From cdb3441b5cd2c1bae49fae671dc4a496f7c96322 Mon Sep 17 00:00:00 2001
From: Gavin Andresen <gavinandresen@gmail.com>
Date: Thu, 8 Aug 2013 19:58:57 +1000
Subject: Make RPC password resistant to timing attacks

Fixes issue#2838; this is a tweaked version of pull#2845 that
should not leak the length of the password and is more generic,
in case we run into other situations where we need
timing-attack-resistant comparisons.
---
 src/bitcoinrpc.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/bitcoinrpc.cpp')

diff --git a/src/bitcoinrpc.cpp b/src/bitcoinrpc.cpp
index 2c4744a579..31452fa1e7 100644
--- a/src/bitcoinrpc.cpp
+++ b/src/bitcoinrpc.cpp
@@ -479,7 +479,7 @@ bool HTTPAuthorized(map<string, string>& mapHeaders)
         return false;
     string strUserPass64 = strAuth.substr(6); boost::trim(strUserPass64);
     string strUserPass = DecodeBase64(strUserPass64);
-    return strUserPass == strRPCUserColonPass;
+    return TimingResistantEqual(strUserPass, strRPCUserColonPass);
 }
 
 //
-- 
cgit v1.2.3