From 5117acb7be1f4d410fb35a100cddb203f0d9afbc Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Wed, 4 Mar 2026 10:49:02 -0700
Subject: [PATCH] harden compare of mac with TLS 1.3 finished

---
 src/tls13.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tls13.c b/src/tls13.c
index a464ce90063..766ccf7d00b 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -11178,7 +11178,7 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     if (sniff == NO_SNIFF) {
         /* Actually check verify data. */
         if (size > WC_MAX_DIGEST_SIZE ||
-                XMEMCMP(input + *inOutIdx, mac, size) != 0){
+                ConstantCompare(input + *inOutIdx, mac, size) != 0){
             WOLFSSL_MSG("Verify finished error on hashes");
             SendAlert(ssl, alert_fatal, decrypt_error);
             WOLFSSL_ERROR_VERBOSE(VERIFY_FINISHED_ERROR);