obgm · mrdeep1 · Jul 17, 2024 · May 23, 2024
diff --git a/examples/coap-client.c b/examples/coap-client.c
@@ -154,6 +154,7 @@ static coap_oscore_conf_t *oscore_conf = NULL;
 static int doing_oscore = 0;
 static int doing_tls_engine = 0;
 static char *tls_engine_conf = NULL;
+static int ec_jpake = 0;
 
 static int quit = 0;
 
@@ -509,7 +510,7 @@ usage(const char *program, const char *version) {
           "\t\t[-E oscore_conf_file[,seq_file]] [-G count] [-H hoplimit]\n"
           "\t\t[-K interval] [-N] [-O num,text] [-P scheme://address[:port]\n"
           "\t\t[-T token] [-U]  [-V num] [-X size]\n"
-          "\t\t[[-h match_hint_file] [-k key] [-u user]]\n"
+          "\t\t[[-h match_hint_file] [-k key] [-u user] [-2]]\n"
           "\t\t[[-c certfile] [-j keyfile] [-n] [-C cafile]\n"
           "\t\t[-J pkcs11_pin] [-M raw_pk] [-R trust_casfile]] URI\n"
           "\tURI can be an absolute URI or a URI prefixed with scheme and host\n\n"
@@ -590,6 +591,7 @@ usage(const char *program, const char *version) {
           "\t       \t\tkey begins with 0x, then the hex text (two [0-9a-f] per\n"
           "\t       \t\tbyte) is converted to binary data\n"
           "\t-u user\t\tUser identity to send for pre-shared key mode\n"
+          "\t-2     \t\tUse EC-JPAKE negotiation (if supported)\n"
           "PKI Options (if supported by underlying (D)TLS library)\n"
           "\tNote: If any one of '-c certfile', '-j keyfile' or '-C cafile' is in\n"
           "\tPKCS11 URI naming format (pkcs11: prefix), then any remaining non\n"
@@ -1467,6 +1469,7 @@ setup_psk(const uint8_t *identity,
 
   memset(&dtls_psk, 0, sizeof(dtls_psk));
   dtls_psk.version = COAP_DTLS_CPSK_SETUP_VERSION;
+  dtls_psk.ec_jpake = ec_jpake;
   if (valid_ihs.count) {
     dtls_psk.validate_ih_call_back = verify_ih_callback;
   }
@@ -1663,7 +1666,7 @@ main(int argc, char **argv) {
   coap_startup();
 
   while ((opt = getopt(argc, argv,
-                       "a:b:c:e:f:h:j:k:l:m:no:p:q:rs:t:u:v:wA:B:C:E:G:H:J:K:L:M:NO:P:R:T:UV:X:")) != -1) {
+                       "a:b:c:e:f:h:j:k:l:m:no:p:q:rs:t:u:v:wA:B:C:E:G:H:J:K:L:M:NO:P:R:T:UV:X:2")) != -1) {
     switch (opt) {
     case 'a':
       strncpy(node_str, optarg, NI_MAXHOST - 1);
@@ -1816,6 +1819,9 @@ main(int argc, char **argv) {
       tls_engine_conf = optarg;
       doing_tls_engine = 1;
       break;
+    case '2':
+      ec_jpake = 1;
+      break;
     default:
       usage(argv[0], LIBCOAP_PACKAGE_VERSION);
       goto failed;

diff --git a/examples/coap-server.c b/examples/coap-server.c
@@ -75,6 +75,7 @@ static coap_oscore_conf_t *oscore_conf;
 static int doing_oscore = 0;
 static int doing_tls_engine = 0;
 static char *tls_engine_conf = NULL;
+static int ec_jpake = 0;
 
 /* set to 1 to request clean server shutdown */
 static int quit = 0;
@@ -2079,6 +2080,7 @@ setup_spsk(void) {
 
