Mercurial > hg > release > icedtea7-forest-2.5 > jdk
changeset 8230:ca52af59c969
8074865: General crypto resilience changes
Reviewed-by: mullan, xuelei
line wrap: on
line diff
--- a/src/share/classes/com/sun/crypto/provider/AESCrypt.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/com/sun/crypto/provider/AESCrypt.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,7 +37,7 @@ package com.sun.crypto.provider; import java.security.InvalidKeyException; -import java.util.Arrays; +import java.security.MessageDigest; /** * Rijndael --pronounced Reindaal-- is a symmetric cipher with a 128-bit @@ -88,7 +88,7 @@ key.length + " bytes"); } - if (!Arrays.equals(key, lastKey)) { + if (!MessageDigest.isEqual(key, lastKey)) { // re-generate session key 'sessionK' when cipher key changes makeSessionKey(key); lastKey = key.clone(); // save cipher key
--- a/src/share/classes/com/sun/crypto/provider/CipherCore.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/com/sun/crypto/provider/CipherCore.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2007, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it
--- a/src/share/classes/com/sun/crypto/provider/DESKey.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/com/sun/crypto/provider/DESKey.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,7 @@ package com.sun.crypto.provider; +import java.security.MessageDigest; import java.security.KeyRep; import java.security.InvalidKeyException; import javax.crypto.SecretKey; @@ -113,7 +114,7 @@ return false; byte[] thatKey = ((SecretKey)obj).getEncoded(); - boolean ret = java.util.Arrays.equals(this.key, thatKey); + boolean ret = MessageDigest.isEqual(this.key, thatKey); java.util.Arrays.fill(thatKey, (byte)0x00); return ret; }
--- a/src/share/classes/com/sun/crypto/provider/DESedeKey.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/com/sun/crypto/provider/DESedeKey.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,7 @@ package com.sun.crypto.provider; +import java.security.MessageDigest; import java.security.KeyRep; import java.security.InvalidKeyException; import javax.crypto.SecretKey; @@ -114,7 +115,7 @@ return false; byte[] thatKey = ((SecretKey)obj).getEncoded(); - boolean ret = java.util.Arrays.equals(this.key, thatKey); + boolean ret = MessageDigest.isEqual(this.key, thatKey); java.util.Arrays.fill(thatKey, (byte)0x00); return ret; }
--- a/src/share/classes/com/sun/crypto/provider/PBEKey.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/com/sun/crypto/provider/PBEKey.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,6 +26,7 @@ package com.sun.crypto.provider; import java.io.UnsupportedEncodingException; +import java.security.MessageDigest; import java.security.KeyRep; import java.security.spec.InvalidKeySpecException; import javax.crypto.SecretKey; @@ -108,7 +109,7 @@ return false; byte[] thatEncoded = that.getEncoded(); - boolean ret = java.util.Arrays.equals(this.key, thatEncoded); + boolean ret = MessageDigest.isEqual(this.key, thatEncoded); java.util.Arrays.fill(thatEncoded, (byte)0x00); return ret; }
--- a/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -30,6 +30,7 @@ import java.nio.CharBuffer; import java.nio.charset.Charset; import java.util.Arrays; +import java.security.MessageDigest; import java.security.KeyRep; import java.security.GeneralSecurityException; import java.security.NoSuchAlgorithmException; @@ -157,7 +158,7 @@ SecretKey sk = (SecretKey)obj; return prf.getAlgorithm().equalsIgnoreCase( sk.getAlgorithm()) && - Arrays.equals(password, sk.getEncoded()); + MessageDigest.isEqual(password, sk.getEncoded()); } }; prf.init(macKey); @@ -243,7 +244,7 @@ if (!(that.getFormat().equalsIgnoreCase("RAW"))) return false; byte[] thatEncoded = that.getEncoded(); - boolean ret = Arrays.equals(key, that.getEncoded()); + boolean ret = MessageDigest.isEqual(key, that.getEncoded()); java.util.Arrays.fill(thatEncoded, (byte)0x00); return ret; }
--- a/src/share/classes/java/security/Identity.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/java/security/Identity.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -261,7 +261,7 @@ certificates.addElement(certificate); } - private boolean keyEquals(Key aKey, Key anotherKey) { + private boolean keyEquals(PublicKey aKey, PublicKey anotherKey) { String aKeyFormat = aKey.getFormat(); String anotherKeyFormat = anotherKey.getFormat(); if ((aKeyFormat == null) ^ (anotherKeyFormat == null))
--- a/src/share/classes/java/security/MessageDigest.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/java/security/MessageDigest.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -428,6 +428,10 @@ * @return true if the digests are equal, false otherwise. */ public static boolean isEqual(byte[] digesta, byte[] digestb) { + if (digesta == digestb) return true; + if (digesta == null || digestb == null) { + return false; + } if (digesta.length != digestb.length) { return false; }
