initial remove of MBEDTLS_USE_PSA_CRYPTO

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2026-04-14 08:47:42 -07:00 · 2025-05-07 14:21:20 +01:00
parent d6f881e8ca
commit 4bb98be277
24 changed files with 33 additions and 346 deletions
--- a/programs/fuzz/fuzz_client.c
+++ b/programs/fuzz/fuzz_client.c
@@ -78,12 +78,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
    mbedtls_ctr_drbg_init(&ctr_drbg);
    mbedtls_entropy_init(&entropy);

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
                              (const unsigned char *) pers, strlen(pers)) != 0) {
@@ -179,9 +177,7 @@ exit:
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_ssl_config_free(&conf);
    mbedtls_ssl_free(&ssl);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

 #else
    (void) Data;
--- a/programs/fuzz/fuzz_dtlsclient.c
+++ b/programs/fuzz/fuzz_dtlsclient.c
@@ -61,12 +61,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
    mbedtls_ctr_drbg_init(&ctr_drbg);
    mbedtls_entropy_init(&entropy);

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
                              (const unsigned char *) pers, strlen(pers)) != 0) {
@@ -124,9 +122,7 @@ exit:
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_ssl_config_free(&conf);
    mbedtls_ssl_free(&ssl);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

 #else
    (void) Data;
--- a/programs/fuzz/fuzz_dtlsserver.c
+++ b/programs/fuzz/fuzz_dtlsserver.c
@@ -58,12 +58,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
    mbedtls_ssl_config_init(&conf);
    mbedtls_ssl_cookie_init(&cookie_ctx);

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
                              (const unsigned char *) pers, strlen(pers)) != 0) {
@@ -166,9 +164,7 @@ exit:
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_ssl_config_free(&conf);
    mbedtls_ssl_free(&ssl);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

 #else
    (void) Data;
--- a/programs/fuzz/fuzz_server.c
+++ b/programs/fuzz/fuzz_server.c
@@ -67,12 +67,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
    mbedtls_ssl_ticket_init(&ticket_ctx);
 #endif
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
                              (const unsigned char *) pers, strlen(pers)) != 0) {
@@ -194,19 +192,17 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 exit:
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
    mbedtls_ssl_ticket_free(&ticket_ctx);
-#endif
+#endif /* (MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) */
    mbedtls_entropy_free(&entropy);
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_ssl_config_free(&conf);
 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
    mbedtls_x509_crt_free(&srvcert);
    mbedtls_pk_free(&pkey);
-#endif
+#endif /* (MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) */
    mbedtls_ssl_free(&ssl);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif
-#else
+#else /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
    (void) Data;
    (void) Size;
 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
--- a/programs/fuzz/fuzz_x509crl.c
+++ b/programs/fuzz/fuzz_x509crl.c
@@ -12,31 +12,27 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
    unsigned char buf[4096];

    mbedtls_x509_crl_init(&crl);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
    ret = mbedtls_x509_crl_parse(&crl, Data, Size);
 #if !defined(MBEDTLS_X509_REMOVE_INFO)
    if (ret == 0) {
        ret = mbedtls_x509_crl_info((char *) buf, sizeof(buf) - 1, " ", &crl);
    }
-#else
+#else /* MBEDTLS_X509_REMOVE_INFO */
    ((void) ret);
    ((void) buf);
 #endif /* !MBEDTLS_X509_REMOVE_INFO */

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 exit:
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
    mbedtls_x509_crl_free(&crl);
-#else
+#else /* MBEDTLS_X509_CRL_PARSE_C */
    (void) Data;
    (void) Size;
-#endif
+#endif /* MBEDTLS_X509_CRL_PARSE_C */

    return 0;
 }
--- a/programs/fuzz/fuzz_x509crt.c
+++ b/programs/fuzz/fuzz_x509crt.c
@@ -12,12 +12,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
    unsigned char buf[4096];

    mbedtls_x509_crt_init(&crt);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
    ret = mbedtls_x509_crt_parse(&crt, Data, Size);
 #if !defined(MBEDTLS_X509_REMOVE_INFO)
    if (ret == 0) {
@@ -28,15 +26,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
    ((void) buf);
 #endif /* !MBEDTLS_X509_REMOVE_INFO */

