path: root/src/random.cpp
Age | Commit message | Author
2023-11-07 | Merge bitcoin/bitcoin#26839: Add support for RNDR/RNDRRS for AArch64 on Linux | Andrew Chow
aee5404e02e203a256c1a97b629b9b107cc8bb07 Add support for RNDR/RNDRRS for aarch64 on Linux (John Moffett)

Pull request description:

This checks whether the ARMv8.5-A optional TRNG extensions [RNDR](https://developer.arm.com/documentation/ddi0601/2022-12/AArch64-Registers/RNDR--Random-Number) and [RNDRRS](https://developer.arm.com/documentation/ddi0601/2022-12/AArch64-Registers/RNDRRS--Reseeded-Random-Number) are available and, if they are, uses them for random entropy purposes. They are nearly functionally identical to the x86 RDRAND/RDSEED extensions and are used in a similar manner.

Currently, there [appears to be](https://marcin.juszkiewicz.com.pl/download/tables/arm-socs.html) only one actual hardware implementation -- the Amazon Graviton 3. (See the `rnd` column in the link.) However, future hardware implementations may become available. It's not possible to directly query for the capability in userspace, but the Linux kernel [added support](https://github.com/torvalds/linux/commit/1a50ec0b3b2e9a83f1b1245ea37a853aac2f741c) for querying the extension via `getauxval` in version 5.6 (in 2020), so this is limited to Linux-only for now.

Reviewers may want to launch any of the `c7g` instances from AWS to test the Graviton 3 hardware. Alternatively, QEMU emulates these opcodes for `aarch64` with CPU setting `max`.

Output from Graviton 3 hardware:

```
ubuntu@ip:~/bitcoin$ src/bitcoind -regtest
2023-01-06T20:01:48Z Bitcoin Core version v24.99.0-3670266ce89a (release build)
2023-01-06T20:01:48Z Using the 'arm_shani(1way,2way)' SHA256 implementation
2023-01-06T20:01:48Z Using RNDR and RNDRRS as additional entropy sources
2023-01-06T20:01:48Z Default data directory /home/ubuntu/.bitcoin
```

Graviton 2 (doesn't support extensions):

```
ubuntu@ip:~/bitcoin$ src/bitcoind -regtest
2023-01-06T20:05:04Z Bitcoin Core version v24.99.0-3670266ce89a (release build)
2023-01-06T20:05:04Z Using the 'arm_shani(1way,2way)' SHA256 implementation
2023-01-06T20:05:04Z Default data directory /home/ubuntu/.bitcoin
```

This partially closes #26796. As noted in that issue, OpenSSL [added support](https://github.com/openssl/openssl/pull/15361) for these extensions a little over a year ago.

ACKs for top commit:
  achow101: ACK aee5404e02e203a256c1a97b629b9b107cc8bb07
  laanwj: Tested ACK aee5404e02e203a256c1a97b629b9b107cc8bb07

