Howard mentioned in another wrongly submitted issue (#9139) that
"memcmp.c isn't even referenced in the Makefile, so none of this code
is used." Here is the clarification: even if memcmp.c is not used, gcc
or other compilers' implementations of memcmp are still unsafe.

Even so, it's largely irrelevant. The default password storage scheme is a
salted hash, not CLEARTEXT. The cleartext code isn't even compiled unless
you explicitly configure to enable SLAPD_CLEARTEXT, and that is always
disabled by default.

In the normal case, where any form of hash is used, the likelihood of gaining
any useful timing information from a bytewise compare of two hashes is nil.
The attacker would need to know the salt and the hash algo itself would have
to be vulnerable to chosen-plaintext attacks for them to be able to leverage
the timing and determine match lengths.

Can you actually demonstrate a password extraction attack using memcmp timing
side-channel against salted SHA1?

-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
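
An added illustration of the cleartext-versus-salted-hash distinction discussed in the message above (not part of the original thread and not OpenLDAP code): it computes where an early-exit bytewise compare stops for guesses that share a growing prefix with the secret, once against the cleartext and once against salted SHA-1 digests. The function names, the sample secret and salt, and the `SHA1(password || salt)` construction are assumptions made for the example.

```python
import hashlib

def first_mismatch(a: bytes, b: bytes) -> int:
    """Index at which an early-exit bytewise compare (memcmp-style) stops."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))

def salted_sha1(password: bytes, salt: bytes) -> bytes:
    # Assumption: SHA1(password || salt), the construction used by {SSHA}.
    return hashlib.sha1(password + salt).digest()

def leak_profile(secret: bytes, salt: bytes):
    """For guesses sharing 0..n-1 leading bytes with the secret, return
    (cleartext stop indices, salted-hash stop indices)."""
    stored = salted_sha1(secret, salt)
    clear, hashed = [], []
    for k in range(len(secret)):
        # Constructed guess: first k bytes correct, remainder NUL bytes.
        guess = secret[:k] + b"\x00" * (len(secret) - k)
        clear.append(first_mismatch(guess, secret))
        hashed.append(first_mismatch(salted_sha1(guess, salt), stored))
    return clear, hashed

# Constructed sample values, not taken from any real system.
SECRET = b"correct-horse"
SALT = bytes.fromhex("a1b2c3d4")

if __name__ == "__main__":
    clear, hashed = leak_profile(SECRET, SALT)
    for k, (c, h) in enumerate(zip(clear, hashed)):
        print(f"correct prefix {k:2d}: cleartext stops at {c:2d}, "
              f"hash stops at {h}")
```

The stop index stands in for what timing could reveal; it is not a timing measurement. In the cleartext column it tracks the correct prefix length exactly, while in the hash column it stays near zero regardless of how much of the guess is right.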