changeset 12876:ddae5cb11d6c jdk8u162-b12

Merge
author asaha
date Tue, 19 Dec 2017 15:30:37 -0800
parents 19a5eb7025aa 3befcaf2833f
children d201d8b87f48
files .hgtags
diffstat 2 files changed, 26 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/.hgtags	Fri Dec 15 13:51:10 2017 -0800
+++ b/.hgtags	Tue Dec 19 15:30:37 2017 -0800
@@ -833,6 +833,7 @@
 2c4e596e0cc3281fe976d9a730677c0a15113153 jdk8u161-b09
 3eaad567db074e4d3df7d4088a4a029ef5ad1179 jdk8u161-b10
 8d358ca3cfb813af87aa4bed5a1e7fbb678ea6be jdk8u161-b11
+76f2c555cccab8df114dd6ebb8ed7634c7ce1896 jdk8u161-b12
 e03f9868f7df1e3db537f3b61704658e8a9dafb5 jdk8u162-b00
 538bdf24383954cd2356e39e8081c2cb3ac27281 jdk8u162-b01
 18e0bc77adafd0e5e459e381b6993bb0625b05be jdk8u162-b02
--- a/src/share/classes/sun/security/ssl/HandshakeHash.java	Fri Dec 15 13:51:10 2017 -0800
+++ b/src/share/classes/sun/security/ssl/HandshakeHash.java	Tue Dec 19 15:30:37 2017 -0800
@@ -104,7 +104,29 @@
      * a hash for the certificate verify message is required.
      */
     HandshakeHash(boolean needCertificateVerify) {
-        clonesNeeded = needCertificateVerify ? 3 : 2;
+        // We may rework the code later, but for now we use hard-coded number
+        // of clones if the underlying MessageDigests are not cloneable.
+        //
+        // The number used here is based on the current handshake protocols and
+        // implementation.  It may be changed if the handshake processe gets
+        // changed in the future, for example adding a new extension that
+        // requires handshake hash.  Please be careful about the number of
+        // clones if additional handshak hash is required in the future.
+        //
+        // For the current implementation, the handshake hash is required for
+        // the following items:
+        //     . CertificateVerify handshake message (optional)
+        //     . client Finished handshake message
+        //     . server Finished Handshake message
+        //     . the extended Master Secret extension [RFC 7627]
+        //
+        // Note that a late call to server setNeedClientAuth dose not update
+        // the number of clones.  We may address the issue later.
+        //
+        // Note for safe, we allocate one more clone for the current
+        // implementation.  We may consider it more carefully in the future
+        // for the exactly number or rework the code in a different way.
+        clonesNeeded = needCertificateVerify ? 5 : 4;
     }
 
     void update(byte[] b, int offset, int len) {
@@ -226,7 +248,8 @@
         if (finMD != null) return;
 
         try {
-            finMD = CloneableDigest.getDigest(normalizeAlgName(s), 2);
+            // See comment in the contructor.
+            finMD = CloneableDigest.getDigest(normalizeAlgName(s), 4);
         } catch (NoSuchAlgorithmException e) {
             throw new Error(e);
         }