Adapt guards, dependencies + optimizations

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
diff --git a/ChangeLog.d/ffdh-tls-1-3.txt b/ChangeLog.d/ffdh-tls-1-3.txt
index 139b762..d358f9b 100644
--- a/ChangeLog.d/ffdh-tls-1-3.txt
+++ b/ChangeLog.d/ffdh-tls-1-3.txt
@@ -1,2 +1,2 @@
 Features
-   * Add usage of FFDH keys in TLS 1.3.
+   * Add support for FFDH key exchange in TLS 1.3.
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 163d0a0..257a696 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -185,7 +185,7 @@
 #endif /* MBEDTLS_SSL_ALPN */
 
 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
-    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || defined(PSA_WANT_ALG_FFDH)
 /*
  * Function for writing a supported groups (TLS 1.3) or supported elliptic
  * curves (TLS 1.2) extension.
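Review bot: The four-term guard `MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED || PSA_WANT_ALG_FFDH` is now written out by hand in four places in this file: this `#if`, its `#endif` comment in the -337 hunk, and the call-site `#if`/`#endif` pair in the -629 and -645 hunks. If the definition guard and the call-site guard ever drift apart, the result is either a build failure or a ClientHello that silently lacks the supported-groups extension, which a TLS 1.3 client offering only FFDH needs in order to negotiate a key exchange. Consider defining one file-local macro for the condition, e.g. `#define SSL_CLIENT_HAS_SUPPORTED_GROUPS_EXT` (placeholder name), and testing that in both places. The function this guard wraps continues outside the hunk.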
@@ -274,6 +274,7 @@
                                       *group_list));
         }
 #endif /* MBEDTLS_ECP_LIGHT */
+#if defined(PSA_WANT_ALG_FFDH)
         if ((mbedtls_ssl_conf_is_tls13_enabled(ssl->conf) &&
              mbedtls_ssl_tls13_named_group_is_dhe(*group_list))) {
             const char *ffdh_group = NULL;
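Review bot: The added `#if defined(PSA_WANT_ALG_FFDH)` still compiles this branch in builds that enable FFDH but not TLS 1.3, where the `mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)` operand presumably can never be true. `#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(PSA_WANT_ALG_FFDH)` would state the real dependency; the matching `#endif /* PSA_WANT_ALG_FFDH */` in the -308 hunk would need the same wording, since the block opens here and closes there. Separately, `ffdh_group` starts as `NULL` and is passed to a `%s` debug format at the end of the block; the assignment between the two is outside the visible hunks, so it is worth confirming that every group accepted by `mbedtls_ssl_tls13_named_group_is_dhe()` sets it.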
@@ -308,6 +309,7 @@
             MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )",
                                       ffdh_group, *group_list));
         }
+#endif /* PSA_WANT_ALG_FFDH */
     }
 
     /* Length of named_group_list */
@@ -337,7 +339,7 @@
     return 0;
 }
 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
-          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED || PSA_WANT_ALG_FFDH */
 
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_client_hello_cipher_suites(
@@ -629,7 +631,7 @@
 #endif
 
 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
-    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || defined(PSA_WANT_ALG_FFDH)
     if (
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
         (propose_tls13 &&
@@ -645,7 +647,8 @@
         }
         p += output_len;
     }
-#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED || PSA_WANT_ALG_FFDH */
 
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
     if (
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1d44ccf..c46f041 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4949,7 +4949,7 @@
 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
     MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
 #endif
-#if defined(MBEDTLS_DHM_C)
+#if defined(PSA_WANT_ALG_FFDH)
     MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
     MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
     MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
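Review bot: The FFDHE entries of this default list are now gated only on the algorithm-level macro `PSA_WANT_ALG_FFDH`, so every listed size is advertised whenever FFDH is enabled at all. If the PSA configuration can enable FFDH without every RFC 7919 group size, the default list would offer groups the stack cannot complete, so the guard may need to be per group; this cannot be confirmed from the hunk. The entries also deserve a short comment, for example `/* FFDHE groups: offered for TLS 1.3 only; listed after the ECC groups */`, because the client-side writer in ssl_client.c skips them unless TLS 1.3 is enabled and nothing here says so. The array starts before and continues past this hunk.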
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index c7b677e..dcf3087 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -25,8 +25,6 @@
 #include "test/psa_crypto_helpers.h"
 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
 
-#include "mbedtls/dhm.h"
-
 #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE)
 int main(void)
 {
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 88e328e..f4b2959 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -12353,6 +12353,7 @@
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups (ffdhe2048)" \
          "$P_SRV debug_level=5 force_version=tls13 curves=ffdhe2048" \
          "$P_CLI debug_level=5 force_version=tls13 curves=ffdhe2048" \
@@ -12367,6 +12368,7 @@
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups (ffdhe3072)" \
          "$P_SRV debug_level=4 force_version=tls13 curves=ffdhe3072" \
          "$P_CLI debug_level=4 force_version=tls13 curves=ffdhe3072" \
@@ -12381,6 +12383,7 @@
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups (ffdhe4096)" \
          "$P_SRV debug_level=4 force_version=tls13 curves=ffdhe4096" \
          "$P_CLI debug_level=4 force_version=tls13 curves=ffdhe4096" \
@@ -12395,6 +12398,7 @@
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups (ffdhe6144)" \
          "$P_SRV debug_level=4 force_version=tls13 curves=ffdhe6144" \
          "$P_CLI debug_level=4 force_version=tls13 curves=ffdhe6144" \
@@ -12409,6 +12413,7 @@
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups (ffdhe8192)" \
          "$P_SRV debug_level=4 force_version=tls13 curves=ffdhe8192" \
          "$P_CLI debug_level=4 force_version=tls13 curves=ffdhe8192" \
@@ -12423,6 +12428,7 @@
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups - no match(server: ffdhe2048 client: secp384r1)" \
          "$P_SRV debug_level=4 force_version=tls13 curves=ffdhe2048" \
          "$P_CLI debug_level=4 force_version=tls13 curves=secp384r1" \
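Review bot: The two "no match" tests (this one and the one in the following hunk) run one side with `curves=secp384r1`, but the requirements visible here cover only TLS 1.3, `PSA_WANT_ALG_FFDH` and the ephemeral key-exchange mode. Since this commit extends the library guards so that FFDH can stand in for the ECC options, a configuration without that curve would fail these tests for a reason unrelated to group matching, unless a curve requirement already sits above the hunk. Consider adding a `requires_config_enabled` line for the secp384r1 curve to both tests, with the exact macro name taken from the project's configuration.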
@@ -12436,6 +12442,7 @@
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups - no match(server: secp384r1 client: ffdhe2048)" \
          "$P_SRV debug_level=4 force_version=tls13 curves=secp384r1" \
          "$P_CLI debug_level=4 force_version=tls13 curves=ffdhe2048" \