssl-wolfcrypt/src/sha.rs | 48 ++++++++++++-----------
 1 file changed, 26 insertions(+), 22 deletions(-)

diff --git a/wrapper/rust/wolfssl-wolfcrypt/src/sha.rs b/wrapper/rust/wolfssl-wolfcrypt/src/sha.rs
index 5698adccaa6..d64a22b3e75 100644
--- a/wrapper/rust/wolfssl-wolfcrypt/src/sha.rs
+++ b/wrapper/rust/wolfssl-wolfcrypt/src/sha.rs
@@ -636,22 +636,24 @@ impl SHA256 {
         Ok(())
     }
 
-    /// Copy the SHA-256 state into a new instance (O(1) clone via wc_Sha256Copy).
+}
+
+#[cfg(sha256)]
+impl Clone for SHA256 {
+    /// Clone the SHA-256 state into a new independent instance via `wc_Sha256Copy`.
     ///
-    /// Returns a new `SHA256` context with identical internal state,
-    /// allowing the same computation to be continued independently.
+    /// Allows the same in-progress computation to be continued independently
+    /// from the same point, e.g. for transcript snapshotting in TLS.
     ///
-    /// # Returns
+    /// # Panics
     ///
-    /// Returns either `Ok(sha256)` containing the copied instance or `Err(e)`
-    /// containing the wolfSSL library error code value.
-    pub fn copy(&self) -> Result<Self, i32> {
+    /// Panics if the underlying `wc_Sha256Copy` call fails (should not occur
+    /// under normal conditions).
+    fn clone(&self) -> Self {
         let mut dst: core::mem::MaybeUninit<sys::wc_Sha256> = core::mem::MaybeUninit::uninit();
         let rc = unsafe { sys::wc_Sha256Copy(&self.wc_sha256 as *const _ as *mut _, dst.as_mut_ptr()) };
-        if rc != 0 {
-            return Err(rc);
-        }
-        Ok(SHA256 { wc_sha256: unsafe { dst.assume_init() } })
+        assert_eq!(rc, 0, "wc_Sha256Copy failed: {rc}");
+        SHA256 { wc_sha256: unsafe { dst.assume_init() } }
     }
 }
 
@@ -865,22 +867,24 @@ impl SHA384 {
         Ok(())
     }
 
-    /// Copy the SHA-384 state into a new instance (O(1) clone via wc_Sha384Copy).
+}
+
+#[cfg(sha384)]
+impl Clone for SHA384 {
+    /// Clone the SHA-384 state into a new independent instance via `wc_Sha384Copy`.
     ///
-    /// Returns a new `SHA384` context with identical internal state,
-    /// allowing the same computation to be continued independently.
+    /// Allows the same in-progress computation to be continued independently
+    /// from the same point, e.g. for transcript snapshotting in TLS.
     ///
-    /// # Returns
+    /// # Panics
     ///
-    /// Returns either `Ok(sha384)` containing the copied instance or `Err(e)`
-    /// containing the wolfSSL library error code value.
-    pub fn copy(&self) -> Result<Self, i32> {
+    /// Panics if the underlying `wc_Sha384Copy` call fails (should not occur
+    /// under normal conditions).
+    fn clone(&self) -> Self {
         let mut dst: core::mem::MaybeUninit<sys::wc_Sha384> = core::mem::MaybeUninit::uninit();
         let rc = unsafe { sys::wc_Sha384Copy(&self.wc_sha384 as *const _ as *mut _, dst.as_mut_ptr()) };
-        if rc != 0 {
-            return Err(rc);
-        }
-        Ok(SHA384 { wc_sha384: unsafe { dst.assume_init() } })
+        assert_eq!(rc, 0, "wc_Sha384Copy failed: {rc}");
+        SHA384 { wc_sha384: unsafe { dst.assume_init() } }
     }
 }