RFR: 8311902: Concurrency regression in the PBKDF2 key impl of SunJCE provider

Valerie Peng valeriep at openjdk.org
Thu Jul 13 21:03:59 UTC 2023


On Thu, 13 Jul 2023 18:27:08 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> This change adds back the Reference.ReachabilityFence(Object) call removed by [JDK-8301553](https://bugs.openjdk.org/browse/JDK-8301553).
>> 
>> Please help review.
>> Thanks!
>> Valerie
>
> src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java line 1:
> 
>> 1: /*
> 
> I also think the change which moved the registering of the `Cleaner` outside the `finally` block in the constructor is not correct, as the passwd is no longer zero-ed out if the code after that throws an Exception.

Per my reading of the code, the cleaner is only used when the PBKDF2 key constructor succeeds. If an exception occurred, then the passwd cleanup is handled by the `if (key == null)` condition in the finally block.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/14859#discussion_r1263049090
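
The cleanup split discussed in this thread, as an added example that is not part of the original message and is not the JDK's `PBKDF2KeyImpl` source: the `finally` block wipes the password copy when construction fails, the `Cleaner` is registered only after success, and `Reference.reachabilityFence` keeps the object reachable while the key is read. The class name `DerivedSecret` and the `kdf` parameter are hypothetical, and the password string is constructed sample data.

```java
import java.lang.ref.Cleaner;
import java.lang.ref.Reference;
import java.util.Arrays;
import java.util.Objects;
import java.util.function.Function;
// Hypothetical class for illustration; not the JDK's PBKDF2KeyImpl.
final class DerivedSecret {
    private static final Cleaner CLEANER = Cleaner.create();
    private final char[] passwd;
    private final byte[] key;
    // kdf stands in for the real key derivation (an assumption) and may throw.
    DerivedSecret(char[] password, Function<char[], byte[]> kdf) {
        this.passwd = password.clone();
        byte[] k = null;
        try {
            k = Objects.requireNonNull(kdf.apply(passwd));
        } finally {
            // Failure path: no Cleaner exists yet, so wipe the copy here.
            if (k == null) Arrays.fill(passwd, '\0');
        }
        this.key = k;
        // Success path: the Cleaner wipes both arrays once this object is
        // unreachable. The lambda captures the arrays, never 'this'.
        final char[] p = this.passwd;
        final byte[] b = this.key;
        CLEANER.register(this, () -> { Arrays.fill(p, '\0'); Arrays.fill(b, (byte) 0); });
    }

    byte[] getEncoded() {
        try {
            return key.clone();
        } finally {
            // Keep 'this' reachable until the copy is done, so the Cleaner
            // cannot zero 'key' while it is being read.
            Reference.reachabilityFence(this);
        }
    }

    public static void main(String[] args) {
        char[][] seen = new char[1][];   // captures the internal copy for inspection
        try {
            new DerivedSecret("constructed-pw".toCharArray(),
                p -> { seen[0] = p; throw new IllegalStateException("kdf failed"); });
        } catch (IllegalStateException e) {
            System.out.println("wiped on failure: " + Arrays.equals(seen[0], new char[seen[0].length]));
        }
        DerivedSecret ok = new DerivedSecret("constructed-pw".toCharArray(), p -> new byte[] {1, 2, 3});
        System.out.println("key length on success: " + ok.getEncoded().length);
    }
}
```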

