Merge
diff --git a/.hgtags b/.hgtags
index 84b7a46..d2e546d 100644
--- a/.hgtags
+++ b/.hgtags
@@ -353,11 +353,11 @@
a21dd7999d1e4ba612c951c2c78504d23eb7243a jdk8u31-b11
6a12f34816d2ee12368274fc21225384a8893426 jdk8u31-b12
1fbdd5d80d0671decd8acb5adb64866f609e986f jdk8u31-b13
-a1c3099e1b90230435e890ca56adc8a5aa5149ff jdk8u31-b33
367c7f061c5831ee54cd197f727e06109a67875b jdk8u31-b14
287e3219f3f531b2f20b50b180802a563a782b26 jdk8u31-b15
ced84cf3eebc69f7e04b0098d85dcb3a6b872586 jdk8u31-b31
46338075c4262057099e57638e0758817052da0d jdk8u31-b32
+a1c3099e1b90230435e890ca56adc8a5aa5149ff jdk8u31-b33
e6ed015afbbf3459ba3297e270b4f3170e989c80 jdk8u40-b00
6e223d48080ef40f4ec11ecbcd19b4a20813b9eb jdk8u40-b01
4797cd0713b44b009525f1276d571ade7e24f3f5 jdk8u40-b02
@@ -408,3 +408,15 @@
ea547c5a1217fe7916f366950d0e3156e4225aa5 jdk8u45-b32
27836976c3157a90a9504eb2ec0de54b769b68b4 jdk8u45-b33
98c0901da96579e1819e591c95d19066e0dad9b6 jdk8u45-b34
+ac97b69b88e37c18c1b077be8b1f100b6803fea5 jdk8u51-b00
+2e0732282470f7a02d57af5fc8542efa9db7b3e4 jdk8u51-b01
+cc75137936f9a8e97017e7e18b1064b76238116f jdk8u51-b02
+f732971e3d20664164a3797cf0b1a4cb80470959 jdk8u51-b03
+6d6c0c93e822dc0e37d657060488de934ac2eb4c jdk8u51-b04
+7d9a58baae72804f0852890cf9fc75e6a759b608 jdk8u51-b05
+93e6b2bbc9ff46b3fea1fe89b810259d150a9fc4 jdk8u51-b06
+286b9a885fcc6245fdf2b20697473ec3b35f2538 jdk8u51-b07
+f7da0b943b9381aaf378d0c7b337dd7654335293 jdk8u51-b08
+7e8459e7a45cb5b49de376893e3a95bfa92d0325 jdk8u51-b09
+dcc75a75d3a30270fbf52d0d0b0504319882e419 jdk8u51-b10
+3ed614d4eee7c3225d48ed7c90622dd888cd143e jdk8u51-b11
diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
index 034114a..ebd4db7 100644
--- a/make/data/tzdata/VERSION
+++ b/make/data/tzdata/VERSION
@@ -21,4 +21,4 @@
# or visit www.oracle.com if you need additional information or have any
# questions.
#
-tzdata2015a
+tzdata2015b
diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
index bff837c..fa4f246 100644
--- a/make/data/tzdata/asia
+++ b/make/data/tzdata/asia
@@ -1927,6 +1927,13 @@
# was at the start of 2008-03-31 (the day of Steffen Thorsen's report);
# this is almost surely wrong.
+# From Ganbold Tsagaankhuu (2015-03-10):
+# It seems like yesterday Mongolian Government meeting has concluded to use
+# daylight saving time in Mongolia.... Starting at 2:00AM of last Saturday of
+# March 2015, daylight saving time starts. And 00:00AM of last Saturday of
+# September daylight saving time ends. Source:
+# http://zasag.mn/news/view/8969
+
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
Rule Mongol 1983 1984 - Apr 1 0:00 1:00 S
Rule Mongol 1983 only - Oct 1 0:00 0 -
@@ -1947,6 +1954,8 @@
Rule Mongol 2001 only - Apr lastSat 2:00 1:00 S
Rule Mongol 2001 2006 - Sep lastSat 2:00 0 -
Rule Mongol 2002 2006 - Mar lastSat 2:00 1:00 S
+Rule Mongol 2015 max - Mar lastSat 2:00 1:00 S
+Rule Mongol 2015 max - Sep lastSat 0:00 0 -
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
# Hovd, a.k.a. Chovd, Dund-Us, Dzhargalant, Khovd, Jirgalanta
@@ -2365,13 +2374,19 @@
# official source...:
# http://www.palestinecabinet.gov.ps/ar/Views/ViewDetails.aspx?pid=1252
-# From Paul Eggert (2013-09-24):
-# For future dates, guess the last Thursday in March at 24:00 through
-# the first Friday on or after September 21 at 00:00. This is consistent with
-# the predictions in today's editions of the following URLs,
-# which are for Gaza and Hebron respectively:
-# http://www.timeanddate.com/worldclock/timezone.html?n=702
-# http://www.timeanddate.com/worldclock/timezone.html?n=2364
+# From Steffen Thorsen (2015-03-03):
+# Sources such as http://www.alquds.com/news/article/view/id/548257
+# and http://www.raya.ps/ar/news/890705.html say Palestine areas will
+# start DST on 2015-03-28 00:00 which is one day later than expected.
+#
+# From Paul Eggert (2015-03-03):
+# http://www.timeanddate.com/time/change/west-bank/ramallah?year=2014
+# says that the fall 2014 transition was Oct 23 at 24:00.
+# For future dates, guess the last Friday in March at 24:00 through
+# the first Friday on or after October 21 at 00:00. This is consistent with
+# the predictions in today's editions of the following URLs:
+# http://www.timeanddate.com/time/change/gaza-strip/gaza
+# http://www.timeanddate.com/time/change/west-bank/hebron
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
@@ -2397,9 +2412,11 @@
Rule Palestine 2011 only - Aug 1 0:00 0 -
Rule Palestine 2011 only - Aug 30 0:00 1:00 S
Rule Palestine 2011 only - Sep 30 0:00 0 -
-Rule Palestine 2012 max - Mar lastThu 24:00 1:00 S
+Rule Palestine 2012 2014 - Mar lastThu 24:00 1:00 S
Rule Palestine 2012 only - Sep 21 1:00 0 -
-Rule Palestine 2013 max - Sep Fri>=21 0:00 0 -
+Rule Palestine 2013 only - Sep Fri>=21 0:00 0 -
+Rule Palestine 2014 max - Oct Fri>=21 0:00 0 -
+Rule Palestine 2015 max - Mar lastFri 24:00 1:00 S
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
diff --git a/make/data/tzdata/australasia b/make/data/tzdata/australasia
index f2a89e8..ec9f392 100644
--- a/make/data/tzdata/australasia
+++ b/make/data/tzdata/australasia
@@ -396,6 +396,7 @@
9:39:00 - LMT 1901 # Agana
10:00 - GST 2000 Dec 23 # Guam
10:00 - ChST # Chamorro Standard Time
+Link Pacific/Guam Pacific/Saipan # N Mariana Is
# Kiribati
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
@@ -411,12 +412,7 @@
14:00 - LINT
# N Mariana Is
-# Zone NAME GMTOFF RULES FORMAT [UNTIL]
-Zone Pacific/Saipan -14:17:00 - LMT 1844 Dec 31
- 9:43:00 - LMT 1901
- 9:00 - MPT 1969 Oct # N Mariana Is Time
- 10:00 - MPT 2000 Dec 23
- 10:00 - ChST # Chamorro Standard Time
+# See Pacific/Guam.
# Marshall Is
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
@@ -586,6 +582,7 @@
-11:00 - NST 1967 Apr # N=Nome
-11:00 - BST 1983 Nov 30 # B=Bering
-11:00 - SST # S=Samoa
+Link Pacific/Pago_Pago Pacific/Midway # in US minor outlying islands
# Samoa (formerly and also known as Western Samoa)
@@ -767,23 +764,7 @@
# uninhabited
# Midway
-#
-# From Mark Brader (2005-01-23):
-# [Fallacies and Fantasies of Air Transport History, by R.E.G. Davies,
-# published 1994 by Paladwr Press, McLean, VA, USA; ISBN 0-9626483-5-3]
-# reproduced a Pan American Airways timetable from 1936, for their weekly
-# "Orient Express" flights between San Francisco and Manila, and connecting
-# flights to Chicago and the US East Coast. As it uses some time zone
-# designations that I've never seen before:....
-# Fri. 6:30A Lv. HONOLOLU (Pearl Harbor), H.I. H.L.T. Ar. 5:30P Sun.
-# " 3:00P Ar. MIDWAY ISLAND . . . . . . . . . M.L.T. Lv. 6:00A "
-#
-Zone Pacific/Midway -11:49:28 - LMT 1901
- -11:00 - NST 1956 Jun 3
- -11:00 1:00 NDT 1956 Sep 2
- -11:00 - NST 1967 Apr # N=Nome
- -11:00 - BST 1983 Nov 30 # B=Bering
- -11:00 - SST # S=Samoa
+# See Pacific/Pago_Pago.
# Palmyra
# uninhabited since World War II; was probably like Pacific/Kiritimati
diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
index 89790f0..008268a 100644
--- a/make/data/tzdata/europe
+++ b/make/data/tzdata/europe
@@ -2423,7 +2423,7 @@
4:00 Russia VOL%sT 1989 Mar 26 2:00s # Volgograd T
3:00 Russia VOL%sT 1991 Mar 31 2:00s
4:00 - VOLT 1992 Mar 29 2:00s
- 3:00 Russia MSK 2011 Mar 27 2:00s
+ 3:00 Russia MSK/MSD 2011 Mar 27 2:00s
4:00 - MSK 2014 Oct 26 2:00s
3:00 - MSK
diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica
index 5943cfe..442a50e 100644
--- a/make/data/tzdata/northamerica
+++ b/make/data/tzdata/northamerica
@@ -2335,8 +2335,24 @@
# "...the new time zone will come into effect at two o'clock on the first Sunday
# of February, when we will have to advance the clock one hour from its current
# time..."
-#
# Also, the new zone will not use DST.
+#
+# From Carlos Raúl Perasso (2015-02-02):
+# The decree that modifies the Mexican Hour System Law has finally
+# been published at the Diario Oficial de la Federación
+# http://www.dof.gob.mx/nota_detalle.php?codigo=5380123&fecha=31/01/2015
+# It establishes 5 zones for Mexico:
+# 1- Zona Centro (Central Zone): Corresponds to longitude 90 W,
+# includes most of Mexico, excluding what's mentioned below.
+# 2- Zona Pacífico (Pacific Zone): Longitude 105 W, includes the
+# states of Baja California Sur; Chihuahua; Nayarit (excluding Bahía
+# de Banderas which lies in Central Zone); Sinaloa and Sonora.
+# 3- Zona Noroeste (Northwest Zone): Longitude 120 W, includes the
+# state of Baja California.
+# 4- Zona Sureste (Southeast Zone): Longitude 75 W, includes the state
+# of Quintana Roo.
+# 5- The islands, reefs and keys shall take their timezone from the
+# longitude they are located at.
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
Rule Mexico 1939 only - Feb 5 0:00 1:00 D
@@ -2531,13 +2547,8 @@
###############################################################################
# Anguilla
-# See America/Port_of_Spain.
-
# Antigua and Barbuda
-# Zone NAME GMTOFF RULES FORMAT [UNTIL]
-Zone America/Antigua -4:07:12 - LMT 1912 Mar 2
- -5:00 - EST 1951
- -4:00 - AST
+# See America/Port_of_Spain.
# Bahamas
#
@@ -2604,10 +2615,7 @@
-4:00 US A%sT
# Cayman Is
-# Zone NAME GMTOFF RULES FORMAT [UNTIL]
-Zone America/Cayman -5:25:32 - LMT 1890 # Georgetown
- -5:07:11 - KMT 1912 Feb # Kingston Mean Time
- -5:00 - EST
+# See America/Panama.
# Costa Rica
@@ -3130,6 +3138,7 @@
Zone America/Panama -5:18:08 - LMT 1890
-5:19:36 - CMT 1908 Apr 22 # Colón Mean Time
-5:00 - EST
+Link America/Panama America/Cayman
# Puerto Rico
# There are too many San Juans elsewhere, so we'll use 'Puerto_Rico'.
diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica
index 02cf121..238ae3d 100644
--- a/make/data/tzdata/southamerica
+++ b/make/data/tzdata/southamerica
@@ -1229,10 +1229,13 @@
# DST Start: first Saturday of September 2014 (Sun 07 Sep 2014 04:00 UTC)
# http://www.diariooficial.interior.gob.cl//media/2014/02/19/do-20140219.pdf
-# From Juan Correa (2015-01-28):
-# ... today the Ministry of Energy announced that Chile will drop DST, will keep
-# "summer time" (UTC -3 / UTC -5) all year round....
-# http://www.minenergia.cl/ministerio/noticias/generales/ministerio-de-energia-anuncia.html
+# From Eduardo Romero Urra (2015-03-03):
+# Today has been published officially that Chile will use the DST time
+# permanently until March 25 of 2017
+# http://www.diariooficial.interior.gob.cl/media/2015/03/03/1-large.jpg
+#
+# From Paul Eggert (2015-03-03):
+# For now, assume that the extension will persist indefinitely.
# NOTE: ChileAQ rules for Antarctic bases are stored separately in the
# 'antarctica' file.
@@ -1291,7 +1294,7 @@
-3:00 - CLT
Zone Pacific/Easter -7:17:44 - LMT 1890
-7:17:28 - EMT 1932 Sep # Easter Mean Time
- -7:00 Chile EAS%sT 1982 Mar 13 3:00u # Easter Time
+ -7:00 Chile EAS%sT 1982 Mar 14 3:00u # Easter Time
-6:00 Chile EAS%sT 2015 Apr 26 3:00u
-5:00 - EAST
#
@@ -1626,6 +1629,7 @@
# These all agree with Trinidad and Tobago since 1970.
Link America/Port_of_Spain America/Anguilla
+Link America/Port_of_Spain America/Antigua
Link America/Port_of_Spain America/Dominica
Link America/Port_of_Spain America/Grenada
Link America/Port_of_Spain America/Guadeloupe
diff --git a/src/macosx/bin/java_md_macosx.c b/src/macosx/bin/java_md_macosx.c
index 248d2cb..f9e05c8 100644
--- a/src/macosx/bin/java_md_macosx.c
+++ b/src/macosx/bin/java_md_macosx.c
@@ -616,7 +616,11 @@
if (access(libjava, F_OK) == 0) {
return JNI_TRUE;
}
-
+ /* ensure storage for path + /jre + NULL */
+ if ((JLI_StrLen(path) + 4 + 1) > pathsize) {
+ JLI_TraceLauncher("Insufficient space to store JRE path\n");
+ return JNI_FALSE;
+ }
/* Does the app ship a private JRE in <apphome>/jre directory? */
JLI_Snprintf(libjava, sizeof(libjava), "%s/jre/lib/" JAVA_DLL, path);
if (access(libjava, F_OK) == 0) {
diff --git a/src/macosx/classes/sun/lwawt/macosx/CClipboard.java b/src/macosx/classes/sun/lwawt/macosx/CClipboard.java
index b657aee..19f9a40 100644
--- a/src/macosx/classes/sun/lwawt/macosx/CClipboard.java
+++ b/src/macosx/classes/sun/lwawt/macosx/CClipboard.java
@@ -57,6 +57,18 @@
}
@Override
+ public synchronized Transferable getContents(Object requestor) {
+ checkPasteboardAndNotify();
+ return super.getContents(requestor);
+ }
+
+ @Override
+ protected synchronized Transferable getContextContents() {
+ checkPasteboardAndNotify();
+ return super.getContextContents();
+ }
+
+ @Override
protected void setContentsNative(Transferable contents) {
FlavorTable flavorMap = getDefaultFlavorTable();
// Don't use delayed Clipboard rendering for the Transferable's data.
@@ -116,13 +128,20 @@
private native void declareTypes(long[] formats, SunClipboard newOwner);
private native void setData(byte[] data, long format);
+ void checkPasteboardAndNotify() {
+ if (checkPasteboardWithoutNotification()) {
+ notifyChanged();
+ lostOwnershipNow(null);
+ }
+ }
+
/**
* Invokes native check whether a change count on the general pasteboard is different
* than when we set it. The different count value means the current owner lost
* pasteboard ownership and someone else put data on the clipboard.
* @since 1.7
*/
- native void checkPasteboard();
+ native boolean checkPasteboardWithoutNotification();
/*** Native Callbacks ***/
private void notifyLostOwnership() {
diff --git a/src/macosx/classes/sun/lwawt/macosx/CEmbeddedFrame.java b/src/macosx/classes/sun/lwawt/macosx/CEmbeddedFrame.java
index 1b6f14a..859909e 100644
--- a/src/macosx/classes/sun/lwawt/macosx/CEmbeddedFrame.java
+++ b/src/macosx/classes/sun/lwawt/macosx/CEmbeddedFrame.java
@@ -120,7 +120,7 @@
// it won't be invoced if focuse is moved to a html element
// on the same page.
CClipboard clipboard = (CClipboard) Toolkit.getDefaultToolkit().getSystemClipboard();
- clipboard.checkPasteboard();
+ clipboard.checkPasteboardAndNotify();
}
if (parentWindowActive) {
responder.handleWindowFocusEvent(focused, null);
diff --git a/src/macosx/native/sun/awt/CClipboard.m b/src/macosx/native/sun/awt/CClipboard.m
index 098e1c2..dde4ed8 100644
--- a/src/macosx/native/sun/awt/CClipboard.m
+++ b/src/macosx/native/sun/awt/CClipboard.m
@@ -171,6 +171,8 @@
else [args removeLastObject];
}
+
+
- (void) checkPasteboard:(id)application {
AWT_ASSERT_APPKIT_THREAD;
@@ -202,6 +204,19 @@
}
}
+- (BOOL) checkPasteboardWithoutNotification:(id)application {
+ AWT_ASSERT_APPKIT_THREAD;
+
+ NSInteger newChangeCount = [[NSPasteboard generalPasteboard] changeCount];
+
+ if (fChangeCount != newChangeCount) {
+ fChangeCount = newChangeCount;
+ return YES;
+ } else {
+ return NO;
+ }
+}
+
@end
/*
@@ -348,16 +363,17 @@
* Method: checkPasteboard
* Signature: ()V
*/
-JNIEXPORT void JNICALL Java_sun_lwawt_macosx_CClipboard_checkPasteboard
-(JNIEnv *env, jobject inObject )
+JNIEXPORT jboolean JNICALL Java_sun_lwawt_macosx_CClipboard_checkPasteboardWithoutNotification
+(JNIEnv *env, jobject inObject)
{
+ __block BOOL ret = NO;
JNF_COCOA_ENTER(env);
-
[ThreadUtilities performOnMainThreadWaiting:YES block:^(){
- [[CClipboard sharedClipboard] checkPasteboard:nil];
+ ret = [[CClipboard sharedClipboard] checkPasteboardWithoutNotification:nil];
}];
-
+
JNF_COCOA_EXIT(env);
+ return ret;
}
diff --git a/src/share/classes/com/sun/crypto/provider/AESCrypt.java b/src/share/classes/com/sun/crypto/provider/AESCrypt.java
index 02cc426..12ffe89 100644
--- a/src/share/classes/com/sun/crypto/provider/AESCrypt.java
+++ b/src/share/classes/com/sun/crypto/provider/AESCrypt.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -37,7 +37,7 @@
package com.sun.crypto.provider;
import java.security.InvalidKeyException;
-import java.util.Arrays;
+import java.security.MessageDigest;
/**
* Rijndael --pronounced Reindaal-- is a symmetric cipher with a 128-bit
@@ -88,7 +88,7 @@
key.length + " bytes");
}
- if (!Arrays.equals(key, lastKey)) {
+ if (!MessageDigest.isEqual(key, lastKey)) {
// re-generate session key 'sessionK' when cipher key changes
makeSessionKey(key);
lastKey = key.clone(); // save cipher key
diff --git a/src/share/classes/com/sun/crypto/provider/CipherCore.java b/src/share/classes/com/sun/crypto/provider/CipherCore.java
index 8d54633..408da30 100644
--- a/src/share/classes/com/sun/crypto/provider/CipherCore.java
+++ b/src/share/classes/com/sun/crypto/provider/CipherCore.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -568,7 +568,7 @@
// check key+iv for encryption in GCM mode
requireReinit =
Arrays.equals(ivBytes, lastEncIv) &&
- Arrays.equals(keyBytes, lastEncKey);
+ MessageDigest.isEqual(keyBytes, lastEncKey);
if (requireReinit) {
throw new InvalidAlgorithmParameterException
("Cannot reuse iv for GCM encryption");
diff --git a/src/share/classes/com/sun/crypto/provider/DESKey.java b/src/share/classes/com/sun/crypto/provider/DESKey.java
index 32564ce..d449380 100644
--- a/src/share/classes/com/sun/crypto/provider/DESKey.java
+++ b/src/share/classes/com/sun/crypto/provider/DESKey.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
package com.sun.crypto.provider;
+import java.security.MessageDigest;
import java.security.KeyRep;
import java.security.InvalidKeyException;
import javax.crypto.SecretKey;
@@ -113,7 +114,7 @@
return false;
byte[] thatKey = ((SecretKey)obj).getEncoded();
- boolean ret = java.util.Arrays.equals(this.key, thatKey);
+ boolean ret = MessageDigest.isEqual(this.key, thatKey);
java.util.Arrays.fill(thatKey, (byte)0x00);
return ret;
}
diff --git a/src/share/classes/com/sun/crypto/provider/DESedeKey.java b/src/share/classes/com/sun/crypto/provider/DESedeKey.java
index 8f264b8..a0de5dc 100644
--- a/src/share/classes/com/sun/crypto/provider/DESedeKey.java
+++ b/src/share/classes/com/sun/crypto/provider/DESedeKey.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
package com.sun.crypto.provider;
+import java.security.MessageDigest;
import java.security.KeyRep;
import java.security.InvalidKeyException;
import javax.crypto.SecretKey;
@@ -114,7 +115,7 @@
return false;
byte[] thatKey = ((SecretKey)obj).getEncoded();
- boolean ret = java.util.Arrays.equals(this.key, thatKey);
+ boolean ret = MessageDigest.isEqual(this.key, thatKey);
java.util.Arrays.fill(thatKey, (byte)0x00);
return ret;
}
diff --git a/src/share/classes/com/sun/crypto/provider/PBEKey.java b/src/share/classes/com/sun/crypto/provider/PBEKey.java
index d954d0f..7264bc2 100644
--- a/src/share/classes/com/sun/crypto/provider/PBEKey.java
+++ b/src/share/classes/com/sun/crypto/provider/PBEKey.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
package com.sun.crypto.provider;
+import java.security.MessageDigest;
import java.security.KeyRep;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKey;
@@ -107,7 +108,7 @@
return false;
byte[] thatEncoded = that.getEncoded();
- boolean ret = java.util.Arrays.equals(this.key, thatEncoded);
+ boolean ret = MessageDigest.isEqual(this.key, thatEncoded);
java.util.Arrays.fill(thatEncoded, (byte)0x00);
return ret;
}
diff --git a/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java b/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
index ec3bd3e..606c15c 100644
--- a/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
+++ b/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.util.Arrays;
+import java.security.MessageDigest;
import java.security.KeyRep;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
@@ -152,7 +153,7 @@
SecretKey sk = (SecretKey)obj;
return prf.getAlgorithm().equalsIgnoreCase(
sk.getAlgorithm()) &&
- Arrays.equals(password, sk.getEncoded());
+ MessageDigest.isEqual(password, sk.getEncoded());
}
};
prf.init(macKey);
@@ -238,7 +239,7 @@
if (!(that.getFormat().equalsIgnoreCase("RAW")))
return false;
byte[] thatEncoded = that.getEncoded();
- boolean ret = Arrays.equals(key, that.getEncoded());
+ boolean ret = MessageDigest.isEqual(key, that.getEncoded());
java.util.Arrays.fill(thatEncoded, (byte)0x00);
return ret;
}
diff --git a/src/share/classes/com/sun/jndi/dns/DnsClient.java b/src/share/classes/com/sun/jndi/dns/DnsClient.java
index 3c4ea36..bfe0198 100644
--- a/src/share/classes/com/sun/jndi/dns/DnsClient.java
+++ b/src/share/classes/com/sun/jndi/dns/DnsClient.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -184,119 +184,124 @@
Exception caughtException = null;
boolean[] doNotRetry = new boolean[servers.length];
- //
- // The UDP retry strategy is to try the 1st server, and then
- // each server in order. If no answer, double the timeout
- // and try each server again.
