From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 6 Oct 2022 00:49:10 +0200
Subject: [PATCH] strcase: add and use Curl_timestrcmp

This is a strcmp() alternative function for comparing "secrets",
designed to take the same time no matter the content to not leak
match/non-match info to observers based on how fast it is.

The time this function takes is only a function of the shortest input
string.

Reported-by: Trail of Bits

Closes #9658
---
 lib/netrc.c             |  6 +++---
 lib/strcase.c           | 22 ++++++++++++++++++++++
 lib/strcase.h           |  1 +
 lib/url.c               | 34 +++++++++++++---------------------
 lib/vauth/digest_sspi.c |  4 ++--
 lib/vtls/vtls.c         |  4 ++--
 6 files changed, 43 insertions(+), 28 deletions(-)

--- a/lib/strcase.c
+++ b/lib/strcase.c
@@ -151,3 +151,25 @@ int curl_strnequal(const char *first, co
 {
   return Curl_strncasecompare(first, second, max);
 }
+
+/*
+ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
+ * function spends is a function of the shortest string, not of the contents.
+ */
+int Curl_timestrcmp(const char *a, const char *b)
+{
+  int match = 0;
+  int i = 0;
+
+  if(a && b) {
+    while(1) {
+      match |= a[i]^b[i];
+      if(!a[i] || !b[i])
+        break;
+      i++;
+    }
+  }
+  else
+    return a || b;
+  return match;
+}
--- a/lib/strcase.h
+++ b/lib/strcase.h
@@ -50,5 +50,6 @@ void Curl_strntoupper(char *dest, const
 void Curl_strntolower(char *dest, const char *src, size_t n);
 
 bool Curl_safecmp(char *a, char *b);
+int Curl_timestrcmp(const char *first, const char *second);
 
 #endif /* HEADER_CURL_STRCASE_H */