RFR: 8298390: Implementing ML-KEM key encapsulation mechanism [v15]
Weijun Wang
weijun at openjdk.org
Fri Nov 8 12:57:31 UTC 2024
On Thu, 7 Nov 2024 16:51:38 GMT, Kevin Driver <kdriver at openjdk.org> wrote:
>> Ben Perez has updated the pull request incrementally with two additional commits since the last revision:
>>
>> - default random for encaps, supported alg in SunJCE
>> - copyright header
>
> src/java.base/share/classes/com/sun/crypto/provider/ML_KEM.java line 515:
>
>> 513: mlKemH.update(encapsKey);
>> 514: mlKemH.digest(decapsKey, kPkePrivateKey.length + encapsKey.length, 32);
>> 515: System.arraycopy(kem_z, 0, decapsKey, kPkePrivateKey.length + encapsKey.length + 32, 32);
>
> Should values be zeroed after this line/before return?
Which value? `kem_z` is an input argument `decapsKey` is an output argument. They belong to the caller.
> src/java.base/share/classes/com/sun/crypto/provider/ML_KEM.java line 568:
>
>> 566: var kAndCoins = mlKemG.digest();
>> 567: var realResult = Arrays.copyOfRange(kAndCoins, 0, 32);
>> 568: var coins = Arrays.copyOfRange(kAndCoins, 32, 64);
>
> Several copies take place here. Should anything be zeroed?
We should zero out `kPkePrivateKeyBytes` and `kAndCoins`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21478#discussion_r1834358403
PR Review Comment: https://git.openjdk.org/jdk/pull/21478#discussion_r1834360261
More information about the security-dev
mailing list