Increase allowed output size of HKDF-Expand-Label

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index ef897e8..895176d 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -107,15 +107,13 @@
 
     unsigned char *p = dst;
 
-    /* Add the size of the expanded key material.
-     * We're hardcoding the high byte to 0 here assuming that we never use
-     * TLS 1.3 HKDF key expansion to more than 255 Bytes. */
-#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
-#error "The implementation of ssl_tls13_hkdf_encode_label() is not fit for the \
-    value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
+    /* Add the size of the expanded key material. */
+#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > UINT16_MAX
+#error "The desired key length must fit into an uint16 but \
+    MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN is greater than UINT16_MAX"
 #endif
 
-    *p++ = 0;
+    *p++ = MBEDTLS_BYTE_1(desired_length);
     *p++ = MBEDTLS_BYTE_0(desired_length);
 
     /* Add label incl. prefix */
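Review bot: The two bytes written at `*p++ = MBEDTLS_BYTE_1(desired_length);` and the line after it silently truncate any `desired_length` above 65535, because the `#if` only guards the configured maximum and not the run-time argument. No comparison of `desired_length` against `MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN` is visible here, and the function starts and ends outside the hunk, so the caller presumably rejects larger values; that is worth confirming. A truncated length in the HkdfLabel would bind the derived key material to a different length than the one requested. I would record the dependency next to the encoding: `/* uint16 length (RFC 8446, 7.1); the caller must reject desired_length > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN. */`.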
diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h
index a4b012f..31ffe44 100644
--- a/library/ssl_tls13_keys.h
+++ b/library/ssl_tls13_keys.h
@@ -70,13 +70,11 @@
     PSA_HASH_MAX_SIZE
 
 /* Maximum desired length for expanded key material generated
- * by HKDF-Expand-Label.
- *
- * Warning: If this ever needs to be increased, the implementation
- * ssl_tls13_hkdf_encode_label() in ssl_tls13_keys.c needs to be
- * adjusted since it currently assumes that HKDF key expansion
- * is never used with more than 255 Bytes of output. */
-#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255
+ * by HKDF-Expand-Label. This algorithm can output up to 255 * hash_size
+ * bytes of key material where hash_size is the output size of the
+ * underlying hash function. */
+#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN \
+    (255 * MBEDTLS_TLS1_3_MD_MAX_SIZE)
 
 /**
  * \brief            The \c HKDF-Expand-Label function from
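Review bot: The new bound `(255 * MBEDTLS_TLS1_3_MD_MAX_SIZE)` is the limit for the largest hash that is compiled in, not for the hash actually in use. A request between 255 * 32 bytes and this maximum would pass a check against the macro while exceeding what HKDF-Expand can produce with a 32-byte hash such as SHA-256. Whether the underlying key-derivation call rejects that case is not visible in this hunk; if it does not, the expand function should also compare the desired length with 255 times the output size of the selected hash and return an error. The comment would be more precise with a closing sentence such as `This macro is an upper bound over all supported hashes; the limit for a given hash is 255 * its output size.` The Doxygen comment that follows continues outside the hunk.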
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index ad0d285..2f3b1eb 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3373,7 +3373,7 @@
 
 TLS 1.3 Keying Material Exporter: Consistent results, large keys
 depends_on:MBEDTLS_SSL_PROTO_TLS1_3
-ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:UINT16_MAX:0
+ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:1024:0
 
 TLS 1.3 Keying Material Exporter: Uses label
 depends_on:MBEDTLS_SSL_PROTO_TLS1_3
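Review bot: The "large keys" case now requests 1024 bytes, which exercises the newly written high length byte but leaves the edges of the new limit untested. A case at exactly 255 times the hash output size, plus one just above it that expects an error, would pin the bound this commit introduces and catch a silent truncation of the length field. Such cases may already exist elsewhere in the file, outside this hunk.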