From 76bb753054cf84827ed5196593a6244538b54a8d Mon Sep 17 00:00:00 2001
From: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Date: Thu, 21 Nov 2024 12:33:46 +0100
Subject: [PATCH] Fix max. label length in key material exporter

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
---
 include/mbedtls/ssl.h            | 2 +-
 library/ssl_tls.c                | 6 +++---
 tests/suites/test_suite_ssl.data | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 57669a4db5..cc9da3417d 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -5790,7 +5790,7 @@ int  mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
  * \param key_len     Length of the key to generate in bytes, must be at most
  *                    MBEDTLS_SSL_EXPORT_MAX_KEY_LEN (8160).
  * \param label       Label for which to generate the key of length label_len.
- * \param label_len   Length of label in bytes. Must be at most 250 in TLS 1.3.
+ * \param label_len   Length of label in bytes. Must be at most 249 in TLS 1.3.
  * \param context     Context of the key. Can be NULL if context_len or use_context is 0.
  * \param context_len Length of context. Must be < 2^16 in TLS 1.2.
  * \param use_context Indicates if a context should be used in deriving the key.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0c3fc8415f..d964611e16 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -10124,13 +10124,13 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl,
     const size_t hash_len = PSA_HASH_LENGTH(hash_alg);
     const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret;
 
-    /* The length of the label must be at most 250 bytes to fit into the HkdfLabel
+    /* The length of the label must be at most 249 bytes to fit into the HkdfLabel
      * struct as defined in RFC 8446, Section 7.1.
      *
      * The length of the context is unlimited even though the context field in the
-     * struct can only hold up to 256 bytes. This is because we place a *hash* of
+     * struct can only hold up to 255 bytes. This is because we place a *hash* of
      * the context in the field. */
-    if (label_len > 250) {
+    if (label_len > 249) {
         return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
     }
 
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 98af39873c..4d091847dc 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3509,7 +3509,7 @@ ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:255 * 32 + 1:
 
 TLS 1.3 Keying Material Exporter: Label too long
 depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1
-ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:24:251:10
+ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:24:250:10
 
 TLS 1.3 Keying Material Exporter: Handshake not done
 depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1