Deprecate MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index fa935c7..6082d46 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1374,6 +1374,9 @@
  *          (2) the peer is an Mbed TLS stack that doesn't use the fixed
  *          implementation yet (version number <= 2.6.0).
  *
+ * \deprecated This option is deprecated and will likely be removed in a
+ *             future version of Mbed TLS.
+ *
  * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
  *
  * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
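Review bot: The added `\deprecated` paragraph gives neither a reason nor a migration path, so a reader of config.h cannot tell that this is more than housekeeping. The ssl_tls.c comment touched by this same commit says the old implementation also truncates the HMAC key, and that is worth stating where the option is documented. I would extend the note along the lines of `\deprecated This option keeps the old, non-compliant implementation, which also truncates the HMAC key; disable it once every peer runs a version newer than 2.6.0.` The doc comment begins and ends outside this hunk.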
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3cd1d62..8bab913 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -721,6 +721,13 @@
              * HMAC implementation which also truncates the key
              * (Mbed TLS versions from 1.3 to 2.6.0) */
             mac_key_len = transform->maclen;
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT is deprecated and should only be \
+    enabled temporarily when (1) the use of truncated HMAC is essential in order \
+    to save bandwidth, and (2) the peer is an Mbed TLS stack that doesn not use the \
+    fixed implementation yet (version number <= 2.6.0).
+#endif
 #endif
         }
 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
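Review bot: The new `#warning` text has a typo, `doesn not` should read `does not`, and the directive sits in the middle of a function body next to `mac_key_len = transform->maclen;` instead of with the other configuration checks. The warning is only emitted when `MBEDTLS_DEPRECATED_WARNING` is defined, so a build that enables the compat option without it still gets the truncated MAC key with no diagnostic. Nothing here honours `MBEDTLS_DEPRECATED_REMOVED` either; I would add `#if defined(MBEDTLS_DEPRECATED_REMOVED)` / `#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT is deprecated and has been removed"` / `#endif` so that hardened configurations cannot enable the weakened mode by accident. The enclosing function starts and ends outside the hunk.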