From 2856bdf841175e7490f89c4a39066c1f2694c9c0 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Tue, 15 Nov 2016 18:33:19 +0100
Subject: [PATCH] ssh: check md5 fingerprints case insensitively
---
 0001-curl-7.51.0-ssh-md5.patch | 33 +++++++++++++++++++++++++++++++++
 curl.spec | 9 ++++++++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 0001-curl-7.51.0-ssh-md5.patch
diff --git a/0001-curl-7.51.0-ssh-md5.patch b/0001-curl-7.51.0-ssh-md5.patch
new file mode 100644
index 0000000..6ed3e0e
--- /dev/null
+++ b/0001-curl-7.51.0-ssh-md5.patch
@@ -0,0 +1,33 @@
+From a57cd03551cb373bd69278d7281026ac147bb4b4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 7 Nov 2016 12:54:40 +0100
+Subject: [PATCH 1/2] ssh: check md5 fingerprints case insensitively
+ (regression)
+
+Revert the change from ce8d09483eea but use the new function
+
+Reported-by: Kamil Dudka
+Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146
+
+Upstream-commit: 50aded1cd4bb751cad52c39c4fa1f06ebc5e133e
+Signed-off-by: Kamil Dudka
+---
+ lib/ssh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ssh.c b/lib/ssh.c
+index 43c8283..0df030d 100644
+--- a/lib/ssh.c
++++ b/lib/ssh.c
+@@ -676,7 +676,7 @@ static CURLcode ssh_check_fingerprint(struct connectdata *conn)
+ * against a known fingerprint, if available.
+ */
+ if(pubkey_md5 && strlen(pubkey_md5) == 32) {
+- if(!fingerprint || strcmp(md5buffer, pubkey_md5)) {
++ if(!fingerprint || !strcasecompare(md5buffer, pubkey_md5)) {
+ if(fingerprint)
+ failf(data,
+ "Denied establishing ssh session: mismatch md5 fingerprint. "
+--
+2.7.4
+
diff --git a/curl.spec b/curl.spec
index 4bf6787..b862d09 100644
--- a/curl.spec
+++ b/curl.spec
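Review bot: The backported patch header reads `[PATCH 1/2]`, so it is the first half of a two-patch upstream series; it is worth recording in the spec comment or the patch header whether the second part (not visible here, presumably a test or follow-up) is unnecessary for 7.51.0 or was deliberately left out. On the comparison itself, the move from `strcmp` to `!strcasecompare(md5buffer, pubkey_md5)` does not loosen the host-key check: the `strlen(pubkey_md5) == 32` guard on the preceding context line still applies, and if `md5buffer` is a hex rendering of the digest, only the case of the hex letters becomes irrelevant, so upper-case fingerprints are no longer rejected while any non-matching value still fails. A one-line comment above the changed `if` would save the next reader from re-deriving that reasoning, e.g. `/* hex digests match case-insensitively; strcmp here rejected upper-case fingerprints */`. The body of ssh_check_fingerprint, including the rejection path after `failf`, continues outside this hunk.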
@@ -1,11 +1,14 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.51.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 
+# ssh: check md5 fingerprints case insensitively
+Patch1: 0001-curl-7.51.0-ssh-md5.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -122,6 +125,7 @@ documentation of the library, too.
 %setup -q
 
 # upstream patches
+%patch1 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -229,6 +233,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Tue Nov 15 2016 Kamil Dudka 7.51.0-2
+- ssh: check md5 fingerprints case insensitively
+
 * Wed Nov 02 2016 Kamil Dudka 7.51.0-1
 - temporarily disable failing libidn2 test-cases
 - new upstream release, which fixes the following vulnerabilities