98d128d Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack

9 files. Authored by William Brown 7 years ago; committed by nhosoi 7 years ago.
    Ticket bz1358565 -  clear and unsalted password types are vulnerable to timing attack
    
    Bug Description:  Clear and unsalted password types were vulnerable to a timing
    attack. This is due to the use of memcmp and strcmp in their comparison.
    
    Fix Description:  Add a constant-time memcmp function that does not short-circuit.
    Change all password comparisons to use the constant time check. For the clear
    scheme, alter the way we do the check to prevent length disclosure timing
    attacks.
    
    This resolves CVE-2016-5405
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1358565
    
    https://access.redhat.com/security/cve/CVE-2016-5405
    
    Author: wibrown
    
    Review by: nhosoi (Thanks!)
    
    (cherry picked from commit 9dcaa4a0c866d8696e0a2616ccf962af2833f0b8)
    (cherry picked from commit f0e03b5a51972a125fe78f448d1f68e288782d1e)
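
The two ideas in the fix description (a comparison with no early exit, and a clear-text check whose loop bound does not follow the stored password's length) can be sketched as follows. This is an added example, not the code from this commit; the names `ct_memcmp` and `clear_pw_equal` and the sample values are hypothetical.

```c
#include <stddef.h>

/* Hypothetical helper: 0 if the n bytes match, 1 otherwise.
 * Every byte is visited; there is no early exit on the first mismatch. */
int ct_memcmp(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = a;
    const volatile unsigned char *pb = b;
    unsigned char diff = 0;

    for (size_t i = 0; i < n; i++)
        diff |= pa[i] ^ pb[i];          /* accumulate differences */
    return diff != 0;
}

/* Hypothetical check for a clear-text scheme: 1 if equal, 0 otherwise.
 * The loop runs once per supplied byte, so the iteration count follows
 * the value the client already knows, not the stored password length. */
int clear_pw_equal(const void *supplied, size_t slen,
                   const void *stored, size_t dlen)
{
    static const unsigned char pad = 0;  /* stand-in for an empty stored value */
    const volatile unsigned char *s = supplied;
    const volatile unsigned char *r = dlen ? stored : &pad;
    size_t rlen = dlen ? dlen : 1;
    unsigned char diff = 0;

    for (size_t i = 0; i < slen; i++) {
        size_t j = i < rlen ? i : rlen - 1;  /* clamp, never read past stored */
        diff |= s[i] ^ r[j];
    }
    diff |= (unsigned char)(slen != dlen);   /* length mismatch folded in last */
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the page. */
    int ok = clear_pw_equal("secret", 6, "secret", 6) == 1
          && clear_pw_equal("secre", 5, "secret", 6) == 0
          && clear_pw_equal("secretX", 7, "secret", 6) == 0
          && ct_memcmp("abc", "abd", 3) == 1;
    return ok ? 0 : 1;
}
```

The `volatile` qualifiers discourage the compiler from reintroducing an early exit; checking the generated assembly is still the only way to confirm the property for a given build.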