From: Ingo Franzki Date: Fri, 6 Jun 2025 12:20:38 +0000 (+0200) Subject: s390x: Fix HMAC to fail update or final call when already finalized X-Git-Tag: openssl-3.4.2~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=659f40622bc94fa383a59106ff15864837e2dd3a;p=thirdparty%2Fopenssl.git s390x: Fix HMAC to fail update or final call when already finalized After commit a5d1eadde1d566b528cfe495953300cd9f9fe1e9 the test step 'test_hmac_final_update_fail' of 'test_hmac' fails. Return an error when update or final is used after the context has already been finalized. Flag 'iimp' (intermediate-input-message-part) must be 1 to allow an update or final call. If iimp is 0, then the context has already been finalized. Signed-off-by: Ingo Franzki Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27781) (cherry picked from commit 339ced70da1206bf090c3de981093b99cfa0d39a) --- diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c index 02e1cd1dd65..ac202615630 100644 --- a/crypto/hmac/hmac_s390x.c +++ b/crypto/hmac/hmac_s390x.c @@ -14,6 +14,7 @@ #include "hmac_local.h" #include "openssl/obj_mac.h" #include "openssl/evp.h" +#include "openssl/err.h" #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) # include #endif @@ -189,6 +190,11 @@ int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len) { size_t remain, num; + if (ctx->plat.s390x.iimp != 1) { + ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR); + return 0; + } + if (len == 0) return 1; @@ -250,6 +256,11 @@ int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) void *result; unsigned int res_len; + if (ctx->plat.s390x.iimp != 1) { + ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); + return 0; + } + ctx->plat.s390x.iimp = 0; /* last block */ s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);