8269618: Better session identification

Reviewed-by: jnimeh, rhalade, ahgross

src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java

@@ -208,7 +208,7 @@ abstract class HelloCookieManager {
             byte[] target = md.digest(secret);      // 32 bytes
             target[0] = cookie[0];
 
-            return Arrays.equals(target, cookie);
+            return MessageDigest.isEqual(target, cookie);
         }
     }
 
@@ -361,7 +361,7 @@ abstract class HelloCookieManager {
             md.update(headerBytes);
             byte[] headerCookie = md.digest(secret);
 
-            if (!Arrays.equals(headerCookie, prevHeadCookie)) {
+            if (!MessageDigest.isEqual(headerCookie, prevHeadCookie)) {
                 return false;
             }
 

src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java

@@ -31,7 +31,6 @@ import java.text.MessageFormat;
 import java.util.List;
 import java.util.ArrayList;
 import java.util.Locale;
-import java.util.Arrays;
 import java.util.Collection;
 import javax.crypto.Mac;
 import javax.crypto.SecretKey;
@@ -569,7 +568,7 @@ final class PreSharedKeyExtension {
         SecretKey binderKey = deriveBinderKey(shc, psk, session);
         byte[] computedBinder =
                 computeBinder(shc, binderKey, session, pskBinderHash);
-        if (!Arrays.equals(binder, computedBinder)) {
+        if (!MessageDigest.isEqual(binder, computedBinder)) {
             throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Incorect PSK binder value");
         }

src/java.base/share/classes/sun/security/ssl/RandomCookie.java

@@ -25,10 +25,12 @@
 
 package sun.security.ssl;
 
+import sun.security.util.ByteArrays;
+
 import java.io.*;
 import java.nio.ByteBuffer;
+import java.security.MessageDigest;
 import java.security.SecureRandom;
-import java.util.Arrays;
 
 /*
  * RandomCookie ... SSL hands standard format random cookies (nonces)
@@ -111,7 +113,7 @@ final class RandomCookie {
     }
 
     boolean isHelloRetryRequest() {
-        return Arrays.equals(hrrRandomBytes, randomBytes);
+        return MessageDigest.isEqual(hrrRandomBytes, randomBytes);
     }
 
     // Used for client random validation of version downgrade protection.
@@ -130,10 +132,10 @@ final class RandomCookie {
     }
 
     private boolean isT12Downgrade() {
-        return Arrays.equals(randomBytes, 24, 32, t12Protection, 0, 8);
+        return ByteArrays.isEqual(randomBytes, 24, 32, t12Protection, 0, 8);
     }
 
     private boolean isT11Downgrade() {
-        return Arrays.equals(randomBytes, 24, 32, t11Protection, 0, 8);
+        return ByteArrays.isEqual(randomBytes, 24, 32, t11Protection, 0, 8);
     }
 }

src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java

@@ -27,6 +27,7 @@ package sun.security.ssl;
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.security.MessageDigest;
 import java.text.MessageFormat;
 import java.util.Arrays;
 import java.util.Locale;
@@ -37,6 +38,7 @@ import sun.security.ssl.SSLExtension.ExtensionConsumer;
 import static sun.security.ssl.SSLExtension.SH_RENEGOTIATION_INFO;
 import sun.security.ssl.SSLExtension.SSLExtensionSpec;
 import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.util.ByteArrays;
 
 /**
  * Pack of the "renegotiation_info" extensions [RFC 5746].
@@ -239,7 +241,7 @@ final class RenegoInfoExtension {
                             "renegotiation");
                 } else {
                     // verify the client_verify_data value
-                    if (!Arrays.equals(shc.conContext.clientVerifyData,
+                    if (!MessageDigest.isEqual(shc.conContext.clientVerifyData,
                             spec.renegotiatedConnection)) {
                         throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                             "Invalid renegotiation_info extension data: " +
@@ -459,14 +461,14 @@ final class RenegoInfoExtension {
                 }
 
                 byte[] cvd = chc.conContext.clientVerifyData;
-                if (!Arrays.equals(spec.renegotiatedConnection,
+                if (!ByteArrays.isEqual(spec.renegotiatedConnection,
                         0, cvd.length, cvd, 0, cvd.length)) {
                     throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid renegotiation_info in ServerHello: " +
                         "unmatched client_verify_data value");
                 }
                 byte[] svd = chc.conContext.serverVerifyData;
-                if (!Arrays.equals(spec.renegotiatedConnection,
+                if (!ByteArrays.isEqual(spec.renegotiatedConnection,
                         cvd.length, infoLen, svd, 0, svd.length)) {
                     throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid renegotiation_info in ServerHello: " +

src/java.base/share/classes/sun/security/ssl/SessionId.java

@@ -25,6 +25,7 @@
 
 package sun.security.ssl;
 
+import java.security.MessageDigest;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import javax.net.ssl.SSLProtocolException;
@@ -89,7 +90,7 @@ final class SessionId {
 
         if (obj instanceof SessionId) {
             SessionId that = (SessionId)obj;
-            return Arrays.equals(this.sessionId, that.sessionId);
+            return MessageDigest.isEqual(this.sessionId, that.sessionId);
         }
 
         return false;

src/java.base/share/classes/sun/security/util/ByteArrays.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+/**
+ * A time-instance comparison of two byte arrays.
+ */
+public class ByteArrays {
+    // See the MessageDigest.isEqual(byte[] digesta, byte[] digestb)
+    // implementation.  This is a potential enhancement of the
+    // MessageDigest class.
+    public static boolean isEqual(byte[] a, int aFromIndex, int aToIndex,
+                                 byte[] b, int bFromIndex, int bToIndex) {
+        if (a == b) {
+            return true;
+        }
+
+        if (a == null || b == null) {
+            return false;
+        }
+
+        if (a.length == 0) {
+            return b.length == 0;
+        }
+
+        int lenA = aToIndex - aFromIndex;
+        int lenB = bToIndex - bFromIndex;
+
+        if (lenB == 0) {
+            return lenA == 0;
+        }
+
+        int result = 0;
+        result |= lenA - lenB;
+
+        // time-constant comparison
+        for (int indexA = 0; indexA < lenA; indexA++) {
+            int indexB = ((indexA - lenB) >>> 31) * indexA;
+            result |= a[aFromIndex + indexA] ^ b[bFromIndex + indexB];
+        }
+
+        return result == 0;
+    }
+}