Dart constant time string comparison

Tags: github, hash, dart

I'm implementing a github push hook listener in dart, and I've come across this document: https://developer.github.com/webhooks/securing/

where it's written:

Using a plain == operator is not advised. A method like secure_compare performs a “constant time” string comparison, which renders it safe from certain timing attacks against regular equality operators.

I have to compare 2 hashes for equality. Now I was wondering if there was a way to compare strings in constant time in Dart? (read: is there a constant-time string compare function in Dart?)

Pacane asked Oct 24 '25 04:10


1 Answer

The default implementation is not constant time, but you can just create your own comparison function that compares every code unit in the String and does not short-circuit:

bool secureCompare(String a, String b) {
  // String.length is the number of UTF-16 code units, the same units
  // compared by codeUnitAt below.
  if (a.length != b.length) {
    return false;
  }

  // OR every XOR difference into r so the loop never exits early; the
  // running time depends only on the length, not on where a mismatch is.
  var r = 0;
  for (var i = 0; i < a.length; i++) {
    r |= a.codeUnitAt(i) ^ b.codeUnitAt(i);
  }
  return r == 0;
}

This function will perform a constant time String compare as long as the two input Strings are of the same length. Since you are comparing hashes this shouldn't be a problem, but for variable length Strings this method will still leak timing info because it immediately returns if the lengths are not equal.

Pixel Elephant answered Oct 26 '25 02:10
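As an added example (not code from the original page or from the answerer), here is the answer's loop taken one step further for the webhook use case: the length mismatch is turned into a precondition instead of an early return, strings of arbitrary length are compared via fixed-size SHA-256 digests so the loop count no longer depends on their lengths, and the result is wired into an HMAC check of a GitHub delivery. It assumes `package:crypto` is available and that the header being verified is `X-Hub-Signature` carrying `sha1=<hex HMAC-SHA1 of the raw body>`; the secret and body below are constructed for the demo.

```dart
import 'dart:convert';

import 'package:crypto/crypto.dart';

/// Fixed-length constant-time comparison of two byte lists. Same OR-accumulate
/// loop as the answer, over bytes. A length mismatch is a caller error rather
/// than a result, so it cannot become an early-exit timing signal.
bool fixedLengthEquals(List<int> a, List<int> b) {
  if (a.length != b.length) {
    throw ArgumentError('fixedLengthEquals requires equal-length inputs');
  }
  var diff = 0;
  for (var i = 0; i < a.length; i++) {
    diff |= a[i] ^ b[i]; // never break out of the loop
  }
  return diff == 0;
}

/// Constant-time comparison for strings of any length. Both sides are hashed
/// to a 32-byte SHA-256 digest first, so the comparison loop runs the same
/// number of iterations whatever the inputs' lengths. The trailing `==` only
/// executes once the digests already agree, which an attacker cannot arrange
/// for a wrong value without a SHA-256 collision.
bool secureCompare(String a, String b) {
  final da = sha256.convert(utf8.encode(a)).bytes;
  final db = sha256.convert(utf8.encode(b)).bytes;
  return fixedLengthEquals(da, db) && a == b;
}

/// Verify a webhook delivery: recompute HMAC-SHA1 of the raw request body
/// under the shared secret and compare it with the header in constant time.
/// Header format "sha1=<hex>" is assumed here (GitHub's original scheme).
bool verifyGitHubSignature(
  List<int> rawBody,
  String secret,
  String signatureHeader,
) {
  final mac = Hmac(sha1, utf8.encode(secret)).convert(rawBody);
  final expected = 'sha1=$mac'; // Digest.toString() yields lowercase hex
  return secureCompare(expected, signatureHeader);
}

void main() {
  // Constructed sample input, not a real delivery.
  const secret = 'example-webhook-secret';
  final body = utf8.encode('{"ref":"refs/heads/main","after":"abc123"}');

  // The header GitHub would send for this body and secret.
  final goodHeader = 'sha1=${Hmac(sha1, utf8.encode(secret)).convert(body)}';
  // Forgeries: one of the wrong length, one of the right length.
  const shortForgery = 'sha1=deadbeef';
  final wrongMac = 'sha1=${'0' * 40}';

  print(verifyGitHubSignature(body, secret, goodHeader));
  print(verifyGitHubSignature(body, secret, shortForgery));
  print(verifyGitHubSignature(body, secret, wrongMac));
}
```

The genuine header verifies and both forgeries are rejected, and crucially the short forgery takes the same path as the full-length one: `secureCompare` never touches the raw header length, only two 32-byte digests. Note that `String.length` in Dart counts UTF-16 code units, so hashing `utf8.encode(...)` rather than comparing code units directly also sidesteps any confusion between character and code-unit counts.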


