Bitcoin Core 29.99.0
P2P Digital Currency
random.cpp
Go to the documentation of this file.
1// Copyright (c) 2009-2010 Satoshi Nakamoto
2// Copyright (c) 2009-present The Bitcoin Core developers
3// Distributed under the MIT software license, see the accompanying
4// file COPYING or http://www.opensource.org/licenses/mit-license.php.
5
6#include <bitcoin-build-config.h> // IWYU pragma: keep
7
8#include <random.h>
9
10#include <compat/compat.h>
11#include <compat/cpuid.h>
12#include <crypto/chacha20.h>
13#include <crypto/sha256.h>
14#include <crypto/sha512.h>
15#include <logging.h>
16#include <randomenv.h>
17#include <span.h>
19#include <support/cleanse.h>
20#include <sync.h>
21#include <util/time.h>
22
23#include <array>
24#include <cmath>
25#include <cstdlib>
26#include <optional>
27#include <thread>
28
29#ifdef WIN32
30#include <bcrypt.h>
31#else
32#include <fcntl.h>
33#include <sys/time.h>
34#endif
35
36#if defined(HAVE_GETRANDOM) || (defined(HAVE_GETENTROPY_RAND) && defined(__APPLE__))
37#include <sys/random.h>
38#endif
39
40#ifdef HAVE_SYSCTL_ARND
41#include <sys/sysctl.h>
42#endif
43
44namespace {
45
46/* Number of random bytes returned by GetOSRand.
47 * When changing this constant make sure to change all call sites, and make
48 * sure that the underlying OS APIs for all platforms support the number.
49 * (many cap out at 256 bytes).
50 */
51static const int NUM_OS_RANDOM_BYTES = 32;
52
53
54[[noreturn]] void RandFailure()
55{
56 LogError("Failed to read randomness, aborting\n");
57 std::abort();
58}
59
60inline int64_t GetPerformanceCounter() noexcept
61{
62 // Read the hardware time stamp counter when available.
63 // See https://en.wikipedia.org/wiki/Time_Stamp_Counter for more information.
64#if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_X64))
65 return __rdtsc();
66#elif !defined(_MSC_VER) && defined(__i386__)
67 uint64_t r = 0;
68 __asm__ volatile ("rdtsc" : "=A"(r)); // Constrain the r variable to the eax:edx pair.
69 return r;
70#elif !defined(_MSC_VER) && (defined(__x86_64__) || defined(__amd64__))
71 uint64_t r1 = 0, r2 = 0;
72 __asm__ volatile ("rdtsc" : "=a"(r1), "=d"(r2)); // Constrain r1 to rax and r2 to rdx.
73 return (r2 << 32) | r1;
74#else
75 // Fall back to using standard library clock (usually microsecond or nanosecond precision)
76 return std::chrono::high_resolution_clock::now().time_since_epoch().count();
77#endif
78}
79
80#ifdef HAVE_GETCPUID
81bool g_rdrand_supported = false;
82bool g_rdseed_supported = false;
83constexpr uint32_t CPUID_F1_ECX_RDRAND = 0x40000000;
84constexpr uint32_t CPUID_F7_EBX_RDSEED = 0x00040000;
85#ifdef bit_RDRND
86static_assert(CPUID_F1_ECX_RDRAND == bit_RDRND, "Unexpected value for bit_RDRND");
87#endif
88#ifdef bit_RDSEED
89static_assert(CPUID_F7_EBX_RDSEED == bit_RDSEED, "Unexpected value for bit_RDSEED");
90#endif
91
92void InitHardwareRand()
93{
94 uint32_t eax, ebx, ecx, edx;
95 GetCPUID(1, 0, eax, ebx, ecx, edx);
96 if (ecx & CPUID_F1_ECX_RDRAND) {
97 g_rdrand_supported = true;
98 }
99 GetCPUID(7, 0, eax, ebx, ecx, edx);
100 if (ebx & CPUID_F7_EBX_RDSEED) {
101 g_rdseed_supported = true;
102 }
103}
104
105void ReportHardwareRand()
106{
107 // This must be done in a separate function, as InitHardwareRand() may be indirectly called
108 // from global constructors, before logging is initialized.
