Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Bug Description: Clear and unsalted password types were vulnerable to a timing
attack. This is due to the use of memcmp and strcmp in their comparison.
Fix Description: Add a constant time memcmp function that does not short-circuit.
Change all password comparison to use the constant time check. For the clear
scheme, alter the way we do the check to prevent length disclosure timing
attacks.
This resolves CVE-2016-5405
https://bugzilla.redhat.com/show_bug.cgi?id=1358565
https://access.redhat.com/security/cve/CVE-2016-5405
Author: wibrown
Review by: nhosoi (Thanks!)
(cherry picked from commit 9dcaa4a0c866d8696e0a2616ccf962af2833f0b8)
(cherry picked from commit f0e03b5a51972a125fe78f448d1f68e288782d1e)
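
The kind of comparison the fix description refers to, as an added example that is not the code from this commit or from the project. The names ct_memcmp and clear_pw_cmp_ct, the explicit length parameters and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not the project's function. ORs together the XOR of
 * every byte pair, so the loop never exits early on the first mismatch the
 * way memcmp/strcmp may. Returns 0 if the n bytes are equal, 1 otherwise. */
static int ct_memcmp(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = a;
    const volatile unsigned char *pb = b;
    unsigned char diff = 0;

    for (size_t i = 0; i < n; i++) {
        diff |= (unsigned char)(pa[i] ^ pb[i]);
    }
    return diff != 0;
}

/* Hypothetical clear-scheme check. The amount of work always follows the
 * length of the supplied guess (which the caller already knows), never the
 * length of the stored password. Returns 0 on match, 1 on mismatch. */
static int clear_pw_cmp_ct(const char *supplied, size_t supplied_len,
                           const char *stored, size_t stored_len)
{
    int result = (supplied_len != stored_len);

    if (stored_len >= supplied_len) {
        /* Safe to read supplied_len bytes of the stored value. */
        result |= ct_memcmp(supplied, stored, supplied_len);
    } else {
        /* Stored value is shorter: do the same amount of work against the
         * guess itself so a short stored password is not faster to reject. */
        result |= ct_memcmp(supplied, supplied, supplied_len);
    }
    return result;
}

int main(void)
{
    /* Constructed sample values. */
    const char stored[] = "correct horse";
    printf("%d\n", clear_pw_cmp_ct("correct horse", 13, stored, 13));
    printf("%d\n", clear_pw_cmp_ct("correct hors", 12, stored, 13));
    printf("%d\n", clear_pw_cmp_ct("correct horse!", 14, stored, 13));
    return 0;
}
```

A guess that is a correct prefix of the stored value still fails because the length mismatch is folded into the result instead of being used as an early return.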