jdk-sandbox: comparison src/java.base/share/classes/sun/security/ssl/HandshakeHash.java

equal deleted inserted replaced

-:92cbbfc996f3
+:56aaa6cb3693
 /*
-* Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
 package sun.security.ssl;
 import java.io.ByteArrayOutputStream;
-import java.security.*;
+import java.io.IOException;
-import java.util.Locale;
 import java.nio.ByteBuffer;
+import java.security.MessageDigest;
-/**
+import java.util.Arrays;
-* Abstraction for the SSL/TLS hash of all handshake messages that is
+import java.util.LinkedList;
-* maintained to verify the integrity of the negotiation. Internally,
+import javax.crypto.SecretKey;
-* it consists of an MD5 and an SHA1 digest. They are used in the client
+import sun.security.util.MessageDigestSpi2;
-* and server finished messages and in certificate verify messages (if sent).
-*
-* This class transparently deals with cloneable and non-cloneable digests.
-*
-* This class now supports TLS 1.2 also. The key difference for TLS 1.2
-* is that you cannot determine the hash algorithms for CertificateVerify
-* at a early stage. On the other hand, it's simpler than TLS 1.1 (and earlier)
-* that there is no messy MD5+SHA1 digests.
-*
-* You need to obey these conventions when using this class:
-*
-* 1. protocolDetermined(version) should be called when the negotiated
-* protocol version is determined.
-*
-* 2. Before protocolDetermined() is called, only update(), and reset()
-* and setFinishedAlg() can be called.
-*
-* 3. After protocolDetermined() is called, reset() cannot be called.
-*
-* 4. After protocolDetermined() is called, if the version is pre-TLS 1.2,
-* getFinishedHash() cannot be called. Otherwise,
-* getMD5Clone() and getSHAClone() cannot be called.
-*
-* 5. getMD5Clone() and getSHAClone() can only be called after
-* protocolDetermined() is called and version is pre-TLS 1.2.
-*
-* 6. getFinishedHash() can only be called after protocolDetermined()
-* and setFinishedAlg() have been called and the version is TLS 1.2.
-*
-* Suggestion: Call protocolDetermined() and setFinishedAlg()
-* as early as possible.
-*
-* Example:
-* <pre>
-* HandshakeHash hh = new HandshakeHash(...)
-* hh.protocolDetermined(ProtocolVersion.TLS12);
-* hh.update(clientHelloBytes);
-* hh.setFinishedAlg("SHA-256");
-* hh.update(serverHelloBytes);
-* ...
-* hh.update(CertificateVerifyBytes);
-* ...
-* hh.update(finished1);
-* byte[] finDigest1 = hh.getFinishedHash();
-* hh.update(finished2);
-* byte[] finDigest2 = hh.getFinishedHash();
-* </pre>
-*/
 final class HandshakeHash {
+private TranscriptHash transcriptHash;
-// Common
+private LinkedList<byte[]> reserves;    // one handshake message per entry
+private boolean hasBeenUsed;
-// -1:  unknown
-//  1:  <=TLS 1.1
+HandshakeHash() {
-//  2:  TLS 1.2
+this.transcriptHash = new CacheOnlyHash();
-private int version = -1;
+this.reserves = new LinkedList<>();
-private ByteArrayOutputStream data = new ByteArrayOutputStream();
+this.hasBeenUsed = false;
+}
-// For TLS 1.1
-private MessageDigest md5, sha;
+// fix the negotiated protocol version and cipher suite
-private final int clonesNeeded;    // needs to be saved for later use
+void determine(ProtocolVersion protocolVersion,
+CipherSuite cipherSuite) {
-// For TLS 1.2
+if (!(transcriptHash instanceof CacheOnlyHash)) {
-private MessageDigest finMD;
+throw new IllegalStateException(
+"Not expected instance of transcript hash");
-// Cache for input record handshake hash computation
+}
-private ByteArrayOutputStream reserve = new ByteArrayOutputStream();
+CacheOnlyHash coh = (CacheOnlyHash)transcriptHash;
-/**
+if (protocolVersion.useTLS13PlusSpec()) {
-* Create a new HandshakeHash. needCertificateVerify indicates whether
+transcriptHash = new T13HandshakeHash(cipherSuite);
-* a hash for the certificate verify message is required.
+} else if (protocolVersion.useTLS12PlusSpec()) {
-*/
+transcriptHash = new T12HandshakeHash(cipherSuite);
-HandshakeHash(boolean needCertificateVerify) {
+} else if (protocolVersion.useTLS10PlusSpec()) {
-// We may rework the code later, but for now we use hard-coded number
+transcriptHash = new T10HandshakeHash(cipherSuite);
-// of clones if the underlying MessageDigests are not cloneable.
+} else {
-//
+transcriptHash = new S30HandshakeHash(cipherSuite);
-// The number used here is based on the current handshake protocols and
+}
-// implementation.  It may be changed if the handshake processe gets
-// changed in the future, for example adding a new extension that
+byte[] reserved = coh.baos.toByteArray();
-// requires handshake hash.  Please be careful about the number of
+if (reserved.length != 0) {
-// clones if additional handshak hash is required in the future.
+transcriptHash.update(reserved, 0, reserved.length);
-//
+}
-// For the current implementation, the handshake hash is required for
+}
-// the following items:
-//     . CertificateVerify handshake message (optional)
+HandshakeHash copy() {
-//     . client Finished handshake message
+if (transcriptHash instanceof CacheOnlyHash) {
-//     . server Finished Handshake message
+HandshakeHash result = new HandshakeHash();
-//     . the extended Master Secret extension [RFC 7627]
+result.transcriptHash = ((CacheOnlyHash)transcriptHash).copy();
-//
+result.reserves = new LinkedList<>(reserves);
-// Note that a late call to server setNeedClientAuth dose not update
+result.hasBeenUsed = hasBeenUsed;
-// the number of clones.  We may address the issue later.
+return result;
-//
+} else {
-// Note for safety, we allocate one more clone for the current
+throw new IllegalStateException("Hash does not support copying");
-// implementation.  We may consider it more carefully in the future
+}
-// for the exact number or rework the code in a different way.
+}
-clonesNeeded = needCertificateVerify ? 5 : 4;
-}
+void receive(byte[] input) {
+reserves.add(Arrays.copyOf(input, input.length));
-void reserve(ByteBuffer input) {
+}
+void receive(byte[] input, int offset, int length) {
+reserves.add(Arrays.copyOfRange(input, offset, offset + length));
+}
+void receive(ByteBuffer input, int length) {
 if (input.hasArray()) {
-reserve.write(input.array(),
+int from = input.position() + input.arrayOffset();
+int to = from + length;
+reserves.add(Arrays.copyOfRange(input.array(), from, to));
+} else {
+int inPos = input.position();
+byte[] holder = new byte[length];
+input.get(holder);
+input.position(inPos);
+reserves.add(Arrays.copyOf(holder, holder.length));
+}
+}
+void receive(ByteBuffer input) {
+receive(input, input.remaining());
+}
+// For HelloRetryRequest only! Please use this method very carefully!
+void push(byte[] input) {
+reserves.push(Arrays.copyOf(input, input.length));
+}
+// For PreSharedKey to modify the state of the PSK binder hash
+byte[] removeLastReceived() {
+return reserves.removeLast();
+}
+void deliver(byte[] input) {
+update();
+transcriptHash.update(input, 0, input.length);
+}
+void deliver(byte[] input, int offset, int length) {
+update();
+transcriptHash.update(input, offset, length);
+}
+void deliver(ByteBuffer input) {
+update();
+if (input.hasArray()) {
+transcriptHash.update(input.array(),
 input.position() + input.arrayOffset(), input.remaining());
 } else {
 int inPos = input.position();
 byte[] holder = new byte[input.remaining()];
 input.get(holder);
 input.position(inPos);
-reserve.write(holder, 0, holder.length);
+transcriptHash.update(holder, 0, holder.length);
 }
 }
-void reserve(byte[] b, int offset, int len) {
+// Use one handshake message if it has not been used.
-reserve.write(b, offset, len);
+void utilize() {
-}
+if (hasBeenUsed) {
+return;
-void reload() {
+}
-if (reserve.size() != 0) {
+if (reserves.size() != 0) {
-byte[] bytes = reserve.toByteArray();
+byte[] holder = reserves.remove();
-reserve.reset();
+transcriptHash.update(holder, 0, holder.length);
-update(bytes, 0, bytes.length);
+hasBeenUsed = true;
 }
 }
-void update(ByteBuffer input) {
+// Consume one handshake message if it has not been consumed.
+void consume() {
-// reload if there are reserved messages.
+if (hasBeenUsed) {
-reload();
+hasBeenUsed = false;
+return;
-int inPos = input.position();
+}
-switch (version) {
+if (reserves.size() != 0) {
-case 1:
+byte[] holder = reserves.remove();
-md5.update(input);
+transcriptHash.update(holder, 0, holder.length);
-input.position(inPos);
+}
+}
-sha.update(input);
-input.position(inPos);
+void update() {
+while (reserves.size() != 0) {
-break;
+byte[] holder = reserves.remove();
-default:
+transcriptHash.update(holder, 0, holder.length);
-if (finMD != null) {
+}
-finMD.update(input);
+hasBeenUsed = false;
-input.position(inPos);
+}
+byte[] digest() {
+// Note that the reserve handshake message may be not a part of
+// the expected digest.
+return transcriptHash.digest();
+}
+void finish() {
+this.transcriptHash = new CacheOnlyHash();
+this.reserves = new LinkedList<>();
+this.hasBeenUsed = false;
+}
+// Optional
+byte[] archived() {
+// Note that the reserve handshake message may be not a part of
+// the expected digest.
+return transcriptHash.archived();
+}
+// Optional, TLS 1.0/1.1 only
+byte[] digest(String algorithm) {
+T10HandshakeHash hh = (T10HandshakeHash)transcriptHash;
+return hh.digest(algorithm);
+}
+// Optional, SSL 3.0 only
+byte[] digest(String algorithm, SecretKey masterSecret) {
+S30HandshakeHash hh = (S30HandshakeHash)transcriptHash;
+return hh.digest(algorithm, masterSecret);
+}
+// Optional, SSL 3.0 only
+byte[] digest(boolean useClientLabel, SecretKey masterSecret) {
+S30HandshakeHash hh = (S30HandshakeHash)transcriptHash;
+return hh.digest(useClientLabel, masterSecret);
+}
+public boolean isHashable(byte handshakeType) {
+return handshakeType != SSLHandshake.HELLO_REQUEST.id &&
+handshakeType != SSLHandshake.HELLO_VERIFY_REQUEST.id;
+}
+interface TranscriptHash {
+void update(byte[] input, int offset, int length);
+byte[] digest();
+byte[] archived();  // optional
+}
+// For cache only.
+private static final class CacheOnlyHash implements TranscriptHash {
+private final ByteArrayOutputStream baos;
+CacheOnlyHash() {
+this.baos = new ByteArrayOutputStream();
+}
+@Override
+public void update(byte[] input, int offset, int length) {
+baos.write(input, offset, length);
+}
+@Override
+public byte[] digest() {
+throw new IllegalStateException(
+"Not expected call to handshake hash digest");
+}
+@Override
+public byte[] archived() {
+return baos.toByteArray();
+}
+CacheOnlyHash copy() {
+CacheOnlyHash result = new CacheOnlyHash();
+try {
+baos.writeTo(result.baos);
+} catch (IOException ex) {
+throw new RuntimeException("unable to to clone hash state");
+}
+return result;
+}
+}
+static final class S30HandshakeHash implements TranscriptHash {
+static final byte[] MD5_pad1 = genPad(0x36, 48);
+static final byte[] MD5_pad2 = genPad(0x5c, 48);
+static final byte[] SHA_pad1 = genPad(0x36, 40);
+static final byte[] SHA_pad2 = genPad(0x5c, 40);
+private static final byte[] SSL_CLIENT = { 0x43, 0x4C, 0x4E, 0x54 };
+private static final byte[] SSL_SERVER = { 0x53, 0x52, 0x56, 0x52 };
+private final MessageDigest mdMD5;
+private final MessageDigest mdSHA;
+private final TranscriptHash md5;
+private final TranscriptHash sha;
+private final ByteArrayOutputStream baos;
+S30HandshakeHash(CipherSuite cipherSuite) {
+this.mdMD5 = JsseJce.getMessageDigest("MD5");
+this.mdSHA = JsseJce.getMessageDigest("SHA");
+boolean hasArchived = false;
+if (mdMD5 instanceof Cloneable) {
+md5 = new CloneableHash(mdMD5);
+} else {
+hasArchived = true;
+md5 = new NonCloneableHash(mdMD5);
+}
+if (mdSHA instanceof Cloneable) {
+sha = new CloneableHash(mdSHA);
+} else {
+hasArchived = true;
+sha = new NonCloneableHash(mdSHA);
+}
+if (hasArchived) {
+this.baos = null;
+} else {
+this.baos = new ByteArrayOutputStream();
+}
+}
+@Override
+public void update(byte[] input, int offset, int length) {
+md5.update(input, offset, length);
+sha.update(input, offset, length);
+if (baos != null) {
+baos.write(input, offset, length);
+}
+}
+@Override
+public byte[] digest() {
+byte[] digest = new byte[36];
+System.arraycopy(md5.digest(), 0, digest, 0, 16);
+System.arraycopy(sha.digest(), 0, digest, 16, 20);
+return digest;
+}
+@Override
+public byte[] archived() {
+if (baos != null) {
+return baos.toByteArray();
+} else if (md5 instanceof NonCloneableHash) {
+return md5.archived();
+} else {
+return sha.archived();
+}
+}
+byte[] digest(boolean useClientLabel, SecretKey masterSecret) {
+MessageDigest md5Clone = cloneMd5();
+MessageDigest shaClone = cloneSha();
+if (useClientLabel) {
+md5Clone.update(SSL_CLIENT);
+shaClone.update(SSL_CLIENT);
+} else {
+md5Clone.update(SSL_SERVER);
+shaClone.update(SSL_SERVER);
+}
+updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterSecret);
+updateDigest(shaClone, SHA_pad1, SHA_pad2, masterSecret);
+byte[] digest = new byte[36];
+System.arraycopy(md5Clone.digest(), 0, digest, 0, 16);
+System.arraycopy(shaClone.digest(), 0, digest, 16, 20);
+return digest;
+}
+byte[] digest(String algorithm, SecretKey masterSecret) {
+if ("RSA".equalsIgnoreCase(algorithm)) {
+MessageDigest md5Clone = cloneMd5();
+MessageDigest shaClone = cloneSha();
+updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterSecret);
+updateDigest(shaClone, SHA_pad1, SHA_pad2, masterSecret);
+byte[] digest = new byte[36];
+System.arraycopy(md5Clone.digest(), 0, digest, 0, 16);
+System.arraycopy(shaClone.digest(), 0, digest, 16, 20);
+return digest;
+} else {
+MessageDigest shaClone = cloneSha();
+updateDigest(shaClone, SHA_pad1, SHA_pad2, masterSecret);
+return shaClone.digest();
+}
+}
+private static byte[] genPad(int b, int count) {
+byte[] padding = new byte[count];
+Arrays.fill(padding, (byte)b);
+return padding;
+}
+private MessageDigest cloneMd5() {
+MessageDigest md5Clone;
+if (mdMD5 instanceof Cloneable) {
+try {
+md5Clone = (MessageDigest)mdMD5.clone();
+} catch (CloneNotSupportedException ex) {   // unlikely
+throw new RuntimeException(
+"MessageDigest does no support clone operation");
 }
-if (input.hasArray()) {
+} else {
-data.write(input.array(),
+md5Clone = JsseJce.getMessageDigest("MD5");
-inPos + input.arrayOffset(), input.remaining());
+md5Clone.update(md5.archived());
+}
+return md5Clone;
+}
+private MessageDigest cloneSha() {
+MessageDigest shaClone;
+if (mdSHA instanceof Cloneable) {
+try {
+shaClone = (MessageDigest)mdSHA.clone();
+} catch (CloneNotSupportedException ex) {   // unlikely
+throw new RuntimeException(
+"MessageDigest does no support clone operation");
+}
+} else {
+shaClone = JsseJce.getMessageDigest("SHA");
+shaClone.update(sha.archived());
+}
+return shaClone;
+}
+private static void updateDigest(MessageDigest md,
+byte[] pad1, byte[] pad2, SecretKey masterSecret) {
+byte[] keyBytes = "RAW".equals(masterSecret.getFormat())
+? masterSecret.getEncoded() : null;
+if (keyBytes != null) {
+md.update(keyBytes);
+} else {
+digestKey(md, masterSecret);
+}
+md.update(pad1);
+byte[] temp = md.digest();
+if (keyBytes != null) {
+md.update(keyBytes);
+} else {
+digestKey(md, masterSecret);
+}
+md.update(pad2);
+md.update(temp);
+}
+private static void digestKey(MessageDigest md, SecretKey key) {
+try {
+if (md instanceof MessageDigestSpi2) {
+((MessageDigestSpi2)md).engineUpdate(key);
 } else {
-byte[] holder = new byte[input.remaining()];
+throw new Exception(
-input.get(holder);
+"Digest does not support implUpdate(SecretKey)");
-input.position(inPos);
-data.write(holder, 0, holder.length);
 }
-break;
+} catch (Exception e) {
-}
+throw new RuntimeException(
-}
+"Could not obtain encoded key and "
++ "MessageDigest cannot digest key", e);
-void update(byte handshakeType, byte[] handshakeBody) {
+}
+}
-// reload if there are reserved messages.
+}
-reload();
+// TLS 1.0 and TLS 1.1
-switch (version) {
+static final class T10HandshakeHash implements TranscriptHash {
-case 1:
+private final TranscriptHash md5;
-md5.update(handshakeType);
+private final TranscriptHash sha;
-sha.update(handshakeType);
+private final ByteArrayOutputStream baos;
-md5.update((byte)((handshakeBody.length >> 16) & 0xFF));
+T10HandshakeHash(CipherSuite cipherSuite) {
-sha.update((byte)((handshakeBody.length >> 16) & 0xFF));
+MessageDigest mdMD5 = JsseJce.getMessageDigest("MD5");
-md5.update((byte)((handshakeBody.length >> 8) & 0xFF));
+MessageDigest mdSHA = JsseJce.getMessageDigest("SHA");
-sha.update((byte)((handshakeBody.length >> 8) & 0xFF));
-md5.update((byte)(handshakeBody.length & 0xFF));
+boolean hasArchived = false;
-sha.update((byte)(handshakeBody.length & 0xFF));
+if (mdMD5 instanceof Cloneable) {
+md5 = new CloneableHash(mdMD5);
-md5.update(handshakeBody);
+} else {
-sha.update(handshakeBody);
+hasArchived = true;
-break;
+md5 = new NonCloneableHash(mdMD5);
-default:
+}
-if (finMD != null) {
+if (mdSHA instanceof Cloneable) {
-finMD.update(handshakeType);
+sha = new CloneableHash(mdSHA);
-finMD.update((byte)((handshakeBody.length >> 16) & 0xFF));
+} else {
-finMD.update((byte)((handshakeBody.length >> 8) & 0xFF));
+hasArchived = true;
-finMD.update((byte)(handshakeBody.length & 0xFF));
+sha = new NonCloneableHash(mdSHA);
-finMD.update(handshakeBody);
+}
-}
-data.write(handshakeType);
+if (hasArchived) {
-data.write((byte)((handshakeBody.length >> 16) & 0xFF));
+this.baos = null;
-data.write((byte)((handshakeBody.length >> 8) & 0xFF));
+} else {
-data.write((byte)(handshakeBody.length & 0xFF));
+this.baos = new ByteArrayOutputStream();
-data.write(handshakeBody, 0, handshakeBody.length);
+}
-break;
+}
-}
-}
+@Override
+public void update(byte[] input, int offset, int length) {
-void update(byte[] b, int offset, int len) {
+md5.update(input, offset, length);
+sha.update(input, offset, length);
-// reload if there are reserved messages.
+if (baos != null) {
-reload();
+baos.write(input, offset, length);
+}
-switch (version) {
+}
-case 1:
-md5.update(b, offset, len);
+@Override
-sha.update(b, offset, len);
+public byte[] digest() {
-break;
+byte[] digest = new byte[36];
-default:
+System.arraycopy(md5.digest(), 0, digest, 0, 16);
-if (finMD != null) {
+System.arraycopy(sha.digest(), 0, digest, 16, 20);
-finMD.update(b, offset, len);
-}
+return digest;
-data.write(b, offset, len);
+}
-break;
-}
+byte[] digest(String algorithm) {
-}
+if ("RSA".equalsIgnoreCase(algorithm)) {
+return digest();
-/**
+} else {
-* Reset the remaining digests. Note this does *not* reset the number of
+return sha.digest();
-* digest clones that can be obtained. Digests that have already been
+}
-* cloned and are gone remain gone.
+}
-*/
-void reset() {
+@Override
-if (version != -1) {
+public byte[] archived() {
-throw new RuntimeException(
+if (baos != null) {
-"reset() can be only be called before protocolDetermined");
+return baos.toByteArray();
-}
+} else if (md5 instanceof NonCloneableHash) {
-data.reset();
+return md5.archived();
-}
+} else {
+return sha.archived();
+}
-void protocolDetermined(ProtocolVersion pv) {
+}
+}
-// Do not set again, will ignore
-if (version != -1) {
+static final class T12HandshakeHash implements TranscriptHash {
-return;
+private final TranscriptHash transcriptHash;
-}
+private final ByteArrayOutputStream baos;
-if (pv.maybeDTLSProtocol()) {
+T12HandshakeHash(CipherSuite cipherSuite) {
-version = pv.compareTo(ProtocolVersion.DTLS12) >= 0 ? 2 : 1;
+MessageDigest md =
-} else {
+JsseJce.getMessageDigest(cipherSuite.hashAlg.name);
-version = pv.compareTo(ProtocolVersion.TLS12) >= 0 ? 2 : 1;
+if (md instanceof Cloneable) {
-}
+transcriptHash = new CloneableHash(md);
-switch (version) {
+this.baos = null;
-case 1:
+} else {
-// initiate md5, sha and call update on saved array
+transcriptHash = new NonCloneableHash(md);
-try {
+this.baos = new ByteArrayOutputStream();
-md5 = CloneableDigest.getDigest("MD5", clonesNeeded);
+}
-sha = CloneableDigest.getDigest("SHA", clonesNeeded);
+}
-} catch (NoSuchAlgorithmException e) {
-throw new RuntimeException
+@Override
-("Algorithm MD5 or SHA not available", e);
+public void update(byte[] input, int offset, int length) {
-}
+transcriptHash.update(input, offset, length);
-byte[] bytes = data.toByteArray();
+if (baos != null) {
-update(bytes, 0, bytes.length);
+baos.write(input, offset, length);
-break;
+}
-case 2:
+}
-break;
-}
+@Override
-}
+public byte[] digest() {
+return transcriptHash.digest();
-/////////////////////////////////////////////////////////////
+}
-// Below are old methods for pre-TLS 1.1
-/////////////////////////////////////////////////////////////
+@Override
+public byte[] archived() {
-/**
+if (baos != null) {
-* Return a new MD5 digest updated with all data hashed so far.
+return baos.toByteArray();
-*/
+} else {
-MessageDigest getMD5Clone() {
+return transcriptHash.archived();
-if (version != 1) {
+}
-throw new RuntimeException(
+}
-"getMD5Clone() can be only be called for TLS 1.1");
+}
-}
-return cloneDigest(md5);
+static final class T13HandshakeHash implements TranscriptHash {
-}
+private final TranscriptHash transcriptHash;
+private final ByteArrayOutputStream baos;
-/**
-* Return a new SHA digest updated with all data hashed so far.
