Make ec_felem_equal constant-time. This doesn't fix any particular issue, but we may as well use the constant-time comparison to be more robust. Change-Id: I96dffce7fe153a7dd4eec226a6b42dcea240c3f1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/40591 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/fipsmodule/ec/felem.c b/crypto/fipsmodule/ec/felem.c
index 713b6b8..be178f5 100644
--- a/crypto/fipsmodule/ec/felem.c
+++ b/crypto/fipsmodule/ec/felem.c
@@ -94,8 +94,6 @@ int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a, const EC_FELEM *b) {
- // Note this function is variable-time. Constant-time operations should use
- // |ec_felem_non_zero_mask|.
- return OPENSSL_memcmp(a->words, b->words,
- group->field.width * sizeof(BN_ULONG)) == 0;
+ return CRYPTO_memcmp(a->words, b->words,
+ group->field.width * sizeof(BN_ULONG)) == 0;
 }
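Review bot: The constant-time property now rests entirely on CRYPTO_memcmp, but the `== 0` in the new return line collapses its result into a plain 0/1 int, so any caller that branches or indexes on the return value reintroduces a data-dependent path, and the removed pointer to `ec_felem_non_zero_mask` was the only place that guidance lived. The new header comment in the internal.h hunk says nothing about timing either, so I would restore the guidance there: `// ec_felem_equal returns one if |a| and |b| are equal and zero otherwise. The comparison is constant-time, but the result is an int, not a mask; code that must select without branching should use |ec_felem_non_zero_mask|.` The function still compares the raw |words| arrays exactly as the OPENSSL_memcmp version did, so equal field elements held in different representations would presumably compare unequal; if callers rely on inputs being fully reduced, that precondition belongs in the same comment. The enclosing function is fully within the hunk.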
diff --git a/crypto/fipsmodule/ec/internal.h b/crypto/fipsmodule/ec/internal.h
index 7295335..5a40d9d 100644
--- a/crypto/fipsmodule/ec/internal.h
+++ b/crypto/fipsmodule/ec/internal.h
@@ -218,8 +218,7 @@ void ec_felem_select(const EC_GROUP *group, EC_FELEM *out, BN_ULONG mask, const EC_FELEM *a, const EC_FELEM *b);
-// ec_felem_equal returns one if |a| and |b| are equal and zero otherwise. It
-// treats |a| and |b| as public and does *not* run in constant time.
+// ec_felem_equal returns one if |a| and |b| are equal and zero otherwise.
 int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a, const EC_FELEM *b);