commit

node_modules/safe-compare/index.js

@@ -0,0 +1,75 @@
+/**
+ * @author Michael Raith
+ * @date   24.02.2016 12:04
+ */
+
+'use strict';
+
+var crypto = require('crypto');
+var bufferAlloc = require('buffer-alloc');
+
+
+/**
+ * Do a constant time string comparison. Always compare the complete strings
+ * against each other to get a constant time. This method does not short-cut
+ * if the two string's length differs.
+ *
+ * @param {string} a
+ * @param {string} b
+ *
+ * @return {boolean}
+ */
+var safeCompare = function safeCompare(a, b) {
+    var strA = String(a);
+    var strB = String(b);
+    var lenA = strA.length;
+    var result = 0;
+
+    if (lenA !== strB.length) {
+        strB = strA;
+        result = 1;
+    }
+
+    for (var i = 0; i < lenA; i++) {
+        result |= (strA.charCodeAt(i) ^ strB.charCodeAt(i));
+    }
+
+    return result === 0;
+};
+
+
+/**
+ * Call native "crypto.timingSafeEqual" methods.
+ * All passed values will be converted into strings first.
+ *
+ * Runtime is always corresponding to the length of the first parameter (string
+ * a).
+ *
+ * @param {string} a
+ * @param {string} b
+ *
+ * @return {boolean}
+ */
+var nativeTimingSafeEqual = function nativeTimingSafeEqual(a, b) {
+    var strA = String(a);
+    var strB = String(b);
+    var aLen = Buffer.byteLength(strA);
+    var bLen = Buffer.byteLength(strB);
+
+    // Always use length of a to avoid leaking the length. Even if this is a
+    // false positive because one is a prefix of the other, the explicit length
+    // check at the end will catch that.
+    var bufA = bufferAlloc(aLen, 0, 'utf8');
+    bufA.write(strA);
+    var bufB = bufferAlloc(aLen, 0, 'utf8');
+    bufB.write(strB);
+
+    return crypto.timingSafeEqual(bufA, bufB) && aLen === bLen;
+};
+
+
+module.exports = (
+    typeof crypto.timingSafeEqual !== 'undefined' ?
+        nativeTimingSafeEqual :
+        safeCompare
+);