Skip to content

Commit

Permalink
Mitigate Timing Attacks On Basic RPC Authorization
Browse files Browse the repository at this point in the history
  • Loading branch information
Tranz5 committed May 23, 2014
1 parent a2e14a0 commit d61aefe
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 1 deletion.
2 changes: 1 addition & 1 deletion src/bitcoinrpc.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -457,7 +457,7 @@ bool HTTPAuthorized(map<string, string>& mapHeaders)
return false;
string strUserPass64 = strAuth.substr(6); boost::trim(strUserPass64);
string strUserPass = DecodeBase64(strUserPass64);
return strUserPass == strRPCUserColonPass;
return TimingResistantEqual(strUserPass, strRPCUserColonPass);
}

//
Expand Down
14 changes: 14 additions & 0 deletions src/util.h
Original file line number Diff line number Diff line change
Expand Up @@ -533,6 +533,20 @@ inline uint160 Hash160(const std::vector<unsigned char>& vch)
return hash2;
}

/**
* Timing-attack-resistant comparison.
* Takes time proportional to length
* of first argument.
*/
template <typename T>
bool TimingResistantEqual(const T& a, const T& b)
{
if (b.size() == 0) return a.size() == 0;
size_t accumulator = a.size() ^ b.size();
for (size_t i = 0; i < a.size(); i++)
accumulator |= a[i] ^ b[i%b.size()];
return accumulator == 0;
}

/** Median filter over a stream of values.
* Returns the median of the last N numbers
Expand Down

0 comments on commit d61aefe

Please sign in to comment.