Disable truncated HMAC by default
parent
1028b74cff
commit
662c6e8cdd
4 changed files with 4 additions and 9 deletions
|
@ -85,6 +85,7 @@ Default behavior changes
|
||||||
enabled in the default configuration, this is only noticeable if using a
|
enabled in the default configuration, this is only noticeable if using a
|
||||||
custom config.h
|
custom config.h
|
||||||
* Default DHM parameters server-side upgraded from 1024 to 2048 bits.
|
* Default DHM parameters server-side upgraded from 1024 to 2048 bits.
|
||||||
|
* Negotiation of truncated HMAC is now disabled by default on server too.
|
||||||
|
|
||||||
Reauirement changes
|
Reauirement changes
|
||||||
* The minimum MSVC version required is now 2010 (better C99 support).
|
* The minimum MSVC version required is now 2010 (better C99 support).
|
||||||
|
|
|
@ -1863,8 +1863,7 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_co
|
||||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||||
/**
|
/**
|
||||||
* \brief Activate negotiation of truncated HMAC
|
* \brief Activate negotiation of truncated HMAC
|
||||||
* (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED on client,
|
* (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
|
||||||
* MBEDTLS_SSL_TRUNC_HMAC_ENABLED on server.)
|
|
||||||
*
|
*
|
||||||
* \param conf SSL configuration
|
* \param conf SSL configuration
|
||||||
* \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
|
* \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
|
||||||
|
|
|
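Review bot: The updated `\brief` states only the new default and says nothing about what enabling the option costs, so an integrator who turns it back on gets no guidance from the header. The test expectations in this same commit show the record MAC shrinking from 20 to 10 bytes for a SHA-1 suite once truncation is negotiated. I would add a line such as `* \warning Truncated HMAC shortens the record MAC to 10 bytes; enable it only for peers that require the extension.` The comment block and the declaration it documents continue past the end of this hunk.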
@ -6618,11 +6618,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
|
||||||
if( endpoint == MBEDTLS_SSL_IS_SERVER )
|
|
||||||
conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
|
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
|
||||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
|
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
|
||||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
|
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
|
||||||
|
|
|
@ -626,8 +626,8 @@ run_test "Truncated HMAC: client enabled, server default" \
|
||||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
|
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
|
||||||
trunc_hmac=1" \
|
trunc_hmac=1" \
|
||||||
0 \
|
0 \
|
||||||
-S "dumping 'computed mac' (20 bytes)" \
|
-s "dumping 'computed mac' (20 bytes)" \
|
||||||
-s "dumping 'computed mac' (10 bytes)"
|
-S "dumping 'computed mac' (10 bytes)"
|
||||||
|
|
||||||
run_test "Truncated HMAC: client enabled, server disabled" \
|
run_test "Truncated HMAC: client enabled, server disabled" \
|
||||||
"$P_SRV debug_level=4 trunc_hmac=0" \
|
"$P_SRV debug_level=4 trunc_hmac=0" \
|
||||||
|
|
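Review bot: After the expectations are flipped in "client enabled, server default", no test visible in this section exercises the negotiated 10-byte MAC path any more, and the next case explicitly sets `trunc_hmac=0` on the server. If no other case in the file (outside this hunk) runs both ends with `trunc_hmac=1`, one should be added so that a regression in the truncation code is still caught now that it is opt-in. The last `run_test` in the hunk is cut off after its server line, so its expectations are not visible here.

```shell
run_test    "Truncated HMAC: client enabled, server enabled" \
            "$P_SRV debug_level=4 trunc_hmac=1" \
            "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
             trunc_hmac=1" \
            0 \
            -S "dumping 'computed mac' (20 bytes)" \
            -s "dumping 'computed mac' (10 bytes)"
```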