> > Don't forget to use CRYPTO_memcmp for comparing the HMACs, not regular
> > ol' memcmp.
>
> What's the rationale? The HMAC result isn't secret.

The _purported_ tag is public, but the _ground truth_ tag is not. Indeed, that's the whole reason to use a constant-time compare.

Otherwise, an attacker can adaptively construct a valid tag, or forgery, for a chosen message (with no previous valid tag seen) by varying tag bytes and submitting the chosen message with the candidate tag for verification, and measuring the time. A regular memcmp will exit early on the first mismatch between the purported tag and the ground truth tag. In this way, the attack is linear in complexity.

This is the textbook example I give in my crypto courses for timing attacks.

Cheers,
BBB
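The attack described in the post, as an added example that is not part of the thread and not OpenSSL's code. The 16-byte ground-truth tag is a constructed stand-in for HMAC(key, message); the timing side channel is simulated by a counter of how many bytes the compare inspected (an assumption made so the demo is deterministic); `leaky_memcmp` models an early-exit memcmp and `ct_memcmp` is a CRYPTO_memcmp-style compare written here for illustration. The forger fixes one tag byte at a time, keeping the candidate that made the verifier do the most work, so it needs at most 256 * 16 queries against the leaky compare and learns nothing from the constant-time one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16

/* Constructed stand-in for HMAC(key, message): the verifier's ground-truth
 * tag. The attacker never reads it directly; it only calls verify(). */
static const uint8_t secret_tag[TAG_LEN] = {
    0x9f, 0x1c, 0x7a, 0x53, 0xe2, 0x48, 0xb1, 0x6d,
    0x2b, 0xc7, 0x95, 0x0e, 0x64, 0xd8, 0x37, 0x3c
};

/* Simulated side channel (assumption): how many bytes the last compare
 * inspected. A real attacker infers this from response time. */
static size_t g_inspected;

static size_t bytes_inspected(void) { return g_inspected; }

/* Early-exit compare, the behaviour of a typical memcmp: returns at the
 * first differing byte, so its running time reveals the matching prefix. */
static int leaky_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    g_inspected = 0;
    for (size_t i = 0; i < n; i++) {
        g_inspected++;
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* Constant-time compare in the style of CRYPTO_memcmp (own illustration,
 * not OpenSSL's source): always touches all n bytes, returns 0 iff equal. */
static int ct_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    g_inspected = 0;
    for (size_t i = 0; i < n; i++) {
        g_inspected++;
        diff |= a[i] ^ b[i];
    }
    return diff != 0;
}

typedef int (*cmp_fn)(const uint8_t *, const uint8_t *, size_t);

/* The verifier the attacker can query: accepts iff candidate == secret_tag. */
static int verify(cmp_fn cmp, const uint8_t candidate[TAG_LEN])
{
    return cmp(secret_tag, candidate, TAG_LEN) == 0;
}

/* Adaptive forgery: fix one byte at a time, keeping the value that made the
 * verifier inspect the most bytes. At most 256 * TAG_LEN queries, i.e.
 * linear in the tag length instead of 256^TAG_LEN for blind guessing.
 * Returns the number of queries; *accepted tells whether out[] verified. */
static size_t forge_tag(cmp_fn cmp, uint8_t out[TAG_LEN], int *accepted)
{
    size_t queries = 0;
    *accepted = 0;
    memset(out, 0, TAG_LEN);
    for (size_t pos = 0; pos < TAG_LEN; pos++) {
        int best = 0;
        size_t best_depth = 0;
        for (int v = 0; v < 256; v++) {
            out[pos] = (uint8_t)v;
            queries++;
            if (verify(cmp, out)) {
                *accepted = 1;
                return queries;
            }
            if (bytes_inspected() > best_depth) {
                best_depth = bytes_inspected();
                best = v;
            }
        }
        out[pos] = (uint8_t)best;
    }
    queries++;
    *accepted = verify(cmp, out);
    return queries;
}

/* Did the attack end with a tag the verifier accepts? */
static int attack_recovers_tag(cmp_fn cmp)
{
    uint8_t t[TAG_LEN];
    int ok;
    forge_tag(cmp, t, &ok);
    return ok && memcmp(t, secret_tag, TAG_LEN) == 0;
}

/* How many verify() calls the attack spent. */
static size_t attack_query_count(cmp_fn cmp)
{
    uint8_t t[TAG_LEN];
    int ok;
    return forge_tag(cmp, t, &ok);
}

int main(void)
{
    printf("memcmp-style compare:  forged=%d after %zu queries\n",
           attack_recovers_tag(leaky_memcmp), attack_query_count(leaky_memcmp));
    printf("constant-time compare: forged=%d after %zu queries\n",
           attack_recovers_tag(ct_memcmp), attack_query_count(ct_memcmp));
    return 0;
}
```

Against `leaky_memcmp` the forger recovers the whole tag in under 256 * 16 queries; against `ct_memcmp` every query inspects all 16 bytes, so the "best" byte is never distinguishable and the final candidate is rejected. In real code the counter is replaced by wall-clock measurement and statistics over repeated queries, which is why the fix is to remove the data-dependent early exit rather than to add noise.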