diff options
author | Gavin Andresen <gavinandresen@gmail.com> | 2013-08-08 19:58:57 +1000 |
---|---|---|
committer | Gavin Andresen <gavinandresen@gmail.com> | 2013-08-20 12:19:40 +1000 |
commit | cdb3441b5cd2c1bae49fae671dc4a496f7c96322 (patch) | |
tree | 920b43f3e70c3801375c10ab728070a8eaaa320e /src/bitcoinrpc.cpp | |
parent | 38863afbcc6ddb8a247210ac1d7c5d9717265339 (diff) | |
download | bitcoin-cdb3441b5cd2c1bae49fae671dc4a496f7c96322.tar.xz |
Make RPC password resistant to timing attacks
Fixes issue#2838; this is a tweaked version of pull#2845 that
should not leak the length of the password and is more generic,
in case we run into other situations where we need
timing-attack-resistant comparisons.
Diffstat (limited to 'src/bitcoinrpc.cpp')
-rw-r--r-- | src/bitcoinrpc.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/bitcoinrpc.cpp b/src/bitcoinrpc.cpp index 2c4744a579..31452fa1e7 100644 --- a/src/bitcoinrpc.cpp +++ b/src/bitcoinrpc.cpp @@ -479,7 +479,7 @@ bool HTTPAuthorized(map<string, string>& mapHeaders) return false; string strUserPass64 = strAuth.substr(6); boost::trim(strUserPass64); string strUserPass = DecodeBase64(strUserPass64); - return strUserPass == strRPCUserColonPass; + return TimingResistantEqual(strUserPass, strRPCUserColonPass); } // |