Revert "crypto/rand: add randcrash=0 GODEBUG"

A GODEBUG is actually a security risk here: most programs will start to
ignore errors from Read because they can't happen (which is the intended
behavior), but then if a program is run with GODEBUG=randcrash=0 it will
use a partial buffer in case an error occurs, which may be catastrophic.

Note that the proposal was accepted without the GODEBUG, which was only
added later.

This (partially) reverts CL 608435. I kept the tests.

Updates #66821

Change-Id: I3fd20f9cae0d34115133fe935f0cfc7a741a2662
Reviewed-on: https://go-review.googlesource.com/c/go/+/622115
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>

diff --git a/doc/godebug.md b/doc/godebug.md
index a97d8234fe87d24d72f8dabe3b0218b10153be30..7b5fd3e48b87d7c59050c462cd5ba12aae2e8a65 100644 (file)
--- a/doc/godebug.md
+++ b/doc/godebug.md
@@ -168,11 +168,6 @@ For Go 1.24, it now defaults to multipathtcp="2", thus
 enabled by default on listerners. Using multipathtcp="0" reverts to the
 pre-Go 1.24 behavior.
 
-Go 1.24 changed [`crypto/rand.Read`](/pkg/crypto/rand/#Read) to crash the
-program on any error. This setting is controlled by the `randcrash` setting.
-For Go 1.24 it defaults to `randcrash=1`.
-Using `randcrash=0` reverts to the pre-Go 1.24 behavior.
-
 ### Go 1.23
 
 Go 1.23 changed the channels created by package time to be unbuffered

diff --git a/src/crypto/rand/rand.go b/src/crypto/rand/rand.go
index 7c18d595c2eeaa90e90b7fc2959f0c967e3aaab1..b3d0a7368f7fa0550f108055d35b2514a3df4077 100644 (file)
--- a/src/crypto/rand/rand.go
+++ b/src/crypto/rand/rand.go
@@ -8,7 +8,6 @@ package rand
 
 import (
        "crypto/internal/boring"
-       "internal/godebug"
        "io"
        "os"
        "sync"
@@ -65,8 +64,6 @@ func (r *reader) Read(b []byte) (n int, err error) {
 //go:linkname fatal
 func fatal(string)
 
-var randcrash = godebug.New("randcrash")
-
 // Read fills b with cryptographically secure random bytes. It never returns an
 // error, and always fills b entirely.
 //
@@ -86,10 +83,6 @@ func Read(b []byte) (n int, err error) {
                copy(b, bb)
        }
        if err != nil {
-               if randcrash.Value() == "0" {
-                       randcrash.IncNonDefault()
-                       return 0, err
-               }
                fatal("crypto/rand: failed to read random data (see https://go.dev/issue/66821): " + err.Error())
                panic("unreachable") // To be sure.
        }

diff --git a/src/crypto/rand/rand_test.go b/src/crypto/rand/rand_test.go
index 2372413279dafee193349a9e6ee298e282f5cd4e..63581b75fdbc7fa047b60726b291fb1392c0b4f1 100644 (file)
--- a/src/crypto/rand/rand_test.go
+++ b/src/crypto/rand/rand_test.go
@@ -198,8 +198,7 @@ func TestReadError(t *testing.T) {
        }
        testenv.MustHaveExec(t)
 
-       // We run this test in a subprocess because it's expected to crash the
-       // program unless the GODEBUG is set.
+       // We run this test in a subprocess because it's expected to crash.
        if os.Getenv("GO_TEST_READ_ERROR") == "1" {
                defer func(r io.Reader) { Reader = r }(Reader)
                Reader = readerFunc(func([]byte) (int, error) {
@@ -221,13 +220,6 @@ func TestReadError(t *testing.T) {
        if !bytes.Contains(out, []byte(exp)) {
                t.Errorf("subprocess output does not contain %q: %s", exp, out)
        }
-
-       cmd = testenv.Command(t, os.Args[0], "-test.run=TestReadError")
-       cmd.Env = append(os.Environ(), "GO_TEST_READ_ERROR=1", "GODEBUG=randcrash=0")
-       out, err = cmd.CombinedOutput()
-       if err != nil {
-               t.Errorf("subprocess failed: %v\n%s", err, out)
-       }
 }
 
 func BenchmarkRead(b *testing.B) {

diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
index 3af86d070a4c0fd2daa1982563e7a0f01ca23ff1..59d4fa7d5b87414a77ca0ef68813d4d6deef0df5 100644 (file)
--- a/src/internal/godebugs/table.go
+++ b/src/internal/godebugs/table.go
@@ -47,7 +47,6 @@ var All = []Info{
        {Name: "netedns0", Package: "net", Changed: 19, Old: "0"},
        {Name: "panicnil", Package: "runtime", Changed: 21, Old: "1"},
        {Name: "randautoseed", Package: "math/rand"},
-       {Name: "randcrash", Package: "crypto/rand", Changed: 24, Old: "0"},
        {Name: "randseednop", Package: "math/rand", Changed: 24, Old: "0"},
        {Name: "tarinsecurepath", Package: "archive/tar"},
        {Name: "tls10server", Package: "crypto/tls", Changed: 22, Old: "1"},

diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go
index 3d2cc6159f2686135eed0f7bafdffbd8e444b5ce..906abb4102e674e73a95f81f2980ab58ab6cffa9 100644 (file)
--- a/src/runtime/metrics/doc.go
+++ b/src/runtime/metrics/doc.go
@@ -306,10 +306,6 @@ Below is the full list of supported metrics, ordered lexicographically.
                The number of non-default behaviors executed by the math/rand
                package due to a non-default GODEBUG=randautoseed=... setting.
 
-       /godebug/non-default-behavior/randcrash:events
-               The number of non-default behaviors executed by the crypto/rand
-               package due to a non-default GODEBUG=randcrash=... setting.
-
        /godebug/non-default-behavior/randseednop:events
                The number of non-default behaviors executed by the math/rand
                package due to a non-default GODEBUG=randseednop=... setting.