From 31db2e67bb49fe838e39819394470867064624e6 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Fri, 15 Apr 2022 17:18:32 +0100 Subject: [PATCH] Make smemeq return unsigned, not bool. bool is dangerous in a time-safe context, because C compilers might insert a control flow divergence to implement the implicit normalisation of nonzero integers to 1 when you assign to a bool. Everywhere else time-safe, I avoid using it; but smemeq has been an exception until now, because the response to smemeq returning failure was to do an obvious protocol-level divergence _anyway_ (like disconnecting due to MAC mismatch). But I'm about to want to use smemeq in a context where I use the result _subtly_ and don't want to give away what it is, so now it's time to get rid of that bool and have smemeq return unsigned. --- misc.h | 6 +++--- utils/smemeq.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/misc.h b/misc.h index dea7190b..7acd8f41 100644 --- a/misc.h +++ b/misc.h @@ -207,9 +207,9 @@ void smemclr(void *b, size_t len); /* Compare two fixed-length chunks of memory for equality, without * data-dependent control flow (so an attacker with a very accurate * stopwatch can't try to guess where the first mismatching byte was). - * Returns false for mismatch or true for equality (unlike memcmp), - * hinted at by the 'eq' in the name. */ -bool smemeq(const void *av, const void *bv, size_t len); + * Returns 0 for mismatch or 1 for equality (unlike memcmp), hinted at + * by the 'eq' in the name. */ +unsigned smemeq(const void *av, const void *bv, size_t len); /* Encode a single UTF-8 character. Assumes that illegal characters * (such as things in the surrogate range, or > 0x10FFFF) have already diff --git a/utils/smemeq.c b/utils/smemeq.c index 2692d134..ce3761ec 100644 --- a/utils/smemeq.c +++ b/utils/smemeq.c @@ -8,7 +8,7 @@ #include "defs.h" #include "misc.h" -bool smemeq(const void *av, const void *bv, size_t len) +unsigned smemeq(const void *av, const void *bv, size_t len) { const unsigned char *a = (const unsigned char *)av; const unsigned char *b = (const unsigned char *)bv;