Mercurial > dovecot > core-2.2
changeset 21953:ec6539bd0690
doveadm: Make doveadm_password safe against timing attacks.
| author | Timo Sirainen <timo.sirainen@dovecot.fi> |
|---|---|
| date | Sun, 09 Apr 2017 15:19:25 +0300 |
| parents | e19e015f7449 |
| children | 1c952a42bf12 |
| files | src/doveadm/client-connection.c |
| diffstat | 1 files changed, 3 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/src/doveadm/client-connection.c Sun Apr 09 00:50:15 2017 +0300 +++ b/src/doveadm/client-connection.c Sun Apr 09 15:19:25 2017 +0300 @@ -365,7 +365,9 @@ return -1; } pass = t_strndup(data + 9, size - 9); - if (strcmp(pass, conn->set->doveadm_password) != 0) { + if (strlen(pass) != strlen(conn->set->doveadm_password) || + !mem_equals_timing_safe(pass, conn->set->doveadm_password, + strlen(pass))) { i_error("doveadm client authenticated with wrong password"); return -1; }