tls: psa_pake: enforce not empty passwords
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h
index e7ca1b2..3dd3361 100644
--- a/include/mbedtls/ecjpake.h
+++ b/include/mbedtls/ecjpake.h
@@ -113,7 +113,7 @@
* \param curve The identifier of the elliptic curve to use,
* for example #MBEDTLS_ECP_DP_SECP256R1.
* \param secret The pre-shared secret (passphrase). This must be
- * a readable buffer of length \p len Bytes. It need
+ * a readable not empty buffer of length \p len Bytes. It need
* only be valid for the duration of this call.
* \param len The length of the pre-shared secret \p secret.
*
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 01ede40..0852357 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -3824,9 +3824,10 @@
* \note The SSL context needs to be already set up. The right place
* to call this function is between \c mbedtls_ssl_setup() or
* \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake().
+ * Password cannot be empty (see RFC 8236).
*
* \param ssl SSL context
- * \param pw EC J-PAKE password (pre-shared secret)
+ * \param pw EC J-PAKE password (pre-shared secret). It cannot be empty
* \param pw_len length of pw in bytes
*
* \return 0 on success, or a negative error code.