aboutsummaryrefslogtreecommitdiff
path: root/src/random.cpp
AgeCommit message (Collapse)Author
2021-01-31refactor: replace sizeof(a)/sizeof(a[0]) by std::size (C++17)Sebastian Falbesoner
Removes the macro ARRAYLEN and also substitutes all other uses of the same "sizeof(a)/sizeof(a[0])" pattern by std::size, available since C++17.
2020-08-10Merge #17563: lib: fix a compiler warning: unused GetDevURandom()fanquake
ca2e47437277ef6851a739f247b44e73a53f21a1 Fix a compiler warning: unused GetDevURandom() (Vasil Dimov) Pull request description: ~~Only define GetDevURandom() if it is going to be used.~~ Silence by planting a dummy reference to the `GetDevURandom` symbol in the places where we don't call the function. ACKs for top commit: practicalswift: ACK ca2e47437277ef6851a739f247b44e73a53f21a1 -- increased signal to noise in compiler diagnostics is good sipa: utACK ca2e47437277ef6851a739f247b44e73a53f21a1 hebasto: re-ACK ca2e47437277ef6851a739f247b44e73a53f21a1, tested on macOS 10.15.6 + llvm clang 10.0.0 Tree-SHA512: 03c98f00dad5d9a3c5c9f68553d72ad5489ec02f18b9769108a22003ec7be7819a731b1eab6a9f64dafb5be0efddccf6980de7e3bb90cd20d4f4d72f74124675
2020-05-15Merge #18781: Add templated GetRandDuration<>MarcoFalke
0000ea32656833efa3d2ffd9bab66c88c83334f0 test: Add test for GetRandMillis and GetRandMicros (MarcoFalke) fa0e5b89cf742df56c6c8f49fe9b3c54d2970a66 Add templated GetRandomDuration<> (MarcoFalke) Pull request description: A naive implementation of this template is dangerous, because the call site might accidentally omit the template parameter: ```cpp template <typename D> D GetRandDur(const D& duration_max) { return D{GetRand(duration_max.count())}; } BOOST_AUTO_TEST_CASE(util_time_GetRandTime) { std::chrono::seconds rand_hour = GetRandDur(std::chrono::hours{1}); // Want seconds to be in range [0..1hour), but always get zero :(((( BOOST_CHECK_EQUAL(rand_hour.count(), 0); } ``` Luckily `std::common_type` is already specialised in the standard lib for `std::chrono::duration` (https://en.cppreference.com/w/cpp/chrono/duration/common_type). And its effect seem to be that the call site must always specify the template argument explicitly. So instead of implementing the function for each duration type by hand, replace it with a templated version that is safe to use. ACKs for top commit: laanwj: Code review ACK 0000ea32656833efa3d2ffd9bab66c88c83334f0 promag: Code review ACK 0000ea32656833efa3d2ffd9bab66c88c83334f0. jonatack: ACK 0000ea3 thanks for the improved documentation. Code review, built, ran `src/test/test_bitcoin -t random_tests -l test_suite` for the new unit tests, `git diff fa05a4c 0000ea3` since previous review: hebasto: ACK 0000ea32656833efa3d2ffd9bab66c88c83334f0 with non-blocking [nit](https://github.com/bitcoin/bitcoin/pull/18781#discussion_r424924671). Tree-SHA512: e89d46e31452be6ea14269ecbbb2cdd9ae83b4412cd14dff7d1084283092722a2f847cb501e8054394e4a3eff852f9c87f6d694fd008b3f7e8458cb5a3068af7
2020-05-03build: warn on potentially uninitialized readsVasil Dimov
Enable -Wconditional-uninitialized to warn on potentially uninitialized reads. Fix the sole such warning in Bitcoin Core in GetRdRand(): r1 would be set to 0 on rdrand failure, so initializing it to 0 is a non-functional change. From "Intel 64 and IA-32 ArchitecturesSoftware Developer's Manual" [1], page 1711: "CF=1 indicates that the data in the destination is valid. Otherwise CF=0 and the data in the destination operand will be returned as zeros for the specified width." [1] https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf
2020-04-30Add templated GetRandomDuration<>MarcoFalke
2020-04-29Merge #18038: P2P: Mempool tracks locally submitted transactions to improve ↵fanquake
