From 9d5d61f08f6d35bc9447536f91e728a834732fdc Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Wed, 4 Mar 2026 08:05:13 +0200
Subject: [PATCH] [PATCH 16/24] doveadm: client-connection - Use timing safe credential check
Gbp-Pq: Name CVE-2026-27856-1.patch
---
 src/doveadm/client-connection-http.c | 7 +++++--
 src/doveadm/client-connection-tcp.c | 4 +---
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/doveadm/client-connection-http.c b/src/doveadm/client-connection-http.c
index 81ae9f5..f760548 100644
--- a/src/doveadm/client-connection-http.c
+++ b/src/doveadm/client-connection-http.c
@@ -973,7 +973,9 @@ doveadm_http_server_auth_basic(struct client_request_http *req,
 value = p_strdup_printf(conn->conn.pool, "doveadm:%s", set->doveadm_password);
 base64_encode(value, strlen(value), b64_value);
- if (creds->data != NULL && strcmp(creds->data, str_c(b64_value)) == 0)
+
+ if (creds->data != NULL &&
+ str_equals_timing_almost_safe(value, creds->data))
 return TRUE;
 
 e_error(conn->conn.event,
@@ -1000,7 +1002,8 @@ doveadm_http_server_auth_api_key(struct client_request_http *req,
 b64_value = str_new(conn->conn.pool, 32);
 base64_encode(set->doveadm_api_key, strlen(set->doveadm_api_key), b64_value);
- if (creds->data != NULL && strcmp(creds->data, str_c(b64_value)) == 0)
+ if (creds->data != NULL &&
+ str_equals_timing_almost_safe(creds->data, str_c(b64_value)))
 return TRUE;
 
 e_error(conn->conn.event,
diff --git a/src/doveadm/client-connection-tcp.c b/src/doveadm/client-connection-tcp.c
index 9299596..a6c39b9 100644
--- a/src/doveadm/client-connection-tcp.c
+++ b/src/doveadm/client-connection-tcp.c
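Review bot: In the `doveadm_http_server_auth_basic` hunk the new comparison's first argument is `value`, the raw `"doveadm:%s"` string, while the removed line and the `doveadm_http_server_auth_api_key` hunk below both compare `creds->data` against the base64 form `str_c(b64_value)`; `b64_value` is still filled on the line above but is no longer read. Unless `creds->data` has already been base64-decoded by the caller (not visible here), a correct Basic credential would no longer match and the request would fall through to the error path, so this hunk changes behaviour rather than only the comparison primitive. The line should mirror the api-key hunk, `str_equals_timing_almost_safe(creds->data, str_c(b64_value)))`, and the added empty `+` line before the `if` looks unintentional. `doveadm_http_server_auth_basic` begins and ends outside the hunk.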
@@ -400,9 +400,7 @@ client_connection_tcp_authenticate(struct client_connection_tcp *conn)
 return -1;
 }
 pass = t_strndup(data + 9, size - 9);
- if (strlen(pass) != strlen(set->doveadm_password) ||
- !mem_equals_timing_safe(pass, set->doveadm_password,
- strlen(pass))) {
+ if (!str_equals_timing_almost_safe(pass, set->doveadm_password)) {
 e_error(conn->conn.event,
 "doveadm client authenticated with wrong password");
 return -1;
-- 
2.30.2
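Review bot: The new condition on the `+` line calls a helper whose name says it is only "almost" timing safe, but nothing at the call site records which residual timing difference is accepted (presumably one tied to the password length, which the removed `strlen` comparison also exposed by short-circuiting). A short comment above the `if`, e.g. `/* "almost": timing may still reveal the password length; accepted for doveadm_password */`, adjusted to the helper's actual contract, would keep a later reader from "fixing" it back to a manual length check. `client_connection_tcp_authenticate` starts and ends outside the hunk.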