Merge #14955: Switch all RNG code to the built-in PRNG #4411
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
223de8d Document RNG design in random.h (Pieter Wuille) f2e60ca Use secure allocator for RNG state (Pieter Wuille) cddb31b Encapsulate RNGState better (Pieter Wuille) 152146e DRY: Implement GetRand using FastRandomContext::randrange (Pieter Wuille) a1f252e Sprinkle some sweet noexcepts over the RNG code (Pieter Wuille) 4ea8e50 Remove hwrand_initialized. (Pieter Wuille) 9d7032e Switch all RNG code to the built-in PRNG. (Pieter Wuille) 16e40a8 Integrate util/system's CInit into RNGState (Pieter Wuille) 2ccc3d3 Abstract out seeding/extracting entropy into RNGState::MixExtract (Pieter Wuille) aae8b9b Add thread safety annotations to RNG state (Pieter Wuille) d3f54d1 Rename some hardware RNG related functions (Pieter Wuille) 05fde14 Automatically initialize RNG on first use. (Pieter Wuille) 2d1cc50 Don't log RandAddSeedPerfmon details (Pieter Wuille) 6a57ca9 Use FRC::randbytes instead of reading >32 bytes from RNG (Pieter Wuille) Pull request description: This does not remove OpenSSL, but makes our own PRNG the 'main' one; for GetStrongRandBytes, the OpenSSL RNG is still used (indirectly, by feeding its output into our PRNG state). It includes a few policy changes (regarding what entropy is seeded when). Before this PR: * GetRand*: * OpenSSL * GetStrongRand*: * CPU cycle counter * Perfmon data (on Windows, once 10 min) * /dev/urandom (or equivalent) * rdrand (if available) * From scheduler when idle: * CPU cycle counter before and after 1ms sleep * At startup: * CPU cycle counter before and after 1ms sleep After this PR: * GetRand*: * Stack pointer (which indirectly identifies thread and some call stack information) * rdrand (if available) * CPU cycle counter * GetStrongRand*: * Stack pointer (which indirectly identifies thread and some call stack information) * rdrand (if available) * CPU cycle counter * /dev/urandom (or equivalent) * OpenSSL * CPU cycle counter again * From scheduler when idle: * Stack pointer (which indirectly identifies thread and some call stack information) * rdrand (if available) * CPU cycle counter before and after 1ms sleep * Perfmon data (on Windows, once every 10 min) * At startup: * Stack pointer (which indirectly identifies thread and some call stack information) * rdrand (if available) * CPU cycle counter * /dev/urandom (or equivalent) * OpenSSL * CPU cycle counter again * Perfmon data (on Windows, once every 10 min) The interface of random.h is also simplified, and documentation is added. This implements most of bitcoin#14623. Tree-SHA512: 0120e19bd4ce80a509b5c180a4f29497d299ce8242e25755880851344b825bc2d64a222bc245e659562fb5463fb7c70fbfcf003616be4dc59d0ed6534f93dd20
Comment on lines
+386
to
+389
| /* A note on the use of noexcept in the seeding functions below: | ||
| * | ||
| * None of the RNG code should ever throw any exception. | ||
| */ |
Member
There was a problem hiding this comment.
Why is this comment different??
Author
There was a problem hiding this comment.
Original patch used MilliSleep() that could throw, and the comment explained that and why related functions were not marked as noexcept.
Later that code has been changed to use UninterruptibleSleep() instead which does not throw.
Our code already has UninterruptibleSleep() instead of MilliSleep as of cbc4a74 (#4229) and so I used it here right away.
In later revisions of Bitcoin that use UninterruptibleSleep() too, the comment looks exactly like above.
Comment on lines
-345
to
-353
| // Combine with and update state | ||
| { | ||
| WAIT_LOCK(cs_rng_state, lock); | ||
| hasher.Write(rng_state, sizeof(rng_state)); | ||
| hasher.Write((const unsigned char*)&rng_counter, sizeof(rng_counter)); | ||
| ++rng_counter; | ||
| hasher.Finalize(buf); | ||
| memcpy(rng_state, buf + 32, 32); | ||
| } |
Author
There was a problem hiding this comment.
Do you mean some other fixes are to be backported? This specific block applied cleanly on cherry-picking as far as I remember, no conflicts in these lines.
There was a problem hiding this comment.
@PastaPastaPasta can you clarify pls? I don't see any
Member
There was a problem hiding this comment.
Upstream had https://github.com/bitcoin/bitcoin/pull/14955/files#diff-433f996b8149d6d6831ab1ee2978d4cc13dead5721c824175db806e4284ab15bL325-L328 instead of this, and I was just pointing out the difference
There was a problem hiding this comment.
https://github.com/dashpay/dash/pull/4411/files/4cbecd4510a62910519725aee8633d8b0166546e#diff-433f996b8149d6d6831ab1ee2978d4cc13dead5721c824175db806e4284ab15bL331-L334 👀 there is some confusion caused by diffs being displayed differently probably cause the code is the same as far as I can tell
Member
There was a problem hiding this comment.
