diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index fa72454e5..bc77b216f 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -77,6 +77,10 @@ #error "MBEDTLS_DHM_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) && !defined(MBEDTLS_SSL_TRUNCATED_HMAC) +#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_CMAC_C) && \ !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C) #error "MBEDTLS_CMAC_C defined, but not all prerequisites" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 47c719640..de49d3af9 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1363,6 +1363,22 @@ */ #define MBEDTLS_SSL_TRUNCATED_HMAC +/** + * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT + * + * Fallback to old, non-conforming implementation of the truncated + * HMAC extension which also truncates the HMAC key. + * + * \warning This should only be enabled temporarily when the use + * of truncated HMAC is mandatory *and* the peer is an Mbed TLS + * stack that doesn't use the fixed implementation yet. + * + * Uncomment to fallback to old, non-compliant truncated HMAC implementation. + * + * Requires: MBEDTLS_SSL_TRUNCATED_HMAC + */ +//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT + /** * \def MBEDTLS_THREADING_ALT * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index eda49d656..62de5f274 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -713,7 +713,15 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) * so we only need to adjust the length here. */ if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) + { transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN; + +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) + /* Fall back to old, non-compliant version of the truncated + * HMAC implementation which also truncates the key. */ + mac_key_len = transform->maclen; +#endif + } #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ /* IV length */