"works for me" deraadt@

ok otto

new wording agreed by at least kettenis@ millert@ otto@

ok jsing@

ok beck@ deraadt@ jsing@ guenther@

OK benno@

Eval'ing constant expressions is not such a case.
"...fine with me" krw@

It represents the maximum time in seconds to wait for the start, stop
and reload actions to return. Defaults to "30".
No default behavior is changed.
ok beck@ sthen@ jasper@ giovanni@

ok beck@

compiled-in, with nonfunctional code, to be able to cope with the RSA
patent.
However, we don't use this option, and the RSA patent has expired more than 10
years ago, so just drop this piece.

because you care. reminded by matthew.

which had never been installed, so it's unlikely something ever used this
in the last 15~20 years.
ok deraadt@ jsing@ beck@

Since we assume the PRNG above is doing "something old, something new"
folding, shortcut and do fewer repeats through the timing loop.
ok beck

ok schwarze@

portable code path must handle that; with brent cook

improve the random stream itself (it doesn't), but to introduce
noise in the arc4random calling pattern. Thanks to matthew@ who
pointed out bias in a previous diff, ok deraadt@ matthew@

mechanism, to aid in portability to other systems as requested.
ok matthew

use the address, not what it points to (which is always the same)
ok deraadt@

ok deraadt@

by getauxval if we have it.
ok deraadt@

we are running supports it.
from enh@google.com

Ben Lovett, simpler diff from aja@

should not know anything about. Verified not to be used in ports; riding upon
the recent libcrypto major bump.

ChaCha context. Other changes will also ride this crank.

RANDOM_UUID is an enum member.

names to shorten line lengths
ok beck

artificially constrain alternative implementations. ok deraadt

Modern compiler toolchains are capable of optimizing even across
translation unit boundaries, so simply moving the memory clearing into
a separate function is not guaranteed to clear memory.
To avoid this, we take advantage of ELF weak symbol semantics, and
insert a call to an empty, weakly named function.  The semantics of
calling this function aren't determinable until load time, so the
compiler and linker need to keep the memset() call.
There are still ways a toolchain might defeat this trick (e.g.,
optimistically expecting the weak symbol to not be overloaded, and
only calling memset() if it is; promoting weak symbols to strong
symbols at link-time when emitting a static binary because they won't
be interposed; implementing load-time optimizations).  But at least
for the foreseeable future, these seem unlikely.
ok deraadt

ok deraadt@ beck@

/dev/urandom. Does well in the fallback case. Get it in tree so
it can be worked on.
ok otto@ deraadt@

Allow other non-zero return values in case we change our mind to
return an ssize_t byte count instead of simple success/fail.
ok deraadt, djm

MAP_INHERIT_ZERO anymore.  This restores arc4random's previous
behavior where fork children would mix in some randomness from the
parent process.
New behavior noticed by deraadt
ok deraadt, tedu

The extra argument doesn't hurt genuine atexit handlers and this fixes a
bug where we didn't provide the argument (effectively passing garbage) for
functions registered with __cxa_atexit in the main executable.
Pointed out by Dmitriy Ivanov <dimitry@google.com> and Elliott Hughes
<enh@google.com>.
ok matthew@