crypto: use timing-safe comparison in Web Cryptography HMAC

panva · aduh95 · commit 52a52ef619aa · 2026-03-22T17:04:56.000+01:00
Use `CRYPTO_memcmp` instead of `memcmp` in `HMAC` Web Cryptography algorithm implementations. Ref: https://hackerone.com/reports/3533945 Backport-PR-URL: nodejs-private/node-private#830 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: nodejs-private/node-private#822 CVE-ID: CVE-2026-21713
diff --git a/src/crypto/crypto_hmac.cc b/src/crypto/crypto_hmac.cc
@@ -264,7 +264,8 @@ MaybeLocal<Value> HmacTraits::EncodeOutput(Environment* env,
       return Boolean::New(
           env->isolate(),
           out->size() > 0 && out->size() == params.signature.size() &&
-              memcmp(out->data(), params.signature.data(), out->size()) == 0);
+              CRYPTO_memcmp(
+                  out->data(), params.signature.data(), out->size()) == 0);
   }
   UNREACHABLE();
 }

Original file line number	Diff line number	Diff line change
`@@ -264,7 +264,8 @@ MaybeLocal<Value> HmacTraits::EncodeOutput(Environment* env,`
`264`	`264`	`return Boolean::New(`
`265`	`265`	`env->isolate(),`
`266`	`266`	`out->size() > 0 && out->size() == params.signature.size() &&`
`267`		`- memcmp(out->data(), params.signature.data(), out->size()) == 0);`
	`267`	`+ CRYPTO_memcmp(`
	`268`	`+ out->data(), params.signature.data(), out->size()) == 0);`
`268`	`269`	`}`
`269`	`270`	`UNREACHABLE();`
`270`	`271`	`}`