- Copy stable/10 (r259064) to releng/10.0 as part of the
10.0-RELEASE cycle.
- Update __FreeBSD_version [1]
- Set branch name to -RC1

[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so
start releng/10.0 at '100' so the branch is started with
a value ending in zero.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Bring in some behind-the-scenes development, mainly By Arthur Mesh,
the rest by me.

o Namespace cleanup; the Yarrow name is now restricted to where it
really applies; this is in anticipation of being augmented or
replaced by Fortuna in the future. Fortuna is mentioned, but behind
#if logic, and is ignorable for now.

o The harvest queue is pulled out into its own modules.

o Entropy harvesting is emproved, both by being made more conservative,
and by separating (a bit!) the sources. Available entropy crumbs are
marginally improved.

o Selection of sources is made clearer. With recent revelations,
this will receive more work in the weeks and months to come.

Submitted by: Arthur Mesh (partly) <arthurmesh@gmail.com>

stop including rijndael-api-fst.h from rijndael.h.
this is required to integrate opencrypto into crypto.

Reorganise the entropy device so that high-yield entropy sources
can more easily be used INSTEAD OF the hard-working Yarrow.
The only hardware source used at this point is the one inside
the VIA C3 Nehemiah (Stepping 3 and above) CPU. More sources will
be added in due course. Contributions welcome!

Overhaul the entropy device:

o Each source gets its own queue, which is a FIFO, not a ring buffer.
The FIFOs are implemented with the sys/queue.h macros. The separation
is so that a low entropy/high rate source can't swamp the harvester
with low-grade entropy and destroy the reseeds.

o Each FIFO is limited to 256 (set as a macro, so adjustable) events
queueable. Full FIFOs are ignored by the harvester. This is to
prevent memory wastage, and helps to keep the kernel thread CPU
usage within reasonable limits.

o There is no need to break up the event harvesting into ${burst}
sized chunks, so retire that feature.

o Break the device away from its roots with the memory device, and
allow it to get its major number automagically.

Use __FBSDID().
Also some minor style cleanups.

No functional change. Fix comments and whitespace.

Upgrade the random device to use a "real" hash instead of building
one out of a block cipher. This has 2 advantages:
1) The code is _much_ simpler
2) We aren't committing our security to one algorithm (much as we
may think we trust AES).

While I'm here, make an explicit reseed do a slow reseed instead
of a fast; this is in line with what the original paper suggested.

Massive lint-inspired cleanup.

Remove unneeded includes.
Deal with unused function arguments.
Resolve a boatload of signed/unsigned imcompatabilities.
Etc.

Very large makeover of the /dev/random driver.

o Separate the kernel stuff from the Yarrow algorithm. Yarrow is now
well contained in one source file and one header.

o Replace the Blowfish-based crypto routines with Rijndael-based ones.
(Rijndael is the new AES algorithm). The huge improvement in
Rijndael's key-agility over Blowfish means that this is an
extremely dramatic improvement in speed, and makes a heck of
a difference in its (lack of) CPU load.

o Clean up the sysctl's. At BDE's prompting, I have gone back to
static sysctls.

o Bug fixes. The streamlining of the crypto stuff enabled me to
find and fix some bugs. DES also found a bug in the reseed routine
which is fixed.

o Change the way reseeds clear "used" entropy. Previously, only the
source(s) that caused a reseed were cleared. Now all sources in the
relevant pool(s) are cleared.

o Code tidy-up. Mostly to make it (nearly) 80-column compliant.

Fix safety-net code. While technically a bug, I'm delighted to see
that it has never (apparently) been invoked.

Submitted by: ache

Stop explicitly using nanotime(9) and use the new get_cyclecounter(9)
call instead.

This makes a pretty dramatic difference to the amount of work that
the harvester needs to do - it is much friendlier on the system.
(80386 and 80486 class machines will notice little, as the new
get_cyclecounter() call is a wrapper round nanotime(9) for them).

After some complaints about the dir names, the random device is
now in dirs called sys/*/random/ instead of sys/*/randomdev/*.

Introduce blocking, but only at startup; the random device will
block until the first reseed happens to prevent clients from
using untrustworthy output.

Provide a read_random() call for the rest of the kernel so that
the entropy device does not need to be present. This means that
things like IPX no longer need to have "device random" hardcoded
into thir kernel config. The downside is that read_random() will
provide very poor output until the entropy device is loaded and
reseeded. It is recommended that developers do NOT use the
read_random() call; instead, they should use arc4random() which
internally uses read_random().

Clean up the mutex and locking code a bit; this makes it possible
to unload the module again.

Remove unneeded includes.

Submitted by: phk

Large upgrade to the entropy device; mainly inspired by feedback
from many folk.

o The reseed process is now a kthread. With SMPng, kthreads are
pre-emptive, so the annoying jerkiness of the mouse is gone.

o The data structures are protected by mutexes now, not splfoo()/splx().

o The cryptographic routines are broken out into their own subroutines.
this facilitates review, and possible replacement if that is ever
found necessary.

Thanks to: kris, green, peter, jasone, grog, jhb
Forgotten to thank: You know who you are; no offense intended.