added the cipher suites PSK-NULL-SHA256 and PSK-AES128-CBC-SHA256

cyassl/internal.h

@@ -161,6 +161,9 @@ void c32to24(word32 in, word24 out);
 #if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS)
     #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
     #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
+    #ifndef NO_SHA256
+        #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
+    #endif
 #endif
 
 #if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER)
@@ -170,6 +173,9 @@ void c32to24(word32 in, word24 out);
     #endif
     #if !defined(NO_PSK)
         #define BUILD_TLS_PSK_WITH_NULL_SHA
+        #ifndef NO_SHA256
+        	#define BUILD_TLS_PSK_WITH_NULL_SHA256
+        #endif
     #endif
 #endif
 
@@ -281,7 +287,9 @@ enum {
     TLS_RSA_WITH_AES_128_CBC_SHA      = 0x2F,
     TLS_RSA_WITH_NULL_SHA             = 0x02,
     TLS_PSK_WITH_AES_256_CBC_SHA      = 0x8d,
+    TLS_PSK_WITH_AES_128_CBC_SHA256   = 0xae,
     TLS_PSK_WITH_AES_128_CBC_SHA      = 0x8c,
+    TLS_PSK_WITH_NULL_SHA256          = 0xb0,
     TLS_PSK_WITH_NULL_SHA             = 0x2c,
     SSL_RSA_WITH_RC4_128_SHA          = 0x05,
     SSL_RSA_WITH_RC4_128_MD5          = 0x04,

src/internal.c

@@ -870,6 +870,13 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK,
     }
 #endif
 
+#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
+    if (tls && havePSK) {
+        suites->suites[idx++] = 0; 
+        suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA256;
+    }
+#endif
+
 #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
     if (tls && havePSK) {
         suites->suites[idx++] = 0; 
@@ -877,6 +884,13 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK,
     }
 #endif
 
+#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
+    if (tls & havePSK) {
+        suites->suites[idx++] = 0;
+        suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA256;
+    }
+#endif
+
 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA
     if (tls & havePSK) {
         suites->suites[idx++] = 0;
@@ -4544,6 +4558,10 @@ const char* const cipher_names[] =
     "DHE-RSA-AES256-SHA",
 #endif
 
+#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
+    "PSK-AES128-CBC-SHA256",
+#endif
+
 #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
     "PSK-AES128-CBC-SHA",
 #endif
@@ -4552,6 +4570,10 @@ const char* const cipher_names[] =
     "PSK-AES256-CBC-SHA",
 #endif
 
+#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
+    "PSK-NULL-SHA256",
+#endif
+
 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA
     "PSK-NULL-SHA",
 #endif
@@ -4756,6 +4778,10 @@ int cipher_name_idx[] =
     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
 #endif
 
+#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
+    TLS_PSK_WITH_AES_128_CBC_SHA256,    
+#endif
+
 #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
     TLS_PSK_WITH_AES_128_CBC_SHA,    
 #endif
@@ -4764,6 +4790,10 @@ int cipher_name_idx[] =
     TLS_PSK_WITH_AES_256_CBC_SHA,
 #endif
 
+#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
+    TLS_PSK_WITH_NULL_SHA256,
+#endif
+
 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA
     TLS_PSK_WITH_NULL_SHA,
 #endif
@@ -6850,6 +6880,11 @@ int SetCipherList(Suites* s, const char* list)
                 return 1;
             break;
 
+        case TLS_PSK_WITH_AES_128_CBC_SHA256 :
+            if (requirement == REQUIRES_PSK)
+                return 1;
+            break;
+
         case TLS_PSK_WITH_AES_128_CBC_SHA :
             if (requirement == REQUIRES_PSK)
                 return 1;
@@ -6860,6 +6895,11 @@ int SetCipherList(Suites* s, const char* list)
                 return 1;
             break;
 
