Constant time comparison not constant if length different

[diafygi]

The constant time comparison function will return false faster if the two inputs are not equal length[1]. I'm not sure it's a security risk, but Defensive JS has a constant time comparison function that is still constant time even with different input lengths[2].

[arlolra]

The constant time comparison function will return false faster if the two inputs are not equal length[1].

That's true, but the uses of HLP.compare() in the library are with hashes and macs with known length.

I'm not sure it's a security risk, but Defensive JS has a constant time comparison function that is still constant time even with different input lengths[2].

The function you link to has some problems of its own. Depending on how it's optimized, a compiler can recognize that after the first res = false; assignment, it's safe (in terms of correctness) to return, leaking more than just the length. Further, the timing from the instructions to lookup b[i] in (i>>>=0)<b.length?b[i]:'' may leak the length difference we're trying to avoid.

[arlolra]

Also, the assignment res = false; is only executed conditional on the two sides !=, which is leaking timing.

[diafygi]

Gotcha, thanks for the clarification!