Assuming that you are dealing with two strings of the same length (e.g., HMACs) then you can just apply a comparison to each character and accumulate the result:
proc safeequal {s1 s2} {
set equal 1
foreach c1 [split $s1 ""] c2 [split $s2 ""] {
set equal [expr {$equal & ($c1 eq $c2)}]
}
return $equal
}
Now, there might be some timing effects due to split doing character sharing, but they'll be really difficult to exploit to determine the content of the strings as the timings won't be identifiable with a position and will in any case be down in the noise. I can't make my system anywhere near quiet enough for me to see a difference even between comparing two strings (of about HMAC length) that are equal at every character and comparing two that are different at every character.
% time {safeequal qwertyuiopasdfghjklzxcvbnm qwertyuiopasdfghjklzxcvbnm} 100000
9.847818689999999 microseconds per iteration
% time {safeequal qwertyuiopasdfghjklzxcvbnm QWERTYUIOPASDFGHJKLZXCVBNM} 100000
9.78685247 microseconds per iteration
% time {safeequal qwertyuiopasdfghjklzxcvbnm qwertyuiopasdfghjklzxcvbnm} 100000
9.72245421 microseconds per iteration
% time {safeequal qwertyuiopasdfghjklzxcvbnm QWERTYUIOPASDFGHJKLZXCVBNM} 100000
9.88214891 microseconds per iteration
I think I'll add a length check, but otherwise it's Good Enough™.