From adb30b945390fb57292611d46bc37a786fd8b49a Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 21 Nov 2017 17:20:17 +0000
Subject: [PATCH] Improve documentation of MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT option

Explain more clearly when this option should be used and which versions of Mbed TLS build on the non-compliant implementation.

---
 include/mbedtls/config.h | 15 ++++++++++-----
 library/ssl_tls.c | 2 +-
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index b174d8a2f..b8980f20f 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1186,12 +1186,17 @@
 /**
  * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
  *
- * Fallback to old, non-conforming implementation of the truncated
- * HMAC extension which also truncates the HMAC key.
+ * Fallback to old (pre-2.1.10), non-conforming implementation of the truncated
+ * HMAC extension which also truncates the HMAC key. Note that this option is
+ * only meant for a transitory upgrade period and is likely to be removed in
+ * a future version of the library.
  *
- * \warning This should only be enabled temporarily when the use
- * of truncated HMAC is mandatory *and* the peer is an Mbed TLS
- * stack that doesn't use the fixed implementation yet.
+ * \warning The old implementation is non-compliant and has a security weakness
+ * (2^80 brute force attack on the HMAC key used for a single,
+ * uninterrupted connection). This should only be enabled temporarily
+ * when (1) the use of truncated HMAC is essential in order to save
+ * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
+ * the fixed implementation yet (pre-2.1.10).
  *
  * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
  *
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f0cc95f9c..c72ee1dc0 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
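Review bot: The new \warning gives the 2^80 figure without saying where it comes from, so a reader cannot tell whether it applies to their configuration; the hunk's own wording ("also truncates the HMAC key") and the ssl_tls.c hunk (`mac_key_len = transform->maclen;`) show the key is cut down to the truncated MAC length, which RFC 6066 fixes at 10 bytes, hence an 80-bit effective key. I would extend the parenthesis to `(the key is truncated to the 10-byte MAC length of RFC 6066, leaving an 80-bit key that a 2^80 brute-force attack can recover for a single, uninterrupted connection)`. The two hunks also spell the version differently ("pre-2.1.10" here, "pre 2.1.10" in ssl_tls.c); pick one form for both. Since the text announces that the option is slated for removal, a `\deprecated` tag next to the `\warning` would let Doxygen surface that intent rather than leaving it buried in the prose.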
@@ -719,7 +719,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
         /* Fall back to old, non-compliant version of the truncated
-         * HMAC implementation which also truncates the key. */
+         * HMAC implementation which also truncates the key (pre 2.1.10) */
         mac_key_len = transform->maclen;
 #endif
     }