--enable-ech conflicts with --enable-harden-tls: HAVE_TRUNCATED_HMAC forced on

[cpsource]

Version

5.9.0

Description

Enabling ECH (--enable-ech) alongside --enable-harden-tls fails to build with:

#error "Truncated HMAC Extension not allowed"

This happens because --enable-ech requires TLS extensions (ENABLED_TLSX), and the TLSX bundle unconditionally forces HAVE_TRUNCATED_HMAC on at configure.ac:7743:

if test "x$ENABLED_TLSX" = "xyes"
then
    ENABLED_SNI=yes
    ENABLED_MAX_FRAGMENT=yes
    ENABLED_TRUNCATED_HMAC=yes    # <-- forced on
    ENABLED_ALPN=yes

This conflicts with WOLFSSL_HARDEN_TLS which prohibits truncated HMAC per RFC 9325 Section 4.6 (settings.h:4747).

Workaround

Pass CFLAGS="-DWOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC" to suppress the error. Truncated HMAC is compiled in but does not weaken ECH itself.

Suggested fix

The TLSX bundle should not force HAVE_TRUNCATED_HMAC when WOLFSSL_HARDEN_TLS is active. Either:

1. Skip setting ENABLED_TRUNCATED_HMAC=yes when --enable-harden-tls is also set, or
2. Break the TLSX bundle into individual extensions so ECH can pull in only what it needs (SNI, ALPN) without dragging in truncated HMAC.

Reproduce

./configure --enable-harden-tls --enable-ech
make

[cpsource]

Proposed Fix

In configure.ac, the TLSX bundle now conditionally skips HAVE_TRUNCATED_HMAC when --enable-harden-tls is active. The change wraps the truncated HMAC enablement in an ENABLED_HARDEN_TLS check:

 if test "x$ENABLED_TLSX" = "xyes"
 then
     ENABLED_SNI=yes
     ENABLED_MAX_FRAGMENT=yes
-    ENABLED_TRUNCATED_HMAC=yes
     ENABLED_ALPN=yes
     ENABLED_TRUSTED_CA=yes
     ENABLED_ENCRYPT_THEN_MAC=yes
-    AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_ALPN -DHAVE_TRUSTED_CA"
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_ALPN -DHAVE_TRUSTED_CA"
+    if test "x$ENABLED_HARDEN_TLS" = "xno"
+    then
+        ENABLED_TRUNCATED_HMAC=yes
+        AM_CFLAGS="$AM_CFLAGS -DHAVE_TRUNCATED_HMAC"
+    fi

Behavior

• --enable-harden-tls NOT set: TLSX bundle works exactly as before (truncated HMAC included)
• --enable-harden-tls IS set: TLSX bundle omits truncated HMAC, respecting RFC 9325
• No CFLAGS="-DWOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC" workaround needed

This also benefits other TLSX consumers (nginx, haproxy, lighty, etc.) when combined with --enable-harden-tls.

Testing

Verified all three configurations build, pass make check, and run a TLS 1.3 client/server test:

• ./configure --enable-harden-tls --enable-ech — now succeeds (previously failed)
• ./configure --enable-ech — still includes HAVE_TRUNCATED_HMAC (backward compat)
• ./configure --enable-harden-tls --enable-tlsx — correctly omits truncated HMAC