Use constant-time comparisons for checksums

2 files changed, 5 insertions, 5 deletions

diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 9d7d7bd6e7..bfa25ae611 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -903,8 +903,8 @@ pkinit_as_rep_parse(krb5_context context,
         }
 
         if ((cksum.length != key_pack->asChecksum.length) ||
-            memcmp(cksum.contents, key_pack->asChecksum.contents,
-                   cksum.length)) {
+            k5_bcmp(cksum.contents, key_pack->asChecksum.contents,
+                    cksum.length) != 0) {
             TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(context, &cksum,
                                                   &key_pack->asChecksum);
             pkiDebug("failed to match the checksums\n");
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 640e835ca8..1179216b5e 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -461,9 +461,9 @@ pkinit_server_verify_padata(krb5_context context,
             goto cleanup;
         }
         if (cksum.length != auth_pack->pkAuthenticator.paChecksum.length ||
-            memcmp(cksum.contents,
-                   auth_pack->pkAuthenticator.paChecksum.contents,
-                   cksum.length)) {
+            k5_bcmp(cksum.contents,
+                    auth_pack->pkAuthenticator.paChecksum.contents,
+                    cksum.length) != 0) {
             pkiDebug("failed to match the checksum\n");
 #ifdef DEBUG_CKSUM
             pkiDebug("calculating checksum on buf size (%d)\n",