Merge

.hgtags

@@ -312,6 +312,8 @@ be30cb2a3088f2b7b334b499f7eddbd5312312a7 jdk8u20-b23
 dfb9f24d56b51e5a2ca26e77fc69a2464d51a4d3 jdk8u20-b24
 dfb9f24d56b51e5a2ca26e77fc69a2464d51a4d3 jdk8u20-b25
 dd229c5f57bff4e75a70908294a13072b9a48385 jdk8u20-b26
+684a13a7d2ccc91d2ad709ecad1fddbcc992ee5a jdk8u20-b31
+eb459e6ac74a7db7b49393e470d04b6d854dfa89 jdk8u20-b32
 abca9f6f1a10e9f91b2538bbe7870f54f550d986 jdk8u25-b00
 7d0627679c9fdeaaaa9fe15c7cc11af0763621ec jdk8u25-b01
 b0277ec994b751ebb761814675352506cd56bcd6 jdk8u25-b02
@@ -334,6 +336,21 @@ f07bc5dab84c67f5d1dccbab318ee1c5485c852d jdk8u25-b16
 d067890f970f3a712f870f6311d20f3359b6eaf0 jdk8u25-b16
 67b22a82345bfa1ae1492679bdf3c4d54f4eacde jdk8u25-b17
 a4e88eaf15ea0569f3275a807a976fe0e04a086c jdk8u25-b18
+556c79ef8a1d2fa38f79b3d3e102e80e0b0c9731 jdk8u25-b31
+f935349e2c065487c745bc41f81ddc7869bd2d2d jdk8u31-b00
+caebf6158e9d522df41a2c89a1602e5013bac401 jdk8u31-b01
+b1cef4d76664564732004cf3aedb0cbaa1972683 jdk8u31-b02
+649c7ba692012fd93c532fea133cf14785674387 jdk8u31-b03
+ab6aa5ee3897ebfe4a04722a594fb2cecd6f3bef jdk8u31-b04
+1e79baf89075967bddc64921d2680d8c1123f654 jdk8u31-b05
+b6aeaae6dd9d3a17564130af142b4734c643267e jdk8u31-b06
+34a484abc5d5391623294743d15e234a99d04dd7 jdk8u31-b07
+ca1adc7c848370dda8dbf9e3a970c3e6427fb05b jdk8u31-b08
+1c0cc3bbe07d52906d7ffbb72fa4733c327f1326 jdk8u31-b09
+291505d802d9075e227f9ee865a67234e1d737cf jdk8u31-b10
+a21dd7999d1e4ba612c951c2c78504d23eb7243a jdk8u31-b11
+6a12f34816d2ee12368274fc21225384a8893426 jdk8u31-b12
+1fbdd5d80d0671decd8acb5adb64866f609e986f jdk8u31-b13
 e6ed015afbbf3459ba3297e270b4f3170e989c80 jdk8u40-b00
 6e223d48080ef40f4ec11ecbcd19b4a20813b9eb jdk8u40-b01
 4797cd0713b44b009525f1276d571ade7e24f3f5 jdk8u40-b02
@@ -354,4 +371,6 @@ ffc348308de2e872f5d510d440604c3726a67a18 jdk8u40-b14
 fc4f5546417071c70cffd89ca83302309f6f7da9 jdk8u40-b17
 20a3e2135e0867e55af72f0c66a3de558bc613e2 jdk8u40-b18
 5c31204d19e5976f025026db3d5c17331e8c44db jdk8u40-b19
+7784dab075ed82be2275f4694164bbb9cc1cde3f jdk8u40-b20
+564bca490631e4ed4f7993e6633ed9ee62067624 jdk8u40-b21
 5c31204d19e5976f025026db3d5c17331e8c44db jdk8u60-b00

src/share/classes/com/sun/java/swing/plaf/windows/WindowsFileChooserUI.java

@@ -1067,16 +1067,9 @@ public class WindowsFileChooserUI extends BasicFileChooserUI {
 
             directories.clear();
 
-            File[] baseFolders;
-            if (useShellFolder) {
-                baseFolders = AccessController.doPrivileged(new PrivilegedAction<File[]>() {
-                    public File[] run() {
-                        return (File[]) ShellFolder.get("fileChooserComboBoxFolders");
-                    }
-                });
-            } else {
-                baseFolders = fsv.getRoots();
-            }
+            File[] baseFolders = (useShellFolder)
+                    ? (File[]) ShellFolder.get("fileChooserComboBoxFolders")
+                    : fsv.getRoots();
             directories.addAll(Arrays.asList(baseFolders));
 
             // Get the canonical (full) path. This has the side

src/share/classes/com/sun/jndi/ldap/BerDecoder.java

@@ -95,6 +95,9 @@ public final class BerDecoder extends Ber {
             for( int i = 0; i < lengthbyte; i++) {
                 retval = (retval << 8) + (buf[offset++] & 0xff);
             }
+            if (retval < 0) {
+              throw new DecodeException("Invalid length bytes");
+            }
             return retval;
         } else {
             return lengthbyte;

src/share/classes/java/lang/ClassLoader.java

@@ -1365,7 +1365,10 @@ public abstract class ClassLoader {
             return null;
         SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            checkClassLoaderPermission(this, Reflection.getCallerClass());
+            // Check access to the parent class loader
+            // If the caller's class loader is same as this class loader,
+            // permission check is performed.
+            checkClassLoaderPermission(parent, Reflection.getCallerClass());
         }
         return parent;
     }
@@ -1508,6 +1511,11 @@ public abstract class ClassLoader {
         return caller.getClassLoader0();
     }
 
+    /*
+     * Checks RuntimePermission("getClassLoader") permission
+     * if caller's class loader is not null and caller's class loader
+     * is not the same as or an ancestor of the given cl argument.
+     */
     static void checkClassLoaderPermission(ClassLoader cl, Class<?> caller) {
         SecurityManager sm = System.getSecurityManager();
         if (sm != null) {

src/share/classes/java/net/MulticastSocket.java

 /*
- * Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -569,7 +569,7 @@ class MulticastSocket extends DatagramSocket {
     public NetworkInterface getNetworkInterface() throws SocketException {
         NetworkInterface ni
             = (NetworkInterface)getImpl().getOption(SocketOptions.IP_MULTICAST_IF2);
-        if (ni.getIndex() == 0) {
+        if ((ni.getIndex() == 0) || (ni.getIndex() == -1)) {
             InetAddress[] addrs = new InetAddress[1];
             addrs[0] = InetAddress.anyLocalAddress();
             return new NetworkInterface(addrs[0].getHostName(), 0, addrs);

src/share/classes/javax/swing/plaf/metal/MetalFileChooserUI.java

@@ -941,16 +941,9 @@ public class MetalFileChooserUI extends BasicFileChooserUI {
 
             directories.clear();
 
-            File[] baseFolders;
-            if (useShellFolder) {
-                baseFolders = AccessController.doPrivileged(new PrivilegedAction<File[]>() {
-                    public File[] run() {
-                        return (File[]) ShellFolder.get("fileChooserComboBoxFolders");
-                    }
-                });
-            } else {
-                baseFolders = fsv.getRoots();
-            }
+            File[] baseFolders = (useShellFolder)
+                    ? (File[]) ShellFolder.get("fileChooserComboBoxFolders")
+                    : fsv.getRoots();
             directories.addAll(Arrays.asList(baseFolders));
 
             // Get the canonical (full) path. This has the side

src/share/classes/sun/launcher/resources/launcher_de.properties

@@ -34,7 +34,7 @@ java.launcher.ergo.message1  =\                  Die Standard-VM ist {0}
 java.launcher.ergo.message2  =\                  weil die Ausf\u00FChrung auf einem Server-Class-Rechner erfolgt.\n
 
