Mitigate Timing Attacks On Basic RPC Authorization

As per bitcoin#2838 . Eliminates the possibility of timing attacks by changing the way the two passwords are compared. See http://rdist.root.org/2010/01/07/timing-independent-array-comparison/ for reference. It iterates through each char in the strings, and if the two chars it is comparing aren't the same, then it adds 1 to nReturn and the function returns false. Previously, the function would return false on the first char that didn't match, allowing a possible attacker to run a timing attack.
grayleonard · Jul 23, 2013 · 5d32282 · 5d32282
1 parent 0a74065
commit 5d32282
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/src/bitcoinrpc.cpp b/src/bitcoinrpc.cpp
@@ -471,12 +471,23 @@ int ReadHTTPMessage(std::basic_istream<char>& stream, map<string,
 
 bool HTTPAuthorized(map<string, string>& mapHeaders)
 {
+    int nResult = 0;
     string strAuth = mapHeaders["authorization"];
     if (strAuth.substr(0,6) != "Basic ")
         return false;
     string strUserPass64 = strAuth.substr(6); boost::trim(strUserPass64);
     string strUserPass = DecodeBase64(strUserPass64);
-    return strUserPass == strRPCUserColonPass;
+
+    //Begin constant-time comparison
+    if (strUserPass.length() != strRPCUserColonPass.length())
+        return false;
+
+    //XOR's chars in each password together, and then adds either 0 or 1 (0 if the chars match) to nResult
+    for (size_t i = 0; i < strUserPass.length(); i++)
+    { 
+        nResult |= strUserPass.at(i) ^ strRPCUserColonPass.at(i); 
+    }
+    return nResult == 0;
 }
 
 //