Ensure HMAC_Init_ex reinitializes data properly (#2806)

### Description of changes: 
I discovered this edge case when working with an older Ruby version.
This discrepancy only exists in older versions since Ruby openssl
migrated from using the `HMAC_CTX` APIs to use the `EVP` layer in 3.1:
ruby/ruby@b91f62f.


[`test_reset_keep_key`](https://github.com/ruby/ruby/blame/cf4a034d59913fb71a7dd1b052164984be4a3d14/test/openssl/test_hmac.rb#L37-L43)
was failing since we were MACing the data twice. It turns out the call
to `h1.reset` wasn't working properly and this was due to our
implementation of `HMAC_Init_ex` not reinitializing the data input when
only `HMAC_Update` had been called. According to the original function
contract, `HMAC_Init_ex` should reinitialize the inputted data, but the
computed key should still be preserved.

This is a minor edge case due to how older versions of Ruby were
consuming `HMAC_CTX`. [Their
call](https://github.com/ruby/ruby/blob/ruby_2_7/ext/openssl/ossl_hmac.c#L167-L174)
to `HMAC_Final` was called upon a copy of the original `HMAC_CTX`. The
original `HMAC_CTX` was always within a `HMAC_Update` state and AWS-LC
was not properly reinitializing these cases.

### Call-outs:
N/A

### Testing:
New tests

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

Author: samuel40791765

crypto/fipsmodule/hmac/hmac.c

@@ -371,17 +371,24 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
                  const EVP_MD *md, ENGINE *impl) {
   assert(impl == NULL);
 
+  GUARD_PTR(ctx);
+
   if (HMAC_STATE_READY_NEEDS_INIT == ctx->state ||
       HMAC_STATE_PRECOMPUTED_KEY_EXPORT_READY == ctx->state) {
     ctx->state = HMAC_STATE_INIT_NO_DATA;  // Mark that init has been called
   }
 
-  if (HMAC_STATE_INIT_NO_DATA == ctx->state) {
+  if (hmac_ctx_is_initialized(ctx)) {
     // TODO(davidben,eroman): Passing the previous |md| with a NULL |key| is
     // ambiguous between using the empty key and reusing the previous key. There
     // exist callers which intend the latter, but the former is an awkward edge
     // case. Fix to API to avoid this.
     if (key == NULL && (md == NULL || md == ctx->md)) {
+      if(HMAC_STATE_IN_PROGRESS == ctx->state) {
+        // Reinitialize |md_ctx| from |i_ctx| to start fresh with the same key. This
+        // is the same behavior as Openssl.
+        OPENSSL_memcpy(&ctx->md_ctx, &ctx->i_ctx, sizeof(ctx->i_ctx));
+      }
       // If nothing is changing then we can return without doing any further work.
       return 1;
     }

crypto/hmac_extra/hmac_test.cc

@@ -635,3 +635,48 @@ TEST(HMACTest, HandlesNullOutputParameters) {
   ASSERT_TRUE(HMAC_Update(ctx.get(), &input[0], sizeof(input)));
   ASSERT_FALSE(HMAC_Final(ctx.get(), nullptr, &mac_len));
 }
+
+TEST(HMACTest, InitExResetsContext) {
+  bssl::ScopedHMAC_CTX ctx;
+  bssl::ScopedHMAC_CTX ctx_copy;
+
+  const EVP_MD *digest = EVP_sha256();
+
+  const uint8_t key1[] = "test_key_1";
+  const uint8_t data1[] = "first_message";
+
+  uint8_t mac1[EVP_MAX_MD_SIZE];
+  uint8_t mac2[EVP_MAX_MD_SIZE];
+  uint8_t mac3[EVP_MAX_MD_SIZE];
+  unsigned mac_len;
+
+  // First HMAC computation with |key1| and |data1|.
+  ASSERT_TRUE(HMAC_Init_ex(ctx.get(), key1, sizeof(key1), digest, nullptr));
+  ASSERT_TRUE(HMAC_Update(ctx.get(), data1, sizeof(data1)));
+  // Copy to |ctx_copy| and finalize that to preserve |HMAC_STATE_IN_PROGRESS|
+  // in |ctx|.
+  ASSERT_TRUE(HMAC_CTX_copy(ctx_copy.get(), ctx.get()));
+  ASSERT_TRUE(HMAC_Final(ctx_copy.get(), mac1, &mac_len));
+
+  // Reset context with NULL |key|/|digest| - should reuse previous key and
+  // reset state. This tests that |HMAC_Init_ex| properly resets even after
+  // Update/Final.
+  ASSERT_TRUE(HMAC_Init_ex(ctx.get(), nullptr, 0, nullptr, nullptr));
+  ASSERT_TRUE(HMAC_Update(ctx.get(), data1, sizeof(data1)));
+  ASSERT_TRUE(HMAC_Final(ctx.get(), mac2, &mac_len));
+
+  // |mac1| and |mac2| should be the same (same key reused, context reset).
+  EXPECT_EQ(Bytes(mac1, mac_len), Bytes(mac2, mac_len));
+
+  // Reset |ctx| with NULL |key| but explicit digest - should reuse previous
+  // key and reset state.
+  ASSERT_TRUE(HMAC_Init_ex(ctx.get(), nullptr, 0, digest, nullptr));
+  ASSERT_TRUE(HMAC_Update(ctx.get(), data1, sizeof(data1)));
+  // Copy to |ctx_copy| and finalize that to preserve |HMAC_STATE_IN_PROGRESS|
+  // in |ctx|.
+  ASSERT_TRUE(HMAC_CTX_copy(ctx_copy.get(), ctx.get()));
+  ASSERT_TRUE(HMAC_Final(ctx_copy.get(), mac3, &mac_len));
+
+  // |mac1| and |mac3| should be the same (same key reused, context reset).
+  EXPECT_EQ(Bytes(mac1, mac_len), Bytes(mac3, mac_len));
+}

include/openssl/hmac.h

@@ -108,10 +108,12 @@ OPENSSL_EXPORT void HMAC_CTX_cleanse(HMAC_CTX *ctx);
 OPENSSL_EXPORT void HMAC_CTX_free(HMAC_CTX *ctx);
 
 // HMAC_Init_ex sets up an initialised |HMAC_CTX| to use |md| as the hash
-// function and |key| as the key. For a non-initial call, |md| may be NULL, in
-// which case the previous hash function will be used. If the hash function has
-// not changed and |key| is NULL, |ctx| reuses the previous key. It returns one
-// on success or zero on allocation failure.
+// function and |key| as the key. This function resets |HMAC_CTX| to a
+// fresh state, even if |HMAC_Update| or |HMAC_Final| have been called
+// previously. For a non-initial call, |md| may be NULL, in which case the
+// previous hash function will be used. If the hash function has not changed and
+// |key| is NULL, |ctx| reuses the previous key and resets to a clean state
+// ready for new data. It returns one on success or zero on allocation failure.
 //
 // WARNING: NULL and empty keys are ambiguous on non-initial calls. Passing NULL
 // |key| but repeating the previous |md| reuses the previous key rather than the