* Constant time password DK compare

* Minor View update * Test module. Start work on module switching functionality. NYW!
2014-11-03 22:53:01 -07:00
parent 1264cdde01
commit eaf2aae48d
4 changed files with 73 additions and 21 deletions
--- a/core/user.js
+++ b/core/user.js
@@ -305,7 +305,23 @@ function authenticate(userName, password, client, cb) {
 			if(err) {
 				cb(false);
 			} else {
-				cb(passDk === propsDk);
+				//
+				//	Use constant time comparison here for security feel-goods
+				//
+				var passDkBuf	= new Buffer(passDk, 'hex');
+				var propsDkBuf	= new Buffer(propsDk, 'hex');
+
+				if(passDkBuf.length !== propsDkBuf.length) {
+					cb(false);
+					return;
+				}
+
+				var c = 0;
+				for(var i = 0; i < passDkBuf.length; i++) {
+					c |= passDkBuf[i] ^ propsDkBuf[i];
+				}
+
+				cb(0 === c);
 			}
 		}
 	);