Skip ECJPAKE suite in ClientHello if no pw set up

When we don't have a password, we want to skip the costly process of generating the extension. So for consistency don't offer the ciphersuite without the extension.
2025-11-03 20:22:59 -05:00 · 2015-09-16 09:58:31 +02:00 · 2015-09-16 09:58:31 +02:00 · ddf97a6c92
commit ddf97a6c92
parent 538cb7b0b4
1 changed files with 6 additions and 0 deletions
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -723,6 +723,12 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
            continue;
 #endif

+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+            mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+            continue;
+#endif
+
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
                       ciphersuites[i] ) );