Tree-SHA512: 1c1eb345d6690f5307a87e9bac8f06a0d1fdc7ca35db38fa22192510a44289a03252e4677dc7cbf731a27e6e3a9a4e42b6eb4149fe063bc1c905eb2536cdb1d3
2023-09-29 | Add support for RNDR/RNDRRS for aarch64 on Linux | John Moffett
This checks whether the ARMv8.5 extensions RNDR and RNDRRS are available and uses them for random entropy purposes. They are functionally identical to the x86 RDRAND/RDSEED extensions and are used in a similar manner.
2023-09-12 | [refactor] Remove compat.h from kernel headers | TheCharlatan
This commit makes compat.h no longer a required include for users of the libbitcoinkernel. Including compat.h imports a bunch of platform-specific definitions. This commit is part of the libbitcoinkernel project, namely its stage 1 step 3: Decouple most non-consensus headers from libbitcoinkernel.
2023-08-17 | crypto: require key on ChaCha20 initialization | Pieter Wuille
2023-08-17 | random: simplify FastRandomContext::randbytes using fillrand | Pieter Wuille
2023-08-17 | crypto: refactor ChaCha20 classes to use Span<std::byte> interface | Pieter Wuille
2023-06-30 | Allow FastRandomContext::randbytes for all byte types | MarcoFalke
2023-06-23 | Bench test for EllSwift ECDH | Pieter Wuille
Co-authored-by: Dhruv Mehta <856960+dhruv@users.noreply.github.com>
2023-05-20 | random: switch to using getrandom() directly | fanquake
This requires a linux kernel of 3.17.0+, which seems entirely reasonable. 3.17 went EOL in 2015, and the last supported 3.x kernel (3.16) went EOL > 4 years ago, in 2020. For reference, the current oldest maintained kernel is 4.14 (released 2017, EOL Jan 2024). Support for `getrandom()` (and `getentropy()`) was added to glibc 2.25, https://sourceware.org/legacy-ml/libc-alpha/2017-02/msg00079.html, and we already require 2.27+. All that being said, I don't think you would encounter a current day system, running with kernel headers older than 3.17 (released 2014) but also having a glibc of 2.27+ (released 2018).
2023-05-20 | random: add [[maybe_unused]] to GetDevURandom | fanquake
Rather than multiple instances of (void)GetDevURandom to silence compiler warnings.
2023-05-20 | random: getentropy on macOS does not need unistd.h | fanquake
Remove it. Make this change, so in a future commit, we can combine #ifdefs, and avoid duplicate <sys/random.h> includes once we switch to using getrandom directly. Also remove the comment about macOS 10.12. We already require macOS > 10.15, so it is redundant.
2023-03-02 | Use steady clock in SeedStrengthen and FindBestImplementation | MarcoFalke
2023-02-17 | random: consolidate WIN32 #ifdefs | fanquake
Order includes
Remove // for xyz comments
2023-02-17 | random: remove compat.h include | fanquake
We no longer need ssize_t. Add windows.h, which was being indirectly included via compat.h. It isn't actually included in compat.h itself, but was being included as a side-effect of other includes, like winsock2.h.
2023-02-17 | random: use int for MAX_TRIES | fanquake
Removing the use of ssize_t removes the need to include compat.h just to make Windows happy.
2023-01-30 | Only support 32-byte keys in ChaCha20{,Aligned} | Pieter Wuille
2023-01-30 | Use ChaCha20 caching in FastRandomContext | Pieter Wuille
2023-01-12 | doc: remove usages of C++11 | fanquake
Now it's just the standard library.
2022-12-24 | scripted-diff: Bump copyright headers | Hennadii Stepanov
-BEGIN VERIFY SCRIPT-
./contrib/devtools/copyright_header.py update ./
-END VERIFY SCRIPT-

Commits of previous years:
- 2021: f47dda2c58b5d8d623e0e7ff4e74bc352dfa83d7
- 2020: fa0074e2d82928016a43ca408717154a1c70a4db
- 2019: aaaaad6ac95b402fe18d019d67897ced6b316ee0
2022-09-23 | refactor: use <cstdlib> over stdlib.h | fanquake
We currently use both. Consolidate on the former.
2022-07-20 | refactor: move compat.h into compat/ | fanquake
2022-06-21 | Use consistent wording in log | Igor Bubelov
2022-05-17 | refactor: use C++11 default initializers | fanquake
2022-05-16 | Merge bitcoin/bitcoin#25109: Strengthen AssertLockNotHeld assertions | MacroFake
436ce0233c276e263dcb441255dc0b881cb39cfb sync.h: strengthen AssertLockNotHeld assertion (Anthony Towns)
7d73f58e9cea8f4b0bc16512983898fddde3d764 Increase threadsafety annotation coverage (Anthony Towns)

Pull request description:

This changes `AssertLockNotHeld` so that it is annotated with the negative capability for the mutex it refers to. clang applies negative capabilities recursively, so this helps avoid forgetting to annotate functions.

Note that this can't reasonably be used for globals, because clang would require every function to be annotated with `EXCLUSIVE_LOCKS_REQUIRED(!g_mutex)` for each global mutex. At present, the only global mutexes that use `AssertLockNotHeld` are `RecursiveMutex` so we treat that as an exception in order to avoid having to add an excessive number of negative annotations.

