Remove RAW PSK when MBEDTLS_USE_PSA_CRYPTO is selected
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 6a2a18f..a1bd919 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -653,9 +653,10 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
uint8_t psk_opaque_is_internal;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#else
unsigned char *psk; /*!< PSK from the callback */
size_t psk_len; /*!< Length of PSK from callback */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
@@ -1321,6 +1322,12 @@
static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl,
const unsigned char **psk, size_t *psk_len )
{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ (void) ssl;
+ *psk = NULL;
+ *psk_len = 0;
+ return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+#else
if( ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0 )
{
*psk = ssl->handshake->psk;
@@ -1341,6 +1348,7 @@
}
return( 0 );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 85cfa48..ba8be94 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1527,10 +1527,10 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
+#else
if( conf->psk != NULL )
return( 1 );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( 0 );
}
@@ -1550,12 +1550,7 @@
}
conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
}
- /* This and the following branch should never
- * be taken simultaenously as we maintain the
- * invariant that raw and opaque PSKs are never
- * configured simultaneously. As a safeguard,
- * though, `else` is omitted here. */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#else
if( conf->psk != NULL )
{
mbedtls_platform_zeroize( conf->psk, conf->psk_len );
@@ -1564,6 +1559,7 @@
conf->psk = NULL;
conf->psk_len = 0;
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Remove reference to PSK identity, if any. */
if( conf->psk_identity != NULL )
@@ -1668,8 +1664,7 @@
}
ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
}
- else
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#else
if( ssl->handshake->psk != NULL )
{
mbedtls_platform_zeroize( ssl->handshake->psk,
@@ -1677,6 +1672,7 @@
mbedtls_free( ssl->handshake->psk );
ssl->handshake->psk_len = 0;
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
@@ -3304,12 +3300,13 @@
}
ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#else
if( handshake->psk != NULL )
{
mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
mbedtls_free( handshake->psk );
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
@@ -4508,7 +4505,7 @@
}
conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#else
if( conf->psk != NULL )
{
mbedtls_platform_zeroize( conf->psk, conf->psk_len );
@@ -4516,6 +4513,7 @@
conf->psk = NULL;
conf->psk_len = 0;
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( conf->psk_identity != NULL )
{
@@ -5185,30 +5183,6 @@
return( 0 );
}
-
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED )
-static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
-{
- if( ssl->conf->f_psk != NULL )
- {
- /* If we've used a callback to select the PSK,
- * the static configuration is irrelevant. */
- if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
- return( 1 );
-
- return( 0 );
- }
-
- if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
- return( 1 );
-
- return( 0 );
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO &&
- MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-
/*
* Compute master secret if needed
*
@@ -5281,8 +5255,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
- if( mbedtls_ssl_ciphersuite_uses_psk( handshake->ciphersuite_info ) == 1 &&
- ssl_use_opaque_psk( ssl ) == 1 )
+ if( mbedtls_ssl_ciphersuite_uses_psk( handshake->ciphersuite_info ) == 1 )
{
/* Perform PSK-to-MS expansion in a single step. */
psa_status_t status;
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index e2c347e..0d2bd0e 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -62,12 +62,12 @@
return( 0 );
}
- if( conf->psk != NULL && conf->psk_len != 0 )
- return( 1 );
-
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 );
+#else
+ if( conf->psk != NULL && conf->psk_len != 0 )
+ return( 1 );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( 0 );
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 7f725a1..f7cceed 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -160,12 +160,13 @@
if( conf->psk_identity_len == 0 || conf->psk_identity == NULL )
return( 0 );
- if( conf->psk != NULL && conf->psk_len != 0 )
- return( 1 );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 );
+#else
+ if( conf->psk != NULL && conf->psk_len != 0 )
+ return( 1 );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( 0 );