--- a/src/share/classes/java/security/Signature.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/java/security/Signature.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1288,7 +1288,7 @@ byte[] out = cipher.doFinal(sigBytes); byte[] dataBytes = data.toByteArray(); data.reset(); - return Arrays.equals(out, dataBytes); + return MessageDigest.isEqual(out, dataBytes); } catch (BadPaddingException e) { // e.g. wrong public key used // return false rather than throwing exception
--- a/src/share/classes/javax/crypto/spec/SecretKeySpec.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/javax/crypto/spec/SecretKeySpec.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2007, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,6 +27,7 @@ import java.io.UnsupportedEncodingException; import java.security.Key; +import java.security.MessageDigest; import java.security.spec.KeySpec; import javax.crypto.SecretKey; @@ -228,6 +229,6 @@ byte[] thatKey = ((SecretKey)obj).getEncoded(); - return java.util.Arrays.equals(this.key, thatKey); + return MessageDigest.isEqual(this.key, thatKey); } }
--- a/src/share/classes/sun/security/pkcs11/P11Key.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/sun/security/pkcs11/P11Key.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -162,7 +162,7 @@ } else { otherEnc = other.getEncoded(); } - return Arrays.equals(thisEnc, otherEnc); + return MessageDigest.isEqual(thisEnc, otherEnc); } public int hashCode() {
--- a/src/share/classes/sun/security/pkcs11/wrapper/Functions.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/sun/security/pkcs11/wrapper/Functions.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. */ /* Copyright (c) 2002 Graz University of Technology. All rights reserved. @@ -447,22 +447,6 @@ /** * Check the given arrays for equalitiy. This method considers both arrays as * equal, if both are <code>null</code> or both have the same length and - * contain exactly the same byte values. - * - * @param array1 The first array. - * @param array2 The second array. - * @return True, if both arrays are <code>null</code> or both have the same - * length and contain exactly the same byte values. False, otherwise. - * @preconditions - * @postconditions - */ - public static boolean equals(byte[] array1, byte[] array2) { - return Arrays.equals(array1, array2); - } - - /** - * Check the given arrays for equalitiy. This method considers both arrays as - * equal, if both are <code>null</code> or both have the same length and * contain exactly the same char values. * * @param array1 The first array. @@ -472,7 +456,7 @@ * @preconditions * @postconditions */ - public static boolean equals(char[] array1, char[] array2) { + private static boolean equals(char[] array1, char[] array2) { return Arrays.equals(array1, array2); }
--- a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java Mon Jul 20 00:25:34 2015 +0100 @@ -1347,7 +1347,7 @@ m.update(authSafeData); byte[] macResult = m.doFinal(); - if (!Arrays.equals(macData.getDigest(), macResult)) { + if (!MessageDigest.isEqual(macData.getDigest(), macResult)) { throw new SecurityException("Failed PKCS12" + " integrity checking"); }
--- a/src/share/classes/sun/security/rsa/RSASignature.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/sun/security/rsa/RSASignature.java Mon Jul 20 00:25:34 2015 +0100 @@ -28,7 +28,6 @@ import java.io.IOException; import java.nio.ByteBuffer; import java.math.BigInteger; -import java.util.Arrays; import java.security.*; import java.security.interfaces.*; @@ -195,7 +194,7 @@ byte[] decrypted = RSACore.rsa(sigBytes, publicKey); byte[] unpadded = padding.unpad(decrypted); byte[] decodedDigest = decodeSignature(digestOID, unpadded); - return Arrays.equals(digest, decodedDigest); + return MessageDigest.isEqual(digest, decodedDigest); } catch (javax.crypto.BadPaddingException e) { // occurs if the app has used the wrong RSA public key // or if sigBytes is invalid
--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java Mon Jul 20 00:25:34 2015 +0100 @@ -486,7 +486,7 @@ 0, clientVerifyData.length); System.arraycopy(serverVerifyData, 0, verifyData, clientVerifyData.length, serverVerifyData.length); - if (!Arrays.equals(verifyData, + if (!MessageDigest.isEqual(verifyData, serverHelloRI.getRenegotiatedConnection())) { fatalSE(Alerts.alert_handshake_failure, "Incorrect verify data in ServerHello " +
--- a/src/share/classes/sun/security/ssl/HandshakeMessage.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/sun/security/ssl/HandshakeMessage.java Mon Jul 20 00:25:34 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1881,7 +1881,7 @@ */ boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) { byte[] myFinished = getFinished(handshakeHash, sender, master); - return Arrays.equals(myFinished, verifyData); + return MessageDigest.isEqual(myFinished, verifyData); } /*
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java Tue Apr 07 14:33:49 2015 +0300 +++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java Mon Jul 20 00:25:34 2015 +0100 @@ -383,7 +383,7 @@ } // verify the client_verify_data value - if (!Arrays.equals(clientVerifyData, + if (!MessageDigest.isEqual(clientVerifyData, clientHelloRI.getRenegotiatedConnection())) { fatalSE(Alerts.alert_handshake_failure, "Incorrect verify data in ClientHello " +