Merge
authorchegar
Mon, 07 Oct 2013 11:32:48 +0100
changeset 22320 d66c8815bebc
parent 20852 d09138f48ac1 (current diff)
parent 22319 8fbc2b703ae5 (diff)
child 22321 37f8c8b6ef7a
Merge
--- a/jdk/make/common/Release.gmk	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/make/common/Release.gmk	Mon Oct 07 11:32:48 2013 +0100
@@ -835,10 +835,6 @@
 	    $(BOOT_JAVA_CMD) -jar $(BUILDMETAINDEX_JARFILE) \
 		-o meta-index *.jar
 	@$(CD) $(JRE_IMAGE_DIR)/lib/ext && $(java-vm-cleanup)
-ifeq ($(PLATFORM), macosx)
-	@#install jobjc, apple mac only
-	$(CP) $(OUTPUTDIR)/JObjC.build/JObjC.jar $(JRE_IMAGE_DIR)/lib/JObjC.jar
-endif
 ifeq ($(PLATFORM), windows)
 	@# Remove certain *.lib files
 	$(CD) $(JRE_IMAGE_DIR)/lib && \
--- a/jdk/make/java/Makefile	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/make/java/Makefile	Mon Oct 07 11:32:48 2013 +0100
@@ -57,10 +57,6 @@
   SUBDIRS += jexec
 endif # PLATFORM
 
-ifeq ($(PLATFORM), macosx)
-  SUBDIRS += jobjc
-endif # PLATFORM
-
 include $(BUILDDIR)/common/Subdirs.gmk
 
 all build clean clobber::
--- a/jdk/makefiles/CompileJavaClasses.gmk	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/makefiles/CompileJavaClasses.gmk	Mon Oct 07 11:32:48 2013 +0100
@@ -271,11 +271,6 @@
                $(JDK_TOPDIR)/src/solaris/classes/sun/util/locale/provider/HostLocaleProviderAdapterImpl.java \
                $(JDK_TOPDIR)/src/solaris/classes/sun/nio/fs/GnomeFileTypeDetector.java
 
-     # JObjC.jar contains 1.5 byte-code...so skip it here :-(
-     # MACOSX_SRC_DIRS += $(JDK_TOPDIR)/src/macosx/native/jobjc/src
-     # EXCLUDES+= tests/java/com/apple/jobjc
-
-     EXCLUDES+= com/apple/jobjc
 endif
 
 # The exception handling of swing beaninfo
@@ -327,44 +322,6 @@
 
 ##########################################################################################
 
-ifeq ($(OPENJDK_TARGET_OS),macosx)
-#
-# JObjC.jar is compiled with BOOT_JAVAC which (may) not support the "-h" flag.
-#   so we first compile classes with BOOT_JAVAC and then with JDK_JAVAC :-(
-#
-$(eval $(call SetupJavaCompiler,GENERATE_15BYTECODE,\
-     JAVAC:=$(JAVAC),\
-     FLAGS:=-source 1.5 -target 1.5 -g -bootclasspath $(BOOT_RTJAR) -cp $(JDK_OUTPUTDIR)/../langtools/dist/lib/classes.jar $(DISABLE_WARNINGS),\
-     SERVER_DIR:=$(SJAVAC_SERVER_DIR),\
-     SERVER_JVM:=$(SJAVAC_SERVER_JAVA)))
-
-$(eval $(call SetupJavaCompilation,BUILD_JOBJC,\
-		SETUP:=GENERATE_15BYTECODE,\
-		DISABLE_SJAVAC:=true,\
-		SRC:=$(JDK_TOPDIR)/src/macosx/native/jobjc/src/core/java \
-		     $(JDK_TOPDIR)/src/macosx/native/jobjc/src/runtime-additions/java \
-		     $(JDK_OUTPUTDIR)/gensrc_jobjc/src, \
-		INCLUDES := com/apple/jobjc,\
-                EXCLUDES := tests/java/com/apple/jobjc,\
-		BIN:=$(JDK_OUTPUTDIR)/jobjc_classes,\
-		JAR:=$(JDK_OUTPUTDIR)/lib/JObjC.jar, \
-		JARINDEX := true))
-
-$(BUILD_JOBJC) : $(BUILD_JDK)
-
-$(eval $(call SetupJavaCompilation,BUILD_JOBJC_HEADERS,\
-		SETUP:=GENERATE_JDKBYTECODE,\
-		SRC:=$(JDK_TOPDIR)/src/macosx/native/jobjc/src/core/java \
-		     $(JDK_TOPDIR)/src/macosx/native/jobjc/src/runtime-additions/java \
-		     $(JDK_OUTPUTDIR)/gensrc_jobjc/src, \
-		INCLUDES := com/apple/jobjc,\
-                EXCLUDES := tests/java/com/apple/jobjc,\
-		BIN:=$(JDK_OUTPUTDIR)/jobjc_classes_headers,\
-		HEADERS:=$(JDK_OUTPUTDIR)/gensrc_headers_jobjc))
-
-$(BUILD_JOBJC_HEADERS) : $(BUILD_JDK)
-
-endif
 
 ##########################################################################################
 
@@ -403,7 +360,7 @@
 
 ##########################################################################################
 
-all: $(BUILD_JDK) $(BUILD_ALTCLASSES) $(BUILD_JOBJC) $(BUILD_JOBJC_HEADERS) $(COPY_EXTRA) \
+all: $(BUILD_JDK) $(BUILD_ALTCLASSES) $(COPY_EXTRA) \
 	$(JDK_OUTPUTDIR)/classes/META-INF/services/com.sun.tools.xjc.Plugin \
 	$(BUILD_ACCESSBRIDGE_32) $(BUILD_ACCESSBRIDGE_64) \
 	$(BUILD_ACCESSBRIDGE_LEGACY)
--- a/jdk/makefiles/CompileNativeLibraries.gmk	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/makefiles/CompileNativeLibraries.gmk	Mon Oct 07 11:32:48 2013 +0100
@@ -3296,67 +3296,6 @@
 
 ##########################################################################################
 
-ifeq ($(OPENJDK_TARGET_OS), macosx)
-
-# Ugly hack to mimic behaviour in old build where this is built as an xcode project.
-SET_SHARED_LIBRARY_NAME=-Xlinker -install_name -Xlinker /usr/local/lib/libJObjC.dylib
-
-$(eval $(call SetupNativeCompilation,BUILD_LIBJOBJC32,\
-		LIBRARY:=JObjC,\
-                OUTPUT_DIR:=$(JDK_OUTPUTDIR)/objs/libjobjc32,\
-		SRC:=$(JDK_TOPDIR)/src/macosx/native/jobjc/src/core/native \
-                     $(JDK_TOPDIR)/src/macosx/native/jobjc/src/runtime-additions/native ,\
-		LANG:=C,\
-		OPTIMIZATION:=LOW, \
-		CFLAGS:=-fpascal-strings \
-                        -fobjc-gc \
-                        -gdwarf-2 \
-                        $(CFLAGS_JDKLIB) -I$(JDK_OUTPUTDIR)/gensrc_headers_jobjc \
-                        -F/System/Library/Frameworks/JavaVM.framework/Frameworks \
-			-m32,\
-		LDFLAGS:=$(LDFLAGS_JDKLIB)\
-			-m32, \
-		LDFLAGS_SUFFIX:=-framework Foundation -framework JavaVM \
-                                  -F/System/Library/Frameworks/JavaVM.framework/Frameworks \
-                                  -framework JavaNativeFoundation \
-                                  -lffi, \
-		OBJECT_DIR:=$(JDK_OUTPUTDIR)/objs/libjobjc32,\
-		DEBUG_SYMBOLS:=$(DEBUG_ALL_BINARIES)))
-
-$(eval $(call SetupNativeCompilation,BUILD_LIBJOBJC64,\
-		LIBRARY:=JObjC,\
-                OUTPUT_DIR:=$(JDK_OUTPUTDIR)/objs/libjobjc64,\
-		SRC:=$(JDK_TOPDIR)/src/macosx/native/jobjc/src/core/native \
-                     $(JDK_TOPDIR)/src/macosx/native/jobjc/src/runtime-additions/native ,\
-		LANG:=C,\
-		OPTIMIZATION:=LOW, \
-		CFLAGS:=-fpascal-strings \
-                        -fobjc-gc \
-                        -gdwarf-2 \
-                        $(CFLAGS_JDKLIB) -I$(JDK_OUTPUTDIR)/gensrc_headers_jobjc \
-                        -F/System/Library/Frameworks/JavaVM.framework/Frameworks \
-			, \
-		LDFLAGS:=-fpascal-strings \
-                         -fobjc-gc \
-                         -gdwarf-2 \
-                         $(LDFLAGS_JDKLIB)\
-			 $(call SET_SHARED_LIBRARY_ORIGIN), \
-		LDFLAGS_SUFFIX:=-framework Foundation -framework JavaVM \
-                                  -F/System/Library/Frameworks/JavaVM.framework/Frameworks \
-                                  -framework JavaNativeFoundation \
-                                  -lffi, \
-		OBJECT_DIR:=$(JDK_OUTPUTDIR)/objs/libjobjc64,\
-		DEBUG_SYMBOLS:=$(DEBUG_ALL_BINARIES)))
-
-$(INSTALL_LIBRARIES_HERE)/$(LIBRARY_PREFIX)JObjC$(SHARED_LIBRARY_SUFFIX): $(BUILD_LIBJOBJC32) $(BUILD_LIBJOBJC64)
-	$(LIPO) -create -output $@ $(BUILD_LIBJOBJC32) $(BUILD_LIBJOBJC64)
-
-BUILD_LIBRARIES += $(INSTALL_LIBRARIES_HERE)/$(LIBRARY_PREFIX)JObjC$(SHARED_LIBRARY_SUFFIX)
-
-endif
-
-##########################################################################################
-
 ifndef OPENJDK
 ifeq ($(OPENJDK_TARGET_OS), windows)
 
--- a/jdk/makefiles/CreateJars.gmk	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/makefiles/CreateJars.gmk	Mon Oct 07 11:32:48 2013 +0100
@@ -994,15 +994,6 @@
 
