Add fallback to non-compliant truncated HMAC for compatibiltiy

In case truncated HMAC must be used but the Mbed TLS peer hasn't been updated yet, one can use the compile-time option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT to temporarily fall back to the old, non-compliant implementation of the truncated HMAC extension.
2017-11-20 16:36:41 +00:00 · 2017-11-20 16:36:41 +00:00 · e89353a6b4
commit e89353a6b4
parent 8d19bcf37f
3 changed files with 28 additions and 0 deletions
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -77,6 +77,10 @@
 #error "MBEDTLS_DHM_C defined, but not all prerequisites"
 #endif

+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) && !defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_CMAC_C) && \
    !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C)
 #error "MBEDTLS_CMAC_C defined, but not all prerequisites"
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1363,6 +1363,22 @@
 */
 #define MBEDTLS_SSL_TRUNCATED_HMAC

+/**
+ * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
+ *
+ * Fallback to old, non-conforming implementation of the truncated
+ * HMAC extension which also truncates the HMAC key.
+ *
+ * \warning This should only be enabled temporarily when the use
+ *          of truncated HMAC is mandatory *and* the peer is an Mbed TLS
+ *          stack that doesn't use the fixed implementation yet.
+ *
+ * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
+ *
+ * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
+ */
+//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
+
 /**
 * \def MBEDTLS_THREADING_ALT
 *
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -713,7 +713,15 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
         * so we only need to adjust the length here.
         */
        if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
+        {
            transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
+            /* Fall back to old, non-compliant version of the truncated
+             * HMAC implementation which also truncates the key. */
+            mac_key_len = transform->maclen;
+#endif
+        }
 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */

        /* IV length */