Prevent PSK cipher suite downgrade in certificate mode

Certificate-mode contexts (with a private key) could negotiate PSK
suites, skipping Certificate/CertificateVerify and bypassing certificate
authentication. Fix is_cipher_suite_compatible() to reject PSK suites
when a private key is present, and filter PSK suites from
dtls12_cipher_suites() when no PskResolver is configured.

Also fixes pre-existing clippy lints (items_after_test_module in
server.rs, needless_borrows_for_generic_args in kx_group.rs,
redundant_pattern_matching in cross_matrix.rs) and runs cargo fmt.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: jaredwolff

src/config.rs

@@ -56,7 +56,10 @@ impl fmt::Debug for Config {
             .field("mtu", &self.mtu)
             .field("max_queue_rx", &self.max_queue_rx)
             .field("max_queue_tx", &self.max_queue_tx)
-            .field("require_client_certificate", &self.require_client_certificate)
+            .field(
+                "require_client_certificate",
+                &self.require_client_certificate,
+            )
             .field("use_server_cookie", &self.use_server_cookie)
             .field("flight_start_rto", &self.flight_start_rto)
             .field("flight_retries", &self.flight_retries)
@@ -212,16 +215,22 @@ impl Config {
     /// Returns all provider-supported DTLS 1.2 cipher suites when no filter
     /// is set. When a filter is set via the builder's `dtls12_cipher_suites`
     /// method, only suites in both the provider and the filter are returned.
+    ///
+    /// PSK cipher suites are excluded when no [`PskResolver`] is configured,
+    /// preventing a certificate-mode endpoint from negotiating a PSK suite
+    /// and inadvertently skipping certificate authentication.
     pub fn dtls12_cipher_suites(
         &self,
     ) -> impl Iterator<Item = &'static dyn SupportedDtls12CipherSuite> + '_ {
         let filter = self.dtls12_cipher_suites.as_ref();
+        let has_psk = self.psk_resolver.is_some();
         self.crypto_provider
             .supported_cipher_suites()
             .filter(move |cs| match filter {
                 Some(list) => list.contains(&cs.suite()),
                 None => true,
             })
+            .filter(move |cs| has_psk || !cs.suite().is_psk())
     }
 
     /// Allowed DTLS 1.3 cipher suites, filtered by the config's allow-list.
@@ -286,7 +295,10 @@ impl fmt::Debug for ConfigBuilder {
             .field("mtu", &self.mtu)
             .field("max_queue_rx", &self.max_queue_rx)
             .field("max_queue_tx", &self.max_queue_tx)
-            .field("require_client_certificate", &self.require_client_certificate)
+            .field(
+                "require_client_certificate",
+                &self.require_client_certificate,
+            )
             .field("use_server_cookie", &self.use_server_cookie)
             .field("flight_start_rto", &self.flight_start_rto)
             .field("flight_retries", &self.flight_retries)
@@ -786,11 +798,40 @@ mod tests {
     fn no_filter_returns_all() {
         let config = Config::default();
         // Default provider should have at least 2 DTLS 1.2 and 2 DTLS 1.3 suites
+        // (PSK suites are excluded without a resolver, so only non-PSK count)
         assert!(config.dtls12_cipher_suites().count() >= 2);
         assert!(config.dtls13_cipher_suites().count() >= 2);
         assert!(config.kx_groups().count() >= 2);
     }
 
+    #[test]
+    fn psk_suites_excluded_without_resolver() {
+        let config = Config::default();
+        assert!(
+            config.dtls12_cipher_suites().all(|cs| !cs.suite().is_psk()),
+            "PSK suites should be excluded when no PskResolver is configured"
+        );
+    }
+
+    #[test]
+    fn psk_suites_included_with_resolver() {
+        struct DummyResolver;
+        impl PskResolver for DummyResolver {
+            fn resolve(&self, _identity: &[u8]) -> Option<Vec<u8>> {
+                None
+            }
+        }
+
+        let config = Config::builder()
+            .with_psk_resolver(Arc::new(DummyResolver))
+            .build()
+            .expect("config with PSK resolver should build");
+        assert!(
+            config.dtls12_cipher_suites().any(|cs| cs.suite().is_psk()),
+            "PSK suites should be included when a PskResolver is configured"
+        );
+    }
+
     #[test]
     fn filter_with_explicit_provider() {
         #[cfg(feature = "aws-lc-rs")]

