8264329: Z cannot be 1 for Diffie-Hellman key agreement
Reviewed-by: wetmore
XueleiFan committed Mar 28, 2021
1 parent a209ed0 commit c986457
Showing 1 changed file with 11 additions and 2 deletions.
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -313,6 +313,15 @@ protected int engineGenerateSecret(byte[] sharedSecret, int offset)
// above, so user can recover w/o losing internal state
generateSecret = false;

// No further process if z <= 1 or z == (p - 1) (See section 5.7.1,
// NIST SP 800-56A Rev 3).
BigInteger z = this.y.modPow(this.x, modulus);
if ((z.compareTo(BigInteger.ONE) <= 0) ||
z.equals(modulus.subtract(BigInteger.ONE))) {
throw new ProviderException(
"Generated secret is out-of-range of (1, p -1)");
}

/*
* NOTE: BigInteger.toByteArray() returns a byte array containing
* the two's-complement representation of this BigInteger with
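Review bot: the message on the `throw` line has inconsistent spacing, "(1, p -1)" should read "(1, p - 1)" to match the comment two lines above it, and "No further process" in that comment should be "No further processing". The check itself is sound for the lines shown: `z.compareTo(BigInteger.ONE) <= 0` rejects both z == 0 and z == 1, and the `z.equals(modulus.subtract(BigInteger.ONE))` branch rejects p - 1 (the element of order 2, since (p - 1)^2 == 1 mod p), so the shared secret is confined to the open interval (1, p - 1) as the cited SP 800-56A Rev 3 section 5.7.1 requires. Since the commit title only says "Z cannot be 1", the rejection of z == 0 and z == p - 1 deserves a sentence in the commit message.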
@@ -327,7 +336,7 @@ protected int engineGenerateSecret(byte[] sharedSecret, int offset)
* exactly expectedLen bytes of magnitude, we strip any extra
* leading 0's, or pad with 0's in case of a "short" secret.
*/
byte[] secret = this.y.modPow(this.x, modulus).toByteArray();
byte[] secret = z.toByteArray();
if (secret.length == expectedLen) {
System.arraycopy(secret, 0, sharedSecret, offset,
secret.length);
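Review bot: reusing `z` here drops the second `modPow` call, and because the range check in the previous hunk throws before this point, `toByteArray()` is now only reached for 1 < z < p - 1. A value in that range can still have fewer than expectedLen significant bytes, so the "short secret" padding described in the comment block above remains reachable and the comment stays accurate; no change needed.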