Skip to content

D
dragonwell8_jdk

openanolis / dragonwell8_jdk

通知 4
Star 2
Fork 0
D
dragonwell8_jdk
提交 3c2c9588 编写于 作者: R robm
浏览文件
操作

Merge

上级 b4af5a44 a72c0695
隐藏空白更改
内联 并排
Showing with 1653 addition and 718 deletion
.hgtags
浏览文件 @ 3c2c9588
......@@ -353,9 +353,11 @@ ca1adc7c848370dda8dbf9e3a970c3e6427fb05b jdk8u31-b08
a21dd7999d1e4ba612c951c2c78504d23eb7243a jdk8u31-b11
6a12f34816d2ee12368274fc21225384a8893426 jdk8u31-b12
1fbdd5d80d0671decd8acb5adb64866f609e986f jdk8u31-b13
ced84cf3eebc69f7e04b0098d85dcb3a6b872586 jdk8u31-b31
367c7f061c5831ee54cd197f727e06109a67875b jdk8u31-b14
287e3219f3f531b2f20b50b180802a563a782b26 jdk8u31-b15
ced84cf3eebc69f7e04b0098d85dcb3a6b872586 jdk8u31-b31
46338075c4262057099e57638e0758817052da0d jdk8u31-b32
a1c3099e1b90230435e890ca56adc8a5aa5149ff jdk8u31-b33
e6ed015afbbf3459ba3297e270b4f3170e989c80 jdk8u40-b00
6e223d48080ef40f4ec11ecbcd19b4a20813b9eb jdk8u40-b01
4797cd0713b44b009525f1276d571ade7e24f3f5 jdk8u40-b02
......@@ -384,6 +386,8 @@ d168113f9841a77b3cee3a6a45fcd85b7351ac90 jdk8u40-b22
f0d5cb59b0e6a67fa102465458cc4725c6e59089 jdk8u40-b25
97f258823d7d8ee0ec7d774b79cd30492520cc10 jdk8u40-b26
d4453d784fb6c52e4ed998b167588551e2fd43c5 jdk8u40-b27
5a45234e0fc14ff943e13dc1f8966818acaeb4de jdk8u40-b31
d8ac13c5eafe422d3425dc1aebebfcdf8ca67e2d jdk8u40-b32
1ecc234bd38950a2bc047aa253a5e803f0836a4e jdk8u45-b00
e0c7864bbca3f76cde680722f2ae58dff2bff61d jdk8u45-b01
9505c0392cddbfb905401e9fccc23262edc3254f jdk8u45-b02
......@@ -399,6 +403,26 @@ c669323bd55ac59ad26c7ee4f47a6daefc82af8e jdk8u45-b11
6a8f9512afa687632f0a0d881bbdb446d984a74c jdk8u45-b12
55a75b0db87693e1e186752f553c337cb035a38e jdk8u45-b13
20e6cadfac43717a81d99daff5e769de695992cd jdk8u45-b14
7087623dfa7033f8738d537864e4bac6b8528172 jdk8u45-b15
c7fbbf6133c339fb56f03241de28666774023d5d jdk8u45-b31
ea547c5a1217fe7916f366950d0e3156e4225aa5 jdk8u45-b32
ac97b69b88e37c18c1b077be8b1f100b6803fea5 jdk8u51-b00
2e0732282470f7a02d57af5fc8542efa9db7b3e4 jdk8u51-b01
cc75137936f9a8e97017e7e18b1064b76238116f jdk8u51-b02
f732971e3d20664164a3797cf0b1a4cb80470959 jdk8u51-b03
6d6c0c93e822dc0e37d657060488de934ac2eb4c jdk8u51-b04
7d9a58baae72804f0852890cf9fc75e6a759b608 jdk8u51-b05
93e6b2bbc9ff46b3fea1fe89b810259d150a9fc4 jdk8u51-b06
286b9a885fcc6245fdf2b20697473ec3b35f2538 jdk8u51-b07
f7da0b943b9381aaf378d0c7b337dd7654335293 jdk8u51-b08
7e8459e7a45cb5b49de376893e3a95bfa92d0325 jdk8u51-b09
dcc75a75d3a30270fbf52d0d0b0504319882e419 jdk8u51-b10
3ed614d4eee7c3225d48ed7c90622dd888cd143e jdk8u51-b11
0010682d9a2b81daf7c08239161f7c2a91977299 jdk8u51-b12
217fa7205549d196c60f814bf3fc9795d756f493 jdk8u51-b13
b7403e15864dc0c1f9740d66af91bddb3e2215e8 jdk8u51-b14
192bda44c0c463104c96058bb815a546b282ca43 jdk8u51-b15
ee86422973691bb7efae58d201e5a382ea0bb150 jdk8u51-b16
5c31204d19e5976f025026db3d5c17331e8c44db jdk8u60-b00
c46daef6edb5385d11876ed40f292a4b62e96867 jdk8u60-b01
c10fd784956cc7099657181029ac3e790267b678 jdk8u60-b02
......@@ -422,3 +446,4 @@ b2c55ff77112321472ec97c3a6931a999837d183 jdk8u60-b19
cc6c74b164dfd0636d9dba8f9865baa18a6f2338 jdk8u60-b20
63c9cedeeb9d0de656969f3deed7ddafae11754a jdk8u60-b21
e9f82302d5fdef8a0976640e09363895e9dcde3c jdk8u60-b22
c4b37246b92736adf5f40c785aabb67a7d227245 jdk8u60-b23
src/macosx/bin/java_md_macosx.c
浏览文件 @ 3c2c9588
......@@ -616,7 +616,11 @@ GetJREPath(char *path, jint pathsize, const char * arch, jboolean speculative)
if (access(libjava, F_OK) == 0) {
return JNI_TRUE;
}
/* ensure storage for path + /jre + NULL */
if ((JLI_StrLen(path) + 4 + 1) > pathsize) {
JLI_TraceLauncher("Insufficient space to store JRE path\n");
return JNI_FALSE;
}
/* Does the app ship a private JRE in <apphome>/jre directory? */
JLI_Snprintf(libjava, sizeof(libjava), "%s/jre/lib/" JAVA_DLL, path);
if (access(libjava, F_OK) == 0) {
......
src/share/classes/com/sun/crypto/provider/AESCrypt.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -37,7 +37,7 @@
package com.sun.crypto.provider;
import java.security.InvalidKeyException;
import java.util.Arrays;
import java.security.MessageDigest;
/**
* Rijndael --pronounced Reindaal-- is a symmetric cipher with a 128-bit
......@@ -88,7 +88,7 @@ final class AESCrypt extends SymmetricCipher implements AESConstants
key.length + " bytes");
}
if (!Arrays.equals(key, lastKey)) {
if (!MessageDigest.isEqual(key, lastKey)) {
// re-generate session key 'sessionK' when cipher key changes
makeSessionKey(key);
lastKey = key.clone(); // save cipher key
......
src/share/classes/com/sun/crypto/provider/CipherCore.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -568,7 +568,7 @@ final class CipherCore {
// check key+iv for encryption in GCM mode
requireReinit =
Arrays.equals(ivBytes, lastEncIv) &&
Arrays.equals(keyBytes, lastEncKey);
MessageDigest.isEqual(keyBytes, lastEncKey);
if (requireReinit) {
throw new InvalidAlgorithmParameterException
("Cannot reuse iv for GCM encryption");
......
src/share/classes/com/sun/crypto/provider/DESKey.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -25,6 +25,7 @@
package com.sun.crypto.provider;
import java.security.MessageDigest;
import java.security.KeyRep;
import java.security.InvalidKeyException;
import javax.crypto.SecretKey;
......@@ -113,7 +114,7 @@ final class DESKey implements SecretKey {
return false;
byte[] thatKey = ((SecretKey)obj).getEncoded();
boolean ret = java.util.Arrays.equals(this.key, thatKey);
boolean ret = MessageDigest.isEqual(this.key, thatKey);
java.util.Arrays.fill(thatKey, (byte)0x00);
return ret;
}
......
src/share/classes/com/sun/crypto/provider/DESedeKey.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -25,6 +25,7 @@
package com.sun.crypto.provider;
import java.security.MessageDigest;
import java.security.KeyRep;
import java.security.InvalidKeyException;
import javax.crypto.SecretKey;
......@@ -114,7 +115,7 @@ final class DESedeKey implements SecretKey {
return false;
byte[] thatKey = ((SecretKey)obj).getEncoded();
boolean ret = java.util.Arrays.equals(this.key, thatKey);
boolean ret = MessageDigest.isEqual(this.key, thatKey);
java.util.Arrays.fill(thatKey, (byte)0x00);
return ret;
}
......
src/share/classes/com/sun/crypto/provider/PBEKey.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -25,6 +25,7 @@
package com.sun.crypto.provider;
import java.security.MessageDigest;
import java.security.KeyRep;
import java.security.spec.InvalidKeySpecException;
import java.util.Locale;
......@@ -108,7 +109,7 @@ final class PBEKey implements SecretKey {
return false;
byte[] thatEncoded = that.getEncoded();
boolean ret = java.util.Arrays.equals(this.key, thatEncoded);
boolean ret = MessageDigest.isEqual(this.key, thatEncoded);
java.util.Arrays.fill(thatEncoded, (byte)0x00);
return ret;
}
......
src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -30,6 +30,7 @@ import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.util.Arrays;
import java.security.MessageDigest;
import java.util.Locale;
import java.security.KeyRep;
import java.security.GeneralSecurityException;
......@@ -153,7 +154,7 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
SecretKey sk = (SecretKey)obj;
return prf.getAlgorithm().equalsIgnoreCase(
sk.getAlgorithm()) &&
Arrays.equals(password, sk.getEncoded());
MessageDigest.isEqual(password, sk.getEncoded());
}
};
prf.init(macKey);
......@@ -239,7 +240,7 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
if (!(that.getFormat().equalsIgnoreCase("RAW")))
return false;
byte[] thatEncoded = that.getEncoded();
boolean ret = Arrays.equals(key, that.getEncoded());
boolean ret = MessageDigest.isEqual(key, that.getEncoded());
java.util.Arrays.fill(thatEncoded, (byte)0x00);
return ret;
}
......
src/share/classes/com/sun/jndi/dns/DnsClient.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -184,119 +184,124 @@ public class DnsClient {
Exception caughtException = null;
boolean[] doNotRetry = new boolean[servers.length];
//
// The UDP retry strategy is to try the 1st server, and then
// each server in order. If no answer, double the timeout
// and try each server again.
//
for (int retry = 0; retry < retries; retry++) {
// Try each name server.
for (int i = 0; i < servers.length; i++) {
if (doNotRetry[i]) {
continue;
}
// send the request packet and wait for a response.
try {
if (debug) {
dprint("SEND ID (" + (retry + 1) + "): " + xid);
try {
//
// The UDP retry strategy is to try the 1st server, and then
// each server in order. If no answer, double the timeout
// and try each server again.
//
for (int retry = 0; retry < retries; retry++) {
// Try each name server.
for (int i = 0; i < servers.length; i++) {
if (doNotRetry[i]) {
continue;
}
byte[] msg = null;
msg = doUdpQuery(pkt, servers[i], serverPorts[i],
retry, xid);
//
// If the matching response is not got within the
// given timeout, check if the response was enqueued
// by some other thread, if not proceed with the next
// server or retry.
//
if (msg == null) {
if (resps.size() > 0) {
msg = lookupResponse(xid);
}
if (msg == null) { // try next server or retry
continue;
// send the request packet and wait for a response.
try {
if (debug) {
dprint("SEND ID (" + (retry + 1) + "): " + xid);
}
}
Header hdr = new Header(msg, msg.length);
if (auth && !hdr.authoritative) {
caughtException = new NameNotFoundException(
"DNS response not authoritative");
doNotRetry[i] = true;
continue;
}
if (hdr.truncated) { // message is truncated -- try TCP
// Try each server, starting with the one that just
// provided the truncated message.
for (int j = 0; j < servers.length; j++) {
int ij = (i + j) % servers.length;
if (doNotRetry[ij]) {
byte[] msg = null;
msg = doUdpQuery(pkt, servers[i], serverPorts[i],
retry, xid);
//
// If the matching response is not got within the
// given timeout, check if the response was enqueued
// by some other thread, if not proceed with the next
// server or retry.
//
if (msg == null) {
if (resps.size() > 0) {
msg = lookupResponse(xid);
}
if (msg == null) { // try next server or retry
continue;
}
try {
Tcp tcp =
new Tcp(servers[ij], serverPorts[ij]);
byte[] msg2;
try {
msg2 = doTcpQuery(tcp, pkt);
} finally {
tcp.close();
}
Header hdr2 = new Header(msg2, msg2.length);
if (hdr2.query) {
throw new CommunicationException(
"DNS error: expecting response");
}
Header hdr = new Header(msg, msg.length);
if (auth && !hdr.authoritative) {
caughtException = new NameNotFoundException(
"DNS response not authoritative");
doNotRetry[i] = true;
continue;
}
if (hdr.truncated) { // message is truncated -- try TCP
// Try each server, starting with the one that just
// provided the truncated message.
for (int j = 0; j < servers.length; j++) {
int ij = (i + j) % servers.length;
if (doNotRetry[ij]) {
continue;
}
checkResponseCode(hdr2);
if (!auth || hdr2.authoritative) {
// Got a valid response
hdr = hdr2;
msg = msg2;
break;
} else {
doNotRetry[ij] = true;
try {
Tcp tcp =
new Tcp(servers[ij], serverPorts[ij]);
byte[] msg2;
try {
msg2 = doTcpQuery(tcp, pkt);
} finally {
tcp.close();
}
Header hdr2 = new Header(msg2, msg2.length);
if (hdr2.query) {
throw new CommunicationException(
"DNS error: expecting response");
}
checkResponseCode(hdr2);
if (!auth || hdr2.authoritative) {
// Got a valid response
hdr = hdr2;
msg = msg2;
break;
} else {
doNotRetry[ij] = true;
}
} catch (Exception e) {
// Try next server, or use UDP response
}
} catch (Exception e) {
// Try next server, or use UDP response
}
} // servers
}
return new ResourceRecords(msg, msg.length, hdr, false);
} // servers
}
return new ResourceRecords(msg, msg.length, hdr, false);
} catch (IOException e) {
if (debug) {
dprint("Caught IOException:" + e);
}
if (caughtException == null) {
caughtException = e;
}
// Use reflection to allow pre-1.4 compilation.
// This won't be needed much longer.
if (e.getClass().getName().equals(
"java.net.PortUnreachableException")) {
} catch (IOException e) {
if (debug) {
dprint("Caught IOException:" + e);
}
if (caughtException == null) {
caughtException = e;
}
// Use reflection to allow pre-1.4 compilation.
