Merge

76a8c3b3 · asaha · 3acb0f58 · d5abcbc7 · 76a8c3b3 · 76a8c3b3
隐藏空白更改
内联并排

Showing with 26 addition and 2 deletion

.hgtags .hgtags +1 -0

src/share/classes/sun/security/ssl/HandshakeHash.java src/share/classes/sun/security/ssl/HandshakeHash.java +25 -2

未找到文件。
--- a/.hgtags
+++ b/.hgtags
@@ -833,6 +833,7 @@ e7c79f48e83772546a1d35d98101853e2ca17947 jdk8u161-b08
 2c4e596e0cc3281fe976d9a730677c0a15113153 jdk8u161-b09
 3eaad567db074e4d3df7d4088a4a029ef5ad1179 jdk8u161-b10
 8d358ca3cfb813af87aa4bed5a1e7fbb678ea6be jdk8u161-b11
+76f2c555cccab8df114dd6ebb8ed7634c7ce1896 jdk8u161-b12
 e03f9868f7df1e3db537f3b61704658e8a9dafb5 jdk8u162-b00
 538bdf24383954cd2356e39e8081c2cb3ac27281 jdk8u162-b01
 18e0bc77adafd0e5e459e381b6993bb0625b05be jdk8u162-b02

--- a/src/share/classes/sun/security/ssl/HandshakeHash.java
+++ b/src/share/classes/sun/security/ssl/HandshakeHash.java
@@ -104,7 +104,29 @@ final class HandshakeHash {
     * a hash for the certificate verify message is required.
     */
    HandshakeHash(boolean needCertificateVerify) {
-        clonesNeeded = needCertificateVerify ? 3 : 2;
+        // We may rework the code later, but for now we use hard-coded number
+        // of clones if the underlying MessageDigests are not cloneable.
+        //
+        // The number used here is based on the current handshake protocols and
+        // implementation.  It may be changed if the handshake processe gets
+        // changed in the future, for example adding a new extension that
+        // requires handshake hash.  Please be careful about the number of
+        // clones if additional handshak hash is required in the future.
+        //
+        // For the current implementation, the handshake hash is required for
+        // the following items:
+        //     . CertificateVerify handshake message (optional)
+        //     . client Finished handshake message
+        //     . server Finished Handshake message
+        //     . the extended Master Secret extension [RFC 7627]
+        //
+        // Note that a late call to server setNeedClientAuth dose not update
+        // the number of clones.  We may address the issue later.
+        //
+        // Note for safe, we allocate one more clone for the current
+        // implementation.  We may consider it more carefully in the future
+        // for the exactly number or rework the code in a different way.
+        clonesNeeded = needCertificateVerify ? 5 : 4;
    }

    void update(byte[] b, int offset, int len) {
@@ -226,7 +248,8 @@ final class HandshakeHash {
        if (finMD != null) return;

        try {
-            finMD = CloneableDigest.getDigest(normalizeAlgName(s), 2);
+            // See comment in the contructor.
+            finMD = CloneableDigest.getDigest(normalizeAlgName(s), 4);
        } catch (NoSuchAlgorithmException e) {
            throw new Error(e);
        }