Merge pull request #8318 from dgarske/CID444418

Fix for finishedSz checking with TLSv1.3 and `WOLFSSL_HAVE_TLS_UNIQUE` (CID444418)
2025-07-29 18:27:29 +02:00 · 2024-12-24 15:41:25 -07:00
parent 17c17cde13 e1baf27831
commit f57f044b39
1 changed files with 3 additions and 3 deletions
--- a/src/tls13.c
+++ b/src/tls13.c
@ -10867,12 +10867,12 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
    }

    if (sniff == NO_SNIFF) {
-        ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz);

-        if (finishedSz > WOLFSSL_MAX_8BIT) {
+        ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz);
+    #ifdef WOLFSSL_HAVE_TLS_UNIQUE
+        if (finishedSz > TLS_FINISHED_SZ_MAX) {
            return BUFFER_ERROR;
        }
-    #ifdef WOLFSSL_HAVE_TLS_UNIQUE
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
            XMEMCPY(ssl->serverFinished, mac, finishedSz);
            ssl->serverFinished_len = (byte)finishedSz;