
LibCrypto: Use AK::timing_safe_compare to validate sensitive data

Addresses one FIXME in GCM, and another similar issue in EMSA_PSS.
We should be using constant time memory comparisons in all of our
crypto code.
Brian Gianforcaro 3 lat temu
rodzic
commit
0a5321b3f9

+ 2 - 2
Userland/Libraries/LibCrypto/Cipher/Mode/GCM.h

@@ -6,6 +6,7 @@
 
 #pragma once
 
+#include <AK/Memory.h>
 #include <AK/OwnPtr.h>
 #include <AK/StringBuilder.h>
 #include <AK/StringView.h>
@@ -124,12 +125,11 @@ public:
         block0.apply_initialization_vector({ auth_tag.data, array_size(auth_tag.data) });
 
         auto test_consistency = [&] {
-            if (block0.block_size() != tag.size() || __builtin_memcmp(block0.bytes().data(), tag.data(), tag.size()) != 0)
+            if (block0.block_size() != tag.size() || !timing_safe_compare(block0.bytes().data(), tag.data(), tag.size()))
                 return VerificationConsistency::Inconsistent;
 
             return VerificationConsistency::Consistent;
         };
-        // FIXME: This block needs constant-time comparisons.
 
         if (in.is_empty()) {
             out = {};
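Review bot: The `test_consistency` lambda now carries no comment explaining why the tag check uses `timing_safe_compare`, so a later cleanup could switch it back to `memcmp` without noticing the side channel. I would add, above the `if`, `// Tag length is public, so the size check may short-circuit; the tag bytes themselves must be compared in constant time.` The removed FIXME sat below the lambda and said "this block", so it may have covered more than this one comparison. The function continues outside the hunk, so confirm that no other tag-dependent comparison or early exit remains before treating the FIXME as fully resolved.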

+ 2 - 1
Userland/Libraries/LibCrypto/PK/Code/EMSA_PSS.h

@@ -8,6 +8,7 @@
 
 #include <AK/Array.h>
 #include <AK/Format.h>
+#include <AK/Memory.h>
 #include <AK/Random.h>
 #include <AK/Vector.h>
 #include <LibCrypto/PK/Code/Code.h>
@@ -140,7 +141,7 @@ public:
         hash_fn.update(m_prime_buffer);
         auto H_prime = hash_fn.digest();
 
-        if (__builtin_memcmp(message_hash.data, H_prime.data, HashFunction::DigestSize) != 0)
+        if (!timing_safe_compare(message_hash.data, H_prime.data, HashFunction::DigestSize))
             return VerificationConsistency::Inconsistent;
 
         return VerificationConsistency::Consistent;
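Review bot: The `timing_safe_compare` call reads `HashFunction::DigestSize` bytes from `message_hash.data`, but the hunk does not show that `message_hash` holds at least that many bytes. `H_prime` comes from `hash_fn.digest()`, so its size presumably matches; the declaration of `message_hash` is outside the hunk and should be checked, or pinned with a `static_assert` on its size if it is a fixed array. A short comment such as `// Compare H and H' in constant time so the mismatch position is not leaked.` would also record why `memcmp` must not return here.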