romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-14 22:51:53 +03:00
Code Issues Projects Releases Packages Wiki Activity

mbedtls: fix ECJPAKE matching

Browse source 
It did not require a full-length match, so empty or prefix tokens map to
ECJPAKE would silently add that cipher to the configured list.

Follow-up to fba9afebba

Reported by Codex Security

Closes #21264
This commit is contained in:
Daniel Stenberg 2026-04-08 09:20:11 +02:00
parent 135665036f
commit 59c8de7897
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
lib/vtls/mbedtls.c
View file

@ -265,9 +265,11 @@ static uint16_t mbed_cipher_suite_walk_str(const char **str, const char **end)
{ {
uint16_t id = Curl_cipher_suite_walk_str(str, end); uint16_t id = Curl_cipher_suite_walk_str(str, end);
size_t len = *end - *str; size_t len = *end - *str;
static const char ecjpake_suite[] = "TLS_ECJPAKE_WITH_AES_128_CCM_8";
if(!id) { if(!id) {
if(curl_strnequal("TLS_ECJPAKE_WITH_AES_128_CCM_8", *str, len)) if((len == sizeof(ecjpake_suite) - 1) &&
curl_strnequal(ecjpake_suite, *str, len))
id = MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8; id = MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8;
} }
return id; return id;