Deprecate MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT

2024-10-18 19:21:11 +00:00 · 2017-11-21 18:22:53 +00:00 · 2017-11-21 18:22:53 +00:00 · 4c2ac7ef58
parent 563423fb21
commit 4c2ac7ef58
2 changed files with 10 additions and 0 deletions
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1374,6 +1374,9 @@
 *          (2) the peer is an Mbed TLS stack that doesn't use the fixed
 *          implementation yet (version number <= 2.6.0).
 *
+ * \deprecated This option is deprecated and will likely be removed in a
+ *             future version of Mbed TLS.
+ *
 * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
 *
 * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -721,6 +721,13 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
             * HMAC implementation which also truncates the key
             * (Mbed TLS versions from 1.3 to 2.6.0) */
            mac_key_len = transform->maclen;
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT is deprecated and should only be \
+    enabled temporarily when (1) the use of truncated HMAC is essential in order \
+    to save bandwidth, and (2) the peer is an Mbed TLS stack that doesn not use the \
+    fixed implementation yet (version number <= 2.6.0).
+#endif
 #endif
        }
 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */