From: Naveed.k
Date: Sat, 10 Jan 2026 13:56:49 +0000 (+0530)
Subject: lib-sasl: sasl-server-mech-otp - Use constant-time hash comparisons
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=912470570dee2b4c43bb837ff333196a6c76c9a7;p=thirdparty%2Fdovecot%2Fcore.git
lib-sasl: sasl-server-mech-otp - Use constant-time hash comparisons
---
diff --git a/src/lib-sasl/sasl-server-mech-otp.c b/src/lib-sasl/sasl-server-mech-otp.c
index af4706c83a..815069a6c0 100644
--- a/src/lib-sasl/sasl-server-mech-otp.c
+++ b/src/lib-sasl/sasl-server-mech-otp.c
@@ -195,8 +195,7 @@ mech_otp_verify(struct otp_auth_request *request, const char *data, bool hex)
 otp_next_hash(state->algo, hash, cur_hash);
- ret = memcmp(cur_hash, state->hash, OTP_HASH_SIZE);
- if (ret != 0) {
+ if (!mem_equals_timing_safe(cur_hash, state->hash, OTP_HASH_SIZE)) {
 sasl_server_request_password_mismatch(auth_request);
 otp_unlock(request);
 return;
@@ -229,8 +228,7 @@ mech_otp_verify_init(struct otp_auth_request *request, const char *data,
 otp_next_hash(request->state.algo, cur_hash, hash);
- ret = memcmp(hash, request->state.hash, OTP_HASH_SIZE);
- if (ret != 0) {
+ if (!mem_equals_timing_safe(hash, request->state.hash, OTP_HASH_SIZE)) {
 sasl_server_request_password_mismatch(auth_request);
 otp_unlock(request);
 return;
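Review bot: With the memcmp() result no longer stored, `ret` may now be an unused local in mech_otp_verify, and the same applies to the second hunk at @@ -229 in mech_otp_verify_init; its declaration lies outside both hunks, so if nothing else in those functions assigns it, drop the declaration to keep the build clean under -Wunused-variable. The substitution itself is the right call: the stored OTP hash is the credential being checked and OTP_HASH_SIZE is a fixed length, so a constant-time compare removes the early-exit timing signal of memcmp() without leaking anything about length. A one-line why-comment above each new `if` would keep a future cleanup from reverting it, e.g. `/* Constant-time compare: the hash is the credential, don't leak how much of it matched. */`. Since no include change is part of the diff, it is also worth confirming that the header declaring mem_equals_timing_safe() is already included by this file. Both enclosing functions start and end outside their hunks.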