- //
- for (int retry = 0; retry < retries; retry++) {
+ try {
+ //
+ // The UDP retry strategy is to try the 1st server, and then
+ // each server in order. If no answer, double the timeout
+ // and try each server again.
+ //
+ for (int retry = 0; retry < retries; retry++) {
- // Try each name server.
- for (int i = 0; i < servers.length; i++) {
- if (doNotRetry[i]) {
- continue;
- }
-
- // send the request packet and wait for a response.
- try {
- if (debug) {
- dprint("SEND ID (" + (retry + 1) + "): " + xid);
- }
-
- byte[] msg = null;
- msg = doUdpQuery(pkt, servers[i], serverPorts[i],
- retry, xid);
- //
- // If the matching response is not got within the
- // given timeout, check if the response was enqueued
- // by some other thread, if not proceed with the next
- // server or retry.
- //
- if (msg == null) {
- if (resps.size() > 0) {
- msg = lookupResponse(xid);
- }
- if (msg == null) { // try next server or retry
- continue;
- }
- }
- Header hdr = new Header(msg, msg.length);
-
- if (auth && !hdr.authoritative) {
- caughtException = new NameNotFoundException(
- "DNS response not authoritative");
- doNotRetry[i] = true;
+ // Try each name server.
+ for (int i = 0; i < servers.length; i++) {
+ if (doNotRetry[i]) {
continue;
}
- if (hdr.truncated) { // message is truncated -- try TCP
- // Try each server, starting with the one that just
- // provided the truncated message.
- for (int j = 0; j < servers.length; j++) {
- int ij = (i + j) % servers.length;
- if (doNotRetry[ij]) {
+ // send the request packet and wait for a response.
+ try {
+ if (debug) {
+ dprint("SEND ID (" + (retry + 1) + "): " + xid);
+ }
+
+ byte[] msg = null;
+ msg = doUdpQuery(pkt, servers[i], serverPorts[i],
+ retry, xid);
+ //
+ // If the matching response is not got within the
+ // given timeout, check if the response was enqueued
+ // by some other thread, if not proceed with the next
+ // server or retry.
+ //
+ if (msg == null) {
+ if (resps.size() > 0) {
+ msg = lookupResponse(xid);
+ }
+ if (msg == null) { // try next server or retry
continue;
}
- try {
- Tcp tcp =
- new Tcp(servers[ij], serverPorts[ij]);
- byte[] msg2;
+ }
+ Header hdr = new Header(msg, msg.length);
+
+ if (auth && !hdr.authoritative) {
+ caughtException = new NameNotFoundException(
+ "DNS response not authoritative");
+ doNotRetry[i] = true;
+ continue;
+ }
+ if (hdr.truncated) { // message is truncated -- try TCP
+
+ // Try each server, starting with the one that just
+ // provided the truncated message.
+ for (int j = 0; j < servers.length; j++) {
+ int ij = (i + j) % servers.length;
+ if (doNotRetry[ij]) {
+ continue;
+ }
try {
- msg2 = doTcpQuery(tcp, pkt);
- } finally {
- tcp.close();
- }
- Header hdr2 = new Header(msg2, msg2.length);
- if (hdr2.query) {
- throw new CommunicationException(
- "DNS error: expecting response");
- }
- checkResponseCode(hdr2);
+ Tcp tcp =
+ new Tcp(servers[ij], serverPorts[ij]);
+ byte[] msg2;
+ try {
+ msg2 = doTcpQuery(tcp, pkt);
+ } finally {
+ tcp.close();
+ }
+ Header hdr2 = new Header(msg2, msg2.length);
+ if (hdr2.query) {
+ throw new CommunicationException(
+ "DNS error: expecting response");
+ }
+ checkResponseCode(hdr2);
- if (!auth || hdr2.authoritative) {
- // Got a valid response
- hdr = hdr2;
- msg = msg2;
- break;
- } else {
- doNotRetry[ij] = true;
+ if (!auth || hdr2.authoritative) {
+ // Got a valid response
+ hdr = hdr2;
+ msg = msg2;
+ break;
+ } else {
+ doNotRetry[ij] = true;
+ }
+ } catch (Exception e) {
+ // Try next server, or use UDP response
}
- } catch (Exception e) {
- // Try next server, or use UDP response
- }
- } // servers
- }
- return new ResourceRecords(msg, msg.length, hdr, false);
+ } // servers
+ }
+ return new ResourceRecords(msg, msg.length, hdr, false);
- } catch (IOException e) {
- if (debug) {
- dprint("Caught IOException:" + e);
- }
- if (caughtException == null) {
- caughtException = e;
- }
- // Use reflection to allow pre-1.4 compilation.
- // This won't be needed much longer.
- if (e.getClass().getName().equals(
- "java.net.PortUnreachableException")) {
+ } catch (IOException e) {
+ if (debug) {
+ dprint("Caught IOException:" + e);
+ }
+ if (caughtException == null) {
+ caughtException = e;
+ }
+ // Use reflection to allow pre-1.4 compilation.
+ // This won't be needed much longer.
+ if (e.getClass().getName().equals(
+ "java.net.PortUnreachableException")) {
+ doNotRetry[i] = true;
+ }
+ } catch (NameNotFoundException e) {
+ // This is authoritative, so return immediately
+ throw e;
+ } catch (CommunicationException e) {
+ if (caughtException == null) {
+ caughtException = e;
+ }
+ } catch (NamingException e) {
+ if (caughtException == null) {
+ caughtException = e;
+ }
doNotRetry[i] = true;
}
- } catch (NameNotFoundException e) {
- throw e;
- } catch (CommunicationException e) {
- if (caughtException == null) {
- caughtException = e;
- }
- } catch (NamingException e) {
- if (caughtException == null) {
- caughtException = e;
- }
- doNotRetry[i] = true;
- }
- } // servers
- } // retries
+ } // servers
+ } // retries
- reqs.remove(xid);
+ } finally {
+ reqs.remove(xid); // cleanup
+ }
+
if (caughtException instanceof NamingException) {
throw (NamingException) caughtException;
}
diff --git a/src/share/classes/java/io/ObjectInputStream.java b/src/share/classes/java/io/ObjectInputStream.java
index 15ecd9b..61e76e3 100644
--- a/src/share/classes/java/io/ObjectInputStream.java
+++ b/src/share/classes/java/io/ObjectInputStream.java
@@ -1829,6 +1829,8 @@
throws IOException
{
SerialCallbackContext oldContext = curContext;
+ if (oldContext != null)
+ oldContext.check();
curContext = null;
try {
boolean blocked = desc.hasBlockExternalData();
@@ -1853,6 +1855,8 @@
skipCustomData();
}
} finally {
+ if (oldContext != null)
+ oldContext.check();
curContext = oldContext;
}
/*
@@ -1883,12 +1887,12 @@
ObjectStreamClass slotDesc = slots[i].desc;
if (slots[i].hasData) {
- if (obj != null &&
- slotDesc.hasReadObjectMethod() &&
- handles.lookupException(passHandle) == null)
- {
+ if (obj == null || handles.lookupException(passHandle) != null) {
+ defaultReadFields(null, slotDesc); // skip field values
+ } else if (slotDesc.hasReadObjectMethod()) {
SerialCallbackContext oldContext = curContext;
-
+ if (oldContext != null)
+ oldContext.check();
try {
curContext = new SerialCallbackContext(obj, slotDesc);
@@ -1905,6 +1909,8 @@
handles.markException(passHandle, ex);
} finally {
curContext.setUsed();
+ if (oldContext!= null)
+ oldContext.check();
curContext = oldContext;
}
@@ -1917,6 +1923,7 @@
} else {
defaultReadFields(obj, slotDesc);
}
+
if (slotDesc.hasWriteObjectData()) {
skipCustomData();
} else {
diff --git a/src/share/classes/java/io/SerialCallbackContext.java b/src/share/classes/java/io/SerialCallbackContext.java
index 748d38e..4009087 100644
--- a/src/share/classes/java/io/SerialCallbackContext.java
+++ b/src/share/classes/java/io/SerialCallbackContext.java
@@ -60,6 +60,13 @@
return desc;
}
+ public void check() throws NotActiveException {
+ if (thread != null && thread != Thread.currentThread()) {
+ throw new NotActiveException(
+ "expected thread: " + thread + ", but got: " + Thread.currentThread());
+ }
+ }
+
private void checkAndSetUsed() throws NotActiveException {
if (thread != Thread.currentThread()) {
throw new NotActiveException(
diff --git a/src/share/classes/java/net/InetAddress.java b/src/share/classes/java/net/InetAddress.java
index 99ec1ac..e7809b5 100644
--- a/src/share/classes/java/net/InetAddress.java
+++ b/src/share/classes/java/net/InetAddress.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -203,16 +203,33 @@
static transient boolean preferIPv6Address = false;
static class InetAddressHolder {
+ /**
+ * Reserve the original application specified hostname.
+ *
+ * The original hostname is useful for domain-based endpoint
+ * identification (see RFC 2818 and RFC 6125). If an address
+ * was created with a raw IP address, a reverse name lookup
+ * may introduce endpoint identification security issue via
+ * DNS forging.
+ *
+ * Oracle JSSE provider is using this original hostname, via
+ * sun.misc.JavaNetAccess, for SSL/TLS endpoint identification.
+ *
+ * Note: May define a new public method in the future if necessary.
+ */
+ private String originalHostName;
InetAddressHolder() {}
InetAddressHolder(String hostName, int address, int family) {
+ this.originalHostName = hostName;
this.hostName = hostName;
this.address = address;
this.family = family;
}
void init(String hostName, int family) {
+ this.originalHostName = hostName;
this.hostName = hostName;
if (family != -1) {
this.family = family;
@@ -225,6 +242,10 @@
return hostName;
}
+ String getOriginalHostName() {
+ return originalHostName;
+ }
+
/**
* Holds a 32-bit IPv4 address.
*/
diff --git a/src/share/classes/java/net/URLClassLoader.java b/src/share/classes/java/net/URLClassLoader.java
index a75ac30..a3038e2 100644
--- a/src/share/classes/java/net/URLClassLoader.java
+++ b/src/share/classes/java/net/URLClassLoader.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -774,6 +774,10 @@
public URLClassPath getURLClassPath (URLClassLoader u) {
return u.ucp;
}
+
+ public String getOriginalHostName(InetAddress ia) {
+ return ia.holder.getOriginalHostName();
+ }
}
);
ClassLoader.registerAsParallelCapable();
diff --git a/src/share/classes/java/security/Identity.java b/src/share/classes/java/security/Identity.java
index 6a5e87e..6eada6d 100644
--- a/src/share/classes/java/security/Identity.java
+++ b/src/share/classes/java/security/Identity.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -261,7 +261,7 @@
certificates.addElement(certificate);
}
- private boolean keyEquals(Key aKey, Key anotherKey) {
+ private boolean keyEquals(PublicKey aKey, PublicKey anotherKey) {
String aKeyFormat = aKey.getFormat();
String anotherKeyFormat = anotherKey.getFormat();
if ((aKeyFormat == null) ^ (anotherKeyFormat == null))
diff --git a/src/share/classes/java/security/MessageDigest.java b/src/share/classes/java/security/MessageDigest.java
index cf3e3a3..5a58f09 100644
--- a/src/share/classes/java/security/MessageDigest.java
+++ b/src/share/classes/java/security/MessageDigest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -440,6 +440,10 @@
* @return true if the digests are equal, false otherwise.
*/
public static boolean isEqual(byte[] digesta, byte[] digestb) {
+ if (digesta == digestb) return true;
+ if (digesta == null || digestb == null) {
+ return false;
+ }
if (digesta.length != digestb.length) {
return false;
}
diff --git a/src/share/classes/java/security/Signature.java b/src/share/classes/java/security/Signature.java
index dccbe0b..355d708 100644
--- a/src/share/classes/java/security/Signature.java
+++ b/src/share/classes/java/security/Signature.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -1316,7 +1316,7 @@
byte[] out = cipher.doFinal(sigBytes);
byte[] dataBytes = data.toByteArray();
data.reset();
- return Arrays.equals(out, dataBytes);
+ return MessageDigest.isEqual(out, dataBytes);
} catch (BadPaddingException e) {
// e.g. wrong public key used
// return false rather than throwing exception
diff --git a/src/share/classes/java/security/cert/X509CRLSelector.java b/src/share/classes/java/security/cert/X509CRLSelector.java
index 0580ee3..face5ff 100644
--- a/src/share/classes/java/security/cert/X509CRLSelector.java
+++ b/src/share/classes/java/security/cert/X509CRLSelector.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -679,10 +679,14 @@
nowPlusSkew = new Date(dateAndTime.getTime() + skew);
nowMinusSkew = new Date(dateAndTime.getTime() - skew);
}
+
+ // Check that the test date is within the validity interval:
+ // [ thisUpdate - MAX_CLOCK_SKEW,
+ // nextUpdate + MAX_CLOCK_SKEW ]
if (nowMinusSkew.after(nextUpdate)
|| nowPlusSkew.before(crlThisUpdate)) {
if (debug != null) {
- debug.println("X509CRLSelector.match: update out of range");
+ debug.println("X509CRLSelector.match: update out-of-range");
}
return false;
}
diff --git a/src/share/classes/javax/crypto/spec/SecretKeySpec.java b/src/share/classes/javax/crypto/spec/SecretKeySpec.java
index aedd9ca..56ca9b5 100644
--- a/src/share/classes/javax/crypto/spec/SecretKeySpec.java
+++ b/src/share/classes/javax/crypto/spec/SecretKeySpec.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
package javax.crypto.spec;
+import java.security.MessageDigest;
import java.security.spec.KeySpec;
import javax.crypto.SecretKey;
@@ -226,6 +227,6 @@
byte[] thatKey = ((SecretKey)obj).getEncoded();
- return java.util.Arrays.equals(this.key, thatKey);
+ return MessageDigest.isEqual(this.key, thatKey);
}
}
diff --git a/src/share/classes/javax/management/MBeanServerInvocationHandler.java b/src/share/classes/javax/management/MBeanServerInvocationHandler.java
index b06ca06..d667dc7 100644
--- a/src/share/classes/javax/management/MBeanServerInvocationHandler.java
+++ b/src/share/classes/javax/management/MBeanServerInvocationHandler.java
@@ -141,6 +141,12 @@
if (connection == null) {
throw new IllegalArgumentException("Null connection");
}
+ if (Proxy.isProxyClass(connection.getClass())) {
+ if (MBeanServerInvocationHandler.class.isAssignableFrom(
+ Proxy.getInvocationHandler(connection).getClass())) {
+ throw new IllegalArgumentException("Wrapping MBeanServerInvocationHandler");
+ }
+ }
if (objectName == null) {
throw new IllegalArgumentException("Null object name");
}
@@ -418,6 +424,10 @@
new Class<?>[] {Object.class})
&& isLocal(proxy, method))
return true;
+ if (methodName.equals("finalize")
+ && method.getParameterTypes().length == 0) {
+ return true;
+ }
return false;
}
@@ -453,6 +463,9 @@
connection + "[" + objectName + "])";
} else if (methodName.equals("hashCode")) {
return objectName.hashCode()+connection.hashCode();
+ } else if (methodName.equals("finalize")) {
+ // ignore the finalizer invocation via proxy
+ return null;
}
throw new RuntimeException("Unexpected method name: " + methodName);
diff --git a/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java b/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java
index 6f60de7..d4cecba 100644
--- a/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java
+++ b/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java
@@ -32,7 +32,6 @@
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permission;
-import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
@@ -59,6 +58,7 @@
import com.sun.jmx.remote.util.ClassLogger;
import com.sun.jmx.remote.util.EnvHelp;
import com.sun.jmx.remote.util.OrderClassLoaders;
+import javax.management.loading.ClassLoaderRepository;
/**
* <p>Implementation of the {@link RMIConnection} interface. User
@@ -131,20 +131,24 @@
final ClassLoader dcl = defaultClassLoader;
- this.classLoaderWithRepository =
- AccessController.doPrivileged(
- new PrivilegedAction<ClassLoaderWithRepository>() {
- public ClassLoaderWithRepository run() {
- return new ClassLoaderWithRepository(
- mbeanServer.getClassLoaderRepository(),
- dcl);
- }
- },
-
- withPermissions( new MBeanPermission("*", "getClassLoaderRepository"),
- new RuntimePermission("createClassLoader"))
- );
-
+ ClassLoaderRepository repository = AccessController.doPrivileged(
+ new PrivilegedAction<ClassLoaderRepository>() {
+ public ClassLoaderRepository run() {
+ return mbeanServer.getClassLoaderRepository();
+ }
+ },
+ withPermissions(new MBeanPermission("*", "getClassLoaderRepository"))
+ );
+ this.classLoaderWithRepository = AccessController.doPrivileged(
+ new PrivilegedAction<ClassLoaderWithRepository>() {
+ public ClassLoaderWithRepository run() {
+ return new ClassLoaderWithRepository(
+ repository,
+ dcl);
+ }
+ },
+ withPermissions(new RuntimePermission("createClassLoader"))
+ );
this.defaultContextClassLoader =
AccessController.doPrivileged(
diff --git a/src/share/classes/sun/awt/datatransfer/SunClipboard.java b/src/share/classes/sun/awt/datatransfer/SunClipboard.java
index 388ebaf..da186ed 100644
--- a/src/share/classes/sun/awt/datatransfer/SunClipboard.java
+++ b/src/share/classes/sun/awt/datatransfer/SunClipboard.java
@@ -150,7 +150,7 @@
* AppContext as it is currently retrieved or null otherwise
* @since 1.5
*/
- private synchronized Transferable getContextContents() {
+ protected synchronized Transferable getContextContents() {
AppContext context = AppContext.getAppContext();
return (context == contentsContext) ? contents : null;
}
@@ -281,42 +281,41 @@
return;
}
- final Runnable runnable = new Runnable() {
- public void run() {
- final SunClipboard sunClipboard = SunClipboard.this;
- ClipboardOwner owner = null;
- Transferable contents = null;
-
- synchronized (sunClipboard) {
- final AppContext context = sunClipboard.contentsContext;
-
- if (context == null) {
- return;
- }
-
- if (disposedContext == null || context == disposedContext) {
- owner = sunClipboard.owner;
- contents = sunClipboard.contents;
- sunClipboard.contentsContext = null;
- sunClipboard.owner = null;
- sunClipboard.contents = null;
- sunClipboard.clearNativeContext();
- context.removePropertyChangeListener
- (AppContext.DISPOSED_PROPERTY_NAME, sunClipboard);
- } else {
- return;
- }
- }
- if (owner != null) {
- owner.lostOwnership(sunClipboard, contents);
- }
- }
- };
-
- SunToolkit.postEvent(context, new PeerEvent(this, runnable,
+ SunToolkit.postEvent(context, new PeerEvent(this, () -> lostOwnershipNow(disposedContext),
PeerEvent.PRIORITY_EVENT));
}
+ protected void lostOwnershipNow(final AppContext disposedContext) {
+ final SunClipboard sunClipboard = SunClipboard.this;
+ ClipboardOwner owner = null;
+ Transferable contents = null;
+
+ synchronized (sunClipboard) {
+ final AppContext context = sunClipboard.contentsContext;
+
+ if (context == null) {
+ return;
+ }
+
+ if (disposedContext == null || context == disposedContext) {
+ owner = sunClipboard.owner;
+ contents = sunClipboard.contents;
+ sunClipboard.contentsContext = null;
+ sunClipboard.owner = null;
+ sunClipboard.contents = null;
+ sunClipboard.clearNativeContext();
+ context.removePropertyChangeListener
+ (AppContext.DISPOSED_PROPERTY_NAME, sunClipboard);
+ } else {
+ return;
+ }
+ }
+ if (owner != null) {
+ owner.lostOwnership(sunClipboard, contents);
+ }
+ }
+
+
protected abstract void clearNativeContext();
protected abstract void setContentsNative(Transferable contents);
diff --git a/src/share/classes/sun/misc/JavaNetAccess.java b/src/share/classes/sun/misc/JavaNetAccess.java
index cc7bec1..9087831 100644
--- a/src/share/classes/sun/misc/JavaNetAccess.java
+++ b/src/share/classes/sun/misc/JavaNetAccess.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,10 +26,17 @@
package sun.misc;
import java.net.URLClassLoader;
+import java.net.InetAddress;
public interface JavaNetAccess {
/**
* return the URLClassPath belonging to the given loader
*/
URLClassPath getURLClassPath (URLClassLoader u);
+
+ /**
+ * Return the original application specified hostname of
+ * the given InetAddress object.
