@@ -132,6 +132,9 @@ static mp_obj_t ssl_socket_make_new(mp_obj_ssl_context_t *ssl_context, mp_obj_t
132132 bool server_side , bool do_handshake_on_connect , mp_obj_t server_hostname ,
133133 mp_obj_t client_id );
134134
135+ // Helper function to check if a ciphersuite uses PSK
136+ static bool ciphersuite_uses_psk (const mbedtls_ssl_ciphersuite_t * info );
137+
135138/******************************************************************************/
136139// Helper functions.
137140
@@ -472,14 +475,11 @@ static mp_obj_t ssl_context_set_ciphers(mp_obj_t self_in, mp_obj_t ciphersuite)
472475 return mp_const_none ;
473476 }
474477
475- // Check if this is a PSK ciphersuite name
476- if (strncmp (ciphername , "PSK-" , 4 ) == 0 ||
477- strncmp (ciphername , "TLS-PSK-" , 8 ) == 0 ||
478- strncmp (ciphername , "TLS_PSK_" , 8 ) == 0 ) {
479-
480- // Try to look up the ciphersuite ID
481- const int id = mbedtls_ssl_get_ciphersuite_id (ciphername );
482- if (id != 0 ) {
478+ // Try to look up the ciphersuite using mbedtls API
479+ const mbedtls_ssl_ciphersuite_t * info = mbedtls_ssl_ciphersuite_from_string (ciphername );
480+ if (info != NULL ) {
481+ // Check if this is a PSK ciphersuite
482+ if (ciphersuite_uses_psk (info )) {
483483 // Enable PSK mode
484484 ssl_context -> use_psk = true;
485485
@@ -488,7 +488,20 @@ static mp_obj_t ssl_context_set_ciphers(mp_obj_t self_in, mp_obj_t ciphersuite)
488488 if (ssl_context -> ciphersuites == NULL ) {
489489 mp_raise_OSError (MP_ENOMEM );
490490 }
491- ssl_context -> ciphersuites [0 ] = id ;
491+ ssl_context -> ciphersuites [0 ] = mbedtls_ssl_ciphersuite_get_id (info );
492+ ssl_context -> ciphersuites [1 ] = 0 ; // Terminating zero
493+
494+ // Configure the ciphersuite
495+ mbedtls_ssl_conf_ciphersuites (& ssl_context -> conf , (const int * )ssl_context -> ciphersuites );
496+ return mp_const_none ;
497+ } else {
498+ // Not a PSK ciphersuite, but it's a valid ciphersuite name
499+ // Fall through to handle it as a regular single ciphersuite
500+ ssl_context -> ciphersuites = m_new (int , 2 );
501+ if (ssl_context -> ciphersuites == NULL ) {
502+ mp_raise_OSError (MP_ENOMEM );
503+ }
504+ ssl_context -> ciphersuites [0 ] = mbedtls_ssl_ciphersuite_get_id (info );
492505 ssl_context -> ciphersuites [1 ] = 0 ; // Terminating zero
493506
494507 // Configure the ciphersuite
@@ -507,15 +520,15 @@ static mp_obj_t ssl_context_set_ciphers(mp_obj_t self_in, mp_obj_t ciphersuite)
507520 mbedtls_raise_error (MBEDTLS_ERR_SSL_BAD_CONFIG );
508521 }
509522
510- // Parse list of ciphers.
523+ // Parse list of ciphers using mbedtls API for validation .
511524 ssl_context -> ciphersuites = m_new (int , len + 1 );
512525 for (size_t i = 0 ; i < len ; ++ i ) {
513526 const char * ciphername = mp_obj_str_get_str (ciphers [i ]);
514- const int id = mbedtls_ssl_get_ciphersuite_id (ciphername );
515- if (id == 0 ) {
527+ const mbedtls_ssl_ciphersuite_t * info = mbedtls_ssl_ciphersuite_from_string (ciphername );
528+ if (info == NULL ) {
516529 mbedtls_raise_error (MBEDTLS_ERR_SSL_BAD_CONFIG );
517530 }
518- ssl_context -> ciphersuites [i ] = id ;
531+ ssl_context -> ciphersuites [i ] = mbedtls_ssl_ciphersuite_get_id ( info ) ;
519532 }
520533 ssl_context -> ciphersuites [len ] = 0 ;
521534
@@ -526,6 +539,46 @@ static mp_obj_t ssl_context_set_ciphers(mp_obj_t self_in, mp_obj_t ciphersuite)
526539}
527540static MP_DEFINE_CONST_FUN_OBJ_2 (ssl_context_set_ciphers_obj , ssl_context_set_ciphers )
528541
542+ // Helper function to check if a ciphersuite uses PSK
543+ static bool ciphersuite_uses_psk (const mbedtls_ssl_ciphersuite_t * info ) {
544+ if (info == NULL ) {
545+ return false;
546+ }
547+
548+ // Check if ciphersuite ID corresponds to any PSK ciphersuite
549+ int id = mbedtls_ssl_ciphersuite_get_id (info );
550+
551+ // Check for common PSK ciphersuites based on their IDs
552+ // These correspond to the MBEDTLS_TLS_*_PSK_* constants
553+ return (id == 0x2C || // MBEDTLS_TLS_PSK_WITH_NULL_SHA
554+ id == 0x2D || // MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
555+ id == 0x2E || // MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
556+ id == 0x8C || // MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
557+ id == 0x8D || // MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
558+ id == 0x90 || // MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
559+ id == 0x91 || // MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
560+ id == 0x94 || // MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
561+ id == 0x95 || // MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
562+ id == 0xA8 || // MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
563+ id == 0xA9 || // MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
564+ id == 0xAA || // MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
565+ id == 0xAB || // MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
566+ id == 0xAC || // MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
567+ id == 0xAD || // MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
568+ id == 0xAE || // MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
569+ id == 0xAF || // MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
570+ id == 0xB0 || // MBEDTLS_TLS_PSK_WITH_NULL_SHA256
571+ id == 0xB1 || // MBEDTLS_TLS_PSK_WITH_NULL_SHA384
572+ id == 0xB2 || // MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
573+ id == 0xB3 || // MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
574+ id == 0xB4 || // MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
575+ id == 0xB5 || // MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
576+ id == 0xB6 || // MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
577+ id == 0xB7 || // MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
578+ id == 0xB8 || // MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
579+ id == 0xB9 ); // MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
580+ }
581+
529582static void ssl_context_load_key (mp_obj_ssl_context_t * self , mp_obj_t key_obj , mp_obj_t cert_obj ) {
530583 size_t key_len ;
531584 const unsigned char * key = asn1_get_data (key_obj , & key_len );
0 commit comments