Sounds good, just wanted to point it out to make sure we weren't missing smth
PastaPastaPasta
approved these changes
Sep 11, 2021
Member
PastaPastaPasta
left a comment
PastaPastaPasta
left a comment
There was a problem hiding this comment.
utACK for squash merge, LGTM
gades
pushed a commit
to cosanta/cosanta-core
that referenced
this pull request
May 1, 2022
…y#4411) 223de8d Document RNG design in random.h (Pieter Wuille) f2e60ca Use secure allocator for RNG state (Pieter Wuille) cddb31b Encapsulate RNGState better (Pieter Wuille) 152146e DRY: Implement GetRand using FastRandomContext::randrange (Pieter Wuille) a1f252e Sprinkle some sweet noexcepts over the RNG code (Pieter Wuille) 4ea8e50 Remove hwrand_initialized. (Pieter Wuille) 9d7032e Switch all RNG code to the built-in PRNG. (Pieter Wuille) 16e40a8 Integrate util/system's CInit into RNGState (Pieter Wuille) 2ccc3d3 Abstract out seeding/extracting entropy into RNGState::MixExtract (Pieter Wuille) aae8b9b Add thread safety annotations to RNG state (Pieter Wuille) d3f54d1 Rename some hardware RNG related functions (Pieter Wuille) 05fde14 Automatically initialize RNG on first use. (Pieter Wuille) 2d1cc50 Don't log RandAddSeedPerfmon details (Pieter Wuille) 6a57ca9 Use FRC::randbytes instead of reading >32 bytes from RNG (Pieter Wuille) Pull request description: This does not remove OpenSSL, but makes our own PRNG the 'main' one; for GetStrongRandBytes, the OpenSSL RNG is still used (indirectly, by feeding its output into our PRNG state). It includes a few policy changes (regarding what entropy is seeded when). Before this PR: * GetRand*: * OpenSSL * GetStrongRand*: * CPU cycle counter * Perfmon data (on Windows, once 10 min) * /dev/urandom (or equivalent) * rdrand (if available) * From scheduler when idle: * CPU cycle counter before and after 1ms sleep * At startup: * CPU cycle counter before and after 1ms sleep After this PR: * GetRand*: * Stack pointer (which indirectly identifies thread and some call stack information) * rdrand (if available) * CPU cycle counter * GetStrongRand*: * Stack pointer (which indirectly identifies thread and some call stack information) * rdrand (if available) * CPU cycle counter * /dev/urandom (or equivalent) * OpenSSL * CPU cycle counter again * From scheduler when idle: * Stack pointer (which indirectly identifies thread and some call stack information) * rdrand (if available) * CPU cycle counter before and after 1ms sleep * Perfmon data (on Windows, once every 10 min) * At startup: * Stack pointer (which indirectly identifies thread and some call stack information) * rdrand (if available) * CPU cycle counter * /dev/urandom (or equivalent) * OpenSSL * CPU cycle counter again * Perfmon data (on Windows, once every 10 min) The interface of random.h is also simplified, and documentation is added. This implements most of bitcoin#14623. Tree-SHA512: 0120e19bd4ce80a509b5c180a4f29497d299ce8242e25755880851344b825bc2d64a222bc245e659562fb5463fb7c70fbfcf003616be4dc59d0ed6534f93dd20 Co-authored-by: Wladimir J. van der Laan <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
223de8d Document RNG design in random.h (Pieter Wuille)
f2e60ca Use secure allocator for RNG state (Pieter Wuille)
cddb31b Encapsulate RNGState better (Pieter Wuille)
152146e DRY: Implement GetRand using FastRandomContext::randrange (Pieter Wuille)
a1f252e Sprinkle some sweet noexcepts over the RNG code (Pieter Wuille)
4ea8e50 Remove hwrand_initialized. (Pieter Wuille)
9d7032e Switch all RNG code to the built-in PRNG. (Pieter Wuille)
16e40a8 Integrate util/system's CInit into RNGState (Pieter Wuille)
2ccc3d3 Abstract out seeding/extracting entropy into RNGState::MixExtract (Pieter Wuille)
aae8b9b Add thread safety annotations to RNG state (Pieter Wuille)
d3f54d1 Rename some hardware RNG related functions (Pieter Wuille)
05fde14 Automatically initialize RNG on first use. (Pieter Wuille)
2d1cc50 Don't log RandAddSeedPerfmon details (Pieter Wuille)
6a57ca9 Use FRC::randbytes instead of reading >32 bytes from RNG (Pieter Wuille)
Pull request description:
This does not remove OpenSSL, but makes our own PRNG the 'main' one; for GetStrongRandBytes, the OpenSSL RNG is still used (indirectly, by feeding its output into our PRNG state).
It includes a few policy changes (regarding what entropy is seeded when).
Before this PR:
After this PR:
The interface of random.h is also simplified, and documentation is added.
This implements most of bitcoin#14623.
Tree-SHA512: 0120e19bd4ce80a509b5c180a4f29497d299ce8242e25755880851344b825bc2d64a222bc245e659562fb5463fb7c70fbfcf003616be4dc59d0ed6534f93dd20