Add ecjpake_pw option to ssl_client2/server2
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 99c2d2a..53ec635 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -75,6 +75,7 @@
#define DFL_KEY_FILE ""
#define DFL_PSK ""
#define DFL_PSK_IDENTITY "Client_identity"
+#define DFL_ECJPAKE_PW NULL
#define DFL_FORCE_CIPHER 0
#define DFL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION_DISABLED
#define DFL_ALLOW_LEGACY -2
@@ -210,6 +211,13 @@
#define USAGE_RENEGO ""
#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#define USAGE_ECJPAKE \
+ " ecjpake_pw=%%s default: none (disabled)\n"
+#else
+#define USAGE_ECJPAKE ""
+#endif
+
#define USAGE \
"\n usage: ssl_client2 param=<>...\n" \
"\n acceptable parameters:\n" \
@@ -232,6 +240,7 @@
USAGE_IO \
"\n" \
USAGE_PSK \
+ USAGE_ECJPAKE \
"\n" \
" allow_legacy=%%d default: (library default: no)\n" \
USAGE_RENEGO \
@@ -277,6 +286,7 @@
const char *key_file; /* the file with the client key */
const char *psk; /* the pre-shared key */
const char *psk_identity; /* the pre-shared key identity */
+ const char *ecjpake_pw; /* the EC J-PAKE password */
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
int renegotiation; /* enable / disable renegotiation */
int allow_legacy; /* allow legacy renegotiation */
@@ -466,6 +476,7 @@
opt.key_file = DFL_KEY_FILE;
opt.psk = DFL_PSK;
opt.psk_identity = DFL_PSK_IDENTITY;
+ opt.ecjpake_pw = DFL_ECJPAKE_PW;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
opt.renegotiation = DFL_RENEGOTIATION;
opt.allow_legacy = DFL_ALLOW_LEGACY;
@@ -553,6 +564,8 @@
opt.psk = q;
else if( strcmp( p, "psk_identity" ) == 0 )
opt.psk_identity = q;
+ else if( strcmp( p, "ecjpake_pw" ) == 0 )
+ opt.ecjpake_pw = q;
else if( strcmp( p, "force_ciphersuite" ) == 0 )
{
opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( q );
@@ -1194,6 +1207,19 @@
}
#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if( opt.ecjpake_pw != DFL_ECJPAKE_PW )
+ {
+ if( ( ret = mbedtls_ssl_set_hs_ecjpake_password( &ssl,
+ (const unsigned char *) opt.ecjpake_pw,
+ strlen( opt.ecjpake_pw ) ) ) != 0 )
+ {
+ mbedtls_printf( " failed\n ! mbedtls_ssl_set_hs_ecjpake_password returned %d\n\n", ret );
+ goto exit;
+ }
+ }
+#endif
+
if( opt.nbio == 2 )
mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL );
else
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index f169291..3f88452 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -102,6 +102,7 @@
#define DFL_KEY_FILE2 ""
#define DFL_PSK ""
#define DFL_PSK_IDENTITY "Client_identity"
+#define DFL_ECJPAKE_PW NULL
#define DFL_PSK_LIST NULL
#define DFL_FORCE_CIPHER 0
#define DFL_VERSION_SUITES NULL
@@ -293,6 +294,13 @@
#define USAGE_RENEGO ""
#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#define USAGE_ECJPAKE \
+ " ecjpake_pw=%%s default: none (disabled)\n"
+#else
+#define USAGE_ECJPAKE ""
+#endif
+
#define USAGE \
"\n usage: ssl_server2 param=<>...\n" \
"\n acceptable parameters:\n" \
@@ -314,6 +322,7 @@
USAGE_SNI \
"\n" \
USAGE_PSK \
+ USAGE_ECJPAKE \
"\n" \
" allow_legacy=%%d default: (library default: no)\n" \
USAGE_RENEGO \
@@ -358,6 +367,7 @@
const char *psk; /* the pre-shared key */
const char *psk_identity; /* the pre-shared key identity */
char *psk_list; /* list of PSK id/key pairs for callback */
+ const char *ecjpake_pw; /* the EC J-PAKE password */
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
const char *version_suites; /* per-version ciphersuites */
int renegotiation; /* enable / disable renegotiation */
@@ -900,6 +910,7 @@
opt.psk = DFL_PSK;
opt.psk_identity = DFL_PSK_IDENTITY;
opt.psk_list = DFL_PSK_LIST;
+ opt.ecjpake_pw = DFL_ECJPAKE_PW;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
opt.version_suites = DFL_VERSION_SUITES;
opt.renegotiation = DFL_RENEGOTIATION;
@@ -985,6 +996,8 @@
opt.psk_identity = q;
else if( strcmp( p, "psk_list" ) == 0 )
opt.psk_list = q;
+ else if( strcmp( p, "ecjpake_pw" ) == 0 )
+ opt.ecjpake_pw = q;
else if( strcmp( p, "force_ciphersuite" ) == 0 )
{
opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( q );
@@ -1898,6 +1911,19 @@
}
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if( opt.ecjpake_pw != DFL_ECJPAKE_PW )
+ {
+ if( ( ret = mbedtls_ssl_set_hs_ecjpake_password( &ssl,
+ (const unsigned char *) opt.ecjpake_pw,
+ strlen( opt.ecjpake_pw ) ) ) != 0 )
+ {
+ mbedtls_printf( " failed\n ! mbedtls_ssl_set_hs_ecjpake_password returned %d\n\n", ret );
+ goto exit;
+ }
+ }
+#endif
+
mbedtls_printf( " ok\n" );
/*