109 if (g_rdseed_supported) {
110 LogPrintf("Using RdSeed as an additional entropy source\n");
111 }
112 if (g_rdrand_supported) {
113 LogPrintf("Using RdRand as an additional entropy source\n");
114 }
115}
116
121uint64_t GetRdRand() noexcept
122{
123 // RdRand may very rarely fail. Invoke it up to 10 times in a loop to reduce this risk.
124#ifdef __i386__
125 uint8_t ok = 0;
126 // Initialize to 0 to silence a compiler warning that r1 or r2 may be used
127 // uninitialized. Even if rdrand fails (!ok) it will set the output to 0,
128 // but there is no way that the compiler could know that.
129 uint32_t r1 = 0, r2 = 0;
130 for (int i = 0; i < 10; ++i) {
131 __asm__ volatile (".byte 0x0f, 0xc7, 0xf0; setc %1" : "=a"(r1), "=q"(ok) :: "cc"); // rdrand %eax
132 if (ok) break;
133 }
134 for (int i = 0; i < 10; ++i) {
135 __asm__ volatile (".byte 0x0f, 0xc7, 0xf0; setc %1" : "=a"(r2), "=q"(ok) :: "cc"); // rdrand %eax
136 if (ok) break;
137 }
138 return (((uint64_t)r2) << 32) | r1;
139#elif defined(__x86_64__) || defined(__amd64__)
140 uint8_t ok = 0;
141 uint64_t r1 = 0; // See above why we initialize to 0.
142 for (int i = 0; i < 10; ++i) {
143 __asm__ volatile (".byte 0x48, 0x0f, 0xc7, 0xf0; setc %1" : "=a"(r1), "=q"(ok) :: "cc"); // rdrand %rax
144 if (ok) break;
145 }
146 return r1;
147#else
148#error "RdRand is only supported on x86 and x86_64"
149#endif
150}
151
156uint64_t GetRdSeed() noexcept
157{
158 // RdSeed may fail when the HW RNG is overloaded. Loop indefinitely until enough entropy is gathered,
159 // but pause after every failure.
160#ifdef __i386__
161 uint8_t ok = 0;
162 uint32_t r1, r2;
163 do {
164 __asm__ volatile (".byte 0x0f, 0xc7, 0xf8; setc %1" : "=a"(r1), "=q"(ok) :: "cc"); // rdseed %eax
165 if (ok) break;
166 __asm__ volatile ("pause");
167 } while(true);
168 do {
169 __asm__ volatile (".byte 0x0f, 0xc7, 0xf8; setc %1" : "=a"(r2), "=q"(ok) :: "cc"); // rdseed %eax
170 if (ok) break;
171 __asm__ volatile ("pause");
172 } while(true);
173 return (((uint64_t)r2) << 32) | r1;
174#elif defined(__x86_64__) || defined(__amd64__)
175 uint8_t ok;
176 uint64_t r1;
177 do {
178 __asm__ volatile (".byte 0x48, 0x0f, 0xc7, 0xf8; setc %1" : "=a"(r1), "=q"(ok) :: "cc"); // rdseed %rax
179 if (ok) break;
180 __asm__ volatile ("pause");
181 } while(true);
182 return r1;
183#else
184#error "RdSeed is only supported on x86 and x86_64"
185#endif
186}
187
188#else
189/* Access to other hardware random number generators could be added here later,
190 * assuming it is sufficiently fast (in the order of a few hundred CPU cycles).
191 * Slower sources should probably be invoked separately, and/or only from
192 * RandAddPeriodic (which is called once a minute).
