From 81da4ee249ddd0a21a57b740fb1cc93fcad592ba Mon Sep 17 00:00:00 2001
From: Joshua Rogers
Date: Tue, 19 May 2026 12:29:34 +0200
Subject: [PATCH] vtls: use Curl_safecmp for CRLfile and pinned_key comparison

Both are filesystem paths (or case-sensitive hash strings for pinned_key). curl_strequal is case-insensitive and would treat /etc/ssl/Crl.pem and /etc/ssl/crl.pem as the same file, unlike the other path fields (CApath, CAfile, issuercert, clientcert) which already use Curl_safecmp.

Closes #21668
---
 lib/vtls/vtls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index c83f6e6678..4600557879 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -217,8 +217,8 @@ static bool match_ssl_primary_config(struct Curl_easy *data,
 curl_strequal(c1->cipher_list13, c2->cipher_list13) &&
 curl_strequal(c1->curves, c2->curves) &&
 curl_strequal(c1->signature_algorithms, c2->signature_algorithms) &&
- curl_strequal(c1->CRLfile, c2->CRLfile) &&
- curl_strequal(c1->pinned_key, c2->pinned_key))
+ Curl_safecmp(c1->CRLfile, c2->CRLfile) &&
+ Curl_safecmp(c1->pinned_key, c2->pinned_key))
 return TRUE;
 
 return FALSE;
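Review bot: The two new `Curl_safecmp` calls now sit directly under three `curl_strequal` calls in the same condition, and nothing in the code says why the groups differ, so a later cleanup could make them uniform again. I would add a comment above the `CRLfile` line, for example `/* file paths and pin hash strings are case-sensitive: compare exactly */`. Judging by its name, match_ssl_primary_config decides whether two TLS configurations count as equal, so a case-insensitive match on `pinned_key` would let two pins that differ only in letter case be treated as the same configuration. The diffstat shows only lib/vtls/vtls.c changed, so a regression test with two configs whose `pinned_key` values differ only by case would be worth adding. The condition begins above the hunk, so the other compared fields are not visible here.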