Mercurial > hg > openjdk > aarch64-port > jdk
changeset 10988:814e82e7b5af
8074865: General crypto resilience changes
Reviewed-by: mullan, xuelei
line wrap: on
line diff
--- a/src/share/classes/com/sun/crypto/provider/AESCrypt.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/com/sun/crypto/provider/AESCrypt.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,7 +37,7 @@ package com.sun.crypto.provider; import java.security.InvalidKeyException; -import java.util.Arrays; +import java.security.MessageDigest; /** * Rijndael --pronounced Reindaal-- is a symmetric cipher with a 128-bit @@ -88,7 +88,7 @@ key.length + " bytes"); } - if (!Arrays.equals(key, lastKey)) { + if (!MessageDigest.isEqual(key, lastKey)) { // re-generate session key 'sessionK' when cipher key changes makeSessionKey(key); lastKey = key.clone(); // save cipher key
--- a/src/share/classes/com/sun/crypto/provider/CipherCore.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/com/sun/crypto/provider/CipherCore.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -568,7 +568,7 @@ // check key+iv for encryption in GCM mode requireReinit = Arrays.equals(ivBytes, lastEncIv) && - Arrays.equals(keyBytes, lastEncKey); + MessageDigest.isEqual(keyBytes, lastEncKey); if (requireReinit) { throw new InvalidAlgorithmParameterException ("Cannot reuse iv for GCM encryption");
--- a/src/share/classes/com/sun/crypto/provider/DESKey.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/com/sun/crypto/provider/DESKey.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,7 @@ package com.sun.crypto.provider; +import java.security.MessageDigest; import java.security.KeyRep; import java.security.InvalidKeyException; import javax.crypto.SecretKey; @@ -113,7 +114,7 @@ return false; byte[] thatKey = ((SecretKey)obj).getEncoded(); - boolean ret = java.util.Arrays.equals(this.key, thatKey); + boolean ret = MessageDigest.isEqual(this.key, thatKey); java.util.Arrays.fill(thatKey, (byte)0x00); return ret; }
--- a/src/share/classes/com/sun/crypto/provider/DESedeKey.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/com/sun/crypto/provider/DESedeKey.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,7 @@ package com.sun.crypto.provider; +import java.security.MessageDigest; import java.security.KeyRep; import java.security.InvalidKeyException; import javax.crypto.SecretKey; @@ -114,7 +115,7 @@ return false; byte[] thatKey = ((SecretKey)obj).getEncoded(); - boolean ret = java.util.Arrays.equals(this.key, thatKey); + boolean ret = MessageDigest.isEqual(this.key, thatKey); java.util.Arrays.fill(thatKey, (byte)0x00); return ret; }
--- a/src/share/classes/com/sun/crypto/provider/PBEKey.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/com/sun/crypto/provider/PBEKey.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,7 @@ package com.sun.crypto.provider; +import java.security.MessageDigest; import java.security.KeyRep; import java.security.spec.InvalidKeySpecException; import javax.crypto.SecretKey; @@ -107,7 +108,7 @@ return false; byte[] thatEncoded = that.getEncoded(); - boolean ret = java.util.Arrays.equals(this.key, thatEncoded); + boolean ret = MessageDigest.isEqual(this.key, thatEncoded); java.util.Arrays.fill(thatEncoded, (byte)0x00); return ret; }
--- a/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -30,6 +30,7 @@ import java.nio.CharBuffer; import java.nio.charset.Charset; import java.util.Arrays; +import java.security.MessageDigest; import java.security.KeyRep; import java.security.GeneralSecurityException; import java.security.NoSuchAlgorithmException; @@ -152,7 +153,7 @@ SecretKey sk = (SecretKey)obj; return prf.getAlgorithm().equalsIgnoreCase( sk.getAlgorithm()) && - Arrays.equals(password, sk.getEncoded()); + MessageDigest.isEqual(password, sk.getEncoded()); } }; prf.init(macKey); @@ -238,7 +239,7 @@ if (!(that.getFormat().equalsIgnoreCase("RAW"))) return false; byte[] thatEncoded = that.getEncoded(); - boolean ret = Arrays.equals(key, that.getEncoded()); + boolean ret = MessageDigest.isEqual(key, that.getEncoded()); java.util.Arrays.fill(thatEncoded, (byte)0x00); return ret; }
--- a/src/share/classes/java/security/Identity.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/java/security/Identity.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -261,7 +261,7 @@ certificates.addElement(certificate); } - private boolean keyEquals(Key aKey, Key anotherKey) { + private boolean keyEquals(PublicKey aKey, PublicKey anotherKey) { String aKeyFormat = aKey.getFormat(); String anotherKeyFormat = anotherKey.getFormat(); if ((aKeyFormat == null) ^ (anotherKeyFormat == null))
--- a/src/share/classes/java/security/MessageDigest.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/java/security/MessageDigest.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -440,6 +440,10 @@ * @return true if the digests are equal, false otherwise. */ public static boolean isEqual(byte[] digesta, byte[] digestb) { + if (digesta == digestb) return true; + if (digesta == null || digestb == null) { + return false; + } if (digesta.length != digestb.length) { return false; }
