RFR 8206915: XDH TCK issues

Xuelei Fan xuelei.fan at oracle.com
Wed Jul 11 16:02:55 UTC 2018


Does it make sense if secret is not temporarily stored as a class filed?

Xuelei

On 7/11/2018 8:01 AM, Adam Petcher wrote:
> On 7/11/2018 10:41 AM, Sean Mullan wrote:
> 
>> XDHKeyAgreement.java
>>
>> 176         byte[] result = secret;
>>
>> Shouldn't this be:
>>
>> 176         byte[] result = secret.clone();
>>
>> since engineGenerateSecret() says it is returned in a new buffer.
> 
> I don't think cloning is necessary. The new array is created in 
> engineDoPhase, and it is always set to null in engineGenerateSecret 
> after it is returned or copied to the output buffer. In essence, this 
> overload of engineDoPhase transfers ownership of the array, and the 
> other one destroys it. So this engineDoPhase effectively returns a new 
> array, and I don't think it is possible for two clients (in the same 
> thread) to get the same array from these methods. Though I would 
> appreciate it if you could double-check this and make sure you agree.



More information about the security-dev mailing list