From: Stephan Bosch
Date: Sun, 5 Nov 2023 20:10:10 +0000 (+0100)
Subject: lib-auth: auth-scram-client - Always use str_equals_timing_almost_safe() instead...
X-Git-Tag: 2.4.1~306
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4905b4e4f96dc58c5aa0dfaf3ef79462c79e0bf1;p=thirdparty%2Fdovecot%2Fcore.git
lib-auth: auth-scram-client - Always use str_equals_timing_almost_safe() instead of strcmp()
---
diff --git a/src/lib-auth/auth-scram-client.c b/src/lib-auth/auth-scram-client.c
index a8060d8cb7..128096cf72 100644
--- a/src/lib-auth/auth-scram-client.c
+++ b/src/lib-auth/auth-scram-client.c
@@ -394,7 +394,7 @@ auth_scram_parse_server_final(struct auth_scram_client *client,
 safe_memset(client->server_signature, 0, client->hmethod->digest_size);
- bool equal = (strcmp(verifier, str_c(str)) == 0);
+ bool equal = str_equals_timing_almost_safe(verifier, str_c(str));
 str_clear_safe(str);
 if (!equal) {
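Review bot: The new `bool equal = str_equals_timing_almost_safe(verifier, str_c(str));` line has no comment saying why a timing-hardened comparison is used here, so a later cleanup could reintroduce `strcmp()`. As the helper's name suggests, it is presumably constant-time only in the content and may still reveal the length of the shorter operand. That looks harmless if `str` holds an encoding of the `digest_size`-byte server signature, whose length is then fixed by the hash method, but that should be confirmed against the part of auth_scram_parse_server_final() outside this hunk. I would add above the comparison `/* Server-supplied verifier vs. locally computed signature: compare without early exit; only the (public) length may leak. */`.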