 @@ -1,153 +1,157 @@
-.\"	$NetBSD: rndctl.8,v 1.22 2014/08/10 17:13:02 wiz Exp $
+.\"	$NetBSD: rndctl.8,v 1.23 2019/12/06 14:43:18 riastradh Exp $
 .\"
 .\" Copyright (c) 1997 Michael Graff
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\" 3. The name of the author may not be used to endorse or promote products
 .\"    derived from this software without specific prior written permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 .\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 .\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 .\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .Dd August 10, 2014
 .Dt RNDCTL 8
 .Os
 .Sh NAME
 .Nm rndctl
 .Nd in-kernel random number generator management tool
 .Sh SYNOPSIS
 .Nm
 .Op Fl CcEe
 .Op Fl d Ar devname | Fl t Ar devtype
 .Nm
 .Op Fl lsv
 .Op Fl d Ar devname | Fl t Ar devtype
 .Nm
 .Fl L Ar save-file
 .Nm
 .Fl S Ar save-file
 .Sh DESCRIPTION
 The
 .Nm
 program displays statistics on the current state of the
 .Xr rnd 4
 pseudo-driver, and allows the administrator to control which sources
 are allowed to contribute to the randomness pool maintained by
 .Xr rnd 4 ,
 as well as whether a given source counts as strongly random.
 .Pp
 The following options are available:
 .Bl -tag -width 123456
 .It Fl C
 Disable collection of timing information for the given
 device name or device type.
 .It Fl c
 Enable collection of timing information for the given
 device name or device type.
 .It Fl d
 Only the device named
 .Ar devname
 is altered or displayed.
 This is mutually exclusive with
 .Fl t .
 .It Fl E
 Disable entropy estimation from the collected timing information for
 the given device name or device type.
 If collection is still enabled, timing information is still
 collected and mixed into the internal entropy pool,
 but no entropy is assumed to be present.
 .It Fl e
 Enable entropy estimation using the collected timing information
 for the given device name or device type.
 .It Fl L
 Load saved entropy from file
-.Ar save-file ,
+.Ar save-file
-which will be overwritten and deleted before the entropy is loaded into
+and overwrite it with a seed derived by hashing it together with output
-the kernel.
+from
 .Pa /dev/urandom
 so that the new seed has at least as much entropy as either the old
 seed had or the system already has.
 If interrupted, either the old seed or the new seed will be in place.
 .It Fl l
 List all sources, or, if the
 .Fl t
 or
 .Fl d
 flags are specified, only those specified by the
 .Ar devtype
 or
 .Ar devname
 specified.
 .It Fl S
 Save entropy pool to file
 .Ar save-file .
 The file format is specific to
 .Nm
 and includes an estimate of the amount of saved entropy and a checksum.
 .It Fl s
 Display statistics on the current state of the random collection pool.
 .It Fl t
 All devices of type
 .Ar devtype
 are altered or displayed.
 This is mutually exclusive with
 .Fl d .
 .Pp
 The available types are:
 .Bl -tag -width "diskx"
 .It Ic disk
 Physical hard drives.
 .It Ic net
 Network interfaces.
 .It Ic tape
 Tape devices.
 .It Ic tty
 Terminal, mouse, or other user input devices.
 .It Ic rng
 Random number generators.
 .El
 .It Fl v
 Verbose output: show entropy estimation statistics for each source.
 .El
 .Sh FILES
 .Bl -tag -width /dev/urandomx -compact
 .It Pa /dev/random
 Returns
 .Dq good
 values only.
 .It Pa /dev/urandom
 Always returns data, degenerates to a pseudo-random generator.
 .El
 .Sh SEE ALSO
 .Xr rnd 4 ,
 .Xr rnd 9
 .Sh HISTORY
 The
 .Nm
 program was first made available in
 .Nx 1.3 .
 .Sh AUTHORS
 The
 .Nm
 program was written by
 .An Michael Graff
 .Aq explorer@flame.org .
 .Sh BUGS
 Turning on entropy estimation from unsafe or predictable sources will
 weaken system security, while turning on entropy collection from such
 sources may weaken system security.
 .Pp
 Care should be taken when using this command.

 @@ -1,536 +1,656 @@
-/*	$NetBSD: rndctl.c,v 1.30 2015/04/13 22:18:50 riastradh Exp $	*/
+/*	$NetBSD: rndctl.c,v 1.31 2019/12/06 14:43:18 riastradh Exp $	*/
 /*-
  * Copyright (c) 1997 Michael Graff.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 3. Neither the name of the author nor the names of other contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
+ *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
 #include <sys/types.h>
 #include <sha1.h>
 #ifndef lint
-__RCSID("$NetBSD: rndctl.c,v 1.30 2015/04/13 22:18:50 riastradh Exp $");
+__RCSID("$NetBSD: rndctl.c,v 1.31 2019/12/06 14:43:18 riastradh Exp $");
 #endif
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/param.h>
 #include <sys/rndio.h>
 #include <sys/sha3.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <err.h>
 #include <paths.h>
 #include <string.h>
 typedef struct {
 	const char *a_name;
 	u_int32_t a_type;
 } arg_t;
 static const arg_t source_types[] = {
 	{ "???",     RND_TYPE_UNKNOWN },
 	{ "disk",    RND_TYPE_DISK },
 	{ "net",     RND_TYPE_NET },
 	{ "tape",    RND_TYPE_TAPE },
 	{ "tty",     RND_TYPE_TTY },
 	{ "rng",     RND_TYPE_RNG },
 	{ "skew",    RND_TYPE_SKEW },
 	{ "env",     RND_TYPE_ENV },
 	{ "vm",      RND_TYPE_VM },
 	{ "power",   RND_TYPE_POWER },
 	{ NULL,      0 }
 };
 __dead static void usage(void);
 static u_int32_t find_type(const char *name);
 static const char *find_name(u_int32_t);
 static void do_ioctl(rndctl_t *);
 static char * strflags(u_int32_t);
 static void do_list(int, u_int32_t, char *);
 static void do_stats(void);
 static int vflag;
 static void
 usage(void)
+{
 	fprintf(stderr, "usage: %s [-CEce] [-d devname | -t devtype]\n",
 	    getprogname());
 	fprintf(stderr, "       %s [-lsv] [-d devname | -t devtype]\n",
 	    getprogname());
 	fprintf(stderr, "	%s -[L|S] save-file\n", getprogname());
 	exit(1);
+}
 static u_int32_t
 find_type(const char *name)
+{
 	const arg_t *a;
 	a = source_types;
 	while (a->a_name != NULL) {
 		if (strcmp(a->a_name, name) == 0)
 			return (a->a_type);
 		a++;
+	}
 	errx(1, "device name %s unknown", name);
 	return (0);
+}
 static const char *
 find_name(u_int32_t type)
+{
 	const arg_t *a;
 	a = source_types;
 	while (a->a_name != NULL) {
 		if (type == a->a_type)
 			return (a->a_name);
 		a++;
+	}
 	warnx("device type %u unknown", type);
 	return ("???");
+}
 static void
-do_save(const char *const filename)
+do_save(const char *filename, const void *extra, size_t nextra,
     uint32_t extraentropy)
+{
-	int est1, est2;
+	char tmp[PATH_MAX];
-	rndpoolstat_t rp;
+	uint32_t systementropy;
 	uint8_t buf[32];
 	SHAKE128_CTX shake128;
 	rndsave_t rs;
 	SHA1_CTX s;
 	ssize_t nread, nwrit;
 	int fd;
-	fd = open(_PATH_URANDOM, O_RDONLY, 0644);
+	/* Paranoia: Avoid stack memory disclosure.  */
-	if (fd < 0) {
+	memset(&rs, 0, sizeof rs);
 		err(1, "device open");
 	if (ioctl(fd, RNDGETPOOLSTAT, &rp) < 0) {
 		err(1, "ioctl(RNDGETPOOLSTAT)");
-	est1 = rp.curentropy;
+	/* Format the temporary file name.  */
