Fix key_len check in TLS-Exporter

The length of the generated key must fit into a uint16_t, so it must not be larger than 0xffff. Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-07-30 22:43:08 +03:00 · 2024-08-12 13:20:46 +02:00
parent 77a447ba97
commit 1466bf8897
1 changed files with 1 additions and 1 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -10111,7 +10111,7 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl,
    const size_t hash_len = PSA_HASH_LENGTH(hash_alg);
    const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret;
-    if (key_len > 0xff || label_len > 250) {
+    if (key_len > 0xffff || label_len > 250) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }