[Bug]: TLS 1.2 constant time HMAC computation fails with SHA384 #9447

@max-ag

Contact Details

No response

Version

v5.8.0-stable

Description

Hmac_UpdateFinal_CT in src/tls.c:939 produces incorrect HMAC output for TLS 1.2 cipher suites using SHA-384 (didn't test with SHA-512, but I suspect the same issue).

Observations:

  • Small messages (<100 bytes): Works correctly
  • Large messages (>100 bytes): Wrong HMAC output
  • SHA-256 with any message size: Works correctly
  • Issue in multi-block processing specific to SHA-384 parameters (128-byte blocks, 48-byte digest)

Target: Probably irrelevant to this issue, but building on Ubuntu 24.04 (WSL).

Reproduction steps

bug_report_test.zip

mkdir build && cd build
cmake ..
cmake --build .
./bug_report_test

Expected Output:

========================================
wolfSSL HMAC-SHA384 Bug in TLS 1.2
========================================

Test 1 (Small message - PASS):
  Content: 32 bytes, Padding: 7 bytes, Record: 88 bytes
  Normal:  e68026b24242bf4d3d843c3f41acdc65...
  CT HMAC: e68026b24242bf4d3d843c3f41acdc65...
  Result: ✅ PASS (outputs match)

Test 2 (Larger message - FAIL):
  Content: 100 bytes, Padding: 5 bytes, Record: 154 bytes
  Normal:  3bc534aa8e1627cf939709c8fb5d9c07...
  CT HMAC: 123118093eac776ba730cdad9bcb2309...
  Result: ❌ FAIL (outputs differ)

========================================
Summary:
Hmac_UpdateFinal_CT produces incorrect
output for TLS 1.2 with SHA-384 cipher
suites (SHA-256 works fine).
========================================
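The reason a TLS 1.2 stack has a separate constant-time HMAC path at all is Lucky 13: after padding is removed, the number of compression-function calls the MAC performs must depend only on the public maximum record length, not on the secret padding length, so the CT routine has to reason explicitly about hash blocks. That arithmetic is where SHA-384 differs from SHA-256: a 128-byte block and a 16-byte length field instead of 64 and 8, so the last-block threshold moves from 55 to 111 bytes and the points at which the inner hash gains a block move with it. The script below is an added example, not wolfSSL code and not the reporter's attached test: it computes those block counts, finds the content lengths where the inner-hash block count changes for the TLS 1.2 MAC input (seq_num || type || version || length || content), and emits reference HMACs one byte either side of each boundary so a constant-time implementation can be diffed against the plain one exactly where its multi-block logic is exercised. The key and filler bytes are constructed, and the function names are this example's own.

```python
import hmac
import struct

# Merkle-Damgard parameters that drive multi-block behaviour:
# (block size, length-field size, digest size), all in bytes.
# SHA-384 and SHA-512 use a 128-byte block and a 16-byte length field,
# so the "last block" threshold sits at 111 bytes, not 55 as for SHA-256.
HASH_PARAMS = {
    "sha256": (64, 8, 32),
    "sha384": (128, 16, 48),
    "sha512": (128, 16, 64),
}

TLS_HEADER_LEN = 13  # seq_num(8) || type(1) || version(2) || length(2)


def compression_blocks(msg_len, block_size, len_bytes):
    """Compression-function calls needed to hash msg_len bytes with MD padding
    (0x80, zero fill, big-endian length field of len_bytes)."""
    return (msg_len + 1 + len_bytes + block_size - 1) // block_size


def hmac_inner_blocks(name, msg_len):
    """Blocks hashed by HMAC's inner hash: the ipad block plus the message.
    A constant-time MAC must make this count depend only on the public
    maximum record size, never on the secret padding length (Lucky 13)."""
    block_size, len_bytes, _ = HASH_PARAMS[name]
    return compression_blocks(block_size + msg_len, block_size, len_bytes)


def block_boundaries(name, max_content):
    """Content lengths (after padding removal) at which the inner-hash
    block count increases. Multi-block bugs tend to surface at or just
    past these lengths, so known-answer tests should straddle them."""
    bounds = []
    prev = hmac_inner_blocks(name, TLS_HEADER_LEN)
    for c in range(1, max_content + 1):
        cur = hmac_inner_blocks(name, TLS_HEADER_LEN + c)
        if cur != prev:
            bounds.append(c)
            prev = cur
    return bounds


def tls12_mac_input(seq_num, content_type, version, content):
    """TLS 1.2 MAC input: seq_num || type || version || length || content."""
    return struct.pack(">QBHH", seq_num, content_type, version, len(content)) + content


def reference_mac(name, key, seq_num, content_type, version, content):
    """Plain (non-constant-time) reference HMAC over a TLS 1.2 record."""
    mac_input = tls12_mac_input(seq_num, content_type, version, content)
    return hmac.new(key, mac_input, name).digest()


def boundary_kats(name, key, max_content=300):
    """Reference vectors keyed by content length, at each block boundary and
    one byte either side of it, so a CT implementation can be compared with
    the reference exactly where its block arithmetic changes."""
    vectors = {}
    for b in block_boundaries(name, max_content):
        for c in (b - 1, b, b + 1):
            content = bytes((i * 7 + 3) & 0xFF for i in range(c))  # constructed filler
            vectors[c] = reference_mac(name, key, 1, 23, 0x0303, content).hex()
    return vectors


if __name__ == "__main__":
    KEY = bytes(range(48))  # constructed MAC key, not from any real session
    for name in ("sha256", "sha384"):
        print(name, "inner-hash block boundaries (content bytes):", block_boundaries(name, 300))
        for c, mac in sorted(boundary_kats(name, KEY).items()):
            blocks = hmac_inner_blocks(name, TLS_HEADER_LEN + c)
            print(f"  content={c:3d} inner_blocks={blocks} mac={mac[:32]}...")
```

For SHA-384 the first boundary falls at 99 content bytes (the inner hash goes from two blocks to three), for SHA-256 at 43 and then every 64 bytes; a sweep like the reporter's, which passes below 100 bytes and fails at 100, is the kind of result that points a maintainer at the block-count handling rather than at the key or header encoding.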