 ##########################################################################################
 
-ifeq ($(OPENJDK_TARGET_OS),macosx)
-    $(eval $(call SetupArchive,BUILD_JOBJC_JAR,,\
-		SRCS:=$(JDK_OUTPUTDIR)/jobjc_classes,\
-		JAR:=$(IMAGES_OUTPUTDIR)/lib/JObjC.jar, \
-		JARINDEX:=true))
-endif
-
-##########################################################################################
-
 ifndef OPENJDK
     $(eval $(call SetupArchive,BUILD_ALT_RT_JAR,,\
 		SRCS:=$(JDK_OUTPUTDIR)/altclasses_classes,\
--- a/jdk/makefiles/GenerateJavaSources.gmk	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/makefiles/GenerateJavaSources.gmk	Mon Oct 07 11:32:48 2013 +0100
@@ -83,11 +83,6 @@
 include GensrcSwing.gmk
 GENSRC += $(GENSRC_SWING_BEANINFO) $(GENSRC_SWING_NIMBUS)
 
-ifeq ($(OPENJDK_TARGET_OS), macosx)
-     include GensrcJObjC.gmk
-     GENSRC += $(GENSRC_JOBJC)
-endif
-
 $(GENSRC) : $(BUILD_TOOLS)
 
 all: $(GENSRC)
--- a/jdk/makefiles/Images.gmk	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/makefiles/Images.gmk	Mon Oct 07 11:32:48 2013 +0100
@@ -303,14 +303,13 @@
 	$(ECHO) $(LOG_INFO) Creating $(patsubst $(OUTPUT_ROOT)/%,%,$@)
 	$(MKDIR) -p $@
 
-# In the old build, JObjC.jar is not part of the meta-index
 $(JRE_IMAGE_DIR)/lib/meta-index: $(JRE_LIB_TARGETS)
 	$(ECHO) $(LOG_INFO) Generating $(patsubst $(OUTPUT_ROOT)/%,%,$@)
-	$(CD) $(@D) && $(TOOL_BUILDMETAINDEX) -o meta-index `$(LS) *.jar | $(SED) 's/JObjC\.jar//g'`
+	$(CD) $(@D) && $(TOOL_BUILDMETAINDEX) -o meta-index *.jar
 
 $(JDK_IMAGE_DIR)/jre/lib/meta-index: $(JDKJRE_LIB_TARGETS)
 	$(ECHO) $(LOG_INFO) Generating $(patsubst $(OUTPUT_ROOT)/%,%,$@)
-	$(CD) $(@D) && $(TOOL_BUILDMETAINDEX) -o meta-index `$(LS) *.jar | $(SED) 's/JObjC\.jar//g'`
+	$(CD) $(@D) && $(TOOL_BUILDMETAINDEX) -o meta-index *.jar
 
 $(JRE_IMAGE_DIR)/lib/ext/meta-index: $(JRE_LIB_TARGETS)
 	$(ECHO) $(LOG_INFO) Generating $(patsubst $(OUTPUT_ROOT)/%,%,$@)
--- a/jdk/makefiles/Profiles.gmk	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/makefiles/Profiles.gmk	Mon Oct 07 11:32:48 2013 +0100
@@ -109,10 +109,6 @@
     ALL_JARS += $(IMAGES_OUTPUTDIR)/lib/ext/sunmscapi.jar
 endif 
 
-ifeq ($(OPENJDK_TARGET_OS),macosx)
-    ALL_JARS += $(IMAGES_OUTPUTDIR)/lib/JObjC.jar
-endif
-
 ifeq ($(PROFILE), profile_1)
     PROFILE_JARS := $(PROFILE_1_JARS)
 else ifeq ($(PROFILE), profile_2)
--- a/jdk/src/macosx/native/sun/awt/splashscreen/splashscreen_sys.m	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/macosx/native/sun/awt/splashscreen/splashscreen_sys.m	Mon Oct 07 11:32:48 2013 +0100
@@ -290,8 +290,8 @@
         SplashUnlock(splash);
         rc = poll(pfd, 1, timeout);
         SplashLock(splash);
-        if (splash->isVisible>0 && SplashTime() >= splash->time +
-                splash->frames[splash->currentFrame].delay) {
+        if (splash->isVisible > 0 && splash->currentFrame >= 0 &&
+                SplashTime() >= splash->time + splash->frames[splash->currentFrame].delay) {
             SplashNextFrame(splash);
             SplashRedrawWindow(splash);
         }
--- a/jdk/src/share/classes/com/sun/beans/decoder/DocumentHandler.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/com/sun/beans/decoder/DocumentHandler.java	Mon Oct 07 11:32:48 2013 +0100
@@ -29,6 +29,7 @@
 import java.beans.ExceptionListener;
 
 import java.io.IOException;
+import java.io.StringReader;
 
 import java.lang.ref.Reference;
 import java.lang.ref.WeakReference;
@@ -246,6 +247,14 @@
     }
 
     /**
+     * Disables any external entities.
+     */
+    @Override
+    public InputSource resolveEntity(String publicId, String systemId) {
+        return new InputSource(new StringReader(""));
+    }
+
+    /**
      * Prepares this handler to read objects from XML document.
      */
     @Override
--- a/jdk/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java	Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -72,13 +72,17 @@
             throw new IllegalStateException(
                 "TlsRsaPremasterSecretGenerator must be initialized");
         }
-        if (random == null) {
-            random = new SecureRandom();
+        byte[] b = spec.getEncodedSecret();
+        if (b == null) {
+            if (random == null) {
+                random = new SecureRandom();
+            }
+            b = new byte[48];
+            random.nextBytes(b);
+            b[0] = (byte)spec.getMajorVersion();
+            b[1] = (byte)spec.getMinorVersion();
         }
-        byte[] b = new byte[48];
-        random.nextBytes(b);
-        b[0] = (byte)spec.getMajorVersion();
-        b[1] = (byte)spec.getMinorVersion();
+
         return new SecretKeySpec(b, "TlsRsaPremasterSecret");
     }
 
--- a/jdk/src/share/classes/com/sun/rowset/internal/XmlReaderContentHandler.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/com/sun/rowset/internal/XmlReaderContentHandler.java	Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -660,7 +660,7 @@
                      //Added the handling for Class tags to take care of maps
                      //Makes an entry into the map upon end of class tag
                      try{
-                          typeMap.put(Key_map,Class.forName(Value_map));
+                          typeMap.put(Key_map,sun.reflect.misc.ReflectUtil.forName(Value_map));
 
                         }catch(ClassNotFoundException ex) {
                           throw new SAXException(MessageFormat.format(resBundle.handleGetObject("xmlrch.errmap").toString(), ex.getMessage()));
--- a/jdk/src/share/classes/java/util/jar/JarFile.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/java/util/jar/JarFile.java	Mon Oct 07 11:32:48 2013 +0100
@@ -53,6 +53,13 @@
  * or method in this class will cause a {@link NullPointerException} to be
  * thrown.
  *
+ * If the verify flag is on when opening a signed jar file, the content of the
+ * file is verified against its signature embedded inside the file. Please note
+ * that the verification process does not include validating the signer's
+ * certificate. A caller should inspect the return value of
+ * {@link JarEntry#getCodeSigners()} to further determine if the signature
+ * can be trusted.
+ *
  * @author  David Connelly
  * @see     Manifest
  * @see     java.util.zip.ZipFile
--- a/jdk/src/share/classes/java/util/jar/JarVerifier.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/java/util/jar/JarVerifier.java	Mon Oct 07 11:32:48 2013 +0100
@@ -179,7 +179,9 @@
             name = name.substring(1);
 
         // only set the jev object for entries that have a signature
-        if (sigFileSigners.get(name) != null) {
+        // (either verified or not)
+        if (sigFileSigners.get(name) != null ||
+                verifiedSigners.get(name) != null) {
             mev.setEntry(name, je);
             return;
         }
--- a/jdk/src/share/classes/javax/security/auth/Subject.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/javax/security/auth/Subject.java	Mon Oct 07 11:32:48 2013 +0100
@@ -964,6 +964,10 @@
 
         s.defaultReadObject();
 
+        // Rewrap the principals into a SecureSet
+        principals = Collections.synchronizedSet(new SecureSet<Principal>
+                                (this, PRINCIPAL_SET, principals));
+
         // The Credential {@code Set} is not serialized, but we do not
         // want the default deserialization routine to set it to null.
         this.pubCredentials = Collections.synchronizedSet
--- a/jdk/src/share/classes/javax/sql/rowset/spi/SyncFactory.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/javax/sql/rowset/spi/SyncFactory.java	Mon Oct 07 11:32:48 2013 +0100
@@ -35,6 +35,8 @@
 import java.io.InputStream;
 import java.io.IOException;
 import java.io.FileNotFoundException;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 import javax.naming.*;
 
@@ -348,7 +350,17 @@
                 /*
                  * Dependent on application
                  */
-                String strRowsetProperties = System.getProperty("rowset.properties");
+                String strRowsetProperties;
+                try {
+                    strRowsetProperties = AccessController.doPrivileged(new PrivilegedAction<String>() {
+                        public String run() {
+                            return System.getProperty("rowset.properties");
+                        }
+                    }, null, new PropertyPermission("rowset.properties","read"));
+                } catch (Exception ex) {
+                    strRowsetProperties = null;
+                }
+
                 if (strRowsetProperties != null) {
                     // Load user's implementation of SyncProvider
                     // here. -Drowset.properties=/abc/def/pqr.txt
@@ -393,7 +405,16 @@
              * load additional properties from -D command line
              */
             properties.clear();
-            String providerImpls = System.getProperty(ROWSET_SYNC_PROVIDER);
+            String providerImpls;
+            try {
+                providerImpls = AccessController.doPrivileged(new PrivilegedAction<String>() {
+                    public String run() {
+                        return System.getProperty(ROWSET_SYNC_PROVIDER);
+                    }
+                }, null, new PropertyPermission(ROWSET_SYNC_PROVIDER,"read"));
+            } catch (Exception ex) {
+                providerImpls = null;
+            }
 
             if (providerImpls != null) {
                 int i = 0;
--- a/jdk/src/share/classes/javax/swing/event/EventListenerList.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/javax/swing/event/EventListenerList.java	Mon Oct 07 11:32:48 2013 +0100
@@ -27,6 +27,7 @@
 import java.io.*;
 import java.util.*;
 import java.lang.reflect.Array;
+import sun.reflect.misc.ReflectUtil;
 
