commit aeb710fec5f9bdf6906486cea6513b7c47349af3
author Przemek Stekiel <przemyslaw.stekiel@mobica.com> Wed Apr 06 11:40:30 2022 +0200
committer Przemek Stekiel <przemyslaw.stekiel@mobica.com> Fri Apr 22 14:52:28 2022 +0200
tree 5e6281cf5ee099819304442f0bfddb8d1f3648e2
parent 8e0495e0f4f6645071e71ba287c89eedb2086786

Enable support for psa opaque RSA-PSK key exchange on the server side

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>

programs/ssl/ssl_server2.c

diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index a91af0e..13e3406 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2210,10 +2210,13 @@
             /* Ensure that the chosen ciphersuite is PSK-only; we must know
              * the ciphersuite in advance to set the correct policy for the
              * PSK key slot. This limitation might go away in the future. */
-            if( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK ||
-                opt.min_version != MBEDTLS_SSL_VERSION_TLS1_2 )
+            if( ( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK &&
+                  ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_RSA_PSK ) ||
+                opt.min_version != MBEDTLS_SSL_MINOR_VERSION_3 )
             {
-                mbedtls_printf( "opaque PSKs are only supported in conjunction with forcing TLS 1.2 and a PSK-only ciphersuite through the 'force_ciphersuite' option.\n" );
+                mbedtls_printf( "opaque PSKs are only supported in conjunction \
+                                 with forcing TLS 1.2 and a PSK-only, RSA-PSK \
+                                 ciphersuites through the 'force_ciphersuite' option.\n" );
                 ret = 2;
                 goto usage;
             }