From 7fa4302a806d8afd6ff28cfa4e3158a790968888 Mon Sep 17 00:00:00 2001
From: toddouska
Date: Fri, 14 Aug 2015 12:49:30 -0700
Subject: [PATCH] disable static PSK cipher suites by default
---
 examples/echoclient/echoclient.c | 2 ++
 examples/echoserver/echoserver.c | 2 ++
 wolfssl/internal.h | 10 +++++++---
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c
index bbf82ea9e..257648762 100644
--- a/examples/echoclient/echoclient.c
+++ b/examples/echoclient/echoclient.c
@@ -143,6 +143,8 @@ void echoclient_test(void* args)
 CyaSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb);
 #ifdef HAVE_NULL_CIPHER
 defaultCipherList = "PSK-NULL-SHA256";
+ #elif defined(HAVE_AESGCM) && !defined(NO_DH)
+ defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
 #else
 defaultCipherList = "PSK-AES128-CBC-SHA256";
 #endif
diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
index cb512f4d8..1a3581069 100644
--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
@@ -210,6 +210,8 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
 CyaSSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
 #ifdef HAVE_NULL_CIPHER
 defaultCipherList = "PSK-NULL-SHA256";
+ #elif defined(HAVE_AESGCM) && !defined(NO_DH)
+ defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
 #else
 defaultCipherList = "PSK-AES128-CBC-SHA256";
 #endif
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 87162e935..79829f3a1 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -293,6 +293,7 @@ typedef byte word24[3];
 #endif
 #endif
+#if defined(WOLFSSL_STATIC_PSK)
 #if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS)
 #if !defined(NO_SHA)
 #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
@@ -317,6 +318,7 @@ typedef byte word24[3];
 #endif
 #endif
 #endif
+#endif
 #if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER)
 #if !defined(NO_RSA)
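Review bot: Two of the three defaults in echoclient.c are still static-PSK suites: the `#ifdef HAVE_NULL_CIPHER` branch is tested first and picks `"PSK-NULL-SHA256"`, and the `#else` branch falls back to `"PSK-AES128-CBC-SHA256"`. The internal.h part of this commit appears to build those suites only under `WOLFSSL_STATIC_PSK`, so in a default build with `HAVE_NULL_CIPHER`, or without `HAVE_AESGCM` or DH, the example would presumably ask for a suite that is not compiled in. Guard the static branches, for example `#if defined(HAVE_NULL_CIPHER) && defined(WOLFSSL_STATIC_PSK)` on the first and `#elif defined(WOLFSSL_STATIC_PSK)` in place of the bare `#else`, and consider testing the DHE-PSK branch first so the example does not prefer a suite without encryption. The echoserver.c hunk has the same three branches and needs the same change; both functions start and end outside their hunks.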
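Review bot: The new `#if defined(WOLFSSL_STATIC_PSK)` wrapper in wolfssl/internal.h carries no comment, so a reader of the header cannot tell why the PSK suites are missing from a default build or how to get them back. Add a comment above it such as `/* static PSK key exchange has no forward secrecy; off by default, define WOLFSSL_STATIC_PSK to enable */`, and tag the matching close in the next hunk as `#endif /* WOLFSSL_STATIC_PSK */`, since it is the fourth consecutive `#endif` there. The hunk at -329 folds the same test into the existing `!defined(NO_PSK)` condition instead of nesting a new level; using one form in both places would be easier to follow. The wrapped block continues outside both hunks.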
@@ -329,7 +331,7 @@ typedef byte word24[3];
 #endif
 #endif
 #endif
- #if !defined(NO_PSK)
+ #if !defined(NO_PSK) && defined(WOLFSSL_STATIC_PSK)
 #if !defined(NO_SHA)
 #define BUILD_TLS_PSK_WITH_NULL_SHA
 #endif
@@ -574,7 +576,8 @@ typedef byte word24[3];
 #if defined(BUILD_TLS_RSA_WITH_AES_128_CBC_SHA) || \
 defined(BUILD_TLS_RSA_WITH_AES_256_CBC_SHA) || \
- defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
+ defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) || \
+ defined(BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256)
 #undef BUILD_AES
 #define BUILD_AES
 #endif
@@ -582,7 +585,8 @@ typedef byte word24[3];
 #if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \
 defined(BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) || \
 defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) || \
- defined(BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256)
+ defined(BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256) || \
+ defined(BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256)
 #define BUILD_AESGCM
 #endif
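Review bot: In the hunk at -574 the `BUILD_AES` condition swaps `BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` for `BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, which is unrelated to static PSK and is not mentioned in the commit message; it deserves its own line in the description or a separate commit. Both this list and the `BUILD_AESGCM` list in the hunk at -582 gain only the 128-bit DHE-PSK suite. If the header defines other DHE-PSK AES suites outside these hunks (a 256-bit variant, for instance), a PSK-only build without `WOLFSSL_STATIC_PSK` that enables just those may leave `BUILD_AES` or `BUILD_AESGCM` undefined, so the lists should be checked against the full set of DHE-PSK `BUILD_TLS_*` macros. A short comment above each condition, such as `/* every suite that needs AES-CBC must be listed here */`, would make that requirement visible to whoever adds the next suite.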