 	if (snprintf(tmp, sizeof tmp, "%s.tmp", filename) >= PATH_MAX)
 		errx(1, "path too long");
-	if (read(fd, rs.data, sizeof(rs.data)) != sizeof(rs.data)) {
+	/* Open /dev/urandom.  */
-		err(1, "entropy read");
+	if ((fd = open(_PATH_URANDOM, O_RDONLY)) == -1)
 		err(1, "device open");
-	if (ioctl(fd, RNDGETPOOLSTAT, &rp) < 0) {
+	/* Find how much entropy is in the pool.  */
-		err(1, "ioctl(RNDGETPOOLSTAT)");
+	if (ioctl(fd, RNDGETENTCNT, &systementropy) == -1)
 		err(1, "ioctl(RNDGETENTCNT)");
 	/* Read some data from /dev/urandom.  */
 	if ((size_t)(nread = read(fd, buf, sizeof buf)) != sizeof buf) {
 		if (nread == -1)
 			err(1, "read");
 		else
 			errx(1, "truncated read");
+	}
 	/* Close /dev/urandom; we're done with it.  */
 	if (close(fd) == -1)
 		warn("close");
 	fd = -1;		/* paranoia */
-	est2 = rp.curentropy;
+	/*
 	 * Hash what we read together with the extra input to generate
 	 * the seed data.
 	 */
 	SHAKE128_Init(&shake128);
 	SHAKE128_Update(&shake128, buf, sizeof buf);
 	SHAKE128_Update(&shake128, extra, nextra);
 	SHAKE128_Final(rs.data, sizeof(rs.data), &shake128);
 	explicit_memset(&shake128, 0, sizeof shake128); /* paranoia */
-	if (est1 - est2 < 0) {
+	/*
-		rs.entropy = 0;
+	 * Report an upper bound on the min-entropy of the seed data.
-	} else {
+	 * We take the larger of the system entropy and the extra
-		rs.entropy = est1 - est2;
+	 * entropy -- the system state and the extra input may or may
 	 * not be independent, so we can't add them -- and clamp to the
 	 * size of the data.
 	 */
 	systementropy = MIN(systementropy,
 	    MIN(sizeof(buf), UINT32_MAX/NBBY)*NBBY);
 	extraentropy = MIN(extraentropy, MIN(nextra, UINT32_MAX/NBBY)*NBBY);
 	rs.entropy = MIN(MAX(systementropy, extraentropy),
 	    MIN(sizeof(rs.data), UINT32_MAX/NBBY)*NBBY);
 	/*
 	 * Compute the checksum on the 32-bit entropy count, in host
 	 * byte order (XXX this means it is not portable across
 	 * different-endian platforms!), followed by the seed data.
 	 */
 	SHA1Init(&s);
-	SHA1Update(&s, (uint8_t *)&rs.entropy, sizeof(rs.entropy));
+	SHA1Update(&s, (const uint8_t *)&rs.entropy, sizeof(rs.entropy));
 	SHA1Update(&s, rs.data, sizeof(rs.data));
 	SHA1Final(rs.digest, &s);
 	explicit_memset(&s, 0, sizeof s); /* paranoia */
-	close(fd);
+	/*
-	unlink(filename);
+	 * Write it to a temporary file and sync it before we commit.
-	fd = open(filename, O_CREAT|O_EXCL|O_WRONLY, 0600);
+	 * This way either the old seed or the new seed is completely
-	if (fd < 0) {
+	 * written in the expected location on disk even if the system
-		err(1, "output open");
+	 * crashes as long as the file system doesn't get corrupted too
 	 * badly.
+	 *
-	if (write(fd, &rs, sizeof(rs)) != sizeof(rs)) {
+	 * If interrupted after this point and the temporary file is
-		unlink(filename);
+	 * disclosed, no big deal -- either the pool was predictable to
-		fsync_range(fd, FDATASYNC|FDISKSYNC, (off_t)0, (off_t)0);
+	 * begin with in which case we're hosed either way, or we've
-		err(1, "write");
+	 * just revealed some output which is not a problem.
 	 */
-	fsync_range(fd, FDATASYNC|FDISKSYNC, (off_t)0, (off_t)0);
+	if ((fd = open(tmp, O_CREAT|O_TRUNC|O_WRONLY, 0600)) == -1)
-	close(fd);
+		err(1, "open seed file to save");
 	if ((size_t)(nwrit = write(fd, &rs, sizeof rs)) != sizeof rs) {
 		int error = errno;
 		if (unlink(tmp) == -1)
 			warn("unlink");
 		if (nwrit == -1)
 			errc(1, error, "write");
 		else
 			errx(1, "truncated write");
+	}
 	explicit_memset(&rs, 0, sizeof rs); /* paranoia */
 	if (fsync_range(fd, FDATASYNC|FDISKSYNC, 0, 0) == -1) {
 		int error = errno;
 		if (unlink(tmp) == -1)
 			warn("unlink");
 		errc(1, error, "fsync_range");
+	}
 	if (close(fd) == -1)
 		warn("close");
 	/* Rename it over the original file to commit.  */
 	if (rename(tmp, filename) == -1)
 		err(1, "rename");
+}
 static void
-do_load(const char *const filename)
+do_load(const char *filename)
+{
-	int fd;
+	char tmp[PATH_MAX];
-	rndsave_t rs, rszero;
+	int fd_seed, fd_random;
 	rndsave_t rs;
 	rnddata_t rd;
 	ssize_t nread, nwrit;
 	SHA1_CTX s;
 	uint8_t digest[SHA1_DIGEST_LENGTH];
-	fd = open(filename, O_RDWR, 0600);
+	/*
-	if (fd < 0) {
+	 * The order of operations is important here:
 		err(1, "input open");
 	 * 1. Load the old seed.
 	 * 2. Feed the old seed into the kernel.
-	unlink(filename);
+	 * 3. Generate and write a new seed.
 	 * 4. Erase the old seed.
+	 *
 	 * This follows the procedure in
+	 *
 	 *	Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno,
 	 *	_Cryptography Engineering_, Wiley, 2010, Sec. 9.6.2
 	 *	`Update Seed File'.
+	 *
 	 * There is a race condition: If another process generates a
 	 * key from /dev/urandom after step (2) but before step (3),
 	 * and if the machine crashes before step (3), an adversary who
 	 * can read the disk after the crash can probably guess the
 	 * complete state of the entropy pool and thereby predict the
 	 * key.
+	 *
 	 * There's not much we can do here without some kind of
 	 * systemwide lock on /dev/urandom and without introducing an
 	 * opportunity for a crash to wipe out the entropy altogether.
 	 * To avoid this race, you should ensure that any key
 	 * generation happens _after_ `rndctl -L' has completed.
 	 */
-	if (read(fd, &rs, sizeof(rs)) != sizeof(rs)) {
+	/* Format the temporary file name.  */
-		err(1, "read");
+	if (snprintf(tmp, sizeof tmp, "%s.tmp", filename) >= PATH_MAX)
 		errx(1, "path too long");
 	/* 1. Load the old seed.  */
 	if ((fd_seed = open(filename, O_RDWR)) == -1)
 		err(1, "open seed file to load");
 	if ((size_t)(nread = read(fd_seed, &rs, sizeof rs)) != sizeof rs) {
 		if (nread == -1)
 			err(1, "read seed");
 		else
 			errx(1, "seed too short");
+	}
-	memset(&rszero, 0, sizeof(rszero));
+	/* Verify its checksum.  */
 	if (pwrite(fd, &rszero, sizeof(rszero), (off_t)0) != sizeof(rszero))
 		err(1, "overwrite");
 	fsync_range(fd, FDATASYNC|FDISKSYNC, (off_t)0, (off_t)0);
 	close(fd);
 	SHA1Init(&s);
-	SHA1Update(&s, (uint8_t *)&rs.entropy, sizeof(rs.entropy));
+	SHA1Update(&s, (const uint8_t *)&rs.entropy, sizeof(rs.entropy));
 	SHA1Update(&s, rs.data, sizeof(rs.data));
 	SHA1Final(digest, &s);
 	if (!consttime_memequal(digest, rs.digest, sizeof(digest))) {
-	if (memcmp(digest, rs.digest, sizeof(digest))) {
+		/*
-		errx(1, "bad digest");
+		 * If the checksum doesn't match, doesn't hurt to feed
 		 * the seed in anyway, but act as though it has zero
 		 * entropy in case it was corrupted with predictable
 		 * garbage.
