Adapt ssl_client2 to restartable EC
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 5032a9f..84ce115 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -79,6 +79,7 @@
#define DFL_PSK ""
#define DFL_PSK_IDENTITY "Client_identity"
#define DFL_ECJPAKE_PW NULL
+#define DFL_EC_MAX_OPS -1
#define DFL_FORCE_CIPHER 0
#define DFL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION_DISABLED
#define DFL_ALLOW_LEGACY -2
@@ -235,6 +236,13 @@
#define USAGE_ECJPAKE ""
#endif
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+#define USAGE_ECRESTART \
+ " ec_max_ops=%%s default: library default (restart disabled)\n"
+#else
+#define USAGE_ECRESTART ""
+#endif
+
#define USAGE \
"\n usage: ssl_client2 param=<>...\n" \
"\n acceptable parameters:\n" \
@@ -258,6 +266,7 @@
"\n" \
USAGE_PSK \
USAGE_ECJPAKE \
+ USAGE_ECRESTART \
"\n" \
" allow_legacy=%%d default: (library default: no)\n" \
USAGE_RENEGO \
@@ -310,6 +319,7 @@
const char *psk; /* the pre-shared key */
const char *psk_identity; /* the pre-shared key identity */
const char *ecjpake_pw; /* the EC J-PAKE password */
+ int ec_max_ops; /* EC consecutive operations limit */
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
int renegotiation; /* enable / disable renegotiation */
int allow_legacy; /* allow legacy renegotiation */
@@ -527,6 +537,7 @@
opt.psk = DFL_PSK;
opt.psk_identity = DFL_PSK_IDENTITY;
opt.ecjpake_pw = DFL_ECJPAKE_PW;
+ opt.ec_max_ops = DFL_EC_MAX_OPS;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
opt.renegotiation = DFL_RENEGOTIATION;
opt.allow_legacy = DFL_ALLOW_LEGACY;
@@ -619,6 +630,8 @@
opt.psk_identity = q;
else if( strcmp( p, "ecjpake_pw" ) == 0 )
opt.ecjpake_pw = q;
+ else if( strcmp( p, "ec_max_ops" ) == 0 )
+ opt.ec_max_ops = atoi( q );
else if( strcmp( p, "force_ciphersuite" ) == 0 )
{
opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( q );
@@ -1374,6 +1387,11 @@
mbedtls_timing_get_delay );
#endif
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if( opt.ec_max_ops != DFL_EC_MAX_OPS )
+ mbedtls_ecp_set_max_ops( opt.ec_max_ops );
+#endif
+
mbedtls_printf( " ok\n" );
/*
@@ -1384,7 +1402,9 @@
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
- if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+ ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n", -ret );
if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
@@ -1476,7 +1496,8 @@
while( ( ret = mbedtls_ssl_renegotiate( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+ ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_renegotiate returned %d\n\n", ret );
goto exit;
@@ -1528,7 +1549,8 @@
<= 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+ ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned -0x%x\n\n", -ret );
goto exit;
@@ -1540,7 +1562,8 @@
{
do ret = mbedtls_ssl_write( &ssl, buf, len );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
- ret == MBEDTLS_ERR_SSL_WANT_WRITE );
+ ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
+ ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
if( ret < 0 )
{
@@ -1573,7 +1596,8 @@
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_SSL_WANT_READ ||
- ret == MBEDTLS_ERR_SSL_WANT_WRITE )
+ ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
+ ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
continue;
if( ret <= 0 )
@@ -1618,7 +1642,8 @@
do ret = mbedtls_ssl_read( &ssl, buf, len );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
- ret == MBEDTLS_ERR_SSL_WANT_WRITE );
+ ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
+ ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
if( ret <= 0 )
{
@@ -1666,7 +1691,8 @@
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+ ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
@@ -1749,7 +1775,8 @@
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+ ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
