index.js
/**
* @author Michael Raith
* @date 24.02.2016 12:04
*/
'use strict';
var crypto = require('crypto');
var bufferAllocUnsafe = require('buffer-alloc-unsafe');
/**
* Do a constant time string comparison. Always compare the complete strings
* against each other to get a constant time. This method does not short-cut
* if the two string's length differs.
*
* @param {string} a
* @param {string} b
*
* @return {boolean}
*/
var safeCompare = function safeCompare(a, b) {
var strA = String(a);
var strB = String(b);
var lenA = strA.length;
var result = 0;
if (lenA !== strB.length) {
strB = strA;
result = 1;
}
for (var i = 0; i < lenA; i++) {
result |= (strA.charCodeAt(i) ^ strB.charCodeAt(i));
}
return result === 0;
};
/**
* Call native "crypto.timingSafeEqual" methods.
* All passed values will be converted into strings first.
*
* Runtime is always corresponding to the length of the first parameter (string
* a).
*
* @param {string} a
* @param {string} b
*
* @return {boolean}
*/
var nativeTimingSafeEqual = function nativeTimingSafeEqual(a, b) {
var strA = String(a);
var strB = String(b);
var aLen = Buffer.byteLength(strA);
var bLen = Buffer.byteLength(strB);
// Always use length of a to avoid leaking the length. Even if this is a
// false positive because one is a prefix of the other, the explicit length
// check at the end will catch that.
var bufA = bufferAllocUnsafe(aLen);
bufA.write(strA);
var bufB = bufferAllocUnsafe(aLen);
bufB.write(strB);
return crypto.timingSafeEqual(bufA, bufB) && aLen === bLen;
};
module.exports = (
typeof crypto.timingSafeEqual !== 'undefined' ?
nativeTimingSafeEqual :
safeCompare
);