Well, one problem is that "strcasecmp" is not in the Standard C Library, and in
fact is illegal, because external identifiers beginning with "str" are reserved
to the implementation.
There is no standard case-insensitive string-comparison function in C. You have
to write your own.
Here's one:
#include <ctype.h>
int cmpstri(const char *s1, const char *s2)
{
const unsigned char *us1 = (const unsigned char *)s1, *us2 = (const
unsigned char *)s2;
/***
Handle null inputs. This function treats null strings as equal to one
another
and less than non-null strings. Some applications might prefer different
semantics (e.g. treating null strings as empty strings).
***/
if (!s1 && !s2) return 0;
else if (!s1) return -1;
else if (!s2) return 1;
/***
Compare strings. Use unsigned char because tolower is not guaranteed
with signed
input, and plain char may be signed (implemenation-dependent). ISO
9899-1990 7.3.
***/
while (*us1 || *us2)
{
unsigned char l1 = tolower(*us1), l2 = tolower(*us2);
if (l1 < l2) return -1;
if (l2 > l1) return 1;
us1++, us2++;
}
return 0;
}
(Untested, but copied with some modifications from an existing implementation.)
That said, I agree that case-insensitive comparison would be a good idea here.
--
Michael Wojcik
Technology Specialist, Micro Focus
> -----Original Message-----
> From: [email protected] [mailto:owner-openssl-
> [email protected]] On Behalf Of Salz, Rich
> Sent: Friday, 15 August, 2014 14:36
> To: [email protected]
> Subject: RE: Case-sensitive cipher names are a bad idea
>
> > The case makes some things more clear:
>
> I never said it didn't.
>
> > There are lots of other ways to typo the input string.
>
> Yup, but saying TLSV1 won't work while TLSv1 does work is silly.
>
> > Perhaps there are currently no collisions, and case folding is likely safe,
> but I
> > don't really see much benefit from this. I think that's the wrong problem
> to
> > invest time in. Instead, things like the security level interface in
> "master",
> > (which still needs some polish) are more like the way to go. The
> cipherlist
> > mini-language is much too subtle for most users.
>
> While I tend to agree (my test: explain the difference between ! and -), I
> have seen people hurt by this particular problem. I happen not to be
> thrilled with the security level interface, but that's me. Many people will
> find it useful. It will not address the problems some of us have.
>
> And as you point out, it's not done yet.
>
> I'm talking a bugfix-level patch to turn strncmp() in ssl/ssl_ciph.c to
> strncasecmp.
>
> Does anyone see a PROBLEM with this?
>
> /r$
>
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge MA
> IM: [email protected] Twitter: RichSalz
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [email protected]
This message has been scanned for malware by Websense. www.websense.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