 		 */
 		warnx("bad checksum");
 		rs.entropy = 0;
+	}
 	/* Format the ioctl request.  */
 	rd.len = MIN(sizeof(rd.data), sizeof(rs.data));
 	rd.entropy = rs.entropy;
-	memcpy(rd.data, rs.data, MIN(sizeof(rd.data), sizeof(rs.data)));
+	memcpy(rd.data, rs.data, rd.len);
 	explicit_memset(&rs, 0, sizeof rs); /* paranoia */
-	fd = open(_PATH_URANDOM, O_RDWR, 0644);
+	/* 2. Feed the old seed into the kernel.  */
-	if (fd < 0) {
+	if ((fd_random = open(_PATH_URANDOM, O_WRONLY)) == -1)
-		err(1, "device open");
+		err(1, "open /dev/urandom");
 	if (ioctl(fd_random, RNDADDDATA, &rd) == -1)
 		err(1, "RNDADDDATA");
 	if (close(fd_random) == -1)
 		warn("close /dev/urandom");
 	fd_random = -1;		/* paranoia */
-	if (ioctl(fd, RNDADDDATA, &rd) < 0) {
+	/*
-		err(1, "ioctl");
+	 * 3. Generate and write a new seed.  Note that we hash the old
 	 * seed together with whatever /dev/urandom returns in do_save.
 	 * Why?  After RNDADDDATA, the input may not be distributed
 	 * immediately to /dev/urandom.
 	 */
 	do_save(filename, rd.data, rd.len, rd.entropy);
 	explicit_memset(&rd, 0, sizeof rd); /* paranoia */
 	/*
 	 * 4. Erase the old seed.  Only effective if we're on a
 	 * fixed-address file system like ffs -- doesn't help to erase
 	 * the data on lfs, but doesn't hurt either.  No need to unlink
 	 * because do_save will have already overwritten it.
 	 */
 	memset(&rs, 0, sizeof rs);
 	if ((size_t)(nwrit = pwrite(fd_seed, &rs, sizeof rs, 0)) !=
 	    sizeof rs) {
 		if (nwrit == -1)
 			err(1, "overwrite old seed");
 		else
 			errx(1, "truncated overwrite");
+	}
-	close(fd);
+	if (fsync_range(fd_seed, FDATASYNC|FDISKSYNC, 0, 0) == -1)
 		err(1, "fsync_range");
+}
 static void
 do_ioctl(rndctl_t *rctl)
+{
 	int fd;
 	int res;
 	fd = open(_PATH_URANDOM, O_RDONLY, 0644);
 	if (fd < 0)
 		err(1, "open");
 	res = ioctl(fd, RNDCTL, rctl);
 	if (res < 0)
 		err(1, "ioctl(RNDCTL)");
 	close(fd);
+}
 static char *
 strflags(u_int32_t fl)
+{
 	static char str[512];
 	str[0] = '\0';
 	if (fl & RND_FLAG_NO_ESTIMATE)
+		;
 	else
 		strlcat(str, "estimate, ", sizeof(str));
 	if (fl & RND_FLAG_NO_COLLECT)
+		;
 	else
 		strlcat(str, "collect, ", sizeof(str));
 	if (fl & RND_FLAG_COLLECT_VALUE)
 		strlcat(str, "v, ", sizeof(str));
 	if (fl & RND_FLAG_COLLECT_TIME)
 		strlcat(str, "t, ", sizeof(str));
 	if (fl & RND_FLAG_ESTIMATE_VALUE)
 		strlcat(str, "dv, ", sizeof(str));
 	if (fl & RND_FLAG_ESTIMATE_TIME)
 		strlcat(str, "dt, ", sizeof(str));
 	if (str[strlen(str) - 2] == ',')
 		str[strlen(str) - 2] = '\0';
 	return (str);
+}
 #define HEADER "Source                 Bits Type      Flags\n"
 static void
 do_list(int all, u_int32_t type, char *name)
+{
 	rndstat_est_t rstat;
