lib-sasl: sasl-server-mech-otp - Use constant-time hash comparisons

author Naveed.k <dxbnaveed.k@gmail.com>

Sat, 10 Jan 2026 13:56:49 +0000 (19:26 +0530)

committer Timo Sirainen <timo.sirainen@open-xchange.com>

Thu, 12 Feb 2026 09:09:05 +0000 (11:09 +0200)
author Naveed.k <dxbnaveed.k@gmail.com>
Sat, 10 Jan 2026 13:56:49 +0000 (19:26 +0530)
committer Timo Sirainen <timo.sirainen@open-xchange.com>
Thu, 12 Feb 2026 09:09:05 +0000 (11:09 +0200)
diff --git a/src/lib-sasl/sasl-server-mech-otp.c b/src/lib-sasl/sasl-server-mech-otp.c

index af4706c83aa08e5651aa331295ad4b7fc4562b5d..815069a6c0085f9e3c9907c5aaa320568149de5c 100644 (file)
--- a/src/lib-sasl/sasl-server-mech-otp.c
+++ b/src/lib-sasl/sasl-server-mech-otp.c
@@ -195,8 +195,7 @@ mech_otp_verify(struct otp_auth_request *request, const char *data, bool hex)
  
         otp_next_hash(state->algo, hash, cur_hash);
  
-       ret = memcmp(cur_hash, state->hash, OTP_HASH_SIZE);
-       if (ret != 0) {
+       if (!mem_equals_timing_safe(cur_hash, state->hash, OTP_HASH_SIZE)) {
                 sasl_server_request_password_mismatch(auth_request);
                 otp_unlock(request);
                 return;
@@ -229,8 +228,7 @@ mech_otp_verify_init(struct otp_auth_request *request, const char *data,
  
         otp_next_hash(request->state.algo, cur_hash, hash);
  
-       ret = memcmp(hash, request->state.hash, OTP_HASH_SIZE);
-       if (ret != 0) {
+       if (!mem_equals_timing_safe(hash, request->state.hash, OTP_HASH_SIZE)) {
                 sasl_server_request_password_mismatch(auth_request);
                 otp_unlock(request);
                 return;
author	Naveed.k <dxbnaveed.k@gmail.com>
	Sat, 10 Jan 2026 13:56:49 +0000 (19:26 +0530)
committer	Timo Sirainen <timo.sirainen@open-xchange.com>
	Thu, 12 Feb 2026 09:09:05 +0000 (11:09 +0200)