Ignore ECJPAKE suite if not configured on server
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index aab25e2..6676c18 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -707,6 +707,17 @@
}
#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+ mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
+ "ecjpake not configured" ) );
+ return( 0 );
+ }
+#endif
+
+
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
( ssl->handshake->curves == NULL ||
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 77db588..20ee6bc 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2499,6 +2499,27 @@
-S "SSL - Unknown identity received" \
-s "SSL - Verification of the message MAC failed"
+# Tests for EC J-PAKE
+
+run_test "ECJPAKE: client not configured" \
+ "$P_SRV debug_level=3" \
+ "$P_CLI debug_level=3" \
+ 0 \
+ -C "add ciphersuite: c0ff" \
+ -C "adding ecjpake_kkpp extension" \
+ -S "ciphersuite mismatch: ecjpake not configured" \
+ -S "None of the common ciphersuites is usable"
+
+run_test "ECJPAKE: server not configured" \
+ "$P_SRV debug_level=3" \
+ "$P_CLI debug_level=3 ecjpake_pw=bla \
+ force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
+ 1 \
+ -c "add ciphersuite: c0ff" \
+ -c "adding ecjpake_kkpp extension" \
+ -s "ciphersuite mismatch: ecjpake not configured" \
+ -s "None of the common ciphersuites is usable"
+
# Tests for ciphersuites per version
run_test "Per-version suites: SSL3" \