esp: use hash array in esp_transport_wrap icv calculation.#99
Merged
danielinux merged 1 commit intowolfSSL:masterfrom Apr 10, 2026
Merged
esp: use hash array in esp_transport_wrap icv calculation.#99danielinux merged 1 commit intowolfSSL:masterfrom
danielinux merged 1 commit intowolfSSL:masterfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Improves ESP transport-mode packet wrapping by avoiding in-place HMAC ICV calculation when the configured ICV length is truncated, preventing writes beyond the ICV field in the packet buffer.
Changes:
- Compute HMAC into a dedicated full-size hash buffer in
esp_transport_wrap, then copy onlyesp_sa->icv_lenbytes into the packet’s ICV field. - Add more detailed logging on ICV verification failures in
esp_transport_unwrap.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
danielinux
approved these changes
Apr 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Use a dedicated hash array for calculating icv in esp_transport_wrap, instead of writing icv in place. Then copy truncated size to ip data buffer.
The buffer is sized for
esp_sa->icv_lenwhich might be truncated and not have room for full hash.Fixes F-2021.