1 files changed, 32 insertions, 46 deletions

diff --git a/src/random.cpp b/src/random.cpp
index 8c33e1260b..fd1dfe506f 100644
--- a/src/random.cpp
+++ b/src/random.cpp
@@ -6,6 +6,7 @@
 #include <random.h>
 
 #include <compat/cpuid.h>
+#include <crypto/sha256.h>
 #include <crypto/sha512.h>
 #include <support/cleanse.h>
 #ifdef WIN32
@@ -43,10 +44,6 @@
 #include <sys/sysctl.h>
 #endif
 
-#include <openssl/err.h>
-#include <openssl/rand.h>
-#include <openssl/conf.h>
-
 [[noreturn]] static void RandFailure()
 {
     LogPrintf("Failed to read randomness, aborting\n");
@@ -347,8 +344,6 @@ void GetOSRand(unsigned char *ent32)
 #endif
 }
 
-void LockingCallbackOpenSSL(int mode, int i, const char* file, int line);
-
 namespace {
 
 class RNGState {
@@ -364,31 +359,15 @@ class RNGState {
     unsigned char m_state[32] GUARDED_BY(m_mutex) = {0};
     uint64_t m_counter GUARDED_BY(m_mutex) = 0;
     bool m_strongly_seeded GUARDED_BY(m_mutex) = false;
-    std::unique_ptr<Mutex[]> m_mutex_openssl;
 
 public:
     RNGState() noexcept
     {
         InitHardwareRand();
-
-        // Init OpenSSL library multithreading support
-        m_mutex_openssl.reset(new Mutex[CRYPTO_num_locks()]);
-        CRYPTO_set_locking_callback(LockingCallbackOpenSSL);
-
-        // OpenSSL can optionally load a config file which lists optional loadable modules and engines.
-        // We don't use them so we don't require the config. However some of our libs may call functions
-        // which attempt to load the config file, possibly resulting in an exit() or crash if it is missing
-        // or corrupt. Explicitly tell OpenSSL not to try to load the file. The result for our libs will be
-        // that the config appears to have been loaded and there are no modules/engines available.
-        OPENSSL_no_config();
     }
 
     ~RNGState()
     {
-        // Securely erase the memory used by the OpenSSL PRNG
-        RAND_cleanup();
-        // Shutdown OpenSSL library multithreading support
-        CRYPTO_set_locking_callback(nullptr);
     }
 
     /** Extract up to 32 bytes of entropy from the RNG state, mixing in new entropy from hasher.
@@ -424,8 +403,6 @@ public:
         memory_cleanse(buf, 64);
         return ret;
     }
-
-    Mutex& GetOpenSSLMutex(int i) { return m_mutex_openssl[i]; }
 };
 
 RNGState& GetRNGState() noexcept
@@ -437,17 +414,6 @@ RNGState& GetRNGState() noexcept
 }
 }
 
-void LockingCallbackOpenSSL(int mode, int i, const char* file, int line) NO_THREAD_SAFETY_ANALYSIS
-{
-    RNGState& rng = GetRNGState();
-
-    if (mode & CRYPTO_LOCK) {
-        rng.GetOpenSSLMutex(i).lock();
-    } else {
-        rng.GetOpenSSLMutex(i).unlock();
-    }
-}
-
 /* A note on the use of noexcept in the seeding functions below:
  *
  * None of the RNG code should ever throw any exception.
@@ -474,6 +440,23 @@ static void SeedFast(CSHA512& hasher) noexcept
     SeedTimestamp(hasher);
 }
 
+// We use only SHA256 for the events hashing to get the ASM speedups we have for SHA256,
+// since we want it to be fast as network peers may be able to trigger it repeatedly.
+static Mutex events_mutex;
+static CSHA256 events_hasher;
+static void SeedEvents(CSHA512& hasher)
+{
+    LOCK(events_mutex);
+
+    unsigned char events_hash[32];
+    events_hasher.Finalize(events_hash);
+    hasher.Write(events_hash, 32);
+
+    // Re-initialize the hasher with the finalized state to use later.
+    events_hasher.Reset();
+    events_hasher.Write(events_hash, 32);
+}
+
 static void SeedSlow(CSHA512& hasher) noexcept
 {
     unsigned char buffer[32];
@@ -485,9 +468,8 @@ static void SeedSlow(CSHA512& hasher) noexcept
     GetOSRand(buffer);
     hasher.Write(buffer, sizeof(buffer));
 
-    // OpenSSL RNG (for now)
-    RAND_bytes(buffer, sizeof(buffer));
-    hasher.Write(buffer, sizeof(buffer));
+    // Add the events hasher into the mix
+    SeedEvents(hasher);
 
     // High-precision timestamp.
     //
@@ -514,6 +496,9 @@ static void SeedPeriodic(CSHA512& hasher, RNGState& rng) noexcept
     // High-precision timestamp
     SeedTimestamp(hasher);
 
+    // Add the events hasher into the mix
+    SeedEvents(hasher);
+
     // Dynamic environment data (performance monitoring, ...)
     auto old_size = hasher.Size();
     RandAddDynamicEnv(hasher);
@@ -576,20 +561,21 @@ static void ProcRand(unsigned char* out, int num, RNGLevel level)
         SeedStartup(startup_hasher, rng);
         rng.MixExtract(out, num, std::move(startup_hasher), true);
     }
-
-    // For anything but the 'fast' level, feed the resulting RNG output (after an additional hashing step) back into OpenSSL.
-    if (level != RNGLevel::FAST) {
-        unsigned char buf[64];
-        CSHA512().Write(out, num).Finalize(buf);
-        RAND_add(buf, sizeof(buf), num);
-        memory_cleanse(buf, 64);
-    }
 }
 
 void GetRandBytes(unsigned char* buf, int num) noexcept { ProcRand(buf, num, RNGLevel::FAST); }
 void GetStrongRandBytes(unsigned char* buf, int num) noexcept { ProcRand(buf, num, RNGLevel::SLOW); }
 void RandAddPeriodic() noexcept { ProcRand(nullptr, 0, RNGLevel::PERIODIC); }
 
+void RandAddEvent(const uint32_t event_info) {
+    LOCK(events_mutex);
+    events_hasher.Write((const unsigned char *)&event_info, sizeof(event_info));
+    // Get the low four bytes of the performance counter. This translates to roughly the
+    // subsecond part.
+    uint32_t perfcounter = (GetPerformanceCounter() & 0xffffffff);
+    events_hasher.Write((const unsigned char*)&perfcounter, sizeof(perfcounter));
+}
+
 bool g_mock_deterministic_tests{false};
 
 uint64_t GetRand(uint64_t nMax) noexcept