lbrycrd/src/random.h

// Copyright (c) 2009-2010 Satoshi Nakamoto
// Copyright (c) 2009-2016 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#ifndef BITCOIN_RANDOM_H
#define BITCOIN_RANDOM_H

#include "uint256.h"

#include <stdint.h>

/* Seed OpenSSL PRNG with additional entropy data */
void RandAddSeed();

/**
 * Functions to gather random data via the OpenSSL PRNG
 */
void GetRandBytes(unsigned char* buf, int num);
uint64_t GetRand(uint64_t nMax);
int GetRandInt(int nMax);
uint256 GetRandHash();

/**
 * Function to gather random data from multiple sources, failing whenever any
 * of those source fail to provide a result.
 */
void GetStrongRandBytes(unsigned char* buf, int num);

/**
 * Fast randomness source. This is seeded once with secure random data, but
 * is completely deterministic and insecure after that.
 * This class is not thread-safe.
 */
class FastRandomContext {
public:
    explicit FastRandomContext(bool fDeterministic=false);

    uint32_t rand32() {
        Rz = 36969 * (Rz & 65535) + (Rz >> 16);
        Rw = 18000 * (Rw & 65535) + (Rw >> 16);
        return (Rw << 16) + Rz;
    }

    uint32_t Rz;
    uint32_t Rw;
};

/* Number of random bytes returned by GetOSRand.
 * When changing this constant make sure to change all call sites, and make
 * sure that the underlying OS APIs for all platforms support the number.
 * (many cap out at 256 bytes).
 */
static const ssize_t NUM_OS_RANDOM_BYTES = 32;

/** Get 32 bytes of system entropy. Do not use this in application code: use
 * GetStrongRandBytes instead.
 */
void GetOSRand(unsigned char *ent32);

/** Check that OS randomness is available and returning the requested number
 * of bytes.
 */
bool Random_SanityCheck();

#endif // BITCOIN_RANDOM_H
move rand functions from util to new random.h/.cpp 2014-06-26 14:41:53 +02:00			`// Copyright (c) 2009-2010 Satoshi Nakamoto`
Increment MIT Licence copyright header year on files modified in 2016 Edited via: $ contrib/devtools/copyright_header.py update . 2016-12-31 19:01:21 +01:00			`// Copyright (c) 2009-2016 The Bitcoin Core developers`
Remove references to X11 licence 2014-12-13 05:09:33 +01:00			`// Distributed under the MIT software license, see the accompanying`
move rand functions from util to new random.h/.cpp 2014-06-26 14:41:53 +02:00			`// file COPYING or http://www.opensource.org/licenses/mit-license.php.`

			`#ifndef BITCOIN_RANDOM_H`
			`#define BITCOIN_RANDOM_H`

			`#include "uint256.h"`

			`#include <stdint.h>`

Always require OS randomness when generating secret keys 2016-04-16 12:25:12 +02:00			`/* Seed OpenSSL PRNG with additional entropy data */`
move rand functions from util to new random.h/.cpp 2014-06-26 14:41:53 +02:00			`void RandAddSeed();`

			`/**`
			`* Functions to gather random data via the OpenSSL PRNG`
			`*/`
Make sure that GetRandomBytes never fails We're using GetRandomBytes in several contexts where it's either unwieldy to return an error, or an error would mean a fatal exception anyhow. @gmaxwell checked OpenSSL a while ago and discovered that it never actually fails, but it can't hurt to be a bit paranoid here. 2014-11-07 13:42:52 +01:00			`void GetRandBytes(unsigned char* buf, int num);`
move rand functions from util to new random.h/.cpp 2014-06-26 14:41:53 +02:00			`uint64_t GetRand(uint64_t nMax);`
			`int GetRandInt(int nMax);`
			`uint256 GetRandHash();`

Always require OS randomness when generating secret keys 2016-04-16 12:25:12 +02:00			`/**`
			`* Function to gather random data from multiple sources, failing whenever any`
			`* of those source fail to provide a result.`
			`*/`
			`void GetStrongRandBytes(unsigned char* buf, int num);`

