8268525: Some new memory leak after JDK-8248268 and JDK-8255557

wangweij · wangweij · commit 7b2e7d8bab89 · 2021-06-10T22:18:38.000Z
Reviewed-by: valeriep, ascarpino
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java b/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java
@@ -435,50 +435,54 @@ void init(int opmode, Key key, AlgorithmParameterSpec params,
 
         byte[] keyBytes = getKeyBytes(key);
         byte[] ivBytes = null;
-        if (params != null) {
-            if (params instanceof IvParameterSpec) {
-                ivBytes = ((IvParameterSpec) params).getIV();
-                if ((ivBytes == null) || (ivBytes.length != blockSize)) {
+        try {
+            if (params != null) {
+                if (params instanceof IvParameterSpec) {
+                    ivBytes = ((IvParameterSpec) params).getIV();
+                    if ((ivBytes == null) || (ivBytes.length != blockSize)) {
+                        throw new InvalidAlgorithmParameterException
+                                ("Wrong IV length: must be " + blockSize +
+                                        " bytes long");
+                    }
+                } else if (params instanceof RC2ParameterSpec) {
+                    ivBytes = ((RC2ParameterSpec) params).getIV();
+                    if ((ivBytes != null) && (ivBytes.length != blockSize)) {
+                        throw new InvalidAlgorithmParameterException
+                                ("Wrong IV length: must be " + blockSize +
+                                        " bytes long");
+                    }
+                } else {
                     throw new InvalidAlgorithmParameterException
-                        ("Wrong IV length: must be " + blockSize +
-                            " bytes long");
+                            ("Unsupported parameter: " + params);
                 }
-            } else if (params instanceof RC2ParameterSpec) {
-                ivBytes = ((RC2ParameterSpec) params).getIV();
-                if ((ivBytes != null) && (ivBytes.length != blockSize)) {
+            }
+            if (cipherMode == ECB_MODE) {
+                if (ivBytes != null) {
                     throw new InvalidAlgorithmParameterException
-                        ("Wrong IV length: must be " + blockSize +
-                            " bytes long");
+                            ("ECB mode cannot use IV");
+                }
+            } else if (ivBytes == null) {
+                if (decrypting) {
+                    throw new InvalidAlgorithmParameterException("Parameters "
+                            + "missing");
                 }
-            } else {
-                throw new InvalidAlgorithmParameterException
-                    ("Unsupported parameter: " + params);
-            }
-        }
-        if (cipherMode == ECB_MODE) {
-            if (ivBytes != null) {
-                throw new InvalidAlgorithmParameterException
-                    ("ECB mode cannot use IV");
-            }
-        } else if (ivBytes == null) {
-            if (decrypting) {
-                throw new InvalidAlgorithmParameterException("Parameters "
-                    + "missing");
-            }
 
-            if (random == null) {
-                random = SunJCE.getRandom();
-            }
+                if (random == null) {
+                    random = SunJCE.getRandom();
+                }
 
-            ivBytes = new byte[blockSize];
-            random.nextBytes(ivBytes);
-        }
+                ivBytes = new byte[blockSize];
+                random.nextBytes(ivBytes);
+            }
 
-        buffered = 0;
-        diffBlocksize = blockSize;
+            buffered = 0;
+            diffBlocksize = blockSize;
 
-        String algorithm = key.getAlgorithm();
-        cipher.init(decrypting, algorithm, keyBytes, ivBytes);
+            String algorithm = key.getAlgorithm();
+            cipher.init(decrypting, algorithm, keyBytes, ivBytes);
+        } finally {
+            Arrays.fill(keyBytes, (byte)0);
+        }
     }
 
     void init(int opmode, Key key, AlgorithmParameters params,
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/ConstructKeys.java b/src/java.base/share/classes/com/sun/crypto/provider/ConstructKeys.java
@@ -25,6 +25,8 @@
 
 package com.sun.crypto.provider;
 
+import jdk.internal.access.SharedSecrets;
+
 import java.security.Key;
 import java.security.PublicKey;
 import java.security.PrivateKey;
@@ -48,33 +50,25 @@
  */
 
 final class ConstructKeys {
-    /**
-     * Construct a public key from its encoding.
-     *
-     * @param encodedKey the encoding of a public key.
-     *
-     * @param encodedKeyAlgorithm the algorithm the encodedKey is for.
-     *
-     * @return a public key constructed from the encodedKey.
-     */
+
     private static final PublicKey constructPublicKey(byte[] encodedKey,
-            String encodedKeyAlgorithm)
+            int ofs, int len, String encodedKeyAlgorithm)
             throws InvalidKeyException, NoSuchAlgorithmException {
         PublicKey key = null;
+        byte[] keyBytes = (ofs == 0 && encodedKey.length == len)
+                ? encodedKey : Arrays.copyOfRange(encodedKey, ofs, ofs + len);
+        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
         try {
             KeyFactory keyFactory =
                 KeyFactory.getInstance(encodedKeyAlgorithm,
                     SunJCE.getInstance());
-            X509EncodedKeySpec keySpec = new X509EncodedKeySpec(encodedKey);
             key = keyFactory.generatePublic(keySpec);
         } catch (NoSuchAlgorithmException nsae) {
             // Try to see whether there is another
             // provider which supports this algorithm
             try {
                 KeyFactory keyFactory =
                     KeyFactory.getInstance(encodedKeyAlgorithm);
-                X509EncodedKeySpec keySpec =
-                    new X509EncodedKeySpec(encodedKey);
                 key = keyFactory.generatePublic(keySpec);
             } catch (NoSuchAlgorithmException nsae2) {
                 throw new NoSuchAlgorithmException("No installed providers " +
@@ -97,34 +91,24 @@ private static final PublicKey constructPublicKey(byte[] encodedKey,
         return key;
     }
 
-    /**
-     * Construct a private key from its encoding.
-     *
-     * @param encodedKey the encoding of a private key.
-     *
-     * @param encodedKeyAlgorithm the algorithm the wrapped key is for.
-     *
-     * @return a private key constructed from the encodedKey.
-     */
     private static final PrivateKey constructPrivateKey(byte[] encodedKey,
-            String encodedKeyAlgorithm)
+            int ofs, int len, String encodedKeyAlgorithm)
             throws InvalidKeyException, NoSuchAlgorithmException {
         PrivateKey key = null;
-
+        byte[] keyBytes = (ofs == 0 && encodedKey.length == len)
+                ? encodedKey : Arrays.copyOfRange(encodedKey, ofs, ofs + len);
+        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes);
         try {
             KeyFactory keyFactory =
                 KeyFactory.getInstance(encodedKeyAlgorithm,
                     SunJCE.getInstance());
-            PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encodedKey);
             return keyFactory.generatePrivate(keySpec);
         } catch (NoSuchAlgorithmException nsae) {
             // Try to see whether there is another
             // provider which supports this algorithm
             try {
                 KeyFactory keyFactory =
                     KeyFactory.getInstance(encodedKeyAlgorithm);
-                PKCS8EncodedKeySpec keySpec =
-                    new PKCS8EncodedKeySpec(encodedKey);
                 key = keyFactory.generatePrivate(keySpec);
             } catch (NoSuchAlgorithmException nsae2) {
                 throw new NoSuchAlgorithmException("No installed providers " +
@@ -142,20 +126,16 @@ private static final PrivateKey constructPrivateKey(byte[] encodedKey,
                 new InvalidKeyException("Cannot construct private key");
             ike.initCause(ikse);
             throw ike;
+        } finally {
+            SharedSecrets.getJavaSecuritySpecAccess().clearEncodedKeySpec(keySpec);
+            if (keyBytes != encodedKey) {
+                Arrays.fill(keyBytes, (byte)0);
+            }
         }
 