193 */
194void InitHardwareRand() {}
195void ReportHardwareRand() {}
196#endif
197
199void SeedHardwareFast(CSHA512& hasher) noexcept {
200#if defined(__x86_64__) || defined(__amd64__) || defined(__i386__)
201 if (g_rdrand_supported) {
202 uint64_t out = GetRdRand();
203 hasher.Write((const unsigned char*)&out, sizeof(out));
204 return;
205 }
206#endif
207}
208
210void SeedHardwareSlow(CSHA512& hasher) noexcept {
211#if defined(__x86_64__) || defined(__amd64__) || defined(__i386__)
212 // When we want 256 bits of entropy, prefer RdSeed over RdRand, as it's
213 // guaranteed to produce independent randomness on every call.
214 if (g_rdseed_supported) {
215 for (int i = 0; i < 4; ++i) {
216 uint64_t out = GetRdSeed();
217 hasher.Write((const unsigned char*)&out, sizeof(out));
218 }
219 return;
220 }
221 // When falling back to RdRand, XOR the result of 1024 results.
222 // This guarantees a reseeding occurs between each.
223 if (g_rdrand_supported) {
224 for (int i = 0; i < 4; ++i) {
225 uint64_t out = 0;
226 for (int j = 0; j < 1024; ++j) out ^= GetRdRand();
227 hasher.Write((const unsigned char*)&out, sizeof(out));
228 }
229 return;
230 }
231#endif
232}
233
235void Strengthen(const unsigned char (&seed)[32], SteadyClock::duration dur, CSHA512& hasher) noexcept
236{
237 CSHA512 inner_hasher;
238 inner_hasher.Write(seed, sizeof(seed));
239
240 // Hash loop
241 unsigned char buffer[64];
242 const auto stop{SteadyClock::now() + dur};
243 do {
244 for (int i = 0; i < 1000; ++i) {
245 inner_hasher.Finalize(buffer);
246 inner_hasher.Reset();
247 inner_hasher.Write(buffer, sizeof(buffer));
248 }
249 // Benchmark operation and feed it into outer hasher.
250 int64_t perf = GetPerformanceCounter();
251 hasher.Write((const unsigned char*)&perf, sizeof(perf));
252 } while (SteadyClock::now() < stop);
253
254 // Produce output from inner state and feed it to outer hasher.
255 inner_hasher.Finalize(buffer);
256 hasher.Write(buffer, sizeof(buffer));
257 // Try to clean up.
258 inner_hasher.Reset();
259 memory_cleanse(buffer, sizeof(buffer));
260}
261
262#ifndef WIN32
266[[maybe_unused]] void GetDevURandom(unsigned char *ent32)
267{
268 int f = open("/dev/urandom", O_RDONLY);
269 if (f == -1) {
270 RandFailure();
271 }
272 int have = 0;
273 do {
274 ssize_t n = read(f, ent32 + have, NUM_OS_RANDOM_BYTES - have);
275 if (n <= 0 || n + have > NUM_OS_RANDOM_BYTES) {
276 close(f);
277 RandFailure();
278 }
279 have += n;
280 } while (have < NUM_OS_RANDOM_BYTES);
281 close(f);
282}
283#endif
284
286void GetOSRand(unsigned char *ent32)
287{
288#if defined(WIN32)
289 constexpr uint32_t STATUS_SUCCESS{0x00000000};
290 NTSTATUS status = BCryptGenRandom(/*hAlgorithm=*/NULL,
291 /*pbBuffer=*/ent32,
292 /*cbBuffer=*/NUM_OS_RANDOM_BYTES,
293 /*dwFlags=*/BCRYPT_USE_SYSTEM_PREFERRED_RNG);
294
295 if (status != STATUS_SUCCESS) {
296 RandFailure();
297 }
298#elif defined(HAVE_GETRANDOM)
299 /* Linux. From the getrandom(2) man page:
300 * "If the urandom source has been initialized, reads of up to 256 bytes
301 * will always return as many bytes as requested and will not be
302 * interrupted by signals."
303 */
304 if (getrandom(ent32, NUM_OS_RANDOM_BYTES, 0) != NUM_OS_RANDOM_BYTES) {
305 RandFailure();
306 }
307#elif defined(__OpenBSD__)
308 /* OpenBSD. From the arc4random(3) man page:
309 "Use of these functions is encouraged for almost all random number
310 consumption because the other interfaces are deficient in either
311 quality, portability, standardization, or availability."
312 The function call is always successful.
313 */
314 arc4random_buf(ent32, NUM_OS_RANDOM_BYTES);
315#elif defined(HAVE_GETENTROPY_RAND) && defined(__APPLE__)
316 if (getentropy(ent32, NUM_OS_RANDOM_BYTES) != 0) {
317 RandFailure();
318 }
319#elif defined(HAVE_SYSCTL_ARND)
320 /* FreeBSD, NetBSD and similar. It is possible for the call to return less
321 * bytes than requested, so need to read in a loop.
322 */
323 static int name[2] = {CTL_KERN, KERN_ARND};
324 int have = 0;
325 do {
326 size_t len = NUM_OS_RANDOM_BYTES - have;
327 if (sysctl(name, std::size(name), ent32 + have, &len, nullptr, 0) != 0) {
328 RandFailure();
329 }
330 have += len;
331 } while (have < NUM_OS_RANDOM_BYTES);
332#else
333 /* Fall back to /dev/urandom if there is no specific method implemented to
334 * get system entropy for this OS.
335 */
336 GetDevURandom(ent32);
337#endif
338}
339
340class RNGState {
341 Mutex m_mutex;
342 /* The RNG state consists of 256 bits of entropy, taken from the output of
343 * one operation's SHA512 output, and fed as input to the next one.
344 * Carrying 256 bits of entropy should be sufficient to guarantee
345 * unpredictability as long as any entropy source was ever unpredictable
346 * to an attacker. To protect against situations where an attacker might
347 * observe the RNG's state, fresh entropy is always mixed when
348 * GetStrongRandBytes is called.
349 */
350 unsigned char m_state[32] GUARDED_BY(m_mutex) = {0};
351 uint64_t m_counter GUARDED_BY(m_mutex) = 0;
352 bool m_strongly_seeded GUARDED_BY(m_mutex) = false;
353
356 std::optional<ChaCha20> m_deterministic_prng GUARDED_BY(m_mutex);
357
358 Mutex m_events_mutex;
359 CSHA256 m_events_hasher GUARDED_BY(m_events_mutex);
360
361public:
362 RNGState() noexcept
363 {
364 InitHardwareRand();
365 }
366
367 ~RNGState() = default;
368
369 void AddEvent(uint32_t event_info) noexcept EXCLUSIVE_LOCKS_REQUIRED(!m_events_mutex)
370 {
371 LOCK(m_events_mutex);
372
373 m_events_hasher.Write((const unsigned char *)&event_info, sizeof(event_info));
374 // Get the low four bytes of the performance counter. This translates to roughly the
375 // subsecond part.
376 uint32_t perfcounter = (GetPerformanceCounter() & 0xffffffff);
377 m_events_hasher.Write((const unsigned char*)&perfcounter, sizeof(perfcounter));
378 }
379
383 void SeedEvents(CSHA512& hasher) noexcept EXCLUSIVE_LOCKS_REQUIRED(!m_events_mutex)
384 {
385 // We use only SHA256 for the events hashing to get the ASM speedups we have for SHA256,
386 // since we want it to be fast as network peers may be able to trigger it repeatedly.
387 LOCK(m_events_mutex);
388
389 unsigned char events_hash[32];
390 m_events_hasher.Finalize(events_hash);
391 hasher.Write(events_hash, 32);
392
393 // Re-initialize the hasher with the finalized state to use later.
