@@ -6158,7 +6158,13 @@ int wh_Client_Sha512UpdateResponse(whClientContext* ctx, wc_Sha512* sha)
61586158
61596159 ret = _getCryptoResponse (dataPtr , WC_HASH_TYPE_SHA512 , (uint8_t * * )& res );
61606160 if (ret >= 0 ) {
6161- if (res -> hashType != (uint32_t )sha -> hashType ) {
6161+ /* Family check, not variant match: SHA-512/t shares block size and
6162+ * compression with SHA-512, and the client supplies the variant IV
6163+ * in resumeState.hash — so a server missing SHA-512/t support still
6164+ * returns a correct intermediate state. */
6165+ if (res -> hashType != WC_HASH_TYPE_SHA512 &&
6166+ res -> hashType != WC_HASH_TYPE_SHA512_224 &&
6167+ res -> hashType != WC_HASH_TYPE_SHA512_256 ) {
61626168 return WH_ERROR_ABORTED ;
61636169 }
61646170 memcpy (sha -> digest , res -> hash , WC_SHA512_DIGEST_SIZE );
@@ -6238,11 +6244,13 @@ int wh_Client_Sha512FinalResponse(whClientContext* ctx, wc_Sha512* sha,
62386244 if (ret >= 0 ) {
62396245 /* keep hashtype before initialization */
62406246 hashType = sha -> hashType ;
6241- /* Detect server/client mismatch (e.g. client built with SHA512_256
6242- * support but server not — server would fall back to plain SHA512 and
6243- * return a digest that does not correspond to the requested variant).
6244- */
6245- if (res -> hashType != (uint32_t )hashType ) {
6247+ /* Family check, not variant match: SHA-512/t shares block size and
6248+ * compression with SHA-512; the client supplies the variant IV in
6249+ * resumeState.hash and the switch below truncates by hashType, so a
6250+ * server missing SHA-512/t support still yields a correct digest. */
6251+ if (res -> hashType != WC_HASH_TYPE_SHA512 &&
6252+ res -> hashType != WC_HASH_TYPE_SHA512_224 &&
6253+ res -> hashType != WC_HASH_TYPE_SHA512_256 ) {
62466254 return WH_ERROR_ABORTED ;
62476255 }
62486256 /* reset the state of the sha context (without blowing away devId and
@@ -6462,7 +6470,13 @@ int wh_Client_Sha512DmaUpdateResponse(whClientContext* ctx, wc_Sha512* sha)
64626470 ret =
64636471 _getCryptoResponse (dataPtr , WC_HASH_TYPE_SHA512 , (uint8_t * * )& resp );
64646472 if (ret >= 0 ) {
6465- if (resp -> hashType != (uint32_t )sha -> hashType ) {
6473+ /* Family check, not variant match: SHA-512/t shares block size and
6474+ * compression with SHA-512, and the client supplies the variant IV
6475+ * in resumeState.hash — so a server missing SHA-512/t support still
6476+ * returns a correct intermediate state. */
6477+ if (resp -> hashType != WC_HASH_TYPE_SHA512 &&
6478+ resp -> hashType != WC_HASH_TYPE_SHA512_224 &&
6479+ resp -> hashType != WC_HASH_TYPE_SHA512_256 ) {
64666480 ret = WH_ERROR_ABORTED ;
64676481 }
64686482 else {
@@ -6561,11 +6575,14 @@ int wh_Client_Sha512DmaFinalResponse(whClientContext* ctx, wc_Sha512* sha,
65616575 if (ret >= 0 ) {
65626576 /* keep hashtype before initialization */
65636577 hashType = sha -> hashType ;
6564- /* Detect server/client mismatch (e.g. client built with SHA512_256
6565- * support but server not — server would fall back to plain SHA512
6566- * and return a digest that does not correspond to the requested
6567- * variant). */
6568- if (resp -> hashType != (uint32_t )hashType ) {
6578+ /* Family check, not variant match: SHA-512/t shares block size and
6579+ * compression with SHA-512; the client supplies the variant IV in
6580+ * resumeState.hash and the switch below truncates by hashType, so a
6581+ * server missing SHA-512/t support still yields a correct digest.
6582+ */
6583+ if (resp -> hashType != WC_HASH_TYPE_SHA512 &&
6584+ resp -> hashType != WC_HASH_TYPE_SHA512_224 &&
6585+ resp -> hashType != WC_HASH_TYPE_SHA512_256 ) {
65696586 return WH_ERROR_ABORTED ;
65706587 }
65716588 /* reset the state of the sha context (without blowing away devId
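Review bot: The relaxed checks in all four hunks (Sha512UpdateResponse, Sha512FinalResponse, Sha512DmaUpdateResponse, Sha512DmaFinalResponse) no longer compare the response variant against what the client requested, so a response tagged WC_HASH_TYPE_SHA512_224 to a SHA512_256 request (or vice versa) now passes, which the removed comment explicitly listed as the mismatch the check existed to catch. The new comments justify this by the client supplying the variant IV in resumeState.hash and Final truncating by the client's hashType, but neither hunk shows the server honouring that resume state, so the argument cannot be confirmed from this diff and should be stated as an assumption in the comment. If the only case meant to be tolerated is a plain-SHA512 server falling back, a tighter condition keeps the original guard and still admits that case: `if (res->hashType != (uint32_t)sha->hashType && res->hashType != WC_HASH_TYPE_SHA512) {` in the Update variants and `if (res->hashType != (uint32_t)hashType && res->hashType != WC_HASH_TYPE_SHA512) {` in the Final variants (resp in the DMA paths). The body of each function continues past its hunk, including the memcpy of the server-returned state and the truncating switch referenced in the comments. The section's file header is outside this excerpt.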