 # Translators please note do not translate the options themselves
-java.launcher.opt.footer     =\    -cp <Klassensuchpfad von Verzeichnissen und ZIP-/JAR-Dateien>\n    -classpath <Klassensuchpfad von Verzeichnissen und ZIP-/JAR-Dateien>\n                  Eine durch {0} getrennte Liste mit Verzeichnissen, JAR-Archiven\n                  und ZIP-Archiven zur Suche nach Klassendateien.\n    -D<name>=<value>\n                  Legt eine Systemeigenschaft fest\n    -verbose:[class|gc|jni]\n                  Aktiviert die Verbose-Ausgabe\n    -version      Druckt Produktversion und beendet das Programm\n    -version:<value>\n                  Erfordert die angegebene Version zur Ausf\u00FChrung\n    -showversion  Druckt Produktversion und f\u00E4hrt fort\n    -jre-restrict-search | -no-jre-restrict-search\n                  Bezieht private JREs des Benutzers in Versionssuche ein bzw. schlie\u00DFt sie aus\n    -? -help      Druckt diese Hilfemeldung\n    -X            Druckt Hilfe zu Nicht-Standardoptionen\n    -ea[:<packagename>...|:<classname>]\n    -enableassertions[:<packagename>...|:<classname>]\n                  Aktiviert Assertionen mit angegebener Granularit\u00E4t\n    -da[:<packagename>...|:<classname>]\n    -disableassertions[:<packagename>...|:<classname>]\n                  Deaktiviert Assertionen mit angegebener Granularit\u00E4t\n    -esa | -enablesystemassertions\n                  Aktiviert Systemassertionen\n    -dsa | -disablesystemassertions\n                  Deaktiviert Systemassertionen\n    -agentlib:<libname>[=<options>]\n                  L\u00E4dt native Agent Library <libname>, z.B. -agentlib:hprof\n                  siehe auch -agentlib:jdwp=help und -agentlib:hprof=help\n    -agentpath:<pathname>[=<options>]\n                  L\u00E4dt native Agent Library nach vollem Pfadnamen\n    -javaagent:<jarpath>[=<options>]\n                  L\u00E4dt Java-Programmiersprachen-Agent, siehe java.lang.instrument\n    -splash:<imagepath>\n                  Zeigt Startbildschirm mit angegebenem Bild\nWeitere Einzelheiten finden Sie unter http://www.oracle.com/technetwork/java/javase/documentation/index.html
+java.launcher.opt.footer     =\    -cp <Klassensuchpfad von Verzeichnissen und ZIP-/JAR-Dateien>\n    -classpath <Klassensuchpfad von Verzeichnissen und ZIP-/JAR-Dateien>\n                  Eine durch {0} getrennte Liste mit Verzeichnissen, JAR-Archiven\n                  und ZIP-Archiven zur Suche nach Klassendateien.\n    -D<name>=<value>\n                  Legt eine Systemeigenschaft fest\n    -verbose:[class|gc|jni]\n                  Aktiviert die Verbose-Ausgabe\n    -version      Druckt Produktversion und beendet das Programm\n    -version:<value>\n                  Erfordert die angegebene Version zur Ausf\u00FChrung\n    -showversion  Druckt Produktversion und f\u00E4hrt fort\n    -jre-restrict-search | -no-jre-restrict-search\n                  Bezieht private JREs des Benutzers in Versionssuche ein bzw. schlie\u00DFt sie aus\n    -? -help      Druckt diese Hilfemeldung\n    -X            Druckt Hilfe zu Nicht-Standardoptionen\n    -ea[:<packagename>...|:<classname>]\n    -enableassertions[:<packagename>...|:<classname>]\n                  Aktiviert Assertions mit angegebener Granularit\u00E4t\n    -da[:<packagename>...|:<classname>]\n    -disableassertions[:<packagename>...|:<classname>]\n                  Deaktiviert Assertions mit angegebener Granularit\u00E4t\n    -esa | -enablesystemassertions\n                  Aktiviert Systemassertionen\n    -dsa | -disablesystemassertions\n                  Deaktiviert Systemassertionen\n    -agentlib:<libname>[=<options>]\n                  L\u00E4dt native Agent Library <libname>, z.B. -agentlib:hprof\n                  siehe auch -agentlib:jdwp=help und -agentlib:hprof=help\n    -agentpath:<pathname>[=<options>]\n                  L\u00E4dt native Agent Library nach vollem Pfadnamen\n    -javaagent:<jarpath>[=<options>]\n                  L\u00E4dt Java-Programmiersprachen-Agent, siehe java.lang.instrument\n    -splash:<imagepath>\n                  Zeigt Startbildschirm mit angegebenem Bild\nWeitere Einzelheiten finden Sie unter http://www.oracle.com/technetwork/java/javase/documentation/index.html
 
 # Translators please note do not translate the options themselves
 java.launcher.X.usage=\    -Xmixed           Ausf\u00FChrung im gemischten Modus (Standard)\n    -Xint             Nur Ausf\u00FChrung im interpretierten Modus\n    -Xbootclasspath:<Verzeichnisse und ZIP-/JAR-Dateien durch {0} getrennt>\n                      Legt Suchpfad f\u00FCr Bootstrap-Klassen und Ressourcen fest\n    -Xbootclasspath/a:<Verzeichnisse und ZIP-/JAR-Dateien durch {0} getrennt>\n                      H\u00E4ngt an das Ende des Bootstrap Classpath an\n    -Xbootclasspath/p:<Verzeichnisse und ZIP-/JAR-Dateien durch {0} getrennt>\n                      Stellt Bootstrap Classpath voran\n    -Xdiag            Zeigt zus\u00E4tzliche Diagnosemeldungen an\n    -Xnoclassgc       Deaktiviert Klassen-Garbage Collection\n    -Xincgc           Aktiviert inkrementelle Garbage Collection\n    -Xloggc:<file>    Loggt GC-Status in einer Datei mit Zeitstempeln\n    -Xbatch           Deaktiviert Hintergrundkompilierung\n    -Xms<size>        Legt anf\u00E4ngliche Java Heap-Gr\u00F6\u00DFe fest\n    -Xmx<size>        Legt maximale Java Heap-Gr\u00F6\u00DFe fest\n    -Xss<size>        Legt Java-Threadstackgr\u00F6\u00DFe fest\n    -Xprof            Gibt CPU-Profiling-Daten aus\n    -Xfuture          Aktiviert strengste Pr\u00FCfungen, antizipiert zuk\u00FCnftigen Standardwert\n    -Xrs              Reduziert Verwendung von BS-Signalen durch Java/VM (siehe Dokumentation)\n    -Xcheck:jni       F\u00FChrt zus\u00E4tzliche Pr\u00FCfungen f\u00FCr JNI-Funktionen durch\n    -Xshare:off       Kein Versuch, gemeinsame Klassendaten zu verwenden\n    -Xshare:auto      Verwendet gemeinsame Klassendaten, wenn m\u00F6glich (Standard)\n    -Xshare:on        Erfordert die Verwendung gemeinsamer Klassendaten, sonst verl\u00E4uft der Vorgang nicht erfolgreich.\n    -XshowSettings    Zeigt alle Einstellungen und f\u00E4hrt fort\n    -XshowSettings:all\n                      Zeigt alle Einstellungen und f\u00E4hrt fort\n    -XshowSettings:vm Zeigt alle VM-bezogenen Einstellungen und f\u00E4hrt fort\n    -XshowSettings:properties\n                      Zeigt alle Eigenschaftseinstellungen und f\u00E4hrt fort\n    -XshowSettings:locale\n                      Zeigt alle gebietsschemabezogenen Einstellungen und f\u00E4hrt fort\n\nDie -X-Optionen sind keine Standardoptionen und k\u00F6nnen ohne Vorank\u00FCndigung ge\u00E4ndert werden.\n

src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java

@@ -336,6 +336,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
     /* try auth without calling Authenticator. Used for transparent NTLM authentication */
     private boolean tryTransparentNTLMServer = true;
     private boolean tryTransparentNTLMProxy = true;
+    private boolean useProxyResponseCode = false;
 
     /* Used by Windows specific code */
     private Object authObj;
@@ -2243,6 +2244,14 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
                         if (tryTransparentNTLMProxy) {
                             tryTransparentNTLMProxy =
                                     NTLMAuthenticationProxy.supportsTransparentAuth;
+                            /* If the platform supports transparent authentication
+                             * then normally it's ok to do transparent auth to a proxy
+                             * because we generally trust proxies (chosen by the user)
+                             * But not in the case of 305 response where the server
+                             * chose it. */
+                            if (tryTransparentNTLMProxy && useProxyResponseCode) {
+                                tryTransparentNTLMProxy = false;
+                            }
                         }
                         a = null;
                         if (tryTransparentNTLMProxy) {
@@ -2614,6 +2623,10 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
             requests.set(0, method + " " + getRequestURI()+" "  +
                              httpVersion, null);
             connected = true;
+            // need to remember this in case NTLM proxy authentication gets
+            // used. We can't use transparent authentication when user
+            // doesn't know about proxy.
+            useProxyResponseCode = true;
         } else {
             // maintain previous headers, just change the name
             // of the file we're getting

src/share/classes/sun/rmi/transport/Transport.java

 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,10 @@ import java.rmi.server.RemoteCall;
 import java.rmi.server.RemoteServer;
 import java.rmi.server.ServerNotActiveException;
 import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.Permissions;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import sun.rmi.runtime.Log;
 import sun.rmi.server.Dispatcher;
 import sun.rmi.server.UnicastServerRef;
@@ -68,6 +72,15 @@ public abstract class Transport {
     /** ObjID for DGCImpl */
     private static final ObjID dgcID = new ObjID(ObjID.DGC_ID);
 
+    /** AccessControlContext for setting context ClassLoader */
+    private static final AccessControlContext SETCCL_ACC;
+    static {
+        Permissions perms = new Permissions();
+        perms.add(new RuntimePermission("setContextClassLoader"));
+        ProtectionDomain[] pd = { new ProtectionDomain(null, perms) };
+        SETCCL_ACC = new AccessControlContext(pd);
+    }
+
     /**
      * Returns a <I>Channel</I> that generates connections to the
      * endpoint <I>ep</I>. A Channel is an object that creates and
@@ -116,6 +129,16 @@ public abstract class Transport {
      */
     protected abstract void checkAcceptPermission(AccessControlContext acc);
 
