Bitcoin Core  0.20.99
P2P Digital Currency
random.cpp
Go to the documentation of this file.
1 // Copyright (c) 2009-2010 Satoshi Nakamoto
2 // Copyright (c) 2009-2020 The Bitcoin Core developers
3 // Distributed under the MIT software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 
6 #include <random.h>
7 
8 #include <compat/cpuid.h>
9 #include <crypto/sha256.h>
10 #include <crypto/sha512.h>
11 #include <support/cleanse.h>
12 #ifdef WIN32
13 #include <compat.h> // for Windows API
14 #include <wincrypt.h>
15 #endif
16 #include <logging.h> // for LogPrintf()
17 #include <randomenv.h>
19 #include <sync.h> // for Mutex
20 #include <util/time.h> // for GetTimeMicros()
21 
22 #include <stdlib.h>
23 #include <thread>
24 
25 #ifndef WIN32
26 #include <fcntl.h>
27 #include <sys/time.h>
28 #endif
29 
30 #ifdef HAVE_SYS_GETRANDOM
31 #include <sys/syscall.h>
32 #include <linux/random.h>
33 #endif
34 #if defined(HAVE_GETENTROPY) || (defined(HAVE_GETENTROPY_RAND) && defined(MAC_OSX))
35 #include <unistd.h>
36 #endif
37 #if defined(HAVE_GETENTROPY_RAND) && defined(MAC_OSX)
38 #include <sys/random.h>
39 #endif
40 #ifdef HAVE_SYSCTL_ARND
41 #include <util/strencodings.h> // for ARRAYLEN
42 #include <sys/sysctl.h>
43 #endif
44 
45 [[noreturn]] static void RandFailure()
46 {
47  LogPrintf("Failed to read randomness, aborting\n");
48  std::abort();
49 }
50 
51 static inline int64_t GetPerformanceCounter() noexcept
52 {
53  // Read the hardware time stamp counter when available.
54  // See https://en.wikipedia.org/wiki/Time_Stamp_Counter for more information.
55 #if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_X64))
56  return __rdtsc();
57 #elif !defined(_MSC_VER) && defined(__i386__)
58  uint64_t r = 0;
59  __asm__ volatile ("rdtsc" : "=A"(r)); // Constrain the r variable to the eax:edx pair.
60  return r;
61 #elif !defined(_MSC_VER) && (defined(__x86_64__) || defined(__amd64__))
62  uint64_t r1 = 0, r2 = 0;
63  __asm__ volatile ("rdtsc" : "=a"(r1), "=d"(r2)); // Constrain r1 to rax and r2 to rdx.
64  return (r2 << 32) | r1;
65 #else
66  // Fall back to using C++11 clock (usually microsecond or nanosecond precision)
67  return std::chrono::high_resolution_clock::now().time_since_epoch().count();
68 #endif
69 }
70 
71 #ifdef HAVE_GETCPUID
72 static bool g_rdrand_supported = false;
73 static bool g_rdseed_supported = false;
74 static constexpr uint32_t CPUID_F1_ECX_RDRAND = 0x40000000;
75 static constexpr uint32_t CPUID_F7_EBX_RDSEED = 0x00040000;
76 #ifdef bit_RDRND
77 static_assert(CPUID_F1_ECX_RDRAND == bit_RDRND, "Unexpected value for bit_RDRND");
78 #endif
79 #ifdef bit_RDSEED
80 static_assert(CPUID_F7_EBX_RDSEED == bit_RDSEED, "Unexpected value for bit_RDSEED");
81 #endif
82 
83 static void InitHardwareRand()
84 {
85  uint32_t eax, ebx, ecx, edx;
86  GetCPUID(1, 0, eax, ebx, ecx, edx);
87  if (ecx & CPUID_F1_ECX_RDRAND) {
88  g_rdrand_supported = true;
89  }
90  GetCPUID(7, 0, eax, ebx, ecx, edx);
91  if (ebx & CPUID_F7_EBX_RDSEED) {
92  g_rdseed_supported = true;
93  }
94 }
95 
96 static void ReportHardwareRand()
97 {
98  // This must be done in a separate function, as InitHardwareRand() may be indirectly called
99  // from global constructors, before logging is initialized.