move rand functions from util to new random.h/.cpp 2014-06-26 14:41:53 +02:00			`/**`
Kill insecure_random and associated global state There are only a few uses of `insecure_random` outside the tests. This PR replaces uses of insecure_random (and its accompanying global state) in the core code with an FastRandomContext that is automatically seeded on creation. This is meant to be used for inner loops. The FastRandomContext can be in the outer scope, or the class itself, then rand32() is used inside the loop. Useful e.g. for pushing addresses in CNode or the fee rounding, or randomization for coin selection. As a context is created per purpose, thus it gets rid of cross-thread unprotected shared usage of a single set of globals, this should also get rid of the potential race conditions. - I'd say TxMempool::check is not called enough to warrant using a special fast random context, this is switched to GetRand() (open for discussion...) - The use of `insecure_rand` in ConnectThroughProxy has been replaced by an atomic integer counter. The only goal here is to have a different credentials pair for each connection to go on a different Tor circuit, it does not need to be random nor unpredictable. - To avoid having a FastRandomContext on every CNode, the context is passed into PushAddress as appropriate. There remains an insecure_random for test usage in `test_random.h`. 2016-10-13 16:19:20 +02:00			`* Fast randomness source. This is seeded once with secure random data, but`
			`* is completely deterministic and insecure after that.`
			`* This class is not thread-safe.`
move rand functions from util to new random.h/.cpp 2014-06-26 14:41:53 +02:00			`*/`
Kill insecure_random and associated global state There are only a few uses of `insecure_random` outside the tests. This PR replaces uses of insecure_random (and its accompanying global state) in the core code with an FastRandomContext that is automatically seeded on creation. This is meant to be used for inner loops. The FastRandomContext can be in the outer scope, or the class itself, then rand32() is used inside the loop. Useful e.g. for pushing addresses in CNode or the fee rounding, or randomization for coin selection. As a context is created per purpose, thus it gets rid of cross-thread unprotected shared usage of a single set of globals, this should also get rid of the potential race conditions. - I'd say TxMempool::check is not called enough to warrant using a special fast random context, this is switched to GetRand() (open for discussion...) - The use of `insecure_rand` in ConnectThroughProxy has been replaced by an atomic integer counter. The only goal here is to have a different credentials pair for each connection to go on a different Tor circuit, it does not need to be random nor unpredictable. - To avoid having a FastRandomContext on every CNode, the context is passed into PushAddress as appropriate. There remains an insecure_random for test usage in `test_random.h`. 2016-10-13 16:19:20 +02:00			`class FastRandomContext {`
			`public:`
			`explicit FastRandomContext(bool fDeterministic=false);`

			`uint32_t rand32() {`
			`Rz = 36969 * (Rz & 65535) + (Rz >> 16);`
			`Rw = 18000 * (Rw & 65535) + (Rw >> 16);`
			`return (Rw << 16) + Rz;`
			`}`

			`uint32_t Rz;`
			`uint32_t Rw;`
			`};`
move rand functions from util to new random.h/.cpp 2014-06-26 14:41:53 +02:00
squashme: comment that NUM_OS_RANDOM_BYTES should not be changed lightly 2017-02-22 07:38:42 +01:00			`/* Number of random bytes returned by GetOSRand.`
			`* When changing this constant make sure to change all call sites, and make`
			`* sure that the underlying OS APIs for all platforms support the number.`
			`* (many cap out at 256 bytes).`
			`*/`
util: Specific GetOSRandom for Linux/FreeBSD/OpenBSD These are available in sandboxes without access to files or devices. Also [they are safer and more straightforward](https://en.wikipedia.org/wiki/Entropy-supplying_system_calls) to use than `/dev/urandom` as reading from a file has quite a few edge cases: - Linux: `getrandom(buf, buflen, 0)`. [getrandom(2)](http://man7.org/linux/man-pages/man2/getrandom.2.html) was introduced in version 3.17 of the Linux kernel. - OpenBSD: `getentropy(buf, buflen)`. The [getentropy(2)](http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/getentropy.2) function appeared in OpenBSD 5.6. - FreeBSD and NetBSD: `sysctl(KERN_ARND)`. Not sure when this was added but it has existed for quite a while. Alternatives: - Linux has sysctl `CTL_KERN` / `KERN_RANDOM` / `RANDOM_UUID` which gives 16 bytes of randomness. This may be available on older kernels, however [sysctl is deprecated on Linux](https://lwn.net/Articles/605392/) and even removed in some distros so we shouldn't use it. Add tests for `GetOSRand()`: - Test that no error happens (otherwise `RandFailure()` which aborts) - Test that all 32 bytes are overwritten (initialize with zeros, try multiple times) Discussion: - When to use these? Currently they are always used when available. Another option would be to use them only when `/dev/urandom` is not available. But this would mean these code paths receive less testing, and I'm not sure there is any reason to prefer `/dev/urandom`. Closes: #9676 2017-02-21 17:36:37 +01:00			`static const ssize_t NUM_OS_RANDOM_BYTES = 32;`

			`/** Get 32 bytes of system entropy. Do not use this in application code: use`
			`* GetStrongRandBytes instead.`
			`*/`
			`void GetOSRand(unsigned char *ent32);`

sanity: Move OS random to sanity check function Move the OS random test to a sanity check function that is called every time bitcoind is initialized. Keep `src/test/random_tests.cpp` for the case that later random tests are added, and keep a rudimentary test that just calls the sanity check. 2017-02-22 08:02:50 +01:00			`/** Check that OS randomness is available and returning the requested number`
			`* of bytes.`
			`*/`
			`bool Random_SanityCheck();`

move rand functions from util to new random.h/.cpp 2014-06-26 14:41:53 +02:00			`#endif // BITCOIN_RANDOM_H`