
Enable support for mandatory PSKs#10745

Merged
douzzer merged 1 commit into wolfSSL:master from Frauschi:mandatory_psk on Jul 3, 2026

Conversation

@Frauschi Frauschi commented Jun 22, 2026

Contributor

Add new APIs, wolfSSL_CTX_require_psk() / wolfSSL_require_psk(), to require that an external Pre-Shared Key is negotiated for a (D)TLS 1.3 handshake to succeed. When set on an endpoint that has a PSK callback registered, a handshake that completes without negotiating an external PSK is aborted with the new error PSK_MISSING_ERROR instead of falling back to a certificate handshake.

This is relevant for external PSKs only (not session tickets) to make sure the PSKs are used as an additional security factor (together with (EC)DHE key exchange). Session-ticket resumption is exempt, and to preserve forward secrecy, a pure psk_ke handshake is rejected with PSK_KEY_ERROR. When used with WOLFSSL_CERT_WITH_EXTERN_PSK, it also makes sure that peers are properly authenticated with both the PSK and via certificates.

The new APIs sit alongside the existing wolfSSL_[CTX_]no_dhe_psk() / wolfSSL_[CTX_]only_dhe_psk() PSK options and do not depend on certificate support, so the feature is also usable in NO_CERTS (PSK-only) builds. They apply to (D)TLS 1.3 only and return BAD_FUNC_ARG for a non-TLS-1.3 context.

In (D)TLS 1.2 the use of a PSK is encoded directly in the negotiated cipher suite, so a mandatory PSK is enforced simply by restricting the cipher suite list to (preferably (EC)DHE-)PSK suites.

Fixes zd#22012.

Testing

Added unit tests for the new option.

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

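The enforcement rules described above (require_psk only valid on a (D)TLS 1.3 method, downgrade disabled so the requirement stays fail-closed, session-ticket resumption exempt, certificate fallback rejected, pure psk_ke rejected, and cipher-list restriction as the (D)TLS 1.2 equivalent) as a self-contained decision model. This is an added example, not wolfSSL's implementation or the code from this PR: the `model_*` functions, the `struct endpoint` / `struct handshake` types and the `MODEL_*` status values are hypothetical stand-ins for the WOLFSSL_CTX/WOLFSSL objects and for BAD_FUNC_ARG, PSK_MISSING_ERROR and PSK_KEY_ERROR (whose real numeric values differ), and the cipher-suite strings are assumed to follow the usual OpenSSL-style naming that wolfSSL accepts in its cipher lists.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model-only status codes (hypothetical values standing in for wolfSSL's
 * BAD_FUNC_ARG, PSK_MISSING_ERROR and PSK_KEY_ERROR). */
enum {
    MODEL_SUCCESS       =  0,
    MODEL_BAD_FUNC_ARG  = -1,
    MODEL_PSK_MISSING   = -2,
    MODEL_PSK_KEY_ERROR = -3
};

enum proto { TLS12 = 12, TLS13 = 13 };

/* Stands in for the WOLFSSL_CTX / WOLFSSL configuration (model only). */
struct endpoint {
    enum proto method;   /* highest version the method offers */
    bool downgrade_ok;   /* v23-style method: may fall back to (D)TLS 1.2 */
    bool require_psk;    /* set by model_require_psk() */
};

/* What a handshake that is about to complete actually negotiated. */
struct handshake {
    enum proto version;
    bool external_psk;      /* PSK came from the PSK callback */
    bool ticket_resumption; /* PSK came from a session ticket */
    bool used_dhe;          /* psk_dhe_ke (true) or pure psk_ke (false) */
};

/* Model of wolfSSL_[CTX_]require_psk(): only valid on a (D)TLS 1.3 method,
 * and it clears the downgrade flag so the requirement stays fail-closed. */
int model_require_psk(struct endpoint *ep)
{
    if (ep == NULL || ep->method != TLS13)
        return MODEL_BAD_FUNC_ARG;
    ep->require_psk  = true;
    ep->downgrade_ok = false;
    return MODEL_SUCCESS;
}

/* Version selection against a peer whose highest version is peer_max.
 * Returns the negotiated version, or 0 when the handshake must fail. */
int model_select_version(const struct endpoint *ep, enum proto peer_max)
{
    if (ep->method == TLS13 && peer_max == TLS13)
        return TLS13;
    if ((ep->method == TLS12 || ep->downgrade_ok) && peer_max >= TLS12)
        return TLS12;
    return 0;
}

/* Policy check run at the point where the handshake would otherwise succeed. */
int model_check_handshake(const struct endpoint *ep, const struct handshake *hs)
{
    if (!ep->require_psk)
        return MODEL_SUCCESS;
    if (hs->version != TLS13)          /* unreachable once downgrade is off; */
        return MODEL_PSK_MISSING;      /* fail closed regardless             */
    if (hs->ticket_resumption)         /* session-ticket resumption is exempt */
        return MODEL_SUCCESS;
    if (!hs->external_psk)             /* fell back to a certificate handshake */
        return MODEL_PSK_MISSING;
    if (!hs->used_dhe)                 /* pure psk_ke: no forward secrecy */
        return MODEL_PSK_KEY_ERROR;
    return MODEL_SUCCESS;
}

/* (D)TLS 1.2 has no such option: the PSK requirement is the cipher list.
 * True only if every suite in a colon-separated list is DHE-PSK or ECDHE-PSK,
 * i.e. no plain PSK- suite and no certificate suite slipped in. */
bool tls12_list_is_dhe_psk_only(const char *list)
{
    const char *p = list;
    if (list == NULL || *list == '\0')
        return false;
    while (*p != '\0') {
        const char *end = strchr(p, ':');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        bool ok = (n > 8  && strncmp(p, "DHE-PSK-", 8) == 0) ||
                  (n > 10 && strncmp(p, "ECDHE-PSK-", 10) == 0);
        if (!ok)
            return false;
        p = end ? end + 1 : p + n;
    }
    return true;
}

int main(void)
{
    struct endpoint ep = { TLS13, true, false };  /* v23-style, downgrade on */
    struct handshake cert_only = { TLS13, false, false, true };
    printf("require_psk on 1.3 endpoint: %d\n", model_require_psk(&ep));
    printf("peer limited to 1.2 negotiates: %d\n", model_select_version(&ep, TLS12));
    printf("cert-only 1.3 handshake: %d\n", model_check_handshake(&ep, &cert_only));
    return 0;
}
```

The two things worth checking in a real deployment are the ones the model makes explicit: after the option is set, a peer that only speaks (D)TLS 1.2 must fail to connect rather than complete a certificate-only handshake, and the only handshakes that pass are ticket resumption and an external PSK combined with (EC)DHE.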
@Frauschi Frauschi self-assigned this Jun 22, 2026
github-actions Bot commented Jun 22, 2026


MemBrowse Memory Report

gcc-arm-cortex-m3

  • FLASH: .text +12 B (+0.0%, 122,125 B / 262,144 B, total: 47% used)

gcc-arm-cortex-m4

  • FLASH: .rodata.wolfSSL_ERR_reason_error_string.str1.1 +18 B (+0.0%, 199,774 B / 262,144 B, total: 76% used)

gcc-arm-cortex-m4-openssl-compat

  • FLASH: .rodata +16 B, .text +320 B (+0.0%, 769,236 B / 1,048,576 B, total: 73% used)

gcc-arm-cortex-m4-pq

  • FLASH: .rodata +24 B, .text +128 B (+0.1%, 278,792 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m4-rsa-only

  • FLASH: .rodata +24 B, .text +256 B (+0.1%, 324,456 B / 1,048,576 B, total: 31% used)

gcc-arm-cortex-m4-tls13

  • FLASH: .rodata.wolfSSL_ERR_reason_error_string.str1.1 +18 B, .text +192 B (+0.1%, 235,600 B / 262,144 B, total: 90% used)

gcc-arm-cortex-m7

  • FLASH: .rodata.wolfSSL_ERR_reason_error_string.str1.1 +18 B (+0.0%, 199,774 B / 262,144 B, total: 76% used)

gcc-arm-cortex-m7-pq

  • FLASH: .rodata +24 B, .text +128 B (+0.1%, 279,368 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m7-tls13

  • FLASH: .rodata.wolfSSL_ERR_reason_error_string.str1.1 +18 B, .text +128 B (+0.1%, 235,600 B / 262,144 B, total: 90% used)

linuxkm-standard

@Frauschi Frauschi force-pushed the mandatory_psk branch 2 times, most recently from a2ced8c to cddfe34 on June 22, 2026 14:37
@Frauschi Frauschi (Contributor, Author) commented

Jenkins retest this please

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment


Fenrir Automated Review — PR #10745

Scan targets checked: wolfcrypt-rs-bugs, wolfssl-bugs, wolfssl-src

No new issues found in the changed files. ✅

Add a new option to require that an external Pre-Shared Key is negotiated
for a handshake to succeed, configured via the new APIs
wolfSSL_CTX_require_psk()/wolfSSL_require_psk(). When set, a handshake
that completes without negotiating an external PSK is aborted with
PSK_MISSING_ERROR instead of falling back to a certificate handshake, so
the PSK acts as an additional security factor.

This is a TLS 1.3 / DTLS 1.3 feature. In (D)TLS 1.2 the use of a PSK is
determined by the negotiated cipher suite, so a mandatory PSK is instead
configured there by restricting the cipher suite list to PSK suites; the
new APIs therefore reject non-TLS-1.3 contexts with BAD_FUNC_ARG.

To keep the requirement fail-closed, the APIs also disable version
downgrade on the object so a downgrade-capable context (e.g. one created
from a v23 method) cannot silently fall back to (D)TLS 1.2 and complete
without a PSK; a peer that does not support (D)TLS 1.3 fails to connect.

The requirement applies to external PSKs only (not session tickets):
session-ticket resumption is exempt. To preserve forward secrecy a
mandatory external PSK must also use an (EC)DHE key exchange; a pure
psk_ke handshake is rejected with PSK_KEY_ERROR. When used with
WOLFSSL_CERT_WITH_EXTERN_PSK, it also ensures that peers are properly
authenticated with both the PSK and via certificates.

The new APIs live alongside the existing wolfSSL_[CTX_]no_dhe_psk()/
only_dhe_psk() PSK options and do not depend on certificate support, so
the feature is usable in NO_CERTS (PSK-only) builds.

Added unit tests for the new APIs and enforcement.
@douzzer douzzer merged commit a543bc4 into wolfSSL:master Jul 3, 2026
306 of 307 checks passed

4 participants