Merge #14955: Switch all RNG code to the built-in PRNG

223de8d Document RNG design in random.h (Pieter Wuille)
f2e60ca Use secure allocator for RNG state (Pieter Wuille)
cddb31b Encapsulate RNGState better (Pieter Wuille)
152146e DRY: Implement GetRand using FastRandomContext::randrange (Pieter Wuille)
a1f252e Sprinkle some sweet noexcepts over the RNG code (Pieter Wuille)
4ea8e50 Remove hwrand_initialized. (Pieter Wuille)
9d7032e Switch all RNG code to the built-in PRNG. (Pieter Wuille)
16e40a8 Integrate util/system's CInit into RNGState (Pieter Wuille)
2ccc3d3 Abstract out seeding/extracting entropy into RNGState::MixExtract (Pieter Wuille)
aae8b9b Add thread safety annotations to RNG state (Pieter Wuille)
d3f54d1 Rename some hardware RNG related functions (Pieter Wuille)
05fde14 Automatically initialize RNG on first use. (Pieter Wuille)
2d1cc50 Don't log RandAddSeedPerfmon details (Pieter Wuille)
6a57ca9 Use FRC::randbytes instead of reading >32 bytes from RNG (Pieter Wuille)

Pull request description:

  This does not remove OpenSSL, but makes our own PRNG the 'main' one; for GetStrongRandBytes, the OpenSSL RNG is still used (indirectly, by feeding its output into our PRNG state).

  It includes a few policy changes (regarding what entropy is seeded when).

  Before this PR:
  * GetRand*:
    * OpenSSL
  * GetStrongRand*:
    * CPU cycle counter
    * Perfmon data (on Windows, once 10 min)
    * /dev/urandom (or equivalent)
    * rdrand (if available)
  * From scheduler when idle:
    * CPU cycle counter before and after 1ms sleep
  * At startup:
    * CPU cycle counter before and after 1ms sleep

  After this PR:
  * GetRand*:
    * Stack pointer (which indirectly identifies thread and some call stack information)
    * rdrand (if available)
    * CPU cycle counter
  * GetStrongRand*:
    * Stack pointer (which indirectly identifies thread and some call stack information)
    * rdrand (if available)
    * CPU cycle counter
    * /dev/urandom (or equivalent)
    * OpenSSL
    * CPU cycle counter again
  * From scheduler when idle:
    * Stack pointer (which indirectly identifies thread and some call stack information)
    * rdrand (if available)
    * CPU cycle counter before and after 1ms sleep
    * Perfmon data (on Windows, once every 10 min)
  * At startup:
    * Stack pointer (which indirectly identifies thread and some call stack information)
    * rdrand (if available)
    * CPU cycle counter
    * /dev/urandom (or equivalent)
    * OpenSSL
    * CPU cycle counter again
    * Perfmon data (on Windows, once every 10 min)

  The interface of random.h is also simplified, and documentation is added.

  This implements most of #14623.

Tree-SHA512: 0120e19bd4ce80a509b5c180a4f29497d299ce8242e25755880851344b825bc2d64a222bc245e659562fb5463fb7c70fbfcf003616be4dc59d0ed6534f93dd20

Author: laanwj

src/bench/bench_bitcoin.cpp

@@ -6,7 +6,6 @@
 
 #include <crypto/sha256.h>
 #include <key.h>
-#include <random.h>
 #include <util/system.h>
 #include <util/strencodings.h>
 #include <validation.h>
@@ -67,7 +66,6 @@ int main(int argc, char** argv)
     const fs::path bench_datadir{SetDataDir()};
 
     SHA256AutoDetect();
-    RandomInit();
     ECC_Start();
     SetupEnvironment();
 

src/crypto/sha512.h

@@ -17,7 +17,7 @@ class CSHA512
     uint64_t bytes;
 
 public:
-    static const size_t OUTPUT_SIZE = 64;
+    static constexpr size_t OUTPUT_SIZE = 64;
 
     CSHA512();
     CSHA512& Write(const unsigned char* data, size_t len);

src/qt/test/paymentservertests.cpp

@@ -181,12 +181,12 @@ void PaymentServerTests::paymentServerTests()
     QCOMPARE(PaymentServer::verifyExpired(r.paymentRequest.getDetails()), true);
 
     // Test BIP70 DoS protection:
-    unsigned char randData[BIP70_MAX_PAYMENTREQUEST_SIZE + 1];
-    GetRandBytes(randData, sizeof(randData));
+    auto randdata = FastRandomContext().randbytes(BIP70_MAX_PAYMENTREQUEST_SIZE + 1);
+
     // Write data to a temp file:
     QTemporaryFile tempFile;
     tempFile.open();
-    tempFile.write((const char*)randData, sizeof(randData));
+    tempFile.write((const char*)randdata.data(), randdata.size());
     tempFile.close();
     // compares 50001 <= BIP70_MAX_PAYMENTREQUEST_SIZE == false
     QCOMPARE(PaymentServer::verifySize(tempFile.size()), false);