+T13HandshakeHash(CipherSuite cipherSuite) {
-*/
+MessageDigest md =
-MessageDigest getSHAClone() {
+JsseJce.getMessageDigest(cipherSuite.hashAlg.name);
-if (version != 1) {
+if (md instanceof Cloneable) {
-throw new RuntimeException(
+transcriptHash = new CloneableHash(md);
-"getSHAClone() can be only be called for TLS 1.1");
+this.baos = null;
-}
+} else {
-return cloneDigest(sha);
+transcriptHash = new NonCloneableHash(md);
-}
+this.baos = new ByteArrayOutputStream();
+}
-private static MessageDigest cloneDigest(MessageDigest digest) {
+}
-try {
-return (MessageDigest)digest.clone();
+@Override
-} catch (CloneNotSupportedException e) {
+public void update(byte[] input, int offset, int length) {
-// cannot occur for digests generated via CloneableDigest
+transcriptHash.update(input, offset, length);
-throw new RuntimeException("Could not clone digest", e);
+if (baos != null) {
-}
+baos.write(input, offset, length);
 }
+}
-/////////////////////////////////////////////////////////////
-// Below are new methods for TLS 1.2
+@Override
-/////////////////////////////////////////////////////////////
+public byte[] digest() {
+return transcriptHash.digest();
-private static String normalizeAlgName(String alg) {
+}
-alg = alg.toUpperCase(Locale.US);
-if (alg.startsWith("SHA")) {
+@Override
-if (alg.length() == 3) {
+public byte[] archived() {
-return "SHA-1";
+if (baos != null) {
-}
+return baos.toByteArray();
-if (alg.charAt(3) != '-') {
+} else {
-return "SHA-" + alg.substring(3);
+return transcriptHash.archived();
 }
-}
-return alg;
+// throw new UnsupportedOperationException("Not supported yet.");
 }
-/**
+}
-* Specifies the hash algorithm used in Finished. This should be called
-* based in info in ServerHello.
+static final class CloneableHash implements TranscriptHash {
-* Can be called multiple times.
+private final MessageDigest md;
-*/
-void setFinishedAlg(String s) {
+CloneableHash(MessageDigest md) {
-if (s == null) {
+this.md = md;
-throw new RuntimeException(
+}
-"setFinishedAlg's argument cannot be null");
-}
+@Override
+public void update(byte[] input, int offset, int length) {
-// Can be called multiple times, but only set once
+md.update(input, offset, length);
-if (finMD != null) return;
+}
-try {
+@Override
-// See comment in the contructor.
+public byte[] digest() {
-finMD = CloneableDigest.getDigest(normalizeAlgName(s), 4);
+try {
-} catch (NoSuchAlgorithmException e) {
+return ((MessageDigest)md.clone()).digest();
-throw new Error(e);
+} catch (CloneNotSupportedException ex) {
-}
+// unlikely
-finMD.update(data.toByteArray());
+return new byte[0];
 }
+}
-byte[] getAllHandshakeMessages() {
-return data.toByteArray();
+@Override
-}
+public byte[] archived() {
+throw new UnsupportedOperationException("Not supported yet.");
-/**
+}
-* Calculates the hash in Finished. Must be called after setFinishedAlg().
+}
-* This method can be called twice, for Finished messages of the server
-* side and client side respectively.
+static final class NonCloneableHash implements TranscriptHash {
-*/
+private final MessageDigest md;
-byte[] getFinishedHash() {
+private final ByteArrayOutputStream baos = new ByteArrayOutputStream();
-try {
-return cloneDigest(finMD).digest();
+NonCloneableHash(MessageDigest md) {
-} catch (Exception e) {
+this.md = md;
-throw new Error("Error during hash calculation", e);
+}
+@Override
+public void update(byte[] input, int offset, int length) {
+baos.write(input, offset, length);
+}
+@Override
+public byte[] digest() {
+byte[] bytes = baos.toByteArray();
+md.reset();
+return md.digest(bytes);
+}
+@Override
+public byte[] archived() {
+return baos.toByteArray();
 }
 }
 }
-/**
-* A wrapper for MessageDigests that simulates cloning of non-cloneable
-* digests. It uses the standard MessageDigest API and therefore can be used
-* transparently in place of a regular digest.
-*
-* Note that we extend the MessageDigest class directly rather than
-* MessageDigestSpi. This works because MessageDigest was originally designed
-* this way in the JDK 1.1 days which allows us to avoid creating an internal
-* provider.
