
Use crypto.timingSafeEqual for fixedTimeComparison #24

Closed
ChALkeR opened this issue Sep 15, 2016 · 5 comments
Assignees
Labels
breaking changes: Change that can break existing code
Milestone

Comments

@ChALkeR

ChALkeR commented Sep 15, 2016

Node.js 6.6.0 has crypto.timingSafeEqual(), which operates on two Buffers of the same length.

You should probably use it instead of js-land magic to securely compare digests.

See nodejs/node#8304 and /~https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.6.0.

@hueniverse
Contributor

I will as soon as hapi doesn't support any other version of node. I'll leave this open as a reminder.

@hueniverse hueniverse added feature New functionality or improvement dependency Update module dependency labels Sep 16, 2016
@ChALkeR
Author

ChALkeR commented Sep 16, 2016

@hueniverse You could use a simple feature detection (i.e. if (crypto.timingSafeEqual) {) even now.

@hueniverse
Contributor

I don't like doing that. Makes it harder to reason about code across platforms.

@fanatid

fanatid commented Jan 5, 2017

Should note that you can require timing-safe-equal and randombytes instead of crypto.

@hueniverse hueniverse added this to the 3.1.3 milestone Sep 24, 2017
@hueniverse hueniverse self-assigned this Sep 24, 2017
@hueniverse hueniverse added breaking changes (Change that can break existing code) and removed dependency (Update module dependency) and feature (New functionality or improvement) labels Sep 24, 2017
@lock

lock bot commented Jan 9, 2020

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 9, 2020