Honest question. What's wrong with the function?
I have a similar function to ironically enough compare Hmacs in an encryption program I wrote in Java and C#
When I release the source code for the java version I replaced my function with java's own Arrays.equals though
It's not a valid concern in this context, however, because an attacker attempting to bruteforce it can simply code the more efficient comparison and use it.
Timing attacks are a concern on network applications or when considering a block-box type attack.
Don't they also generally depend on the attacker either having access to a steady stream of crypto-events, or being able to cause them? i.e. you either watch a loaded system doing encryption, or create some load and time it yourself.
Neither of which would be relevant to an offline file format.
