--- a/jdk/make/common/Release.gmk Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/make/common/Release.gmk Mon Oct 07 11:32:48 2013 +0100
@@ -835,10 +835,6 @@
$(BOOT_JAVA_CMD) -jar $(BUILDMETAINDEX_JARFILE) \
-o meta-index *.jar
@$(CD) $(JRE_IMAGE_DIR)/lib/ext && $(java-vm-cleanup)
-ifeq ($(PLATFORM), macosx)
- @#install jobjc, apple mac only
- $(CP) $(OUTPUTDIR)/JObjC.build/JObjC.jar $(JRE_IMAGE_DIR)/lib/JObjC.jar
-endif
ifeq ($(PLATFORM), windows)
@# Remove certain *.lib files
$(CD) $(JRE_IMAGE_DIR)/lib && \
--- a/jdk/make/java/Makefile Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/make/java/Makefile Mon Oct 07 11:32:48 2013 +0100
@@ -57,10 +57,6 @@
SUBDIRS += jexec
endif # PLATFORM
-ifeq ($(PLATFORM), macosx)
- SUBDIRS += jobjc
-endif # PLATFORM
-
include $(BUILDDIR)/common/Subdirs.gmk
all build clean clobber::
--- a/jdk/makefiles/CompileJavaClasses.gmk Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/makefiles/CompileJavaClasses.gmk Mon Oct 07 11:32:48 2013 +0100
@@ -271,11 +271,6 @@
$(JDK_TOPDIR)/src/solaris/classes/sun/util/locale/provider/HostLocaleProviderAdapterImpl.java \
$(JDK_TOPDIR)/src/solaris/classes/sun/nio/fs/GnomeFileTypeDetector.java
- # JObjC.jar contains 1.5 byte-code...so skip it here :-(
- # MACOSX_SRC_DIRS += $(JDK_TOPDIR)/src/macosx/native/jobjc/src
- # EXCLUDES+= tests/java/com/apple/jobjc
-
- EXCLUDES+= com/apple/jobjc
endif
# The exception handling of swing beaninfo
@@ -327,44 +322,6 @@
##########################################################################################
-ifeq ($(OPENJDK_TARGET_OS),macosx)
-#
-# JObjC.jar is compiled with BOOT_JAVAC which (may) not support the "-h" flag.
-# so we first compile classes with BOOT_JAVAC and then with JDK_JAVAC :-(
-#
-$(eval $(call SetupJavaCompiler,GENERATE_15BYTECODE,\
- JAVAC:=$(JAVAC),\
- FLAGS:=-source 1.5 -target 1.5 -g -bootclasspath $(BOOT_RTJAR) -cp $(JDK_OUTPUTDIR)/../langtools/dist/lib/classes.jar $(DISABLE_WARNINGS),\
- SERVER_DIR:=$(SJAVAC_SERVER_DIR),\
- SERVER_JVM:=$(SJAVAC_SERVER_JAVA)))
-
-$(eval $(call SetupJavaCompilation,BUILD_JOBJC,\
- SETUP:=GENERATE_15BYTECODE,\
- DISABLE_SJAVAC:=true,\
- SRC:=$(JDK_TOPDIR)/src/macosx/native/jobjc/src/core/java \
- $(JDK_TOPDIR)/src/macosx/native/jobjc/src/runtime-additions/java \
- $(JDK_OUTPUTDIR)/gensrc_jobjc/src, \
- INCLUDES := com/apple/jobjc,\
- EXCLUDES := tests/java/com/apple/jobjc,\
- BIN:=$(JDK_OUTPUTDIR)/jobjc_classes,\
- JAR:=$(JDK_OUTPUTDIR)/lib/JObjC.jar, \
- JARINDEX := true))
-
-$(BUILD_JOBJC) : $(BUILD_JDK)
-
-$(eval $(call SetupJavaCompilation,BUILD_JOBJC_HEADERS,\
- SETUP:=GENERATE_JDKBYTECODE,\
- SRC:=$(JDK_TOPDIR)/src/macosx/native/jobjc/src/core/java \
- $(JDK_TOPDIR)/src/macosx/native/jobjc/src/runtime-additions/java \
- $(JDK_OUTPUTDIR)/gensrc_jobjc/src, \
- INCLUDES := com/apple/jobjc,\
- EXCLUDES := tests/java/com/apple/jobjc,\
- BIN:=$(JDK_OUTPUTDIR)/jobjc_classes_headers,\
- HEADERS:=$(JDK_OUTPUTDIR)/gensrc_headers_jobjc))
-
-$(BUILD_JOBJC_HEADERS) : $(BUILD_JDK)
-
-endif
##########################################################################################
@@ -403,7 +360,7 @@
##########################################################################################
-all: $(BUILD_JDK) $(BUILD_ALTCLASSES) $(BUILD_JOBJC) $(BUILD_JOBJC_HEADERS) $(COPY_EXTRA) \
+all: $(BUILD_JDK) $(BUILD_ALTCLASSES) $(COPY_EXTRA) \
$(JDK_OUTPUTDIR)/classes/META-INF/services/com.sun.tools.xjc.Plugin \
$(BUILD_ACCESSBRIDGE_32) $(BUILD_ACCESSBRIDGE_64) \
$(BUILD_ACCESSBRIDGE_LEGACY)
--- a/jdk/makefiles/CompileNativeLibraries.gmk Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/makefiles/CompileNativeLibraries.gmk Mon Oct 07 11:32:48 2013 +0100
@@ -3296,67 +3296,6 @@
##########################################################################################
-ifeq ($(OPENJDK_TARGET_OS), macosx)
-
-# Ugly hack to mimic behaviour in old build where this is built as an xcode project.
-SET_SHARED_LIBRARY_NAME=-Xlinker -install_name -Xlinker /usr/local/lib/libJObjC.dylib
-
-$(eval $(call SetupNativeCompilation,BUILD_LIBJOBJC32,\
- LIBRARY:=JObjC,\
- OUTPUT_DIR:=$(JDK_OUTPUTDIR)/objs/libjobjc32,\
- SRC:=$(JDK_TOPDIR)/src/macosx/native/jobjc/src/core/native \
- $(JDK_TOPDIR)/src/macosx/native/jobjc/src/runtime-additions/native ,\
- LANG:=C,\
- OPTIMIZATION:=LOW, \
- CFLAGS:=-fpascal-strings \
- -fobjc-gc \
- -gdwarf-2 \
- $(CFLAGS_JDKLIB) -I$(JDK_OUTPUTDIR)/gensrc_headers_jobjc \
- -F/System/Library/Frameworks/JavaVM.framework/Frameworks \
- -m32,\
- LDFLAGS:=$(LDFLAGS_JDKLIB)\
- -m32, \
- LDFLAGS_SUFFIX:=-framework Foundation -framework JavaVM \
- -F/System/Library/Frameworks/JavaVM.framework/Frameworks \
- -framework JavaNativeFoundation \
- -lffi, \
- OBJECT_DIR:=$(JDK_OUTPUTDIR)/objs/libjobjc32,\
- DEBUG_SYMBOLS:=$(DEBUG_ALL_BINARIES)))
-
-$(eval $(call SetupNativeCompilation,BUILD_LIBJOBJC64,\
- LIBRARY:=JObjC,\
- OUTPUT_DIR:=$(JDK_OUTPUTDIR)/objs/libjobjc64,\
- SRC:=$(JDK_TOPDIR)/src/macosx/native/jobjc/src/core/native \
- $(JDK_TOPDIR)/src/macosx/native/jobjc/src/runtime-additions/native ,\
- LANG:=C,\
- OPTIMIZATION:=LOW, \
- CFLAGS:=-fpascal-strings \
- -fobjc-gc \
- -gdwarf-2 \
- $(CFLAGS_JDKLIB) -I$(JDK_OUTPUTDIR)/gensrc_headers_jobjc \
- -F/System/Library/Frameworks/JavaVM.framework/Frameworks \
- , \
- LDFLAGS:=-fpascal-strings \
- -fobjc-gc \
- -gdwarf-2 \
- $(LDFLAGS_JDKLIB)\
- $(call SET_SHARED_LIBRARY_ORIGIN), \
- LDFLAGS_SUFFIX:=-framework Foundation -framework JavaVM \
- -F/System/Library/Frameworks/JavaVM.framework/Frameworks \
- -framework JavaNativeFoundation \
- -lffi, \
- OBJECT_DIR:=$(JDK_OUTPUTDIR)/objs/libjobjc64,\
- DEBUG_SYMBOLS:=$(DEBUG_ALL_BINARIES)))
-
-$(INSTALL_LIBRARIES_HERE)/$(LIBRARY_PREFIX)JObjC$(SHARED_LIBRARY_SUFFIX): $(BUILD_LIBJOBJC32) $(BUILD_LIBJOBJC64)
- $(LIPO) -create -output $@ $(BUILD_LIBJOBJC32) $(BUILD_LIBJOBJC64)
-
-BUILD_LIBRARIES += $(INSTALL_LIBRARIES_HERE)/$(LIBRARY_PREFIX)JObjC$(SHARED_LIBRARY_SUFFIX)
-
-endif
-
-##########################################################################################
-
ifndef OPENJDK
ifeq ($(OPENJDK_TARGET_OS), windows)
--- a/jdk/makefiles/CreateJars.gmk Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/makefiles/CreateJars.gmk Mon Oct 07 11:32:48 2013 +0100
@@ -994,15 +994,6 @@
##########################################################################################
-ifeq ($(OPENJDK_TARGET_OS),macosx)
- $(eval $(call SetupArchive,BUILD_JOBJC_JAR,,\
- SRCS:=$(JDK_OUTPUTDIR)/jobjc_classes,\
- JAR:=$(IMAGES_OUTPUTDIR)/lib/JObjC.jar, \
- JARINDEX:=true))
-endif
-
-##########################################################################################
-
ifndef OPENJDK
$(eval $(call SetupArchive,BUILD_ALT_RT_JAR,,\
SRCS:=$(JDK_OUTPUTDIR)/altclasses_classes,\
--- a/jdk/makefiles/GenerateJavaSources.gmk Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/makefiles/GenerateJavaSources.gmk Mon Oct 07 11:32:48 2013 +0100
@@ -83,11 +83,6 @@
include GensrcSwing.gmk
GENSRC += $(GENSRC_SWING_BEANINFO) $(GENSRC_SWING_NIMBUS)
-ifeq ($(OPENJDK_TARGET_OS), macosx)
- include GensrcJObjC.gmk
- GENSRC += $(GENSRC_JOBJC)
-endif
-
$(GENSRC) : $(BUILD_TOOLS)
all: $(GENSRC)
--- a/jdk/makefiles/Images.gmk Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/makefiles/Images.gmk Mon Oct 07 11:32:48 2013 +0100
@@ -303,14 +303,13 @@
$(ECHO) $(LOG_INFO) Creating $(patsubst $(OUTPUT_ROOT)/%,%,$@)
$(MKDIR) -p $@
-# In the old build, JObjC.jar is not part of the meta-index
$(JRE_IMAGE_DIR)/lib/meta-index: $(JRE_LIB_TARGETS)
$(ECHO) $(LOG_INFO) Generating $(patsubst $(OUTPUT_ROOT)/%,%,$@)
- $(CD) $(@D) && $(TOOL_BUILDMETAINDEX) -o meta-index `$(LS) *.jar | $(SED) 's/JObjC\.jar//g'`
+ $(CD) $(@D) && $(TOOL_BUILDMETAINDEX) -o meta-index *.jar
$(JDK_IMAGE_DIR)/jre/lib/meta-index: $(JDKJRE_LIB_TARGETS)
$(ECHO) $(LOG_INFO) Generating $(patsubst $(OUTPUT_ROOT)/%,%,$@)
- $(CD) $(@D) && $(TOOL_BUILDMETAINDEX) -o meta-index `$(LS) *.jar | $(SED) 's/JObjC\.jar//g'`
+ $(CD) $(@D) && $(TOOL_BUILDMETAINDEX) -o meta-index *.jar
$(JRE_IMAGE_DIR)/lib/ext/meta-index: $(JRE_LIB_TARGETS)
$(ECHO) $(LOG_INFO) Generating $(patsubst $(OUTPUT_ROOT)/%,%,$@)
--- a/jdk/makefiles/Profiles.gmk Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/makefiles/Profiles.gmk Mon Oct 07 11:32:48 2013 +0100
@@ -109,10 +109,6 @@
ALL_JARS += $(IMAGES_OUTPUTDIR)/lib/ext/sunmscapi.jar
endif
-ifeq ($(OPENJDK_TARGET_OS),macosx)
- ALL_JARS += $(IMAGES_OUTPUTDIR)/lib/JObjC.jar
-endif
-
ifeq ($(PROFILE), profile_1)
PROFILE_JARS := $(PROFILE_1_JARS)
else ifeq ($(PROFILE), profile_2)
--- a/jdk/src/macosx/native/sun/awt/splashscreen/splashscreen_sys.m Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/macosx/native/sun/awt/splashscreen/splashscreen_sys.m Mon Oct 07 11:32:48 2013 +0100
@@ -290,8 +290,8 @@
SplashUnlock(splash);
rc = poll(pfd, 1, timeout);
SplashLock(splash);
- if (splash->isVisible>0 && SplashTime() >= splash->time +
- splash->frames[splash->currentFrame].delay) {
+ if (splash->isVisible > 0 && splash->currentFrame >= 0 &&
+ SplashTime() >= splash->time + splash->frames[splash->currentFrame].delay) {
SplashNextFrame(splash);
SplashRedrawWindow(splash);
}
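Review bot: The new guard in the poll loop checks only the lower bound of `splash->currentFrame` before indexing `splash->frames[...]`; nothing visible here ties the index to the number of frames actually loaded. If the struct carries a frame counter (presumably `frameCount`, not shown in this hunk), an upper-bound comparison next to `splash->currentFrame >= 0` would also cover a truncated or malformed animated image. A short comment saying which state a negative `currentFrame` represents would help the next reader. The enclosing function starts and ends outside the hunk.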
--- a/jdk/src/share/classes/com/sun/beans/decoder/DocumentHandler.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/com/sun/beans/decoder/DocumentHandler.java Mon Oct 07 11:32:48 2013 +0100
@@ -29,6 +29,7 @@
import java.beans.ExceptionListener;
import java.io.IOException;
+import java.io.StringReader;
import java.lang.ref.Reference;
import java.lang.ref.WeakReference;
@@ -246,6 +247,14 @@
}
/**
+ * Disables any external entities.
+ */
+ @Override
+ public InputSource resolveEntity(String publicId, String systemId) {
+ return new InputSource(new StringReader(""));
+ }
+
+ /**
* Prepares this handler to read objects from XML document.
*/
@Override
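Review bot: The Javadoc on the new `resolveEntity` says external entities are disabled, but the method resolves every external entity to an empty stream, so a document that references one still parses and the reference silently disappears. Say so in the comment, e.g. `Resolves every external entity to empty content so the parser never fetches a systemId; the document itself is not rejected.` It is also worth stating there that this override does nothing about internal entity expansion, which has to be limited through the parser configuration. The rest of the class is outside the hunk.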
--- a/jdk/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -72,13 +72,17 @@
throw new IllegalStateException(
"TlsRsaPremasterSecretGenerator must be initialized");
}
- if (random == null) {
- random = new SecureRandom();
+ byte[] b = spec.getEncodedSecret();
+ if (b == null) {
+ if (random == null) {
+ random = new SecureRandom();
+ }
+ b = new byte[48];
+ random.nextBytes(b);
+ b[0] = (byte)spec.getMajorVersion();
+ b[1] = (byte)spec.getMinorVersion();
}
- byte[] b = new byte[48];
- random.nextBytes(b);
- b[0] = (byte)spec.getMajorVersion();
- b[1] = (byte)spec.getMinorVersion();
+
return new SecretKeySpec(b, "TlsRsaPremasterSecret");
}
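Review bot: When `spec.getEncodedSecret()` returns a value, the generator hands those 48 bytes to `SecretKeySpec` unchanged and never compares `b[0]`/`b[1]` with `spec.getMajorVersion()`/`spec.getMinorVersion()`, so the version check has to happen in the caller. That looks deliberate, but nothing in the method says it; a comment above `if (b == null)` such as `// caller-supplied secret is used as is; its version bytes are validated by the caller, not here` would stop anyone relying on this method for the rollback check. Separately, `b` stays on the heap after the key is built; since `SecretKeySpec` copies its input, `java.util.Arrays.fill(b, (byte)0);` before the return would shorten the lifetime of the extra copy. The method begins outside the hunk.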
--- a/jdk/src/share/classes/com/sun/rowset/internal/XmlReaderContentHandler.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/com/sun/rowset/internal/XmlReaderContentHandler.java Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -660,7 +660,7 @@
//Added the handling for Class tags to take care of maps
//Makes an entry into the map upon end of class tag
try{
- typeMap.put(Key_map,Class.forName(Value_map));
+ typeMap.put(Key_map,sun.reflect.misc.ReflectUtil.forName(Value_map));
}catch(ClassNotFoundException ex) {
throw new SAXException(MessageFormat.format(resBundle.handleGetObject("xmlrch.errmap").toString(), ex.getMessage()));
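Review bot: `Value_map` comes from the XML being read, and the replacement call still loads whatever class name the document supplies; as far as this hunk shows, `ReflectUtil.forName` only puts a package-access check in front of that. Any class outside the restricted packages can therefore still be loaded, and presumably initialized, at the document author's choice. Document this above the `typeMap.put` line, for instance `// class name comes from the document; only package access is checked here`, and consider validating the loaded type against what the type map is meant to hold before storing it. The surrounding method lies outside the hunk.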
--- a/jdk/src/share/classes/java/util/jar/JarFile.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/java/util/jar/JarFile.java Mon Oct 07 11:32:48 2013 +0100
@@ -53,6 +53,13 @@
* or method in this class will cause a {@link NullPointerException} to be
* thrown.
*
+ * If the verify flag is on when opening a signed jar file, the content of the
+ * file is verified against its signature embedded inside the file. Please note
+ * that the verification process does not include validating the signer's
+ * certificate. A caller should inspect the return value of
+ * {@link JarEntry#getCodeSigners()} to further determine if the signature
+ * can be trusted.
+ *
* @author David Connelly
* @see Manifest
* @see java.util.zip.ZipFile
--- a/jdk/src/share/classes/java/util/jar/JarVerifier.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/java/util/jar/JarVerifier.java Mon Oct 07 11:32:48 2013 +0100
@@ -179,7 +179,9 @@
name = name.substring(1);
// only set the jev object for entries that have a signature
- if (sigFileSigners.get(name) != null) {
+ // (either verified or not)
+ if (sigFileSigners.get(name) != null ||
+ verifiedSigners.get(name) != null) {
mev.setEntry(name, je);
return;
}
--- a/jdk/src/share/classes/javax/security/auth/Subject.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/javax/security/auth/Subject.java Mon Oct 07 11:32:48 2013 +0100
@@ -964,6 +964,10 @@
s.defaultReadObject();
+ // Rewrap the principals into a SecureSet
+ principals = Collections.synchronizedSet(new SecureSet<Principal>
+ (this, PRINCIPAL_SET, principals));
+
// The Credential {@code Set} is not serialized, but we do not
// want the default deserialization routine to set it to null.
this.pubCredentials = Collections.synchronizedSet
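Review bot: The rewrap passes the deserialized `principals` straight into the `SecureSet` constructor, so the fix is only as strong as that constructor, which is not part of this hunk. If the constructor keeps a reference to the incoming collection instead of copying its elements, a stream that back-references the same set would leave the sender with a handle that bypasses the `SecureSet` checks; a stream that leaves `principals` null, or puts null elements in it, also reaches the constructor unchecked. A null check that fails with an `InvalidObjectException` before the rewrap, plus a comment such as `// SecureSet copies the elements; the deserialized set is discarded`, would settle both questions if that is indeed what the constructor does. `readObject` starts and ends outside the hunk.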
--- a/jdk/src/share/classes/javax/sql/rowset/spi/SyncFactory.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/javax/sql/rowset/spi/SyncFactory.java Mon Oct 07 11:32:48 2013 +0100
@@ -35,6 +35,8 @@
import java.io.InputStream;
import java.io.IOException;
import java.io.FileNotFoundException;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import javax.naming.*;
@@ -348,7 +350,17 @@
/*
* Dependent on application
*/
- String strRowsetProperties = System.getProperty("rowset.properties");
+ String strRowsetProperties;
+ try {
+ strRowsetProperties = AccessController.doPrivileged(new PrivilegedAction<String>() {
+ public String run() {
+ return System.getProperty("rowset.properties");
+ }
+ }, null, new PropertyPermission("rowset.properties","read"));
+ } catch (Exception ex) {
+ strRowsetProperties = null;
+ }
+
if (strRowsetProperties != null) {
// Load user's implementation of SyncProvider
// here. -Drowset.properties=/abc/def/pqr.txt
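Review bot: Both new `doPrivileged` blocks (here for `rowset.properties` and in the next hunk for `ROWSET_SYNC_PROVIDER`) catch `Exception` and turn it into `null`, which makes a denied property read indistinguishable from an unset property and hides any unrelated runtime failure. Catching only the expected type, `} catch (SecurityException ex) {`, and logging it at a low level would keep the fallback without masking other errors. The two anonymous `PrivilegedAction` classes differ only in the key, so a small private helper taking the property name would remove the duplication. `PropertyPermission` is not among the imports this diff adds; confirm the file already has `java.util.PropertyPermission` in scope. The enclosing method starts outside the hunk.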
@@ -393,7 +405,16 @@
* load additional properties from -D command line
*/
properties.clear();
- String providerImpls = System.getProperty(ROWSET_SYNC_PROVIDER);
+ String providerImpls;
+ try {
+ providerImpls = AccessController.doPrivileged(new PrivilegedAction<String>() {
+ public String run() {
+ return System.getProperty(ROWSET_SYNC_PROVIDER);
+ }
+ }, null, new PropertyPermission(ROWSET_SYNC_PROVIDER,"read"));
+ } catch (Exception ex) {
+ providerImpls = null;
+ }
if (providerImpls != null) {
int i = 0;
--- a/jdk/src/share/classes/javax/swing/event/EventListenerList.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/javax/swing/event/EventListenerList.java Mon Oct 07 11:32:48 2013 +0100
@@ -27,6 +27,7 @@
import java.io.*;
import java.util.*;
import java.lang.reflect.Array;
+import sun.reflect.misc.ReflectUtil;
/**
* A class that holds a list of EventListeners. A single instance
@@ -271,7 +272,9 @@
while (null != (listenerTypeOrNull = s.readObject())) {
ClassLoader cl = Thread.currentThread().getContextClassLoader();
EventListener l = (EventListener)s.readObject();
- add((Class<EventListener>)Class.forName((String)listenerTypeOrNull, true, cl), l);
+ String name = (String) listenerTypeOrNull;
+ ReflectUtil.checkPackageAccess(name);
+ add((Class<EventListener>)Class.forName(name, true, cl), l);
}
}
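Review bot: After the new `ReflectUtil.checkPackageAccess(name)` the class named in the stream is still loaded with `Class.forName(name, true, cl)`, so its static initializer runs before anything confirms that it is an `EventListener` type. Passing `false` for the initialize flag, `Class.forName(name, false, cl)`, defers initialization until the class is actually used, and the unchecked cast to `Class<EventListener>` could be preceded by an `EventListener.class.isAssignableFrom(...)` test. The cast `(String) listenerTypeOrNull` also turns a malformed stream into a `ClassCastException`; whether that is the intended failure mode for `readObject` deserves a comment. The method begins outside the hunk.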
--- a/jdk/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -45,11 +45,12 @@
private final int majorVersion;
private final int minorVersion;
+ private final byte[] encodedSecret;
/**
* Constructs a new TlsRsaPremasterSecretParameterSpec.
- *
- * <p>The version numbers will be placed inside the premaster secret to
+ * <P>
+ * The version numbers will be placed inside the premaster secret to
* detect version rollbacks attacks as described in the TLS specification.
* Note that they do not indicate the protocol version negotiated for
* the handshake.
@@ -65,7 +66,42 @@
this.majorVersion =
TlsMasterSecretParameterSpec.checkVersion(majorVersion);
this.minorVersion =
- TlsMasterSecretParameterSpec.checkVersion(minorVersion); }
+ TlsMasterSecretParameterSpec.checkVersion(minorVersion);
+ this.encodedSecret = null;
+ }
+
+ /**
+ * Constructs a new TlsRsaPremasterSecretParameterSpec.
+ * <P>
+ * The version numbers will be placed inside the premaster secret to
+ * detect version rollbacks attacks as described in the TLS specification.
+ * Note that they do not indicate the protocol version negotiated for
+ * the handshake.
+ * <P>
+ * Usually, the encoded secret key is a random number that acts as
+ * dummy pre_master_secret to avoid vulnerabilities described by
+ * section 7.4.7.1, RFC 5246.
+ *
+ * @param majorVersion the major number of the protocol version
+ * @param minorVersion the minor number of the protocol version
+ * @param encodedSecret the encoded secret key
+ *
+ * @throws IllegalArgumentException if minorVersion or majorVersion are
+ * negative or larger than 255, or encodedSecret is not exactly 48 bytes.
+ */
+ public TlsRsaPremasterSecretParameterSpec(int majorVersion,
+ int minorVersion, byte[] encodedSecret) {
+ this.majorVersion =
+ TlsMasterSecretParameterSpec.checkVersion(majorVersion);
+ this.minorVersion =
+ TlsMasterSecretParameterSpec.checkVersion(minorVersion);
+
+ if (encodedSecret == null || encodedSecret.length != 48) {
+ throw new IllegalArgumentException(
+ "Encoded secret is not exactly 48 bytes");
+ }
+ this.encodedSecret = encodedSecret.clone();
+ }
/**
* Returns the major version.
@@ -84,4 +120,13 @@
public int getMinorVersion() {
return minorVersion;
}
+
+ /**
+ * Returns the encoded secret.
+ *
+ * @return the encoded secret, may be null if no encoded secret.
+ */
+ public byte[] getEncodedSecret() {
+ return encodedSecret == null ? null : encodedSecret.clone();
+ }
}
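Review bot: The Javadoc on `getEncodedSecret()` does not say that each call returns a fresh copy of the secret, which matters because every copy is premaster key material the caller then owns. Suggest `@return a copy of the encoded secret, or null if none was supplied; the caller should clear the copy when it is no longer needed`.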
--- a/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -451,30 +451,7 @@
// see JCE spec
protected Key engineUnwrap(byte[] wrappedKey, String algorithm,
int type) throws InvalidKeyException, NoSuchAlgorithmException {
- if (algorithm.equals("TlsRsaPremasterSecret")) {
- // the instance variable "session" has been initialized for
- // decrypt mode, so use a local variable instead.
- Session s = null;
- try {
- s = token.getObjSession();
- long keyType = CKK_GENERIC_SECRET;
- CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
- new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
- new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType),
- };
- attributes = token.getAttributes
- (O_IMPORT, CKO_SECRET_KEY, keyType, attributes);
- long keyID = token.p11.C_UnwrapKey(s.id(),
- new CK_MECHANISM(mechanism), p11Key.keyID, wrappedKey,
- attributes);
- return P11Key.secretKey(s, keyID, algorithm, 48 << 3,
- attributes);
- } catch (PKCS11Exception e) {
- throw new InvalidKeyException("unwrap() failed", e);
- } finally {
- token.releaseSession(s);
- }
- }
+
// XXX implement unwrap using C_Unwrap() for all keys
implInit(Cipher.DECRYPT_MODE, p11Key);
if (wrappedKey.length > maxInputSize) {
--- a/jdk/src/share/classes/sun/security/pkcs11/P11TlsRsaPremasterSecretGenerator.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/pkcs11/P11TlsRsaPremasterSecretGenerator.java Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -88,23 +88,33 @@
throw new IllegalStateException
("TlsRsaPremasterSecretGenerator must be initialized");
}
- CK_VERSION version =
- new CK_VERSION(spec.getMajorVersion(), spec.getMinorVersion());
- Session session = null;
- try {
- session = token.getObjSession();
- CK_ATTRIBUTE[] attributes = token.getAttributes
- (O_GENERATE, CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
- long keyID = token.p11.C_GenerateKey
- (session.id(), new CK_MECHANISM(mechanism, version), attributes);
- SecretKey key = P11Key.secretKey
- (session, keyID, "TlsRsaPremasterSecret", 48 << 3, attributes);
- return key;
- } catch (PKCS11Exception e) {
- throw new ProviderException("Could not generate premaster secret", e);
- } finally {
- token.releaseSession(session);
+
+ byte[] b = spec.getEncodedSecret();
+ if (b == null) {
+ CK_VERSION version = new CK_VERSION(
+ spec.getMajorVersion(), spec.getMinorVersion());
+ Session session = null;
+ try {
+ session = token.getObjSession();
+ CK_ATTRIBUTE[] attributes = token.getAttributes(
+ O_GENERATE, CKO_SECRET_KEY,
+ CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
+ long keyID = token.p11.C_GenerateKey(session.id(),
+ new CK_MECHANISM(mechanism, version), attributes);
+ SecretKey key = P11Key.secretKey(session,
+ keyID, "TlsRsaPremasterSecret", 48 << 3, attributes);
+ return key;
+ } catch (PKCS11Exception e) {
+ throw new ProviderException(
+ "Could not generate premaster secret", e);
+ } finally {
+ token.releaseSession(session);
+ }
}
+
+ // Won't worry, the TlsRsaPremasterSecret will be soon converted to
+ // TlsMasterSecret.
+ return new SecretKeySpec(b, "TlsRsaPremasterSecret");
}
}
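Review bot: The comment above the final `return` ("Won't worry, ...") does not say what the worry is: on this path the premaster secret is a `SecretKeySpec` holding the raw 48 bytes on the Java heap, whereas the `b == null` path keeps the key as a token object created by `C_GenerateKey`. Spell that out, e.g. `// Caller-supplied secret: kept as a software key outside the token; it is short-lived because it is converted to the TlsMasterSecret right away.` The local `b` could also be cleared once the key is built, since `SecretKeySpec` copies its input. No import for `SecretKeySpec` is added in this diff, so confirm the file already has it in scope.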
--- a/jdk/src/share/classes/sun/security/provider/ByteArrayAccess.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/provider/ByteArrayAccess.java Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -43,10 +43,8 @@
* These are the only platforms we currently support, but other optimized
* variants could be added as needed.
*
- * NOTE that because this code performs unchecked direct memory access, it
- * MUST be restricted to trusted code. It is imperative that the caller protects
- * against out of bounds memory access by performing the necessary bounds
- * checks before calling methods in this class.
+ * NOTE that ArrayIndexOutOfBoundsException will be thrown if the bounds checks
+ * failed.
*
* This class may also be helpful in improving the performance of the
* crypto code in the SunJCE provider. However, for now it is only accessible by
@@ -103,6 +101,10 @@
* byte[] to int[] conversion, little endian byte order.
*/
static void b2iLittle(byte[] in, int inOfs, int[] out, int outOfs, int len) {
+ if ((inOfs < 0) || ((in.length - inOfs) < len) ||
+ (outOfs < 0) || ((out.length - outOfs) < len/4)) {
+ throw new ArrayIndexOutOfBoundsException();
+ }
if (littleEndianUnaligned) {
inOfs += byteArrayOfs;
len += inOfs;
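Review bot: The new check in `b2iLittle` divides with `len/4`, which rounds down, so a `len` that is not a multiple of four passes with less room than the conversion would touch if the loop (outside this hunk) advances four bytes at a time until it reaches `len`. On the `littleEndianUnaligned` branch that access goes through `unsafe`, where there is no array bounds check to fall back on. Either reject such lengths, `if ((len & 3) != 0) throw new ArrayIndexOutOfBoundsException();`, or round the element count up; a negative `len` is likewise not rejected explicitly. The same rounding appears in the checks added to `i2bLittle`, `b2iBig` and `i2bBig`, and with `len/8` in `b2lBig` and `l2bBig`. The function body continues outside the hunk.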
@@ -131,6 +133,10 @@
// Special optimization of b2iLittle(in, inOfs, out, 0, 64)
static void b2iLittle64(byte[] in, int inOfs, int[] out) {
+ if ((inOfs < 0) || ((in.length - inOfs) < 64) ||
+ (out.length < 16)) {
+ throw new ArrayIndexOutOfBoundsException();
+ }
if (littleEndianUnaligned) {
inOfs += byteArrayOfs;
out[ 0] = unsafe.getInt(in, (long)(inOfs ));
@@ -176,6 +182,10 @@
* int[] to byte[] conversion, little endian byte order.
*/
static void i2bLittle(int[] in, int inOfs, byte[] out, int outOfs, int len) {
+ if ((inOfs < 0) || ((in.length - inOfs) < len/4) ||
+ (outOfs < 0) || ((out.length - outOfs) < len)) {
+ throw new ArrayIndexOutOfBoundsException();
+ }
if (littleEndianUnaligned) {
outOfs += byteArrayOfs;
len += outOfs;
@@ -204,6 +214,9 @@
// Store one 32-bit value into out[outOfs..outOfs+3] in little endian order.
static void i2bLittle4(int val, byte[] out, int outOfs) {
+ if ((outOfs < 0) || ((out.length - outOfs) < 4)) {
+ throw new ArrayIndexOutOfBoundsException();
+ }
if (littleEndianUnaligned) {
unsafe.putInt(out, (long)(byteArrayOfs + outOfs), val);
} else if (bigEndian && ((outOfs & 3) == 0)) {
@@ -220,6 +233,10 @@
* byte[] to int[] conversion, big endian byte order.
*/
static void b2iBig(byte[] in, int inOfs, int[] out, int outOfs, int len) {
+ if ((inOfs < 0) || ((in.length - inOfs) < len) ||
+ (outOfs < 0) || ((out.length - outOfs) < len/4)) {
+ throw new ArrayIndexOutOfBoundsException();
+ }
if (littleEndianUnaligned) {
inOfs += byteArrayOfs;
len += inOfs;
@@ -248,6 +265,10 @@
// Special optimization of b2iBig(in, inOfs, out, 0, 64)
static void b2iBig64(byte[] in, int inOfs, int[] out) {
+ if ((inOfs < 0) || ((in.length - inOfs) < 64) ||
+ (out.length < 16)) {
+ throw new ArrayIndexOutOfBoundsException();
+ }
if (littleEndianUnaligned) {
inOfs += byteArrayOfs;
out[ 0] = reverseBytes(unsafe.getInt(in, (long)(inOfs )));
@@ -293,6 +314,10 @@
* int[] to byte[] conversion, big endian byte order.
*/
static void i2bBig(int[] in, int inOfs, byte[] out, int outOfs, int len) {
+ if ((inOfs < 0) || ((in.length - inOfs) < len/4) ||
+ (outOfs < 0) || ((out.length - outOfs) < len)) {
+ throw new ArrayIndexOutOfBoundsException();
+ }
if (littleEndianUnaligned) {
outOfs += byteArrayOfs;
len += outOfs;
@@ -321,6 +346,9 @@
// Store one 32-bit value into out[outOfs..outOfs+3] in big endian order.
static void i2bBig4(int val, byte[] out, int outOfs) {
+ if ((outOfs < 0) || ((out.length - outOfs) < 4)) {
+ throw new ArrayIndexOutOfBoundsException();
+ }
if (littleEndianUnaligned) {
unsafe.putInt(out, (long)(byteArrayOfs + outOfs), reverseBytes(val));
} else if (bigEndian && ((outOfs & 3) == 0)) {
@@ -337,6 +365,10 @@
* byte[] to long[] conversion, big endian byte order.
*/
static void b2lBig(byte[] in, int inOfs, long[] out, int outOfs, int len) {
+ if ((inOfs < 0) || ((in.length - inOfs) < len) ||
+ (outOfs < 0) || ((out.length - outOfs) < len/8)) {
+ throw new ArrayIndexOutOfBoundsException();
+ }
if (littleEndianUnaligned) {
inOfs += byteArrayOfs;
len += inOfs;
@@ -378,6 +410,10 @@
// Special optimization of b2lBig(in, inOfs, out, 0, 128)
static void b2lBig128(byte[] in, int inOfs, long[] out) {
+ if ((inOfs < 0) || ((in.length - inOfs) < 128) ||
+ (out.length < 16)) {
+ throw new ArrayIndexOutOfBoundsException();
+ }
if (littleEndianUnaligned) {
inOfs += byteArrayOfs;
out[ 0] = reverseBytes(unsafe.getLong(in, (long)(inOfs )));
@@ -406,6 +442,10 @@
* long[] to byte[] conversion, big endian byte order.
*/
static void l2bBig(long[] in, int inOfs, byte[] out, int outOfs, int len) {
+ if ((inOfs < 0) || ((in.length - inOfs) < len/8) ||
+ (outOfs < 0) || ((out.length - outOfs) < len)) {
+ throw new ArrayIndexOutOfBoundsException();
+ }
len += outOfs;
while (outOfs < len) {
long i = in[inOfs++];
@@ -419,5 +459,4 @@
out[outOfs++] = (byte)(i );
}
}
-
}
--- a/jdk/src/share/classes/sun/security/rsa/RSAPadding.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPadding.java Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2013 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -318,33 +318,53 @@
/**
* PKCS#1 v1.5 unpadding (blocktype 1 and 2).
+ *
+ * Note that we want to make it a constant-time operation
*/
private byte[] unpadV15(byte[] padded) throws BadPaddingException {
int k = 0;
+ BadPaddingException bpe = null;
+
if (padded[k++] != 0) {
- throw new BadPaddingException("Data must start with zero");
+ bpe = new BadPaddingException("Data must start with zero");
}
- if (padded[k++] != type) {
- throw new BadPaddingException("Blocktype mismatch: " + padded[1]);
+ if (padded[k++] != type && bpe == null) {
+ bpe = new BadPaddingException("Blocktype mismatch: " + padded[1]);
}
- while (true) {
+ int p = 0;
+ while (k < padded.length) {
int b = padded[k++] & 0xff;
- if (b == 0) {
- break;
+ if (b == 0 && p == 0) {
+ p = k;
}
- if (k == padded.length) {
- throw new BadPaddingException("Padding string not terminated");
+ if (k == padded.length && p == 0 && bpe == null) {
+ bpe = new BadPaddingException("Padding string not terminated");
}
- if ((type == PAD_BLOCKTYPE_1) && (b != 0xff)) {
- throw new BadPaddingException("Padding byte not 0xff: " + b);
+ if ((type == PAD_BLOCKTYPE_1) && (b != 0xff) &&
+ p == 0 && bpe == null) {
+ bpe = new BadPaddingException("Padding byte not 0xff: " + b);
}
}
- int n = padded.length - k;
- if (n > maxDataSize) {
- throw new BadPaddingException("Padding string too short");
+ int n = padded.length - p;
+ if (n > maxDataSize && bpe == null) {
+ bpe = new BadPaddingException("Padding string too short");
}
+
+ // copy useless padding array for a constant-time method
+ //
+ // Is it necessary?
+ byte[] padding = new byte[p];
+ System.arraycopy(padded, 0, padding, 0, p);
+
byte[] data = new byte[n];
- System.arraycopy(padded, padded.length - n, data, 0, n);
+ System.arraycopy(padded, p, data, 0, n);
+
+ if (bpe == null) {
+ bpe = new BadPaddingException("Unused exception");
+ } else {
+ throw bpe;
+ }
+
return data;
}
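Review bot: `unpadV15` is now documented as constant-time, but the rewritten body still does data-dependent work: the exception objects (two of them built with string concatenation of `padded[1]` or `b`) are allocated only on a failing path and at the point of failure, and the sizes of `padding` and `data` depend on where the first zero byte sits. The distinct messages ("Data must start with zero", "Blocktype mismatch: ...", "Padding string not terminated", ...) also tell a caller which check failed if they ever reach a peer or a log. Consider one fixed message for every failure, and replace the open question `// Is it necessary?` with a comment stating which timing property the dummy `padding` copy and the "Unused exception" allocation are meant to provide. If full constant-time behaviour is not achievable in this method, the Javadoc should say it is best effort rather than promise it.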
--- a/jdk/src/share/classes/sun/security/ssl/Handshaker.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/ssl/Handshaker.java Mon Oct 07 11:32:48 2013 +0100
@@ -1112,94 +1112,23 @@
clnt_random.random_bytes, svr_random.random_bytes,
prfHashAlg, prfHashLength, prfBlockSize);
- SecretKey masterSecret;
try {
KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
kg.init(spec);
- masterSecret = kg.generateKey();
- } catch (GeneralSecurityException e) {
+ return kg.generateKey();
+ } catch (InvalidAlgorithmParameterException |
+ NoSuchAlgorithmException iae) {
+ // unlikely to happen, otherwise, must be a provider exception
+ //
// For RSA premaster secrets, do not signal a protocol error
// due to the Bleichenbacher attack. See comments further down.
- if (!preMasterSecret.getAlgorithm().equals(
- "TlsRsaPremasterSecret")) {
- throw new ProviderException(e);
- }
-
if (debug != null && Debug.isOn("handshake")) {
System.out.println("RSA master secret generation error:");
- e.printStackTrace(System.out);
- }
-
- if (requestedVersion != null) {
- preMasterSecret =
- RSAClientKeyExchange.generateDummySecret(requestedVersion);
- } else {
- preMasterSecret =
- RSAClientKeyExchange.generateDummySecret(protocolVersion);
+ iae.printStackTrace(System.out);
}
-
- // recursive call with new premaster secret
- return calculateMasterSecret(preMasterSecret, null);
- }
-
- // if no version check requested (client side handshake), or version
- // information is not available (not an RSA premaster secret),
- // return master secret immediately.
- if ((requestedVersion == null) ||
- !(masterSecret instanceof TlsMasterSecret)) {
- return masterSecret;
- }
-
- // we have checked the ClientKeyExchange message when reading TLS
- // record, the following check is necessary to ensure that
- // JCE provider does not ignore the checking, or the previous
- // checking process bypassed the premaster secret version checking.
- TlsMasterSecret tlsKey = (TlsMasterSecret)masterSecret;
- int major = tlsKey.getMajorVersion();
- int minor = tlsKey.getMinorVersion();
- if ((major < 0) || (minor < 0)) {
- return masterSecret;
- }
+ throw new ProviderException(iae);
- // check if the premaster secret version is ok
- // the specification says that it must be the maximum version supported
- // by the client from its ClientHello message. However, many
- // implementations send the negotiated version, so accept both
- // for SSL v3.0 and TLS v1.0.
- // NOTE that we may be comparing two unsupported version numbers, which
- // is why we cannot use object reference equality in this special case.
- ProtocolVersion premasterVersion =
- ProtocolVersion.valueOf(major, minor);
- boolean versionMismatch = (premasterVersion.v != requestedVersion.v);
-
- /*
- * we never checked the client_version in server side
- * for TLS v1.0 and SSL v3.0. For compatibility, we
- * maintain this behavior.
- */
- if (versionMismatch && requestedVersion.v <= ProtocolVersion.TLS10.v) {
- versionMismatch = (premasterVersion.v != protocolVersion.v);
}
-
- if (versionMismatch == false) {
- // check passed, return key
- return masterSecret;
- }
-
- // Due to the Bleichenbacher attack, do not signal a protocol error.
- // Generate a random premaster secret and continue with the handshake,
- // which will fail when verifying the finished messages.
- // For more information, see comments in PreMasterSecret.
- if (debug != null && Debug.isOn("handshake")) {
- System.out.println("RSA PreMasterSecret version error: expected"
- + protocolVersion + " or " + requestedVersion + ", decrypted: "
- + premasterVersion);
- }
- preMasterSecret =
- RSAClientKeyExchange.generateDummySecret(requestedVersion);
-
- // recursive call with new premaster secret
- return calculateMasterSecret(preMasterSecret, null);
}
/*
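Review bot: The comment kept inside the new catch block, "For RSA premaster secrets, do not signal a protocol error due to the Bleichenbacher attack. See comments further down.", no longer describes the code. The catch now throws `ProviderException` unconditionally, and the comments it points to are deleted by this same hunk. I would replace those two lines with something like `// Premaster length/version checks and the Bleichenbacher countermeasure are handled in RSAClientKeyExchange.`, which matches the polishPreMasterSecretKey changes elsewhere in this commit. The debug line "RSA master secret generation error:" is also printed for every key-exchange algorithm now that the `TlsRsaPremasterSecret` test is gone, so the "RSA" prefix can mislead. The enclosing method starts outside the hunk.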
--- a/jdk/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java Mon Oct 07 11:32:48 2013 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -133,26 +133,37 @@
} else {
encrypted = new byte [messageSize];
if (input.read(encrypted) != messageSize) {
- throw new SSLProtocolException
- ("SSL: read PreMasterSecret: short read");
+ throw new SSLProtocolException(
+ "SSL: read PreMasterSecret: short read");
}
}
+ Exception failover = null;
+ byte[] encoded = null;
try {
Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
- cipher.init(Cipher.UNWRAP_MODE, privateKey);
- preMaster = (SecretKey)cipher.unwrap(encrypted,
- "TlsRsaPremasterSecret", Cipher.SECRET_KEY);
+ // Cannot generate key here, please don't use Cipher.UNWRAP_MODE!
+ cipher.init(Cipher.DECRYPT_MODE, privateKey);
+ encoded = cipher.doFinal(encrypted);
+ } catch (BadPaddingException bpe) {
+ failover = bpe;
+ encoded = null;
+ } catch (IllegalBlockSizeException ibse) {
+ // the message it too big to process with RSA
+ throw new SSLProtocolException(
+ "Unable to process PreMasterSecret, may be too big");
+ } catch (Exception e) {
+ // unlikely to happen, otherwise, must be a provider exception
+ if (debug != null && Debug.isOn("handshake")) {
+ System.out.println("RSA premaster secret decryption error:");
+ e.printStackTrace(System.out);
+ }
+ throw new RuntimeException("Could not generate dummy secret", e);
+ }
- // polish the premaster secret
- preMaster = polishPreMasterSecretKey(currentVersion, maxVersion,
- generator, preMaster, null);
- } catch (Exception e) {
- // polish the premaster secret
- preMaster =
- polishPreMasterSecretKey(currentVersion, maxVersion,
- generator, null, e);
- }
+ // polish the premaster secret
+ preMaster = polishPreMasterSecretKey(
+ currentVersion, maxVersion, generator, encoded, failover);
}
/**
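Review bot: The catch-all `catch (Exception e)` rethrows with the message "Could not generate dummy secret", but this block only decrypts, so a provider or key failure will be mislabelled in logs. Something like `throw new RuntimeException("Could not decrypt premaster secret", e);` would be accurate. The same message is also kept in generatePreMasterSecret's catch in the later `@@ -263` hunk, where the secret is no longer always a dummy. The comment `// the message it too big to process with RSA` should read "is too big". Separately, `encoded` now holds the decrypted premaster bytes in a plain `byte[]` and nothing visible clears it after `polishPreMasterSecretKey` returns. Whether the key generator copies the array is not shown here, so confirm before zeroing it.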
@@ -163,85 +174,74 @@
*
* RFC 5246 describes the approach as :
*
- * 1. Generate a string R of 46 random bytes
+ * 1. Generate a string R of 48 random bytes
*
* 2. Decrypt the message to recover the plaintext M
*
* 3. If the PKCS#1 padding is not correct, or the length of message
* M is not exactly 48 bytes:
- * pre_master_secret = ClientHello.client_version || R
+ * pre_master_secret = R
* else If ClientHello.client_version <= TLS 1.0, and version
* number check is explicitly disabled:
- * pre_master_secret = M
+ * premaster secret = M
+ * else If M[0..1] != ClientHello.client_version:
+ * premaster secret = R
* else:
- * pre_master_secret = ClientHello.client_version || M[2..47]
+ * premaster secret = M
+ *
+ * Note that #2 has completed before the call of this method.
*/
private SecretKey polishPreMasterSecretKey(ProtocolVersion currentVersion,
ProtocolVersion clientHelloVersion, SecureRandom generator,
- SecretKey secretKey, Exception failoverException) {
+ byte[] encoded, Exception failoverException) {
this.protocolVersion = clientHelloVersion;
+ if (generator == null) {
+ generator = new SecureRandom();
+ }
+ byte[] random = new byte[48];
+ generator.nextBytes(random);
- if (failoverException == null && secretKey != null) {
+ if (failoverException == null && encoded != null) {
// check the length
- byte[] encoded = secretKey.getEncoded();
- if (encoded == null) { // unable to get the encoded key
+ if (encoded.length != 48) {
if (debug != null && Debug.isOn("handshake")) {
System.out.println(
- "unable to get the plaintext of the premaster secret");
+ "incorrect length of premaster secret: " +
+ encoded.length);
}
- int keySize = KeyUtil.getKeySize(secretKey);
- if (keySize > 0 && keySize != 384) { // 384 = 48 * 8
- if (debug != null && Debug.isOn("handshake")) {
- System.out.println(
- "incorrect length of premaster secret: " +
- (keySize/8));
- }
-
- return generateDummySecret(clientHelloVersion);
- }
+ return generatePreMasterSecret(
+ clientHelloVersion, random, generator);
+ }
- // The key size is exactly 48 bytes or not accessible.
- //
- // Conservatively, pass the checking to master secret
- // calculation.
- return secretKey;
- } else if (encoded.length == 48) {
- // check the version
- if (clientHelloVersion.major == encoded[0] &&
- clientHelloVersion.minor == encoded[1]) {
+ if (clientHelloVersion.major != encoded[0] ||
+ clientHelloVersion.minor != encoded[1]) {
- return secretKey;
- } else if (clientHelloVersion.v <= ProtocolVersion.TLS10.v &&
- currentVersion.major == encoded[0] &&
- currentVersion.minor == encoded[1]) {
+ if (clientHelloVersion.v <= ProtocolVersion.TLS10.v &&
+ currentVersion.major == encoded[0] &&
+ currentVersion.minor == encoded[1]) {
/*
* For compatibility, we maintain the behavior that the
* version in pre_master_secret can be the negotiated
* version for TLS v1.0 and SSL v3.0.
*/
this.protocolVersion = currentVersion;
- return secretKey;
- }
-
- if (debug != null && Debug.isOn("handshake")) {
- System.out.println("Mismatching Protocol Versions, " +
- "ClientHello.client_version is " + clientHelloVersion +
- ", while PreMasterSecret.client_version is " +
- ProtocolVersion.valueOf(encoded[0], encoded[1]));
- }
+ } else {
+ if (debug != null && Debug.isOn("handshake")) {
+ System.out.println("Mismatching Protocol Versions, " +
+ "ClientHello.client_version is " +
+ clientHelloVersion +
+ ", while PreMasterSecret.client_version is " +
+ ProtocolVersion.valueOf(encoded[0], encoded[1]));
+ }
- return generateDummySecret(clientHelloVersion);
- } else {
- if (debug != null && Debug.isOn("handshake")) {
- System.out.println(
- "incorrect length of premaster secret: " +
- encoded.length);
+ encoded = random;
}
+ }
- return generateDummySecret(clientHelloVersion);
- }
+ return generatePreMasterSecret(
+ clientHelloVersion, encoded, generator);
}
if (debug != null && Debug.isOn("handshake") &&
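Review bot: The 48 random bytes are now drawn at the top of polishPreMasterSecretKey, before any check on `encoded`, with no comment saying why. This looks deliberate, so that valid and invalid inputs do the same work (step 1 of the RFC 5246 text above), but a later cleanup could easily move it into the failure branches. I would add `// Always generate R first (RFC 5246 step 1) so every path does the same work; do not move into the failure branches.` above `byte[] random = new byte[48];`. The Javadoc also mixes `pre_master_secret` and `premaster secret`, and its "version number check is explicitly disabled" branch does not correspond to the code, which accepts the negotiated version only for client_version <= TLS 1.0 after M[0..1] fails to match. The method body continues into the next hunk.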
@@ -250,11 +250,14 @@
failoverException.printStackTrace(System.out);
}
- return generateDummySecret(clientHelloVersion);
+ return generatePreMasterSecret(clientHelloVersion, random, generator);
}
// generate a premaster secret with the specified version number
- static SecretKey generateDummySecret(ProtocolVersion version) {
+ private static SecretKey generatePreMasterSecret(
+ ProtocolVersion version, byte[] encodedSecret,
+ SecureRandom generator) {
+
if (debug != null && Debug.isOn("handshake")) {
System.out.println("Generating a random fake premaster secret");
}
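Review bot: The debug line `System.out.println("Generating a random fake premaster secret");` is left unchanged, but after the rename generatePreMasterSecret is also called with the genuinely decrypted secret (see the `encoded` path in the previous hunk). With handshake debugging on, every RSA key exchange is therefore logged as "fake", which makes the trace useless for telling accepted from substituted secrets. I would reword it to a neutral `System.out.println("Generating a premaster secret");`. The method body continues in the next hunk.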
@@ -263,11 +266,17 @@
String s = ((version.v >= ProtocolVersion.TLS12.v) ?
"SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret");
KeyGenerator kg = JsseJce.getKeyGenerator(s);
- kg.init(new TlsRsaPremasterSecretParameterSpec
- (version.major, version.minor));
+ kg.init(new TlsRsaPremasterSecretParameterSpec(
+ version.major, version.minor, encodedSecret), generator);
return kg.generateKey();
- } catch (GeneralSecurityException e) {
- throw new RuntimeException("Could not generate dummy secret", e);
+ } catch (InvalidAlgorithmParameterException |
+ NoSuchAlgorithmException iae) {
+ // unlikely to happen, otherwise, must be a provider exception
+ if (debug != null && Debug.isOn("handshake")) {
+ System.out.println("RSA premaster secret generation error:");
+ iae.printStackTrace(System.out);
+ }
+ throw new RuntimeException("Could not generate dummy secret", iae);
}
}
--- a/jdk/src/share/classes/sun/security/tools/jarsigner/Main.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/tools/jarsigner/Main.java Mon Oct 07 11:32:48 2013 +0100
@@ -158,8 +158,13 @@
private String altSignerClasspath = null;
private ZipFile zipFile = null;
+ // Informational warnings
+ private boolean hasExpiringCert = false;
+ private boolean noTimestamp = false;
+ private Date expireDate = new Date(0L); // used in noTimestamp warning
+
+ // Severe warnings
private boolean hasExpiredCert = false;
- private boolean hasExpiringCert = false;
private boolean notYetValidCert = false;
private boolean chainNotValidated = false;
private boolean notSignedByAlias = false;
@@ -258,9 +263,6 @@
if (strict) {
int exitCode = 0;
- if (hasExpiringCert) {
- exitCode |= 2;
- }
if (chainNotValidated || hasExpiredCert || notYetValidCert) {
exitCode |= 4;
}
@@ -754,14 +756,25 @@
System.out.println(rb.getString(
"jar.is.unsigned.signatures.missing.or.not.parsable."));
} else {
- System.out.println(rb.getString("jar.verified."));
- if (hasUnsignedEntry || hasExpiredCert || hasExpiringCert ||
- badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
- notYetValidCert || chainNotValidated ||
- aliasNotInStore || notSignedByAlias) {
+ boolean warningAppeared = false;
+ boolean errorAppeared = false;
+ if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
+ notYetValidCert || chainNotValidated || hasExpiredCert ||
+ hasUnsignedEntry ||
+ aliasNotInStore || notSignedByAlias) {
- System.out.println();
- System.out.println(rb.getString("Warning."));
+ if (strict) {
+ System.out.println(rb.getString("jar.verified.with.signer.errors."));
+ System.out.println();
+ System.out.println(rb.getString("Error."));
+ errorAppeared = true;
+ } else {
+ System.out.println(rb.getString("jar.verified."));
+ System.out.println();
+ System.out.println(rb.getString("Warning."));
+ warningAppeared = true;
+ }
+
if (badKeyUsage) {
System.out.println(
rb.getString("This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
@@ -785,10 +798,6 @@
System.out.println(rb.getString(
"This.jar.contains.entries.whose.signer.certificate.has.expired."));
}
- if (hasExpiringCert) {
- System.out.println(rb.getString(
- "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months."));
- }
if (notYetValidCert) {
System.out.println(rb.getString(
"This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid."));
@@ -807,10 +816,29 @@
if (aliasNotInStore) {
System.out.println(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore."));
}
+ } else {
+ System.out.println(rb.getString("jar.verified."));
+ }
+ if (hasExpiringCert || noTimestamp) {
+ if (!warningAppeared) {
+ System.out.println();
+ System.out.println(rb.getString("Warning."));
+ warningAppeared = true;
+ }
+ if (hasExpiringCert) {
+ System.out.println(rb.getString(
+ "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months."));
+ }
+ if (noTimestamp) {
+ System.out.println(
+ String.format(rb.getString("no.timestamp.verifying"), expireDate));
+ }
+ }
+ if (warningAppeared || errorAppeared) {
if (! (verbose != null && showcerts)) {
System.out.println();
System.out.println(rb.getString(
- "Re.run.with.the.verbose.and.certs.options.for.more.details."));
+ "Re.run.with.the.verbose.and.certs.options.for.more.details."));
}
}
}
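Review bot: `String.format(rb.getString("no.timestamp.verifying"), expireDate)` requires the resource value to be a `java.util.Formatter` pattern (`%1$tY-%1$tm-%1$td` in the Resources.java hunk). The other parameterised entry visible in that bundle, "entry was signed on {0}", uses `MessageFormat` syntax. A translator or maintainer who follows the `{0}` convention would make this call print the pattern literally, so a comment at the call site or next to the key is worth adding, e.g. `// value is a String.format pattern (%1$t...), not MessageFormat`. The same applies to `no.timestamp.signing` in the `@@ -1416` hunk. The English text for `no.timestamp.verifying` also reads "signatures that does not include a timestamp" and should be "do not include".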
@@ -870,6 +898,9 @@
try {
boolean printValidity = true;
if (timestamp == null) {
+ if (expireDate.getTime() == 0 || expireDate.after(notAfter)) {
+ expireDate = notAfter;
+ }
x509Cert.checkValidity();
// test if cert will expire within six months
if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) {
@@ -1233,6 +1264,10 @@
tsaCert = getTsaCert(tsaAlias);
}
+ if (tsaUrl == null && tsaCert == null) {
+ noTimestamp = true;
+ }
+
SignatureFile.Block block = null;
try {
@@ -1380,12 +1415,20 @@
}
}
- if (hasExpiredCert || hasExpiringCert || notYetValidCert
- || badKeyUsage || badExtendedKeyUsage
- || badNetscapeCertType || chainNotValidated) {
- System.out.println();
+ boolean warningAppeared = false;
+ if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
+ notYetValidCert || chainNotValidated || hasExpiredCert) {
+ if (strict) {
+ System.out.println(rb.getString("jar.signed.with.signer.errors."));
+ System.out.println();
+ System.out.println(rb.getString("Error."));
+ } else {
+ System.out.println(rb.getString("jar.signed."));
+ System.out.println();
+ System.out.println(rb.getString("Warning."));
+ warningAppeared = true;
+ }
- System.out.println(rb.getString("Warning."));
if (badKeyUsage) {
System.out.println(
rb.getString("The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
@@ -1404,9 +1447,6 @@
if (hasExpiredCert) {
System.out.println(
rb.getString("The.signer.certificate.has.expired."));
- } else if (hasExpiringCert) {
- System.out.println(
- rb.getString("The.signer.certificate.will.expire.within.six.months."));
} else if (notYetValidCert) {
System.out.println(
rb.getString("The.signer.certificate.is.not.yet.valid."));
@@ -1416,6 +1456,24 @@
System.out.println(
rb.getString("The.signer.s.certificate.chain.is.not.validated."));
}
+ } else {
+ System.out.println(rb.getString("jar.signed."));
+ }
+ if (hasExpiringCert || noTimestamp) {
+ if (!warningAppeared) {
+ System.out.println();
+ System.out.println(rb.getString("Warning."));
+ }
+
+ if (hasExpiringCert) {
+ System.out.println(
+ rb.getString("The.signer.certificate.will.expire.within.six.months."));
+ }
+
+ if (noTimestamp) {
+ System.out.println(
+ String.format(rb.getString("no.timestamp.signing"), expireDate));
+ }
}
// no IOException thrown in the above try clause, so disable
@@ -1502,6 +1560,7 @@
timestamp = ts.getTimestamp();
} else {
timestamp = null;
+ noTimestamp = true;
}
// display the certificate(s). The first one is end-entity cert and
// its KeyUsage should be checked.
--- a/jdk/src/share/classes/sun/security/tools/jarsigner/Resources.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/classes/sun/security/tools/jarsigner/Resources.java Mon Oct 07 11:32:48 2013 +0100
@@ -135,7 +135,10 @@
{".Unsigned.entries.", "(Unsigned entries)"},
{"jar.is.unsigned.signatures.missing.or.not.parsable.",
"jar is unsigned. (signatures missing or not parsable)"},
+ {"jar.signed.", "jar signed."},
+ {"jar.signed.with.signer.errors.", "jar signed, with signer errors."},
{"jar.verified.", "jar verified."},
+ {"jar.verified.with.signer.errors.", "jar verified, with signer errors."},
{"jarsigner.", "jarsigner: "},
{"signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.",
"signature filename must consist of the following characters: A-Z, 0-9, _ or -"},
@@ -193,6 +196,7 @@
"using an alternative signing mechanism"},
{"entry.was.signed.on", "entry was signed on {0}"},
{"Warning.", "Warning: "},
+ {"Error.", "Error: "},
{"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
"This jar contains unsigned entries which have not been integrity-checked. "},
{"This.jar.contains.entries.whose.signer.certificate.has.expired.",
@@ -229,6 +233,10 @@
"The signer's certificate chain is not validated."},
{"This.jar.contains.entries.whose.certificate.chain.is.not.validated.",
"This jar contains entries whose certificate chain is not validated."},
+ {"no.timestamp.signing",
+ "No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td) or after any future revocation date."},
+ {"no.timestamp.verifying",
+ "This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td) or after any future revocation date."},
{"Unknown.password.type.", "Unknown password type: "},
{"Cannot.find.environment.variable.",
"Cannot find environment variable: "},
--- a/jdk/src/share/lib/security/java.security-linux Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/lib/security/java.security-linux Mon Oct 07 11:32:48 2013 +0100
@@ -182,6 +182,7 @@
com.sun.istack.internal.,\
com.sun.jmx.,\
com.sun.media.sound.,\
+ com.sun.naming.internal.,\
com.sun.proxy.,\
com.sun.org.apache.bcel.internal.,\
com.sun.org.apache.regexp.internal.,\
@@ -204,7 +205,7 @@
com.sun.org.glassfish.,\
com.oracle.xmlns.internal.,\
com.oracle.webservices.internal.,\
- oracle.jrockit.jfr.,\
+ oracle.jrockit.jfr.,\
org.jcp.xml.dsig.internal.,\
jdk.internal.,\
jdk.nashorn.internal.,\
@@ -227,6 +228,7 @@
com.sun.istack.internal.,\
com.sun.jmx.,\
com.sun.media.sound.,\
+ com.sun.naming.internal.,\
com.sun.proxy.,\
com.sun.org.apache.bcel.internal.,\
com.sun.org.apache.regexp.internal.,\
@@ -249,7 +251,7 @@
com.sun.org.glassfish.,\
com.oracle.xmlns.internal.,\
com.oracle.webservices.internal.,\
- oracle.jrockit.jfr.,\
+ oracle.jrockit.jfr.,\
org.jcp.xml.dsig.internal.,\
jdk.internal.,\
jdk.nashorn.internal.,\
--- a/jdk/src/share/lib/security/java.security-macosx Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/lib/security/java.security-macosx Mon Oct 07 11:32:48 2013 +0100
@@ -183,6 +183,7 @@
com.sun.istack.internal.,\
com.sun.jmx.,\
com.sun.media.sound.,\
+ com.sun.naming.internal.,\
com.sun.proxy.,\
com.sun.org.apache.bcel.internal.,\
com.sun.org.apache.regexp.internal.,\
@@ -228,6 +229,7 @@
com.sun.istack.internal.,\
com.sun.jmx.,\
com.sun.media.sound.,\
+ com.sun.naming.internal.,\
com.sun.proxy.,\
com.sun.org.apache.bcel.internal.,\
com.sun.org.apache.regexp.internal.,\
--- a/jdk/src/share/lib/security/java.security-solaris Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/lib/security/java.security-solaris Mon Oct 07 11:32:48 2013 +0100
@@ -184,6 +184,7 @@
com.sun.istack.internal.,\
com.sun.jmx.,\
com.sun.media.sound.,\
+ com.sun.naming.internal.,\
com.sun.proxy.,\
com.sun.org.apache.bcel.internal.,\
com.sun.org.apache.regexp.internal.,\
@@ -206,7 +207,7 @@
com.sun.org.glassfish.,\
com.oracle.xmlns.internal.,\
com.oracle.webservices.internal.,\
- oracle.jrockit.jfr.,\
+ oracle.jrockit.jfr.,\
org.jcp.xml.dsig.internal.,\
jdk.internal.,\
jdk.nashorn.internal.,\
@@ -228,6 +229,7 @@
com.sun.istack.internal.,\
com.sun.jmx.,\
com.sun.media.sound.,\
+ com.sun.naming.internal.,\
com.sun.proxy.,\
com.sun.org.apache.bcel.internal.,\
com.sun.org.apache.regexp.internal.,\
@@ -250,7 +252,7 @@
com.sun.org.glassfish.,\
com.oracle.xmlns.internal.,\
com.oracle.webservices.internal.,\
- oracle.jrockit.jfr.,\
+ oracle.jrockit.jfr.,\
org.jcp.xml.dsig.internal.,\
jdk.internal.,\
jdk.nashorn.internal.,\
--- a/jdk/src/share/lib/security/java.security-windows Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/lib/security/java.security-windows Mon Oct 07 11:32:48 2013 +0100
@@ -183,6 +183,7 @@
com.sun.istack.internal.,\
com.sun.jmx.,\
com.sun.media.sound.,\
+ com.sun.naming.internal.,\
com.sun.proxy.,\
com.sun.org.apache.bcel.internal.,\
com.sun.org.apache.regexp.internal.,\
@@ -205,7 +206,7 @@
com.sun.org.glassfish.,\
com.oracle.xmlns.internal.,\
com.oracle.webservices.internal.,\
- oracle.jrockit.jfr.,\
+ oracle.jrockit.jfr.,\
org.jcp.xml.dsig.internal.,\
jdk.internal.,\
jdk.nashorn.internal.,\
@@ -228,6 +229,7 @@
com.sun.istack.internal.,\
com.sun.jmx.,\
com.sun.media.sound.,\
+ com.sun.naming.internal.,\
com.sun.proxy.,\
com.sun.org.apache.bcel.internal.,\
com.sun.org.apache.regexp.internal.,\
@@ -250,7 +252,7 @@
com.sun.org.glassfish.,\
com.oracle.xmlns.internal.,\
com.oracle.webservices.internal.,\
- oracle.jrockit.jfr.,\
+ oracle.jrockit.jfr.,\
org.jcp.xml.dsig.internal.,\
jdk.internal.,\
jdk.nashorn.internal.,\
--- a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.c Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.c Mon Oct 07 11:32:48 2013 +0100
@@ -111,8 +111,9 @@
int
SplashIsStillLooping(Splash * splash)
{
- if (splash->currentFrame < 0)
+ if (splash->currentFrame < 0) {
return 0;
+ }
return splash->loopCount != 1 ||
splash->currentFrame + 1 < splash->frameCount;
}
@@ -121,17 +122,22 @@
SplashUpdateScreenData(Splash * splash)
{
ImageRect srcRect, dstRect;
+ if (splash->currentFrame < 0) {
+ return;
+ }
initRect(&srcRect, 0, 0, splash->width, splash->height, 1,
splash->width * sizeof(rgbquad_t),
splash->frames[splash->currentFrame].bitmapBits, &splash->imageFormat);
- if (splash->screenData)
+ if (splash->screenData) {
free(splash->screenData);
+ }
splash->screenStride = splash->width * splash->screenFormat.depthBytes;
- if (splash->byteAlignment > 1)
+ if (splash->byteAlignment > 1) {
splash->screenStride =
(splash->screenStride + splash->byteAlignment - 1) &
~(splash->byteAlignment - 1);
+ }
splash->screenData = malloc(splash->height * splash->screenStride);
initRect(&dstRect, 0, 0, splash->width, splash->height, 1,
splash->screenStride, splash->screenData, &splash->screenFormat);
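Review bot: The result of `splash->screenData = malloc(splash->height * splash->screenStride);` is passed straight to `initRect` as the destination buffer without a NULL check, and the size multiplication is not checked for overflow. The new `currentFrame < 0` guard closes one invalid-index path, but an allocation failure or an oversized image still reaches the conversion that follows, which is outside this hunk. A minimal guard would be `if (splash->screenData == NULL) { return; }` right after the malloc. Whether later code tolerates a NULL `screenData` should be confirmed, since the rest of the function is not visible here.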
@@ -146,16 +152,19 @@
void
SplashNextFrame(Splash * splash)
{
- if (splash->currentFrame < 0)
+ if (splash->currentFrame < 0) {
return;
+ }
do {
- if (!SplashIsStillLooping(splash))
+ if (!SplashIsStillLooping(splash)) {
return;
+ }
splash->time += splash->frames[splash->currentFrame].delay;
if (++splash->currentFrame >= splash->frameCount) {
splash->currentFrame = 0;
- if (splash->loopCount > 0)
+ if (splash->loopCount > 0) {
splash->loopCount--;
+ }
}
} while (splash->time + splash->frames[splash->currentFrame].delay -
SplashTime() <= 0);
@@ -183,8 +192,9 @@
pSrc += pSrcRect->depthBytes;
++i;
}
- if (i >= pSrcRect->numSamples)
+ if (i >= pSrcRect->numSamples) {
break;
+ }
i0 = i;
while (i < pSrcRect->numSamples &&
getRGBA(pSrc, pSrcRect->format) >= ALPHA_THRESHOLD) {
--- a/jdk/src/share/native/sun/font/layout/LookupProcessor.cpp Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/native/sun/font/layout/LookupProcessor.cpp Mon Oct 07 11:32:48 2013 +0100
@@ -138,7 +138,7 @@
le_int32 LookupProcessor::selectLookups(const LEReferenceTo<FeatureTable> &featureTable, FeatureMask featureMask, le_int32 order, LEErrorCode &success)
{
le_uint16 lookupCount = featureTable.isValid()? SWAPW(featureTable->lookupCount) : 0;
- le_int32 store = order;
+ le_uint32 store = (le_uint32)order;
LEReferenceToArrayOf<le_uint16> lookupListIndexArray(featureTable, success, featureTable->lookupListIndexArray, lookupCount);
@@ -147,6 +147,9 @@
if (lookupListIndex >= lookupSelectCount) {
continue;
}
+ if (store >= lookupOrderCount) {
+ continue;
+ }
lookupSelectArray[lookupListIndex] |= featureMask;
lookupOrderArray[store++] = lookupListIndex;
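Review bot: The new bound check uses `continue`, but `store` only grows inside this loop, so once `store >= lookupOrderCount` is true every remaining iteration is skipped too. `if (store >= lookupOrderCount) { break; }` states that directly. Entries past the capacity are dropped silently and `success` is left untouched, so a font whose feature tables reference more lookups than were counted is laid out with a truncated lookup list and no diagnostic. Consider setting `success` to an error code here so callers can tell. The loop header is outside the hunk.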
@@ -246,7 +249,7 @@
if (requiredFeatureIndex != 0xFFFF) {
requiredFeatureTable = featureListTable->getFeatureTable(featureListTable, requiredFeatureIndex, &requiredFeatureTag, success);
- featureReferences += SWAPW(featureTable->lookupCount);
+ featureReferences += SWAPW(requiredFeatureTable->lookupCount);
}
lookupOrderArray = LE_NEW_ARRAY(le_uint16, featureReferences);
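Review bot: `requiredFeatureTable->lookupCount` is read immediately after `getFeatureTable(..., success)` without checking that the lookup succeeded. selectLookups in this same file guards the equivalent read with `featureTable.isValid()? SWAPW(featureTable->lookupCount) : 0`. Assuming `requiredFeatureTable` is the same `LEReferenceTo<FeatureTable>` type (its declaration is outside the hunk), I would match that: `if (requiredFeatureTable.isValid()) { featureReferences += SWAPW(requiredFeatureTable->lookupCount); }`. The count matters more now that the `@@ -254` hunk uses `featureReferences` as the bound `lookupOrderCount`.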
@@ -254,6 +257,7 @@
success = LE_MEMORY_ALLOCATION_ERROR;
return;
}
+ lookupOrderCount = featureReferences;
for (le_int32 f = 0; f < featureMapCount; f += 1) {
FeatureMap fm = featureMap[f];
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/cmsintrp.c Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/share/native/sun/java2d/cmm/lcms/cmsintrp.c Mon Oct 07 11:32:48 2013 +0100
@@ -215,6 +215,11 @@
Output[0] = LinearInterp(rest, y0, y1);
}
+// To prevent out of bounds indexing
+cmsINLINE cmsFloat32Number fclamp(cmsFloat32Number v)
+{
+ return v < 0.0f ? 0.0f : (v > 1.0f ? 1.0f : v);
+}
// Floating-point version of 1D interpolation
static
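Review bot: `fclamp` returns NaN unchanged, because both `v < 0.0f` and `v > 1.0f` are false for NaN, so the "prevent out of bounds indexing" guarantee in its comment does not hold for that input. The callers in the following hunks multiply the result by `p->Domain[n]` and pass it to `floor`/`_cmsQuickFloor` with an `(int)` cast, which gives an unspecified index for NaN. Writing the test the other way round maps NaN to 0 without needing `isnan`: `return (v > 0.0f) ? ((v < 1.0f) ? v : 1.0f) : 0.0f;`. Whether NaN can actually reach these evaluators from profile data is not visible here, but the helper is the natural place to rule it out.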
@@ -227,13 +232,15 @@
int cell0, cell1;
const cmsFloat32Number* LutTable = (cmsFloat32Number*) p ->Table;
+ val2 = fclamp(Value[0]);
+
// if last value...
- if (Value[0] == 1.0) {
+ if (val2 == 1.0) {
Output[0] = LutTable[p -> Domain[0]];
return;
}
- val2 = p -> Domain[0] * Value[0];
+ val2 *= p -> Domain[0];
cell0 = (int) floor(val2);
cell1 = (int) ceil(val2);
@@ -292,13 +299,15 @@
cmsUInt32Number OutChan;
const cmsFloat32Number* LutTable = (cmsFloat32Number*) p ->Table;
+ val2 = fclamp(Value[0]);
+
// if last value...
- if (Value[0] == 1.0) {
+ if (val2 == 1.0) {
Output[0] = LutTable[p -> Domain[0]];
return;
}
- val2 = p -> Domain[0] * Value[0];
+ val2 *= p -> Domain[0];
cell0 = (int) floor(val2);
cell1 = (int) ceil(val2);
@@ -339,8 +348,8 @@
dxy;
TotalOut = p -> nOutputs;
- px = Input[0] * p->Domain[0];
- py = Input[1] * p->Domain[1];
+ px = fclamp(Input[0]) * p->Domain[0];
+ py = fclamp(Input[1]) * p->Domain[1];
x0 = (int) _cmsQuickFloor(px); fx = px - (cmsFloat32Number) x0;
y0 = (int) _cmsQuickFloor(py); fy = py - (cmsFloat32Number) y0;
@@ -454,20 +463,9 @@
TotalOut = p -> nOutputs;
// We need some clipping here
- px = Input[0];
- py = Input[1];
- pz = Input[2];
-
- if (px < 0) px = 0;
- if (px > 1) px = 1;
- if (py < 0) py = 0;
- if (py > 1) py = 1;
- if (pz < 0) pz = 0;
- if (pz > 1) pz = 1;
-
- px *= p->Domain[0];
- py *= p->Domain[1];
- pz *= p->Domain[2];
+ px = fclamp(Input[0]) * p->Domain[0];
+ py = fclamp(Input[1]) * p->Domain[1];
+ pz = fclamp(Input[2]) * p->Domain[2];
x0 = (int) _cmsQuickFloor(px); fx = px - (cmsFloat32Number) x0;
y0 = (int) _cmsQuickFloor(py); fy = py - (cmsFloat32Number) y0;
@@ -609,20 +607,9 @@
TotalOut = p -> nOutputs;
// We need some clipping here
- px = Input[0];
- py = Input[1];
- pz = Input[2];
-
- if (px < 0) px = 0;
- if (px > 1) px = 1;
- if (py < 0) py = 0;
- if (py > 1) py = 1;
- if (pz < 0) pz = 0;
- if (pz > 1) pz = 1;
-
- px *= p->Domain[0];
- py *= p->Domain[1];
- pz *= p->Domain[2];
+ px = fclamp(Input[0]) * p->Domain[0];
+ py = fclamp(Input[1]) * p->Domain[1];
+ pz = fclamp(Input[2]) * p->Domain[2];
x0 = (int) _cmsQuickFloor(px); rx = (px - (cmsFloat32Number) x0);
y0 = (int) _cmsQuickFloor(py); ry = (py - (cmsFloat32Number) y0);
@@ -1039,8 +1026,7 @@
cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
cmsInterpParams p1;
-
- pk = Input[0] * p->Domain[0];
+ pk = fclamp(Input[0]) * p->Domain[0];
k0 = _cmsQuickFloor(pk);
rest = pk - (cmsFloat32Number) k0;
@@ -1127,7 +1113,7 @@
cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
cmsInterpParams p1;
- pk = Input[0] * p->Domain[0];
+ pk = fclamp(Input[0]) * p->Domain[0];
k0 = _cmsQuickFloor(pk);
rest = pk - (cmsFloat32Number) k0;
@@ -1214,7 +1200,7 @@
cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
cmsInterpParams p1;
- pk = Input[0] * p->Domain[0];
+ pk = fclamp(Input[0]) * p->Domain[0];
k0 = _cmsQuickFloor(pk);
rest = pk - (cmsFloat32Number) k0;
@@ -1299,7 +1285,7 @@
cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
cmsInterpParams p1;
- pk = Input[0] * p->Domain[0];
+ pk = fclamp(Input[0]) * p->Domain[0];
k0 = _cmsQuickFloor(pk);
rest = pk - (cmsFloat32Number) k0;
@@ -1384,7 +1370,7 @@
cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
cmsInterpParams p1;
- pk = Input[0] * p->Domain[0];
+ pk = fclamp(Input[0]) * p->Domain[0];
k0 = _cmsQuickFloor(pk);
rest = pk - (cmsFloat32Number) k0;
--- a/jdk/src/solaris/native/sun/awt/splashscreen/splashscreen_sys.c Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/src/solaris/native/sun/awt/splashscreen/splashscreen_sys.c Mon Oct 07 11:32:48 2013 +0100
@@ -577,8 +577,8 @@
SplashUnlock(splash);
rc = poll(pfd, 2, timeout);
SplashLock(splash);
- if (splash->isVisible>0 && SplashTime() >= splash->time +
- splash->frames[splash->currentFrame].delay) {
+ if (splash->isVisible > 0 && splash->currentFrame >= 0 &&
+ SplashTime() >= splash->time + splash->frames[splash->currentFrame].delay) {
SplashNextFrame(splash);
SplashUpdateShape(splash);
SplashRedrawWindow(splash);
--- a/jdk/test/java/lang/SecurityManager/CheckPackageAccess.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/test/java/lang/SecurityManager/CheckPackageAccess.java Mon Oct 07 11:32:48 2013 +0100
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 6741606 7146431 8000450 8019830
+ * @bug 6741606 7146431 8000450 8019830 8022945
* @summary Make sure all restricted packages listed in the package.access
* property in the java.security file are blocked
* @run main/othervm CheckPackageAccess
@@ -55,6 +55,7 @@
"com.sun.istack.internal.",
"com.sun.jmx.",
"com.sun.media.sound.",
+ "com.sun.naming.internal.",
"com.sun.proxy.",
"com.sun.org.apache.bcel.internal.",
"com.sun.org.apache.regexp.internal.",
--- a/jdk/test/sun/security/tools/jarsigner/TimestampCheck.java Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/test/sun/security/tools/jarsigner/TimestampCheck.java Mon Oct 07 11:32:48 2013 +0100
@@ -239,13 +239,13 @@
" -J-Djava.security.egd=file:/dev/./urandom" +
" -debug -keystore " + TSKS + " -storepass changeit" +
" -tsa http://localhost:" + port + "/%d" +
- " -signedjar new.jar " + JAR + " old";
+ " -signedjar new_%d.jar " + JAR + " old";
} else {
cmd = System.getProperty("java.home") + "/bin/jarsigner" +
" -J-Djava.security.egd=file:/dev/./urandom" +
" -debug -keystore " + TSKS + " -storepass changeit" +
" -tsa http://localhost:" + port + "/%d" +
- " -signedjar new.jar " + JAR + " old";
+ " -signedjar new_%d.jar " + JAR + " old";
}
try {
@@ -280,7 +280,7 @@
static void jarsigner(String cmd, int path, boolean expected)
throws Exception {
System.err.println("Test " + path);
- Process p = Runtime.getRuntime().exec(String.format(cmd, path));
+ Process p = Runtime.getRuntime().exec(String.format(cmd, path, path));
BufferedReader reader = new BufferedReader(
new InputStreamReader(p.getErrorStream()));
while (true) {
@@ -288,9 +288,25 @@
if (s == null) break;
System.err.println(s);
}
+
+ // Will not see noTimestamp warning
+ boolean seeWarning = false;
+ reader = new BufferedReader(
+ new InputStreamReader(p.getInputStream()));
+ while (true) {
+ String s = reader.readLine();
+ if (s == null) break;
+ System.err.println(s);
+ if (s.indexOf("Warning:") >= 0) {
+ seeWarning = true;
+ }
+ }
int result = p.waitFor();
if (expected && result != 0 || !expected && result == 0) {
throw new Exception("Failed");
}
+ if (seeWarning) {
+ throw new Exception("See warning");
+ }
}
}
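Review bot: The new loop opens `p.getInputStream()` only after the stderr loop above has read to EOF, so a child that writes enough to stdout before closing stderr would block on a full pipe and the test would hang rather than fail. The output here is probably short enough that this does not occur today, but merging the streams at launch with `ProcessBuilder.redirectErrorStream(true)` and keeping one read loop avoids the ordering problem; the `Warning:` check would then also cover stderr. The comment `// Will not see noTimestamp warning` reads as a prediction and would be clearer as `// jarsigner must not print any "Warning:" line on stdout for these runs`. `new Exception("See warning")` would be easier to triage as `new Exception("Unexpected jarsigner warning in test " + path)`. The start of `jarsigner` is in the previous hunk.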
--- a/jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh Mon Oct 07 11:32:48 2013 +0100
@@ -139,7 +139,6 @@
# 16 and 32 already covered in the first part
# ==========================================================
-$KT -genkeypair -alias expiring -dname CN=expiring -startdate -1m
$KT -genkeypair -alias expired -dname CN=expired -startdate -10m
$KT -genkeypair -alias notyetvalid -dname CN=notyetvalid -startdate +1m
$KT -genkeypair -alias badku -dname CN=badku -ext KU=cRLSign -validity 365
@@ -154,9 +153,6 @@
$KT -importcert -alias badchain
$KT -delete -alias ca
-$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expiring
-[ $? = 2 ] || exit $LINENO
-
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expired
[ $? = 4 ] || exit $LINENO
--- a/jdk/test/sun/security/tools/jarsigner/ts.sh Mon Oct 07 11:31:37 2013 +0100
+++ b/jdk/test/sun/security/tools/jarsigner/ts.sh Mon Oct 07 11:32:48 2013 +0100
@@ -22,7 +22,7 @@
#
# @test
-# @bug 6543842 6543440 6939248 8009636
+# @bug 6543842 6543440 6939248 8009636 8024302
# @summary checking response of timestamp
#
# @run shell/timeout=600 ts.sh
@@ -53,7 +53,7 @@
JAR="${TESTJAVA}${FS}bin${FS}jar"
JAVA="${TESTJAVA}${FS}bin${FS}java"
JAVAC="${TESTJAVA}${FS}bin${FS}javac"
-KT="${TESTJAVA}${FS}bin${FS}keytool -keystore tsks -storepass changeit -keypass changeit"
+KT="${TESTJAVA}${FS}bin${FS}keytool -keystore tsks -storepass changeit -keypass changeit -validity 200"
rm tsks
echo Nothing > A
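Review bot: The added `-validity 200` on the `KT=` line has no explanation, and the number looks arbitrary without the other half of this commit. It is presumably there so the test certificates stay outside jarsigner's "will expire" window, since TimestampCheck.java now fails on any `Warning:` line and warnings.sh in this commit uses `-validity 100` to provoke that warning. A comment above the assignment would tie the two together, e.g. `# -validity 200: keep certs out of the expiring-soon window; TimestampCheck fails on any warning`.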
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/tools/jarsigner/warnings.sh Mon Oct 07 11:32:48 2013 +0100
@@ -0,0 +1,117 @@
+#
+# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# @test
+# @bug 8024302
+# @summary Clarify jar verifications
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+ JAVAC_CMD=`which javac`
+ TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+ Windows_* )
+ FS="\\"
+ ;;
+ * )
+ FS="/"
+ ;;
+esac
+
+KS=warnings.jks
+JFILE=warnings.jar
+
+KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit \
+ -keystore $KS"
+JAR=$TESTJAVA${FS}bin${FS}jar
+JARSIGNER="$TESTJAVA${FS}bin${FS}jarsigner -keystore $KS -storepass changeit"
+
+rm $KS 2> /dev/null
+
+export LANG=C
+
+echo 12345 > file
+
+ERR=""
+
+# Normal signer expiring on 2100-01-01
+$KT -alias s1 -dname CN=s1 -genkey -startdate 2000/01/01 -validity 36525 || ERR="$ERR keytool s1,"
+# Cert expiring soon, informational warning
+$KT -alias s2 -dname CN=s2 -genkey -validity 100 || ERR="$ERR keytool s2,"
+# Cert expired, severe warning
+$KT -alias s3 -dname CN=s3 -genkey -startdate -200d -validity 100 || ERR="$ERR keytool s3,"
+
+# noTimestamp is informatiional warning and includes a date
+$JAR cvf $JFILE file
+$JARSIGNER $JFILE s1 > output1 || ERR="$ERR jarsigner s1,"
+$JARSIGNER -strict $JFILE s1 >> output1 || ERR="$ERR jarsigner s1 strict,"
+$JARSIGNER -verify $JFILE s1 >> output1 || ERR="$ERR jarsigner s1,"
+$JARSIGNER -verify -strict $JFILE s1 >> output1 || ERR="$ERR jarsigner s1 strict,"
+
+cat output1 | grep Warning || ERR="$ERR s1 warning,"
+cat output1 | grep Error && ERR="$ERR s1 error,"
+cat output1 | grep timestamp | grep 2100-01-01 || ERR="$ERR s1 timestamp,"
+cat output1 | grep "with signer errors" && ERR="$ERR s1 err,"
+
+# hasExpiringCert is informatiional warning
+$JAR cvf $JFILE file
+$JARSIGNER $JFILE s2 > output2 || ERR="$ERR jarsigner s2,"
+$JARSIGNER -strict $JFILE s2 >> output2 || ERR="$ERR jarsigner s2 strict,"
+$JARSIGNER -verify $JFILE s2 >> output2 || ERR="$ERR jarsigner s2,"
+$JARSIGNER -verify -strict $JFILE s2 >> output2 || ERR="$ERR jarsigner s2 strict,"
+
+cat output2 | grep Warning || ERR="$ERR s2 warning,"
+cat output2 | grep Error && ERR="$ERR s2 error,"
+cat output2 | grep timestamp || ERR="$ERR s2 timestamp,"
+cat output2 | grep "will expire" || ERR="$ERR s2 expiring,"
+cat output2 | grep "with signer errors" && ERR="$ERR s2 err,"
+
+# hasExpiredCert is severe warning
+$JAR cvf $JFILE file
+$JARSIGNER $JFILE s3 > output3 || ERR="$ERR jarsigner s3,"
+$JARSIGNER -strict $JFILE s3 > output3s && ERR="$ERR jarsigner s3 strict,"
+$JARSIGNER -verify $JFILE s3 >> output3 || ERR="$ERR jarsigner s3,"
+$JARSIGNER -verify -strict $JFILE s3 >> output3s && ERR="$ERR jarsigner s3 strict,"
+
+# warning without -strict
+cat output3 | grep Warning || ERR="$ERR s3 warning,"
+cat output3 | grep Error && ERR="$ERR s3 error,"
+cat output3 | grep "with signer errors" && ERR="$ERR s3 err,"
+
+# error with -strict
+cat output3s | grep Warning || ERR="$ERR s3s warning,"
+cat output3s | grep Error || ERR="$ERR s3s error,"
+cat output3s | grep "with signer errors" || ERR="$ERR s3 err,"
+
+if [ "$ERR" = "" ]; then
+ exit 0
+else
+ echo "ERR is $ERR"
+ exit 1
+fi
+
+
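Review bot: The two `-strict` runs for `s3` are checked with `&& ERR=...`, which only asserts a non-zero exit, so a jarsigner crash or usage error would pass as "expired cert rejected". concise_jarsigner.sh in this same commit pins the expired case with `[ $? = 4 ]`; the same form here would be `$JARSIGNER -strict $JFILE s3 > output3s; [ $? = 4 ] || ERR="$ERR jarsigner s3 strict,"` (confirm that 4 also applies to `-verify -strict`). Each `outputN` file also collects four invocations, so `grep Warning` passes if any one of them warns; separate files per invocation would show which mode lost its warning. The last check reuses the label `s3 err,` where `s3s err,` is meant, the sign and verify steps share the labels `jarsigner s1,` / `s2,` / `s3,`, and "informatiional" is misspelled in two comments.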