Move const time memory comparison utils to ct_utils.h

src/cli/zfec.cpp

@@ -8,6 +8,7 @@
 
 #if defined(BOTAN_HAS_ZFEC) && defined(BOTAN_HAS_SHA2_64)
    #include <botan/hash.h>
+   #include <botan/mem_ops.h>
    #include <botan/zfec.h>
    #include <botan/internal/loadstor.h>
    #include <fstream>
@@ -70,7 +71,7 @@ class FEC_Share final {
          hash.update(bits, len - hash_len);
          auto share_hash = hash.final();
 
-         const bool digest_ok = Botan::same_mem(share_hash.data(), &bits[len - hash_len], hash_len);
+         const bool digest_ok = Botan::constant_time_compare(share_hash.data(), &bits[len - hash_len], hash_len);
 
          if(!digest_ok) {
             throw CLI_Error("FEC share has invalid hash");
@@ -251,7 +252,8 @@ class FEC_Decode final : public Command {
 
          auto decoded_digest = hash->process(decoded.data(), decoded.size() - (hash_len + padding));
 
-         if(!Botan::same_mem(decoded_digest.data(), &decoded[decoded.size() - (hash_len + padding)], hash_len)) {
+         if(!Botan::constant_time_compare(
+               decoded_digest.data(), &decoded[decoded.size() - (hash_len + padding)], hash_len)) {
             throw CLI_Error("Recovered data failed digest check");
          }
 

src/lib/asn1/asn1_str.cpp

@@ -37,7 +37,7 @@ ASN1_Type choose_encoding(std::string_view str) {
       all_printable &= is_printable;
    }
 
-   if(all_printable.is_set()) {
+   if(all_printable.as_bool()) {
       return ASN1_Type::PrintableString;
    } else {
       return ASN1_Type::Utf8String;

src/lib/compat/sodium/sodium_secretbox.cpp

@@ -9,6 +9,7 @@
 #include <botan/mac.h>
 #include <botan/secmem.h>
 #include <botan/stream_cipher.h>
+#include <botan/internal/ct_utils.h>
 
 namespace Botan {
 
@@ -54,7 +55,7 @@ int Sodium::crypto_secretbox_xsalsa20poly1305_open(
    poly1305->update(ctext + 32, ctext_len - 32);
    secure_vector<uint8_t> computed = poly1305->final();
 
-   if(!constant_time_compare(computed.data(), ctext + 16, 16)) {
+   if(CT::is_not_equal(computed.data(), ctext + 16, 16).as_bool()) {
       return -1;
    }
 
@@ -105,7 +106,7 @@ int Sodium::crypto_secretbox_open_detached(uint8_t ptext[],
    poly1305->update(ctext, ctext_len);
    secure_vector<uint8_t> computed_mac = poly1305->final();
 
-   if(!constant_time_compare(mac, computed_mac.data(), computed_mac.size())) {
+   if(!CT::is_equal(mac, computed_mac.data(), computed_mac.size()).as_bool()) {
       return -1;
    }
 

src/lib/compat/sodium/sodium_utils.cpp

@@ -41,24 +41,25 @@ void Sodium::randombytes_buf_deterministic(void* buf, size_t size, const uint8_t
 }
 
 int Sodium::crypto_verify_16(const uint8_t x[16], const uint8_t y[16]) {
-   return same_mem(x, y, 16);
+   return static_cast<int>(CT::is_equal(x, y, 16).select(1, 0));
 }
 
 int Sodium::crypto_verify_32(const uint8_t x[32], const uint8_t y[32]) {
-   return same_mem(x, y, 32);
+   return static_cast<int>(CT::is_equal(x, y, 32).select(1, 0));
 }
 
 int Sodium::crypto_verify_64(const uint8_t x[64], const uint8_t y[64]) {
-   return same_mem(x, y, 64);
+   return static_cast<int>(CT::is_equal(x, y, 64).select(1, 0));
 }
 
 void Sodium::sodium_memzero(void* ptr, size_t len) {
    secure_scrub_memory(ptr, len);
 }
 
 int Sodium::sodium_memcmp(const void* x, const void* y, size_t len) {
-   const bool same = constant_time_compare(static_cast<const uint8_t*>(x), static_cast<const uint8_t*>(y), len);
-   return same ? 0 : -1;
+   const auto same = CT::is_equal(static_cast<const uint8_t*>(x), static_cast<const uint8_t*>(y), len);
+   // Return 0 if same or -1 if differing
+   return static_cast<int>(same.select(1, 0)) - 1;
 }
 
