bsd.own.mk: rename GCC_NO_* to CC_WNO_*

Rename compiler-warning-disable variables from
GCC_NO_warning
to
CC_WNO_warning
where warning is the full warning name as used by the compiler.

GCC_NO_IMPLICIT_FALLTHRU is CC_WNO_IMPLICIT_FALLTHROUGH

Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.

.include bsd.own.mk for ${NETBSDSRCDIR}

Teach `rndctl -L' to update the seed file, not just delete it.

The seed file is updated by entering the old seed into the system and
then hashing the old seed together with data from /dev/urandom, and
writing it atomically with write-to-temporary/rename-to-permanent.

This way, interruption by crash or power loss does not obliterate
your persistent entropy (unless it causes file system corruption).

introduce some common variables for use in GCC warning disables:

GCC_NO_FORMAT_TRUNCATION -Wno-format-truncation (GCC 7/8)
GCC_NO_STRINGOP_TRUNCATION -Wno-stringop-truncation (GCC 8)
GCC_NO_STRINGOP_OVERFLOW -Wno-stringop-overflow (GCC 8)
GCC_NO_CAST_FUNCTION_TYPE -Wno-cast-function-type (GCC 8)

use these to turn off warnings for most GCC-8 complaints. many
of these are false positives, most of the real bugs are already
commited, or are yet to come.


we plan to introduce versions of (some?) of these that use the
"-Wno-error=" form, which still displays the warnings but does
not make it an error, and all of the above will be re-considered
as either being "fix me" (warning still displayed) or "warning
is wrong."

branches: 1.2.112; 1.2.114;
Remove bogons.

Add rndctl(8) and man page

branches: 1.1.2; 1.1.6;
Teach `rndctl -L' to update the seed file, not just delete it.

The seed file is updated by entering the old seed into the system and
then hashing the old seed together with data from /dev/urandom, and
writing it atomically with write-to-temporary/rename-to-permanent.

This way, interruption by crash or power loss does not obliterate
your persistent entropy (unless it causes file system corruption).

rndctl(8): Nix trailing whitespace in man page.

No functional change intended.

rndctl.8: add more detail about the -l and -v options

branches: 1.29.8;
Clarify wording further based on private feedback.

Clarify security model of rndctl -S files.

rndctl.8: reflect current reality

Touch up rndctl(8) a bit.

Add -i to SYNOPSIS.

Tweak logic to decide whether a medium is safe for an rndseed.

- Teach rndctl to load the seed, but treat it as zero entropy, if the
medium is read-only or if the update fails.

- Teach rndctl to accept `-i' flag instructing it to ignore the
entropy estimate in the seed.

- Teach /etc/rc.d/random_seed to:
(a) assume nonlocal file systems are unsafe, and use -i, but
(b) assume / is safe, even if it is nonlocal.
If the medium is nonwritable, leave it to rndctl to detect that.
(Could use statvfs and check for ST_LOCAL in rndctl, I guess, but I
already implemented it this way.)

Treating nonlocal / as safe is a compromise: it's up to the operator
to secure the network for (e.g.) nfs mounts, but that's true whether
we're talking entropy or not -- if the adversary has access to the
network that you've mounted / from, they can do a lot more damage
anyway; this reduces warning fatigue for diskless systems, e.g. test
racks.

Teach `rndctl -L' to update the seed file, not just delete it.

The seed file is updated by entering the old seed into the system and
then hashing the old seed together with data from /dev/urandom, and
writing it atomically with write-to-temporary/rename-to-permanent.

This way, interruption by crash or power loss does not obliterate
your persistent entropy (unless it causes file system corruption).

branches: 1.22.24; 1.22.26;
Sort options and mark them as optional.
Bump date for previous.

Merge tls-earlyentropy branch into HEAD.

branches: 1.20.6; 1.20.16;
Sort option descriptions, bump date for previous.

