Add a value barrier to EVP_sha256_final_with_secret_suffix too

In https://boringssl-review.googlesource.com/c/boringssl/+/85628, we
added a value barrier to is_last_block because Clang had started undoing
the constant-time for those few operations. This is part of the Lucky 13
mitigation the legacy TLS CBC_SHA ciphers.

Turned out the legacy TLS CBC_SHA256 ciphers had the same problem. But
because we didn't have EVP_AEAD-level tests for them, this went
unnoticed.

Thanks to Alex Gaynor for noticing that the two functions were
inconsistently barriered and prompting me to check this.

Change-Id: I57f80d0d918a529afdbf207abab51707288a3750
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/93188
Presubmit-BoringSSL-Verified: boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Commit-Queue: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/cipher/tls_cbc.cc b/crypto/cipher/tls_cbc.cc
index 08eb73d..f0c5764 100644
--- a/crypto/cipher/tls_cbc.cc
+++ b/crypto/cipher/tls_cbc.cc
@@ -305,8 +305,10 @@
 
     input_idx += SHA256_CBLOCK - block_start;
 
-    // Fill in the length if this is the last block.
-    crypto_word_t is_last_block = constant_time_eq_w(i, last_block);
+    // Fill in the length if this is the last block. Use a value barrier to
+    // prevent Clang from compiling the conditional select as a jump.
+    crypto_word_t is_last_block =
+        value_barrier_w(constant_time_eq_w(i, last_block));
     for (size_t j = 0; j < 4; j++) {
       block[SHA256_CBLOCK - 4 + j] |= is_last_block & length_bytes[j];
     }