From c1032a8cb6c88386fe15077db774cd3303c61b8b Mon Sep 17 00:00:00 2001
From: jordan <jordan@wolfssl.com>
Date: Mon, 20 Oct 2025 22:05:41 -0500
Subject: [PATCH] KDF onestep: hashOutSz err check.

---
 wolfcrypt/src/kdf.c   | 2 +-
 wolfcrypt/test/test.c | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c
index 5fc92604b..5f57f64c7 100644
--- a/wolfcrypt/src/kdf.c
+++ b/wolfcrypt/src/kdf.c
@@ -1385,7 +1385,7 @@ int wc_KDA_KDF_onestep(const byte* z, word32 zSz, const byte* fixedInfo,
         return BAD_FUNC_ARG;
 
     hashOutSz = wc_HashGetDigestSize(hashType);
-    if (hashOutSz == WC_NO_ERR_TRACE(HASH_TYPE_E))
+    if (hashOutSz <= 0)
         return BAD_FUNC_ARG;
 
     /* According to SP800_56C, table 1, the max input size (max_H_inputBits)
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 5e6993b54..620ae1737 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -1466,6 +1466,10 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t nist_sp80056c_kdf_test(void)
         WC_HASH_TYPE_SHA256, output, 16);
     if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))
         return WC_TEST_RET_ENC_NC;
+    ret = wc_KDA_KDF_onestep((byte*)"secret", sizeof("secret"), NULL, 0, 16,
+        WC_HASH_TYPE_NONE, output, 16);
+    if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))
+        return WC_TEST_RET_ENC_NC;
 
     /* allow empty FixedInfo */
     ret = wc_KDA_KDF_onestep((byte*)"secret", sizeof("secret"), NULL, 0, 16,