Make RPC password resistant to timing attacks

Fixes issue#2838; this is a tweaked version of pull#2845 that should not leak the length of the password and is more generic, in case we run into other situations where we need timing-attack-resistant comparisons.
author: Gavin Andresen <gavinandresen@gmail.com> 2013-08-08 19:58:57 +1000
committer: Gavin Andresen <gavinandresen@gmail.com> 2013-08-20 12:19:40 +1000
commit: cdb3441b5cd2c1bae49fae671dc4a496f7c96322 (patch)
tree: 920b43f3e70c3801375c10ab728070a8eaaa320e /src/bitcoinrpc.cpp
parent: 38863afbcc6ddb8a247210ac1d7c5d9717265339 (diff)
download: bitcoin-cdb3441b5cd2c1bae49fae671dc4a496f7c96322.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/bitcoinrpc.cpp b/src/bitcoinrpc.cpp
index 2c4744a579..31452fa1e7 100644
--- a/src/bitcoinrpc.cpp
+++ b/src/bitcoinrpc.cpp
@@ -479,7 +479,7 @@ bool HTTPAuthorized(map<string, string>& mapHeaders)
         return false;
     string strUserPass64 = strAuth.substr(6); boost::trim(strUserPass64);
     string strUserPass = DecodeBase64(strUserPass64);
-    return strUserPass == strRPCUserColonPass;
+    return TimingResistantEqual(strUserPass, strRPCUserColonPass);
 }
 
 //
author	Gavin Andresen <gavinandresen@gmail.com>	2013-08-08 19:58:57 +1000
committer	Gavin Andresen <gavinandresen@gmail.com>	2013-08-20 12:19:40 +1000
commit	cdb3441b5cd2c1bae49fae671dc4a496f7c96322 (patch)
tree	920b43f3e70c3801375c10ab728070a8eaaa320e /src/bitcoinrpc.cpp
parent	38863afbcc6ddb8a247210ac1d7c5d9717265339 (diff)
download	bitcoin-cdb3441b5cd2c1bae49fae671dc4a496f7c96322.tar.xz