AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix misuse of MD API in SSL constant-flow HMAC

Browse Source 
The sequence of calls starts-update-starts-update-finish is not a
guaranteed valid way to abort an operation and start a new one. Our
software implementation just happens to support it, but alt
implementations may very well not support it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2021-05-17 12:28:08 +02:00
parent 5605911fd3
commit 5ca21db813
2 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog.d/fix-ssl-cf-hmac-alt.txt Normal file
View File

@ -0,0 +1,5 @@
Bugfix
* Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
(when the encrypt-then-MAC extension is not in use) with some ALT
implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
the affected side to wrongly reject valid messages. Fixes #4118.

3
library/ssl_msg.c
View File

@ -1164,6 +1164,9 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac(
MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) ); MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
} }
/* The context needs to finish() before it starts() again */
MD_CHK( mbedtls_md_finish( ctx, aux_out ) );
/* Now compute HASH(okey + inner_hash) */ /* Now compute HASH(okey + inner_hash) */
MD_CHK( mbedtls_md_starts( ctx ) ); MD_CHK( mbedtls_md_starts( ctx ) );
MD_CHK( mbedtls_md_update( ctx, okey, block_size ) ); MD_CHK( mbedtls_md_update( ctx, okey, block_size ) );