From 4691082c9b0659476e919bd7a8a30ec1b5537a7c Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Thu, 22 Jan 2009 12:11:16 +0000
Subject: case-insensitive check of SSL fingerprints (Daniel Richard G.)

Daniel Richard G. writes:
| I was clearing out an old Fetchmail SVN checkout I had lying around
| here, and came across one small change that I forgot to send in.
|
| In socket.c, there's a bit of code that compares SSL certificate
| fingerprints: [...]
|
| That strcmp() call should be an strcasecmp(). At one point, I
| encountered a certificate where the fingerprint's hex digits were in a
| different case than what was expected, and the connection attempt failed
| because of that.  Not exactly what you'd call a potential MitM attack
| :-)

He's right, we can compare case-insensitively without sacrificing
fetchmail's security, so let's just do that for the sake of ease of use.

svn path=/branches/BRANCH_6-3/; revision=5262
---
 socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'socket.c')

diff --git a/socket.c b/socket.c
index 3a03a6eb..51c15529 100644
--- a/socket.c
+++ b/socket.c
@@ -717,7 +717,7 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
 			if (outlevel > O_NORMAL)
 			    report(stdout, GT_("%s key fingerprint: %s\n"), _server_label, text);
 			if (_check_digest != NULL) {
-				if (strcmp(text, _check_digest) == 0) {
+				if (strcasecmp(text, _check_digest) == 0) {
 				    if (outlevel > O_NORMAL)
 					report(stdout, GT_("%s fingerprints match.\n"), _server_label);
 				} else {
-- 
cgit v1.2.3