diff --git a/configure.ac b/configure.ac index 45db5abc1..017f0b4cc 100644 --- a/configure.ac +++ b/configure.ac @@ -326,7 +326,7 @@ AC_ARG_ENABLE([tls13-draft18], # TLS v1.3 AC_ARG_ENABLE([tls13], - [AS_HELP_STRING([--enable-tls13],[Enable wolfSSL TLS v1.3 (default: disabled)])], + [AS_HELP_STRING([--enable-tls13],[Enable wolfSSL TLS v1.3 (default: enabled)])], [ ENABLED_TLS13=$enableval ], [ ENABLED_TLS13=yes ] ) @@ -334,11 +334,6 @@ if test "x$FIPS_VERSION" = "xv1" then ENABLED_TLS13="no" fi -if test "$ENABLED_TLS13" = "yes" || test "$ENABLED_TLS13_DRAFT18" = "yes" -then - AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS" -fi - # Post-handshake Authentication AC_ARG_ENABLE([postauth], @@ -3142,6 +3137,19 @@ then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_REQUIRE_FFDHE" fi +# TLS 1.3 Requires either ECC, CURVE25519, CURVE448 or DH +if test "x$ENABLED_ECC" = "xno" && test "x$ENABLED_CURVE25519" = "xno" && test "x$ENABLED_CURVE448" = "xno" && test "x$ENABLED_DH" = "xno" +then + # disable TLS 1.3 + ENABLED_TLS13=no + ENABLED_TLS13_DRAFT18=no +fi +if test "$ENABLED_TLS13" = "yes" || test "$ENABLED_TLS13_DRAFT18" = "yes" +then + AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS" +fi + + # Session Ticket Extension AC_ARG_ENABLE([session-ticket], [AS_HELP_STRING([--enable-session-ticket],[Enable Session Ticket (default: disabled)])], diff --git a/src/tls.c b/src/tls.c index af9c7fc10..864474905 100644 --- a/src/tls.c +++ b/src/tls.c @@ -3744,7 +3744,7 @@ int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type, && !defined(HAVE_FFDHE) #error Elliptic Curves Extension requires Elliptic Curve Cryptography. \ Use --enable-ecc in the configure script or define HAVE_ECC. \ - Alternatively use FFDHE for DH ciperhsuites. + Alternatively use FFDHE for DH ciphersuites. #endif static int TLSX_SupportedCurve_New(SupportedCurve** curve, word16 name, @@ -3901,7 +3901,7 @@ static void TLSX_PointFormat_ValidateRequest(WOLFSSL* ssl, byte* semaphore) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS)); } -#endif +#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */ #ifndef NO_WOLFSSL_SERVER @@ -3933,7 +3933,8 @@ static void TLSX_PointFormat_ValidateResponse(WOLFSSL* ssl, byte* semaphore) #endif } -#endif +#endif /* !NO_WOLFSSL_SERVER */ + #ifndef NO_WOLFSSL_CLIENT static word16 TLSX_SupportedCurve_GetSize(SupportedCurve* list) @@ -4117,7 +4118,7 @@ int TLSX_SupportedCurve_CheckPriority(WOLFSSL* ssl) return 0; } -#endif +#endif /* WOLFSSL_TLS13 && !WOLFSSL_NO_SERVER_GROUPS_EXT */ #if defined(HAVE_FFDHE) && !defined(WOLFSSL_NO_TLS12) /* Set the highest priority common FFDHE group on the server as compared to @@ -4267,7 +4268,7 @@ int TLSX_SupportedCurve_Preferred(WOLFSSL* ssl, int checkSupported) return BAD_FUNC_ARG; } -#endif +#endif /* HAVE_SUPPORTED_CURVES */ #ifndef NO_WOLFSSL_SERVER @@ -9756,8 +9757,6 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions) { int ret = WOLFSSL_SUCCESS; #ifdef WOLFSSL_TLS13 - int i; - #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) if (ssl->options.resuming && ssl->session.namedGroup != 0) { return TLSX_UseSupportedCurve(extensions, ssl->session.namedGroup, @@ -9765,7 +9764,9 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions) } #endif +#ifdef HAVE_SUPPORTED_CURVES if (ssl->numGroups != 0) { + int i; for (i = 0; i < ssl->numGroups; i++) { ret = TLSX_UseSupportedCurve(extensions, ssl->group[i], ssl->heap); if (ret != WOLFSSL_SUCCESS) @@ -9773,6 +9774,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions) } return WOLFSSL_SUCCESS; } +#endif /* HAVE_SUPPORTED_CURVES */ #endif /* WOLFSSL_TLS13 */ #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES) diff --git a/src/tls13.c b/src/tls13.c index 88d99023a..db3284254 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -4198,7 +4198,7 @@ static int SendTls13EncryptedExtensions(WOLFSSL* ssl) ssl->keys.encryptionOn = 1; -#ifndef WOLFSSL_NO_SERVER_GROUPS_EXT +#if defined(HAVE_SUPPORTED_CURVES) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT) if ((ret = TLSX_SupportedCurve_CheckPriority(ssl)) != 0) return ret; #endif