From ed48971390378b2eb8a31cc91dcf02e2b0af7964 Mon Sep 17 00:00:00 2001
From: Stephan Bosch
Date: Wed, 8 Nov 2023 14:43:43 +0100
Subject: [PATCH] lib-auth: auth-scram-server - Always use str_equals_timing_almost_safe() instead of strcmp()

---
 src/lib-auth/auth-scram-server.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lib-auth/auth-scram-server.c b/src/lib-auth/auth-scram-server.c
index 7f6b90f6a5..db43693c75 100644
--- a/src/lib-auth/auth-scram-server.c
+++ b/src/lib-auth/auth-scram-server.c
@@ -373,7 +373,7 @@ auth_scram_parse_client_final(struct auth_scram_server *server,
 	str_append(str, "c=");
 	base64_encode(cbind_input, strlen(cbind_input), str);
-	if (strcmp(fields[0], str_c(str)) != 0) {
+	if (!str_equals_timing_almost_safe(fields[0], str_c(str))) {
 		*error_r = "Invalid channel binding data";
 		return -1;
 	}
@@ -384,7 +384,7 @@ auth_scram_parse_client_final(struct auth_scram_server *server,
 	   s-nonce = printable */
 	nonce_str = t_strconcat("r=", server->cnonce, server->snonce, NULL);
-	if (strcmp(fields[1], nonce_str) != 0) {
+	if (!str_equals_timing_almost_safe(fields[1], nonce_str)) {
 		*error_r = "Wrong nonce";
 		return -1;
 	}
-- 
2.47.3
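Review bot: Neither comparison changed here involves data the client does not already hold — `fields[0]` is the channel-binding string the client itself sent in its final message, and `nonce_str` echoes the client nonce plus the server nonce that the server handed to the client earlier in the exchange — so the switch to str_equals_timing_almost_safe() in both hunks is defensive consistency rather than a fix for an observable timing leak, and a one-line comment at the first call site would save the next reader from hunting for one, e.g. `/* Timing-safe compare for consistency only; the client already knows both values. */`. The same note applies to the nonce check in the second hunk. The comparison that does depend on a secret — the client proof against the stored key — lies outside both hunks; presumably it already uses a constant-time memcmp, and the commit message could say so. Going by its name, str_equals_timing_almost_safe() still exposes a length mismatch early; that is acceptable here only because the expected lengths (a base64 string of fixed input size and a nonce pair) are not secret, which the comment should also state. Both hunks sit inside auth_scram_parse_client_final(), whose body begins before the first hunk and continues past the second, and the comment ending in `s-nonce = printable */` starts above the second hunk.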