+    /**
+     * Sets the context class loader for the current thread.
+     */
+    private static void setContextClassLoader(ClassLoader ccl) {
+        AccessController.doPrivileged((PrivilegedAction<Void>)() -> {
+                Thread.currentThread().setContextClassLoader(ccl);
+                return null;
+            }, SETCCL_ACC);
+    }
+
     /**
      * Service an incoming remote call. When a message arrives on the
      * connection indicating the beginning of a remote call, the
@@ -164,11 +187,10 @@ public abstract class Transport {
                     target.getAccessControlContext();
                 ClassLoader ccl = target.getContextClassLoader();
 
-                Thread t = Thread.currentThread();
-                ClassLoader savedCcl = t.getContextClassLoader();
+                ClassLoader savedCcl = Thread.currentThread().getContextClassLoader();
 
                 try {
-                    t.setContextClassLoader(ccl);
+                    setContextClassLoader(ccl);
                     currentTransport.set(this);
                     try {
                         java.security.AccessController.doPrivileged(
@@ -183,7 +205,7 @@ public abstract class Transport {
                         throw (IOException) pae.getException();
                     }
                 } finally {
-                    t.setContextClassLoader(savedCcl);
+                    setContextClassLoader(savedCcl);
                     currentTransport.set(null);
                 }
 

src/share/classes/sun/rmi/transport/tcp/TCPTransport.java

 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -49,6 +49,9 @@ import java.rmi.server.ServerNotActiveException;
 import java.rmi.server.UID;
 import java.security.AccessControlContext;
 import java.security.AccessController;
+import java.security.Permissions;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
@@ -123,6 +126,14 @@ public class TCPTransport extends Transport {
     private static final ThreadLocal<ConnectionHandler>
         threadConnectionHandler = new ThreadLocal<>();
 
+    /** an AccessControlContext with no permissions */
+    private static final AccessControlContext NOPERMS_ACC;
+    static {
+        Permissions perms = new Permissions();
+        ProtectionDomain[] pd = { new ProtectionDomain(null, perms) };
+        NOPERMS_ACC = new AccessControlContext(pd);
+    }
+
     /** endpoints for this transport */
     private final LinkedList<TCPEndpoint> epList;
     /** number of objects exported on this transport */
@@ -668,7 +679,10 @@ public class TCPTransport extends Transport {
                 t.setName("RMI TCP Connection(" +
                           connectionCount.incrementAndGet() +
                           ")-" + remoteHost);
+                AccessController.doPrivileged((PrivilegedAction<Void>)() -> {
                     run0();
+                    return null;
+                }, NOPERMS_ACC);
             } finally {
                 t.setName(name);
             }

src/share/classes/sun/security/jgss/GSSHeader.java

@@ -270,6 +270,9 @@ public class GSSHeader {
                 value <<= 8;
                 value += 0x0ff & in.read();
             }
+            if (value < 0) {
+                throw new IOException("Invalid length bytes");
+            }
         }
         return value;
     }

src/share/classes/sun/security/jgss/GSSNameImpl.java

@@ -257,7 +257,7 @@ public class GSSNameImpl implements GSSName {
                               ((0xFF & bytes[pos++]) << 16) |
                               ((0xFF & bytes[pos++]) << 8) |
                               (0xFF & bytes[pos++]));
-        if (pos > bytes.length - mechPortionLen) {
+        if (mechPortionLen < 0 || pos > bytes.length - mechPortionLen) {
              throw new GSSExceptionImpl(GSSException.BAD_NAME,
                      "Exported name mech name is corrupted!");
          }

src/share/classes/sun/security/jgss/wrapper/GSSNameElement.java

@@ -233,6 +233,9 @@ public class GSSNameElement implements GSSNameSpi {
                               ((0xFF & nameVal[pos++]) << 16) |
                               ((0xFF & nameVal[pos++]) << 8) |
                               (0xFF & nameVal[pos++]));
+        if (mechPortionLen < 0) {
+            throw new GSSException(GSSException.BAD_NAME);
+        }
         byte[] mechPortion = new byte[mechPortionLen];
         System.arraycopy(nameVal, pos, mechPortion, 0, mechPortionLen);
         return mechPortion;

src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java

@@ -118,7 +118,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
         } else {
             type = read(4);
         }
-        length = read(4);
+        length = readLength4();
         List<String> result = new ArrayList<String>();
         /*
          * DCE includes the principal's realm in the count; the new format
@@ -127,7 +127,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
         if (version == KRB5_FCC_FVNO_1)
             length--;
         for (int i = 0; i <= length; i++) {
-            namelength = read(4);
+            namelength = readLength4();
             byte[] bytes = IOUtils.readFully(this, namelength, true);
             result.add(new String(bytes));
         }
@@ -184,7 +184,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
         keyType = read(2);
         if (version == KRB5_FCC_FVNO_3)
             read(2); /* keytype recorded twice in fvno 3 */
-        keyLen = read(4);
+        keyLen = readLength4();
         byte[] bytes = IOUtils.readFully(this, keyLen, true);
         return new EncryptionKey(bytes, keyType, new Integer(version));
     }
@@ -207,12 +207,12 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
 
     HostAddress[] readAddr() throws IOException, KrbApErrException {
         int numAddrs, addrType, addrLength;
-        numAddrs = read(4);
+        numAddrs = readLength4();
         if (numAddrs > 0) {
             List<HostAddress> addrs = new ArrayList<>();
             for (int i = 0; i < numAddrs; i++) {
                 addrType = read(2);
-                addrLength = read(4);
+                addrLength = readLength4();
                 if (!(addrLength == 4 || addrLength == 16)) {
                     if (DEBUG) {
                         System.out.println("Incorrect address format.");
@@ -231,13 +231,13 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
 
     AuthorizationDataEntry[] readAuth() throws IOException {
         int num, adtype, adlength;
-        num = read(4);
+        num = readLength4();
         if (num > 0) {
             List<AuthorizationDataEntry> auData = new ArrayList<>();
             byte[] data = null;
             for (int i = 0; i < num; i++) {
                 adtype = read(2);
-                adlength = read(4);
+                adlength = readLength4();
                 data = IOUtils.readFully(this, adlength, true);
                 auData.add(new AuthorizationDataEntry(adtype, data));
             }
@@ -248,7 +248,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
 
     byte[] readData() throws IOException {
         int length;
-        length = read(4);
+        length = readLength4();
         if (length == 0) {
             return null;
         } else {

src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java

@@ -151,18 +151,18 @@ public class FileCredentialsCache extends CredentialsCache
     synchronized void init(PrincipalName principal, String name)
         throws IOException, KrbException {
         primaryPrincipal = principal;
-        CCacheOutputStream cos =
-            new CCacheOutputStream(new FileOutputStream(name));
+        try (FileOutputStream fos = new FileOutputStream(name);
+             CCacheOutputStream cos = new CCacheOutputStream(fos)) {
             version = KRB5_FCC_FVNO_3;
             cos.writeHeader(primaryPrincipal, version);
-        cos.close();
+        }
         load(name);
     }
 
     synchronized void load(String name) throws IOException, KrbException {
         PrincipalName p;
-        CCacheInputStream cis =
-            new CCacheInputStream(new FileInputStream(name));
+        try (FileInputStream fis = new FileInputStream(name);
+             CCacheInputStream cis = new CCacheInputStream(fis)) {
             version = cis.readVersion();
             if (version == KRB5_FCC_FVNO_4) {
                 tag = cis.readTag();
@@ -180,14 +180,14 @@ public class FileCredentialsCache extends CredentialsCache
                 }
             } else
                 primaryPrincipal = p;
-        credentialsList = new Vector<Credentials> ();
+            credentialsList = new Vector<Credentials>();
             while (cis.available() > 0) {
                 Credentials cred = cis.readCred(version);
                 if (cred != null) {
                     credentialsList.addElement(cred);
                 }
             }
-        cis.close();
+        }
     }
 
 
@@ -246,8 +246,8 @@ public class FileCredentialsCache extends CredentialsCache
      * Saves the credentials cache file to the disk.
      */
     public synchronized void save() throws IOException, Asn1Exception {
-        CCacheOutputStream cos
-            = new CCacheOutputStream(new FileOutputStream(cacheName));
+        try (FileOutputStream fos = new FileOutputStream(cacheName);
+             CCacheOutputStream cos = new CCacheOutputStream(fos)) {
             cos.writeHeader(primaryPrincipal, version);
             Credentials[] tmp = null;
             if ((tmp = getCredsList()) != null) {
@@ -255,7 +255,7 @@ public class FileCredentialsCache extends CredentialsCache
                     cos.addCreds(tmp[i]);
                 }
             }
-        cos.close();
+        }
     }
 
     boolean match(String[] s1, String[] s2) {

src/share/classes/sun/security/krb5/internal/util/KrbDataInputStream.java

@@ -56,15 +56,33 @@ public class KrbDataInputStream extends BufferedInputStream{
     public KrbDataInputStream(InputStream is){
         super(is);
     }
+
+    /**
+     * Reads a length value which is represented in 4 bytes from
+     * this input stream. The value must be positive.
+     * @return the length value represented by this byte array.
+     * @throws IOException if there are not enough bytes or it represents
+     * a negative value
+     */
+    final public int readLength4() throws IOException {
+        int len = read(4);
+        if (len < 0) {
+            throw new IOException("Invalid encoding");
+        }
+        return len;
+    }
+
     /**
      * Reads up to the specific number of bytes from this input stream.
      * @param num the number of bytes to be read.
      * @return the int value of this byte array.
-     * @exception IOException.
+     * @throws IOException if there are not enough bytes
      */
-    public int read(int num) throws IOException{
+    public int read(int num) throws IOException {
         byte[] bytes = new byte[num];
-        read(bytes, 0, num);
+        if (read(bytes, 0, num) != num) {
+            throw new IOException("Premature end of stream reached");
+        }
         int result = 0;
         for (int i = 0; i < num; i++) {
             if (bigEndian) {

src/share/classes/sun/security/ssl/ClientHandshaker.java

@@ -345,6 +345,13 @@ final class ClientHandshaker extends Handshaker {
             break;
 
         case HandshakeMessage.ht_finished:
+            // A ChangeCipherSpec record must have been received prior to
+            // reception of the Finished message (RFC 5246, 7.4.9).
+            if (!receivedChangeCipherSpec()) {
+                fatalSE(Alerts.alert_handshake_failure,
+                        "Received Finished message before ChangeCipherSpec");
+            }
+
             this.serverFinished(
                 new Finished(protocolVersion, input, cipherSuite));
             break;

src/share/classes/sun/security/ssl/Handshaker.java

@@ -94,8 +94,6 @@ abstract class Handshaker {
     // Peer supported signature and algorithms
     Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs;
 
