TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 76bb753054cf84827ed5196593a6244538b54a8d^! / .
commit76bb753054cf84827ed5196593a6244538b54a8d[log] [tgz]
authorMax Fillinger <maximilian.fillinger@foxcrypto.com>Thu Nov 21 12:33:46 2024 +0100
committerMax Fillinger <maximilian.fillinger@foxcrypto.com>Wed Apr 16 11:24:50 2025 +0200
tree5c51d948cd168af2c45005b4c0c6b8244c6bdea5
parent97a287953ffc35a17cc67b5697e5856c623f8bb2 [diff]
Fix max. label length in key material exporter

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 57669a4..cc9da34 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h

@@ -5790,7 +5790,7 @@
  * \param key_len     Length of the key to generate in bytes, must be at most
  *                    MBEDTLS_SSL_EXPORT_MAX_KEY_LEN (8160).
  * \param label       Label for which to generate the key of length label_len.
- * \param label_len   Length of label in bytes. Must be at most 250 in TLS 1.3.
+ * \param label_len   Length of label in bytes. Must be at most 249 in TLS 1.3.
  * \param context     Context of the key. Can be NULL if context_len or use_context is 0.
  * \param context_len Length of context. Must be < 2^16 in TLS 1.2.
  * \param use_context Indicates if a context should be used in deriving the key.

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0c3fc84..d964611 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -10124,13 +10124,13 @@
     const size_t hash_len = PSA_HASH_LENGTH(hash_alg);
     const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret;
 
-    /* The length of the label must be at most 250 bytes to fit into the HkdfLabel
+    /* The length of the label must be at most 249 bytes to fit into the HkdfLabel
      * struct as defined in RFC 8446, Section 7.1.
      *
      * The length of the context is unlimited even though the context field in the
-     * struct can only hold up to 256 bytes. This is because we place a *hash* of
+     * struct can only hold up to 255 bytes. This is because we place a *hash* of
      * the context in the field. */
-    if (label_len > 250) {
+    if (label_len > 249) {
         return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
     }
 

diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 98af398..4d09184 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data

@@ -3509,7 +3509,7 @@
 
 TLS 1.3 Keying Material Exporter: Label too long
 depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1
-ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:24:251:10
+ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:24:250:10
 
 TLS 1.3 Keying Material Exporter: Handshake not done
 depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1