ACKs for top commit:
  vasild: ACK 436ce0233c276e263dcb441255dc0b881cb39cfb
  MarcoFalke: review ACK 436ce0233c276e263dcb441255dc0b881cb39cfb 🌺

Tree-SHA512: 5f16d098790a36b5277324d5ee89cdc87033c19b11c7943c2f630a41c2e3998eb39d356a763e857f4d8fefb6c0c02291f720bb6769bcbdf5e2cd765bf266ab8c
2022-05-12 | Increase threadsafety annotation coverage | Anthony Towns
2022-04-22 | refactor: make GetRand a template, remove GetRandInt | pasta
2022-04-21 | Merge bitcoin/bitcoin#24213: refactor: use Span in random.* | laanwj
3ae7791bcaa88f5c68592673b8926ee807242ce7 refactor: use Span in random.* (pasta)

Pull request description:

~This PR does two things~

1. use a Span<unsigned char> for GetRandBytes and GetStrongRandBytes
~2. make GetRand a template for which any integral type can be used, where the default behavior is to return a random integral up to the max of the integral unless a max is provided. This simplifies a lot of code from `GetRand(std::numeric_limits<uint64_t>::max()` -> `GetRand<uint64_t>()`~

MarcoFalke this was inspired by your comment here: https://github.com/bitcoin/bitcoin/pull/24185#issuecomment-1025514263 about using Span, so hopefully I'll be able to get this PR done and merged 😂

~Also, if requested I could revert the `GetRand(std::numeric_limits<uint64_t>::max()` -> `GetRand<uint64_t>()` related changes if it ends up causing too many conflicts~

ACKs for top commit:
  laanwj: Thank you! Code review re-ACK 3ae7791bcaa88f5c68592673b8926ee807242ce7

Tree-SHA512: 12375a83b68b288916ba0de81cfcab4aac14389a66a36811ae850427435eb67dd55e47df9ac3ec47db4e214f4330139e548bec815fff8a3f571484ea558dca79
2022-04-14 | lint: Convert lint-logs.sh to Python | Dimitri
2022-03-23 | refactor: use Span in random.* | pasta
2022-02-02 | build: remove unneeded getentropy detection (HAVE_GETENTROPY) | Sebastian Falbesoner
2022-02-02 | random: use arc4random on OpenBSD | Sebastian Falbesoner
Following best practices on OpenBSD. The getentropy(2) man page states: "getentropy() is not intended for regular code; please use the arc4random(3) family of functions instead."
2022-01-13 | scripted-diff: replace PoissonNextSend with GetExponentialRand | John Newbery
This distribution is used for more than just the next inv send, so make the name more generic. Also rename to "exponential" to avoid the confusion that this is a poisson distribution.

-BEGIN VERIFY SCRIPT-
ren() { sed -i "s/\<$1\>/$2/g" $(git grep -l "$1" ./src) ; }

ren PoissonNextSend GetExponentialRand
ren "a poisson timer" "an exponential timer"
-END VERIFY SCRIPT-
2022-01-13 | [refactor] Use uint64_t and std namespace in PoissonNextSend | John Newbery
Co-authored-by: Martin Zumsande <mzumsande@gmail.com>
2022-01-13 | [move] Move PoissonNextSend to src/random and update comment | John Newbery
PoissonNextSend is used by net and net_processing and is stateless, so place it in the utility random.cpp translation unit.
2021-12-30 | scripted-diff: Bump copyright headers | Hennadii Stepanov
-BEGIN VERIFY SCRIPT-
./contrib/devtools/copyright_header.py update ./
-END VERIFY SCRIPT-

Commits of previous years:
* 2020: fa0074e2d82928016a43ca408717154a1c70a4db
* 2019: aaaaad6ac95b402fe18d019d67897ced6b316ee0
2021-05-04 | refactor: Replace &foo[0] with foo.data() | MarcoFalke
2021-01-31 | refactor: replace sizeof(a)/sizeof(a[0]) by std::size (C++17) | Sebastian Falbesoner
Removes the macro ARRAYLEN and also substitutes all other uses of the same "sizeof(a)/sizeof(a[0])" pattern by std::size, available since C++17.
2020-08-10 | Merge #17563: lib: fix a compiler warning: unused GetDevURandom() | fanquake
ca2e47437277ef6851a739f247b44e73a53f21a1 Fix a compiler warning: unused GetDevURandom() (Vasil Dimov)

Pull request description:

~~Only define GetDevURandom() if it is going to be used.~~

Silence by planting a dummy reference to the `GetDevURandom` symbol in the places where we don't call the function.

ACKs for top commit:
  practicalswift: ACK ca2e47437277ef6851a739f247b44e73a53f21a1 -- increased signal to noise in compiler diagnostics is good
  sipa: utACK ca2e47437277ef6851a739f247b44e73a53f21a1
  hebasto: re-ACK ca2e47437277ef6851a739f247b44e73a53f21a1, tested on macOS 10.15.6 + llvm clang 10.0.0

Tree-SHA512: 03c98f00dad5d9a3c5c9f68553d72ad5489ec02f18b9769108a22003ec7be7819a731b1eab6a9f64dafb5be0efddccf6980de7e3bb90cd20d4f4d72f74124675
2020-05-15 | Merge #18781: Add templated GetRandDuration<> | MarcoFalke
0000ea32656833efa3d2ffd9bab66c88c83334f0 test: Add test for GetRandMillis and GetRandMicros (MarcoFalke)
fa0e5b89cf742df56c6c8f49fe9b3c54d2970a66 Add templated GetRandomDuration<> (MarcoFalke)

Pull request description:

A naive implementation of this template is dangerous, because the call site might accidentally omit the template parameter:

```cpp
template <typename D>
D GetRandDur(const D& duration_max)
{
    return D{GetRand(duration_max.count())};
}

BOOST_AUTO_TEST_CASE(util_time_GetRandTime)
{
    std::chrono::seconds rand_hour = GetRandDur(std::chrono::hours{1});
    // Want seconds to be in range [0..1hour), but always get zero :((((
    BOOST_CHECK_EQUAL(rand_hour.count(), 0);
}
```

Luckily `std::common_type` is already specialised in the standard lib for `std::chrono::duration` (https://en.cppreference.com/w/cpp/chrono/duration/common_type). And its effect seem to be that the call site must always specify the template argument explicitly.

So instead of implementing the function for each duration type by hand, replace it with a templated version that is safe to use.

ACKs for top commit:
  laanwj: Code review ACK 0000ea32656833efa3d2ffd9bab66c88c83334f0
  promag: Code review ACK 0000ea32656833efa3d2ffd9bab66c88c83334f0.
  jonatack: ACK 0000ea3 thanks for the improved documentation. Code review, built, ran `src/test/test_bitcoin -t random_tests -l test_suite` for the new unit tests, `git diff fa05a4c 0000ea3` since previous review:
  hebasto: ACK 0000ea32656833efa3d2ffd9bab66c88c83334f0 with non-blocking [nit](https://github.com/bitcoin/bitcoin/pull/18781#discussion_r424924671).

Tree-SHA512: e89d46e31452be6ea14269ecbbb2cdd9ae83b4412cd14dff7d1084283092722a2f847cb501e8054394e4a3eff852f9c87f6d694fd008b3f7e8458cb5a3068af7
2020-05-03 | build: warn on potentially uninitialized reads | Vasil Dimov
Enable -Wconditional-uninitialized to warn on potentially uninitialized reads. Fix the sole such warning in Bitcoin Core in GetRdRand(): r1 would be set to 0 on rdrand failure, so initializing it to 0 is a non-functional change.

From "Intel 64 and IA-32 Architectures Software Developer's Manual" [1], page 1711: "CF=1 indicates that the data in the destination is valid. Otherwise CF=0 and the data in the destination operand will be returned as zeros for the specified width."

[1] https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf
2020-04-30 | Add templated GetRandomDuration<> | MarcoFalke
2020-04-29 | Merge #18038: P2P: Mempool tracks locally submitted transactions to improve wallet privacy | fanquake
50fc4df6c4e8a84bdda13ade7bed7a2131796f00 [mempool] Persist unbroadcast set to mempool.dat (Amiti Uttarwar)
297a1785360c4db662a7f3d3ade7b6b503258d39 [test] Integration tests for unbroadcast functionality (Amiti Uttarwar)
6851502472d3625416f0e7796e9f2a0379d14d49 [refactor/test] Extract P2PTxInvStore into test framework (Amiti Uttarwar)
dc1da48dc5e5526215561311c184a8cbc345ecdc [wallet] Update the rebroadcast frequency to be ~1/day. (Amiti Uttarwar)
e25e42f20a3aa39651fbc1f9fa3df1a49f1f5868 [p2p] Reattempt initial send of unbroadcast transactions (Amiti Uttarwar)
7e93eecce3bc5a1b7bb0284e06f9e2e69454f5ba [util] Add method that returns random time in milliseconds (Amiti Uttarwar)
89eeb4a3335f8e871cc3f5286af4546dff66172a [mempool] Track "unbroadcast" transactions (Amiti Uttarwar)

Pull request description:

This PR introduces mempool tracking of unbroadcast transactions and periodic reattempts at initial broadcast. This is a part of the rebroadcast project, and a standalone privacy win.