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 exit:
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
    mbedtls_x509_crt_free(&crt);
-#else
+#else /* MBEDTLS_X509_CRT_PARSE_C */
    (void) Data;
    (void) Size;
-#endif
+#endif /* MBEDTLS_X509_CRT_PARSE_C */

    return 0;
 }
--- a/programs/fuzz/fuzz_x509csr.c
+++ b/programs/fuzz/fuzz_x509csr.c
@@ -12,31 +12,27 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
    unsigned char buf[4096];

    mbedtls_x509_csr_init(&csr);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
    ret = mbedtls_x509_csr_parse(&csr, Data, Size);
 #if !defined(MBEDTLS_X509_REMOVE_INFO)
    if (ret == 0) {
        ret = mbedtls_x509_csr_info((char *) buf, sizeof(buf) - 1, " ", &csr);
    }
-#else
+#else /* !MBEDTLS_X509_REMOVE_INFO */
    ((void) ret);
    ((void) buf);
 #endif /* !MBEDTLS_X509_REMOVE_INFO */

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 exit:
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
    mbedtls_x509_csr_free(&csr);
-#else
+#else /* MBEDTLS_X509_CSR_PARSE_C */
    (void) Data;
    (void) Size;
-#endif
+#endif /* MBEDTLS_X509_CSR_PARSE_C */

    return 0;
 }
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -257,14 +257,12 @@ int main(int argc, char *argv[])
    mbedtls_ctr_drbg_init(&ctr_drbg);
    memset(buf, 0, sizeof(buf));

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
                        (int) status);
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (argc < 2) {
 usage:
@@ -473,9 +471,7 @@ exit:
    mbedtls_pk_free(&key);
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_entropy_free(&entropy);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    mbedtls_exit(exit_code);
 }
--- a/programs/pkey/pk_sign.c
+++ b/programs/pkey/pk_sign.c
@@ -55,14 +55,12 @@ int main(int argc, char *argv[])
    mbedtls_ctr_drbg_init(&ctr_drbg);
    mbedtls_pk_init(&pk);

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
                        (int) status);
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (argc != 3) {
        mbedtls_printf("usage: mbedtls_pk_sign <key_file> <filename>\n");
@@ -139,9 +137,7 @@ exit:
    mbedtls_pk_free(&pk);
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_entropy_free(&entropy);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

 #if defined(MBEDTLS_ERROR_C)
    if (exit_code != MBEDTLS_EXIT_SUCCESS) {
--- a/programs/pkey/pk_verify.c
+++ b/programs/pkey/pk_verify.c
@@ -47,14 +47,12 @@ int main(int argc, char *argv[])

    mbedtls_pk_init(&pk);

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
                        (int) status);
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (argc != 3) {
        mbedtls_printf("usage: mbedtls_pk_verify <key_file> <filename>\n");
@@ -115,9 +113,7 @@ int main(int argc, char *argv[])

 exit:
    mbedtls_pk_free(&pk);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

 #if defined(MBEDTLS_ERROR_C)
    if (exit_code != MBEDTLS_EXIT_SUCCESS) {
--- a/programs/pkey/rsa_sign_pss.c
+++ b/programs/pkey/rsa_sign_pss.c
@@ -57,14 +57,12 @@ int main(int argc, char *argv[])
    mbedtls_pk_init(&pk);
    mbedtls_ctr_drbg_init(&ctr_drbg);

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
                        (int) status);
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (argc != 3) {
        mbedtls_printf("usage: rsa_sign_pss <key_file> <filename>\n");
@@ -153,9 +151,7 @@ exit:
    mbedtls_pk_free(&pk);
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_entropy_free(&entropy);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    mbedtls_exit(exit_code);
 }
--- a/programs/pkey/rsa_verify_pss.c
+++ b/programs/pkey/rsa_verify_pss.c
@@ -51,14 +51,12 @@ int main(int argc, char *argv[])

    mbedtls_pk_init(&pk);

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
                        (int) status);
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (argc != 3) {
        mbedtls_printf("usage: rsa_verify_pss <key_file> <filename>\n");
@@ -131,9 +129,7 @@ int main(int argc, char *argv[])

 exit:
    mbedtls_pk_free(&pk);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    mbedtls_exit(exit_code);
 }
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -9,9 +9,7 @@

 #include "ssl_test_lib.h"

-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
 #include "test/psa_crypto_helpers.h"
-#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

