crypto/internal/fips140/drbg: add Counter warning

The support we provide is tightly scoped, and is not safe for generic
usage elsewhere in the standard library.

Change-Id: Ic38d5c4b416859ab30e2b4a3fc977ba8a2535ae8
Reviewed-on: https://go-review.googlesource.com/c/go/+/647815
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>

1 files changed, 8 insertions, 0 deletions

diff --git a/src/crypto/internal/fips140/drbg/ctrdrbg.go b/src/crypto/internal/fips140/drbg/ctrdrbg.go
index cd1b40d10c..3c90054dfd 100644
--- a/src/crypto/internal/fips140/drbg/ctrdrbg.go
+++ b/src/crypto/internal/fips140/drbg/ctrdrbg.go
@@ -21,6 +21,14 @@ import (
 // We support a narrow range of parameters that fit the needs of our RNG:
 // AES-256, no derivation function, no personalization string, no prediction
 // resistance, and 384-bit additional input.
+//
+// WARNING: this type provides tightly scoped support for the DRBG
+// functionality we need for FIPS 140-3 _only_. This type _should not_ be used
+// outside of the FIPS 140-3 module for any other use.
+//
+// In particular, as documented, Counter does not support the derivation
+// function, or personalization strings which are necessary for safely using
+// this DRBG for generic purposes without leaking sensitive values.
 type Counter struct {
 	// c is instantiated with K as the key and V as the counter.
 	c aes.CTR