From 96507853a1cc5ab3ce7123a7486fc3d13fd092b0 Mon Sep 17 00:00:00 2001 From: "G. Branden Robinson" Date: Sun, 30 Jul 2023 10:31:37 -0500 Subject: memcmp.3: Recast security caveat Use terminology more carefully. * Refer to the info sec property of confidentiality[1] instead of saying, vaguely, "security-critical". * Try not to confuse anyone who's studied the analysis of algorithms: don't say "constant time" when "deterministic time" is meant. The time to perform the memory comparison remains linear (O(n)), not constant (O(1)). * Tighten wording. Link: [1] Signed-off-by: "G. Branden Robinson" Signed-off-by: Alejandro Colomar --- man3/memcmp.3 | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/man3/memcmp.3 b/man3/memcmp.3 index 9a2aad353..67ebe392e 100644 --- a/man3/memcmp.3 +++ b/man3/memcmp.3 @@ -67,9 +67,17 @@ POSIX.1-2001, C89, SVr4, 4.3BSD. .SH CAVEATS Do not use .BR memcmp () -to compare security critical data, such as cryptographic secrets, -because the required CPU time depends on the number of equal bytes. -Instead, a function that performs comparisons in constant time is required. +to compare confidential data, +such as cryptographic secrets, +because the CPU time required for the comparison +depends on the contents of the addresses compared, +this function is subject to timing-based side-channel attacks. +In such cases, +a function that performs comparisons in deterministic time, +depending only on +.I n +(the quantity of bytes compared) +is required. Some operating systems provide such a function (e.g., NetBSD's .BR consttime_memequal ()), but no such function is specified in POSIX. -- cgit v1.2.3
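Review bot: the rewritten CAVEATS paragraph in the man3/memcmp.3 hunk is a comma splice: "because the CPU time required for the comparison depends on the contents of the addresses compared, this function is subject to timing-based side-channel attacks" hangs a new main clause off the "because" clause with only a comma, so the opening "Do not use memcmp() to compare confidential data ..." never gets a grammatical end. Suggest ending the first sentence after "such as cryptographic secrets." and then starting a new one: "Because the CPU time required for the comparison depends on the contents of the memory compared, this function is subject to timing-based side-channel attacks." Relatedly, "deterministic time" in the next sentence does not name the property precisely: memcmp() is itself deterministic; what the replacement must offer is running time that depends only on n and not on the bytes, which the parenthetical "depending only on n (the quantity of bytes compared)" already says, so "in time that depends only on n (the quantity of bytes compared), not on the contents" would be tighter and avoids a term the commit message then has to defend. "Contents of the addresses compared" also reads oddly; "contents of the memory regions compared" matches the n/bytes wording used two lines later.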
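The point the commit message makes, that a memcmp()-style early-exit comparison does work proportional to the position of the first differing byte while the replacement must do work that depends only on n, shown as an added example. This is not code from the man-pages project, from NetBSD, or from this patch; ct_memequal() and early_exit_bytes_examined() are hypothetical names, the former modelling what consttime_memequal() promises and the latter modelling a typical memcmp() loop instrumented to count the bytes it touches, and the 32-byte secret/guess pairs are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not part of the man-pages project or of this patch.
 * early_exit_bytes_examined() and ct_memequal() are hypothetical names;
 * the first models the early-exit loop a typical memcmp() uses, the second
 * models the contract of NetBSD's consttime_memequal(): work depends on n only.
 */

/* Simplified model of memcmp(): stops at the first differing byte.
 * Returns how many bytes it looked at, which is exactly what leaks. */
size_t early_exit_bytes_examined(const unsigned char *a,
                                 const unsigned char *b, size_t n)
{
    size_t examined = 0;
    for (size_t i = 0; i < n; i++) {
        examined++;
        if (a[i] != b[i])
            break;              /* data-dependent exit: the timing leak */
    }
    return examined;
}

/* Content-independent comparison: every byte is read and folded into acc
 * with XOR/OR, so the loop runs n times and contains no branch on the data.
 * Returns 1 if the two buffers are equal, 0 otherwise. */
int ct_memequal(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = a;  /* volatile: reads may not be elided */
    const volatile unsigned char *pb = b;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];
    /* Map acc == 0 to 1 and acc != 0 to 0 without a branch on acc:
     * (acc - 1) wraps to 0xFFFFFFFF only when acc is 0. */
    return (int)(((uint32_t)acc - 1u) >> 31);
}

/* Constructed sample data: a 32-byte "secret" and a guess that differs only
 * at byte `pos` (pos < 32). Returns the work the early-exit loop does. */
size_t early_exit_work_for_mismatch_at(size_t pos)
{
    unsigned char secret[32], guess[32];
    for (size_t i = 0; i < sizeof secret; i++)
        secret[i] = guess[i] = (unsigned char)(0xA5 ^ i);
    guess[pos] ^= 0x01;
    return early_exit_bytes_examined(secret, guess, sizeof secret);
}

int main(void)
{
    const size_t positions[] = { 0, 15, 31 };
    unsigned char secret[32], guess[32];

    for (size_t k = 0; k < sizeof positions / sizeof positions[0]; k++) {
        size_t pos = positions[k];
        for (size_t i = 0; i < sizeof secret; i++)
            secret[i] = guess[i] = (unsigned char)(0xA5 ^ i);
        guess[pos] ^= 0x01;
        printf("mismatch at byte %2zu: early-exit examined %2zu bytes, "
               "ct_memequal always touches %zu bytes, memcmp=%d ct_memequal=%d\n",
               pos, early_exit_work_for_mismatch_at(pos), sizeof secret,
               memcmp(secret, guess, sizeof secret) != 0,
               ct_memequal(secret, guess, sizeof secret));
    }
    return 0;
}
```

The instrumented loop makes the leak concrete: a guess wrong in byte 0 costs one iteration, a guess wrong only in byte 31 costs thirty-two, so an attacker measuring the comparison can recover the secret one byte at a time; ct_memequal() reads all n bytes regardless and reduces the result arithmetically rather than with a branch. The volatile pointers are a hint, not a guarantee: a compiler is still free to transform the reduction, so production code should use the platform's own routine (consttime_memequal() on NetBSD, as the caveat says) where one exists.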