 int Sodium::sodium_compare(const uint8_t x[], const uint8_t y[], size_t len) {

src/lib/ffi/ffi.cpp

@@ -10,6 +10,7 @@
 #include <botan/hex.h>
 #include <botan/mem_ops.h>
 #include <botan/version.h>
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/ffi_util.h>
 #include <botan/internal/os_utils.h>
 #include <cstdio>
@@ -290,7 +291,9 @@ uint32_t botan_version_datestamp() {
 }
 
 int botan_constant_time_compare(const uint8_t* x, const uint8_t* y, size_t len) {
-   return Botan::constant_time_compare(x, y, len) ? 0 : -1;
+   auto same = Botan::CT::is_equal(x, y, len);
+   // Return 0 if same or -1 otherwise
+   return static_cast<int>(same.select(1, 0)) - 1;
 }
 
 int botan_same_mem(const uint8_t* x, const uint8_t* y, size_t len) {

src/lib/mac/mac.cpp

@@ -9,6 +9,7 @@
 
 #include <botan/exceptn.h>
 #include <botan/mem_ops.h>
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/scan_name.h>
 
 #if defined(BOTAN_HAS_CMAC)
@@ -169,7 +170,7 @@ bool MessageAuthenticationCode::verify_mac_result(std::span<const uint8_t> mac)
       return false;
    }
 
-   return constant_time_compare(our_mac.data(), mac.data(), mac.size());
+   return CT::is_equal(our_mac.data(), mac.data(), mac.size()).as_bool();
 }
 
 }  // namespace Botan

src/lib/math/bigint/bigint.cpp

@@ -165,7 +165,7 @@ bool BigInt::is_equal(const BigInt& other) const {
       return false;
    }
 
-   return bigint_ct_is_eq(this->data(), this->sig_words(), other.data(), other.sig_words()).is_set();
+   return bigint_ct_is_eq(this->data(), this->sig_words(), other.data(), other.sig_words()).as_bool();
 }
 
 bool BigInt::is_less_than(const BigInt& other) const {
@@ -178,10 +178,10 @@ bool BigInt::is_less_than(const BigInt& other) const {
    }
 
    if(other.is_negative() && this->is_negative()) {
-      return bigint_ct_is_lt(other.data(), other.sig_words(), this->data(), this->sig_words()).is_set();
+      return bigint_ct_is_lt(other.data(), other.sig_words(), this->data(), this->sig_words()).as_bool();
    }
 
-   return bigint_ct_is_lt(this->data(), this->sig_words(), other.data(), other.sig_words()).is_set();
+   return bigint_ct_is_lt(this->data(), this->sig_words(), other.data(), other.sig_words()).as_bool();
 }
 
 void BigInt::encode_words(word out[], size_t size) const {

src/lib/math/bigint/divide.cpp

@@ -40,7 +40,7 @@ inline bool division_check(word q, word y2, word y1, word x3, word x2, word x1)
    const word x[3] = {x1, x2, x3};
    const word y[3] = {y1, y2, y3};
 
-   return bigint_ct_is_lt(x, 3, y, 3).is_set();
+   return bigint_ct_is_lt(x, 3, y, 3).as_bool();
 }
 
 }  // namespace
@@ -98,7 +98,7 @@ void ct_divide_word(const BigInt& x, word y, BigInt& q_out, word& r_out) {
       r += x_b;
 
       const auto r_gte_y = CT::Mask<word>::is_gte(r, y) | r_carry;
-      q.conditionally_set_bit(b, r_gte_y.is_set());
+      q.conditionally_set_bit(b, r_gte_y.as_bool());
       r = r_gte_y.select(r - y, r);
    }
 

src/lib/math/numbertheory/make_prm.cpp

@@ -54,7 +54,7 @@ class Prime_Sieve final {
             }
          }
 
-         return passes.is_set();
+         return passes.as_bool();
       }
 
    private:

src/lib/math/numbertheory/mod_inv.cpp

@@ -108,7 +108,7 @@ BigInt inverse_mod_odd_modulus(const BigInt& n, const BigInt& mod) {
       b_is_1 &= CT::Mask<word>::is_zero(b_w[i]);
    }
 
-   BOTAN_ASSERT(a_is_0.is_set(), "A is zero");
+   BOTAN_ASSERT(a_is_0.as_bool(), "A is zero");
 
