From 28916ac8feb83852de9f94f7d2dcb6857d17991d Mon Sep 17 00:00:00 2001
From: Max Fillinger
Date: Tue, 29 Oct 2024 18:49:30 +0100
Subject: [PATCH] Increase allowed output size of HKDF-Expand-Label
Signed-off-by: Max Fillinger
---
 library/ssl_tls13_keys.c | 12 +++++-------
 library/ssl_tls13_keys.h | 12 +++++-------
 tests/suites/test_suite_ssl.data | 2 +-
 3 files changed, 11 insertions(+), 15 deletions(-)
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index ef897e88be..895176d0c6 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -107,15 +107,13 @@ static void ssl_tls13_hkdf_encode_label(
 unsigned char *p = dst;
- /* Add the size of the expanded key material.
- * We're hardcoding the high byte to 0 here assuming that we never use
- * TLS 1.3 HKDF key expansion to more than 255 Bytes. */
-#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
-#error "The implementation of ssl_tls13_hkdf_encode_label() is not fit for the \
- value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
+ /* Add the size of the expanded key material. */
+#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > UINT16_MAX
+#error "The desired key length must fit into an uint16 but \
+ MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN is greater than UINT16_MAX"
 #endif
- *p++ = 0;
+ *p++ = MBEDTLS_BYTE_1(desired_length);
 *p++ = MBEDTLS_BYTE_0(desired_length);
 /* Add label incl. prefix */
diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h
index a4b012f36e..31ffe4481e 100644
--- a/library/ssl_tls13_keys.h
+++ b/library/ssl_tls13_keys.h
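Review bot: The compile-time guard ahead of `*p++ = MBEDTLS_BYTE_1(desired_length);` in ssl_tls13_keys.c bounds only MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN, not the runtime `desired_length`; the two byte stores keep the low 16 bits, so a larger value would be encoded as a different length with no error, and this `static void` function has no way to report one. The HkdfLabel length field is part of what separates one derived secret from another, so it should always equal the number of bytes actually expanded. The range check presumably lives in the caller, which is outside this hunk (the function itself also starts and ends outside it), so I would state the precondition where the removed warning used to be: `/* Precondition: desired_length <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN, checked by the caller; only the low 16 bits are encoded here. */`.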
@@ -70,13 +70,11 @@ extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels;
 PSA_HASH_MAX_SIZE
 /* Maximum desired length for expanded key material generated
- * by HKDF-Expand-Label.
- *
- * Warning: If this ever needs to be increased, the implementation
- * ssl_tls13_hkdf_encode_label() in ssl_tls13_keys.c needs to be
- * adjusted since it currently assumes that HKDF key expansion
- * is never used with more than 255 Bytes of output. */
-#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255
+ * by HKDF-Expand-Label. This algorithm can output up to 255 * hash_size
+ * bytes of key material where hash_size is the output size of the
+ * underlying hash function. */
+#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN \
+ (255 * MBEDTLS_TLS1_3_MD_MAX_SIZE)
 /**
 * \brief The \c HKDF-Expand-Label function from
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index ad0d2851f3..2f3b1ebee6 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3373,7 +3373,7 @@ ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:1
 TLS 1.3 Keying Material Exporter: Consistent results, large keys
 depends_on:MBEDTLS_SSL_PROTO_TLS1_3
-ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:UINT16_MAX:0
+ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:1024:0
 TLS 1.3 Keying Material Exporter: Uses label
 depends_on:MBEDTLS_SSL_PROTO_TLS1_3
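Review bot: The new value `(255 * MBEDTLS_TLS1_3_MD_MAX_SIZE)` in ssl_tls13_keys.h is an upper bound over every hash the build supports, while the comment above it describes the limit as 255 * hash_size for the underlying hash, so the two do not say the same thing. A length check against this macro would accept a request that is above the HKDF-Expand limit of a smaller hash actually in use, and rejecting it is then left to the HKDF implementation, which is not visible here. I would add to the comment: `This is the largest such bound over all supported hashes; the limit for a given call is 255 times the output size of the hash in use.` The `#if` in ssl_tls13_keys.c also depends on MBEDTLS_TLS1_3_MD_MAX_SIZE expanding to a plain integer constant at preprocessing time, because an identifier the preprocessor does not know evaluates to 0 and the guard would then pass silently; its definition is not fully visible in this hunk.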
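Review bot: Nothing in the test_suite_ssl.data hunk pins the new limit itself; the large-keys case now requests 1024 bytes, which does reach the new high length byte but stays far from the bound. A pair of cases, one at exactly 255 * hash_size for the hash under test and one a byte above it, would show that the largest allowed export succeeds and that the first disallowed length is rejected rather than truncated. The meaning of the trailing `0` argument is defined in the test function, which is outside this diff, so whether the old UINT16_MAX case was an expected failure cannot be told from here.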