100  if (g_rdseed_supported) {
101  LogPrintf("Using RdSeed as additional entropy source\n");
102  }
103  if (g_rdrand_supported) {
104  LogPrintf("Using RdRand as an additional entropy source\n");
105  }
106 }
107 
112 static uint64_t GetRdRand() noexcept
113 {
114  // RdRand may very rarely fail. Invoke it up to 10 times in a loop to reduce this risk.
115 #ifdef __i386__
116  uint8_t ok;
117  // Initialize to 0 to silence a compiler warning that r1 or r2 may be used
118  // uninitialized. Even if rdrand fails (!ok) it will set the output to 0,
119  // but there is no way that the compiler could know that.
120  uint32_t r1 = 0, r2 = 0;
121  for (int i = 0; i < 10; ++i) {
122  __asm__ volatile (".byte 0x0f, 0xc7, 0xf0; setc %1" : "=a"(r1), "=q"(ok) :: "cc"); // rdrand %eax
123  if (ok) break;
124  }
125  for (int i = 0; i < 10; ++i) {
126  __asm__ volatile (".byte 0x0f, 0xc7, 0xf0; setc %1" : "=a"(r2), "=q"(ok) :: "cc"); // rdrand %eax
127  if (ok) break;
128  }
129  return (((uint64_t)r2) << 32) | r1;
130 #elif defined(__x86_64__) || defined(__amd64__)
131  uint8_t ok;
132  uint64_t r1 = 0; // See above why we initialize to 0.
133  for (int i = 0; i < 10; ++i) {
134  __asm__ volatile (".byte 0x48, 0x0f, 0xc7, 0xf0; setc %1" : "=a"(r1), "=q"(ok) :: "cc"); // rdrand %rax
135  if (ok) break;
136  }
137  return r1;
138 #else
139 #error "RdRand is only supported on x86 and x86_64"
140 #endif
141 }
142 
147 static uint64_t GetRdSeed() noexcept
148 {
149  // RdSeed may fail when the HW RNG is overloaded. Loop indefinitely until enough entropy is gathered,
150  // but pause after every failure.
151 #ifdef __i386__
152  uint8_t ok;
153  uint32_t r1, r2;
154  do {
155  __asm__ volatile (".byte 0x0f, 0xc7, 0xf8; setc %1" : "=a"(r1), "=q"(ok) :: "cc"); // rdseed %eax
156  if (ok) break;
157  __asm__ volatile ("pause");
158  } while(true);
159  do {
160  __asm__ volatile (".byte 0x0f, 0xc7, 0xf8; setc %1" : "=a"(r2), "=q"(ok) :: "cc"); // rdseed %eax
161  if (ok) break;
162  __asm__ volatile ("pause");
163  } while(true);
164  return (((uint64_t)r2) << 32) | r1;
165 #elif defined(__x86_64__) || defined(__amd64__)
166  uint8_t ok;
167  uint64_t r1;
168  do {
169  __asm__ volatile (".byte 0x48, 0x0f, 0xc7, 0xf8; setc %1" : "=a"(r1), "=q"(ok) :: "cc"); // rdseed %rax
170  if (ok) break;
171  __asm__ volatile ("pause");
172  } while(true);
173  return r1;
174 #else
175 #error "RdSeed is only supported on x86 and x86_64"
176 #endif
177 }
178 
179 #else
180 /* Access to other hardware random number generators could be added here later,
181  * assuming it is sufficiently fast (in the order of a few hundred CPU cycles).
182  * Slower sources should probably be invoked separately, and/or only from
183  * RandAddPeriodic (which is called once a minute).
184  */
185 static void InitHardwareRand() {}
186 static void ReportHardwareRand() {}
187 #endif
188 
190 static void SeedHardwareFast(CSHA512& hasher) noexcept {
191 #if defined(__x86_64__) || defined(__amd64__) || defined(__i386__)
192  if (g_rdrand_supported) {
193  uint64_t out = GetRdRand();
194  hasher.Write((const unsigned char*)&out, sizeof(out));
195  return;
196  }
197 #endif
198 }
199 
201 static void SeedHardwareSlow(CSHA512& hasher) noexcept {
202 #if defined(__x86_64__) || defined(__amd64__) || defined(__i386__)
203  // When we want 256 bits of entropy, prefer RdSeed over RdRand, as it's
204  // guaranteed to produce independent randomness on every call.
