Adapt remaining guards to FFDH

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2025-04-10 06:44:28 +00:00 · 2023-06-15 16:48:19 +02:00 · 2023-06-15 16:48:19 +02:00 · 8c0a95374f
commit 8c0a95374f
parent ce05f54283
3 changed files with 17 additions and 12 deletions
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@ -185,7 +185,8 @@ static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_ALPN */

 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
-    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || defined(PSA_WANT_ALG_FFDH)
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || \
+    (defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(PSA_WANT_ALG_FFDH))
 /*
 * Function for writing a supported groups (TLS 1.3) or supported elliptic
 * curves (TLS 1.2) extension.
@ -257,7 +258,7 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
    for (; *group_list != 0; group_list++) {
        MBEDTLS_SSL_DEBUG_MSG(1, ("got supported group(%04x)", *group_list));

-#if defined(MBEDTLS_ECP_LIGHT)
+#if defined(PSA_WANT_ALG_ECDH)
        if ((mbedtls_ssl_conf_is_tls13_enabled(ssl->conf) &&
             mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) ||
            (mbedtls_ssl_conf_is_tls12_enabled(ssl->conf) &&
@ -273,7 +274,7 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
                                      mbedtls_ssl_get_curve_name_from_tls_id(*group_list),
                                      *group_list));
        }
-#endif /* MBEDTLS_ECP_LIGHT */
+#endif /* PSA_WANT_ALG_ECDH */
 #if defined(PSA_WANT_ALG_FFDH)
        if ((mbedtls_ssl_conf_is_tls13_enabled(ssl->conf) &&
             mbedtls_ssl_tls13_named_group_is_dhe(*group_list))) {
@ -314,7 +315,8 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
    return 0;
 }
 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
-          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED || PSA_WANT_ALG_FFDH */
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED ||
+          (MBEDTLS_SSL_PROTO_TLS1_3 && PSA_WANT_ALG_FFDH) */

 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_client_hello_cipher_suites(
@ -606,7 +608,8 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
 #endif

 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
-    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || defined(PSA_WANT_ALG_FFDH)
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || \
+    (defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(PSA_WANT_ALG_FFDH))
    if (
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
        (propose_tls13 &&
@ -623,7 +626,8 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
        p += output_len;
    }
 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
-          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED || PSA_WANT_ALG_FFDH */
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED ||
+          (MBEDTLS_SSL_PROTO_TLS1_3 && PSA_WANT_ALG_FFDH) */

 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
    if (
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -4214,12 +4214,13 @@ void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
    mbedtls_ssl_buffering_free(ssl);
 #endif /* MBEDTLS_SSL_PROTO_DTLS */

-#if defined(PSA_WANT_ALG_ECDH) && \
+#if (defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)) && \
    (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
    if (handshake->ecdh_psa_privkey_is_external == 0) {
        psa_destroy_key(handshake->ecdh_psa_privkey);
    }
-#endif /* PSA_WANT_ALG_ECDH && (MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3) */
+#endif /* (PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH) &&
+          (MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3) */

 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    mbedtls_ssl_transform_free(handshake->transform_handshake);
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@ -776,7 +776,7 @@ static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
    return (int) tls_version;
 }

-#if defined(PSA_WANT_ALG_ECDH)
+#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
 /*
 *
 * From RFC 8446:
@ -832,7 +832,7 @@ static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
    return 0;

 }
-#endif /* PSA_WANT_ALG_ECDH */
+#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

 #define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1

@ -1541,7 +1541,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
                break;
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */

-#if defined(PSA_WANT_ALG_ECDH)
+#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
            case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
                MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension"));

@ -1560,7 +1560,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
                }

                break;
-#endif /* PSA_WANT_ALG_ECDH */
+#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH*/

 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
            case MBEDTLS_TLS_EXT_KEY_SHARE: