crypto.timingSafeEqual(a, b)
- a <ArrayBuffer> | <Buffer> | <TypedArray> | <DataView>
- b <ArrayBuffer> | <Buffer> | <TypedArray> | <DataView>
- Returns: <boolean>
This function compares the underlying bytes that represent the given ArrayBuffer, TypedArray, or DataView instances using a constant-time algorithm.
This function does not leak timing information that would allow an attacker to guess one of the values. This is suitable for comparing HMAC digests or secret values like authentication cookies or capability URLs.
a and b must both be Buffers, TypedArrays, or DataViews, and they must have the same byte length. An error is thrown if a and b have different byte lengths.
If at least one of a and b is a TypedArray with more than one byte per entry, such as Uint16Array, the result will be computed using the platform byte order.
When both of the inputs are Float32Arrays or Float64Arrays, this function might return unexpected results due to IEEE 754 encoding of floating-point numbers. In particular, neither x === y nor Object.is(x, y) implies that the byte representations of two floating-point numbers x and y are equal.
Use of crypto.timingSafeEqual does not guarantee that the surrounding code is timing-safe. Care should be taken to ensure that the surrounding code does not introduce timing vulnerabilities.
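
The HMAC comparison and the equal-byte-length rule described above, as an added example that is not part of the Node.js documentation. The helper names sign, verify and secretsEqual and the sample key are hypothetical and constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample key for the demo; a real key comes from a secret store.
const SAMPLE_KEY = Buffer.from('constructed-demo-key-not-a-real-secret');

// Hypothetical helper: HMAC-SHA256 tag over a message, hex encoded.
function sign(key, message) {
  return crypto.createHmac('sha256', key).update(message).digest('hex');
}

// Hypothetical helper: check a hex tag received from an untrusted client.
function verify(key, message, tagHex) {
  const expected = crypto.createHmac('sha256', key).update(message).digest();
  // The tag length (32 bytes, 64 hex characters) is public, so rejecting on
  // length reveals nothing secret and avoids the error timingSafeEqual
  // throws for inputs of different byte lengths.
  if (typeof tagHex !== 'string' || tagHex.length !== expected.length * 2) {
    return false;
  }
  // Buffer.from(..., 'hex') stops at the first invalid character, so a
  // malformed tag decodes to a shorter buffer and is rejected here.
  const provided = Buffer.from(tagHex, 'hex');
  if (provided.length !== expected.length) return false;
  return crypto.timingSafeEqual(provided, expected);
}

// Hypothetical helper for secrets of arbitrary length, such as a cookie
// value: HMAC both sides under a one-off random key so the two buffers
// handed to timingSafeEqual always have the same byte length.
function secretsEqual(provided, stored) {
  const k = crypto.randomBytes(32);
  const mac = (v) => crypto.createHmac('sha256', k).update(String(v)).digest();
  return crypto.timingSafeEqual(mac(provided), mac(stored));
}
```

Comparing the hex strings with === instead of calling verify would reintroduce the timing leak in the surrounding code that the last paragraph cautions about.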