Add fallback to non-compliant truncated HMAC for compatibiltiy
In case truncated HMAC must be used but the Mbed TLS peer hasn't been updated yet, one can use the compile-time option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT to temporarily fall back to the old, non-compliant implementation of the truncated HMAC extension.
parent
e9dcb843b2
commit
053b3459d4
|
@ -77,6 +77,10 @@
|
||||||
#error "MBEDTLS_DHM_C defined, but not all prerequisites"
|
#error "MBEDTLS_DHM_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) && !defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||||
|
#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites"
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
|
#if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
|
||||||
#error "MBEDTLS_ECDH_C defined, but not all prerequisites"
|
#error "MBEDTLS_ECDH_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -1183,6 +1183,22 @@
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_SSL_TRUNCATED_HMAC
|
#define MBEDTLS_SSL_TRUNCATED_HMAC
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
|
||||||
|
*
|
||||||
|
* Fallback to old, non-conforming implementation of the truncated
|
||||||
|
* HMAC extension which also truncates the HMAC key.
|
||||||
|
*
|
||||||
|
* \warning This should only be enabled temporarily when the use
|
||||||
|
* of truncated HMAC is mandatory *and* the peer is an Mbed TLS
|
||||||
|
* stack that doesn't use the fixed implementation yet.
|
||||||
|
*
|
||||||
|
* Uncomment to fallback to old, non-compliant truncated HMAC implementation.
|
||||||
|
*
|
||||||
|
* Requires: MBEDTLS_SSL_TRUNCATED_HMAC
|
||||||
|
*/
|
||||||
|
//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def MBEDTLS_THREADING_ALT
|
* \def MBEDTLS_THREADING_ALT
|
||||||
*
|
*
|
||||||
|
|
|
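Review bot: The `\warning` on `MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT` says when to enable the option but not what it costs. The code it gates in `mbedtls_ssl_derive_keys` sets the MAC key length to the truncated MAC length, so the record-integrity key is shorter than the one the compliant implementation uses. Because this is a compile-time switch, it presumably applies to every session that negotiates truncated HMAC, including sessions with peers that already run the fixed implementation, where the differing key length would be expected to make record MAC verification fail. I would add that to the comment, e.g. `* Enabling this shortens the HMAC key to the truncated MAC length and` followed by `* is not interoperable with peers using the compliant implementation.`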
@ -714,7 +714,15 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||||
* so we only need to adjust the length here.
|
* so we only need to adjust the length here.
|
||||||
*/
|
*/
|
||||||
if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
|
if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
|
||||||
|
{
|
||||||
transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
|
transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
|
||||||
|
/* Fall back to old, non-compliant version of the truncated
|
||||||
|
* HMAC implementation which also truncates the key. */
|
||||||
|
mac_key_len = transform->maclen;
|
||||||
|
#endif
|
||||||
|
}
|
||||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||||
|
|
||||||
/* IV length */
|
/* IV length */
|
||||||
|
|
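Review bot: Nothing at run time reveals that the non-compliant key length is in use: inside the `MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT` block, `mac_key_len` is silently overwritten with `transform->maclen`. Since the fallback weakens the MAC key and is documented as temporary, a debug line next to the assignment would let operators spot builds that still carry it, e.g. `MBEDTLS_SSL_DEBUG_MSG( 1, ( "truncated HMAC: using non-compliant truncated MAC key" ) );`. The existing comment could also name the resulting key length (`MBEDTLS_SSL_TRUNCATED_HMAC_LEN` bytes). `mbedtls_ssl_derive_keys` starts and ends outside this hunk, so where `mac_key_len` is first set and later consumed is not visible here.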