From f216f0d5d4f69621d7d913a98a5655b5a9941af5 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 11 Jun 2021 22:41:46 +0200
Subject: [PATCH] Fix missing state check for tls12_prf output

Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
about missing inputs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 ChangeLog.d/psa_key_derivation-bad_workflow.txt |  3 +++
 library/psa_crypto.c                            | 11 +++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 ChangeLog.d/psa_key_derivation-bad_workflow.txt

diff --git a/ChangeLog.d/psa_key_derivation-bad_workflow.txt b/ChangeLog.d/psa_key_derivation-bad_workflow.txt
new file mode 100644
index 000000000..7fd03e6c9
--- /dev/null
+++ b/ChangeLog.d/psa_key_derivation-bad_workflow.txt
@@ -0,0 +1,3 @@
+Bugfix
+   * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
+     about missing inputs.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 339370e40..e36c82ff2 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3785,6 +3785,17 @@ static psa_status_t psa_key_derivation_tls12_prf_read(
     psa_status_t status;
     uint8_t offset, length;
 
+    switch( tls12_prf->state )
+    {
+        case PSA_TLS12_PRF_STATE_LABEL_SET:
+            tls12_prf->state = PSA_TLS12_PRF_STATE_OUTPUT;
+            break;
+        case PSA_TLS12_PRF_STATE_OUTPUT:
+            break;
+        default:
+            return( PSA_ERROR_BAD_STATE );
+    }
+
     while( output_length != 0 )
     {
         /* Check if we have fully processed the current block. */