Depend on ECJPAKE key exchange, not module

This is more consistent, as it doesn't make any sense for a user to be able to set up an EC J-PAKE password with TLS if the corresponding key exchange is disabled. Arguably this is what we should de for other key exchanges as well instead of depending on ECDH_C etc, but this is an independent issue, so let's just do the right thing with the new key exchange and fix the other ones later. (This is a marginal issue anyway, since people who disable all ECDH key exchange are likely to also disable ECDH_C in order to minimize footprint.)
2025-08-08 17:42:09 +03:00 · 2015-09-16 10:05:04 +02:00
parent ddf97a6c92
commit eef142d753
5 changed files with 18 additions and 18 deletions
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -209,7 +209,7 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */

 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
-    defined(MBEDTLS_ECJPAKE_C)
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
                                                     unsigned char *buf,
                                                     size_t *olen )
@@ -278,9 +278,9 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,

    *olen = 6;
 }
-#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */

-#if defined(MBEDTLS_ECJPAKE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
                                        unsigned char *buf,
                                        size_t *olen )
@@ -320,7 +320,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,

    *olen = kkpp_len + 4;
 }
-#endif /* MBEDTLS_ECJPAKE_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */

 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
@@ -821,7 +821,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
 #endif

 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
-    defined(MBEDTLS_ECJPAKE_C)
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
    ext_len += olen;

@@ -829,7 +829,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
    ext_len += olen;
 #endif

-#if defined(MBEDTLS_ECJPAKE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
    ext_len += olen;
 #endif