Enable support for psa opaque RSA-PSK key exchange on the server side Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>

commit: aeb710fec5f9bdf6906486cea6513b7c47349af3 [log] [tgz]
author: Przemek Stekiel <przemyslaw.stekiel@mobica.com> Wed Apr 06 11:40:30 2022 +0200
committer: Przemek Stekiel <przemyslaw.stekiel@mobica.com> Fri Apr 22 14:52:28 2022 +0200
tree: 5e6281cf5ee099819304442f0bfddb8d1f3648e2
parent: 8e0495e0f4f6645071e71ba287c89eedb2086786 [diff] [blame]
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 6fd916f..05d382b 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c

@@ -4047,18 +4047,19 @@
             return( ret );
         }
 
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-        /* Opaque PSKs are currently only supported for PSK-only. */
-        if( ssl_use_opaque_psk( ssl ) == 1 )
-            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-#endif
-
         if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
             return( ret );
         }
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+        /* For opaque PSKs, we perform the PSK-to-MS derivation automatically
+         * and skip the intermediate PMS. */
+        if( ssl_use_opaque_psk( ssl ) == 1 )
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque RSA-PSK" ) );
+        else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
                         ciphersuite_info->key_exchange ) ) != 0 )
         {
commit	aeb710fec5f9bdf6906486cea6513b7c47349af3	[log] [tgz]
author	Przemek Stekiel <przemyslaw.stekiel@mobica.com>	Wed Apr 06 11:40:30 2022 +0200
committer	Przemek Stekiel <przemyslaw.stekiel@mobica.com>	Fri Apr 22 14:52:28 2022 +0200
tree	5e6281cf5ee099819304442f0bfddb8d1f3648e2
parent	8e0495e0f4f6645071e71ba287c89eedb2086786 [diff] [blame]