The following suggestions were made late in the X25519/X448 code development cycle, and the changes did not make it in time for code review:

1) Ensure that the contract for methods that take array arguments is properly specified and/or checked. For example, IntegerPolynomial::addLimbs and IntegerPolynomial::conditionalSwap take two arrays, but it is neither stated nor checked that these arrays must have the same length.

2) In XDHKeyAgreement::engineGenerateSecret, use secure coding guidelines style to prevent integer overflow in the bounds check. Change:

    if (offset + secretLen > sharedSecret.length) ...

to:

    if (secretLen > sharedSecret.length - offset) ...

Or perhaps Math.addExact can be used here.
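The two suggestions above, illustrated as an added example that is not JDK code: a bounds check in the overflow-prone form next to the subtraction form and the Math.addExact form, plus an addLimbs with its equal-length contract enforced. Class and method names here are hypothetical.

```java
// Added example (not from the JDK source). Demonstrates why the original
// bounds check can be bypassed by overflow and how the two suggested
// rewrites avoid it; also enforces the array-length contract of suggestion 1.
public final class XdhBoundsCheckDemo {

    // Form as originally written: offset + secretLen is computed in int and
    // wraps negative when the true sum exceeds Integer.MAX_VALUE, so the
    // comparison against the buffer length passes for an invalid offset.
    static boolean naiveCheckAccepts(int offset, int secretLen, int bufLen) {
        return !(offset + secretLen > bufLen);
    }

    // Secure-coding-guidelines form: validate the operands first, then the
    // subtraction bufLen - offset cannot overflow (offset is in [0, bufLen]).
    static boolean safeCheckAccepts(int offset, int secretLen, int bufLen) {
        if (offset < 0 || offset > bufLen || secretLen < 0) return false;
        return !(secretLen > bufLen - offset);
    }

    // Math.addExact alternative: overflow raises ArithmeticException instead
    // of silently wrapping, so it can be treated as a rejected request.
    static boolean exactCheckAccepts(int offset, int secretLen, int bufLen) {
        if (offset < 0 || secretLen < 0) return false;
        try {
            return Math.addExact(offset, secretLen) <= bufLen;
        } catch (ArithmeticException e) {
            return false;
        }
    }

    // Suggestion 1: state and enforce that limb arrays have equal length
    // rather than relying on callers to pass matching arrays.
    static void addLimbs(int[] a, int[] b, int[] result) {
        if (a.length != b.length || result.length != a.length) {
            throw new IllegalArgumentException("limb arrays must have equal length");
        }
        for (int i = 0; i < a.length; i++) {
            result[i] = a[i] + b[i];
        }
    }

    public static void main(String[] args) {
        int bufLen = 32, secretLen = 32;
        // Constructed input: offset chosen so offset + secretLen exceeds
        // Integer.MAX_VALUE and wraps to a negative int.
        int offset = Integer.MAX_VALUE - 8;
        System.out.println("naive: " + naiveCheckAccepts(offset, secretLen, bufLen));
        System.out.println("safe:  " + safeCheckAccepts(offset, secretLen, bufLen));
        System.out.println("exact: " + exactCheckAccepts(offset, secretLen, bufLen));
        addLimbs(new int[]{1, 2}, new int[]{3, 4}, new int[2]); // equal lengths pass
    }
}
```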