Use crypto.timingSafeEqual() vs hand rolled method for constant time password comparison

This commit is contained in:
Bryan Ashby 2019-02-20 21:12:41 -07:00
parent 70f160daa3
commit 65ef1feb6c
No known key found for this signature in database
GPG Key ID: B49EB437951D2542
1 changed files with 1 additions and 13 deletions


@ -60,18 +60,6 @@ module.exports = class User {
}; };
} }
static isSamePasswordSlowCompare(passBuf1, passBuf2) {
if(passBuf1.length !== passBuf2.length) {
return false;
}
let c = 0;
for(let i = 0; i < passBuf1.length; i++) {
c |= passBuf1[i] ^ passBuf2[i];
}
return 0 === c;
}
isAuthenticated() { isAuthenticated() {
return true === this.authenticated; return true === this.authenticated;
} }
@ -220,7 +208,7 @@ module.exports = class User {
const passDkBuf = Buffer.from(passDk, 'hex'); const passDkBuf = Buffer.from(passDk, 'hex');
const propsDkBuf = Buffer.from(propsDk, 'hex'); const propsDkBuf = Buffer.from(propsDk, 'hex');
return callback(User.isSamePasswordSlowCompare(passDkBuf, propsDkBuf) ? return callback(crypto.timingSafeEqual(passDkBuf, propsDkBuf) ?
null : null :
Errors.AccessDenied('Invalid password') Errors.AccessDenied('Invalid password')
); );
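Review bot: The replacement in the second hunk changes failure behaviour for mismatched lengths: the removed isSamePasswordSlowCompare returned false when `passBuf1.length !== passBuf2.length`, but crypto.timingSafeEqual throws when its two buffers differ in byte length, so a stored hash of a different length than the freshly derived key (for example a record written with different derivation parameters, or a corrupted property) would now raise inside the callback path instead of producing Errors.AccessDenied. Both buffers come from hex decoding on the two context lines above, and neither length is checked before the call. I would keep the length guard explicit, e.g. `const same = passDkBuf.length === propsDkBuf.length && crypto.timingSafeEqual(passDkBuf, propsDkBuf);` followed by `return callback(same ? null : Errors.AccessDenied('Invalid password'));`; the length of a derived key is not secret, so the early-out does not weaken the comparison. This also presumes `crypto` is already required at the top of the file, which is outside the hunk, as is the start of the enclosing method.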