205  if (g_rdseed_supported) {
206  for (int i = 0; i < 4; ++i) {
207  uint64_t out = GetRdSeed();
208  hasher.Write((const unsigned char*)&out, sizeof(out));
209  }
210  return;
211  }
212  // When falling back to RdRand, XOR the result of 1024 results.
213  // This guarantees a reseeding occurs between each.
214  if (g_rdrand_supported) {
215  for (int i = 0; i < 4; ++i) {
216  uint64_t out = 0;
217  for (int j = 0; j < 1024; ++j) out ^= GetRdRand();
218  hasher.Write((const unsigned char*)&out, sizeof(out));
219  }
220  return;
221  }
222 #endif
223 }
224 
226 static void Strengthen(const unsigned char (&seed)[32], int microseconds, CSHA512& hasher) noexcept
227 {
228  CSHA512 inner_hasher;
229  inner_hasher.Write(seed, sizeof(seed));
230 
231  // Hash loop
232  unsigned char buffer[64];
233  int64_t stop = GetTimeMicros() + microseconds;
234  do {
235  for (int i = 0; i < 1000; ++i) {
236  inner_hasher.Finalize(buffer);
237  inner_hasher.Reset();
238  inner_hasher.Write(buffer, sizeof(buffer));
239  }
240  // Benchmark operation and feed it into outer hasher.
241  int64_t perf = GetPerformanceCounter();
242  hasher.Write((const unsigned char*)&perf, sizeof(perf));
243  } while (GetTimeMicros() < stop);
244 
245  // Produce output from inner state and feed it to outer hasher.
246  inner_hasher.Finalize(buffer);
247  hasher.Write(buffer, sizeof(buffer));
248  // Try to clean up.
249  inner_hasher.Reset();
250  memory_cleanse(buffer, sizeof(buffer));
251 }
252 
253 #ifndef WIN32
254 
257 static void GetDevURandom(unsigned char *ent32)
258 {
259  int f = open("/dev/urandom", O_RDONLY);
260  if (f == -1) {
261  RandFailure();
262  }
263  int have = 0;
264  do {
265  ssize_t n = read(f, ent32 + have, NUM_OS_RANDOM_BYTES - have);
266  if (n <= 0 || n + have > NUM_OS_RANDOM_BYTES) {
267  close(f);
268  RandFailure();
269  }
270  have += n;
271  } while (have < NUM_OS_RANDOM_BYTES);
272  close(f);
273 }
274 #endif
275 
277 void GetOSRand(unsigned char *ent32)
278 {
279 #if defined(WIN32)
280  HCRYPTPROV hProvider;
281  int ret = CryptAcquireContextW(&hProvider, nullptr, nullptr, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT);
282  if (!ret) {
283  RandFailure();
284  }
285  ret = CryptGenRandom(hProvider, NUM_OS_RANDOM_BYTES, ent32);
286  if (!ret) {
287  RandFailure();
288  }
289  CryptReleaseContext(hProvider, 0);
290 #elif defined(HAVE_SYS_GETRANDOM)
291  /* Linux. From the getrandom(2) man page:
292  * "If the urandom source has been initialized, reads of up to 256 bytes
293  * will always return as many bytes as requested and will not be
294  * interrupted by signals."
295  */
296  int rv = syscall(SYS_getrandom, ent32, NUM_OS_RANDOM_BYTES, 0);
297  if (rv != NUM_OS_RANDOM_BYTES) {
298  if (rv < 0 && errno == ENOSYS) {
299  /* Fallback for kernel <3.17: the return value will be -1 and errno
300  * ENOSYS if the syscall is not available, in that case fall back
301  * to /dev/urandom.