src/crypto/aws_lc_rs/cipher_suite.rs

@@ -258,7 +258,9 @@ impl SupportedDtls12CipherSuite for PskAes128Ccm8 {
     }
 
     fn create_cipher(&self, key: &[u8]) -> Result<Box<dyn Cipher>, String> {
-        Ok(Box::new(crate::crypto::ccm_cipher::AesCcm8Cipher::new(key)?))
+        Ok(Box::new(crate::crypto::ccm_cipher::AesCcm8Cipher::new(
+            key,
+        )?))
     }
 }
 

src/crypto/rust_crypto/cipher_suite.rs

@@ -308,7 +308,9 @@ impl SupportedDtls12CipherSuite for PskAes128Ccm8 {
     }
 
     fn create_cipher(&self, key: &[u8]) -> Result<Box<dyn Cipher>, String> {
-        Ok(Box::new(crate::crypto::ccm_cipher::AesCcm8Cipher::new(key)?))
+        Ok(Box::new(crate::crypto::ccm_cipher::AesCcm8Cipher::new(
+            key,
+        )?))
     }
 }
 

src/crypto/rust_crypto/kx_group.rs

@@ -47,7 +47,7 @@ impl EcdhKeyExchange {
         match group {
             NamedGroup::X25519 => {
                 use rand_core::OsRng;
-                let secret = x25519_dalek::EphemeralSecret::random_from_rng(&mut OsRng);
+                let secret = x25519_dalek::EphemeralSecret::random_from_rng(OsRng);
                 let public_key_obj = x25519_dalek::PublicKey::from(&secret);
                 buf.clear();
                 buf.extend_from_slice(public_key_obj.as_bytes());

src/dtls12/client.rs

@@ -714,9 +714,7 @@ impl State {
         };
 
         let hint_range = match &ske.params {
-            crate::dtls12::message::ServerKeyExchangeParams::Psk(psk) => {
-                psk.hint_range.clone()
-            }
+            crate::dtls12::message::ServerKeyExchangeParams::Psk(psk) => psk.hint_range.clone(),
             _ => {
                 return Err(Error::UnexpectedMessage(
                     "ECDHE ServerKeyExchange in PSK path".to_string(),
@@ -1238,9 +1236,7 @@ fn handshake_create_client_key_exchange(body: &mut Buf, engine: &mut Engine) ->
                 .psk_resolver()
                 .ok_or_else(|| Error::SecurityError("No PSK resolver configured".to_string()))?
                 .resolve(&identity)
-                .ok_or_else(|| {
-                    Error::SecurityError("PSK resolver returned no key".to_string())
-                })?;
+                .ok_or_else(|| Error::SecurityError("PSK resolver returned no key".to_string()))?;
 
             // Set the PSK and compute pre-master secret
             let crypto = engine.crypto_context_mut();

src/dtls12/context.rs

@@ -582,8 +582,8 @@ impl CryptoContext {
                 .private_key
                 .as_ref()
                 .is_some_and(|pk| sig_alg == pk.algorithm()),
-            // PSK suite: no certificate needed
-            None => true,
+            // PSK suite: only compatible in PSK mode (no private key)
+            None => self.private_key.is_none(),
         }
     }
 
