diff --git a/dbutil.c b/dbutil.c
index 8ee6050ce371bccd4e97f7cda6d84100068290bb..2589e1a77d869a488dd862694176ace046eafa1c 100644
--- a/dbutil.c
+++ b/dbutil.c
@@ -884,3 +884,16 @@ int m_str_to_uint(const char* str, unsigned int *val) {
 		return DROPBEAR_SUCCESS;
 	}
 }
+
+int constant_time_memcmp(const void* a, const void *b, size_t n)
+{
+	const char *xa = a, *xb = b;
+	uint8_t c = 0;
+	size_t i;
+	for (i = 0; i < n; i++)
+	{
+		c |= (xa[i] ^ xb[i]);
+	}
+	return c;
+}
+
diff --git a/dbutil.h b/dbutil.h
index 3af79f728627d84c5ff33cfbd6188421bc008752..a34ddd754a3f9ec4922d3e33fcd4b8c73baf7d23 100644
--- a/dbutil.h
+++ b/dbutil.h
@@ -94,4 +94,7 @@ int m_str_to_uint(const char* str, unsigned int *val);
 /* Dropbear assertion */
 #define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
 
+/* Returns 0 if a and b have the same contents */
+int constant_time_memcmp(const void* a, const void *b, size_t n);
+
 #endif /* _DBUTIL_H_ */
diff --git a/packet.c b/packet.c
index d458ccf791c4fdee369a2af312b5e3ca67bc9dfe..4ebd0d716860b74cc282c463e5709b8074298eab 100644
--- a/packet.c
+++ b/packet.c
@@ -376,7 +376,7 @@ static int checkmac() {
 
 	/* compare the hash */
 	buf_setpos(ses.readbuf, contents_len);
-	if (memcmp(mac_bytes, buf_getptr(ses.readbuf, mac_size), mac_size) != 0) {
+	if (constant_time_memcmp(mac_bytes, buf_getptr(ses.readbuf, mac_size), mac_size) != 0) {
 		return DROPBEAR_FAILURE;
 	} else {
 		return DROPBEAR_SUCCESS;
diff --git a/svr-authpasswd.c b/svr-authpasswd.c
index 17dd2a1b166b935feb230449d069b4af474f3f01..7a5a1210235d62fd06bbac94e10d18da57bbf35c 100644
--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@@ -33,6 +33,17 @@
 
 #ifdef ENABLE_SVR_PASSWORD_AUTH
 
+static int constant_time_strcmp(const char* a, const char* b) {
+	size_t la = strlen(a);
+	size_t lb = strlen(b);
+
+	if (la != lb) {
+		return 1;
+	}
+
+	return constant_time_memcmp(a, b, la);
+}
+
 /* Process a password auth request, sending success or failure messages as
  * appropriate */
 void svr_auth_password() {
@@ -82,7 +93,7 @@ void svr_auth_password() {
 		return;
 	}
 
-	if (strcmp(testcrypt, passwdcrypt) == 0) {
+	if (constant_time_strcmp(testcrypt, passwdcrypt) == 0) {
 		/* successful authentication */
 		dropbear_log(LOG_NOTICE, 
 				"Password auth succeeded for '%s' from %s",