From e9256c5f4632d66aaa38082e2e6cf73068cf5d4d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 22 Feb 2018 16:17:52 +0100 Subject: [PATCH] Note incompatibility of truncated HMAC extension in ChangeLog The change in the truncated HMAC extension aligns Mbed TLS with the standard, but breaks interoperability with previous versions. Indicate this in the ChangeLog, as well as how to restore the old behavior. --- ChangeLog | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index f4e71221b..0f4df6525 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,16 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS 2.1.10 branch released 2017-xx-xx +Default behavior changes + * The truncated HMAC extension now conforms to RFC 6066. This means + that when both sides of a TLS connection negotiate the truncated + HMAC extension, Mbed TLS can now interoperate with other + compliant implementations, but this breaks interoperability with + prior versions of Mbed TLS. To restore the old behavior, enable + the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in + config.h. Found by Andreas Walz (ivESK, Offenburg University of + Applied Sciences). + Security * Fix heap corruption in implementation of truncated HMAC extension. When the truncated HMAC extension is enabled and CBC is used, @@ -10,12 +20,10 @@ Security corrupt 6 bytes on the peer's heap, potentially leading to crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS. - * Fix implementation of truncated HMAC extension leading to - compatibility problems with non Mbed TLS peers and allowing - an offline 2^80 brute force attack on the HMAC key of a single, - uninterrupted (excluding session resumption) connection. - Found by Andreas Walz (ivESK, Offenburg University of Applied - Sciences). + * Fix implementation of the truncated HMAC extension. The previous + implementation allowed an offline 2^80 brute force attack on the + HMAC key of a single, uninterrupted connection (with no + resumption of the session). Bugfix * Fix ssl_parse_record_header() to silently discard invalid DTLS records