-    /*
-
     /*
      * List of active protocols
      *
@@ -114,10 +112,8 @@ abstract class Handshaker {
     private CipherSuiteList activeCipherSuites;
 
     // The server name indication and matchers
-    List<SNIServerName>         serverNames =
-                                    Collections.<SNIServerName>emptyList();
-    Collection<SNIMatcher>      sniMatchers =
-                                    Collections.<SNIMatcher>emptyList();
+    List<SNIServerName> serverNames = Collections.<SNIServerName>emptyList();
+    Collection<SNIMatcher> sniMatchers = Collections.<SNIMatcher>emptyList();
 
     private boolean isClient;
     private boolean needCertVerify;
@@ -139,12 +135,16 @@ abstract class Handshaker {
     // current key exchange. Never null, initially K_NULL
     KeyExchange keyExchange;
 
-    /* True if this session is being resumed (fast handshake) */
+    // True if this session is being resumed (fast handshake)
     boolean resumingSession;
 
-    /* True if it's OK to start a new SSL session */
+    // True if it's OK to start a new SSL session
     boolean enableNewSession;
 
+    // True if session keys have been calculated and the caller may receive
+    // and process a ChangeCipherSpec message
+    private boolean sessKeysCalculated;
+
     // Whether local cipher suites preference should be honored during
     // handshaking?
     //
@@ -176,7 +176,7 @@ abstract class Handshaker {
     // here instead of using this lock.  Consider changing.
     private Object thrownLock = new Object();
 
-    /* Class and subclass dynamic debugging support */
+    // Class and subclass dynamic debugging support
     static final Debug debug = Debug.getInstance("ssl");
 
     // By default, disable the unsafe legacy session renegotiation
@@ -253,6 +253,7 @@ abstract class Handshaker {
         this.serverVerifyData = serverVerifyData;
         enableNewSession = true;
         invalidated = false;
+        sessKeysCalculated = false;
 
         setCipherSuite(CipherSuite.C_NULL);
         setEnabledProtocols(enabledProtocols);
@@ -359,6 +360,14 @@ abstract class Handshaker {
         }
     }
 
+    final boolean receivedChangeCipherSpec() {
+        if (conn != null) {
+            return conn.receivedChangeCipherSpec();
+        } else {
+            return engine.receivedChangeCipherSpec();
+        }
+    }
+
     String getEndpointIdentificationAlgorithmSE() {
         SSLParameters paras;
         if (conn != null) {
@@ -491,7 +500,9 @@ abstract class Handshaker {
 
         if (activeProtocols.collection().isEmpty() ||
                 activeProtocols.max.v == ProtocolVersion.NONE.v) {
-            throw new SSLHandshakeException("No appropriate protocol");
+            throw new SSLHandshakeException(
+                    "No appropriate protocol (protocol is disabled or " +
+                    "cipher suites are inappropriate)");
         }
 
         if (activeCipherSuites == null) {
@@ -670,6 +681,16 @@ abstract class Handshaker {
             boolean enabledSSL20Hello = false;
             ArrayList<ProtocolVersion> protocols = new ArrayList<>(4);
             for (ProtocolVersion protocol : enabledProtocols.collection()) {
+                if (!algorithmConstraints.permits(
+                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                        protocol.name, null)) {
+                    if (debug != null && Debug.isOn("verbose")) {
+                        System.out.println(
+                            "Ignoring disabled protocol: " + protocol);
+                    }
+
+                    continue;
+                }
                 // Need not to check the SSL20Hello protocol.
                 if (protocol.v == ProtocolVersion.SSL20Hello.v) {
                     enabledSSL20Hello = true;
@@ -1224,6 +1245,10 @@ abstract class Handshaker {
             throw new ProviderException(e);
         }
 
+        // Mark a flag that allows outside entities (like SSLSocket/SSLEngine)
+        // determine if a ChangeCipherSpec message could be processed.
+        sessKeysCalculated = true;
+
         //
         // Dump the connection keys as they're generated.
         //
@@ -1278,6 +1303,15 @@ abstract class Handshaker {
         }
     }
 
+    /**
+     * Return whether or not the Handshaker has derived session keys for
+     * this handshake.  This is used for determining readiness to process
+     * an incoming ChangeCipherSpec message.
+     */
+    boolean sessionKeysCalculated() {
+        return sessKeysCalculated;
+    }
+
     private static void printHex(HexDumpEncoder dump, byte[] bytes) {
         if (bytes == null) {
             System.out.println("(key bytes not available)");

src/share/classes/sun/security/ssl/ProtocolVersion.java

@@ -25,6 +25,9 @@
 
 package sun.security.ssl;
 
+import java.util.*;
+import java.security.CryptoPrimitive;
+
 /**
  * Type safe enum for an SSL/TLS protocol version. Instances are obtained
  * using the static factory methods or by referencing the static members
@@ -86,6 +89,11 @@ public final class ProtocolVersion implements Comparable<ProtocolVersion> {
     // Default version for hello messages (SSLv2Hello)
     final static ProtocolVersion DEFAULT_HELLO = FIPS ? TLS10 : SSL30;
 
+    // Available protocols
+    //
+    // Including all supported protocols except the disabled ones.
+    final static Set<ProtocolVersion> availableProtocols;
+
     // version in 16 bit MSB format as it appears in records and
     // messages, i.e. 0x0301 for TLS 1.0
     public final int v;
@@ -96,6 +104,24 @@ public final class ProtocolVersion implements Comparable<ProtocolVersion> {
     // name used in JSSE (e.g. TLSv1 for TLS 1.0)
     final String name;
 
+    // Initialize the available protocols.
+    static {
+        Set<ProtocolVersion> protocols = new HashSet<>(5);
+
+        ProtocolVersion[] pvs = new ProtocolVersion[] {
+                SSL20Hello, SSL30, TLS10, TLS11, TLS12};
+        for (ProtocolVersion p : pvs) {
+            if (SSLAlgorithmConstraints.DEFAULT_SSL_ONLY.permits(
+                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                    p.name, null)) {
+                protocols.add(p);
+            }
+        }
+
+        availableProtocols =
+                Collections.<ProtocolVersion>unmodifiableSet(protocols);
+    }
+
     // private
     private ProtocolVersion(int v, String name) {
         this.v = v;

src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java

@@ -55,6 +55,14 @@ final class SSLAlgorithmConstraints implements AlgorithmConstraints {
 
     private boolean enabledX509DisabledAlgConstraints = true;
 
+    // the default algorithm constraints
+    final static AlgorithmConstraints DEFAULT =
+                        new SSLAlgorithmConstraints(null);
+
+    // the default SSL only algorithm constraints
+    final static AlgorithmConstraints DEFAULT_SSL_ONLY =
+                        new SSLAlgorithmConstraints((SSLSocket)null, false);
+
     SSLAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {
         userAlgConstraints = algorithmConstraints;
     }

src/share/classes/sun/security/ssl/SSLContextImpl.java

@@ -52,10 +52,6 @@ public abstract class SSLContextImpl extends SSLContextSpi {
     private X509TrustManager trustManager;
     private SecureRandom secureRandom;
 
-    // The default algrithm constraints
-    private AlgorithmConstraints defaultAlgorithmConstraints =
-                                 new SSLAlgorithmConstraints(null);
-
     // supported and default protocols
     private ProtocolList defaultServerProtocolList;
     private ProtocolList defaultClientProtocolList;
@@ -350,7 +346,7 @@ public abstract class SSLContextImpl extends SSLContextSpi {
                 if (suite.isAvailable() &&
                         suite.obsoleted > protocols.min.v &&
                         suite.supported <= protocols.max.v) {
-                    if (defaultAlgorithmConstraints.permits(
+                    if (SSLAlgorithmConstraints.DEFAULT.permits(
                             EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                             suite.name, null)) {
                         suites.add(suite);
@@ -431,11 +427,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
      */
     private abstract static class AbstractSSLContext extends SSLContextImpl {
         // parameters
-        private final static SSLParameters defaultServerSSLParams;
-        private final static SSLParameters supportedSSLParams;
+        private static final SSLParameters defaultServerSSLParams;
+        private static final SSLParameters supportedSSLParams;
 
         static {
+            // supported SSL parameters
             supportedSSLParams = new SSLParameters();
+
+            // candidates for available protocols
+            ProtocolVersion[] candidates;
+
             if (SunJSSE.isFIPS()) {
                 supportedSSLParams.setProtocols(new String[] {
                     ProtocolVersion.TLS10.name,
@@ -443,7 +444,11 @@ public abstract class SSLContextImpl extends SSLContextSpi {
                     ProtocolVersion.TLS12.name
                 });
 
