Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support node 4 #23

Closed
hueniverse opened this issue Sep 5, 2016 · 8 comments
Closed

Support node 4 #23

hueniverse opened this issue Sep 5, 2016 · 8 comments
Assignees
Labels
bug
Milestone

Comments

@hueniverse
Copy link
Member

@hueniverse hueniverse commented Sep 5, 2016

No description provided.

@hueniverse hueniverse added the bug label Sep 5, 2016
@hueniverse hueniverse added this to the 3.1.1 milestone Sep 5, 2016
@hueniverse hueniverse self-assigned this Sep 5, 2016
@hueniverse hueniverse closed this in 2c34bef Sep 5, 2016
@msingh025

This comment has been minimized.

Copy link

@msingh025 msingh025 commented May 3, 2017

Dear Hueniverse,
Could you please review code block of
exports.fixedTimeComparison = function (a, b) {

if (typeof a !== 'string' ||
    typeof b !== 'string') {

    return false;
}

let mismatch = (a.length === b.length ? 0 : 1);
if (mismatch) {
    b = a;
}

for (let i = 0; i < a.length; ++i) {
    const ac = a.charCodeAt(i);
    const bc = b.charCodeAt(i);
    mismatch |= (ac ^ bc);
      if(mismatch != 0)
    break;
}

return (mismatch === 0);

};
I have added a check inside for , immediate break the loop at false conditions.
Please provide you valuable comment on it.

@Marsup

This comment has been minimized.

Copy link
Member

@Marsup Marsup commented May 3, 2017

What does it have to do with this issue ?

@msingh025

This comment has been minimized.

Copy link

@msingh025 msingh025 commented May 4, 2017

Not related to this issue , It was only enhancement .

@mtharrison

This comment has been minimized.

Copy link
Member

@mtharrison mtharrison commented May 4, 2017

@msingh025 this function fixedTimeComparison() is specifically designed to take the same time to execute on two same length strings whether they are equal or not. This is to prevent timing attacks.

@msingh025

This comment has been minimized.

Copy link

@msingh025 msingh025 commented May 4, 2017

@mtharrison thanks a lot , we are on the same page, I have used it in our authentication module, before using it, i read and found, we are comparing strings char by char, I thought, I should break the loop on mismatched chars, so I added a extra line inside loop
if(mismatch != 0)
break;

@mtharrison

This comment has been minimized.

Copy link
Member

@mtharrison mtharrison commented May 4, 2017

@msingh025 why should you break on mismatched chars?

@msingh025

This comment has been minimized.

Copy link

@msingh025 msingh025 commented May 4, 2017

@mtharrison bcz , I do not want iterate char till end of string's length. if const ac and const bc are not equal then defiantly both string a and string b is not equal to each other . Then I should break loop at that point.

@mtharrison

This comment has been minimized.

Copy link
Member

@mtharrison mtharrison commented May 4, 2017

That defeats the whole purpose of this function to be a fixed time comparison. If whether or not two strings are equal influences the running time of the function it is not running in fixed time and you might as well just be doing string1 === string2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.