Improve safeStringCompare using xor (#77)

richterdennis · dcodeIO · commit 648482a5395b · 2018-03-05T18:39:02.000+01:00
diff --git a/src/bcrypt.js b/src/bcrypt.js
@@ -198,18 +198,11 @@ bcrypt.hash = function(s, salt, callback, progressCallback) {
  * @inner
  */
 function safeStringCompare(known, unknown) {
-    var right = 0,
-        wrong = 0;
-    for (var i=0, k=known.length; i<k; ++i) {
-        if (known.charCodeAt(i) === unknown.charCodeAt(i))
-            ++right;
-        else
-            ++wrong;
+    var diff = known.length ^ unknown.length;
+    for (var i=0, i<known.length; ++i) {
+        diff |= known.charCodeAt(i) ^ unknown.charCodeAt(i);
     }
-    // Prevent removal of unused variables (never true, actually)
-    if (right < 0)
-        return false;
-    return wrong === 0;
+    return diff === 0;
 }
 
 /**
