TLS hmac: handle truncated mac in Hmac_UpdateFinal_CT()

Sean Parkinson
2021-06-23 09:54:41 +10:00
parent 4b3bd3e384
commit 5cf7e17820
3 changed files with 6 additions and 9 deletions


@ -15421,7 +15421,7 @@ int TimingPadVerify(WOLFSSL* ssl, const byte* input, int padLen, int macSz,
* either increment the size by (macSz + padLen + 1) before use or check on
* the size to make sure is valid. */
ret = ssl->hmac(ssl, verify, input, pLen - macSz - padLen - 1, padLen,
content, 1, PEER_ORDER);
content, 1, PEER_ORDER);
good |= MaskMac(input, pLen, ssl->specs.hash_size, verify);
/* Non-zero on failure. */


@ -870,13 +870,13 @@ static int Hmac_OuterHash(Hmac* hmac, unsigned char* mac)
* returns 0 on success, otherwise failure.
*/
static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
word32 sz, byte* header)
word32 sz, int macLen, byte* header)
{
byte lenBytes[8];
int i, j;
unsigned int k;
int blockBits, blockMask;
int lastBlockLen, macLen, extraLen, eocIndex;
int lastBlockLen, extraLen, eocIndex;
int blocks, safeBlocks, lenBlock, eocBlock;
unsigned int maxLen;
int blockSz, padSz;
@ -889,7 +889,6 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
case WC_SHA:
blockSz = WC_SHA_BLOCK_SIZE;
blockBits = 6;
macLen = WC_SHA_DIGEST_SIZE;
padSz = WC_SHA_BLOCK_SIZE - WC_SHA_PAD_SIZE + 1;
break;
#endif /* !NO_SHA */
@ -898,7 +897,6 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
case WC_SHA256:
blockSz = WC_SHA256_BLOCK_SIZE;
blockBits = 6;
macLen = WC_SHA256_DIGEST_SIZE;
padSz = WC_SHA256_BLOCK_SIZE - WC_SHA256_PAD_SIZE + 1;
break;
#endif /* !NO_SHA256 */
@ -907,7 +905,6 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
case WC_SHA384:
blockSz = WC_SHA384_BLOCK_SIZE;
blockBits = 7;
macLen = WC_SHA384_DIGEST_SIZE;
padSz = WC_SHA384_BLOCK_SIZE - WC_SHA384_PAD_SIZE + 1;
break;
#endif /* WOLFSSL_SHA384 */
@ -916,7 +913,6 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
case WC_SHA512:
blockSz = WC_SHA512_BLOCK_SIZE;
blockBits = 7;
macLen = WC_SHA512_DIGEST_SIZE;
padSz = WC_SHA512_BLOCK_SIZE - WC_SHA512_PAD_SIZE + 1;
break;
#endif /* WOLFSSL_SHA512 */
@ -1225,7 +1221,7 @@ int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int padSz,
#endif
{
ret = Hmac_UpdateFinal_CT(&hmac, digest, in,
sz + hashSz + padSz + 1, myInner);
sz + hashSz + padSz + 1, hashSz, myInner);
}
#else
ret = Hmac_UpdateFinal(&hmac, digest, in, sz + hashSz + padSz + 1,
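Review bot: `macLen` is now a caller-supplied `int` in `Hmac_UpdateFinal_CT()`, and nothing in the visible lines checks it against the digest size for `hmac->macType` now that the per-hash assignments (`macLen = WC_SHA256_DIGEST_SIZE;` and its siblings) are removed. The rest of the body lies outside these hunks; if it uses `macLen` in the record-length arithmetic, a negative or oversized value would skew the constant-time bounds, so a guard after the switch such as `if (macLen <= 0 || macLen > WC_MAX_DIGEST_SIZE) return BAD_FUNC_ARG;` would keep the contract local to this function. The header comment, of which only the tail is shown, should also document the new parameter, for example `* macLen  Length of the MAC in the record; may be truncated, i.e. shorter than the hash's digest size.`. The only visible caller, `TLS_hmac()`, passes `hashSz`, which is presumably the negotiated MAC size, but its definition is not in the hunk.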


@ -2043,7 +2043,7 @@ static WC_INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identit
}
}
#ifdef WOLFSSL_TLS13
static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl,
const char* hint, char* identity, unsigned int id_max_len,
unsigned char* key, unsigned int key_max_len, const char** ciphersuite)
@ -2100,6 +2100,7 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl,
return 32; /* length of key in octets or 0 for error */
}
#endif
#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \
!defined(NO_FILESYSTEM)