ssl_client2: Enable support for TLS 1.2 RSA-PSK opaque ciphersuite

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2025-01-29 12:32:48 +00:00 · 2022-04-05 17:29:28 +02:00 · 2022-04-05 17:29:28 +02:00 · fc72e428ed
commit fc72e428ed
parent f2534ba69b
1 changed files with 7 additions and 4 deletions
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -1406,13 +1406,16 @@ int main( int argc, char *argv[] )
 #if defined (MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
        if( opt.psk_opaque != 0 )
        {
-            /* Ensure that the chosen ciphersuite is PSK-only; we must know
+            /* Ensure that the chosen ciphersuite is PSK-only or rsa-psk; we must know
             * the ciphersuite in advance to set the correct policy for the
             * PSK key slot. This limitation might go away in the future. */
-            if( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK ||
-                opt.min_version != MBEDTLS_SSL_VERSION_TLS1_2 )
+            if( ( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK &&
+                  ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_RSA_PSK ) ||
+                opt.min_version != MBEDTLS_SSL_MINOR_VERSION_3 )
            {
-                mbedtls_printf( "opaque PSKs are only supported in conjunction with forcing TLS 1.2 and a PSK-only ciphersuite through the 'force_ciphersuite' option.\n" );
+                mbedtls_printf( "opaque PSKs are only supported in conjunction \
+                                 with forcing TLS 1.2 and a PSK-only, RSA-PSK \
+                                 ciphersuites through the 'force_ciphersuite' option.\n" );
                ret = 2;
                goto usage;
            }