Make truncated hmac a runtime option server-side
Reading the documentation of ssl_set_truncated_hmac() may give the impression
that I changed the default for clients, but I didn't: the old documentation was
wrong.
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 6d8626c..534525a 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -629,7 +629,8 @@
((void) buf);
- ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
+ if( ssl->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
+ ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
return( 0 );
}
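Review bot: When the server-side option is off, the added `if` leaves `ssl->session_negotiate->trunc_hmac` untouched instead of assigning it, so correctness depends on that field already holding the disabled value when the extension is parsed; its initialisation is not visible in this hunk. Since this field presumably decides whether the negotiated session uses the shortened MAC, I would either assign it explicitly with `else ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_DISABLED;` or add a comment such as `/* not enabled locally: ignore the extension, the session keeps the full-length MAC */`. The handler's signature is outside the hunk.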
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ea34f66..eda3d6d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3782,6 +3782,11 @@
if( endpoint == SSL_IS_CLIENT )
ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
#endif
+
+#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
+ if( endpoint == SSL_IS_SERVER )
+ ssl->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
+#endif
}
void ssl_set_authmode( ssl_context *ssl, int authmode )
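Review bot: The added block sets `ssl->trunc_hmac` to enabled whenever the endpoint is set to server, so an application that calls `ssl_set_truncated_hmac( ssl, SSL_TRUNC_HMAC_DISABLED )` first and sets the endpoint afterwards gets truncated HMAC silently re-enabled. That call-order dependency should be stated in the API documentation, and a comment here such as `/* server default: honour a client's truncated HMAC request; call ssl_set_truncated_hmac() after this to opt out */` would make it visible in the code. The default keeps the previous server behaviour, but it also means a server accepts the shorter MAC unless the application opts out, which the documentation should state for deployments that want the full-length MAC only. The function's signature is outside the hunk.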
@@ -4203,9 +4208,6 @@
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
{
- if( ssl->endpoint != SSL_IS_CLIENT )
- return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
-
ssl->trunc_hmac = truncate;
return( 0 );
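Review bot: With the endpoint check removed, `truncate` is stored without any validation, so any integer is accepted and the function can no longer report an error. The server-side check added in ssl_srv.c compares against `SSL_TRUNC_HMAC_ENABLED` exactly, so an out-of-range value quietly behaves as disabled there; how the client path treats such a value is not visible here. I would reject unknown values up front: `if( truncate != SSL_TRUNC_HMAC_ENABLED && truncate != SSL_TRUNC_HMAC_DISABLED ) return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );`. The function's closing brace is outside the hunk.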