   memset(&dtls_spsk, 0, sizeof(dtls_spsk));
   dtls_spsk.version = COAP_DTLS_SPSK_SETUP_VERSION;
+  dtls_spsk.ec_jpake = ec_jpake;
   dtls_spsk.validate_id_call_back = valid_ids.count ?
                                     verify_id_callback : NULL;
   dtls_spsk.validate_sni_call_back = valid_psk_snis.count ?
@@ -2145,7 +2147,7 @@ usage(const char *program, const char *version) {
           "\t\t[-L value] [-N] [-P scheme://address[:port],[name1[,name2..]]]\n"
           "\t\t[-T max_token_size] [-U type] [-V num] [-X size]\n"
           "\t\t[[-h hint] [-i match_identity_file] [-k key]\n"
-          "\t\t[-s match_psk_sni_file] [-u user]]\n"
+          "\t\t[-s match_psk_sni_file] [-u user] [-2]]\n"
           "\t\t[[-c certfile] [-j keyfile] [-m] [-n] [-C cafile]\n"
           "\t\t[-J pkcs11_pin] [-M rpk_file] [-R trust_casfile]\n"
           "\t\t[-S match_pki_sni_file]]\n"
@@ -2252,6 +2254,7 @@ usage(const char *program, const char *version) {
           "\t       \t\t-s followed by -i\n"
           "\t-u user\t\tUser identity for pre-shared key mode (only used if\n"
           "\t       \t\toption -P is set)\n"
+          "\t-2     \t\tUse EC-JPAKE negotiation (if supported)\n"
          );
   fprintf(stderr,
           "PKI Options (if supported by underlying (D)TLS library)\n"
@@ -2850,7 +2853,7 @@ main(int argc, char **argv) {
   clock_offset = time(NULL);
 
   while ((opt = getopt(argc, argv,
-                       "a:b:c:d:eg:h:i:j:k:l:mnp:q:rs:tu:v:w:A:C:E:G:J:L:M:NP:R:S:T:U:V:X:")) != -1) {
+                       "a:b:c:d:eg:h:i:j:k:l:mnp:q:rs:tu:v:w:A:C:E:G:J:L:M:NP:R:S:T:U:V:X:2")) != -1) {
     switch (opt) {
 #ifndef _WIN32
     case 'a':
@@ -3016,6 +3019,9 @@ main(int argc, char **argv) {
     case 'X':
       csm_max_message_size = strtol(optarg, NULL, 10);
       break;
+    case '2':
+      ec_jpake = 1;
+      break;
     default:
       usage(argv[0], LIBCOAP_PACKAGE_VERSION);
       goto failed;

diff --git a/include/coap3/coap_dtls.h b/include/coap3/coap_dtls.h
@@ -451,9 +451,11 @@ typedef struct coap_dtls_cpsk_t {
                        to support this version of the struct */
 
   /* Options to enable different TLS functionality in libcoap */
-  uint8_t reserved[7];             /**< Reserved - must be set to 0 for
-                                        future compatibility */
-  /* Size of 7 chosen to align to next
+  uint8_t ec_jpake;        /**< Set to 1 if EC-JPAKE is to be used.
+                                Currently Mbed TLS only */
+  uint8_t reserved[6];     /**< Reserved - must be set to 0 for
+                                future compatibility */
+  /* Size of 6 chosen to align to next
    * parameter, so if newly defined option
    * it can use one of the reserverd slot so
    * no need to change
@@ -539,9 +541,11 @@ typedef struct coap_dtls_spsk_t {
                        to support this version of the struct */
 
   /* Options to enable different TLS functionality in libcoap */
-  uint8_t reserved[7];             /**< Reserved - must be set to 0 for
-                                        future compatibility */
-  /* Size of 7 chosen to align to next
+  uint8_t ec_jpake;        /**< Set to 1 if EC-JPAKE can be used.
+                                Currently Mbed TLS only */
+  uint8_t reserved[6];     /**< Reserved - must be set to 0 for
+                                future compatibility */
+  /* Size of 6 chosen to align to next
    * parameter, so if newly defined option
    * it can use one of the reserverd slot so
    * no need to change

diff --git a/man/coap-client.txt.in b/man/coap-client.txt.in
@@ -27,7 +27,7 @@ SYNOPSIS
               [*-K* interval] [*-L* value] [*-N*] [*-O* num,text]
               [*-P* scheme://addr[:port]] [*-T* token] [*-U*] [*-V* num]
               [*-X* size]
-              [[*-h* match_hint_file] [*-k* key] [*-u* user]]
+              [[*-h* match_hint_file] [*-k* key] [*-u* user] [*-2*]]
               [[*-c* certfile] [*-j* keyfile] [*-n*] [*-C* cafile]
               [*-J* pkcs11_pin] [*-M* rpk_file] [*-R* trust_casfile]] URI
 
@@ -217,6 +217,9 @@ OPTIONS - PSK
 *-u* user::
    User identity to send for pre-shared key mode (*-k* option also required).
 
