golang

History

Adam Langley 6269dcdc24 crypto: randomly read an extra byte of randomness in some places. Code has ended up depending on things like RSA's key generation being deterministic given a fixed random Reader. This was never guaranteed and would prevent us from ever changing anything about it. This change makes certain calls randomly (based on the internal fastrand) read an extra byte from the random Reader. This helps to ensure that code does not depend on internal details. I've not added this call in the key generation of ECDSA and DSA because, in those cases, key generation is so obvious that it probably is acceptable to do the obvious thing and not worry about code that depends on that. This does not affect tests that use a Reader of constant bytes (e.g. a zeroReader) because shifting such a stream is a no-op. The stdlib uses this internally (which is fine because it can be atomically updated if the crypto libraries change). It is possible that external tests could be doing the same and would thus break if we ever, say, tweaked the way RSA key generation worked. I feel that addressing that would be more effort than it's worth. Fixes #21915 Change-Id: I84cff2e249acc921ad6eb5527171e02e6d39c530 Reviewed-on: https://go-review.googlesource.com/64451 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>	2018-06-07 15:09:25 +00:00
..
randutil.go	crypto: randomly read an extra byte of randomness in some places.	2018-06-07 15:09:25 +00:00

Adam Langley 6269dcdc24 crypto: randomly read an extra byte of randomness in some places.

Code has ended up depending on things like RSA's key generation being
deterministic given a fixed random Reader. This was never guaranteed and
would prevent us from ever changing anything about it.

This change makes certain calls randomly (based on the internal
fastrand) read an extra byte from the random Reader. This helps to
ensure that code does not depend on internal details.

I've not added this call in the key generation of ECDSA and DSA because,
in those cases, key generation is so obvious that it probably is
acceptable to do the obvious thing and not worry about code that depends
on that.

This does not affect tests that use a Reader of constant bytes (e.g. a
zeroReader) because shifting such a stream is a no-op. The stdlib uses
this internally (which is fine because it can be atomically updated if
the crypto libraries change).

It is possible that external tests could be doing the same and would
thus break if we ever, say, tweaked the way RSA key generation worked.
I feel that addressing that would be more effort than it's worth.

Fixes #21915

Change-Id: I84cff2e249acc921ad6eb5527171e02e6d39c530
Reviewed-on: https://go-review.googlesource.com/64451
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>

2018-06-07 15:09:25 +00:00

randutil.go

crypto: randomly read an extra byte of randomness in some places.

2018-06-07 15:09:25 +00:00