From 31e5c0dd537a588db754b3ea11fb21d6f8dfa1f8 Mon Sep 17 00:00:00 2001
From: jackctj117
Date: Wed, 18 Mar 2026 10:00:28 -0600
Subject: [PATCH 1/2] Guard SHA client hash block-transfer loops to propagate errors instead of silently overwriting them
---
 src/wh_client_crypto.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/wh_client_crypto.c b/src/wh_client_crypto.c
index 7f5d2d35..89ec444a 100644
--- a/src/wh_client_crypto.c
+++ b/src/wh_client_crypto.c
@@ -4417,7 +4417,7 @@ int wh_Client_Sha256(whClientContext* ctx, wc_Sha256* sha256, const uint8_t* in,
 }
 /* Process as many full blocks from the input data as we can */
- while ((inLen - i) >= WC_SHA256_BLOCK_SIZE) {
+ while (ret == 0 && (inLen - i) >= WC_SHA256_BLOCK_SIZE) {
 memcpy(sha256BufferBytes, in + i, WC_SHA256_BLOCK_SIZE);
 ret = _xferSha256BlockAndUpdateDigest(ctx, sha256, 0);
 i += WC_SHA256_BLOCK_SIZE;
@@ -4707,7 +4707,7 @@ int wh_Client_Sha224(whClientContext* ctx, wc_Sha224* sha224, const uint8_t* in,
 }
 /* Process as many full blocks from the input data as we can */
- while ((inLen - i) >= WC_SHA224_BLOCK_SIZE) {
+ while (ret == 0 && (inLen - i) >= WC_SHA224_BLOCK_SIZE) {
 memcpy(sha224BufferBytes, in + i, WC_SHA224_BLOCK_SIZE);
 ret = _xferSha224BlockAndUpdateDigest(ctx, sha224, 0);
 i += WC_SHA224_BLOCK_SIZE;
@@ -4988,7 +4988,7 @@ int wh_Client_Sha384(whClientContext* ctx, wc_Sha384* sha384, const uint8_t* in,
 }
 /* Process as many full blocks from the input data as we can */
- while ((inLen - i) >= WC_SHA384_BLOCK_SIZE) {
+ while (ret == 0 && (inLen - i) >= WC_SHA384_BLOCK_SIZE) {
 memcpy(sha384BufferBytes, in + i, WC_SHA384_BLOCK_SIZE);
 ret = _xferSha384BlockAndUpdateDigest(ctx, sha384, 0);
 i += WC_SHA384_BLOCK_SIZE;
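Review bot: Once `_xferSha256BlockAndUpdateDigest` fails inside this loop in wh_Client_Sha256, the context has absorbed only part of `in`, and the code after the loop, which lies outside the hunk, may still touch it; the same applies to the Sha224, Sha384 and Sha512 loops patched the same way. If that tail buffers the leftover bytes unconditionally, it should also be skipped when `ret != 0`, so that a caller who retries does not hash a mix of old and new state. A comment above the loop would record the intent, `/* Stop at the first failed transfer: a later success must not mask it, or the digest would silently omit a block */`. A regression test that makes one mid-stream transfer fail and expects a non-zero return would keep the four copies from drifting apart.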
@@ -5268,7 +5268,7 @@ int wh_Client_Sha512(whClientContext* ctx, wc_Sha512* sha512, const uint8_t* in,
 }
 /* Process as many full blocks from the input data as we can */
- while ((inLen - i) >= WC_SHA512_BLOCK_SIZE) {
+ while (ret == 0 && (inLen - i) >= WC_SHA512_BLOCK_SIZE) {
 memcpy(sha512BufferBytes, in + i, WC_SHA512_BLOCK_SIZE);
 ret = _xferSha512BlockAndUpdateDigest(ctx, sha512, 0);
 i += WC_SHA512_BLOCK_SIZE;
From 0ff1550e7d5687f55afdb4a0dff28471ce1ccdd7 Mon Sep 17 00:00:00 2001
From: jackctj117
Date: Wed, 18 Mar 2026 12:21:07 -0600
Subject: [PATCH 2/2] final guard fix
---
 src/wh_client_crypto.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/wh_client_crypto.c b/src/wh_client_crypto.c
index 89ec444a..181eaa7a 100644
--- a/src/wh_client_crypto.c
+++ b/src/wh_client_crypto.c
@@ -4433,7 +4433,7 @@ int wh_Client_Sha256(whClientContext* ctx, wc_Sha256* sha256, const uint8_t* in,
 /* Caller invoked SHA finalize: * wc_CryptoCb_Sha256Hash(sha256, NULL, 0, * hash) */
- if (out != NULL) {
+ if (ret == 0 && out != NULL) {
 ret = _xferSha256BlockAndUpdateDigest(ctx, sha256, 1);
 /* Copy out the final hash value */
@@ -4723,7 +4723,7 @@ int wh_Client_Sha224(whClientContext* ctx, wc_Sha224* sha224, const uint8_t* in,
 /* Caller invoked SHA finalize: * wc_CryptoCb_Sha224Hash(sha224, NULL, 0, * hash) */
- if (out != NULL) {
+ if (ret == 0 && out != NULL) {
 ret = _xferSha224BlockAndUpdateDigest(ctx, sha224, 1);
 /* Copy out the final hash value */
@@ -5004,7 +5004,7 @@ int wh_Client_Sha384(whClientContext* ctx, wc_Sha384* sha384, const uint8_t* in,
 /* Caller invoked SHA finalize: * wc_CryptoCb_Sha384Hash(sha384, NULL, 0, * hash) */
- if (out != NULL) {
+ if (ret == 0 && out != NULL) {
 ret = _xferSha384BlockAndUpdateDigest(ctx, sha384, 1);
 /* Copy out the final hash value */
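Review bot: With `if (ret == 0 && out != NULL)` a failed update in wh_Client_Sha256 now skips the whole finalize branch, so `out` is never written and whatever cleanup the branch performs on the context does not run; the Sha224, Sha384 and Sha512 hunks of PATCH 2/2 behave the same. The branch body continues past the hunk, so it is not visible whether the copy under `/* Copy out the final hash value */` is itself conditional on the `ret` of the final transfer; if it is not, a failed final transfer would still return digest bytes. I would state the contract in the function header, `/* On a non-zero return, out is not written and the context must be re-initialised before reuse */`, so callers never compare against a stale buffer.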
@@ -5284,7 +5284,7 @@ int wh_Client_Sha512(whClientContext* ctx, wc_Sha512* sha512, const uint8_t* in,
 /* Caller invoked SHA finalize: * wc_CryptoCb_Sha512Hash(sha512, NULL, 0, * hash) */
- if (out != NULL) {
+ if (ret == 0 && out != NULL) {
 ret = _xferSha512BlockAndUpdateDigest(ctx, sha512, 1);
 /* Copy out the final hash value */