From: Nicky Mouha <nmouha@users.noreply.github.com>
Date: Sat, 24 May 2025 16:15:54 +0000 (-0400)
Subject: Regression test for incorrect HMAC API usage
X-Git-Tag: openssl-3.4.2~43
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4987369bcbedbdfda9ae7f4178e59e8296c4fc21;p=thirdparty%2Fopenssl.git

Regression test for incorrect HMAC API usage

Fixes #13210

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/27692)

(cherry picked from commit a5d1eadde1d566b528cfe495953300cd9f9fe1e9)
---

diff --git a/test/hmactest.c b/test/hmactest.c
index 28aba7f6309..62f17908757 100644
--- a/test/hmactest.c
+++ b/test/hmactest.c
@@ -214,6 +214,29 @@ static int test_hmac_single_shot(void)
     return 1;
 }
 
+/* https://github.com/openssl/openssl/issues/13210 */
+static int test_hmac_final_update_fail(void)
+{
+    HMAC_CTX *ctx = NULL;
+    unsigned char buf[EVP_MAX_MD_SIZE];
+    unsigned int len;
+    int ret = 0;
+
+    /* HMAC_Update() after HMAC_Final() must return an error. */
+    if (!TEST_ptr(ctx = HMAC_CTX_new()))
+        goto err;
+    if (!TEST_true(HMAC_Init_ex(ctx, test[5].key, test[5].key_len, EVP_sha256(), NULL))
+        || !TEST_true(HMAC_Update(ctx, test[5].data, test[5].data_len))
+        || !TEST_true(HMAC_Final(ctx, buf, &len))
+        || !TEST_false(HMAC_Update(ctx, test[5].data, test[5].data_len))
+        || !TEST_false(HMAC_Final(ctx, buf, &len)))
+        goto err;
+
+    ret = 1;
+err:
+    HMAC_CTX_free(ctx);
+    return ret;
+}
 
 static int test_hmac_copy(void)
 {
@@ -435,6 +458,7 @@ int setup_tests(void)
     ADD_TEST(test_hmac_single_shot);
     ADD_TEST(test_hmac_bad);
     ADD_TEST(test_hmac_run);
+    ADD_TEST(test_hmac_final_update_fail);
     ADD_TEST(test_hmac_copy);
     ADD_TEST(test_hmac_copy_uninited);
     ADD_ALL_TESTS(test_hmac_chunks,