ssl_client.c: Fix key share code guards
In TLS 1.3 key sharing is not restricted to key
exchange with certificate authentication. It
happens in the PSK and ephemeral key exchange
mode as well where there is no certificate
authentication.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 769a8f2..33c02e6 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -434,7 +434,7 @@
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_ECDH_C)
if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
{
ret = mbedtls_ssl_write_supported_groups_ext( ssl, p, end, &output_len );
@@ -442,7 +442,11 @@
return( ret );
p += output_len;
}
+#endif /* MBEDTLS_ECDH_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
if( mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) )
{
ret = mbedtls_ssl_write_sig_alg_ext( ssl, p, end, &output_len );
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 2586c6d..204c448 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1897,16 +1897,14 @@
named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192 );
}
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) || \
- defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
int mbedtls_ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
size_t *out_len );
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED ||
- MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
/*
* Return supported signature algorithms.
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 88cd22a..f701215 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -159,8 +159,6 @@
}
#endif /* MBEDTLS_SSL_ALPN */
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-
static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
{
uint16_t group_id = ssl->handshake->offered_group_id;
@@ -584,8 +582,6 @@
return( ret );
}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
/*
* ssl_tls13_parse_cookie_ext()
* Parse cookie extension in Hello Retry Request
@@ -699,7 +695,6 @@
return( ret );
p += ext_len;
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
{
ret = ssl_tls13_write_key_share_ext( ssl, p, end, &ext_len );
@@ -707,7 +702,6 @@
return( ret );
p += ext_len;
}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
*out_len = p - buf;
@@ -1093,7 +1087,6 @@
fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
goto cleanup;
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
case MBEDTLS_TLS_EXT_KEY_SHARE:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
@@ -1116,7 +1109,6 @@
goto cleanup;
}
break;
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
default:
MBEDTLS_SSL_DEBUG_MSG(
@@ -1271,7 +1263,6 @@
static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
{
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
@@ -1296,9 +1287,6 @@
ret = ssl_tls13_reset_key_share( ssl );
if( ret != 0 )
return( ret );
-#else
- ((void) ssl);
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
return( 0 );
}