Use TLS v1.3 PSK callback in extension allow for one call in client

New compile time option WOLFSSL_PSK_ONE_ID. Indicates one identity available. No need for client to call callback when generating binder - already cached.
2025-07-29 18:27:29 +02:00 · 2019-05-17 08:01:40 +10:00
parent 013e4429da
commit 1ce8e227d2
3 changed files with 34 additions and 2 deletions
--- a/configure.ac
+++ b/configure.ac
@ -1662,6 +1662,20 @@ AC_ARG_ENABLE([psk],
    [ ENABLED_PSK=no ]
    )

+# Single PSK identity
+AC_ARG_ENABLE([psk-one-id],
+    [AS_HELP_STRING([--enable-psk-one-id],[Enable PSK (default: disabled)])],
+    [ ENABLED_PSK_ONE_ID=$enableval ],
+    [ ENABLED_PSK_ONE_ID=no ]
+    )
+if test "$ENABLED_PSK_ONE_ID" = "yes"
+then
+    if test "$ENABLED_PSK" = "no"
+    then
+        ENABLED_PSK="yes"
+    fi
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PSK_ONE_ID"
+fi

 # ERROR STRINGS
 AC_ARG_ENABLE([errorstrings],
--- a/src/tls.c
+++ b/src/tls.c
@ -9595,14 +9595,28 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
            }
        #endif
        #ifndef NO_PSK
-            if (ssl->options.client_psk_cb != NULL) {
+            if (ssl->options.client_psk_cb != NULL ||
+                                     ssl->options.client_psk_tls13_cb != NULL) {
                /* Default ciphersuite. */
                byte cipherSuite0 = TLS13_BYTE;
                byte cipherSuite = WOLFSSL_DEF_PSK_CIPHER;
+                const char* cipherName = NULL;

-                ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
+                if (ssl->options.client_psk_tls13_cb != NULL) {
+                    ssl->arrays->psk_keySz = ssl->options.client_psk_tls13_cb(
+                        ssl, ssl->arrays->server_hint,
+                        ssl->arrays->client_identity, MAX_PSK_ID_LEN,
+                        ssl->arrays->psk_key, MAX_PSK_KEY_LEN, &cipherName);
+                    if (GetCipherSuiteFromName(cipherName, &cipherSuite0,
+                                                           &cipherSuite) != 0) {
+                        return PSK_KEY_ERROR;
+                    }
+                }
+                else {
+                    ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
                        ssl->arrays->server_hint, ssl->arrays->client_identity,
                        MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
+                }
                if (ssl->arrays->psk_keySz == 0 ||
                                     ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
                    return PSK_KEY_ERROR;
--- a/src/tls13.c
+++ b/src/tls13.c
@ -2394,6 +2394,7 @@ static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk)
 #endif
 #ifndef NO_PSK
    if (!psk->resumption) {
+    #ifndef WOLFSSL_PSK_ONE_ID
        const char* cipherName = NULL;
        byte cipherSuite0 = TLS13_BYTE, cipherSuite = WOLFSSL_DEF_PSK_CIPHER;

@ -2422,6 +2423,9 @@ static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk)
                                              psk->cipherSuite != cipherSuite) {
            return PSK_KEY_ERROR;
        }
+    #else
+        /* PSK information loaded during setting of default TLS extensions. */
+    #endif
    }
 #endif