commit e952a30d47c2e88315682ccc9a07d0e1c025d9ef
author Neil Armstrong <narmstrong@baylibre.com> Tue May 03 10:22:14 2022 +0200
committer Neil Armstrong <narmstrong@baylibre.com> Wed May 04 11:08:41 2022 +0200
tree 9a0f6efa0ad9667366ebacdd99cae799ef601c1f
parent 61f237afb7b34f643a3d5ee1bcf4d6487c965eb3

Remove RAW PSK when MBEDTLS_USE_PSA_CRYPTO is selected

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 85cfa48..ba8be94 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1527,10 +1527,10 @@
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
         return( 1 );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
+#else
     if( conf->psk != NULL )
         return( 1 );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 
     return( 0 );
 }
@@ -1550,12 +1550,7 @@
         }
         conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
     }
-    /* This and the following branch should never
-     * be taken simultaenously as we maintain the
-     * invariant that raw and opaque PSKs are never
-     * configured simultaneously. As a safeguard,
-     * though, `else` is omitted here. */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#else
     if( conf->psk != NULL )
     {
         mbedtls_platform_zeroize( conf->psk, conf->psk_len );
@@ -1564,6 +1559,7 @@
         conf->psk = NULL;
         conf->psk_len = 0;
     }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 
     /* Remove reference to PSK identity, if any. */
     if( conf->psk_identity != NULL )
@@ -1668,8 +1664,7 @@
         }
         ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
     }
-    else
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#else
     if( ssl->handshake->psk != NULL )
     {
         mbedtls_platform_zeroize( ssl->handshake->psk,
@@ -1677,6 +1672,7 @@
         mbedtls_free( ssl->handshake->psk );
         ssl->handshake->psk_len = 0;
     }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 }
 
 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
@@ -3304,12 +3300,13 @@
         }
         ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
     }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#else
     if( handshake->psk != NULL )
     {
         mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
         mbedtls_free( handshake->psk );
     }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #endif
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
@@ -4508,7 +4505,7 @@
         }
         conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
     }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#else
     if( conf->psk != NULL )
     {
         mbedtls_platform_zeroize( conf->psk, conf->psk_len );
@@ -4516,6 +4513,7 @@
         conf->psk = NULL;
         conf->psk_len = 0;
     }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 
     if( conf->psk_identity != NULL )
     {
@@ -5185,30 +5183,6 @@
     return( 0 );
 }
 
-
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) &&                   \
-    defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED )
-static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
-{
-    if( ssl->conf->f_psk != NULL )
-    {
-        /* If we've used a callback to select the PSK,
-         * the static configuration is irrelevant. */
-        if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
-            return( 1 );
-
-        return( 0 );
-    }
-
-    if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
-        return( 1 );
-
-    return( 0 );
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO &&
-          MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-
 /*
  * Compute master secret if needed
  *
@@ -5281,8 +5255,7 @@
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO) &&                   \
     defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
-    if( mbedtls_ssl_ciphersuite_uses_psk( handshake->ciphersuite_info ) == 1 &&
-        ssl_use_opaque_psk( ssl ) == 1 )
+    if( mbedtls_ssl_ciphersuite_uses_psk( handshake->ciphersuite_info ) == 1 )
     {
         /* Perform PSK-to-MS expansion in a single step. */
         psa_status_t status;