Bertrand,

Note: I was the contributor that added the secure_memcmp converter.
On 21.01.21 at 22:16, Bertrand Jacquin wrote: > diff --git a/doc/configuration.txt b/doc/configuration.txt > index 899bdf553a85..f25da9c1bfa6 100644 > --- a/doc/configuration.txt > +++ b/doc/configuration.txt > @@ -15996,7 +15996,11 @@ secure_memcmp(<var>) > performed in constant time. > > Please note that this converter is only available when haproxy has been > - compiled with USE_OPENSSL. > + compiled with USE_OPENSSL. Requires at least OpenSSL 1.0.2. > + > + See also the strcmp converter if you need to compare two binary > + strings without concern related to constant time or if OpenSSL is not > + enabled. The strcmp converter is not binary safe. It uses strncmp internally. > Example : > > diff --git a/src/sample.c b/src/sample.c > index bf2de2a2522d..bb12789b551f 100644 > --- a/src/sample.c > +++ b/src/sample.c
> @@ -3100,12 +3100,14 @@ static int sample_conv_strcmp(const struct arg > *arg_p, struct sample *smp, void > return 1; > } > > -#ifdef USE_OPENSSL > +#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER > 0x1000200fL We strive to use feature detection instead of version number comparisons for SSL. Is it possible to use feature detection here? Adding Ilya to CC. > /* Compares bytestring with a variable containing a bytestring. Return value > * is `true` if both bytestrings are bytewise identical and `false` > otherwise. > * > - * Comparison will be performed in constant time if both bytestrings are of > - * the same length. If the lengths differ execution time will not be > constant. > + * Comparison will be performed in constant time if the library support > + * constant time memcmp (starting with OpenSSL 1.0.2) and if both > + * bytestrings are of the same length. Otherwise execution time will not > + * be constant. I am not sure whether this wording change is useful, as the definition of the function already is guarded by the #if. As such sample_conv_secure_memcmp guarantees the constant time comparison (independent of the library support). It just might be that the function might not exist. Best regards Tim Düsterhus
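Review bot: the "See also" paragraph added to doc/configuration.txt after "Requires at least OpenSSL 1.0.2." contradicts itself: it points readers to strcmp "if you need to compare two binary strings" and two sentences later states "The strcmp converter is not binary safe. It uses strncmp internally." Suggest dropping "binary" from the recommendation, e.g. "See also the strcmp converter if you need to compare two strings without concern for constant time, or if OpenSSL is not enabled. The strcmp converter is not binary safe; it uses strncmp internally.", and wrapping that last added line, which runs past the width the surrounding doc lines are wrapped at.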
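Review bot: the new guard in src/sample.c, `#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER > 0x1000200fL`, does not match the text the same patch adds, which says "Requires at least OpenSSL 1.0.2" and "starting with OpenSSL 1.0.2": 0x1000200fL is the version number of the 1.0.2 release itself, so `>` excludes that release and only admits 1.0.2a and later. Either use `>=` or, as asked above, replace the version comparison with a feature test so the boundary does not have to be encoded by hand; whichever is chosen, the doc sentence and the function comment should state the same minimum as the guard.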