+ */
+ String getOriginalHostName(InetAddress ia);
}
diff --git a/src/share/classes/sun/security/pkcs11/P11Key.java b/src/share/classes/sun/security/pkcs11/P11Key.java
index 235c148..80db59a 100644
--- a/src/share/classes/sun/security/pkcs11/P11Key.java
+++ b/src/share/classes/sun/security/pkcs11/P11Key.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -165,7 +165,7 @@
} else {
otherEnc = other.getEncoded();
}
- return Arrays.equals(thisEnc, otherEnc);
+ return MessageDigest.isEqual(thisEnc, otherEnc);
}
public int hashCode() {
diff --git a/src/share/classes/sun/security/pkcs11/wrapper/Functions.java b/src/share/classes/sun/security/pkcs11/wrapper/Functions.java
index 58f778e..9cef076 100644
--- a/src/share/classes/sun/security/pkcs11/wrapper/Functions.java
+++ b/src/share/classes/sun/security/pkcs11/wrapper/Functions.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
*/
/* Copyright (c) 2002 Graz University of Technology. All rights reserved.
@@ -447,22 +447,6 @@
/**
* Check the given arrays for equalitiy. This method considers both arrays as
* equal, if both are <code>null</code> or both have the same length and
- * contain exactly the same byte values.
- *
- * @param array1 The first array.
- * @param array2 The second array.
- * @return True, if both arrays are <code>null</code> or both have the same
- * length and contain exactly the same byte values. False, otherwise.
- * @preconditions
- * @postconditions
- */
- public static boolean equals(byte[] array1, byte[] array2) {
- return Arrays.equals(array1, array2);
- }
-
- /**
- * Check the given arrays for equalitiy. This method considers both arrays as
- * equal, if both are <code>null</code> or both have the same length and
* contain exactly the same char values.
*
* @param array1 The first array.
@@ -472,7 +456,7 @@
* @preconditions
* @postconditions
*/
- public static boolean equals(char[] array1, char[] array2) {
+ private static boolean equals(char[] array1, char[] array2) {
return Arrays.equals(array1, array2);
}
diff --git a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
index bdedcd0..b63ed6b 100644
--- a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
+++ b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -2012,7 +2012,7 @@
"(MAC algorithm: " + m.getAlgorithm() + ")");
}
- if (!Arrays.equals(macData.getDigest(), macResult)) {
+ if (!MessageDigest.isEqual(macData.getDigest(), macResult)) {
throw new SecurityException("Failed PKCS12" +
" integrity checking");
}
diff --git a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
index 8075d73..47755e7 100644
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -151,8 +151,8 @@
private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;
/**
- * Integer value indicating the maximum allowable clock skew, in seconds,
- * to be used for the OCSP check.
+ * Integer value indicating the maximum allowable clock skew,
+ * in milliseconds, to be used for the OCSP check.
*/
private static final int MAX_CLOCK_SKEW = initializeClockSkew();
@@ -586,13 +586,14 @@
"Unable to verify OCSP Response's signature");
}
- // Check freshness of OCSPResponse
if (nonce != null) {
if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) {
throw new CertPathValidatorException("Nonces don't match");
}
}
+ // Check freshness of OCSPResponse
+
long now = (date == null) ? System.currentTimeMillis() : date.getTime();
Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
@@ -602,13 +603,18 @@
if (sr.nextUpdate != null) {
until = " until " + sr.nextUpdate;
}
- debug.println("Response's validity interval is from " +
+ debug.println("OCSP response validity interval is from " +
sr.thisUpdate + until);
+ debug.println("Checking validity of OCSP response on: " +
+ new Date(now));
}
- // Check that the test date is within the validity interval
- if ((sr.thisUpdate != null && nowPlusSkew.before(sr.thisUpdate)) ||
- (sr.nextUpdate != null && nowMinusSkew.after(sr.nextUpdate)))
+ // Check that the test date is within the validity interval:
+ // [ thisUpdate - MAX_CLOCK_SKEW,
+ // MAX(thisUpdate, nextUpdate) + MAX_CLOCK_SKEW ]
+ if (nowPlusSkew.before(sr.thisUpdate) ||
+ nowMinusSkew.after(
+ sr.nextUpdate != null ? sr.nextUpdate : sr.thisUpdate))
{
throw new CertPathValidatorException(
"Response is unreliable: its validity " +
diff --git a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
index 571801f..98816f7 100644
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
+++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -159,12 +159,19 @@
ValidatorParams params)
throws CertPathValidatorException
{
+ // check if anchor is untrusted
+ UntrustedChecker untrustedChecker = new UntrustedChecker();
+ X509Certificate anchorCert = anchor.getTrustedCert();
+ if (anchorCert != null) {
+ untrustedChecker.check(anchorCert);
+ }
+
int certPathLen = params.certificates().size();
// create PKIXCertPathCheckers
List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
// add standard checkers that we will be using
- certPathCheckers.add(new UntrustedChecker());
+ certPathCheckers.add(untrustedChecker);
certPathCheckers.add(new AlgorithmChecker(anchor));
certPathCheckers.add(new KeyChecker(certPathLen,
params.targetCertConstraints()));
diff --git a/src/share/classes/sun/security/rsa/RSASignature.java b/src/share/classes/sun/security/rsa/RSASignature.java
index d5ba1f8..f1572f7 100644
--- a/src/share/classes/sun/security/rsa/RSASignature.java
+++ b/src/share/classes/sun/security/rsa/RSASignature.java
@@ -27,7 +27,6 @@
import java.io.IOException;
import java.nio.ByteBuffer;
-import java.util.Arrays;
import java.security.*;
import java.security.interfaces.*;
@@ -194,7 +193,7 @@
byte[] decrypted = RSACore.rsa(sigBytes, publicKey);
byte[] unpadded = padding.unpad(decrypted);
byte[] decodedDigest = decodeSignature(digestOID, unpadded);
- return Arrays.equals(digest, decodedDigest);
+ return MessageDigest.isEqual(digest, decodedDigest);
} catch (javax.crypto.BadPaddingException e) {
// occurs if the app has used the wrong RSA public key
// or if sigBytes is invalid
diff --git a/src/share/classes/sun/security/ssl/CipherSuite.java b/src/share/classes/sun/security/ssl/CipherSuite.java
index 7035171..740cdd6 100644
--- a/src/share/classes/sun/security/ssl/CipherSuite.java
+++ b/src/share/classes/sun/security/ssl/CipherSuite.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -968,7 +968,7 @@
* 1. Prefer Suite B compliant cipher suites, see RFC6460 (To be
* changed later, see below).
* 2. Prefer the stronger bulk cipher, in the order of AES_256(GCM),
- * AES_128(GCM), AES_256, AES_128, 3DES-EDE, RC-4.
+ * AES_128(GCM), AES_256, AES_128, 3DES-EDE.
* 3. Prefer the stronger MAC algorithm, in the order of SHA384,
* SHA256, SHA, MD5.
* 4. Prefer the better performance of key exchange and digital
@@ -1115,20 +1115,6 @@
add("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
0x0013, --p, K_DHE_DSS, B_3DES, N);
- // RC-4
- add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
- 0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N);
- add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
- 0xC011, --p, K_ECDHE_RSA, B_RC4_128, N);
- add("SSL_RSA_WITH_RC4_128_SHA",
- 0x0005, --p, K_RSA, B_RC4_128, N);
- add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
- 0xC002, --p, K_ECDH_ECDSA, B_RC4_128, N);
- add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
- 0xC00C, --p, K_ECDH_RSA, B_RC4_128, N);
- add("SSL_RSA_WITH_RC4_128_MD5",
- 0x0004, --p, K_RSA, B_RC4_128, N);
-
// Renegotiation protection request Signalling Cipher Suite Value (SCSV)
add("TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
0x00ff, --p, K_SCSV, B_NULL, T);
@@ -1178,6 +1164,20 @@
add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
0x001b, --p, K_DH_ANON, B_3DES, N);
+ // RC-4
+ add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+ 0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N);
+ add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+ 0xC011, --p, K_ECDHE_RSA, B_RC4_128, N);
+ add("SSL_RSA_WITH_RC4_128_SHA",
+ 0x0005, --p, K_RSA, B_RC4_128, N);
+ add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+ 0xC002, --p, K_ECDH_ECDSA, B_RC4_128, N);
+ add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
+ 0xC00C, --p, K_ECDH_RSA, B_RC4_128, N);
+ add("SSL_RSA_WITH_RC4_128_MD5",
+ 0x0004, --p, K_RSA, B_RC4_128, N);
+
add("TLS_ECDH_anon_WITH_RC4_128_SHA",
0xC016, --p, K_ECDH_ANON, B_RC4_128, N);
add("SSL_DH_anon_WITH_RC4_128_MD5",
diff --git a/src/share/classes/sun/security/ssl/ClientHandshaker.java b/src/share/classes/sun/security/ssl/ClientHandshaker.java
index 36afca6..c676a59 100644
--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java
+++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java
@@ -485,7 +485,7 @@
0, clientVerifyData.length);
System.arraycopy(serverVerifyData, 0, verifyData,
clientVerifyData.length, serverVerifyData.length);
- if (!Arrays.equals(verifyData,
+ if (!MessageDigest.isEqual(verifyData,
serverHelloRI.getRenegotiatedConnection())) {
fatalSE(Alerts.alert_handshake_failure,
"Incorrect verify data in ServerHello " +
diff --git a/src/share/classes/sun/security/ssl/HandshakeMessage.java b/src/share/classes/sun/security/ssl/HandshakeMessage.java
index 4190830..cc910a2 100644
--- a/src/share/classes/sun/security/ssl/HandshakeMessage.java
+++ b/src/share/classes/sun/security/ssl/HandshakeMessage.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -1907,7 +1907,7 @@
*/
boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) {
byte[] myFinished = getFinished(handshakeHash, sender, master);
- return Arrays.equals(myFinished, verifyData);
+ return MessageDigest.isEqual(myFinished, verifyData);
}
/*
diff --git a/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java b/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
index 1a8a973..1916196 100644
--- a/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
+++ b/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -34,9 +34,9 @@
import java.security.Key;
import java.util.Set;
-import java.util.HashSet;
import sun.security.util.DisabledAlgorithmConstraints;
+import static sun.security.util.DisabledAlgorithmConstraints.*;
import sun.security.ssl.CipherSuite.*;
/**
@@ -46,10 +46,15 @@
* for the syntax of the disabled algorithm string.
*/
final class SSLAlgorithmConstraints implements AlgorithmConstraints {
+
private final static AlgorithmConstraints tlsDisabledAlgConstraints =
- new TLSDisabledAlgConstraints();
+ new DisabledAlgorithmConstraints(PROPERTY_TLS_DISABLED_ALGS,
+ new SSLAlgorithmDecomposer());
+
private final static AlgorithmConstraints x509DisabledAlgConstraints =
- new X509DisabledAlgConstraints();
+ new DisabledAlgorithmConstraints(PROPERTY_CERTPATH_DISABLED_ALGS,
+ new SSLAlgorithmDecomposer(true));
+
private AlgorithmConstraints userAlgConstraints = null;
private AlgorithmConstraints peerAlgConstraints = null;
@@ -267,217 +272,4 @@
}
}
- static private class BasicDisabledAlgConstraints
- extends DisabledAlgorithmConstraints {
- BasicDisabledAlgConstraints(String propertyName) {
- super(propertyName);
- }
-
- protected Set<String> decomposes(KeyExchange keyExchange,
- boolean forCertPathOnly) {
- Set<String> components = new HashSet<>();
- switch (keyExchange) {
- case K_NULL:
- if (!forCertPathOnly) {
- components.add("NULL");
- }
- break;
- case K_RSA:
- components.add("RSA");
- break;
- case K_RSA_EXPORT:
- components.add("RSA");
- components.add("RSA_EXPORT");
- break;
- case K_DH_RSA:
- components.add("RSA");
- components.add("DH");
- components.add("DiffieHellman");
- components.add("DH_RSA");
- break;
- case K_DH_DSS:
- components.add("DSA");
- components.add("DSS");
- components.add("DH");
- components.add("DiffieHellman");
- components.add("DH_DSS");
- break;
- case K_DHE_DSS:
- components.add("DSA");
- components.add("DSS");
- components.add("DH");
- components.add("DHE");
- components.add("DiffieHellman");
- components.add("DHE_DSS");
- break;
- case K_DHE_RSA:
- components.add("RSA");
- components.add("DH");
- components.add("DHE");
- components.add("DiffieHellman");
- components.add("DHE_RSA");
- break;
- case K_DH_ANON:
- if (!forCertPathOnly) {
- components.add("ANON");
- components.add("DH");
- components.add("DiffieHellman");
- components.add("DH_ANON");
- }
- break;
- case K_ECDH_ECDSA:
- components.add("ECDH");
- components.add("ECDSA");
- components.add("ECDH_ECDSA");
- break;
- case K_ECDH_RSA:
- components.add("ECDH");
- components.add("RSA");
- components.add("ECDH_RSA");
- break;
- case K_ECDHE_ECDSA:
- components.add("ECDHE");
- components.add("ECDSA");
- components.add("ECDHE_ECDSA");
- break;
- case K_ECDHE_RSA:
- components.add("ECDHE");
- components.add("RSA");
- components.add("ECDHE_RSA");
- break;
- case K_ECDH_ANON:
- if (!forCertPathOnly) {
- components.add("ECDH");
- components.add("ANON");
- components.add("ECDH_ANON");
- }
- break;
- case K_KRB5:
- if (!forCertPathOnly) {
- components.add("KRB5");
- }
- break;
- case K_KRB5_EXPORT:
- if (!forCertPathOnly) {
- components.add("KRB5_EXPORT");
- }
- break;
- default:
- // ignore
- }
-
- return components;
- }
-
- protected Set<String> decomposes(BulkCipher bulkCipher) {
- Set<String> components = new HashSet<>();
-
- if (bulkCipher.transformation != null) {
- components.addAll(super.decomposes(bulkCipher.transformation));
- }
-
- return components;
- }
-
- protected Set<String> decomposes(MacAlg macAlg) {
- Set<String> components = new HashSet<>();
-
- if (macAlg == CipherSuite.M_MD5) {
- components.add("MD5");
- components.add("HmacMD5");
- } else if (macAlg == CipherSuite.M_SHA) {
- components.add("SHA1");
- components.add("SHA-1");
- components.add("HmacSHA1");
- } else if (macAlg == CipherSuite.M_SHA256) {
- components.add("SHA256");
- components.add("SHA-256");
- components.add("HmacSHA256");
- } else if (macAlg == CipherSuite.M_SHA384) {
- components.add("SHA384");
- components.add("SHA-384");
- components.add("HmacSHA384");
- }
-
- return components;
- }
- }
-
- static private class TLSDisabledAlgConstraints
- extends BasicDisabledAlgConstraints {
-
- TLSDisabledAlgConstraints() {
- super(DisabledAlgorithmConstraints.PROPERTY_TLS_DISABLED_ALGS);
- }
-
- @Override
- protected Set<String> decomposes(String algorithm) {
- if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) {
- CipherSuite cipherSuite = null;
- try {
- cipherSuite = CipherSuite.valueOf(algorithm);
- } catch (IllegalArgumentException iae) {
- // ignore: unknown or unsupported ciphersuite
- }
-
- if (cipherSuite != null) {
- Set<String> components = new HashSet<>();
-
- if(cipherSuite.keyExchange != null) {
- components.addAll(
- decomposes(cipherSuite.keyExchange, false));
- }
-
- if (cipherSuite.cipher != null) {
- components.addAll(decomposes(cipherSuite.cipher));
- }
-
- if (cipherSuite.macAlg != null) {
- components.addAll(decomposes(cipherSuite.macAlg));
- }
-
- return components;
- }
- }
-
- return super.decomposes(algorithm);
- }
- }
-
- static private class X509DisabledAlgConstraints
- extends BasicDisabledAlgConstraints {
-
- X509DisabledAlgConstraints() {
- super(DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
- }
-
- @Override
- protected Set<String> decomposes(String algorithm) {
- if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) {
- CipherSuite cipherSuite = null;
- try {
- cipherSuite = CipherSuite.valueOf(algorithm);
- } catch (IllegalArgumentException iae) {
- // ignore: unknown or unsupported ciphersuite
- }
-
- if (cipherSuite != null) {
- Set<String> components = new HashSet<>();
-
- if(cipherSuite.keyExchange != null) {
- components.addAll(
- decomposes(cipherSuite.keyExchange, true));
- }
-
- // Certification path algorithm constraints do not apply
- // to cipherSuite.cipher and cipherSuite.macAlg.
-
- return components;
- }
- }
-
- return super.decomposes(algorithm);
- }
- }
}
-
diff --git a/src/share/classes/sun/security/ssl/SSLAlgorithmDecomposer.java b/src/share/classes/sun/security/ssl/SSLAlgorithmDecomposer.java
new file mode 100644
index 0000000..f14e095
--- /dev/null
+++ b/src/share/classes/sun/security/ssl/SSLAlgorithmDecomposer.java
@@ -0,0 +1,251 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.util.HashSet;
+import java.util.Set;
+import sun.security.util.AlgorithmDecomposer;
+import static sun.security.ssl.CipherSuite.*;
+import static sun.security.ssl.CipherSuite.KeyExchange.*;
+
+/**
+ * The class decomposes standard SSL/TLS cipher suites into sub-elements.
