authorGreg Hudson <ghudson@mit.edu>2013-10-02 17:58:06 -0400
committerGreg Hudson <ghudson@mit.edu>2013-10-03 15:26:00 -0400
commit07d68eec2788bfe80686608813f644838707c168 (patch)
tree59c01da03dc85a005b5936ecf836eac4fe71c98b /src/lib/gssapi/krb5
parentac7d07c2cc54e9f07fe81ac4c50bcc80ecc7ac54 (diff)
Use constant-time comparisons for checksums
Diffstat (limited to 'src/lib/gssapi/krb5')
-rw-r--r--src/lib/gssapi/krb5/k5unseal.c6
-rw-r--r--src/lib/gssapi/krb5/k5unsealiov.c4
2 files changed, 5 insertions, 5 deletions
diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index aae74fcd1..ca21d43a9 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -309,7 +309,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
cksum.length = 16;
cksum.contents = md5cksum.contents + 16 - cksum.length;
- code = memcmp(cksum.contents, ptr+14, cksum.length);
+ code = k5_bcmp(cksum.contents, ptr + 14, cksum.length);
break;
case SGN_ALG_MD2_5:
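Review bot: The new `k5_bcmp` call on `cksum.contents` has no comment saying why a constant-time compare is needed, so a later cleanup could quietly turn it back into `memcmp`. The same applies to the other two call sites in this file and the two in k5unsealiov.c. I would add above the first one `/* Constant-time compare: memcmp's early exit would let timing reveal how many leading checksum bytes matched. */`. kg_unseal_v1 starts and ends outside the hunk.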
@@ -353,7 +353,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
return(GSS_S_FAILURE);
}
- code = memcmp(md5cksum.contents, ptr+14, 8);
+ code = k5_bcmp(md5cksum.contents, ptr + 14, 8);
/* Falls through to defective-token?? */
default:
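Review bot: The 8-byte `k5_bcmp` result is assigned to `code` and control then runs straight into `default:` with no `break`, while the existing comment (`Falls through to defective-token??`) leaves open whether that is intended. If the default arm rejects the token, as the comment suggests, the comparison result is never consulted; the default body is outside the hunk, so this is inferred. I would replace the comment with a definite one such as `/* SGN_ALG_MD2_5 is not accepted: deliberately fall through and reject the token. */`, or add `break;` if the checksum is meant to be honoured. The literal `8` would also read better as a named length.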
@@ -393,7 +393,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
return(GSS_S_FAILURE);
}
- code = memcmp(md5cksum.contents, ptr+14, cksum_len);
+ code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len);
break;
}
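Review bot: `code` now holds a `k5_bcmp` result, which only distinguishes equal (zero) from different (nonzero), whereas `memcmp` returned an ordering. The code that consumes `code` after the switch is outside the hunk; it should test only `code != 0`, and any `< 0` or `> 0` test would need changing. The offset in `ptr + 14` recurs at every comparison in this commit and, presumably being the checksum's position in the token header, could be a named constant.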
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index 24853abec..e34bda475 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -234,11 +234,11 @@ kg_unseal_v1_iov(krb5_context context,
cksum.length = cksum_len;
cksum.contents = md5cksum.contents + 16 - cksum.length;
- code = memcmp(cksum.contents, ptr + 14, cksum.length);
+ code = k5_bcmp(cksum.contents, ptr + 14, cksum.length);
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
case SGN_ALG_HMAC_MD5:
- code = memcmp(md5cksum.contents, ptr + 14, cksum_len);
+ code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len);
break;
default:
code = 0;
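Review bot: The `default:` arm sets `code = 0`, the same value the `k5_bcmp` arms produce for a matching checksum. What follows `code = 0;` is outside the hunk, so I can't confirm it from here, but the arm should leave with a failure status before any check of `code`; otherwise an unrecognised signing algorithm would be indistinguishable from a verified checksum. Once confirmed, a short comment such as `/* unknown signalg: token is rejected, code is not a match result */` or a nonzero sentinel would make that explicit.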