34 lines
947 B
JavaScript
34 lines
947 B
JavaScript
|
'use strict';
|
||
|
|
||
|
// Implements Brad Hill's Double HMAC pattern from
|
||
|
// https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/.
|
||
|
// The approach is similar to the node's native implementation of timing safe buffer comparison that will be available on v6+.
|
||
|
// https://github.com/nodejs/node/issues/3043
|
||
|
// https://github.com/nodejs/node/pull/3073
|
||
|
|
||
|
var crypto = require('crypto');
|
||
|
|
||
|
function bufferEqual(a, b) {
|
||
|
if (a.length !== b.length) {
|
||
|
return false;
|
||
|
}
|
||
|
for (var i = 0; i < a.length; i++) {
|
||
|
if (a[i] !== b[i]) {
|
||
|
return false;
|
||
|
}
|
||
|
}
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
function timeSafeCompare(a, b) {
|
||
|
var sa = String(a);
|
||
|
var sb = String(b);
|
||
|
var key = crypto.pseudoRandomBytes(32);
|
||
|
var ah = crypto.createHmac('sha256', key).update(sa).digest();
|
||
|
var bh = crypto.createHmac('sha256', key).update(sb).digest();
|
||
|
|
||
|
return bufferEqual(ah, bh) && a === b;
|
||
|
}
|
||
|
|
||
|
module.exports = timeSafeCompare;
|