Make RPC password resistant to timing attacks

Fixes issue#2838; this is a tweaked version of pull#2845 that should not leak the length of the password and is more generic, in case we run into other situations where we need timing-attack-resistant comparisons.
author: Gavin Andresen <gavinandresen@gmail.com> 2013-08-08 19:58:57 +1000
committer: Gavin Andresen <gavinandresen@gmail.com> 2013-08-20 12:19:40 +1000
commit: cdb3441b5cd2c1bae49fae671dc4a496f7c96322 (patch)
tree: 920b43f3e70c3801375c10ab728070a8eaaa320e /src/util.h
parent: 38863afbcc6ddb8a247210ac1d7c5d9717265339 (diff)
download: bitcoin-cdb3441b5cd2c1bae49fae671dc4a496f7c96322.tar.xz
1 files changed, 15 insertions, 0 deletions
diff --git a/src/util.h b/src/util.h
index 3f3dd0f487..9b7e2573da 100644
--- a/src/util.h
+++ b/src/util.h
@@ -433,6 +433,21 @@ static inline uint32_t insecure_rand(void)
  */
 void seed_insecure_rand(bool fDeterministic=false);
 
+/**
+ * Timing-attack-resistant comparison.
+ * Takes time proportional to length
+ * of first argument.
+ */
+template <typename T>
+bool TimingResistantEqual(const T& a, const T& b)
+{
+    if (b.size() == 0) return a.size() == 0;
+    size_t accumulator = a.size() ^ b.size();
+    for (size_t i = 0; i < a.size(); i++)
+        accumulator |= a[i] ^ b[i%b.size()];
+    return accumulator == 0;
+}
+
 /** Median filter over a stream of values.
  * Returns the median of the last N numbers
  */
author	Gavin Andresen <gavinandresen@gmail.com>	2013-08-08 19:58:57 +1000
committer	Gavin Andresen <gavinandresen@gmail.com>	2013-08-20 12:19:40 +1000
commit	cdb3441b5cd2c1bae49fae671dc4a496f7c96322 (patch)
tree	920b43f3e70c3801375c10ab728070a8eaaa320e /src/util.h
parent	38863afbcc6ddb8a247210ac1d7c5d9717265339 (diff)
download	bitcoin-cdb3441b5cd2c1bae49fae671dc4a496f7c96322.tar.xz