From fc72e428ed559fce570e5e9324325d18f11860e6 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Tue, 5 Apr 2022 17:29:28 +0200
Subject: [PATCH] ssl_client2: Enable support for TLS 1.2 RSA-PSK opaque ciphersuite

Signed-off-by: Przemek Stekiel
---
 programs/ssl/ssl_client2.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index cd6098682e..66cf622aa4 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1406,13 +1406,16 @@ int main( int argc, char *argv[] )
 #if defined (MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
 if( opt.psk_opaque != 0 )
 {
- /* Ensure that the chosen ciphersuite is PSK-only; we must know
+ /* Ensure that the chosen ciphersuite is PSK-only or rsa-psk; we must know
 * the ciphersuite in advance to set the correct policy for the
 * PSK key slot. This limitation might go away in the future. */
- if( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK ||
- opt.min_version != MBEDTLS_SSL_VERSION_TLS1_2 )
+ if( ( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK &&
+ ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_RSA_PSK ) ||
+ opt.min_version != MBEDTLS_SSL_MINOR_VERSION_3 )
 {
- mbedtls_printf( "opaque PSKs are only supported in conjunction with forcing TLS 1.2 and a PSK-only ciphersuite through the 'force_ciphersuite' option.\n" );
+ mbedtls_printf( "opaque PSKs are only supported in conjunction \
+ with forcing TLS 1.2 and a PSK-only, RSA-PSK \
+ ciphersuites through the 'force_ciphersuite' option.\n" );
 ret = 2;
 goto usage;
 }
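Review bot: The rewritten guard compares `opt.min_version` with `MBEDTLS_SSL_MINOR_VERSION_3`, while the line it replaces used `MBEDTLS_SSL_VERSION_TLS1_2`, and the commit message does not mention that switch. If `opt.min_version` holds the protocol-version value at this base, the inequality would always hold and every opaque-PSK run would be rejected with the usage message; keeping `opt.min_version != MBEDTLS_SSL_VERSION_TLS1_2 )` preserves the old TLS 1.2 check while still adding RSA-PSK. Separately, the new `mbedtls_printf` message is continued with backslash-newline inside the string literal, so the indentation of the continuation lines is printed as part of the text; adjacent string literals, one per source line, avoid that and give a chance to fix the wording ("a PSK-only or RSA-PSK ciphersuite"). `main` starts and ends outside the hunk, so the key-slot policy this check exists to protect is not visible here and should be confirmed to cover the RSA-PSK case.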