strcase: add and use Curl_timestrcmp

This is a strcmp() alternative function for comparing "secrets",
designed to take the same time no matter the content to not leak
match/non-match info to observers based on how fast it is.

The time this function takes is only a function of the shortest input
string.

Reported-by: Trail of Bits

Closes #9658
This commit is contained in:
Daniel Stenberg 2022-10-06 00:49:10 +02:00
parent b90f857fab
commit ed5095ed94
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
6 changed files with 43 additions and 28 deletions


@ -198,9 +198,9 @@ static int parsenetrc(const char *host,
/* we are now parsing sub-keywords concerning "our" host */
if(state_login) {
if(specific_login) {
state_our_login = !strcmp(login, tok);
state_our_login = !Curl_timestrcmp(login, tok);
}
else if(!login || strcmp(login, tok)) {
else if(!login || Curl_timestrcmp(login, tok)) {
if(login_alloc) {
free(login);
login_alloc = FALSE;
@ -216,7 +216,7 @@ static int parsenetrc(const char *host,
}
else if(state_password) {
if((state_our_login || !specific_login)
&& (!password || strcmp(password, tok))) {
&& (!password || Curl_timestrcmp(password, tok))) {
if(password_alloc) {
free(password);
password_alloc = FALSE;
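Review bot: The switch from strcmp() to Curl_timestrcmp at the login and password comparisons in both hunks is not explained at the call site, so nothing in parsenetrc records that a plain strcmp() must not be reintroduced here; a short comment above the `if(specific_login)` line such as `/* login/password are secrets: compare in constant time so the match result is not observable via timing */` would keep the intent visible to later edits. By the commit's own description the compare still takes time proportional to the shorter of its two inputs, so the length of the shorter of login/tok (or password/tok) remains observable; that is presumably acceptable for netrc parsing but is worth stating in the same comment. The `!login ||` and `!password ||` short-circuits keep the NULL case away from the new function, which looks correct. parsenetrc begins and ends outside the hunks.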