I'm implementing a github push hook listener in dart, and I've come across this document: https://developer.github.com/webhooks/securing/
where it's written:
Using a plain == operator is not advised. A method like secure_compare performs a “constant time” string comparison, which renders it safe from certain timing attacks against regular equality operators.
I have to compare 2 hashes for equality. Now I was wondering if there was a way to compare strings in constant time in Dart? (read: is there a constant-time string compare function in Dart?)
The default implementation is not constant time, but you can just create your own comparison function that compares every code unit in the String and does not short circuit:
bool secureCompare(String a, String b) {
  // A length mismatch is the only early exit (see the note below).
  if (a.codeUnits.length != b.codeUnits.length)
    return false;
  var r = 0;
  // OR together the XOR of every code unit pair and never break out of
  // the loop, so the time taken does not depend on where a mismatch is.
  for (int i = 0; i < a.codeUnits.length; i++) {
    r |= a.codeUnitAt(i) ^ b.codeUnitAt(i);
  }
  return r == 0;
}
This function will perform a constant time String compare as long as the two input Strings are of the same length. Since you are comparing hashes this shouldn't be a problem, but for variable length Strings this method will still leak timing info because it immediately returns if the lengths are not equal.
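As an added example (not part of the question or the answer above), here is how that comparison fits into verifying a GitHub push delivery end to end: the hex digest from the X-Hub-Signature header is decoded to bytes and compared against the locally computed HMAC-SHA1 of the request body, so both sides are always the same fixed size and the length check never reacts to a near-miss. It assumes package:crypto from pub.dev is listed in pubspec.yaml; the secret, body and header values are constructed for the demo.

```dart
// Added example; assumes package:crypto (https://pub.dev/packages/crypto)
// is a dependency in pubspec.yaml. Not code from the original page.
import 'dart:convert';
import 'package:crypto/crypto.dart';

/// Constant-time comparison of two byte lists of equal length.
/// Only a length mismatch returns early; every byte is always visited.
bool constantTimeEquals(List<int> a, List<int> b) {
  if (a.length != b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) {
    diff |= a[i] ^ b[i];
  }
  return diff == 0;
}

/// Decodes a hex string into bytes; throws FormatException on bad input.
List<int> hexDecode(String hex) {
  if (hex.length.isOdd) throw const FormatException('odd length hex string');
  return List<int>.generate(
      hex.length ~/ 2,
      (i) => int.parse(hex.substring(2 * i, 2 * i + 2), radix: 16));
}

/// Verifies the `X-Hub-Signature` header ("sha1=<40 hex chars>") that
/// GitHub attaches to each delivery. The received digest is hex-decoded and
/// compared with the computed HMAC-SHA1 as 20-byte lists, so the length
/// check inside constantTimeEquals only rejects malformed headers.
bool verifyGithubSignature(String secret, String rawBody, String? header) {
  if (header == null || !header.startsWith('sha1=')) return false;
  final List<int> received;
  try {
    received = hexDecode(header.substring('sha1='.length));
  } on FormatException {
    return false;
  }
  final expected =
      Hmac(sha1, utf8.encode(secret)).convert(utf8.encode(rawBody)).bytes;
  return constantTimeEquals(received, expected);
}

void main() {
  // Constructed sample values for the demo; not a real secret or delivery.
  const secret = 'example-webhook-secret';
  const body = '{"ref":"refs/heads/main","repository":{"name":"demo"}}';
  final goodHeader = 'sha1=' +
      Hmac(sha1, utf8.encode(secret)).convert(utf8.encode(body)).toString();

  print(verifyGithubSignature(secret, body, goodHeader));
  print(verifyGithubSignature(secret, body, 'sha1=' + 'f' * 40));
  print(verifyGithubSignature(secret, body + ' ', goodHeader));
  print(verifyGithubSignature(secret, body, 'sha256=not-a-sha1-header'));
  print(verifyGithubSignature(secret, body, null));
}
```

Two points worth noting when wiring this into a real listener: the HMAC must be computed over the exact raw bytes that arrived, before any JSON parsing or re-encoding, and the function returns false for a malformed header rather than throwing, so a bad signature is handled the same way whether it is wrong or simply not a hex digest.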