Fix misuse of MD API in SSL constant-flow HMAC
The sequence of calls starts-update-starts-update-finish is not a
guaranteed valid way to abort an operation and start a new one. Our
software implementation just happens to support it, but alt
implementations may very well not support it.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/ChangeLog.d/fix-ssl-cf-hmac-alt.txt b/ChangeLog.d/fix-ssl-cf-hmac-alt.txt
new file mode 100644
index 0000000..57ffa02
--- /dev/null
+++ b/ChangeLog.d/fix-ssl-cf-hmac-alt.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
+ (when the encrypt-then-MAC extension is not in use) with some ALT
+ implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
+ the affected side to wrongly reject valid messages. Fixes #4118.
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 54a7be0..1352b49 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -1241,6 +1241,9 @@
MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
}
+ /* The context needs to finish() before it starts() again */
+ MD_CHK( mbedtls_md_finish( ctx, aux_out ) );
+
/* Now compute HASH(okey + inner_hash) */
MD_CHK( mbedtls_md_starts( ctx ) );
MD_CHK( mbedtls_md_update( ctx, okey, block_size ) );