Update docs, README, and changelog for PSK support

jaredwolff · claude · jaredwolff · commit 8c1ad4bda5c7 · 2026-03-10T21:03:05.000-04:00
- Remove "Not supported: PSK cipher suites" from README and lib.rs
- Add all 4 PSK suites to cryptography surface in README and lib.rs
- Add Dtls::new_12_psk to version selection section
- Add PSK client example with PskResolver to lib.rs and README
- Add "psk" keyword to Cargo.toml
- Add PSK entries to CHANGELOG.md under Unreleased

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Unreleased
 
+  * Add PSK (Pre-Shared Key) cipher suites for DTLS 1.2 (RFC 4279)
+    * `PSK_AES128_CCM_8` (0xC0A8)
+    * `PSK_AES128_GCM_SHA256` (0x00A8)
+    * `PSK_AES256_GCM_SHA384` (0x00A9)
+    * `PSK_CHACHA20_POLY1305_SHA256` (0xCCAB)
+  * Add `Dtls::new_12_psk()` constructor for PSK-only sessions
+  * Add `PskResolver` trait and PSK config builder methods
+  * Fix client to handle optional ServerKeyExchange in PSK handshakes (RFC 4279 §2)
+
 # 0.4.3
 
   * Fix server auto-sensing DTLS version with fragmented ClientHello #87
diff --git a/Cargo.toml b/Cargo.toml
@@ -7,7 +7,7 @@ edition = "2024"
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/algesten/dimpl"
 readme = "README.md"
-keywords = ["dtls", "tls", "webrtc"]
+keywords = ["dtls", "tls", "webrtc", "psk"]
 categories = ["network-programming", "cryptography", "security"]
 
 # MSRV
diff --git a/README.md b/README.md
@@ -22,8 +22,9 @@ verification and SRTP key export yourself.
 
 ### Version selection
 
-Three constructors control which DTLS version is used:
-- [`Dtls::new_12`][new_12] — explicit DTLS 1.2
+Four constructors control which DTLS version is used:
+- [`Dtls::new_12`][new_12] — explicit DTLS 1.2 (certificate‑based)
+- [`Dtls::new_12_psk`][new_12_psk] — explicit DTLS 1.2 (PSK, no certificates)
 - [`Dtls::new_13`][new_13] — explicit DTLS 1.3
 - [`Dtls::new_auto`][new_auto] — auto‑sense: the first
   incoming ClientHello determines the version (based on the
@@ -34,6 +35,11 @@ Three constructors control which DTLS version is used:
   - `ECDHE_ECDSA_AES256_GCM_SHA384`
   - `ECDHE_ECDSA_AES128_GCM_SHA256`
   - `ECDHE_ECDSA_CHACHA20_POLY1305_SHA256`
+- **PSK cipher suites (TLS 1.2 over DTLS)**
+  - `PSK_AES128_CCM_8`
+  - `PSK_AES128_GCM_SHA256`
+  - `PSK_AES256_GCM_SHA384`
+  - `PSK_CHACHA20_POLY1305_SHA256`
 - **Cipher suites (TLS 1.3 over DTLS)**
   - `TLS_AES_128_GCM_SHA256`
   - `TLS_AES_256_GCM_SHA384`
@@ -44,7 +50,6 @@ Three constructors control which DTLS version is used:
 - **DTLS‑SRTP**: Exports keying material for `SRTP_AEAD_AES_256_GCM`,
   `SRTP_AEAD_AES_128_GCM`, and `SRTP_AES128_CM_SHA1_80` ([RFC 5764], [RFC 7714]).
 - **Extended Master Secret** ([RFC 7627]) is negotiated and enforced (DTLS 1.2).
-- Not supported: PSK cipher suites.
 
 ### Certificate model
 During the handshake the engine emits
@@ -131,6 +136,38 @@ let dtls = mk_dtls_client();
 let _ = example_event_loop(dtls);
 ```
 
+## Example (PSK client)
+
+```rust
+use std::sync::Arc;
+use std::time::Instant;
+
+use dimpl::{Config, Dtls, PskResolver};
+
+struct MyPsk;
+
+impl PskResolver for MyPsk {
+    fn resolve(&self, identity: &[u8]) -> Option<Vec<u8>> {
+        if identity == b"device-01" {
+            Some(b"shared-secret-key".to_vec())
+        } else {
+            None
+        }
+    }
+}
+
+let config = Arc::new(
+    Config::builder()
+        .with_psk_identity(b"device-01".to_vec())
+        .with_psk_resolver(Arc::new(MyPsk))
+        .build()
+        .unwrap(),
+);
+
+let mut dtls = Dtls::new_12_psk(config, Instant::now());
+dtls.set_active(true); // client role
+```
+
 #### MSRV
 Rust 1.85.0
 
@@ -139,6 +176,7 @@ Rust 1.85.0
 - Renegotiation is not implemented (WebRTC does full restart).
 
 [new_12]: https://docs.rs/dimpl/latest/dimpl/struct.Dtls.html#method.new_12
+[new_12_psk]: https://docs.rs/dimpl/latest/dimpl/struct.Dtls.html#method.new_12_psk
 [new_13]: https://docs.rs/dimpl/latest/dimpl/struct.Dtls.html#method.new_13
 [new_auto]: https://docs.rs/dimpl/latest/dimpl/struct.Dtls.html#method.new_auto
 [peer_cert]: https://docs.rs/dimpl/latest/dimpl/enum.Output.html#variant.PeerCert
diff --git a/src/lib.rs b/src/lib.rs
@@ -137,6 +137,38 @@
 //! # }
 //! ```
 //!
+//! ## Example (PSK client)
+//!
+//! ```rust,no_run
+//! use std::sync::Arc;
+//! use std::time::Instant;
+//!
+//! use dimpl::{Config, Dtls, PskResolver};
+//!
+//! struct MyPsk;
+//!
+//! impl PskResolver for MyPsk {
+//!     fn resolve(&self, identity: &[u8]) -> Option<Vec<u8>> {
+//!         if identity == b"device-01" {
+//!             Some(b"shared-secret-key".to_vec())
+//!         } else {
+//!             None
+//!         }
+//!     }
+//! }
+//!
+//! let config = Arc::new(
+//!     Config::builder()
+//!         .with_psk_identity(b"device-01".to_vec())
+//!         .with_psk_resolver(Arc::new(MyPsk))
+//!         .build()
+//!         .unwrap(),
+//! );
+//!
+//! let mut dtls = Dtls::new_12_psk(config, Instant::now());
+//! dtls.set_active(true); // client role
+//! ```
+//!
 //! ### MSRV
 //! Rust 1.85.0
 //!