-                defaultServerSSLParams = supportedSSLParams;
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
             } else {
                 supportedSSLParams.setProtocols(new String[] {
                     ProtocolVersion.SSL20Hello.name,
@@ -453,8 +458,18 @@ public abstract class SSLContextImpl extends SSLContextSpi {
                     ProtocolVersion.TLS12.name
                 });
 
-                defaultServerSSLParams = supportedSSLParams;
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL20Hello,
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
             }
+
+            defaultServerSSLParams = new SSLParameters();
+            defaultServerSSLParams.setProtocols(
+                getAvailableProtocols(candidates).toArray(new String[0]));
         }
 
         @Override
@@ -466,6 +481,22 @@ public abstract class SSLContextImpl extends SSLContextSpi {
         SSLParameters getSupportedSSLParams() {
             return supportedSSLParams;
         }
+
+        static List<String> getAvailableProtocols(
+                ProtocolVersion[] protocolCandidates) {
+
+            List<String> availableProtocols = Collections.<String>emptyList();
+            if (protocolCandidates !=  null && protocolCandidates.length != 0) {
+                availableProtocols = new ArrayList<>(protocolCandidates.length);
+                for (ProtocolVersion p : protocolCandidates) {
+                    if (ProtocolVersion.availableProtocols.contains(p)) {
+                        availableProtocols.add(p.name);
+                    }
+                }
+            }
+
+            return availableProtocols;
+        }
     }
 
     /*
@@ -474,21 +505,25 @@ public abstract class SSLContextImpl extends SSLContextSpi {
      * @see SSLContext
      */
     public static final class TLS10Context extends AbstractSSLContext {
-        private final static SSLParameters defaultClientSSLParams;
+        private static final SSLParameters defaultClientSSLParams;
 
         static {
-            defaultClientSSLParams = new SSLParameters();
+            // candidates for available protocols
+            ProtocolVersion[] candidates;
             if (SunJSSE.isFIPS()) {
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.TLS10.name
-                });
-
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10
+                };
             } else {
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.SSL30.name,
-                    ProtocolVersion.TLS10.name
-                });
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10
+                };
             }
+
+            defaultClientSSLParams = new SSLParameters();
+            defaultClientSSLParams.setProtocols(
+                getAvailableProtocols(candidates).toArray(new String[0]));
         }
 
         @Override
@@ -503,23 +538,27 @@ public abstract class SSLContextImpl extends SSLContextSpi {
      * @see SSLContext
      */
     public static final class TLS11Context extends AbstractSSLContext {
-        private final static SSLParameters defaultClientSSLParams;
+        private static final SSLParameters defaultClientSSLParams;
 
         static {
-            defaultClientSSLParams = new SSLParameters();
+            // candidates for available protocols
+            ProtocolVersion[] candidates;
             if (SunJSSE.isFIPS()) {
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name
-                });
-
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11
+                };
             } else {
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.SSL30.name,
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name
-                });
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11
+                };
             }
+
+            defaultClientSSLParams = new SSLParameters();
+            defaultClientSSLParams.setProtocols(
+                getAvailableProtocols(candidates).toArray(new String[0]));
         }
 
         @Override
@@ -534,25 +573,29 @@ public abstract class SSLContextImpl extends SSLContextSpi {
      * @see SSLContext
      */
     public static final class TLS12Context extends AbstractSSLContext {
-        private final static SSLParameters defaultClientSSLParams;
+        private static final SSLParameters defaultClientSSLParams;
 
         static {
-            defaultClientSSLParams = new SSLParameters();
+            // candidates for available protocols
+            ProtocolVersion[] candidates;
             if (SunJSSE.isFIPS()) {
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name,
-                    ProtocolVersion.TLS12.name
-                });
-
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
             } else {
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.SSL30.name,
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name,
-                    ProtocolVersion.TLS12.name
-                });
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
             }
+
+            defaultClientSSLParams = new SSLParameters();
+            defaultClientSSLParams.setProtocols(
+                getAvailableProtocols(candidates).toArray(new String[0]));
         }
 
         @Override
@@ -567,8 +610,8 @@ public abstract class SSLContextImpl extends SSLContextSpi {
      * @see SSLContext
      */
     private static class CustomizedSSLContext extends AbstractSSLContext {
-        private final static String PROPERTY_NAME = "jdk.tls.client.protocols";
-        private final static SSLParameters defaultClientSSLParams;
+        private static final String PROPERTY_NAME = "jdk.tls.client.protocols";
+        private static final SSLParameters defaultClientSSLParams;
         private static IllegalArgumentException reservedException = null;
 
         // Don't want a java.lang.LinkageError for illegal system property.
@@ -578,60 +621,74 @@ public abstract class SSLContextImpl extends SSLContextSpi {
         // the provider service. Instead, let's handle the initialization
         // exception in constructor.
         static {
+            // candidates for available protocols
+            ProtocolVersion[] candidates;
+
             String property = AccessController.doPrivileged(
                     new GetPropertyAction(PROPERTY_NAME));
-            defaultClientSSLParams = new SSLParameters();
             if (property == null || property.length() == 0) {
                 // the default enabled client TLS protocols
                 if (SunJSSE.isFIPS()) {
-                    defaultClientSSLParams.setProtocols(new String[] {
-                        ProtocolVersion.TLS10.name,
-                        ProtocolVersion.TLS11.name,
-                        ProtocolVersion.TLS12.name
-                    });
-
+                    candidates = new ProtocolVersion[] {
+                        ProtocolVersion.TLS10,
+                        ProtocolVersion.TLS11,
+                        ProtocolVersion.TLS12
+                    };
                 } else {
-                    defaultClientSSLParams.setProtocols(new String[] {
-                        ProtocolVersion.SSL30.name,
-                        ProtocolVersion.TLS10.name,
-                        ProtocolVersion.TLS11.name,
-                        ProtocolVersion.TLS12.name
-                    });
+                    candidates = new ProtocolVersion[] {
+                        ProtocolVersion.SSL30,
+                        ProtocolVersion.TLS10,
+                        ProtocolVersion.TLS11,
+                        ProtocolVersion.TLS12
+                    };
                 }
             } else {
                 // remove double quote marks from beginning/end of the property
-                if (property.charAt(0) == '"' &&
+                if (property.length() > 1 && property.charAt(0) == '"' &&
                         property.charAt(property.length() - 1) == '"') {
                     property = property.substring(1, property.length() - 1);
                 }
 
-                String[] protocols = property.split(",");
+                String[] protocols = null;
+                if (property != null && property.length() != 0) {
+                    protocols = property.split(",");
+                } else {
+                    reservedException = new IllegalArgumentException(
+                        "No protocol specified in " +
+                        PROPERTY_NAME + " system property");
+                    protocols = new String[0];
+                }
+
+                candidates = new ProtocolVersion[protocols.length];
                 for (int i = 0; i < protocols.length; i++) {
                     protocols[i] = protocols[i].trim();
                     // Is it a supported protocol name?
                     try {
-                        ProtocolVersion.valueOf(protocols[i]);
+                        candidates[i] = ProtocolVersion.valueOf(protocols[i]);
                     } catch (IllegalArgumentException iae) {
                         reservedException = new IllegalArgumentException(
                             PROPERTY_NAME + ": " + protocols[i] +
-                                " is not a standard SSL protocol name", iae);
+                            " is not a standard SSL/TLS protocol name", iae);
+                        break;
                     }
                 }
 
                 if ((reservedException == null) && SunJSSE.isFIPS()) {
-                    for (String protocol : protocols) {
-                        if (ProtocolVersion.SSL20Hello.name.equals(protocol) ||
-                                ProtocolVersion.SSL30.name.equals(protocol)) {
+                    for (ProtocolVersion protocolVersion : candidates) {
+                        if (ProtocolVersion.SSL20Hello.v == protocolVersion.v ||
+                                ProtocolVersion.SSL30.v == protocolVersion.v) {
                             reservedException = new IllegalArgumentException(
-                                    PROPERTY_NAME + ": " + protocol +
+                                    PROPERTY_NAME + ": " + protocolVersion +
                                     " is not FIPS compliant");
                         }
                     }
                 }
+            }
 
+            defaultClientSSLParams = new SSLParameters();
             if (reservedException == null) {
-                    defaultClientSSLParams.setProtocols(protocols);
-               }
+                defaultClientSSLParams.setProtocols(
+                    getAvailableProtocols(candidates).toArray(new String[0]));
             }
         }
 

src/share/classes/sun/security/ssl/SSLEngineImpl.java

 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -211,6 +211,11 @@ final public class SSLEngineImpl extends SSLEngine {
     static final byte           clauth_requested = 1;
     static final byte           clauth_required = 2;
 
+    /*
+     * Flag indicating that the engine has received a ChangeCipherSpec message.
+     */
+    private boolean             receivedCCS;
+
     /*
      * Flag indicating if the next record we receive MUST be a Finished
      * message. Temporarily set during the handshake to ensure that
@@ -372,6 +377,7 @@ final public class SSLEngineImpl extends SSLEngine {
          */
         roleIsServer = true;
         connectionState = cs_START;
+        receivedCCS = false;
 
         // default server name indication
         serverNames =
@@ -1021,6 +1027,7 @@ final public class SSLEngineImpl extends SSLEngine {
 
                     if (handshaker.invalidated) {
                         handshaker = null;
+                        receivedCCS = false;
                         // if state is cs_RENEGOTIATE, revert it to cs_DATA
                         if (connectionState == cs_RENEGOTIATE) {
                             connectionState = cs_DATA;
@@ -1039,6 +1046,7 @@ final public class SSLEngineImpl extends SSLEngine {
                         }
                         handshaker = null;
                         connectionState = cs_DATA;
+                        receivedCCS = false;
 
                         // No handshakeListeners here.  That's a
                         // SSLSocket thing.
@@ -1078,13 +1086,25 @@ final public class SSLEngineImpl extends SSLEngine {
                 case Record.ct_change_cipher_spec:
                     if ((connectionState != cs_HANDSHAKE
                                 && connectionState != cs_RENEGOTIATE)
-                            || inputRecord.available() != 1
+                            || !handshaker.sessionKeysCalculated()
+                            || receivedCCS) {
+                        // For the CCS message arriving in the wrong state
+                        fatal(Alerts.alert_unexpected_message,
+                                "illegal change cipher spec msg, conn state = "
+                                + connectionState + ", handshake state = "
+                                + handshaker.state);
+                    } else if (inputRecord.available() != 1
                             || inputRecord.read() != 1) {
+                        // For structural/content issues with the CCS
                         fatal(Alerts.alert_unexpected_message,
-                            "illegal change cipher spec msg, state = "
-                            + connectionState);
+                                "Malformed change cipher spec msg");
                     }
 
+                    // Once we've received CCS, update the flag.
+                    // If the remote endpoint sends it again in this handshake
+                    // we won't process it.
+                    receivedCCS = true;
+
                     //
                     // The first message after a change_cipher_spec
                     // record MUST be a "Finished" handshake record,
@@ -2120,6 +2140,14 @@ final public class SSLEngineImpl extends SSLEngine {
         }
     }
 
+    /*
+     * Returns a boolean indicating whether the ChangeCipherSpec message
+     * has been received for this handshake.
+     */
+    boolean receivedChangeCipherSpec() {
+        return receivedCCS;
+    }
+
     /**
      * Returns a printable representation of this end of the connection.
      */

src/share/classes/sun/security/ssl/SSLSocketImpl.java

 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -171,6 +171,12 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
      */
     private volatile int        connectionState;
 
+    /*
+     * Flag indicating that the engine's handshaker has done the necessary
+     * steps so the engine may process a ChangeCipherSpec message.
+     */
+    private boolean             receivedCCS;
+
     /*
      * Flag indicating if the next record we receive MUST be a Finished
      * message. Temporarily set during the handshake to ensure that
@@ -587,6 +593,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
          */
         roleIsServer = isServer;
         connectionState = cs_START;
+        receivedCCS = false;
 
         /*
          * default read and write side cipher and MAC support
@@ -1045,6 +1052,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
 
                     if (handshaker.invalidated) {
                         handshaker = null;
+                        receivedCCS = false;
                         // if state is cs_RENEGOTIATE, revert it to cs_DATA
                         if (connectionState == cs_RENEGOTIATE) {
                             connectionState = cs_DATA;
@@ -1060,6 +1068,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
                         handshakeSession = null;
                         handshaker = null;
                         connectionState = cs_DATA;
+                        receivedCCS = false;
 
                         //
                         // Tell folk about handshake completion, but do
@@ -1107,13 +1116,24 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
                 case Record.ct_change_cipher_spec:
                     if ((connectionState != cs_HANDSHAKE
                                 && connectionState != cs_RENEGOTIATE)
-                            || r.available() != 1
-                            || r.read() != 1) {
+                            || !handshaker.sessionKeysCalculated()
+                            || receivedCCS) {
+                        // For the CCS message arriving in the wrong state
                         fatal(Alerts.alert_unexpected_message,
-                            "illegal change cipher spec msg, state = "
-                            + connectionState);
+                                "illegal change cipher spec msg, conn state = "
+                                + connectionState + ", handshake state = "
+                                + handshaker.state);
+                    } else if (r.available() != 1 || r.read() != 1) {
+                        // For structural/content issues with the CCS
+                        fatal(Alerts.alert_unexpected_message,
+                                "Malformed change cipher spec msg");
                     }
 
+                    // Once we've received CCS, update the flag.
+                    // If the remote endpoint sends it again in this handshake
+                    // we won't process it.
+                    receivedCCS = true;
+
                     //
                     // The first message after a change_cipher_spec
                     // record MUST be a "Finished" handshake record,
@@ -2550,6 +2570,14 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
         }
     }
 
+    /*
+     * Returns a boolean indicating whether the ChangeCipherSpec message
+     * has been received for this handshake.
+     */
+    boolean receivedChangeCipherSpec() {
+        return receivedCCS;
+    }
+
     //
     // We allocate a separate thread to deliver handshake completion
     // events.  This ensures that the notifications don't block the

src/share/classes/sun/security/ssl/ServerHandshaker.java

@@ -287,6 +287,13 @@ final class ServerHandshaker extends Handshaker {
                 break;
 
             case HandshakeMessage.ht_finished:
+                // A ChangeCipherSpec record must have been received prior to
+                // reception of the Finished message (RFC 5246, 7.4.9).
+                if (!receivedChangeCipherSpec()) {
+                    fatalSE(Alerts.alert_handshake_failure,
+                        "Received Finished message before ChangeCipherSpec");
+                }
+
                 this.clientFinished(
                     new Finished(protocolVersion, input, cipherSuite));
                 break;

src/share/classes/sun/security/util/DerIndefLenConverter.java

@@ -156,12 +156,18 @@ class DerIndefLenConverter {
         }
         if (isLongForm(lenByte)) {
             lenByte &= LEN_MASK;
-            if (lenByte > 4)
+            if (lenByte > 4) {
                 throw new IOException("Too much data");
-            if ((dataSize - dataPos) < (lenByte + 1))
+            }
+            if ((dataSize - dataPos) < (lenByte + 1)) {
                 throw new IOException("Too little data");
-            for (int i = 0; i < lenByte; i++)
+            }
+            for (int i = 0; i < lenByte; i++) {
                 curLen = (curLen << 8) + (data[dataPos++] & 0xff);
+            }
+            if (curLen < 0) {
+                throw new IOException("Invalid length bytes");
+            }
         } else {
            curLen = (lenByte & LEN_MASK);
         }
@@ -188,10 +194,15 @@ class DerIndefLenConverter {
         }
         if (isLongForm(lenByte)) {
             lenByte &= LEN_MASK;
-            for (int i = 0; i < lenByte; i++)
+            for (int i = 0; i < lenByte; i++) {
                 curLen = (curLen << 8) + (data[dataPos++] & 0xff);
-        } else
+            }
+            if (curLen < 0) {
+                throw new IOException("Invalid length bytes");
+            }
+        } else {
             curLen = (lenByte & LEN_MASK);
+        }
         writeLength(curLen);
         writeValue(curLen);
     }

src/share/classes/sun/security/util/DerInputStream.java

@@ -566,6 +566,10 @@ public class DerInputStream {
                 value <<= 8;
                 value += 0x0ff & in.read();
             }
+            if (value < 0) {
+                throw new IOException("DerInputStream.getLength(): "
+                        + "Invalid length bytes");
+            }
         }
         return value;
     }

src/share/classes/sun/swing/FilePane.java

@@ -1979,6 +1979,7 @@ public class FilePane extends JPanel implements PropertyChangeListener {
             return false;
         }
 
+        try {
             if (f instanceof ShellFolder) {
                 return f.canWrite();
             } else {
@@ -1994,6 +1995,9 @@ public class FilePane extends JPanel implements PropertyChangeListener {
                     return f.canWrite();
                 }
             }
+        } catch (SecurityException e) {
+            return false;
+        }
     }
 
     /**

src/share/classes/sun/swing/WindowsPlacesBar.java

@@ -81,11 +81,7 @@ public class WindowsPlacesBar extends JToolBar
         setBackground(bgColor);
         FileSystemView fsv = fc.getFileSystemView();
 
-        files = AccessController.doPrivileged(new PrivilegedAction<File[]>() {
-            public File[] run() {
-                return (File[]) ShellFolder.get("fileChooserShortcutPanelFolders");
-            }
-        });
+        files = (File[]) ShellFolder.get("fileChooserShortcutPanelFolders");
 
         buttons = new JToggleButton[files.length];
         buttonGroup = new ButtonGroup();

src/share/classes/sun/swing/plaf/synth/SynthFileChooserUIImpl.java

@@ -769,16 +769,9 @@ public class SynthFileChooserUIImpl extends SynthFileChooserUI {
                 fireIntervalRemoved(this, 0, oldSize);
             }
 
-            File[] baseFolders;
-            if (useShellFolder) {
-                baseFolders = AccessController.doPrivileged(new PrivilegedAction<File[]>() {
-                    public File[] run() {
-                        return (File[]) ShellFolder.get("fileChooserComboBoxFolders");
-                    }
-                });
-            } else {
-                baseFolders = fsv.getRoots();
-            }
+            File[] baseFolders = (useShellFolder)
+                    ? (File[]) ShellFolder.get("fileChooserComboBoxFolders")
+                    : fsv.getRoots();
             directories.addAll(Arrays.asList(baseFolders));
 
             // Get the canonical (full) path. This has the side

src/share/lib/security/java.security-aix

@@ -210,8 +210,8 @@ package.access=sun.,\
                org.jcp.xml.dsig.internal.,\
                jdk.internal.,\
                jdk.nashorn.internal.,\
-               jdk.nashorn.tools.
-
+               jdk.nashorn.tools.,\
+               com.sun.activation.registries.
 
 #
 # List of comma-separated packages that start with or equal this string
@@ -257,8 +257,8 @@ package.definition=sun.,\
                    org.jcp.xml.dsig.internal.,\
                    jdk.internal.,\
                    jdk.nashorn.internal.,\
-                   jdk.nashorn.tools.
-
+                   jdk.nashorn.tools.,\
+                   com.sun.activation.registries.
 
 #
 # Determines whether this properties file can be appended to
@@ -479,8 +479,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -495,4 +499,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3

src/share/lib/security/java.security-linux

@@ -479,8 +479,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -495,4 +499,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3

src/share/lib/security/java.security-macosx

@@ -482,8 +482,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -498,4 +502,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3

src/share/lib/security/java.security-solaris

@@ -481,8 +481,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -497,4 +501,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3

src/share/lib/security/java.security-windows

@@ -482,8 +482,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -498,4 +502,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3

src/share/native/sun/font/layout/ContextualSubstSubtables.cpp

@@ -583,6 +583,8 @@ le_uint32 ChainingContextualSubstitutionFormat2Subtable::process(const LETableRe
                 LEReferenceTo<ChainSubClassRuleTable>
                      chainSubClassRuleTable(chainSubClassSetTable, success, chainSubClassRuleTableOffset);
                 le_uint16 backtrackGlyphCount = SWAPW(chainSubClassRuleTable->backtrackGlyphCount);
+                LEReferenceToArrayOf<le_uint16>   backtrackClassArray(base, success, chainSubClassRuleTable->backtrackClassArray, backtrackGlyphCount);
+                if( LE_FAILURE(success) ) { return 0; }
                 le_uint16 inputGlyphCount = SWAPW(chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount]) - 1;
                 LEReferenceToArrayOf<le_uint16>   inputClassArray(base, success, &chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount + 1],inputGlyphCount+2); // +2 for the lookaheadGlyphCount count
                 le_uint16 lookaheadGlyphCount = SWAPW(inputClassArray.getObject(inputGlyphCount, success));
@@ -599,8 +601,6 @@ le_uint32 ChainingContextualSubstitutionFormat2Subtable::process(const LETableRe
                 }
 
                 tempIterator.prev();
-                LEReferenceToArrayOf<le_uint16>   backtrackClassArray(base, success, chainSubClassRuleTable->backtrackClassArray, backtrackGlyphCount);
-                if( LE_FAILURE(success) ) { return 0; }
                 if (! matchGlyphClasses(backtrackClassArray, backtrackGlyphCount,
                                         &tempIterator, backtrackClassDefinitionTable, success, TRUE)) {
                     continue;

src/share/native/sun/font/layout/CursiveAttachmentSubtables.cpp

@@ -45,6 +45,9 @@ le_uint32 CursiveAttachmentSubtable::process(const LEReferenceTo<CursiveAttachme
     le_int32  coverageIndex = getGlyphCoverage(base, glyphID, success);
     le_uint16 eeCount       = SWAPW(entryExitCount);
 
+    LEReferenceToArrayOf<EntryExitRecord>
+        entryExitRecordsArrayRef(base, success, entryExitRecords, coverageIndex);
+
     if (coverageIndex < 0 || coverageIndex >= eeCount || LE_FAILURE(success)) {
         glyphIterator->setCursiveGlyph();
         return 0;

src/share/native/sun/font/layout/Features.cpp

@@ -40,6 +40,9 @@ U_NAMESPACE_BEGIN
 
 LEReferenceTo<FeatureTable> FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const
 {
+    LEReferenceToArrayOf<FeatureRecord>
+        featureRecordArrayRef(base, success, featureRecordArray, featureIndex);
+
   if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) {
     return LEReferenceTo<FeatureTable>();
   }

src/share/native/sun/font/layout/LETableReference.h

@@ -470,7 +470,12 @@ _TRTRACE("INFO: new RTAO")
 #endif
 
   const T& getObject(le_uint32 i, LEErrorCode &success) const {
-    return *getAlias(i,success);
+      const T *ret = getAlias(i, success);
+      if (LE_FAILURE(success) || ret==NULL) {
+          return *(new T(0));
+      } else {
+          return *ret;
+     }
   }
 
   /**

src/share/native/sun/font/layout/LigatureSubstSubtables.cpp

@@ -64,6 +64,9 @@ le_uint32 LigatureSubstitutionSubtable::process(const LETableReference &base, Gl
             LEReferenceTo<LigatureTable>   ligTable(ligSetTable, success, ligTableOffset);
             if(LE_FAILURE(success)) { return 0; }
             le_uint16 compCount = SWAPW(ligTable->compCount) - 1;
+            LEReferenceToArrayOf<TTGlyphID>
+                componentArrayRef(base, success, ligTable->componentArray, compCount);
+            if (LE_FAILURE(success)) { return 0; }
             le_int32 startPosition = glyphIterator->getCurrStreamPosition();
             TTGlyphID ligGlyph = SWAPW(ligTable->ligGlyph);
             le_uint16 comp;

src/share/native/sun/font/layout/MultipleSubstSubtables.cpp

@@ -61,6 +61,8 @@ le_uint32 MultipleSubstitutionSubtable::process(const LETableReference &base, Gl
 
     le_int32 coverageIndex = getGlyphCoverage(base, glyph, success);
     le_uint16 seqCount = SWAPW(sequenceCount);
+    LEReferenceToArrayOf<Offset>
+        sequenceTableOffsetArrayRef(base, success, sequenceTableOffsetArray, seqCount);
 
     if (LE_FAILURE(success)) {
         return 0;

src/solaris/native/java/net/NetworkInterface.c

 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -570,9 +570,14 @@ JNIEXPORT jint JNICALL Java_java_net_NetworkInterface_getMTU0(JNIEnv *env, jclas
     jboolean isCopy;
     int ret = -1;
     int sock;
-    const char* name_utf;
+    const char* name_utf = NULL;
 
+    if (name != NULL) {
         name_utf = (*env)->GetStringUTFChars(env, name, &isCopy);
+    } else {
+        JNU_ThrowNullPointerException(env, "network interface name is NULL");
+        return ret;
+    }
     if (name_utf == NULL) {
        if (!(*env)->ExceptionCheck(env))
            JNU_ThrowOutOfMemoryError(env, NULL);
@@ -600,7 +605,12 @@ static int getFlags0(JNIEnv *env, jstring name) {
     const char* name_utf;
     int flags = 0;
 
+    if (name != NULL) {
         name_utf = (*env)->GetStringUTFChars(env, name, &isCopy);
+    } else {
+        JNU_ThrowNullPointerException(env, "network interface name is NULL");
+        return -1;
+    }
     if (name_utf == NULL) {
        if (!(*env)->ExceptionCheck(env))
            JNU_ThrowOutOfMemoryError(env, NULL);
@@ -1474,7 +1484,12 @@ static int getMTU(JNIEnv *env, int sock,  const char *ifname) {
     struct ifreq if2;
 
     memset((char *) &if2, 0, sizeof(if2));
+    if (ifname != NULL) {
         strcpy(if2.ifr_name, ifname);
+    } else {
+        JNU_ThrowNullPointerException(env, "network interface name is NULL");
+        return -1;
+    }
 
     if (ioctl(sock, SIOCGIFMTU, (char *)&if2) < 0) {
         NET_ThrowByNameWithLastError(env, JNU_JAVANETPKG "SocketException", "IOCTL SIOCGIFMTU failed");

src/solaris/native/java/net/PlainDatagramSocketImpl.c

 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1474,10 +1474,12 @@ jobject getMulticastInterface(JNIEnv *env, jobject this, int fd, jint opt) {
         static jmethodID ni_ctrID;
         static jfieldID ni_indexID;
         static jfieldID ni_addrsID;
+        static jfieldID ni_nameID;
 
         jobjectArray addrArray;
         jobject addr;
         jobject ni;
+        jobject ni_name;
 
         struct in_addr in;
         struct in_addr *inP = ∈
@@ -1527,6 +1529,8 @@ jobject getMulticastInterface(JNIEnv *env, jobject this, int fd, jint opt) {
             ni_addrsID = (*env)->GetFieldID(env, c, "addrs",
                                             "[Ljava/net/InetAddress;");
             CHECK_NULL_RETURN(ni_addrsID, NULL);
+            ni_nameID = (*env)->GetFieldID(env, c,"name", "Ljava/lang/String;");
+            CHECK_NULL_RETURN(ni_nameID, NULL);
             ni_class = (*env)->NewGlobalRef(env, c);
             CHECK_NULL_RETURN(ni_class, NULL);
         }
@@ -1548,6 +1552,10 @@ jobject getMulticastInterface(JNIEnv *env, jobject this, int fd, jint opt) {
         CHECK_NULL_RETURN(addrArray, NULL);
         (*env)->SetObjectArrayElement(env, addrArray, 0, addr);
         (*env)->SetObjectField(env, ni, ni_addrsID, addrArray);
+        ni_name = (*env)->NewStringUTF(env, "");
+        if (ni_name != NULL) {
+            (*env)->SetObjectField(env, ni, ni_nameID, ni_name);
+        }
         return ni;
     }
 
