From e75342345cd30c4fb0c8cea16469781d6b4796e4 Mon Sep 17 00:00:00 2001 From: jordan Date: Fri, 10 Apr 2026 09:35:37 -0500 Subject: [PATCH] esp: use hash array in esp_transport_wrap icv calculation. --- src/wolfesp.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/src/wolfesp.c b/src/wolfesp.c index 6f6aac6..56b1251 100644 --- a/src/wolfesp.c +++ b/src/wolfesp.c @@ -1145,6 +1145,7 @@ esp_check_icv_hmac(const wolfIP_esp_sa * esp_sa, uint8_t * esp_data, int rc = 0; const uint8_t * icv = NULL; byte hash[WC_SHA256_DIGEST_SIZE]; + memset(hash, 0, sizeof(hash)); rc = esp_calc_icv_hmac(hash, esp_sa, esp_data, esp_len); if (rc) { @@ -1357,7 +1358,8 @@ esp_transport_unwrap(struct wolfIP_ip_packet *ip, uint32_t * frame_len) } if (err) { - ESP_LOG("error: icv check failed\n"); + ESP_LOG("error: icv check (auth=%d, icv_len=%d) failed: %d\n", + esp_sa->auth, esp_sa->icv_len, err); return -1; } } @@ -1643,15 +1645,22 @@ esp_transport_wrap(struct wolfIP_ip_packet *ip, uint16_t * ip_len) } if (esp_sa->icv_len) { - uint8_t * icv = NULL; int err = 0; switch (esp_sa->auth) { case ESP_AUTH_MD5_RFC2403: case ESP_AUTH_SHA1_RFC2404: case ESP_AUTH_SHA256_RFC4868: - icv = ip->data + icv_offset; - err = esp_calc_icv_hmac(icv, esp_sa, ip->data, payload_len); + { + uint8_t * icv = NULL; + byte hash[WC_SHA256_DIGEST_SIZE]; + memset(hash, 0, sizeof(hash)); + icv = ip->data + icv_offset; + err = esp_calc_icv_hmac(hash, esp_sa, ip->data, payload_len); + if (err == 0) { + memcpy(icv, hash, esp_sa->icv_len); + } + } break; #if defined(WOLFSSL_AESGCM_STREAM) case ESP_AUTH_GCM_RFC4106: