Does it make sense if secret is not temporarily stored as a class field?
Xuelei
On 7/11/2018 8:01 AM, Adam Petcher wrote:
> On 7/11/2018 10:41 AM, Sean Mullan wrote:
>> XDHKeyAgreement.java
>> 176 byte[] result = secret;
>> Shouldn't this be:
>> 176 byte[] result = secret.clone();
>> since engineGenerateSecret() says it is returned in a new buffer.
> I don't think cloning is necessary. The new array is created in
> engineDoPhase, and it is always set to null in engineGenerateSecret
> after it is returned or copied to the output buffer. In essence, this
> overload of engineDoPhase transfers ownership of the array, and the
> other one destroys it. So this engineDoPhase effectively returns a new
> array, and I don't think it is possible for two clients (in the same
> thread) to get the same array from these methods. Though I would
> appreciate it if you could double-check this and make sure you agree.
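
The ownership-transfer pattern discussed in the quoted exchange, as an added sketch that is not part of the thread and is not the JDK's XDHKeyAgreement code. The class name, method names, sample bytes and the zero-fill before dropping the reference are assumptions made for illustration.

```java
import java.util.Arrays;
import javax.crypto.ShortBufferException;

// Hypothetical stand-in for a key agreement SPI; not the JDK's XDHKeyAgreement.
public class OwnershipTransferDemo {
    private byte[] secret; // non-null only between doPhase and generateSecret

    // Stand-in for engineDoPhase: stores a freshly allocated array.
    void doPhase(byte[] computed) {
        secret = computed.clone(); // constructed input replaces the real computation
    }

    // Hands the array itself to the caller and drops the field reference.
    byte[] generateSecret() {
        if (secret == null) throw new IllegalStateException("no secret available");
        byte[] result = secret;
        secret = null;
        return result;
    }

    // Copies into the caller's buffer, then destroys the internal array.
    int generateSecret(byte[] out, int offset) throws ShortBufferException {
        if (secret == null) throw new IllegalStateException("no secret available");
        if (out.length - offset < secret.length) throw new ShortBufferException("buffer too short");
        int len = secret.length;
        System.arraycopy(secret, 0, out, offset, len);
        Arrays.fill(secret, (byte) 0); // assumption: wipe before dropping the reference
        secret = null;
        return len;
    }

    public static void main(String[] args) throws Exception {
        OwnershipTransferDemo ka = new OwnershipTransferDemo();
        byte[] sample = {1, 2, 3, 4}; // constructed sample value
        ka.doPhase(sample);
        byte[] first = ka.generateSecret();
        try {
            ka.generateSecret(); // field is already null
            throw new AssertionError("second call returned a secret");
        } catch (IllegalStateException expected) { }
        Arrays.fill(first, (byte) 0); // caller wipes the array it now owns
        ka.doPhase(sample);
        byte[] out = new byte[4];
        int n = ka.generateSecret(out, 0);
        System.out.println(n == 4 && out[0] == 1 && first != out);
    }
}
```

Because the field is nulled before the method returns, the caller can wipe the returned array without affecting any later agreement on the same object.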