# HG changeset patch
# User xuelei
# Date 1513835498 0
# Node ID 38493aecb3d1bdbc1cb91b207e767dfaf7724e97
# Parent  63fb11c1550d070a58a1aaecb13a2e0ea5fd0e40
8193683: Increase the number of clones in the CloneableDigest
Reviewed-by: coffeys, wetmore

diff -r 63fb11c1550d -r 38493aecb3d1 src/java.base/share/classes/sun/security/ssl/HandshakeHash.java
--- a/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java	Wed Dec 20 22:36:21 2017 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java	Thu Dec 21 05:51:38 2017 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -108,7 +108,29 @@
      * a hash for the certificate verify message is required.
      */
     HandshakeHash(boolean needCertificateVerify) {
-        clonesNeeded = needCertificateVerify ? 4 : 3;
+        // We may rework the code later, but for now we use hard-coded number
+        // of clones if the underlying MessageDigests are not cloneable.
+        //
+        // The number used here is based on the current handshake protocols and
+        // implementation.  It may be changed if the handshake processe gets
+        // changed in the future, for example adding a new extension that
+        // requires handshake hash.  Please be careful about the number of
+        // clones if additional handshak hash is required in the future.
+        //
+        // For the current implementation, the handshake hash is required for
+        // the following items:
+        //     . CertificateVerify handshake message (optional)
+        //     . client Finished handshake message
+        //     . server Finished Handshake message
+        //     . the extended Master Secret extension [RFC 7627]
+        //
+        // Note that a late call to server setNeedClientAuth dose not update
+        // the number of clones.  We may address the issue later.
+        //
+        // Note for safety, we allocate one more clone for the current
+        // implementation.  We may consider it more carefully in the future
+        // for the exact number or rework the code in a different way.
+        clonesNeeded = needCertificateVerify ? 5 : 4;
     }
 
     void reserve(ByteBuffer input) {
@@ -335,7 +357,8 @@
         if (finMD != null) return;
 
         try {
-            finMD = CloneableDigest.getDigest(normalizeAlgName(s), 2);
+            // See comment in the contructor.
+            finMD = CloneableDigest.getDigest(normalizeAlgName(s), 4);
         } catch (NoSuchAlgorithmException e) {
             throw new Error(e);
         }