 #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE)
 int main(void)
@@ -145,7 +143,7 @@ int main(void)
 #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
 #define USAGE_IO ""
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
 #define USAGE_KEY_OPAQUE \
    "    key_opaque=%%d       Handle your private key as if it were opaque\n" \
    "                        default: 0 (disabled)\n"
@@ -172,7 +170,6 @@ int main(void)
    "    psk=%%s              default: \"\" (disabled)\n"     \
    "                          The PSK values are in hex, without 0x.\n" \
    "    psk_identity=%%s     default: \"Client_identity\"\n"
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #define USAGE_PSK_SLOT                          \
    "    psk_opaque=%%d       default: 0 (don't use opaque static PSK)\n"     \
    "                          Enable this to store the PSK configured through command line\n" \
@@ -185,7 +182,6 @@ int main(void)
    "                          with prepopulated key slots instead of importing raw key material.\n"
 #else
 #define USAGE_PSK_SLOT ""
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT
 #else
 #define USAGE_PSK ""
@@ -309,14 +305,9 @@ int main(void)
 #endif

 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #define USAGE_ECJPAKE \
    "    ecjpake_pw=%%s           default: none (disabled)\n"   \
    "    ecjpake_pw_opaque=%%d    default: 0 (disabled)\n"
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-#define USAGE_ECJPAKE \
-    "    ecjpake_pw=%%s           default: none (disabled)\n"
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
 #define USAGE_ECJPAKE ""
 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
@@ -488,9 +479,7 @@ struct options {
    const char *crt_file;       /* the file with the client certificate     */
    const char *key_file;       /* the file with the client key             */
    int key_opaque;             /* handle private key as if it were opaque  */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    int psk_opaque;
-#endif
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
    int ca_callback;            /* Use callback for trusted certificate list */
 #endif
@@ -498,9 +487,7 @@ struct options {
    const char *psk;            /* the pre-shared key                       */
    const char *psk_identity;   /* the pre-shared key identity              */
    const char *ecjpake_pw;     /* the EC J-PAKE password                   */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    int ecjpake_pw_opaque;      /* set to 1 to use the opaque method for setting the password */
-#endif
    int ec_max_ops;             /* EC consecutive operations limit          */
    int force_ciphersuite[2];   /* protocol/ciphersuite to use, or all      */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
@@ -824,16 +811,12 @@ int main(int argc, char *argv[])

    const char *pers = "ssl_client2";

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
    mbedtls_svc_key_id_t slot = MBEDTLS_SVC_KEY_ID_INIT;
    psa_algorithm_t alg = 0;
    psa_key_attributes_t key_attributes;
 #endif
    psa_status_t status;
-#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    psa_status_t status;
-#endif

    rng_context_t rng;
    mbedtls_ssl_context ssl;
@@ -850,9 +833,7 @@ int main(int argc, char *argv[])
    mbedtls_x509_crt clicert;
    mbedtls_pk_context pkey;
    mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
-#endif
 #endif  /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
    char *p, *q;
    const int *list;
@@ -877,10 +858,9 @@ int main(int argc, char *argv[])
        MBEDTLS_TLS_SRTP_UNSET
    };
 #endif /* MBEDTLS_SSL_DTLS_SRTP */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
-    defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */
-#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */

 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
    mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf));
@@ -907,7 +887,6 @@ int main(int argc, char *argv[])
    memset((void *) alpn_list, 0, sizeof(alpn_list));
 #endif

