[release-branch.go1.12] crypto/rc4: remove false guarantees from Reset docs and deprecate it

FiloSottile · FiloSottile · commit da1f5d376a74 · 2019-02-22T18:31:50.000Z
Nothing in Go can truly guarantee a key will be gone from memory (see #21865), so remove that claim. That makes Reset useless, because unlike most Reset methods it doesn't restore the original value state, so deprecate it. Change-Id: I6bb0f7f94c7e6dd4c5ac19761bc8e5df1f9ec618 Reviewed-on: https://go-review.googlesource.com/c/162297 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b35daca) Reviewed-on: https://go-review.googlesource.com/c/163438
diff --git a/src/crypto/rc4/rc4.go b/src/crypto/rc4/rc4.go
@@ -45,8 +45,10 @@ func NewCipher(key []byte) (*Cipher, error) {
 	return &c, nil
 }
 
-// Reset zeros the key data so that it will no longer appear in the
-// process's memory.
+// Reset zeros the key data and makes the Cipher unusable.
+//
+// Deprecated: Reset can't guarantee that the key will be entirely removed from
+// the process's memory.
 func (c *Cipher) Reset() {
 	for i := range c.s {
 		c.s[i] = 0
