3 // Implements Brad Hill's Double HMAC pattern from
4 // https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/.
5 // The approach is similar to Node's native implementation of timing-safe buffer comparison, which will be available in v6+.
6 // https://github.com/nodejs/node/issues/3043
7 // https://github.com/nodejs/node/pull/3073
9 var crypto = require('crypto');
11 function bufferEqual(a, b) {
12 if (a.length !== b.length) {
15 for (var i = 0; i < a.length; i++) {
/**
 * Compares `a` and `b` using the double-HMAC pattern.
 *
 * Instead of comparing the raw values, both sides are run through HMAC-SHA256
 * under a key generated fresh for this call, and the two digests are compared.
 * The key is never reused or exposed, so the time taken to compare the digests
 * should not tell a caller how much of the original inputs matched.
 *
 * @param {*} a - First value to compare.
 * @param {*} b - Second value to compare.
 * @returns Truthy only when `bufferEqual(ah, bh)` holds and `a === b`.
 */
23 function timeSafeCompare(a, b) {
// NOTE(review): `sa` and `sb` are defined on lines missing from this listing
// (gutter 24-25); presumably the string forms of `a` and `b` -- confirm.
// Per-call 32-byte HMAC key.
// NOTE(review): crypto.pseudoRandomBytes is deprecated in current Node.js;
// crypto.randomBytes is the documented replacement for generating this key.
26 var key = crypto.pseudoRandomBytes(32);
// Both digests use the same key, so equal inputs yield equal digests.
27 var ah = crypto.createHmac('sha256', key).update(sa).digest();
28 var bh = crypto.createHmac('sha256', key).update(sb).digest();
// `&&` short-circuits: the plain `a === b` is evaluated only after the digests
// have already matched, and it rejects inputs that are not strictly equal.
30 return bufferEqual(ah, bh) && a === b;
33 module.exports = timeSafeCompare;