302  */
303  GetDevURandom(ent32);
304  } else {
305  RandFailure();
306  }
307  }
308 #elif defined(HAVE_GETENTROPY) && defined(__OpenBSD__)
309  /* On OpenBSD this can return up to 256 bytes of entropy, will return an
310  * error if more are requested.
311  * The call cannot return less than the requested number of bytes.
312  getentropy is explicitly limited to openbsd here, as a similar (but not
313  the same) function may exist on other platforms via glibc.
314  */
315  if (getentropy(ent32, NUM_OS_RANDOM_BYTES) != 0) {
316  RandFailure();
317  }
318 #elif defined(HAVE_GETENTROPY_RAND) && defined(MAC_OSX)
319  /* getentropy() is available on macOS 10.12 and later.
320  */
321  if (getentropy(ent32, NUM_OS_RANDOM_BYTES) != 0) {
322  RandFailure();
323  }
324 #elif defined(HAVE_SYSCTL_ARND)
325  /* FreeBSD, NetBSD and similar. It is possible for the call to return less
326  * bytes than requested, so need to read in a loop.
327  */
328  static int name[2] = {CTL_KERN, KERN_ARND};
329  int have = 0;
330  do {
331  size_t len = NUM_OS_RANDOM_BYTES - have;
332  if (sysctl(name, ARRAYLEN(name), ent32 + have, &len, nullptr, 0) != 0) {
333  RandFailure();
334  }
335  have += len;
336  } while (have < NUM_OS_RANDOM_BYTES);
337 #else
338  /* Fall back to /dev/urandom if there is no specific method implemented to
339  * get system entropy for this OS.
340  */
341  GetDevURandom(ent32);
342 #endif
343 }
344 
345 namespace {
346 
347 class RNGState {
348  Mutex m_mutex;
349  /* The RNG state consists of 256 bits of entropy, taken from the output of
350  * one operation's SHA512 output, and fed as input to the next one.
351  * Carrying 256 bits of entropy should be sufficient to guarantee
352  * unpredictability as long as any entropy source was ever unpredictable
353  * to an attacker. To protect against situations where an attacker might
354  * observe the RNG's state, fresh entropy is always mixed when
355  * GetStrongRandBytes is called.
356  */
357  unsigned char m_state[32] GUARDED_BY(m_mutex) = {0};
358  uint64_t m_counter GUARDED_BY(m_mutex) = 0;
359  bool m_strongly_seeded GUARDED_BY(m_mutex) = false;
360 
361  Mutex m_events_mutex;
362  CSHA256 m_events_hasher GUARDED_BY(m_events_mutex);
363 
364 public:
365  RNGState() noexcept
366  {
368  }
369 
370  ~RNGState()
371  {
372  }
373 
374  void AddEvent(uint32_t event_info) noexcept
375  {
376  LOCK(m_events_mutex);
377 
378  m_events_hasher.Write((const unsigned char *)&event_info, sizeof(event_info));
379  // Get the low four bytes of the performance counter. This translates to roughly the
380  // subsecond part.
381  uint32_t perfcounter = (GetPerformanceCounter() & 0xffffffff);
382  m_events_hasher.Write((const unsigned char*)&perfcounter, sizeof(perfcounter));
383  }
384 
388  void SeedEvents(CSHA512& hasher) noexcept
389  {
390  // We use only SHA256 for the events hashing to get the ASM speedups we have for SHA256,
391  // since we want it to be fast as network peers may be able to trigger it repeatedly.
392  LOCK(m_events_mutex);
393 
394  unsigned char events_hash[32];
395  m_events_hasher.Finalize(events_hash);
396  hasher.Write(events_hash, 32);
397 
398  // Re-initialize the hasher with the finalized state to use later.
399  m_events_hasher.Reset();
400  m_events_hasher.Write(events_hash, 32);
401  }
402 
407  bool MixExtract(unsigned char* out, size_t num, CSHA512&& hasher, bool strong_seed) noexcept
408  {
409  assert(num <= 32);
410  unsigned char buf[64];
411  static_assert(sizeof(buf) == CSHA512::OUTPUT_SIZE, "Buffer needs to have hasher's output size");
412  bool ret;
413  {
414  LOCK(m_mutex);
415  ret = (m_strongly_seeded |= strong_seed);
416  // Write the current state of the RNG into the hasher
417  hasher.Write(m_state, 32);
418  // Write a new counter number into the state
419  hasher.Write((const unsigned char*)&m_counter, sizeof(m_counter));
420  ++m_counter;
421  // Finalize the hasher
422  hasher.Finalize(buf);
423  // Store the last 32 bytes of the hash output as new RNG state.
