From: Marco Bettini <marco.bettini@open-xchange.com>
Date: Wed, 7 Jan 2026 16:54:57 +0000 (+0000)
Subject: lib-auth: crypt_verify_blowfish() - use str_equals_timing_almost_safe() instad of... 
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9d1420aede2312c0451ae59b880216b4a4aa9f5;p=thirdparty%2Fdovecot%2Fcore.git

lib-auth: crypt_verify_blowfish() - use str_equals_timing_almost_safe() instad of strcmp()
---

diff --git a/src/lib-auth/password-scheme-crypt.c b/src/lib-auth/password-scheme-crypt.c
index e1de1c5047..d418b194c7 100644
--- a/src/lib-auth/password-scheme-crypt.c
+++ b/src/lib-auth/password-scheme-crypt.c
@@ -130,7 +130,7 @@ crypt_verify_blowfish(const char *plaintext, const struct password_generate_para
 		return -1;
 	}
 
-	return strcmp(crypted, password) == 0 ? 1 : 0;
+	return str_equals_timing_almost_safe(crypted, password) ? 1 : 0;
 }
 
 static void