394 m_events_hasher.Reset();
395 m_events_hasher.Write(events_hash, 32);
396 }
397
399 void MakeDeterministic(const uint256& seed) noexcept EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
400 {
401 LOCK(m_mutex);
402 m_deterministic_prng.emplace(MakeByteSpan(seed));
403 }
404
412 bool MixExtract(unsigned char* out, size_t num, CSHA512&& hasher, bool strong_seed, bool always_use_real_rng) noexcept EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
413 {
414 assert(num <= 32);
415 unsigned char buf[64];
416 static_assert(sizeof(buf) == CSHA512::OUTPUT_SIZE, "Buffer needs to have hasher's output size");
417 bool ret;
418 {
419 LOCK(m_mutex);
420 ret = (m_strongly_seeded |= strong_seed);
421 // Write the current state of the RNG into the hasher
422 hasher.Write(m_state, 32);
423 // Write a new counter number into the state
424 hasher.Write((const unsigned char*)&m_counter, sizeof(m_counter));
425 ++m_counter;
426 // Finalize the hasher
427 hasher.Finalize(buf);
428 // Store the last 32 bytes of the hash output as new RNG state.
429 memcpy(m_state, buf + 32, 32);
430 // Handle requests for deterministic randomness.
431 if (!always_use_real_rng && m_deterministic_prng.has_value()) [[unlikely]] {
432 // Overwrite the beginning of buf, which will be used for output.
433 m_deterministic_prng->Keystream(std::as_writable_bytes(std::span{buf, num}));
434 // Do not require strong seeding for deterministic output.
435 ret = true;
436 }
437 }
438 // If desired, copy (up to) the first 32 bytes of the hash output as output.
439 if (num) {
440 assert(out != nullptr);
441 memcpy(out, buf, num);
442 }
443 // Best effort cleanup of internal state
444 hasher.Reset();
445 memory_cleanse(buf, 64);
446 return ret;
447 }
448};
449
450RNGState& GetRNGState() noexcept
451{
452 // This idiom relies on the guarantee that static variable are initialized
453 // on first call, even when multiple parallel calls are permitted.
454 static std::vector<RNGState, secure_allocator<RNGState>> g_rng(1);
455 return g_rng[0];
456}
457
458/* A note on the use of noexcept in the seeding functions below:
459 *
460 * None of the RNG code should ever throw any exception.
461 */
462
463void SeedTimestamp(CSHA512& hasher) noexcept
464{
465 int64_t perfcounter = GetPerformanceCounter();
466 hasher.Write((const unsigned char*)&perfcounter, sizeof(perfcounter));
467}
468
469void SeedFast(CSHA512& hasher) noexcept
470{
471 unsigned char buffer[32];
472
473 // Stack pointer to indirectly commit to thread/callstack
474 const unsigned char* ptr = buffer;
475 hasher.Write((const unsigned char*)&ptr, sizeof(ptr));
476
477 // Hardware randomness is very fast when available; use it always.
478 SeedHardwareFast(hasher);
479
480 // High-precision timestamp
481 SeedTimestamp(hasher);
482}
483
484void SeedSlow(CSHA512& hasher, RNGState& rng) noexcept
485{
486 unsigned char buffer[32];
487
488 // Everything that the 'fast' seeder includes
489 SeedFast(hasher);
490
491 // OS randomness
492 GetOSRand(buffer);
493 hasher.Write(buffer, sizeof(buffer));
494
495 // Add the events hasher into the mix
496 rng.SeedEvents(hasher);
497
498 // High-precision timestamp.
499 //
500 // Note that we also commit to a timestamp in the Fast seeder, so we indirectly commit to a
501 // benchmark of all the entropy gathering sources in this function).
502 SeedTimestamp(hasher);
503}
504
506void SeedStrengthen(CSHA512& hasher, RNGState& rng, SteadyClock::duration dur) noexcept
507{
508 // Generate 32 bytes of entropy from the RNG, and a copy of the entropy already in hasher.
509 // Never use the deterministic PRNG for this, as the result is only used internally.
510 unsigned char strengthen_seed[32];
511 rng.MixExtract(strengthen_seed, sizeof(strengthen_seed), CSHA512(hasher), false, /*always_use_real_rng=*/true);
512 // Strengthen the seed, and feed it into hasher.
513 Strengthen(strengthen_seed, dur, hasher);
514}
515
516void SeedPeriodic(CSHA512& hasher, RNGState& rng) noexcept
517{
518 // Everything that the 'fast' seeder includes
519 SeedFast(hasher);
520
521 // High-precision timestamp
522 SeedTimestamp(hasher);
523
524 // Add the events hasher into the mix
525 rng.SeedEvents(hasher);
526
527 // Dynamic environment data (clocks, resource usage, ...)
528 auto old_size = hasher.Size();
529 RandAddDynamicEnv(hasher);
530 LogDebug(BCLog::RAND, "Feeding %i bytes of dynamic environment data into RNG\n", hasher.Size() - old_size);
531
532 // Strengthen for 10 ms
533 SeedStrengthen(hasher, rng, 10ms);
534}
535
536void SeedStartup(CSHA512& hasher, RNGState& rng) noexcept
537{
538 // Gather 256 bits of hardware randomness, if available
539 SeedHardwareSlow(hasher);
540
541 // Everything that the 'slow' seeder includes.
542 SeedSlow(hasher, rng);
543
544 // Dynamic environment data (clocks, resource usage, ...)
545 auto old_size = hasher.Size();
546 RandAddDynamicEnv(hasher);
547
548 // Static environment data
549 RandAddStaticEnv(hasher);
550 LogDebug(BCLog::RAND, "Feeding %i bytes of environment data into RNG\n", hasher.Size() - old_size);
551
552 // Strengthen for 100 ms
553 SeedStrengthen(hasher, rng, 100ms);
554}
555
556enum class RNGLevel {
557 FAST,
558 SLOW,
559 PERIODIC,
560};
561
562void ProcRand(unsigned char* out, int num, RNGLevel level, bool always_use_real_rng) noexcept
563{
564 // Make sure the RNG is initialized first (as all Seed* function possibly need hwrand to be available).
565 RNGState& rng = GetRNGState();
566
567 assert(num <= 32);
568
569 CSHA512 hasher;
570 switch (level) {
571 case RNGLevel::FAST:
572 SeedFast(hasher);
573 break;
574 case RNGLevel::SLOW:
575 SeedSlow(hasher, rng);
576 break;
577 case RNGLevel::PERIODIC:
578 SeedPeriodic(hasher, rng);
579 break;
580 }
581
582 // Combine with and update state
583 if (!rng.MixExtract(out, num, std::move(hasher), false, always_use_real_rng)) {
584 // On the first invocation, also seed with SeedStartup().
585 CSHA512 startup_hasher;
586 SeedStartup(startup_hasher, rng);
587 rng.MixExtract(out, num, std::move(startup_hasher), true, always_use_real_rng);
588 }
589}
590
591} // namespace
592
593
595void MakeRandDeterministicDANGEROUS(const uint256& seed) noexcept
596{
597 GetRNGState().MakeDeterministic(seed);
598}
599std::atomic<bool> g_used_g_prng{false}; // Only accessed from tests
600
601void GetRandBytes(std::span<unsigned char> bytes) noexcept
602{
603 g_used_g_prng = true;
604 ProcRand(bytes.data(), bytes.size(), RNGLevel::FAST, /*always_use_real_rng=*/false);
605}
606
607void GetStrongRandBytes(std::span<unsigned char> bytes) noexcept
608{
609 ProcRand(bytes.data(), bytes.size(), RNGLevel::SLOW, /*always_use_real_rng=*/true);
610}
611
612void RandAddPeriodic() noexcept
613{
614 ProcRand(nullptr, 0, RNGLevel::PERIODIC, /*always_use_real_rng=*/false);
615}
616
617void RandAddEvent(const uint32_t event_info) noexcept { GetRNGState().AddEvent(event_info); }
618
620{
621 uint256 seed = GetRandHash();
622 rng.SetKey(MakeByteSpan(seed));
623 requires_seed = false;
624}
625
626void FastRandomContext::fillrand(std::span<std::byte> output) noexcept
627{
628 if (requires_seed) RandomSeed();
629 rng.Keystream(output);
630}
631
632FastRandomContext::FastRandomContext(const uint256& seed) noexcept : requires_seed(false), rng(MakeByteSpan(seed)) {}
633
634void FastRandomContext::Reseed(const uint256& seed) noexcept
635{
636 FlushCache();
637 requires_seed = false;
638 rng = {MakeByteSpan(seed)};
639}
640
642{
643 uint64_t start = GetPerformanceCounter();
644
645 /* This does not measure the quality of randomness, but it does test that
646 * GetOSRand() overwrites all 32 bytes of the output given a maximum
647 * number of tries.
