libssh2: compare sha256 strings case sensitively

Reported-by: Harry Sintonen
Bug: https://hackerone.com/reports/1549435
Closes #8744
Daniel Stenberg 2022-04-25 11:41:20 +02:00
parent a09a12806e
commit ff2f3e8367


@ -694,12 +694,12 @@ static CURLcode ssh_check_fingerprint(struct Curl_easy *data)
* against a known fingerprint, if available.
*/
if((pub_pos != b64_pos) ||
Curl_strncasecompare(fingerprint_b64, pubkey_sha256, pub_pos) != 1) {
strncmp(fingerprint_b64, pubkey_sha256, pub_pos)) {
free(fingerprint_b64);
failf(data,
"Denied establishing ssh session: mismatch sha256 fingerprint. "
"Remote %s is not equal to %s", fingerprint_b64, pubkey_sha256);
"Denied establishing ssh session: mismatch sha256 fingerprint. "
"Remote %s is not equal to %s", fingerprint_b64, pubkey_sha256);
state(data, SSH_SESSION_FREE);
sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
return sshc->actualcode;
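Review bot: On the mismatch branch, `free(fingerprint_b64);` runs before `failf()` formats that same pointer with `%s`, so the error message is built from memory that has already been released; this change leaves that use-after-free read in place. The release should come after the message: call `failf(data, "...", fingerprint_b64, pubkey_sha256);` first and then `free(fingerprint_b64);`, ahead of `state(data, SSH_SESSION_FREE);`. Moving from `Curl_strncasecompare` to `strncmp` is the right comparison for base64 text, where letter case carries data, and a short comment above the `if` saying so would keep a later cleanup from reverting it. The `if` block and the rest of `ssh_check_fingerprint` continue outside the lines shown, so other exits that free `fingerprint_b64` could not be checked here.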