    // if b != 1 then gcd(n,mod) > 1 and inverse does not exist
    // in which case zero out the result to indicate this

src/lib/misc/cryptobox/cryptobox.cpp

@@ -14,6 +14,7 @@
 #include <botan/pem.h>
 #include <botan/pwdhash.h>
 #include <botan/rng.h>
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/loadstor.h>
 
 namespace Botan::CryptoBox {
@@ -132,7 +133,7 @@ secure_vector<uint8_t> decrypt_bin(const uint8_t input[], size_t input_len, std:
    }
    secure_vector<uint8_t> computed_mac = hmac->final();
 
-   if(!constant_time_compare(computed_mac.data(), box_mac, MAC_OUTPUT_LEN)) {
+   if(!CT::is_equal(computed_mac.data(), box_mac, MAC_OUTPUT_LEN).as_bool()) {
       throw Decoding_Error("CryptoBox integrity failure");
    }
 

src/lib/misc/tss/tss.cpp

@@ -10,6 +10,7 @@
 #include <botan/hash.h>
 #include <botan/hex.h>
 #include <botan/rng.h>
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/loadstor.h>
 
 namespace Botan {
@@ -215,7 +216,7 @@ secure_vector<uint8_t> RTSS_Share::reconstruct(const std::vector<RTSS_Share>& sh
             throw Decoding_Error("Different sized RTSS shares detected");
          }
 
-         if(!same_mem(&shares[0].m_contents[0], &shares[i].m_contents[0], RTSS_HEADER_SIZE)) {
+         if(!CT::is_equal(&shares[0].m_contents[0], &shares[i].m_contents[0], RTSS_HEADER_SIZE).as_bool()) {
             throw Decoding_Error("Different RTSS headers detected");
          }
       }
@@ -289,7 +290,7 @@ secure_vector<uint8_t> RTSS_Share::reconstruct(const std::vector<RTSS_Share>& sh
       hash->update(recovered.data(), secret_len);
       secure_vector<uint8_t> hash_check = hash->final();
 
-      if(!constant_time_compare(hash_check.data(), &recovered[secret_len], hash->output_length())) {
+      if(!CT::is_equal(hash_check.data(), &recovered[secret_len], hash->output_length()).as_bool()) {
          throw Decoding_Error("RTSS hash check failed");
       }
 

src/lib/modes/aead/ccm/ccm.cpp

@@ -8,6 +8,7 @@
 
 #include <botan/internal/ccm.h>
 
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/fmt.h>
 #include <botan/internal/loadstor.h>
 
@@ -265,7 +266,7 @@ void CCM_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
 
    T ^= S0;
 
-   if(!constant_time_compare(T.data(), buf_end, tag_size())) {
+   if(!CT::is_equal(T.data(), buf_end, tag_size()).as_bool()) {
       throw Invalid_Authentication_Tag("CCM tag check failed");
    }
 

src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp

@@ -8,6 +8,7 @@
 
 #include <botan/internal/chacha20poly1305.h>
 
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/loadstor.h>
 
 namespace Botan {
@@ -158,7 +159,7 @@ void ChaCha20Poly1305_Decryption::finish_msg(secure_vector<uint8_t>& buffer, siz
    m_ctext_len = 0;
    m_nonce_len = 0;
 
-   if(!constant_time_compare(mac, included_tag, tag_size())) {
+   if(!CT::is_equal(mac, included_tag, tag_size()).as_bool()) {
       throw Invalid_Authentication_Tag("ChaCha20Poly1305 tag check failed");
    }
    buffer.resize(offset + remaining);

src/lib/modes/aead/eax/eax.cpp

@@ -9,6 +9,7 @@
 #include <botan/internal/eax.h>
 
 #include <botan/internal/cmac.h>
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/ctr.h>
 #include <botan/internal/fmt.h>
 
@@ -176,7 +177,7 @@ void EAX_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
 
    mac ^= m_ad_mac;
 
-   bool accept_mac = constant_time_compare(mac.data(), included_tag, tag_size());
+   const bool accept_mac = CT::is_equal(mac.data(), included_tag, tag_size()).as_bool();
 
    buffer.resize(offset + remaining);
 

src/lib/modes/aead/gcm/gcm.cpp

@@ -9,6 +9,7 @@
 #include <botan/internal/gcm.h>
 
 #include <botan/block_cipher.h>
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/ctr.h>
 #include <botan/internal/fmt.h>
 #include <botan/internal/ghash.h>
@@ -167,7 +168,7 @@ void GCM_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
 
    const uint8_t* included_tag = &buffer[remaining + offset];
 
