squash! apply suggestions

corecode#71
fphammerle · Dec 29, 2019 · 8f1204a · 8f1204a
1 parent 95787ff
commit 8f1204a
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 12 deletions.
diff --git a/conf.c b/conf.c
@@ -226,7 +226,7 @@ parse_conf(const char *config_path)
 			if (fingerprint == NULL) {
 				errlogx(EX_CONFIG, "fingerprint allocation failed");
 			}
-			for (unsigned int i=0; i<SHA256_DIGEST_LENGTH; i++) {
+			for (unsigned int i = 0; i < SHA256_DIGEST_LENGTH; i++) {
 				if(sscanf(data + 2 * i, "%02hhx", &fingerprint[i]) != 1) {
 					errlogx(EX_CONFIG, "failed to read fingerprint");
 				}

diff --git a/crypto.c b/crypto.c
@@ -78,28 +78,27 @@ init_cert_file(SSL_CTX *ctx, const char *path)
 	return (0);
 }
 
-unsigned int verify_server_fingerprint(const X509 *cert)
+int
+verify_server_fingerprint(const X509 *cert)
 {
 	unsigned char fingerprint[EVP_MAX_MD_SIZE] = {0};
 	unsigned int fingerprint_len = 0;
 	if(!X509_digest(cert, EVP_sha256(), fingerprint, &fingerprint_len)) {
 		syslog(LOG_WARNING, "failed to load fingerprint of server's certicate: %s",
 			   ssl_errstr());
-		return 1;
+		return (1);
 	}
 	if(fingerprint_len != SHA256_DIGEST_LENGTH) {
 		syslog(LOG_WARNING, "sha256 fingerprint has unexpected length of %d bytes",
 		       fingerprint_len);
-		return 1;
+		return (1);
 	}
-	for(unsigned int i=0; i<SHA256_DIGEST_LENGTH; i++) {
-		if(fingerprint[i] != config.fingerprint[i]) {
-			syslog(LOG_WARNING, "fingerprints do not match");
-			return 1;
-		}
+	if(memcmp(fingerprint, config.fingerprint, SHA256_DIGEST_LENGTH) != 0) {
+		syslog(LOG_WARNING, "fingerprints do not match");
+		return (1);
 	}
 	syslog(LOG_DEBUG, "verified server's fingerprint");
-	return 0;
+	return (0);
 }
 
 int

diff --git a/dma.8 b/dma.8
@@ -227,7 +227,8 @@ Uncomment if you want to use STARTTLS.
 Only useful together with
 .Sq SECURETRANS .
 .It Ic FINGERPRINT Xo
-Optionally verify SHA256 fingerprint of smarthost's certificate.
+Pin the server certificate by specifying its SHA256 fingerprint.
+Only makes sense if you use a smarthost.
 .It Ic OPPORTUNISTIC_TLS Xo
 (boolean, default=commented)
 .Xc

diff --git a/dma.conf b/dma.conf
@@ -25,7 +25,8 @@
 # SECURETRANSFER)
 #STARTTLS
 
-# Optionally verify SHA256 fingerprint of smarthost's certificate.
+# Pin the server certificate by specifying its SHA256 fingerprint.
+# Only makes sense if you use a smarthost.
 #FINGERPRINT 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
 
 # Uncomment if you have specified STARTTLS above and it should be allowed