Disable truncated HMAC by default

parent 1028b74c
......@@ -85,6 +85,7 @@ Default behavior changes
enabled in the default configuration, this is only noticeable if using a
custom config.h
* Default DHM parameters server-side upgraded from 1024 to 2048 bits.
* Negotiation of truncated HMAC is now disabled by default on server too.
Reauirement changes
* The minimum MSVC version required is now 2010 (better C99 support).
......
......@@ -1863,8 +1863,7 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_co
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
/**
* \brief Activate negotiation of truncated HMAC
* (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED on client,
* MBEDTLS_SSL_TRUNC_HMAC_ENABLED on server.)
* (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
*
* \param conf SSL configuration
* \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
......
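Review bot: The doc comment for truncated HMAC negotiation now gives the new default but says nothing about what enabling it costs, which is what a caller deciding to opt back in needs to know. Consider adding a line below the default, such as `Truncation shortens the record MAC to 10 bytes; enable it only where the bandwidth saving justifies the reduced integrity margin.` The 10-byte figure is the one the test hunk in this commit checks for. The comment block continues outside the hunk, so this may already be stated further down.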
......@@ -6618,11 +6618,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
}
#endif
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_TRUNCATED_HMAC)
if( endpoint == MBEDTLS_SSL_IS_SERVER )
conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
#endif
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
......
......@@ -626,8 +626,8 @@ run_test "Truncated HMAC: client enabled, server default" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
trunc_hmac=1" \
0 \
-S "dumping 'computed mac' (20 bytes)" \
-s "dumping 'computed mac' (10 bytes)"
-s "dumping 'computed mac' (20 bytes)" \
-S "dumping 'computed mac' (10 bytes)"
run_test "Truncated HMAC: client enabled, server disabled" \
"$P_SRV debug_level=4 trunc_hmac=0" \
......
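Review bot: With the server default flipped, the "client enabled, server default" case now asserts the full 20-byte MAC, so none of the visible cases exercises a handshake where the 10-byte MAC is actually negotiated. If no other case in the script starts the server with `trunc_hmac=1`, the truncated path loses its positive coverage. A sibling case "client enabled, server enabled" using `-S "dumping 'computed mac' (20 bytes)"` and `-s "dumping 'computed mac' (10 bytes)"` would restore it. The rest of the script is outside the hunk, so such a case may already exist.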