+ */
+class SSLAlgorithmDecomposer extends AlgorithmDecomposer {
+
+ // indicates that only certification path algorithms need to be used
+ private final boolean onlyX509;
+
+ SSLAlgorithmDecomposer(boolean onlyX509) {
+ this.onlyX509 = onlyX509;
+ }
+
+ SSLAlgorithmDecomposer() {
+ this(false);
+ }
+
+ private Set<String> decomposes(CipherSuite.KeyExchange keyExchange) {
+ Set<String> components = new HashSet<>();
+ switch (keyExchange) {
+ case K_NULL:
+ if (!onlyX509) {
+ components.add("K_NULL");
+ }
+ break;
+ case K_RSA:
+ components.add("RSA");
+ break;
+ case K_RSA_EXPORT:
+ components.add("RSA");
+ components.add("RSA_EXPORT");
+ break;
+ case K_DH_RSA:
+ components.add("RSA");
+ components.add("DH");
+ components.add("DiffieHellman");
+ components.add("DH_RSA");
+ break;
+ case K_DH_DSS:
+ components.add("DSA");
+ components.add("DSS");
+ components.add("DH");
+ components.add("DiffieHellman");
+ components.add("DH_DSS");
+ break;
+ case K_DHE_DSS:
+ components.add("DSA");
+ components.add("DSS");
+ components.add("DH");
+ components.add("DHE");
+ components.add("DiffieHellman");
+ components.add("DHE_DSS");
+ break;
+ case K_DHE_RSA:
+ components.add("RSA");
+ components.add("DH");
+ components.add("DHE");
+ components.add("DiffieHellman");
+ components.add("DHE_RSA");
+ break;
+ case K_DH_ANON:
+ if (!onlyX509) {
+ components.add("ANON");
+ components.add("DH");
+ components.add("DiffieHellman");
+ components.add("DH_ANON");
+ }
+ break;
+ case K_ECDH_ECDSA:
+ components.add("ECDH");
+ components.add("ECDSA");
+ components.add("ECDH_ECDSA");
+ break;
+ case K_ECDH_RSA:
+ components.add("ECDH");
+ components.add("RSA");
+ components.add("ECDH_RSA");
+ break;
+ case K_ECDHE_ECDSA:
+ components.add("ECDHE");
+ components.add("ECDSA");
+ components.add("ECDHE_ECDSA");
+ break;
+ case K_ECDHE_RSA:
+ components.add("ECDHE");
+ components.add("RSA");
+ components.add("ECDHE_RSA");
+ break;
+ case K_ECDH_ANON:
+ if (!onlyX509) {
+ components.add("ECDH");
+ components.add("ANON");
+ components.add("ECDH_ANON");
+ }
+ break;
+ case K_KRB5:
+ if (!onlyX509) {
+ components.add("KRB5");
+ }
+ break;
+ case K_KRB5_EXPORT:
+ if (!onlyX509) {
+ components.add("KRB5_EXPORT");
+ }
+ break;
+ default:
+ // ignore
+ }
+
+ return components;
+ }
+
+ private Set<String> decomposes(CipherSuite.BulkCipher bulkCipher) {
+ Set<String> components = new HashSet<>();
+
+ if (bulkCipher.transformation != null) {
+ components.addAll(super.decompose(bulkCipher.transformation));
+ }
+
+ if (bulkCipher == B_NULL) {
+ components.add("C_NULL");
+ } else if (bulkCipher == B_RC2_40) {
+ components.add("RC2_CBC_40");
+ } else if (bulkCipher == B_RC4_40) {
+ components.add("RC4_40");
+ } else if (bulkCipher == B_RC4_128) {
+ components.add("RC4_128");
+ } else if (bulkCipher == B_DES_40) {
+ components.add("DES40_CBC");
+ components.add("DES_CBC_40");
+ } else if (bulkCipher == B_DES) {
+ components.add("DES_CBC");
+ } else if (bulkCipher == B_3DES) {
+ components.add("3DES_EDE_CBC");
+ } else if (bulkCipher == B_AES_128) {
+ components.add("AES_128_CBC");
+ } else if (bulkCipher == B_AES_256) {
+ components.add("AES_256_CBC");
+ } else if (bulkCipher == B_AES_128_GCM) {
+ components.add("AES_128_GCM");
+ } else if (bulkCipher == B_AES_256_GCM) {
+ components.add("AES_256_GCM");
+ }
+
+ return components;
+ }
+
+ private Set<String> decomposes(CipherSuite.MacAlg macAlg,
+ BulkCipher cipher) {
+ Set<String> components = new HashSet<>();
+
+ if (macAlg == M_NULL
+ && cipher.cipherType != CipherType.AEAD_CIPHER) {
+ components.add("M_NULL");
+ } else if (macAlg == M_MD5) {
+ components.add("MD5");
+ components.add("HmacMD5");
+ } else if (macAlg == M_SHA) {
+ components.add("SHA1");
+ components.add("SHA-1");
+ components.add("HmacSHA1");
+ } else if (macAlg == M_SHA256) {
+ components.add("SHA256");
+ components.add("SHA-256");
+ components.add("HmacSHA256");
+ } else if (macAlg == M_SHA384) {
+ components.add("SHA384");
+ components.add("SHA-384");
+ components.add("HmacSHA384");
+ }
+
+ return components;
+ }
+
+ private Set<String> decompose(KeyExchange keyExchange, BulkCipher cipher,
+ MacAlg macAlg) {
+ Set<String> components = new HashSet<>();
+
+ if (keyExchange != null) {
+ components.addAll(decomposes(keyExchange));
+ }
+
+ if (onlyX509) {
+ // Certification path algorithm constraints do not apply
+ // to cipher and macAlg.
+ return components;
+ }
+
+ if (cipher != null) {
+ components.addAll(decomposes(cipher));
+ }
+
+ if (macAlg != null) {
+ components.addAll(decomposes(macAlg, cipher));
+ }
+
+ return components;
+ }
+
+ @Override
+ public Set<String> decompose(String algorithm) {
+ if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) {
+ CipherSuite cipherSuite = null;
+ try {
+ cipherSuite = CipherSuite.valueOf(algorithm);
+ } catch (IllegalArgumentException iae) {
+ // ignore: unknown or unsupported ciphersuite
+ }
+
+ if (cipherSuite != null) {
+ return decompose(cipherSuite.keyExchange, cipherSuite.cipher,
+ cipherSuite.macAlg);
+ }
+ }
+
+ return super.decompose(algorithm);
+ }
+
+}
diff --git a/src/share/classes/sun/security/ssl/SSLSocketImpl.java b/src/share/classes/sun/security/ssl/SSLSocketImpl.java
index 7b91f3e..6b98e93 100644
--- a/src/share/classes/sun/security/ssl/SSLSocketImpl.java
+++ b/src/share/classes/sun/security/ssl/SSLSocketImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -40,6 +40,9 @@
import javax.crypto.BadPaddingException;
import javax.net.ssl.*;
+import sun.misc.JavaNetAccess;
+import sun.misc.SharedSecrets;
+
/**
* Implementation of an SSL socket. This is a normal connection type
* socket, implementing SSL over some lower level socket, such as TCP.
@@ -389,6 +392,15 @@
*/
private boolean preferLocalCipherSuites = false;
+ /*
+ * Is the local name service trustworthy?
+ *
+ * If the local name service is not trustworthy, reverse host name
+ * resolution should not be performed for endpoint identification.
+ */
+ static final boolean trustNameService =
+ Debug.getBooleanProperty("jdk.tls.trustNameService", false);
+
//
// CONSTRUCTORS AND INITIALIZATION CODE
//
@@ -2149,11 +2161,41 @@
synchronized String getHost() {
// Note that the host may be null or empty for localhost.
if (host == null || host.length() == 0) {
- host = getInetAddress().getHostName();
+ if (!trustNameService) {
+ // If the local name service is not trustworthy, reverse host
+ // name resolution should not be performed for endpoint
+ // identification. Use the application original specified
+ // hostname or IP address instead.
+ host = getOriginalHostname(getInetAddress());
+ } else {
+ host = getInetAddress().getHostName();
+ }
}
+
return host;
}
+ /*
+ * Get the original application specified hostname.
+ */
+ private static String getOriginalHostname(InetAddress inetAddress) {
+ /*
+ * Get the original hostname via sun.misc.SharedSecrets.
+ */
+ JavaNetAccess jna = SharedSecrets.getJavaNetAccess();
+ String originalHostname = jna.getOriginalHostName(inetAddress);
+
+ /*
+ * If no application specified hostname, use the IP address.
+ */
+ if (originalHostname == null || originalHostname.length() == 0) {
+ originalHostname = inetAddress.getHostAddress();
+ }
+
+ return originalHostname;
+ }
+
+
// ONLY used by HttpsClient to setup the URI specified hostname
//
// Please NOTE that this method MUST be called before calling to
diff --git a/src/share/classes/sun/security/ssl/ServerHandshaker.java b/src/share/classes/sun/security/ssl/ServerHandshaker.java
index 37babc7..97f7c5e 100644
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -41,6 +41,7 @@
import javax.security.auth.Subject;
import sun.security.util.KeyUtil;
+import sun.security.util.LegacyAlgorithmConstraints;
import sun.security.action.GetPropertyAction;
import sun.security.ssl.HandshakeMessage.*;
import sun.security.ssl.CipherSuite.*;
@@ -106,6 +107,12 @@
// The customized ephemeral DH key size for non-exportable cipher suites.
private static final int customizedDHKeySize;
+ // legacy algorithm constraints
+ private static final AlgorithmConstraints legacyAlgorithmConstraints =
+ new LegacyAlgorithmConstraints(
+ LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,
+ new SSLAlgorithmDecomposer());
+
static {
String property = AccessController.doPrivileged(
new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
@@ -406,7 +413,7 @@
}
// verify the client_verify_data value
- if (!Arrays.equals(clientVerifyData,
+ if (!MessageDigest.isEqual(clientVerifyData,
clientHelloRI.getRenegotiatedConnection())) {
fatalSE(Alerts.alert_handshake_failure,
"Incorrect verify data in ClientHello " +
@@ -995,6 +1002,7 @@
proposed = getActiveCipherSuites();
}
+ List<CipherSuite> legacySuites = new ArrayList<>();
for (CipherSuite suite : prefered.collection()) {
if (isNegotiable(proposed, suite) == false) {
continue;
@@ -1006,11 +1014,24 @@
continue;
}
}
+
+ if (!legacyAlgorithmConstraints.permits(null, suite.name, null)) {
+ legacySuites.add(suite);
+ continue;
+ }
+
if (trySetCipherSuite(suite) == false) {
continue;
}
return;
}
+
+ for (CipherSuite suite : legacySuites) {
+ if (trySetCipherSuite(suite)) {
+ return;
+ }
+ }
+
fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common");
}
diff --git a/src/share/classes/sun/security/util/AbstractAlgorithmConstraints.java b/src/share/classes/sun/security/util/AbstractAlgorithmConstraints.java
new file mode 100644
index 0000000..4c3efd9
--- /dev/null
+++ b/src/share/classes/sun/security/util/AbstractAlgorithmConstraints.java
@@ -0,0 +1,119 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.security.AccessController;
+import java.security.AlgorithmConstraints;
+import java.security.PrivilegedAction;
+import java.security.Security;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * The class contains common functionality for algorithm constraints classes.
+ */
+public abstract class AbstractAlgorithmConstraints
+ implements AlgorithmConstraints {
+
+ protected final AlgorithmDecomposer decomposer;
+
+ protected AbstractAlgorithmConstraints(AlgorithmDecomposer decomposer) {
+ this.decomposer = decomposer;
+ }
+
+ // Get algorithm constraints from the specified security property.
+ private static void loadAlgorithmsMap(Map<String, String[]> algorithmsMap,
+ String propertyName) {
+ String property = AccessController.doPrivileged(
+ (PrivilegedAction<String>) () -> Security.getProperty(
+ propertyName));
+
+ String[] algorithmsInProperty = null;
+ if (property != null && !property.isEmpty()) {
+ // remove double quote marks from beginning/end of the property
+ if (property.charAt(0) == '"'
+ && property.charAt(property.length() - 1) == '"') {
+ property = property.substring(1, property.length() - 1);
+ }
+ algorithmsInProperty = property.split(",");
+ for (int i = 0; i < algorithmsInProperty.length;
+ i++) {
+ algorithmsInProperty[i] = algorithmsInProperty[i].trim();
+ }
+ }
+
+ // map the disabled algorithms
+ if (algorithmsInProperty == null) {
+ algorithmsInProperty = new String[0];
+ }
+ algorithmsMap.put(propertyName, algorithmsInProperty);
+ }
+
+ static String[] getAlgorithms(Map<String, String[]> algorithmsMap,
+ String propertyName) {
+ synchronized (algorithmsMap) {
+ if (!algorithmsMap.containsKey(propertyName)) {
+ loadAlgorithmsMap(algorithmsMap, propertyName);
+ }
+
+ return algorithmsMap.get(propertyName);
+ }
+ }
+
+ static boolean checkAlgorithm(String[] algorithms, String algorithm,
+ AlgorithmDecomposer decomposer) {
+ if (algorithm == null || algorithm.length() == 0) {
+ throw new IllegalArgumentException("No algorithm name specified");
+ }
+
+ Set<String> elements = null;
+ for (String item : algorithms) {
+ if (item == null || item.isEmpty()) {
+ continue;
+ }
+
+ // check the full name
+ if (item.equalsIgnoreCase(algorithm)) {
+ return false;
+ }
+
+ // decompose the algorithm into sub-elements
+ if (elements == null) {
+ elements = decomposer.decompose(algorithm);
+ }
+
+ // check the items of the algorithm
+ for (String element : elements) {
+ if (item.equalsIgnoreCase(element)) {
+ return false;
+ }
+ }
+ }
+
+ return true;
+ }
+
+}
diff --git a/src/share/classes/sun/security/util/AlgorithmDecomposer.java b/src/share/classes/sun/security/util/AlgorithmDecomposer.java
new file mode 100644
index 0000000..394b846
--- /dev/null
+++ b/src/share/classes/sun/security/util/AlgorithmDecomposer.java
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.util.HashSet;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+/**
+ * The class decomposes standard algorithms into sub-elements.
+ */
+public class AlgorithmDecomposer {
+
+ private static final Pattern transPattern = Pattern.compile("/");
+ private static final Pattern pattern =
+ Pattern.compile("with|and", Pattern.CASE_INSENSITIVE);
+
+ /**
+ * Decompose the standard algorithm name into sub-elements.
+ * <p>
+ * For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA"
+ * so that we can check the "SHA1" and "RSA" algorithm constraints
+ * separately.
+ * <p>
+ * Please override the method if need to support more name pattern.
+ */
+ public Set<String> decompose(String algorithm) {
+ if (algorithm == null || algorithm.length() == 0) {
+ return new HashSet<>();
+ }
+
+ // algorithm/mode/padding
+ String[] transTockens = transPattern.split(algorithm);
+
+ Set<String> elements = new HashSet<>();
+ for (String transTocken : transTockens) {
+ if (transTocken == null || transTocken.length() == 0) {
+ continue;
+ }
+
+ // PBEWith<digest>And<encryption>
+ // PBEWith<prf>And<encryption>
+ // OAEPWith<digest>And<mgf>Padding
+ // <digest>with<encryption>
+ // <digest>with<encryption>and<mgf>
+ String[] tokens = pattern.split(transTocken);
+
+ for (String token : tokens) {
+ if (token == null || token.length() == 0) {
+ continue;
+ }
+
+ elements.add(token);
+ }
+ }
+
+ // In Java standard algorithm name specification, for different
+ // purpose, the SHA-1 and SHA-2 algorithm names are different. For
+ // example, for MessageDigest, the standard name is "SHA-256", while
+ // for Signature, the digest algorithm component is "SHA256" for
+ // signature algorithm "SHA256withRSA". So we need to check both
+ // "SHA-256" and "SHA256" to make the right constraint checking.
+
+ // handle special name: SHA-1 and SHA1
+ if (elements.contains("SHA1") && !elements.contains("SHA-1")) {
+ elements.add("SHA-1");
+ }
+ if (elements.contains("SHA-1") && !elements.contains("SHA1")) {
+ elements.add("SHA1");
+ }
+
+ // handle special name: SHA-224 and SHA224
+ if (elements.contains("SHA224") && !elements.contains("SHA-224")) {
+ elements.add("SHA-224");
+ }
+ if (elements.contains("SHA-224") && !elements.contains("SHA224")) {
+ elements.add("SHA224");
+ }
+
+ // handle special name: SHA-256 and SHA256
+ if (elements.contains("SHA256") && !elements.contains("SHA-256")) {
+ elements.add("SHA-256");
+ }
+ if (elements.contains("SHA-256") && !elements.contains("SHA256")) {
+ elements.add("SHA256");
+ }
+
+ // handle special name: SHA-384 and SHA384
+ if (elements.contains("SHA384") && !elements.contains("SHA-384")) {
+ elements.add("SHA-384");
+ }
+ if (elements.contains("SHA-384") && !elements.contains("SHA384")) {
+ elements.add("SHA384");
+ }
+
+ // handle special name: SHA-512 and SHA512
+ if (elements.contains("SHA512") && !elements.contains("SHA-512")) {
+ elements.add("SHA-512");
+ }
+ if (elements.contains("SHA-512") && !elements.contains("SHA512")) {
+ elements.add("SHA512");
+ }
+
+ return elements;
+ }
+
+}
diff --git a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
index 17b5697..28eeef0 100644
--- a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
+++ b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,15 +25,9 @@
package sun.security.util;
-import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.security.AlgorithmParameters;
-
import java.security.Key;
-import java.security.Security;
-import java.security.PrivilegedAction;
-import java.security.AccessController;
-
import java.util.Locale;
import java.util.Set;
import java.util.Collections;
@@ -49,7 +43,7 @@
* See the "jdk.certpath.disabledAlgorithms" specification in java.security
* for the syntax of the disabled algorithm string.
*/
-public class DisabledAlgorithmConstraints implements AlgorithmConstraints {
+public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
// the known security property, jdk.certpath.disabledAlgorithms
public final static String PROPERTY_CERTPATH_DISABLED_ALGS =
@@ -64,8 +58,8 @@
private final static Map<String, KeySizeConstraints> keySizeConstraintsMap =
new HashMap<>();
- private String[] disabledAlgorithms;
- private KeySizeConstraints keySizeConstraints;
+ private final String[] disabledAlgorithms;
+ private final KeySizeConstraints keySizeConstraints;
/**
* Initialize algorithm constraints with the specified security property.
@@ -74,56 +68,27 @@
* algorithm constraints
*/
public DisabledAlgorithmConstraints(String propertyName) {
- // Both disabledAlgorithmsMap and keySizeConstraintsMap are
- // synchronized with the lock of disabledAlgorithmsMap.
- synchronized (disabledAlgorithmsMap) {
- if(!disabledAlgorithmsMap.containsKey(propertyName)) {
- loadDisabledAlgorithmsMap(propertyName);
- }
+ this(propertyName, new AlgorithmDecomposer());
+ }
- disabledAlgorithms = disabledAlgorithmsMap.get(propertyName);
- keySizeConstraints = keySizeConstraintsMap.get(propertyName);
- }
+ public DisabledAlgorithmConstraints(String propertyName,
+ AlgorithmDecomposer decomposer) {
+ super(decomposer);
+ disabledAlgorithms = getAlgorithms(disabledAlgorithmsMap, propertyName);
+ keySizeConstraints = getKeySizeConstraints(disabledAlgorithms,
+ propertyName);
}
@Override
final public boolean permits(Set<CryptoPrimitive> primitives,
String algorithm, AlgorithmParameters parameters) {
- if (algorithm == null || algorithm.length() == 0) {
- throw new IllegalArgumentException("No algorithm name specified");
- }
-
if (primitives == null || primitives.isEmpty()) {
throw new IllegalArgumentException(
"No cryptographic primitive specified");
}
- Set<String> elements = null;
- for (String disabled : disabledAlgorithms) {
- if (disabled == null || disabled.isEmpty()) {
- continue;
- }
-
- // check the full name
- if (disabled.equalsIgnoreCase(algorithm)) {
- return false;
- }
-
- // decompose the algorithm into sub-elements
- if (elements == null) {
- elements = decomposes(algorithm);
- }
-
- // check the items of the algorithm
- for (String element : elements) {
- if (disabled.equalsIgnoreCase(element)) {
- return false;
- }
- }
- }
-
- return true;
+ return checkAlgorithm(disabledAlgorithms, algorithm, decomposer);
}
@Override
@@ -142,98 +107,6 @@
return checkConstraints(primitives, algorithm, key, parameters);
}
- /**
- * Decompose the standard algorithm name into sub-elements.
- * <p>
- * For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA"
- * so that we can check the "SHA1" and "RSA" algorithm constraints
- * separately.
- * <p>
- * Please override the method if need to support more name pattern.
- */
- protected Set<String> decomposes(String algorithm) {
- if (algorithm == null || algorithm.length() == 0) {
- return new HashSet<String>();
- }
-
- // algorithm/mode/padding
- Pattern transPattern = Pattern.compile("/");
- String[] transTockens = transPattern.split(algorithm);
-
- Set<String> elements = new HashSet<String>();
- for (String transTocken : transTockens) {
- if (transTocken == null || transTocken.length() == 0) {
- continue;
- }
-
- // PBEWith<digest>And<encryption>
- // PBEWith<prf>And<encryption>
- // OAEPWith<digest>And<mgf>Padding
- // <digest>with<encryption>
- // <digest>with<encryption>and<mgf>
- Pattern pattern =
- Pattern.compile("with|and", Pattern.CASE_INSENSITIVE);
- String[] tokens = pattern.split(transTocken);
-
- for (String token : tokens) {
- if (token == null || token.length() == 0) {
- continue;
- }
-
- elements.add(token);
- }
- }
-
- // In Java standard algorithm name specification, for different
- // purpose, the SHA-1 and SHA-2 algorithm names are different. For
- // example, for MessageDigest, the standard name is "SHA-256", while
- // for Signature, the digest algorithm component is "SHA256" for
- // signature algorithm "SHA256withRSA". So we need to check both
- // "SHA-256" and "SHA256" to make the right constraint checking.
-
- // handle special name: SHA-1 and SHA1
- if (elements.contains("SHA1") && !elements.contains("SHA-1")) {
- elements.add("SHA-1");
- }
- if (elements.contains("SHA-1") && !elements.contains("SHA1")) {
- elements.add("SHA1");
- }
-
- // handle special name: SHA-224 and SHA224
- if (elements.contains("SHA224") && !elements.contains("SHA-224")) {
- elements.add("SHA-224");
- }
- if (elements.contains("SHA-224") && !elements.contains("SHA224")) {
- elements.add("SHA224");
- }
-
- // handle special name: SHA-256 and SHA256
- if (elements.contains("SHA256") && !elements.contains("SHA-256")) {
- elements.add("SHA-256");
- }
- if (elements.contains("SHA-256") && !elements.contains("SHA256")) {
- elements.add("SHA256");
- }
-
- // handle special name: SHA-384 and SHA384
- if (elements.contains("SHA384") && !elements.contains("SHA-384")) {
- elements.add("SHA-384");
- }
- if (elements.contains("SHA-384") && !elements.contains("SHA384")) {
- elements.add("SHA384");
- }
-
- // handle special name: SHA-512 and SHA512
- if (elements.contains("SHA512") && !elements.contains("SHA-512")) {
- elements.add("SHA-512");
- }
- if (elements.contains("SHA-512") && !elements.contains("SHA512")) {
- elements.add("SHA512");
- }
-
- return elements;
- }
-
// Check algorithm constraints
private boolean checkConstraints(Set<CryptoPrimitive> primitives,
String algorithm, Key key, AlgorithmParameters parameters) {
@@ -263,43 +136,18 @@
return true;
}
- // Get disabled algorithm constraints from the specified security property.
- private static void loadDisabledAlgorithmsMap(
- final String propertyName) {
-
- String property = AccessController.doPrivileged(
- new PrivilegedAction<String>() {
- public String run() {
- return Security.getProperty(propertyName);
- }
- });
-
- String[] algorithmsInProperty = null;
-
- if (property != null && !property.isEmpty()) {
-
- // remove double quote marks from beginning/end of the property
- if (property.charAt(0) == '"' &&
- property.charAt(property.length() - 1) == '"') {
- property = property.substring(1, property.length() - 1);
+ private static KeySizeConstraints getKeySizeConstraints(
+ String[] disabledAlgorithms, String propertyName) {
+ synchronized (keySizeConstraintsMap) {
+ if(!keySizeConstraintsMap.containsKey(propertyName)) {
+ // map the key constraints
+ KeySizeConstraints keySizeConstraints =
+ new KeySizeConstraints(disabledAlgorithms);
+ keySizeConstraintsMap.put(propertyName, keySizeConstraints);
}
- algorithmsInProperty = property.split(",");
- for (int i = 0; i < algorithmsInProperty.length; i++) {
- algorithmsInProperty[i] = algorithmsInProperty[i].trim();
- }
+ return keySizeConstraintsMap.get(propertyName);
}
-
- // map the disabled algorithms
- if (algorithmsInProperty == null) {
- algorithmsInProperty = new String[0];
- }
- disabledAlgorithmsMap.put(propertyName, algorithmsInProperty);
-
- // map the key constraints
- KeySizeConstraints keySizeConstraints =
- new KeySizeConstraints(algorithmsInProperty);
- keySizeConstraintsMap.put(propertyName, keySizeConstraints);
}
/**
diff --git a/src/share/classes/sun/security/util/LegacyAlgorithmConstraints.java b/src/share/classes/sun/security/util/LegacyAlgorithmConstraints.java
new file mode 100644
index 0000000..106ec78
--- /dev/null
+++ b/src/share/classes/sun/security/util/LegacyAlgorithmConstraints.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.security.AlgorithmParameters;
+import java.security.CryptoPrimitive;
+import java.security.Key;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+import static sun.security.util.AbstractAlgorithmConstraints.getAlgorithms;
+
+/**
+ * Algorithm constraints for legacy algorithms.
+ */
+public class LegacyAlgorithmConstraints extends AbstractAlgorithmConstraints {
+
+ // the known security property, jdk.tls.legacyAlgorithms
+ public final static String PROPERTY_TLS_LEGACY_ALGS =
+ "jdk.tls.legacyAlgorithms";
+
+ private final static Map<String, String[]> legacyAlgorithmsMap =
+ new HashMap<>();
+
+ private final String[] legacyAlgorithms;
+
+ public LegacyAlgorithmConstraints(String propertyName,
+ AlgorithmDecomposer decomposer) {
+ super(decomposer);
+ legacyAlgorithms = getAlgorithms(legacyAlgorithmsMap, propertyName);
+ }
+
+ @Override
+ final public boolean permits(Set<CryptoPrimitive> primitives,
+ String algorithm, AlgorithmParameters parameters) {
+ return checkAlgorithm(legacyAlgorithms, algorithm, decomposer);
+ }
+
+ @Override
+ final public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
+ return true;
+ }
+
+ @Override
+ final public boolean permits(Set<CryptoPrimitive> primitives,
+ String algorithm, Key key, AlgorithmParameters parameters) {
+ return checkAlgorithm(legacyAlgorithms, algorithm, decomposer);
+ }
+
+}
diff --git a/src/share/classes/sun/security/validator/SimpleValidator.java b/src/share/classes/sun/security/validator/SimpleValidator.java
index a0f4f8b..f041a8c 100644
--- a/src/share/classes/sun/security/validator/SimpleValidator.java
+++ b/src/share/classes/sun/security/validator/SimpleValidator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -141,8 +141,18 @@
// create distrusted certificates checker
UntrustedChecker untrustedChecker = new UntrustedChecker();
+ // check if anchor is untrusted
+ X509Certificate anchorCert = chain[chain.length - 1];
+ try {
+ untrustedChecker.check(anchorCert);
+ } catch (CertPathValidatorException cpve) {
+ throw new ValidatorException(
+ "Untrusted certificate: "+ anchorCert.getSubjectX500Principal(),
+ ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve);
+ }
+
// create default algorithm constraints checker
- TrustAnchor anchor = new TrustAnchor(chain[chain.length - 1], null);
+ TrustAnchor anchor = new TrustAnchor(anchorCert, null);
AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor);
// create application level algorithm constraints checker
diff --git a/src/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/share/classes/sun/util/calendar/ZoneInfoFile.java
index 78d9f3e..61efb54 100644
--- a/src/share/classes/sun/util/calendar/ZoneInfoFile.java
+++ b/src/share/classes/sun/util/calendar/ZoneInfoFile.java
@@ -625,6 +625,15 @@
params[2] = 5;
params[3] = 86400000;
}
+ // Additional check for startDayOfWeek=6 and starTime=86400000
+ // is needed for Asia/Amman; Asia/Gasa and Asia/Hebron
+ if (params[2] == 7 && params[3] == 0 &&
+ (zoneId.equals("Asia/Amman") ||
+ zoneId.equals("Asia/Gaza") ||
+ zoneId.equals("Asia/Hebron"))) {
+ params[2] = 6; // Friday
+ params[3] = 86400000; // 24h
+ }
//endDayOfWeek and endTime workaround
if (params[7] == 6 && params[8] == 0 &&
(zoneId.equals("Africa/Cairo"))) {
diff --git a/src/share/lib/security/java.security-aix b/src/share/lib/security/java.security-aix
index 81ce1d7..891ec95 100644
--- a/src/share/lib/security/java.security-aix
+++ b/src/share/lib/security/java.security-aix
@@ -501,3 +501,60 @@
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3
+
+# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+# processing in JSSE implementation.
+#
+# In some environments, a certain algorithm may be undesirable but it
+# cannot be disabled because of its use in legacy applications. Legacy
+# algorithms may still be supported, but applications should not use them
+# as the security strength of legacy algorithms are usually not strong enough
+# in practice.
+#
+# During SSL/TLS security parameters negotiation, legacy algorithms will
+# not be negotiated unless there are no other candidates.
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
+# LegacyAlgorithms:
+# " LegacyAlgorithm { , LegacyAlgorithm } "
+#
+# LegacyAlgorithm:
+# AlgorithmName (standard JSSE algorithm name)
+#
+# See the specification of security property "jdk.certpath.disabledAlgorithms"
+# for the syntax and description of the "AlgorithmName" notation.
+#
+# Per SSL/TLS specifications, cipher suites have the form:
+# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+# or
+# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+#
+# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
+# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
+# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
+# algorithm for HMAC.
+#
+# The LegacyAlgorithm can be one of the following standard algorithm names:
+# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
+# 2. JSSE key exchange algorithm name, e.g., RSA
+# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
+# 4. JSSE message digest algorithm name, e.g., SHA-1
+#
+# See SSL/TLS specifications and "Java Cryptography Architecture Standard
+# Algorithm Name Documentation" for information about the algorithm names.
+#
+# Note: This property is currently used by Oracle's JSSE implementation.
+# It is not guaranteed to be examined and used by other implementations.
+# There is no guarantee the property will continue to exist or be of the
+# same syntax in future releases.
+#
+# Example:
+# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
+#
+jdk.tls.legacyAlgorithms= \
+ K_NULL, C_NULL, M_NULL, \
+ DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+ DH_RSA_EXPORT, RSA_EXPORT, \
+ DH_anon, ECDH_anon, \
+ RC4_128, RC4_40, DES_CBC, DES40_CBC
diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux
index 81ce1d7..891ec95 100644
--- a/src/share/lib/security/java.security-linux
+++ b/src/share/lib/security/java.security-linux
@@ -501,3 +501,60 @@
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3
+
+# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+# processing in JSSE implementation.
+#
+# In some environments, a certain algorithm may be undesirable but it
+# cannot be disabled because of its use in legacy applications. Legacy
+# algorithms may still be supported, but applications should not use them
+# as the security strength of legacy algorithms are usually not strong enough
+# in practice.
+#
+# During SSL/TLS security parameters negotiation, legacy algorithms will
+# not be negotiated unless there are no other candidates.
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
+# LegacyAlgorithms:
+# " LegacyAlgorithm { , LegacyAlgorithm } "
+#
+# LegacyAlgorithm:
+# AlgorithmName (standard JSSE algorithm name)
+#
+# See the specification of security property "jdk.certpath.disabledAlgorithms"
+# for the syntax and description of the "AlgorithmName" notation.
+#
+# Per SSL/TLS specifications, cipher suites have the form:
+# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+# or
+# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+#
+# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
+# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
+# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
+# algorithm for HMAC.
+#
+# The LegacyAlgorithm can be one of the following standard algorithm names:
+# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
+# 2. JSSE key exchange algorithm name, e.g., RSA
+# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
+# 4. JSSE message digest algorithm name, e.g., SHA-1
+#
+# See SSL/TLS specifications and "Java Cryptography Architecture Standard
+# Algorithm Name Documentation" for information about the algorithm names.
+#
+# Note: This property is currently used by Oracle's JSSE implementation.
+# It is not guaranteed to be examined and used by other implementations.
+# There is no guarantee the property will continue to exist or be of the
+# same syntax in future releases.
+#
+# Example:
+# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
+#
+jdk.tls.legacyAlgorithms= \
+ K_NULL, C_NULL, M_NULL, \
+ DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+ DH_RSA_EXPORT, RSA_EXPORT, \
+ DH_anon, ECDH_anon, \
+ RC4_128, RC4_40, DES_CBC, DES40_CBC
diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx
index d72511b..4dc124c 100644
--- a/src/share/lib/security/java.security-macosx
+++ b/src/share/lib/security/java.security-macosx
@@ -504,3 +504,60 @@
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3
+
+# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+# processing in JSSE implementation.
+#
+# In some environments, a certain algorithm may be undesirable but it
+# cannot be disabled because of its use in legacy applications. Legacy
+# algorithms may still be supported, but applications should not use them
+# as the security strength of legacy algorithms are usually not strong enough
+# in practice.
+#
+# During SSL/TLS security parameters negotiation, legacy algorithms will
+# not be negotiated unless there are no other candidates.
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
+# LegacyAlgorithms:
+# " LegacyAlgorithm { , LegacyAlgorithm } "
+#
+# LegacyAlgorithm:
+# AlgorithmName (standard JSSE algorithm name)
+#
+# See the specification of security property "jdk.certpath.disabledAlgorithms"
+# for the syntax and description of the "AlgorithmName" notation.
+#
+# Per SSL/TLS specifications, cipher suites have the form:
+# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+# or
+# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+#
+# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
+# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
+# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
+# algorithm for HMAC.
+#
+# The LegacyAlgorithm can be one of the following standard algorithm names:
+# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
+# 2. JSSE key exchange algorithm name, e.g., RSA
+# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
+# 4. JSSE message digest algorithm name, e.g., SHA-1
+#
+# See SSL/TLS specifications and "Java Cryptography Architecture Standard
+# Algorithm Name Documentation" for information about the algorithm names.
+#
+# Note: This property is currently used by Oracle's JSSE implementation.
+# It is not guaranteed to be examined and used by other implementations.
+# There is no guarantee the property will continue to exist or be of the
+# same syntax in future releases.
+#
+# Example:
+# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
+#
+jdk.tls.legacyAlgorithms= \
+ K_NULL, C_NULL, M_NULL, \
+ DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+ DH_RSA_EXPORT, RSA_EXPORT, \
+ DH_anon, ECDH_anon, \
+ RC4_128, RC4_40, DES_CBC, DES40_CBC
diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris
index 92d0358..47fb7d9 100644
--- a/src/share/lib/security/java.security-solaris
+++ b/src/share/lib/security/java.security-solaris
@@ -503,3 +503,60 @@
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3
+
+# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+# processing in JSSE implementation.
+#
+# In some environments, a certain algorithm may be undesirable but it
+# cannot be disabled because of its use in legacy applications. Legacy
+# algorithms may still be supported, but applications should not use them
+# as the security strength of legacy algorithms are usually not strong enough
+# in practice.
+#
+# During SSL/TLS security parameters negotiation, legacy algorithms will
+# not be negotiated unless there are no other candidates.
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
+# LegacyAlgorithms:
+# " LegacyAlgorithm { , LegacyAlgorithm } "
+#
+# LegacyAlgorithm:
+# AlgorithmName (standard JSSE algorithm name)
+#
+# See the specification of security property "jdk.certpath.disabledAlgorithms"
+# for the syntax and description of the "AlgorithmName" notation.
+#
+# Per SSL/TLS specifications, cipher suites have the form:
+# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+# or
+# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+#
+# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
+# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
+# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
+# algorithm for HMAC.
+#
+# The LegacyAlgorithm can be one of the following standard algorithm names:
+# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
+# 2. JSSE key exchange algorithm name, e.g., RSA
+# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
+# 4. JSSE message digest algorithm name, e.g., SHA-1
+#
+# See SSL/TLS specifications and "Java Cryptography Architecture Standard
+# Algorithm Name Documentation" for information about the algorithm names.
+#
+# Note: This property is currently used by Oracle's JSSE implementation.
+# It is not guaranteed to be examined and used by other implementations.
+# There is no guarantee the property will continue to exist or be of the
+# same syntax in future releases.
+#
+# Example:
+# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
+#
+jdk.tls.legacyAlgorithms= \
+ K_NULL, C_NULL, M_NULL, \
+ DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+ DH_RSA_EXPORT, RSA_EXPORT, \
+ DH_anon, ECDH_anon, \
+ RC4_128, RC4_40, DES_CBC, DES40_CBC
diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows
index 41907ee..434471d 100644
--- a/src/share/lib/security/java.security-windows
+++ b/src/share/lib/security/java.security-windows
@@ -504,3 +504,60 @@
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3
+
+# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+# processing in JSSE implementation.
+#
+# In some environments, a certain algorithm may be undesirable but it
+# cannot be disabled because of its use in legacy applications. Legacy
+# algorithms may still be supported, but applications should not use them
+# as the security strength of legacy algorithms are usually not strong enough
+# in practice.
+#
+# During SSL/TLS security parameters negotiation, legacy algorithms will
+# not be negotiated unless there are no other candidates.
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
+# LegacyAlgorithms:
+# " LegacyAlgorithm { , LegacyAlgorithm } "
+#
+# LegacyAlgorithm:
+# AlgorithmName (standard JSSE algorithm name)
+#
+# See the specification of security property "jdk.certpath.disabledAlgorithms"
+# for the syntax and description of the "AlgorithmName" notation.
+#
+# Per SSL/TLS specifications, cipher suites have the form:
+# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+# or
+# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+#
+# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
+# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
+# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
+# algorithm for HMAC.
+#
+# The LegacyAlgorithm can be one of the following standard algorithm names:
+# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
+# 2. JSSE key exchange algorithm name, e.g., RSA
+# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
+# 4. JSSE message digest algorithm name, e.g., SHA-1
+#
+# See SSL/TLS specifications and "Java Cryptography Architecture Standard
+# Algorithm Name Documentation" for information about the algorithm names.
+#
+# Note: This property is currently used by Oracle's JSSE implementation.
+# It is not guaranteed to be examined and used by other implementations.
+# There is no guarantee the property will continue to exist or be of the
+# same syntax in future releases.
+#
+# Example:
+# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
+#
+jdk.tls.legacyAlgorithms= \
+ K_NULL, C_NULL, M_NULL, \
+ DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+ DH_RSA_EXPORT, RSA_EXPORT, \
+ DH_anon, ECDH_anon, \
+ RC4_128, RC4_40, DES_CBC, DES40_CBC
diff --git a/src/share/native/sun/font/layout/AlternateSubstSubtables.cpp b/src/share/native/sun/font/layout/AlternateSubstSubtables.cpp
index 3c68251..f296e89 100644
--- a/src/share/native/sun/font/layout/AlternateSubstSubtables.cpp
+++ b/src/share/native/sun/font/layout/AlternateSubstSubtables.cpp
@@ -53,6 +53,7 @@
Offset alternateSetTableOffset = SWAPW(alternateSetTableOffsetArray[coverageIndex]);
const LEReferenceTo<AlternateSetTable> alternateSetTable(base, success,
(const AlternateSetTable *) ((char *) this + alternateSetTableOffset));
+ if (!LE_SUCCESS(success)) return 0;
TTGlyphID alternate = SWAPW(alternateSetTable->alternateArray[0]);
if (filter == NULL || filter->accept(LE_SET_GLYPH(glyph, alternate), success)) {
diff --git a/src/share/native/sun/font/layout/AnchorTables.cpp b/src/share/native/sun/font/layout/AnchorTables.cpp
index 93610b8..92231ef 100644
--- a/src/share/native/sun/font/layout/AnchorTables.cpp
+++ b/src/share/native/sun/font/layout/AnchorTables.cpp
@@ -44,21 +44,27 @@
case 1:
{
LEReferenceTo<Format1AnchorTable> f1(base, success);
- f1->getAnchor(f1, fontInstance, anchor, success);
+ if (LE_SUCCESS(success)) {
+ f1->getAnchor(f1, fontInstance, anchor, success);
+ }
break;
}
case 2:
{
LEReferenceTo<Format2AnchorTable> f2(base, success);
- f2->getAnchor(f2, glyphID, fontInstance, anchor, success);
+ if (LE_SUCCESS(success)) {
+ f2->getAnchor(f2, glyphID, fontInstance, anchor, success);
+ }
break;
}
case 3:
{
LEReferenceTo<Format3AnchorTable> f3(base, success);
- f3->getAnchor(f3, fontInstance, anchor, success);
+ if (LE_SUCCESS(success)) {
+ f3->getAnchor(f3, fontInstance, anchor, success);
+ }
break;
}
@@ -66,7 +72,9 @@
{
// unknown format: just use x, y coordinate, like format 1...
LEReferenceTo<Format1AnchorTable> f1(base, success);
- f1->getAnchor(f1, fontInstance, anchor, success);
+ if (LE_SUCCESS(success)) {
+ f1->getAnchor(f1, fontInstance, anchor, success);
+ }
break;
}
}
@@ -112,16 +120,18 @@
if (dtxOffset != 0) {
LEReferenceTo<DeviceTable> dt(base, success, dtxOffset);
- le_int16 adjx = dt->getAdjustment(dt, (le_int16) fontInstance->getXPixelsPerEm(), success);
-
- pixels.fX += adjx;
+ if (LE_SUCCESS(success)) {
+ le_int16 adjx = dt->getAdjustment(dt, (le_int16) fontInstance->getXPixelsPerEm(), success);
+ pixels.fX += adjx;
+ }
}
if (dtyOffset != 0) {
LEReferenceTo<DeviceTable> dt(base, success, dtyOffset);
- le_int16 adjy = dt->getAdjustment(dt, (le_int16) fontInstance->getYPixelsPerEm(), success);
-
- pixels.fY += adjy;
+ if (LE_SUCCESS(success)) {
+ le_int16 adjy = dt->getAdjustment(dt, (le_int16) fontInstance->getYPixelsPerEm(), success);
+ pixels.fY += adjy;
+ }
}
fontInstance->pixelsToUnits(pixels, anchor);
diff --git a/src/share/native/sun/font/layout/ContextualGlyphInsertionProc2.cpp b/src/share/native/sun/font/layout/ContextualGlyphInsertionProc2.cpp
index 85f9fc7..40fefef 100644
--- a/src/share/native/sun/font/layout/ContextualGlyphInsertionProc2.cpp
+++ b/src/share/native/sun/font/layout/ContextualGlyphInsertionProc2.cpp
@@ -107,6 +107,10 @@
le_int16 markIndex = SWAPW(entry->markedInsertionListIndex);
if (markIndex > 0) {
+ if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) {
+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+ return 0;
+ }
le_int16 count = (flags & cgiMarkedInsertCountMask) >> 5;
le_bool isKashidaLike = (flags & cgiMarkedIsKashidaLike);
le_bool isBefore = (flags & cgiMarkInsertBefore);
@@ -115,6 +119,10 @@
le_int16 currIndex = SWAPW(entry->currentInsertionListIndex);
if (currIndex > 0) {
+ if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+ return 0;
+ }
le_int16 count = flags & cgiCurrentInsertCountMask;
le_bool isKashidaLike = (flags & cgiCurrentIsKashidaLike);
le_bool isBefore = (flags & cgiCurrentInsertBefore);
diff --git a/src/share/native/sun/font/layout/ContextualGlyphSubstProc.cpp b/src/share/native/sun/font/layout/ContextualGlyphSubstProc.cpp
index 87fdf4d..63f7b64 100644
--- a/src/share/native/sun/font/layout/ContextualGlyphSubstProc.cpp
+++ b/src/share/native/sun/font/layout/ContextualGlyphSubstProc.cpp
@@ -76,6 +76,10 @@
WordOffset currOffset = SWAPW(entry->currOffset);
if (markOffset != 0 && LE_SUCCESS(success)) {
+ if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) {
+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+ return 0;
+ }
LEGlyphID mGlyph = glyphStorage[markGlyph];
TTGlyphID newGlyph = SWAPW(int16Table.getObject(markOffset + LE_GET_GLYPH(mGlyph), success)); // whew.