648 */
649 static constexpr int MAX_TRIES{1024};
650 uint8_t data[NUM_OS_RANDOM_BYTES];
651 bool overwritten[NUM_OS_RANDOM_BYTES] = {}; /* Tracks which bytes have been overwritten at least once */
652 int num_overwritten;
653 int tries = 0;
654 /* Loop until all bytes have been overwritten at least once, or max number tries reached */
655 do {
656 memset(data, 0, NUM_OS_RANDOM_BYTES);
657 GetOSRand(data);
658 for (int x=0; x < NUM_OS_RANDOM_BYTES; ++x) {
659 overwritten[x] |= (data[x] != 0);
660 }
661
662 num_overwritten = 0;
663 for (int x=0; x < NUM_OS_RANDOM_BYTES; ++x) {
664 if (overwritten[x]) {
665 num_overwritten += 1;
666 }
667 }
668
669 tries += 1;
670 } while (num_overwritten < NUM_OS_RANDOM_BYTES && tries < MAX_TRIES);
671 if (num_overwritten != NUM_OS_RANDOM_BYTES) return false; /* If this failed, bailed out after too many tries */
672
673 // Check that GetPerformanceCounter increases at least during a GetOSRand() call + 1ms sleep.
674 std::this_thread::sleep_for(std::chrono::milliseconds(1));
675 uint64_t stop = GetPerformanceCounter();
676 if (stop == start) return false;
677
678 // We called GetPerformanceCounter. Use it as entropy.
679 CSHA512 to_add;
680 to_add.Write((const unsigned char*)&start, sizeof(start));
681 to_add.Write((const unsigned char*)&stop, sizeof(stop));
682 GetRNGState().MixExtract(nullptr, 0, std::move(to_add), false, /*always_use_real_rng=*/true);
683
684 return true;
685}
686
687static constexpr std::array<std::byte, ChaCha20::KEYLEN> ZERO_KEY{};
688
689FastRandomContext::FastRandomContext(bool fDeterministic) noexcept : requires_seed(!fDeterministic), rng(ZERO_KEY)
690{
691 // Note that despite always initializing with ZERO_KEY, requires_seed is set to true if not
692 // fDeterministic. That means the rng will be reinitialized with a secure random key upon first
693 // use.
694}
695
697{
698 // Invoke RNG code to trigger initialization (if not already performed)
699 ProcRand(nullptr, 0, RNGLevel::FAST, /*always_use_real_rng=*/true);
700
701 ReportHardwareRand();
702}
703
704double MakeExponentiallyDistributed(uint64_t uniform) noexcept
705{
706 // To convert uniform into an exponentially-distributed double, we use two steps:
707 // - Convert uniform into a uniformly-distributed double in range [0, 1), use the expression
708 // ((uniform >> 11) * 0x1.0p-53), as described in https://prng.di.unimi.it/ under
709 // "Generating uniform doubles in the unit interval". Call this value x.
710 // - Given an x in uniformly distributed in [0, 1), we find an exponentially distributed value
711 // by applying the quantile function to it. For the exponential distribution with mean 1 this
712 // is F(x) = -log(1 - x).