 /**
  * A class that holds a list of EventListeners.  A single instance
@@ -271,7 +272,9 @@
         while (null != (listenerTypeOrNull = s.readObject())) {
             ClassLoader cl = Thread.currentThread().getContextClassLoader();
             EventListener l = (EventListener)s.readObject();
-            add((Class<EventListener>)Class.forName((String)listenerTypeOrNull, true, cl), l);
+            String name = (String) listenerTypeOrNull;
+            ReflectUtil.checkPackageAccess(name);
+            add((Class<EventListener>)Class.forName(name, true, cl), l);
         }
     }
 
--- a/jdk/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java	Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -45,11 +45,12 @@
 
     private final int majorVersion;
     private final int minorVersion;
+    private final byte[] encodedSecret;
 
     /**
      * Constructs a new TlsRsaPremasterSecretParameterSpec.
-     *
-     * <p>The version numbers will be placed inside the premaster secret to
+     * <P>
+     * The version numbers will be placed inside the premaster secret to
      * detect version rollbacks attacks as described in the TLS specification.
      * Note that they do not indicate the protocol version negotiated for
      * the handshake.
@@ -65,7 +66,42 @@
         this.majorVersion =
             TlsMasterSecretParameterSpec.checkVersion(majorVersion);
         this.minorVersion =
-            TlsMasterSecretParameterSpec.checkVersion(minorVersion); }
+            TlsMasterSecretParameterSpec.checkVersion(minorVersion);
+        this.encodedSecret = null;
+    }
+
+    /**
+     * Constructs a new TlsRsaPremasterSecretParameterSpec.
+     * <P>
+     * The version numbers will be placed inside the premaster secret to
+     * detect version rollbacks attacks as described in the TLS specification.
+     * Note that they do not indicate the protocol version negotiated for
+     * the handshake.
+     * <P>
+     * Usually, the encoded secret key is a random number that acts as
+     * dummy pre_master_secret to avoid vulnerabilities described by
+     * section 7.4.7.1, RFC 5246.
+     *
+     * @param majorVersion the major number of the protocol version
+     * @param minorVersion the minor number of the protocol version
+     * @param encodedSecret the encoded secret key
+     *
+     * @throws IllegalArgumentException if minorVersion or majorVersion are
+     *   negative or larger than 255, or encodedSecret is not exactly 48 bytes.
+     */
+    public TlsRsaPremasterSecretParameterSpec(int majorVersion,
+            int minorVersion, byte[] encodedSecret) {
+        this.majorVersion =
+            TlsMasterSecretParameterSpec.checkVersion(majorVersion);
+        this.minorVersion =
+            TlsMasterSecretParameterSpec.checkVersion(minorVersion);
+
+        if (encodedSecret == null || encodedSecret.length != 48) {
+            throw new IllegalArgumentException(
+                        "Encoded secret is not exactly 48 bytes");
+        }
+        this.encodedSecret = encodedSecret.clone();
+    }
 
     /**
      * Returns the major version.
@@ -84,4 +120,13 @@
     public int getMinorVersion() {
         return minorVersion;
     }
+
+    /**
+     * Returns the encoded secret.
+     *
+     * @return the encoded secret, may be null if no encoded secret.
+     */
+    public byte[] getEncodedSecret() {
+        return encodedSecret == null ? null : encodedSecret.clone();
+    }
 }
--- a/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java	Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -451,30 +451,7 @@
     // see JCE spec
     protected Key engineUnwrap(byte[] wrappedKey, String algorithm,
             int type) throws InvalidKeyException, NoSuchAlgorithmException {
-        if (algorithm.equals("TlsRsaPremasterSecret")) {
-            // the instance variable "session" has been initialized for
-            // decrypt mode, so use a local variable instead.
-            Session s = null;
-            try {
-                s = token.getObjSession();
-                long keyType = CKK_GENERIC_SECRET;
-                CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
-                    new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-                    new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType),
-                };
-                attributes = token.getAttributes
-                    (O_IMPORT, CKO_SECRET_KEY, keyType, attributes);
-                long keyID = token.p11.C_UnwrapKey(s.id(),
-                        new CK_MECHANISM(mechanism), p11Key.keyID, wrappedKey,
-                        attributes);
-                return P11Key.secretKey(s, keyID, algorithm, 48 << 3,
-                        attributes);
-            } catch (PKCS11Exception e) {
-                throw new InvalidKeyException("unwrap() failed", e);
-            } finally {
-                token.releaseSession(s);
-            }
-        }
+
         // XXX implement unwrap using C_Unwrap() for all keys
         implInit(Cipher.DECRYPT_MODE, p11Key);
         if (wrappedKey.length > maxInputSize) {
--- a/jdk/src/share/classes/sun/security/pkcs11/P11TlsRsaPremasterSecretGenerator.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/pkcs11/P11TlsRsaPremasterSecretGenerator.java	Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -88,23 +88,33 @@
             throw new IllegalStateException
                         ("TlsRsaPremasterSecretGenerator must be initialized");
         }
-        CK_VERSION version =
-                new CK_VERSION(spec.getMajorVersion(), spec.getMinorVersion());
-        Session session = null;
-        try {
-            session = token.getObjSession();
-            CK_ATTRIBUTE[] attributes = token.getAttributes
-                (O_GENERATE, CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
-            long keyID = token.p11.C_GenerateKey
-                (session.id(), new CK_MECHANISM(mechanism, version), attributes);
-            SecretKey key = P11Key.secretKey
-                (session, keyID, "TlsRsaPremasterSecret", 48 << 3, attributes);
-            return key;
-        } catch (PKCS11Exception e) {
-            throw new ProviderException("Could not generate premaster secret", e);
-        } finally {
-            token.releaseSession(session);
+
+        byte[] b = spec.getEncodedSecret();
+        if (b == null) {
+            CK_VERSION version = new CK_VERSION(
+                        spec.getMajorVersion(), spec.getMinorVersion());
+            Session session = null;
+            try {
+                session = token.getObjSession();
+                CK_ATTRIBUTE[] attributes = token.getAttributes(
+                        O_GENERATE, CKO_SECRET_KEY,
+                        CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
+                long keyID = token.p11.C_GenerateKey(session.id(),
+                        new CK_MECHANISM(mechanism, version), attributes);
+                SecretKey key = P11Key.secretKey(session,
+                        keyID, "TlsRsaPremasterSecret", 48 << 3, attributes);
+                return key;
+            } catch (PKCS11Exception e) {
+                throw new ProviderException(
+                        "Could not generate premaster secret", e);
+            } finally {
+                token.releaseSession(session);
+            }
         }
+
+        // Won't worry, the TlsRsaPremasterSecret will be soon converted to
+        // TlsMasterSecret.
+        return new SecretKeySpec(b, "TlsRsaPremasterSecret");
     }
 
 }
--- a/jdk/src/share/classes/sun/security/provider/ByteArrayAccess.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/provider/ByteArrayAccess.java	Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,10 +43,8 @@
  * These are the only platforms we currently support, but other optimized
  * variants could be added as needed.
  *
- * NOTE that because this code performs unchecked direct memory access, it
- * MUST be restricted to trusted code. It is imperative that the caller protects
- * against out of bounds memory access by performing the necessary bounds
- * checks before calling methods in this class.
+ * NOTE that ArrayIndexOutOfBoundsException will be thrown if the bounds checks
+ * failed.
  *
  * This class may also be helpful in improving the performance of the
  * crypto code in the SunJCE provider. However, for now it is only accessible by
@@ -103,6 +101,10 @@
      * byte[] to int[] conversion, little endian byte order.
      */
     static void b2iLittle(byte[] in, int inOfs, int[] out, int outOfs, int len) {
+        if ((inOfs < 0) || ((in.length - inOfs) < len) ||
+            (outOfs < 0) || ((out.length - outOfs) < len/4)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             inOfs += byteArrayOfs;
             len += inOfs;
@@ -131,6 +133,10 @@
 
     // Special optimization of b2iLittle(in, inOfs, out, 0, 64)
     static void b2iLittle64(byte[] in, int inOfs, int[] out) {
+        if ((inOfs < 0) || ((in.length - inOfs) < 64) ||
+            (out.length < 16)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             inOfs += byteArrayOfs;
             out[ 0] = unsafe.getInt(in, (long)(inOfs     ));
@@ -176,6 +182,10 @@
      * int[] to byte[] conversion, little endian byte order.
      */
     static void i2bLittle(int[] in, int inOfs, byte[] out, int outOfs, int len) {
+        if ((inOfs < 0) || ((in.length - inOfs) < len/4) ||
+            (outOfs < 0) || ((out.length - outOfs) < len)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             outOfs += byteArrayOfs;
             len += outOfs;
@@ -204,6 +214,9 @@
 
     // Store one 32-bit value into out[outOfs..outOfs+3] in little endian order.
     static void i2bLittle4(int val, byte[] out, int outOfs) {
+        if ((outOfs < 0) || ((out.length - outOfs) < 4)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             unsafe.putInt(out, (long)(byteArrayOfs + outOfs), val);
         } else if (bigEndian && ((outOfs & 3) == 0)) {
@@ -220,6 +233,10 @@
      * byte[] to int[] conversion, big endian byte order.
      */
     static void b2iBig(byte[] in, int inOfs, int[] out, int outOfs, int len) {
+        if ((inOfs < 0) || ((in.length - inOfs) < len) ||
+            (outOfs < 0) || ((out.length - outOfs) < len/4)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             inOfs += byteArrayOfs;
             len += inOfs;
@@ -248,6 +265,10 @@
 
