Disable truncated HMAC by default

Manuel Pégourié-Gonnard 2015-05-06 17:39:23 +01:00
parent 1028b74cff
commit 662c6e8cdd
4 changed files with 4 additions and 9 deletions


@ -85,6 +85,7 @@ Default behavior changes
enabled in the default configuration, this is only noticeable if using a enabled in the default configuration, this is only noticeable if using a
custom config.h custom config.h
* Default DHM parameters server-side upgraded from 1024 to 2048 bits. * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
* Negotiation of truncated HMAC is now disabled by default on server too.
Reauirement changes Reauirement changes
* The minimum MSVC version required is now 2010 (better C99 support). * The minimum MSVC version required is now 2010 (better C99 support).


@ -1863,8 +1863,7 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_co
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
/** /**
* \brief Activate negotiation of truncated HMAC * \brief Activate negotiation of truncated HMAC
* (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED on client, * (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
* MBEDTLS_SSL_TRUNC_HMAC_ENABLED on server.)
* *
* \param conf SSL configuration * \param conf SSL configuration
* \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or * \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
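Review bot: The revised `\brief` records the new default but gives a caller no basis for deciding whether to turn the extension on. The test expectations in this same commit show the MAC dropping from 20 to 10 bytes when truncation is negotiated, so the comment should say so. A line such as `\note Truncation shortens the record MAC to 10 bytes; enable it only where the bandwidth saving justifies the reduced integrity margin.` would fit. The declaration this comment documents lies below the hunk, so the remainder of the comment is not visible here.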


@ -6618,11 +6618,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
} }
#endif #endif
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_TRUNCATED_HMAC)
if( endpoint == MBEDTLS_SSL_IS_SERVER )
conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
#endif
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =


@ -626,8 +626,8 @@ run_test "Truncated HMAC: client enabled, server default" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
trunc_hmac=1" \ trunc_hmac=1" \
0 \ 0 \
-S "dumping 'computed mac' (20 bytes)" \ -s "dumping 'computed mac' (20 bytes)" \
-s "dumping 'computed mac' (10 bytes)" -S "dumping 'computed mac' (10 bytes)"
run_test "Truncated HMAC: client enabled, server disabled" \ run_test "Truncated HMAC: client enabled, server disabled" \
"$P_SRV debug_level=4 trunc_hmac=0" \ "$P_SRV debug_level=4 trunc_hmac=0" \
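Review bot: With the server default flipped to disabled, this case and the following "client enabled, server disabled" case now appear to assert the same outcome, so nothing visible in the hunk still exercises a successful truncated-HMAC negotiation. If no other case covers it, add a "client enabled, server enabled" test that starts the server with `"$P_SRV debug_level=4 trunc_hmac=1"` and expects `-S "dumping 'computed mac' (20 bytes)"` and `-s "dumping 'computed mac' (10 bytes)"`. Without that, a regression in the opt-in path would go unnoticed. The rest of the test list lies outside the hunk, so such a case may already exist.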