Guard configuration-specific code

A large block of code is only reachable if MBEDTLS_PK_USE_PSA_EC_DATA is enabled, i.e. if MBEDTLS_USE_PSA_CRYPTO is enabled with driver-only ECC. Compilers are likely to figure it out, but still, for clarity and robustness, do guard that block of code with the appropriate conditional compilation guard. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-14 16:20:51 +00:00 · 2023-12-18 20:38:38 +01:00 · 2023-12-18 20:38:38 +01:00 · dc49258c8a
commit dc49258c8a
parent 29c4017007
1 changed files with 13 additions and 8 deletions
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@ -2631,13 +2631,8 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
            ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
            ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);

-            if (pk_type == MBEDTLS_PK_OPAQUE) {
-                /* Opaque key is created by the user (externally from Mbed TLS)
-                 * so we assume it already has the right algorithm and flags
-                 * set. Just copy its ID as reference. */
-                ssl->handshake->xxdh_psa_privkey = pk->priv_id;
-                ssl->handshake->xxdh_psa_privkey_is_external = 1;
-            } else {
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+            if (pk_type != MBEDTLS_PK_OPAQUE) {
                /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
                 * module and only have ECDSA capabilities. Since we need
                 * them for ECDH later, we export and then re-import them with
@ -2665,10 +2660,20 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
                /* Set this key as owned by the TLS library: it will be its duty
                 * to clear it exit. */
                ssl->handshake->xxdh_psa_privkey_is_external = 0;
-            }

+                ret = 0;
+                break;
+            }
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+            /* Opaque key is created by the user (externally from Mbed TLS)
+             * so we assume it already has the right algorithm and flags
+             * set. Just copy its ID as reference. */
+            ssl->handshake->xxdh_psa_privkey = pk->priv_id;
+            ssl->handshake->xxdh_psa_privkey_is_external = 1;
            ret = 0;
            break;
+
 #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
        case MBEDTLS_PK_ECKEY:
        case MBEDTLS_PK_ECKEY_DH: