[Refactor] Update RNG code from upstream #2278

This makes it possible to plug it into the various standard C++11 random distribution algorithms and other functions like std::shuffle.

These are hard to deal with, as in a follow-up this function can get called before the logging infrastructure is initialized.

This guarantees that OpenSSL is initialized properly whenever randomness is used, even when that randomness is invoked from global constructors. Note that this patch uses Mutex directly, rather than CCriticalSection. This is because the lock-detection code is not necessarily initialized during global constructors.

It includes the following policy changes: * All GetRand* functions seed the stack pointer and rdrand result (in addition to the performance counter) * The periodic entropy added by the idle scheduler now seeds stack pointer, rdrand and perfmon data (once every 10 minutes) in addition to just a sleep timing. * The entropy added when calling GetStrongRandBytes no longer includes the once-per-10-minutes perfmon data on windows (it is moved to the idle scheduler instead, where latency matters less). Other changes: * OpenSSL is no longer seeded directly anywhere. Instead, any generated randomness through our own RNG is fed back to OpenSSL (after an additional hashing step to prevent leaking our RNG state). * Seeding that was previously done directly in RandAddSeedSleep is now moved to SeedSleep(), which is indirectly invoked through ProcRand from RandAddSeedSleep. * Seeding that was previously done directly in GetStrongRandBytes() is now moved to SeedSlow(), which is indirectly invoked through ProcRand from GetStrongRandBytes().

All access to hwrand is now gated by GetRNGState, which initializes the hwrand code.

This introduces support for autodetecting and using the RdSeed instruction. In addition: * In SeedFast, only 64 bits of entropy are generated through RdRand (256 was relatively slow). * In SeedStartup, 256 bits of entropy are generated, using RdSeed (preferably) or RdRand (otherwise).

Once every minute, this will feed the RNG state through repeated SHA512 for 10ms. The timings of that operation are used as entropy source as well.

This removes the code introduced in [dashpay#4399](bitcoin#4399) that attempts to add additional entroy to the OpenSSL PRNG using Windows messages. Note that this is specific to bitcoin-qt running on Windows. ``` RAND_event() collects the entropy from Windows events such as mouse movements and other user interaction. It should be called with the iMsg, wParam and lParam arguments of all messages sent to the window procedure. It will estimate the entropy contained in the event message (if any), and add it to the PRNG. The program can then process the messages as usual. ``` Besides BIP70, this is the last place we are directly using OpenSSL in the GUI code. All other OpenSSL usage is in random.cpp. Note that we are still also doing Windows specific entropy gathering in multiple other places. Such as [RandAddSeedPerfmon](https://github.com/bitcoin/bitcoin/blob/master/src/random.cpp#L268) and [RAND_screen()](https://github.com/bitcoin/bitcoin/blob/master/src/random.cpp#L600). Also note that if RAND_event returns 0 (PRNG has NOT been seeded with enough data), we're just logging a message and continuing on, which seems less than ideal.

Follow up to bitcoin#17151 where there were multiple calls to also remove our call to RAND_screen().

`random.cpp` needs to explicitly include `utilstrencodings.h` to get `ARRAYLEN`. This fixes the FreeBSD build.

This should have been part of bitcoin#17151.

This sort of data is also used by OpenSSL.

This based on code by Gregory Maxwell. # Conflicts: # src/randomenv.cpp

Suggested by Wladimir van der Laan.

* Instead of calling RandAddSeedSleep anytime the scheduler goes idle, call its replacement (RandAddSeedPeriodic) just once per minute. This has better guarantees of actually being run, and helps limit how frequently the dynamic env data is gathered. * Since this code runs once per minute regardless now, we no longer need to keep track of the last time strengthening was run; just do it always. * Make strengthening time context dependent (100 ms at startup, 10 ms once per minute afterwards).

The usage of MilliSleep() in SeedPeriodic (previously SeedSleep) was removed in bitcoin#17270, meaning it, and its users can now be marked noexcept.

# Conflicts: # src/randomenv.cpp

PIVX-Project#2276 split the `allocators.h` header and has been merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Refactor] Update RNG code from upstream #2278

[Refactor] Update RNG code from upstream #2278

Commits on Apr 14, 2021