doveadm: Make doveadm_password safe against timing attacks.

dovecot · Apr 12, 2017 · fb7a68e · fb7a68e
1 parent 4e11e0a
commit fb7a68e
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/doveadm/client-connection.c b/src/doveadm/client-connection.c
@@ -365,7 +365,9 @@ client_connection_authenticate(struct client_connection *conn)
 		return -1;
 	}
 	pass = t_strndup(data + 9, size - 9);
-	if (strcmp(pass, conn->set->doveadm_password) != 0) {
+	if (strlen(pass) != strlen(conn->set->doveadm_password) ||
+	    !mem_equals_timing_safe(pass, conn->set->doveadm_password,
+				    strlen(pass))) {
 		i_error("doveadm client authenticated with wrong password");
 		return -1;
 	}