--- a/src/share/classes/java/security/Signature.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/java/security/Signature.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1316,7 +1316,7 @@ byte[] out = cipher.doFinal(sigBytes); byte[] dataBytes = data.toByteArray(); data.reset(); - return Arrays.equals(out, dataBytes); + return MessageDigest.isEqual(out, dataBytes); } catch (BadPaddingException e) { // e.g. wrong public key used // return false rather than throwing exception
--- a/src/share/classes/javax/crypto/spec/SecretKeySpec.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/javax/crypto/spec/SecretKeySpec.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,7 @@ package javax.crypto.spec; +import java.security.MessageDigest; import java.security.spec.KeySpec; import javax.crypto.SecretKey; @@ -226,6 +227,6 @@ byte[] thatKey = ((SecretKey)obj).getEncoded(); - return java.util.Arrays.equals(this.key, thatKey); + return MessageDigest.isEqual(this.key, thatKey); } }
--- a/src/share/classes/sun/security/pkcs11/P11Key.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/sun/security/pkcs11/P11Key.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -165,7 +165,7 @@ } else { otherEnc = other.getEncoded(); } - return Arrays.equals(thisEnc, otherEnc); + return MessageDigest.isEqual(thisEnc, otherEnc); } public int hashCode() {
--- a/src/share/classes/sun/security/pkcs11/wrapper/Functions.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/sun/security/pkcs11/wrapper/Functions.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. */ /* Copyright (c) 2002 Graz University of Technology. All rights reserved. @@ -447,22 +447,6 @@ /** * Check the given arrays for equalitiy. This method considers both arrays as * equal, if both are <code>null</code> or both have the same length and - * contain exactly the same byte values. - * - * @param array1 The first array. - * @param array2 The second array. - * @return True, if both arrays are <code>null</code> or both have the same - * length and contain exactly the same byte values. False, otherwise. - * @preconditions - * @postconditions - */ - public static boolean equals(byte[] array1, byte[] array2) { - return Arrays.equals(array1, array2); - } - - /** - * Check the given arrays for equalitiy. This method considers both arrays as - * equal, if both are <code>null</code> or both have the same length and * contain exactly the same char values. * * @param array1 The first array. @@ -472,7 +456,7 @@ * @preconditions * @postconditions */ - public static boolean equals(char[] array1, char[] array2) { + private static boolean equals(char[] array1, char[] array2) { return Arrays.equals(array1, array2); }
--- a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -2012,7 +2012,7 @@ "(MAC algorithm: " + m.getAlgorithm() + ")"); } - if (!Arrays.equals(macData.getDigest(), macResult)) { + if (!MessageDigest.isEqual(macData.getDigest(), macResult)) { throw new SecurityException("Failed PKCS12" + " integrity checking"); }
--- a/src/share/classes/sun/security/rsa/RSASignature.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/sun/security/rsa/RSASignature.java Fri Apr 10 07:23:55 2015 -0700 @@ -27,7 +27,6 @@ import java.io.IOException; import java.nio.ByteBuffer; -import java.util.Arrays; import java.security.*; import java.security.interfaces.*; @@ -194,7 +193,7 @@ byte[] decrypted = RSACore.rsa(sigBytes, publicKey); byte[] unpadded = padding.unpad(decrypted); byte[] decodedDigest = decodeSignature(digestOID, unpadded); - return Arrays.equals(digest, decodedDigest); + return MessageDigest.isEqual(digest, decodedDigest); } catch (javax.crypto.BadPaddingException e) { // occurs if the app has used the wrong RSA public key // or if sigBytes is invalid
--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java Fri Apr 10 07:23:55 2015 -0700 @@ -485,7 +485,7 @@ 0, clientVerifyData.length); System.arraycopy(serverVerifyData, 0, verifyData, clientVerifyData.length, serverVerifyData.length); - if (!Arrays.equals(verifyData, + if (!MessageDigest.isEqual(verifyData, serverHelloRI.getRenegotiatedConnection())) { fatalSE(Alerts.alert_handshake_failure, "Incorrect verify data in ServerHello " +
--- a/src/share/classes/sun/security/ssl/HandshakeMessage.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/sun/security/ssl/HandshakeMessage.java Fri Apr 10 07:23:55 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1907,7 +1907,7 @@ */ boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) { byte[] myFinished = getFinished(handshakeHash, sender, master); - return Arrays.equals(myFinished, verifyData); + return MessageDigest.isEqual(myFinished, verifyData); } /*
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java Wed Apr 22 14:01:01 2015 +0100 +++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java Fri Apr 10 07:23:55 2015 -0700 @@ -413,7 +413,7 @@ } // verify the client_verify_data value - if (!Arrays.equals(clientVerifyData, + if (!MessageDigest.isEqual(clientVerifyData, clientHelloRI.getRenegotiatedConnection())) { fatalSE(Alerts.alert_handshake_failure, "Incorrect verify data in ClientHello " +