424  memcpy(m_state, buf + 32, 32);
425  }
426  // If desired, copy (up to) the first 32 bytes of the hash output as output.
427  if (num) {
428  assert(out != nullptr);
429  memcpy(out, buf, num);
430  }
431  // Best effort cleanup of internal state
432  hasher.Reset();
433  memory_cleanse(buf, 64);
434  return ret;
435  }
436 };
437 
438 RNGState& GetRNGState() noexcept
439 {
440  // This C++11 idiom relies on the guarantee that static variable are initialized
441  // on first call, even when multiple parallel calls are permitted.
442  static std::vector<RNGState, secure_allocator<RNGState>> g_rng(1);
443  return g_rng[0];
444 }
445 }
446 
447 /* A note on the use of noexcept in the seeding functions below:
448  *
449  * None of the RNG code should ever throw any exception.
450  */
451 
452 static void SeedTimestamp(CSHA512& hasher) noexcept
453 {
454  int64_t perfcounter = GetPerformanceCounter();
455  hasher.Write((const unsigned char*)&perfcounter, sizeof(perfcounter));
456 }
457 
458 static void SeedFast(CSHA512& hasher) noexcept
459 {
460  unsigned char buffer[32];
461 
462  // Stack pointer to indirectly commit to thread/callstack
463  const unsigned char* ptr = buffer;
464  hasher.Write((const unsigned char*)&ptr, sizeof(ptr));
465 
466  // Hardware randomness is very fast when available; use it always.
467  SeedHardwareFast(hasher);
468 
469  // High-precision timestamp
470  SeedTimestamp(hasher);
471 }
472 
473 static void SeedSlow(CSHA512& hasher, RNGState& rng) noexcept
474 {
475  unsigned char buffer[32];
476 
477  // Everything that the 'fast' seeder includes
478  SeedFast(hasher);
479 
480  // OS randomness
481  GetOSRand(buffer);
482  hasher.Write(buffer, sizeof(buffer));
483 
484  // Add the events hasher into the mix
485  rng.SeedEvents(hasher);
486 
487  // High-precision timestamp.
488  //
489  // Note that we also commit to a timestamp in the Fast seeder, so we indirectly commit to a
490  // benchmark of all the entropy gathering sources in this function).
491  SeedTimestamp(hasher);
492 }
493 
495 static void SeedStrengthen(CSHA512& hasher, RNGState& rng, int microseconds) noexcept
496 {
497  // Generate 32 bytes of entropy from the RNG, and a copy of the entropy already in hasher.
498  unsigned char strengthen_seed[32];
499  rng.MixExtract(strengthen_seed, sizeof(strengthen_seed), CSHA512(hasher), false);
500  // Strengthen the seed, and feed it into hasher.
501  Strengthen(strengthen_seed, microseconds, hasher);
502 }
503 
504 static void SeedPeriodic(CSHA512& hasher, RNGState& rng) noexcept
505 {
506  // Everything that the 'fast' seeder includes
507  SeedFast(hasher);
508 
509  // High-precision timestamp
510  SeedTimestamp(hasher);
511 
512  // Add the events hasher into the mix
513  rng.SeedEvents(hasher);
514 
515  // Dynamic environment data (performance monitoring, ...)
516  auto old_size = hasher.Size();
517  RandAddDynamicEnv(hasher);
518  LogPrint(BCLog::RAND, "Feeding %i bytes of dynamic environment data into RNG\n", hasher.Size() - old_size);
519 
520  // Strengthen for 10 ms
521  SeedStrengthen(hasher, rng, 10000);
522 }
523 
524 static void SeedStartup(CSHA512& hasher, RNGState& rng) noexcept
525 {
526  // Gather 256 bits of hardware randomness, if available
527  SeedHardwareSlow(hasher);
528 
529  // Everything that the 'slow' seeder includes.
