author | Daniel Stenberg <daniel@haxx.se> | 2022-10-06 00:49:10 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2022-10-08 11:50:47 +0200 |
commit | ed5095ed94281989e103c72e032200b83be37878 (patch) | |
tree | 82e843cf7fd9f863da7d1cf076a89d74c223cae7 /lib/netrc.c | |
parent | b90f857fabe629158db71e973270c1c964dcebc0 (diff) | |
download | curl-ed5095ed94281989e103c72e032200b83be37878.tar.gz |
strcase: add and use Curl_timestrcmp
This is a strcmp() alternative function for comparing "secrets",
designed to take the same time no matter the content to not leak
match/non-match info to observers based on how fast it is.
The time this function takes is only a function of the shortest input
string.
Reported-by: Trail of Bits
Closes #9658
Diffstat (limited to 'lib/netrc.c')
-rw-r--r-- | lib/netrc.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/netrc.c b/lib/netrc.c
index e183b6271..f09c75842 100644
--- a/lib/netrc.c
+++ b/lib/netrc.c
@@ -198,9 +198,9 @@ static int parsenetrc(const char *host,
 /* we are now parsing sub-keywords concerning "our" host */
 if(state_login) {
 if(specific_login) {
- state_our_login = !strcmp(login, tok);
+ state_our_login = !Curl_timestrcmp(login, tok);
 }
- else if(!login || strcmp(login, tok)) {
+ else if(!login || Curl_timestrcmp(login, tok)) {
 if(login_alloc) {
 free(login);
 login_alloc = FALSE;
@@ -216,7 +216,7 @@ static int parsenetrc(const char *host,
 }
 else if(state_password) {
 if((state_our_login || !specific_login)
- && (!password || strcmp(password, tok))) {
+ && (!password || Curl_timestrcmp(password, tok))) {
 if(password_alloc) {
 free(password);
 password_alloc = FALSE; |
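Review bot: The result of the new comparison still selects a data-dependent branch, so whether two strings match remains visible in timing even though the position of the first differing byte no longer is. In the first hunk `free(login)` runs only when `Curl_timestrcmp(login, tok)` reports a difference, and the second hunk does the same with `free(password)`. The commit message also says the run time follows the shortest input, so length is not hidden either. A short comment at the first call would keep later readers from assuming more than the function gives, for example `/* Curl_timestrcmp hides where the strings differ, not whether they differ or how long they are */`. parsenetrc starts and ends outside both hunks, so what follows the `free()` calls is not visible here.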