mbedtls/library
Hanno Becker 64f0aed966 Don't truncate MAC key when truncated HMAC is negotiated
The truncated HMAC extension as described in
https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated
HMAC is used, only the HMAC output should be truncated, while the HMAC key
generation stays unmodified. This commit fixes Mbed TLS's behavior of also
truncating the key, potentially leading to compatibility issues with peers
running other stacks than Mbed TLS.

Details:
The keys for the MAC are pieces of the keyblock that's generated from the
master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being
specified as the size of the digest used for the MAC, regardless of whether
truncated HMAC is enabled or not.

             /----- MD size ------\ /------- MD size ----\
Keyblock    +----------------------+----------------------+------------------+---
now         |     MAC enc key      |      MAC dec key     |     Enc key      |  ...
(correct)   +----------------------+----------------------+------------------+---

In the previous code, when truncated HMAC was enabled, the HMAC keys
were truncated to 10 bytes:

             /-10 bytes-\  /-10 bytes-\
Keyblock    +-------------+-------------+------------------+---
previously  | MAC enc key | MAC dec key |     Enc key      |  ...
(wrong)     +-------------+-------------+------------------+---

The reason for this was that a single variable `transform->maclen` was used for
both the keysize and the size of the final MAC, and its value was reduced from
the MD size to 10 bytes in case truncated HMAC was negotiated.

This commit fixes this by introducing a temporary variable `mac_key_len` which
permanently holds the MD size irrespective of the presence of truncated HMAC,
and using this temporary to obtain the MAC key chunks from the keyblock.
2017-12-01 10:18:22 +00:00
..
.gitignore
aes.c
aesni.c
arc4.c
asn1parse.c Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-12 17:45:29 +01:00
asn1write.c Fix potential double free in cert writing code 2015-12-10 11:24:35 +01:00
base64.c Add comment to integer overflow fix in base64.c 2017-02-20 21:51:18 +00:00
bignum.c Merge remote-tracking branch 'hanno/mpi_read_file_underflow_backport-2.1' into mbedtls-2.1 2017-06-08 19:51:19 +02:00
blowfish.c
camellia.c
ccm.c
certs.c X.509 self-tests: replaced SHA-1 certificates by SHA-256 2017-06-06 19:08:23 +02:00
cipher_wrap.c
cipher.c Fix integer overflows in buffer bound checks 2017-02-20 21:49:01 +00:00
CMakeLists.txt Update version number to 2.1.9 2017-08-10 11:51:47 +01:00
ctr_drbg.c Fix integer overflows in buffer bound checks 2017-02-20 21:49:01 +00:00
debug.c Fix macroization of inline in C++ 2015-10-05 11:41:36 +01:00
des.c
dhm.c Backport 2.1: Check rc of mbedtls_mpi_fill_random 2017-07-20 01:25:53 +02:00
ecdh.c
ecdsa.c
ecp_curves.c ECP: Prevent freeing a buffer on stack 2017-02-28 18:56:35 +00:00
ecp.c Backport 2.1: Check rc of mbedtls_mpi_fill_random 2017-07-20 01:25:53 +02:00
entropy_poll.c
entropy.c Rename time and index parameter to avoid name conflict. 2017-07-28 22:14:55 +01:00
error.c Only return VERIFY_FAILED from a single point 2017-07-28 12:20:48 +01:00
gcm.c Backport 2.1: check if iv is zero in gcm. 2017-07-20 00:30:44 +02:00
havege.c
hmac_drbg.c
Makefile Make ar invocation more portable 2016-01-08 14:52:14 +01:00
md2.c Fix integer overflows in buffer bound checks 2017-02-20 21:49:01 +00:00
md4.c
md5.c
md_wrap.c
md.c
memory_buffer_alloc.c Fixes memory leak in memory_buffer_alloc.c debug 2016-05-05 17:51:09 +01:00
net.c Clarify Comments and Fix Typos (#651) 2017-02-25 19:44:47 +00:00
oid.c Fix typo in an OID name 2015-11-02 05:58:10 +09:00
padlock.c
pem.c Fix unused variable/function compilation warnings 2017-02-25 19:48:32 +00:00
pk_wrap.c Fix data loss in unsigned int cast in PK 2017-02-25 20:37:43 +00:00
pk.c Fix data loss in unsigned int cast in PK 2017-02-25 20:37:43 +00:00
pkcs5.c
pkcs11.c
pkcs12.c Fix stack buffer overflow in pkcs12 2015-09-28 19:47:50 +02:00
pkparse.c Clarify Comments and Fix Typos (#651) 2017-02-25 19:44:47 +00:00
pkwrite.c Fix other occurrences of same bounds check issue 2015-11-02 10:43:03 +09:00
platform.c
ripemd160.c
rsa.c Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-2.1-restricted' into mbedtls-2.1-restricted 2017-06-08 20:33:53 +02:00
sha1.c
sha256.c
sha512.c
ssl_cache.c
ssl_ciphersuites.c Undo API change 2017-06-20 19:33:51 +01:00
ssl_cli.c Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog. 2017-09-30 23:49:01 +01:00
ssl_cookie.c Backport 2.1:Resource leak in ssl_cookie and mutex 2017-03-02 21:11:16 +00:00
ssl_srv.c Parse Signature Algorithm ext when renegotiating 2017-10-11 13:58:08 +01:00
ssl_ticket.c
ssl_tls.c Don't truncate MAC key when truncated HMAC is negotiated 2017-12-01 10:18:22 +00:00
threading.c Fix bug in threading sample implementation #667 2017-05-15 13:22:51 +01:00
timing.c
version_features.c Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature 2016-10-13 10:35:34 +01:00
version.c
x509_create.c Fix other occurrences of same bounds check issue 2015-11-02 10:43:03 +09:00
x509_crl.c Fix potential integer overflow parsing DER CRL 2017-07-26 17:56:42 +01:00
x509_crt.c Improve comments 2017-07-28 12:20:48 +01:00
x509_csr.c Prevent signed integer overflow in CSR parsing 2017-07-26 17:59:20 +01:00
x509.c Correctly handle leap year in x509_date_is_valid() 2017-10-12 21:03:01 +01:00
x509write_crt.c Rename time and index parameter to avoid name conflict. 2017-07-28 22:14:55 +01:00
x509write_csr.c Add missing bounds check in X509 DER write funcs 2016-10-11 16:52:06 +01:00
xtea.c