Skip to content

Pre-shared key (PSK) #247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 13 commits into
base: main
Choose a base branch
from

Conversation

markasoftware
Copy link

This adds support for custom user PSKs. Example usage (from added test in ssl.rs):

let client_ctx = ContextBuilder::new(client_method)
    .unwrap_or_else(|e| panic!("new({client_method:?}): {e}"))
    .with_pre_shared_key(&[1, 2, 3, 4])
    .with_secure_renegotiation()
    .unwrap()
    .build();

Then do the same on the server side and you're off to the races!

One tradeoff/simplification I made: In general, the client can provide a "client identity" string to the server which is transmitted in the ClientHello, and the server can choose which PSK it uses based on the client identity. That functionality is not supported by this PR, which only allows specifying a single fixed PSK buffer on both client and server.

To support the general case, the wolfSSL api, like the OpenSSL api, doesn't take a fixed buffer but rather takes a callback function that writes the PSK into a mutable buffer. I created global callback functions, and then use wolfSSL_{get,set}_psk_callback_ctx to pass the PSK buffer into the callback. This means we have to own the memory for the PSK buffer since we can only store a pointer to it in the WOLFSSL object, so I added the PSK buffer as an extra field on the context and session.

I'm a C++ dev by trade and this is my first time contributing to a Rust project so I'm happy to take advice!

Resolves #237

@markasoftware markasoftware requested a review from a team as a code owner April 13, 2025 21:59
@CLAassistant
Copy link

CLAassistant commented Apr 13, 2025

CLA assistant check
All committers have signed the CLA.

@markasoftware
Copy link
Author

Just updated this significantly, to allow setting custom server/client callbacks in addition to fixed PSK. Happy to answer questions on the implementation, it's a bit hairy in parts

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support TLS pre-shared keys
2 participants