History log of /freebsd-9.3-release/lib/libc/gen/arc4random.c
Revision Date Author Comments
# 267654 19-Jun-2014 gjb

Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

# 267379 11-Jun-2014 delphij

Cumulative update to arc4random(3).

MFC r227519, r227520, r238118, r241046:

r227519 (das)

Sync the style, comments, and variable names of arc4random.c with
OpenBSD's version (r1.22). No functional changes, as verified with
md5.

r227520 (das)

Further reduce diffs with OpenBSD's arc4random. The main functional
change here is to ensure that when a process forks after arc4random
is seeded, the parent and child don't observe the same random sequence.
OpenBSD's fix introduces some additional overhead in the form of a
getpid() call.

The only significant remaining difference between our arc4random and
OpenBSD's is in how we seed the generator in arc4_stir().

r238118 (pjd):

Prefer sysctl to open/read/close for obtaining random data.

This method is more sandbox-friendly and also should be faster as only
one syscall is needed instead of three.
In case of an error fall back to the old method.

r241046 (jilles)

libc: Use O_CLOEXEC for various internal file descriptors.

Approved by: re (gjb)


# 225736 22-Sep-2011 kensmith

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)


# 182886 09-Sep-2008 ache

Return two fixes from the previous backout which do not require
review by secteam@ for the reasons mentioned below.

1) Rename /dev/urandom to /dev/random since urandom marked as
XXX Deprecated
alias in /sys/dev/random/randomdev.c
(this is our naming convention and no review by secteam@ required)

2) Set rs_stired flag after forced initialization to prevent
double stirring.
(this is already in OpenBSD, i.e. they don't have double stirring.
It means that this change matches their code path and no additional
secteam@ review required)

Submitted by: Thorsten Glaser <tg@mirbsd.de> (2)


# 181261 03-Aug-2008 ache

Restored from previous backing out (because that is the OpenBSD way, so
assumed to be reviewed by them):
Stir directly from the kernel PRNG, without taking less random pid & time
bytes too (when it is possible).

The difference with OpenBSD code is that they have KERN_ARND sysctl for
that task, while we need to read /dev/random


# 180804 25-Jul-2008 ache

Per rwatson's request:
"If you don't get a review within a day or two, I would firmly recommend
backing out the changes"

back out all my changes, i.e. those not coming from merging from OpenBSD, as
unreviewed by secteam@ yet.
(OpenBSD changes stay in the assumption that they are reviewed by OpenBSD)

Yes, it means some old bugs returned, like rs_stired = 1 not being set in
arc4random_stir(3), causing double stirring.


# 180713 22-Jul-2008 ache

Fixes based on bde's feedback.
1) Unindent and sort variables.
2) Indent struct members.
3) Remove _packed, use guaranteed >128 bytes size and only first 128
bytes from the structure.
4) Reword comment.

Obtained from: bde


# 180700 22-Jul-2008 ache

Change /dev/urandom to /dev/random since urandom marked as
XXX Deprecated
alias in /sys/dev/random/randomdev.c


# 180690 22-Jul-2008 ache

In arc4random_uniform() detect simple "power of two" case and
return just (arc4random() % upper_bound)


# 180688 22-Jul-2008 ache

Add arc4random_uniform() function (to avoid "modulo bias")

Obtained from: OpenBSD

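Added example for the r180690 and r180688 messages above, not FreeBSD's or OpenBSD's code: it shows why arc4random() % upper_bound is biased and how arc4random_uniform() removes the bias by rejection sampling, with the power-of-two shortcut. The generator is abstracted as a function pointer so the bias can be counted exhaustively on an 8-bit analogue and the 32-bit path can be driven with a scripted sequence; scripted_rng, its script values and count_residues are constructed for this example and are not part of libc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t (*rng32_fn)(void);

/* The naive reduction. 2^32 is not a multiple of upper_bound, so the
 * residues below 2^32 % upper_bound each have one extra preimage. */
static uint32_t uniform_biased(rng32_fn rng, uint32_t upper_bound)
{
    return rng() % upper_bound;
}

/* Rejection sampling as arc4random_uniform() does it: throw away the
 * 2^32 % upper_bound smallest raw values so what remains is a whole number
 * of equal buckets. (0u - upper_bound) % upper_bound equals 2^32 % upper_bound
 * in 32-bit unsigned arithmetic. A power-of-two bound is the r180690
 * shortcut: the low bits are already uniform, so just mask. */
static uint32_t uniform_unbiased(rng32_fn rng, uint32_t upper_bound)
{
    uint32_t r, min;

    if (upper_bound < 2)
        return 0;
    if ((upper_bound & (upper_bound - 1)) == 0)
        return rng() & (upper_bound - 1);
    min = (0u - upper_bound) % upper_bound;
    do {
        r = rng();
    } while (r < min);
    return r % upper_bound;
}

/* Exhaustive 8-bit analogue of the same two reductions: feed every value
 * 0..255 through both and count how often each residue comes out. Returns
 * how many inputs the rejecting reducer accepted (a multiple of bound). */
static unsigned count_residues(uint32_t bound, unsigned biased[], unsigned unbiased[])
{
    uint32_t min;
    unsigned accepted = 0;

    if (bound == 0)
        return 0;
    min = 256 % bound;
    for (uint32_t r = 0; r < bound; r++) biased[r] = unbiased[r] = 0;
    for (uint32_t r = 0; r < 256; r++) {
        biased[r % bound]++;
        if (r >= min) { unbiased[r % bound]++; accepted++; }
    }
    return accepted;
}

/* Scripted source, constructed for this example, so the 32-bit path is
 * reproducible: 0 is below min for bound 3 and must be rejected. */
static const uint32_t script[] = { 0, 5, 0xFFFFFFFFu, 7 };
static size_t script_pos;
static uint32_t scripted_rng(void)
{
    return script[script_pos++ % (sizeof script / sizeof script[0])];
}

int main(void)
{
    unsigned b[3], u[3];
    unsigned n = count_residues(3, b, u);
    printf("bound 3 over 8-bit inputs: naive %u/%u/%u, rejecting %u/%u/%u (%u accepted)\n",
           b[0], b[1], b[2], u[0], u[1], u[2], n);
    script_pos = 0;
    unsigned naive = uniform_biased(scripted_rng, 3);      /* consumes 0 */
    unsigned fair  = uniform_unbiased(scripted_rng, 3);    /* consumes 5 */
    unsigned pow2  = uniform_unbiased(scripted_rng, 8);    /* consumes 0xFFFFFFFF */
    printf("scripted: naive -> %u, rejecting -> %u, bound 8 -> %u\n", naive, fair, pow2);
    return 0;
}
```

With bound 3 the 8-bit count comes out 86/85/85 for the naive reduction and 85/85/85 after rejecting the single value below min; at 32 bits the skew is 1 in 2^32 per residue, invisible in practice but exactly the kind of defect that rejection sampling removes at the cost of an expected 2^32 / (2^32 - min) calls, which is under two even for the worst bounds.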

# 180687 22-Jul-2008 ache

Increase initially dropped bytes from 512 to 768 (768 is also
suggested in Ilya Mironov's article). 768 is taken from other
research, where it is treated as the default for RC4-drop(768):
http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#RC4-drop

Minor style tweak.


# 180676 21-Jul-2008 ache

1) Use __packed attr on rdat structure to make it exact 128 bytes.
2) Use gettimeofday() and getpid() only if reading from /dev/urandom
fails or is impossible.
3) Discard N bytes on very first initialization only (i.e. don't
discard on re-stir).
4) Reduce N from 1024 to 512 as really suggested in the
"(Not So) Random Shuffles of RC4" paper:
http://research.microsoft.com/users/mironov/papers/rc4full.pdf

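Added example, not FreeBSD's or OpenBSD's code, serving both the r267379 cumulative update above (r227520's getpid() check so a forked child does not replay its parent's sequence, r238118's preference for a single syscall with a fall back to open/read/close, r241046's O_CLOEXEC) and the r180676 and r180687 messages here (use gettimeofday()/getpid() only when the kernel source fails; discard 768 bytes on the very first stir only, and not on re-stir). It is a single-threaded model of the arc4random(3) state machine with textbook RC4 key setup, so a known-answer check applies. Assumptions made for this example: getrandom(2) stands in for FreeBSD's KERN_ARND sysctl on Linux, the 1600000-byte re-stir budget is a placeholder value, and arc4_fill() takes the pid as a parameter so that a test can simulate fork() without forking.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/random.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

#define ARC4_DROP   768      /* discarded once, on first seeding: RC4-drop(768) */
#define ARC4_RESEED 1600000  /* output bytes before an automatic re-stir (assumed) */

struct arc4_state {
    uint8_t s[256];
    uint8_t i, j;
    int     stired;   /* seeded at least once */
    long    count;    /* output budget until the next re-stir */
    pid_t   pid;      /* pid that last stirred; a mismatch means fork() happened */
};
static struct arc4_state rs;

/* RC4 key schedule over the current permutation, so fresh entropy is mixed
 * into the existing state rather than replacing it. Over an identity
 * permutation this is the textbook KSA; leaving i = j = 0 keeps the output
 * equal to textbook RC4 (the libc code sets j = i instead). */
static void arc4_addrandom(struct arc4_state *st, const uint8_t *dat, size_t datlen)
{
    uint8_t j = st->j;
    for (int n = 0; n < 256; n++) {
        j = (uint8_t)(j + st->s[n] + dat[n % datlen]);
        uint8_t t = st->s[n]; st->s[n] = st->s[j]; st->s[j] = t;
    }
    st->i = st->j = 0;
}

static uint8_t rc4_byte(struct arc4_state *st)      /* one PRGA keystream byte */
{
    st->i = (uint8_t)(st->i + 1);
    uint8_t si = st->s[st->i];
    st->j = (uint8_t)(st->j + si);
    uint8_t sj = st->s[st->j];
    st->s[st->i] = sj;
    st->s[st->j] = si;
    return st->s[(uint8_t)(si + sj)];
}

/* Seed material in the order the log prefers: one syscall (getrandom(2) is
 * assumed here as the Linux analogue of FreeBSD's KERN_ARND sysctl), then
 * /dev/urandom opened O_CLOEXEC, and the weak time/pid mix only if both fail. */
static int arc4_fetch(uint8_t *buf, size_t len)     /* returns 0, 1 or 2: the source used */
{
    size_t got = 0;
    for (ssize_t n; got < len && (n = getrandom(buf + got, len - got, 0)) > 0; )
        got += (size_t)n;
    if (got == len) return 0;
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd >= 0) {
        for (ssize_t n; got < len && (n = read(fd, buf + got, len - got)) > 0; )
            got += (size_t)n;
        close(fd);
        if (got == len) return 1;
    }
    struct timeval tv;                      /* callers pass len >= sizeof tv + sizeof pid */
    pid_t pid = getpid();
    gettimeofday(&tv, NULL);
    memset(buf, 0, len);
    memcpy(buf, &tv, sizeof tv);
    memcpy(buf + sizeof tv, &pid, sizeof pid);
    return 2;
}

static void arc4_stir(pid_t pid)
{
    uint8_t rnd[128];                       /* the log's 128-byte rdat buffer */
    (void)arc4_fetch(rnd, sizeof rnd);
    if (!rs.stired) { for (int n = 0; n < 256; n++) rs.s[n] = (uint8_t)n; rs.i = rs.j = 0; }
    arc4_addrandom(&rs, rnd, sizeof rnd);
    memset(rnd, 0, sizeof rnd);             /* best effort; explicit_bzero where available */
    if (!rs.stired) {                       /* discard only on the very first stir */
        for (int n = 0; n < ARC4_DROP; n++) (void)rc4_byte(&rs);
        rs.stired = 1;                      /* set here, so a forced stir is not doubled */
    }
    rs.count = ARC4_RESEED;
    rs.pid = pid;
}

/* pid is a parameter rather than a getpid() call inside so that a test can
 * simulate fork(); a real arc4random_buf() would pass getpid() here. */
static void arc4_fill(uint8_t *buf, size_t n, pid_t pid)
{
    if (!rs.stired || rs.count <= 0 || rs.pid != pid) arc4_stir(pid);
    for (size_t k = 0; k < n; k++) buf[k] = rc4_byte(&rs);
    rs.count -= (long)n;                    /* charge only the bytes produced */
}
```

To see the fork behaviour for real, call arc4_fill() with getpid() once before fork() and once on each side afterwards: the child's pid differs from rs.pid, so its first call re-stirs and its bytes diverge from the parent's, whereas without the pid comparison both sides would continue the same keystream from the copied state. The time/pid fallback is kept only because the log keeps it; when both kernel sources fail, aborting is usually the safer choice than seeding from values an attacker can guess.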

# 180672 21-Jul-2008 ache

1) Update copyright notice.
2) Eliminate "struct arc4_stream *as" arg since only a single arg is
possible.
3) Set rs.j = rs.i after arc4random key schedule to be more like arc4
stream cipher.

Obtained from: OpenBSD


# 180657 21-Jul-2008 ache

Implement arc4random_buf() function

Obtained from: OpenBSD


# 180656 21-Jul-2008 ache

Decrease arc4_count only when needed and with proper bytes amount.

Obtained from: OpenBSD


# 180655 21-Jul-2008 ache

1) Set stired flag after forced initialization.
2) Increase arc4_count to the limit OpenBSD use.

Submitted by: Thorsten Glaser <tg@mirbsd.de> (1)
Obtained from: OpenBSD (2)


# 169981 25-May-2007 delphij

ANSIfy function definitions, reduces diff against OpenBSD.


# 162995 03-Oct-2006 ache

Automatically re-stir every 400000 calls

Obtained from: OpenBSD


# 127373 24-Mar-2004 green

Add locking so that arc4random(3) functions are all reentrant for
pthreads.

Submitted by: Christian S.J. Peron <maneo@bsdpro.com>


# 126180 23-Feb-2004 green

Apply style(9).

Submitted by: "Christian S.J. Peron" <maneo@bsdpro.com>
PR: bin/63283


# 125667 10-Feb-2004 cperciva

style cleanup: Remove duplicate $FreeBSD$ tags.

These files had tags at the start of the file
(incorrect, removed), and after the copyright
notices (correct).

Approved by: rwatson (mentor)


# 124741 20-Jan-2004 das

Discard the first 1024 bytes of output as suggested by
http://citeseer.nj.nec.com/fluhrer01weaknesses.html and
http://citeseer.nj.nec.com/531224.html .

PR: 61126
Submitted by: Jeff Ito <jeffi@rcn.com>


# 92986 22-Mar-2002 obrien

Fix the style of the SCM ID's.
I believe I have made all of libc .c's as consistent as possible.


# 71579 24-Jan-2001 deischen

Remove _THREAD_SAFE and make libc thread-safe by default by
adding (weak definitions to) stubs for some of the pthread
functions. If the threads library is linked in, the real
pthread functions will be pulled in.

Use the following convention for system calls wrapped by the
threads library:
__sys_foo - actual system call
_foo - weak definition to __sys_foo
foo - weak definition to __sys_foo

Change all libc uses of system calls wrapped by the threads
library from foo to _foo. In order to define the prototypes
for _foo(), we introduce namespace.h and un-namespace.h
(suggested by bde). All files that need to reference these
system calls, should include namespace.h before any standard
includes, then include un-namespace.h after the standard
includes and before any local includes. <db.h> is an exception
and shouldn't be included in between namespace.h and
un-namespace.h. namespace.h will define foo to _foo, and
un-namespace.h will undefine foo.

Try to eliminate some of the recursive calls to MT-safe
functions in libc/stdio in preparation for adding a mutex
to FILE. We have recursive mutexes, but would like to avoid
using them if possible.

Remove unneeded includes of <errno.h> from a few files.

Add $FreeBSD$ to a few files in order to pass commitprep.

Approved by: -arch


# 56698 27-Jan-2000 jasone

Simplify system call renaming. Instead of _foo() <-- _libc_foo <-- foo(),
just use _foo() <-- foo(). In the case of a libpthread that doesn't do
call conversion (such as linuxthreads and our upcoming libpthread), this
is adequate. In the case of libc_r, we still need three names, which are
now _thread_sys_foo() <-- _foo() <-- foo().

Convert all internal libc usage of: aio_suspend(), close(), fsync(), msync(),
nanosleep(), open(), fcntl(), read(), and write() to _foo() instead of foo().

Remove all internal libc usage of: creat(), pause(), sleep(), system(),
tcdrain(), wait(), and waitpid().

Make thread cancellation fully POSIX-compliant.

Suggested by: deischen


# 55837 12-Jan-2000 jasone

Add three-tier symbol naming in support of POSIX thread cancellation
points. For library functions, the pattern is __sleep() <--
_libc_sleep() <-- sleep(). The arrows represent weak aliases. For
system calls, the pattern is _read() <-- _libc_read() <-- read().


# 50476 27-Aug-1999 peter

$Id$ -> $FreeBSD$


# 26628 13-Jun-1997 ache

Add arc4random() functions from OpenBSD. They are almost the same as our
srandomdev(), but can be used inside libraries. random() can't be used
inside libraries because it breaks its possible predictable sequence.
arc4random() is true random as designed, so its usage is library-safe.
Obtained from: OpenBSD