From: Timo Sirainen
Date: Wed, 25 Mar 2020 08:42:40 +0000 (+0200)
Subject: auth: DOVECOT-TOKEN mechanism - Fix potential timing attack in verying the token
X-Git-Tag: 2.3.11.2~351
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7cb8d18064348a253a90a4dd48612d22f8d7e018;p=thirdparty%2Fdovecot%2Fcore.git
auth: DOVECOT-TOKEN mechanism - Fix potential timing attack in verying the token
---
diff --git a/src/auth/mech-dovecot-token.c b/src/auth/mech-dovecot-token.c
index 6dee6819fb..55ca3e19ac 100644
--- a/src/auth/mech-dovecot-token.c
+++ b/src/auth/mech-dovecot-token.c
@@ -52,7 +52,7 @@ mech_dovecot_token_auth_continue(struct auth_request *request,
 auth_token_get(service, pid, request->user, session_id);
 if (auth_token != NULL &&
- strcmp(auth_token, valid_token) == 0) {
+ str_equals_timing_almost_safe(auth_token, valid_token)) {
 request->passdb_success = TRUE;
 auth_request_set_field(request, "userdb_client_service", service, "");
 auth_request_success(request, NULL, 0);
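Review bot: The new condition `str_equals_timing_almost_safe(auth_token, valid_token)` has no comment saying why a plain `strcmp()` must not be used here, so a later cleanup could silently bring back the early-exit comparison. I would add above the `if` something like `/* client-supplied token vs. secret: compare without early exit so response time does not reveal the matching prefix */`. The helper's own name says "almost" safe; if I recall its contract correctly it hides which byte differs but may still leak string length, which is presumably harmless only if tokens are fixed-length, and that assumption is worth stating in the same comment. The body of `mech_dovecot_token_auth_continue` starts and ends outside the hunk, so whether `valid_token` can ever be NULL at this call is not visible and should be confirmed, since only `auth_token` is NULL-checked.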