wallet privacy 50fc4df6c4e8a84bdda13ade7bed7a2131796f00 [mempool] Persist unbroadcast set to mempool.dat (Amiti Uttarwar) 297a1785360c4db662a7f3d3ade7b6b503258d39 [test] Integration tests for unbroadcast functionality (Amiti Uttarwar) 6851502472d3625416f0e7796e9f2a0379d14d49 [refactor/test] Extract P2PTxInvStore into test framework (Amiti Uttarwar) dc1da48dc5e5526215561311c184a8cbc345ecdc [wallet] Update the rebroadcast frequency to be ~1/day. (Amiti Uttarwar) e25e42f20a3aa39651fbc1f9fa3df1a49f1f5868 [p2p] Reattempt initial send of unbroadcast transactions (Amiti Uttarwar) 7e93eecce3bc5a1b7bb0284e06f9e2e69454f5ba [util] Add method that returns random time in milliseconds (Amiti Uttarwar) 89eeb4a3335f8e871cc3f5286af4546dff66172a [mempool] Track "unbroadcast" transactions (Amiti Uttarwar) Pull request description: This PR introduces mempool tracking of unbroadcast transactions and periodic reattempts at initial broadcast. This is a part of the rebroadcast project, and a standalone privacy win. The current rebroadcast logic is terrible for privacy because 1. only the source wallet rebroadcasts transactions and 2. it does so quite frequently. In the current system, if a user submits a transaction that does not immediately get broadcast to the network (eg. they are offline), this "rebroadcast" behavior is the safety net that can actually serve as the initial broadcast. So, keeping the attempts frequent is important for initial delivery within a reasonable timespan. This PR aims to improve # 2 by reducing the wallet rebroadcast frequency to ~1/day from ~1/15 min. It achieves this by separating the notion of initial broadcast from rebroadcasts. With these changes, the mempool tracks locally submitted transactions & periodically reattempts initial broadcast. Transactions submitted via the wallet or RPC are added to an "unbroadcast" set & are removed when a peer sends a `getdata` request, or the transaction is removed from the mempool. Every 10-15 minutes, the node reattempts an initial broadcast. This enables reducing the wallet rebroadcast frequency while ensuring the transactions will be propagated to the network. For privacy improvements around # 1, please see #16698. Thank you to gmaxwell for the idea of how to break out this subset of functionality (https://github.com/bitcoin/bitcoin/pull/16698#issuecomment-571399346) ACKs for top commit: fjahr: Code review ACK 50fc4df6c4e8a84bdda13ade7bed7a2131796f00 MarcoFalke: ACK 50fc4df6c4e8a84bdda13ade7bed7a2131796f00, I think this is ready for merge now 👻 amitiuttarwar: The current tip `50fc4df` currently has 6 ACKs on it, so I've opened #18807 to address the last bits. jnewbery: utACK 50fc4df6c4e8a84bdda13ade7bed7a2131796f00. ariard: Code Review ACK 50fc4df (minor points no need to invalid other ACKs) robot-visions: ACK 50fc4df6c4e8a84bdda13ade7bed7a2131796f00 sipa: utACK 50fc4df6c4e8a84bdda13ade7bed7a2131796f00 naumenkogs: utACK 50fc4df Tree-SHA512: 2dd935d645d5e209f8abf87bfaa3ef0e4492705ce7e89ea64279cb27ffd37f4727fa94ad62d41be331177332f8edbebf3c7f4972f8cda10dd951b80a28ab3c0f
2020-04-23[util] Add method that returns random time in millisecondsAmiti Uttarwar
2020-04-16scripted-diff: Bump copyright headersMarcoFalke
-BEGIN VERIFY SCRIPT- ./contrib/devtools/copyright_header.py update ./ -END VERIFY SCRIPT-
2020-03-20Fix a compiler warning: unused GetDevURandom()Vasil Dimov
``` random.cpp:255:13: error: unused function 'GetDevURandom' [-Werror,-Wunused-function] ``` Clang 9.0.0, FreeBSD 12.1 Silence by planting a dummy reference to the `GetDevURandom` symbol in the places where we don't call the function.
2020-03-19build: fix sysctl() detection on macOSfanquake
sysctl() on *BSD takes a "const int *name", whereas sysctl() on macOS it takes an "int *name". So our configure check and sysctl() detection on macOS currently fails: ```bash /usr/include/sys/sysctl.h:759:9: note: candidate function not viable: no known conversion from 'const int [2]' to 'int *' for 1st argument int sysctl(int *, u_int, void *, size_t *, void *, size_t); ``` This change removes the name argument from the sysctl() detection check, meaning we will detect correctly on macOS and *BSD. For consistency we also switch to using the more generic, non-const version of the name parameter in the rest of our usage.
