crypto/rsa: return error if keygen random source is broken
authorFilippo Valsorda <filippo@golang.org>
Mon, 2 Dec 2024 20:04:15 +0000 (21:04 +0100)
committerGopher Robot <gobot@golang.org>
Tue, 3 Dec 2024 00:06:52 +0000 (00:06 +0000)
Fixes #70643

Change-Id: I47c76500bb2e79b0d1dc096651eb45885f6888b6
Reviewed-on: https://go-review.googlesource.com/c/go/+/632896
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>

src/crypto/internal/fips140/rsa/keygen.go

index 62e0063d60c7441d71aef24f42c82b2e91ce9457..a9e12eb1e8e920a3dcdc184c5aa62dec8ebd93ac 100644 (file)
@@ -45,6 +45,10 @@ func GenerateKey(rand io.Reader, bits int) (*PrivateKey, error) {
                        return nil, err
                }
 
+               if Q.Nat().ExpandFor(P).Equal(P.Nat()) == 1 {
+                       return nil, errors.New("rsa: generated p == q, random source is broken")
+               }
+
                N, err := bigmod.NewModulusProduct(p, q)
                if err != nil {
                        return nil, err
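Review bot: The added `Q.Nat().ExpandFor(P).Equal(P.Nat()) == 1` guard has no comment explaining why equal primes are fatal, so a later reader could mistake it for a retryable condition; I would add above it `// p == q means rand repeated its output; N would be p² and recoverable with a square root, so fail rather than emit the key.` The check only detects an exactly repeated prime, so a biased or low-entropy reader that yields distinct primes still passes, and the doc comment on GenerateKey should describe this error as a best-effort tripwire, not as validation of `rand`. No test is visible on this page; a case that feeds GenerateKey a deterministic reader and expects this error would pin the behaviour. GenerateKey starts and ends outside the hunk, so whether a minimum |p − q| distance is enforced elsewhere cannot be seen here.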