From 1039ba5c98b35ffc8edc9a45e4b6d13f681f3c45 Mon Sep 17 00:00:00 2001
From: Neil Armstrong <narmstrong@baylibre.com>
Date: Tue, 5 Apr 2022 10:03:24 +0200
Subject: [PATCH] Check if not using Opaque PSK in ECHDE-PSK PSA version of
 ssl_parse_client_key_exchange()

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
---
 library/ssl_tls12_server.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 7b6efb1cc7..327109cd84 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -4046,6 +4046,10 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
         psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
         uint8_t ecpoint_len;
 
+        /* Opaque PSKs are currently only supported for PSK-only. */
+        if( ssl_use_opaque_psk( ssl ) == 1 )
+            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+
         mbedtls_ssl_handshake_params *handshake = ssl->handshake;
 
         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )