JDK-8201317 : X25519/X448 code improvements
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 8,11,12
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2018-04-09
  • Updated: 2020-01-13
  • Resolved: 2018-08-29
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 12 JDK 7 JDK 8 Other
11.0.2Fixed 12 b09Fixed 7u231Fixed 8u221Fixed openjdk7uFixed
The following suggestions were made late in the X25519/X448 code development cycle, and the changes did not make it in time for code review:

1) Ensure that the contract for methods that take array arguments is properly specified and/or checked. For example  IntegerPolynomial::addLimbs/conditionalSwap take two arrays, but it is not stated/checked that these arrays must have the same length.

2) In XDHKeyAgreement::engineGenerateSecret, use secure coding guidelines style to prevent overflow. Change:

 if (offset + secretLen > sharedSecret.length) ...
 if (secretLen > sharedSecret.length - offset) ...

Or perhaps Math.addExact can be used here.
8u fix request: Doc changes to IntegerPolynomial.java will apply cleanly as this file is only altered by two other changes, which are also being backported to 8u (JDK-8181594 which introduces the file & JDK-8203228). Overflow fix applied to XDHKeyAgreement.java is not needed as 8u doesn't have XDHKeyAgreement.java, which is part of TLS 1.3 (JDK-8171277)

Taking this one for 8u

Fix Request Backporting this change avoids a simple potential overflow, and also updates the docs. Risk is low. Patch applies cleanly to 11u and passes jdk_security.