crypto.timingSafeEqual(a, b)
- a <Buffer> | <TypedArray> | <DataView>
- b <Buffer> | <TypedArray> | <DataView>
- Returns: <boolean>

This function is based on a constant-time algorithm. Returns true if a is equal to b, without leaking timing information that would allow an attacker to guess one of the values. This is suitable for comparing HMAC digests or secret values like authentication cookies or capability URLs.

a and b must both be Buffers, TypedArrays, or DataViews, and they must have the same byte length.

If at least one of a and b is a TypedArray with more than one byte per entry, such as Uint16Array, the result will be computed using the platform byte order.

Use of crypto.timingSafeEqual does not guarantee that the surrounding code is timing-safe. Care should be taken to ensure that the surrounding code does not introduce timing vulnerabilities.
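
The following is an added example, not taken from the Node.js documentation, showing how the same-byte-length requirement and the surrounding-code caveat play out when verifying an HMAC tag and when comparing secrets of differing length. The helper names `sign`, `verifyTag` and `secretsEqual` and the sample key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample key for the demo; in practice load it from a secret store.
const KEY = Buffer.from('constructed-demo-key-not-a-real-secret');

// Compute the HMAC-SHA256 tag for a message (hypothetical helper).
function sign(message, key = KEY) {
  return crypto.createHmac('sha256', key).update(message).digest();
}

// Verify a hex-encoded tag received from an untrusted peer (hypothetical helper).
function verifyTag(message, tagHex, key = KEY) {
  const expected = sign(message, key);
  // Malformed or truncated hex decodes to a shorter buffer, which the
  // length check below rejects.
  const received = Buffer.from(String(tagHex), 'hex');
  // timingSafeEqual throws when byte lengths differ. The digest length is
  // public (32 bytes for SHA-256), so returning early reveals nothing secret.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// Compare two secrets whose lengths may differ, such as an API token.
// Both sides are HMACed under a fresh random key, so the inputs to
// timingSafeEqual are always 32 bytes and no length branch depends on
// the stored secret.
function secretsEqual(supplied, stored) {
  const k = crypto.randomBytes(32);
  const a = crypto.createHmac('sha256', k).update(supplied).digest();
  const b = crypto.createHmac('sha256', k).update(stored).digest();
  return crypto.timingSafeEqual(a, b);
}
```

Avoid converting either digest to a string and comparing with `===` anywhere around these calls, since that reintroduces the early-exit comparison the function is meant to replace.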