Skip to content

mbedtls: fix ECJPAKE matching#21264

Closed
bagder wants to merge 1 commit intomasterfrom
bagder/mbed-ecjpake
Closed

mbedtls: fix ECJPAKE matching#21264
bagder wants to merge 1 commit intomasterfrom
bagder/mbed-ecjpake

Conversation

@bagder
Copy link
Copy Markdown
Member

@bagder bagder commented Apr 8, 2026

It did not require a full-length match, so empty or prefix tokens map to ECJPAKE would silently add that cipher to the configured list.

Follow-up to fba9afe

Reported by Codex Security

@bagder
mbedtls: fix ECJPAKE matching
1c6be3a 
It did not require a full-length match, so empty or prefix tokens map to
ECJPAKE would silently add that cipher to the configured list.

Follow-up to fba9afe

Reported by Codex Security
@bagder bagder added the TLS label Apr 8, 2026
@bagder
Copy link
Copy Markdown
Member Author

bagder commented Apr 8, 2026

cc @jan2000

@bagder bagder marked this pull request as ready for review April 8, 2026 07:23
@bagder bagder requested a review from Copilot April 8, 2026 07:30
Copilot AI reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes cipher-suite parsing for the mbedTLS backend so that TLS_ECJPAKE_WITH_AES_128_CCM_8 is only recognized on an exact, full-token match (preventing empty/prefix tokens from being interpreted as ECJPAKE).

Changes:

  • Require full-length token match before mapping to MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8.
  • Deduplicate the ECJPAKE suite string into a local constant to avoid repeating the literal.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@bagder bagder closed this in 59c8de7 Apr 8, 2026
@bagder bagder deleted the bagder/mbed-ecjpake branch April 8, 2026 09:28
@jan2000
Copy link
Copy Markdown
Contributor

jan2000 commented Apr 8, 2026

Yup. Seems I made the same mistake in sectransp, but that one is already gone.

Side note, having AI commenting in the PR seems like a distraction. "Deduplicate the ECJPAKE suite string into a local constant to avoid repeating the literal." Ugh.

@bagder
Copy link
Copy Markdown
Member Author

bagder commented Apr 9, 2026

having AI commenting in the PR seems like a distraction

Agreed. Their reviews are useful however, and that's why we use them. As a side effect, both Copilot and Augment add their pointless explanations of the PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

TLS

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bagder @jan2000