RFR 8206915: XDH TCK issues
Xuelei Fan
xuelei.fan at oracle.com
Wed Jul 11 16:02:55 UTC 2018
Does it make sense if secret is not temporarily stored as a class field?
Xuelei
On 7/11/2018 8:01 AM, Adam Petcher wrote:
> On 7/11/2018 10:41 AM, Sean Mullan wrote:
>
>> XDHKeyAgreement.java
>>
>> 176 byte[] result = secret;
>>
>> Shouldn't this be:
>>
>> 176 byte[] result = secret.clone();
>>
>> since engineGenerateSecret() says it is returned in a new buffer.
>
> I don't think cloning is necessary. The new array is created in
> engineDoPhase, and it is always set to null in engineGenerateSecret
> after it is returned or copied to the output buffer. In essence, this
> overload of engineDoPhase transfers ownership of the array, and the
> other one destroys it. So this engineDoPhase effectively returns a new
> array, and I don't think it is possible for two clients (in the same
> thread) to get the same array from these methods. Though I would
> appreciate it if you could double-check this and make sure you agree.
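
The ownership-transfer argument in the quoted reply, as an added example that is not part of the original thread and is not the JDK's XDHKeyAgreement code. The class `OwnershipTransferDemo`, its method names, the sample bytes and the zero-fill before dropping the array are all assumptions made for illustration, and like the reply it considers a single thread only.

```java
import java.util.Arrays;
import javax.crypto.ShortBufferException;

// Hypothetical stand-in for the pattern under review; not the JDK class.
public class OwnershipTransferDemo {
    private byte[] secret; // set by doPhase, consumed by either generateSecret

    // Stand-in for engineDoPhase: every computed secret lives in a fresh array.
    void doPhase(byte[] computed) {
        secret = computed.clone();
    }

    // Transfers ownership: the caller gets the array, the field forgets it.
    byte[] generateSecret() {
        if (secret == null) {
            throw new IllegalStateException("no secret available");
        }
        byte[] result = secret;
        secret = null; // without this line, two callers would share one array
        return result;
    }

    // Copies into the caller's buffer, then destroys the internal array.
    int generateSecret(byte[] out, int offset) throws ShortBufferException {
        if (secret == null) {
            throw new IllegalStateException("no secret available");
        }
        if (offset < 0 || out.length - offset < secret.length) {
            throw new ShortBufferException("output buffer too small");
        }
        int len = secret.length;
        System.arraycopy(secret, 0, out, offset, len);
        Arrays.fill(secret, (byte) 0); // wiping is this example's choice
        secret = null;
        return len;
    }

    public static void main(String[] args) throws Exception {
        OwnershipTransferDemo ka = new OwnershipTransferDemo();
        ka.doPhase(new byte[] {1, 2, 3, 4}); // constructed sample bytes
        byte[] first = ka.generateSecret();
        try {
            ka.generateSecret(); // the field is already null
        } catch (IllegalStateException e) {
            System.out.println("second call rejected, nothing left to alias");
        }
        ka.doPhase(new byte[] {1, 2, 3, 4});
        byte[] second = ka.generateSecret();
        Arrays.fill(first, (byte) 0); // one caller wipes its own copy
        System.out.println("distinct arrays: " + (first != second));
        System.out.println("second copy intact: " + (second[0] == 1));
    }
}
```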