s...@ieee.org wrote:
> Howard mentioned in another wrongly submitted issue (#9139) that
> "memcmp.c isn't even referenced in the Makefile, so none of this code
> is used." Here is the clarification, even if memcmp.c is not used, gcc
> or other compilers' implementations of memcmp are still unsafe
> (https://github.com/gcc-mirror/gcc/blob/master/libiberty/memcmp.c).
>

Even so, it's largely irrelevant. The default password storage scheme is a salted hash, not CLEARTEXT. The cleartext code isn't even compiled unless you explicitly configure to enable SLAPD_CLEARTEXT, and that is always disabled by default.

In the normal case, where any form of hash is used, the likelihood of gaining any useful timing information from a bytewise compare of two hashes is nil. The attacker would need to know the salt and the hash algo itself would have to be vulnerable to chosen-plaintext attacks for them to be able to leverage the timing and determine match lengths.

Can you actually demonstrate a password extraction attack using memcmp timing side-channel against salted SHA1?

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
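Added example, not part of the original message and not OpenLDAP code: a Python model of the difference discussed above between an early-exit bytewise compare over cleartext and the same compare over salted SHA-1 digests. The function names, the sample secret and salt, the SHA1(password || salt) construction, and the use of a compared-byte count as a stand-in for timing are all assumptions made for illustration.

```python
import hashlib

def bytes_compared(a: bytes, b: bytes) -> int:
    """Bytes an early-exit, bytewise compare inspects before it returns.
    Used here as a stand-in for what a timing measurement could reveal."""
    n = 0
    for x, y in zip(a, b):
        n += 1
        if x != y:
            break
    return n

def salted_sha1(password: bytes, salt: bytes) -> bytes:
    """SHA1(password || salt), assumed here as the salted-hash scheme."""
    return hashlib.sha1(password + salt).digest()

def profile(secret: bytes, salt: bytes, filler: bytes = b"#"):
    """Compare guesses that share k = 0..len(secret) leading bytes with secret.
    Returns (cleartext_counts, hashed_counts), one entry per k."""
    stored = salted_sha1(secret, salt)
    clear, hashed = [], []
    for k in range(len(secret) + 1):
        # Guess agrees with the secret on its first k bytes only.
        guess = secret[:k] + filler * (len(secret) - k)
        clear.append(bytes_compared(secret, guess))
        hashed.append(bytes_compared(stored, salted_sha1(guess, salt)))
    return clear, hashed

# Constructed sample values, not taken from the thread.
SECRET = b"hunter2!"
SALT = bytes.fromhex("a1b2c3d4")

if __name__ == "__main__":
    clear, hashed = profile(SECRET, SALT)
    print("shared prefix :", list(range(len(SECRET) + 1)))
    print("cleartext cmp :", clear)   # grows with the shared prefix
    print("salted SHA-1  :", hashed)  # unrelated to it until the full match
```

In the cleartext column the count tracks the shared prefix length; in the digest column it does not, because a guess that is one byte closer to the password produces an unrelated digest.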