Diffstat (limited to 'src/crypto/rsa/pss.go')
-rw-r--r--src/crypto/rsa/pss.go10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
index f7d23b55ef..3a377cc9db 100644
--- a/src/crypto/rsa/pss.go
+++ b/src/crypto/rsa/pss.go
@@ -285,7 +285,17 @@ var invalidSaltLenErr = errors.New("crypto/rsa: PSSOptions.SaltLength cannot be
// digest must be the result of hashing the input message using the given hash
// function. The opts argument may be nil, in which case sensible defaults are
// used. If opts.Hash is set, it overrides hash.
+//
+// The signature is randomized depending on the message, key, and salt size,
+// using bytes from rand. Most applications should use [crypto/rand.Reader] as
+// rand.
func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte, opts *PSSOptions) ([]byte, error) {
+ // Note that while we don't commit to deterministic execution with respect
+ // to the rand stream, we also don't apply MaybeReadByte, so per Hyrum's Law
+ // it's probably relied upon by some. It's a tolerable promise because a
+ // well-specified number of random bytes is included in the signature, in a
+ // well-specified way.
+
if boring.Enabled && rand == boring.RandReader {
bkey, err := boringPrivateKey(priv)
if err != nil {
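Review bot: The new doc comment (L19-21) tells callers the signature is randomized but not how much of rand is consumed, while the in-function note (L23-27) says that number is "well-specified" and, per Hyrum's Law, is likely relied upon — so the contract should be stated where callers read it, not only in an internal note. Presumably the bytes read are the salt itself, so its length is what fixes the draw; I'd extend the doc with `// The number of bytes read from rand depends on the effective salt length; with a salt length of zero the signature is deterministic and rand is not read.` (confirm the zero-salt case against the salt-length resolution, which is outside this hunk). It is also worth saying explicitly that when BoringCrypto is enabled and rand is boring.RandReader the caller's reader is bypassed in favour of the BoringCrypto RNG, since the branch at L29 silently switches paths. SignPSS's body continues past the end of the hunk.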