713 //
714 // Combining the two, and using log1p(x) = log(1 + x), we obtain the following:
715 return -std::log1p((uniform >> 11) * -0x1.0p-53);
716}
int ret
A hasher class for SHA-256.
Definition: sha256.h:14
A hasher class for SHA-512.
Definition: sha512.h:13
static constexpr size_t OUTPUT_SIZE
Definition: sha512.h:20
CSHA512 & Reset()
Definition: sha512.cpp:202
void Finalize(unsigned char hash[OUTPUT_SIZE])
Definition: sha512.cpp:185
CSHA512 & Write(const unsigned char *data, size_t len)
Definition: sha512.cpp:159
void SetKey(std::span< const std::byte > key) noexcept
Set 32-byte key, and seek to nonce 0 and block position 0.
Definition: chacha20.cpp:337
FastRandomContext(bool fDeterministic=false) noexcept
Construct a FastRandomContext with GetRandHash()-based entropy (or zero key if fDeterministic).
Definition: random.cpp:689
ChaCha20 rng
Definition: random.h:380
void RandomSeed() noexcept
Definition: random.cpp:619
void fillrand(std::span< std::byte > output) noexcept
Fill a byte span with random bytes.
Definition: random.cpp:626
void Reseed(const uint256 &seed) noexcept
Reseed with explicit seed (only for testing).
Definition: random.cpp:634
bool requires_seed
Definition: random.h:379
256-bit opaque blob.
Definition: uint256.h:196
void memory_cleanse(void *ptr, size_t len)
Secure overwrite a buffer (possibly containing secret data) with zero-bytes.
Definition: cleanse.cpp:14
#define LogError(...)
Definition: logging.h:263
#define LogDebug(category,...)
Definition: logging.h:280
#define LogPrintf(...)
Definition: logging.h:266
@ RAND
Definition: logging.h:56
std::atomic< bool > g_used_g_prng
Definition: random.cpp:599
void RandAddPeriodic() noexcept
Gather entropy from various expensive sources, and feed them to the PRNG state.
Definition: random.cpp:612
void GetStrongRandBytes(std::span< unsigned char > bytes) noexcept
Gather entropy from various sources, feed it into the internal PRNG, and generate random data using i...
Definition: random.cpp:607
bool Random_SanityCheck()
Check that OS randomness is available and returning the requested number of bytes.
Definition: random.cpp:641
static constexpr std::array< std::byte, ChaCha20::KEYLEN > ZERO_KEY
Definition: random.cpp:687
void MakeRandDeterministicDANGEROUS(const uint256 &seed) noexcept
Internal function to set g_determinstic_rng.
Definition: random.cpp:595
void RandomInit()
Overall design of the RNG and entropy sources.
Definition: random.cpp:696
void GetRandBytes(std::span< unsigned char > bytes) noexcept
Generate random data via the internal PRNG.
Definition: random.cpp:601
void RandAddEvent(const uint32_t event_info) noexcept
Gathers entropy from the low bits of the time at which events occur.
Definition: random.cpp:617
double MakeExponentiallyDistributed(uint64_t uniform) noexcept
Given a uniformly random uint64_t, return an exponentially distributed double with mean 1.
Definition: random.cpp:704
uint256 GetRandHash() noexcept
Generate a random uint256.
Definition: random.h:454
void RandAddStaticEnv(CSHA512 &hasher)
Gather non-cryptographic environment data that does not change over time.
Definition: randomenv.cpp:267
void RandAddDynamicEnv(CSHA512 &hasher)
Gather non-cryptographic environment data that changes over time.
Definition: randomenv.cpp:188
const char * name
Definition: rest.cpp:49
static RPCHelpMan stop()
Definition: server.cpp:156
auto MakeByteSpan(const V &v) noexcept
Definition: span.h:84
#define LOCK(cs)
Definition: sync.h:257
#define EXCLUSIVE_LOCKS_REQUIRED(...)
Definition: threadsafety.h:49
#define GUARDED_BY(x)
Definition: threadsafety.h:38
assert(!tx.IsCoinBase())