2020-03-17doc: fix GetTimeMicros() comment in random.cppfanquake
2020-03-17rand: remove getentropy() fallback for macOS < 10.12fanquake
2019-12-30scripted-diff: Bump copyright of files changed in 2019MarcoFalke
-BEGIN VERIFY SCRIPT- ./contrib/devtools/copyright_header.py update ./ -END VERIFY SCRIPT-
2019-12-08Make env data logging optionalPieter Wuille
2019-12-05Move events_hasher into RNGState()Pieter Wuille
2019-12-05Merge #17507: random: mark RandAddPeriodic and SeedPeriodic as noexceptWladimir J. van der Laan
55b2cb199c276781b6daa5438af2da57dea3ac52 random: mark RandAddPeriodic and SeedPeriodic as noexcept (fanquake) 461e547877da0c04db69e067c923cc4540aab03a doc: correct random.h docs after #17270 (fanquake) Pull request description: The usage of `MilliSleep()` in SeedPeriodic (previously SeedSleep) was [removed](https://github.com/bitcoin/bitcoin/pull/17270/commits/d61f2bb076d8f17840a8e79f1583d7f6e3e6d09a) in #17270, meaning it, and its users can now be marked `noexcept`. This also corrects the docs in random.h for some of the changes in #17270. ACKs for top commit: practicalswift: ACK 55b2cb199c276781b6daa5438af2da57dea3ac52 laanwj: ACK 55b2cb199c276781b6daa5438af2da57dea3ac52 sipa: ACK 55b2cb199c276781b6daa5438af2da57dea3ac52 Tree-SHA512: 672d369796e7c4f9b4d98dc545e5454999fa1bef373871994a26041d6163c58909e2255e4f820d3ef011679aa3392754eb57477306a89f5fd3d57e2bd7f0811a
2019-11-23Seed RNG with precision timestamps on receipt of net messages.Matt Corallo
2019-11-18random: mark RandAddPeriodic and SeedPeriodic as noexceptfanquake
The usage of MilliSleep() in SeedPeriodic (previously SeedSleep) was removed in #17270, meaning it, and its users can now be marked noexcept.
2019-11-18doc: correct random.h docs after #17270fanquake
2019-11-18random: Remove remaining OpenSSL calls and locking infrastructurefanquake
2019-11-18random: stop retrieving random bytes from OpenSSLfanquake
On the ::SLOW path we would use OpenSSL as an additional source of random bytes. This commit removes that functionality. Note that this was always only an additional source, and that we never checked the return value RAND_bytes(): https://www.openssl.org/docs/manmaster/man3/RAND_bytes.html RAND_bytes() puts num cryptographically strong pseudo-random bytes into buf.
2019-11-18random: stop feeding RNG output back into OpenSSLfanquake
On the ::SLOW or ::SLEEP paths, we would feed our RNG output back into OpenSSL using RAND_add. This commit removes that functionality. RAND_add(): https://www.openssl.org/docs/manmaster/man3/RAND_add.html RAND_add() mixes the num bytes at buf into the internal state of the random generator. This function will not normally be needed, as mentioned above. The randomness argument is an estimate of how much randomness is contained in buf, in bytes, and should be a number between zero and num.
2019-11-12Report amount of data gathered from environmentPieter Wuille
2019-11-12Run background seeding periodically instead of unpredictablyPieter Wuille
* Instead of calling RandAddSeedSleep anytime the scheduler goes idle, call its replacement (RandAddSeedPeriodic) just once per minute. This has better guarantees of actually being run, and helps limit how frequently the dynamic env data is gathered. * Since this code runs once per minute regardless now, we no longer need to keep track of the last time strengthening was run; just do it always. * Make strengthening time context dependent (100 ms at startup, 10 ms once per minute afterwards).
2019-11-12[MOVEONLY] Move cpuid code from random & sha256 to compat/cpuidPieter Wuille
2019-11-12[MOVEONLY] Move perfmon data gathering to new randomenv modulePieter Wuille
2019-11-12doc: minor corrections in random.cppfanquake
This should have been part of #17151.
2019-10-18random: remove call to RAND_screen() (Windows only)fanquake
Follow up to https://github.com/bitcoin/bitcoin/pull/17151 where there were multiple calls to also remove our call to RAND_screen().
