Fix output size check for key material exporter
HKDF-Expand can produce at most 255 * hash_size bytes of key material,
so this limit applies to the TLS 1.3 key material exporter.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 8383ead..e377289 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -5401,7 +5401,8 @@
*
* \param ssl SSL context from which to export keys. Must have finished the handshake.
* \param out Output buffer of length at least key_len bytes.
- * \param key_len Length of the key to generate in bytes. Must be < 2^16 in TLS 1.3.
+ * \param key_len Length of the key to generate in bytes. In TLS 1.3, this can be at most
+ * 8160 if SHA256 is used as hash function or 12240 if SHA384 is used.
* \param label Label for which to generate the key of length label_len.
* \param label_len Length of label in bytes. Must be < 251 in TLS 1.3.
* \param context Context of the key. Can be NULL if context_len or use_context is 0.
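Review bot: The new key_len text gives 8160 and 12240 as bare numbers, with no link to the rule they come from. The commit message states that rule (HKDF-Expand yields at most 255 * hash_size bytes), so consider putting it in the doc comment as well, for example "at most 255 * hash size: 8160 for SHA256 (255 * 32), 12240 for SHA384 (255 * 48)". That way a reader can verify the values, and the text stays correct if another hash is supported later. The parameter description also does not say what happens when key_len exceeds the limit. If the return-value documentation outside this hunk does not already cover that case, it is worth adding there.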