@@ -614,3 +614,72 @@ impl CryptoContext {
         )
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::Config;
+
+    #[test]
+    fn certificate_mode_rejects_psk_suites() {
+        let cert = crate::certificate::generate_self_signed_certificate().expect("generate cert");
+        let config = Arc::new(Config::default());
+        let ctx = CryptoContext::new(cert.certificate, cert.private_key, config);
+
+        for suite in Dtls12CipherSuite::supported() {
+            if suite.is_psk() {
+                assert!(
+                    !ctx.is_cipher_suite_compatible(*suite),
+                    "Certificate-mode context must reject PSK suite {:?}",
+                    suite
+                );
+            }
+        }
+    }
+
+    #[test]
+    fn certificate_mode_accepts_ecdhe_suites() {
+        let cert = crate::certificate::generate_self_signed_certificate().expect("generate cert");
+        let config = Arc::new(Config::default());
+        let ctx = CryptoContext::new(cert.certificate, cert.private_key, config);
+
+        // At least one ECDHE_ECDSA suite should be compatible
+        assert!(
+            Dtls12CipherSuite::supported()
+                .iter()
+                .filter(|s| !s.is_psk())
+                .any(|s| ctx.is_cipher_suite_compatible(*s)),
+            "Certificate-mode context must accept at least one ECDHE suite"
+        );
+    }
+
+    #[test]
+    fn psk_mode_rejects_certificate_suites() {
+        let config = Arc::new(Config::default());
+        let ctx = CryptoContext::new_psk(config);
+
+        for suite in Dtls12CipherSuite::supported() {
+            if !suite.is_psk() {
+                assert!(
+                    !ctx.is_cipher_suite_compatible(*suite),
+                    "PSK-mode context must reject certificate suite {:?}",
+                    suite
+                );
+            }
+        }
+    }
+
+    #[test]
+    fn psk_mode_accepts_psk_suites() {
+        let config = Arc::new(Config::default());
+        let ctx = CryptoContext::new_psk(config);
+
+        assert!(
+            Dtls12CipherSuite::supported()
+                .iter()
+                .filter(|s| s.is_psk())
+                .any(|s| ctx.is_cipher_suite_compatible(*s)),
+            "PSK-mode context must accept at least one PSK suite"
+        );
+    }
+}

src/dtls12/message/client_key_exchange.rs

@@ -115,12 +115,16 @@ impl ClientPskKeys {
         let (input, identity_len) = nom::number::complete::be_u16(input)?;
         let (input, identity_slice) = take(identity_len as usize)(input)?;
 
-        let relative_offset =
-            identity_slice.as_ptr() as usize - original_input.as_ptr() as usize;
+        let relative_offset = identity_slice.as_ptr() as usize - original_input.as_ptr() as usize;
         let start = base_offset + relative_offset;
         let end = start + identity_slice.len();
 
-        Ok((input, ClientPskKeys { identity_range: start..end }))
+        Ok((
+            input,
+            ClientPskKeys {
+                identity_range: start..end,
+            },
+        ))
     }
 
     pub fn serialize(&self, buf: &[u8], output: &mut Buf) {

src/dtls12/message/server_key_exchange.rs

@@ -43,9 +43,7 @@ impl ServerKeyExchange {
             ServerKeyExchangeParams::Ecdh(ecdh_params) => {
                 ecdh_params.serialize(buf, output, with_signature)
             }
-            ServerKeyExchangeParams::Psk(psk_params) => {
-                psk_params.serialize(buf, output)
-            }
+            ServerKeyExchangeParams::Psk(psk_params) => psk_params.serialize(buf, output),
         }
     }
 
@@ -140,12 +138,16 @@ impl PskParams {
         let (input, hint_len) = nom::number::complete::be_u16(input)?;
         let (input, hint_slice) = take(hint_len as usize)(input)?;
 
-        let relative_offset =
-            hint_slice.as_ptr() as usize - original_input.as_ptr() as usize;
+        let relative_offset = hint_slice.as_ptr() as usize - original_input.as_ptr() as usize;
         let start = base_offset + relative_offset;
         let end = start + hint_slice.len();
 
-        Ok((input, PskParams { hint_range: start..end }))
+        Ok((
+            input,
+            PskParams {
+                hint_range: start..end,
+            },
+        ))
     }
 
     pub fn serialize(&self, buf: &[u8], output: &mut Buf) {