From eaa40f3df673e7588cf8c39609dca5475c792ab3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Thu, 5 Mar 2026 11:46:33 +0100 Subject: [PATCH] Harden hash comparison in TLS1.2 finished --- src/internal.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index f7f0b26d64..580456f023 100644 --- a/src/internal.c +++ b/src/internal.c @@ -17611,7 +17611,8 @@ int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size, #endif if (sniff == NO_SNIFF) { - if (XMEMCMP(input + *inOutIdx, &ssl->hsHashes->verifyHashes,size) != 0){ + if (ConstantCompare(input + *inOutIdx, + (const byte*)&ssl->hsHashes->verifyHashes, (int)size) != 0) { WOLFSSL_MSG("Verify finished error on hashes"); WOLFSSL_ERROR_VERBOSE(VERIFY_FINISHED_ERROR); return VERIFY_FINISHED_ERROR;