On Thu, 18 Feb 2021 19:18:26 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> src/java.base/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java
>> line 261:
>>
>>> 259: md5.update(clientRandom);
>>> 260: md5.update(serverRandom);
>>> 261: digest = md5.digest();
>>
>> In other Tls* sources, you call MessageDigest.reset() but not here?
>> Particular reason?
>
> I usually call it when the last updated bytes are sensitive. They will stay
> in the buffer.
Ok
>> src/java.base/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java
>> line 97:
>>
>>> 95: } finally {
>>> 96: Arrays.fill(masterSecret, (byte)0);
>>> 97: }
>>
>> It seems that for other Tls* classes, the Arrays.fill(...) call is still
>> inside each method instead of being moved up a level. Just curious why this
>> is done differently?
>
> The `engineGenerateKey0` method is quite long and I don't want to wrap
> everything in a big try-finally block, so I move it a little higher. Now
> `masterSecret` is still created and cleaned in the same method.
Ok
-------------
PR: https://git.openjdk.java.net/jdk/pull/2070
