On Wed, 30 Apr 2025 18:25:35 GMT, Valerie Peng <valer...@openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/ssl/ServerHello.java line 624:
>>
>>> 622:
>>> 623:         SSLKeyDerivation handshakeKD = ke.createKeyDerivation(shc);
>>> 624:         SecretKey handshakeSecret = handshakeKD.deriveKey(
>>
>> It looks like this can be cleared after it is used to derive the key.
>> Similar comment on line 1310.
>
> Well, I am not sure if clearing `handshakeSecret` is ok - this
> `handshakeSecret` is passed to `kd` on line 636 and stored internally without
> cloning. Then `kd` is stored into `shc` which suggests that it may be used
> later. Clearing it will likely cause problems for subsequent key derivations?
> Same goes for line 1310. Is there something that I missed?

Ah, yes you are right.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24393#discussion_r2069307086