doveadm: Make doveadm_password safe against timing attacks.

diff --git a/src/doveadm/client-connection.c b/src/doveadm/client-connection.c
index 7e64827a23b0e480a90ba22aa9f9f96182789bfc..b046ce10f89831dcff09d1532d80828350c14073 100644 (file)
--- a/src/doveadm/client-connection.c
+++ b/src/doveadm/client-connection.c
@@ -365,7 +365,9 @@ client_connection_authenticate(struct client_connection *conn)
                return -1;
        }
        pass = t_strndup(data + 9, size - 9);
-       if (strcmp(pass, conn->set->doveadm_password) != 0) {
+       if (strlen(pass) != strlen(conn->set->doveadm_password) ||
+           !mem_equals_timing_safe(pass, conn->set->doveadm_password,
+                                   strlen(pass))) {
                i_error("doveadm client authenticated with wrong password");
                return -1;
        }