GH470: Synchronize access to a shared KeyPairGenerator, which may not…

… be thread-safe. The keyPairGenerator object in the MontgomeryCurve is a bouncycastle implementation of the java.security.KeyPairGenerator class. The generateKeyPair method in class org.bouncycastle.jcajce.provider.asymmetric.edec.KeyPairGeneratorSpi is not thread safe, so calling the keyPairGenerator.generateKeyPair method must be synchronized.
apache · Feb 25, 2024 · a90aa9f · a90aa9f
1 parent 2c62c72
commit a90aa9f
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/sshd-core/src/main/java/org/apache/sshd/common/kex/MontgomeryCurve.java b/sshd-core/src/main/java/org/apache/sshd/common/kex/MontgomeryCurve.java
@@ -153,7 +153,9 @@ public Digest createDigest() {
     }
 
     public KeyPair generateKeyPair() {
-        return keyPairGenerator.generateKeyPair();
+        synchronized (this) {
+            return keyPairGenerator.generateKeyPair();
+        }
     }
 
     public byte[] encode(PublicKey key) throws InvalidKeyException {