From 30173d9270e145dad2386b7ad0b4266fb41f5539 Mon Sep 17 00:00:00 2001 From: Jonathan Davies Date: Fri, 10 Apr 2026 12:24:45 +0000 Subject: [PATCH] Use constant-time comparison in SCRAM client proof verification --- src/xmpp_sasl_scram.erl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/xmpp_sasl_scram.erl b/src/xmpp_sasl_scram.erl index bee8c89..c611793 100644 --- a/src/xmpp_sasl_scram.erl +++ b/src/xmpp_sasl_scram.erl @@ -235,8 +235,8 @@ mech_step(#state{step = 4, algo = Algo} = State, ClientIn) -> ClientKey = scram:client_key_xor(ClientProof, ClientSignature), CompareStoredKey = scram:stored_key(Algo, ClientKey), - if - CompareStoredKey == State#state.stored_key -> + case crypto:hash_equals(CompareStoredKey, State#state.stored_key) of + true -> ServerSignature = scram:server_signature(Algo, State#state.server_key, @@ -245,7 +245,7 @@ mech_step(#state{step = 4, algo = Algo} = State, ClientIn) -> {auth_module, State#state.auth_module}, {authzid, State#state.username}], <<"v=", (base64:encode(ServerSignature))/binary>>}; - true -> + false -> {error, not_authorized, State#state.username} end end;
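Review bot: `crypto:hash_equals/2` raises `badarg` when its two binaries differ in size, so in the new `case` head a `State#state.stored_key` whose length does not match the `Algo` digest would crash this clause instead of returning `{error, not_authorized, State#state.username}` as the old `==` comparison did. Where `stored_key` is loaded lies outside the hunk, so equal length may already be guaranteed; if it is not, guard the call: `case byte_size(CompareStoredKey) =:= byte_size(State#state.stored_key) andalso crypto:hash_equals(CompareStoredKey, State#state.stored_key) of`. The length check does not weaken the constant-time property, because the digest length is public. `crypto:hash_equals/2` is also only available from OTP 25, so a fallback is needed if the library still builds on older releases. `mech_step/2` begins and ends outside both hunks.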