Make OPENSSL_memcmp constant-time while preserving ordering

Rewrite OPENSSL_memcmp to iterate the full length and capture the
lowest-index differing byte pair via constant_time_select, so it
returns memcmp's negative/zero/positive ordering without leaking
timing information about where bytes differ.

Replace all OPENSSL_memcmp_ordered callers (which used plain memcmp)
with the new OPENSSL_memcmp and remove the helper.

Author: WillChilds-Klein

crypto/asn1/asn1_lib.c

@@ -350,7 +350,7 @@ int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b) {
     return 1;
   }
 
-  int ret = OPENSSL_memcmp_ordered(a->data, b->data, a_length);
+  int ret = OPENSSL_memcmp(a->data, b->data, a_length);
   if (ret != 0) {
     return ret;
   }

crypto/asn1/tasn_enc.c

@@ -370,7 +370,7 @@ static int der_cmp(const void *a, const void *b) {
   const DER_ENC *d1 = a, *d2 = b;
   int cmplen, i;
   cmplen = (d1->length < d2->length) ? d1->length : d2->length;
-  i = OPENSSL_memcmp_ordered(d1->data, d2->data, cmplen);
+  i = OPENSSL_memcmp(d1->data, d2->data, cmplen);
   if (i) {
     return i;
   }

crypto/bytestring/cbb.c

@@ -655,7 +655,7 @@ static int compare_set_of_element(const void *a_ptr, const void *b_ptr) {
   const CBS *a = a_ptr, *b = b_ptr;
   size_t a_len = CBS_len(a), b_len = CBS_len(b);
   size_t min_len = a_len < b_len ? a_len : b_len;
-  int ret = OPENSSL_memcmp_ordered(CBS_data(a), CBS_data(b), min_len);
+  int ret = OPENSSL_memcmp(CBS_data(a), CBS_data(b), min_len);
   if (ret != 0) {
     return ret;
   }

crypto/internal.h

@@ -803,8 +803,10 @@ static inline uint64_t CRYPTO_bswap8(uint64_t x) {
 // These wrapper functions behave the same as the corresponding C standard
 // functions, but behave as expected when passed NULL if the length is zero.
 //
-// |OPENSSL_memcmp| delegates to |CRYPTO_memcmp| to provide constant-time
-// comparison, preventing timing side-channel attacks.
+// |OPENSSL_memcmp| performs a constant-time comparison that preserves the
+// ordering semantics of |memcmp| (negative, zero, or positive). It iterates
+// over the full length regardless of where the first differing byte is, so it
+// can be used safely with secret data without leaking timing information.
 
 // C++ defines |memchr| as a const-correct overload.
 #if defined(__cplusplus)
@@ -843,20 +845,21 @@ static inline void *OPENSSL_memchr(const void *s, int c, size_t n) {
 #endif  // __cplusplus
 
 static inline int OPENSSL_memcmp(const void *s1, const void *s2, size_t n) {
-  return CRYPTO_memcmp(s1, s2, n);
-}
-
-// OPENSSL_memcmp_ordered wraps memcmp with NULL-safe behavior for n == 0.
-// Unlike |OPENSSL_memcmp|, it preserves ordering semantics (negative, zero,
-// positive return values) and is NOT constant-time. Use this only for
-// comparisons of non-secret data that require ordering.
-static inline int OPENSSL_memcmp_ordered(const void *s1, const void *s2,
-                                         size_t n) {
-  if (n == 0) {
-    return 0;
+  const uint8_t *a = (const uint8_t *)s1;
+  const uint8_t *b = (const uint8_t *)s2;
+  // Walk from the end so the lowest-index differing byte (the one that decides
+  // memcmp's sign) is the last write to |result|. Equal-byte iterations leave
+  // |result| unchanged. The loop always runs |n| iterations, so timing depends
+  // only on |n|.
+  int result = 0;
+  for (size_t i = n; i > 0; i--) {
+    uint8_t ai = a[i - 1];
+    uint8_t bi = b[i - 1];
+    crypto_word_t diff_mask =
+        ~constant_time_is_zero_w((crypto_word_t)(ai ^ bi));
+    result = constant_time_select_int(diff_mask, (int)ai - (int)bi, result);
   }
-
-  return memcmp(s1, s2, n);
+  return result;
 }
 
 static inline void *OPENSSL_memcpy(void *dst, const void *src, size_t n) {

crypto/obj/obj.c

@@ -115,7 +115,7 @@ int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b) {
   } else if (a->length > b->length) {
     return 1;
   }
-  return OPENSSL_memcmp_ordered(a->data, b->data, a->length);
+  return OPENSSL_memcmp(a->data, b->data, a->length);
 }
 
 const uint8_t *OBJ_get0_data(const ASN1_OBJECT *obj) {

crypto/pool/pool.c

@@ -27,7 +27,7 @@ static int CRYPTO_BUFFER_cmp(const CRYPTO_BUFFER *a, const CRYPTO_BUFFER *b) {
   if (a->len != b->len) {
     return 1;
   }
-  return OPENSSL_memcmp_ordered(a->data, b->data, a->len);
+  return OPENSSL_memcmp(a->data, b->data, a->len);
 }
 
 CRYPTO_BUFFER_POOL* CRYPTO_BUFFER_POOL_new(void) {

crypto/x509/x509_cmp.c

@@ -83,7 +83,7 @@ int X509_cmp(const X509 *a, const X509 *b) {
   x509v3_cache_extensions((X509 *)a);
   x509v3_cache_extensions((X509 *)b);
 
-  return OPENSSL_memcmp_ordered(a->cert_hash, b->cert_hash, SHA256_DIGEST_LENGTH);
+  return OPENSSL_memcmp(a->cert_hash, b->cert_hash, SHA256_DIGEST_LENGTH);
 }
 
 int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) {
@@ -111,7 +111,7 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) {
     return ret;
   }
 
-  return OPENSSL_memcmp_ordered(a->canon_enc, b->canon_enc, a->canon_enclen);
+  return OPENSSL_memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
 }
 
 uint32_t X509_NAME_hash(X509_NAME *x) {