node package manager


safe, constant-time comparison of Buffers


Safe, constant-time comparison of Buffers.

Since scmp 2.x, Buffers are now required to be passed as arguments. In 1.x, the arguments were assumed to be strings, and were always run through String().

Also, there is a new crypto.timingSafeEqual() since Node v6.6.0. If this function is available, then that will be used, otherwise a scmp-internal implementation will be used.

npm install scmp

To minimize vulnerability against timing attacks.

const scmp = require('scmp');
const Buffer = require('safe-buffer').Buffer;
const hash      = Buffer.from('e727d1464ae12436e899a726da5b2f11d8381b26', 'hex');
const givenHash = Buffer.from('e727e1b80e448a213b392049888111e1779a52db', 'hex');
if (scmp(hash, givenHash)) {
  console.log('good hash');
} else {
  console.log('bad hash');