Mercurial > hg > openjdk > aarch64-port > jdk
changeset 10980:eafaf84c15d1
Merge
author | asaha |
---|---|
date | Wed, 15 Apr 2015 11:27:59 -0700 |
parents | e8117dbd5e54 (diff) d7d84b8fb8be (current diff) |
children | efc8652da937 |
files | .hgtags |
diffstat | 57 files changed, 1304 insertions(+), 549 deletions(-) |
--- a/.hgtags Wed Apr 15 10:57:23 2015 -0700 +++ b/.hgtags Wed Apr 15 11:27:59 2015 -0700 @@ -353,11 +353,11 @@ a21dd7999d1e4ba612c951c2c78504d23eb7243a jdk8u31-b11 6a12f34816d2ee12368274fc21225384a8893426 jdk8u31-b12 1fbdd5d80d0671decd8acb5adb64866f609e986f jdk8u31-b13 -a1c3099e1b90230435e890ca56adc8a5aa5149ff jdk8u31-b33 367c7f061c5831ee54cd197f727e06109a67875b jdk8u31-b14 287e3219f3f531b2f20b50b180802a563a782b26 jdk8u31-b15 ced84cf3eebc69f7e04b0098d85dcb3a6b872586 jdk8u31-b31 46338075c4262057099e57638e0758817052da0d jdk8u31-b32 +a1c3099e1b90230435e890ca56adc8a5aa5149ff jdk8u31-b33 e6ed015afbbf3459ba3297e270b4f3170e989c80 jdk8u40-b00 6e223d48080ef40f4ec11ecbcd19b4a20813b9eb jdk8u40-b01 4797cd0713b44b009525f1276d571ade7e24f3f5 jdk8u40-b02 @@ -405,3 +405,12 @@ 20e6cadfac43717a81d99daff5e769de695992cd jdk8u45-b14 c7fbbf6133c339fb56f03241de28666774023d5d jdk8u45-b31 ea547c5a1217fe7916f366950d0e3156e4225aa5 jdk8u45-b32 +ac97b69b88e37c18c1b077be8b1f100b6803fea5 jdk8u51-b00 +2e0732282470f7a02d57af5fc8542efa9db7b3e4 jdk8u51-b01 +cc75137936f9a8e97017e7e18b1064b76238116f jdk8u51-b02 +f732971e3d20664164a3797cf0b1a4cb80470959 jdk8u51-b03 +6d6c0c93e822dc0e37d657060488de934ac2eb4c jdk8u51-b04 +7d9a58baae72804f0852890cf9fc75e6a759b608 jdk8u51-b05 +93e6b2bbc9ff46b3fea1fe89b810259d150a9fc4 jdk8u51-b06 +286b9a885fcc6245fdf2b20697473ec3b35f2538 jdk8u51-b07 +f7da0b943b9381aaf378d0c7b337dd7654335293 jdk8u51-b08
--- a/make/data/tzdata/VERSION Wed Apr 15 10:57:23 2015 -0700 +++ b/make/data/tzdata/VERSION Wed Apr 15 11:27:59 2015 -0700 @@ -21,4 +21,4 @@ # or visit www.oracle.com if you need additional information or have any # questions. # -tzdata2015a +tzdata2015b
--- a/make/data/tzdata/asia Wed Apr 15 10:57:23 2015 -0700 +++ b/make/data/tzdata/asia Wed Apr 15 11:27:59 2015 -0700 @@ -1927,6 +1927,13 @@ # was at the start of 2008-03-31 (the day of Steffen Thorsen's report); # this is almost surely wrong. +# From Ganbold Tsagaankhuu (2015-03-10): +# It seems like yesterday Mongolian Government meeting has concluded to use +# daylight saving time in Mongolia.... Starting at 2:00AM of last Saturday of +# March 2015, daylight saving time starts. And 00:00AM of last Saturday of +# September daylight saving time ends. Source: +# http://zasag.mn/news/view/8969 + # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S Rule Mongol 1983 1984 - Apr 1 0:00 1:00 S Rule Mongol 1983 only - Oct 1 0:00 0 - @@ -1947,6 +1954,8 @@ Rule Mongol 2001 only - Apr lastSat 2:00 1:00 S Rule Mongol 2001 2006 - Sep lastSat 2:00 0 - Rule Mongol 2002 2006 - Mar lastSat 2:00 1:00 S +Rule Mongol 2015 max - Mar lastSat 2:00 1:00 S +Rule Mongol 2015 max - Sep lastSat 0:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] # Hovd, a.k.a. Chovd, Dund-Us, Dzhargalant, Khovd, Jirgalanta 
@@ -2365,13 +2374,19 @@ # official source...: # http://www.palestinecabinet.gov.ps/ar/Views/ViewDetails.aspx?pid=1252 -# From Paul Eggert (2013-09-24): -# For future dates, guess the last Thursday in March at 24:00 through -# the first Friday on or after September 21 at 00:00. This is consistent with -# the predictions in today's editions of the following URLs, -# which are for Gaza and Hebron respectively: -# http://www.timeanddate.com/worldclock/timezone.html?n=702 -# http://www.timeanddate.com/worldclock/timezone.html?n=2364 +# From Steffen Thorsen (2015-03-03): +# Sources such as http://www.alquds.com/news/article/view/id/548257 +# and http://www.raya.ps/ar/news/890705.html say Palestine areas will +# start DST on 2015-03-28 00:00 which is one day later than expected. +# +# From Paul Eggert (2015-03-03): +# http://www.timeanddate.com/time/change/west-bank/ramallah?year=2014 +# says that the fall 2014 transition was Oct 23 at 24:00. +# For future dates, guess the last Friday in March at 24:00 through +# the first Friday on or after October 21 at 00:00. This is consistent with +# the predictions in today's editions of the following URLs: +# http://www.timeanddate.com/time/change/gaza-strip/gaza +# http://www.timeanddate.com/time/change/west-bank/hebron # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S Rule EgyptAsia 1957 only - May 10 0:00 1:00 S @@ -2397,9 +2412,11 @@ Rule Palestine 2011 only - Aug 1 0:00 0 - Rule Palestine 2011 only - Aug 30 0:00 1:00 S Rule Palestine 2011 only - Sep 30 0:00 0 - -Rule Palestine 2012 max - Mar lastThu 24:00 1:00 S +Rule Palestine 2012 2014 - Mar lastThu 24:00 1:00 S Rule Palestine 2012 only - Sep 21 1:00 0 - -Rule Palestine 2013 max - Sep Fri>=21 0:00 0 - +Rule Palestine 2013 only - Sep Fri>=21 0:00 0 - +Rule Palestine 2014 max - Oct Fri>=21 0:00 0 - +Rule Palestine 2015 max - Mar lastFri 24:00 1:00 S # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
--- a/make/data/tzdata/australasia Wed Apr 15 10:57:23 2015 -0700 +++ b/make/data/tzdata/australasia Wed Apr 15 11:27:59 2015 -0700 @@ -396,6 +396,7 @@ 9:39:00 - LMT 1901 # Agana 10:00 - GST 2000 Dec 23 # Guam 10:00 - ChST # Chamorro Standard Time +Link Pacific/Guam Pacific/Saipan # N Mariana Is # Kiribati # Zone NAME GMTOFF RULES FORMAT [UNTIL] @@ -411,12 +412,7 @@ 14:00 - LINT # N Mariana Is -# Zone NAME GMTOFF RULES FORMAT [UNTIL] -Zone Pacific/Saipan -14:17:00 - LMT 1844 Dec 31 - 9:43:00 - LMT 1901 - 9:00 - MPT 1969 Oct # N Mariana Is Time - 10:00 - MPT 2000 Dec 23 - 10:00 - ChST # Chamorro Standard Time +# See Pacific/Guam. # Marshall Is # Zone NAME GMTOFF RULES FORMAT [UNTIL] @@ -586,6 +582,7 @@ -11:00 - NST 1967 Apr # N=Nome -11:00 - BST 1983 Nov 30 # B=Bering -11:00 - SST # S=Samoa +Link Pacific/Pago_Pago Pacific/Midway # in US minor outlying islands # Samoa (formerly and also known as Western Samoa) @@ -767,23 +764,7 @@ # uninhabited # Midway -# -# From Mark Brader (2005-01-23): -# [Fallacies and Fantasies of Air Transport History, by R.E.G. Davies, -# published 1994 by Paladwr Press, McLean, VA, USA; ISBN 0-9626483-5-3] -# reproduced a Pan American Airways timetable from 1936, for their weekly -# "Orient Express" flights between San Francisco and Manila, and connecting -# flights to Chicago and the US East Coast. As it uses some time zone -# designations that I've never seen before:.... -# Fri. 6:30A Lv. HONOLOLU (Pearl Harbor), H.I. H.L.T. Ar. 5:30P Sun. -# " 3:00P Ar. MIDWAY ISLAND . . . . . . . . . M.L.T. Lv. 6:00A " -# -Zone Pacific/Midway -11:49:28 - LMT 1901 - -11:00 - NST 1956 Jun 3 - -11:00 1:00 NDT 1956 Sep 2 - -11:00 - NST 1967 Apr # N=Nome - -11:00 - BST 1983 Nov 30 # B=Bering - -11:00 - SST # S=Samoa +# See Pacific/Pago_Pago. # Palmyra # uninhabited since World War II; was probably like Pacific/Kiritimati
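Review bot: Replacing the Pacific/Saipan and Pacific/Midway Zone blocks with Link lines drops their separate history, for example the removed `9:00 - MPT 1969 Oct` entry for Saipan and the Midway `NDT 1956` period, which the link targets do not necessarily share. Results for timestamps before those dates will change for these IDs, so the release notes for this tzdata2015b import should say so, and any regression test that pins historical offsets for these zones needs updating in the same change.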
--- a/make/data/tzdata/europe Wed Apr 15 10:57:23 2015 -0700 +++ b/make/data/tzdata/europe Wed Apr 15 11:27:59 2015 -0700 @@ -2423,7 +2423,7 @@ 4:00 Russia VOL%sT 1989 Mar 26 2:00s # Volgograd T 3:00 Russia VOL%sT 1991 Mar 31 2:00s 4:00 - VOLT 1992 Mar 29 2:00s - 3:00 Russia MSK 2011 Mar 27 2:00s + 3:00 Russia MSK/MSD 2011 Mar 27 2:00s 4:00 - MSK 2014 Oct 26 2:00s 3:00 - MSK
--- a/make/data/tzdata/northamerica Wed Apr 15 10:57:23 2015 -0700 +++ b/make/data/tzdata/northamerica Wed Apr 15 11:27:59 2015 -0700 @@ -2335,8 +2335,24 @@ # "...the new time zone will come into effect at two o'clock on the first Sunday # of February, when we will have to advance the clock one hour from its current # time..." +# Also, the new zone will not use DST. # -# Also, the new zone will not use DST. +# From Carlos Raúl Perasso (2015-02-02): +# The decree that modifies the Mexican Hour System Law has finally +# been published at the Diario Oficial de la Federación +# http://www.dof.gob.mx/nota_detalle.php?codigo=5380123&fecha=31/01/2015 +# It establishes 5 zones for Mexico: +# 1- Zona Centro (Central Zone): Corresponds to longitude 90 W, +# includes most of Mexico, excluding what's mentioned below. +# 2- Zona Pacífico (Pacific Zone): Longitude 105 W, includes the +# states of Baja California Sur; Chihuahua; Nayarit (excluding Bahía +# de Banderas which lies in Central Zone); Sinaloa and Sonora. +# 3- Zona Noroeste (Northwest Zone): Longitude 120 W, includes the +# state of Baja California. +# 4- Zona Sureste (Southeast Zone): Longitude 75 W, includes the state +# of Quintana Roo. +# 5- The islands, reefs and keys shall take their timezone from the +# longitude they are located at. # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S Rule Mexico 1939 only - Feb 5 0:00 1:00 D @@ -2531,14 +2547,9 @@ ############################################################################### # Anguilla +# Antigua and Barbuda # See America/Port_of_Spain. -# Antigua and Barbuda -# Zone NAME GMTOFF RULES FORMAT [UNTIL] -Zone America/Antigua -4:07:12 - LMT 1912 Mar 2 - -5:00 - EST 1951 - -4:00 - AST - # Bahamas # # For 1899 Milne gives -5:09:29.5; round that. 
@@ -2604,10 +2615,7 @@ -4:00 US A%sT # Cayman Is -# Zone NAME GMTOFF RULES FORMAT [UNTIL] -Zone America/Cayman -5:25:32 - LMT 1890 # Georgetown - -5:07:11 - KMT 1912 Feb # Kingston Mean Time - -5:00 - EST +# See America/Panama. # Costa Rica @@ -3130,6 +3138,7 @@ Zone America/Panama -5:18:08 - LMT 1890 -5:19:36 - CMT 1908 Apr 22 # Colón Mean Time -5:00 - EST +Link America/Panama America/Cayman # Puerto Rico # There are too many San Juans elsewhere, so we'll use 'Puerto_Rico'.
--- a/make/data/tzdata/southamerica Wed Apr 15 10:57:23 2015 -0700 +++ b/make/data/tzdata/southamerica Wed Apr 15 11:27:59 2015 -0700 @@ -1229,10 +1229,13 @@ # DST Start: first Saturday of September 2014 (Sun 07 Sep 2014 04:00 UTC) # http://www.diariooficial.interior.gob.cl//media/2014/02/19/do-20140219.pdf -# From Juan Correa (2015-01-28): -# ... today the Ministry of Energy announced that Chile will drop DST, will keep -# "summer time" (UTC -3 / UTC -5) all year round.... -# http://www.minenergia.cl/ministerio/noticias/generales/ministerio-de-energia-anuncia.html +# From Eduardo Romero Urra (2015-03-03): +# Today has been published officially that Chile will use the DST time +# permanently until March 25 of 2017 +# http://www.diariooficial.interior.gob.cl/media/2015/03/03/1-large.jpg +# +# From Paul Eggert (2015-03-03): +# For now, assume that the extension will persist indefinitely. # NOTE: ChileAQ rules for Antarctic bases are stored separately in the # 'antarctica' file. @@ -1291,7 +1294,7 @@ -3:00 - CLT Zone Pacific/Easter -7:17:44 - LMT 1890 -7:17:28 - EMT 1932 Sep # Easter Mean Time - -7:00 Chile EAS%sT 1982 Mar 13 3:00u # Easter Time + -7:00 Chile EAS%sT 1982 Mar 14 3:00u # Easter Time -6:00 Chile EAS%sT 2015 Apr 26 3:00u -5:00 - EAST # @@ -1626,6 +1629,7 @@ # These all agree with Trinidad and Tobago since 1970. Link America/Port_of_Spain America/Anguilla +Link America/Port_of_Spain America/Antigua Link America/Port_of_Spain America/Dominica Link America/Port_of_Spain America/Grenada Link America/Port_of_Spain America/Guadeloupe
--- a/src/macosx/bin/java_md_macosx.c Wed Apr 15 10:57:23 2015 -0700 +++ b/src/macosx/bin/java_md_macosx.c Wed Apr 15 11:27:59 2015 -0700 @@ -616,7 +616,11 @@ if (access(libjava, F_OK) == 0) { return JNI_TRUE; } - + /* ensure storage for path + /jre + NULL */ + if ((JLI_StrLen(path) + 4 + 1) > pathsize) { + JLI_TraceLauncher("Insufficient space to store JRE path\n"); + return JNI_FALSE; + } /* Does the app ship a private JRE in <apphome>/jre directory? */ JLI_Snprintf(libjava, sizeof(libjava), "%s/jre/lib/" JAVA_DLL, path); if (access(libjava, F_OK) == 0) {
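Review bot: The new bounds check hard-codes the length of "/jre" as the literal 4 in `(JLI_StrLen(path) + 4 + 1) > pathsize`, and the statement it protects is not in the visible lines; the only write shown after it goes to `libjava` and is already bounded by `sizeof(libjava)`. Derive the length from the string being appended (for example JLI_StrLen("/jre")), keep the check directly above the copy into `path` that it guards, and change "NULL" in the comment to "NUL", since it refers to the terminator byte and not a pointer.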
--- a/src/share/classes/java/net/InetAddress.java Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/classes/java/net/InetAddress.java Wed Apr 15 11:27:59 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1995, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -203,16 +203,33 @@ static transient boolean preferIPv6Address = false; static class InetAddressHolder { + /** + * Reserve the original application specified hostname. + * + * The original hostname is useful for domain-based endpoint + * identification (see RFC 2818 and RFC 6125). If an address + * was created with a raw IP address, a reverse name lookup + * may introduce endpoint identification security issue via + * DNS forging. + * + * Oracle JSSE provider is using this original hostname, via + * sun.misc.JavaNetAccess, for SSL/TLS endpoint identification. + * + * Note: May define a new public method in the future if necessary. + */ + private String originalHostName; InetAddressHolder() {} InetAddressHolder(String hostName, int address, int family) { + this.originalHostName = hostName; this.hostName = hostName; this.address = address; this.family = family; } void init(String hostName, int family) { + this.originalHostName = hostName; this.hostName = hostName; if (family != -1) { this.family = family; @@ -225,6 +242,10 @@ return hostName; } + String getOriginalHostName() { + return originalHostName; + } + /** * Holds a 32-bit IPv4 address. */
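Review bot: In the InetAddressHolder hunk, `init(String hostName, int family)` assigns `originalHostName` unconditionally, so the field only holds the application-specified name if every caller of `init` passes the name the application supplied and never a resolved one. The callers are not in this hunk; state that invariant in the field comment, or set the field only in the constructor and make it final. The no-argument constructor leaves the field null, which `getOriginalHostName()` should document. Nit: "Reserve the original application specified hostname" presumably means "Preserve".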
--- a/src/share/classes/java/net/URLClassLoader.java Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/classes/java/net/URLClassLoader.java Wed Apr 15 11:27:59 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -774,6 +774,10 @@ public URLClassPath getURLClassPath (URLClassLoader u) { return u.ucp; } + + public String getOriginalHostName(InetAddress ia) { + return ia.holder.getOriginalHostName(); + } } ); ClassLoader.registerAsParallelCapable();
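Review bot: The new `getOriginalHostName(InetAddress ia)` accessor dereferences `ia.holder` with no null check, so a null argument surfaces as a NullPointerException inside the shared-secrets bridge instead of at the caller. Either check `ia` here or document in JavaNetAccess that the argument must be non-null. It is also surprising to find an InetAddress accessor implemented in URLClassLoader's static initializer; a short comment explaining that it reuses the existing JavaNetAccess registration would help the next reader.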
--- a/src/share/classes/javax/management/MBeanServerInvocationHandler.java Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/classes/javax/management/MBeanServerInvocationHandler.java Wed Apr 15 11:27:59 2015 -0700 @@ -141,6 +141,12 @@ if (connection == null) { throw new IllegalArgumentException("Null connection"); } + if (Proxy.isProxyClass(connection.getClass())) { + if (MBeanServerInvocationHandler.class.isAssignableFrom( + Proxy.getInvocationHandler(connection).getClass())) { + throw new IllegalArgumentException("Wrapping MBeanServerInvocationHandler"); + } + } if (objectName == null) { throw new IllegalArgumentException("Null object name"); } @@ -418,6 +424,10 @@ new Class<?>[] {Object.class}) && isLocal(proxy, method)) return true; + if (methodName.equals("finalize") + && method.getParameterTypes().length == 0) { + return true; + } return false; } @@ -453,6 +463,9 @@ connection + "[" + objectName + "])"; } else if (methodName.equals("hashCode")) { return objectName.hashCode()+connection.hashCode(); + } else if (methodName.equals("finalize")) { + // ignore the finalizer invocation via proxy + return null; } throw new RuntimeException("Unexpected method name: " + methodName);
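Review bot: In the constructor hunk, `MBeanServerInvocationHandler.class.isAssignableFrom(Proxy.getInvocationHandler(connection).getClass())` is an `instanceof` test written the long way; `Proxy.getInvocationHandler(connection) instanceof MBeanServerInvocationHandler` reads more clearly and is easier to audit. The exception message "Wrapping MBeanServerInvocationHandler" should say what was rejected and why, and the two `finalize` branches added below need a regression test, since `shouldDoLocally` and `doLocally` must stay in step or the call falls through to "Unexpected method name".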
--- a/src/share/classes/sun/misc/JavaNetAccess.java Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/classes/sun/misc/JavaNetAccess.java Wed Apr 15 11:27:59 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,10 +26,17 @@ package sun.misc; import java.net.URLClassLoader; +import java.net.InetAddress; public interface JavaNetAccess { /** * return the URLClassPath belonging to the given loader */ URLClassPath getURLClassPath (URLClassLoader u); + + /** + * Return the original application specified hostname of + * the given InetAddress object. + */ + String getOriginalHostName(InetAddress ia); }
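Review bot: The Javadoc added for `getOriginalHostName(InetAddress ia)` does not state the return contract. The SSLSocketImpl caller in this changeset tests the result for null and for empty, so the interface comment should say that the method returns null (or an empty string) when the address was not created from an application-specified host name.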
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Wed Apr 15 11:27:59 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -159,12 +159,19 @@ ValidatorParams params) throws CertPathValidatorException { + // check if anchor is untrusted + UntrustedChecker untrustedChecker = new UntrustedChecker(); + X509Certificate anchorCert = anchor.getTrustedCert(); + if (anchorCert != null) { + untrustedChecker.check(anchorCert); + } + int certPathLen = params.certificates().size(); // create PKIXCertPathCheckers List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>(); // add standard checkers that we will be using - certPathCheckers.add(new UntrustedChecker()); + certPathCheckers.add(untrustedChecker); certPathCheckers.add(new AlgorithmChecker(anchor)); certPathCheckers.add(new KeyChecker(certPathLen, params.targetCertConstraints()));
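Review bot: The new anchor check runs only when `anchor.getTrustedCert()` is non-null, so a trust anchor supplied without a certificate is not covered by `untrustedChecker.check(anchorCert)`. Say so in the "check if anchor is untrusted" comment so the limit of the check is explicit. The same `UntrustedChecker` instance is then added to `certPathCheckers`; add a test that validates a path whose anchor certificate is on the untrusted list to confirm that reuse behaves as intended.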
--- a/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java Wed Apr 15 11:27:59 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -34,9 +34,9 @@ import java.security.Key; import java.util.Set; -import java.util.HashSet; import sun.security.util.DisabledAlgorithmConstraints; +import static sun.security.util.DisabledAlgorithmConstraints.*; import sun.security.ssl.CipherSuite.*; /** @@ -46,10 +46,15 @@ * for the syntax of the disabled algorithm string. */ final class SSLAlgorithmConstraints implements AlgorithmConstraints { + private final static AlgorithmConstraints tlsDisabledAlgConstraints = - new TLSDisabledAlgConstraints(); + new DisabledAlgorithmConstraints(PROPERTY_TLS_DISABLED_ALGS, + new SSLAlgorithmDecomposer()); + private final static AlgorithmConstraints x509DisabledAlgConstraints = - new X509DisabledAlgConstraints(); + new DisabledAlgorithmConstraints(PROPERTY_CERTPATH_DISABLED_ALGS, + new SSLAlgorithmDecomposer(true)); + private AlgorithmConstraints userAlgConstraints = null; private AlgorithmConstraints peerAlgConstraints = null; 
@@ -267,217 +272,4 @@ } } - static private class BasicDisabledAlgConstraints - extends DisabledAlgorithmConstraints { - BasicDisabledAlgConstraints(String propertyName) { - super(propertyName); - } - - protected Set<String> decomposes(KeyExchange keyExchange, - boolean forCertPathOnly) { - Set<String> components = new HashSet<>(); - switch (keyExchange) { - case K_NULL: - if (!forCertPathOnly) { - components.add("NULL"); - } - break; - case K_RSA: - components.add("RSA"); - break; - case K_RSA_EXPORT: - components.add("RSA"); - components.add("RSA_EXPORT"); - break; - case K_DH_RSA: - components.add("RSA"); - components.add("DH"); - components.add("DiffieHellman"); - components.add("DH_RSA"); - break; - case K_DH_DSS: - components.add("DSA"); - components.add("DSS"); - components.add("DH"); - components.add("DiffieHellman"); - components.add("DH_DSS"); - break; - case K_DHE_DSS: - components.add("DSA"); - components.add("DSS"); - components.add("DH"); - components.add("DHE"); - components.add("DiffieHellman"); - components.add("DHE_DSS"); - break; - case K_DHE_RSA: - components.add("RSA"); - components.add("DH"); - components.add("DHE"); - components.add("DiffieHellman"); - components.add("DHE_RSA"); - break; - case K_DH_ANON: - if (!forCertPathOnly) { - components.add("ANON"); - components.add("DH"); - components.add("DiffieHellman"); - components.add("DH_ANON"); - } - break; - case K_ECDH_ECDSA: - components.add("ECDH"); - components.add("ECDSA"); - components.add("ECDH_ECDSA"); - break; - case K_ECDH_RSA: - components.add("ECDH"); - components.add("RSA"); - components.add("ECDH_RSA"); - break; - case K_ECDHE_ECDSA: - components.add("ECDHE"); - components.add("ECDSA"); - components.add("ECDHE_ECDSA"); - break; - case K_ECDHE_RSA: - components.add("ECDHE"); - components.add("RSA"); - components.add("ECDHE_RSA"); - break; - case K_ECDH_ANON: - if (!forCertPathOnly) { - components.add("ECDH"); - components.add("ANON"); - components.add("ECDH_ANON"); - } - break; - 
case K_KRB5: - if (!forCertPathOnly) { - components.add("KRB5"); - } - break; - case K_KRB5_EXPORT: - if (!forCertPathOnly) { - components.add("KRB5_EXPORT"); - } - break; - default: - // ignore - } - - return components; - } - - protected Set<String> decomposes(BulkCipher bulkCipher) { - Set<String> components = new HashSet<>(); - - if (bulkCipher.transformation != null) { - components.addAll(super.decomposes(bulkCipher.transformation)); - } - - return components; - } - - protected Set<String> decomposes(MacAlg macAlg) { - Set<String> components = new HashSet<>(); - - if (macAlg == CipherSuite.M_MD5) { - components.add("MD5"); - components.add("HmacMD5"); - } else if (macAlg == CipherSuite.M_SHA) { - components.add("SHA1"); - components.add("SHA-1"); - components.add("HmacSHA1"); - } else if (macAlg == CipherSuite.M_SHA256) { - components.add("SHA256"); - components.add("SHA-256"); - components.add("HmacSHA256"); - } else if (macAlg == CipherSuite.M_SHA384) { - components.add("SHA384"); - components.add("SHA-384"); - components.add("HmacSHA384"); - } - - return components; - } - } - - static private class TLSDisabledAlgConstraints - extends BasicDisabledAlgConstraints { - - TLSDisabledAlgConstraints() { - super(DisabledAlgorithmConstraints.PROPERTY_TLS_DISABLED_ALGS); - } - - @Override - protected Set<String> decomposes(String algorithm) { - if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) { - CipherSuite cipherSuite = null; - try { - cipherSuite = CipherSuite.valueOf(algorithm); - } catch (IllegalArgumentException iae) { - // ignore: unknown or unsupported ciphersuite - } - - if (cipherSuite != null) { - Set<String> components = new HashSet<>(); - - if(cipherSuite.keyExchange != null) { - components.addAll( - decomposes(cipherSuite.keyExchange, false)); - } - - if (cipherSuite.cipher != null) { - components.addAll(decomposes(cipherSuite.cipher)); - } - - if (cipherSuite.macAlg != null) { - components.addAll(decomposes(cipherSuite.macAlg)); - } - 
- return components; - } - } - - return super.decomposes(algorithm); - } - } - - static private class X509DisabledAlgConstraints - extends BasicDisabledAlgConstraints { - - X509DisabledAlgConstraints() { - super(DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS); - } - - @Override - protected Set<String> decomposes(String algorithm) { - if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) { - CipherSuite cipherSuite = null; - try { - cipherSuite = CipherSuite.valueOf(algorithm); - } catch (IllegalArgumentException iae) { - // ignore: unknown or unsupported ciphersuite - } - - if (cipherSuite != null) { - Set<String> components = new HashSet<>(); - - if(cipherSuite.keyExchange != null) { - components.addAll( - decomposes(cipherSuite.keyExchange, true)); - } - - // Certification path algorithm constraints do not apply - // to cipherSuite.cipher and cipherSuite.macAlg. - - return components; - } - } - - return super.decomposes(algorithm); - } - } } -
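Review bot: The wildcard `import static sun.security.util.DisabledAlgorithmConstraints.*;` is added only to reach `PROPERTY_TLS_DISABLED_ALGS` and `PROPERTY_CERTPATH_DISABLED_ALGS`; import those two constants explicitly so that later additions to DisabledAlgorithmConstraints cannot silently shadow names in this file. With the three nested constraint classes removed, the class comment that points to the disabled-algorithm syntax should also mention that decomposition now lives in SSLAlgorithmDecomposer.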
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/share/classes/sun/security/ssl/SSLAlgorithmDecomposer.java Wed Apr 15 11:27:59 2015 -0700 
@@ -0,0 +1,251 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.ssl; + +import java.util.HashSet; +import java.util.Set; +import sun.security.util.AlgorithmDecomposer; +import static sun.security.ssl.CipherSuite.*; +import static sun.security.ssl.CipherSuite.KeyExchange.*; + +/** + * The class decomposes standard SSL/TLS cipher suites into sub-elements. 
+ */ +class SSLAlgorithmDecomposer extends AlgorithmDecomposer { + + // indicates that only certification path algorithms need to be used + private final boolean onlyX509; + + SSLAlgorithmDecomposer(boolean onlyX509) { + this.onlyX509 = onlyX509; + } + + SSLAlgorithmDecomposer() { + this(false); + } + + private Set<String> decomposes(CipherSuite.KeyExchange keyExchange) { + Set<String> components = new HashSet<>(); + switch (keyExchange) { + case K_NULL: + if (!onlyX509) { + components.add("K_NULL"); + } + break; + case K_RSA: + components.add("RSA"); + break; + case K_RSA_EXPORT: + components.add("RSA"); + components.add("RSA_EXPORT"); + break; + case K_DH_RSA: + components.add("RSA"); + components.add("DH"); + components.add("DiffieHellman"); + components.add("DH_RSA"); + break; + case K_DH_DSS: + components.add("DSA"); + components.add("DSS"); + components.add("DH"); + components.add("DiffieHellman"); + components.add("DH_DSS"); + break; + case K_DHE_DSS: + components.add("DSA"); + components.add("DSS"); + components.add("DH"); + components.add("DHE"); + components.add("DiffieHellman"); + components.add("DHE_DSS"); + break; + case K_DHE_RSA: + components.add("RSA"); + components.add("DH"); + components.add("DHE"); + components.add("DiffieHellman"); + components.add("DHE_RSA"); + break; + case K_DH_ANON: + if (!onlyX509) { + components.add("ANON"); + components.add("DH"); + components.add("DiffieHellman"); + components.add("DH_ANON"); + } + break; + case K_ECDH_ECDSA: + components.add("ECDH"); + components.add("ECDSA"); + components.add("ECDH_ECDSA"); + break; + case K_ECDH_RSA: + components.add("ECDH"); + components.add("RSA"); + components.add("ECDH_RSA"); + break; + case K_ECDHE_ECDSA: + components.add("ECDHE"); + components.add("ECDSA"); + components.add("ECDHE_ECDSA"); + break; + case K_ECDHE_RSA: + components.add("ECDHE"); + components.add("RSA"); + components.add("ECDHE_RSA"); + break; + case K_ECDH_ANON: + if (!onlyX509) { + components.add("ECDH"); + 
components.add("ANON"); + components.add("ECDH_ANON"); + } + break; + case K_KRB5: + if (!onlyX509) { + components.add("KRB5"); + } + break; + case K_KRB5_EXPORT: + if (!onlyX509) { + components.add("KRB5_EXPORT"); + } + break; + default: + // ignore + } + + return components; + } + + private Set<String> decomposes(CipherSuite.BulkCipher bulkCipher) { + Set<String> components = new HashSet<>(); + + if (bulkCipher.transformation != null) { + components.addAll(super.decompose(bulkCipher.transformation)); + } + + if (bulkCipher == B_NULL) { + components.add("C_NULL"); + } else if (bulkCipher == B_RC2_40) { + components.add("RC2_CBC_40"); + } else if (bulkCipher == B_RC4_40) { + components.add("RC4_40"); + } else if (bulkCipher == B_RC4_128) { + components.add("RC4_128"); + } else if (bulkCipher == B_DES_40) { + components.add("DES40_CBC"); + components.add("DES_CBC_40"); + } else if (bulkCipher == B_DES) { + components.add("DES_CBC"); + } else if (bulkCipher == B_3DES) { + components.add("3DES_EDE_CBC"); + } else if (bulkCipher == B_AES_128) { + components.add("AES_128_CBC"); + } else if (bulkCipher == B_AES_256) { + components.add("AES_256_CBC"); + } else if (bulkCipher == B_AES_128_GCM) { + components.add("AES_128_GCM"); + } else if (bulkCipher == B_AES_256_GCM) { + components.add("AES_256_GCM"); + } + + return components; + } + + private Set<String> decomposes(CipherSuite.MacAlg macAlg, + BulkCipher cipher) { + Set<String> components = new HashSet<>(); + + if (macAlg == M_NULL + && cipher.cipherType != CipherType.AEAD_CIPHER) { + components.add("M_NULL"); + } else if (macAlg == M_MD5) { + components.add("MD5"); + components.add("HmacMD5"); + } else if (macAlg == M_SHA) { + components.add("SHA1"); + components.add("SHA-1"); + components.add("HmacSHA1"); + } else if (macAlg == M_SHA256) { + components.add("SHA256"); + components.add("SHA-256"); + components.add("HmacSHA256"); + } else if (macAlg == M_SHA384) { + components.add("SHA384"); + components.add("SHA-384"); 
+ components.add("HmacSHA384"); + } + + return components; + } + + private Set<String> decompose(KeyExchange keyExchange, BulkCipher cipher, + MacAlg macAlg) { + Set<String> components = new HashSet<>(); + + if (keyExchange != null) { + components.addAll(decomposes(keyExchange)); + } + + if (onlyX509) { + // Certification path algorithm constraints do not apply + // to cipher and macAlg. + return components; + } + + if (cipher != null) { + components.addAll(decomposes(cipher)); + } + + if (macAlg != null) { + components.addAll(decomposes(macAlg, cipher)); + } + + return components; + } + + @Override + public Set<String> decompose(String algorithm) { + if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) { + CipherSuite cipherSuite = null; + try { + cipherSuite = CipherSuite.valueOf(algorithm); + } catch (IllegalArgumentException iae) { + // ignore: unknown or unsupported ciphersuite + } + + if (cipherSuite != null) { + return decompose(cipherSuite.keyExchange, cipherSuite.cipher, + cipherSuite.macAlg); + } + } + + return super.decompose(algorithm); + } + +}
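Review bot: In the new `decompose(KeyExchange, BulkCipher, MacAlg)`, `cipher` is null-checked before `decomposes(cipher)` but is then passed unchecked to `decomposes(macAlg, cipher)`, which evaluates `cipher.cipherType` when `macAlg == M_NULL`; a null cipher with a null MAC would throw there. Guard that call on `cipher != null` or drop the earlier null check if null is impossible. Separately, the K_NULL case now adds "K_NULL" where the removed BasicDisabledAlgConstraints code added "NULL", which changes which disabled-algorithm property entries match these suites and needs a note in the property documentation. The mix of `decomposes` and `decompose` method names is also easy to misread.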
--- a/src/share/classes/sun/security/ssl/SSLSocketImpl.java Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/classes/sun/security/ssl/SSLSocketImpl.java Wed Apr 15 11:27:59 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,6 +40,9 @@ import javax.crypto.BadPaddingException; import javax.net.ssl.*; +import sun.misc.JavaNetAccess; +import sun.misc.SharedSecrets; + /** * Implementation of an SSL socket. This is a normal connection type * socket, implementing SSL over some lower level socket, such as TCP. @@ -389,6 +392,15 @@ */ private boolean preferLocalCipherSuites = false; + /* + * Is the local name service trustworthy? + * + * If the local name service is not trustworthy, reverse host name + * resolution should not be performed for endpoint identification. + */ + static final boolean trustNameService = + Debug.getBooleanProperty("jdk.tls.trustNameService", false); + // // CONSTRUCTORS AND INITIALIZATION CODE // 
@@ -2149,11 +2161,41 @@ synchronized String getHost() { // Note that the host may be null or empty for localhost. if (host == null || host.length() == 0) { - host = getInetAddress().getHostName(); + if (!trustNameService) { + // If the local name service is not trustworthy, reverse host + // name resolution should not be performed for endpoint + // identification. Use the application original specified + // hostname or IP address instead. + host = getOriginalHostname(getInetAddress()); + } else { + host = getInetAddress().getHostName(); + } } + return host; } + /* + * Get the original application specified hostname. + */ + private static String getOriginalHostname(InetAddress inetAddress) { + /* + * Get the original hostname via sun.misc.SharedSecrets. + */ + JavaNetAccess jna = SharedSecrets.getJavaNetAccess(); + String originalHostname = jna.getOriginalHostName(inetAddress); + + /* + * If no application specified hostname, use the IP address. + */ + if (originalHostname == null || originalHostname.length() == 0) { + originalHostname = inetAddress.getHostAddress(); + } + + return originalHostname; + } + + // ONLY used by HttpsClient to setup the URI specified hostname // // Please NOTE that this method MUST be called before calling to
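Review bot: The new `jdk.tls.trustNameService` property defaults to false, which changes what `getHost()` returns for sockets created from a raw address: the IP literal from `getHostAddress()` instead of a reverse-resolved name. Document the property and this behaviour change where the other `jdk.tls.*` properties are described, since endpoint identification will now compare against the IP address in that case. Naming nit: the private helper is `getOriginalHostname` while the JavaNetAccess method is `getOriginalHostName`; use one spelling. The hunk also leaves two consecutive blank lines after the helper.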
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java Wed Apr 15 11:27:59 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -41,6 +41,7 @@ import javax.security.auth.Subject; import sun.security.util.KeyUtil; +import sun.security.util.LegacyAlgorithmConstraints; import sun.security.action.GetPropertyAction; import sun.security.ssl.HandshakeMessage.*; import sun.security.ssl.CipherSuite.*; @@ -106,6 +107,12 @@ // The customized ephemeral DH key size for non-exportable cipher suites. private static final int customizedDHKeySize; + // legacy algorithm constraints + private static final AlgorithmConstraints legacyAlgorithmConstraints = + new LegacyAlgorithmConstraints( + LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS, + new SSLAlgorithmDecomposer()); + static { String property = AccessController.doPrivileged( new GetPropertyAction("jdk.tls.ephemeralDHKeySize")); @@ -995,6 +1002,7 @@ proposed = getActiveCipherSuites(); } + List<CipherSuite> legacySuites = new ArrayList<>(); for (CipherSuite suite : prefered.collection()) { if (isNegotiable(proposed, suite) == false) { continue; @@ -1006,11 +1014,24 @@ continue; } } + + if (!legacyAlgorithmConstraints.permits(null, suite.name, null)) { + legacySuites.add(suite); + continue; + } + if (trySetCipherSuite(suite) == false) { continue; } return; } + + for (CipherSuite suite : legacySuites) { + if (trySetCipherSuite(suite)) { + return; + } + } + fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common"); }
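Review bot: The fallback loop `for (CipherSuite suite : legacySuites)` in the last hunk selects a legacy suite without leaving any trace, so debug output cannot show that a handshake ended on an algorithm listed in `jdk.tls.legacyAlgorithms`. Emit a debug message when `trySetCipherSuite(suite)` succeeds inside that loop. Separately, `legacyAlgorithmConstraints.permits(null, suite.name, null)` passes null primitives; that is safe only because `LegacyAlgorithmConstraints.permits` ignores the argument, while `DisabledAlgorithmConstraints.permits` throws on null or empty primitives, so a comment at the call site would stop the two constraint types from being swapped later.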
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/share/classes/sun/security/util/AbstractAlgorithmConstraints.java Wed Apr 15 11:27:59 2015 -0700 
@@ -0,0 +1,119 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.util; + +import java.security.AccessController; +import java.security.AlgorithmConstraints; +import java.security.PrivilegedAction; +import java.security.Security; +import java.util.Map; +import java.util.Set; + +/** + * The class contains common functionality for algorithm constraints classes. + */ +public abstract class AbstractAlgorithmConstraints + implements AlgorithmConstraints { + + protected final AlgorithmDecomposer decomposer; + + protected AbstractAlgorithmConstraints(AlgorithmDecomposer decomposer) { + this.decomposer = decomposer; + } + + // Get algorithm constraints from the specified security property. 
+ private static void loadAlgorithmsMap(Map<String, String[]> algorithmsMap, + String propertyName) { + String property = AccessController.doPrivileged( + (PrivilegedAction<String>) () -> Security.getProperty( + propertyName)); + + String[] algorithmsInProperty = null; + if (property != null && !property.isEmpty()) { + // remove double quote marks from beginning/end of the property + if (property.charAt(0) == '"' + && property.charAt(property.length() - 1) == '"') { + property = property.substring(1, property.length() - 1); + } + algorithmsInProperty = property.split(","); + for (int i = 0; i < algorithmsInProperty.length; + i++) { + algorithmsInProperty[i] = algorithmsInProperty[i].trim(); + } + } + + // map the disabled algorithms + if (algorithmsInProperty == null) { + algorithmsInProperty = new String[0]; + } + algorithmsMap.put(propertyName, algorithmsInProperty); + } + + static String[] getAlgorithms(Map<String, String[]> algorithmsMap, + String propertyName) { + synchronized (algorithmsMap) { + if (!algorithmsMap.containsKey(propertyName)) { + loadAlgorithmsMap(algorithmsMap, propertyName); + } + + return algorithmsMap.get(propertyName); + } + } + + static boolean checkAlgorithm(String[] algorithms, String algorithm, + AlgorithmDecomposer decomposer) { + if (algorithm == null || algorithm.length() == 0) { + throw new IllegalArgumentException("No algorithm name specified"); + } + + Set<String> elements = null; + for (String item : algorithms) { + if (item == null || item.isEmpty()) { + continue; + } + + // check the full name + if (item.equalsIgnoreCase(algorithm)) { + return false; + } + + // decompose the algorithm into sub-elements + if (elements == null) { + elements = decomposer.decompose(algorithm); + } + + // check the items of the algorithm + for (String element : elements) { + if (item.equalsIgnoreCase(element)) { + return false; + } + } + } + + return true; + } + +}
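Review bot: The quote-stripping test in `loadAlgorithmsMap` does not check the length, so a property value consisting of a single `"` satisfies both `charAt(0) == '"'` and `charAt(property.length() - 1) == '"'` and then `property.substring(1, property.length() - 1)` is called as `substring(1, 0)`, which throws. Add `property.length() >= 2` to the condition. Also, `getAlgorithms` returns the cached `String[]` itself, so every constraints instance built for the same property shares one mutable array; return a copy or document that callers must not modify it. `checkAlgorithm` has no comment saying that `false` means "the name or one of its decomposed elements is in the list", which matters now that two subclasses with different meanings call it.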
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/share/classes/sun/security/util/AlgorithmDecomposer.java Wed Apr 15 11:27:59 2015 -0700 
@@ -0,0 +1,130 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.util; + +import java.util.HashSet; +import java.util.Set; +import java.util.regex.Pattern; + +/** + * The class decomposes standard algorithms into sub-elements. + */ +public class AlgorithmDecomposer { + + private static final Pattern transPattern = Pattern.compile("/"); + private static final Pattern pattern = + Pattern.compile("with|and", Pattern.CASE_INSENSITIVE); + + /** + * Decompose the standard algorithm name into sub-elements. + * <p> + * For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA" + * so that we can check the "SHA1" and "RSA" algorithm constraints + * separately. + * <p> + * Please override the method if need to support more name pattern. 
+ */ + public Set<String> decompose(String algorithm) { + if (algorithm == null || algorithm.length() == 0) { + return new HashSet<>(); + } + + // algorithm/mode/padding + String[] transTockens = transPattern.split(algorithm); + + Set<String> elements = new HashSet<>(); + for (String transTocken : transTockens) { + if (transTocken == null || transTocken.length() == 0) { + continue; + } + + // PBEWith<digest>And<encryption> + // PBEWith<prf>And<encryption> + // OAEPWith<digest>And<mgf>Padding + // <digest>with<encryption> + // <digest>with<encryption>and<mgf> + String[] tokens = pattern.split(transTocken); + + for (String token : tokens) { + if (token == null || token.length() == 0) { + continue; + } + + elements.add(token); + } + } + + // In Java standard algorithm name specification, for different + // purpose, the SHA-1 and SHA-2 algorithm names are different. For + // example, for MessageDigest, the standard name is "SHA-256", while + // for Signature, the digest algorithm component is "SHA256" for + // signature algorithm "SHA256withRSA". So we need to check both + // "SHA-256" and "SHA256" to make the right constraint checking. 
+ + // handle special name: SHA-1 and SHA1 + if (elements.contains("SHA1") && !elements.contains("SHA-1")) { + elements.add("SHA-1"); + } + if (elements.contains("SHA-1") && !elements.contains("SHA1")) { + elements.add("SHA1"); + } + + // handle special name: SHA-224 and SHA224 + if (elements.contains("SHA224") && !elements.contains("SHA-224")) { + elements.add("SHA-224"); + } + if (elements.contains("SHA-224") && !elements.contains("SHA224")) { + elements.add("SHA224"); + } + + // handle special name: SHA-256 and SHA256 + if (elements.contains("SHA256") && !elements.contains("SHA-256")) { + elements.add("SHA-256"); + } + if (elements.contains("SHA-256") && !elements.contains("SHA256")) { + elements.add("SHA256"); + } + + // handle special name: SHA-384 and SHA384 + if (elements.contains("SHA384") && !elements.contains("SHA-384")) { + elements.add("SHA-384"); + } + if (elements.contains("SHA-384") && !elements.contains("SHA384")) { + elements.add("SHA384"); + } + + // handle special name: SHA-512 and SHA512 + if (elements.contains("SHA512") && !elements.contains("SHA-512")) { + elements.add("SHA-512"); + } + if (elements.contains("SHA-512") && !elements.contains("SHA512")) { + elements.add("SHA512"); + } + + return elements; + } + +}
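Review bot: The split pattern `Pattern.compile("with|and", Pattern.CASE_INSENSITIVE)` in `decompose` matches those letters anywhere in a token, not only at the `With` and `And` separators shown in the comment, so any algorithm name that contains "and" or "with" inside a component is cut at that point. Since the code is being moved into its own class, state this limitation in the javadoc or tighten the pattern. Style: the five SHA alias blocks differ only in the digest size and would read better as one loop over the name pairs, and `transTockens`/`transTocken` should be spelled `transTokens`/`transToken`.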
--- a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java Wed Apr 15 11:27:59 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,15 +25,9 @@ package sun.security.util; -import java.security.AlgorithmConstraints; import java.security.CryptoPrimitive; import java.security.AlgorithmParameters; - import java.security.Key; -import java.security.Security; -import java.security.PrivilegedAction; -import java.security.AccessController; - import java.util.Locale; import java.util.Set; import java.util.Collections; @@ -49,7 +43,7 @@ * See the "jdk.certpath.disabledAlgorithms" specification in java.security * for the syntax of the disabled algorithm string. */ -public class DisabledAlgorithmConstraints implements AlgorithmConstraints { +public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { // the known security property, jdk.certpath.disabledAlgorithms public final static String PROPERTY_CERTPATH_DISABLED_ALGS = @@ -64,8 +58,8 @@ private final static Map<String, KeySizeConstraints> keySizeConstraintsMap = new HashMap<>(); - private String[] disabledAlgorithms; - private KeySizeConstraints keySizeConstraints; + private final String[] disabledAlgorithms; + private final KeySizeConstraints keySizeConstraints; /** * Initialize algorithm constraints with the specified security property. 
@@ -74,56 +68,27 @@ * algorithm constraints */ public DisabledAlgorithmConstraints(String propertyName) { - // Both disabledAlgorithmsMap and keySizeConstraintsMap are - // synchronized with the lock of disabledAlgorithmsMap. - synchronized (disabledAlgorithmsMap) { - if(!disabledAlgorithmsMap.containsKey(propertyName)) { - loadDisabledAlgorithmsMap(propertyName); - } + this(propertyName, new AlgorithmDecomposer()); + } - disabledAlgorithms = disabledAlgorithmsMap.get(propertyName); - keySizeConstraints = keySizeConstraintsMap.get(propertyName); - } + public DisabledAlgorithmConstraints(String propertyName, + AlgorithmDecomposer decomposer) { + super(decomposer); + disabledAlgorithms = getAlgorithms(disabledAlgorithmsMap, propertyName); + keySizeConstraints = getKeySizeConstraints(disabledAlgorithms, + propertyName); } @Override final public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, AlgorithmParameters parameters) { - if (algorithm == null || algorithm.length() == 0) { - throw new IllegalArgumentException("No algorithm name specified"); - } - if (primitives == null || primitives.isEmpty()) { throw new IllegalArgumentException( "No cryptographic primitive specified"); } - Set<String> elements = null; - for (String disabled : disabledAlgorithms) { - if (disabled == null || disabled.isEmpty()) { - continue; - } - - // check the full name - if (disabled.equalsIgnoreCase(algorithm)) { - return false; - } - - // decompose the algorithm into sub-elements - if (elements == null) { - elements = decomposes(algorithm); - } - - // check the items of the algorithm - for (String element : elements) { - if (disabled.equalsIgnoreCase(element)) { - return false; - } - } - } - - return true; + return checkAlgorithm(disabledAlgorithms, algorithm, decomposer); } @Override 
@@ -142,98 +107,6 @@ return checkConstraints(primitives, algorithm, key, parameters); } - /** - * Decompose the standard algorithm name into sub-elements. - * <p> - * For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA" - * so that we can check the "SHA1" and "RSA" algorithm constraints - * separately. - * <p> - * Please override the method if need to support more name pattern. - */ - protected Set<String> decomposes(String algorithm) { - if (algorithm == null || algorithm.length() == 0) { - return new HashSet<String>(); - } - - // algorithm/mode/padding - Pattern transPattern = Pattern.compile("/"); - String[] transTockens = transPattern.split(algorithm); - - Set<String> elements = new HashSet<String>(); - for (String transTocken : transTockens) { - if (transTocken == null || transTocken.length() == 0) { - continue; - } - - // PBEWith<digest>And<encryption> - // PBEWith<prf>And<encryption> - // OAEPWith<digest>And<mgf>Padding - // <digest>with<encryption> - // <digest>with<encryption>and<mgf> - Pattern pattern = - Pattern.compile("with|and", Pattern.CASE_INSENSITIVE); - String[] tokens = pattern.split(transTocken); - - for (String token : tokens) { - if (token == null || token.length() == 0) { - continue; - } - - elements.add(token); - } - } - - // In Java standard algorithm name specification, for different - // purpose, the SHA-1 and SHA-2 algorithm names are different. For - // example, for MessageDigest, the standard name is "SHA-256", while - // for Signature, the digest algorithm component is "SHA256" for - // signature algorithm "SHA256withRSA". So we need to check both - // "SHA-256" and "SHA256" to make the right constraint checking. 
- - // handle special name: SHA-1 and SHA1 - if (elements.contains("SHA1") && !elements.contains("SHA-1")) { - elements.add("SHA-1"); - } - if (elements.contains("SHA-1") && !elements.contains("SHA1")) { - elements.add("SHA1"); - } - - // handle special name: SHA-224 and SHA224 - if (elements.contains("SHA224") && !elements.contains("SHA-224")) { - elements.add("SHA-224"); - } - if (elements.contains("SHA-224") && !elements.contains("SHA224")) { - elements.add("SHA224"); - } - - // handle special name: SHA-256 and SHA256 - if (elements.contains("SHA256") && !elements.contains("SHA-256")) { - elements.add("SHA-256"); - } - if (elements.contains("SHA-256") && !elements.contains("SHA256")) { - elements.add("SHA256"); - } - - // handle special name: SHA-384 and SHA384 - if (elements.contains("SHA384") && !elements.contains("SHA-384")) { - elements.add("SHA-384"); - } - if (elements.contains("SHA-384") && !elements.contains("SHA384")) { - elements.add("SHA384"); - } - - // handle special name: SHA-512 and SHA512 - if (elements.contains("SHA512") && !elements.contains("SHA-512")) { - elements.add("SHA-512"); - } - if (elements.contains("SHA-512") && !elements.contains("SHA512")) { - elements.add("SHA512"); - } - - return elements; - } - // Check algorithm constraints private boolean checkConstraints(Set<CryptoPrimitive> primitives, String algorithm, Key key, AlgorithmParameters parameters) { 
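Review bot: This hunk removes `protected Set<String> decomposes(String algorithm)`, whose javadoc told subclasses to "override the method if need to support more name pattern", and nothing in the change mentions the replacement. Because `permits` is `final` and now calls `checkAlgorithm(disabledAlgorithms, algorithm, decomposer)`, an existing subclass that overrides `decomposes` will compile against a method that is no longer consulted, or fail to compile if it used `@Override`. Add a note to the class javadoc pointing such subclasses at the new `DisabledAlgorithmConstraints(String, AlgorithmDecomposer)` constructor.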
@@ -263,43 +136,18 @@ return true; } - // Get disabled algorithm constraints from the specified security property. - private static void loadDisabledAlgorithmsMap( - final String propertyName) { - - String property = AccessController.doPrivileged( - new PrivilegedAction<String>() { - public String run() { - return Security.getProperty(propertyName); - } - }); - - String[] algorithmsInProperty = null; - - if (property != null && !property.isEmpty()) { - - // remove double quote marks from beginning/end of the property - if (property.charAt(0) == '"' && - property.charAt(property.length() - 1) == '"') { - property = property.substring(1, property.length() - 1); + private static KeySizeConstraints getKeySizeConstraints( + String[] disabledAlgorithms, String propertyName) { + synchronized (keySizeConstraintsMap) { + if(!keySizeConstraintsMap.containsKey(propertyName)) { + // map the key constraints + KeySizeConstraints keySizeConstraints = + new KeySizeConstraints(disabledAlgorithms); + keySizeConstraintsMap.put(propertyName, keySizeConstraints); } - algorithmsInProperty = property.split(","); - for (int i = 0; i < algorithmsInProperty.length; i++) { - algorithmsInProperty[i] = algorithmsInProperty[i].trim(); - } + return keySizeConstraintsMap.get(propertyName); } - - // map the disabled algorithms - if (algorithmsInProperty == null) { - algorithmsInProperty = new String[0]; - } - disabledAlgorithmsMap.put(propertyName, algorithmsInProperty); - - // map the key constraints - KeySizeConstraints keySizeConstraints = - new KeySizeConstraints(algorithmsInProperty); - keySizeConstraintsMap.put(propertyName, keySizeConstraints); } /**
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/share/classes/sun/security/util/LegacyAlgorithmConstraints.java Wed Apr 15 11:27:59 2015 -0700 
@@ -0,0 +1,73 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.util; + +import java.security.AlgorithmParameters; +import java.security.CryptoPrimitive; +import java.security.Key; +import java.util.HashMap; +import java.util.Map; +import java.util.Set; +import static sun.security.util.AbstractAlgorithmConstraints.getAlgorithms; + +/** + * Algorithm constraints for legacy algorithms. 
+ */ +public class LegacyAlgorithmConstraints extends AbstractAlgorithmConstraints { + + // the known security property, jdk.tls.legacyAlgorithms + public final static String PROPERTY_TLS_LEGACY_ALGS = + "jdk.tls.legacyAlgorithms"; + + private final static Map<String, String[]> legacyAlgorithmsMap = + new HashMap<>(); + + private final String[] legacyAlgorithms; + + public LegacyAlgorithmConstraints(String propertyName, + AlgorithmDecomposer decomposer) { + super(decomposer); + legacyAlgorithms = getAlgorithms(legacyAlgorithmsMap, propertyName); + } + + @Override + final public boolean permits(Set<CryptoPrimitive> primitives, + String algorithm, AlgorithmParameters parameters) { + return checkAlgorithm(legacyAlgorithms, algorithm, decomposer); + } + + @Override + final public boolean permits(Set<CryptoPrimitive> primitives, Key key) { + return true; + } + + @Override + final public boolean permits(Set<CryptoPrimitive> primitives, + String algorithm, Key key, AlgorithmParameters parameters) { + return checkAlgorithm(legacyAlgorithms, algorithm, decomposer); + } + +}
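Review bot: The class javadoc "Algorithm constraints for legacy algorithms" does not say that `permits(...)` returning `false` means the algorithm is on the legacy list, which is the opposite of what a reader expects from an `AlgorithmConstraints` used to reject algorithms. Document the return value on both `String`-based `permits` overloads, and say why `permits(Set<CryptoPrimitive> primitives, Key key)` always returns `true`. The `import static sun.security.util.AbstractAlgorithmConstraints.getAlgorithms;` line is unnecessary because the class extends `AbstractAlgorithmConstraints` in the same package.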
--- a/src/share/classes/sun/security/validator/SimpleValidator.java Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/classes/sun/security/validator/SimpleValidator.java Wed Apr 15 11:27:59 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -141,8 +141,18 @@ // create distrusted certificates checker UntrustedChecker untrustedChecker = new UntrustedChecker(); + // check if anchor is untrusted + X509Certificate anchorCert = chain[chain.length - 1]; + try { + untrustedChecker.check(anchorCert); + } catch (CertPathValidatorException cpve) { + throw new ValidatorException( + "Untrusted certificate: "+ anchorCert.getSubjectX500Principal(), + ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve); + } + // create default algorithm constraints checker - TrustAnchor anchor = new TrustAnchor(chain[chain.length - 1], null); + TrustAnchor anchor = new TrustAnchor(anchorCert, null); AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor); // create application level algorithm constraints checker
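Review bot: The comment `// check if anchor is untrusted` in the @@ -141 hunk does not explain why the last chain element needs its own `untrustedChecker.check(anchorCert)` call ahead of the algorithm checkers; say whether the later per-certificate checks skip that element, so the next reader does not remove this block as redundant. Style: `"Untrusted certificate: "+ anchorCert.getSubjectX500Principal()` needs a space before `+`.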
--- a/src/share/classes/sun/util/calendar/ZoneInfoFile.java Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/classes/sun/util/calendar/ZoneInfoFile.java Wed Apr 15 11:27:59 2015 -0700 @@ -625,6 +625,15 @@ params[2] = 5; params[3] = 86400000; } + // Additional check for startDayOfWeek=6 and starTime=86400000 + // is needed for Asia/Amman; Asia/Gasa and Asia/Hebron + if (params[2] == 7 && params[3] == 0 && + (zoneId.equals("Asia/Amman") || + zoneId.equals("Asia/Gaza") || + zoneId.equals("Asia/Hebron"))) { + params[2] = 6; // Friday + params[3] = 86400000; // 24h + } //endDayOfWeek and endTime workaround if (params[7] == 6 && params[8] == 0 && (zoneId.equals("Africa/Cairo"))) {
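Review bot: The added comment does not match the code below it: it describes a check "for startDayOfWeek=6 and starTime=86400000", but the condition tests `params[2] == 7 && params[3] == 0`, and 6 and 86400000 are the values assigned afterwards. Reword it to describe the input being detected and the replacement values, and fix "starTime" to "startTime", "Asia/Gasa" to "Asia/Gaza" (the string compared in the code), and the semicolon after "Asia/Amman" to a comma.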
--- a/src/share/lib/security/java.security-aix Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/lib/security/java.security-aix Wed Apr 15 11:27:59 2015 -0700 
@@ -501,3 +501,60 @@ # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=SSLv3 + +# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) +# processing in JSSE implementation. +# +# In some environments, a certain algorithm may be undesirable but it +# cannot be disabled because of its use in legacy applications. Legacy +# algorithms may still be supported, but applications should not use them +# as the security strength of legacy algorithms are usually not strong enough +# in practice. +# +# During SSL/TLS security parameters negotiation, legacy algorithms will +# not be negotiated unless there are no other candidates. +# +# The syntax of the disabled algorithm string is described as this Java +# BNF-style: +# LegacyAlgorithms: +# " LegacyAlgorithm { , LegacyAlgorithm } " +# +# LegacyAlgorithm: +# AlgorithmName (standard JSSE algorithm name) +# +# See the specification of security property "jdk.certpath.disabledAlgorithms" +# for the syntax and description of the "AlgorithmName" notation. +# +# Per SSL/TLS specifications, cipher suites have the form: +# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg +# or +# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg +# +# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the +# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC +# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest +# algorithm for HMAC. +# +# The LegacyAlgorithm can be one of the following standard algorithm names: +# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA +# 2. JSSE key exchange algorithm name, e.g., RSA +# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC +# 4. JSSE message digest algorithm name, e.g., SHA-1 +# +# See SSL/TLS specifications and "Java Cryptography Architecture Standard +# Algorithm Name Documentation" for information about the algorithm names. 
+# +# Note: This property is currently used by Oracle's JSSE implementation. +# It is not guaranteed to be examined and used by other implementations. +# There is no guarantee the property will continue to exist or be of the +# same syntax in future releases. +# +# Example: +# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5 +# +jdk.tls.legacyAlgorithms= \ + K_NULL, C_NULL, M_NULL, \ + DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \ + DH_RSA_EXPORT, RSA_EXPORT, \ + DH_anon, ECDH_anon, \ + RC4_128, RC4_40, DES_CBC, DES40_CBC
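Review bot: The syntax paragraph in the new block says "The syntax of the disabled algorithm string", carried over from the `jdk.tls.disabledAlgorithms` text above it; it should say "legacy algorithm string". The documented name kinds give `RSA`, `AES_128_CBC` and `SHA-1` as examples, yet the default value starts with `K_NULL, C_NULL, M_NULL`, which none of the four listed kinds explains, so add a line saying what these three names denote. The BNF shows the list wrapped in double quotes while the default value is unquoted; say that the quotes are optional. Grammar: "the security strength of legacy algorithms are" should be "is".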
--- a/src/share/lib/security/java.security-linux Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/lib/security/java.security-linux Wed Apr 15 11:27:59 2015 -0700 
@@ -501,3 +501,60 @@ # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=SSLv3 + +# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) +# processing in JSSE implementation. +# +# In some environments, a certain algorithm may be undesirable but it +# cannot be disabled because of its use in legacy applications. Legacy +# algorithms may still be supported, but applications should not use them +# as the security strength of legacy algorithms are usually not strong enough +# in practice. +# +# During SSL/TLS security parameters negotiation, legacy algorithms will +# not be negotiated unless there are no other candidates. +# +# The syntax of the disabled algorithm string is described as this Java +# BNF-style: +# LegacyAlgorithms: +# " LegacyAlgorithm { , LegacyAlgorithm } " +# +# LegacyAlgorithm: +# AlgorithmName (standard JSSE algorithm name) +# +# See the specification of security property "jdk.certpath.disabledAlgorithms" +# for the syntax and description of the "AlgorithmName" notation. +# +# Per SSL/TLS specifications, cipher suites have the form: +# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg +# or +# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg +# +# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the +# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC +# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest +# algorithm for HMAC. +# +# The LegacyAlgorithm can be one of the following standard algorithm names: +# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA +# 2. JSSE key exchange algorithm name, e.g., RSA +# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC +# 4. JSSE message digest algorithm name, e.g., SHA-1 +# +# See SSL/TLS specifications and "Java Cryptography Architecture Standard +# Algorithm Name Documentation" for information about the algorithm names. 
+# +# Note: This property is currently used by Oracle's JSSE implementation. +# It is not guaranteed to be examined and used by other implementations. +# There is no guarantee the property will continue to exist or be of the +# same syntax in future releases. +# +# Example: +# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5 +# +jdk.tls.legacyAlgorithms= \ + K_NULL, C_NULL, M_NULL, \ + DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \ + DH_RSA_EXPORT, RSA_EXPORT, \ + DH_anon, ECDH_anon, \ + RC4_128, RC4_40, DES_CBC, DES40_CBC
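Review bot: This hunk adds the same comment block and the same `jdk.tls.legacyAlgorithms` default that the java.security-aix hunk adds, and the macosx, solaris and windows files receive it again, so five copies of a security-relevant list now have to be kept in step by hand. Consider a build-time or regression check that the property value is identical across the platform files, so that a later edit to one copy cannot leave a platform negotiating a legacy algorithm at normal priority.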
--- a/src/share/lib/security/java.security-macosx Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/lib/security/java.security-macosx Wed Apr 15 11:27:59 2015 -0700 
@@ -504,3 +504,60 @@ # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=SSLv3 + +# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) +# processing in JSSE implementation. +# +# In some environments, a certain algorithm may be undesirable but it +# cannot be disabled because of its use in legacy applications. Legacy +# algorithms may still be supported, but applications should not use them +# as the security strength of legacy algorithms are usually not strong enough +# in practice. +# +# During SSL/TLS security parameters negotiation, legacy algorithms will +# not be negotiated unless there are no other candidates. +# +# The syntax of the disabled algorithm string is described as this Java +# BNF-style: +# LegacyAlgorithms: +# " LegacyAlgorithm { , LegacyAlgorithm } " +# +# LegacyAlgorithm: +# AlgorithmName (standard JSSE algorithm name) +# +# See the specification of security property "jdk.certpath.disabledAlgorithms" +# for the syntax and description of the "AlgorithmName" notation. +# +# Per SSL/TLS specifications, cipher suites have the form: +# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg +# or +# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg +# +# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the +# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC +# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest +# algorithm for HMAC. +# +# The LegacyAlgorithm can be one of the following standard algorithm names: +# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA +# 2. JSSE key exchange algorithm name, e.g., RSA +# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC +# 4. JSSE message digest algorithm name, e.g., SHA-1 +# +# See SSL/TLS specifications and "Java Cryptography Architecture Standard +# Algorithm Name Documentation" for information about the algorithm names. 
+# +# Note: This property is currently used by Oracle's JSSE implementation. +# It is not guaranteed to be examined and used by other implementations. +# There is no guarantee the property will continue to exist or be of the +# same syntax in future releases. +# +# Example: +# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5 +# +jdk.tls.legacyAlgorithms= \ + K_NULL, C_NULL, M_NULL, \ + DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \ + DH_RSA_EXPORT, RSA_EXPORT, \ + DH_anon, ECDH_anon, \ + RC4_128, RC4_40, DES_CBC, DES40_CBC
--- a/src/share/lib/security/java.security-solaris Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/lib/security/java.security-solaris Wed Apr 15 11:27:59 2015 -0700 
@@ -503,3 +503,60 @@ # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=SSLv3 + +# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) +# processing in JSSE implementation. +# +# In some environments, a certain algorithm may be undesirable but it +# cannot be disabled because of its use in legacy applications. Legacy +# algorithms may still be supported, but applications should not use them +# as the security strength of legacy algorithms are usually not strong enough +# in practice. +# +# During SSL/TLS security parameters negotiation, legacy algorithms will +# not be negotiated unless there are no other candidates. +# +# The syntax of the disabled algorithm string is described as this Java +# BNF-style: +# LegacyAlgorithms: +# " LegacyAlgorithm { , LegacyAlgorithm } " +# +# LegacyAlgorithm: +# AlgorithmName (standard JSSE algorithm name) +# +# See the specification of security property "jdk.certpath.disabledAlgorithms" +# for the syntax and description of the "AlgorithmName" notation. +# +# Per SSL/TLS specifications, cipher suites have the form: +# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg +# or +# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg +# +# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the +# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC +# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest +# algorithm for HMAC. +# +# The LegacyAlgorithm can be one of the following standard algorithm names: +# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA +# 2. JSSE key exchange algorithm name, e.g., RSA +# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC +# 4. JSSE message digest algorithm name, e.g., SHA-1 +# +# See SSL/TLS specifications and "Java Cryptography Architecture Standard +# Algorithm Name Documentation" for information about the algorithm names. 
+# +# Note: This property is currently used by Oracle's JSSE implementation. +# It is not guaranteed to be examined and used by other implementations. +# There is no guarantee the property will continue to exist or be of the +# same syntax in future releases. +# +# Example: +# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5 +# +jdk.tls.legacyAlgorithms= \ + K_NULL, C_NULL, M_NULL, \ + DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \ + DH_RSA_EXPORT, RSA_EXPORT, \ + DH_anon, ECDH_anon, \ + RC4_128, RC4_40, DES_CBC, DES40_CBC
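Review bot: the syntax paragraph of the new comment still reads "The syntax of the disabled algorithm string", which looks carried over from the jdk.tls.disabledAlgorithms block above; it should say "legacy algorithm string". The default value also starts with K_NULL, C_NULL, M_NULL, names that none of the four listed LegacyAlgorithm kinds or their examples explain, so a line saying what the K_/C_/M_ prefixes stand for would help anyone editing this list. Minor grammar: "the security strength of legacy algorithms are" should be "is".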
--- a/src/share/lib/security/java.security-windows Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/lib/security/java.security-windows Wed Apr 15 11:27:59 2015 -0700 
@@ -504,3 +504,60 @@ # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=SSLv3 + +# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) +# processing in JSSE implementation. +# +# In some environments, a certain algorithm may be undesirable but it +# cannot be disabled because of its use in legacy applications. Legacy +# algorithms may still be supported, but applications should not use them +# as the security strength of legacy algorithms are usually not strong enough +# in practice. +# +# During SSL/TLS security parameters negotiation, legacy algorithms will +# not be negotiated unless there are no other candidates. +# +# The syntax of the disabled algorithm string is described as this Java +# BNF-style: +# LegacyAlgorithms: +# " LegacyAlgorithm { , LegacyAlgorithm } " +# +# LegacyAlgorithm: +# AlgorithmName (standard JSSE algorithm name) +# +# See the specification of security property "jdk.certpath.disabledAlgorithms" +# for the syntax and description of the "AlgorithmName" notation. +# +# Per SSL/TLS specifications, cipher suites have the form: +# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg +# or +# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg +# +# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the +# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC +# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest +# algorithm for HMAC. +# +# The LegacyAlgorithm can be one of the following standard algorithm names: +# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA +# 2. JSSE key exchange algorithm name, e.g., RSA +# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC +# 4. JSSE message digest algorithm name, e.g., SHA-1 +# +# See SSL/TLS specifications and "Java Cryptography Architecture Standard +# Algorithm Name Documentation" for information about the algorithm names. 
+# +# Note: This property is currently used by Oracle's JSSE implementation. +# It is not guaranteed to be examined and used by other implementations. +# There is no guarantee the property will continue to exist or be of the +# same syntax in future releases. +# +# Example: +# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5 +# +jdk.tls.legacyAlgorithms= \ + K_NULL, C_NULL, M_NULL, \ + DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \ + DH_RSA_EXPORT, RSA_EXPORT, \ + DH_anon, ECDH_anon, \ + RC4_128, RC4_40, DES_CBC, DES40_CBC
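Review bot: the comment does not say how jdk.tls.legacyAlgorithms interacts with jdk.tls.disabledAlgorithms, which sits directly above it with the default value SSLv3. Since the text states that legacy algorithms "will not be negotiated unless there are no other candidates", an administrator needs to know that listing something here only lowers its priority and that it can still be negotiated as a fallback; a sentence pointing to jdk.tls.disabledAlgorithms for removal, and saying which property wins when a name appears in both, would close that gap.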
--- a/src/share/native/sun/font/layout/AlternateSubstSubtables.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/AlternateSubstSubtables.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -53,6 +53,7 @@ Offset alternateSetTableOffset = SWAPW(alternateSetTableOffsetArray[coverageIndex]); const LEReferenceTo<AlternateSetTable> alternateSetTable(base, success, (const AlternateSetTable *) ((char *) this + alternateSetTableOffset)); + if (!LE_SUCCESS(success)) return 0; TTGlyphID alternate = SWAPW(alternateSetTable->alternateArray[0]); if (filter == NULL || filter->accept(LE_SET_GLYPH(glyph, alternate), success)) {
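Review bot: the added guard is spelled `if (!LE_SUCCESS(success)) return 0;` while other files in this changeset use `LE_FAILURE(success)` for the same test; use one form throughout. The guard also only covers construction of the alternateSetTable reference; the following read of alternateArray[0] is not preceded by any visible check that the set contains at least one entry.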
--- a/src/share/native/sun/font/layout/AnchorTables.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/AnchorTables.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -44,21 +44,27 @@ case 1: { LEReferenceTo<Format1AnchorTable> f1(base, success); - f1->getAnchor(f1, fontInstance, anchor, success); + if (LE_SUCCESS(success)) { + f1->getAnchor(f1, fontInstance, anchor, success); + } break; } case 2: { LEReferenceTo<Format2AnchorTable> f2(base, success); - f2->getAnchor(f2, glyphID, fontInstance, anchor, success); + if (LE_SUCCESS(success)) { + f2->getAnchor(f2, glyphID, fontInstance, anchor, success); + } break; } case 3: { LEReferenceTo<Format3AnchorTable> f3(base, success); - f3->getAnchor(f3, fontInstance, anchor, success); + if (LE_SUCCESS(success)) { + f3->getAnchor(f3, fontInstance, anchor, success); + } break; } @@ -66,7 +72,9 @@ { // unknown format: just use x, y coordinate, like format 1... LEReferenceTo<Format1AnchorTable> f1(base, success); - f1->getAnchor(f1, fontInstance, anchor, success); + if (LE_SUCCESS(success)) { + f1->getAnchor(f1, fontInstance, anchor, success); + } break; } } @@ -112,16 +120,18 @@ if (dtxOffset != 0) { LEReferenceTo<DeviceTable> dt(base, success, dtxOffset); - le_int16 adjx = dt->getAdjustment(dt, (le_int16) fontInstance->getXPixelsPerEm(), success); - - pixels.fX += adjx; + if (LE_SUCCESS(success)) { + le_int16 adjx = dt->getAdjustment(dt, (le_int16) fontInstance->getXPixelsPerEm(), success); + pixels.fX += adjx; + } } if (dtyOffset != 0) { LEReferenceTo<DeviceTable> dt(base, success, dtyOffset); - le_int16 adjy = dt->getAdjustment(dt, (le_int16) fontInstance->getYPixelsPerEm(), success); - - pixels.fY += adjy; + if (LE_SUCCESS(success)) { + le_int16 adjy = dt->getAdjustment(dt, (le_int16) fontInstance->getYPixelsPerEm(), success); + pixels.fY += adjy; + } } fontInstance->pixelsToUnits(pixels, anchor);
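Review bot: in every case of the format switch, a failed LEReferenceTo now skips getAnchor and falls through to break without anchor being written in the visible lines, so the caller receives whatever anchor held before the call. Either assign anchor a defined value on the failure path or document that callers must test success before reading it. The same applies to the device table hunk: when dt fails, the adjustment is skipped silently and fontInstance->pixelsToUnits(pixels, anchor) still runs with success already set to an error.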
--- a/src/share/native/sun/font/layout/ContextualGlyphInsertionProc2.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/ContextualGlyphInsertionProc2.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -107,6 +107,10 @@ le_int16 markIndex = SWAPW(entry->markedInsertionListIndex); if (markIndex > 0) { + if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + return 0; + } le_int16 count = (flags & cgiMarkedInsertCountMask) >> 5; le_bool isKashidaLike = (flags & cgiMarkedIsKashidaLike); le_bool isBefore = (flags & cgiMarkInsertBefore); @@ -115,6 +119,10 @@ le_int16 currIndex = SWAPW(entry->currentInsertionListIndex); if (currIndex > 0) { + if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + return 0; + } le_int16 count = flags & cgiCurrentInsertCountMask; le_bool isKashidaLike = (flags & cgiCurrentIsKashidaLike); le_bool isBefore = (flags & cgiCurrentInsertBefore);
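Review bot: the four-line range check on markGlyph and currGlyph against glyphStorage.getGlyphCount() is written out twice in this file and repeated verbatim in several other processors in this changeset. A small inline helper that takes the index, the storage and success would keep the copies from drifting apart, for example if one site is later changed to a different error code.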
--- a/src/share/native/sun/font/layout/ContextualGlyphSubstProc.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/ContextualGlyphSubstProc.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -76,6 +76,10 @@ WordOffset currOffset = SWAPW(entry->currOffset); if (markOffset != 0 && LE_SUCCESS(success)) { + if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + return 0; + } LEGlyphID mGlyph = glyphStorage[markGlyph]; TTGlyphID newGlyph = SWAPW(int16Table.getObject(markOffset + LE_GET_GLYPH(mGlyph), success)); // whew. @@ -83,6 +87,10 @@ } if (currOffset != 0) { + if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + return 0; + } LEGlyphID thisGlyph = glyphStorage[currGlyph]; TTGlyphID newGlyph = SWAPW(int16Table.getObject(currOffset + LE_GET_GLYPH(thisGlyph), success)); // whew.
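Review bot: the mark branch is entered under `markOffset != 0 && LE_SUCCESS(success)`, but the curr branch is still entered under `currOffset != 0` alone. If int16Table.getObject in the mark branch has set success to an error, the curr branch goes on to read and use glyphStorage[currGlyph] anyway; add the same LE_SUCCESS(success) condition there.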
--- a/src/share/native/sun/font/layout/ContextualGlyphSubstProc2.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/ContextualGlyphSubstProc2.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -70,17 +70,25 @@ if(LE_FAILURE(success)) return 0; le_uint16 newState = SWAPW(entry->newStateIndex); le_uint16 flags = SWAPW(entry->flags); - le_int16 markIndex = SWAPW(entry->markIndex); - le_int16 currIndex = SWAPW(entry->currIndex); + le_uint16 markIndex = SWAPW(entry->markIndex); + le_uint16 currIndex = SWAPW(entry->currIndex); - if (markIndex != -1) { + if (markIndex != 0x0FFFF) { + if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + return 0; + } le_uint32 offset = SWAPL(perGlyphTable(markIndex, success)); LEGlyphID mGlyph = glyphStorage[markGlyph]; TTGlyphID newGlyph = lookup(offset, mGlyph, success); glyphStorage[markGlyph] = LE_SET_GLYPH(mGlyph, newGlyph); } - if (currIndex != -1) { + if (currIndex != 0x0FFFF) { + if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + return 0; + } le_uint32 offset = SWAPL(perGlyphTable(currIndex, success)); LEGlyphID thisGlyph = glyphStorage[currGlyph]; TTGlyphID newGlyph = lookup(offset, thisGlyph, success);
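Review bot: the sentinel is written as the literal `0x0FFFF` in both comparisons, with a stray leading zero that makes it read like a wider value than the le_uint16 it is compared against. A named constant, or plain 0xFFFF, would be clearer. Separately, in both branches the result of perGlyphTable(markIndex, success) is passed on to lookup and the result stored into glyphStorage without success being tested in between.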
--- a/src/share/native/sun/font/layout/GXLayoutEngine.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/GXLayoutEngine.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -73,7 +73,7 @@ fMorphTable->process(fMorphTable, glyphStorage, success); - return count; + return glyphStorage.getGlyphCount(); } // apply positional tables
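Review bot: the new `return glyphStorage.getGlyphCount();` comes straight after `fMorphTable->process(fMorphTable, glyphStorage, success);` with no test of success. If process fails part way through, the caller gets the count of a partially transformed glyph array; consider returning 0 on LE_FAILURE(success), or state in a comment that callers must check success first. The identical change in GXLayoutEngine2.cpp has the same gap.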
--- a/src/share/native/sun/font/layout/GXLayoutEngine2.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/GXLayoutEngine2.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -69,7 +69,7 @@ } fMorphTable->process(fMorphTable, glyphStorage, fTypoFlags, success); - return count; + return glyphStorage.getGlyphCount(); } // apply positional tables
--- a/src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -70,6 +70,11 @@ ByteOffset newState = SWAPW(entry->newStateOffset); IndicRearrangementFlags flags = (IndicRearrangementFlags) SWAPW(entry->flags); + if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + return 0; + } + if (flags & irfMarkFirst) { firstGlyph = currGlyph; }
--- a/src/share/native/sun/font/layout/IndicRearrangementProcessor2.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/IndicRearrangementProcessor2.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -68,6 +68,11 @@ le_uint16 newState = SWAPW(entry->newStateIndex); // index to the new state IndicRearrangementFlags flags = (IndicRearrangementFlags) SWAPW(entry->flags); + if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + return 0; + } + if (flags & irfMarkFirst) { firstGlyph = currGlyph; }
--- a/src/share/native/sun/font/layout/LETableReference.h Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/LETableReference.h Wed Apr 15 11:27:59 2015 -0700 @@ -188,7 +188,7 @@ void addOffset(size_t offset, LEErrorCode &success) { if(hasBounds()) { - if(offset > fLength) { + if(offset >= fLength) { LE_DEBUG_TR("addOffset off end"); success = LE_INDEX_OUT_OF_BOUNDS_ERROR; return; @@ -203,7 +203,7 @@ if(atPtr==NULL) return 0; if(LE_FAILURE(success)) return LE_UINTPTR_MAX; if((atPtr < fStart) || - (hasBounds() && (atPtr > fStart+fLength))) { + (hasBounds() && (atPtr >= fStart+fLength))) { LE_DEBUG_TR3("ptrToOffset args out of range: %p", atPtr, 0); success = LE_INDEX_OUT_OF_BOUNDS_ERROR; return LE_UINTPTR_MAX;
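Review bot: changing `offset > fLength` to `offset >= fLength` in addOffset, and the matching change in ptrToOffset, makes a reference positioned exactly at the end of the table an error, and neither site carries a comment saying so. This is a behaviour change for every caller that advances a reference after the last record in a loop, which appears to be why other files in this changeset move their addOffset and addObject calls to the top of the loop body. A short comment at both sites stating that one-past-the-end is rejected would stop new callers from reintroducing the old pattern.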
--- a/src/share/native/sun/font/layout/LigatureSubstProc.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/LigatureSubstProc.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -73,7 +73,7 @@ const LigatureSubstitutionStateEntry *entry = entryTable.getAlias(index, success); ByteOffset newState = SWAPW(entry->newStateOffset); - le_int16 flags = SWAPW(entry->flags); + le_uint16 flags = SWAPW(entry->flags); if (flags & lsfSetComponent) { if (++m >= nComponents) { @@ -92,15 +92,18 @@ if (actionOffset != 0) { LEReferenceTo<LigatureActionEntry> ap(stHeader, success, actionOffset); LigatureActionEntry action; - le_int32 offset, i = 0; + le_int32 offset, i = 0, j = 0; le_int32 stack[nComponents]; le_int16 mm = -1; do { le_uint32 componentGlyph = componentStack[m--]; + if (j++ > 0) { + ap.addObject(success); + } + action = SWAPL(*ap.getAlias()); - ap.addObject(success); // ap++ if (m < 0) { m = nComponents - 1;
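Review bot: in the do loop, success is not tested between the new `ap.addObject(success);` and the dereference in `action = SWAPL(*ap.getAlias());`. When addObject steps past the end of the table and sets an error, the next statement still reads through ap. Break out of the loop on LE_FAILURE(success) before the dereference.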
--- a/src/share/native/sun/font/layout/LigatureSubstProc2.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/LigatureSubstProc2.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -98,7 +98,7 @@ ap.addObject(ligActionIndex, success); LEReferenceToArrayOf<TTGlyphID> ligatureTable(stHeader, success, ligatureOffset, LE_UNBOUNDED_ARRAY); LigatureActionEntry action; - le_int32 offset, i = 0; + le_int32 offset, i = 0, j = 0; le_int32 stack[nComponents]; le_int16 mm = -1; @@ -111,6 +111,10 @@ do { le_uint32 componentGlyph = componentStack[m--]; // pop off + if (j++ > 0) { + ap.addObject(success); + } + action = SWAPL(*ap.getAlias()); if (m < 0) { @@ -144,7 +148,6 @@ LE_DEBUG_BAD_FONT("m<0") } #endif - ap.addObject(success); } while (LE_SUCCESS(success) && !(action & lafLast) && (m>=0) ); // stop if last bit is set, or if run out of items while (mm >= 0) {
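Review bot: `j` is declared as a le_int32 counter but is only ever used as a first-iteration flag in `if (j++ > 0)`. A le_bool named for its purpose would make the intent obvious and avoids an increment on every pass. As in LigatureSubstProc.cpp, the read `*ap.getAlias()` follows addObject without a check of success.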
--- a/src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -97,13 +97,9 @@ if( LE_FAILURE(success) ) { return 0; } Offset anchorTableOffset = SWAPW(baseRecord->baseAnchorTableOffsetArray[markClass]); - if (anchorTableOffset <= 0) { - // this means the table is mal-formed... - glyphIterator->setCurrGlyphBaseOffset(baseIterator.getCurrStreamPosition()); - return 0; - } + LEReferenceTo<AnchorTable> anchorTable(baseArray, success, anchorTableOffset); + if( LE_FAILURE(success) ) { return 0; } - LEReferenceTo<AnchorTable> anchorTable(baseArray, success, anchorTableOffset); LEPoint baseAnchor, markAdvance, pixels;
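Review bot: removing the `if (anchorTableOffset <= 0)` branch means an offset of 0 is no longer rejected before `LEReferenceTo<AnchorTable> anchorTable(baseArray, success, anchorTableOffset);` is constructed. Unless the constructor treats 0 as an error, which is not visible here, offset 0 refers to the start of baseArray and would pass the bounds check, so the base array header would be interpreted as an anchor table. The removed branch also called glyphIterator->setCurrGlyphBaseOffset(...) before returning; the new failure return does not, and the commit should say whether that side effect was dropped on purpose.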
--- a/src/share/native/sun/font/layout/MorphTables.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/MorphTables.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -52,8 +52,15 @@ le_uint32 chain; for (chain = 0; LE_SUCCESS(success) && (chain < chainCount); chain += 1) { + if (chain > 0) { + le_uint32 chainLength = SWAPL(chainHeader->chainLength); + if (chainLength & 0x03) { // incorrect alignment for 32 bit tables + success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any + return; + } + chainHeader.addOffset(chainLength, success); + } FeatureFlags defaultFlags = SWAPL(chainHeader->defaultFlags); - le_uint32 chainLength = SWAPL(chainHeader->chainLength); le_int16 nFeatureEntries = SWAPW(chainHeader->nFeatureEntries); le_int16 nSubtables = SWAPW(chainHeader->nSubtables); LEReferenceTo<MorphSubtableHeader> subtableHeader = @@ -61,7 +68,14 @@ le_int16 subtable; for (subtable = 0; LE_SUCCESS(success) && (subtable < nSubtables); subtable += 1) { - le_int16 length = SWAPW(subtableHeader->length); + if (subtable > 0) { + le_int16 length = SWAPW(subtableHeader->length); + if (length & 0x03) { // incorrect alignment for 32 bit tables + success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any + return; + } + subtableHeader.addOffset(length, success); + } SubtableCoverage coverage = SWAPW(subtableHeader->coverage); FeatureFlags subtableFeatures = SWAPL(subtableHeader->subtableFeatures); @@ -69,10 +83,7 @@ if ((coverage & scfVertical) == 0 && (subtableFeatures & defaultFlags) != 0 && LE_SUCCESS(success)) { subtableHeader->process(subtableHeader, glyphStorage, success); } - - subtableHeader.addOffset(length, success); } - chainHeader.addOffset(chainLength, success); } }
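Review bot: the alignment test `length & 0x03` accepts a length of 0, so in the subtable loop `subtableHeader.addOffset(length, success)` leaves the reference where it was and the same subtable is processed again on every remaining iteration; the same holds for chainLength in the chain loop. Reject a length that is zero or smaller than the header before advancing. Note also that length is still a le_int16 here, so a value with the top bit set becomes negative before it is passed to addOffset, which takes a size_t.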
--- a/src/share/native/sun/font/layout/MorphTables2.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/MorphTables2.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -59,6 +59,10 @@ for (chain = 0; LE_SUCCESS(success) && (chain < chainCount); chain++) { if (chain>0) { le_uint32 chainLength = SWAPL(chainHeader->chainLength); + if (chainLength & 0x03) { // incorrect alignment for 32 bit tables + success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any + return; + } chainHeader.addOffset(chainLength, success); // Don't increment the first time } FeatureFlags flag = SWAPL(chainHeader->defaultFlags); @@ -188,6 +192,10 @@ for (subtable = 0; LE_SUCCESS(success) && subtable < nSubtables; subtable++) { if(subtable>0) { le_uint32 length = SWAPL(subtableHeader->length); + if (length & 0x03) { // incorrect alignment for 32 bit tables + success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any + return; + } subtableHeader.addOffset(length, success); // Don't addOffset for the last entry. } le_uint32 coverage = SWAPL(subtableHeader->coverage);
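Review bot: both new checks report a misaligned length as LE_MEMORY_ALLOCATION_ERROR, with the comment "as good a choice as any". No allocation is involved, and a caller that logs or branches on the error code will misattribute a malformed font to memory pressure. An error that describes bad table data, such as the LE_INDEX_OUT_OF_BOUNDS_ERROR used for the other checks in this changeset, would be more accurate.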
--- a/src/share/native/sun/font/layout/PairPositioningSubtables.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/PairPositioningSubtables.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -179,12 +179,13 @@ LEReferenceTo<PairValueRecord> record(records); for(le_int32 r = 0; r < recordCount; r += 1) { + if (r > 0) { + record.addOffset(recordSize, success); + } if(LE_FAILURE(success)) return LEReferenceTo<PairValueRecord>(); if (SWAPW(record->secondGlyph) == glyphID) { return record; } - - record.addOffset(recordSize, success); } #else #error dead code - not updated.
--- a/src/share/native/sun/font/layout/SingleSubstitutionSubtables.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/SingleSubstitutionSubtables.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -94,7 +94,9 @@ return 0; } - if (coverageIndex >= 0) { + LEReferenceToArrayOf<TTGlyphID> substituteArrayRef(base, success, substituteArray, SWAPW(glyphCount)); + + if (coverageIndex >= 0 && LE_SUCCESS(success) && coverageIndex < substituteArrayRef.getCount()) { TTGlyphID substitute = SWAPW(substituteArray[coverageIndex]); if (filter == NULL || filter->accept(LE_SET_GLYPH(glyph, substitute), success)) {
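Review bot: the new condition validates coverageIndex against substituteArrayRef.getCount(), but the read on the next line still goes through the raw member, `SWAPW(substituteArray[coverageIndex])`. Read the element through substituteArrayRef instead, so that the access which was bounds checked is the one actually performed and the two cannot diverge if either is edited later.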
--- a/src/share/native/sun/font/layout/StateTableProcessor.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/StateTableProcessor.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -85,6 +85,7 @@ if (currGlyph == glyphCount) { // XXX: How do we handle EOT vs. EOL? classCode = classCodeEOT; + break; } else { TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(glyphStorage[currGlyph]);
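Review bot: in the `currGlyph == glyphCount` branch, `classCode = classCodeEOT;` is now followed immediately by `break;`, so the assignment has no visible effect and the end-of-text class is never fed to the state table. If skipping the end-of-text transition is intended, remove the dead assignment and replace the "XXX: How do we handle EOT vs. EOL?" comment with one that states the decision; if not, the break is in the wrong place.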
--- a/src/share/native/sun/font/layout/StateTableProcessor2.cpp Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/StateTableProcessor2.cpp Wed Apr 15 11:27:59 2015 -0700 @@ -103,6 +103,7 @@ if (currGlyph == glyphCount || currGlyph == -1) { // XXX: How do we handle EOT vs. EOL? classCode = classCodeEOT; + break; } else { LEGlyphID gid = glyphStorage[currGlyph]; TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(gid); @@ -134,6 +135,7 @@ if (currGlyph == glyphCount || currGlyph == -1) { // XXX: How do we handle EOT vs. EOL? classCode = classCodeEOT; + break; } else { LEGlyphID gid = glyphStorage[currGlyph]; TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(gid); @@ -171,6 +173,7 @@ if (currGlyph == glyphCount || currGlyph == -1) { // XXX: How do we handle EOT vs. EOL? classCode = classCodeEOT; + break; } else if(currGlyph > glyphCount) { // note if > glyphCount, we've run off the end (bad font) currGlyph = glyphCount; @@ -211,6 +214,7 @@ if (currGlyph == glyphCount || currGlyph == -1) { // XXX: How do we handle EOT vs. EOL? classCode = classCodeEOT; + break; } else { TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(glyphStorage[currGlyph]); if (glyphCode == 0xFFFF) {
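Review bot: of the four loops touched here, only the third has the `else if(currGlyph > glyphCount)` branch that clamps a runaway index; in the other three the else branch goes straight to glyphStorage[currGlyph] for any value other than glyphCount or -1. Either add the same range handling to all four loops or explain why the other three cannot see an out-of-range currGlyph. As in StateTableProcessor.cpp, the classCodeEOT assignment before each new break is now dead.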
--- a/src/share/native/sun/font/layout/StateTables.h Wed Apr 15 10:57:23 2015 -0700 +++ b/src/share/native/sun/font/layout/StateTables.h Wed Apr 15 11:27:59 2015 -0700 @@ -126,7 +126,7 @@ struct StateEntry { ByteOffset newStateOffset; - le_int16 flags; + le_uint16 flags; }; typedef le_uint16 EntryTableIndex2;
--- a/src/solaris/bin/java_md_solinux.c Wed Apr 15 10:57:23 2015 -0700 +++ b/src/solaris/bin/java_md_solinux.c Wed Apr 15 11:27:59 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -613,13 +613,14 @@ /* runpath contains current effective LD_LIBRARY_PATH setting */ jvmpath = JLI_StringDup(jvmpath); - new_runpath = JLI_MemAlloc(((runpath != NULL) ? JLI_StrLen(runpath) : 0) + + size_t new_runpath_size = ((runpath != NULL) ? JLI_StrLen(runpath) : 0) + 2 * JLI_StrLen(jrepath) + 2 * JLI_StrLen(arch) + #ifdef AIX /* On AIX we additionally need 'jli' in the path because ld doesn't support $ORIGIN. */ JLI_StrLen(jrepath) + JLI_StrLen(arch) + JLI_StrLen("/lib//jli:") + #endif - JLI_StrLen(jvmpath) + 52); + JLI_StrLen(jvmpath) + 52; + new_runpath = JLI_MemAlloc(new_runpath_size); newpath = new_runpath + JLI_StrLen(LD_LIBRARY_PATH "="); @@ -679,6 +680,11 @@ * loop of execv() because we test for the prefix, above. */ if (runpath != 0) { + /* ensure storage for runpath + colon + NULL */ + if ((JLI_StrLen(runpath) + 1 + 1) > new_runpath_size) { + JLI_ReportErrorMessageSys(JRE_ERROR11); + exit(1); + } JLI_StrCat(new_runpath, ":"); JLI_StrCat(new_runpath, runpath); } @@ -811,7 +817,11 @@ JLI_TraceLauncher("JRE path is %s\n", path); return JNI_TRUE; } - + /* ensure storage for path + /jre + NULL */ + if ((JLI_StrLen(path) + 4 + 1) > pathsize) { + JLI_TraceLauncher("Insufficient space to store JRE path\n"); + return JNI_FALSE; + } /* Does the app ship a private JRE in <apphome>/jre directory? */ JLI_Snprintf(libjava, sizeof(libjava), "%s/jre/lib/%s/" JAVA_DLL, path, arch); if (access(libjava, F_OK) == 0) {
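Review bot: the new guard before the two JLI_StrCat calls compares only `JLI_StrLen(runpath) + 1 + 1` with new_runpath_size, which is the size of the whole allocation, not the space left in it. Since JLI_StrCat appends to what new_runpath already holds, the test should include the current length, for example JLI_StrLen(new_runpath) + JLI_StrLen(runpath) + 2 > new_runpath_size. In the first hunk, `size_t new_runpath_size` is declared after the statement `jvmpath = JLI_StringDup(jvmpath);`, which older C compilers reject; move the declaration to the top of the block. The comments say "NULL" where the terminating NUL character is meant.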
--- a/src/windows/bin/java_md.c Wed Apr 15 10:57:23 2015 -0700 +++ b/src/windows/bin/java_md.c Wed Apr 15 11:27:59 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -318,7 +318,11 @@ JLI_TraceLauncher("JRE path is %s\n", path); return JNI_TRUE; } - + /* ensure storage for path + \jre + NULL */ + if ((JLI_StrLen(path) + 4 + 1) > pathsize) { + JLI_TraceLauncher("Insufficient space to store JRE path\n"); + return JNI_FALSE; + } /* Does this app ship a private JRE in <apphome>\jre directory? */ JLI_Snprintf(javadll, sizeof (javadll), "%s\\jre\\bin\\" JAVA_DLL, path); if (stat(javadll, &s) == 0) {
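Review bot: the guard uses the bare literals `4 + 1` for "\jre" plus the terminator and sits in front of a JLI_Snprintf that writes to javadll, not to path. The write into path that it is meant to protect is not in this hunk, so either move the check next to that write or name the write in the comment; deriving the 4 from the string itself would also keep the check correct if the suffix changes. The comment should say NUL rather than NULL.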
--- a/test/sun/security/ssl/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java Wed Apr 15 10:57:23 2015 -0700 +++ b/test/sun/security/ssl/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java Wed Apr 15 11:27:59 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,7 +31,7 @@ * @bug 7188657 * @summary There should be a way to reorder the JSSE ciphers * @run main/othervm UseCipherSuitesOrder - * TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA + * TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA */ import java.io.*;
--- a/test/sun/util/calendar/zi/tzdata/VERSION Wed Apr 15 10:57:23 2015 -0700 +++ b/test/sun/util/calendar/zi/tzdata/VERSION Wed Apr 15 11:27:59 2015 -0700 @@ -21,4 +21,4 @@ # or visit www.oracle.com if you need additional information or have any # questions. # -tzdata2015a +tzdata2015b
--- a/test/sun/util/calendar/zi/tzdata/asia Wed Apr 15 10:57:23 2015 -0700 +++ b/test/sun/util/calendar/zi/tzdata/asia Wed Apr 15 11:27:59 2015 -0700 @@ -1927,6 +1927,13 @@ # was at the start of 2008-03-31 (the day of Steffen Thorsen's report); # this is almost surely wrong. +# From Ganbold Tsagaankhuu (2015-03-10): +# It seems like yesterday Mongolian Government meeting has concluded to use +# daylight saving time in Mongolia.... Starting at 2:00AM of last Saturday of +# March 2015, daylight saving time starts. And 00:00AM of last Saturday of +# September daylight saving time ends. Source: +# http://zasag.mn/news/view/8969 + # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S Rule Mongol 1983 1984 - Apr 1 0:00 1:00 S Rule Mongol 1983 only - Oct 1 0:00 0 - @@ -1947,6 +1954,8 @@ Rule Mongol 2001 only - Apr lastSat 2:00 1:00 S Rule Mongol 2001 2006 - Sep lastSat 2:00 0 - Rule Mongol 2002 2006 - Mar lastSat 2:00 1:00 S +Rule Mongol 2015 max - Mar lastSat 2:00 1:00 S +Rule Mongol 2015 max - Sep lastSat 0:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] # Hovd, a.k.a. Chovd, Dund-Us, Dzhargalant, Khovd, Jirgalanta 
@@ -2365,13 +2374,19 @@ # official source...: # http://www.palestinecabinet.gov.ps/ar/Views/ViewDetails.aspx?pid=1252 -# From Paul Eggert (2013-09-24): -# For future dates, guess the last Thursday in March at 24:00 through -# the first Friday on or after September 21 at 00:00. This is consistent with -# the predictions in today's editions of the following URLs, -# which are for Gaza and Hebron respectively: -# http://www.timeanddate.com/worldclock/timezone.html?n=702 -# http://www.timeanddate.com/worldclock/timezone.html?n=2364 +# From Steffen Thorsen (2015-03-03): +# Sources such as http://www.alquds.com/news/article/view/id/548257 +# and http://www.raya.ps/ar/news/890705.html say Palestine areas will +# start DST on 2015-03-28 00:00 which is one day later than expected. +# +# From Paul Eggert (2015-03-03): +# http://www.timeanddate.com/time/change/west-bank/ramallah?year=2014 +# says that the fall 2014 transition was Oct 23 at 24:00. +# For future dates, guess the last Friday in March at 24:00 through +# the first Friday on or after October 21 at 00:00. This is consistent with +# the predictions in today's editions of the following URLs: +# http://www.timeanddate.com/time/change/gaza-strip/gaza +# http://www.timeanddate.com/time/change/west-bank/hebron # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S Rule EgyptAsia 1957 only - May 10 0:00 1:00 S @@ -2397,9 +2412,11 @@ Rule Palestine 2011 only - Aug 1 0:00 0 - Rule Palestine 2011 only - Aug 30 0:00 1:00 S Rule Palestine 2011 only - Sep 30 0:00 0 - -Rule Palestine 2012 max - Mar lastThu 24:00 1:00 S +Rule Palestine 2012 2014 - Mar lastThu 24:00 1:00 S Rule Palestine 2012 only - Sep 21 1:00 0 - -Rule Palestine 2013 max - Sep Fri>=21 0:00 0 - +Rule Palestine 2013 only - Sep Fri>=21 0:00 0 - +Rule Palestine 2014 max - Oct Fri>=21 0:00 0 - +Rule Palestine 2015 max - Mar lastFri 24:00 1:00 S # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
--- a/test/sun/util/calendar/zi/tzdata/australasia Wed Apr 15 10:57:23 2015 -0700 +++ b/test/sun/util/calendar/zi/tzdata/australasia Wed Apr 15 11:27:59 2015 -0700 @@ -396,6 +396,7 @@ 9:39:00 - LMT 1901 # Agana 10:00 - GST 2000 Dec 23 # Guam 10:00 - ChST # Chamorro Standard Time +Link Pacific/Guam Pacific/Saipan # N Mariana Is # Kiribati # Zone NAME GMTOFF RULES FORMAT [UNTIL] @@ -411,12 +412,7 @@ 14:00 - LINT # N Mariana Is -# Zone NAME GMTOFF RULES FORMAT [UNTIL] -Zone Pacific/Saipan -14:17:00 - LMT 1844 Dec 31 - 9:43:00 - LMT 1901 - 9:00 - MPT 1969 Oct # N Mariana Is Time - 10:00 - MPT 2000 Dec 23 - 10:00 - ChST # Chamorro Standard Time +# See Pacific/Guam. # Marshall Is # Zone NAME GMTOFF RULES FORMAT [UNTIL] @@ -586,6 +582,7 @@ -11:00 - NST 1967 Apr # N=Nome -11:00 - BST 1983 Nov 30 # B=Bering -11:00 - SST # S=Samoa +Link Pacific/Pago_Pago Pacific/Midway # in US minor outlying islands # Samoa (formerly and also known as Western Samoa) @@ -767,23 +764,7 @@ # uninhabited # Midway -# -# From Mark Brader (2005-01-23): -# [Fallacies and Fantasies of Air Transport History, by R.E.G. Davies, -# published 1994 by Paladwr Press, McLean, VA, USA; ISBN 0-9626483-5-3] -# reproduced a Pan American Airways timetable from 1936, for their weekly -# "Orient Express" flights between San Francisco and Manila, and connecting -# flights to Chicago and the US East Coast. As it uses some time zone -# designations that I've never seen before:.... -# Fri. 6:30A Lv. HONOLOLU (Pearl Harbor), H.I. H.L.T. Ar. 5:30P Sun. -# " 3:00P Ar. MIDWAY ISLAND . . . . . . . . . M.L.T. Lv. 6:00A " -# -Zone Pacific/Midway -11:49:28 - LMT 1901 - -11:00 - NST 1956 Jun 3 - -11:00 1:00 NDT 1956 Sep 2 - -11:00 - NST 1967 Apr # N=Nome - -11:00 - BST 1983 Nov 30 # B=Bering - -11:00 - SST # S=Samoa +# See Pacific/Pago_Pago. # Palmyra # uninhabited since World War II; was probably like Pacific/Kiritimati
--- a/test/sun/util/calendar/zi/tzdata/europe Wed Apr 15 10:57:23 2015 -0700 +++ b/test/sun/util/calendar/zi/tzdata/europe Wed Apr 15 11:27:59 2015 -0700 @@ -2423,7 +2423,7 @@ 4:00 Russia VOL%sT 1989 Mar 26 2:00s # Volgograd T 3:00 Russia VOL%sT 1991 Mar 31 2:00s 4:00 - VOLT 1992 Mar 29 2:00s - 3:00 Russia MSK 2011 Mar 27 2:00s + 3:00 Russia MSK/MSD 2011 Mar 27 2:00s 4:00 - MSK 2014 Oct 26 2:00s 3:00 - MSK
--- a/test/sun/util/calendar/zi/tzdata/northamerica Wed Apr 15 10:57:23 2015 -0700 +++ b/test/sun/util/calendar/zi/tzdata/northamerica Wed Apr 15 11:27:59 2015 -0700 @@ -2335,8 +2335,24 @@ # "...the new time zone will come into effect at two o'clock on the first Sunday # of February, when we will have to advance the clock one hour from its current # time..." +# Also, the new zone will not use DST. # -# Also, the new zone will not use DST. +# From Carlos Raúl Perasso (2015-02-02): +# The decree that modifies the Mexican Hour System Law has finally +# been published at the Diario Oficial de la Federación +# http://www.dof.gob.mx/nota_detalle.php?codigo=5380123&fecha=31/01/2015 +# It establishes 5 zones for Mexico: +# 1- Zona Centro (Central Zone): Corresponds to longitude 90 W, +# includes most of Mexico, excluding what's mentioned below. +# 2- Zona Pacífico (Pacific Zone): Longitude 105 W, includes the +# states of Baja California Sur; Chihuahua; Nayarit (excluding Bahía +# de Banderas which lies in Central Zone); Sinaloa and Sonora. +# 3- Zona Noroeste (Northwest Zone): Longitude 120 W, includes the +# state of Baja California. +# 4- Zona Sureste (Southeast Zone): Longitude 75 W, includes the state +# of Quintana Roo. +# 5- The islands, reefs and keys shall take their timezone from the +# longitude they are located at. # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S Rule Mexico 1939 only - Feb 5 0:00 1:00 D @@ -2531,14 +2547,9 @@ ############################################################################### # Anguilla +# Antigua and Barbuda # See America/Port_of_Spain. -# Antigua and Barbuda -# Zone NAME GMTOFF RULES FORMAT [UNTIL] -Zone America/Antigua -4:07:12 - LMT 1912 Mar 2 - -5:00 - EST 1951 - -4:00 - AST - # Bahamas # # For 1899 Milne gives -5:09:29.5; round that. 
@@ -2604,10 +2615,7 @@ -4:00 US A%sT # Cayman Is -# Zone NAME GMTOFF RULES FORMAT [UNTIL] -Zone America/Cayman -5:25:32 - LMT 1890 # Georgetown - -5:07:11 - KMT 1912 Feb # Kingston Mean Time - -5:00 - EST +# See America/Panama. # Costa Rica @@ -3130,6 +3138,7 @@ Zone America/Panama -5:18:08 - LMT 1890 -5:19:36 - CMT 1908 Apr 22 # Colón Mean Time -5:00 - EST +Link America/Panama America/Cayman # Puerto Rico # There are too many San Juans elsewhere, so we'll use 'Puerto_Rico'.
--- a/test/sun/util/calendar/zi/tzdata/southamerica Wed Apr 15 10:57:23 2015 -0700 +++ b/test/sun/util/calendar/zi/tzdata/southamerica Wed Apr 15 11:27:59 2015 -0700 @@ -1229,10 +1229,13 @@ # DST Start: first Saturday of September 2014 (Sun 07 Sep 2014 04:00 UTC) # http://www.diariooficial.interior.gob.cl//media/2014/02/19/do-20140219.pdf -# From Juan Correa (2015-01-28): -# ... today the Ministry of Energy announced that Chile will drop DST, will keep -# "summer time" (UTC -3 / UTC -5) all year round.... -# http://www.minenergia.cl/ministerio/noticias/generales/ministerio-de-energia-anuncia.html +# From Eduardo Romero Urra (2015-03-03): +# Today has been published officially that Chile will use the DST time +# permanently until March 25 of 2017 +# http://www.diariooficial.interior.gob.cl/media/2015/03/03/1-large.jpg +# +# From Paul Eggert (2015-03-03): +# For now, assume that the extension will persist indefinitely. # NOTE: ChileAQ rules for Antarctic bases are stored separately in the # 'antarctica' file. @@ -1291,7 +1294,7 @@ -3:00 - CLT Zone Pacific/Easter -7:17:44 - LMT 1890 -7:17:28 - EMT 1932 Sep # Easter Mean Time - -7:00 Chile EAS%sT 1982 Mar 13 3:00u # Easter Time + -7:00 Chile EAS%sT 1982 Mar 14 3:00u # Easter Time -6:00 Chile EAS%sT 2015 Apr 26 3:00u -5:00 - EAST # @@ -1626,6 +1629,7 @@ # These all agree with Trinidad and Tobago since 1970. Link America/Port_of_Spain America/Anguilla +Link America/Port_of_Spain America/Antigua Link America/Port_of_Spain America/Dominica Link America/Port_of_Spain America/Grenada Link America/Port_of_Spain America/Guadeloupe