adamwill / 389-ds-base

Forked from 389-ds-base 4 years ago

3d22753 Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack

1 file. Authored by William Brown 7 years ago, committed by mreynolds 7 years ago.
    Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
    
    Bug Description:  Clear and unsalted password types were vulnerable to a timing
    attack. This is due to the use of memcmp and strcmp in their comparison.
    
    Fix Description:  Add a constant time memcmp function, that does not short-circuit.
    Change all password comparison to use the constant time check. For the clear
    scheme, alter the way we do the check to prevent length disclosure timing
    attacks.
    
    This resolves CVE-2016-5405
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1358565
    
    https://access.redhat.com/security/cve/CVE-2016-5405
    
    Author: wibrown
    
    Review by: nhosoi (Thanks!)
    
    (cherry picked from commit 9dcaa4a0c866d8696e0a2616ccf962af2833f0b8)
    (cherry picked from commit 762219a35005914c6c088d915ac9346ce7e28512)
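The following C program is an added illustration of the two ideas in the commit message above; it is not the project's code and not the patch itself. It puts a strcmp-style early-exit comparison (the pre-fix behaviour) beside a memcmp that visits every byte, and beside a cleartext-scheme comparison whose work depends only on the stored password's length, so a wrong-length or wrong-prefix candidate costs the same as a correct one. The function names (naive_pw_cmp, ct_memcmp, clear_pw_cmp_ct), the byte-visit counter used as a stand-in for elapsed time, and the sample strings are assumptions for this example; 389-ds-base's own function names and exact approach may differ.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Counter of bytes each comparison looks at: a stand-in for elapsed time,
 * so the leak (or its absence) can be observed without a stopwatch.
 * (Illustrative instrumentation, not something a real server would carry.) */
static size_t g_bytes_visited = 0;
void reset_bytes_visited(void) { g_bytes_visited = 0; }
size_t bytes_visited(void) { return g_bytes_visited; }

/* The pre-fix behaviour: a strcmp-style loop that stops at the first
 * differing byte. The number of bytes visited equals the length of the
 * matching prefix, which is exactly what a timing attack measures. */
int naive_pw_cmp(const char *candidate, const char *stored)
{
    for (size_t i = 0;; i++) {
        g_bytes_visited++;
        if (candidate[i] != stored[i])
            return 1;           /* early exit: leaks how far we got */
        if (candidate[i] == '\0')
            return 0;           /* both strings ended together */
    }
}

/* Constant-time memcmp: always visits all n bytes and never returns early.
 * Differences are OR-ed into an accumulator; volatile discourages the
 * compiler from rewriting the loop with an early exit.
 * Returns 0 when equal, 1 otherwise (not the ordering libc memcmp gives). */
int ct_memcmp(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = a;
    const volatile unsigned char *pb = b;
    volatile unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        g_bytes_visited++;
        acc |= pa[i] ^ pb[i];
    }
    return acc != 0;
}

/* Clear-scheme comparison whose work depends only on the stored password's
 * length, not on the candidate's length or on where the first mismatch is.
 * A length mismatch is folded into the result instead of being returned
 * early, and the candidate index wraps so every read stays in bounds.
 * The wrap branch depends only on clen, which the caller supplied, so it
 * reveals nothing about the stored value. */
int clear_pw_cmp_ct(const char *candidate, const char *stored)
{
    size_t clen = strlen(candidate);
    size_t slen = strlen(stored);
    const volatile unsigned char *c = (const volatile unsigned char *)candidate;
    const volatile unsigned char *s = (const volatile unsigned char *)stored;
    volatile unsigned char acc = (unsigned char)(clen != slen);
    size_t j = 0;                        /* wrapping index into candidate */
    for (size_t i = 0; i < slen; i++) {
        g_bytes_visited++;
        acc |= c[j] ^ s[i];
        j = (j + 1 < clen) ? j + 1 : 0;  /* empty candidate keeps reading c[0] == '\0' */
    }
    return acc != 0;
}

int main(void)
{
    const char *stored = "secret";       /* constructed sample, not a real credential */
    const char *tries[] = { "a", "sec", "secret", "secretsecretsecret" };
    for (size_t t = 0; t < 4; t++) {
        reset_bytes_visited();
        int r1 = naive_pw_cmp(tries[t], stored);
        size_t n1 = bytes_visited();
        reset_bytes_visited();
        int r2 = clear_pw_cmp_ct(tries[t], stored);
        size_t n2 = bytes_visited();
        printf("%-20s naive: mismatch=%d bytes=%zu | ct: mismatch=%d bytes=%zu\n",
               tries[t], r1, n1, r2, n2);
    }
    return 0;
}
```

For the naive loop the visited-byte count grows with the length of the matching prefix, which is the signal a remote attacker recovers by timing bind attempts; for the constant-time version it is always the stored length, whatever the candidate. For hashed schemes the stored and recomputed digests already have a fixed length, so ct_memcmp over that length is enough; the wrapping-index trick is only needed where a variable-length secret is compared directly. A byte counter is only a proxy: compiler optimisation, cache effects and the strlen on the stored value still deserve inspection in a real server.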