From 59c8de789764e004e7e16d00702ba956dbb8cd2f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Wed, 8 Apr 2026 09:20:11 +0200
Subject: [PATCH] mbedtls: fix ECJPAKE matching

It did not require a full-length match, so empty or prefix tokens map to ECJPAKE would silently add that cipher to the configured list.

Follow-up to fba9afebba22d577f122239b18
Reported by Codex Security
Closes #21264
---
 lib/vtls/mbedtls.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 6384ef21f4..1cac66041d 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -265,9 +265,11 @@ static uint16_t mbed_cipher_suite_walk_str(const char **str, const char **end)
 {
 uint16_t id = Curl_cipher_suite_walk_str(str, end);
 size_t len = *end - *str;
+ static const char ecjpake_suite[] = "TLS_ECJPAKE_WITH_AES_128_CCM_8";
 if(!id) {
- if(curl_strnequal("TLS_ECJPAKE_WITH_AES_128_CCM_8", *str, len))
+ if((len == sizeof(ecjpake_suite) - 1) &&
+ curl_strnequal(ecjpake_suite, *str, len))
 id = MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8;
 }
 return id;