tech-userlevel archive


constant-time comparison and guaranteed zeroing bikeshed

(I am not subscribed to this list, so please cc me in replies.)

Last year, drochner@ introduced consttime_bcmp and explicit_bzero to
support constant-time comparison of cryptographic secrets and zeroing
of buffers guaranteed not to be optimized away by the compiler.

christos@ objected to creating new APIs based on the deprecated bcmp /
bzero family, so these ended up with a double-underscore prefix in
userland as if to ward off incautious users.

I have been using these in-kernel and assumed without thinking that
they were also available in userland when I kinda jumped the gun and
made section 3 man page references to them and then renamed them
according to christos's objections.  With apologies for jumping the
gun like that, these changes should be discussed here.  We could do
several things:

1. Go back to the way things were -- __consttime_bcmp/__explicit_bzero
in libc, consttime_bcmp/explicit_bzero in kernel, and move the man
pages into section 9 -- against christos's objection.

2. Use __consttime_memequal/__explicit_memset in userland,
consttime_memequal/explicit_memset in kernel, and move the man pages
into section 9.

3. Use consttime_memequal/explicit_memset in userland and kernel,
expose them as a public part of libc, and keep the man pages in
section 3.  This would presumably require the rigamarole of making the
libc symbols weak with internal namespacing wotsits.

4. Teal with maroon trim and a great big red door.

Thoughts?  I am inclined to suggest 3, but there may be issues I am
not aware of with it.

(For options 2 or 3, I will fix the mistake I left in renaming
consttime_bcmp so that consttime_memequal will return true for equal
and false for not equal.)
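
The two return conventions mentioned in the message (bcmp-style and memequal-style) and a zeroing call the compiler cannot drop, as an added C example. It is not code from the original post or from NetBSD; the `ex_`-prefixed names are hypothetical, and the volatile function pointer is one common way to keep the memset call.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: the ex_* names are hypothetical, not NetBSD's code. */

/* bcmp-style result: 0 if equal, nonzero if different. */
int ex_consttime_bcmp(const void *a, const void *b, size_t len)
{
    const unsigned char *p = a, *q = b;
    unsigned int diff = 0;
    /* Touch every byte: no early exit, no branch on secret data. */
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned int)(p[i] ^ q[i]);
    return (int)diff;
}

/* memequal-style result: 1 if equal, 0 if different. */
int ex_consttime_memequal(const void *a, const void *b, size_t len)
{
    unsigned int diff = (unsigned int)ex_consttime_bcmp(a, b, len);
    /* diff is 0..255, so (diff - 1) >> 8 has bit 0 set only for diff == 0. */
    return (int)(1 & ((diff - 1) >> 8));
}

/* Call memset through a volatile pointer: the target is read at run time,
 * so the compiler cannot treat the call as a removable dead store. */
static void *(*volatile ex_memset_ptr)(void *, int, size_t) = memset;

void *ex_explicit_memset(void *buf, int c, size_t len)
{
    return (*ex_memset_ptr)(buf, c, len);
}

/* Compare a received tag with the expected one, then wipe the key. */
int ex_verify_and_wipe(unsigned char *key, size_t keylen,
    const unsigned char *expected, const unsigned char *got, size_t taglen)
{
    int ok = ex_consttime_memequal(expected, got, taglen);
    ex_explicit_memset(key, 0, keylen);
    return ok;
}

int main(void)
{
    unsigned char key[4] = { 1, 2, 3, 4 };  /* constructed sample values */
    printf("equal=%d\n", ex_verify_and_wipe(key, sizeof key,
        (const unsigned char *)"tag1", (const unsigned char *)"tag2", 4));
    return 0;
}
```

A caller that tests the result with `if (!f(a, b, n))` accepts on equality under the bcmp convention and on inequality under the memequal convention, so a rename between the two has to flip the return value along with the name.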
