changeset 21953:ec6539bd0690

doveadm: Make doveadm_password safe against timing attacks.
author Timo Sirainen <timo.sirainen@dovecot.fi>
date Sun, 09 Apr 2017 15:19:25 +0300
parents e19e015f7449
children 1c952a42bf12
files src/doveadm/client-connection.c
diffstat 1 files changed, 3 insertions(+), 1 deletions(-) [+]
--- a/src/doveadm/client-connection.c	Sun Apr 09 00:50:15 2017 +0300
+++ b/src/doveadm/client-connection.c	Sun Apr 09 15:19:25 2017 +0300
@@ -365,7 +365,9 @@
 		return -1;
 	}
 	pass = t_strndup(data + 9, size - 9);
-	if (strcmp(pass, conn->set->doveadm_password) != 0) {
+	if (strlen(pass) != strlen(conn->set->doveadm_password) ||
+	    !mem_equals_timing_safe(pass, conn->set->doveadm_password,
+				    strlen(pass))) {
 		i_error("doveadm client authenticated with wrong password");
 		return -1;
 	}
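Review bot: The length check added on the first new line short-circuits before mem_equals_timing_safe() runs, so a client presenting a password of the wrong length is still rejected measurably faster than one of the right length, and the configured doveadm_password's length remains observable through timing; only the content comparison is constant-time. If leaking the length is an accepted trade-off, a one-line comment such as `/* length is not hidden; only the byte compare is timing-safe */` above the condition would record that, otherwise comparing fixed-size digests of both strings with mem_equals_timing_safe() would remove the length dependency entirely. As a point of style, `strlen(pass)` is evaluated twice in the same condition and could be hoisted into a `size_t` local. The enclosing function begins and ends outside this hunk.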