Use reset_checksum in reset_transcript_for_hrr
This function was manually resetting just the hash that would be used;
it's simpler to just call the function that resets all hashes. This also
avoids calling low-level code from TLS 1.3.
While at it, remove the guards about SHA-256 || SHA-384 that were around
update_checksum, as they are redundant: update_checksum already has
appropriate guards (and TLS 1.3 already depends on one of those two
hashes being present anyway).
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 4fb73f9..214f3ff 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1399,37 +1399,9 @@
hash_len += 4;
-#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
- if (ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
- MBEDTLS_SSL_DEBUG_BUF(4, "Truncated SHA-256 handshake transcript",
- hash_transcript, hash_len);
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&ssl->handshake->fin_sha256_psa);
- psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
-#else
- mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0);
-#endif
- }
-#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
-#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
- if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
- MBEDTLS_SSL_DEBUG_BUF(4, "Truncated SHA-384 handshake transcript",
- hash_transcript, hash_len);
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&ssl->handshake->fin_sha384_psa);
- psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
-#else
- mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1);
-#endif
- }
-#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
-#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
- defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+ /* Reset running hash and replace it with a hash of the transcript */
+ mbedtls_ssl_reset_checksum(ssl);
ssl->handshake->update_checksum(ssl, hash_transcript, hash_len);
-#endif \
- /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
return ret;
}
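Review bot: Nothing in the new lines checks that the transcript was actually reset and re-seeded before `return ret;`. Both `mbedtls_ssl_reset_checksum(ssl);` and `ssl->handshake->update_checksum(ssl, hash_transcript, hash_len);` are called as bare statements. The removed PSA branch already ignored the status of `psa_hash_setup`, so this gap is inherited rather than introduced, but funnelling the reset through one helper makes it cheap to close. The helper's signature is not visible in this hunk; if it reports a status, or is later changed to, propagate it with `ret = mbedtls_ssl_reset_checksum(ssl); if (ret != 0) { return ret; }` and treat the update call the same way, since Finished and CertificateVerify are computed over this running hash after a HelloRetryRequest. The enclosing function starts above the hunk, so how `ret` is set earlier is not visible here.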