     // Special optimization of b2iBig(in, inOfs, out, 0, 64)
     static void b2iBig64(byte[] in, int inOfs, int[] out) {
+        if ((inOfs < 0) || ((in.length - inOfs) < 64) ||
+            (out.length < 16)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             inOfs += byteArrayOfs;
             out[ 0] = reverseBytes(unsafe.getInt(in, (long)(inOfs     )));
@@ -293,6 +314,10 @@
      * int[] to byte[] conversion, big endian byte order.
      */
     static void i2bBig(int[] in, int inOfs, byte[] out, int outOfs, int len) {
+        if ((inOfs < 0) || ((in.length - inOfs) < len/4) ||
+            (outOfs < 0) || ((out.length - outOfs) < len)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             outOfs += byteArrayOfs;
             len += outOfs;
@@ -321,6 +346,9 @@
 
     // Store one 32-bit value into out[outOfs..outOfs+3] in big endian order.
     static void i2bBig4(int val, byte[] out, int outOfs) {
+        if ((outOfs < 0) || ((out.length - outOfs) < 4)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             unsafe.putInt(out, (long)(byteArrayOfs + outOfs), reverseBytes(val));
         } else if (bigEndian && ((outOfs & 3) == 0)) {
@@ -337,6 +365,10 @@
      * byte[] to long[] conversion, big endian byte order.
      */
     static void b2lBig(byte[] in, int inOfs, long[] out, int outOfs, int len) {
+        if ((inOfs < 0) || ((in.length - inOfs) < len) ||
+            (outOfs < 0) || ((out.length - outOfs) < len/8)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             inOfs += byteArrayOfs;
             len += inOfs;
@@ -378,6 +410,10 @@
 
     // Special optimization of b2lBig(in, inOfs, out, 0, 128)
     static void b2lBig128(byte[] in, int inOfs, long[] out) {
+        if ((inOfs < 0) || ((in.length - inOfs) < 128) ||
+            (out.length < 16)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             inOfs += byteArrayOfs;
             out[ 0] = reverseBytes(unsafe.getLong(in, (long)(inOfs      )));
@@ -406,6 +442,10 @@
      * long[] to byte[] conversion, big endian byte order.
      */
     static void l2bBig(long[] in, int inOfs, byte[] out, int outOfs, int len) {
+        if ((inOfs < 0) || ((in.length - inOfs) < len/8) ||
+            (outOfs < 0) || ((out.length - outOfs) < len)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         len += outOfs;
         while (outOfs < len) {
             long i = in[inOfs++];
@@ -419,5 +459,4 @@
             out[outOfs++] = (byte)(i      );
         }
     }
-
 }
--- a/jdk/src/share/classes/sun/security/rsa/RSAPadding.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPadding.java	Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -318,33 +318,53 @@
 
     /**
      * PKCS#1 v1.5 unpadding (blocktype 1 and 2).
+     *
+     * Note that we want to make it a constant-time operation
      */
     private byte[] unpadV15(byte[] padded) throws BadPaddingException {
         int k = 0;
+        BadPaddingException bpe = null;
+
         if (padded[k++] != 0) {
-            throw new BadPaddingException("Data must start with zero");
+            bpe = new BadPaddingException("Data must start with zero");
         }
-        if (padded[k++] != type) {
-            throw new BadPaddingException("Blocktype mismatch: " + padded[1]);
+        if (padded[k++] != type && bpe == null) {
+            bpe = new BadPaddingException("Blocktype mismatch: " + padded[1]);
         }
-        while (true) {
+        int p = 0;
+        while (k < padded.length) {
             int b = padded[k++] & 0xff;
-            if (b == 0) {
-                break;
+            if (b == 0 && p == 0) {
+                p = k;
             }
-            if (k == padded.length) {
-                throw new BadPaddingException("Padding string not terminated");
+            if (k == padded.length && p == 0 && bpe == null) {
+                bpe = new BadPaddingException("Padding string not terminated");
             }
-            if ((type == PAD_BLOCKTYPE_1) && (b != 0xff)) {
-                throw new BadPaddingException("Padding byte not 0xff: " + b);
+            if ((type == PAD_BLOCKTYPE_1) && (b != 0xff) &&
+                    p == 0 && bpe == null) {
+                bpe = new BadPaddingException("Padding byte not 0xff: " + b);
             }
         }
-        int n = padded.length - k;
-        if (n > maxDataSize) {
-            throw new BadPaddingException("Padding string too short");
+        int n = padded.length - p;
+        if (n > maxDataSize && bpe == null) {
+            bpe = new BadPaddingException("Padding string too short");
         }
+
+        // copy useless padding array for a constant-time method
+        //
+        // Is it necessary?
+        byte[] padding = new byte[p];
+        System.arraycopy(padded, 0, padding, 0, p);
+
         byte[] data = new byte[n];
-        System.arraycopy(padded, padded.length - n, data, 0, n);
+        System.arraycopy(padded, p, data, 0, n);
+
+        if (bpe == null) {
+            bpe = new BadPaddingException("Unused exception");
+        } else {
+            throw bpe;
+        }
+
         return data;
     }
 
--- a/jdk/src/share/classes/sun/security/ssl/Handshaker.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/ssl/Handshaker.java	Mon Oct 07 11:32:48 2013 +0100
@@ -1112,94 +1112,23 @@
                 clnt_random.random_bytes, svr_random.random_bytes,
                 prfHashAlg, prfHashLength, prfBlockSize);
 
-        SecretKey masterSecret;
         try {
             KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
             kg.init(spec);
-            masterSecret = kg.generateKey();
-        } catch (GeneralSecurityException e) {
+            return kg.generateKey();
+        } catch (InvalidAlgorithmParameterException |
+                NoSuchAlgorithmException iae) {
+            // unlikely to happen, otherwise, must be a provider exception
+            //
             // For RSA premaster secrets, do not signal a protocol error
             // due to the Bleichenbacher attack. See comments further down.
-            if (!preMasterSecret.getAlgorithm().equals(
-                    "TlsRsaPremasterSecret")) {
-                throw new ProviderException(e);
-            }
-
             if (debug != null && Debug.isOn("handshake")) {
                 System.out.println("RSA master secret generation error:");
-                e.printStackTrace(System.out);
-            }
-
-            if (requestedVersion != null) {
-                preMasterSecret =
-                    RSAClientKeyExchange.generateDummySecret(requestedVersion);
-            } else {
-                preMasterSecret =
-                    RSAClientKeyExchange.generateDummySecret(protocolVersion);
+                iae.printStackTrace(System.out);
             }
-
-            // recursive call with new premaster secret
-            return calculateMasterSecret(preMasterSecret, null);
-        }
-
-        // if no version check requested (client side handshake), or version
-        // information is not available (not an RSA premaster secret),
-        // return master secret immediately.
-        if ((requestedVersion == null) ||
-                !(masterSecret instanceof TlsMasterSecret)) {
-            return masterSecret;
-        }
-
-        // we have checked the ClientKeyExchange message when reading TLS
-        // record, the following check is necessary to ensure that
-        // JCE provider does not ignore the checking, or the previous
-        // checking process bypassed the premaster secret version checking.
-        TlsMasterSecret tlsKey = (TlsMasterSecret)masterSecret;
-        int major = tlsKey.getMajorVersion();
-        int minor = tlsKey.getMinorVersion();
-        if ((major < 0) || (minor < 0)) {
-            return masterSecret;
-        }
+            throw new ProviderException(iae);
 
-        // check if the premaster secret version is ok
-        // the specification says that it must be the maximum version supported
-        // by the client from its ClientHello message. However, many
-        // implementations send the negotiated version, so accept both
-        // for SSL v3.0 and TLS v1.0.
-        // NOTE that we may be comparing two unsupported version numbers, which
-        // is why we cannot use object reference equality in this special case.
-        ProtocolVersion premasterVersion =
-                                    ProtocolVersion.valueOf(major, minor);
-        boolean versionMismatch = (premasterVersion.v != requestedVersion.v);
-
-        /*
-         * we never checked the client_version in server side
-         * for TLS v1.0 and SSL v3.0. For compatibility, we
-         * maintain this behavior.
-         */
-        if (versionMismatch && requestedVersion.v <= ProtocolVersion.TLS10.v) {
-            versionMismatch = (premasterVersion.v != protocolVersion.v);
         }
-
-        if (versionMismatch == false) {
-            // check passed, return key
-            return masterSecret;
-        }
-
-        // Due to the Bleichenbacher attack, do not signal a protocol error.
-        // Generate a random premaster secret and continue with the handshake,
-        // which will fail when verifying the finished messages.
-        // For more information, see comments in PreMasterSecret.
-        if (debug != null && Debug.isOn("handshake")) {
-            System.out.println("RSA PreMasterSecret version error: expected"
-                + protocolVersion + " or " + requestedVersion + ", decrypted: "
-                + premasterVersion);
-        }
-        preMasterSecret =
-            RSAClientKeyExchange.generateDummySecret(requestedVersion);
-
-        // recursive call with new premaster secret
-        return calculateMasterSecret(preMasterSecret, null);
     }
 
     /*
--- a/jdk/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java	Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -133,26 +133,37 @@
         } else {
             encrypted = new byte [messageSize];
             if (input.read(encrypted) != messageSize) {
-                throw new SSLProtocolException
-                        ("SSL: read PreMasterSecret: short read");
+                throw new SSLProtocolException(
+                        "SSL: read PreMasterSecret: short read");
             }
         }
 
+        Exception failover = null;
+        byte[] encoded = null;
         try {
             Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
-            cipher.init(Cipher.UNWRAP_MODE, privateKey);
-            preMaster = (SecretKey)cipher.unwrap(encrypted,
-                                "TlsRsaPremasterSecret", Cipher.SECRET_KEY);
+            // Cannot generate key here, please don't use Cipher.UNWRAP_MODE!
+            cipher.init(Cipher.DECRYPT_MODE, privateKey);
+            encoded = cipher.doFinal(encrypted);
+        } catch (BadPaddingException bpe) {
+            failover = bpe;
+            encoded = null;
+        } catch (IllegalBlockSizeException ibse) {
+            // the message it too big to process with RSA
+            throw new SSLProtocolException(
+                "Unable to process PreMasterSecret, may be too big");
+        } catch (Exception e) {
+            // unlikely to happen, otherwise, must be a provider exception
+            if (debug != null && Debug.isOn("handshake")) {
+                System.out.println("RSA premaster secret decryption error:");
+                e.printStackTrace(System.out);
+            }
+            throw new RuntimeException("Could not generate dummy secret", e);
+        }
 
