Extract fixed-time hash comparison into utility method.

dart-lang · Dec 6, 2023 · 1904055 · 1904055
1 parent b36a530
commit 1904055
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 12 deletions.
diff --git a/app/lib/package/export_api_to_bucket.dart b/app/lib/package/export_api_to_bucket.dart
@@ -282,17 +282,7 @@ class ApiExporter {
     if (info.length != bytesAndHash.length) {
       return false;
     }
-    if (bytesAndHash.md5Hash.length != info.md5Hash.length) {
-      return false;
-    }
-    // making sure the timing is fixed
-    var isSame = true;
-    for (var i = 0; i < bytesAndHash.md5Hash.length; i++) {
-      if (bytesAndHash.md5Hash[i] != info.md5Hash[i]) {
-        isSame = false;
-      }
-    }
-    return isSame;
+    return fixedTimeIntListEquals(info.md5Hash, bytesAndHash.md5Hash);
   }
 }
 

diff --git a/app/lib/shared/utils.dart b/app/lib/shared/utils.dart
@@ -277,14 +277,19 @@ extension ByteArrayEqualsExt on List<int> {
 
 /// Compare two strings with with fixed number of operations to prevent timing attacks.
 bool fixedTimeEquals(String a, String b) {
+  return fixedTimeIntListEquals(a.codeUnits, b.codeUnits);
+}
+
+/// Compare two int lists with with fixed number of operations to prevent timing attacks.
+bool fixedTimeIntListEquals(List<int> a, List<int> b) {
   final N = a.length;
   var result = 0;
   if (N != b.length) {
     b = a; // always cycle through a to avoid leaking length
     result = 1; // return false
   }
   for (var i = 0; i < N; i++) {
-    result |= a.codeUnitAt(i) ^ b.codeUnitAt(i);
+    result |= a[i] ^ b[i];
   }
   return result == 0;
 }