530  SeedSlow(hasher, rng);
531 
532  // Dynamic environment data (performance monitoring, ...)
533  auto old_size = hasher.Size();
534  RandAddDynamicEnv(hasher);
535 
536  // Static environment data
537  RandAddStaticEnv(hasher);
538  LogPrint(BCLog::RAND, "Feeding %i bytes of environment data into RNG\n", hasher.Size() - old_size);
539 
540  // Strengthen for 100 ms
541  SeedStrengthen(hasher, rng, 100000);
542 }
543 
544 enum class RNGLevel {
545  FAST,
546  SLOW,
547  PERIODIC,
548 };
549 
550 static void ProcRand(unsigned char* out, int num, RNGLevel level) noexcept
551 {
552  // Make sure the RNG is initialized first (as all Seed* function possibly need hwrand to be available).
553  RNGState& rng = GetRNGState();
554 
555  assert(num <= 32);
556 
557  CSHA512 hasher;
558  switch (level) {
559  case RNGLevel::FAST:
560  SeedFast(hasher);
561  break;
562  case RNGLevel::SLOW:
563  SeedSlow(hasher, rng);
564  break;
565  case RNGLevel::PERIODIC:
566  SeedPeriodic(hasher, rng);
567  break;
568  }
569 
570  // Combine with and update state
571  if (!rng.MixExtract(out, num, std::move(hasher), false)) {
572  // On the first invocation, also seed with SeedStartup().
573  CSHA512 startup_hasher;
574  SeedStartup(startup_hasher, rng);
575  rng.MixExtract(out, num, std::move(startup_hasher), true);
576  }
577 }
578 
579 void GetRandBytes(unsigned char* buf, int num) noexcept { ProcRand(buf, num, RNGLevel::FAST); }
580 void GetStrongRandBytes(unsigned char* buf, int num) noexcept { ProcRand(buf, num, RNGLevel::SLOW); }
581 void RandAddPeriodic() noexcept { ProcRand(nullptr, 0, RNGLevel::PERIODIC); }
582 void RandAddEvent(const uint32_t event_info) noexcept { GetRNGState().AddEvent(event_info); }
583 
585 
586 uint64_t GetRand(uint64_t nMax) noexcept
587 {
589 }
590 
591 int GetRandInt(int nMax) noexcept
592 {
593  return GetRand(nMax);
594 }
595 
597 {
598  uint256 hash;
599  GetRandBytes((unsigned char*)&hash, sizeof(hash));
600  return hash;
601 }
602 
604 {
605  uint256 seed = GetRandHash();
606  rng.SetKey(seed.begin(), 32);
607  requires_seed = false;
608 }
609 
611 {
612  if (bytebuf_size < 32) {
613  FillByteBuffer();
614  }
615  uint256 ret;
616  memcpy(ret.begin(), bytebuf + 64 - bytebuf_size, 32);
617  bytebuf_size -= 32;
618  return ret;
619 }
620 
621 std::vector<unsigned char> FastRandomContext::randbytes(size_t len)
622 {
623  if (requires_seed) RandomSeed();
624  std::vector<unsigned char> ret(len);
625  if (len > 0) {
626  rng.Keystream(&ret[0], len);
627  }
628  return ret;
629 }
630 
631 FastRandomContext::FastRandomContext(const uint256& seed) noexcept : requires_seed(false), bytebuf_size(0), bitbuf_size(0)
632 {
633  rng.SetKey(seed.begin(), 32);
634 }
635 
637 {
638  uint64_t start = GetPerformanceCounter();
639 
640  /* This does not measure the quality of randomness, but it does test that
641  * GetOSRand() overwrites all 32 bytes of the output given a maximum
642  * number of tries.
