auth: DOVECOT-TOKEN mechanism - Fix potential timing attack in verying the token

author Timo Sirainen <timo.sirainen@open-xchange.com>

Wed, 25 Mar 2020 08:42:40 +0000 (10:42 +0200)

committer timo.sirainen <timo.sirainen@open-xchange.com>

Wed, 15 Apr 2020 10:57:57 +0000 (10:57 +0000)
author Timo Sirainen <timo.sirainen@open-xchange.com>
Wed, 25 Mar 2020 08:42:40 +0000 (10:42 +0200)
committer timo.sirainen <timo.sirainen@open-xchange.com>
Wed, 15 Apr 2020 10:57:57 +0000 (10:57 +0000)
diff --git a/src/auth/mech-dovecot-token.c b/src/auth/mech-dovecot-token.c

index 6dee6819fb8938b2702728376cb1faa33d8341f1..55ca3e19acde7f862274244eb97776f5481fa578 100644 (file)
--- a/src/auth/mech-dovecot-token.c
+++ b/src/auth/mech-dovecot-token.c
@@ -52,7 +52,7 @@ mech_dovecot_token_auth_continue(struct auth_request *request,
                         auth_token_get(service, pid, request->user, session_id);
  
                 if (auth_token != NULL &&
-                   strcmp(auth_token, valid_token) == 0) {
+                   str_equals_timing_almost_safe(auth_token, valid_token)) {
                         request->passdb_success = TRUE;
                         auth_request_set_field(request, "userdb_client_service", service, "");
                         auth_request_success(request, NULL, 0);
author	Timo Sirainen <timo.sirainen@open-xchange.com>
	Wed, 25 Mar 2020 08:42:40 +0000 (10:42 +0200)
committer	timo.sirainen <timo.sirainen@open-xchange.com>
	Wed, 15 Apr 2020 10:57:57 +0000 (10:57 +0000)