-            // polish the premaster secret
-            preMaster = polishPreMasterSecretKey(currentVersion, maxVersion,
-                                                generator, preMaster, null);
-        } catch (Exception e) {
-            // polish the premaster secret
-            preMaster =
-                    polishPreMasterSecretKey(currentVersion, maxVersion,
-                                                generator, null, e);
-        }
+        // polish the premaster secret
+        preMaster = polishPreMasterSecretKey(
+                    currentVersion, maxVersion, generator, encoded, failover);
     }
 
     /**
@@ -163,85 +174,74 @@
      *
      * RFC 5246 describes the approach as :
      *
-     *  1. Generate a string R of 46 random bytes
+     *  1. Generate a string R of 48 random bytes
      *
      *  2. Decrypt the message to recover the plaintext M
      *
      *  3. If the PKCS#1 padding is not correct, or the length of message
      *     M is not exactly 48 bytes:
-     *        pre_master_secret = ClientHello.client_version || R
+     *        pre_master_secret = R
      *     else If ClientHello.client_version <= TLS 1.0, and version
      *     number check is explicitly disabled:
-     *        pre_master_secret = M
+     *        premaster secret = M
+     *     else If M[0..1] != ClientHello.client_version:
+     *        premaster secret = R
      *     else:
-     *        pre_master_secret = ClientHello.client_version || M[2..47]
+     *        premaster secret = M
+     *
+     * Note that #2 has completed before the call of this method.
      */
     private SecretKey polishPreMasterSecretKey(ProtocolVersion currentVersion,
             ProtocolVersion clientHelloVersion, SecureRandom generator,
-            SecretKey secretKey, Exception failoverException) {
+            byte[] encoded, Exception failoverException) {
 
         this.protocolVersion = clientHelloVersion;
+        if (generator == null) {
+            generator = new SecureRandom();
+        }
+        byte[] random = new byte[48];
+        generator.nextBytes(random);
 
-        if (failoverException == null && secretKey != null) {
+        if (failoverException == null && encoded != null) {
             // check the length
-            byte[] encoded = secretKey.getEncoded();
-            if (encoded == null) {      // unable to get the encoded key
+            if (encoded.length != 48) {
                 if (debug != null && Debug.isOn("handshake")) {
                     System.out.println(
-                        "unable to get the plaintext of the premaster secret");
+                        "incorrect length of premaster secret: " +
+                        encoded.length);
                 }
 
-                int keySize = KeyUtil.getKeySize(secretKey);
-                if (keySize > 0 && keySize != 384) {       // 384 = 48 * 8
-                    if (debug != null && Debug.isOn("handshake")) {
-                        System.out.println(
-                            "incorrect length of premaster secret: " +
-                            (keySize/8));
-                    }
-
-                    return generateDummySecret(clientHelloVersion);
-                }
+                return generatePreMasterSecret(
+                        clientHelloVersion, random, generator);
+            }
 
-                // The key size is exactly 48 bytes or not accessible.
-                //
-                // Conservatively, pass the checking to master secret
-                // calculation.
-                return secretKey;
-            } else if (encoded.length == 48) {
-                // check the version
-                if (clientHelloVersion.major == encoded[0] &&
-                    clientHelloVersion.minor == encoded[1]) {
+            if (clientHelloVersion.major != encoded[0] ||
+                        clientHelloVersion.minor != encoded[1]) {
 
-                    return secretKey;
-                } else if (clientHelloVersion.v <= ProtocolVersion.TLS10.v &&
-                           currentVersion.major == encoded[0] &&
-                           currentVersion.minor == encoded[1]) {
+                if (clientHelloVersion.v <= ProtocolVersion.TLS10.v &&
+                       currentVersion.major == encoded[0] &&
+                       currentVersion.minor == encoded[1]) {
                     /*
                      * For compatibility, we maintain the behavior that the
                      * version in pre_master_secret can be the negotiated
                      * version for TLS v1.0 and SSL v3.0.
                      */
                     this.protocolVersion = currentVersion;
-                    return secretKey;
-                }
-
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println("Mismatching Protocol Versions, " +
-                        "ClientHello.client_version is " + clientHelloVersion +
-                        ", while PreMasterSecret.client_version is " +
-                        ProtocolVersion.valueOf(encoded[0], encoded[1]));
-                }
+                } else {
+                    if (debug != null && Debug.isOn("handshake")) {
+                        System.out.println("Mismatching Protocol Versions, " +
+                            "ClientHello.client_version is " +
+                            clientHelloVersion +
+                            ", while PreMasterSecret.client_version is " +
+                            ProtocolVersion.valueOf(encoded[0], encoded[1]));
+                    }
 
-                return generateDummySecret(clientHelloVersion);
-            } else {
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println(
-                        "incorrect length of premaster secret: " +
-                        encoded.length);
+                    encoded = random;
                 }
+            }
 
-                return generateDummySecret(clientHelloVersion);
-            }
+            return generatePreMasterSecret(
+                    clientHelloVersion, encoded, generator);
         }
 
         if (debug != null && Debug.isOn("handshake") &&
@@ -250,11 +250,14 @@
             failoverException.printStackTrace(System.out);
         }
 
-        return generateDummySecret(clientHelloVersion);
+        return generatePreMasterSecret(clientHelloVersion, random, generator);
     }
 
     // generate a premaster secret with the specified version number
-    static SecretKey generateDummySecret(ProtocolVersion version) {
+    private static SecretKey generatePreMasterSecret(
+            ProtocolVersion version, byte[] encodedSecret,
+            SecureRandom generator) {
+
         if (debug != null && Debug.isOn("handshake")) {
             System.out.println("Generating a random fake premaster secret");
         }
@@ -263,11 +266,17 @@
             String s = ((version.v >= ProtocolVersion.TLS12.v) ?
                 "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret");
             KeyGenerator kg = JsseJce.getKeyGenerator(s);
-            kg.init(new TlsRsaPremasterSecretParameterSpec
-                    (version.major, version.minor));
+            kg.init(new TlsRsaPremasterSecretParameterSpec(
+                    version.major, version.minor, encodedSecret), generator);
             return kg.generateKey();
-        } catch (GeneralSecurityException e) {
-            throw new RuntimeException("Could not generate dummy secret", e);
+        } catch (InvalidAlgorithmParameterException |
+                NoSuchAlgorithmException iae) {
+            // unlikely to happen, otherwise, must be a provider exception
+            if (debug != null && Debug.isOn("handshake")) {
+                System.out.println("RSA premaster secret generation error:");
+                iae.printStackTrace(System.out);
+            }
+            throw new RuntimeException("Could not generate dummy secret", iae);
         }
     }
 
--- a/jdk/src/share/classes/sun/security/tools/jarsigner/Main.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/tools/jarsigner/Main.java	Mon Oct 07 11:32:48 2013 +0100
@@ -158,8 +158,13 @@
     private String altSignerClasspath = null;
     private ZipFile zipFile = null;
 
+    // Informational warnings
+    private boolean hasExpiringCert = false;
+    private boolean noTimestamp = false;
+    private Date expireDate = new Date(0L);     // used in noTimestamp warning
+
+    // Severe warnings
     private boolean hasExpiredCert = false;
-    private boolean hasExpiringCert = false;
     private boolean notYetValidCert = false;
     private boolean chainNotValidated = false;
     private boolean notSignedByAlias = false;
@@ -258,9 +263,6 @@
 
         if (strict) {
             int exitCode = 0;
-            if (hasExpiringCert) {
-                exitCode |= 2;
-            }
             if (chainNotValidated || hasExpiredCert || notYetValidCert) {
                 exitCode |= 4;
             }
@@ -754,14 +756,25 @@
                 System.out.println(rb.getString(
                       "jar.is.unsigned.signatures.missing.or.not.parsable."));
             } else {
-                System.out.println(rb.getString("jar.verified."));
-                if (hasUnsignedEntry || hasExpiredCert || hasExpiringCert ||
-                    badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
-                    notYetValidCert || chainNotValidated ||
-                    aliasNotInStore || notSignedByAlias) {
+                boolean warningAppeared = false;
+                boolean errorAppeared = false;
+                if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
+                        notYetValidCert || chainNotValidated || hasExpiredCert ||
+                        hasUnsignedEntry ||
+                        aliasNotInStore || notSignedByAlias) {
 
-                    System.out.println();
-                    System.out.println(rb.getString("Warning."));
+                    if (strict) {
+                        System.out.println(rb.getString("jar.verified.with.signer.errors."));
+                        System.out.println();
+                        System.out.println(rb.getString("Error."));
+                        errorAppeared = true;
+                    } else {
+                        System.out.println(rb.getString("jar.verified."));
+                        System.out.println();
+                        System.out.println(rb.getString("Warning."));
+                        warningAppeared = true;
+                    }
+
                     if (badKeyUsage) {
                         System.out.println(
                             rb.getString("This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
@@ -785,10 +798,6 @@
                         System.out.println(rb.getString(
                             "This.jar.contains.entries.whose.signer.certificate.has.expired."));
                     }
-                    if (hasExpiringCert) {
-                        System.out.println(rb.getString(
-                            "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months."));
-                    }
                     if (notYetValidCert) {
                         System.out.println(rb.getString(
                             "This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid."));
@@ -807,10 +816,29 @@
                     if (aliasNotInStore) {
                         System.out.println(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore."));
                     }
+                } else {
+                    System.out.println(rb.getString("jar.verified."));
+                }
+                if (hasExpiringCert || noTimestamp) {
+                    if (!warningAppeared) {
+                        System.out.println();
+                        System.out.println(rb.getString("Warning."));
+                        warningAppeared = true;
+                    }
+                    if (hasExpiringCert) {
+                        System.out.println(rb.getString(
+                                "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months."));
+                    }
+                    if (noTimestamp) {
+                        System.out.println(
+                                String.format(rb.getString("no.timestamp.verifying"), expireDate));
+                    }
+                }
+                if (warningAppeared || errorAppeared) {
                     if (! (verbose != null && showcerts)) {
                         System.out.println();
                         System.out.println(rb.getString(
-                            "Re.run.with.the.verbose.and.certs.options.for.more.details."));
+                                "Re.run.with.the.verbose.and.certs.options.for.more.details."));
                     }
                 }
             }
@@ -870,6 +898,9 @@
             try {
                 boolean printValidity = true;
                 if (timestamp == null) {
+                    if (expireDate.getTime() == 0 || expireDate.after(notAfter)) {
+                        expireDate = notAfter;
+                    }
                     x509Cert.checkValidity();
                     // test if cert will expire within six months
                     if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) {
@@ -1233,6 +1264,10 @@
                 tsaCert = getTsaCert(tsaAlias);
             }
 
+            if (tsaUrl == null && tsaCert == null) {
+                noTimestamp = true;
+            }
+
             SignatureFile.Block block = null;
 
             try {
@@ -1380,12 +1415,20 @@
                 }
             }
 
-            if (hasExpiredCert || hasExpiringCert || notYetValidCert
-                    || badKeyUsage || badExtendedKeyUsage
-                    || badNetscapeCertType || chainNotValidated) {
-                System.out.println();
+            boolean warningAppeared = false;
+            if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
+                    notYetValidCert || chainNotValidated || hasExpiredCert) {
+                if (strict) {
+                    System.out.println(rb.getString("jar.signed.with.signer.errors."));
+                    System.out.println();
+                    System.out.println(rb.getString("Error."));
+                } else {
+                    System.out.println(rb.getString("jar.signed."));
+                    System.out.println();
+                    System.out.println(rb.getString("Warning."));
+                    warningAppeared = true;
+                }
 
-                System.out.println(rb.getString("Warning."));
                 if (badKeyUsage) {
                     System.out.println(
                         rb.getString("The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
@@ -1404,9 +1447,6 @@
                 if (hasExpiredCert) {
                     System.out.println(
                         rb.getString("The.signer.certificate.has.expired."));
-                } else if (hasExpiringCert) {
-                    System.out.println(
-                        rb.getString("The.signer.certificate.will.expire.within.six.months."));
                 } else if (notYetValidCert) {
                     System.out.println(
                         rb.getString("The.signer.certificate.is.not.yet.valid."));
@@ -1416,6 +1456,24 @@
                     System.out.println(
                             rb.getString("The.signer.s.certificate.chain.is.not.validated."));
                 }
+            } else {
+                System.out.println(rb.getString("jar.signed."));
+            }
+            if (hasExpiringCert || noTimestamp) {
+                if (!warningAppeared) {
+                    System.out.println();
+                    System.out.println(rb.getString("Warning."));
+                }
+
+                if (hasExpiringCert) {
+                    System.out.println(
+                            rb.getString("The.signer.certificate.will.expire.within.six.months."));
+                }
+
+                if (noTimestamp) {
+                    System.out.println(
+                            String.format(rb.getString("no.timestamp.signing"), expireDate));
+                }
             }
 
         // no IOException thrown in the above try clause, so disable
@@ -1502,6 +1560,7 @@
             timestamp = ts.getTimestamp();
         } else {
             timestamp = null;
+            noTimestamp = true;
         }
         // display the certificate(s). The first one is end-entity cert and
         // its KeyUsage should be checked.
--- a/jdk/src/share/classes/sun/security/tools/jarsigner/Resources.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/tools/jarsigner/Resources.java	Mon Oct 07 11:32:48 2013 +0100
@@ -135,7 +135,10 @@
         {".Unsigned.entries.", "(Unsigned entries)"},
         {"jar.is.unsigned.signatures.missing.or.not.parsable.",
                 "jar is unsigned. (signatures missing or not parsable)"},
+        {"jar.signed.", "jar signed."},
+        {"jar.signed.with.signer.errors.", "jar signed, with signer errors."},
         {"jar.verified.", "jar verified."},
+        {"jar.verified.with.signer.errors.", "jar verified, with signer errors."},
         {"jarsigner.", "jarsigner: "},
         {"signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.",
                 "signature filename must consist of the following characters: A-Z, 0-9, _ or -"},
@@ -193,6 +196,7 @@
                 "using an alternative signing mechanism"},
         {"entry.was.signed.on", "entry was signed on {0}"},
         {"Warning.", "Warning: "},
+        {"Error.", "Error: "},
         {"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
                 "This jar contains unsigned entries which have not been integrity-checked. "},
         {"This.jar.contains.entries.whose.signer.certificate.has.expired.",
@@ -229,6 +233,10 @@
                 "The signer's certificate chain is not validated."},
         {"This.jar.contains.entries.whose.certificate.chain.is.not.validated.",
                  "This jar contains entries whose certificate chain is not validated."},
+        {"no.timestamp.signing",
+                "No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td) or after any future revocation date."},
+        {"no.timestamp.verifying",
+                "This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td) or after any future revocation date."},
         {"Unknown.password.type.", "Unknown password type: "},
         {"Cannot.find.environment.variable.",
                 "Cannot find environment variable: "},
--- a/jdk/src/share/lib/security/java.security-linux	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/lib/security/java.security-linux	Mon Oct 07 11:32:48 2013 +0100
@@ -182,6 +182,7 @@
                com.sun.istack.internal.,\
                com.sun.jmx.,\
                com.sun.media.sound.,\
+               com.sun.naming.internal.,\
                com.sun.proxy.,\
                com.sun.org.apache.bcel.internal.,\
                com.sun.org.apache.regexp.internal.,\
@@ -204,7 +205,7 @@
                com.sun.org.glassfish.,\
                com.oracle.xmlns.internal.,\
                com.oracle.webservices.internal.,\
-	       oracle.jrockit.jfr.,\
+               oracle.jrockit.jfr.,\
                org.jcp.xml.dsig.internal.,\
                jdk.internal.,\
                jdk.nashorn.internal.,\
@@ -227,6 +228,7 @@
                    com.sun.istack.internal.,\
                    com.sun.jmx.,\
                    com.sun.media.sound.,\
+                   com.sun.naming.internal.,\
                    com.sun.proxy.,\
                    com.sun.org.apache.bcel.internal.,\
                    com.sun.org.apache.regexp.internal.,\
@@ -249,7 +251,7 @@
                    com.sun.org.glassfish.,\
                    com.oracle.xmlns.internal.,\
                    com.oracle.webservices.internal.,\
-		   oracle.jrockit.jfr.,\
+                   oracle.jrockit.jfr.,\
                    org.jcp.xml.dsig.internal.,\
                    jdk.internal.,\
                    jdk.nashorn.internal.,\
--- a/jdk/src/share/lib/security/java.security-macosx	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/lib/security/java.security-macosx	Mon Oct 07 11:32:48 2013 +0100
@@ -183,6 +183,7 @@
                com.sun.istack.internal.,\
                com.sun.jmx.,\
                com.sun.media.sound.,\
+               com.sun.naming.internal.,\
                com.sun.proxy.,\
                com.sun.org.apache.bcel.internal.,\
                com.sun.org.apache.regexp.internal.,\
@@ -228,6 +229,7 @@
                    com.sun.istack.internal.,\
                    com.sun.jmx.,\
                    com.sun.media.sound.,\
+                   com.sun.naming.internal.,\
                    com.sun.proxy.,\
                    com.sun.org.apache.bcel.internal.,\
                    com.sun.org.apache.regexp.internal.,\
--- a/jdk/src/share/lib/security/java.security-solaris	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/lib/security/java.security-solaris	Mon Oct 07 11:32:48 2013 +0100
@@ -184,6 +184,7 @@
                com.sun.istack.internal.,\
                com.sun.jmx.,\
                com.sun.media.sound.,\
+               com.sun.naming.internal.,\
                com.sun.proxy.,\
                com.sun.org.apache.bcel.internal.,\
                com.sun.org.apache.regexp.internal.,\
@@ -206,7 +207,7 @@
                com.sun.org.glassfish.,\
                com.oracle.xmlns.internal.,\
                com.oracle.webservices.internal.,\
-	       oracle.jrockit.jfr.,\
+               oracle.jrockit.jfr.,\
                org.jcp.xml.dsig.internal.,\
                jdk.internal.,\
                jdk.nashorn.internal.,\
@@ -228,6 +229,7 @@
                    com.sun.istack.internal.,\
                    com.sun.jmx.,\
                    com.sun.media.sound.,\
+                   com.sun.naming.internal.,\
                    com.sun.proxy.,\
                    com.sun.org.apache.bcel.internal.,\
                    com.sun.org.apache.regexp.internal.,\
@@ -250,7 +252,7 @@
                    com.sun.org.glassfish.,\
                    com.oracle.xmlns.internal.,\
                    com.oracle.webservices.internal.,\
-		   oracle.jrockit.jfr.,\
+                   oracle.jrockit.jfr.,\
                    org.jcp.xml.dsig.internal.,\
                    jdk.internal.,\
                    jdk.nashorn.internal.,\
--- a/jdk/src/share/lib/security/java.security-windows	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/lib/security/java.security-windows	Mon Oct 07 11:32:48 2013 +0100
@@ -183,6 +183,7 @@
                com.sun.istack.internal.,\
                com.sun.jmx.,\
                com.sun.media.sound.,\
+               com.sun.naming.internal.,\
                com.sun.proxy.,\
                com.sun.org.apache.bcel.internal.,\
                com.sun.org.apache.regexp.internal.,\
@@ -205,7 +206,7 @@
                com.sun.org.glassfish.,\
                com.oracle.xmlns.internal.,\
                com.oracle.webservices.internal.,\
-	       oracle.jrockit.jfr.,\
+               oracle.jrockit.jfr.,\
                org.jcp.xml.dsig.internal.,\
                jdk.internal.,\
                jdk.nashorn.internal.,\
@@ -228,6 +229,7 @@
                    com.sun.istack.internal.,\
                    com.sun.jmx.,\
                    com.sun.media.sound.,\
+                   com.sun.naming.internal.,\
                    com.sun.proxy.,\
                    com.sun.org.apache.bcel.internal.,\
                    com.sun.org.apache.regexp.internal.,\
@@ -250,7 +252,7 @@
                    com.sun.org.glassfish.,\
                    com.oracle.xmlns.internal.,\
                    com.oracle.webservices.internal.,\
-		   oracle.jrockit.jfr.,\
+                   oracle.jrockit.jfr.,\
                    org.jcp.xml.dsig.internal.,\
                    jdk.internal.,\
                    jdk.nashorn.internal.,\
--- a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.c	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.c	Mon Oct 07 11:32:48 2013 +0100
@@ -111,8 +111,9 @@
 int
 SplashIsStillLooping(Splash * splash)
 {
-    if (splash->currentFrame < 0)
+    if (splash->currentFrame < 0) {
         return 0;
+    }
     return splash->loopCount != 1 ||
         splash->currentFrame + 1 < splash->frameCount;
 }
@@ -121,17 +122,22 @@
 SplashUpdateScreenData(Splash * splash)
 {
     ImageRect srcRect, dstRect;
+    if (splash->currentFrame < 0) {
+        return;
+    }
 
     initRect(&srcRect, 0, 0, splash->width, splash->height, 1,
         splash->width * sizeof(rgbquad_t),
         splash->frames[splash->currentFrame].bitmapBits, &splash->imageFormat);
-    if (splash->screenData)
+    if (splash->screenData) {
         free(splash->screenData);
+    }
     splash->screenStride = splash->width * splash->screenFormat.depthBytes;
-    if (splash->byteAlignment > 1)
+    if (splash->byteAlignment > 1) {
         splash->screenStride =
             (splash->screenStride + splash->byteAlignment - 1) &
             ~(splash->byteAlignment - 1);
+    }
     splash->screenData = malloc(splash->height * splash->screenStride);
     initRect(&dstRect, 0, 0, splash->width, splash->height, 1,
         splash->screenStride, splash->screenData, &splash->screenFormat);
@@ -146,16 +152,19 @@
 void
 SplashNextFrame(Splash * splash)
 {
-    if (splash->currentFrame < 0)
+    if (splash->currentFrame < 0) {
         return;
+    }
     do {
-        if (!SplashIsStillLooping(splash))
+        if (!SplashIsStillLooping(splash)) {
             return;
+        }
         splash->time += splash->frames[splash->currentFrame].delay;
         if (++splash->currentFrame >= splash->frameCount) {
             splash->currentFrame = 0;
-            if (splash->loopCount > 0)
+            if (splash->loopCount > 0) {
                 splash->loopCount--;
+            }
         }
     } while (splash->time + splash->frames[splash->currentFrame].delay -
         SplashTime() <= 0);
@@ -183,8 +192,9 @@
                 pSrc += pSrcRect->depthBytes;
                 ++i;
             }
-            if (i >= pSrcRect->numSamples)
+            if (i >= pSrcRect->numSamples) {
                 break;
+            }
             i0 = i;
             while (i < pSrcRect->numSamples &&
                    getRGBA(pSrc, pSrcRect->format) >= ALPHA_THRESHOLD) {
--- a/jdk/src/share/native/sun/font/layout/LookupProcessor.cpp	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/native/sun/font/layout/LookupProcessor.cpp	Mon Oct 07 11:32:48 2013 +0100
@@ -138,7 +138,7 @@
 le_int32 LookupProcessor::selectLookups(const LEReferenceTo<FeatureTable> &featureTable, FeatureMask featureMask, le_int32 order, LEErrorCode &success)
 {
   le_uint16 lookupCount = featureTable.isValid()? SWAPW(featureTable->lookupCount) : 0;
-    le_int32  store = order;
+    le_uint32  store = (le_uint32)order;
 
     LEReferenceToArrayOf<le_uint16> lookupListIndexArray(featureTable, success, featureTable->lookupListIndexArray, lookupCount);
 
@@ -147,6 +147,9 @@
       if (lookupListIndex >= lookupSelectCount) {
         continue;
       }
+      if (store >= lookupOrderCount) {
+        continue;
+      }
 
       lookupSelectArray[lookupListIndex] |= featureMask;
       lookupOrderArray[store++] = lookupListIndex;
@@ -246,7 +249,7 @@
 
     if (requiredFeatureIndex != 0xFFFF) {
       requiredFeatureTable = featureListTable->getFeatureTable(featureListTable, requiredFeatureIndex, &requiredFeatureTag, success);
-      featureReferences += SWAPW(featureTable->lookupCount);
+      featureReferences += SWAPW(requiredFeatureTable->lookupCount);
     }
 
     lookupOrderArray = LE_NEW_ARRAY(le_uint16, featureReferences);
@@ -254,6 +257,7 @@
         success = LE_MEMORY_ALLOCATION_ERROR;
         return;
     }
+    lookupOrderCount = featureReferences;
 
     for (le_int32 f = 0; f < featureMapCount; f += 1) {
         FeatureMap fm = featureMap[f];
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/cmsintrp.c	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/native/sun/java2d/cmm/lcms/cmsintrp.c	Mon Oct 07 11:32:48 2013 +0100
@@ -215,6 +215,11 @@
     Output[0] = LinearInterp(rest, y0, y1);
 }
 
+// To prevent out of bounds indexing
+cmsINLINE cmsFloat32Number fclamp(cmsFloat32Number v)
+{
+    return v < 0.0f ? 0.0f : (v > 1.0f ? 1.0f : v);
+}
 
 // Floating-point version of 1D interpolation
 static
@@ -227,13 +232,15 @@
        int cell0, cell1;
        const cmsFloat32Number* LutTable = (cmsFloat32Number*) p ->Table;
 
+       val2 = fclamp(Value[0]);
+
        // if last value...
-       if (Value[0] == 1.0) {
+       if (val2 == 1.0) {
            Output[0] = LutTable[p -> Domain[0]];
            return;
        }
 
-       val2 = p -> Domain[0] * Value[0];
+       val2 *= p -> Domain[0];
 
        cell0 = (int) floor(val2);
        cell1 = (int) ceil(val2);
@@ -292,13 +299,15 @@
     cmsUInt32Number OutChan;
     const cmsFloat32Number* LutTable = (cmsFloat32Number*) p ->Table;
 
+    val2 = fclamp(Value[0]);
+
         // if last value...
-       if (Value[0] == 1.0) {
+       if (val2 == 1.0) {
            Output[0] = LutTable[p -> Domain[0]];
            return;
        }
 
-       val2 = p -> Domain[0] * Value[0];
+       val2 *= p -> Domain[0];
 
        cell0 = (int) floor(val2);
        cell1 = (int) ceil(val2);
@@ -339,8 +348,8 @@
         dxy;
 
     TotalOut   = p -> nOutputs;
-    px = Input[0] * p->Domain[0];
-    py = Input[1] * p->Domain[1];
+    px = fclamp(Input[0]) * p->Domain[0];
+    py = fclamp(Input[1]) * p->Domain[1];
 
     x0 = (int) _cmsQuickFloor(px); fx = px - (cmsFloat32Number) x0;
     y0 = (int) _cmsQuickFloor(py); fy = py - (cmsFloat32Number) y0;
@@ -454,20 +463,9 @@
     TotalOut   = p -> nOutputs;
 
     // We need some clipping here
-    px = Input[0];
-    py = Input[1];
-    pz = Input[2];
-
-    if (px < 0) px = 0;
-    if (px > 1) px = 1;
-    if (py < 0) py = 0;
-    if (py > 1) py = 1;
-    if (pz < 0) pz = 0;
-    if (pz > 1) pz = 1;
-
-    px *= p->Domain[0];
-    py *= p->Domain[1];
-    pz *= p->Domain[2];
+    px = fclamp(Input[0]) * p->Domain[0];
+    py = fclamp(Input[1]) * p->Domain[1];
+    pz = fclamp(Input[2]) * p->Domain[2];
 
     x0 = (int) _cmsQuickFloor(px); fx = px - (cmsFloat32Number) x0;
     y0 = (int) _cmsQuickFloor(py); fy = py - (cmsFloat32Number) y0;
@@ -609,20 +607,9 @@
     TotalOut   = p -> nOutputs;
 
     // We need some clipping here
-    px = Input[0];
-    py = Input[1];
-    pz = Input[2];
-
-    if (px < 0) px = 0;
-    if (px > 1) px = 1;
-    if (py < 0) py = 0;
-    if (py > 1) py = 1;
-    if (pz < 0) pz = 0;
-    if (pz > 1) pz = 1;
-
-    px *= p->Domain[0];
-    py *= p->Domain[1];
-    pz *= p->Domain[2];
+    px = fclamp(Input[0]) * p->Domain[0];
+    py = fclamp(Input[1]) * p->Domain[1];
+    pz = fclamp(Input[2]) * p->Domain[2];
 
     x0 = (int) _cmsQuickFloor(px); rx = (px - (cmsFloat32Number) x0);
     y0 = (int) _cmsQuickFloor(py); ry = (py - (cmsFloat32Number) y0);
@@ -1039,8 +1026,7 @@
        cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
        cmsInterpParams p1;
 
-
-       pk = Input[0] * p->Domain[0];
+       pk = fclamp(Input[0]) * p->Domain[0];
        k0 = _cmsQuickFloor(pk);
        rest = pk - (cmsFloat32Number) k0;
 
@@ -1127,7 +1113,7 @@
        cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
        cmsInterpParams p1;
 
-       pk = Input[0] * p->Domain[0];
+       pk = fclamp(Input[0]) * p->Domain[0];
        k0 = _cmsQuickFloor(pk);
        rest = pk - (cmsFloat32Number) k0;
 
@@ -1214,7 +1200,7 @@
        cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
        cmsInterpParams p1;
 
-       pk = Input[0] * p->Domain[0];
+       pk = fclamp(Input[0]) * p->Domain[0];
        k0 = _cmsQuickFloor(pk);
        rest = pk - (cmsFloat32Number) k0;
 
@@ -1299,7 +1285,7 @@
        cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
        cmsInterpParams p1;
 
-       pk = Input[0] * p->Domain[0];
+       pk = fclamp(Input[0]) * p->Domain[0];
        k0 = _cmsQuickFloor(pk);
        rest = pk - (cmsFloat32Number) k0;
 