@@ -83,6 +87,10 @@
}
if (currOffset != 0) {
+ if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+ return 0;
+ }
LEGlyphID thisGlyph = glyphStorage[currGlyph];
TTGlyphID newGlyph = SWAPW(int16Table.getObject(currOffset + LE_GET_GLYPH(thisGlyph), success)); // whew.
diff --git a/src/share/native/sun/font/layout/ContextualGlyphSubstProc2.cpp b/src/share/native/sun/font/layout/ContextualGlyphSubstProc2.cpp
index f6d93b4..a59096e 100644
--- a/src/share/native/sun/font/layout/ContextualGlyphSubstProc2.cpp
+++ b/src/share/native/sun/font/layout/ContextualGlyphSubstProc2.cpp
@@ -70,17 +70,25 @@
if(LE_FAILURE(success)) return 0;
le_uint16 newState = SWAPW(entry->newStateIndex);
le_uint16 flags = SWAPW(entry->flags);
- le_int16 markIndex = SWAPW(entry->markIndex);
- le_int16 currIndex = SWAPW(entry->currIndex);
+ le_uint16 markIndex = SWAPW(entry->markIndex);
+ le_uint16 currIndex = SWAPW(entry->currIndex);
- if (markIndex != -1) {
+ if (markIndex != 0x0FFFF) {
+ if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) {
+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+ return 0;
+ }
le_uint32 offset = SWAPL(perGlyphTable(markIndex, success));
LEGlyphID mGlyph = glyphStorage[markGlyph];
TTGlyphID newGlyph = lookup(offset, mGlyph, success);
glyphStorage[markGlyph] = LE_SET_GLYPH(mGlyph, newGlyph);
}
- if (currIndex != -1) {
+ if (currIndex != 0x0FFFF) {
+ if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+ return 0;
+ }
le_uint32 offset = SWAPL(perGlyphTable(currIndex, success));
LEGlyphID thisGlyph = glyphStorage[currGlyph];
TTGlyphID newGlyph = lookup(offset, thisGlyph, success);
diff --git a/src/share/native/sun/font/layout/Features.cpp b/src/share/native/sun/font/layout/Features.cpp
index 6c6bcc8..02bb838 100644
--- a/src/share/native/sun/font/layout/Features.cpp
+++ b/src/share/native/sun/font/layout/Features.cpp
@@ -41,7 +41,7 @@
LEReferenceTo<FeatureTable> FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const
{
LEReferenceToArrayOf<FeatureRecord>
- featureRecordArrayRef(base, success, featureRecordArray, featureIndex);
+ featureRecordArrayRef(base, success, featureRecordArray, featureIndex+1);
if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) {
return LEReferenceTo<FeatureTable>();
diff --git a/src/share/native/sun/font/layout/GXLayoutEngine.cpp b/src/share/native/sun/font/layout/GXLayoutEngine.cpp
index e6da45d..cbe4b0a 100644
--- a/src/share/native/sun/font/layout/GXLayoutEngine.cpp
+++ b/src/share/native/sun/font/layout/GXLayoutEngine.cpp
@@ -73,7 +73,7 @@
fMorphTable->process(fMorphTable, glyphStorage, success);
- return count;
+ return glyphStorage.getGlyphCount();
}
// apply positional tables
diff --git a/src/share/native/sun/font/layout/GXLayoutEngine2.cpp b/src/share/native/sun/font/layout/GXLayoutEngine2.cpp
index d4e3850..0d437d6 100644
--- a/src/share/native/sun/font/layout/GXLayoutEngine2.cpp
+++ b/src/share/native/sun/font/layout/GXLayoutEngine2.cpp
@@ -69,7 +69,7 @@
}
fMorphTable->process(fMorphTable, glyphStorage, fTypoFlags, success);
- return count;
+ return glyphStorage.getGlyphCount();
}
// apply positional tables
diff --git a/src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp b/src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp
index 3ae26be..a5f3088 100644
--- a/src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp
+++ b/src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp
@@ -70,6 +70,11 @@
ByteOffset newState = SWAPW(entry->newStateOffset);
IndicRearrangementFlags flags = (IndicRearrangementFlags) SWAPW(entry->flags);
+ if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+ return 0;
+ }
+
if (flags & irfMarkFirst) {
firstGlyph = currGlyph;
}
diff --git a/src/share/native/sun/font/layout/IndicRearrangementProcessor2.cpp b/src/share/native/sun/font/layout/IndicRearrangementProcessor2.cpp
index 4d531b2..1cf169b 100644
--- a/src/share/native/sun/font/layout/IndicRearrangementProcessor2.cpp
+++ b/src/share/native/sun/font/layout/IndicRearrangementProcessor2.cpp
@@ -68,6 +68,11 @@
le_uint16 newState = SWAPW(entry->newStateIndex); // index to the new state
IndicRearrangementFlags flags = (IndicRearrangementFlags) SWAPW(entry->flags);
+ if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+ return 0;
+ }
+
if (flags & irfMarkFirst) {
firstGlyph = currGlyph;
}
diff --git a/src/share/native/sun/font/layout/LETableReference.h b/src/share/native/sun/font/layout/LETableReference.h
index 459d4e0..deffe9f 100644
--- a/src/share/native/sun/font/layout/LETableReference.h
+++ b/src/share/native/sun/font/layout/LETableReference.h
@@ -188,7 +188,7 @@
void addOffset(size_t offset, LEErrorCode &success) {
if(hasBounds()) {
- if(offset > fLength) {
+ if(offset >= fLength) {
LE_DEBUG_TR("addOffset off end");
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return;
@@ -203,7 +203,7 @@
if(atPtr==NULL) return 0;
if(LE_FAILURE(success)) return LE_UINTPTR_MAX;
if((atPtr < fStart) ||
- (hasBounds() && (atPtr > fStart+fLength))) {
+ (hasBounds() && (atPtr >= fStart+fLength))) {
LE_DEBUG_TR3("ptrToOffset args out of range: %p", atPtr, 0);
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return LE_UINTPTR_MAX;
@@ -240,6 +240,18 @@
}
/**
+ * Throw an error if size*count overflows
+ */
+ size_t verifyLength(size_t offset, size_t size, le_uint32 count, LEErrorCode &success) {
+ if(count!=0 && size>LE_UINT32_MAX/count) {
+ LE_DEBUG_TR3("verifyLength failed size=%u, count=%u", size, count);
+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+ return 0;
+ }
+ return verifyLength(offset, size*count, success);
+ }
+
+ /**
* Change parent link to another
*/
LETableReference &reparent(const LETableReference &base) {
@@ -424,7 +436,7 @@
if(fCount == LE_UNBOUNDED_ARRAY) { // not a known length
fCount = getLength()/LETableVarSizer<T>::getSize(); // fit to max size
}
- LETableReference::verifyLength(0, LETableVarSizer<T>::getSize()*fCount, success);
+ LETableReference::verifyLength(0, LETableVarSizer<T>::getSize(), fCount, success);
}
if(LE_FAILURE(success)) {
fCount=0;
@@ -439,7 +451,7 @@
if(fCount == LE_UNBOUNDED_ARRAY) { // not a known length
fCount = getLength()/LETableVarSizer<T>::getSize(); // fit to max size
}
- LETableReference::verifyLength(0, LETableVarSizer<T>::getSize()*fCount, success);
+ LETableReference::verifyLength(0, LETableVarSizer<T>::getSize(), fCount, success);
}
if(LE_FAILURE(success)) clear();
}
@@ -450,7 +462,7 @@
if(fCount == LE_UNBOUNDED_ARRAY) { // not a known length
fCount = getLength()/LETableVarSizer<T>::getSize(); // fit to max size
}
- LETableReference::verifyLength(0, LETableVarSizer<T>::getSize()*fCount, success);
+ LETableReference::verifyLength(0, LETableVarSizer<T>::getSize(), fCount, success);
}
if(LE_FAILURE(success)) clear();
}
diff --git a/src/share/native/sun/font/layout/LigatureSubstProc.cpp b/src/share/native/sun/font/layout/LigatureSubstProc.cpp
index 99e9e37..5a94563 100644
--- a/src/share/native/sun/font/layout/LigatureSubstProc.cpp
+++ b/src/share/native/sun/font/layout/LigatureSubstProc.cpp
@@ -73,7 +73,7 @@
const LigatureSubstitutionStateEntry *entry = entryTable.getAlias(index, success);
ByteOffset newState = SWAPW(entry->newStateOffset);
- le_int16 flags = SWAPW(entry->flags);
+ le_uint16 flags = SWAPW(entry->flags);
if (flags & lsfSetComponent) {
if (++m >= nComponents) {
@@ -92,15 +92,18 @@
if (actionOffset != 0) {
LEReferenceTo<LigatureActionEntry> ap(stHeader, success, actionOffset);
LigatureActionEntry action;
- le_int32 offset, i = 0;
+ le_int32 offset, i = 0, j = 0;
le_int32 stack[nComponents];
le_int16 mm = -1;
do {
le_uint32 componentGlyph = componentStack[m--];
+ if (j++ > 0) {
+ ap.addObject(success);
+ }
+
action = SWAPL(*ap.getAlias());
- ap.addObject(success); // ap++
if (m < 0) {
m = nComponents - 1;
diff --git a/src/share/native/sun/font/layout/LigatureSubstProc2.cpp b/src/share/native/sun/font/layout/LigatureSubstProc2.cpp
index 558cf8b..77e9073 100644
--- a/src/share/native/sun/font/layout/LigatureSubstProc2.cpp
+++ b/src/share/native/sun/font/layout/LigatureSubstProc2.cpp
@@ -98,7 +98,7 @@
ap.addObject(ligActionIndex, success);
LEReferenceToArrayOf<TTGlyphID> ligatureTable(stHeader, success, ligatureOffset, LE_UNBOUNDED_ARRAY);
LigatureActionEntry action;
- le_int32 offset, i = 0;
+ le_int32 offset, i = 0, j = 0;
le_int32 stack[nComponents];
le_int16 mm = -1;
@@ -111,6 +111,10 @@
do {
le_uint32 componentGlyph = componentStack[m--]; // pop off
+ if (j++ > 0) {
+ ap.addObject(success);
+ }
+
action = SWAPL(*ap.getAlias());
if (m < 0) {
@@ -144,7 +148,6 @@
LE_DEBUG_BAD_FONT("m<0")
}
#endif
- ap.addObject(success);
} while (LE_SUCCESS(success) && !(action & lafLast) && (m>=0) ); // stop if last bit is set, or if run out of items
while (mm >= 0) {
diff --git a/src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp b/src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp
index 74feb89..ed1d11d 100644
--- a/src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp
+++ b/src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp
@@ -97,13 +97,9 @@
if( LE_FAILURE(success) ) { return 0; }
Offset anchorTableOffset = SWAPW(baseRecord->baseAnchorTableOffsetArray[markClass]);
- if (anchorTableOffset <= 0) {
- // this means the table is mal-formed...
- glyphIterator->setCurrGlyphBaseOffset(baseIterator.getCurrStreamPosition());
- return 0;
- }
-
LEReferenceTo<AnchorTable> anchorTable(baseArray, success, anchorTableOffset);
+ if( LE_FAILURE(success) ) { return 0; }
+
LEPoint baseAnchor, markAdvance, pixels;
diff --git a/src/share/native/sun/font/layout/MorphTables.cpp b/src/share/native/sun/font/layout/MorphTables.cpp
index 17597a1..483f720 100644
--- a/src/share/native/sun/font/layout/MorphTables.cpp
+++ b/src/share/native/sun/font/layout/MorphTables.cpp
@@ -52,8 +52,15 @@
le_uint32 chain;
for (chain = 0; LE_SUCCESS(success) && (chain < chainCount); chain += 1) {
+ if (chain > 0) {
+ le_uint32 chainLength = SWAPL(chainHeader->chainLength);
+ if (chainLength & 0x03) { // incorrect alignment for 32 bit tables
+ success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any
+ return;
+ }
+ chainHeader.addOffset(chainLength, success);
+ }
FeatureFlags defaultFlags = SWAPL(chainHeader->defaultFlags);
- le_uint32 chainLength = SWAPL(chainHeader->chainLength);
le_int16 nFeatureEntries = SWAPW(chainHeader->nFeatureEntries);
le_int16 nSubtables = SWAPW(chainHeader->nSubtables);
LEReferenceTo<MorphSubtableHeader> subtableHeader =
@@ -61,7 +68,14 @@
le_int16 subtable;
for (subtable = 0; LE_SUCCESS(success) && (subtable < nSubtables); subtable += 1) {
- le_int16 length = SWAPW(subtableHeader->length);
+ if (subtable > 0) {
+ le_int16 length = SWAPW(subtableHeader->length);
+ if (length & 0x03) { // incorrect alignment for 32 bit tables
+ success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any
+ return;
+ }
+ subtableHeader.addOffset(length, success);
+ }
SubtableCoverage coverage = SWAPW(subtableHeader->coverage);
FeatureFlags subtableFeatures = SWAPL(subtableHeader->subtableFeatures);
@@ -69,10 +83,7 @@
if ((coverage & scfVertical) == 0 && (subtableFeatures & defaultFlags) != 0 && LE_SUCCESS(success)) {
subtableHeader->process(subtableHeader, glyphStorage, success);
}
-
- subtableHeader.addOffset(length, success);
}
- chainHeader.addOffset(chainLength, success);
}
}
diff --git a/src/share/native/sun/font/layout/MorphTables2.cpp b/src/share/native/sun/font/layout/MorphTables2.cpp
index b75ca85..33cbdee 100644
--- a/src/share/native/sun/font/layout/MorphTables2.cpp
+++ b/src/share/native/sun/font/layout/MorphTables2.cpp
@@ -59,6 +59,10 @@
for (chain = 0; LE_SUCCESS(success) && (chain < chainCount); chain++) {
if (chain>0) {
le_uint32 chainLength = SWAPL(chainHeader->chainLength);
+ if (chainLength & 0x03) { // incorrect alignment for 32 bit tables
+ success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any
+ return;
+ }
chainHeader.addOffset(chainLength, success); // Don't increment the first time
}
FeatureFlags flag = SWAPL(chainHeader->defaultFlags);
@@ -188,6 +192,10 @@
for (subtable = 0; LE_SUCCESS(success) && subtable < nSubtables; subtable++) {
if(subtable>0) {
le_uint32 length = SWAPL(subtableHeader->length);
+ if (length & 0x03) { // incorrect alignment for 32 bit tables
+ success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any
+ return;
+ }
subtableHeader.addOffset(length, success); // Don't addOffset for the last entry.
}
le_uint32 coverage = SWAPL(subtableHeader->coverage);
diff --git a/src/share/native/sun/font/layout/PairPositioningSubtables.cpp b/src/share/native/sun/font/layout/PairPositioningSubtables.cpp
index 894cb44..41922b7 100644
--- a/src/share/native/sun/font/layout/PairPositioningSubtables.cpp
+++ b/src/share/native/sun/font/layout/PairPositioningSubtables.cpp
@@ -179,12 +179,13 @@
LEReferenceTo<PairValueRecord> record(records);
for(le_int32 r = 0; r < recordCount; r += 1) {
+ if (r > 0) {
+ record.addOffset(recordSize, success);
+ }
if(LE_FAILURE(success)) return LEReferenceTo<PairValueRecord>();
if (SWAPW(record->secondGlyph) == glyphID) {
return record;
}
-
- record.addOffset(recordSize, success);
}
#else
#error dead code - not updated.
diff --git a/src/share/native/sun/font/layout/SingleSubstitutionSubtables.cpp b/src/share/native/sun/font/layout/SingleSubstitutionSubtables.cpp
index 5b99174..ccbc052 100644
--- a/src/share/native/sun/font/layout/SingleSubstitutionSubtables.cpp
+++ b/src/share/native/sun/font/layout/SingleSubstitutionSubtables.cpp
@@ -94,7 +94,9 @@
return 0;
}
- if (coverageIndex >= 0) {
+ LEReferenceToArrayOf<TTGlyphID> substituteArrayRef(base, success, substituteArray, SWAPW(glyphCount));
+
+ if (coverageIndex >= 0 && LE_SUCCESS(success) && coverageIndex < substituteArrayRef.getCount()) {
TTGlyphID substitute = SWAPW(substituteArray[coverageIndex]);
if (filter == NULL || filter->accept(LE_SET_GLYPH(glyph, substitute), success)) {
diff --git a/src/share/native/sun/font/layout/StateTableProcessor.cpp b/src/share/native/sun/font/layout/StateTableProcessor.cpp
index 9924a90..f5bef5f 100644
--- a/src/share/native/sun/font/layout/StateTableProcessor.cpp
+++ b/src/share/native/sun/font/layout/StateTableProcessor.cpp
@@ -85,6 +85,7 @@
if (currGlyph == glyphCount) {
// XXX: How do we handle EOT vs. EOL?
classCode = classCodeEOT;
+ break;
} else {
TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(glyphStorage[currGlyph]);
diff --git a/src/share/native/sun/font/layout/StateTableProcessor2.cpp b/src/share/native/sun/font/layout/StateTableProcessor2.cpp
index e00a2d0..9aa097a 100644
--- a/src/share/native/sun/font/layout/StateTableProcessor2.cpp
+++ b/src/share/native/sun/font/layout/StateTableProcessor2.cpp
@@ -103,6 +103,7 @@
if (currGlyph == glyphCount || currGlyph == -1) {
// XXX: How do we handle EOT vs. EOL?
classCode = classCodeEOT;
+ break;
} else {
LEGlyphID gid = glyphStorage[currGlyph];
TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(gid);
@@ -134,6 +135,7 @@
if (currGlyph == glyphCount || currGlyph == -1) {
// XXX: How do we handle EOT vs. EOL?
classCode = classCodeEOT;
+ break;
} else {
LEGlyphID gid = glyphStorage[currGlyph];
TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(gid);
@@ -171,6 +173,7 @@
if (currGlyph == glyphCount || currGlyph == -1) {
// XXX: How do we handle EOT vs. EOL?
classCode = classCodeEOT;
+ break;
} else if(currGlyph > glyphCount) {
// note if > glyphCount, we've run off the end (bad font)
currGlyph = glyphCount;
@@ -211,6 +214,7 @@
if (currGlyph == glyphCount || currGlyph == -1) {
// XXX: How do we handle EOT vs. EOL?
classCode = classCodeEOT;
+ break;
} else {
TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(glyphStorage[currGlyph]);
if (glyphCode == 0xFFFF) {
diff --git a/src/share/native/sun/font/layout/StateTables.h b/src/share/native/sun/font/layout/StateTables.h
index 9ba6da5..fb09aee 100644
--- a/src/share/native/sun/font/layout/StateTables.h
+++ b/src/share/native/sun/font/layout/StateTables.h
@@ -126,7 +126,7 @@
struct StateEntry
{
ByteOffset newStateOffset;
- le_int16 flags;
+ le_uint16 flags;
};
typedef le_uint16 EntryTableIndex2;
diff --git a/src/share/native/sun/security/ec/impl/ec.c b/src/share/native/sun/security/ec/impl/ec.c
index 2f665a9..2f26390 100644
--- a/src/share/native/sun/security/ec/impl/ec.c
+++ b/src/share/native/sun/security/ec/impl/ec.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -34,6 +34,7 @@
* Dr Vipul Gupta <vipul.gupta@sun.com> and
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: April 2015
*********************************************************************** */
#include "mplogic.h"
@@ -585,6 +586,10 @@
return SECFailure;
}
+ if (EC_ValidatePublicKey(ecParams, publicValue, kmflag) != SECSuccess) {
+ return SECFailure;
+ }
+
memset(derivedSecret, 0, sizeof *derivedSecret);
len = (ecParams->fieldID.size + 7) >> 3;
pointQ.len = 2*len + 1;
diff --git a/src/share/native/sun/security/ec/impl/ecc_impl.h b/src/share/native/sun/security/ec/impl/ecc_impl.h
index 40d2e33..0739f4c 100644
--- a/src/share/native/sun/security/ec/impl/ecc_impl.h
+++ b/src/share/native/sun/security/ec/impl/ecc_impl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -34,6 +34,7 @@
* Dr Vipul Gupta <vipul.gupta@sun.com> and
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: November 2013
*********************************************************************** */
#ifndef _ECC_IMPL_H
diff --git a/src/share/native/sun/security/ec/impl/ecdecode.c b/src/share/native/sun/security/ec/impl/ecdecode.c
index 7af83f7..6528022 100644
--- a/src/share/native/sun/security/ec/impl/ecdecode.c
+++ b/src/share/native/sun/security/ec/impl/ecdecode.c
@@ -34,6 +34,7 @@
* Dr Vipul Gupta <vipul.gupta@sun.com> and
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: March 2012
*********************************************************************** */
#include <sys/types.h>
diff --git a/src/share/native/sun/security/ec/impl/mpi.c b/src/share/native/sun/security/ec/impl/mpi.c
index 496916a..c91a04f 100644
--- a/src/share/native/sun/security/ec/impl/mpi.c
+++ b/src/share/native/sun/security/ec/impl/mpi.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -34,6 +34,7 @@
* Netscape Communications Corporation
* Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
*
+ * Last Modified Date from the Original Code: June 2014
*********************************************************************** */
/* Arbitrary precision integer arithmetic library */
diff --git a/src/share/native/sun/security/ec/impl/oid.c b/src/share/native/sun/security/ec/impl/oid.c
index 6c541c4..6239ec4 100644
--- a/src/share/native/sun/security/ec/impl/oid.c
+++ b/src/share/native/sun/security/ec/impl/oid.c
@@ -33,6 +33,7 @@
* Contributor(s):
* Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: March 2012
*********************************************************************** */
#include <sys/types.h>
diff --git a/src/share/native/sun/security/ec/impl/secitem.c b/src/share/native/sun/security/ec/impl/secitem.c
index 4473f11..fab4415 100644
--- a/src/share/native/sun/security/ec/impl/secitem.c
+++ b/src/share/native/sun/security/ec/impl/secitem.c
@@ -32,6 +32,7 @@
*
* Contributor(s):
*
+ * Last Modified Date from the Original Code: March 2012
*********************************************************************** */
/*
diff --git a/src/solaris/bin/java_md_solinux.c b/src/solaris/bin/java_md_solinux.c
index d2337d7..6d97710 100644
--- a/src/solaris/bin/java_md_solinux.c
+++ b/src/solaris/bin/java_md_solinux.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -613,13 +613,14 @@
/* runpath contains current effective LD_LIBRARY_PATH setting */
jvmpath = JLI_StringDup(jvmpath);
- new_runpath = JLI_MemAlloc(((runpath != NULL) ? JLI_StrLen(runpath) : 0) +
+ size_t new_runpath_size = ((runpath != NULL) ? JLI_StrLen(runpath) : 0) +
2 * JLI_StrLen(jrepath) + 2 * JLI_StrLen(arch) +
#ifdef AIX
/* On AIX we additionally need 'jli' in the path because ld doesn't support $ORIGIN. */
JLI_StrLen(jrepath) + JLI_StrLen(arch) + JLI_StrLen("/lib//jli:") +
#endif
- JLI_StrLen(jvmpath) + 52);
+ JLI_StrLen(jvmpath) + 52;
+ new_runpath = JLI_MemAlloc(new_runpath_size);
newpath = new_runpath + JLI_StrLen(LD_LIBRARY_PATH "=");
@@ -679,6 +680,11 @@
* loop of execv() because we test for the prefix, above.
*/
if (runpath != 0) {
+ /* ensure storage for runpath + colon + NULL */
+ if ((JLI_StrLen(runpath) + 1 + 1) > new_runpath_size) {
+ JLI_ReportErrorMessageSys(JRE_ERROR11);
+ exit(1);
+ }
JLI_StrCat(new_runpath, ":");
JLI_StrCat(new_runpath, runpath);
}
@@ -811,7 +817,11 @@
JLI_TraceLauncher("JRE path is %s\n", path);
return JNI_TRUE;
}
-
+ /* ensure storage for path + /jre + NULL */
+ if ((JLI_StrLen(path) + 4 + 1) > pathsize) {
+ JLI_TraceLauncher("Insufficient space to store JRE path\n");
+ return JNI_FALSE;
+ }
/* Does the app ship a private JRE in <apphome>/jre directory? */
JLI_Snprintf(libjava, sizeof(libjava), "%s/jre/lib/%s/" JAVA_DLL, path, arch);
if (access(libjava, F_OK) == 0) {
diff --git a/src/solaris/native/java/net/net_util_md.c b/src/solaris/native/java/net/net_util_md.c
index 769e540..f32b089 100644
--- a/src/solaris/native/java/net/net_util_md.c
+++ b/src/solaris/native/java/net/net_util_md.c
@@ -1521,6 +1521,7 @@
int exclbind = -1;
#endif
int rv;
+ int arg, alen;
#ifdef __linux__
/*
@@ -1537,7 +1538,7 @@
}
#endif
-#if defined(__solaris__) && defined(AF_INET6)
+#if defined(__solaris__)
/*
* Solaris has separate IPv4 and IPv6 port spaces so we
* use an exclusive bind when SO_REUSEADDR is not used to
@@ -1547,35 +1548,31 @@
* results in a late bind that fails because the
* corresponding IPv4 port is in use.
*/
- if (ipv6_available()) {
- int arg, len;
-
- len = sizeof(arg);
- if (useExclBind || getsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
- (char *)&arg, &len) == 0) {
- if (useExclBind || arg == 0) {
- /*
- * SO_REUSEADDR is disabled or sun.net.useExclusiveBind
- * property is true so enable TCP_EXCLBIND or
- * UDP_EXCLBIND
- */
- len = sizeof(arg);
- if (getsockopt(fd, SOL_SOCKET, SO_TYPE, (char *)&arg,
- &len) == 0) {
- if (arg == SOCK_STREAM) {
- level = IPPROTO_TCP;
- exclbind = TCP_EXCLBIND;
- } else {
- level = IPPROTO_UDP;
- exclbind = UDP_EXCLBIND;
- }
+ alen = sizeof(arg);
+ if (useExclBind || getsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
+ (char *)&arg, &alen) == 0) {
+ if (useExclBind || arg == 0) {
+ /*
+ * SO_REUSEADDR is disabled or sun.net.useExclusiveBind
+ * property is true so enable TCP_EXCLBIND or
+ * UDP_EXCLBIND
+ */
+ alen = sizeof(arg);
+ if (getsockopt(fd, SOL_SOCKET, SO_TYPE, (char *)&arg,
+ &alen) == 0) {
+ if (arg == SOCK_STREAM) {
+ level = IPPROTO_TCP;
+ exclbind = TCP_EXCLBIND;
+ } else {
+ level = IPPROTO_UDP;
+ exclbind = UDP_EXCLBIND;
}
-
- arg = 1;
- setsockopt(fd, level, exclbind, (char *)&arg,
- sizeof(arg));
}
- }
+
+ arg = 1;
+ setsockopt(fd, level, exclbind, (char *)&arg,
+ sizeof(arg));
+ }
}
#endif
diff --git a/src/windows/bin/java_md.c b/src/windows/bin/java_md.c
index 43ccfc8..cf146ed 100644
--- a/src/windows/bin/java_md.c
+++ b/src/windows/bin/java_md.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -318,7 +318,11 @@
JLI_TraceLauncher("JRE path is %s\n", path);
return JNI_TRUE;
}
-
+ /* ensure storage for path + \jre + NULL */
+ if ((JLI_StrLen(path) + 4 + 1) > pathsize) {
+ JLI_TraceLauncher("Insufficient space to store JRE path\n");
+ return JNI_FALSE;
+ }
/* Does this app ship a private JRE in <apphome>\jre directory? */
JLI_Snprintf(javadll, sizeof (javadll), "%s\\jre\\bin\\" JAVA_DLL, path);
if (stat(javadll, &s) == 0) {
diff --git a/test/com/sun/security/auth/login/ConfigFile/InconsistentError.java b/test/com/sun/security/auth/login/ConfigFile/InconsistentError.java
index 8bece1c..6dd4825 100644
--- a/test/com/sun/security/auth/login/ConfigFile/InconsistentError.java
+++ b/test/com/sun/security/auth/login/ConfigFile/InconsistentError.java
@@ -26,6 +26,7 @@
* @bug 4406033
* @summary ConfigFile throws an inconsistent error message
* when the configuration file is not found
+ * @run main/othervm -Duser.language=en InconsistentError
*/
import com.sun.security.auth.login.*;
diff --git a/test/com/sun/security/auth/module/KeyStoreLoginModule/OptionTest.java b/test/com/sun/security/auth/module/KeyStoreLoginModule/OptionTest.java
index 585b3b6..3b91876 100644
--- a/test/com/sun/security/auth/module/KeyStoreLoginModule/OptionTest.java
+++ b/test/com/sun/security/auth/module/KeyStoreLoginModule/OptionTest.java
@@ -25,6 +25,7 @@
* @test
* @bug 4919147
* @summary Support for token-based KeyStores
+ * @run main/othervm -Duser.language=en OptionTest
*/
import java.io.File;
diff --git a/test/java/awt/datatransfer/ClipboardInterVMTest/ClipboardInterVMTest.java b/test/java/awt/datatransfer/ClipboardInterVMTest/ClipboardInterVMTest.java
new file mode 100644
index 0000000..fd1fa7c
--- /dev/null
+++ b/test/java/awt/datatransfer/ClipboardInterVMTest/ClipboardInterVMTest.java
@@ -0,0 +1,171 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ @test
+ @bug 8071668
+ @summary Check whether clipboard see changes from external process after taking ownership
+ @author Anton Nashatyrev: area=datatransfer
+ @library /lib/testlibrary
+ @build jdk.testlibrary.Utils
+ @run main ClipboardInterVMTest
+*/
+
+import jdk.testlibrary.Utils;
+
+import java.awt.*;
+import java.awt.datatransfer.*;
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.io.Reader;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
+public class ClipboardInterVMTest {
+
+ static CountDownLatch lostOwnershipMonitor = new CountDownLatch(1);
+ static CountDownLatch flavorChangedMonitor = new CountDownLatch(1);
+ static Process process;
+
+ public static void main(String[] args) throws Throwable {
+ Clipboard clip = Toolkit.getDefaultToolkit().getSystemClipboard();
+
+ if (args.length > 0) {
+ System.out.println("Changing clip...");
+ clip.setContents(new StringSelection("pong"), null);
+ System.out.println("done");
+ // keeping this process running for a while since on Mac the clipboard
+ // will be invalidated via NSApplicationDidBecomeActiveNotification
+ // callback in the main process after this child process finishes
+ Thread.sleep(60 * 1000);
+ return;
+ };
+
+
+ clip.setContents(new CustomSelection(), new ClipboardOwner() {
+ @Override
+ public void lostOwnership(Clipboard clipboard, Transferable contents) {
+ System.out.println("ClipboardInterVMTest.lostOwnership");
+ lostOwnershipMonitor.countDown();
+ }
+ });
+
+ clip.addFlavorListener(new FlavorListener() {
+ @Override
+ public void flavorsChanged(FlavorEvent e) {
+ System.out.println("ClipboardInterVMTest.flavorsChanged");
+ flavorChangedMonitor.countDown();
+ }
+ });
+
+ System.out.println("Starting external clipborad modifier...");
+ new Thread(() -> runTest(ClipboardInterVMTest.class.getCanonicalName(), "pong")).start();
+
+ String content = "";
+ long startTime = System.currentTimeMillis();
+ while (System.currentTimeMillis() - startTime < 30 * 1000) {
+ Transferable c = clip.getContents(null);
+ if (c.isDataFlavorSupported(DataFlavor.plainTextFlavor)) {
+ Reader reader = DataFlavor.plainTextFlavor.getReaderForText(c);
+ content = new BufferedReader(reader).readLine();
+ System.out.println(content);
+ if (content.equals("pong")) {
+ break;
+ }
+ }
+ Thread.sleep(200);
+ }
+
+ if (!lostOwnershipMonitor.await(10, TimeUnit.SECONDS)) {
+ throw new RuntimeException("No LostOwnership event received.");
+ };
+
+ if (!flavorChangedMonitor.await(10, TimeUnit.SECONDS)) {
+ throw new RuntimeException("No LostOwnership event received.");
+ };
+
+ if (!content.equals("pong")) {
+ throw new RuntimeException("Content was not passed.");
+ }
+
+ process.destroy();
+
+ System.out.println("Passed.");
+ }
+
+ private static void runTest(String main, String... args) {
+
+ try {
+ List<String> opts = new ArrayList<>();
+ opts.add(getJavaExe());
+ opts.addAll(Arrays.asList(Utils.getTestJavaOpts()));
+ opts.add("-cp");
+ opts.add(System.getProperty("test.class.path", System.getProperty("java.class.path")));
+
+ opts.add(main);
+ opts.addAll(Arrays.asList(args));
+
+ ProcessBuilder pb = new ProcessBuilder(opts.toArray(new String[0]));
+ process = pb.start();
+ } catch (Throwable throwable) {
+ throw new RuntimeException(throwable);
+ }
+ }
+
+ private static String getJavaExe() throws IOException {
+ File p = new File(System.getProperty("java.home"), "bin");
+ File j = new File(p, "java");
+ if (!j.canRead()) {
+ j = new File(p, "java.exe");
+ }
+ if (!j.canRead()) {
+ throw new RuntimeException("Can't find java executable in " + p);
+ }
+ return j.getCanonicalPath();
+ }
+
+ static class CustomSelection implements Transferable {
+ private static final DataFlavor[] flavors = { DataFlavor.allHtmlFlavor };
+
+ public DataFlavor[] getTransferDataFlavors() {
+ return flavors;
+ }
+
+ public boolean isDataFlavorSupported(DataFlavor flavor) {
+ return flavors[0].equals(flavor);
+ }
+
+ public Object getTransferData(DataFlavor flavor)
+ throws UnsupportedFlavorException, java.io.IOException {
+ if (isDataFlavorSupported(flavor)) {
+ return "ping";
+ } else {
+ throw new UnsupportedFlavorException(flavor);
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/test/javax/xml/jaxp/parsers/8073385/BadExceptionMessageTest.java b/test/javax/xml/jaxp/parsers/8073385/BadExceptionMessageTest.java
new file mode 100644
index 0000000..719629b
--- /dev/null
+++ b/test/javax/xml/jaxp/parsers/8073385/BadExceptionMessageTest.java
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8073385
+ * @summary test that invalid XML character exception string contains
+ * information about character value, element and attribute names
+ * @run testng/othervm BadExceptionMessageTest
+ */
+
+import java.io.StringReader;
+import java.util.Locale;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.DocumentBuilder;
+import org.xml.sax.SAXException;
+import org.xml.sax.InputSource;
+
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+import static org.testng.Assert.assertTrue;
+
+public class BadExceptionMessageTest {
+
+ private Locale defLoc;
+
+ @BeforeClass
+ private void setup() {
+ defLoc = Locale.getDefault();
+ Locale.setDefault(Locale.ENGLISH);
+ }
+
+ @AfterClass
+ private void cleanup() {
+ Locale.setDefault(defLoc);
+ }
+
+ @DataProvider(name = "illegalCharactersData")
+ public static Object[][] illegalCharactersData() {
+ return new Object[][]{
+ {0x00},
+ {0xFFFE},
+ {0xFFFF}
+ };
+ }
+
+ @Test(dataProvider = "illegalCharactersData")
+ public void test(int character) throws Exception {
+ // Construct the XML document as a String
+ int[] cps = new int[]{character};
+ String txt = new String(cps, 0, cps.length);
+ String inxml = "<topElement attTest=\'" + txt + "\'/>";
+ String exceptionText = "NO EXCEPTION OBSERVED";
+ String hexString = "0x" + Integer.toHexString(character);
+
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setNamespaceAware(true);
+ dbf.setValidating(false);
+ DocumentBuilder db = dbf.newDocumentBuilder();
+ InputSource isrc = new InputSource(new StringReader(inxml));
+
+ try {
+ db.parse(isrc);
+ } catch (SAXException e) {
+ exceptionText = e.toString();
+ }
+ System.out.println("Got Exception:" + exceptionText);
+ assertTrue(exceptionText.contains("attribute \"attTest\""));
+ assertTrue(exceptionText.contains("element is \"topElement\""));
+ assertTrue(exceptionText.contains("Unicode: " + hexString));
+ }
+}
diff --git a/test/javax/xml/jaxp/transform/8062923/XslSubstringTest.java b/test/javax/xml/jaxp/transform/8062923/XslSubstringTest.java
index fcc36ae..cb3594b 100644
--- a/test/javax/xml/jaxp/transform/8062923/XslSubstringTest.java
+++ b/test/javax/xml/jaxp/transform/8062923/XslSubstringTest.java
@@ -23,10 +23,11 @@
/**
* @test
- * @bug 8062923 8062924
+ * @bug 8062923 8062924 8074297 8076290
* @run testng XslSubstringTest
* @summary Test xsl substring function with negative, Inf and
- * NaN length and few other use cases
+ * NaN length and few other use cases. Also test proper
+ * processing of supplementary characters by substring function.
*/
import java.io.StringReader;
@@ -39,6 +40,7 @@
import javax.xml.transform.stream.StreamSource;
import static org.testng.Assert.assertEquals;
+import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
public class XslSubstringTest {
@@ -50,6 +52,36 @@
+ "<xsl:template match='/'><t>";
final String xslPost = "</t></xsl:template></xsl:stylesheet>";
+ @DataProvider(name = "GeneralTestsData")
+ private Object[][] xmls() {
+ return new Object[][] {
+ { "|<xsl:value-of select=\"substring('asdf',2, 1)\"/>|", "<t>|s|</t>"},
+ { "|<xsl:value-of select=\"substring('asdf',2, 1 div 0)\"/>|", "<t>|sdf|</t>"},
+ { "|<xsl:value-of select=\"substring('asdf',2, -0 div 0)\"/>|", "<t>||</t>" },
+ { "|<xsl:value-of select=\"substring('asdf',2, 1 div 0)\"/>|", "<t>|sdf|</t>" },
+ // 8076290 bug test case
+ { "|<xsl:value-of select=\"substring('123', 0, 3)\"/>|", "<t>|12|</t>"},
+ };
+ }
+
+ @DataProvider(name = "SupplementaryCharactersTestData")
+ private Object[][] dataSupplementaryCharacters() {
+ return new Object[][] {
+ // 8074297 bug test cases
+ { "|<xsl:value-of select=\"substring('𠀋ABC', 3)\"/>|", "<t>|BC|</t>"},
+ { "|<xsl:value-of select=\"substring('𠀋ABC', 3, 1)\"/>|", "<t>|B|</t>" },
+ { "|<xsl:value-of select=\"substring('𠀋ABC', 2, 2)\"/>|", "<t>|AB|</t>"},
+ { "|<xsl:value-of select=\"substring('𠀋ABC', 3, 2)\"/>|", "<t>|BC|</t>"},
+ { "|<xsl:value-of select=\"substring('𠀋ABC', 3, 4)\"/>|", "<t>|BC|</t>"},
+ { "|<xsl:value-of select=\"substring('𠀋ABC', 1, 1)\"/>|", "<t>|𠀋|</t>"},
+ { "|<xsl:value-of select=\"substring('𠀋ABC', 2, 1)\"/>|", "<t>|A|</t>"},
+ { "|<xsl:value-of select=\"substring('𠀋ABC', 1, 1 div 0)\"/>|", "<t>|𠀋ABC|</t>"},
+ { "|<xsl:value-of select=\"substring('𠀋ABC', -10, 1 div 0)\"/>|", "<t>|𠀋ABC|</t>"},
+ // 8076290 bug test case
+ { "|<xsl:value-of select=\"substring('𠀋ABC', 0, 2)\"/>|", "<t>|𠀋|</t>"},
+ };
+ }
+
private String testTransform(String xsl) throws Exception {
//Prepare sources for transormation
Source src = new StreamSource(new StringReader(xml));
@@ -78,27 +110,14 @@
"<t>||</t>");
}
- @Test
- public void testGeneral1() throws Exception {
- assertEquals(testTransform("|<xsl:value-of select=\"substring('asdf',2, 1)\"/>|"),
- "<t>|s|</t>");
+ @Test(dataProvider = "GeneralTestsData")
+ public void testGeneralAll(String xsl, String result) throws Exception {
+ assertEquals(testTransform(xsl), result);
}
- @Test
- public void testGeneral2() throws Exception {
- assertEquals(testTransform("|<xsl:value-of select=\"substring('asdf',2, 1 div 0)\"/>|"),
- "<t>|sdf|</t>");
+ @Test(dataProvider = "SupplementaryCharactersTestData")
+ public void testSupplementCharacters(String xsl, String result) throws Exception {
+ assertEquals(testTransform(xsl), result);
}
- @Test
- public void testGeneral3() throws Exception {
- assertEquals(testTransform("|<xsl:value-of select=\"substring('asdf',2, -0 div 0)\"/>|"),
- "<t>||</t>");
- }
-
- @Test
- public void testGeneral4() throws Exception {
- assertEquals(testTransform("|<xsl:value-of select=\"substring('asdf',2, 0 div 0)\"/>|"),
- "<t>||</t>");
- }
}
diff --git a/test/javax/xml/ws/8046817/GenerateEnumSchema.java b/test/javax/xml/ws/8046817/GenerateEnumSchema.java
index cb70d22..4ef1f05 100644
--- a/test/javax/xml/ws/8046817/GenerateEnumSchema.java
+++ b/test/javax/xml/ws/8046817/GenerateEnumSchema.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -23,57 +23,83 @@
/*
* @test
- * @bug 8046817
- * @summary schemagen fails to generate xsd for enum types
+ * @bug 8046817 8073357
+ * @summary schemagen fails to generate xsd for enum types.
