ECJPAKE: always use MD light

This enables access to all available hashes, instead of the previous
situation where you had to choose by including MD_C or not.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index bfbf9de..b84aaee 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -89,7 +89,8 @@
 
 /* Auto-enable MBEDTLS_MD_LIGHT if some module needs it.
  */
-#if defined(MBEDTLS_PEM_PARSE_C) || \
+#if defined(MBEDTLS_ECJPAKE_C) || \
+    defined(MBEDTLS_PEM_PARSE_C) || \
     defined(MBEDTLS_RSA_C)
 #define MBEDTLS_MD_LIGHT
 #endif
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index ffaeccb..4f214cf 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -374,12 +374,10 @@
 #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
 #endif
 
-/* Use of EC J-PAKE in TLS requires SHA-256.
- * This will be taken from MD if it is present, or from PSA if MD is absent.
- * Note: MBEDTLS_ECJPAKE_C depends on MBEDTLS_MD_C || MBEDTLS_PSA_CRYPTO_C. */
+/* Use of EC J-PAKE in TLS requires SHA-256. */
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) &&                    \
-    !( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) &&          \
-    !( !defined(MBEDTLS_MD_C) && defined(PSA_WANT_ALG_SHA_256) )
+    !(defined(MBEDTLS_SHA256_C) || \
+      (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256)))
 #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
 #endif
 
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index bf88f61..0940cb6 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -993,9 +993,13 @@
  * might still happen. For this reason, this is disabled by default.
  *
  * Requires: MBEDTLS_ECJPAKE_C
- *           SHA-256 (via MD if present, or via PSA, see MBEDTLS_ECJPAKE_C)
+ *           SHA-256 (via MBEDTLS_SHA256_C or a PSA driver)
  *           MBEDTLS_ECP_DP_SECP256R1_ENABLED
  *
+ * \warning If SHA-256 is provided only by a PSA driver, you must call
+ * psa_crypto_init() before the first hanshake (even if
+ * MBEDTLS_USE_PSA_CRYPTO is disabled).
+ *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
  *      MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
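Review bot: The added `\warning` misspells "handshake" as `hanshake`; this comment feeds the generated configuration documentation, so it is worth correcting to `before the first handshake` before merge. The warning also does not say what an integrator will observe if psa_crypto_init() is skipped. If the hash call simply fails and the handshake aborts with an error, a short clause such as `otherwise the handshake will fail` would make the misconfiguration easier to recognise, but that behaviour is not visible in this hunk and should be confirmed first. The comment block starts and ends outside the hunk.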
@@ -2504,13 +2508,8 @@
  *
  * Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C
  *
- * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
- * before doing any EC J-PAKE operations.
- *
- * \warning When building with MBEDTLS_MD_C, all hashes used with this
- * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C,
- * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by
- * this module in builds where MBEDTLS_MD_C is disabled.
+ * \warning If using a hash that is only provided by PSA drivers, you must
+ * call psa_crypto_init() before doing any EC J-PAKE operations.
  */
 #define MBEDTLS_ECJPAKE_C
 
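Review bot: The unchanged line `Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C` looks stale next to the rewritten warning. With this commit the module always hashes through MD light, which build_info.h now auto-enables for MBEDTLS_ECJPAKE_C, so the real prerequisite appears to be that the chosen hash is available either as a built-in or through PSA. Consider rewording it along the lines of `Requires: MBEDTLS_ECP_C and the hash in use, built-in (e.g. MBEDTLS_SHA256_C) or provided by PSA`. It is also worth checking whether check_config.h still enforces the old MD_C-or-PSA condition for MBEDTLS_ECJPAKE_C, since that check is not part of this diff.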
diff --git a/library/ecjpake.c b/library/ecjpake.c
index 36c1327..d3836ac 100644
--- a/library/ecjpake.c
+++ b/library/ecjpake.c
@@ -30,18 +30,6 @@
 #include "mbedtls/platform_util.h"
 #include "mbedtls/error.h"
 
-/* We use MD first if it's available (for compatibility reasons)
- * and "fall back" to PSA otherwise (which needs psa_crypto_init()). */
-#if !defined(MBEDTLS_MD_C)
-#include "psa/crypto.h"
-#include "mbedtls/psa_util.h"
-#if !defined(MBEDTLS_ECJPAKE_ALT)
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status,   \
-                                                           psa_to_md_errors,              \
-                                                           psa_generic_status_to_mbedtls)
-#endif /* !MBEDTLS_ECJPAKE_ALT */
-#endif /* !MBEDTLS_MD_C */
-
 #include "hash_info.h"
 
 #include <string.h>
@@ -66,19 +54,8 @@
                                         const unsigned char *input, size_t ilen,
                                         unsigned char *output)
 {
-#if defined(MBEDTLS_MD_C)
     return mbedtls_md(mbedtls_md_info_from_type(md_type),
                       input, ilen, output);
-#else
-    psa_algorithm_t alg = mbedtls_psa_translate_md(md_type);
-    psa_status_t status;
-    size_t out_size = PSA_HASH_LENGTH(alg);
-    size_t out_len;
-
-    status = psa_hash_compute(alg, input, ilen, output, out_size, &out_len);
-
-    return PSA_TO_MBEDTLS_ERR(status);
-#endif /* !MBEDTLS_MD_C */
 }
 
 /*
@@ -142,15 +119,9 @@
 
     ctx->role = role;
 
-#if defined(MBEDTLS_MD_C)
     if ((mbedtls_md_info_from_type(hash)) == NULL) {
         return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
     }
-#else
-    if (mbedtls_psa_translate_md(hash) == MBEDTLS_MD_NONE) {
-        return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
-    }
-#endif
 
     ctx->md_type = hash;
 
diff --git a/tests/suites/test_suite_ecjpake.function b/tests/suites/test_suite_ecjpake.function
index d5c0f07..20f1bf8 100644
--- a/tests/suites/test_suite_ecjpake.function
+++ b/tests/suites/test_suite_ecjpake.function
@@ -109,6 +109,8 @@
     mbedtls_md_type_t valid_md = MBEDTLS_MD_SHA256;
     mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP256R1;
 
+    MD_PSA_INIT();
+
     mbedtls_ecjpake_init(&ctx);
 
     TEST_EQUAL(MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
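Review bot: This test initialises `ctx` with mbedtls_ecjpake_init(), but its exit path in the following hunk goes straight to `MD_PSA_DONE();` without `mbedtls_ecjpake_free(&ctx);`, unlike the other test cases in this commit that set up a context. The omission predates the change (the old exit path was a bare `return;`), and the setup call is expected to fail early. Since the exit label is being edited anyway, adding the free before `MD_PSA_DONE();` would make the teardown uniform and leave nothing allocated if setup ever gets further before rejecting its input. The test function starts before this hunk and ends in the next one.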
@@ -118,14 +120,19 @@
                                      valid_group,
                                      buf, len));
 exit:
-    return;
+    MD_PSA_DONE();
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
 void ecjpake_selftest()
 {
+    MD_PSA_INIT();
+
     TEST_ASSERT(mbedtls_ecjpake_self_test(1) == 0);
+
+exit:
+    MD_PSA_DONE();
 }
 /* END_CASE */
 
@@ -137,6 +144,8 @@
     const size_t pw_len = 0;
     int any_role = MBEDTLS_ECJPAKE_CLIENT;
 
+    MD_PSA_INIT();
+
     mbedtls_ecjpake_init(&corrupt_ctx);
     TEST_ASSERT(mbedtls_ecjpake_setup(&corrupt_ctx, any_role,
                                       MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw,
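Review bot: `MD_PSA_INIT();` is placed before `mbedtls_ecjpake_init(&corrupt_ctx);`, while the `exit:` label in the next hunk calls `mbedtls_ecjpake_free(&corrupt_ctx);`. If MD_PSA_INIT() can jump to `exit` on failure, as assertion-style test macros typically do (its definition is not part of this diff), the free would run on an uninitialised context, which is undefined behaviour in the test. Swapping the two lines so the context is initialised first avoids that: `mbedtls_ecjpake_init(&corrupt_ctx);` followed by `MD_PSA_INIT();`. The same ordering appears in the three later hunks that add `MD_PSA_INIT();` ahead of `mbedtls_ecjpake_init(&ctx);`.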
@@ -148,6 +157,7 @@
 
 exit:
     mbedtls_ecjpake_free(&corrupt_ctx);
+    MD_PSA_DONE();
 }
 /* END_CASE */
 
@@ -158,6 +168,8 @@
     const unsigned char *pw = NULL;
     const size_t pw_len = 0;
 
+    MD_PSA_INIT();
+
     mbedtls_ecjpake_init(&ctx);
 
     TEST_ASSERT(mbedtls_ecjpake_setup(&ctx, role,
@@ -168,6 +180,7 @@
 
 exit:
     mbedtls_ecjpake_free(&ctx);
+    MD_PSA_DONE();
 }
 /* END_CASE */
 
@@ -178,6 +191,8 @@
     const unsigned char *pw = NULL;
     const size_t pw_len = 0;
 
+    MD_PSA_INIT();
+
     mbedtls_ecjpake_init(&ctx);
 
     TEST_ASSERT(mbedtls_ecjpake_setup(&ctx, MBEDTLS_ECJPAKE_CLIENT,
@@ -194,6 +209,7 @@
 
 exit:
     mbedtls_ecjpake_free(&ctx);
+    MD_PSA_DONE();
 }
 /* END_CASE */
 
@@ -204,6 +220,8 @@
     const unsigned char *pw = NULL;
     const size_t pw_len = 0;
 
+    MD_PSA_INIT();
+
     mbedtls_ecjpake_init(&ctx);
 
     TEST_ASSERT(mbedtls_ecjpake_setup(&ctx, MBEDTLS_ECJPAKE_SERVER,
@@ -220,5 +238,6 @@
 
 exit:
     mbedtls_ecjpake_free(&ctx);
+    MD_PSA_DONE();
 }
 /* END_CASE */