#include <openssl/rsa.h>
#endif
#include <openssl/bn.h>
+#ifndef OPENSSL_NO_JPAKE
#include <openssl/jpake.h>
+#endif
#define NON_MAIN
#include "apps.h"
flags |= X509_V_FLAG_X509_STRICT;
else if (!strcmp(arg, "-policy_print"))
flags |= X509_V_FLAG_NOTIFY_POLICY;
+ else if (!strcmp(arg, "-check_ss_sig"))
+ flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
else
return 0;
BIO_free(out);
}
+#ifndef OPENSSL_NO_JPAKE
+
static JPAKE_CTX *jpake_init(const char *us, const char *them,
const char *secret)
{
int l;
l = BIO_gets(bconn, buf, sizeof buf);
- assert(l >= 0);
+ assert(l > 0);
assert(buf[l-1] == '\n');
buf[l-1] = '\0';
BN_hex2bn(bn, buf);
jpake_send_step3a(bconn, ctx);
jpake_receive_step3b(ctx, bconn);
- BIO_puts(out, "JPAKE authentication succeeded\n");
+ /*
+ * The problem is that you must use the derived key in the
+ * session key or you are subject to man-in-the-middle
+ * attacks.
+ */
+ BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can"
+ " be MitMed. See the version in HEAD for how to do it"
+ " properly)\n");
BIO_pop(bconn);
BIO_free(bconn);
jpake_receive_step3a(ctx, bconn);
jpake_send_step3b(bconn, ctx);
- BIO_puts(out, "JPAKE authentication succeeded\n");
+ /*
+ * The problem is that you must use the derived key in the
+ * session key or you are subject to man-in-the-middle
+ * attacks.
+ */
+ BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can"
+ " be MitMed. See the version in HEAD for how to do it"
+ " properly)\n");
BIO_pop(bconn);
BIO_free(bconn);
}
+
+#endif