Fix key_len check in TLS-Exporter

The length of the generated key must fit into a uint16_t, so it must not be larger than 0xffff. Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-09-24 05:00:45 -04:00 · 2024-08-12 13:20:46 +02:00 · 2024-08-12 13:20:46 +02:00 · 91cff4406b
commit 91cff4406b
parent 81dfc8830b
1 changed files with 1 additions and 1 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -8987,7 +8987,7 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl,
    const size_t hash_len = PSA_HASH_LENGTH(hash_alg);
    const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret;

-    if (key_len > 0xff || label_len > 250) {
+    if (key_len > 0xffff || label_len > 250) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }