As part of a larger security analysis of embedded security architectures and applications, we found that this repository is using a non-constant-time function (secure_memcmp) for comparing secret-dependent memory buffers. This may allow an attacker to brute-force expected authentication tags in linear instead of exponential time.
We recommend using something like libsodium's constant-time comparison (re-use allowed under ISC license):
```c
static inline __attribute__((always_inline))
int cst_memeq(const unsigned char *x_, const unsigned char *y_, unsigned int n)
{
    /* volatile pointers and accumulator keep the compiler from
       short-circuiting the loop once a difference has been found */
    const volatile unsigned char *volatile x = (const volatile unsigned char *volatile) x_;
    const volatile unsigned char *volatile y = (const volatile unsigned char *volatile) y_;
    volatile unsigned int d = 0U;
    unsigned int i;

    /* always touch all n bytes; d collects every differing bit */
    for (i = 0; i < n; i++) {
        d |= x[i] ^ y[i];
    }
    /* d is in 0..255: returns 0 when the buffers are equal and -1 otherwise
       (same convention as libsodium's sodium_memcmp) */
    return (1 & ((d - 1) >> 8)) - 1;
}
```
For more information about our analysis, we invite you to read our paper on exposing timing leakage at different levels of the hardware-software stack, which will appear at the 8th Workshop on System Software for Trusted Execution (SysTEX 2025).
Let us know if you have any questions, and thank you for releasing your work as open source!
@rubenvdijck, @martonbognar, @jovanbulck
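The attack the report describes, as an added, self-contained illustration that is not code from the reporters or from this repository: `leaky_memeq` stands in for an early-exit comparison (the shape of a generic `memcmp`), instrumented with a constructed `leaky_work` counter that plays the role of the timing an attacker would measure; `ct_memeq` is the libsodium-style constant-time construction mapped to a boolean; `recover_via_timing` is a simulated attacker that recovers a constructed 16-byte tag `kExpectedTag` one byte at a time from that counter alone. All names and the sample tag are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed instrumentation: number of byte comparisons the last
 * leaky_memeq call performed. It models the timing an attacker observes;
 * real code never exposes this, the clock does it for the attacker. */
static size_t leaky_work;

/* Early-exit comparison: stops at the first differing byte, so its running
 * time reveals how many leading bytes of the guess matched the expected tag. */
static int leaky_memeq(const unsigned char *a, const unsigned char *b, size_t n)
{
    leaky_work = 0;
    for (size_t i = 0; i < n; i++) {
        leaky_work++;
        if (a[i] != b[i]) {
            return 0;
        }
    }
    return 1;
}

/* Constant-time comparison (same construction as libsodium's sodium_memcmp):
 * touches all n bytes, folds every difference into d, and never branches on
 * the data. Returns 1 if equal, 0 otherwise. volatile keeps the compiler from
 * short-circuiting the loop. */
static int ct_memeq(const unsigned char *a, const unsigned char *b, size_t n)
{
    const volatile unsigned char *volatile x = (const volatile unsigned char *volatile) a;
    const volatile unsigned char *volatile y = (const volatile unsigned char *volatile) b;
    volatile unsigned int d = 0U;
    for (size_t i = 0; i < n; i++) {
        d |= x[i] ^ y[i];
    }
    /* d is 0..255: (d - 1) >> 8 is 0 for d != 0 and has bit 0 set for d == 0 */
    return (int) (1U & ((d - 1U) >> 8));
}

/* Simulated attacker against the leaky compare: for each position tries the
 * 256 byte values and keeps the one that makes the comparison run longer.
 * Cost is at most 256 * n guesses (linear in n) instead of 256^n.
 * Returns the number of guesses spent; out receives the recovered tag. */
static size_t recover_via_timing(const unsigned char *expected, unsigned char *out, size_t n)
{
    size_t guesses = 0;
    memset(out, 0, n);
    for (size_t pos = 0; pos < n; pos++) {
        for (unsigned v = 0; v < 256; v++) {
            out[pos] = (unsigned char) v;
            guesses++;
            int accepted = leaky_memeq(expected, out, n);
            /* a correct byte at pos lets the loop advance past it (work > pos + 1),
             * or accepts the whole tag when pos is the last byte */
            if (accepted || leaky_work > pos + 1) {
                break;
            }
        }
    }
    return guesses;
}

/* Constructed sample tag; a real one would come from a MAC computation. */
static const unsigned char kExpectedTag[16] = {
    0x2a, 0x00, 0xff, 0x10, 0x07, 0x80, 0x01, 0x55,
    0x3c, 0x9e, 0x00, 0x11, 0x42, 0xf0, 0x0a, 0x6d
};

/* Runs the recovery against kExpectedTag; returns the guesses needed, or 0 if
 * the recovered tag does not match (i.e. the side channel was not usable). */
static size_t demo_recovery(void)
{
    unsigned char recovered[sizeof kExpectedTag];
    size_t guesses = recover_via_timing(kExpectedTag, recovered, sizeof kExpectedTag);
    return ct_memeq(kExpectedTag, recovered, sizeof kExpectedTag) ? guesses : 0;
}

int main(void)
{
    size_t guesses = demo_recovery();
    printf("recovered %zu-byte tag through early-exit compare in %zu guesses "
           "(brute force would need up to 256^%zu)\n",
           sizeof kExpectedTag, guesses, sizeof kExpectedTag);
    return guesses == 0;
}
```

With the constant-time compare the only signal that leaves the routine is the final accept/reject bit, so the attacker's best strategy is back to guessing the whole tag; the byte-at-a-time loop above has nothing to key on. The same early-exit problem applies to any `memcmp`-style routine on MACs, signatures, passwords hashes, or session tokens, not only to the function named in the report.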