mbedtls: fix ECJPAKE matching

It did not require a full-length match, so empty or prefix tokens map to
ECJPAKE would silently add that cipher to the configured list.

Follow-up to fba9afebba22d577f122239b18

Reported by Codex Security

Closes #21264

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 6384ef21f4fc88aef3c7415927c60cd4b46cb6ef..1cac66041d0c0e9404259eace776493c812fc4fa 100644 (file)
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -265,9 +265,11 @@ static uint16_t mbed_cipher_suite_walk_str(const char **str, const char **end)
 {
   uint16_t id = Curl_cipher_suite_walk_str(str, end);
   size_t len = *end - *str;
+  static const char ecjpake_suite[] = "TLS_ECJPAKE_WITH_AES_128_CCM_8";
 
   if(!id) {
-    if(curl_strnequal("TLS_ECJPAKE_WITH_AES_128_CCM_8", *str, len))
+    if((len == sizeof(ecjpake_suite) - 1) &&
+       curl_strnequal(ecjpake_suite, *str, len))
       id = MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8;
   }
   return id;