diff --git a/.hgtags b/.hgtags index ee72975c27ee0cf0712248581756d62a772ed590..87b498aca647c2b445817641575952e2a00796c1 100644 --- a/.hgtags +++ b/.hgtags @@ -312,6 +312,8 @@ be30cb2a3088f2b7b334b499f7eddbd5312312a7 jdk8u20-b23 dfb9f24d56b51e5a2ca26e77fc69a2464d51a4d3 jdk8u20-b24 dfb9f24d56b51e5a2ca26e77fc69a2464d51a4d3 jdk8u20-b25 dd229c5f57bff4e75a70908294a13072b9a48385 jdk8u20-b26 +684a13a7d2ccc91d2ad709ecad1fddbcc992ee5a jdk8u20-b31 +eb459e6ac74a7db7b49393e470d04b6d854dfa89 jdk8u20-b32 abca9f6f1a10e9f91b2538bbe7870f54f550d986 jdk8u25-b00 7d0627679c9fdeaaaa9fe15c7cc11af0763621ec jdk8u25-b01 b0277ec994b751ebb761814675352506cd56bcd6 jdk8u25-b02 @@ -334,6 +336,21 @@ f07bc5dab84c67f5d1dccbab318ee1c5485c852d jdk8u25-b16 d067890f970f3a712f870f6311d20f3359b6eaf0 jdk8u25-b16 67b22a82345bfa1ae1492679bdf3c4d54f4eacde jdk8u25-b17 a4e88eaf15ea0569f3275a807a976fe0e04a086c jdk8u25-b18 +556c79ef8a1d2fa38f79b3d3e102e80e0b0c9731 jdk8u25-b31 +f935349e2c065487c745bc41f81ddc7869bd2d2d jdk8u31-b00 +caebf6158e9d522df41a2c89a1602e5013bac401 jdk8u31-b01 +b1cef4d76664564732004cf3aedb0cbaa1972683 jdk8u31-b02 +649c7ba692012fd93c532fea133cf14785674387 jdk8u31-b03 +ab6aa5ee3897ebfe4a04722a594fb2cecd6f3bef jdk8u31-b04 +1e79baf89075967bddc64921d2680d8c1123f654 jdk8u31-b05 +b6aeaae6dd9d3a17564130af142b4734c643267e jdk8u31-b06 +34a484abc5d5391623294743d15e234a99d04dd7 jdk8u31-b07 +ca1adc7c848370dda8dbf9e3a970c3e6427fb05b jdk8u31-b08 +1c0cc3bbe07d52906d7ffbb72fa4733c327f1326 jdk8u31-b09 +291505d802d9075e227f9ee865a67234e1d737cf jdk8u31-b10 +a21dd7999d1e4ba612c951c2c78504d23eb7243a jdk8u31-b11 +6a12f34816d2ee12368274fc21225384a8893426 jdk8u31-b12 +1fbdd5d80d0671decd8acb5adb64866f609e986f jdk8u31-b13 e6ed015afbbf3459ba3297e270b4f3170e989c80 jdk8u40-b00 6e223d48080ef40f4ec11ecbcd19b4a20813b9eb jdk8u40-b01 4797cd0713b44b009525f1276d571ade7e24f3f5 jdk8u40-b02 @@ -354,4 +371,6 @@ ffc348308de2e872f5d510d440604c3726a67a18 jdk8u40-b14 fc4f5546417071c70cffd89ca83302309f6f7da9 jdk8u40-b17 20a3e2135e0867e55af72f0c66a3de558bc613e2 jdk8u40-b18 5c31204d19e5976f025026db3d5c17331e8c44db jdk8u40-b19 +7784dab075ed82be2275f4694164bbb9cc1cde3f jdk8u40-b20 +564bca490631e4ed4f7993e6633ed9ee62067624 jdk8u40-b21 5c31204d19e5976f025026db3d5c17331e8c44db jdk8u60-b00 diff --git a/src/share/classes/com/sun/java/swing/plaf/windows/WindowsFileChooserUI.java b/src/share/classes/com/sun/java/swing/plaf/windows/WindowsFileChooserUI.java index 48b5010946abe59bb6dcb32692840785c9b06b3e..b22ebf958ba68a0148eb49ffb19f9dfd6a548a32 100644 --- a/src/share/classes/com/sun/java/swing/plaf/windows/WindowsFileChooserUI.java +++ b/src/share/classes/com/sun/java/swing/plaf/windows/WindowsFileChooserUI.java @@ -1067,16 +1067,9 @@ public class WindowsFileChooserUI extends BasicFileChooserUI { directories.clear(); - File[] baseFolders; - if (useShellFolder) { - baseFolders = AccessController.doPrivileged(new PrivilegedAction() { - public File[] run() { - return (File[]) ShellFolder.get("fileChooserComboBoxFolders"); - } - }); - } else { - baseFolders = fsv.getRoots(); - } + File[] baseFolders = (useShellFolder) + ? (File[]) ShellFolder.get("fileChooserComboBoxFolders") + : fsv.getRoots(); directories.addAll(Arrays.asList(baseFolders)); // Get the canonical (full) path. This has the side diff --git a/src/share/classes/com/sun/jndi/ldap/BerDecoder.java b/src/share/classes/com/sun/jndi/ldap/BerDecoder.java index 103ce4714bee22fd9700dbe758b6d2ff9f3ee54e..9feefb47feb5307cf1251ca1ccb1ab58120800f6 100644 --- a/src/share/classes/com/sun/jndi/ldap/BerDecoder.java +++ b/src/share/classes/com/sun/jndi/ldap/BerDecoder.java @@ -95,6 +95,9 @@ public final class BerDecoder extends Ber { for( int i = 0; i < lengthbyte; i++) { retval = (retval << 8) + (buf[offset++] & 0xff); } + if (retval < 0) { + throw new DecodeException("Invalid length bytes"); + } return retval; } else { return lengthbyte; diff --git a/src/share/classes/java/lang/ClassLoader.java b/src/share/classes/java/lang/ClassLoader.java index 875f5ec8e9718cae6b60208443831e3c9bb6d520..8bde2f62f2324d212ab8f5cd2e26e31c3caf390a 100644 --- a/src/share/classes/java/lang/ClassLoader.java +++ b/src/share/classes/java/lang/ClassLoader.java @@ -1365,7 +1365,10 @@ public abstract class ClassLoader { return null; SecurityManager sm = System.getSecurityManager(); if (sm != null) { - checkClassLoaderPermission(this, Reflection.getCallerClass()); + // Check access to the parent class loader + // If the caller's class loader is same as this class loader, + // permission check is performed. + checkClassLoaderPermission(parent, Reflection.getCallerClass()); } return parent; } @@ -1508,6 +1511,11 @@ public abstract class ClassLoader { return caller.getClassLoader0(); } + /* + * Checks RuntimePermission("getClassLoader") permission + * if caller's class loader is not null and caller's class loader + * is not the same as or an ancestor of the given cl argument. + */ static void checkClassLoaderPermission(ClassLoader cl, Class caller) { SecurityManager sm = System.getSecurityManager(); if (sm != null) { diff --git a/src/share/classes/java/net/MulticastSocket.java b/src/share/classes/java/net/MulticastSocket.java index 1d42dfe6e87ebb3c4e6f6e64675ada1dca5fa862..40013f7fb6f5b4badf3b6581c5ce0492b39125b9 100644 --- a/src/share/classes/java/net/MulticastSocket.java +++ b/src/share/classes/java/net/MulticastSocket.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1995, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -569,7 +569,7 @@ class MulticastSocket extends DatagramSocket { public NetworkInterface getNetworkInterface() throws SocketException { NetworkInterface ni = (NetworkInterface)getImpl().getOption(SocketOptions.IP_MULTICAST_IF2); - if (ni.getIndex() == 0) { + if ((ni.getIndex() == 0) || (ni.getIndex() == -1)) { InetAddress[] addrs = new InetAddress[1]; addrs[0] = InetAddress.anyLocalAddress(); return new NetworkInterface(addrs[0].getHostName(), 0, addrs); diff --git a/src/share/classes/javax/swing/plaf/metal/MetalFileChooserUI.java b/src/share/classes/javax/swing/plaf/metal/MetalFileChooserUI.java index 677d1f88c8d1cfb1b7d6cdcb301c8c184c1e65af..ddc70c91ce00e78a86c7e6084400b36af6e63344 100644 --- a/src/share/classes/javax/swing/plaf/metal/MetalFileChooserUI.java +++ b/src/share/classes/javax/swing/plaf/metal/MetalFileChooserUI.java @@ -941,16 +941,9 @@ public class MetalFileChooserUI extends BasicFileChooserUI { directories.clear(); - File[] baseFolders; - if (useShellFolder) { - baseFolders = AccessController.doPrivileged(new PrivilegedAction() { - public File[] run() { - return (File[]) ShellFolder.get("fileChooserComboBoxFolders"); - } - }); - } else { - baseFolders = fsv.getRoots(); - } + File[] baseFolders = (useShellFolder) + ? (File[]) ShellFolder.get("fileChooserComboBoxFolders") + : fsv.getRoots(); directories.addAll(Arrays.asList(baseFolders)); // Get the canonical (full) path. This has the side diff --git a/src/share/classes/sun/launcher/resources/launcher_de.properties b/src/share/classes/sun/launcher/resources/launcher_de.properties index 347975cb3e922ca9f33504606b5f39b8100e3058..ea026947531073a802c0791333aa15dc704843b5 100644 --- a/src/share/classes/sun/launcher/resources/launcher_de.properties +++ b/src/share/classes/sun/launcher/resources/launcher_de.properties @@ -34,7 +34,7 @@ java.launcher.ergo.message1 =\ Die Standard-VM ist {0} java.launcher.ergo.message2 =\ weil die Ausf\u00FChrung auf einem Server-Class-Rechner erfolgt.\n # Translators please note do not translate the options themselves -java.launcher.opt.footer =\ -cp \n -classpath \n Eine durch {0} getrennte Liste mit Verzeichnissen, JAR-Archiven\n und ZIP-Archiven zur Suche nach Klassendateien.\n -D=\n Legt eine Systemeigenschaft fest\n -verbose:[class|gc|jni]\n Aktiviert die Verbose-Ausgabe\n -version Druckt Produktversion und beendet das Programm\n -version:\n Erfordert die angegebene Version zur Ausf\u00FChrung\n -showversion Druckt Produktversion und f\u00E4hrt fort\n -jre-restrict-search | -no-jre-restrict-search\n Bezieht private JREs des Benutzers in Versionssuche ein bzw. schlie\u00DFt sie aus\n -? -help Druckt diese Hilfemeldung\n -X Druckt Hilfe zu Nicht-Standardoptionen\n -ea[:...|:]\n -enableassertions[:...|:]\n Aktiviert Assertionen mit angegebener Granularit\u00E4t\n -da[:...|:]\n -disableassertions[:...|:]\n Deaktiviert Assertionen mit angegebener Granularit\u00E4t\n -esa | -enablesystemassertions\n Aktiviert Systemassertionen\n -dsa | -disablesystemassertions\n Deaktiviert Systemassertionen\n -agentlib:[=]\n L\u00E4dt native Agent Library , z.B. -agentlib:hprof\n siehe auch -agentlib:jdwp=help und -agentlib:hprof=help\n -agentpath:[=]\n L\u00E4dt native Agent Library nach vollem Pfadnamen\n -javaagent:[=]\n L\u00E4dt Java-Programmiersprachen-Agent, siehe java.lang.instrument\n -splash:\n Zeigt Startbildschirm mit angegebenem Bild\nWeitere Einzelheiten finden Sie unter http://www.oracle.com/technetwork/java/javase/documentation/index.html +java.launcher.opt.footer =\ -cp \n -classpath \n Eine durch {0} getrennte Liste mit Verzeichnissen, JAR-Archiven\n und ZIP-Archiven zur Suche nach Klassendateien.\n -D=\n Legt eine Systemeigenschaft fest\n -verbose:[class|gc|jni]\n Aktiviert die Verbose-Ausgabe\n -version Druckt Produktversion und beendet das Programm\n -version:\n Erfordert die angegebene Version zur Ausf\u00FChrung\n -showversion Druckt Produktversion und f\u00E4hrt fort\n -jre-restrict-search | -no-jre-restrict-search\n Bezieht private JREs des Benutzers in Versionssuche ein bzw. schlie\u00DFt sie aus\n -? -help Druckt diese Hilfemeldung\n -X Druckt Hilfe zu Nicht-Standardoptionen\n -ea[:...|:]\n -enableassertions[:...|:]\n Aktiviert Assertions mit angegebener Granularit\u00E4t\n -da[:...|:]\n -disableassertions[:...|:]\n Deaktiviert Assertions mit angegebener Granularit\u00E4t\n -esa | -enablesystemassertions\n Aktiviert Systemassertionen\n -dsa | -disablesystemassertions\n Deaktiviert Systemassertionen\n -agentlib:[=]\n L\u00E4dt native Agent Library , z.B. -agentlib:hprof\n siehe auch -agentlib:jdwp=help und -agentlib:hprof=help\n -agentpath:[=]\n L\u00E4dt native Agent Library nach vollem Pfadnamen\n -javaagent:[=]\n L\u00E4dt Java-Programmiersprachen-Agent, siehe java.lang.instrument\n -splash:\n Zeigt Startbildschirm mit angegebenem Bild\nWeitere Einzelheiten finden Sie unter http://www.oracle.com/technetwork/java/javase/documentation/index.html # Translators please note do not translate the options themselves java.launcher.X.usage=\ -Xmixed Ausf\u00FChrung im gemischten Modus (Standard)\n -Xint Nur Ausf\u00FChrung im interpretierten Modus\n -Xbootclasspath:\n Legt Suchpfad f\u00FCr Bootstrap-Klassen und Ressourcen fest\n -Xbootclasspath/a:\n H\u00E4ngt an das Ende des Bootstrap Classpath an\n -Xbootclasspath/p:\n Stellt Bootstrap Classpath voran\n -Xdiag Zeigt zus\u00E4tzliche Diagnosemeldungen an\n -Xnoclassgc Deaktiviert Klassen-Garbage Collection\n -Xincgc Aktiviert inkrementelle Garbage Collection\n -Xloggc: Loggt GC-Status in einer Datei mit Zeitstempeln\n -Xbatch Deaktiviert Hintergrundkompilierung\n -Xms Legt anf\u00E4ngliche Java Heap-Gr\u00F6\u00DFe fest\n -Xmx Legt maximale Java Heap-Gr\u00F6\u00DFe fest\n -Xss Legt Java-Threadstackgr\u00F6\u00DFe fest\n -Xprof Gibt CPU-Profiling-Daten aus\n -Xfuture Aktiviert strengste Pr\u00FCfungen, antizipiert zuk\u00FCnftigen Standardwert\n -Xrs Reduziert Verwendung von BS-Signalen durch Java/VM (siehe Dokumentation)\n -Xcheck:jni F\u00FChrt zus\u00E4tzliche Pr\u00FCfungen f\u00FCr JNI-Funktionen durch\n -Xshare:off Kein Versuch, gemeinsame Klassendaten zu verwenden\n -Xshare:auto Verwendet gemeinsame Klassendaten, wenn m\u00F6glich (Standard)\n -Xshare:on Erfordert die Verwendung gemeinsamer Klassendaten, sonst verl\u00E4uft der Vorgang nicht erfolgreich.\n -XshowSettings Zeigt alle Einstellungen und f\u00E4hrt fort\n -XshowSettings:all\n Zeigt alle Einstellungen und f\u00E4hrt fort\n -XshowSettings:vm Zeigt alle VM-bezogenen Einstellungen und f\u00E4hrt fort\n -XshowSettings:properties\n Zeigt alle Eigenschaftseinstellungen und f\u00E4hrt fort\n -XshowSettings:locale\n Zeigt alle gebietsschemabezogenen Einstellungen und f\u00E4hrt fort\n\nDie -X-Optionen sind keine Standardoptionen und k\u00F6nnen ohne Vorank\u00FCndigung ge\u00E4ndert werden.\n diff --git a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java index 6197861bf3a91465bbc707c5b79a53d3bef622fc..77c2e886916257201c01cc210796e7f60c084e07 100644 --- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java +++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java @@ -336,6 +336,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { /* try auth without calling Authenticator. Used for transparent NTLM authentication */ private boolean tryTransparentNTLMServer = true; private boolean tryTransparentNTLMProxy = true; + private boolean useProxyResponseCode = false; /* Used by Windows specific code */ private Object authObj; @@ -2243,6 +2244,14 @@ public class HttpURLConnection extends java.net.HttpURLConnection { if (tryTransparentNTLMProxy) { tryTransparentNTLMProxy = NTLMAuthenticationProxy.supportsTransparentAuth; + /* If the platform supports transparent authentication + * then normally it's ok to do transparent auth to a proxy + * because we generally trust proxies (chosen by the user) + * But not in the case of 305 response where the server + * chose it. */ + if (tryTransparentNTLMProxy && useProxyResponseCode) { + tryTransparentNTLMProxy = false; + } } a = null; if (tryTransparentNTLMProxy) { @@ -2614,6 +2623,10 @@ public class HttpURLConnection extends java.net.HttpURLConnection { requests.set(0, method + " " + getRequestURI()+" " + httpVersion, null); connected = true; + // need to remember this in case NTLM proxy authentication gets + // used. We can't use transparent authentication when user + // doesn't know about proxy. + useProxyResponseCode = true; } else { // maintain previous headers, just change the name // of the file we're getting diff --git a/src/share/classes/sun/rmi/transport/Transport.java b/src/share/classes/sun/rmi/transport/Transport.java index 217c93682bd1d1ebf365dddde513a0b619c23a97..2fa3f502f1d4fef4193afcd6b6d6b960abf72caa 100644 --- a/src/share/classes/sun/rmi/transport/Transport.java +++ b/src/share/classes/sun/rmi/transport/Transport.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,6 +37,10 @@ import java.rmi.server.RemoteCall; import java.rmi.server.RemoteServer; import java.rmi.server.ServerNotActiveException; import java.security.AccessControlContext; +import java.security.AccessController; +import java.security.Permissions; +import java.security.PrivilegedAction; +import java.security.ProtectionDomain; import sun.rmi.runtime.Log; import sun.rmi.server.Dispatcher; import sun.rmi.server.UnicastServerRef; @@ -68,6 +72,15 @@ public abstract class Transport { /** ObjID for DGCImpl */ private static final ObjID dgcID = new ObjID(ObjID.DGC_ID); + /** AccessControlContext for setting context ClassLoader */ + private static final AccessControlContext SETCCL_ACC; + static { + Permissions perms = new Permissions(); + perms.add(new RuntimePermission("setContextClassLoader")); + ProtectionDomain[] pd = { new ProtectionDomain(null, perms) }; + SETCCL_ACC = new AccessControlContext(pd); + } + /** * Returns a Channel that generates connections to the * endpoint ep. A Channel is an object that creates and @@ -116,6 +129,16 @@ public abstract class Transport { */ protected abstract void checkAcceptPermission(AccessControlContext acc); + /** + * Sets the context class loader for the current thread. + */ + private static void setContextClassLoader(ClassLoader ccl) { + AccessController.doPrivileged((PrivilegedAction)() -> { + Thread.currentThread().setContextClassLoader(ccl); + return null; + }, SETCCL_ACC); + } + /** * Service an incoming remote call. When a message arrives on the * connection indicating the beginning of a remote call, the @@ -164,11 +187,10 @@ public abstract class Transport { target.getAccessControlContext(); ClassLoader ccl = target.getContextClassLoader(); - Thread t = Thread.currentThread(); - ClassLoader savedCcl = t.getContextClassLoader(); + ClassLoader savedCcl = Thread.currentThread().getContextClassLoader(); try { - t.setContextClassLoader(ccl); + setContextClassLoader(ccl); currentTransport.set(this); try { java.security.AccessController.doPrivileged( @@ -183,7 +205,7 @@ public abstract class Transport { throw (IOException) pae.getException(); } } finally { - t.setContextClassLoader(savedCcl); + setContextClassLoader(savedCcl); currentTransport.set(null); } diff --git a/src/share/classes/sun/rmi/transport/tcp/TCPTransport.java b/src/share/classes/sun/rmi/transport/tcp/TCPTransport.java index 24655c2f0b59a0b9d4e4bcdc3b8c268bf67845ac..790e7ac3d827ba6d1eaf47ec24aec33a2e15d5a4 100644 --- a/src/share/classes/sun/rmi/transport/tcp/TCPTransport.java +++ b/src/share/classes/sun/rmi/transport/tcp/TCPTransport.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -49,6 +49,9 @@ import java.rmi.server.ServerNotActiveException; import java.rmi.server.UID; import java.security.AccessControlContext; import java.security.AccessController; +import java.security.Permissions; +import java.security.PrivilegedAction; +import java.security.ProtectionDomain; import java.util.ArrayList; import java.util.LinkedList; import java.util.List; @@ -123,6 +126,14 @@ public class TCPTransport extends Transport { private static final ThreadLocal threadConnectionHandler = new ThreadLocal<>(); + /** an AccessControlContext with no permissions */ + private static final AccessControlContext NOPERMS_ACC; + static { + Permissions perms = new Permissions(); + ProtectionDomain[] pd = { new ProtectionDomain(null, perms) }; + NOPERMS_ACC = new AccessControlContext(pd); + } + /** endpoints for this transport */ private final LinkedList epList; /** number of objects exported on this transport */ @@ -668,7 +679,10 @@ public class TCPTransport extends Transport { t.setName("RMI TCP Connection(" + connectionCount.incrementAndGet() + ")-" + remoteHost); - run0(); + AccessController.doPrivileged((PrivilegedAction)() -> { + run0(); + return null; + }, NOPERMS_ACC); } finally { t.setName(name); } diff --git a/src/share/classes/sun/security/jgss/GSSHeader.java b/src/share/classes/sun/security/jgss/GSSHeader.java index 2eec4b41057e9fc3c42f7e2fd1d1b0577c7010ce..fc34eaeba0f868e60ed7fb3e60727f8671486b41 100644 --- a/src/share/classes/sun/security/jgss/GSSHeader.java +++ b/src/share/classes/sun/security/jgss/GSSHeader.java @@ -270,6 +270,9 @@ public class GSSHeader { value <<= 8; value += 0x0ff & in.read(); } + if (value < 0) { + throw new IOException("Invalid length bytes"); + } } return value; } diff --git a/src/share/classes/sun/security/jgss/GSSNameImpl.java b/src/share/classes/sun/security/jgss/GSSNameImpl.java index 4c44ff44bd4b84334c03fd1c7163ef71efdc1f2d..93ca0858fd5f4d9f0613ac243b9c7571f6eb7e8d 100644 --- a/src/share/classes/sun/security/jgss/GSSNameImpl.java +++ b/src/share/classes/sun/security/jgss/GSSNameImpl.java @@ -257,10 +257,10 @@ public class GSSNameImpl implements GSSName { ((0xFF & bytes[pos++]) << 16) | ((0xFF & bytes[pos++]) << 8) | (0xFF & bytes[pos++])); - if (pos > bytes.length - mechPortionLen) { - throw new GSSExceptionImpl(GSSException.BAD_NAME, - "Exported name mech name is corrupted!"); - } + if (mechPortionLen < 0 || pos > bytes.length - mechPortionLen) { + throw new GSSExceptionImpl(GSSException.BAD_NAME, + "Exported name mech name is corrupted!"); + } byte[] mechPortion = new byte[mechPortionLen]; System.arraycopy(bytes, pos, mechPortion, 0, mechPortionLen); diff --git a/src/share/classes/sun/security/jgss/wrapper/GSSNameElement.java b/src/share/classes/sun/security/jgss/wrapper/GSSNameElement.java index b98dcea6fce1998831a95370261b3dfa4e952edd..46f895bef2a5980767a173564705acec640b9c41 100644 --- a/src/share/classes/sun/security/jgss/wrapper/GSSNameElement.java +++ b/src/share/classes/sun/security/jgss/wrapper/GSSNameElement.java @@ -233,6 +233,9 @@ public class GSSNameElement implements GSSNameSpi { ((0xFF & nameVal[pos++]) << 16) | ((0xFF & nameVal[pos++]) << 8) | (0xFF & nameVal[pos++])); + if (mechPortionLen < 0) { + throw new GSSException(GSSException.BAD_NAME); + } byte[] mechPortion = new byte[mechPortionLen]; System.arraycopy(nameVal, pos, mechPortion, 0, mechPortionLen); return mechPortion; diff --git a/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java b/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java index e7707e84807acf06eaedd390be19dae91ce89976..8ca6e11de2c62bf734b774b6b3716d1a5169b87e 100644 --- a/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java +++ b/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java @@ -118,7 +118,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC } else { type = read(4); } - length = read(4); + length = readLength4(); List result = new ArrayList(); /* * DCE includes the principal's realm in the count; the new format @@ -127,7 +127,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC if (version == KRB5_FCC_FVNO_1) length--; for (int i = 0; i <= length; i++) { - namelength = read(4); + namelength = readLength4(); byte[] bytes = IOUtils.readFully(this, namelength, true); result.add(new String(bytes)); } @@ -184,7 +184,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC keyType = read(2); if (version == KRB5_FCC_FVNO_3) read(2); /* keytype recorded twice in fvno 3 */ - keyLen = read(4); + keyLen = readLength4(); byte[] bytes = IOUtils.readFully(this, keyLen, true); return new EncryptionKey(bytes, keyType, new Integer(version)); } @@ -207,12 +207,12 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC HostAddress[] readAddr() throws IOException, KrbApErrException { int numAddrs, addrType, addrLength; - numAddrs = read(4); + numAddrs = readLength4(); if (numAddrs > 0) { List addrs = new ArrayList<>(); for (int i = 0; i < numAddrs; i++) { addrType = read(2); - addrLength = read(4); + addrLength = readLength4(); if (!(addrLength == 4 || addrLength == 16)) { if (DEBUG) { System.out.println("Incorrect address format."); @@ -231,13 +231,13 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC AuthorizationDataEntry[] readAuth() throws IOException { int num, adtype, adlength; - num = read(4); + num = readLength4(); if (num > 0) { List auData = new ArrayList<>(); byte[] data = null; for (int i = 0; i < num; i++) { adtype = read(2); - adlength = read(4); + adlength = readLength4(); data = IOUtils.readFully(this, adlength, true); auData.add(new AuthorizationDataEntry(adtype, data)); } @@ -248,7 +248,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC byte[] readData() throws IOException { int length; - length = read(4); + length = readLength4(); if (length == 0) { return null; } else { diff --git a/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java b/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java index ee2a8f09ad79270b1811ba8c676b5526c1d5af86..a682dddcba693a25d4548f8cca7ecdc59ea99c97 100644 --- a/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java +++ b/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java @@ -151,43 +151,43 @@ public class FileCredentialsCache extends CredentialsCache synchronized void init(PrincipalName principal, String name) throws IOException, KrbException { primaryPrincipal = principal; - CCacheOutputStream cos = - new CCacheOutputStream(new FileOutputStream(name)); - version = KRB5_FCC_FVNO_3; - cos.writeHeader(primaryPrincipal, version); - cos.close(); + try (FileOutputStream fos = new FileOutputStream(name); + CCacheOutputStream cos = new CCacheOutputStream(fos)) { + version = KRB5_FCC_FVNO_3; + cos.writeHeader(primaryPrincipal, version); + } load(name); } synchronized void load(String name) throws IOException, KrbException { PrincipalName p; - CCacheInputStream cis = - new CCacheInputStream(new FileInputStream(name)); - version = cis.readVersion(); - if (version == KRB5_FCC_FVNO_4) { - tag = cis.readTag(); - } else { - tag = null; - if (version == KRB5_FCC_FVNO_1 || version == KRB5_FCC_FVNO_2) { - cis.setNativeByteOrder(); + try (FileInputStream fis = new FileInputStream(name); + CCacheInputStream cis = new CCacheInputStream(fis)) { + version = cis.readVersion(); + if (version == KRB5_FCC_FVNO_4) { + tag = cis.readTag(); + } else { + tag = null; + if (version == KRB5_FCC_FVNO_1 || version == KRB5_FCC_FVNO_2) { + cis.setNativeByteOrder(); + } } - } - p = cis.readPrincipal(version); + p = cis.readPrincipal(version); - if (primaryPrincipal != null) { - if (!(primaryPrincipal.match(p))) { - throw new IOException("Primary principals don't match."); - } - } else - primaryPrincipal = p; - credentialsList = new Vector (); - while (cis.available() > 0) { - Credentials cred = cis.readCred(version); - if (cred != null) { - credentialsList.addElement(cred); + if (primaryPrincipal != null) { + if (!(primaryPrincipal.match(p))) { + throw new IOException("Primary principals don't match."); + } + } else + primaryPrincipal = p; + credentialsList = new Vector(); + while (cis.available() > 0) { + Credentials cred = cis.readCred(version); + if (cred != null) { + credentialsList.addElement(cred); + } } } - cis.close(); } @@ -246,16 +246,16 @@ public class FileCredentialsCache extends CredentialsCache * Saves the credentials cache file to the disk. */ public synchronized void save() throws IOException, Asn1Exception { - CCacheOutputStream cos - = new CCacheOutputStream(new FileOutputStream(cacheName)); - cos.writeHeader(primaryPrincipal, version); - Credentials[] tmp = null; - if ((tmp = getCredsList()) != null) { - for (int i = 0; i < tmp.length; i++) { - cos.addCreds(tmp[i]); + try (FileOutputStream fos = new FileOutputStream(cacheName); + CCacheOutputStream cos = new CCacheOutputStream(fos)) { + cos.writeHeader(primaryPrincipal, version); + Credentials[] tmp = null; + if ((tmp = getCredsList()) != null) { + for (int i = 0; i < tmp.length; i++) { + cos.addCreds(tmp[i]); + } } } - cos.close(); } boolean match(String[] s1, String[] s2) { diff --git a/src/share/classes/sun/security/krb5/internal/util/KrbDataInputStream.java b/src/share/classes/sun/security/krb5/internal/util/KrbDataInputStream.java index b0057303629035288dd6c0e1c6e853e568794ae8..d7a531bede9fb3076219c18838e03d07eb37bd77 100644 --- a/src/share/classes/sun/security/krb5/internal/util/KrbDataInputStream.java +++ b/src/share/classes/sun/security/krb5/internal/util/KrbDataInputStream.java @@ -56,15 +56,33 @@ public class KrbDataInputStream extends BufferedInputStream{ public KrbDataInputStream(InputStream is){ super(is); } + + /** + * Reads a length value which is represented in 4 bytes from + * this input stream. The value must be positive. + * @return the length value represented by this byte array. + * @throws IOException if there are not enough bytes or it represents + * a negative value + */ + final public int readLength4() throws IOException { + int len = read(4); + if (len < 0) { + throw new IOException("Invalid encoding"); + } + return len; + } + /** * Reads up to the specific number of bytes from this input stream. * @param num the number of bytes to be read. * @return the int value of this byte array. - * @exception IOException. + * @throws IOException if there are not enough bytes */ - public int read(int num) throws IOException{ + public int read(int num) throws IOException { byte[] bytes = new byte[num]; - read(bytes, 0, num); + if (read(bytes, 0, num) != num) { + throw new IOException("Premature end of stream reached"); + } int result = 0; for (int i = 0; i < num; i++) { if (bigEndian) { diff --git a/src/share/classes/sun/security/ssl/ClientHandshaker.java b/src/share/classes/sun/security/ssl/ClientHandshaker.java index 5108528f283b42d7b4806b935b5f967f308da7df..5e253a78227a5f63c5fce35786259ec01aed662c 100644 --- a/src/share/classes/sun/security/ssl/ClientHandshaker.java +++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java @@ -345,6 +345,13 @@ final class ClientHandshaker extends Handshaker { break; case HandshakeMessage.ht_finished: + // A ChangeCipherSpec record must have been received prior to + // reception of the Finished message (RFC 5246, 7.4.9). + if (!receivedChangeCipherSpec()) { + fatalSE(Alerts.alert_handshake_failure, + "Received Finished message before ChangeCipherSpec"); + } + this.serverFinished( new Finished(protocolVersion, input, cipherSuite)); break; diff --git a/src/share/classes/sun/security/ssl/Handshaker.java b/src/share/classes/sun/security/ssl/Handshaker.java index 80c2a518c1bbbc623c23169c5778dff7146411c3..278a75824aded3b2b06cf68bb3ab720a5c27fbe2 100644 --- a/src/share/classes/sun/security/ssl/Handshaker.java +++ b/src/share/classes/sun/security/ssl/Handshaker.java @@ -66,27 +66,27 @@ abstract class Handshaker { ProtocolVersion protocolVersion; // the currently active protocol version during a renegotiation - ProtocolVersion activeProtocolVersion; + ProtocolVersion activeProtocolVersion; // security parameters for secure renegotiation. - boolean secureRenegotiation; - byte[] clientVerifyData; - byte[] serverVerifyData; + boolean secureRenegotiation; + byte[] clientVerifyData; + byte[] serverVerifyData; // Is it an initial negotiation or a renegotiation? - boolean isInitialHandshake; + boolean isInitialHandshake; // List of enabled protocols - private ProtocolList enabledProtocols; + private ProtocolList enabledProtocols; // List of enabled CipherSuites - private CipherSuiteList enabledCipherSuites; + private CipherSuiteList enabledCipherSuites; // The endpoint identification protocol - String identificationProtocol; + String identificationProtocol; // The cryptographic algorithm constraints - private AlgorithmConstraints algorithmConstraints = null; + private AlgorithmConstraints algorithmConstraints = null; // Local supported signature and algorithms Collection localSupportedSignAlgs; @@ -94,8 +94,6 @@ abstract class Handshaker { // Peer supported signature and algorithms Collection peerSupportedSignAlgs; - /* - /* * List of active protocols * @@ -103,7 +101,7 @@ abstract class Handshaker { * contain only those protocols that have vaild cipher suites * enabled. */ - private ProtocolList activeProtocols; + private ProtocolList activeProtocols; /* * List of active cipher suites @@ -111,39 +109,41 @@ abstract class Handshaker { * Active cipher suites is a subset of enabled cipher suites, and will * contain only those cipher suites available for the active protocols. */ - private CipherSuiteList activeCipherSuites; + private CipherSuiteList activeCipherSuites; // The server name indication and matchers - List serverNames = - Collections.emptyList(); - Collection sniMatchers = - Collections.emptyList(); + List serverNames = Collections.emptyList(); + Collection sniMatchers = Collections.emptyList(); - private boolean isClient; - private boolean needCertVerify; + private boolean isClient; + private boolean needCertVerify; - SSLSocketImpl conn = null; - SSLEngineImpl engine = null; + SSLSocketImpl conn = null; + SSLEngineImpl engine = null; - HandshakeHash handshakeHash; - HandshakeInStream input; - HandshakeOutStream output; - int state; - SSLContextImpl sslContext; - RandomCookie clnt_random, svr_random; - SSLSessionImpl session; + HandshakeHash handshakeHash; + HandshakeInStream input; + HandshakeOutStream output; + int state; + SSLContextImpl sslContext; + RandomCookie clnt_random, svr_random; + SSLSessionImpl session; // current CipherSuite. Never null, initially SSL_NULL_WITH_NULL_NULL - CipherSuite cipherSuite; + CipherSuite cipherSuite; // current key exchange. Never null, initially K_NULL - KeyExchange keyExchange; + KeyExchange keyExchange; + + // True if this session is being resumed (fast handshake) + boolean resumingSession; - /* True if this session is being resumed (fast handshake) */ - boolean resumingSession; + // True if it's OK to start a new SSL session + boolean enableNewSession; - /* True if it's OK to start a new SSL session */ - boolean enableNewSession; + // True if session keys have been calculated and the caller may receive + // and process a ChangeCipherSpec message + private boolean sessKeysCalculated; // Whether local cipher suites preference should be honored during // handshaking? @@ -176,7 +176,7 @@ abstract class Handshaker { // here instead of using this lock. Consider changing. private Object thrownLock = new Object(); - /* Class and subclass dynamic debugging support */ + // Class and subclass dynamic debugging support static final Debug debug = Debug.getInstance("ssl"); // By default, disable the unsafe legacy session renegotiation @@ -253,6 +253,7 @@ abstract class Handshaker { this.serverVerifyData = serverVerifyData; enableNewSession = true; invalidated = false; + sessKeysCalculated = false; setCipherSuite(CipherSuite.C_NULL); setEnabledProtocols(enabledProtocols); @@ -359,6 +360,14 @@ abstract class Handshaker { } } + final boolean receivedChangeCipherSpec() { + if (conn != null) { + return conn.receivedChangeCipherSpec(); + } else { + return engine.receivedChangeCipherSpec(); + } + } + String getEndpointIdentificationAlgorithmSE() { SSLParameters paras; if (conn != null) { @@ -491,7 +500,9 @@ abstract class Handshaker { if (activeProtocols.collection().isEmpty() || activeProtocols.max.v == ProtocolVersion.NONE.v) { - throw new SSLHandshakeException("No appropriate protocol"); + throw new SSLHandshakeException( + "No appropriate protocol (protocol is disabled or " + + "cipher suites are inappropriate)"); } if (activeCipherSuites == null) { @@ -670,6 +681,16 @@ abstract class Handshaker { boolean enabledSSL20Hello = false; ArrayList protocols = new ArrayList<>(4); for (ProtocolVersion protocol : enabledProtocols.collection()) { + if (!algorithmConstraints.permits( + EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + protocol.name, null)) { + if (debug != null && Debug.isOn("verbose")) { + System.out.println( + "Ignoring disabled protocol: " + protocol); + } + + continue; + } // Need not to check the SSL20Hello protocol. if (protocol.v == ProtocolVersion.SSL20Hello.v) { enabledSSL20Hello = true; @@ -1224,6 +1245,10 @@ abstract class Handshaker { throw new ProviderException(e); } + // Mark a flag that allows outside entities (like SSLSocket/SSLEngine) + // determine if a ChangeCipherSpec message could be processed. + sessKeysCalculated = true; + // // Dump the connection keys as they're generated. // @@ -1278,6 +1303,15 @@ abstract class Handshaker { } } + /** + * Return whether or not the Handshaker has derived session keys for + * this handshake. This is used for determining readiness to process + * an incoming ChangeCipherSpec message. + */ + boolean sessionKeysCalculated() { + return sessKeysCalculated; + } + private static void printHex(HexDumpEncoder dump, byte[] bytes) { if (bytes == null) { System.out.println("(key bytes not available)"); diff --git a/src/share/classes/sun/security/ssl/ProtocolVersion.java b/src/share/classes/sun/security/ssl/ProtocolVersion.java index fb476416a37d61a8b665162017aafcd8cbc8e9a2..879d0f0040e4bf6d578b260f3600d46a15195456 100644 --- a/src/share/classes/sun/security/ssl/ProtocolVersion.java +++ b/src/share/classes/sun/security/ssl/ProtocolVersion.java @@ -25,6 +25,9 @@ package sun.security.ssl; +import java.util.*; +import java.security.CryptoPrimitive; + /** * Type safe enum for an SSL/TLS protocol version. Instances are obtained * using the static factory methods or by referencing the static members @@ -86,6 +89,11 @@ public final class ProtocolVersion implements Comparable { // Default version for hello messages (SSLv2Hello) final static ProtocolVersion DEFAULT_HELLO = FIPS ? TLS10 : SSL30; + // Available protocols + // + // Including all supported protocols except the disabled ones. + final static Set availableProtocols; + // version in 16 bit MSB format as it appears in records and // messages, i.e. 0x0301 for TLS 1.0 public final int v; @@ -96,6 +104,24 @@ public final class ProtocolVersion implements Comparable { // name used in JSSE (e.g. TLSv1 for TLS 1.0) final String name; + // Initialize the available protocols. + static { + Set protocols = new HashSet<>(5); + + ProtocolVersion[] pvs = new ProtocolVersion[] { + SSL20Hello, SSL30, TLS10, TLS11, TLS12}; + for (ProtocolVersion p : pvs) { + if (SSLAlgorithmConstraints.DEFAULT_SSL_ONLY.permits( + EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + p.name, null)) { + protocols.add(p); + } + } + + availableProtocols = + Collections.unmodifiableSet(protocols); + } + // private private ProtocolVersion(int v, String name) { this.v = v; diff --git a/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java b/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java index d62641bf724657b47690043da42c97b5125a814e..1a8a973e8530ea5380e07366980cb5138f98edc2 100644 --- a/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java +++ b/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java @@ -55,6 +55,14 @@ final class SSLAlgorithmConstraints implements AlgorithmConstraints { private boolean enabledX509DisabledAlgConstraints = true; + // the default algorithm constraints + final static AlgorithmConstraints DEFAULT = + new SSLAlgorithmConstraints(null); + + // the default SSL only algorithm constraints + final static AlgorithmConstraints DEFAULT_SSL_ONLY = + new SSLAlgorithmConstraints((SSLSocket)null, false); + SSLAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) { userAlgConstraints = algorithmConstraints; } diff --git a/src/share/classes/sun/security/ssl/SSLContextImpl.java b/src/share/classes/sun/security/ssl/SSLContextImpl.java index 8f8fb4d44e43e0743b750d9896ebe599d8265ddc..b00a26d3265d293e0af4d98c688f642a042c21e0 100644 --- a/src/share/classes/sun/security/ssl/SSLContextImpl.java +++ b/src/share/classes/sun/security/ssl/SSLContextImpl.java @@ -52,10 +52,6 @@ public abstract class SSLContextImpl extends SSLContextSpi { private X509TrustManager trustManager; private SecureRandom secureRandom; - // The default algrithm constraints - private AlgorithmConstraints defaultAlgorithmConstraints = - new SSLAlgorithmConstraints(null); - // supported and default protocols private ProtocolList defaultServerProtocolList; private ProtocolList defaultClientProtocolList; @@ -350,7 +346,7 @@ public abstract class SSLContextImpl extends SSLContextSpi { if (suite.isAvailable() && suite.obsoleted > protocols.min.v && suite.supported <= protocols.max.v) { - if (defaultAlgorithmConstraints.permits( + if (SSLAlgorithmConstraints.DEFAULT.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) { suites.add(suite); @@ -431,11 +427,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { */ private abstract static class AbstractSSLContext extends SSLContextImpl { // parameters - private final static SSLParameters defaultServerSSLParams; - private final static SSLParameters supportedSSLParams; + private static final SSLParameters defaultServerSSLParams; + private static final SSLParameters supportedSSLParams; static { + // supported SSL parameters supportedSSLParams = new SSLParameters(); + + // candidates for available protocols + ProtocolVersion[] candidates; + if (SunJSSE.isFIPS()) { supportedSSLParams.setProtocols(new String[] { ProtocolVersion.TLS10.name, @@ -443,7 +444,11 @@ public abstract class SSLContextImpl extends SSLContextSpi { ProtocolVersion.TLS12.name }); - defaultServerSSLParams = supportedSSLParams; + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } else { supportedSSLParams.setProtocols(new String[] { ProtocolVersion.SSL20Hello.name, @@ -453,8 +458,18 @@ public abstract class SSLContextImpl extends SSLContextSpi { ProtocolVersion.TLS12.name }); - defaultServerSSLParams = supportedSSLParams; + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL20Hello, + ProtocolVersion.SSL30, + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } + + defaultServerSSLParams = new SSLParameters(); + defaultServerSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } @Override @@ -466,6 +481,22 @@ public abstract class SSLContextImpl extends SSLContextSpi { SSLParameters getSupportedSSLParams() { return supportedSSLParams; } + + static List getAvailableProtocols( + ProtocolVersion[] protocolCandidates) { + + List availableProtocols = Collections.emptyList(); + if (protocolCandidates != null && protocolCandidates.length != 0) { + availableProtocols = new ArrayList<>(protocolCandidates.length); + for (ProtocolVersion p : protocolCandidates) { + if (ProtocolVersion.availableProtocols.contains(p)) { + availableProtocols.add(p.name); + } + } + } + + return availableProtocols; + } } /* @@ -474,21 +505,25 @@ public abstract class SSLContextImpl extends SSLContextSpi { * @see SSLContext */ public static final class TLS10Context extends AbstractSSLContext { - private final static SSLParameters defaultClientSSLParams; + private static final SSLParameters defaultClientSSLParams; static { - defaultClientSSLParams = new SSLParameters(); + // candidates for available protocols + ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.TLS10.name - }); - + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10 + }; } else { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.SSL30.name, - ProtocolVersion.TLS10.name - }); + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL30, + ProtocolVersion.TLS10 + }; } + + defaultClientSSLParams = new SSLParameters(); + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } @Override @@ -503,23 +538,27 @@ public abstract class SSLContextImpl extends SSLContextSpi { * @see SSLContext */ public static final class TLS11Context extends AbstractSSLContext { - private final static SSLParameters defaultClientSSLParams; + private static final SSLParameters defaultClientSSLParams; static { - defaultClientSSLParams = new SSLParameters(); + // candidates for available protocols + ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name - }); - + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.TLS11 + }; } else { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.SSL30.name, - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name - }); + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL30, + ProtocolVersion.TLS10, + ProtocolVersion.TLS11 + }; } + + defaultClientSSLParams = new SSLParameters(); + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } @Override @@ -534,25 +573,29 @@ public abstract class SSLContextImpl extends SSLContextSpi { * @see SSLContext */ public static final class TLS12Context extends AbstractSSLContext { - private final static SSLParameters defaultClientSSLParams; + private static final SSLParameters defaultClientSSLParams; static { - defaultClientSSLParams = new SSLParameters(); + // candidates for available protocols + ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name, - ProtocolVersion.TLS12.name - }); - + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } else { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.SSL30.name, - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name, - ProtocolVersion.TLS12.name - }); + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL30, + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } + + defaultClientSSLParams = new SSLParameters(); + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } @Override @@ -567,8 +610,8 @@ public abstract class SSLContextImpl extends SSLContextSpi { * @see SSLContext */ private static class CustomizedSSLContext extends AbstractSSLContext { - private final static String PROPERTY_NAME = "jdk.tls.client.protocols"; - private final static SSLParameters defaultClientSSLParams; + private static final String PROPERTY_NAME = "jdk.tls.client.protocols"; + private static final SSLParameters defaultClientSSLParams; private static IllegalArgumentException reservedException = null; // Don't want a java.lang.LinkageError for illegal system property. @@ -578,60 +621,74 @@ public abstract class SSLContextImpl extends SSLContextSpi { // the provider service. Instead, let's handle the initialization // exception in constructor. static { + // candidates for available protocols + ProtocolVersion[] candidates; + String property = AccessController.doPrivileged( new GetPropertyAction(PROPERTY_NAME)); - defaultClientSSLParams = new SSLParameters(); if (property == null || property.length() == 0) { // the default enabled client TLS protocols if (SunJSSE.isFIPS()) { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name, - ProtocolVersion.TLS12.name - }); - + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } else { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.SSL30.name, - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name, - ProtocolVersion.TLS12.name - }); + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL30, + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } } else { // remove double quote marks from beginning/end of the property - if (property.charAt(0) == '"' && + if (property.length() > 1 && property.charAt(0) == '"' && property.charAt(property.length() - 1) == '"') { property = property.substring(1, property.length() - 1); } - String[] protocols = property.split(","); + String[] protocols = null; + if (property != null && property.length() != 0) { + protocols = property.split(","); + } else { + reservedException = new IllegalArgumentException( + "No protocol specified in " + + PROPERTY_NAME + " system property"); + protocols = new String[0]; + } + + candidates = new ProtocolVersion[protocols.length]; for (int i = 0; i < protocols.length; i++) { protocols[i] = protocols[i].trim(); // Is it a supported protocol name? try { - ProtocolVersion.valueOf(protocols[i]); + candidates[i] = ProtocolVersion.valueOf(protocols[i]); } catch (IllegalArgumentException iae) { reservedException = new IllegalArgumentException( - PROPERTY_NAME + ": " + protocols[i] + - " is not a standard SSL protocol name", iae); + PROPERTY_NAME + ": " + protocols[i] + + " is not a standard SSL/TLS protocol name", iae); + break; } } if ((reservedException == null) && SunJSSE.isFIPS()) { - for (String protocol : protocols) { - if (ProtocolVersion.SSL20Hello.name.equals(protocol) || - ProtocolVersion.SSL30.name.equals(protocol)) { + for (ProtocolVersion protocolVersion : candidates) { + if (ProtocolVersion.SSL20Hello.v == protocolVersion.v || + ProtocolVersion.SSL30.v == protocolVersion.v) { reservedException = new IllegalArgumentException( - PROPERTY_NAME + ": " + protocol + + PROPERTY_NAME + ": " + protocolVersion + " is not FIPS compliant"); } } } + } - if (reservedException == null) { - defaultClientSSLParams.setProtocols(protocols); - } + defaultClientSSLParams = new SSLParameters(); + if (reservedException == null) { + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } } diff --git a/src/share/classes/sun/security/ssl/SSLEngineImpl.java b/src/share/classes/sun/security/ssl/SSLEngineImpl.java index 7a71a0ecab11a549d9221871ca547a721cd4c030..e021d8ee2c27968ad02c5f2376cdb33e10722d9b 100644 --- a/src/share/classes/sun/security/ssl/SSLEngineImpl.java +++ b/src/share/classes/sun/security/ssl/SSLEngineImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -211,6 +211,11 @@ final public class SSLEngineImpl extends SSLEngine { static final byte clauth_requested = 1; static final byte clauth_required = 2; + /* + * Flag indicating that the engine has received a ChangeCipherSpec message. + */ + private boolean receivedCCS; + /* * Flag indicating if the next record we receive MUST be a Finished * message. Temporarily set during the handshake to ensure that @@ -372,6 +377,7 @@ final public class SSLEngineImpl extends SSLEngine { */ roleIsServer = true; connectionState = cs_START; + receivedCCS = false; // default server name indication serverNames = @@ -1021,6 +1027,7 @@ final public class SSLEngineImpl extends SSLEngine { if (handshaker.invalidated) { handshaker = null; + receivedCCS = false; // if state is cs_RENEGOTIATE, revert it to cs_DATA if (connectionState == cs_RENEGOTIATE) { connectionState = cs_DATA; @@ -1039,6 +1046,7 @@ final public class SSLEngineImpl extends SSLEngine { } handshaker = null; connectionState = cs_DATA; + receivedCCS = false; // No handshakeListeners here. That's a // SSLSocket thing. @@ -1078,13 +1086,25 @@ final public class SSLEngineImpl extends SSLEngine { case Record.ct_change_cipher_spec: if ((connectionState != cs_HANDSHAKE && connectionState != cs_RENEGOTIATE) - || inputRecord.available() != 1 + || !handshaker.sessionKeysCalculated() + || receivedCCS) { + // For the CCS message arriving in the wrong state + fatal(Alerts.alert_unexpected_message, + "illegal change cipher spec msg, conn state = " + + connectionState + ", handshake state = " + + handshaker.state); + } else if (inputRecord.available() != 1 || inputRecord.read() != 1) { + // For structural/content issues with the CCS fatal(Alerts.alert_unexpected_message, - "illegal change cipher spec msg, state = " - + connectionState); + "Malformed change cipher spec msg"); } + // Once we've received CCS, update the flag. + // If the remote endpoint sends it again in this handshake + // we won't process it. + receivedCCS = true; + // // The first message after a change_cipher_spec // record MUST be a "Finished" handshake record, @@ -2120,6 +2140,14 @@ final public class SSLEngineImpl extends SSLEngine { } } + /* + * Returns a boolean indicating whether the ChangeCipherSpec message + * has been received for this handshake. + */ + boolean receivedChangeCipherSpec() { + return receivedCCS; + } + /** * Returns a printable representation of this end of the connection. */ diff --git a/src/share/classes/sun/security/ssl/SSLSocketImpl.java b/src/share/classes/sun/security/ssl/SSLSocketImpl.java index 395a36608fa568a2c6ba5f7ee38b612d73f1a5a1..7b91f3e01da132a6b33097b60c1d03b09c716b00 100644 --- a/src/share/classes/sun/security/ssl/SSLSocketImpl.java +++ b/src/share/classes/sun/security/ssl/SSLSocketImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -171,6 +171,12 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { */ private volatile int connectionState; + /* + * Flag indicating that the engine's handshaker has done the necessary + * steps so the engine may process a ChangeCipherSpec message. + */ + private boolean receivedCCS; + /* * Flag indicating if the next record we receive MUST be a Finished * message. Temporarily set during the handshake to ensure that @@ -587,6 +593,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { */ roleIsServer = isServer; connectionState = cs_START; + receivedCCS = false; /* * default read and write side cipher and MAC support @@ -1045,6 +1052,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { if (handshaker.invalidated) { handshaker = null; + receivedCCS = false; // if state is cs_RENEGOTIATE, revert it to cs_DATA if (connectionState == cs_RENEGOTIATE) { connectionState = cs_DATA; @@ -1060,6 +1068,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { handshakeSession = null; handshaker = null; connectionState = cs_DATA; + receivedCCS = false; // // Tell folk about handshake completion, but do @@ -1107,13 +1116,24 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { case Record.ct_change_cipher_spec: if ((connectionState != cs_HANDSHAKE && connectionState != cs_RENEGOTIATE) - || r.available() != 1 - || r.read() != 1) { + || !handshaker.sessionKeysCalculated() + || receivedCCS) { + // For the CCS message arriving in the wrong state fatal(Alerts.alert_unexpected_message, - "illegal change cipher spec msg, state = " - + connectionState); + "illegal change cipher spec msg, conn state = " + + connectionState + ", handshake state = " + + handshaker.state); + } else if (r.available() != 1 || r.read() != 1) { + // For structural/content issues with the CCS + fatal(Alerts.alert_unexpected_message, + "Malformed change cipher spec msg"); } + // Once we've received CCS, update the flag. + // If the remote endpoint sends it again in this handshake + // we won't process it. + receivedCCS = true; + // // The first message after a change_cipher_spec // record MUST be a "Finished" handshake record, @@ -2550,6 +2570,14 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { } } + /* + * Returns a boolean indicating whether the ChangeCipherSpec message + * has been received for this handshake. + */ + boolean receivedChangeCipherSpec() { + return receivedCCS; + } + // // We allocate a separate thread to deliver handshake completion // events. This ensures that the notifications don't block the diff --git a/src/share/classes/sun/security/ssl/ServerHandshaker.java b/src/share/classes/sun/security/ssl/ServerHandshaker.java index 85c1b4d56f3abff7722be5fd3a1088985f595632..37babc748cf8fbf5103884cd0d9a2078acb27924 100644 --- a/src/share/classes/sun/security/ssl/ServerHandshaker.java +++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java @@ -287,6 +287,13 @@ final class ServerHandshaker extends Handshaker { break; case HandshakeMessage.ht_finished: + // A ChangeCipherSpec record must have been received prior to + // reception of the Finished message (RFC 5246, 7.4.9). + if (!receivedChangeCipherSpec()) { + fatalSE(Alerts.alert_handshake_failure, + "Received Finished message before ChangeCipherSpec"); + } + this.clientFinished( new Finished(protocolVersion, input, cipherSuite)); break; diff --git a/src/share/classes/sun/security/util/DerIndefLenConverter.java b/src/share/classes/sun/security/util/DerIndefLenConverter.java index 66351374e0318446d996b38e316bb405007e2d1f..cbd5ecc00e705b5fa2d745daa4f67589d6b9e6bb 100644 --- a/src/share/classes/sun/security/util/DerIndefLenConverter.java +++ b/src/share/classes/sun/security/util/DerIndefLenConverter.java @@ -156,12 +156,18 @@ class DerIndefLenConverter { } if (isLongForm(lenByte)) { lenByte &= LEN_MASK; - if (lenByte > 4) + if (lenByte > 4) { throw new IOException("Too much data"); - if ((dataSize - dataPos) < (lenByte + 1)) + } + if ((dataSize - dataPos) < (lenByte + 1)) { throw new IOException("Too little data"); - for (int i = 0; i < lenByte; i++) + } + for (int i = 0; i < lenByte; i++) { curLen = (curLen << 8) + (data[dataPos++] & 0xff); + } + if (curLen < 0) { + throw new IOException("Invalid length bytes"); + } } else { curLen = (lenByte & LEN_MASK); } @@ -188,10 +194,15 @@ class DerIndefLenConverter { } if (isLongForm(lenByte)) { lenByte &= LEN_MASK; - for (int i = 0; i < lenByte; i++) + for (int i = 0; i < lenByte; i++) { curLen = (curLen << 8) + (data[dataPos++] & 0xff); - } else + } + if (curLen < 0) { + throw new IOException("Invalid length bytes"); + } + } else { curLen = (lenByte & LEN_MASK); + } writeLength(curLen); writeValue(curLen); } diff --git a/src/share/classes/sun/security/util/DerInputStream.java b/src/share/classes/sun/security/util/DerInputStream.java index e0f77ee7981935aec62b80f11b9b1a698292f502..fc4aee847fae679548c14272aac917472a0ea4cc 100644 --- a/src/share/classes/sun/security/util/DerInputStream.java +++ b/src/share/classes/sun/security/util/DerInputStream.java @@ -566,6 +566,10 @@ public class DerInputStream { value <<= 8; value += 0x0ff & in.read(); } + if (value < 0) { + throw new IOException("DerInputStream.getLength(): " + + "Invalid length bytes"); + } } return value; } diff --git a/src/share/classes/sun/swing/FilePane.java b/src/share/classes/sun/swing/FilePane.java index 6cf3c4d192c6b1ccf36a3f2bf0e7554bde5ed82f..9ae60b5345ad5a4125efd6992cfa5667e02f6a17 100644 --- a/src/share/classes/sun/swing/FilePane.java +++ b/src/share/classes/sun/swing/FilePane.java @@ -1979,20 +1979,24 @@ public class FilePane extends JPanel implements PropertyChangeListener { return false; } - if (f instanceof ShellFolder) { - return f.canWrite(); - } else { - if (usesShellFolder(getFileChooser())) { - try { - return ShellFolder.getShellFolder(f).canWrite(); - } catch (FileNotFoundException ex) { - // File doesn't exist - return false; - } - } else { - // Ordinary file + try { + if (f instanceof ShellFolder) { return f.canWrite(); + } else { + if (usesShellFolder(getFileChooser())) { + try { + return ShellFolder.getShellFolder(f).canWrite(); + } catch (FileNotFoundException ex) { + // File doesn't exist + return false; + } + } else { + // Ordinary file + return f.canWrite(); + } } + } catch (SecurityException e) { + return false; } } diff --git a/src/share/classes/sun/swing/WindowsPlacesBar.java b/src/share/classes/sun/swing/WindowsPlacesBar.java index 8b033ca3e7f7774b46fe6e51745b4914fbcb4c72..2a693294c9e082f3954e4b005813ede2b21ac485 100644 --- a/src/share/classes/sun/swing/WindowsPlacesBar.java +++ b/src/share/classes/sun/swing/WindowsPlacesBar.java @@ -81,11 +81,7 @@ public class WindowsPlacesBar extends JToolBar setBackground(bgColor); FileSystemView fsv = fc.getFileSystemView(); - files = AccessController.doPrivileged(new PrivilegedAction() { - public File[] run() { - return (File[]) ShellFolder.get("fileChooserShortcutPanelFolders"); - } - }); + files = (File[]) ShellFolder.get("fileChooserShortcutPanelFolders"); buttons = new JToggleButton[files.length]; buttonGroup = new ButtonGroup(); diff --git a/src/share/classes/sun/swing/plaf/synth/SynthFileChooserUIImpl.java b/src/share/classes/sun/swing/plaf/synth/SynthFileChooserUIImpl.java index 37792070d2eaf18a5b08e47adb23baedd63895f6..047952cd69c453b1c7a0e58a3a3f05efdbf74b85 100644 --- a/src/share/classes/sun/swing/plaf/synth/SynthFileChooserUIImpl.java +++ b/src/share/classes/sun/swing/plaf/synth/SynthFileChooserUIImpl.java @@ -769,16 +769,9 @@ public class SynthFileChooserUIImpl extends SynthFileChooserUI { fireIntervalRemoved(this, 0, oldSize); } - File[] baseFolders; - if (useShellFolder) { - baseFolders = AccessController.doPrivileged(new PrivilegedAction() { - public File[] run() { - return (File[]) ShellFolder.get("fileChooserComboBoxFolders"); - } - }); - } else { - baseFolders = fsv.getRoots(); - } + File[] baseFolders = (useShellFolder) + ? (File[]) ShellFolder.get("fileChooserComboBoxFolders") + : fsv.getRoots(); directories.addAll(Arrays.asList(baseFolders)); // Get the canonical (full) path. This has the side diff --git a/src/share/lib/security/java.security-aix b/src/share/lib/security/java.security-aix index d31a1e37005a0fb8f56709a9718d56162504faec..81ce1d72f87519e5a63e89f56a4ff9bb34b50004 100644 --- a/src/share/lib/security/java.security-aix +++ b/src/share/lib/security/java.security-aix @@ -210,8 +210,8 @@ package.access=sun.,\ org.jcp.xml.dsig.internal.,\ jdk.internal.,\ jdk.nashorn.internal.,\ - jdk.nashorn.tools. - + jdk.nashorn.tools.,\ + com.sun.activation.registries. # # List of comma-separated packages that start with or equal this string @@ -257,8 +257,8 @@ package.definition=sun.,\ org.jcp.xml.dsig.internal.,\ jdk.internal.,\ jdk.nashorn.internal.,\ - jdk.nashorn.tools. - + jdk.nashorn.tools.,\ + com.sun.activation.registries. # # Determines whether this properties file can be appended to @@ -479,8 +479,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # # In some environments, certain algorithms or key lengths may be undesirable # when using SSL/TLS. This section describes the mechanism for disabling -# algorithms during SSL/TLS security parameters negotiation, including cipher -# suites selection, peer authentication and key exchange mechanisms. +# algorithms during SSL/TLS security parameters negotiation, including +# protocol version negotiation, cipher suites selection, peer authentication +# and key exchange mechanisms. +# +# Disabled algorithms will not be negotiated for SSL/TLS connections, even +# if they are enabled explicitly in an application. # # For PKI-based peer authentication and key exchange mechanisms, this list # of disabled algorithms will also be checked during certification path @@ -495,4 +499,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # It is not guaranteed to be examined and used by other implementations. # # Example: -# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 +# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=SSLv3 diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux index bb71a15a4e8fa83cf7dd90a8a64de013f0df9c3e..81ce1d72f87519e5a63e89f56a4ff9bb34b50004 100644 --- a/src/share/lib/security/java.security-linux +++ b/src/share/lib/security/java.security-linux @@ -479,8 +479,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # # In some environments, certain algorithms or key lengths may be undesirable # when using SSL/TLS. This section describes the mechanism for disabling -# algorithms during SSL/TLS security parameters negotiation, including cipher -# suites selection, peer authentication and key exchange mechanisms. +# algorithms during SSL/TLS security parameters negotiation, including +# protocol version negotiation, cipher suites selection, peer authentication +# and key exchange mechanisms. +# +# Disabled algorithms will not be negotiated for SSL/TLS connections, even +# if they are enabled explicitly in an application. # # For PKI-based peer authentication and key exchange mechanisms, this list # of disabled algorithms will also be checked during certification path @@ -495,4 +499,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # It is not guaranteed to be examined and used by other implementations. # # Example: -# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 +# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=SSLv3 diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx index 78eeb8e1d1028bf2eeaef5d99c7a5fd2eaf4e2e7..d72511b81e40dd7515bf44eee5d7b9d83d06be71 100644 --- a/src/share/lib/security/java.security-macosx +++ b/src/share/lib/security/java.security-macosx @@ -482,8 +482,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # # In some environments, certain algorithms or key lengths may be undesirable # when using SSL/TLS. This section describes the mechanism for disabling -# algorithms during SSL/TLS security parameters negotiation, including cipher -# suites selection, peer authentication and key exchange mechanisms. +# algorithms during SSL/TLS security parameters negotiation, including +# protocol version negotiation, cipher suites selection, peer authentication +# and key exchange mechanisms. +# +# Disabled algorithms will not be negotiated for SSL/TLS connections, even +# if they are enabled explicitly in an application. # # For PKI-based peer authentication and key exchange mechanisms, this list # of disabled algorithms will also be checked during certification path @@ -498,4 +502,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # It is not guaranteed to be examined and used by other implementations. # # Example: -# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 +# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=SSLv3 diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris index e153e1585dbb1589a56d6bfb67709da40f03a6f3..92d0358bfd51c0384d3823ee02f6ec2d51aff385 100644 --- a/src/share/lib/security/java.security-solaris +++ b/src/share/lib/security/java.security-solaris @@ -481,8 +481,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # # In some environments, certain algorithms or key lengths may be undesirable # when using SSL/TLS. This section describes the mechanism for disabling -# algorithms during SSL/TLS security parameters negotiation, including cipher -# suites selection, peer authentication and key exchange mechanisms. +# algorithms during SSL/TLS security parameters negotiation, including +# protocol version negotiation, cipher suites selection, peer authentication +# and key exchange mechanisms. +# +# Disabled algorithms will not be negotiated for SSL/TLS connections, even +# if they are enabled explicitly in an application. # # For PKI-based peer authentication and key exchange mechanisms, this list # of disabled algorithms will also be checked during certification path @@ -497,4 +501,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # It is not guaranteed to be examined and used by other implementations. # # Example: -# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 +# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=SSLv3 diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows index e10b953e914df2186f96c15d073e59cf76514a49..41907ee673bfed97b5bae70f35be6a999d3a5599 100644 --- a/src/share/lib/security/java.security-windows +++ b/src/share/lib/security/java.security-windows @@ -482,8 +482,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # # In some environments, certain algorithms or key lengths may be undesirable # when using SSL/TLS. This section describes the mechanism for disabling -# algorithms during SSL/TLS security parameters negotiation, including cipher -# suites selection, peer authentication and key exchange mechanisms. +# algorithms during SSL/TLS security parameters negotiation, including +# protocol version negotiation, cipher suites selection, peer authentication +# and key exchange mechanisms. +# +# Disabled algorithms will not be negotiated for SSL/TLS connections, even +# if they are enabled explicitly in an application. # # For PKI-based peer authentication and key exchange mechanisms, this list # of disabled algorithms will also be checked during certification path @@ -498,4 +502,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # It is not guaranteed to be examined and used by other implementations. # # Example: -# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 +# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=SSLv3 diff --git a/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp b/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp index e985b81cb53e643520baa9960dadb580d177bbdb..cbee0ba7097a2a3826cf5d44f032eb5cacd8038e 100644 --- a/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp +++ b/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp @@ -583,6 +583,8 @@ le_uint32 ChainingContextualSubstitutionFormat2Subtable::process(const LETableRe LEReferenceTo chainSubClassRuleTable(chainSubClassSetTable, success, chainSubClassRuleTableOffset); le_uint16 backtrackGlyphCount = SWAPW(chainSubClassRuleTable->backtrackGlyphCount); + LEReferenceToArrayOf backtrackClassArray(base, success, chainSubClassRuleTable->backtrackClassArray, backtrackGlyphCount); + if( LE_FAILURE(success) ) { return 0; } le_uint16 inputGlyphCount = SWAPW(chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount]) - 1; LEReferenceToArrayOf inputClassArray(base, success, &chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount + 1],inputGlyphCount+2); // +2 for the lookaheadGlyphCount count le_uint16 lookaheadGlyphCount = SWAPW(inputClassArray.getObject(inputGlyphCount, success)); @@ -599,8 +601,6 @@ le_uint32 ChainingContextualSubstitutionFormat2Subtable::process(const LETableRe } tempIterator.prev(); - LEReferenceToArrayOf backtrackClassArray(base, success, chainSubClassRuleTable->backtrackClassArray, backtrackGlyphCount); - if( LE_FAILURE(success) ) { return 0; } if (! matchGlyphClasses(backtrackClassArray, backtrackGlyphCount, &tempIterator, backtrackClassDefinitionTable, success, TRUE)) { continue; diff --git a/src/share/native/sun/font/layout/CursiveAttachmentSubtables.cpp b/src/share/native/sun/font/layout/CursiveAttachmentSubtables.cpp index 63583289fd7e1d9c60cc001eff77b425ba293571..f2c9f95ac7065614e6d4d71cd59c0e942154b803 100644 --- a/src/share/native/sun/font/layout/CursiveAttachmentSubtables.cpp +++ b/src/share/native/sun/font/layout/CursiveAttachmentSubtables.cpp @@ -45,6 +45,9 @@ le_uint32 CursiveAttachmentSubtable::process(const LEReferenceTo + entryExitRecordsArrayRef(base, success, entryExitRecords, coverageIndex); + if (coverageIndex < 0 || coverageIndex >= eeCount || LE_FAILURE(success)) { glyphIterator->setCursiveGlyph(); return 0; diff --git a/src/share/native/sun/font/layout/Features.cpp b/src/share/native/sun/font/layout/Features.cpp index b44ae2e8e874eaf6af370708083bf80acc1bde62..6c6bcc8b331f2a7f234cffcfabf61078a0ef6742 100644 --- a/src/share/native/sun/font/layout/Features.cpp +++ b/src/share/native/sun/font/layout/Features.cpp @@ -40,6 +40,9 @@ U_NAMESPACE_BEGIN LEReferenceTo FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const { + LEReferenceToArrayOf + featureRecordArrayRef(base, success, featureRecordArray, featureIndex); + if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) { return LEReferenceTo(); } diff --git a/src/share/native/sun/font/layout/LETableReference.h b/src/share/native/sun/font/layout/LETableReference.h index ea12c18cb0690e9a4b21c891b4ba9b04f3ccb281..6afd3c1c13bafdf9864eba382bb1919803c1631e 100644 --- a/src/share/native/sun/font/layout/LETableReference.h +++ b/src/share/native/sun/font/layout/LETableReference.h @@ -470,7 +470,12 @@ _TRTRACE("INFO: new RTAO") #endif const T& getObject(le_uint32 i, LEErrorCode &success) const { - return *getAlias(i,success); + const T *ret = getAlias(i, success); + if (LE_FAILURE(success) || ret==NULL) { + return *(new T(0)); + } else { + return *ret; + } } /** diff --git a/src/share/native/sun/font/layout/LigatureSubstSubtables.cpp b/src/share/native/sun/font/layout/LigatureSubstSubtables.cpp index 9e7120eb64bcc6dda4b4471d85e98a19d002fed5..8e0e7cdd2b86fff361051d02c9f5fa98c4e8fdeb 100644 --- a/src/share/native/sun/font/layout/LigatureSubstSubtables.cpp +++ b/src/share/native/sun/font/layout/LigatureSubstSubtables.cpp @@ -64,6 +64,9 @@ le_uint32 LigatureSubstitutionSubtable::process(const LETableReference &base, Gl LEReferenceTo ligTable(ligSetTable, success, ligTableOffset); if(LE_FAILURE(success)) { return 0; } le_uint16 compCount = SWAPW(ligTable->compCount) - 1; + LEReferenceToArrayOf + componentArrayRef(base, success, ligTable->componentArray, compCount); + if (LE_FAILURE(success)) { return 0; } le_int32 startPosition = glyphIterator->getCurrStreamPosition(); TTGlyphID ligGlyph = SWAPW(ligTable->ligGlyph); le_uint16 comp; diff --git a/src/share/native/sun/font/layout/MultipleSubstSubtables.cpp b/src/share/native/sun/font/layout/MultipleSubstSubtables.cpp index 5ff16fe48b245c7118a8aa784e32c4c36c9bea71..5ed9a3a532cb5b36856025691953c573ff9bf9dd 100644 --- a/src/share/native/sun/font/layout/MultipleSubstSubtables.cpp +++ b/src/share/native/sun/font/layout/MultipleSubstSubtables.cpp @@ -61,6 +61,8 @@ le_uint32 MultipleSubstitutionSubtable::process(const LETableReference &base, Gl le_int32 coverageIndex = getGlyphCoverage(base, glyph, success); le_uint16 seqCount = SWAPW(sequenceCount); + LEReferenceToArrayOf + sequenceTableOffsetArrayRef(base, success, sequenceTableOffsetArray, seqCount); if (LE_FAILURE(success)) { return 0; diff --git a/src/solaris/native/java/net/NetworkInterface.c b/src/solaris/native/java/net/NetworkInterface.c index 7ee0c38c64accb4cf9b825e720c284c8d6b83b70..09ab89c2fef497edd4d9627dc7db92abd3e633aa 100644 --- a/src/solaris/native/java/net/NetworkInterface.c +++ b/src/solaris/native/java/net/NetworkInterface.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -570,9 +570,14 @@ JNIEXPORT jint JNICALL Java_java_net_NetworkInterface_getMTU0(JNIEnv *env, jclas jboolean isCopy; int ret = -1; int sock; - const char* name_utf; + const char* name_utf = NULL; - name_utf = (*env)->GetStringUTFChars(env, name, &isCopy); + if (name != NULL) { + name_utf = (*env)->GetStringUTFChars(env, name, &isCopy); + } else { + JNU_ThrowNullPointerException(env, "network interface name is NULL"); + return ret; + } if (name_utf == NULL) { if (!(*env)->ExceptionCheck(env)) JNU_ThrowOutOfMemoryError(env, NULL); @@ -600,7 +605,12 @@ static int getFlags0(JNIEnv *env, jstring name) { const char* name_utf; int flags = 0; - name_utf = (*env)->GetStringUTFChars(env, name, &isCopy); + if (name != NULL) { + name_utf = (*env)->GetStringUTFChars(env, name, &isCopy); + } else { + JNU_ThrowNullPointerException(env, "network interface name is NULL"); + return -1; + } if (name_utf == NULL) { if (!(*env)->ExceptionCheck(env)) JNU_ThrowOutOfMemoryError(env, NULL); @@ -1474,7 +1484,12 @@ static int getMTU(JNIEnv *env, int sock, const char *ifname) { struct ifreq if2; memset((char *) &if2, 0, sizeof(if2)); - strcpy(if2.ifr_name, ifname); + if (ifname != NULL) { + strcpy(if2.ifr_name, ifname); + } else { + JNU_ThrowNullPointerException(env, "network interface name is NULL"); + return -1; + } if (ioctl(sock, SIOCGIFMTU, (char *)&if2) < 0) { NET_ThrowByNameWithLastError(env, JNU_JAVANETPKG "SocketException", "IOCTL SIOCGIFMTU failed"); diff --git a/src/solaris/native/java/net/PlainDatagramSocketImpl.c b/src/solaris/native/java/net/PlainDatagramSocketImpl.c index 86c3a70404c77c9f9003415669d78c6719cc78dd..0a8a3a4d8f132f22aeb8b2d597045a26f5d2473b 100644 --- a/src/solaris/native/java/net/PlainDatagramSocketImpl.c +++ b/src/solaris/native/java/net/PlainDatagramSocketImpl.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1474,10 +1474,12 @@ jobject getMulticastInterface(JNIEnv *env, jobject this, int fd, jint opt) { static jmethodID ni_ctrID; static jfieldID ni_indexID; static jfieldID ni_addrsID; + static jfieldID ni_nameID; jobjectArray addrArray; jobject addr; jobject ni; + jobject ni_name; struct in_addr in; struct in_addr *inP = ∈ @@ -1527,6 +1529,8 @@ jobject getMulticastInterface(JNIEnv *env, jobject this, int fd, jint opt) { ni_addrsID = (*env)->GetFieldID(env, c, "addrs", "[Ljava/net/InetAddress;"); CHECK_NULL_RETURN(ni_addrsID, NULL); + ni_nameID = (*env)->GetFieldID(env, c,"name", "Ljava/lang/String;"); + CHECK_NULL_RETURN(ni_nameID, NULL); ni_class = (*env)->NewGlobalRef(env, c); CHECK_NULL_RETURN(ni_class, NULL); } @@ -1548,6 +1552,10 @@ jobject getMulticastInterface(JNIEnv *env, jobject this, int fd, jint opt) { CHECK_NULL_RETURN(addrArray, NULL); (*env)->SetObjectArrayElement(env, addrArray, 0, addr); (*env)->SetObjectField(env, ni, ni_addrsID, addrArray); + ni_name = (*env)->NewStringUTF(env, ""); + if (ni_name != NULL) { + (*env)->SetObjectField(env, ni, ni_nameID, ni_name); + } return ni; } @@ -1564,14 +1572,16 @@ jobject getMulticastInterface(JNIEnv *env, jobject this, int fd, jint opt) { static jfieldID ni_indexID; static jfieldID ni_addrsID; static jclass ia_class; + static jfieldID ni_nameID; static jmethodID ia_anyLocalAddressID; - int index; + int index = 0; int len = sizeof(index); jobjectArray addrArray; jobject addr; jobject ni; + jobject ni_name; if (JVM_GetSockOpt(fd, IPPROTO_IPV6, IPV6_MULTICAST_IF, (char*)&index, &len) < 0) { @@ -1600,6 +1610,8 @@ jobject getMulticastInterface(JNIEnv *env, jobject this, int fd, jint opt) { "anyLocalAddress", "()Ljava/net/InetAddress;"); CHECK_NULL_RETURN(ia_anyLocalAddressID, NULL); + ni_nameID = (*env)->GetFieldID(env, c,"name", "Ljava/lang/String;"); + CHECK_NULL_RETURN(ni_nameID, NULL); ni_class = (*env)->NewGlobalRef(env, c); CHECK_NULL_RETURN(ni_class, NULL); } @@ -1660,6 +1672,10 @@ jobject getMulticastInterface(JNIEnv *env, jobject this, int fd, jint opt) { CHECK_NULL_RETURN(addrArray, NULL); (*env)->SetObjectArrayElement(env, addrArray, 0, addr); (*env)->SetObjectField(env, ni, ni_addrsID, addrArray); + ni_name = (*env)->NewStringUTF(env, ""); + if (ni_name != NULL) { + (*env)->SetObjectField(env, ni, ni_nameID, ni_name); + } return ni; } #endif diff --git a/src/windows/classes/sun/awt/shell/Win32ShellFolderManager2.java b/src/windows/classes/sun/awt/shell/Win32ShellFolderManager2.java index 41ba690f304556ce872a9ac3be30dc0c73ce58f2..0a0c3fb6ab53f069aad19d596695c16313635913 100644 --- a/src/windows/classes/sun/awt/shell/Win32ShellFolderManager2.java +++ b/src/windows/classes/sun/awt/shell/Win32ShellFolderManager2.java @@ -36,6 +36,7 @@ import java.security.PrivilegedAction; import java.util.*; import java.util.List; import java.util.concurrent.*; +import java.util.stream.Stream; import static sun.awt.shell.Win32ShellFolder2.*; import sun.awt.OSInfo; @@ -251,7 +252,7 @@ public class Win32ShellFolderManager2 extends ShellFolderManager { if (file == null) { file = getDesktop(); } - return file; + return checkFile(file); } else if (key.equals("roots")) { // Should be "History" and "Desktop" ? if (roots == null) { @@ -262,11 +263,11 @@ public class Win32ShellFolderManager2 extends ShellFolderManager { roots = (File[])super.get(key); } } - return roots; + return checkFiles(roots); } else if (key.equals("fileChooserComboBoxFolders")) { Win32ShellFolder2 desktop = getDesktop(); - if (desktop != null) { + if (desktop != null && checkFile(desktop) != null) { ArrayList folders = new ArrayList(); Win32ShellFolder2 drives = getDrives(); @@ -277,7 +278,7 @@ public class Win32ShellFolderManager2 extends ShellFolderManager { folders.add(desktop); // Add all second level folders - File[] secondLevelFolders = desktop.listFiles(); + File[] secondLevelFolders = checkFiles(desktop.listFiles()); Arrays.sort(secondLevelFolders); for (File secondLevelFolder : secondLevelFolders) { Win32ShellFolder2 folder = (Win32ShellFolder2) secondLevelFolder; @@ -285,7 +286,7 @@ public class Win32ShellFolderManager2 extends ShellFolderManager { folders.add(folder); // Add third level for "My Computer" if (folder.equals(drives)) { - File[] thirdLevelFolders = folder.listFiles(); + File[] thirdLevelFolders = checkFiles(folder.listFiles()); if (thirdLevelFolders != null && thirdLevelFolders.length > 0) { List thirdLevelFoldersList = Arrays.asList(thirdLevelFolders); @@ -295,7 +296,7 @@ public class Win32ShellFolderManager2 extends ShellFolderManager { } } } - return folders.toArray(new File[folders.size()]); + return checkFiles(folders); } else { return super.get(key); } @@ -332,7 +333,7 @@ public class Win32ShellFolderManager2 extends ShellFolderManager { } } } - return folders.toArray(new File[folders.size()]); + return checkFiles(folders); } else if (key.startsWith("fileChooserIcon ")) { String name = key.substring(key.indexOf(" ") + 1); @@ -378,6 +379,41 @@ public class Win32ShellFolderManager2 extends ShellFolderManager { return null; } + private File checkFile(File file) { + SecurityManager sm = System.getSecurityManager(); + return (sm == null || file == null) ? file : checkFile(file, sm); + } + + private File checkFile(File file, SecurityManager sm) { + try { + sm.checkRead(file.getPath()); + return file; + } catch (SecurityException se) { + return null; + } + } + + private File[] checkFiles(File[] files) { + SecurityManager sm = System.getSecurityManager(); + if (sm == null || files == null || files.length == 0) { + return files; + } + return checkFiles(Arrays.stream(files), sm); + } + + private File[] checkFiles(List files) { + SecurityManager sm = System.getSecurityManager(); + if (sm == null || files.isEmpty()) { + return files.toArray(new File[files.size()]); + } + return checkFiles(files.stream(), sm); + } + + private File[] checkFiles(Stream filesStream, SecurityManager sm) { + return filesStream.filter((file) -> checkFile(file, sm) != null) + .toArray(File[]::new); + } + /** * Does dir represent a "computer" such as a node on the network, or * "My Computer" on the desktop. diff --git a/test/javax/swing/JFileChooser/8062561/bug8062561.java b/test/javax/swing/JFileChooser/8062561/bug8062561.java new file mode 100644 index 0000000000000000000000000000000000000000..3802de38b2244980b5a2ba675a769d94659a809a --- /dev/null +++ b/test/javax/swing/JFileChooser/8062561/bug8062561.java @@ -0,0 +1,210 @@ +/* + * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.awt.Robot; +import java.awt.event.KeyEvent; +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.io.PrintWriter; +import java.util.concurrent.TimeUnit; +import javax.swing.JFileChooser; +import javax.swing.SwingUtilities; +import javax.swing.filechooser.FileSystemView; +import sun.awt.OSInfo; + +/** + * @test + * @bug 8062561 + * @summary File system view returns null default directory + * @run main/othervm bug8062561 GENERATE_POLICY + * @run main/othervm/policy=security.policy bug8062561 CHECK_DEFAULT_DIR run + */ +public class bug8062561 { + + private static final String POLICY_FILE = "security2.policy"; + private static volatile boolean fileChooserIsShown = false; + + public static void main(String[] args) throws Exception { + + String test = args[0]; + + switch (test) { + case "GENERATE_POLICY": + generatePolicyFile(); + break; + case "CHECK_DEFAULT_DIR": + checkDefaultDirectory(); + break; + case "CHECK_FILE_CHOOSER": + checkFileChooser(); + break; + default: + throw new RuntimeException("Wrong argument!"); + } + } + + private static void checkDefaultDirectory() { + if (System.getSecurityManager() == null) { + throw new RuntimeException("Security manager is not set!"); + } + + File defaultDirectory = FileSystemView.getFileSystemView(). + getDefaultDirectory(); + if (defaultDirectory != null) { + throw new RuntimeException("File system default directory is null!"); + } + } + private static volatile JFileChooser fileChooser; + + private static void checkFileChooser() throws Exception { + if (System.getSecurityManager() == null) { + throw new RuntimeException("Security manager is not set!"); + } + + Robot robot = new Robot(); + robot.setAutoDelay(50); + + SwingUtilities.invokeLater(new Runnable() { + + public void run() { + fileChooser = new JFileChooser(); + fileChooser.showOpenDialog(null); + fileChooserIsShown = true; + System.out.println("Start file chooser: " + fileChooserIsShown); + } + }); + + long time = System.currentTimeMillis(); + while (fileChooser == null) { + if (System.currentTimeMillis() - time >= 10000) { + throw new RuntimeException("FileChoser is not shown!"); + } + Thread.sleep(500); + } + + Thread.sleep(500); + robot.keyPress(KeyEvent.VK_ESCAPE); + robot.keyRelease(KeyEvent.VK_ESCAPE); + System.exit(0); + } + + private static void generatePolicyFile() throws Exception { + if (System.getSecurityManager() != null) { + throw new RuntimeException("Security manager should be null!"); + } + + if (!OSInfo.getOSType().equals(OSInfo.OSType.WINDOWS)) { + return; + } + + File defaultDirectory = FileSystemView.getFileSystemView(). + getDefaultDirectory(); + + if (defaultDirectory == null) { + throw new RuntimeException("Default directory is null!"); + } + + File policyFile = new File(POLICY_FILE); + if (!policyFile.exists()) { + policyFile.createNewFile(); + } + + try (PrintWriter writer = new PrintWriter(policyFile, "UTF-8")) { + writer.println("grant {"); + String documents = defaultDirectory.getCanonicalPath(); + documents = documents.replace('\\', '/'); + // Documents permission + writer.print(" permission java.io.FilePermission"); + writer.print(" \"" + documents + "\","); + writer.println(" \"read\";"); + // Desktop permission + writer.print(" permission java.io.FilePermission"); + writer.print(" \"" + documents.replace("Documents", "Desktop") + "\","); + writer.println(" \"read\";"); + // robot permission // "java.awt.AWTPermission" "createRobot" + writer.print(" permission java.awt.AWTPermission"); + writer.println(" \"createRobot\";"); + writer.println("};"); + } + + performTest(); + } + + private static void performTest() throws Exception { + String javaPath = System.getProperty("java.home", ""); + String command = javaPath + File.separator + "bin" + File.separator + "java" + + " -Djava.security.manager -Djava.security.policy=" + POLICY_FILE + + " bug8062561 CHECK_FILE_CHOOSER"; + System.out.println(command); + boolean processExit = false; + + Process process = Runtime.getRuntime().exec(command); + + try { + processExit = process.waitFor(20, TimeUnit.SECONDS); + } catch (IllegalThreadStateException e) { + throw new RuntimeException(e); + } + System.out.println("[RESULT] : " + + "The sub process has cleanly exited : PASS"); + + InputStream errorStream = process.getErrorStream(); + System.out.println("========= Child process stderr ========"); + boolean exception = dumpStream(errorStream); + if (exception) { + throw new RuntimeException("[RESULT] :" + + " Exception in child process : FAIL"); + } + System.out.println("======================================="); + + InputStream processInputStream = process.getInputStream(); + System.out.println("========= Child process output ========"); + dumpStream(processInputStream); + System.out.println("======================================="); + + if (!processExit) { + process.destroy(); + throw new RuntimeException("[RESULT] : " + + "The sub process has not exited : FAIL"); + } + } + + public static boolean dumpStream(InputStream in) throws IOException { + String tempString; + int count = in.available(); + boolean exception = false; + while (count > 0) { + byte[] b = new byte[count]; + in.read(b); + tempString = new String(b); + if (!exception) { + exception = tempString.indexOf("Exception") != -1; + } + System.out.println(tempString); + count = in.available(); + } + + return exception; + } +} diff --git a/test/javax/swing/JFileChooser/8062561/security.policy b/test/javax/swing/JFileChooser/8062561/security.policy new file mode 100644 index 0000000000000000000000000000000000000000..50d3e102fcf3563e27cc64acbbd3dc3ceeef0d58 --- /dev/null +++ b/test/javax/swing/JFileChooser/8062561/security.policy @@ -0,0 +1,4 @@ +grant { + + permission java.util.PropertyPermission "user.home", "read"; +}; diff --git a/test/javax/swing/JFileChooser/8062561/security2.policy b/test/javax/swing/JFileChooser/8062561/security2.policy new file mode 100644 index 0000000000000000000000000000000000000000..30de1d078d3d8fd5802c015209534eeea79f4ddf --- /dev/null +++ b/test/javax/swing/JFileChooser/8062561/security2.policy @@ -0,0 +1 @@ +// Autogenerated file \ No newline at end of file diff --git a/test/sun/security/ec/TestEC.java b/test/sun/security/ec/TestEC.java index 155e06ab0272e20dc643b5042ad77e4783ff4d37..1542c7d379299fb9976e8d06033829eed6110d14 100644 --- a/test/sun/security/ec/TestEC.java +++ b/test/sun/security/ec/TestEC.java @@ -68,6 +68,10 @@ public class TestEC { } public static void main0(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + Provider p = Security.getProvider("SunEC"); if (p == null) { diff --git a/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java b/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java index 2788f03f8adc48186e762929fcdf9c8f53d80fb8..d6d788a31799bd765b0f38d1730ae1158f30987d 100644 --- a/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java +++ b/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java @@ -43,6 +43,10 @@ public class ClientJSSEServerJSSE extends PKCS11Test { private static String[] cmdArgs; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + cmdArgs = args; main(new ClientJSSEServerJSSE()); } diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java index bcdc16d4a3cccfd461a63dcc6e834e9489486fc4..78774f74aca9ac6aef1e8e285d01ae40fb3721ac 100644 --- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java @@ -32,6 +32,7 @@ import java.io.*; import java.net.*; import javax.net.ssl.*; +import java.security.Security; public class HttpsProtocols implements HostnameVerifier { @@ -177,6 +178,10 @@ public class HttpsProtocols implements HostnameVerifier { volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile; diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java index 3045064d0ad50fa30822db5881aa4e8f52d189f7..9505b587da35e47839d24c9b3b9837d4a17af7b8 100644 --- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java @@ -35,6 +35,7 @@ import javax.net.*; import javax.net.ssl.*; import java.util.Arrays; +import java.security.Security; public class CustomizedDefaultProtocols { static enum ContextVersion { @@ -93,6 +94,10 @@ public class CustomizedDefaultProtocols { } public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + boolean failed = false; for (ContextVersion cv : ContextVersion.values()) { System.out.println("Checking SSLContext of " + cv.contextVersion); diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java index 20381c6b5779a3843e5d560608014f82c7e107b3..3915d223a6b7de6842042a3d6abdadef5ab052b3 100644 --- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java @@ -34,6 +34,7 @@ import javax.net.*; import javax.net.ssl.*; import java.util.Arrays; +import java.security.Security; public class DefaultEnabledProtocols { static enum ContextVersion { @@ -92,6 +93,10 @@ public class DefaultEnabledProtocols { } public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + boolean failed = false; for (ContextVersion cv : ContextVersion.values()) { System.out.println("Checking SSLContext of " + cv.contextVersion); diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java index d7b1abdeffc8514b1dc523198fb30402babe8a8e..dd85c22b6af11c56f1626f47aa7f8c2df8f7e39e 100644 --- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java @@ -35,6 +35,7 @@ import javax.net.*; import javax.net.ssl.*; import java.util.Arrays; +import java.security.Security; public class NoOldVersionContext { static enum ContextVersion { @@ -93,6 +94,10 @@ public class NoOldVersionContext { } public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + boolean failed = false; for (ContextVersion cv : ContextVersion.values()) { System.out.println("Checking SSLContext of " + cv.contextVersion); diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java index 06366eb37b937818f9413790f43c5980211b4054..7d57c3fb0f1d3246561de2a3d755cdc06777b603 100644 --- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java @@ -115,6 +115,9 @@ public class DelegatedTaskWrongException { } public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); DelegatedTaskWrongException test; diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java index 5774049ba6eaa9382abad06fee063c354259c5e3..9aa185986e67bf526e66c88e8d85cdd98dde3c38 100644 --- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java +++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java @@ -21,6 +21,11 @@ * questions. */ +// +// SunJSSE does not support dynamic system properties, no way to re-use +// system properties in samevm/agentvm mode. +// + /* * @test * @bug 4416068 4478803 4479736 @@ -31,9 +36,6 @@ * 4701722 protocol mismatch exceptions should be consistent between * SSLv3 and TLSv1 * @run main/othervm testEnabledProtocols - * - * SunJSSE does not support dynamic system properties, no way to re-use - * system properties in samevm/agentvm mode. * @author Ram Marti */ @@ -120,6 +122,10 @@ public class testEnabledProtocols { volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile; diff --git a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java index 2cd4635401063eef72e61c0812818b6b50f13897..f84b15b38855f3db1c0ee73fd14c6567e13ed3cf 100644 --- a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java +++ b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java @@ -44,6 +44,7 @@ import java.nio.*; import java.net.*; import java.util.*; import java.nio.channels.*; +import java.security.Security; public class SSLEngineExplorer extends SSLEngineService { @@ -231,6 +232,10 @@ public class SSLEngineExplorer extends SSLEngineService { volatile int serverPort = 0; public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (debug) System.setProperty("javax.net.debug", "all"); diff --git a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java index 27e2b6abce7c1df32647cddfea50c2b9be07e132..f35cf0daeb205a56e76100c1520e7867de8d4327 100644 --- a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java +++ b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java @@ -45,6 +45,7 @@ import java.nio.channels.*; import java.util.*; import java.net.*; import javax.net.ssl.*; +import java.security.Security; public class SSLSocketExplorer { @@ -224,6 +225,10 @@ public class SSLSocketExplorer { volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + keyStoreFile; diff --git a/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java b/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java index 953d2ea8e5f40886ba139b447836ec060f435ee4..e83a6b48f3b2643b34d77925010e3ec194356a90 100644 --- a/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java +++ b/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java @@ -29,9 +29,15 @@ * @run main/othervm/timeout=300 ClientJSSEServerJSSE */ +import java.security.Security; + public class ClientJSSEServerJSSE { public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + CipherTest.main(new JSSEFactory(), args); }