643  */
644  static const ssize_t MAX_TRIES = 1024;
645  uint8_t data[NUM_OS_RANDOM_BYTES];
646  bool overwritten[NUM_OS_RANDOM_BYTES] = {}; /* Tracks which bytes have been overwritten at least once */
647  int num_overwritten;
648  int tries = 0;
649  /* Loop until all bytes have been overwritten at least once, or max number tries reached */
650  do {
651  memset(data, 0, NUM_OS_RANDOM_BYTES);
652  GetOSRand(data);
653  for (int x=0; x < NUM_OS_RANDOM_BYTES; ++x) {
654  overwritten[x] |= (data[x] != 0);
655  }
656 
657  num_overwritten = 0;
658  for (int x=0; x < NUM_OS_RANDOM_BYTES; ++x) {
659  if (overwritten[x]) {
660  num_overwritten += 1;
661  }
662  }
663 
664  tries += 1;
665  } while (num_overwritten < NUM_OS_RANDOM_BYTES && tries < MAX_TRIES);
666  if (num_overwritten != NUM_OS_RANDOM_BYTES) return false; /* If this failed, bailed out after too many tries */
667 
668  // Check that GetPerformanceCounter increases at least during a GetOSRand() call + 1ms sleep.
669  std::this_thread::sleep_for(std::chrono::milliseconds(1));
670  uint64_t stop = GetPerformanceCounter();
671  if (stop == start) return false;
672 
673  // We called GetPerformanceCounter. Use it as entropy.
674  CSHA512 to_add;
675  to_add.Write((const unsigned char*)&start, sizeof(start));
676  to_add.Write((const unsigned char*)&stop, sizeof(stop));
677  GetRNGState().MixExtract(nullptr, 0, std::move(to_add), false);
678 
679  return true;
680 }
681 
682 FastRandomContext::FastRandomContext(bool fDeterministic) noexcept : requires_seed(!fDeterministic), bytebuf_size(0), bitbuf_size(0)
683 {
684  if (!fDeterministic) {
685  return;
686  }
687  uint256 seed;
688  rng.SetKey(seed.begin(), 32);
689 }
690 
692 {
693  requires_seed = from.requires_seed;
694  rng = from.rng;
695  std::copy(std::begin(from.bytebuf), std::end(from.bytebuf), std::begin(bytebuf));
696  bytebuf_size = from.bytebuf_size;
697  bitbuf = from.bitbuf;
698  bitbuf_size = from.bitbuf_size;
699  from.requires_seed = true;
700  from.bytebuf_size = 0;
701  from.bitbuf_size = 0;
702  return *this;
703 }
704 
706 {
707  // Invoke RNG code to trigger initialization (if not already performed)
708  ProcRand(nullptr, 0, RNGLevel::FAST);
709 
711 }
static const int NUM_OS_RANDOM_BYTES
Definition: random.h:248
void RandomInit()
Initialize global RNG state and log any CPU features that are used.
Definition: random.cpp:705
void GetOSRand(unsigned char *ent32)
Get 32 bytes of system entropy.
Definition: random.cpp:277
void RandAddEvent(const uint32_t event_info) noexcept
Gathers entropy from the low bits of the time at which events occur.
Definition: random.cpp:582
uint64_t GetRand(uint64_t nMax) noexcept
Generate a uniform random integer in the range [0..range).
Definition: random.cpp:586
#define LogPrint(category,...)
Definition: logging.h:182
FastRandomContext & operator=(const FastRandomContext &)=delete
uint256 GetRandHash() noexcept
Definition: random.cpp:596
static void SeedHardwareSlow(CSHA512 &hasher) noexcept
Add 256 bits of entropy gathered from hardware to hasher.
Definition: random.cpp:201
#define ARRAYLEN(array)
Utilities for converting data from/to strings.
Definition: strencodings.h:19
static void ProcRand(unsigned char *out, int num, RNGLevel level) noexcept
Definition: random.cpp:550
static void GetDevURandom(unsigned char *ent32)
Fallback: get 32 bytes of system entropy from /dev/urandom.
Definition: random.cpp:257
uint256 rand256() noexcept
generate a random uint256.
Definition: random.cpp:610
static void LogPrintf(const char *fmt, const Args &... args)
Definition: logging.h:166
void RandAddPeriodic() noexcept
Gather entropy from various expensive sources, and feed them to the PRNG state.