@@ -1384,7 +1370,7 @@
        cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
        cmsInterpParams p1;
 
-       pk = Input[0] * p->Domain[0];
+       pk = fclamp(Input[0]) * p->Domain[0];
        k0 = _cmsQuickFloor(pk);
        rest = pk - (cmsFloat32Number) k0;
 
--- a/jdk/src/solaris/native/sun/awt/splashscreen/splashscreen_sys.c	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/solaris/native/sun/awt/splashscreen/splashscreen_sys.c	Mon Oct 07 11:32:48 2013 +0100
@@ -577,8 +577,8 @@
         SplashUnlock(splash);
         rc = poll(pfd, 2, timeout);
         SplashLock(splash);
-        if (splash->isVisible>0 && SplashTime() >= splash->time +
-                splash->frames[splash->currentFrame].delay) {
+        if (splash->isVisible > 0 && splash->currentFrame >= 0 &&
+                SplashTime() >= splash->time + splash->frames[splash->currentFrame].delay) {
             SplashNextFrame(splash);
             SplashUpdateShape(splash);
             SplashRedrawWindow(splash);
--- a/jdk/test/java/lang/SecurityManager/CheckPackageAccess.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/test/java/lang/SecurityManager/CheckPackageAccess.java	Mon Oct 07 11:32:48 2013 +0100
@@ -23,7 +23,7 @@
 
 /*
  *  @test
- *  @bug 6741606 7146431 8000450 8019830
+ *  @bug 6741606 7146431 8000450 8019830 8022945
  *  @summary Make sure all restricted packages listed in the package.access
  *           property in the java.security file are blocked
  *  @run main/othervm CheckPackageAccess
@@ -55,6 +55,7 @@
         "com.sun.istack.internal.",
         "com.sun.jmx.",
         "com.sun.media.sound.",
+        "com.sun.naming.internal.",
         "com.sun.proxy.",
         "com.sun.org.apache.bcel.internal.",
         "com.sun.org.apache.regexp.internal.",
--- a/jdk/test/sun/security/tools/jarsigner/TimestampCheck.java	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/test/sun/security/tools/jarsigner/TimestampCheck.java	Mon Oct 07 11:32:48 2013 +0100
@@ -239,13 +239,13 @@
                 " -J-Djava.security.egd=file:/dev/./urandom" +
                 " -debug -keystore " + TSKS + " -storepass changeit" +
                 " -tsa http://localhost:" + port + "/%d" +
-                " -signedjar new.jar " + JAR + " old";
+                " -signedjar new_%d.jar " + JAR + " old";
         } else {
             cmd = System.getProperty("java.home") + "/bin/jarsigner" +
                 " -J-Djava.security.egd=file:/dev/./urandom" +
                 " -debug -keystore " + TSKS + " -storepass changeit" +
                 " -tsa http://localhost:" + port + "/%d" +
-                " -signedjar new.jar " + JAR + " old";
+                " -signedjar new_%d.jar " + JAR + " old";
         }
 
         try {
@@ -280,7 +280,7 @@
     static void jarsigner(String cmd, int path, boolean expected)
             throws Exception {
         System.err.println("Test " + path);
-        Process p = Runtime.getRuntime().exec(String.format(cmd, path));
+        Process p = Runtime.getRuntime().exec(String.format(cmd, path, path));
         BufferedReader reader = new BufferedReader(
                 new InputStreamReader(p.getErrorStream()));
         while (true) {
@@ -288,9 +288,25 @@
             if (s == null) break;
             System.err.println(s);
         }
+
+        // Will not see noTimestamp warning
+        boolean seeWarning = false;
+        reader = new BufferedReader(
+                new InputStreamReader(p.getInputStream()));
+        while (true) {
+            String s = reader.readLine();
+            if (s == null) break;
+            System.err.println(s);
+            if (s.indexOf("Warning:") >= 0) {
+                seeWarning = true;
+            }
+        }
         int result = p.waitFor();
         if (expected && result != 0 || !expected && result == 0) {
             throw new Exception("Failed");
         }
+        if (seeWarning) {
+            throw new Exception("See warning");
+        }
     }
 }
--- a/jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh	Mon Oct 07 11:32:48 2013 +0100
@@ -139,7 +139,6 @@
 # 16 and 32 already covered in the first part
 # ==========================================================
 
-$KT -genkeypair -alias expiring -dname CN=expiring -startdate -1m
 $KT -genkeypair -alias expired -dname CN=expired -startdate -10m
 $KT -genkeypair -alias notyetvalid -dname CN=notyetvalid -startdate +1m
 $KT -genkeypair -alias badku -dname CN=badku -ext KU=cRLSign -validity 365
@@ -154,9 +153,6 @@
         $KT -importcert -alias badchain
 $KT -delete -alias ca
 
-$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expiring
-[ $? = 2 ] || exit $LINENO
-
 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expired
 [ $? = 4 ] || exit $LINENO
 
--- a/jdk/test/sun/security/tools/jarsigner/ts.sh	Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/test/sun/security/tools/jarsigner/ts.sh	Mon Oct 07 11:32:48 2013 +0100
@@ -22,7 +22,7 @@
 #
 
 # @test
-# @bug 6543842 6543440 6939248 8009636
+# @bug 6543842 6543440 6939248 8009636 8024302
 # @summary checking response of timestamp
 #
 # @run shell/timeout=600 ts.sh
@@ -53,7 +53,7 @@
 JAR="${TESTJAVA}${FS}bin${FS}jar"
 JAVA="${TESTJAVA}${FS}bin${FS}java"
 JAVAC="${TESTJAVA}${FS}bin${FS}javac"
-KT="${TESTJAVA}${FS}bin${FS}keytool -keystore tsks -storepass changeit -keypass changeit"
+KT="${TESTJAVA}${FS}bin${FS}keytool -keystore tsks -storepass changeit -keypass changeit -validity 200"
 
 rm tsks
 echo Nothing > A
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/tools/jarsigner/warnings.sh	Mon Oct 07 11:32:48 2013 +0100
@@ -0,0 +1,117 @@
+#
+# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# @test
+# @bug 8024302
+# @summary Clarify jar verifications
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+  JAVAC_CMD=`which javac`
+  TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+  Windows_* )
+    FS="\\"
+    ;;
+  * )
+    FS="/"
+    ;;
+esac
+
+KS=warnings.jks
+JFILE=warnings.jar
+
+KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit \
+        -keystore $KS"
+JAR=$TESTJAVA${FS}bin${FS}jar
+JARSIGNER="$TESTJAVA${FS}bin${FS}jarsigner -keystore $KS -storepass changeit"
+
+rm $KS 2> /dev/null
+
+export LANG=C
+
+echo 12345 > file
+
+ERR=""
+
+# Normal signer expiring on 2100-01-01
+$KT -alias s1 -dname CN=s1 -genkey -startdate 2000/01/01 -validity 36525 || ERR="$ERR keytool s1,"
+# Cert expiring soon, informational warning
+$KT -alias s2 -dname CN=s2 -genkey -validity 100 || ERR="$ERR keytool s2,"
+# Cert expired, severe warning
+$KT -alias s3 -dname CN=s3 -genkey -startdate -200d -validity 100 || ERR="$ERR keytool s3,"
+
+# noTimestamp is informatiional warning and includes a date
+$JAR cvf $JFILE file
+$JARSIGNER $JFILE s1 > output1 || ERR="$ERR jarsigner s1,"
+$JARSIGNER -strict $JFILE s1 >> output1 || ERR="$ERR jarsigner s1 strict,"
+$JARSIGNER -verify $JFILE s1 >> output1 || ERR="$ERR jarsigner s1,"
+$JARSIGNER -verify -strict $JFILE s1 >> output1 || ERR="$ERR jarsigner s1 strict,"
+
+cat output1 | grep Warning || ERR="$ERR s1 warning,"
+cat output1 | grep Error && ERR="$ERR s1 error,"
+cat output1 | grep timestamp | grep 2100-01-01 || ERR="$ERR s1 timestamp,"
+cat output1 | grep "with signer errors" && ERR="$ERR s1 err,"
+
+# hasExpiringCert is informatiional warning
+$JAR cvf $JFILE file
+$JARSIGNER $JFILE s2 > output2 || ERR="$ERR jarsigner s2,"
+$JARSIGNER -strict $JFILE s2 >> output2 || ERR="$ERR jarsigner s2 strict,"
+$JARSIGNER -verify $JFILE s2 >> output2 || ERR="$ERR jarsigner s2,"
+$JARSIGNER -verify -strict $JFILE s2 >> output2 || ERR="$ERR jarsigner s2 strict,"
+
+cat output2 | grep Warning || ERR="$ERR s2 warning,"
+cat output2 | grep Error && ERR="$ERR s2 error,"
+cat output2 | grep timestamp || ERR="$ERR s2 timestamp,"
+cat output2 | grep "will expire" || ERR="$ERR s2 expiring,"
+cat output2 | grep "with signer errors" && ERR="$ERR s2 err,"
+
+# hasExpiredCert is severe warning
+$JAR cvf $JFILE file
+$JARSIGNER $JFILE s3 > output3 || ERR="$ERR jarsigner s3,"
+$JARSIGNER -strict $JFILE s3 > output3s && ERR="$ERR jarsigner s3 strict,"
+$JARSIGNER -verify $JFILE s3 >> output3 || ERR="$ERR jarsigner s3,"
+$JARSIGNER -verify -strict $JFILE s3 >> output3s && ERR="$ERR jarsigner s3 strict,"
+
+# warning without -strict
+cat output3 | grep Warning || ERR="$ERR s3 warning,"
+cat output3 | grep Error && ERR="$ERR s3 error,"
+cat output3 | grep "with signer errors" && ERR="$ERR s3 err,"
+
+# error with -strict
+cat output3s | grep Warning || ERR="$ERR s3s warning,"
+cat output3s | grep Error || ERR="$ERR s3s error,"
+cat output3s | grep "with signer errors" || ERR="$ERR s3 err,"
+
+if [ "$ERR" = "" ]; then
+    exit 0
+else
+    echo "ERR is $ERR"
+    exit 1
+fi
+
+