Enable support for psa opaque DHE-PSK key exchange on the client side

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2025-07-28 00:21:48 +03:00 · 2022-04-19 12:22:38 +02:00
parent b6a0503dda
commit b293aaa61b
3 changed files with 22 additions and 28 deletions
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -1406,22 +1406,6 @@ int main( int argc, char *argv[] )
 #if defined (MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
        if( opt.psk_opaque != 0 )
        {
-            /* Ensure that the chosen ciphersuite is PSK-only, rsa-psk
-               or ecdhe-psk; we must know the ciphersuite in
-               advance to set the correct policy for the
-             * PSK key slot. This limitation might go away in the future. */
-            if( ( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK &&
-                  ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_RSA_PSK &&
-                  ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) ||
-                opt.min_version != MBEDTLS_SSL_MINOR_VERSION_3 )
-            {
-                mbedtls_printf( "opaque PSKs are only supported in conjunction \
-                                 with forcing TLS 1.2 and a PSK-only, RSA-PSK \
-                                 ciphersuites through the 'force_ciphersuite' option.\n" );
-                ret = 2;
-                goto usage;
-            }
-
            /* Determine KDF algorithm the opaque PSK will be used in. */
 #if defined(MBEDTLS_SHA384_C)
            if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )