reverse convention for constant_time_select, resolving a TODO

src/decaf.c

@@ -93,7 +93,7 @@ static INLINE mask_t bool_to_mask (decaf_bool_t m) {
 /** Constant time, x = is_z ? z : y */
 static INLINE void
 cond_sel(gf x, const gf y, const gf z, mask_t is_z) {
-    constant_time_select(x,z,y,sizeof(gf),is_z,0);
+    constant_time_select(x,y,z,sizeof(gf),is_z,0);
 }
 
 /** Constant time, if (neg) x=-x; */
@@ -1537,7 +1537,7 @@ void API_NS(point_cond_sel) (
     const point_t b,
     decaf_bool_t pick_b
 ) {
-    constant_time_select(out,b,a,sizeof(point_t),bool_to_mask(pick_b),0);
+    constant_time_select(out,a,b,sizeof(point_t),bool_to_mask(pick_b),0);
 }
 
 void API_NS(scalar_cond_sel) (
@@ -1546,7 +1546,7 @@ void API_NS(scalar_cond_sel) (
     const scalar_t b,
     decaf_bool_t pick_b
 ) {
-    constant_time_select(out,b,a,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out->limb[0]));
+    constant_time_select(out,a,b,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out->limb[0]));
 }
 
 /* FUTURE: restore Curve25519 Montgomery ladder? */

src/include/constant_time.h

@@ -303,16 +303,13 @@ constant_time_mask (
  *
  * Note that the output is not __restrict__, but if it overlaps either
  * input, it must be equal and not partially overlap.
- *
- * TODO: this has the opposite convention of certain other cond select functions,
- * because they are effectively [a,b][bool(mask)] instead of mask ? a : b.
  */
 static __inline__ void
 __attribute__((unused,always_inline))
 constant_time_select (
     void *a_,
-    const void *bTrue_,
     const void *bFalse_,
+    const void *bTrue_,
     word_t elem_bytes,
     mask_t mask,
     size_t alignment_bytes

src/p25519/f_arithmetic.c

@@ -39,6 +39,6 @@ void gf_isr (gf a, const gf x) {
     
     mask_t mask = gf_eq(st[1],ONE) | gf_eq(st[1],SQRT_MINUS_ONE);
     
-    constant_time_select(tmp1, ONE, SQRT_MINUS_ONE, sizeof(tmp1), mask, 0);
+    constant_time_select(tmp1, SQRT_MINUS_ONE, ONE, sizeof(tmp1), mask, 0);
     gf_mul(a,tmp1,st[0]);
 }