Don't select a PSK ciphersuite if no key available

include/polarssl/ssl_ciphersuites.h

@@ -215,6 +215,7 @@ pk_type_t ssl_get_ciphersuite_sig_pk_alg( const ssl_ciphersuite_t *info );
 #endif
 
 int ssl_ciphersuite_uses_ec( const ssl_ciphersuite_t *info );
+int ssl_ciphersuite_uses_psk( const ssl_ciphersuite_t *info );
 
 #ifdef __cplusplus
 }

library/ssl_ciphersuites.c

@@ -1210,4 +1210,19 @@ int ssl_ciphersuite_uses_ec( const ssl_ciphersuite_t *info )
     }
 }
 
+int ssl_ciphersuite_uses_psk( const ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case POLARSSL_KEY_EXCHANGE_PSK:
+        case POLARSSL_KEY_EXCHANGE_RSA_PSK:
+        case POLARSSL_KEY_EXCHANGE_DHE_PSK:
+        case POLARSSL_KEY_EXCHANGE_ECDHE_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+
 #endif

library/ssl_srv.c

@@ -1394,6 +1394,16 @@ static int ssl_parse_client_hello( ssl_context *ssl )
                     continue;
 #endif
 
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
+                /* If the ciphersuite requires a pre-shared key and we don't
+                 * have one, skip it now rather than failing later */
+                if( ssl_ciphersuite_uses_psk( ciphersuite_info ) &&
+                    ssl->f_psk == NULL &&
+                    ( ssl->psk == NULL || ssl->psk_identity == NULL ||
+                      ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
+                    continue;
+#endif
+
 #if defined(POLARSSL_X509_CRT_PARSE_C)
                 /*
                  * Final check: if ciphersuite requires us to have a