From 702dfbcf1374ad4af09df291b4dad217ee78ef72 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 29 Nov 2017 16:35:46 +0000 Subject: [PATCH] Improve documentation of truncated HMAC fallback option --- include/mbedtls/config.h | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 6082d46b8..6a04d6e65 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1366,13 +1366,17 @@ /** * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT * - * Fallback to old, non-conforming implementation of the truncated - * HMAC extension which also truncates the HMAC key. + * Fallback to old (pre-2.7), non-conforming implementation of the truncated + * HMAC extension which also truncates the HMAC key. Note that this option is + * only meant for a transitory upgrade period and is likely to be removed in + * a future version of the library. * - * \warning This should only be enabled temporarily when (1) the use of - * truncated HMAC is essential in order to save bandwidth, and - * (2) the peer is an Mbed TLS stack that doesn't use the fixed - * implementation yet (version number <= 2.6.0). + * \warning The old implementation is non-compliant and has a security weakness + * (2^80 brute force attack on the HMAC key used for a single, + * uninterrupted connection). This should only be enabled temporarily + * when (1) the use of truncated HMAC is essential in order to save + * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use + * the fixed implementation yet (pre-2.7). * * \deprecated This option is deprecated and will likely be removed in a * future version of Mbed TLS.