-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
    status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
@@ -915,7 +894,6 @@ int main(int argc, char *argv[])
        ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
        goto exit;
    }
-#endif  /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
    mbedtls_test_enable_insecure_external_rng();
 #endif  /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
@@ -942,17 +920,13 @@ int main(int argc, char *argv[])
    opt.key_opaque          = DFL_KEY_OPAQUE;
    opt.key_pwd             = DFL_KEY_PWD;
    opt.psk                 = DFL_PSK;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    opt.psk_opaque          = DFL_PSK_OPAQUE;
-#endif
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
    opt.ca_callback         = DFL_CA_CALLBACK;
 #endif
    opt.psk_identity        = DFL_PSK_IDENTITY;
    opt.ecjpake_pw          = DFL_ECJPAKE_PW;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    opt.ecjpake_pw_opaque   = DFL_ECJPAKE_PW_OPAQUE;
-#endif
    opt.ec_max_ops          = DFL_EC_MAX_OPS;
    opt.force_ciphersuite[0] = DFL_FORCE_CIPHER;
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
@@ -1127,7 +1101,7 @@ usage:
        } else if (strcmp(p, "key_pwd") == 0) {
            opt.key_pwd = q;
        }
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
        else if (strcmp(p, "key_opaque") == 0) {
            opt.key_opaque = atoi(q);
        }
@@ -1152,11 +1126,9 @@ usage:
        else if (strcmp(p, "psk") == 0) {
            opt.psk = q;
        }
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
        else if (strcmp(p, "psk_opaque") == 0) {
            opt.psk_opaque = atoi(q);
        }
-#endif
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
        else if (strcmp(p, "ca_callback") == 0) {
            opt.ca_callback = atoi(q);
@@ -1167,11 +1139,9 @@ usage:
        } else if (strcmp(p, "ecjpake_pw") == 0) {
            opt.ecjpake_pw = q;
        }
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
        else if (strcmp(p, "ecjpake_pw_opaque") == 0) {
            opt.ecjpake_pw_opaque = atoi(q);
        }
-#endif
        else if (strcmp(p, "ec_max_ops") == 0) {
            opt.ec_max_ops = atoi(q);
        } else if (strcmp(p, "force_ciphersuite") == 0) {
@@ -1500,7 +1470,6 @@ usage:
    }
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    if (opt.psk_opaque != 0) {
        if (opt.psk == NULL) {
            mbedtls_printf("psk_opaque set but no psk to be imported specified.\n");
@@ -1515,7 +1484,6 @@ usage:
            goto usage;
        }
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (opt.force_ciphersuite[0] > 0) {
        const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
@@ -1550,7 +1518,6 @@ usage:
            }
        }

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
        if (opt.psk_opaque != 0) {
            /* Determine KDF algorithm the opaque PSK will be used in. */
@@ -1562,7 +1529,6 @@ usage:
            alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
        }
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
    }

 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@@ -1786,7 +1752,6 @@ usage:
        goto exit;
    }

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    if (opt.key_opaque != 0) {
        psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE;
        psa_key_usage_t usage = 0;
@@ -1805,7 +1770,6 @@ usage:
            }
        }
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    mbedtls_printf(" ok (key type: %s)\n",
                   strlen(opt.key_file) || strlen(opt.key_opaque_alg1) ?
@@ -2006,7 +1970,6 @@ usage:
 #endif

 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    if (opt.psk_opaque != 0) {
        key_attributes = psa_key_attributes_init();
        psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
@@ -2027,7 +1990,6 @@ usage:
            goto exit;
        }
    } else
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
    if (psk_len > 0) {
        ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len,
                                   (const unsigned char *) opt.psk_identity,
@@ -2098,7 +2060,6 @@ usage:

 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    if (opt.ecjpake_pw != DFL_ECJPAKE_PW) {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
        if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) {
            psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;

@@ -2124,7 +2085,6 @@ usage:
            }
            mbedtls_printf("using opaque password\n");
        } else
-#endif  /* MBEDTLS_USE_PSA_CRYPTO */
        {
            if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl,
                                                           (const unsigned char *) opt.ecjpake_pw,
@@ -3206,13 +3166,10 @@ exit:
    mbedtls_x509_crt_free(&clicert);
    mbedtls_x509_crt_free(&cacert);
    mbedtls_pk_free(&pkey);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_destroy_key(key_slot);
-#endif
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */

-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \
-    defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
    if (opt.psk_opaque != 0) {
        /* This is ok even if the slot hasn't been
         * initialized (we might have jumed here
@@ -3229,11 +3186,9 @@ exit:
            }
        }
    }
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED &&
-          MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */

-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
-    defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    /*
     * In case opaque keys it's the user responsibility to keep the key valid
     * for the duration of the handshake and destroy it at the end
@@ -3252,9 +3207,8 @@ exit:
            psa_destroy_key(ecjpake_pw_slot);
        }
    }
-#endif  /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */
+#endif  /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */

-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
    const char *message = mbedtls_test_helper_is_psa_leaking();
    if (message) {
        if (ret == 0) {
@@ -3262,14 +3216,11 @@ exit:
        }
        mbedtls_printf("PSA memory leak detected: %s\n",  message);
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

    /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto
     * resources are freed by rng_free(). */
-#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) && \
    !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
    mbedtls_psa_crypto_free();
-#endif

    rng_free(&rng);

--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -53,9 +53,7 @@ int main(void)
 #include <windows.h>
 #endif

-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
 #include "test/psa_crypto_helpers.h"
-#endif

 #include "mbedtls/pk.h"
 #if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER)
@@ -205,7 +203,7 @@ int main(void)
 #else
 #define USAGE_IO ""
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
 #define USAGE_KEY_OPAQUE \
    "    key_opaque=%%d       Handle your private keys as if they were opaque\n" \
    "                        default: 0 (disabled)\n"
@@ -248,7 +246,6 @@ int main(void)
    "                          The PSK values are in hex, without 0x.\n" \
    "                          id1,psk1[,id2,psk2[,...]]\n"             \
    "    psk_identity=%%s     default: \"Client_identity\"\n"
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #define USAGE_PSK_SLOT                          \
    "    psk_opaque=%%d       default: 0 (don't use opaque static PSK)\n"     \
    "                          Enable this to store the PSK configured through command line\n" \
@@ -270,7 +267,6 @@ int main(void)
    "                          with prepopulated key slots instead of importing raw key material.\n"
 #else
 #define USAGE_PSK_SLOT ""
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT
 #else
 #define USAGE_PSK ""
@@ -419,14 +415,9 @@ int main(void)
 #endif

 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #define USAGE_ECJPAKE \
    "    ecjpake_pw=%%s           default: none (disabled)\n"   \
    "    ecjpake_pw_opaque=%%d    default: 0 (disabled)\n"
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-#define USAGE_ECJPAKE \
-    "    ecjpake_pw=%%s           default: none (disabled)\n"
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
 #define USAGE_ECJPAKE ""
 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
@@ -641,10 +632,8 @@ struct options {
    int async_private_delay1;   /* number of times f_async_resume needs to be called for key 1, or -1 for no async */
    int async_private_delay2;   /* number of times f_async_resume needs to be called for key 2, or -1 for no async */
    int async_private_error;    /* inject error in async private callback */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    int psk_opaque;
    int psk_list_opaque;
-#endif
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
    int ca_callback;            /* Use callback for trusted certificate list */
 #endif
@@ -652,9 +641,7 @@ struct options {
    const char *psk_identity;   /* the pre-shared key identity              */
    char *psk_list;             /* list of PSK id/key pairs for callback    */
    const char *ecjpake_pw;     /* the EC J-PAKE password                   */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    int ecjpake_pw_opaque;      /* set to 1 to use the opaque method for setting the password */
-#endif
    int force_ciphersuite[2];   /* protocol/ciphersuite to use, or all      */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    int tls13_kex_modes;        /* supported TLS 1.3 key exchange modes     */
@@ -962,9 +949,7 @@ struct _psk_entry {
    const char *name;
    size_t key_len;
    unsigned char key[MBEDTLS_PSK_MAX_LEN];
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_svc_key_id_t slot;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
    psk_entry *next;
 };

@@ -976,7 +961,6 @@ static int psk_free(psk_entry *head)
    psk_entry *next;

    while (head != NULL) {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
        psa_status_t status;
        mbedtls_svc_key_id_t const slot = head->slot;

@@ -986,7 +970,6 @@ static int psk_free(psk_entry *head)
                return status;
            }
        }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

        next = head->next;
        mbedtls_free(head);
@@ -1052,11 +1035,9 @@ static int psk_callback(void *p_info, mbedtls_ssl_context *ssl,
    while (cur != NULL) {
        if (name_len == strlen(cur->name) &&
            memcmp(name, cur->name, name_len) == 0) {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
            if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(cur->slot) != 0) {
                return mbedtls_ssl_set_hs_psk_opaque(ssl, cur->slot);
            } else
-#endif
            return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len);
        }

@@ -1302,7 +1283,6 @@ static void ssl_async_cancel(mbedtls_ssl_context *ssl)
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
 static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot,
                                           psa_algorithm_t alg,
@@ -1326,7 +1306,6 @@ static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot,
    return PSA_SUCCESS;
 }
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
 static int report_cid_usage(mbedtls_ssl_context *ssl,
@@ -1543,10 +1522,8 @@ int main(int argc, char *argv[])
    io_ctx_t io_ctx;
    unsigned char *buf = 0;
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_algorithm_t alg = 0;
    mbedtls_svc_key_id_t psk_slot = MBEDTLS_SVC_KEY_ID_INIT;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
    unsigned char psk[MBEDTLS_PSK_MAX_LEN];
    size_t psk_len = 0;
    psk_entry *psk_info = NULL;
@@ -1574,10 +1551,8 @@ int main(int argc, char *argv[])
    mbedtls_x509_crt srvcert2;
    mbedtls_pk_context pkey2;
    mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
    mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
-#endif
    int key_cert_init = 0, key_cert_init2 = 0;
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
@@ -1609,10 +1584,9 @@ int main(int argc, char *argv[])
    unsigned char *context_buf = NULL;
    size_t context_buf_len = 0;
 #endif
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
-    defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */
-#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */

 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
    uint16_t sig_alg_list[SIG_ALG_LIST_SIZE];
@@ -1621,9 +1595,7 @@ int main(int argc, char *argv[])
    int i;
    char *p, *q;
    const int *list;
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
    psa_status_t status;
-#endif
    unsigned char eap_tls_keymaterial[16];
    unsigned char eap_tls_iv[8];
    const char *eap_tls_label = "client EAP encryption";
@@ -1684,7 +1656,6 @@ int main(int argc, char *argv[])
    mbedtls_ssl_cookie_init(&cookie_ctx);
 #endif

-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
    status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
@@ -1692,7 +1663,6 @@ int main(int argc, char *argv[])
        ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
        goto exit;
    }
-#endif  /* MBEDTLS_USE_PSA_CRYPTO */
 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
    mbedtls_test_enable_insecure_external_rng();
 #endif  /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
@@ -1731,19 +1701,15 @@ int main(int argc, char *argv[])
    opt.async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2;
    opt.async_private_error = DFL_ASYNC_PRIVATE_ERROR;
    opt.psk                 = DFL_PSK;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    opt.psk_opaque          = DFL_PSK_OPAQUE;
    opt.psk_list_opaque     = DFL_PSK_LIST_OPAQUE;
-#endif
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
    opt.ca_callback         = DFL_CA_CALLBACK;
 #endif
    opt.psk_identity        = DFL_PSK_IDENTITY;
    opt.psk_list            = DFL_PSK_LIST;
    opt.ecjpake_pw          = DFL_ECJPAKE_PW;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    opt.ecjpake_pw_opaque   = DFL_ECJPAKE_PW_OPAQUE;
-#endif
    opt.force_ciphersuite[0] = DFL_FORCE_CIPHER;
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    opt.tls13_kex_modes     = DFL_TLS1_3_KEX_MODES;
@@ -1924,7 +1890,7 @@ usage:
        } else if (strcmp(p, "key_pwd") == 0) {
            opt.key_pwd = q;
        }
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
        else if (strcmp(p, "key_opaque") == 0) {
            opt.key_opaque = atoi(q);
        }
@@ -1973,13 +1939,11 @@ usage:
        else if (strcmp(p, "psk") == 0) {
            opt.psk = q;
        }
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
        else if (strcmp(p, "psk_opaque") == 0) {
            opt.psk_opaque = atoi(q);
        } else if (strcmp(p, "psk_list_opaque") == 0) {
            opt.psk_list_opaque = atoi(q);
        }
-#endif
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
        else if (strcmp(p, "ca_callback") == 0) {
            opt.ca_callback = atoi(q);
@@ -1992,11 +1956,9 @@ usage:
        } else if (strcmp(p, "ecjpake_pw") == 0) {
            opt.ecjpake_pw = q;
        }
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
        else if (strcmp(p, "ecjpake_pw_opaque") == 0) {
            opt.ecjpake_pw_opaque = atoi(q);
        }
-#endif
        else if (strcmp(p, "force_ciphersuite") == 0) {
            opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q);

@@ -2367,7 +2329,6 @@ usage:
        goto exit;
    }

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    if (opt.psk_opaque != 0) {
        if (strlen(opt.psk) == 0) {
            mbedtls_printf("psk_opaque set but no psk to be imported specified.\n");
@@ -2397,7 +2358,6 @@ usage:
            goto usage;
        }
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (opt.force_ciphersuite[0] > 0) {
        const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
@@ -2427,7 +2387,6 @@ usage:
            opt.min_version = ciphersuite_info->min_tls_version;
        }

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
        if (opt.psk_opaque != 0 || opt.psk_list_opaque != 0) {
            /* Determine KDF algorithm the opaque PSK will be used in. */
@@ -2439,7 +2398,6 @@ usage:
            alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
        }
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
    }

 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@@ -2732,7 +2690,6 @@ usage:
 #endif /* PSA_HAVE_ALG_SOME_ECDSA && PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */
    }

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    if (opt.key_opaque != 0) {
        psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE;
        psa_key_usage_t psa_usage = 0;
@@ -2768,7 +2725,6 @@ usage:
            }
        }
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    mbedtls_printf(" ok (key types: %s, %s)\n",
                   key_cert_init ? mbedtls_pk_get_name(&pkey) : "none",
@@ -3182,7 +3138,6 @@ usage:
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)

    if (strlen(opt.psk) != 0 && strlen(opt.psk_identity) != 0) {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
        if (opt.psk_opaque != 0) {
            /* The algorithm has already been determined earlier. */
            status = psa_setup_psk_key_slot(&psk_slot, alg, psk, psk_len);
@@ -3199,7 +3154,6 @@ usage:
                goto exit;
            }
        } else
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
        if (psk_len > 0) {
            ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len,
                                       (const unsigned char *) opt.psk_identity,
@@ -3213,7 +3167,6 @@ usage:
    }

    if (opt.psk_list != NULL) {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
        if (opt.psk_list_opaque != 0) {
            psk_entry *cur_psk;
            for (cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next) {
@@ -3227,7 +3180,6 @@ usage:
                }
            }
        }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

        mbedtls_ssl_conf_psk_cb(&conf, psk_callback, psk_info);
    }
@@ -3384,7 +3336,6 @@ reset:

 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    if (opt.ecjpake_pw != DFL_ECJPAKE_PW) {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
        if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) {
            psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;

@@ -3410,7 +3361,6 @@ reset:
            }
            mbedtls_printf("using opaque password\n");
        } else
-#endif  /* MBEDTLS_USE_PSA_CRYPTO */
        {
            if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl,
                                                           (const unsigned char *) opt.ecjpake_pw,
@@ -4253,11 +4203,9 @@ exit:
    mbedtls_pk_free(&pkey);
    mbedtls_x509_crt_free(&srvcert2);
    mbedtls_pk_free(&pkey2);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_destroy_key(key_slot);
    psa_destroy_key(key_slot2);
 #endif
-#endif

 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
    for (i = 0; (size_t) i < ssl_async_keys.slots_used; i++) {
@@ -4269,8 +4217,7 @@ exit:
    }
 #endif

-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \
-    defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
    if (opt.psk_opaque != 0) {
        /* This is ok even if the slot hasn't been
         * initialized (we might have jumed here
@@ -4284,11 +4231,9 @@ exit:
                           (int) status);
        }
    }
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED &&
-          MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */

-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
-    defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    /*
     * In case opaque keys it's the user responsibility to keep the key valid
     * for the duration of the handshake and destroy it at the end
@@ -4307,9 +4252,8 @@ exit:
            psa_destroy_key(ecjpake_pw_slot);
        }
    }
-#endif  /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */
+#endif  /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */

-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
    const char *message = mbedtls_test_helper_is_psa_leaking();
    if (message) {
        if (ret == 0) {
@@ -4317,12 +4261,10 @@ exit:
        }
        mbedtls_printf("PSA memory leak detected: %s\n",  message);
    }
-#endif

    /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto
     * resources are freed by rng_free(). */
-#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) \
-    && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
+#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
    mbedtls_psa_crypto_free();
 #endif

--- a/programs/ssl/ssl_test_lib.c
+++ b/programs/ssl/ssl_test_lib.c
@@ -83,13 +83,11 @@ void rng_init(rng_context_t *rng)

 int rng_seed(rng_context_t *rng, int reproducible, const char *pers)
 {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    if (reproducible) {
        mbedtls_fprintf(stderr,
-                        "MBEDTLS_USE_PSA_CRYPTO does not support reproducible mode.\n");
+                        "reproducible mode is not supported.\n");
        return -1;
    }
-#endif
 #if defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
    /* The PSA crypto RNG does its own seeding. */
    (void) rng;
@@ -217,7 +215,6 @@ int key_opaque_alg_parse(const char *arg, const char **alg1, const char **alg2)
    return 0;
 }

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
                             psa_algorithm_t *psa_alg1,
                             psa_algorithm_t *psa_alg2,
@@ -301,7 +298,6 @@ int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algor
    return 0;
 }
 #endif /* MBEDTLS_PK_C */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
 int ca_callback(void *data, mbedtls_x509_crt const *child,
--- a/programs/ssl/ssl_test_lib.h
+++ b/programs/ssl/ssl_test_lib.h
@@ -14,9 +14,8 @@
 #include "mbedtls/md.h"

 #undef HAVE_RNG
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) &&         \
-    (defined(MBEDTLS_USE_PSA_CRYPTO) ||                \
-    defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG))
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) || \
+    defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
 #define HAVE_RNG
 #elif defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
 #define HAVE_RNG
@@ -55,10 +54,8 @@
 #include "mbedtls/base64.h"
 #include "test/certs.h"

-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
 #include "psa/crypto.h"
 #include "mbedtls/psa_util.h"
-#endif

 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
 #include "mbedtls/memory_buffer_alloc.h"
@@ -108,7 +105,7 @@ void my_debug(void *ctx, int level,
 mbedtls_time_t dummy_constant_time(mbedtls_time_t *time);
 #endif

-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
+#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
 /* If MBEDTLS_TEST_USE_PSA_CRYPTO_RNG is defined, the SSL test programs will use
 * mbedtls_psa_get_random() rather than entropy+DRBG as a random generator.
 *
@@ -121,14 +118,6 @@ mbedtls_time_t dummy_constant_time(mbedtls_time_t *time);
 *   where the test programs use the PSA RNG while the PSA RNG is itself based
 *   on entropy+DRBG, and at least one configuration where the test programs
 *   do not use the PSA RNG even though it's there.
- *
- * A simple choice that meets the constraints is to use the PSA RNG whenever
- * MBEDTLS_USE_PSA_CRYPTO is enabled. There's no real technical reason the
- * choice to use the PSA RNG in the test programs and the choice to use
- * PSA crypto when TLS code needs crypto have to be tied together, but it
- * happens to be a good match. It's also a good match from an application
- * perspective: either PSA is preferred for TLS (both for crypto and for
- * random generation) or it isn't.
 */
 #define MBEDTLS_TEST_USE_PSA_CRYPTO_RNG
 #endif
@@ -213,7 +202,6 @@ int rng_get(void *p_rng, unsigned char *output, size_t output_len);
 */
 int key_opaque_alg_parse(const char *arg, const char **alg1, const char **alg2);

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 /** Parse given opaque key algorithms to obtain psa algs and usage
 *  that will be passed to mbedtls_pk_wrap_as_opaque().
 *
@@ -259,9 +247,8 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
 int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algorithm_t psa_alg2,
                      psa_key_usage_t psa_usage, mbedtls_svc_key_id_t *key_id);
 #endif /* MBEDTLS_PK_C */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
 /* The test implementation of the PSA external RNG is insecure. When
 * MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, before using any PSA crypto
 * function that makes use of an RNG, you must call
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -152,14 +152,12 @@ int main(int argc, char *argv[])
    memset(&cacrl, 0, sizeof(mbedtls_x509_crl));
 #endif

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
                        (int) status);
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (argc < 2) {
 usage:
@@ -446,9 +444,7 @@ exit:
 #endif
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_entropy_free(&entropy);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    mbedtls_exit(exit_code);
 }
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -162,14 +162,12 @@ int main(int argc, char *argv[])
    memset(buf, 0, sizeof(buf));
    mbedtls_entropy_init(&entropy);

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
                        (int) status);
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (argc < 2) {
 usage:
@@ -502,9 +500,7 @@ exit:
    mbedtls_pk_free(&key);
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_entropy_free(&entropy);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    cur = opt.san_list;
    while (cur != NULL) {
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -326,14 +326,12 @@ int main(int argc, char *argv[])
    memset(buf, 0, sizeof(buf));
    memset(serial, 0, sizeof(serial));

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
                        (int) status);
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (argc < 2) {
 usage:
@@ -1026,9 +1024,7 @@ exit:
    mbedtls_pk_free(&loaded_issuer_key);
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_entropy_free(&entropy);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    mbedtls_exit(exit_code);
 }
--- a/programs/x509/crl_app.c
+++ b/programs/x509/crl_app.c
@@ -60,14 +60,12 @@ int main(int argc, char *argv[])
     */
    mbedtls_x509_crl_init(&crl);

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
                        (int) status);
        goto exit;
    }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (argc < 2) {
 usage:
@@ -124,9 +122,7 @@ usage:

 exit:
    mbedtls_x509_crl_free(&crl);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_psa_crypto_free();
-#endif /* MBEDTLS_USE_PSA_CRYPTO */

    mbedtls_exit(exit_code);
 }
--- a/Show More
+++ b/Show More