 	rndstat_est_name_t rstat_name;
 	int fd;
 	int res;
 	uint32_t i;
 	u_int32_t start;
 	fd = open(_PATH_URANDOM, O_RDONLY, 0644);
 	if (fd < 0)
 		err(1, "open");
 	if (all == 0 && type == 0xff) {
 		strncpy(rstat_name.name, name, sizeof(rstat_name.name));
 		res = ioctl(fd, RNDGETESTNAME, &rstat_name);
 		if (res < 0)
 			err(1, "ioctl(RNDGETESTNAME)");
 		printf(HEADER);
 		printf("%-16s %10u %-4s %s\n",
 		    rstat_name.source.rt.name,
 		    rstat_name.source.rt.total,
 		    find_name(rstat_name.source.rt.type),
 		    strflags(rstat_name.source.rt.flags));
 		if (vflag) {
 			printf("\tDt samples = %d\n",
 			       rstat_name.source.dt_samples);
 			printf("\tDt bits = %d\n",
 			       rstat_name.source.dt_total);
 			printf("\tDv samples = %d\n",
 				rstat_name.source.dv_samples);
 			printf("\tDv bits = %d\n",
 			       rstat_name.source.dv_total);
+		}
 		close(fd);
 		return;
+	}
 	/*
 	 * Run through all the devices present in the system, and either
 	 * print out ones that match, or print out all of them.
 	 */
 	printf(HEADER);
 	start = 0;
 	for (;;) {
 		rstat.count = RND_MAXSTATCOUNT;
 		rstat.start = start;
 		res = ioctl(fd, RNDGETESTNUM, &rstat);
 		if (res < 0)
 			err(1, "ioctl(RNDGETESTNUM)");
 		if (rstat.count == 0)
 			break;
 		for (i = 0; i < rstat.count; i++) {
 			if (all != 0 ||
 			    type == rstat.source[i].rt.type)
 				printf("%-16s %10u %-4s %s\n",
 				    rstat.source[i].rt.name,
 				    rstat.source[i].rt.total,
 				    find_name(rstat.source[i].rt.type),
 				    strflags(rstat.source[i].rt.flags));
 			if (vflag) {
 				printf("\tDt samples = %d\n",
 				       rstat.source[i].dt_samples);
 				printf("\tDt bits = %d\n",
 				       rstat.source[i].dt_total);
 				printf("\tDv samples = %d\n",
 				       rstat.source[i].dv_samples);
 				printf("\tDv bits = %d\n",
 				       rstat.source[i].dv_total);
+			}
+                }
 		start += rstat.count;
+	}
 	close(fd);
+}
 static void
 do_stats(void)
+{
 	rndpoolstat_t rs;
 	int fd;
 	fd = open(_PATH_URANDOM, O_RDONLY, 0644);
 	if (fd < 0)
 		err(1, "open");
 	if (ioctl(fd, RNDGETPOOLSTAT, &rs) < 0)
 		err(1, "ioctl(RNDGETPOOLSTAT)");
 	printf("\t%9u bits mixed into pool\n", rs.added);
 	printf("\t%9u bits currently stored in pool (max %u)\n",
 	    rs.curentropy, rs.maxentropy);
 	printf("\t%9u bits of entropy discarded due to full pool\n",
 	    rs.discarded);
 	printf("\t%9u hard-random bits generated\n", rs.removed);
 	printf("\t%9u pseudo-random bits generated\n", rs.generated);
 	close(fd);
+}
 int
 main(int argc, char **argv)
+{
 	rndctl_t rctl;
 	int ch, cmd, lflag, mflag, sflag;
 	u_int32_t type;
 	char name[16];
 	const char *filename = NULL;
