lib-oauth2: Fix possible timing attack in oauth2_validate_hmac()

author Patrick Gansterer <paroga@paroga.com>

Tue, 24 Mar 2020 19:34:17 +0000 (20:34 +0100)

committer timo.sirainen <timo.sirainen@open-xchange.com>

Wed, 1 Apr 2020 07:13:28 +0000 (07:13 +0000)
author Patrick Gansterer <paroga@paroga.com>
Tue, 24 Mar 2020 19:34:17 +0000 (20:34 +0100)
committer timo.sirainen <timo.sirainen@open-xchange.com>
Wed, 1 Apr 2020 07:13:28 +0000 (07:13 +0000)
diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c

index 527a0f3194165cedb6b76706fb65624f28101787..29c6fa55230b2811418707098806c103c821a171 100644 (file)
--- a/src/lib-oauth2/oauth2-jwt.c
+++ b/src/lib-oauth2/oauth2-jwt.c
@@ -105,7 +105,7 @@ static int oauth2_validate_hmac(const struct oauth2_settings *set,
         buffer_t *their_digest =
                 t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]);
         if (method->digest_size != their_digest->used ||
-           memcmp(digest, their_digest->data, method->digest_size) != 0) {
+           !mem_equals_timing_safe(digest, their_digest->data, method->digest_size)) {
                 *error_r = "Incorrect JWT signature";
                 return -1;
         }
author	Patrick Gansterer <paroga@paroga.com>
	Tue, 24 Mar 2020 19:34:17 +0000 (20:34 +0100)
committer	timo.sirainen <timo.sirainen@open-xchange.com>
	Wed, 1 Apr 2020 07:13:28 +0000 (07:13 +0000)