From: Aki Tuomi Date: Wed, 4 Mar 2026 06:05:13 +0000 (+0200) Subject: doveadm: client-connection - Use timing safe credential check X-Git-Tag: 2.4.3~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1864d4890499bc2b29fa1b62fe04073dd2bf0c57;p=thirdparty%2Fdovecot%2Fcore.git doveadm: client-connection - Use timing safe credential check
---
diff --git a/src/doveadm/client-connection-http.c b/src/doveadm/client-connection-http.c
index 81ae9f51da..f760548653 100644
--- a/src/doveadm/client-connection-http.c
+++ b/src/doveadm/client-connection-http.c
@@ -973,7 +973,9 @@ doveadm_http_server_auth_basic(struct client_request_http *req,
 value = p_strdup_printf(conn->conn.pool, "doveadm:%s",
 set->doveadm_password);
 base64_encode(value, strlen(value), b64_value);
- if (creds->data != NULL && strcmp(creds->data, str_c(b64_value)) == 0)
+
+ if (creds->data != NULL &&
+ str_equals_timing_almost_safe(value, creds->data))
 return TRUE;
 
 e_error(conn->conn.event,
@@ -1000,7 +1002,8 @@ doveadm_http_server_auth_api_key(struct client_request_http *req,
 b64_value = str_new(conn->conn.pool, 32);
 base64_encode(set->doveadm_api_key, strlen(set->doveadm_api_key),
 b64_value);
- if (creds->data != NULL && strcmp(creds->data, str_c(b64_value)) == 0)
+ if (creds->data != NULL &&
+ str_equals_timing_almost_safe(creds->data, str_c(b64_value)))
 return TRUE;
 
 e_error(conn->conn.event,
diff --git a/src/doveadm/client-connection-tcp.c b/src/doveadm/client-connection-tcp.c
index 936bb03f01..cb16f7214b 100644
--- a/src/doveadm/client-connection-tcp.c
+++ b/src/doveadm/client-connection-tcp.c
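Review bot: The new comparison in doveadm_http_server_auth_basic checks `value`, the raw `doveadm:<password>` string, against `creds->data`, whereas the removed line and the api_key hunk below compare `creds->data` against the base64 form `str_c(b64_value)`; `b64_value` is still filled by `base64_encode` on the line above but is no longer read. Unless `creds->data` has already been base64-decoded before this point, which nothing in the hunk shows, Basic authentication can no longer succeed after this change. The added line should read `str_equals_timing_almost_safe(creds->data, str_c(b64_value))`, matching the second hunk's argument order as well. The enclosing function starts and ends outside the hunk.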
@@ -400,9 +400,7 @@ client_connection_tcp_authenticate(struct client_connection_tcp *conn)
 return -1;
 }
 pass = t_strndup(data + 9, size - 9);
- if (strlen(pass) != strlen(set->doveadm_password) ||
- !mem_equals_timing_safe(pass, set->doveadm_password,
- strlen(pass))) {
+ if (!str_equals_timing_almost_safe(pass, set->doveadm_password)) {
 e_error(conn->conn.event,
 "doveadm client authenticated with wrong password");
 return -1;
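Review bot: The replacement drops the explicit `strlen(pass) != strlen(set->doveadm_password)` short-circuit and leaves length handling to `str_equals_timing_almost_safe`; the "almost" in its name suggests a length mismatch still returns early, so the configured password's length stays observable through timing much as it was with the removed code. That is a reasonable trade-off but is worth stating at the call site so the next reader does not assume full constant-time behaviour, e.g. `/* constant-time over the compared bytes; only a length mismatch may be observable */`. The `size - 9` passed to `t_strndup` relies on a bounds check that precedes the hunk, and client_connection_tcp_authenticate starts and ends outside it.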