
tsscmp


tsscmp - npm Package Compare versions

Comparing version 1.0.1 to 1.0.2

.npmignore

27

lib/index.js

@@ -7,15 +7,28 @@ 'use strict';

// https://github.com/nodejs/node/issues/3043
// https://github.com/nodejs/node/pull/3073
var crypto = require('crypto');
function bufferEqual(a, b) {
if (a.length !== b.length) {
return false;
}
for (var i = 0; i < a.length; i++) {
if (a[i] !== b[i]) {
return false;
}
}
return true;
}
function timeSafeCompare(a, b) {
a = String(a);
b = String(b);
var key = crypto.randomBytes(32);
var ah = crypto.createHmac('sha256', key).update(a).digest('base64');
var bh = crypto.createHmac('sha256', key).update(b).digest('base64');
var sa = String(a);
var sb = String(b);
var key = crypto.pseudoRandomBytes(32);
var ah = crypto.createHmac('sha256', key).update(sa).digest();
var bh = crypto.createHmac('sha256', key).update(sb).digest();
return ah === bh && a === b;
return bufferEqual(ah, bh) && a === b;
}
module.exports = timeSafeCompare;
module.exports = timeSafeCompare;
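Review bot: The per-call key on the new side is now drawn with `crypto.pseudoRandomBytes(32)` instead of `crypto.randomBytes(32)`; pseudoRandomBytes is a deprecated Node API that does not carry the CSPRNG guarantee, and the double-HMAC construction depends on the key being unpredictable to the caller, so keep `var key = crypto.randomBytes(32);`. The final line `return bufferEqual(ah, bh) && a === b;` compares the raw arguments while the HMACs are computed over the coerced `sa`/`sb`, so inputs that stringify identically but differ in type (for instance `1` and `'1'`) now hash equal yet return false where 1.0.1 returned true; either use `return bufferEqual(ah, bh) && sa === sb;` or state in a header comment that callers must pass strings. `bufferEqual` has no comment; a one-line note that it is a stand-in for `crypto.timingSafeEqual` (the nodejs issue linked above) on Node versions that lack it, and that the length check is the only early exit, would make the intent clear, and on runtimes that expose `crypto.timingSafeEqual` that call could replace the hand-rolled loop.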
{
"name": "tsscmp",
"version": "1.0.1",
"version": "1.0.2",
"description": "Timing safe string compare using double HMAC",

@@ -9,3 +9,3 @@ "main": "lib/index.js",

"scripts": {
"test": "node test/index-test.js"
"test": "node test/unit && node test/benchmark"
},

@@ -31,9 +31,3 @@ "repository": {

},
"engineStrict": true,
"licenses": [
{
"type": "Apache 2.0",
"url": "http://www.apache.org/licenses/LICENSE-2.0.html"
}
]
}
"license": "MIT"
}

@@ -1,15 +0,30 @@

# Timing safe string compare using double hmac
[![travis][travis-image]][travis-url]
[![Node.js Version][node-version-image]][node-version-url]
[![npm][npm-image]][npm-url]
[travis-image]: https://travis-ci.org/suryagh/tsscmp.svg?branch=master
[![NPM Downloads][downloads-image]][downloads-url]
[![Build Status][travis-image]][travis-url]
[![Build Status][appveyor-image]][appveyor-url]
[![Dependency Status][david-image]][david-url]
[![github-license][github-license-image]][license-url]
[travis-image]: https://img.shields.io/travis/suryagh/tsscmp/master.svg?style=flat-square
[travis-url]: https://travis-ci.org/suryagh/tsscmp
[npm-image]: https://img.shields.io/npm/v/tsscmp.svg?style=flat
[appveyor-image]: https://img.shields.io/appveyor/ci/suryagh/tsscmp/master.svg?style=flat-square&label=windows
[appveyor-url]: https://ci.appveyor.com/project/suryagh/tsscmp
[npm-image]: https://img.shields.io/npm/v/tsscmp.svg?style=flat-square
[npm-url]: https://npmjs.org/package/tsscmp
[node-version-image]: https://img.shields.io/node/v/tsscmp.svg?style=flat-square
[node-version-url]: https://nodejs.org/en/download
[downloads-image]: https://img.shields.io/npm/dm/tsscmp.svg?style=flat-square
[downloads-url]: https://npmjs.org/package/tsscmp
[david-image]: http://img.shields.io/david/suryagh/tsscmp.svg?style=flat-square
[david-url]: https://david-dm.org/suryagh/tsscmp
[npm-license-image]: http://img.shields.io/npm/l/tsscmp.svg?style=flat-square
[github-license-image]: https://img.shields.io/github/license/suryagh/tsscmp.svg?style=flat-square
[license-url]: LICENSE
# Timing safe string compare using double HMAC
Prevents [timing attacks](http://codahale.com/a-lesson-in-timing-attacks/) using Brad Hill's
[Double HMAC pattern](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/)
to perform secure string comparison. Double HMAC avoids the timing atacks by blinding the
timing channel using random time per attempt comparison against iterative brute force attacks.
Prevents timing attacks using Brad Hill's [Double HMAC pattern](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/) to perform __safe string comparison__. The approach is similar to the node's native implementation of timing safe buffer comparison that will be available on [v6+](https://github.com/nodejs/node/issues/3043).
Double HMAC avoids the timing atacks by blinding the timing channel using *random time per attempt* comparison against iterative brute force attacks.
## Install

@@ -20,9 +35,9 @@

```
## Why
High level languages like JavaScript cannot perform
[reliable](https://github.com/nodejs/node-v0.x-archive/issues/8560#issuecomment-59521094)
constant-time string comparison because of the many layers of software and hardware optimizers.
## Why?
## Example
To minimize vulnerability against [timing attacks](http://codahale.com/a-lesson-in-timing-attacks/) during string comparision.
## Examples
```js

@@ -39,3 +54,9 @@ var timingSafeCompare = require('tsscmp');

}
```
## Credits to
[@jsha](https://github.com/jsha)</br>
[@bnoordhuis](https://github.com/bnoordhuis)
```
## License
[MIT](LICENSE)
