--- rt-authen-externalauth-0.10.orig/lib/RT/Authen/ExternalAuth.pm
+++ rt-authen-externalauth-0.10/lib/RT/Authen/ExternalAuth.pm
@@ -133,6 +133,7 @@ root.
 
 use RT::Authen::ExternalAuth::LDAP;
 use RT::Authen::ExternalAuth::DBI;
+use Encode qw/encode/;
 
 use strict;
 
@@ -669,4 +670,37 @@ sub CanonicalizeUserInfo {
     };
 }
 
+=head2 C<constant_time_eq($a, $b)>
+
+Taken verbatim from RT 4.4's RT::Util.
+
+=cut
+
+sub constant_time_eq {
+    my ($a, $b) = @_;
+
+    my $result = 0;
+
+    # generic error message avoids potential information leaks
+    my $generic_error = "Cannot compare values";
+    die $generic_error unless defined $a and defined $b;
+    die $generic_error unless length $a == length $b;
+    die $generic_error if ref($a) or ref($b);
+
+    for (my $i = 0; $i < length($a); $i++) {
+        my $a_char = substr($a, $i, 1);
+        my $b_char = substr($b, $i, 1);
+
+        # encode() is set to die on malformed
+        my @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
+        my @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
+        die $generic_error if (scalar @a_octets) != (scalar @b_octets);
+
+        for (my $j = 0; $j < scalar @a_octets; $j++) {
+            $result |= $a_octets[$j] ^ $b_octets[$j];
+        }
+    }
+    return 0 + not $result;
+}
+
 1;
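Review bot: constant_time_eq dies with "Cannot compare values" on an undef argument, a reference, or a length mismatch, and the new call sites in DBI.pm (the two GetAuth hunks at lines 77 and 85) never trap that, so a row whose stored hash is NULL or a different length from the freshly computed one now aborts the request with an exception where the old `ne` test logged "AUTH FAILED" and returned 0. Wrap the call at both sites, `my $matched = eval { RT::Authen::ExternalAuth::constant_time_eq($computed, $pass_from_db) };` and test `unless ($matched)`, so a comparison failure stays an authentication failure rather than a server error. The early `die` before the byte loop also means unequal-length inputs return on a different path than equal-length ones; that is acceptable for fixed-width digests but belongs in the POD, e.g. `Dies rather than returning false when either value is undef, a reference, or the lengths differ; callers should trap this with eval.` Since the body is a verbatim copy of RT 4.4's RT::Util, the POD note is the safer place for this than changing the sub.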
--- rt-authen-externalauth-0.10.orig/lib/RT/Authen/ExternalAuth/DBI.pm
+++ rt-authen-externalauth-0.10/lib/RT/Authen/ExternalAuth/DBI.pm
@@ -77,7 +77,7 @@ sub GetAuth {
         # Jump to the next external authentication service if they don't match
         if(defined($db_p_salt)) {
             $RT::Logger->debug("Using salt:",$db_p_salt);
-            if(${encrypt}->($password,$db_p_salt) ne $pass_from_db){
+            unless (RT::Authen::ExternalAuth::constant_time_eq(${encrypt}->($password,$db_p_salt), $pass_from_db)) {
                 $RT::Logger->info(  $service,
                                     "AUTH FAILED", 
                                     $username, 
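Review bot: The rewritten `unless` line nests the encrypt call inside the fully qualified constant_time_eq call and runs well past 100 columns, which hides the two operands being compared. Computing `my $hashed = ${encrypt}->($password, $db_p_salt);` on its own line and testing `unless (RT::Authen::ExternalAuth::constant_time_eq($hashed, $pass_from_db)) {` reads more easily and leaves an obvious place to add error handling around the comparison. The unsalted branch in the next hunk would take the same shape.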
@@ -85,7 +85,7 @@ sub GetAuth {
                 return 0;
             }
         } else {
-            if(${encrypt}->($password) ne $pass_from_db){
+            unless (RT::Authen::ExternalAuth::constant_time_eq(${encrypt}->($password), $pass_from_db)) {
                 $RT::Logger->info(  $service,
                                     "AUTH FAILED", 
                                     $username, 
