Make RPC password resistant to timing attacks

Fixes issue#2838; this is a tweaked version of pull#2845 that should not leak the length of the password and is more generic, in case we run into other situations where we need timing-attack-resistant comparisons.
author: Gavin Andresen <gavinandresen@gmail.com> 2013-08-08 19:58:57 +1000
committer: Gavin Andresen <gavinandresen@gmail.com> 2013-08-08 19:58:57 +1000
commit: 42656ea2e552b027e174fdceab7348ffcb8245c4 (patch)
tree: 8bf5b945afc2d198727ce1cd94cc3766b4ce0d93 /src/bitcoinrpc.cpp
parent: 6cc766fa55c0d74916d615c69689e9e798bf0aba (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/bitcoinrpc.cpp b/src/bitcoinrpc.cpp
index 7a3e6560ab..dfce9789a5 100644
--- a/src/bitcoinrpc.cpp
+++ b/src/bitcoinrpc.cpp
@@ -476,7 +476,7 @@ bool HTTPAuthorized(map<string, string>& mapHeaders)
         return false;
     string strUserPass64 = strAuth.substr(6); boost::trim(strUserPass64);
     string strUserPass = DecodeBase64(strUserPass64);
-    return strUserPass == strRPCUserColonPass;
+    return TimingResistantEqual(strUserPass, strRPCUserColonPass);
 }
 
 //
author	Gavin Andresen <gavinandresen@gmail.com>	2013-08-08 19:58:57 +1000
committer	Gavin Andresen <gavinandresen@gmail.com>	2013-08-08 19:58:57 +1000
commit	42656ea2e552b027e174fdceab7348ffcb8245c4 (patch)
tree	8bf5b945afc2d198727ce1cd94cc3766b4ce0d93 /src/bitcoinrpc.cpp
parent	6cc766fa55c0d74916d615c69689e9e798bf0aba (diff)