mbedtls/library
Hanno Becker 81c7b18351 Don't truncate MAC key when truncated HMAC is negotiated
The truncated HMAC extension as described in
https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated
HMAC is used, only the HMAC output should be truncated, while the HMAC key
generation stays unmodified. This commit fixes Mbed TLS's behavior of also
truncating the key, potentially leading to compatibility issues with peers
running other stacks than Mbed TLS.

Details:
The keys for the MAC are pieces of the keyblock that's generated from the
master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being
specified as the size of the digest used for the MAC, regardless of whether
truncated HMAC is enabled or not.

             /----- MD size ------\ /------- MD size ----\
Keyblock    +----------------------+----------------------+------------------+---
now         |     MAC enc key      |      MAC dec key     |     Enc key      |  ...
(correct)   +----------------------+----------------------+------------------+---

In the previous code, when truncated HMAC was enabled, the HMAC keys
were truncated to 10 bytes:

             /-10 bytes-\  /-10 bytes-\
Keyblock    +-------------+-------------+------------------+---
previously  | MAC enc key | MAC dec key |     Enc key      |  ...
(wrong)     +-------------+-------------+------------------+---

The reason for this was that a single variable `transform->maclen` was used for
both the keysize and the size of the final MAC, and its value was reduced from
the MD size to 10 bytes in case truncated HMAC was negotiated.

This commit fixes this by introducing a temporary variable `mac_key_len` which
permanently holds the MD size irrespective of the presence of truncated HMAC,
and using this temporary to obtain the MAC key chunks from the keyblock.
2017-11-20 16:25:50 +00:00
..
.gitignore
aes.c Export mbedtls_aes_(en/de)crypt to retain for API compatibility 2017-07-27 21:44:33 +01:00
aesni.c
arc4.c Adds casts to zeroize functions to allow building as C++ 2016-05-23 14:29:32 +01:00
asn1parse.c Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-13 13:54:14 +01:00
asn1write.c Add mbedtls_asn1_write_len() support for 3 and 4 byte lengths 2016-08-25 15:42:27 +01:00
base64.c Add comment to integer overflow fix in base64.c 2017-02-15 23:31:07 +02:00
bignum.c Merge remote-tracking branch 'hanno/mpi_read_file_underflow' into development 2017-06-08 19:48:03 +02:00
blowfish.c Adds casts to zeroize functions to allow building as C++ 2016-05-23 14:29:32 +01:00
camellia.c Address user reported coverity issues. 2016-06-07 14:52:35 +01:00
ccm.c Adds casts to zeroize functions to allow building as C++ 2016-05-23 14:29:32 +01:00
certs.c Undo API change from SHA1 deprecation 2017-07-27 21:44:33 +01:00
cipher_wrap.c
cipher.c Fix integer overflows in buffer bound checks 2017-02-15 23:31:07 +02:00
cmac.c Rename time and index parameter to avoid name conflict. 2017-07-28 22:28:08 +01:00
CMakeLists.txt Update version number to 2.6.0 2017-08-10 11:51:16 +01:00
ctr_drbg.c Fix integer overflows in buffer bound checks 2017-02-15 23:31:07 +02:00
debug.c Fix compiler warning in debug.c 2017-02-15 09:08:26 +00:00
des.c Adds casts to zeroize functions to allow building as C++ 2016-05-23 14:29:32 +01:00
dhm.c Check return code of mbedtls_mpi_fill_random 2017-07-27 21:44:33 +01:00
ecdh.c
ecdsa.c
ecjpake.c
ecp_curves.c ECP: Add module and function level replacement options. 2017-05-11 22:42:14 +01:00
ecp.c Check return code of mbedtls_mpi_fill_random 2017-07-27 21:44:33 +01:00
entropy_poll.c Renames null entropy source function for clarity 2016-06-12 00:31:33 +01:00
entropy.c Rename time and index parameter to avoid name conflict. 2017-07-28 22:28:08 +01:00
error.c Only return VERIFY_FAILED from a single point 2017-07-06 11:58:41 +02:00
gcm.c fix for issue 1118: check if iv is zero in gcm. 2017-07-27 21:44:33 +01:00
havege.c Fixes warnings found by Clang static analyser 2016-05-23 23:18:26 +01:00
hmac_drbg.c
Makefile Added cmac.o to libary/Makefile 2016-10-13 13:51:09 +01:00
md2.c Fix integer overflows in buffer bound checks 2017-02-15 23:31:07 +02:00
md4.c
md5.c
md_wrap.c
md.c
memory_buffer_alloc.c
net_sockets.c Fix typo and bracketing in macro args 2017-10-12 23:21:37 +01:00
oid.c Removing in compile time unused entries from oid_ecp_grp list 2016-09-04 15:14:38 +01:00
padlock.c
pem.c Fix unused variable/function compilation warnings 2017-02-15 22:54:42 +02:00
pk_wrap.c Fix data loss in unsigned int cast in PK 2017-05-11 21:55:17 +01:00
pk.c Fix data loss in unsigned int cast in PK 2017-05-11 21:55:17 +01:00
pkcs5.c Fix output of PKCS#5 and RIPEMD-160 self tests 2016-08-25 16:36:35 +01:00
pkcs11.c
pkcs12.c
pkparse.c Clarify Comments and Fix Typos (#651) 2017-02-15 09:08:26 +00:00
pkwrite.c
platform.c Rename macro SETUP_ALT to SETUP_TEARDOWN_ALT 2017-07-27 21:44:33 +01:00
ripemd160.c Fix output of PKCS#5 and RIPEMD-160 self tests 2016-08-25 16:36:35 +01:00
rsa.c Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-restricted' into development-restricted 2017-06-08 20:31:06 +02:00
sha1.c Adds casts to zeroize functions to allow building as C++ 2016-05-23 14:29:32 +01:00
sha256.c Use allocated memory for SHA self tests 2016-10-13 15:10:14 +01:00
sha512.c Use allocated memory for SHA self tests 2016-10-13 15:10:14 +01:00
ssl_cache.c Fix naked call to time() with platform call 2017-07-28 23:46:43 +01:00
ssl_ciphersuites.c Undo API change 2017-07-27 21:44:33 +01:00
ssl_cli.c Always print gmt_unix_time in TLS client 2017-10-06 11:59:13 +01:00
ssl_cookie.c Fix resource leak when using mutex and ssl_cookie 2017-03-02 12:26:11 +00:00
ssl_srv.c Parse Signature Algorithm ext when renegotiating 2017-10-12 23:21:37 +01:00
ssl_ticket.c Puts platform time abstraction into its own header 2016-07-13 14:46:18 +01:00
ssl_tls.c Don't truncate MAC key when truncated HMAC is negotiated 2017-11-20 16:25:50 +00:00
threading.c Remove mutexes from ECP hardware acceleration 2017-07-27 21:44:32 +01:00
timing.c
version_features.c Checked names 2017-07-27 21:44:33 +01:00
version.c
x509_create.c
x509_crl.c Fix potential integer overflow parsing DER CRL 2017-07-27 21:44:34 +01:00
x509_crt.c Fix potential integer overflow parsing DER CRT 2017-07-27 21:44:34 +01:00
x509_csr.c Prevent signed integer overflow in CSR parsing 2017-07-27 21:44:34 +01:00
x509.c Correctly handle leap year in x509_date_is_valid() 2017-10-12 23:21:37 +01:00
x509write_crt.c Rename time and index parameter to avoid name conflict. 2017-07-28 22:28:08 +01:00
x509write_csr.c Add missing bounds check in X509 DER write funcs 2016-10-11 14:07:48 +01:00
xtea.c