         return key;
     }
 
-    /**
-     * Construct a secret key from its encoding.
-     *
-     * @param encodedKey the encoding of a secret key.
-     *
-     * @param encodedKeyAlgorithm the algorithm the secret key is for.
-     *
-     * @return a secret key constructed from the encodedKey.
-     */
     private static final SecretKey constructSecretKey(byte[] encodedKey,
             int ofs, int len, String encodedKeyAlgorithm) {
         return (new SecretKeySpec(encodedKey, ofs, len, encodedKeyAlgorithm));
@@ -170,35 +150,14 @@ static final Key constructKey(byte[] encoding, String keyAlgorithm,
     static final Key constructKey(byte[] encoding, int ofs, int len,
             String keyAlgorithm, int keyType)
             throws InvalidKeyException, NoSuchAlgorithmException {
-        switch (keyType) {
-        case Cipher.SECRET_KEY:
-            try {
-                return ConstructKeys.constructSecretKey(encoding, ofs, len,
-                        keyAlgorithm);
-            } finally {
-                Arrays.fill(encoding, ofs, len, (byte)0);
-            }
-        case Cipher.PRIVATE_KEY:
-            byte[] encoding2 = encoding;
-            try {
-                if (ofs != 0 || len != encoding.length) {
-                    encoding2 = Arrays.copyOfRange(encoding, ofs, ofs + len);
-                }
-                return ConstructKeys.constructPrivateKey(encoding2,
-                        keyAlgorithm);
-            } finally {
-                Arrays.fill(encoding, ofs, len, (byte)0);
-                if (encoding2 != encoding) {
-                    Arrays.fill(encoding2, (byte)0);
-                }
-            }
-        case Cipher.PUBLIC_KEY:
-            if (ofs != 0 || len != encoding.length) {
-                encoding = Arrays.copyOfRange(encoding, ofs, ofs + len);
-            }
-            return ConstructKeys.constructPublicKey(encoding, keyAlgorithm);
-        default:
-            throw new NoSuchAlgorithmException("Unsupported key type");
-        }
+        return switch (keyType) {
+            case Cipher.SECRET_KEY -> ConstructKeys.constructSecretKey(
+                    encoding, ofs, len, keyAlgorithm);
+            case Cipher.PRIVATE_KEY -> ConstructKeys.constructPrivateKey(
+                    encoding, ofs, len, keyAlgorithm);
+            case Cipher.PUBLIC_KEY -> ConstructKeys.constructPublicKey(
+                    encoding, ofs, len, keyAlgorithm);
+            default -> throw new NoSuchAlgorithmException("Unsupported key type");
+        };
     }
 }
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java b/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java
@@ -163,7 +163,13 @@ void init(int opmode, Key key, GCMParameterSpec spec)
         reInit = false;
 
         // always encrypt mode for embedded cipher
-        blockCipher.init(false, key.getAlgorithm(), keyValue);
+        try {
+            blockCipher.init(false, key.getAlgorithm(), keyValue);
+        } finally {
+            if (!encryption) {
+                Arrays.fill(keyValue, (byte) 0);
+            }
+        }
     }
 
     @Override
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/KWUtil.java b/src/java.base/share/classes/com/sun/crypto/provider/KWUtil.java
@@ -124,6 +124,7 @@ static final int W_INV(byte[] in, int inLen, byte[] icvOut,
             }
         }
         System.arraycopy(buffer, 0, icvOut, 0, SEMI_BLKSIZE);
+        Arrays.fill(buffer, (byte)0);
         return inLen - SEMI_BLKSIZE;
     }
 }
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/KeyWrapCipher.java b/src/java.base/share/classes/com/sun/crypto/provider/KeyWrapCipher.java
@@ -472,7 +472,11 @@ protected byte[] engineDoFinal(byte[] in, int inOfs, int inLen)
             int outLen = engineDoFinal(in, inOfs, inLen, out, 0);
 
             if (outLen < estOutLen) {
-                return Arrays.copyOf(out, outLen);
+                try {
+                    return Arrays.copyOf(out, outLen);
+                } finally {
+                    Arrays.fill(out, (byte)0);
+                }
             } else {
                 return out;
             }
@@ -529,6 +533,9 @@ protected int engineDoFinal(byte[] in, int inOfs, int inLen,
                 return outLen;
             }
         } finally {
+            if (dataBuf != null) {
+                Arrays.fill(dataBuf, (byte)0);
+            }
             dataBuf = null;
             dataIdx = 0;
         }
@@ -559,8 +566,14 @@ private int implDoFinal(byte[] in, int inOfs, int inLen, byte[] out)
             len += inLen;
         }
 
-        return (opmode == Cipher.ENCRYPT_MODE?
-                helperEncrypt(out, len) : helperDecrypt(out, len));
+        try {
+            return (opmode == Cipher.ENCRYPT_MODE ?
+                    helperEncrypt(out, len) : helperDecrypt(out, len));
+        } finally {
+            if (dataBuf != null && dataBuf != out) {
+                Arrays.fill(dataBuf, (byte)0);
+            }
+        }
     }
 
     // helper routine for in-place encryption.

Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,7 @@ static final int W_INV(byte[] in, int inLen, byte[] icvOut,`
`124`	`124`	`}`
`125`	`125`	`}`
`126`	`126`	`System.arraycopy(buffer, 0, icvOut, 0, SEMI_BLKSIZE);`
	`127`	`+ Arrays.fill(buffer, (byte)0);`
`127`	`128`	`return inLen - SEMI_BLKSIZE;`
`128`	`129`	`}`
`129`	`130`	`}`