(p1 - p2 == 0) => (p1 == p2)

No binary changes on supported platforms except on gcc/armv7l where
the control flow remains identical but permutative statements get switched.

src/libsodium/crypto_auth/hmacsha256/cp/verify_hmacsha256.c

@@ -6,6 +6,6 @@ int crypto_auth_verify(const unsigned char *h,const unsigned char *in,unsigned l
 {
   unsigned char correct[32];
   crypto_auth(correct,in,inlen,k);
-  return crypto_verify_32(h,correct) | (-(h - correct == 0)) |
+  return crypto_verify_32(h,correct) | (-(h == correct)) |
          sodium_memcmp(correct,h,32);
 }

src/libsodium/crypto_auth/hmacsha512/cp/verify_hmacsha512.c

@@ -7,6 +7,6 @@ int crypto_auth_verify(const unsigned char *h, const unsigned char *in,
 {
   unsigned char correct[64];
   crypto_auth(correct,in,inlen,k);
-  return crypto_verify_64(h,correct) | (-(h - correct == 0)) |
+  return crypto_verify_64(h,correct) | (-(h == correct)) |
          sodium_memcmp(correct,h,64);
 }

src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c

@@ -7,6 +7,6 @@ int crypto_auth_verify(const unsigned char *h, const unsigned char *in,
 {
   unsigned char correct[32];
   crypto_auth(correct,in,inlen,k);
-  return crypto_verify_32(h,correct) | (-(h - correct == 0)) |
+  return crypto_verify_32(h,correct) | (-(h == correct)) |
          sodium_memcmp(correct,h,32);
 }

src/libsodium/crypto_sign/ed25519/ref10/open.c

@@ -43,7 +43,7 @@ crypto_sign_verify_detached(const unsigned char *sig, const unsigned char *m,
     ge_double_scalarmult_vartime(&R, h, &A, sig + 32);
     ge_tobytes(rcheck, &R);
 
-    return crypto_verify_32(rcheck, sig) | (-(rcheck - sig == 0)) |
+    return crypto_verify_32(rcheck, sig) | (-(rcheck == sig)) |
            sodium_memcmp(sig, rcheck, 32);
 }