
Use crypto.timingSafeEqual for fixedTimeComparison #24

Closed
ChALkeR opened this issue Sep 15, 2016 · 4 comments


@ChALkeR ChALkeR commented Sep 15, 2016

Node.js 6.6.0 has crypto.timingSafeEqual(), which operates on two Buffers of the same length.

You should probably use it instead of JS-land magic to securely compare digests.

See nodejs/node#8304 and https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.6.0.


@hueniverse hueniverse commented Sep 16, 2016

I will as soon as hapi doesn't support any other version of node. I'll leave this open as a reminder.


@ChALkeR ChALkeR commented Sep 16, 2016

@hueniverse You could use a simple feature detection (i.e. `if (crypto.timingSafeEqual) {`) even now.


@hueniverse hueniverse commented Sep 16, 2016

I don't like doing that. Makes it harder to reason about code across platforms.


@fanatid fanatid commented Jan 5, 2017

Should note that you can require timing-safe-equal and randombytes instead of crypto.
