There are lots of authentication functions which end by comparing two digests. The recent ccm_decrypt_message is typical, ending with
return (memcmp(tag, src + mlength, tlength) == 0);
This can leak information (via cache or timing) on the position of the first difference, which might cause problems in some situations. Would it be a good idea to add a side-channel silent memory comparison function? The hardest question is, as often, how it should be named. But it should be pretty easy to implement, I think
#include <stddef.h>

int
mem_equal (const void *ap, const void *bp, size_t n)
{
  volatile const unsigned char *a = ap;
  volatile const unsigned char *b = bp;
  volatile unsigned char d;
  size_t i;

  /* OR the XOR of every byte pair into d; the loop always runs n times,
     so running time does not depend on where the first difference is. */
  for (i = d = 0; i < n; i++)
    d |= a[i] ^ b[i];

  return d == 0;
}
should do (even if maybe volatile const is an unusual combination of qualifiers). Is this a good name?
The nacl library (by djb et al) includes similar functions, see http://nacl.cr.yp.to/verify.html.
Regards, /Niels
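The following is an added example, not nettle's code and not part of the message above. It puts an early-exit comparison (what memcmp is allowed to do) next to a side-channel silent one, and instruments the early-exit version to show that the number of bytes it reads before rejecting a forged tag is exactly the position of the first difference. The names early_exit_equal, ct_mem_equal, tag_verify and leak_probe are illustrative, and the tag bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>

/* Comparison that stops at the first differing byte, as memcmp may.
   `visited` receives how many bytes were read; for unequal inputs that
   count reveals the position of the first difference, which is the
   leak under discussion. */
int early_exit_equal(const unsigned char *a, const unsigned char *b,
                     size_t n, size_t *visited)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (a[i] != b[i]) {
            *visited = i + 1;
            return 0;
        }
    *visited = n;
    return 1;
}

/* Side-channel silent equality: every byte is read and folded into `d`
   with XOR/OR, so neither the iteration count nor the control flow
   depends on the contents. Returns 1 if equal, 0 otherwise. */
int ct_mem_equal(const void *ap, const void *bp, size_t n)
{
    const volatile unsigned char *a = ap;
    const volatile unsigned char *b = bp;
    unsigned d = 0;
    size_t i;
    for (i = 0; i < n; i++)
        d |= (unsigned)(a[i] ^ b[i]);
    /* d is in 0..255; (d - 1) >> 8 is 1 only when d == 0.  This folds
       the accumulator to 0/1 without a branch on its value. */
    return (int)(((d - 1u) >> 8) & 1u);
}

/* How an AEAD-style decrypt would finish using the silent compare. */
int tag_verify(const unsigned char *expected, const unsigned char *received,
               size_t tlength)
{
    return ct_mem_equal(expected, received, tlength);
}

/* Constructed sample: one reference tag and two forgeries that first
   differ at byte 3 and at byte 12 respectively. */
#define TAG_LEN 16
static const unsigned char tag_ref[TAG_LEN] = {
    0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
    0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f };
static const unsigned char tag_bad3[TAG_LEN] = {
    0x10,0x11,0x12,0xff,0x14,0x15,0x16,0x17,
    0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f };
static const unsigned char tag_bad12[TAG_LEN] = {
    0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
    0x18,0x19,0x1a,0x1b,0xff,0x1d,0x1e,0x1f };

/* Number of bytes the early-exit compare reads before rejecting `forged`. */
size_t leak_probe(const unsigned char *forged)
{
    size_t visited = 0;
    early_exit_equal(tag_ref, forged, TAG_LEN, &visited);
    return visited;
}

int main(void)
{
    printf("early-exit compare reads %zu bytes for bad3, %zu for bad12\n",
           leak_probe(tag_bad3), leak_probe(tag_bad12));
    printf("silent verify: ref=%d bad3=%d bad12=%d\n",
           tag_verify(tag_ref, tag_ref, TAG_LEN),
           tag_verify(tag_ref, tag_bad3, TAG_LEN),
           tag_verify(tag_ref, tag_bad12, TAG_LEN));
    return 0;
}
```

The early-exit variant reads 4 bytes for the first forgery and 13 for the second, so a caller who can measure that difference learns where the guess went wrong; ct_mem_equal reads all 16 in both cases and reports only the final verdict. The volatile qualifier and the branch-free fold at the end are there to keep an optimising compiler from reintroducing an early exit.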