Definition: random.cpp:581
void GetRandBytes(unsigned char *buf, int num) noexcept
Overall design of the RNG and entropy sources.
Definition: random.cpp:579
FastRandomContext(bool fDeterministic=false) noexcept
Definition: random.cpp:682
static void Strengthen(const unsigned char(&seed)[32], int microseconds, CSHA512 &hasher) noexcept
Use repeated SHA512 to strengthen the randomness in seed32, and feed into hasher. ...
Definition: random.cpp:226
static void SeedStrengthen(CSHA512 &hasher, RNGState &rng, int microseconds) noexcept
Extract entropy from rng, strengthen it, and feed it into hasher.
Definition: random.cpp:495
unsigned char * begin()
Definition: uint256.h:54
Called by RandAddPeriodic()
void Finalize(unsigned char hash[OUTPUT_SIZE])
Definition: sha512.cpp:185
RNGLevel
Definition: random.cpp:544
static void SeedFast(CSHA512 &hasher) noexcept
Definition: random.cpp:458
static void RandFailure()
Definition: random.cpp:45
void memory_cleanse(void *ptr, size_t len)
Secure overwrite a buffer (possibly containing secret data) with zero-bytes.
Definition: cleanse.cpp:14
void GetStrongRandBytes(unsigned char *buf, int num) noexcept
Gather entropy from various sources, feed it into the internal PRNG, and generate random data using i...
Definition: random.cpp:580
#define LOCK(cs)
Definition: sync.h:226
const char * name
Definition: rest.cpp:41
Fast randomness source.
Definition: random.h:119
CSHA512 & Reset()
Definition: sha512.cpp:202
static void SeedStartup(CSHA512 &hasher, RNGState &rng) noexcept
Definition: random.cpp:524
void RandomSeed()
Definition: random.cpp:603
Automatically called by GetStrongRandBytes.
static constexpr size_t OUTPUT_SIZE
Definition: sha512.h:20
static void SeedPeriodic(CSHA512 &hasher, RNGState &rng) noexcept
Definition: random.cpp:504
int64_t GetTimeMicros()
Returns the system time (not mockable)
Definition: time.cpp:65
bool requires_seed
Definition: random.h:122
256-bit opaque blob.
Definition: uint256.h:120
Automatically called by GetRandBytes.
static void ReportHardwareRand()
Definition: random.cpp:186
static void SeedSlow(CSHA512 &hasher, RNGState &rng) noexcept
Definition: random.cpp:473
void * memcpy(void *a, const void *b, size_t c)
CSHA512 & Write(const unsigned char *data, size_t len)
Definition: sha512.cpp:159
#define GUARDED_BY(x)
Definition: threadsafety.h:40
A hasher class for SHA-512.
Definition: sha512.h:12
bool g_mock_deterministic_tests
Definition: random.cpp:584
static void SeedHardwareFast(CSHA512 &hasher) noexcept
Add 64 bits of entropy gathered from hardware to hasher.
Definition: random.cpp:190
A hasher class for SHA-256.
Definition: sha256.h:13
void RandAddStaticEnv(CSHA512 &hasher)
Gather non-cryptographic environment data that does not change over time.
Definition: randomenv.cpp:306
int GetRandInt(int nMax) noexcept
Definition: random.cpp:591
bool Random_SanityCheck()
Check that OS randomness is available and returning the requested number of bytes.
Definition: random.cpp:636
static void InitHardwareRand()
Definition: random.cpp:185
uint64_t randrange(uint64_t range) noexcept
Generate a random integer in the range [0..range).
Definition: random.h:190
std::vector< unsigned char > randbytes(size_t len)
Generate random bytes.
Definition: random.cpp:621
UniValue stop(const JSONRPCRequest &jsonRequest)
Definition: server.cpp:157
static int64_t GetPerformanceCounter() noexcept
Definition: random.cpp:51
static void SeedTimestamp(CSHA512 &hasher) noexcept
Definition: random.cpp:452
void RandAddDynamicEnv(CSHA512 &hasher)
Gather non-cryptographic environment data that changes over time.
Definition: randomenv.cpp:225