// This won't be needed much longer.
if (e.getClass().getName().equals(
"java.net.PortUnreachableException")) {
doNotRetry[i] = true;
}
} catch (NameNotFoundException e) {
// This is authoritative, so return immediately
throw e;
} catch (CommunicationException e) {
if (caughtException == null) {
caughtException = e;
}
} catch (NamingException e) {
if (caughtException == null) {
caughtException = e;
}
doNotRetry[i] = true;
}
} catch (NameNotFoundException e) {
throw e;
} catch (CommunicationException e) {
if (caughtException == null) {
caughtException = e;
}
} catch (NamingException e) {
if (caughtException == null) {
caughtException = e;
}
doNotRetry[i] = true;
}
} // servers
} // retries
} // servers
} // retries
} finally {
reqs.remove(xid); // cleanup
}
reqs.remove(xid);
if (caughtException instanceof NamingException) {
throw (NamingException) caughtException;
}
......
src/share/classes/java/io/ObjectInputStream.java
浏览文件 @ 3c2c9588
......@@ -1829,6 +1829,8 @@ public class ObjectInputStream
throws IOException
{
SerialCallbackContext oldContext = curContext;
if (oldContext != null)
oldContext.check();
curContext = null;
try {
boolean blocked = desc.hasBlockExternalData();
......@@ -1853,6 +1855,8 @@ public class ObjectInputStream
skipCustomData();
}
} finally {
if (oldContext != null)
oldContext.check();
curContext = oldContext;
}
/*
......@@ -1883,12 +1887,12 @@ public class ObjectInputStream
ObjectStreamClass slotDesc = slots[i].desc;
if (slots[i].hasData) {
if (obj != null &&
slotDesc.hasReadObjectMethod() &&
handles.lookupException(passHandle) == null)
{
if (obj == null || handles.lookupException(passHandle) != null) {
defaultReadFields(null, slotDesc); // skip field values
} else if (slotDesc.hasReadObjectMethod()) {
SerialCallbackContext oldContext = curContext;
if (oldContext != null)
oldContext.check();
try {
curContext = new SerialCallbackContext(obj, slotDesc);
......@@ -1905,6 +1909,8 @@ public class ObjectInputStream
handles.markException(passHandle, ex);
} finally {
curContext.setUsed();
if (oldContext!= null)
oldContext.check();
curContext = oldContext;
}
......@@ -1917,6 +1923,7 @@ public class ObjectInputStream
} else {
defaultReadFields(obj, slotDesc);
}
if (slotDesc.hasWriteObjectData()) {
skipCustomData();
} else {
......
src/share/classes/java/io/SerialCallbackContext.java
浏览文件 @ 3c2c9588
......@@ -60,6 +60,13 @@ final class SerialCallbackContext {
return desc;
}
public void check() throws NotActiveException {
if (thread != null && thread != Thread.currentThread()) {
throw new NotActiveException(
"expected thread: " + thread + ", but got: " + Thread.currentThread());
}
}
private void checkAndSetUsed() throws NotActiveException {
if (thread != Thread.currentThread()) {
throw new NotActiveException(
......
src/share/classes/java/net/InetAddress.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1995, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -203,16 +203,33 @@ class InetAddress implements java.io.Serializable {
static transient boolean preferIPv6Address = false;
static class InetAddressHolder {
/**
* Reserve the original application specified hostname.
*
* The original hostname is useful for domain-based endpoint
* identification (see RFC 2818 and RFC 6125). If an address
* was created with a raw IP address, a reverse name lookup
* may introduce endpoint identification security issue via
* DNS forging.
*
* Oracle JSSE provider is using this original hostname, via
* sun.misc.JavaNetAccess, for SSL/TLS endpoint identification.
*
* Note: May define a new public method in the future if necessary.
*/
private String originalHostName;
InetAddressHolder() {}
InetAddressHolder(String hostName, int address, int family) {
this.originalHostName = hostName;
this.hostName = hostName;
this.address = address;
this.family = family;
}
void init(String hostName, int family) {
this.originalHostName = hostName;
this.hostName = hostName;
if (family != -1) {
this.family = family;
......@@ -225,6 +242,10 @@ class InetAddress implements java.io.Serializable {
return hostName;
}
String getOriginalHostName() {
return originalHostName;
}
/**
* Holds a 32-bit IPv4 address.
*/
......
src/share/classes/java/net/URLClassLoader.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -774,6 +774,10 @@ public class URLClassLoader extends SecureClassLoader implements Closeable {
public URLClassPath getURLClassPath (URLClassLoader u) {
return u.ucp;
}
public String getOriginalHostName(InetAddress ia) {
return ia.holder.getOriginalHostName();
}
}
);
ClassLoader.registerAsParallelCapable();
......
src/share/classes/java/rmi/server/RemoteObjectInvocationHandler.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -31,6 +31,7 @@ import java.lang.reflect.Proxy;
import java.rmi.Remote;
import java.rmi.UnexpectedException;
import java.rmi.activation.Activatable;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.WeakHashMap;
import sun.rmi.server.Util;
......@@ -56,6 +57,25 @@ public class RemoteObjectInvocationHandler
{
private static final long serialVersionUID = 2L;
// set to true if invocation handler allows finalize method (legacy behavior)
private static final boolean allowFinalizeInvocation;
static {
String propName = "sun.rmi.server.invocationhandler.allowFinalizeInvocation";
String allowProp = java.security.AccessController.doPrivileged(
new PrivilegedAction<String>() {
@Override
public String run() {
return System.getProperty(propName);
}
});
if ("".equals(allowProp)) {
allowFinalizeInvocation = true;
} else {
allowFinalizeInvocation = Boolean.parseBoolean(allowProp);
}
}
/**
* A weak hash map, mapping classes to weak hash maps that map
* method objects to method hashes.
......@@ -144,6 +164,9 @@ public class RemoteObjectInvocationHandler
{
if (method.getDeclaringClass() == Object.class) {
return invokeObjectMethod(proxy, method, args);
} else if ("finalize".equals(method.getName()) && method.getParameterCount() == 0 &&
!allowFinalizeInvocation) {
return null; // ignore
} else {
return invokeRemoteMethod(proxy, method, args);
}
......
src/share/classes/java/security/Identity.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -261,7 +261,7 @@ public abstract class Identity implements Principal, Serializable {
certificates.addElement(certificate);
}
private boolean keyEquals(Key aKey, Key anotherKey) {
private boolean keyEquals(PublicKey aKey, PublicKey anotherKey) {
String aKeyFormat = aKey.getFormat();
String anotherKeyFormat = anotherKey.getFormat();
if ((aKeyFormat == null) ^ (anotherKeyFormat == null))
......
src/share/classes/java/security/MessageDigest.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -440,6 +440,10 @@ public abstract class MessageDigest extends MessageDigestSpi {
* @return true if the digests are equal, false otherwise.
*/
public static boolean isEqual(byte[] digesta, byte[] digestb) {
if (digesta == digestb) return true;
if (digesta == null || digestb == null) {
return false;
}
if (digesta.length != digestb.length) {
return false;
}
......
src/share/classes/java/security/Signature.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -1316,7 +1316,7 @@ public abstract class Signature extends SignatureSpi {
byte[] out = cipher.doFinal(sigBytes);
byte[] dataBytes = data.toByteArray();
data.reset();
return Arrays.equals(out, dataBytes);
return MessageDigest.isEqual(out, dataBytes);
} catch (BadPaddingException e) {
// e.g. wrong public key used
// return false rather than throwing exception
......
src/share/classes/java/security/cert/X509CRLSelector.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -679,10 +679,14 @@ public class X509CRLSelector implements CRLSelector {
nowPlusSkew = new Date(dateAndTime.getTime() + skew);
nowMinusSkew = new Date(dateAndTime.getTime() - skew);
}
// Check that the test date is within the validity interval:
// [ thisUpdate - MAX_CLOCK_SKEW,
// nextUpdate + MAX_CLOCK_SKEW ]
if (nowMinusSkew.after(nextUpdate)
|| nowPlusSkew.before(crlThisUpdate)) {
if (debug != null) {
debug.println("X509CRLSelector.match: update out of range");
debug.println("X509CRLSelector.match: update out-of-range");
}
return false;
}
......
src/share/classes/javax/crypto/spec/SecretKeySpec.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1998, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -25,6 +25,7 @@
package javax.crypto.spec;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.util.Locale;
import javax.crypto.SecretKey;
......@@ -228,6 +229,6 @@ public class SecretKeySpec implements KeySpec, SecretKey {
byte[] thatKey = ((SecretKey)obj).getEncoded();
return java.util.Arrays.equals(this.key, thatKey);
return MessageDigest.isEqual(this.key, thatKey);
}
}
src/share/classes/javax/management/MBeanServerInvocationHandler.java
浏览文件 @ 3c2c9588
......@@ -141,6 +141,12 @@ public class MBeanServerInvocationHandler implements InvocationHandler {
if (connection == null) {
throw new IllegalArgumentException("Null connection");
}
if (Proxy.isProxyClass(connection.getClass())) {
if (MBeanServerInvocationHandler.class.isAssignableFrom(
Proxy.getInvocationHandler(connection).getClass())) {
throw new IllegalArgumentException("Wrapping MBeanServerInvocationHandler");
}
}
if (objectName == null) {
throw new IllegalArgumentException("Null object name");
}
......@@ -418,6 +424,10 @@ public class MBeanServerInvocationHandler implements InvocationHandler {
new Class<?>[] {Object.class})
&& isLocal(proxy, method))
return true;
if (methodName.equals("finalize")
&& method.getParameterTypes().length == 0) {
return true;
}
return false;
}
......@@ -453,6 +463,9 @@ public class MBeanServerInvocationHandler implements InvocationHandler {
connection + "[" + objectName + "])";
} else if (methodName.equals("hashCode")) {
return objectName.hashCode()+connection.hashCode();
} else if (methodName.equals("finalize")) {
// ignore the finalizer invocation via proxy
return null;
}
throw new RuntimeException("Unexpected method name: " + methodName);
......
src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java
浏览文件 @ 3c2c9588
......@@ -32,7 +32,6 @@ import java.rmi.server.Unreferenced;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
......@@ -59,6 +58,7 @@ import com.sun.jmx.remote.util.ClassLoaderWithRepository;
import com.sun.jmx.remote.util.ClassLogger;
import com.sun.jmx.remote.util.EnvHelp;
import com.sun.jmx.remote.util.OrderClassLoaders;
import javax.management.loading.ClassLoaderRepository;
/**
* <p>Implementation of the {@link RMIConnection} interface. User
......@@ -131,20 +131,24 @@ public class RMIConnectionImpl implements RMIConnection, Unreferenced {
final ClassLoader dcl = defaultClassLoader;
this.classLoaderWithRepository =
AccessController.doPrivileged(
new PrivilegedAction<ClassLoaderWithRepository>() {
public ClassLoaderWithRepository run() {
return new ClassLoaderWithRepository(
mbeanServer.getClassLoaderRepository(),
dcl);
}
},
withPermissions( new MBeanPermission("*", "getClassLoaderRepository"),
new RuntimePermission("createClassLoader"))
);
ClassLoaderRepository repository = AccessController.doPrivileged(
new PrivilegedAction<ClassLoaderRepository>() {
public ClassLoaderRepository run() {
return mbeanServer.getClassLoaderRepository();
}
},
withPermissions(new MBeanPermission("*", "getClassLoaderRepository"))
);
this.classLoaderWithRepository = AccessController.doPrivileged(
new PrivilegedAction<ClassLoaderWithRepository>() {
public ClassLoaderWithRepository run() {
return new ClassLoaderWithRepository(
repository,
dcl);
}
},
withPermissions(new RuntimePermission("createClassLoader"))
);
this.defaultContextClassLoader =
AccessController.doPrivileged(
......
src/share/classes/sun/misc/JavaNetAccess.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -26,10 +26,17 @@
package sun.misc;
import java.net.URLClassLoader;
import java.net.InetAddress;
public interface JavaNetAccess {
/**
* return the URLClassPath belonging to the given loader
*/
URLClassPath getURLClassPath (URLClassLoader u);
/**
* Return the original application specified hostname of
* the given InetAddress object.
*/
String getOriginalHostName(InetAddress ia);
}
src/share/classes/sun/security/pkcs11/P11Key.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -164,7 +164,7 @@ abstract class P11Key implements Key, Length {
} else {
otherEnc = other.getEncoded();
}
return Arrays.equals(thisEnc, otherEnc);
return MessageDigest.isEqual(thisEnc, otherEnc);
}
public int hashCode() {
......
src/share/classes/sun/security/pkcs11/wrapper/Functions.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
*/
/* Copyright (c) 2002 Graz University of Technology. All rights reserved.
......@@ -444,22 +444,6 @@ public class Functions {
return getId(objectClassIds, name);
}
/**
* Check the given arrays for equalitiy. This method considers both arrays as
* equal, if both are <code>null</code> or both have the same length and
* contain exactly the same byte values.
*
* @param array1 The first array.
* @param array2 The second array.
* @return True, if both arrays are <code>null</code> or both have the same
* length and contain exactly the same byte values. False, otherwise.
* @preconditions
* @postconditions
*/
public static boolean equals(byte[] array1, byte[] array2) {
return Arrays.equals(array1, array2);
}
/**
* Check the given arrays for equalitiy. This method considers both arrays as
* equal, if both are <code>null</code> or both have the same length and
......@@ -472,7 +456,7 @@ public class Functions {
* @preconditions
* @postconditions
*/
public static boolean equals(char[] array1, char[] array2) {
private static boolean equals(char[] array1, char[] array2) {
return Arrays.equals(array1, array2);
}
......
src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
浏览文件 @ 3c2c9588
......@@ -2050,7 +2050,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
"(MAC algorithm: " + m.getAlgorithm() + ")");
}
if (!Arrays.equals(macData.getDigest(), macResult)) {
if (!MessageDigest.isEqual(macData.getDigest(), macResult)) {
throw new SecurityException("Failed PKCS12" +
" integrity checking");
}
......
src/share/classes/sun/security/provider/certpath/OCSPResponse.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -151,8 +151,8 @@ public final class OCSPResponse {
private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;
/**
* Integer value indicating the maximum allowable clock skew, in seconds,
* to be used for the OCSP check.
* Integer value indicating the maximum allowable clock skew,
* in milliseconds, to be used for the OCSP check.
*/
private static final int MAX_CLOCK_SKEW = initializeClockSkew();
......@@ -586,13 +586,14 @@ public final class OCSPResponse {
"Unable to verify OCSP Response's signature");
}
// Check freshness of OCSPResponse
if (nonce != null) {
if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) {
throw new CertPathValidatorException("Nonces don't match");
}
}
// Check freshness of OCSPResponse
long now = (date == null) ? System.currentTimeMillis() : date.getTime();
Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
......@@ -602,13 +603,18 @@ public final class OCSPResponse {
if (sr.nextUpdate != null) {
until = " until " + sr.nextUpdate;
}
debug.println("Response's validity interval is from " +
debug.println("OCSP response validity interval is from " +
sr.thisUpdate + until);
debug.println("Checking validity of OCSP response on: " +
new Date(now));
}
// Check that the test date is within the validity interval
if ((sr.thisUpdate != null && nowPlusSkew.before(sr.thisUpdate)) ||
(sr.nextUpdate != null && nowMinusSkew.after(sr.nextUpdate)))
// Check that the test date is within the validity interval:
// [ thisUpdate - MAX_CLOCK_SKEW,
// MAX(thisUpdate, nextUpdate) + MAX_CLOCK_SKEW ]
if (nowPlusSkew.before(sr.thisUpdate) ||
nowMinusSkew.after(
sr.nextUpdate != null ? sr.nextUpdate : sr.thisUpdate))
{
throw new CertPathValidatorException(
"Response is unreliable: its validity " +
......
src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -159,12 +159,19 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
ValidatorParams params)
throws CertPathValidatorException
{
// check if anchor is untrusted
UntrustedChecker untrustedChecker = new UntrustedChecker();
X509Certificate anchorCert = anchor.getTrustedCert();
if (anchorCert != null) {
untrustedChecker.check(anchorCert);
}
int certPathLen = params.certificates().size();
// create PKIXCertPathCheckers
List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
// add standard checkers that we will be using
certPathCheckers.add(new UntrustedChecker());
certPathCheckers.add(untrustedChecker);
certPathCheckers.add(new AlgorithmChecker(anchor));
certPathCheckers.add(new KeyChecker(certPathLen,
params.targetCertConstraints()));
......
src/share/classes/sun/security/rsa/RSASignature.java
浏览文件 @ 3c2c9588
......@@ -27,7 +27,6 @@ package sun.security.rsa;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.security.*;
import java.security.interfaces.*;
......@@ -194,7 +193,7 @@ public abstract class RSASignature extends SignatureSpi {
byte[] decrypted = RSACore.rsa(sigBytes, publicKey);
byte[] unpadded = padding.unpad(decrypted);
byte[] decodedDigest = decodeSignature(digestOID, unpadded);
return Arrays.equals(digest, decodedDigest);
return MessageDigest.isEqual(digest, decodedDigest);
} catch (javax.crypto.BadPaddingException e) {
// occurs if the app has used the wrong RSA public key
// or if sigBytes is invalid
......
src/share/classes/sun/security/ssl/CipherSuite.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -968,7 +968,7 @@ final class CipherSuite implements Comparable<CipherSuite> {
* 1. Prefer Suite B compliant cipher suites, see RFC6460 (To be
* changed later, see below).
* 2. Prefer the stronger bulk cipher, in the order of AES_256(GCM),
* AES_128(GCM), AES_256, AES_128, 3DES-EDE, RC-4.
* AES_128(GCM), AES_256, AES_128, 3DES-EDE.
* 3. Prefer the stronger MAC algorithm, in the order of SHA384,
* SHA256, SHA, MD5.
* 4. Prefer the better performance of key exchange and digital
......@@ -1115,20 +1115,6 @@ final class CipherSuite implements Comparable<CipherSuite> {
add("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
0x0013, --p, K_DHE_DSS, B_3DES, N);
// RC-4
add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N);
add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
0xC011, --p, K_ECDHE_RSA, B_RC4_128, N);
add("SSL_RSA_WITH_RC4_128_SHA",
0x0005, --p, K_RSA, B_RC4_128, N);
add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
0xC002, --p, K_ECDH_ECDSA, B_RC4_128, N);
add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
0xC00C, --p, K_ECDH_RSA, B_RC4_128, N);
add("SSL_RSA_WITH_RC4_128_MD5",
0x0004, --p, K_RSA, B_RC4_128, N);
// Renegotiation protection request Signalling Cipher Suite Value (SCSV)
add("TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
0x00ff, --p, K_SCSV, B_NULL, T);
......@@ -1178,6 +1164,20 @@ final class CipherSuite implements Comparable<CipherSuite> {
add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
0x001b, --p, K_DH_ANON, B_3DES, N);
// RC-4
add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N);
add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
0xC011, --p, K_ECDHE_RSA, B_RC4_128, N);
add("SSL_RSA_WITH_RC4_128_SHA",
0x0005, --p, K_RSA, B_RC4_128, N);
add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
0xC002, --p, K_ECDH_ECDSA, B_RC4_128, N);
add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
0xC00C, --p, K_ECDH_RSA, B_RC4_128, N);
add("SSL_RSA_WITH_RC4_128_MD5",
0x0004, --p, K_RSA, B_RC4_128, N);
add("TLS_ECDH_anon_WITH_RC4_128_SHA",
0xC016, --p, K_ECDH_ANON, B_RC4_128, N);
add("SSL_DH_anon_WITH_RC4_128_MD5",
......
src/share/classes/sun/security/ssl/ClientHandshaker.java
浏览文件 @ 3c2c9588
......@@ -489,7 +489,7 @@ final class ClientHandshaker extends Handshaker {
0, clientVerifyData.length);
System.arraycopy(serverVerifyData, 0, verifyData,
clientVerifyData.length, serverVerifyData.length);
if (!Arrays.equals(verifyData,
if (!MessageDigest.isEqual(verifyData,
serverHelloRI.getRenegotiatedConnection())) {
fatalSE(Alerts.alert_handshake_failure,
"Incorrect verify data in ServerHello " +
......@@ -679,6 +679,14 @@ final class ClientHandshaker extends Handshaker {
// NOTREACHED
}
ephemeralServerKey = mesg.getPublicKey();
// check constraints of RSA PublicKey
if (!algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
throw new SSLHandshakeException("RSA ServerKeyExchange " +
"does not comply to algorithm constraints");
}
}
......@@ -696,6 +704,9 @@ final class ClientHandshaker extends Handshaker {
dh = new DHCrypt(mesg.getModulus(), mesg.getBase(),
sslContext.getSecureRandom());
serverDH = mesg.getServerPublicKey();
// check algorithm constraints
dh.checkConstraints(algorithmConstraints, serverDH);
}
private void serverKeyExchange(ECDH_ServerKeyExchange mesg)
......@@ -706,6 +717,14 @@ final class ClientHandshaker extends Handshaker {
ECPublicKey key = mesg.getPublicKey();
ecdh = new ECDHCrypt(key.getParams(), sslContext.getSecureRandom());
ephemeralServerKey = key;
// check constraints of EC PublicKey
if (!algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
throw new SSLHandshakeException("ECDH ServerKeyExchange " +
"does not comply to algorithm constraints");
}
}
/*
......
src/share/classes/sun/security/ssl/DHCrypt.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -34,6 +34,7 @@ import javax.crypto.SecretKey;
import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.*;
import java.util.EnumSet;
import sun.security.util.KeyUtil;
......@@ -216,6 +217,28 @@ final class DHCrypt {
}
}
// Check constraints of the specified DH public key.
void checkConstraints(AlgorithmConstraints constraints,
BigInteger peerPublicValue) throws SSLHandshakeException {
try {
KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
DHPublicKeySpec spec =
new DHPublicKeySpec(peerPublicValue, modulus, base);
DHPublicKey publicKey = (DHPublicKey)kf.generatePublic(spec);
// check constraints of DHPublicKey
if (!constraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
throw new SSLHandshakeException(
"DHPublicKey does not comply to algorithm constraints");
}
} catch (GeneralSecurityException gse) {
throw (SSLHandshakeException) new SSLHandshakeException(
"Could not generate DHPublicKey").initCause(gse);
}
}
// Generate and validate DHPublicKeySpec
private DHPublicKeySpec generateDHPublicKeySpec(KeyPairGenerator kpg)
throws GeneralSecurityException {
......
src/share/classes/sun/security/ssl/ECDHCrypt.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2006, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -29,6 +29,7 @@ import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.spec.*;
import java.util.EnumSet;
import javax.crypto.SecretKey;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLHandshakeException;
......@@ -88,8 +89,11 @@ final class ECDHCrypt {
return publicKey;
}
// called by ClientHandshaker with either the server's static or ephemeral public key
SecretKey getAgreedSecret(PublicKey peerPublicKey) throws SSLHandshakeException {
// called by ClientHandshaker with either the server's static or
// ephemeral public key
SecretKey getAgreedSecret(
PublicKey peerPublicKey) throws SSLHandshakeException {
try {
KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
ka.init(privateKey);
......@@ -102,10 +106,13 @@ final class ECDHCrypt {
}
// called by ServerHandshaker
SecretKey getAgreedSecret(byte[] encodedPoint) throws SSLHandshakeException {
SecretKey getAgreedSecret(
byte[] encodedPoint) throws SSLHandshakeException {
try {
ECParameterSpec params = publicKey.getParams();
ECPoint point = JsseJce.decodePoint(encodedPoint, params.getCurve());
ECPoint point =
JsseJce.decodePoint(encodedPoint, params.getCurve());
KeyFactory kf = JsseJce.getKeyFactory("EC");
ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
PublicKey peerPublicKey = kf.generatePublic(spec);
......@@ -116,4 +123,30 @@ final class ECDHCrypt {
}
}
// Check constraints of the specified EC public key.
void checkConstraints(AlgorithmConstraints constraints,
byte[] encodedPoint) throws SSLHandshakeException {
try {
ECParameterSpec params = publicKey.getParams();
ECPoint point =
JsseJce.decodePoint(encodedPoint, params.getCurve());
ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
KeyFactory kf = JsseJce.getKeyFactory("EC");
ECPublicKey publicKey = (ECPublicKey)kf.generatePublic(spec);
// check constraints of ECPublicKey
if (!constraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
throw new SSLHandshakeException(
"ECPublicKey does not comply to algorithm constraints");
}
} catch (GeneralSecurityException | java.io.IOException e) {
throw (SSLHandshakeException) new SSLHandshakeException(
"Could not generate ECPublicKey").initCause(e);
}
}
}
src/share/classes/sun/security/ssl/HandshakeMessage.java
浏览文件 @ 3c2c9588
......@@ -1912,7 +1912,7 @@ static final class Finished extends HandshakeMessage {
*/
boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) {
byte[] myFinished = getFinished(handshakeHash, sender, master);
return Arrays.equals(myFinished, verifyData);
return MessageDigest.isEqual(myFinished, verifyData);
}
/*
......
src/share/classes/sun/security/ssl/Handshaker.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -86,7 +86,7 @@ abstract class Handshaker {
String identificationProtocol;
// The cryptographic algorithm constraints
private AlgorithmConstraints algorithmConstraints = null;
AlgorithmConstraints algorithmConstraints = null;
// Local supported signature and algorithms
Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;
......
src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -34,9 +34,9 @@ import javax.net.ssl.*;
import java.security.Key;
import java.util.Set;
import java.util.HashSet;
import sun.security.util.DisabledAlgorithmConstraints;
import static sun.security.util.DisabledAlgorithmConstraints.*;
import sun.security.ssl.CipherSuite.*;
/**
......@@ -46,10 +46,15 @@ import sun.security.ssl.CipherSuite.*;
* for the syntax of the disabled algorithm string.
*/
final class SSLAlgorithmConstraints implements AlgorithmConstraints {
private final static AlgorithmConstraints tlsDisabledAlgConstraints =
new TLSDisabledAlgConstraints();
new DisabledAlgorithmConstraints(PROPERTY_TLS_DISABLED_ALGS,
new SSLAlgorithmDecomposer());
private final static AlgorithmConstraints x509DisabledAlgConstraints =
new X509DisabledAlgConstraints();
new DisabledAlgorithmConstraints(PROPERTY_CERTPATH_DISABLED_ALGS,
new SSLAlgorithmDecomposer(true));
private AlgorithmConstraints userAlgConstraints = null;
private AlgorithmConstraints peerAlgConstraints = null;
......@@ -267,217 +272,4 @@ final class SSLAlgorithmConstraints implements AlgorithmConstraints {
}
}
static private class BasicDisabledAlgConstraints
extends DisabledAlgorithmConstraints {
BasicDisabledAlgConstraints(String propertyName) {
super(propertyName);
}
protected Set<String> decomposes(KeyExchange keyExchange,
boolean forCertPathOnly) {
Set<String> components = new HashSet<>();
switch (keyExchange) {
case K_NULL:
if (!forCertPathOnly) {
components.add("NULL");
}
break;
case K_RSA:
components.add("RSA");
break;
case K_RSA_EXPORT:
components.add("RSA");
components.add("RSA_EXPORT");
break;
case K_DH_RSA:
components.add("RSA");
components.add("DH");
components.add("DiffieHellman");
components.add("DH_RSA");
break;
case K_DH_DSS:
components.add("DSA");
components.add("DSS");
components.add("DH");
components.add("DiffieHellman");
components.add("DH_DSS");
break;
case K_DHE_DSS:
components.add("DSA");
components.add("DSS");
components.add("DH");
components.add("DHE");
components.add("DiffieHellman");
components.add("DHE_DSS");
break;
case K_DHE_RSA:
components.add("RSA");
components.add("DH");
components.add("DHE");
components.add("DiffieHellman");
components.add("DHE_RSA");
break;
case K_DH_ANON:
if (!forCertPathOnly) {
components.add("ANON");
components.add("DH");
components.add("DiffieHellman");
components.add("DH_ANON");
}
break;
case K_ECDH_ECDSA:
components.add("ECDH");
components.add("ECDSA");
components.add("ECDH_ECDSA");
break;
case K_ECDH_RSA:
components.add("ECDH");
components.add("RSA");
components.add("ECDH_RSA");
break;
case K_ECDHE_ECDSA:
components.add("ECDHE");
components.add("ECDSA");
components.add("ECDHE_ECDSA");
break;
case K_ECDHE_RSA:
components.add("ECDHE");
components.add("RSA");
components.add("ECDHE_RSA");
break;
case K_ECDH_ANON:
if (!forCertPathOnly) {
components.add("ECDH");
components.add("ANON");
components.add("ECDH_ANON");
}
break;
case K_KRB5:
if (!forCertPathOnly) {
components.add("KRB5");
}
break;
case K_KRB5_EXPORT:
if (!forCertPathOnly) {
components.add("KRB5_EXPORT");
}
break;
default:
// ignore
}
return components;
}
protected Set<String> decomposes(BulkCipher bulkCipher) {
Set<String> components = new HashSet<>();
if (bulkCipher.transformation != null) {
components.addAll(super.decomposes(bulkCipher.transformation));
}
return components;
}
protected Set<String> decomposes(MacAlg macAlg) {
Set<String> components = new HashSet<>();
if (macAlg == CipherSuite.M_MD5) {
components.add("MD5");
components.add("HmacMD5");
} else if (macAlg == CipherSuite.M_SHA) {
components.add("SHA1");
components.add("SHA-1");
components.add("HmacSHA1");
} else if (macAlg == CipherSuite.M_SHA256) {
components.add("SHA256");
components.add("SHA-256");
components.add("HmacSHA256");
} else if (macAlg == CipherSuite.M_SHA384) {
components.add("SHA384");
components.add("SHA-384");
components.add("HmacSHA384");
}
return components;
}
}
static private class TLSDisabledAlgConstraints
extends BasicDisabledAlgConstraints {
TLSDisabledAlgConstraints() {
super(DisabledAlgorithmConstraints.PROPERTY_TLS_DISABLED_ALGS);
}
@Override
protected Set<String> decomposes(String algorithm) {
if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) {
CipherSuite cipherSuite = null;
try {
cipherSuite = CipherSuite.valueOf(algorithm);
} catch (IllegalArgumentException iae) {
// ignore: unknown or unsupported ciphersuite
}
if (cipherSuite != null) {
Set<String> components = new HashSet<>();
if(cipherSuite.keyExchange != null) {
components.addAll(
decomposes(cipherSuite.keyExchange, false));
}
if (cipherSuite.cipher != null) {
components.addAll(decomposes(cipherSuite.cipher));
}
if (cipherSuite.macAlg != null) {
components.addAll(decomposes(cipherSuite.macAlg));
}
return components;
}
}
return super.decomposes(algorithm);
}
}
static private class X509DisabledAlgConstraints
extends BasicDisabledAlgConstraints {
X509DisabledAlgConstraints() {
super(DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
}
@Override
protected Set<String> decomposes(String algorithm) {
if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) {
CipherSuite cipherSuite = null;
try {
cipherSuite = CipherSuite.valueOf(algorithm);
} catch (IllegalArgumentException iae) {
// ignore: unknown or unsupported ciphersuite
}
if (cipherSuite != null) {
Set<String> components = new HashSet<>();
if(cipherSuite.keyExchange != null) {
components.addAll(
decomposes(cipherSuite.keyExchange, true));
}
// Certification path algorithm constraints do not apply
// to cipherSuite.cipher and cipherSuite.macAlg.
return components;
}
}
return super.decomposes(algorithm);
}
}
}
src/share/classes/sun/security/ssl/SSLAlgorithmDecomposer.java 0 → 100644
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.ssl;
import java.util.HashSet;
import java.util.Set;
import sun.security.util.AlgorithmDecomposer;
import static sun.security.ssl.CipherSuite.*;
import static sun.security.ssl.CipherSuite.KeyExchange.*;
/**
* The class decomposes standard SSL/TLS cipher suites into sub-elements.
*/
class SSLAlgorithmDecomposer extends AlgorithmDecomposer {
// indicates that only certification path algorithms need to be used
private final boolean onlyX509;
SSLAlgorithmDecomposer(boolean onlyX509) {
this.onlyX509 = onlyX509;
}
SSLAlgorithmDecomposer() {
this(false);
}
private Set<String> decomposes(CipherSuite.KeyExchange keyExchange) {
Set<String> components = new HashSet<>();
switch (keyExchange) {
case K_NULL:
if (!onlyX509) {
components.add("K_NULL");
}
break;
case K_RSA:
components.add("RSA");
break;
case K_RSA_EXPORT:
components.add("RSA");
components.add("RSA_EXPORT");
break;
case K_DH_RSA:
components.add("RSA");
components.add("DH");
components.add("DiffieHellman");
components.add("DH_RSA");
break;
case K_DH_DSS:
components.add("DSA");
components.add("DSS");
components.add("DH");
components.add("DiffieHellman");
components.add("DH_DSS");
break;
case K_DHE_DSS:
components.add("DSA");
components.add("DSS");
components.add("DH");
components.add("DHE");
components.add("DiffieHellman");
components.add("DHE_DSS");
break;
case K_DHE_RSA:
components.add("RSA");
components.add("DH");
components.add("DHE");
components.add("DiffieHellman");
components.add("DHE_RSA");
break;
case K_DH_ANON:
if (!onlyX509) {
components.add("ANON");
components.add("DH");
components.add("DiffieHellman");
components.add("DH_ANON");
}
break;
case K_ECDH_ECDSA:
components.add("ECDH");
components.add("ECDSA");
components.add("ECDH_ECDSA");
break;
case K_ECDH_RSA:
components.add("ECDH");
components.add("RSA");
components.add("ECDH_RSA");
break;
case K_ECDHE_ECDSA:
components.add("ECDHE");
components.add("ECDSA");
components.add("ECDHE_ECDSA");
break;
case K_ECDHE_RSA:
components.add("ECDHE");
components.add("RSA");
components.add("ECDHE_RSA");
break;
case K_ECDH_ANON:
if (!onlyX509) {
components.add("ECDH");
components.add("ANON");
components.add("ECDH_ANON");
}
break;
case K_KRB5:
if (!onlyX509) {
components.add("KRB5");
}
break;
case K_KRB5_EXPORT:
if (!onlyX509) {
components.add("KRB5_EXPORT");
}
break;
default:
// ignore
}
return components;
}
private Set<String> decomposes(CipherSuite.BulkCipher bulkCipher) {
Set<String> components = new HashSet<>();
if (bulkCipher.transformation != null) {
components.addAll(super.decompose(bulkCipher.transformation));
}
if (bulkCipher == B_NULL) {
components.add("C_NULL");
} else if (bulkCipher == B_RC2_40) {
components.add("RC2_CBC_40");
} else if (bulkCipher == B_RC4_40) {
components.add("RC4_40");
} else if (bulkCipher == B_RC4_128) {
components.add("RC4_128");
} else if (bulkCipher == B_DES_40) {
components.add("DES40_CBC");
components.add("DES_CBC_40");
} else if (bulkCipher == B_DES) {
components.add("DES_CBC");
} else if (bulkCipher == B_3DES) {
components.add("3DES_EDE_CBC");
} else if (bulkCipher == B_AES_128) {
components.add("AES_128_CBC");
} else if (bulkCipher == B_AES_256) {
components.add("AES_256_CBC");
} else if (bulkCipher == B_AES_128_GCM) {
components.add("AES_128_GCM");
} else if (bulkCipher == B_AES_256_GCM) {
components.add("AES_256_GCM");
}
return components;
}
private Set<String> decomposes(CipherSuite.MacAlg macAlg,
BulkCipher cipher) {
Set<String> components = new HashSet<>();
if (macAlg == M_NULL
&& cipher.cipherType != CipherType.AEAD_CIPHER) {
components.add("M_NULL");
} else if (macAlg == M_MD5) {
components.add("MD5");
components.add("HmacMD5");
} else if (macAlg == M_SHA) {
components.add("SHA1");
components.add("SHA-1");
components.add("HmacSHA1");
} else if (macAlg == M_SHA256) {
components.add("SHA256");
components.add("SHA-256");
components.add("HmacSHA256");
} else if (macAlg == M_SHA384) {
components.add("SHA384");
components.add("SHA-384");
components.add("HmacSHA384");
}
return components;
}
private Set<String> decompose(KeyExchange keyExchange, BulkCipher cipher,
MacAlg macAlg) {
Set<String> components = new HashSet<>();
if (keyExchange != null) {
components.addAll(decomposes(keyExchange));
}
if (onlyX509) {
// Certification path algorithm constraints do not apply
// to cipher and macAlg.
return components;
}
if (cipher != null) {
components.addAll(decomposes(cipher));
}
if (macAlg != null) {
components.addAll(decomposes(macAlg, cipher));
}
return components;
}
@Override
public Set<String> decompose(String algorithm) {
if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) {
CipherSuite cipherSuite = null;
try {
cipherSuite = CipherSuite.valueOf(algorithm);
} catch (IllegalArgumentException iae) {
// ignore: unknown or unsupported ciphersuite
}
if (cipherSuite != null) {
return decompose(cipherSuite.keyExchange, cipherSuite.cipher,
cipherSuite.macAlg);
}
}
return super.decompose(algorithm);
}
}
src/share/classes/sun/security/ssl/SSLSocketImpl.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -40,6 +40,9 @@ import java.util.concurrent.locks.ReentrantLock;
import javax.crypto.BadPaddingException;
import javax.net.ssl.*;
import sun.misc.JavaNetAccess;
import sun.misc.SharedSecrets;
/**
* Implementation of an SSL socket. This is a normal connection type
* socket, implementing SSL over some lower level socket, such as TCP.
......@@ -389,6 +392,15 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
*/
private boolean preferLocalCipherSuites = false;
/*
* Is the local name service trustworthy?
*
* If the local name service is not trustworthy, reverse host name
* resolution should not be performed for endpoint identification.
*/
static final boolean trustNameService =
Debug.getBooleanProperty("jdk.tls.trustNameService", false);
//
// CONSTRUCTORS AND INITIALIZATION CODE
//
......@@ -2149,11 +2161,41 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
synchronized String getHost() {
// Note that the host may be null or empty for localhost.
if (host == null || host.length() == 0) {
host = getInetAddress().getHostName();
if (!trustNameService) {
// If the local name service is not trustworthy, reverse host
// name resolution should not be performed for endpoint
// identification. Use the application original specified
// hostname or IP address instead.
host = getOriginalHostname(getInetAddress());
} else {
host = getInetAddress().getHostName();
}
}
return host;
}
/*
* Get the original application specified hostname.
*/
private static String getOriginalHostname(InetAddress inetAddress) {
/*
* Get the original hostname via sun.misc.SharedSecrets.
*/
JavaNetAccess jna = SharedSecrets.getJavaNetAccess();
String originalHostname = jna.getOriginalHostName(inetAddress);
/*
* If no application specified hostname, use the IP address.
*/
if (originalHostname == null || originalHostname.length() == 0) {
originalHostname = inetAddress.getHostAddress();
}
return originalHostname;
}
// ONLY used by HttpsClient to setup the URI specified hostname
//
// Please NOTE that this method MUST be called before calling to
......
src/share/classes/sun/security/ssl/ServerHandshaker.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -32,6 +32,7 @@ import java.security.*;
import java.security.cert.*;
import java.security.interfaces.*;
import java.security.spec.ECParameterSpec;
import java.math.BigInteger;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
......@@ -41,6 +42,7 @@ import javax.net.ssl.*;
import javax.security.auth.Subject;
import sun.security.util.KeyUtil;
import sun.security.util.LegacyAlgorithmConstraints;
import sun.security.action.GetPropertyAction;
import sun.security.ssl.HandshakeMessage.*;
import sun.security.ssl.CipherSuite.*;
......@@ -106,6 +108,12 @@ final class ServerHandshaker extends Handshaker {
// The customized ephemeral DH key size for non-exportable cipher suites.
private static final int customizedDHKeySize;
// legacy algorithm constraints
private static final AlgorithmConstraints legacyAlgorithmConstraints =
new LegacyAlgorithmConstraints(
LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,
new SSLAlgorithmDecomposer());
static {
String property = AccessController.doPrivileged(
new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
......@@ -406,7 +414,7 @@ final class ServerHandshaker extends Handshaker {
}
// verify the client_verify_data value
if (!Arrays.equals(clientVerifyData,
if (!MessageDigest.isEqual(clientVerifyData,
clientHelloRI.getRenegotiatedConnection())) {
fatalSE(Alerts.alert_handshake_failure,
"Incorrect verify data in ClientHello " +
......@@ -995,6 +1003,7 @@ final class ServerHandshaker extends Handshaker {
proposed = getActiveCipherSuites();
}
List<CipherSuite> legacySuites = new ArrayList<>();
for (CipherSuite suite : prefered.collection()) {
if (isNegotiable(proposed, suite) == false) {
continue;
......@@ -1006,11 +1015,24 @@ final class ServerHandshaker extends Handshaker {
continue;
}
}
if (!legacyAlgorithmConstraints.permits(null, suite.name, null)) {
legacySuites.add(suite);
continue;
}
if (trySetCipherSuite(suite) == false) {
continue;
}
return;
}
for (CipherSuite suite : legacySuites) {
if (trySetCipherSuite(suite)) {
return;
}
}
fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common");
}
......@@ -1543,7 +1565,13 @@ final class ServerHandshaker extends Handshaker {
if (debug != null && Debug.isOn("handshake")) {
mesg.print(System.out);
}
return dh.getAgreedSecret(mesg.getClientPublicKey(), false);
BigInteger publicKeyValue = mesg.getClientPublicKey();
// check algorithm constraints
dh.checkConstraints(algorithmConstraints, publicKeyValue);
return dh.getAgreedSecret(publicKeyValue, false);
}
private SecretKey clientKeyExchange(ECDHClientKeyExchange mesg)
......@@ -1552,7 +1580,13 @@ final class ServerHandshaker extends Handshaker {
if (debug != null && Debug.isOn("handshake")) {
mesg.print(System.out);
}
return ecdh.getAgreedSecret(mesg.getEncodedPoint());
byte[] publicPoint = mesg.getEncodedPoint();
// check algorithm constraints
ecdh.checkConstraints(algorithmConstraints, publicPoint);
return ecdh.getAgreedSecret(publicPoint);
}
/*
......
src/share/classes/sun/security/util/AbstractAlgorithmConstraints.java 0 → 100644
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util;
import java.security.AccessController;
import java.security.AlgorithmConstraints;
import java.security.PrivilegedAction;
import java.security.Security;
import java.util.Map;
import java.util.Set;
/**
* The class contains common functionality for algorithm constraints classes.
*/
public abstract class AbstractAlgorithmConstraints
implements AlgorithmConstraints {
protected final AlgorithmDecomposer decomposer;
protected AbstractAlgorithmConstraints(AlgorithmDecomposer decomposer) {
this.decomposer = decomposer;
}
// Get algorithm constraints from the specified security property.
private static void loadAlgorithmsMap(Map<String, String[]> algorithmsMap,
String propertyName) {
String property = AccessController.doPrivileged(
(PrivilegedAction<String>) () -> Security.getProperty(
propertyName));
String[] algorithmsInProperty = null;
if (property != null && !property.isEmpty()) {
// remove double quote marks from beginning/end of the property
if (property.charAt(0) == '"'
&& property.charAt(property.length() - 1) == '"') {
property = property.substring(1, property.length() - 1);
}
algorithmsInProperty = property.split(",");
for (int i = 0; i < algorithmsInProperty.length;
i++) {
algorithmsInProperty[i] = algorithmsInProperty[i].trim();
}
}
// map the disabled algorithms
if (algorithmsInProperty == null) {
algorithmsInProperty = new String[0];
}
algorithmsMap.put(propertyName, algorithmsInProperty);
}
static String[] getAlgorithms(Map<String, String[]> algorithmsMap,
String propertyName) {
synchronized (algorithmsMap) {
if (!algorithmsMap.containsKey(propertyName)) {
loadAlgorithmsMap(algorithmsMap, propertyName);
}
return algorithmsMap.get(propertyName);
}
}
static boolean checkAlgorithm(String[] algorithms, String algorithm,
AlgorithmDecomposer decomposer) {
if (algorithm == null || algorithm.length() == 0) {
throw new IllegalArgumentException("No algorithm name specified");
}
Set<String> elements = null;
for (String item : algorithms) {
if (item == null || item.isEmpty()) {
continue;
}
// check the full name
if (item.equalsIgnoreCase(algorithm)) {
return false;
}
// decompose the algorithm into sub-elements
if (elements == null) {
elements = decomposer.decompose(algorithm);
}
// check the items of the algorithm
for (String element : elements) {
if (item.equalsIgnoreCase(element)) {
return false;
}
}
}
return true;
}
}
src/share/classes/sun/security/util/AlgorithmDecomposer.java 0 → 100644
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
/**
* The class decomposes standard algorithms into sub-elements.
*/
public class AlgorithmDecomposer {
private static final Pattern transPattern = Pattern.compile("/");
private static final Pattern pattern =
Pattern.compile("with|and", Pattern.CASE_INSENSITIVE);
/**
* Decompose the standard algorithm name into sub-elements.
* <p>
* For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA"
* so that we can check the "SHA1" and "RSA" algorithm constraints
* separately.
* <p>
* Please override the method if need to support more name pattern.
*/
public Set<String> decompose(String algorithm) {
if (algorithm == null || algorithm.length() == 0) {
return new HashSet<>();
}
// algorithm/mode/padding
String[] transTockens = transPattern.split(algorithm);
Set<String> elements = new HashSet<>();
for (String transTocken : transTockens) {
if (transTocken == null || transTocken.length() == 0) {
continue;
}
// PBEWith<digest>And<encryption>
// PBEWith<prf>And<encryption>
// OAEPWith<digest>And<mgf>Padding
// <digest>with<encryption>
// <digest>with<encryption>and<mgf>
String[] tokens = pattern.split(transTocken);
for (String token : tokens) {
if (token == null || token.length() == 0) {
continue;
}
elements.add(token);
}
}
// In Java standard algorithm name specification, for different
// purpose, the SHA-1 and SHA-2 algorithm names are different. For
// example, for MessageDigest, the standard name is "SHA-256", while
// for Signature, the digest algorithm component is "SHA256" for
// signature algorithm "SHA256withRSA". So we need to check both
// "SHA-256" and "SHA256" to make the right constraint checking.
// handle special name: SHA-1 and SHA1
if (elements.contains("SHA1") && !elements.contains("SHA-1")) {
elements.add("SHA-1");
}
if (elements.contains("SHA-1") && !elements.contains("SHA1")) {
elements.add("SHA1");
}
// handle special name: SHA-224 and SHA224
if (elements.contains("SHA224") && !elements.contains("SHA-224")) {
elements.add("SHA-224");
}
if (elements.contains("SHA-224") && !elements.contains("SHA224")) {
elements.add("SHA224");
}
// handle special name: SHA-256 and SHA256
if (elements.contains("SHA256") && !elements.contains("SHA-256")) {
elements.add("SHA-256");
}
if (elements.contains("SHA-256") && !elements.contains("SHA256")) {
elements.add("SHA256");
}
// handle special name: SHA-384 and SHA384
if (elements.contains("SHA384") && !elements.contains("SHA-384")) {
elements.add("SHA-384");
}
if (elements.contains("SHA-384") && !elements.contains("SHA384")) {
elements.add("SHA384");
}
// handle special name: SHA-512 and SHA512
if (elements.contains("SHA512") && !elements.contains("SHA-512")) {
elements.add("SHA-512");
}
if (elements.contains("SHA-512") && !elements.contains("SHA512")) {
elements.add("SHA512");
}
return elements;
}
}
src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -25,15 +25,9 @@
package sun.security.util;
import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.security.AlgorithmParameters;
import java.security.Key;
import java.security.Security;
import java.security.PrivilegedAction;
import java.security.AccessController;
import java.util.Locale;
import java.util.Set;
import java.util.Collections;
......@@ -49,7 +43,7 @@ import java.util.regex.Matcher;
* See the "jdk.certpath.disabledAlgorithms" specification in java.security
* for the syntax of the disabled algorithm string.
*/
public class DisabledAlgorithmConstraints implements AlgorithmConstraints {
public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
// the known security property, jdk.certpath.disabledAlgorithms
public final static String PROPERTY_CERTPATH_DISABLED_ALGS =
......@@ -64,8 +58,8 @@ public class DisabledAlgorithmConstraints implements AlgorithmConstraints {
private final static Map<String, KeySizeConstraints> keySizeConstraintsMap =
new HashMap<>();
private String[] disabledAlgorithms;
private KeySizeConstraints keySizeConstraints;
private final String[] disabledAlgorithms;
private final KeySizeConstraints keySizeConstraints;
/**
* Initialize algorithm constraints with the specified security property.
......@@ -74,56 +68,27 @@ public class DisabledAlgorithmConstraints implements AlgorithmConstraints {
* algorithm constraints
*/
public DisabledAlgorithmConstraints(String propertyName) {
// Both disabledAlgorithmsMap and keySizeConstraintsMap are
// synchronized with the lock of disabledAlgorithmsMap.
synchronized (disabledAlgorithmsMap) {
if(!disabledAlgorithmsMap.containsKey(propertyName)) {
loadDisabledAlgorithmsMap(propertyName);
}
this(propertyName, new AlgorithmDecomposer());
}
disabledAlgorithms = disabledAlgorithmsMap.get(propertyName);
keySizeConstraints = keySizeConstraintsMap.get(propertyName);
}
public DisabledAlgorithmConstraints(String propertyName,
AlgorithmDecomposer decomposer) {
super(decomposer);
disabledAlgorithms = getAlgorithms(disabledAlgorithmsMap, propertyName);
keySizeConstraints = getKeySizeConstraints(disabledAlgorithms,
propertyName);
}
@Override
final public boolean permits(Set<CryptoPrimitive> primitives,
String algorithm, AlgorithmParameters parameters) {
if (algorithm == null || algorithm.length() == 0) {
throw new IllegalArgumentException("No algorithm name specified");
}
if (primitives == null || primitives.isEmpty()) {
throw new IllegalArgumentException(
"No cryptographic primitive specified");
}
Set<String> elements = null;
for (String disabled : disabledAlgorithms) {
if (disabled == null || disabled.isEmpty()) {
continue;
}
// check the full name
if (disabled.equalsIgnoreCase(algorithm)) {
return false;
}
// decompose the algorithm into sub-elements
if (elements == null) {
elements = decomposes(algorithm);
}
// check the items of the algorithm
for (String element : elements) {
if (disabled.equalsIgnoreCase(element)) {
return false;
}
}
}
return true;
return checkAlgorithm(disabledAlgorithms, algorithm, decomposer);
}
@Override
......@@ -142,98 +107,6 @@ public class DisabledAlgorithmConstraints implements AlgorithmConstraints {
return checkConstraints(primitives, algorithm, key, parameters);
}
/**
* Decompose the standard algorithm name into sub-elements.
* <p>
* For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA"
* so that we can check the "SHA1" and "RSA" algorithm constraints
* separately.
* <p>
* Please override the method if need to support more name pattern.
*/
protected Set<String> decomposes(String algorithm) {
if (algorithm == null || algorithm.length() == 0) {
return new HashSet<String>();
}
// algorithm/mode/padding
Pattern transPattern = Pattern.compile("/");
String[] transTockens = transPattern.split(algorithm);
Set<String> elements = new HashSet<String>();
for (String transTocken : transTockens) {
if (transTocken == null || transTocken.length() == 0) {
continue;
}
// PBEWith<digest>And<encryption>
// PBEWith<prf>And<encryption>
// OAEPWith<digest>And<mgf>Padding
// <digest>with<encryption>
// <digest>with<encryption>and<mgf>
Pattern pattern =
Pattern.compile("with|and", Pattern.CASE_INSENSITIVE);
String[] tokens = pattern.split(transTocken);
for (String token : tokens) {
if (token == null || token.length() == 0) {
continue;
}
elements.add(token);
}
}
// In Java standard algorithm name specification, for different
// purpose, the SHA-1 and SHA-2 algorithm names are different. For
// example, for MessageDigest, the standard name is "SHA-256", while
// for Signature, the digest algorithm component is "SHA256" for
// signature algorithm "SHA256withRSA". So we need to check both
// "SHA-256" and "SHA256" to make the right constraint checking.
// handle special name: SHA-1 and SHA1
if (elements.contains("SHA1") && !elements.contains("SHA-1")) {
elements.add("SHA-1");
}
if (elements.contains("SHA-1") && !elements.contains("SHA1")) {
elements.add("SHA1");
}
// handle special name: SHA-224 and SHA224
if (elements.contains("SHA224") && !elements.contains("SHA-224")) {
elements.add("SHA-224");
}
if (elements.contains("SHA-224") && !elements.contains("SHA224")) {
elements.add("SHA224");
}
// handle special name: SHA-256 and SHA256
if (elements.contains("SHA256") && !elements.contains("SHA-256")) {
elements.add("SHA-256");
}
if (elements.contains("SHA-256") && !elements.contains("SHA256")) {
elements.add("SHA256");
}
// handle special name: SHA-384 and SHA384
if (elements.contains("SHA384") && !elements.contains("SHA-384")) {
elements.add("SHA-384");
}
if (elements.contains("SHA-384") && !elements.contains("SHA384")) {
elements.add("SHA384");
}
// handle special name: SHA-512 and SHA512
if (elements.contains("SHA512") && !elements.contains("SHA-512")) {
elements.add("SHA-512");
}
if (elements.contains("SHA-512") && !elements.contains("SHA512")) {
elements.add("SHA512");
}
return elements;
}
// Check algorithm constraints
private boolean checkConstraints(Set<CryptoPrimitive> primitives,
String algorithm, Key key, AlgorithmParameters parameters) {
......@@ -263,43 +136,18 @@ public class DisabledAlgorithmConstraints implements AlgorithmConstraints {
return true;
}
// Get disabled algorithm constraints from the specified security property.
private static void loadDisabledAlgorithmsMap(
final String propertyName) {
String property = AccessController.doPrivileged(
new PrivilegedAction<String>() {
public String run() {
return Security.getProperty(propertyName);
}
});
String[] algorithmsInProperty = null;
if (property != null && !property.isEmpty()) {
// remove double quote marks from beginning/end of the property
if (property.charAt(0) == '"' &&
property.charAt(property.length() - 1) == '"') {
property = property.substring(1, property.length() - 1);
private static KeySizeConstraints getKeySizeConstraints(
String[] disabledAlgorithms, String propertyName) {
synchronized (keySizeConstraintsMap) {
if(!keySizeConstraintsMap.containsKey(propertyName)) {
// map the key constraints
KeySizeConstraints keySizeConstraints =
new KeySizeConstraints(disabledAlgorithms);
keySizeConstraintsMap.put(propertyName, keySizeConstraints);
}
algorithmsInProperty = property.split(",");
for (int i = 0; i < algorithmsInProperty.length; i++) {
algorithmsInProperty[i] = algorithmsInProperty[i].trim();
}
return keySizeConstraintsMap.get(propertyName);
}
// map the disabled algorithms
if (algorithmsInProperty == null) {
algorithmsInProperty = new String[0];
}
disabledAlgorithmsMap.put(propertyName, algorithmsInProperty);
// map the key constraints
KeySizeConstraints keySizeConstraints =
new KeySizeConstraints(algorithmsInProperty);
keySizeConstraintsMap.put(propertyName, keySizeConstraints);
}
/**
......
src/share/classes/sun/security/util/LegacyAlgorithmConstraints.java 0 → 100644
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util;
import java.security.AlgorithmParameters;
import java.security.CryptoPrimitive;
import java.security.Key;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import static sun.security.util.AbstractAlgorithmConstraints.getAlgorithms;
/**
* Algorithm constraints for legacy algorithms.
*/
public class LegacyAlgorithmConstraints extends AbstractAlgorithmConstraints {
// the known security property, jdk.tls.legacyAlgorithms
public final static String PROPERTY_TLS_LEGACY_ALGS =
"jdk.tls.legacyAlgorithms";
private final static Map<String, String[]> legacyAlgorithmsMap =
new HashMap<>();
private final String[] legacyAlgorithms;
public LegacyAlgorithmConstraints(String propertyName,
AlgorithmDecomposer decomposer) {
super(decomposer);
legacyAlgorithms = getAlgorithms(legacyAlgorithmsMap, propertyName);
}
@Override
final public boolean permits(Set<CryptoPrimitive> primitives,
String algorithm, AlgorithmParameters parameters) {
return checkAlgorithm(legacyAlgorithms, algorithm, decomposer);
}
@Override
final public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
return true;
}
@Override
final public boolean permits(Set<CryptoPrimitive> primitives,
String algorithm, Key key, AlgorithmParameters parameters) {
return checkAlgorithm(legacyAlgorithms, algorithm, decomposer);
}
}
src/share/classes/sun/security/validator/SimpleValidator.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -141,8 +141,18 @@ public final class SimpleValidator extends Validator {
// create distrusted certificates checker
UntrustedChecker untrustedChecker = new UntrustedChecker();
// check if anchor is untrusted
X509Certificate anchorCert = chain[chain.length - 1];
try {
untrustedChecker.check(anchorCert);
} catch (CertPathValidatorException cpve) {
throw new ValidatorException(
"Untrusted certificate: "+ anchorCert.getSubjectX500Principal(),
ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve);
}
// create default algorithm constraints checker
TrustAnchor anchor = new TrustAnchor(chain[chain.length - 1], null);
TrustAnchor anchor = new TrustAnchor(anchorCert, null);
AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor);
// create application level algorithm constraints checker
......
src/share/lib/security/java.security-aix
浏览文件 @ 3c2c9588
......@@ -509,4 +509,61 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
#
# In some environments, a certain algorithm may be undesirable but it
# cannot be disabled because of its use in legacy applications. Legacy
# algorithms may still be supported, but applications should not use them
# as the security strength of legacy algorithms are usually not strong enough
# in practice.
#
# During SSL/TLS security parameters negotiation, legacy algorithms will
# not be negotiated unless there are no other candidates.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# LegacyAlgorithms:
# " LegacyAlgorithm { , LegacyAlgorithm } "
#
# LegacyAlgorithm:
# AlgorithmName (standard JSSE algorithm name)
#
# See the specification of security property "jdk.certpath.disabledAlgorithms"
# for the syntax and description of the "AlgorithmName" notation.
#
# Per SSL/TLS specifications, cipher suites have the form:
# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
# or
# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
#
# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
# algorithm for HMAC.
#
# The LegacyAlgorithm can be one of the following standard algorithm names:
# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
# 2. JSSE key exchange algorithm name, e.g., RSA
# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
# 4. JSSE message digest algorithm name, e.g., SHA
#
# See SSL/TLS specifications and "Java Cryptography Architecture Standard
# Algorithm Name Documentation" for information about the algorithm names.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
# There is no guarantee the property will continue to exist or be of the
# same syntax in future releases.
#
# Example:
# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
#
jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC
src/share/lib/security/java.security-linux
浏览文件 @ 3c2c9588
......@@ -509,4 +509,61 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
#
# In some environments, a certain algorithm may be undesirable but it
# cannot be disabled because of its use in legacy applications. Legacy
# algorithms may still be supported, but applications should not use them
# as the security strength of legacy algorithms are usually not strong enough
# in practice.
#
# During SSL/TLS security parameters negotiation, legacy algorithms will
# not be negotiated unless there are no other candidates.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# LegacyAlgorithms:
# " LegacyAlgorithm { , LegacyAlgorithm } "
#
# LegacyAlgorithm:
# AlgorithmName (standard JSSE algorithm name)
#
# See the specification of security property "jdk.certpath.disabledAlgorithms"
# for the syntax and description of the "AlgorithmName" notation.
#
# Per SSL/TLS specifications, cipher suites have the form:
# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
# or
# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
#
# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
# algorithm for HMAC.
#
# The LegacyAlgorithm can be one of the following standard algorithm names:
# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
# 2. JSSE key exchange algorithm name, e.g., RSA
# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
# 4. JSSE message digest algorithm name, e.g., SHA
#
# See SSL/TLS specifications and "Java Cryptography Architecture Standard
# Algorithm Name Documentation" for information about the algorithm names.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
# There is no guarantee the property will continue to exist or be of the
# same syntax in future releases.
#
# Example:
# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
#
jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC
src/share/lib/security/java.security-macosx
浏览文件 @ 3c2c9588
......@@ -512,4 +512,61 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
#
# In some environments, a certain algorithm may be undesirable but it
# cannot be disabled because of its use in legacy applications. Legacy
# algorithms may still be supported, but applications should not use them
# as the security strength of legacy algorithms are usually not strong enough
# in practice.
#
# During SSL/TLS security parameters negotiation, legacy algorithms will
# not be negotiated unless there are no other candidates.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# LegacyAlgorithms:
# " LegacyAlgorithm { , LegacyAlgorithm } "
#
# LegacyAlgorithm:
# AlgorithmName (standard JSSE algorithm name)
#
# See the specification of security property "jdk.certpath.disabledAlgorithms"
# for the syntax and description of the "AlgorithmName" notation.
#
# Per SSL/TLS specifications, cipher suites have the form:
# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
# or
# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
#
# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
# algorithm for HMAC.
#
# The LegacyAlgorithm can be one of the following standard algorithm names:
# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
# 2. JSSE key exchange algorithm name, e.g., RSA
# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
# 4. JSSE message digest algorithm name, e.g., SHA
#
# See SSL/TLS specifications and "Java Cryptography Architecture Standard
# Algorithm Name Documentation" for information about the algorithm names.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
# There is no guarantee the property will continue to exist or be of the
# same syntax in future releases.
#
# Example:
# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
#
jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC
src/share/lib/security/java.security-solaris
浏览文件 @ 3c2c9588
......@@ -511,4 +511,61 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
#
# In some environments, a certain algorithm may be undesirable but it
# cannot be disabled because of its use in legacy applications. Legacy
# algorithms may still be supported, but applications should not use them
# as the security strength of legacy algorithms are usually not strong enough
# in practice.
#
# During SSL/TLS security parameters negotiation, legacy algorithms will
# not be negotiated unless there are no other candidates.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# LegacyAlgorithms:
# " LegacyAlgorithm { , LegacyAlgorithm } "
#
# LegacyAlgorithm:
# AlgorithmName (standard JSSE algorithm name)
#
# See the specification of security property "jdk.certpath.disabledAlgorithms"
# for the syntax and description of the "AlgorithmName" notation.
#
# Per SSL/TLS specifications, cipher suites have the form:
# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
# or
# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
#
# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
# algorithm for HMAC.
#
# The LegacyAlgorithm can be one of the following standard algorithm names:
# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
# 2. JSSE key exchange algorithm name, e.g., RSA
# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
# 4. JSSE message digest algorithm name, e.g., SHA
#
# See SSL/TLS specifications and "Java Cryptography Architecture Standard
# Algorithm Name Documentation" for information about the algorithm names.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
# There is no guarantee the property will continue to exist or be of the
# same syntax in future releases.
#
# Example:
# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
#
jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC
src/share/lib/security/java.security-windows
浏览文件 @ 3c2c9588
......@@ -512,4 +512,61 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
#
# In some environments, a certain algorithm may be undesirable but it
# cannot be disabled because of its use in legacy applications. Legacy
# algorithms may still be supported, but applications should not use them
# as the security strength of legacy algorithms are usually not strong enough
# in practice.
#
# During SSL/TLS security parameters negotiation, legacy algorithms will
# not be negotiated unless there are no other candidates.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# LegacyAlgorithms:
# " LegacyAlgorithm { , LegacyAlgorithm } "
#
# LegacyAlgorithm:
# AlgorithmName (standard JSSE algorithm name)
#
# See the specification of security property "jdk.certpath.disabledAlgorithms"
# for the syntax and description of the "AlgorithmName" notation.
#
# Per SSL/TLS specifications, cipher suites have the form:
# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
# or
# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
#
# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
# algorithm for HMAC.
#
# The LegacyAlgorithm can be one of the following standard algorithm names:
# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
# 2. JSSE key exchange algorithm name, e.g., RSA
# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
# 4. JSSE message digest algorithm name, e.g., SHA
#
# See SSL/TLS specifications and "Java Cryptography Architecture Standard
# Algorithm Name Documentation" for information about the algorithm names.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
# There is no guarantee the property will continue to exist or be of the
# same syntax in future releases.
#
# Example:
# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
#
jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC
src/share/native/sun/font/layout/AlternateSubstSubtables.cpp
浏览文件 @ 3c2c9588
......@@ -53,6 +53,7 @@ le_uint32 AlternateSubstitutionSubtable::process(const LEReferenceTo<AlternateSu
Offset alternateSetTableOffset = SWAPW(alternateSetTableOffsetArray[coverageIndex]);
const LEReferenceTo<AlternateSetTable> alternateSetTable(base, success,
(const AlternateSetTable *) ((char *) this + alternateSetTableOffset));
if (!LE_SUCCESS(success)) return 0;
TTGlyphID alternate = SWAPW(alternateSetTable->alternateArray[0]);
if (filter == NULL || filter->accept(LE_SET_GLYPH(glyph, alternate), success)) {
......
src/share/native/sun/font/layout/AnchorTables.cpp
浏览文件 @ 3c2c9588
......@@ -44,21 +44,27 @@ void AnchorTable::getAnchor(const LETableReference &base, LEGlyphID glyphID, con
case 1:
{
LEReferenceTo<Format1AnchorTable> f1(base, success);
f1->getAnchor(f1, fontInstance, anchor, success);
if (LE_SUCCESS(success)) {
f1->getAnchor(f1, fontInstance, anchor, success);
}
break;
}
case 2:
{
LEReferenceTo<Format2AnchorTable> f2(base, success);
f2->getAnchor(f2, glyphID, fontInstance, anchor, success);
if (LE_SUCCESS(success)) {
f2->getAnchor(f2, glyphID, fontInstance, anchor, success);
}
break;
}
case 3:
{
LEReferenceTo<Format3AnchorTable> f3(base, success);
f3->getAnchor(f3, fontInstance, anchor, success);
if (LE_SUCCESS(success)) {
f3->getAnchor(f3, fontInstance, anchor, success);
}
break;
}
......@@ -66,7 +72,9 @@ void AnchorTable::getAnchor(const LETableReference &base, LEGlyphID glyphID, con
{
// unknown format: just use x, y coordinate, like format 1...
LEReferenceTo<Format1AnchorTable> f1(base, success);
f1->getAnchor(f1, fontInstance, anchor, success);
if (LE_SUCCESS(success)) {
f1->getAnchor(f1, fontInstance, anchor, success);
}
break;
}
}
......@@ -112,16 +120,18 @@ void Format3AnchorTable::getAnchor(const LEReferenceTo<Format3AnchorTable> &base
if (dtxOffset != 0) {
LEReferenceTo<DeviceTable> dt(base, success, dtxOffset);
le_int16 adjx = dt->getAdjustment(dt, (le_int16) fontInstance->getXPixelsPerEm(), success);
pixels.fX += adjx;
if (LE_SUCCESS(success)) {
le_int16 adjx = dt->getAdjustment(dt, (le_int16) fontInstance->getXPixelsPerEm(), success);
pixels.fX += adjx;
}
}
if (dtyOffset != 0) {
LEReferenceTo<DeviceTable> dt(base, success, dtyOffset);
le_int16 adjy = dt->getAdjustment(dt, (le_int16) fontInstance->getYPixelsPerEm(), success);
pixels.fY += adjy;
if (LE_SUCCESS(success)) {
le_int16 adjy = dt->getAdjustment(dt, (le_int16) fontInstance->getYPixelsPerEm(), success);
pixels.fY += adjy;
}
}
fontInstance->pixelsToUnits(pixels, anchor);
......
src/share/native/sun/font/layout/ContextualGlyphInsertionProc2.cpp
浏览文件 @ 3c2c9588
......@@ -107,6 +107,10 @@ le_uint16 ContextualGlyphInsertionProcessor2::processStateEntry(LEGlyphStorage &
le_int16 markIndex = SWAPW(entry->markedInsertionListIndex);
if (markIndex > 0) {
if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) {
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return 0;
}
le_int16 count = (flags & cgiMarkedInsertCountMask) >> 5;
le_bool isKashidaLike = (flags & cgiMarkedIsKashidaLike);
le_bool isBefore = (flags & cgiMarkInsertBefore);
......@@ -115,6 +119,10 @@ le_uint16 ContextualGlyphInsertionProcessor2::processStateEntry(LEGlyphStorage &
le_int16 currIndex = SWAPW(entry->currentInsertionListIndex);
if (currIndex > 0) {
if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return 0;
}
le_int16 count = flags & cgiCurrentInsertCountMask;
le_bool isKashidaLike = (flags & cgiCurrentIsKashidaLike);
le_bool isBefore = (flags & cgiCurrentInsertBefore);
......
src/share/native/sun/font/layout/ContextualGlyphSubstProc.cpp
浏览文件 @ 3c2c9588
......@@ -76,6 +76,10 @@ ByteOffset ContextualGlyphSubstitutionProcessor::processStateEntry(LEGlyphStorag
WordOffset currOffset = SWAPW(entry->currOffset);
if (markOffset != 0 && LE_SUCCESS(success)) {
if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) {
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return 0;
}
LEGlyphID mGlyph = glyphStorage[markGlyph];
TTGlyphID newGlyph = SWAPW(int16Table.getObject(markOffset + LE_GET_GLYPH(mGlyph), success)); // whew.
......@@ -83,6 +87,10 @@ ByteOffset ContextualGlyphSubstitutionProcessor::processStateEntry(LEGlyphStorag
}
if (currOffset != 0) {
if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return 0;
}
LEGlyphID thisGlyph = glyphStorage[currGlyph];
TTGlyphID newGlyph = SWAPW(int16Table.getObject(currOffset + LE_GET_GLYPH(thisGlyph), success)); // whew.
......
src/share/native/sun/font/layout/ContextualGlyphSubstProc2.cpp
浏览文件 @ 3c2c9588
......@@ -70,17 +70,25 @@ le_uint16 ContextualGlyphSubstitutionProcessor2::processStateEntry(LEGlyphStorag
if(LE_FAILURE(success)) return 0;
le_uint16 newState = SWAPW(entry->newStateIndex);
le_uint16 flags = SWAPW(entry->flags);
le_int16 markIndex = SWAPW(entry->markIndex);
le_int16 currIndex = SWAPW(entry->currIndex);
le_uint16 markIndex = SWAPW(entry->markIndex);
le_uint16 currIndex = SWAPW(entry->currIndex);
if (markIndex != -1) {
if (markIndex != 0x0FFFF) {
if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) {
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return 0;
}
le_uint32 offset = SWAPL(perGlyphTable(markIndex, success));
LEGlyphID mGlyph = glyphStorage[markGlyph];
TTGlyphID newGlyph = lookup(offset, mGlyph, success);
glyphStorage[markGlyph] = LE_SET_GLYPH(mGlyph, newGlyph);
}
if (currIndex != -1) {
if (currIndex != 0x0FFFF) {
if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return 0;
}
le_uint32 offset = SWAPL(perGlyphTable(currIndex, success));
LEGlyphID thisGlyph = glyphStorage[currGlyph];
TTGlyphID newGlyph = lookup(offset, thisGlyph, success);
......
src/share/native/sun/font/layout/Features.cpp
浏览文件 @ 3c2c9588
......@@ -41,7 +41,7 @@ U_NAMESPACE_BEGIN
LEReferenceTo<FeatureTable> FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const
{
LEReferenceToArrayOf<FeatureRecord>
featureRecordArrayRef(base, success, featureRecordArray, featureIndex);
featureRecordArrayRef(base, success, featureRecordArray, featureIndex+1);
if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) {
return LEReferenceTo<FeatureTable>();
......
src/share/native/sun/font/layout/GXLayoutEngine.cpp
浏览文件 @ 3c2c9588
......@@ -73,7 +73,7 @@ le_int32 GXLayoutEngine::computeGlyphs(const LEUnicode chars[], le_int32 offset,
fMorphTable->process(fMorphTable, glyphStorage, success);
return count;
return glyphStorage.getGlyphCount();
}
// apply positional tables
......
src/share/native/sun/font/layout/GXLayoutEngine2.cpp
浏览文件 @ 3c2c9588
......@@ -69,7 +69,7 @@ le_int32 GXLayoutEngine2::computeGlyphs(const LEUnicode chars[], le_int32 offset
}
fMorphTable->process(fMorphTable, glyphStorage, fTypoFlags, success);
return count;
return glyphStorage.getGlyphCount();
}
// apply positional tables
......
src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp
浏览文件 @ 3c2c9588
......@@ -70,6 +70,11 @@ ByteOffset IndicRearrangementProcessor::processStateEntry(LEGlyphStorage &glyphS
ByteOffset newState = SWAPW(entry->newStateOffset);
IndicRearrangementFlags flags = (IndicRearrangementFlags) SWAPW(entry->flags);
if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return 0;
}
if (flags & irfMarkFirst) {
firstGlyph = currGlyph;
}
......
src/share/native/sun/font/layout/IndicRearrangementProcessor2.cpp
浏览文件 @ 3c2c9588
......@@ -68,6 +68,11 @@ le_uint16 IndicRearrangementProcessor2::processStateEntry(LEGlyphStorage &glyphS
le_uint16 newState = SWAPW(entry->newStateIndex); // index to the new state
IndicRearrangementFlags flags = (IndicRearrangementFlags) SWAPW(entry->flags);
if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return 0;
}
if (flags & irfMarkFirst) {
firstGlyph = currGlyph;
}
......
src/share/native/sun/font/layout/LETableReference.h
浏览文件 @ 3c2c9588
......@@ -188,7 +188,7 @@ public:
void addOffset(size_t offset, LEErrorCode &success) {
if(hasBounds()) {
if(offset > fLength) {
if(offset >= fLength) {
LE_DEBUG_TR("addOffset off end");
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return;
......@@ -203,7 +203,7 @@ public:
if(atPtr==NULL) return 0;
if(LE_FAILURE(success)) return LE_UINTPTR_MAX;
if((atPtr < fStart) ||
(hasBounds() && (atPtr > fStart+fLength))) {
(hasBounds() && (atPtr >= fStart+fLength))) {
LE_DEBUG_TR3("ptrToOffset args out of range: %p", atPtr, 0);
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return LE_UINTPTR_MAX;
......@@ -239,6 +239,18 @@ public:
return fLength;
}
/**
* Throw an error if size*count overflows
*/
size_t verifyLength(size_t offset, size_t size, le_uint32 count, LEErrorCode &success) {
if(count!=0 && size>LE_UINT32_MAX/count) {
LE_DEBUG_TR3("verifyLength failed size=%u, count=%u", size, count);
success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
return 0;
}
return verifyLength(offset, size*count, success);
}
/**
* Change parent link to another
*/
......@@ -424,7 +436,7 @@ public:
if(fCount == LE_UNBOUNDED_ARRAY) { // not a known length
fCount = getLength()/LETableVarSizer<T>::getSize(); // fit to max size
}
LETableReference::verifyLength(0, LETableVarSizer<T>::getSize()*fCount, success);
LETableReference::verifyLength(0, LETableVarSizer<T>::getSize(), fCount, success);
}
if(LE_FAILURE(success)) {
fCount=0;
......@@ -439,7 +451,7 @@ _TRTRACE("INFO: new RTAO")
if(fCount == LE_UNBOUNDED_ARRAY) { // not a known length
fCount = getLength()/LETableVarSizer<T>::getSize(); // fit to max size
}
LETableReference::verifyLength(0, LETableVarSizer<T>::getSize()*fCount, success);
LETableReference::verifyLength(0, LETableVarSizer<T>::getSize(), fCount, success);
}
if(LE_FAILURE(success)) clear();
}
......@@ -450,7 +462,7 @@ _TRTRACE("INFO: new RTAO")
if(fCount == LE_UNBOUNDED_ARRAY) { // not a known length
fCount = getLength()/LETableVarSizer<T>::getSize(); // fit to max size
}
LETableReference::verifyLength(0, LETableVarSizer<T>::getSize()*fCount, success);
LETableReference::verifyLength(0, LETableVarSizer<T>::getSize(), fCount, success);
}
if(LE_FAILURE(success)) clear();
}
......
src/share/native/sun/font/layout/LigatureSubstProc.cpp
浏览文件 @ 3c2c9588
......@@ -73,7 +73,7 @@ ByteOffset LigatureSubstitutionProcessor::processStateEntry(LEGlyphStorage &glyp
const LigatureSubstitutionStateEntry *entry = entryTable.getAlias(index, success);
ByteOffset newState = SWAPW(entry->newStateOffset);
le_int16 flags = SWAPW(entry->flags);
le_uint16 flags = SWAPW(entry->flags);
if (flags & lsfSetComponent) {
if (++m >= nComponents) {
......@@ -92,15 +92,18 @@ ByteOffset LigatureSubstitutionProcessor::processStateEntry(LEGlyphStorage &glyp
if (actionOffset != 0) {
LEReferenceTo<LigatureActionEntry> ap(stHeader, success, actionOffset);
LigatureActionEntry action;
le_int32 offset, i = 0;
le_int32 offset, i = 0, j = 0;
le_int32 stack[nComponents];
le_int16 mm = -1;
do {
le_uint32 componentGlyph = componentStack[m--];
if (j++ > 0) {
ap.addObject(success);
}
action = SWAPL(*ap.getAlias());
ap.addObject(success); // ap++
if (m < 0) {
m = nComponents - 1;
......
src/share/native/sun/font/layout/LigatureSubstProc2.cpp
浏览文件 @ 3c2c9588
......@@ -98,7 +98,7 @@ le_uint16 LigatureSubstitutionProcessor2::processStateEntry(LEGlyphStorage &glyp
ap.addObject(ligActionIndex, success);
LEReferenceToArrayOf<TTGlyphID> ligatureTable(stHeader, success, ligatureOffset, LE_UNBOUNDED_ARRAY);
LigatureActionEntry action;
le_int32 offset, i = 0;
le_int32 offset, i = 0, j = 0;
le_int32 stack[nComponents];
le_int16 mm = -1;
......@@ -111,6 +111,10 @@ le_uint16 LigatureSubstitutionProcessor2::processStateEntry(LEGlyphStorage &glyp
do {
le_uint32 componentGlyph = componentStack[m--]; // pop off
if (j++ > 0) {
ap.addObject(success);
}
action = SWAPL(*ap.getAlias());
if (m < 0) {
......@@ -144,7 +148,6 @@ le_uint16 LigatureSubstitutionProcessor2::processStateEntry(LEGlyphStorage &glyp
LE_DEBUG_BAD_FONT("m<0")
}
#endif
ap.addObject(success);
} while (LE_SUCCESS(success) && !(action & lafLast) && (m>=0) ); // stop if last bit is set, or if run out of items
while (mm >= 0) {
......
src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp
浏览文件 @ 3c2c9588
......@@ -97,13 +97,9 @@ le_int32 MarkToBasePositioningSubtable::process(const LETableReference &base, Gl
if( LE_FAILURE(success) ) { return 0; }
Offset anchorTableOffset = SWAPW(baseRecord->baseAnchorTableOffsetArray[markClass]);
if (anchorTableOffset <= 0) {
// this means the table is mal-formed...
glyphIterator->setCurrGlyphBaseOffset(baseIterator.getCurrStreamPosition());
return 0;
}
LEReferenceTo<AnchorTable> anchorTable(baseArray, success, anchorTableOffset);
if( LE_FAILURE(success) ) { return 0; }
LEPoint baseAnchor, markAdvance, pixels;
......
src/share/native/sun/font/layout/MorphTables.cpp
浏览文件 @ 3c2c9588
......@@ -52,8 +52,15 @@ void MorphTableHeader::process(const LETableReference &base, LEGlyphStorage &gly
le_uint32 chain;
for (chain = 0; LE_SUCCESS(success) && (chain < chainCount); chain += 1) {
if (chain > 0) {
le_uint32 chainLength = SWAPL(chainHeader->chainLength);
if (chainLength & 0x03) { // incorrect alignment for 32 bit tables
success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any
return;
}
chainHeader.addOffset(chainLength, success);
}
FeatureFlags defaultFlags = SWAPL(chainHeader->defaultFlags);
le_uint32 chainLength = SWAPL(chainHeader->chainLength);
le_int16 nFeatureEntries = SWAPW(chainHeader->nFeatureEntries);
le_int16 nSubtables = SWAPW(chainHeader->nSubtables);
LEReferenceTo<MorphSubtableHeader> subtableHeader =
......@@ -61,7 +68,14 @@ void MorphTableHeader::process(const LETableReference &base, LEGlyphStorage &gly
le_int16 subtable;
for (subtable = 0; LE_SUCCESS(success) && (subtable < nSubtables); subtable += 1) {
le_int16 length = SWAPW(subtableHeader->length);
if (subtable > 0) {
le_int16 length = SWAPW(subtableHeader->length);
if (length & 0x03) { // incorrect alignment for 32 bit tables
success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any
return;
}
subtableHeader.addOffset(length, success);
}
SubtableCoverage coverage = SWAPW(subtableHeader->coverage);
FeatureFlags subtableFeatures = SWAPL(subtableHeader->subtableFeatures);
......@@ -69,10 +83,7 @@ void MorphTableHeader::process(const LETableReference &base, LEGlyphStorage &gly
if ((coverage & scfVertical) == 0 && (subtableFeatures & defaultFlags) != 0 && LE_SUCCESS(success)) {
subtableHeader->process(subtableHeader, glyphStorage, success);
}
subtableHeader.addOffset(length, success);
}
chainHeader.addOffset(chainLength, success);
}
}
......
src/share/native/sun/font/layout/MorphTables2.cpp
浏览文件 @ 3c2c9588
......@@ -59,6 +59,10 @@ void MorphTableHeader2::process(const LEReferenceTo<MorphTableHeader2> &base, LE
for (chain = 0; LE_SUCCESS(success) && (chain < chainCount); chain++) {
if (chain>0) {
le_uint32 chainLength = SWAPL(chainHeader->chainLength);
if (chainLength & 0x03) { // incorrect alignment for 32 bit tables
success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any
return;
}
chainHeader.addOffset(chainLength, success); // Don't increment the first time
}
FeatureFlags flag = SWAPL(chainHeader->defaultFlags);
......@@ -188,6 +192,10 @@ void MorphTableHeader2::process(const LEReferenceTo<MorphTableHeader2> &base, LE
for (subtable = 0; LE_SUCCESS(success) && subtable < nSubtables; subtable++) {
if(subtable>0) {
le_uint32 length = SWAPL(subtableHeader->length);
if (length & 0x03) { // incorrect alignment for 32 bit tables
success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any
return;
}
subtableHeader.addOffset(length, success); // Don't addOffset for the last entry.
}
le_uint32 coverage = SWAPL(subtableHeader->coverage);
......
src/share/native/sun/font/layout/PairPositioningSubtables.cpp
浏览文件 @ 3c2c9588
......@@ -179,12 +179,13 @@ PairPositioningFormat1Subtable::findPairValueRecord(TTGlyphID glyphID, LEReferen
LEReferenceTo<PairValueRecord> record(records);
for(le_int32 r = 0; r < recordCount; r += 1) {
if (r > 0) {
record.addOffset(recordSize, success);
}
if(LE_FAILURE(success)) return LEReferenceTo<PairValueRecord>();
if (SWAPW(record->secondGlyph) == glyphID) {
return record;
}
record.addOffset(recordSize, success);
}
#else
#error dead code - not updated.
......
src/share/native/sun/font/layout/SingleSubstitutionSubtables.cpp
浏览文件 @ 3c2c9588
......@@ -94,7 +94,9 @@ le_uint32 SingleSubstitutionFormat2Subtable::process(const LEReferenceTo<SingleS
return 0;
}
if (coverageIndex >= 0) {
LEReferenceToArrayOf<TTGlyphID> substituteArrayRef(base, success, substituteArray, SWAPW(glyphCount));
if (coverageIndex >= 0 && LE_SUCCESS(success) && coverageIndex < substituteArrayRef.getCount()) {
TTGlyphID substitute = SWAPW(substituteArray[coverageIndex]);
if (filter == NULL || filter->accept(LE_SET_GLYPH(glyph, substitute), success)) {
......
src/share/native/sun/font/layout/StateTableProcessor.cpp
浏览文件 @ 3c2c9588
......@@ -85,6 +85,7 @@ void StateTableProcessor::process(LEGlyphStorage &glyphStorage, LEErrorCode &suc
if (currGlyph == glyphCount) {
// XXX: How do we handle EOT vs. EOL?
classCode = classCodeEOT;
break;
} else {
TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(glyphStorage[currGlyph]);
......
src/share/native/sun/font/layout/StateTableProcessor2.cpp
浏览文件 @ 3c2c9588
......@@ -103,6 +103,7 @@ void StateTableProcessor2::process(LEGlyphStorage &glyphStorage, LEErrorCode &su
if (currGlyph == glyphCount || currGlyph == -1) {
// XXX: How do we handle EOT vs. EOL?
classCode = classCodeEOT;
break;
} else {
LEGlyphID gid = glyphStorage[currGlyph];
TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(gid);
......@@ -134,6 +135,7 @@ void StateTableProcessor2::process(LEGlyphStorage &glyphStorage, LEErrorCode &su
if (currGlyph == glyphCount || currGlyph == -1) {
// XXX: How do we handle EOT vs. EOL?
classCode = classCodeEOT;
break;
} else {
LEGlyphID gid = glyphStorage[currGlyph];
TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(gid);
......@@ -171,6 +173,7 @@ void StateTableProcessor2::process(LEGlyphStorage &glyphStorage, LEErrorCode &su
if (currGlyph == glyphCount || currGlyph == -1) {
// XXX: How do we handle EOT vs. EOL?
classCode = classCodeEOT;
break;
} else if(currGlyph > glyphCount) {
// note if > glyphCount, we've run off the end (bad font)
currGlyph = glyphCount;
......@@ -211,6 +214,7 @@ void StateTableProcessor2::process(LEGlyphStorage &glyphStorage, LEErrorCode &su
if (currGlyph == glyphCount || currGlyph == -1) {
// XXX: How do we handle EOT vs. EOL?
classCode = classCodeEOT;
break;
} else {
TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(glyphStorage[currGlyph]);
if (glyphCode == 0xFFFF) {
......
src/share/native/sun/font/layout/StateTables.h
浏览文件 @ 3c2c9588
......@@ -126,7 +126,7 @@ typedef le_uint8 EntryTableIndex;
struct StateEntry
{
ByteOffset newStateOffset;
le_int16 flags;
le_uint16 flags;
};
typedef le_uint16 EntryTableIndex2;
......
src/share/native/sun/security/ec/impl/ec.c
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
......@@ -34,6 +34,7 @@
* Dr Vipul Gupta <vipul.gupta@sun.com> and
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
* Last Modified Date from the Original Code: April 2015
*********************************************************************** */
#include "mplogic.h"
......@@ -585,6 +586,10 @@ ECDH_Derive(SECItem *publicValue,
return SECFailure;
}
if (EC_ValidatePublicKey(ecParams, publicValue, kmflag) != SECSuccess) {
return SECFailure;
}
memset(derivedSecret, 0, sizeof *derivedSecret);
len = (ecParams->fieldID.size + 7) >> 3;
pointQ.len = 2*len + 1;
......
src/share/native/sun/security/ec/impl/ecc_impl.h
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2007, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
......@@ -34,6 +34,7 @@
* Dr Vipul Gupta <vipul.gupta@sun.com> and
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
* Last Modified Date from the Original Code: November 2013
*********************************************************************** */
#ifndef _ECC_IMPL_H
......
src/share/native/sun/security/ec/impl/ecdecode.c
浏览文件 @ 3c2c9588
......@@ -34,6 +34,7 @@
* Dr Vipul Gupta <vipul.gupta@sun.com> and
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
* Last Modified Date from the Original Code: March 2012
*********************************************************************** */
#include <sys/types.h>
......
src/share/native/sun/security/ec/impl/mpi.c
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
......@@ -34,6 +34,7 @@
* Netscape Communications Corporation
* Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
*
* Last Modified Date from the Original Code: June 2014
*********************************************************************** */
/* Arbitrary precision integer arithmetic library */
......
src/share/native/sun/security/ec/impl/oid.c
浏览文件 @ 3c2c9588
......@@ -33,6 +33,7 @@
* Contributor(s):
* Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
*
* Last Modified Date from the Original Code: March 2012
*********************************************************************** */
#include <sys/types.h>
......
src/share/native/sun/security/ec/impl/secitem.c
浏览文件 @ 3c2c9588
......@@ -32,6 +32,7 @@
*
* Contributor(s):
*
* Last Modified Date from the Original Code: March 2012
*********************************************************************** */
/*
......
src/solaris/bin/java_md_solinux.c
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -613,13 +613,14 @@ CreateExecutionEnvironment(int *pargc, char ***pargv,
/* runpath contains current effective LD_LIBRARY_PATH setting */
jvmpath = JLI_StringDup(jvmpath);
new_runpath = JLI_MemAlloc(((runpath != NULL) ? JLI_StrLen(runpath) : 0) +
size_t new_runpath_size = ((runpath != NULL) ? JLI_StrLen(runpath) : 0) +
2 * JLI_StrLen(jrepath) + 2 * JLI_StrLen(arch) +
#ifdef AIX
/* On AIX we additionally need 'jli' in the path because ld doesn't support $ORIGIN. */
JLI_StrLen(jrepath) + JLI_StrLen(arch) + JLI_StrLen("/lib//jli:") +
#endif
JLI_StrLen(jvmpath) + 52);
JLI_StrLen(jvmpath) + 52;
new_runpath = JLI_MemAlloc(new_runpath_size);
newpath = new_runpath + JLI_StrLen(LD_LIBRARY_PATH "=");
......@@ -679,6 +680,11 @@ CreateExecutionEnvironment(int *pargc, char ***pargv,
* loop of execv() because we test for the prefix, above.
*/
if (runpath != 0) {
/* ensure storage for runpath + colon + NULL */
if ((JLI_StrLen(runpath) + 1 + 1) > new_runpath_size) {
JLI_ReportErrorMessageSys(JRE_ERROR11);
exit(1);
}
JLI_StrCat(new_runpath, ":");
JLI_StrCat(new_runpath, runpath);
}
......@@ -811,7 +817,11 @@ GetJREPath(char *path, jint pathsize, const char * arch, jboolean speculative)
JLI_TraceLauncher("JRE path is %s\n", path);
return JNI_TRUE;
}
/* ensure storage for path + /jre + NULL */
if ((JLI_StrLen(path) + 4 + 1) > pathsize) {
JLI_TraceLauncher("Insufficient space to store JRE path\n");
return JNI_FALSE;
}
/* Does the app ship a private JRE in <apphome>/jre directory? */
JLI_Snprintf(libjava, sizeof(libjava), "%s/jre/lib/%s/" JAVA_DLL, path, arch);
if (access(libjava, F_OK) == 0) {
......
src/solaris/native/java/net/net_util_md.c
浏览文件 @ 3c2c9588
......@@ -1518,6 +1518,7 @@ NET_Bind(int fd, struct sockaddr *him, int len)
int exclbind = -1;
#endif
int rv;
int arg, alen;
#ifdef __linux__
/*
......@@ -1534,7 +1535,7 @@ NET_Bind(int fd, struct sockaddr *him, int len)
}
#endif
#if defined(__solaris__) && defined(AF_INET6)
#if defined(__solaris__)
/*
* Solaris has separate IPv4 and IPv6 port spaces so we
* use an exclusive bind when SO_REUSEADDR is not used to
......@@ -1544,35 +1545,31 @@ NET_Bind(int fd, struct sockaddr *him, int len)
* results in a late bind that fails because the
* corresponding IPv4 port is in use.
*/
if (ipv6_available()) {
int arg, len;
len = sizeof(arg);
if (useExclBind || getsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
(char *)&arg, &len) == 0) {
if (useExclBind || arg == 0) {
/*
* SO_REUSEADDR is disabled or sun.net.useExclusiveBind
* property is true so enable TCP_EXCLBIND or
* UDP_EXCLBIND
*/
len = sizeof(arg);
if (getsockopt(fd, SOL_SOCKET, SO_TYPE, (char *)&arg,
&len) == 0) {
if (arg == SOCK_STREAM) {
level = IPPROTO_TCP;
exclbind = TCP_EXCLBIND;
} else {
level = IPPROTO_UDP;
exclbind = UDP_EXCLBIND;
}
alen = sizeof(arg);
if (useExclBind || getsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
(char *)&arg, &alen) == 0) {
if (useExclBind || arg == 0) {
/*
* SO_REUSEADDR is disabled or sun.net.useExclusiveBind
* property is true so enable TCP_EXCLBIND or
* UDP_EXCLBIND
*/
alen = sizeof(arg);
if (getsockopt(fd, SOL_SOCKET, SO_TYPE, (char *)&arg,
&alen) == 0) {
if (arg == SOCK_STREAM) {
level = IPPROTO_TCP;
exclbind = TCP_EXCLBIND;
} else {
level = IPPROTO_UDP;
exclbind = UDP_EXCLBIND;
}
}
arg = 1;
setsockopt(fd, level, exclbind, (char *)&arg,
sizeof(arg));
arg = 1;
setsockopt(fd, level, exclbind, (char *)&arg,
sizeof(arg));
}
}
}
#endif
......
src/windows/bin/java_md.c
浏览文件 @ 3c2c9588
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -318,7 +318,11 @@ GetJREPath(char *path, jint pathsize)
JLI_TraceLauncher("JRE path is %s\n", path);
return JNI_TRUE;
}
/* ensure storage for path + \jre + NULL */
if ((JLI_StrLen(path) + 4 + 1) > pathsize) {
JLI_TraceLauncher("Insufficient space to store JRE path\n");
return JNI_FALSE;
}
/* Does this app ship a private JRE in <apphome>\jre directory? */
JLI_Snprintf(javadll, sizeof (javadll), "%s\\jre\\bin\\" JAVA_DLL, path);
if (stat(javadll, &s) == 0) {
......
test/lib/testlibrary/AssertsTest.java
浏览文件 @ 3c2c9588
......@@ -25,7 +25,6 @@ import static jdk.testlibrary.Asserts.*;
/* @test
* @summary Tests the different assertions in the Assert class
* @library /testlibrary
*/
public class AssertsTest {
private static class Foo implements Comparable<Foo> {
......
test/lib/testlibrary/OutputAnalyzerReportingTest.java
浏览文件 @ 3c2c9588
......@@ -27,7 +27,6 @@
* @summary Test the OutputAnalyzer reporting functionality,
* such as printing additional diagnostic info
* (exit code, stdout, stderr, command line, etc.)
* @library /testlibrary
*/
import java.io.ByteArrayOutputStream;
......
test/lib/testlibrary/OutputAnalyzerTest.java
浏览文件 @ 3c2c9588
......@@ -24,7 +24,6 @@
/*
* @test
* @summary Test the OutputAnalyzer utility class
* @library /testlibrary
*/
import jdk.testlibrary.OutputAnalyzer;
......
test/sun/management/jmxremote/bootstrap/RmiBootstrapTest.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -43,6 +43,8 @@ import javax.management.*;
import sun.management.AgentConfigurationError;
import java.security.Security;
import util.TestLogger;
/**
......@@ -133,6 +135,8 @@ public class RmiBootstrapTest {
"com.sun.management.jmxremote.ssl.enabled.protocols";
public static final String SSL_NEED_CLIENT_AUTH =
"com.sun.management.jmxremote.ssl.need.client.auth";
public static final String SSL_CLIENT_ENABLED_CIPHER_SUITES =
"javax.rmi.ssl.client.enabledCipherSuites";
}
/**
......@@ -434,7 +438,7 @@ public class RmiBootstrapTest {
}
private void setSslProperties() {
private void setSslProperties(String clientEnabledCipherSuites) {
final String defaultKeyStore =
getDefaultStoreName(DefaultValues.KEYSTORE);
final String defaultTrustStore =
......@@ -465,6 +469,13 @@ public class RmiBootstrapTest {
System.setProperty(PropertyNames.TRUSTSTORE_PASSWD,trustword);
log.trace("setSslProperties",
PropertyNames.TRUSTSTORE_PASSWD+"="+trustword);
if (clientEnabledCipherSuites != null) {
System.setProperty("javax.rmi.ssl.client.enabledCipherSuites",
clientEnabledCipherSuites);
} else {
System.clearProperty("javax.rmi.ssl.client.enabledCipherSuites");
}
}
private void checkSslConfiguration() {
......@@ -517,7 +528,10 @@ public class RmiBootstrapTest {
PropertyNames.SSL_ENABLED_PROTOCOLS + "=" +
sslProtocols);
if (useSsl) setSslProperties();
if (useSsl) {
setSslProperties(props.getProperty(
PropertyNames.SSL_CLIENT_ENABLED_CIPHER_SUITES));
}
} catch (Exception x) {
System.out.println("Failed to setup SSL configuration: " + x);
log.debug("checkSslConfiguration",x);
......@@ -871,6 +885,8 @@ public class RmiBootstrapTest {
* exit(1) if the test fails.
**/
public static void main(String args[]) throws Exception {
Security.setProperty("jdk.tls.disabledAlgorithms", "");
setupBasePort();
RmiBootstrapTest manager = new RmiBootstrapTest();
try {
......
test/sun/management/jmxremote/bootstrap/management_ssltest07_ok.properties.in
浏览文件 @ 3c2c9588
......@@ -2,3 +2,4 @@ com.sun.management.jmxremote.ssl.enabled.cipher.suites=SSL_RSA_WITH_RC4_128_SHA,
com.sun.management.jmxremote.ssl.enabled.protocols=SSLv2Hello,SSLv3,TLSv1
com.sun.management.jmxremote.ssl.need.client.auth=true
com.sun.management.jmxremote.authenticate=false
javax.rmi.ssl.client.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5
test/sun/management/jmxremote/bootstrap/management_ssltest11_ok.properties.in
浏览文件 @ 3c2c9588
......@@ -3,3 +3,4 @@ com.sun.management.jmxremote.ssl.enabled.protocols=SSLv2Hello,SSLv3,TLSv1
com.sun.management.jmxremote.ssl.need.client.auth=true
com.sun.management.jmxremote.ssl.config.file=@TEST-SRC@/jmxremote_ssltest11_ok.ssl
com.sun.management.jmxremote.authenticate=false
javax.rmi.ssl.client.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5
test/sun/security/ec/TestEC.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -59,6 +59,11 @@ import java.security.Security;
public class TestEC {
public static void main(String[] args) throws Exception {
// reset security properties to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
Security.setProperty("jdk.certpath.disabledAlgorithms", "");
ProvidersSnapshot snapshot = ProvidersSnapshot.create();
try {
main0(args);
......@@ -68,10 +73,6 @@ public class TestEC {
}
public static void main0(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
Provider p = Security.getProvider("SunEC");
if (p == null) {
......
test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -43,9 +43,10 @@ public class ClientJSSEServerJSSE extends PKCS11Test {
private static String[] cmdArgs;
public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// reset security properties to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
Security.setProperty("jdk.certpath.disabledAlgorithms", "");
cmdArgs = args;
main(new ClientJSSEServerJSSE());
......
test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
浏览文件 @ 3c2c9588
......@@ -100,6 +100,7 @@ import javax.net.ssl.*;
import javax.net.ssl.SSLEngineResult.*;
import java.io.*;
import java.nio.*;
import java.security.Security;
import java.security.KeyStore;
import java.security.KeyFactory;
import java.security.Security;
......@@ -377,9 +378,10 @@ public class DHEKeySizing {
}
public static void main(String args[]) throws Exception {
// reset the security property to make sure that the algorithms
// reset security properties to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
Security.setProperty("jdk.certpath.disabledAlgorithms", "");
if (args.length != 4) {
System.out.println(
......
test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ServerHandshaker/AnonCipherWithWantClientAuth.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -21,6 +21,11 @@
* questions.
*/
//
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
//
/*
* @test
* @bug 4392475
......@@ -34,6 +39,7 @@
import java.io.*;
import java.net.*;
import javax.net.ssl.*;
import java.security.Security;
public class AnonCipherWithWantClientAuth {
......@@ -156,6 +162,11 @@ public class AnonCipherWithWantClientAuth {
volatile Exception clientException = null;
public static void main(String[] args) throws Exception {
// reset security properties to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
Security.setProperty("jdk.certpath.disabledAlgorithms", "");
String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + keyStoreFile;
......
test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
浏览文件 @ 3c2c9588
......@@ -81,6 +81,9 @@ public class ConnectionTest {
ssle1.setEnabledCipherSuites(new String [] {
"SSL_RSA_WITH_RC4_128_MD5"});
ssle2.setEnabledCipherSuites(new String [] {
"SSL_RSA_WITH_RC4_128_MD5"});
createBuffers();
}
......
test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
浏览文件 @ 3c2c9588
......@@ -92,6 +92,7 @@ public class LargeBufs {
createSSLEngines();
System.out.println("Using " + cipher);
ssle1.setEnabledCipherSuites(new String [] { cipher });
ssle2.setEnabledCipherSuites(new String [] { cipher });
createBuffers();
......
test/sun/security/ssl/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java
浏览文件 @ 3c2c9588
......@@ -31,7 +31,7 @@
* @bug 7188657
* @summary There should be a way to reorder the JSSE ciphers
* @run main/othervm UseCipherSuitesOrder
* TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
*/
import java.io.*;
......
test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
浏览文件 @ 3c2c9588
......@@ -93,6 +93,10 @@ public class GenericStreamCipher {
SSLServerSocket sslServerSocket =
(SSLServerSocket) sslssf.createServerSocket(serverPort);
// enable a stream cipher
sslServerSocket.setEnabledCipherSuites(
new String[] {"SSL_RSA_WITH_RC4_128_MD5"});
serverPort = sslServerSocket.getLocalPort();
/*
......
test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -93,13 +93,6 @@ public class CipherSuitesInOrder {
"SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_SHA",
"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDH_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_MD5",
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
"TLS_DH_anon_WITH_AES_256_GCM_SHA384",
......@@ -113,8 +106,16 @@ public class CipherSuitesInOrder {
"TLS_DH_anon_WITH_AES_128_CBC_SHA",
"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
"SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_SHA",
"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDH_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_MD5",
"TLS_ECDH_anon_WITH_RC4_128_SHA",
"SSL_DH_anon_WITH_RC4_128_MD5",
"SSL_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
......
test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
浏览文件 @ 3c2c9588
/*
* Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -34,9 +34,10 @@ import java.security.Security;
public class ClientJSSEServerJSSE {
public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// reset security properties to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
Security.setProperty("jdk.certpath.disabledAlgorithms", "");
CipherTest.main(new JSSEFactory(), args);
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册