2019-10-16doc: correct function name in ReportHardwareRand()fanquake
2019-10-15Remove unused includespracticalswift
2019-06-17net: Use mockable time for tx downloadMarcoFalke
2019-05-18Merge #15224: Add RNG strengthening (10ms once every minute)Wladimir J. van der Laan
3cb9ce85d0c6d01217babf0df7efc2eabde1b12f Document strenghtening (Pieter Wuille) 1d207bc46f995ad3b5ae89bb504affaca09d10b1 Add hash strengthening to the RNG (Pieter Wuille) Pull request description: This patch improves the built-in RNG using hash strengthening. At startup, and once every minute, 32 bytes of entropy are produced from the RNG, repeatedly hashed using SHA512 for 10ms, and then fed back into the RNG, together with high-precision timestamps obtained every 1000 iterations. ACKs for commit 3cb9ce: pstratem: utACK 3cb9ce85d0c6d01217babf0df7efc2eabde1b12f Tree-SHA512: 4fb6f61639b392697beb81c5f0903f79f10dd1087bed7f34de2abb5c22704a671e37b2d828ed141492491863efb1e7d1fa04408a1d32c9de2f2cc8ac406bbe57
2019-05-06Add hash strengthening to the RNGPieter Wuille
Once every minute, this will feed the RNG state through repeated SHA512 for 10ms. The timings of that operation are used as entropy source as well.
2019-05-03Add ChaCha20 encryption option (XOR)Jonas Schnelli
2019-02-18Merge #15250: Use RdSeed when available, and reduce RdRand loadWladimir J. van der Laan
1435fabc19d2143187efb493cbe23225eaf851ae Use RdSeed when available, and reduce RdRand load (Pieter Wuille) Pull request description: This introduces support for autodetecting and using the RdSeed instruction on x86/x86_64 systems. In addition: * In SeedFast, only 64 bits of entropy are generated through RdRand (256 was relatively slow). * In SeedStartup, 256 bits of entropy are generated, using RdSeed (preferably) or RdRand (otherwise). Tree-SHA512: fb7d3e22e93e14592f4b07282aa79d7c3cc4e9debdd9978580b8d2562bbad345e289bf3f80de2c50c9b50b8bac2aa9b838f9f272f7f8d43f1efc0913aa8acce3
2019-02-03Use RdSeed when available, and reduce RdRand loadPieter Wuille
This introduces support for autodetecting and using the RdSeed instruction. In addition: * In SeedFast, only 64 bits of entropy are generated through RdRand (256 was relatively slow). * In SeedStartup, 256 bits of entropy are generated, using RdSeed (preferably) or RdRand (otherwise).
2019-02-02test: Make bloom tests deterministicMarcoFalke
2019-01-16Document RNG design in random.hPieter Wuille
2019-01-16Use secure allocator for RNG statePieter Wuille
2019-01-16Encapsulate RNGState betterPieter Wuille
2019-01-16DRY: Implement GetRand using FastRandomContext::randrangePieter Wuille
2019-01-16Sprinkle some sweet noexcepts over the RNG codePieter Wuille
2019-01-16Remove hwrand_initialized.Pieter Wuille
All access to hwrand is now gated by GetRNGState, which initializes the hwrand code.
2019-01-16Switch all RNG code to the built-in PRNG.Pieter Wuille
It includes the following policy changes: * All GetRand* functions seed the stack pointer and rdrand result (in addition to the performance counter) * The periodic entropy added by the idle scheduler now seeds stack pointer, rdrand and perfmon data (once every 10 minutes) in addition to just a sleep timing. * The entropy added when calling GetStrongRandBytes no longer includes the once-per-10-minutes perfmon data on windows (it is moved to the idle scheduler instead, where latency matters less). Other changes: * OpenSSL is no longer seeded directly anywhere. Instead, any generated randomness through our own RNG is fed back to OpenSSL (after an additional hashing step to prevent leaking our RNG state). * Seeding that was previously done directly in RandAddSeedSleep is now moved to SeedSleep(), which is indirectly invoked through ProcRand from RandAddSeedSleep. * Seeding that was previously done directly in GetStrongRandBytes() is now moved to SeedSlow(), which is indirectly invoked through ProcRand from GetStrongRandBytes().
2019-01-16Integrate util/system's CInit into RNGStatePieter Wuille
This guarantees that OpenSSL is initialized properly whenever randomness is used, even when that randomness is invoked from global constructors. Note that this patch uses Mutex directly, rather than CCriticalSection. This is because the lock-detection code is not necessarily initialized during global constructors.
2019-01-16Abstract out seeding/extracting entropy into RNGState::MixExtractPieter Wuille
2019-01-16Add thread safety annotations to RNG statePieter Wuille
2019-01-16Rename some hardware RNG related functionsPieter Wuille
2019-01-16Automatically initialize RNG on first use.Pieter Wuille
2019-01-16Don't log RandAddSeedPerfmon detailsPieter Wuille
These are hard to deal with, as in a follow-up this function can get called before the logging infrastructure is initialized.