Drop support for compatibility with our own previous buggy implementation of truncated HMAC (MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT).

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2025-11-03 20:22:59 -05:00 · 2021-02-19 13:40:25 +01:00 · 2021-02-19 13:40:25 +01:00 · 2012ed7560
commit 2012ed7560
parent 06b07fb839
7 changed files with 1 additions and 70 deletions
--- a/ChangeLog.d/remove_obsolete_tls_features.txt
+++ b/ChangeLog.d/remove_obsolete_tls_features.txt
@ -1,3 +1,4 @@
 API changes
   * Drop support for parsing SSLv2 ClientHello (MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO).
   * Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
+   * Drop support for compatibility with our own previous buggy implementation of truncated HMAC (MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT).
--- a/configs/config-psa-crypto.h
+++ b/configs/config-psa-crypto.h
@ -1597,30 +1597,6 @@
 */
 #define MBEDTLS_SSL_TRUNCATED_HMAC

-/**
- * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
- *
- * Fallback to old (pre-2.7), non-conforming implementation of the truncated
- * HMAC extension which also truncates the HMAC key. Note that this option is
- * only meant for a transitory upgrade period and is likely to be removed in
- * a future version of the library.
- *
- * \warning The old implementation is non-compliant and has a security weakness
- *          (2^80 brute force attack on the HMAC key used for a single,
- *          uninterrupted connection). This should only be enabled temporarily
- *          when (1) the use of truncated HMAC is essential in order to save
- *          bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
- *          the fixed implementation yet (pre-2.7).
- *
- * \deprecated This option is deprecated and will likely be removed in a
- *             future version of Mbed TLS.
- *
- * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
- *
- * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
- */
-//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-
 /**
 * \def MBEDTLS_THREADING_ALT
 *
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -81,10 +81,6 @@
 #error "MBEDTLS_DHM_C defined, but not all prerequisites"
 #endif

-#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) && !defined(MBEDTLS_SSL_TRUNCATED_HMAC)
-#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites"
-#endif
-
 #if defined(MBEDTLS_CMAC_C) && \
    !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C)
 #error "MBEDTLS_CMAC_C defined, but not all prerequisites"
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1924,30 +1924,6 @@
 */
 #define MBEDTLS_SSL_TRUNCATED_HMAC

-/**
- * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
- *
- * Fallback to old (pre-2.7), non-conforming implementation of the truncated
- * HMAC extension which also truncates the HMAC key. Note that this option is
- * only meant for a transitory upgrade period and will be removed in a future
- * version of the library.
- *
- * \warning The old implementation is non-compliant and has a security weakness
- *          (2^80 brute force attack on the HMAC key used for a single,
- *          uninterrupted connection). This should only be enabled temporarily
- *          when (1) the use of truncated HMAC is essential in order to save
- *          bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
- *          the fixed implementation yet (pre-2.7).
- *
- * \deprecated This option is deprecated and will be removed in a
- *             future version of Mbed TLS.
- *
- * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
- *
- * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
- */
-//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-
 /**
 * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
 *
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -998,13 +998,6 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
        if( trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
        {
            transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
-
-#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
-            /* Fall back to old, non-compliant version of the truncated
-             * HMAC implementation which also truncates the key
-             * (Mbed TLS versions from 1.3 to 2.6.0) */
-            mac_key_len = transform->maclen;
-#endif
        }
 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */

--- a/library/version_features.c
+++ b/library/version_features.c
@ -552,9 +552,6 @@ static const char * const features[] = {
 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
    "MBEDTLS_SSL_TRUNCATED_HMAC",
 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
-#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
-    "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT",
-#endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */
 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
    "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH",
 #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@ -1529,14 +1529,6 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */

-#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
-    if( strcmp( "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT", config ) == 0 )
-    {
-        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT );
-        return( 0 );
-    }
-#endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */
-
 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
    if( strcmp( "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH", config ) == 0 )
    {