-
Adam Langley authored
Code has ended up depending on things like RSA's key generation being deterministic given a fixed random Reader. This was never guaranteed and would prevent us from ever changing anything about it. This change makes certain calls randomly (based on the internal fastrand) read an extra byte from the random Reader. This helps to ensure that code does not depend on internal details. I've not added this call in the key generation of ECDSA and DSA because, in those cases, key generation is so obvious that it probably is acceptable to do the obvious thing and not worry about code that depends on that. This does not affect tests that use a Reader of constant bytes (e.g. a zeroReader) because shifting such a stream is a no-op. The stdlib uses this internally (which is fine because it can be atomically updated if the crypto libraries change). It is possible that external tests could be doing the same and would thus break if we ever, say, tweaked the way RSA key generation worked. I feel that addressing that would be more effort than it's worth. Fixes #21915 Change-Id: I84cff2e249acc921ad6eb5527171e02e6d39c530 Reviewed-on: https://go-review.googlesource.com/64451Reviewed-by:
Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
6269dcdc
