From 4905b4e4f96dc58c5aa0dfaf3ef79462c79e0bf1 Mon Sep 17 00:00:00 2001
From: Stephan Bosch
Date: Sun, 5 Nov 2023 21:10:10 +0100
Subject: [PATCH] lib-auth: auth-scram-client - Always use str_equals_timing_almost_safe() instead of strcmp()
---
 src/lib-auth/auth-scram-client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib-auth/auth-scram-client.c b/src/lib-auth/auth-scram-client.c
index a8060d8cb7..128096cf72 100644
--- a/src/lib-auth/auth-scram-client.c
+++ b/src/lib-auth/auth-scram-client.c
@@ -394,7 +394,7 @@ auth_scram_parse_server_final(struct auth_scram_client *client,
 safe_memset(client->server_signature, 0, client->hmethod->digest_size);
- bool equal = (strcmp(verifier, str_c(str)) == 0);
+ bool equal = str_equals_timing_almost_safe(verifier, str_c(str));
 str_clear_safe(str);
 if (!equal) {
--
2.47.3
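Review bot: The new `bool equal = str_equals_timing_almost_safe(verifier, str_c(str));` line carries no comment saying why a timing-resistant compare is needed, so a later cleanup could quietly turn it back into `strcmp()`. A one-line comment above it would record the intent, for example `/* timing-resistant compare: do not reveal how much of the expected server signature matched */`. The helper's name suggests it is only "almost" safe, presumably because string length can still influence timing. If so, the comment could add that this is acceptable here because the expected value's length follows from `client->hmethod->digest_size`; this should be confirmed against the helper's documentation. The body of auth_scram_parse_server_final() starts and ends outside this hunk, so where `verifier` comes from and how the `!equal` branch reports the failure are not visible here.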