-*
-* It can be "cloned" a limited number of times, which is specified at
-* construction time. This is achieved by internally maintaining n digests
-* in parallel. Consequently, it is only 1/n-th times as fast as the original
-* digest.
-*
-* Example:
-*   MessageDigest md = CloneableDigest.getDigest("SHA", 2);
-*   md.update(data1);
-*   MessageDigest md2 = (MessageDigest)md.clone();
-*   md2.update(data2);
-*   byte[] d1 = md2.digest(); // digest of data1 || data2
-*   md.update(data3);
-*   byte[] d2 = md.digest();  // digest of data1 || data3
-*
-* This class is not thread safe.
-*
-*/
-final class CloneableDigest extends MessageDigest implements Cloneable {
-/**
-* The individual MessageDigests. Initially, all elements are non-null.
-* When clone() is called, the non-null element with the maximum index is
-* returned and the array element set to null.
-*
-* All non-null element are always in the same state.
-*/
-private final MessageDigest[] digests;
-private CloneableDigest(MessageDigest digest, int n, String algorithm)
-throws NoSuchAlgorithmException {
-super(algorithm);
-digests = new MessageDigest[n];
-digests[0] = digest;
-for (int i = 1; i < n; i++) {
-digests[i] = JsseJce.getMessageDigest(algorithm);
-}
-}
-/**
-* Return a MessageDigest for the given algorithm that can be cloned the
-* specified number of times. If the default implementation supports
-* cloning, it is returned. Otherwise, an instance of this class is
-* returned.
-*/
-static MessageDigest getDigest(String algorithm, int n)
-throws NoSuchAlgorithmException {
-MessageDigest digest = JsseJce.getMessageDigest(algorithm);
-try {
-digest.clone();
-// already cloneable, use it
-return digest;
-} catch (CloneNotSupportedException e) {
-return new CloneableDigest(digest, n, algorithm);
-}
-}
-/**
-* Check if this object is still usable. If it has already been cloned the
-* maximum number of times, there are no digests left and this object can no
-* longer be used.
-*/
-private void checkState() {
-// XXX handshaking currently doesn't stop updating hashes...
-// if (digests[0] == null) {
-//     throw new IllegalStateException("no digests left");
-// }
-}
-@Override
-protected int engineGetDigestLength() {
-checkState();
-return digests[0].getDigestLength();
-}
-@Override
-protected void engineUpdate(byte b) {
-checkState();
-for (int i = 0; (i < digests.length) && (digests[i] != null); i++) {
-digests[i].update(b);
-}
-}
-@Override
-protected void engineUpdate(byte[] b, int offset, int len) {
-checkState();
-for (int i = 0; (i < digests.length) && (digests[i] != null); i++) {
-digests[i].update(b, offset, len);
-}
-}
-@Override
-protected byte[] engineDigest() {
-checkState();
-byte[] digest = digests[0].digest();
-digestReset();
-return digest;
-}
-@Override
-protected int engineDigest(byte[] buf, int offset, int len)
-throws DigestException {
-checkState();
-int n = digests[0].digest(buf, offset, len);
-digestReset();
-return n;
-}
-/**
-* Reset all digests after a digest() call. digests[0] has already been
-* implicitly reset by the digest() call and does not need to be reset
-* again.
-*/
-private void digestReset() {
-for (int i = 1; (i < digests.length) && (digests[i] != null); i++) {
-digests[i].reset();
-}
-}
-@Override
-protected void engineReset() {
-checkState();
-for (int i = 0; (i < digests.length) && (digests[i] != null); i++) {
-digests[i].reset();
-}
-}
-@Override
-public Object clone() {
-checkState();
-for (int i = digests.length - 1; i >= 0; i--) {
-if (digests[i] != null) {
-MessageDigest digest = digests[i];
-digests[i] = null;
-return digest;
-}
-}
-// cannot occur
-throw new InternalError();
-}
-}

branch	JDK-8145252-TLS13-branch
changeset 56542	56aaa6cb3693
parent 48358	38493aecb3d1
child 56646	e57205a6e4ee