Support node 4

[hueniverse]

No description provided.

[msingh025]

Dear Hueniverse,
Could you please review code block of
exports.fixedTimeComparison = function (a, b) {

if (typeof a !== 'string' ||
    typeof b !== 'string') {

    return false;
}

let mismatch = (a.length === b.length ? 0 : 1);
if (mismatch) {
    b = a;
}

for (let i = 0; i < a.length; ++i) {
    const ac = a.charCodeAt(i);
    const bc = b.charCodeAt(i);
    mismatch |= (ac ^ bc);
      if(mismatch != 0)
    break;
}

return (mismatch === 0);

};
I have added a check inside for , immediate break the loop at false conditions.
Please provide you valuable comment on it.

[Marsup]

What does it have to do with this issue ?

[msingh025]

Not related to this issue , It was only enhancement .

[mtharrison]

@msingh025 this function fixedTimeComparison() is specifically designed to take the same time to execute on two same length strings whether they are equal or not. This is to prevent timing attacks.

[msingh025]

@mtharrison thanks a lot , we are on the same page, I have used it in our authentication module, before using it, i read and found, we are comparing strings char by char, I thought, I should break the loop on mismatched chars, so I added a extra line inside loop
if(mismatch != 0)
break;

[mtharrison]

@msingh025 why should you break on mismatched chars?

[msingh025]

@mtharrison bcz , I do not want iterate char till end of string's length. if const ac and const bc are not equal then defiantly both string a and string b is not equal to each other . Then I should break loop at that point.

[mtharrison]

That defeats the whole purpose of this function to be a fixed time comparison. If whether or not two strings are equal influences the running time of the function it is not running in fixed time and you might as well just be doing string1 === string2.

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.