How to use the timingSafeEqual function from crypto

README.md?plain=1

GitHub: mscdex/ssh2

229
230
231
232
233
234
235
236
237
238
  if (autoReject) {
    // Prevent leaking length information by always making a comparison with the
    // same input when lengths don't match what we expect ...
    allowed = input;
  }
  const isMatch = timingSafeEqual(input, allowed);
  return (!autoReject && isMatch);
}

new Server({

657

0

126

+ 7 other calls in file

github-webhook-handler.js

GitHub: rvagg/github-webhook-handler

58
59
60
61
62
63
64
65
66
67
  const sig = Buffer.from(signature)
  const signed = Buffer.from(sign(data))
  if (sig.length !== signed.length) {
    return false
  }
  return crypto.timingSafeEqual(sig, signed)
}

function handler (req, res, callback) {
  let events

135

782

21

compare.js

GitHub: fastify/fastify-bearer-auth

7
8
9
10
11
12
13
    // Delay return with cryptographically secure timing check.
    crypto.timingSafeEqual(a, a)
    return false
  }

  return crypto.timingSafeEqual(a, b)
}

28

123

16

+ 3 other calls in file

app.js

GitHub: joeferner/redis-commander

23
24
25
26
27
28
29
30
31
32
let bufA = crypto.createHmac('sha256', key).update(a).digest();
let bufB = crypto.createHmac('sha256', key).update(b).digest();

let ret = true;
if (crypto.timingSafeEqual) {
  ret = crypto.timingSafeEqual(bufA, bufB);
}
else {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) {

445

0

67

signature.js

GitHub: bottenderjs/messaging-apis

22
23
24
25
26
27
28
29
30
31
if (a.length !== b.length) {
  return false;
}

if (timingSafeEqual) {
  return timingSafeEqual(a, b);
}
let result = 0;
for (let i = 0; i < a.length; i++) {
  result |= a[i] ^ b[i]; /* eslint no-bitwise: 0 */

214

0

62

pre_execution.js

GitHub: pmq20/node-packer

225
226
227
228
229
230
231
232
233
234
} = integrityEntries[i];
const hash = createHash(algorithm);
hash.update(src);
const digest = hash.digest();
if (digest.length === expected.length &&
  timingSafeEqual(digest, expected)) {
  foundMatch = true;
  break;
}
realIntegrities.set(algorithm, digest.toString('base64'));

209

0

80

crypto.js

GitHub: vseryakov/backendjs

215
216
217
218
219
220
221
{
    if (typeof a == "string" && typeof b == "string") {
        return a.length === b.length && crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
    } else
    if (Buffer.isBuffer(a) && Buffer.isBuffer(b)) {
        return a.length === b.length && crypto.timingSafeEqual(a, b);
    }

5

40

9

+ 3 other calls in file

utils.js

GitHub: OpengramJS/opengram

126
127
128
129
130
131
132
133
134
  const bufA = Buffer.allocUnsafe(aLen)
  bufA.write(strA)
  const bufB = Buffer.allocUnsafe(aLen)
  bufB.write(strB)

  return crypto.timingSafeEqual(bufA, bufB) && aLen === bLen
}

module.exports = { getEntities, getText, getMessageFromAnySource, getThreadId, showWarning, timingSafeEqual }

1

21

4

salt.js

GitHub: possientis/Prog

15
16
17
18
19
20
21
22
23
24

const [salt, key] = user.password.split(':');
const hashedBuffer = scryptSync(password, salt, 64);

const keyBuffer = Buffer.from(key, 'hex');
const match = timingSafeEqual(hashedBuffer, keyBuffer);

if (match) {
    return 'login success!'
} else {

0

3

0

index.cjs

GitHub: compwright/defuse-node

103
104
105
106
107
108
109
110
111
112
 * @param Buffer given
 *
 * @return bool
 */
static hashEquals(expected, given) {
  return crypto.timingSafeEqual(expected, given);
}
/**
 * Throws an exception if the condition is false.
 *

0

0

0

+ 2 other calls in file

index.md?plain=1

GitHub: cloudflare/cloudflare-docs

168
169
170
171
172
173
174
175
176
177
  let actualSignature = headers.get('X-Hub-Signature');

  const expectedBuffer = Buffer.from(expectedSignature, 'hex');
  const actualBuffer = Buffer.from(actualSignature, 'hex');
  return expectedBuffer.byteLength == actualBuffer.byteLength &&
             crypto.timingSafeEqual(expectedBuffer, actualBuffer);
}
```

Your `wrangler.toml` file should look like this:

0

0

211