Load entropy at system boot (only works at securelevel < 1); save
at system shutdown. Disable with random_seed=NO in rc.conf if desired.

Goes to some trouble to never load or save to network filesystems.

Entropy should really be loaded by the boot loader but I am still
sorting out how to pass it to the kernel.

branches: 1.18.2;
Fix typo

Add a list of device types for use with "rndctl -t ${typename}".

Adjust synopsis and description to make it clear that -d devname and
-t devtype are mutually exclusive.

branches: 1.15.16; 1.15.32; 1.15.40;
.Nm does not need a dummy argument ("") before punctuation or
for correct formatting of the SYNOPSIS any longer.

New sentence, new line. From Robert Elz.

Sort options. Fix grammar. Use more mdoc.

Generate <>& symbolically. I'm avoiding .../dist/... directories for now.

Sort sections, use standard headers, sort SEE ALSO.

Whitespace nits

Drop arguments of .Os.

Don't explain -s twice.

document -s

branches: 1.6.2;
revised rndctl which can display pool statistics.

branches: 1.5.8;
Add missing .El line.

sort entries and delete extra periods in SEE also section.

Update copyright message (I wrote this, not the template of the day)

branches: 1.2.2;
Fix .Nm usage.

Add rndctl(8) and man page

rndctl(8): Take omitted name/type as empty device name.

This can now be used to change flags for all sources at once.

XXX pullup-10

branches: 1.40.6;
rndctl(8): to -l, add a "samples" column separate to "bits"

rename the "bits" column to "estimated bits".

this provides a clear indication when a source is being used, but
not increasing the entropy counter.

this commit fixes an unrelated bug where verbose output functioned
incorrectly when a class of device was specified with -t.

while here, reduce code duplication.

"gofer it" riastradh@

rndctl(8): remove no-longer-useful stats from -s

these are always 0 now.

"gofer it" riastradh@

rndctl: make -l's "Flags" field reflect current reality

don't print "legacy options" RND_FLAG_ESTIMATE_TIME and
"RND_FLAG_ESTIMATE_VALUE"

only print "estimate" if we have actually counted any bits from
something, since it's no longer really possible to "enable estimation".

ideally, there should also be a "samples" field so it's clear
collected bits are not being counted.

Whitespace alignment nits.

Trigger entropy consolidation before saving seed.

This way, whenever /etc/security runs infrequently (daily), or the
operator manually issues rndctl -S, we ensure that all samples taken
during the entire boot are hashed together in the seed for the next
boot.

This should be infrequent enough that it's unlikely to enable the
iterative-guessing attacks that we try to mitigate by not frequently
consolidating entropy.

Rework rndctl seed load sequence again.

Go back to the book's order, now that writing to /dev/random
guarantees to consolidate entropy -- this way the _next_ boot is no
less secure than the current boot, in the event that entropy sources
like interrupt timings provided any security that we just don't know
how to measure honestly.

Make sure to open the old seed to overwrite and the new seed to write
anew first so that we can determine whether the medium is read-only
before accepting the file's entropy estimate.

Tweak logic to decide whether a medium is safe for an rndseed.

- Teach rndctl to load the seed, but treat it as zero entropy, if the
medium is read-only or if the update fails.

- Teach rndctl to accept `-i' flag instructing it to ignore the
entropy estimate in the seed.

- Teach /etc/rc.d/random_seed to:
(a) assume nonlocal file systems are unsafe, and use -i, but
(b) assume / is safe, even if it is nonlocal.
If the medium is nonwritable, leave it to rndctl to detect that.
(Could use statvfs and check for ST_LOCAL in rndctl, I guess, but I
already implemented it this way.)

Treating nonlocal / as safe is a compromise: it's up to the operator
to secure the network for (e.g.) nfs mounts, but that's true whether
we're talking entropy or not -- if the adversary has access to the
network that you've mounted / from, they can do a lot more damage
anyway; this reduces warning fatigue for diskless systems, e.g. test
racks.

Sort includes.

