Enable support for psa opaque DHE-PSK key exchange on the server side
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 1adfe3e..5fa5643 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -4083,12 +4083,6 @@
return( ret );
}
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- /* Opaque PSKs are currently only supported for PSK-only. */
- if( ssl_use_opaque_psk( ssl ) == 1 )
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-#endif
-
if( p != end )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index bc2aa68..46c6b76 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2207,21 +2207,6 @@
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if( opt.psk_opaque != 0 || opt.psk_list_opaque != 0 )
{
- /* Ensure that the chosen ciphersuite is PSK-only; we must know
- * the ciphersuite in advance to set the correct policy for the
- * PSK key slot. This limitation might go away in the future. */
- if( ( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK &&
- ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_RSA_PSK &&
- ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) ||
- opt.min_version != MBEDTLS_SSL_MINOR_VERSION_3 )
- {
- mbedtls_printf( "opaque PSKs are only supported in conjunction \
- with forcing TLS 1.2 and a PSK-only, RSA-PSK, ECDHE-PSK \
- ciphersuites through the 'force_ciphersuite' option.\n" );
- ret = 2;
- goto usage;
- }
-
/* Determine KDF algorithm the opaque PSK will be used in. */
#if defined(MBEDTLS_SHA384_C)
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )