From: Stephan Bosch
Date: Wed, 8 Nov 2023 13:43:43 +0000 (+0100)
Subject: lib-auth: auth-scram-server - Always use str_equals_timing_almost_safe() instead...
X-Git-Tag: 2.4.1~305
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ed48971390378b2eb8a31cc91dcf02e2b0af7964;p=thirdparty%2Fdovecot%2Fcore.git
lib-auth: auth-scram-server - Always use str_equals_timing_almost_safe() instead of strcmp()
---
diff --git a/src/lib-auth/auth-scram-server.c b/src/lib-auth/auth-scram-server.c
index 7f6b90f6a5..db43693c75 100644
--- a/src/lib-auth/auth-scram-server.c
+++ b/src/lib-auth/auth-scram-server.c
@@ -373,7 +373,7 @@ auth_scram_parse_client_final(struct auth_scram_server *server,
 str_append(str, "c=");
 base64_encode(cbind_input, strlen(cbind_input), str);
- if (strcmp(fields[0], str_c(str)) != 0) {
+ if (!str_equals_timing_almost_safe(fields[0], str_c(str))) {
 *error_r = "Invalid channel binding data";
 return -1;
 }
@@ -384,7 +384,7 @@ auth_scram_parse_client_final(struct auth_scram_server *server,
 s-nonce = printable */
 nonce_str = t_strconcat("r=", server->cnonce, server->snonce, NULL);
- if (strcmp(fields[1], nonce_str) != 0) {
+ if (!str_equals_timing_almost_safe(fields[1], nonce_str)) {
 *error_r = "Wrong nonce";
 return -1;
 }
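Review bot: The two new `if (!str_equals_timing_almost_safe(...))` conditions compare values that are not secret — the nonce is the one the server itself sent and the client echoed, and the channel-binding string is rebuilt from the client's own header — so without a comment a later reader may see the timing-safe compare as unnecessary and revert to strcmp(); a one-line comment above each, e.g. `/* not secret, but compared timing-safely so no strcmp() remains in the verify path */`, would document the intent, in the second hunk ("Wrong nonce") as well as the first. As its name suggests, the helper is presumably not constant-time with respect to differing string lengths; that is acceptable here since both expected lengths are already known to the client, but it is worth stating next to the calls. The comparison that actually guards a secret, the client proof against the stored key, is outside both hunks, so it would be good to confirm in the same commit that it uses this helper too. auth_scram_parse_client_final() starts and ends outside both hunks.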