tsse
v2.1.0
Constant time string/buffer equals
Downloads
51,736
Synopsis
tsse is a string comparison algorithm to prevent Node.js timing attacks.
This differs from crypto.timingSafeEqual because it:
- supports both strings and Buffers;
- supports inputs of different lengths.
Install
$ npm install --save tsse
Usage
const tsse = require('tsse');
const hash = '0a4d55a8d778e5022fab701977c5d840bbc486d0';
const givenHash = '1265a5eb08997ced279d3854629cba68a378b528';
if (tsse(hash, givenHash)) {
  console.log('good hash');
} else {
  console.log('bad hash');
}
// => bad hash
API
tsse(hiddenStr, inputStr) ⇒ boolean
Does a constant-time String comparison.
NOTE: When hiddenStr and inputStr have different lengths, hiddenStr is compared to itself, which makes the comparison non-commutative (time-wise).
Kind: global function
Returns: boolean - true if equal, false otherwise.
Access: public
| Param | Type | Description |
| --- | --- | --- |
| hiddenStr | string \| Buffer | A string that you don't want to leak. |
| inputStr | string \| Buffer | Another string. |
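The behaviour described in the NOTE above, sketched on top of Node's built-in crypto.timingSafeEqual. This is an added example, not tsse's source code; the names toBuffer, constantTimeEquals and nativeRejects are hypothetical, and UTF-8 encoding of strings is an assumption.

```javascript
const crypto = require('crypto');

// Hypothetical helper: normalise a string or Buffer to a Buffer.
// Strings are encoded as UTF-8 (an assumption of this sketch).
function toBuffer(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value === 'string') return Buffer.from(value, 'utf8');
  throw new TypeError('expected a string or a Buffer');
}

// Hypothetical sketch of the technique in the NOTE, not the tsse code.
function constantTimeEquals(hidden, input) {
  const hiddenBuf = toBuffer(hidden);
  const inputBuf = toBuffer(input);

  // crypto.timingSafeEqual throws when byte lengths differ, so on a
  // mismatch the secret is compared to itself instead. The comparison
  // then always walks hiddenBuf.length bytes, whatever the input was.
  const sameLength = hiddenBuf.length === inputBuf.length;
  const other = sameLength ? inputBuf : hiddenBuf;
  const bytesEqual = crypto.timingSafeEqual(hiddenBuf, other);

  // A self-comparison is always true, so the length check decides.
  return sameLength && bytesEqual;
}

// Shows why a wrapper is needed: the built-in rejects strings and
// buffers of different byte lengths by throwing.
function nativeRejects(a, b) {
  try {
    crypto.timingSafeEqual(a, b);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample values (the hash is the one from the Usage section).
const hash = '0a4d55a8d778e5022fab701977c5d840bbc486d0';
console.log(constantTimeEquals(hash, hash));               // same value
console.log(constantTimeEquals(hash, hash.slice(0, 8)));   // shorter input
console.log(nativeRejects(Buffer.from(hash), Buffer.from('short')));
```

Because the work done follows the length of the first argument, the secret belongs in the first position, which is the non-commutativity the NOTE refers to.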
Contributing
Contributions are REALLY welcome and if you find a security flaw in this code, PLEASE report it.
Authors
- Simone Primarosa - Github (@simonepri) • Twitter (@simoneprimarosa)
See also the list of contributors who participated in this project.
License
This project is licensed under the MIT License - see the license file for details.