diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index ae0feb9f627..350a735a89b 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -777,7 +777,7 @@ ah_input_cb(struct cryptop *crp)
 
 	/* Verify authenticator. */
 	ptr = (caddr_t) (tc + 1);
-	if (bcmp(ptr + skip + rplen, calc, authsize)) {
+	if (timingsafe_bcmp(ptr + skip + rplen, calc, authsize)) {
 		DPRINTF(("%s: authentication hash mismatch for packet "
 		    "in SA %s/%08lx\n", __func__,
 		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 67551caef43..d8182dfdf58 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -534,7 +534,7 @@ esp_input_cb(struct cryptop *crp)
 		ptr = (caddr_t) (tc + 1);
 
 		/* Verify authenticator */
-		if (bcmp(ptr, aalg, alen) != 0) {
+		if (timingsafe_bcmp(ptr, aalg, alen) != 0) {
 			DPRINTF(("%s: authentication hash mismatch for "
 			    "packet in SA %s/%08lx\n", __func__,
 			    ipsec_address(&saidx->dst, buf, sizeof(buf)),