Ignore ECJPAKE suite if not configured on server

library/ssl_srv.c

@@ -707,6 +707,17 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
     }
 #endif
 
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+        mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
+                                    "ecjpake not configured" ) );
+        return( 0 );
+    }
+#endif
+
+
 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
     if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
         ( ssl->handshake->curves == NULL ||

tests/ssl-opt.sh

@@ -2499,6 +2499,27 @@ run_test    "PSK callback: wrong key" \
             -S "SSL - Unknown identity received" \
             -s "SSL - Verification of the message MAC failed"
 
+# Tests for EC J-PAKE
+
+run_test    "ECJPAKE: client not configured" \
+            "$P_SRV debug_level=3" \
+            "$P_CLI debug_level=3" \
+            0 \
+            -C "add ciphersuite: c0ff" \
+            -C "adding ecjpake_kkpp extension" \
+            -S "ciphersuite mismatch: ecjpake not configured" \
+            -S "None of the common ciphersuites is usable"
+
+run_test    "ECJPAKE: server not configured" \
+            "$P_SRV debug_level=3" \
+            "$P_CLI debug_level=3 ecjpake_pw=bla \
+             force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
+            1 \
+            -c "add ciphersuite: c0ff" \
+            -c "adding ecjpake_kkpp extension" \
+            -s "ciphersuite mismatch: ecjpake not configured" \
+            -s "None of the common ciphersuites is usable"
+
 # Tests for ciphersuites per version
 
 run_test    "Per-version suites: SSL3" \