Comparing version 0.5.2 to 0.5.3
// Load modules | ||
var Boom = require('boom'); | ||
var Cryptiles = require('cryptiles'); | ||
var Crypto = require('./crypto'); | ||
@@ -219,3 +220,3 @@ var Utils = require('./utils'); | ||
if (!Utils.fixedTimeComparison(mac, attributes.mac)) { | ||
if (!Cryptiles.fixedTimeComparison(mac, attributes.mac)) { | ||
return callback(Boom.unauthorized('Bad mac', 'Hawk'), credentials, attributes); | ||
@@ -234,3 +235,3 @@ } | ||
var hash = Crypto.calculateHash(options.payload, credentials.algorithm); | ||
if (!Utils.fixedTimeComparison(hash, attributes.hash)) { | ||
if (!Cryptiles.fixedTimeComparison(hash, attributes.hash)) { | ||
return callback(Boom.unauthorized('Bad payload hash', 'Hawk'), credentials, attributes); | ||
@@ -302,3 +303,3 @@ } | ||
timestamp: options.timestamp || Math.floor(now / 1000), | ||
nonce: options.nonce || Utils.randomString(6), | ||
nonce: options.nonce || Cryptiles.randomString(6), | ||
method: method, | ||
@@ -332,4 +333,4 @@ uri: uri, | ||
var calculatedHash = Crypto.calculateHash(payload, credentials.algorithm); | ||
return Utils.fixedTimeComparison(calculatedHash, hash); | ||
return Cryptiles.fixedTimeComparison(calculatedHash, hash); | ||
}; | ||
@@ -5,2 +5,3 @@ // Load modules | ||
var Boom = require('boom'); | ||
var Cryptiles = require('cryptiles'); | ||
var Crypto = require('./crypto'); | ||
@@ -131,3 +132,3 @@ var Utils = require('./utils'); | ||
if (!Utils.fixedTimeComparison(mac, bewit.mac)) { | ||
if (!Cryptiles.fixedTimeComparison(mac, bewit.mac)) { | ||
return callback(Boom.unauthorized('Bad mac', 'Hawk'), credentials, bewit); | ||
@@ -134,0 +135,0 @@ } |
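Review bot: The reason for using a constant-time comparison was carried only by the comment on the removed `Utils.fixedTimeComparison` ("to prevent time-based analysis of MAC digest match"), and now that the new line delegates to `Cryptiles.fixedTimeComparison` nothing at the call site records why a plain `===` must not be used here; the same applies to the `fixedTimeComparison` call sites in the server-side section earlier on this page. A one-line comment above the check would keep that intent visible, e.g. `// bewit.mac is client-supplied: compare in constant time so response timing reveals nothing about where a mismatch occurs`. The enclosing function starts and ends outside this hunk, and the library's handling of a non-string `bewit.mac` is not visible here, so whether the bewit parser guarantees a string before this point should be confirmed rather than assumed.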
@@ -8,5 +8,3 @@ // Load modules | ||
var internals = { | ||
randomSource: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' | ||
}; | ||
var internals = {}; | ||
@@ -36,36 +34,2 @@ | ||
// Generate a random string of given size (not for crypto) | ||
exports.randomString = function (size) { | ||
var result = []; | ||
var len = internals.randomSource.length; | ||
for (var i = 0; i < size; ++i) { | ||
result.push(internals.randomSource[Math.floor(Math.random() * len)]); | ||
} | ||
return result.join(''); | ||
}; | ||
// Compare two strings using fixed time algorithm (to prevent time-based analysis of MAC digest match) | ||
exports.fixedTimeComparison = function (a, b) { | ||
var mismatch = (a.length === b.length ? 0 : 1); | ||
if (mismatch) { | ||
b = a; | ||
} | ||
for (var i = 0, il = a.length; i < il; ++i) { | ||
var ac = a.charCodeAt(i); | ||
var bc = b.charCodeAt(i); | ||
mismatch += (ac === bc ? 0 : 1); | ||
} | ||
return (mismatch === 0); | ||
}; | ||
// Extract host and port from request | ||
@@ -72,0 +36,0 @@ |
{ | ||
"name": "hawk", | ||
"description": "HTTP Hawk Authentication Scheme", | ||
"version": "0.5.2", | ||
"version": "0.5.3", | ||
"author": "Eran Hammer <eran@hueniverse.com> (http://hueniverse.com)", | ||
@@ -20,3 +20,4 @@ "contributors": [], | ||
"hoek": "0.0.x", | ||
"boom": "0.0.x" | ||
"boom": "0.0.x", | ||
"cryptiles": "0.0.x" | ||
}, | ||
@@ -23,0 +24,0 @@ "devDependencies": { |
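Review bot: `"cryptiles": "0.0.x"` is a floating range, and after this change both the MAC comparison and nonce generation used for authentication resolve to whichever version of that package is installed at the time; the range matches the existing `hoek` and `boom` entries, so it is a consistency choice rather than an error, but the version actually resolved (the page summary shows cryptiles@0.0.2) is not recorded anywhere in the repository. A shrinkwrap/lockfile or a tighter pin would make the installed version of this security-relevant dependency reproducible across installs.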
@@ -6,3 +6,3 @@ ![hawk Logo](https://raw.github.com/hueniverse/hawk/master/images/hawk.png) | ||
Current version: **0.5.2** | ||
Current version: **0.5.3** | ||
@@ -9,0 +9,0 @@ [![Build Status](https://secure.travis-ci.org/hueniverse/hawk.png)](http://travis-ci.org/hueniverse/hawk) |
@@ -30,46 +30,2 @@ // Load modules | ||
}); | ||
describe('#fixedTimeComparison', function () { | ||
var a = Hawk.utils.randomString(50000); | ||
var b = Hawk.utils.randomString(150000); | ||
it('should take the same amount of time comparing different string sizes', function (done) { | ||
var now = Date.now(); | ||
Hawk.utils.fixedTimeComparison(b, a); | ||
var t1 = Date.now() - now; | ||
now = Date.now(); | ||
Hawk.utils.fixedTimeComparison(b, b); | ||
var t2 = Date.now() - now; | ||
expect(t2 - t1).to.be.within(-2, 2); | ||
done(); | ||
}); | ||
it('should return true for equal strings', function (done) { | ||
expect(Hawk.utils.fixedTimeComparison(a, a)).to.equal(true); | ||
done(); | ||
}); | ||
it('should return false for different strings (size, a < b)', function (done) { | ||
expect(Hawk.utils.fixedTimeComparison(a, a + 'x')).to.equal(false); | ||
done(); | ||
}); | ||
it('should return false for different strings (size, a > b)', function (done) { | ||
expect(Hawk.utils.fixedTimeComparison(a + 'x', a)).to.equal(false); | ||
done(); | ||
}); | ||
it('should return false for different strings (size, a = b)', function (done) { | ||
expect(Hawk.utils.fixedTimeComparison(a + 'x', a + 'y')).to.equal(false); | ||
done(); | ||
}); | ||
}); | ||
}); | ||
@@ -76,0 +32,0 @@ }); |
+ Addedcryptiles@0.0.x
+ Addedboom@0.2.1(transitive)
+ Addedcryptiles@0.0.2(transitive)
+ Addedhoek@0.4.5(transitive)