From d2df573e2be1dd82cc08ee0d55ec97276f88194a Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Thu, 4 Dec 2025 16:31:00 -0800
Subject: [PATCH] KDF Fix

1. While checking the version of wolfSSL used with wolfSSH, also check
   that wolfSSL has the wolfSSH required options configured. This clears
   up a guard issue around the function `wc_SSH_KDF()`. The change makes
   sure wolfSSH falls back on its own version of the function if
   wolfSSL's isn't present.
---
 src/internal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 5c553c6b7..48803c5c8 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -48,7 +48,7 @@
 #include <wolfssl/wolfcrypt/hmac.h>
 #include <wolfssl/wolfcrypt/signature.h>
 
-#if (LIBWOLFSSL_VERSION_HEX >= WOLFSSL_V5_0_0) \
+#if (LIBWOLFSSL_VERSION_HEX >= WOLFSSL_V5_0_0) && defined(WOLFSSL_WOLFSSH) \
     && ((defined(HAVE_FIPS) && FIPS_VERSION_GE(5,2)) \
         || defined(WOLFSSH_NO_NISTP256_MLKEM768_SHA256))
     #include <wolfssl/wolfcrypt/kdf.h>
@@ -2330,7 +2330,7 @@ int GenerateKey(byte hashId, byte keyId,
                 const byte* h, word32 hSz,
                 const byte* sessionId, word32 sessionIdSz,
                 byte doKeyPad)
-#if (LIBWOLFSSL_VERSION_HEX >= WOLFSSL_V5_0_0) \
+#if (LIBWOLFSSL_VERSION_HEX >= WOLFSSL_V5_0_0) && defined(WOLFSSL_WOLFSSH) \
     && ((defined(HAVE_FIPS) && FIPS_VERSION_GE(5,2)) \
         || defined(WOLFSSH_NO_NISTP256_MLKEM768_SHA256))
 /* Cannot use the SSH KDF with ML-KEM. With ML-KEM, doKeyPad must be false,