 	if (SHA3_Selftest() != 0)
 		errx(1, "SHA-3 self-test failed");
 	rctl.mask = 0;
 	rctl.flags = 0;
 	cmd = 0;
 	lflag = 0;
 	mflag = 0;
 	sflag = 0;
 	type = 0xff;
 	while ((ch = getopt(argc, argv, "CES:L:celt:d:sv")) != -1) {
 		switch (ch) {
 		case 'C':
 			rctl.flags |= RND_FLAG_NO_COLLECT;
 			rctl.mask |= RND_FLAG_NO_COLLECT;
 			mflag++;
 			break;
 		case 'E':
 			rctl.flags |= RND_FLAG_NO_ESTIMATE;
 			rctl.mask |= RND_FLAG_NO_ESTIMATE;
 			mflag++;
 			break;
 		case 'L':
 			if (cmd != 0)
 				usage();
 			cmd = 'L';
 			filename = optarg;
 			break;
 		case 'S':
 			if (cmd != 0)
 				usage();
 			cmd = 'S';
 			filename = optarg;
 			break;
 		case 'c':
 			rctl.flags &= ~RND_FLAG_NO_COLLECT;
 			rctl.mask |= RND_FLAG_NO_COLLECT;
 			mflag++;
 			break;
 		case 'e':
 			rctl.flags &= ~RND_FLAG_NO_ESTIMATE;
 			rctl.mask |= RND_FLAG_NO_ESTIMATE;
 			mflag++;
 			break;
 		case 'l':
 			lflag++;
 			break;
 		case 't':
 			if (cmd != 0)
 				usage();
 			cmd = 't';
 			type = find_type(optarg);
 			break;
 		case 'd':
 			if (cmd != 0)
 				usage();
 			cmd = 'd';
 			type = 0xff;
 			strlcpy(name, optarg, sizeof(name));
 			break;
 		case 's':
 			sflag++;
 			break;
 		case 'v':
 			vflag++;
 			break;
 		case '?':
 		default:
 			usage();
+		}
+	}
 	argc -= optind;
 	argv += optind;
 	/*
 	 * No leftover non-option arguments.
 	 */
 	if (argc > 0)
 		usage();
 	/*
 	 * Save.
 	 */
 	if (cmd == 'S') {
-		do_save(filename);
+		do_save(filename, NULL, 0, 0);
 		exit(0);
+	}
 	/*
 	 * Load.
 	 */
 	if (cmd == 'L') {
 		do_load(filename);
 		exit(0);
+	}
 	/*
 	 * Cannot list and modify at the same time.
 	 */
 	if ((lflag != 0 || sflag != 0) && mflag != 0)
 		usage();
 	/*
 	 * Bomb out on no-ops.
 	 */
 	if (lflag == 0 && mflag == 0 && sflag == 0)
 		usage();
 	/*
 	 * If not listing, we need a device name or a type.
 	 */
 	if (lflag == 0 && cmd == 0 && sflag == 0)
 		usage();
 	/*
 	 * Modify request.
 	 */
 	if (mflag != 0) {
 		rctl.type = type;
 		strncpy(rctl.name, name, sizeof(rctl.name));
 		do_ioctl(&rctl);
 		exit(0);
+	}
 	/*
 	 * List sources.
 	 */
 	if (lflag != 0)
 		do_list(cmd == 0, type, name);
 	if (sflag != 0)
 		do_stats();
 	exit(0);
+}

 @@ -1,8 +1,20 @@
-#	$NetBSD: Makefile,v 1.3 2019/10/13 07:28:13 mrg Exp $
+#	$NetBSD: Makefile,v 1.4 2019/12/06 14:43:18 riastradh Exp $
 PROG=	rndctl
 MAN=	rndctl.8
 COPTS.rndctl.c+=	${GCC_NO_STRINGOP_TRUNCATION}
 SRCS+=	rndctl.c
 # Hack: libc does not export public SHA-3 symbols, so we'll just copy
 # them here statically.
 .PATH:	${NETBSDSRCDIR}/common/lib/libc/hash/sha3
 # Hack for namespace.h in sha3.c.
 CPPFLAGS+=	-I${.CURDIR}
 SRCS+=	sha3.c
 SRCS+=	keccak.c
 .include <bsd.prog.mk>