+        case TLS_PSK_WITH_NULL_SHA256 :
+            if (requirement == REQUIRES_PSK)
+                return 1;
+            break;
+
         case TLS_PSK_WITH_NULL_SHA :
             if (requirement == REQUIRES_PSK)
                 return 1;

src/keys.c

@@ -668,6 +668,23 @@ int SetCipherSpecs(CYASSL* ssl)
         break;
 #endif
 
+#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
+    case TLS_PSK_WITH_AES_128_CBC_SHA256 :
+        ssl->specs.bulk_cipher_algorithm = aes;
+        ssl->specs.cipher_type           = block;
+        ssl->specs.mac_algorithm         = sha256_mac;
+        ssl->specs.kea                   = psk_kea;
+        ssl->specs.hash_size             = SHA256_DIGEST_SIZE;
+        ssl->specs.pad_size              = PAD_SHA;
+        ssl->specs.static_ecdh           = 0;
+        ssl->specs.key_size              = AES_128_KEY_SIZE;
+        ssl->specs.block_size            = AES_BLOCK_SIZE;
+        ssl->specs.iv_size               = AES_IV_SIZE;
+
+        ssl->options.usingPSK_cipher     = 1;
+        break;
+#endif
+
 #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
     case TLS_PSK_WITH_AES_128_CBC_SHA :
         ssl->specs.bulk_cipher_algorithm = aes;
@@ -702,6 +719,23 @@ int SetCipherSpecs(CYASSL* ssl)
         break;
 #endif
 
+#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
+    case TLS_PSK_WITH_NULL_SHA256 :
+        ssl->specs.bulk_cipher_algorithm = cipher_null;
+        ssl->specs.cipher_type           = stream;
+        ssl->specs.mac_algorithm         = sha256_mac;
+        ssl->specs.kea                   = psk_kea;
+        ssl->specs.hash_size             = SHA256_DIGEST_SIZE;
+        ssl->specs.pad_size              = PAD_SHA;
+        ssl->specs.static_ecdh           = 0;
+        ssl->specs.key_size              = 0;
+        ssl->specs.block_size            = 0;
+        ssl->specs.iv_size               = 0;
+
+        ssl->options.usingPSK_cipher     = 1;
+        break;
+#endif
+
 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA
     case TLS_PSK_WITH_NULL_SHA :
         ssl->specs.bulk_cipher_algorithm = cipher_null;

src/ssl.c

@@ -2696,7 +2696,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl)
             return SSL_FATAL_ERROR;
         }
 
-		#ifndef NO_CERTS
+        #ifndef NO_CERTS
             /* in case used set_accept_state after init */
             if (!havePSK && (ssl->buffers.certificate.buffer == NULL ||
                              ssl->buffers.key.buffer == NULL)) {
@@ -2705,7 +2705,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl)
                 CYASSL_ERROR(ssl->error);
                 return SSL_FATAL_ERROR;
             }
-		#endif
+        #endif
 
         #ifdef HAVE_ECC
             /* in case used set_accept_state after init */
@@ -5411,10 +5411,16 @@ int CyaSSL_set_compression(CYASSL* ssl)
                     return "TLS_RSA_WITH_NULL_SHA";
                 case TLS_RSA_WITH_NULL_SHA256 :
                     return "TLS_RSA_WITH_NULL_SHA256";
+                case TLS_PSK_WITH_AES_128_CBC_SHA256 :
+                    return "TLS_PSK_WITH_AES_128_CBC_SHA256";
                 case TLS_PSK_WITH_AES_128_CBC_SHA :
                     return "TLS_PSK_WITH_AES_128_CBC_SHA";
                 case TLS_PSK_WITH_AES_256_CBC_SHA :
                     return "TLS_PSK_WITH_AES_256_CBC_SHA";
+                case TLS_PSK_WITH_NULL_SHA256 :
+                    return "TLS_PSK_WITH_NULL_SHA256";
+                case TLS_PSK_WITH_NULL_SHA :
+                    return "TLS_PSK_WITH_NULL_SHA";
                 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 :
                     return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";
                 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 :

tests/test-psk-null.conf

@@ -28,3 +28,13 @@
 -v 3
 -l PSK-NULL-SHA
 
+# server TLSv1.2 PSK-NULL-SHA256
+-s
+-v 3
+-l PSK-NULL-SHA256
+
+# client TLSv1.2 PSK-NULL-SHA256
+-s
+-v 3
+-l PSK-NULL-SHA256
+

tests/test-psk.conf

@@ -58,3 +58,13 @@
 -v 3
 -l PSK-AES256-CBC-SHA
 
+# server TLSv1.2 PSK-AES128-SHA256
+-s
+-v 3
+-l PSK-AES128-CBC-SHA256
+
+# client TLSv1.2 PSK-AES128-SHA256
+-s
+-v 3
+-l PSK-AES128-CBC-SHA256
+