From fb39f15fa1fac02bb963cd8f9eb700725009453a Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Fri, 25 Mar 2022 14:36:28 +0100
Subject: [PATCH] ssl_tls.c: Use ETM status only in CBC mode case

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 library/ssl_tls.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0177add1f4..2ff324925b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7450,9 +7450,9 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
             goto end;
         }
 
-        if( ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ||
-              transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) &&
-            transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
+        if( ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ) ||
+            ( ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) &&
+              ( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ) ) )
             /* mbedtls_ct_hmac() requires the key to be exportable */
             psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
                                                   PSA_KEY_USAGE_VERIFY_HASH );