From 6fa4cd71365615b97e9e07a2b55baaeb0ec924e8 Mon Sep 17 00:00:00 2001
From: Ben Laurie
Date: Tue, 2 Dec 2008 13:36:47 +0000
Subject: [PATCH] Warn about JPAKE brokenness.
---
 apps/apps.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/apps/apps.c b/apps/apps.c
index 5a5d1d3c45..367eb177e1 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2521,7 +2521,14 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
 jpake_send_step3a(bconn, ctx);
 jpake_receive_step3b(ctx, bconn);
- BIO_puts(out, "JPAKE authentication succeeded\n");
+ /*
+ * The problem is that you must use the derived key in the
+ * session key or you are subject to man-in-the-middle
+ * attacks.
+ */
+ BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can"
+ " be MitMed. See the version in HEAD for how to do it"
+ " properly)\n");
 BIO_pop(bconn);
 BIO_free(bconn);
@@ -2546,7 +2553,14 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
 jpake_receive_step3a(ctx, bconn);
 jpake_send_step3b(bconn, ctx);
- BIO_puts(out, "JPAKE authentication succeeded\n");
+ /*
+ * The problem is that you must use the derived key in the
+ * session key or you are subject to man-in-the-middle
+ * attacks.
+ */
+ BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can"
+ " be MitMed. See the version in HEAD for how to do it"
+ " properly)\n");
 BIO_pop(bconn);
 BIO_free(bconn);
-- 
2.25.1
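Review bot: The status line written in jpake_client_auth, and identically in jpake_server_auth in the second hunk, still opens with `JPAKE authentication succeeded`, so a user skimming the output or a script matching that prefix will keep treating the channel as authenticated even though the rest of the line says it can be man-in-the-middled. I would put the caveat first, for example `BIO_puts(out, "WARNING: JPAKE exchange completed, but this version can be MitMed\n");`, and drop the reference to "HEAD", which means nothing to someone reading runtime output from a released build. The added comment would also help more if it said what is missing at this point, e.g. `/* The key derived by J-PAKE is not used in the session key here, so a completed exchange does not rule out a man-in-the-middle. */`; that reading is inferred from the comment and message wording, since the key handling is not visible in either hunk. Both function bodies start and end outside their hunks.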