Improve documentation of MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT option

Explain more clearly when this option should be used and which versions of Mbed
TLS build on the non-compliant implementation.
This commit is contained in:
Hanno Becker 2017-11-21 17:20:17 +00:00
parent 8e75b6ce56
commit adb30b9453
2 changed files with 11 additions and 6 deletions

View File

@ -1186,12 +1186,17 @@
/** /**
* \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
* *
* Fallback to old, non-conforming implementation of the truncated * Fallback to old (pre-2.1.10), non-conforming implementation of the truncated
* HMAC extension which also truncates the HMAC key. * HMAC extension which also truncates the HMAC key. Note that this option is
* only meant for a transitory upgrade period and is likely to be removed in
* a future version of the library.
* *
* \warning This should only be enabled temporarily when the use * \warning The old implementation is non-compliant and has a security weakness
* of truncated HMAC is mandatory *and* the peer is an Mbed TLS * (2^80 brute force attack on the HMAC key used for a single,
* stack that doesn't use the fixed implementation yet. * uninterrupted connection). This should only be enabled temporarily
* when (1) the use of truncated HMAC is essential in order to save
* bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
* the fixed implementation yet (pre-2.1.10).
* *
* Uncomment to fallback to old, non-compliant truncated HMAC implementation. * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
* *

View File

@ -719,7 +719,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) #if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
/* Fall back to old, non-compliant version of the truncated /* Fall back to old, non-compliant version of the truncated
* HMAC implementation which also truncates the key. */ * HMAC implementation which also truncates the key (pre 2.1.10) */
mac_key_len = transform->maclen; mac_key_len = transform->maclen;
#endif #endif
} }