+ * Check that order of Enum values is preserved.
* @run main/othervm GenerateEnumSchema
*/
import java.io.BufferedReader;
import java.io.File;
-import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStreamReader;
+import java.nio.file.Files;
import java.nio.file.Paths;
-import java.util.Scanner;
+import java.util.stream.Collectors;
public class GenerateEnumSchema {
private static final String SCHEMA_OUTPUT_FILENAME = "schema1.xsd";
private static final File schemaOutputFile = new File(SCHEMA_OUTPUT_FILENAME);
+ private static final String[] expectedEnums = {
+ "\"FIRST\"", "\"ONE\"", "\"TWO\"", "\"THREE\"",
+ "\"FOUR\"", "\"FIVE\"", "\"SIX\"", "\"LAST\""};
+ private static String schemaContent = "";
- public static void main(String[] args) throws Exception, IOException {
+ public static void main(String[] args) throws Exception {
+
//Check schema generation for class type
runSchemaGen("TestClassType.java");
checkIfSchemaGenerated();
+ readSchemaContent();
checkSchemaContent("<xs:complexType name=\"testClassType\">");
checkSchemaContent("<xs:element name=\"a\" type=\"xs:int\"/>");
- schemaOutputFile.delete();
+
//Check schema generation for enum type
runSchemaGen("TestEnumType.java");
checkIfSchemaGenerated();
+ readSchemaContent();
+ //Check if Enum type schema is generated
checkSchemaContent("<xs:simpleType name=\"testEnumType\">");
- checkSchemaContent("<xs:enumeration value=\"ONE\"/>");
- checkSchemaContent("<xs:enumeration value=\"TWO\"/>");
- checkSchemaContent("<xs:enumeration value=\"THREE\"/>");
+ //Check the sequence of enum values order
+ checkEnumOrder();
schemaOutputFile.delete();
}
+ // Check if schema file successfully generated by schemagen
private static void checkIfSchemaGenerated() {
if (!schemaOutputFile.exists()) {
throw new RuntimeException("FAIL:" + SCHEMA_OUTPUT_FILENAME + " was not generated by schemagen tool");
}
}
- private static void checkSchemaContent(String exp_token) throws FileNotFoundException {
- System.out.print("Check if generated schema contains '" + exp_token + "' string: ");
- try (Scanner scanner = new Scanner(schemaOutputFile)) {
- if (scanner.findWithinHorizon(exp_token, 0) != null) {
- System.out.println("OK");
- return;
- }
+ //Read schema content from file
+ private static void readSchemaContent() throws Exception {
+ schemaContent = Files.lines(schemaOutputFile.toPath()).collect(Collectors.joining(""));
+ }
+
+ // Check if schema file contains specific string
+ private static void checkSchemaContent(String expContent) {
+ System.out.print("Check if generated schema contains '" + expContent + "' string: ");
+ if (schemaContent.contains(expContent)) {
+ System.out.println("OK");
+ return;
}
System.out.println("FAIL");
- throw new RuntimeException("The '" + exp_token + "' is not found in generated schema");
+ throw new RuntimeException("The '" + expContent + "' is not found in generated schema");
+ }
+ // Check if the generated schema contains all enum constants
+ // and their order is preserved
+ private static void checkEnumOrder() throws Exception {
+ int prevElem = -1;
+ for (String elem : expectedEnums) {
+ int curElem = schemaContent.indexOf(elem);
+ System.out.println(elem + " position = " + curElem);
+ if (curElem < prevElem) {
+ throw new RuntimeException("FAIL: Enum values order is incorrect or " + elem + " element is not found");
+ }
+ prevElem = curElem;
+ }
}
private static String getClassFilePath(String filename) {
diff --git a/test/javax/xml/ws/8046817/TestEnumType.java b/test/javax/xml/ws/8046817/TestEnumType.java
index 785fb19..728e1b7 100644
--- a/test/javax/xml/ws/8046817/TestEnumType.java
+++ b/test/javax/xml/ws/8046817/TestEnumType.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,5 +25,5 @@
@XmlEnum(String.class)
public enum TestEnumType {
- ONE, TWO, THREE
+ FIRST, ONE, TWO, THREE, FOUR, FIVE, SIX, LAST
}
diff --git a/test/sun/security/pkcs11/sslecc/CipherTest.java b/test/sun/security/pkcs11/sslecc/CipherTest.java
index ae5091e..4ec2374 100644
--- a/test/sun/security/pkcs11/sslecc/CipherTest.java
+++ b/test/sun/security/pkcs11/sslecc/CipherTest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -45,7 +45,7 @@
public class CipherTest {
// use any available port for the server socket
- static int serverPort = 0;
+ static volatile int serverPort = 0;
final int THREADS;
diff --git a/test/sun/security/pkcs11/sslecc/JSSEServer.java b/test/sun/security/pkcs11/sslecc/JSSEServer.java
index 0d1002b..af8d4b5 100644
--- a/test/sun/security/pkcs11/sslecc/JSSEServer.java
+++ b/test/sun/security/pkcs11/sslecc/JSSEServer.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -42,7 +42,7 @@
serverContext.init(new KeyManager[] {cipherTest.keyManager}, new TrustManager[] {cipherTest.trustManager}, cipherTest.secureRandom);
SSLServerSocketFactory factory = (SSLServerSocketFactory)serverContext.getServerSocketFactory();
- serverSocket = (SSLServerSocket)factory.createServerSocket(cipherTest.serverPort);
+ serverSocket = (SSLServerSocket)factory.createServerSocket(0);
cipherTest.serverPort = serverSocket.getLocalPort();
serverSocket.setEnabledCipherSuites(factory.getSupportedCipherSuites());
serverSocket.setWantClientAuth(true);
diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
index 546a786..9873611 100644
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -79,6 +79,9 @@
ssle1.setEnabledCipherSuites(new String [] {
"SSL_RSA_WITH_RC4_128_MD5"});
+ ssle2.setEnabledCipherSuites(new String [] {
+ "SSL_RSA_WITH_RC4_128_MD5"});
+
createBuffers();
}
diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
index 5960ea6..a7a9f44 100644
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -92,6 +92,7 @@
createSSLEngines();
System.out.println("Using " + cipher);
+ ssle1.setEnabledCipherSuites(new String [] { cipher });
ssle2.setEnabledCipherSuites(new String [] { cipher });
createBuffers();
diff --git a/test/sun/security/ssl/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java b/test/sun/security/ssl/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java
index c25d74c..41ae7bb 100644
--- a/test/sun/security/ssl/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java
+++ b/test/sun/security/ssl/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -31,7 +31,7 @@
* @bug 7188657
* @summary There should be a way to reorder the JSSE ciphers
* @run main/othervm UseCipherSuitesOrder
- * TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
+ * TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
*/
import java.io.*;
diff --git a/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java b/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
index c96d8ec..0bb929a 100644
--- a/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
+++ b/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -93,6 +93,10 @@
SSLServerSocket sslServerSocket =
(SSLServerSocket) sslssf.createServerSocket(serverPort);
+ // enable a stream cipher
+ sslServerSocket.setEnabledCipherSuites(
+ new String[] {"SSL_RSA_WITH_RC4_128_MD5"});
+
serverPort = sslServerSocket.getLocalPort();
/*
diff --git a/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java b/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java
index 69745aa..d7cd97d 100644
--- a/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java
+++ b/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -93,13 +93,6 @@
"SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
- "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
- "SSL_RSA_WITH_RC4_128_SHA",
- "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
- "TLS_ECDH_RSA_WITH_RC4_128_SHA",
- "SSL_RSA_WITH_RC4_128_MD5",
-
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
"TLS_DH_anon_WITH_AES_256_GCM_SHA384",
@@ -113,8 +106,16 @@
"TLS_DH_anon_WITH_AES_128_CBC_SHA",
"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
"SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
+
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+ "SSL_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+ "SSL_RSA_WITH_RC4_128_MD5",
"TLS_ECDH_anon_WITH_RC4_128_SHA",
"SSL_DH_anon_WITH_RC4_128_MD5",
+
"SSL_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
diff --git a/test/sun/util/calendar/zi/tzdata/VERSION b/test/sun/util/calendar/zi/tzdata/VERSION
index 034114a..ebd4db7 100644
--- a/test/sun/util/calendar/zi/tzdata/VERSION
+++ b/test/sun/util/calendar/zi/tzdata/VERSION
@@ -21,4 +21,4 @@
# or visit www.oracle.com if you need additional information or have any
# questions.
#
-tzdata2015a
+tzdata2015b
diff --git a/test/sun/util/calendar/zi/tzdata/asia b/test/sun/util/calendar/zi/tzdata/asia
index bff837c..fa4f246 100644
--- a/test/sun/util/calendar/zi/tzdata/asia
+++ b/test/sun/util/calendar/zi/tzdata/asia
@@ -1927,6 +1927,13 @@
# was at the start of 2008-03-31 (the day of Steffen Thorsen's report);
# this is almost surely wrong.
+# From Ganbold Tsagaankhuu (2015-03-10):
+# It seems like yesterday Mongolian Government meeting has concluded to use
+# daylight saving time in Mongolia.... Starting at 2:00AM of last Saturday of
+# March 2015, daylight saving time starts. And 00:00AM of last Saturday of
+# September daylight saving time ends. Source:
+# http://zasag.mn/news/view/8969
+
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
Rule Mongol 1983 1984 - Apr 1 0:00 1:00 S
Rule Mongol 1983 only - Oct 1 0:00 0 -
@@ -1947,6 +1954,8 @@
Rule Mongol 2001 only - Apr lastSat 2:00 1:00 S
Rule Mongol 2001 2006 - Sep lastSat 2:00 0 -
Rule Mongol 2002 2006 - Mar lastSat 2:00 1:00 S
+Rule Mongol 2015 max - Mar lastSat 2:00 1:00 S
+Rule Mongol 2015 max - Sep lastSat 0:00 0 -
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
# Hovd, a.k.a. Chovd, Dund-Us, Dzhargalant, Khovd, Jirgalanta
@@ -2365,13 +2374,19 @@
# official source...:
# http://www.palestinecabinet.gov.ps/ar/Views/ViewDetails.aspx?pid=1252
-# From Paul Eggert (2013-09-24):
-# For future dates, guess the last Thursday in March at 24:00 through
-# the first Friday on or after September 21 at 00:00. This is consistent with
-# the predictions in today's editions of the following URLs,
-# which are for Gaza and Hebron respectively:
-# http://www.timeanddate.com/worldclock/timezone.html?n=702
-# http://www.timeanddate.com/worldclock/timezone.html?n=2364
+# From Steffen Thorsen (2015-03-03):
+# Sources such as http://www.alquds.com/news/article/view/id/548257
+# and http://www.raya.ps/ar/news/890705.html say Palestine areas will
+# start DST on 2015-03-28 00:00 which is one day later than expected.
+#
+# From Paul Eggert (2015-03-03):
+# http://www.timeanddate.com/time/change/west-bank/ramallah?year=2014
+# says that the fall 2014 transition was Oct 23 at 24:00.
+# For future dates, guess the last Friday in March at 24:00 through
+# the first Friday on or after October 21 at 00:00. This is consistent with
+# the predictions in today's editions of the following URLs:
+# http://www.timeanddate.com/time/change/gaza-strip/gaza
+# http://www.timeanddate.com/time/change/west-bank/hebron
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
@@ -2397,9 +2412,11 @@
Rule Palestine 2011 only - Aug 1 0:00 0 -
Rule Palestine 2011 only - Aug 30 0:00 1:00 S
Rule Palestine 2011 only - Sep 30 0:00 0 -
-Rule Palestine 2012 max - Mar lastThu 24:00 1:00 S
+Rule Palestine 2012 2014 - Mar lastThu 24:00 1:00 S
Rule Palestine 2012 only - Sep 21 1:00 0 -
-Rule Palestine 2013 max - Sep Fri>=21 0:00 0 -
+Rule Palestine 2013 only - Sep Fri>=21 0:00 0 -
+Rule Palestine 2014 max - Oct Fri>=21 0:00 0 -
+Rule Palestine 2015 max - Mar lastFri 24:00 1:00 S
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
diff --git a/test/sun/util/calendar/zi/tzdata/australasia b/test/sun/util/calendar/zi/tzdata/australasia
index f2a89e8..ec9f392 100644
--- a/test/sun/util/calendar/zi/tzdata/australasia
+++ b/test/sun/util/calendar/zi/tzdata/australasia
@@ -396,6 +396,7 @@
9:39:00 - LMT 1901 # Agana
10:00 - GST 2000 Dec 23 # Guam
10:00 - ChST # Chamorro Standard Time
+Link Pacific/Guam Pacific/Saipan # N Mariana Is
# Kiribati
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
@@ -411,12 +412,7 @@
14:00 - LINT
# N Mariana Is
-# Zone NAME GMTOFF RULES FORMAT [UNTIL]
-Zone Pacific/Saipan -14:17:00 - LMT 1844 Dec 31
- 9:43:00 - LMT 1901
- 9:00 - MPT 1969 Oct # N Mariana Is Time
- 10:00 - MPT 2000 Dec 23
- 10:00 - ChST # Chamorro Standard Time
+# See Pacific/Guam.
# Marshall Is
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
@@ -586,6 +582,7 @@
-11:00 - NST 1967 Apr # N=Nome
-11:00 - BST 1983 Nov 30 # B=Bering
-11:00 - SST # S=Samoa
+Link Pacific/Pago_Pago Pacific/Midway # in US minor outlying islands
# Samoa (formerly and also known as Western Samoa)
@@ -767,23 +764,7 @@
# uninhabited
# Midway
-#
-# From Mark Brader (2005-01-23):
-# [Fallacies and Fantasies of Air Transport History, by R.E.G. Davies,
-# published 1994 by Paladwr Press, McLean, VA, USA; ISBN 0-9626483-5-3]
-# reproduced a Pan American Airways timetable from 1936, for their weekly
-# "Orient Express" flights between San Francisco and Manila, and connecting
-# flights to Chicago and the US East Coast. As it uses some time zone
-# designations that I've never seen before:....
-# Fri. 6:30A Lv. HONOLOLU (Pearl Harbor), H.I. H.L.T. Ar. 5:30P Sun.
-# " 3:00P Ar. MIDWAY ISLAND . . . . . . . . . M.L.T. Lv. 6:00A "
-#
-Zone Pacific/Midway -11:49:28 - LMT 1901
- -11:00 - NST 1956 Jun 3
- -11:00 1:00 NDT 1956 Sep 2
- -11:00 - NST 1967 Apr # N=Nome
- -11:00 - BST 1983 Nov 30 # B=Bering
- -11:00 - SST # S=Samoa
+# See Pacific/Pago_Pago.
# Palmyra
# uninhabited since World War II; was probably like Pacific/Kiritimati
diff --git a/test/sun/util/calendar/zi/tzdata/europe b/test/sun/util/calendar/zi/tzdata/europe
index 89790f0..008268a 100644
--- a/test/sun/util/calendar/zi/tzdata/europe
+++ b/test/sun/util/calendar/zi/tzdata/europe
@@ -2423,7 +2423,7 @@
4:00 Russia VOL%sT 1989 Mar 26 2:00s # Volgograd T
3:00 Russia VOL%sT 1991 Mar 31 2:00s
4:00 - VOLT 1992 Mar 29 2:00s
- 3:00 Russia MSK 2011 Mar 27 2:00s
+ 3:00 Russia MSK/MSD 2011 Mar 27 2:00s
4:00 - MSK 2014 Oct 26 2:00s
3:00 - MSK
diff --git a/test/sun/util/calendar/zi/tzdata/northamerica b/test/sun/util/calendar/zi/tzdata/northamerica
index 5943cfe..442a50e 100644
--- a/test/sun/util/calendar/zi/tzdata/northamerica
+++ b/test/sun/util/calendar/zi/tzdata/northamerica
@@ -2335,8 +2335,24 @@
# "...the new time zone will come into effect at two o'clock on the first Sunday
# of February, when we will have to advance the clock one hour from its current
# time..."
-#
# Also, the new zone will not use DST.
+#
+# From Carlos Raúl Perasso (2015-02-02):
+# The decree that modifies the Mexican Hour System Law has finally
+# been published at the Diario Oficial de la Federación
+# http://www.dof.gob.mx/nota_detalle.php?codigo=5380123&fecha=31/01/2015
+# It establishes 5 zones for Mexico:
+# 1- Zona Centro (Central Zone): Corresponds to longitude 90 W,
+# includes most of Mexico, excluding what's mentioned below.
+# 2- Zona Pacífico (Pacific Zone): Longitude 105 W, includes the
+# states of Baja California Sur; Chihuahua; Nayarit (excluding Bahía
+# de Banderas which lies in Central Zone); Sinaloa and Sonora.
+# 3- Zona Noroeste (Northwest Zone): Longitude 120 W, includes the
+# state of Baja California.
+# 4- Zona Sureste (Southeast Zone): Longitude 75 W, includes the state
+# of Quintana Roo.
+# 5- The islands, reefs and keys shall take their timezone from the
+# longitude they are located at.
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
Rule Mexico 1939 only - Feb 5 0:00 1:00 D
@@ -2531,13 +2547,8 @@
###############################################################################
# Anguilla
-# See America/Port_of_Spain.
-
# Antigua and Barbuda
-# Zone NAME GMTOFF RULES FORMAT [UNTIL]
-Zone America/Antigua -4:07:12 - LMT 1912 Mar 2
- -5:00 - EST 1951
- -4:00 - AST
+# See America/Port_of_Spain.
# Bahamas
#
@@ -2604,10 +2615,7 @@
-4:00 US A%sT
# Cayman Is
-# Zone NAME GMTOFF RULES FORMAT [UNTIL]
-Zone America/Cayman -5:25:32 - LMT 1890 # Georgetown
- -5:07:11 - KMT 1912 Feb # Kingston Mean Time
- -5:00 - EST
+# See America/Panama.
# Costa Rica
@@ -3130,6 +3138,7 @@
Zone America/Panama -5:18:08 - LMT 1890
-5:19:36 - CMT 1908 Apr 22 # Colón Mean Time
-5:00 - EST
+Link America/Panama America/Cayman
# Puerto Rico
# There are too many San Juans elsewhere, so we'll use 'Puerto_Rico'.
diff --git a/test/sun/util/calendar/zi/tzdata/southamerica b/test/sun/util/calendar/zi/tzdata/southamerica
index 02cf121..238ae3d 100644
--- a/test/sun/util/calendar/zi/tzdata/southamerica
+++ b/test/sun/util/calendar/zi/tzdata/southamerica
@@ -1229,10 +1229,13 @@
# DST Start: first Saturday of September 2014 (Sun 07 Sep 2014 04:00 UTC)
# http://www.diariooficial.interior.gob.cl//media/2014/02/19/do-20140219.pdf
-# From Juan Correa (2015-01-28):
-# ... today the Ministry of Energy announced that Chile will drop DST, will keep
-# "summer time" (UTC -3 / UTC -5) all year round....
-# http://www.minenergia.cl/ministerio/noticias/generales/ministerio-de-energia-anuncia.html
+# From Eduardo Romero Urra (2015-03-03):
+# Today has been published officially that Chile will use the DST time
+# permanently until March 25 of 2017
+# http://www.diariooficial.interior.gob.cl/media/2015/03/03/1-large.jpg
+#
+# From Paul Eggert (2015-03-03):
+# For now, assume that the extension will persist indefinitely.
# NOTE: ChileAQ rules for Antarctic bases are stored separately in the
# 'antarctica' file.
@@ -1291,7 +1294,7 @@
-3:00 - CLT
Zone Pacific/Easter -7:17:44 - LMT 1890
-7:17:28 - EMT 1932 Sep # Easter Mean Time
- -7:00 Chile EAS%sT 1982 Mar 13 3:00u # Easter Time
+ -7:00 Chile EAS%sT 1982 Mar 14 3:00u # Easter Time
-6:00 Chile EAS%sT 2015 Apr 26 3:00u
-5:00 - EAST
#
@@ -1626,6 +1629,7 @@
# These all agree with Trinidad and Tobago since 1970.
Link America/Port_of_Spain America/Anguilla
+Link America/Port_of_Spain America/Antigua
Link America/Port_of_Spain America/Dominica
Link America/Port_of_Spain America/Grenada
Link America/Port_of_Spain America/Guadeloupe