Accept both byte orders for random seed in `rndctl -L'.

The file format was defined with a machine-dependent 32-bit integer
field (the estimated number of bits of entropy in the process that
generated it). Take whichever byte order gives a number that is
reasonable, i.e. lower than the number of bits in the buffer.

Continue to have `rndctl -S' generate it in machine-dependent byte
order for now, so that if you roll back to an older rndctl(8) then
`rndctl -L' on the same machine will still be able to load it with
the right entropy estimate. In a future revision, perhaps we can
change it to be little-endian.

Teach `rndctl -L' to update the seed file, not just delete it.

The seed file is updated by entering the old seed into the system and
then hashing the old seed together with data from /dev/urandom, and
writing it atomically with write-to-temporary/rename-to-permanent.

This way, interruption by crash or power loss does not obliterate
your persistent entropy (unless it causes file system corruption).

branches: 1.30.16; 1.30.18;
Use <sys/rndio.h> instead of <sys/rnd.h>.

Sync usage with manpage a bit more.

Merge tls-earlyentropy branch into HEAD.

branches: 1.27.2;
Overwrite the seed file from the beginning, using pwrite(2).

Fix arguments for write.

branches: 1.25.2;
Use _PATH_URANDOM from paths(3).

Entropy-pool implementation move and cleanup.

1) Move core entropy-pool code and source/sink/sample management code
to sys/kern from sys/dev.

2) Remove use of NRND as test for presence of entropy-pool code throughout
source tree.

3) Remove use of RND_ENABLED in device drivers as microoptimization to
avoid expensive operations on disabled entropy sources; make the
rnd_add calls do this directly so all callers benefit.

4) Fix bug in recent rnd_add_data()/rnd_add_uint32() changes that might
have lead to slight entropy overestimation for some sources.

5) Add new source types for environmental sensors, power sensors, VM
system events, and skew between clocks, with a sample implementation
for each.

ok releng to go in before the branch due to the difficulty of later
pullup (widespread #ifdef removal and moved files). Tested with release
builds on amd64 and evbarm and live testing on amd64.

Make "rndctl -L" overwrite the file with zeros, not with the
same data that was just read from the file.

Make the rndsave structure public -- the kernel will learn to read it
and sysinst may learn to write it (since, on some systems, most of
the keyboard input they ever get happens to be during install). Fix a
couple of minor problems with the random_seed rc script addition.

Load entropy at system boot (only works at securelevel < 1); save
at system shutdown. Disable with random_seed=NO in rc.conf if desired.

Goes to some trouble to never load or save to network filesystems.

Entropy should really be loaded by the boot loader but I am still
sorting out how to pass it to the kernel.

branches: 1.20.2;
static + const + __dead

fix sign-compare issues

branches: 1.18.2;
* Instead of silently ignoring extra args, print a usage error. This
adddresses the silent failure reported in PR 39862 by Brian A. Seklecki
* Adjust usage message to match the synopsis in the man page.

branches: 1.17.4; 1.17.20; 1.17.28;
Move WARNS=3 to the Makefile.inc, and add a little const to the remaining
programs that did not compile before.

strlcat

Add NetBSD RCS Ids.

do not hardcode buffer size

Type 'network' was an alias for 'net' and was changed to "net" in
rev 1.5. Remove duplicate. Reported by Christian Biere in PR17976.

Since all members in rndpoolstat_t are unsigned, print them so. PR#14584.

- Recognize new type `rng'.
- Use getprogname().

Don't punt on really unknown type of device when fetching name of it.
Instead, warn and just print it as ???.

Cosmetic changes.

document -s

initialize sflag to zero; discovered on Digital UNIX, where I got
random (no pun intended) functionality

branches: 1.6.2;
revised rndctl which can display pool statistics.

branches: 1.5.8;
Make the usage string match the man page.

flags and type are seperate now

RCS Id Police.

clean up warnings, gads

Add rndctl(8) and man page