+*-2* ::
+   Use EC-JPAKE negotiation (if supported).
+
 OPTIONS - PKI
 -------------
 (If supported by underlying (D)TLS library)

diff --git a/man/coap-server.txt.in b/man/coap-server.txt.in
@@ -27,7 +27,7 @@ SYNOPSIS
               [*-P* scheme://addr[:port],[name1[,name2..]]]
               [*-T* max_token_size] [*-U* type] [*-V* num] [*-X* size]
               [[*-h* hint] [*-i* match_identity_file] [*-k* key]
-              [*-s* match_psk_sni_file] [*-u* user]]
+              [*-s* match_psk_sni_file] [*-u* user] [*-2*]]
               [[*-c* certfile] [*-j* keyfile] [*-n*] [*-C* cafile]
               [*-J* pkcs11_pin] [*-M* rpk_file] [*-R* trust_casfile]
               [*-S* match_pki_sni_file]]
@@ -196,6 +196,9 @@ OPTIONS - PSK
 *-u* user ::
    User identity for pre-shared key mode (only used if option *-P* is set).
 
+*-2* ::
+   Use EC-JPAKE negotiation (if supported).
+
 OPTIONS - PKI
 -------------
 (If supported by underlying (D)TLS library)

diff --git a/man/coap_encryption.txt.in b/man/coap_encryption.txt.in
@@ -140,7 +140,11 @@ typedef struct coap_dtls_cpsk_t {
                        to support the version of the struct */
 
   /* Options to enable different TLS functionality in libcoap */
-  uint8_t reserved[7];             /* Reserved - must be set to 0 for
+  uint8_t ec_jpake;        /* Set to 1 if DC-JPAKE is to be used.
+                              Currently Mbed TLS only */
+
+  /* Options to enable different TLS functionality in libcoap */
+  uint8_t reserved[6];             /* Reserved - must be set to 0 for
                                       future compatibility */
 
   /** Identity Hint check callback function.
@@ -178,6 +182,11 @@ definition.
 *version* is set to COAP_DTLS_CPSK_SETUP_VERSION.  This will then allow
 support for different versions of the coap_dtls_cpsk_t structure in the future.
 
+*SECTION: PSK Server: coap_dtls_spsk_t: ec_jpake*
+
+*ec_jpake* Set to 1 if EC-JPAKE negotiation is to be used. Currently only
+supported by suitably compiled Mbed TLS library.
+
 *SECTION: PSK Client: coap_dtls_cpsk_t: Reserved*
 
 *reserved* All must be set to 0.  Future functionality updates will make use of
@@ -262,11 +271,15 @@ environment.
 [source, c]
 ----
 typedef struct coap_dtls_spsk_t {
-  uint8_t version; /** Set to COAP_DTLS_SPSK_SETUP_VERSION
+  uint8_t version; /* Set to COAP_DTLS_SPSK_SETUP_VERSION
                        to support the version of the struct */
 
   /* Options to enable different TLS functionality in libcoap */
-  uint8_t reserved[7];             /* Reserved - must be set to 0 for
+  uint8_t ec_jpake;        /* Set to 1 if DC-JPAKE can be used.
+                              Currently Mbed TLS only */
+
+  /* Options to enable different TLS functionality in libcoap */
+  uint8_t reserved[6];             /* Reserved - must be set to 0 for
                                       future compatibility */
 
   /** Identity check callback function.
@@ -304,6 +317,11 @@ definition.
 *version* is set to COAP_DTLS_SPSK_SETUP_VERSION.  This will then allow
 support for different versions of the coap_dtls_spsk_t structure in the future.
 
+*SECTION: PSK Server: coap_dtls_spsk_t: ec_jpake*
+
+*ec_jpake* Set to 1 if EC-JPAKE negotiation can be used. Currently only
+supported by suitably compiled Mbed TLS library.
+
 *SECTION: PSK Server: coap_dtls_spsk_t: Reserved*
 
 *reserved* All must be set to 0.  Future functionality updates will make use of

diff --git a/src/coap_gnutls.c b/src/coap_gnutls.c
@@ -394,6 +394,9 @@ coap_dtls_context_set_spsk(coap_context_t *c_context,
   if (!g_context || !setup_data)
     return 0;
 
+  if (setup_data->ec_jpake) {
+    coap_log_warn("GnuTLS has no EC-JPAKE support\n");
+  }
   g_context->psk_pki_enabled |= IS_PSK;
   return 1;
 }
@@ -414,6 +417,9 @@ coap_dtls_context_set_cpsk(coap_context_t *c_context,
   if (!g_context || !setup_data)
     return 0;
 
+  if (setup_data->ec_jpake) {
+    coap_log_warn("GnuTLS has no EC-JPAKE support\n");
+  }
   g_context->psk_pki_enabled |= IS_PSK;
   return 1;
 }