esp: fix error return in esp_check_icv_hmac.

philljj · danielinux · commit 664e9a0efb92 · 2026-04-22T19:33:11.000+02:00
diff --git a/src/wolfesp.c b/src/wolfesp.c
@@ -1160,6 +1160,9 @@ esp_check_icv_hmac(const wolfIP_esp_sa * esp_sa, uint8_t * esp_data,
 
     /* compare the first N bits depending on truncation type. */
     rc = esp_const_memcmp(icv, hash, esp_sa->icv_len);
+    if (rc) {
+        rc = -1;
+    }
     return rc;
 }
 
@@ -1649,7 +1652,7 @@ esp_transport_wrap(struct wolfIP_ip_packet *ip, uint16_t * ip_len)
     }
 
     if (esp_sa->icv_len) {
-        int       err = 0;
+        int err = 0;
 
         switch (esp_sa->auth) {
         case ESP_AUTH_MD5_RFC2403:
@@ -1664,7 +1667,6 @@ esp_transport_wrap(struct wolfIP_ip_packet *ip, uint16_t * ip_len)
                 if (err == 0) {
                     memcpy(icv, hash, esp_sa->icv_len);
                 }
-
             }
             break;
         #if defined(WOLFSSL_AESGCM_STREAM)

Original file line number	Diff line number	Diff line change
`@@ -1160,6 +1160,9 @@ esp_check_icv_hmac(const wolfIP_esp_sa * esp_sa, uint8_t * esp_data,`
`1160`	`1160`
`1161`	`1161`	`/* compare the first N bits depending on truncation type. */`
`1162`	`1162`	`rc = esp_const_memcmp(icv, hash, esp_sa->icv_len);`
	`1163`	`+ if (rc) {`
	`1164`	`+ rc = -1;`
	`1165`	`+ }`
`1163`	`1166`	`return rc;`
`1164`	`1167`	`}`
`1165`	`1168`
`@@ -1649,7 +1652,7 @@ esp_transport_wrap(struct wolfIP_ip_packet ip, uint16_t ip_len)`
`1649`	`1652`	`}`
`1650`	`1653`
`1651`	`1654`	`if (esp_sa->icv_len) {`
`1652`		`- int err = 0;`
	`1655`	`+ int err = 0;`
`1653`	`1656`
`1654`	`1657`	`switch (esp_sa->auth) {`
`1655`	`1658`	`case ESP_AUTH_MD5_RFC2403:`
`@@ -1664,7 +1667,6 @@ esp_transport_wrap(struct wolfIP_ip_packet ip, uint16_t ip_len)`
`1664`	`1667`	`if (err == 0) {`
`1665`	`1668`	`memcpy(icv, hash, esp_sa->icv_len);`
`1666`	`1669`	`}`
`1667`		`-`
`1668`	`1670`	`}`
`1669`	`1671`	`break;`
`1670`	`1672`	`#if defined(WOLFSSL_AESGCM_STREAM)`