From 4691082c9b0659476e919bd7a8a30ec1b5537a7c Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Thu, 22 Jan 2009 12:11:16 +0000 Subject: case-insensitive check of SSL fingerprints (Daniel Richard G.) Daniel Richard G. writes: | I was clearing out an old Fetchmail SVN checkout I had lying around | here, and came across one small change that I forgot to send in. | | In socket.c, there's a bit of code that compares SSL certificate | fingerprints: [...] | | That strcmp() call should be an strcasecmp(). At one point, I | encountered a certificate where the fingerprint's hex digits were in a | different case than what was expected, and the connection attempt failed | because of that. Not exactly what you'd call a potential MitM attack | :-) He's right, we can compare case-insensitively without sacrificing fetchmail's security, so let's just do that for the sake of ease of use. svn path=/branches/BRANCH_6-3/; revision=5262 --- NEWS | 3 +++ socket.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index b026effb..a86d05c0 100644 --- a/NEWS +++ b/NEWS @@ -57,6 +57,9 @@ fetchmail 6.3.10 (not yet released): * Do not overlap source and destination fields in snprintf() in interface.c. Courtesy of Nico Golde, Debian. +# CHANGES +* Make the comparison of the SSL fingerprints case insensitive, to + ease its use. Suggested by Daniel Richard G. # TRANSLATION UPDATES AND ADDITIONS (ordered by language name): * [it] Italian (Vincenzo Campanella) diff --git a/socket.c b/socket.c index 3a03a6eb..51c15529 100644 --- a/socket.c +++ b/socket.c 
@@ -717,7 +717,7 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict ) if (outlevel > O_NORMAL) report(stdout, GT_("%s key fingerprint: %s\n"), _server_label, text); if (_check_digest != NULL) { - if (strcmp(text, _check_digest) == 0) { + if (strcasecmp(text, _check_digest) == 0) { if (outlevel > O_NORMAL) report(stdout, GT_("%s fingerprints match.\n"), _server_label); } else { -- cgit v1.2.3
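Review bot: the NEWS entry should say why case-insensitive matching does not loosen the check, since "case insensitive" next to "SSL fingerprints" reads like a relaxation of verification: the case of a hex digit carries no information, so treating `AB:CD` and `ab:cd` as equal does not widen the set of certificates that match. It would also help users to state the expected input format (the colon-separated hex pairs printed by the `%s key fingerprint:` message), e.g. `* Accept SSL fingerprints with hex digits in either case; the colon-separated format printed by -v is still required.`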
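Review bot: the changed line `if (strcasecmp(text, _check_digest) == 0)` removes only the case difference; every other byte of the user-supplied digest must still match exactly (colon separators, no leading or trailing whitespace), so a fingerprint copied from a tool that prints bare hex without colons, or pasted with a trailing space, still fails with the same unexplained mismatch that motivated this change. If ease of use is the goal, a more robust fix is to normalise both strings (drop non-hex characters, fold to one case) before comparing, or to validate the format of `_check_digest` when the configuration is parsed and reject it with a clear message. Also confirm that socket.c includes <strings.h>, where POSIX declares strcasecmp(); the include is not visible in this hunk.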