-   if(!constant_time_compare(mac.data(), included_tag, tag_size())) {
+   if(!CT::is_equal(mac.data(), included_tag, tag_size()).as_bool()) {
       throw Invalid_Authentication_Tag("GCM tag check failed");
    }
 

src/lib/modes/aead/ocb/ocb.cpp

@@ -10,6 +10,7 @@
 
 #include <botan/block_cipher.h>
 #include <botan/internal/bit_ops.h>
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/poly_dbl.h>
 
 namespace Botan {
@@ -486,7 +487,7 @@ void OCB_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
    // compare mac
    const uint8_t* included_tag = &buf[remaining];
 
-   if(!constant_time_compare(mac.data(), included_tag, tag_size())) {
+   if(!CT::is_equal(mac.data(), included_tag, tag_size()).as_bool()) {
       throw Invalid_Authentication_Tag("OCB tag check failed");
    }
 

src/lib/modes/aead/siv/siv.cpp

@@ -10,6 +10,7 @@
 
 #include <botan/block_cipher.h>
 #include <botan/internal/cmac.h>
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/ctr.h>
 #include <botan/internal/poly_dbl.h>
 
@@ -187,7 +188,7 @@ void SIV_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
 
    const secure_vector<uint8_t> T = S2V(buffer.data() + offset, buffer.size() - offset - V.size());
 
-   if(!constant_time_compare(T.data(), V.data(), T.size())) {
+   if(!CT::is_equal(T.data(), V.data(), T.size()).as_bool()) {
       throw Invalid_Authentication_Tag("SIV tag check failed");
    }
 

src/lib/passhash/argon2fmt/argon2fmt.cpp

@@ -9,6 +9,7 @@
 #include <botan/base64.h>
 #include <botan/pwdhash.h>
 #include <botan/rng.h>
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/fmt.h>
 #include <botan/internal/parsing.h>
 
@@ -139,7 +140,7 @@ bool argon2_check_pwhash(const char* password, size_t password_len, std::string_
 
    pwdhash->derive_key(generated.data(), generated.size(), password, password_len, salt.data(), salt.size());
 
-   return constant_time_compare(generated.data(), hash.data(), generated.size());
+   return CT::is_equal(generated.data(), hash.data(), generated.size()).as_bool();
 }
 
 }  // namespace Botan

src/lib/passhash/bcrypt/bcrypt.cpp

@@ -176,7 +176,8 @@ bool check_bcrypt(std::string_view pass, std::string_view hash) {
 
    const std::string compare = make_bcrypt(pass, salt, workfactor, bcrypt_version);
 
-   return same_mem(hash.data(), compare.data(), compare.size());
+   return CT::is_equal(cast_char_ptr_to_uint8(hash.data()), cast_char_ptr_to_uint8(compare.data()), compare.size())
+      .as_bool();
 }
 
 }  // namespace Botan

src/lib/passhash/passhash9/passhash9.cpp

@@ -10,6 +10,7 @@
 #include <botan/base64.h>
 #include <botan/pbkdf2.h>
 #include <botan/rng.h>
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/loadstor.h>
 
 namespace Botan {
@@ -119,8 +120,9 @@ bool check_passhash9(std::string_view pass, std::string_view hash) {
       kdf.derive_key(PASSHASH9_PBKDF_OUTPUT_LEN, pass, &bin[ALGID_BYTES + WORKFACTOR_BYTES], SALT_BYTES, kdf_iterations)
          .bits_of();
 
-   return constant_time_compare(
-      cmp.data(), &bin[ALGID_BYTES + WORKFACTOR_BYTES + SALT_BYTES], PASSHASH9_PBKDF_OUTPUT_LEN);
+   const uint8_t* hashbytes = &bin[ALGID_BYTES + WORKFACTOR_BYTES + SALT_BYTES];
+
+   return CT::is_equal(cmp.data(), hashbytes, PASSHASH9_PBKDF_OUTPUT_LEN).as_bool();
 }
 
 bool is_passhash9_alg_supported(uint8_t alg_id) {

src/lib/pk_pad/eme_oaep/oaep.cpp

@@ -117,7 +117,9 @@ secure_vector<uint8_t> oaep_find_delim(uint8_t& valid_mask,
 
    // If we never saw any non-zero byte, then it's not valid input
    bad_input_m |= waiting_for_delim;
-   bad_input_m |= CT::Mask<uint8_t>::is_zero(ct_compare_u8(&input[hlen], Phash.data(), hlen));
+
+   // If the P hash is wrong, then it's not valid
+   bad_input_m |= CT::is_not_equal(&input[hlen], Phash.data(), hlen);
 
    delim_idx += 1;