The current rebroadcast logic is terrible for privacy because 1. only the source wallet rebroadcasts transactions and 2. it does so quite frequently. In the current system, if a user submits a transaction that does not immediately get broadcast to the network (eg. they are offline), this "rebroadcast" behavior is the safety net that can actually serve as the initial broadcast. So, keeping the attempts frequent is important for initial delivery within a reasonable timespan.

This PR aims to improve # 2 by reducing the wallet rebroadcast frequency to ~1/day from ~1/15 min. It achieves this by separating the notion of initial broadcast from rebroadcasts. With these changes, the mempool tracks locally submitted transactions & periodically reattempts initial broadcast. Transactions submitted via the wallet or RPC are added to an "unbroadcast" set & are removed when a peer sends a `getdata` request, or the transaction is removed from the mempool. Every 10-15 minutes, the node reattempts an initial broadcast. This enables reducing the wallet rebroadcast frequency while ensuring the transactions will be propagated to the network.

For privacy improvements around # 1, please see #16698.

Thank you to gmaxwell for the idea of how to break out this subset of functionality (https://github.com/bitcoin/bitcoin/pull/16698#issuecomment-571399346)

ACKs for top commit:
  fjahr: Code review ACK 50fc4df6c4e8a84bdda13ade7bed7a2131796f00
  MarcoFalke: ACK 50fc4df6c4e8a84bdda13ade7bed7a2131796f00, I think this is ready for merge now 👻
  amitiuttarwar: The current tip `50fc4df` currently has 6 ACKs on it, so I've opened #18807 to address the last bits.
  jnewbery: utACK 50fc4df6c4e8a84bdda13ade7bed7a2131796f00.
  ariard: Code Review ACK 50fc4df (minor points no need to invalid other ACKs)
  robot-visions: ACK 50fc4df6c4e8a84bdda13ade7bed7a2131796f00
  sipa: utACK 50fc4df6c4e8a84bdda13ade7bed7a2131796f00
  naumenkogs: utACK 50fc4df

Tree-SHA512: 2dd935d645d5e209f8abf87bfaa3ef0e4492705ce7e89ea64279cb27ffd37f4727fa94ad62d41be331177332f8edbebf3c7f4972f8cda10dd951b80a28ab3c0f
2020-04-23 | [util] Add method that returns random time in milliseconds | Amiti Uttarwar
2020-04-16 | scripted-diff: Bump copyright headers | MarcoFalke
-BEGIN VERIFY SCRIPT-
./contrib/devtools/copyright_header.py update ./
-END VERIFY SCRIPT-
2020-03-20 | Fix a compiler warning: unused GetDevURandom() | Vasil Dimov
```
random.cpp:255:13: error: unused function 'GetDevURandom' [-Werror,-Wunused-function]
```

Clang 9.0.0, FreeBSD 12.1

Silence by planting a dummy reference to the `GetDevURandom` symbol in the places where we don't call the function.
2020-03-19 | build: fix sysctl() detection on macOS | fanquake
sysctl() on *BSD takes a "const int *name", whereas sysctl() on macOS takes an "int *name". So our configure check and sysctl() detection on macOS currently fails:

```bash
/usr/include/sys/sysctl.h:759:9: note: candidate function not viable: no known conversion from 'const int [2]' to 'int *' for 1st argument
int     sysctl(int *, u_int, void *, size_t *, void *, size_t);
```

This change removes the name argument from the sysctl() detection check, meaning we will detect correctly on macOS and *BSD. For consistency we also switch to using the more generic, non-const version of the name parameter in the rest of our usage.
2020-03-17 | doc: fix GetTimeMicros() comment in random.cpp | fanquake
2020-03-17 | rand: remove getentropy() fallback for macOS < 10.12 | fanquake
2019-12-30 | scripted-diff: Bump copyright of files changed in 2019 | MarcoFalke
-BEGIN VERIFY SCRIPT-
./contrib/devtools/copyright_header.py update ./
-END VERIFY SCRIPT-
2019-12-08 | Make env data logging optional | Pieter Wuille