restore xor algorithm for compareDigest

Author: PavelSafronov

src/cmap/auth/scram.ts

@@ -186,7 +186,7 @@ async function continueScramConversation(
   const r = await connection.command(ns(`${db}.$cmd`), saslContinueCmd, undefined);
   const parsedResponse = parsePayload(r.payload);
 
-  if (!(await compareDigest(ByteUtils.fromBase64(parsedResponse.v), serverSignature))) {
+  if (!compareDigest(ByteUtils.fromBase64(parsedResponse.v), serverSignature)) {
     throw new MongoRuntimeError('Server returned an invalid signature');
   }
 
@@ -342,25 +342,17 @@ async function HI(data: string, salt: Uint8Array, iterations: number, cryptoMeth
   return saltedData;
 }
 
-async function compareDigest(lhs: Uint8Array, rhs: Uint8Array) {
+function compareDigest(lhs: Uint8Array, rhs: Uint8Array) {
   if (lhs.length !== rhs.length) {
     return false;
   }
 
-  // Compare values using a time-constant algorithm to prevent against timing attacks
-  // The approach is called "Double HMAC Verification".  The basic idea is:
-  // 1. Generate a random key
-  // 2. HMAC the random key with both values
-  // 3. Compare the HMACs using an equality check
-
-  const randomKey = crypto.getRandomValues(new Uint8Array(32));
-  const lhsHMAC = await HMAC('sha256', randomKey, lhs);
-  const rhsHMAC = await HMAC('sha256', randomKey, rhs);
-  const lhsHex = ByteUtils.toHex(lhsHMAC);
-  const rhsHex = ByteUtils.toHex(rhsHMAC);
-  const areEqual = lhsHex === rhsHex;
+  let result = 0;
+  for (let i = 0; i < lhs.length; i++) {
+    result |= lhs[i] ^ rhs[i];
+  }
 
-  return areEqual;
+  return result === 0;
 }
 
 export class ScramSHA1 extends ScramSHA {