@@ -1564,14 +1572,16 @@ jobject getMulticastInterface(JNIEnv *env, jobject this, int fd, jint opt) {
         static jfieldID ni_indexID;
         static jfieldID ni_addrsID;
         static jclass ia_class;
+        static jfieldID ni_nameID;
         static jmethodID ia_anyLocalAddressID;
 
-        int index;
+        int index = 0;
         int len = sizeof(index);
 
         jobjectArray addrArray;
         jobject addr;
         jobject ni;
+        jobject ni_name;
 
         if (JVM_GetSockOpt(fd, IPPROTO_IPV6, IPV6_MULTICAST_IF,
                            (char*)&index, &len) < 0) {
@@ -1600,6 +1610,8 @@ jobject getMulticastInterface(JNIEnv *env, jobject this, int fd, jint opt) {
                                                              "anyLocalAddress",
                                                              "()Ljava/net/InetAddress;");
             CHECK_NULL_RETURN(ia_anyLocalAddressID, NULL);
+            ni_nameID = (*env)->GetFieldID(env, c,"name", "Ljava/lang/String;");
+            CHECK_NULL_RETURN(ni_nameID, NULL);
             ni_class = (*env)->NewGlobalRef(env, c);
             CHECK_NULL_RETURN(ni_class, NULL);
         }
@@ -1660,6 +1672,10 @@ jobject getMulticastInterface(JNIEnv *env, jobject this, int fd, jint opt) {
         CHECK_NULL_RETURN(addrArray, NULL);
         (*env)->SetObjectArrayElement(env, addrArray, 0, addr);
         (*env)->SetObjectField(env, ni, ni_addrsID, addrArray);
+        ni_name = (*env)->NewStringUTF(env, "");
+        if (ni_name != NULL) {
+            (*env)->SetObjectField(env, ni, ni_nameID, ni_name);
+        }
         return ni;
     }
 #endif

src/windows/classes/sun/awt/shell/Win32ShellFolderManager2.java

@@ -36,6 +36,7 @@ import java.security.PrivilegedAction;
 import java.util.*;
 import java.util.List;
 import java.util.concurrent.*;
+import java.util.stream.Stream;
 
 import static sun.awt.shell.Win32ShellFolder2.*;
 import sun.awt.OSInfo;
@@ -251,7 +252,7 @@ public class Win32ShellFolderManager2 extends ShellFolderManager {
             if (file == null) {
                 file = getDesktop();
             }
-            return file;
+            return checkFile(file);
         } else if (key.equals("roots")) {
             // Should be "History" and "Desktop" ?
             if (roots == null) {
@@ -262,11 +263,11 @@ public class Win32ShellFolderManager2 extends ShellFolderManager {
                     roots = (File[])super.get(key);
                 }
             }
-            return roots;
+            return checkFiles(roots);
         } else if (key.equals("fileChooserComboBoxFolders")) {
             Win32ShellFolder2 desktop = getDesktop();
 
-            if (desktop != null) {
+            if (desktop != null && checkFile(desktop) != null) {
                 ArrayList<File> folders = new ArrayList<File>();
                 Win32ShellFolder2 drives = getDrives();
 
@@ -277,7 +278,7 @@ public class Win32ShellFolderManager2 extends ShellFolderManager {
 
                 folders.add(desktop);
                 // Add all second level folders
-                File[] secondLevelFolders = desktop.listFiles();
+                File[] secondLevelFolders = checkFiles(desktop.listFiles());
                 Arrays.sort(secondLevelFolders);
                 for (File secondLevelFolder : secondLevelFolders) {
                     Win32ShellFolder2 folder = (Win32ShellFolder2) secondLevelFolder;
@@ -285,7 +286,7 @@ public class Win32ShellFolderManager2 extends ShellFolderManager {
                         folders.add(folder);
                         // Add third level for "My Computer"
                         if (folder.equals(drives)) {
-                            File[] thirdLevelFolders = folder.listFiles();
+                            File[] thirdLevelFolders = checkFiles(folder.listFiles());
                             if (thirdLevelFolders != null && thirdLevelFolders.length > 0) {
                                 List<File> thirdLevelFoldersList = Arrays.asList(thirdLevelFolders);
 
@@ -295,7 +296,7 @@ public class Win32ShellFolderManager2 extends ShellFolderManager {
                         }
                     }
                 }
-                return folders.toArray(new File[folders.size()]);
+                return checkFiles(folders);
             } else {
                 return super.get(key);
             }
@@ -332,7 +333,7 @@ public class Win32ShellFolderManager2 extends ShellFolderManager {
                     }
                 }
             }
-            return folders.toArray(new File[folders.size()]);
+            return checkFiles(folders);
         } else if (key.startsWith("fileChooserIcon ")) {
             String name = key.substring(key.indexOf(" ") + 1);
 
@@ -378,6 +379,41 @@ public class Win32ShellFolderManager2 extends ShellFolderManager {
         return null;
     }
 
+    private File checkFile(File file) {
+        SecurityManager sm = System.getSecurityManager();
+        return (sm == null || file == null) ? file : checkFile(file, sm);
+    }
+
+    private File checkFile(File file, SecurityManager sm) {
+        try {
+            sm.checkRead(file.getPath());
+            return file;
+        } catch (SecurityException se) {
+            return null;
+        }
+    }
+
+    private File[] checkFiles(File[] files) {
+        SecurityManager sm = System.getSecurityManager();
+        if (sm == null || files == null || files.length == 0) {
+            return files;
+        }
+        return checkFiles(Arrays.stream(files), sm);
+    }
+
+    private File[] checkFiles(List<File> files) {
+        SecurityManager sm = System.getSecurityManager();
+        if (sm == null || files.isEmpty()) {
+            return files.toArray(new File[files.size()]);
+        }
+        return checkFiles(files.stream(), sm);
+    }
+
+    private File[] checkFiles(Stream<File> filesStream, SecurityManager sm) {
+        return filesStream.filter((file) -> checkFile(file, sm) != null)
+                .toArray(File[]::new);
+    }
+
     /**
      * Does <code>dir</code> represent a "computer" such as a node on the network, or
      * "My Computer" on the desktop.

test/javax/swing/JFileChooser/8062561/bug8062561.java

+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.awt.Robot;
+import java.awt.event.KeyEvent;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintWriter;
+import java.util.concurrent.TimeUnit;
+import javax.swing.JFileChooser;
+import javax.swing.SwingUtilities;
+import javax.swing.filechooser.FileSystemView;
+import sun.awt.OSInfo;
+
+/**
+ * @test
+ * @bug 8062561
+ * @summary File system view returns null default directory
+ * @run main/othervm bug8062561 GENERATE_POLICY
+ * @run main/othervm/policy=security.policy bug8062561 CHECK_DEFAULT_DIR run
+ */
+public class bug8062561 {
+
+    private static final String POLICY_FILE = "security2.policy";
+    private static volatile boolean fileChooserIsShown = false;
+
+    public static void main(String[] args) throws Exception {
+
+        String test = args[0];
+
+        switch (test) {
+            case "GENERATE_POLICY":
+                generatePolicyFile();
+                break;
+            case "CHECK_DEFAULT_DIR":
+                checkDefaultDirectory();
+                break;
+            case "CHECK_FILE_CHOOSER":
+                checkFileChooser();
+                break;
+            default:
+                throw new RuntimeException("Wrong argument!");
+        }
+    }
+
+    private static void checkDefaultDirectory() {
+        if (System.getSecurityManager() == null) {
+            throw new RuntimeException("Security manager is not set!");
+        }
+
+        File defaultDirectory = FileSystemView.getFileSystemView().
+                getDefaultDirectory();
+        if (defaultDirectory != null) {
+            throw new RuntimeException("File system default directory is null!");
+        }
+    }
+    private static volatile JFileChooser fileChooser;
+
+    private static void checkFileChooser() throws Exception {
+        if (System.getSecurityManager() == null) {
+            throw new RuntimeException("Security manager is not set!");
+        }
+
+        Robot robot = new Robot();
+        robot.setAutoDelay(50);
+
+        SwingUtilities.invokeLater(new Runnable() {
+
+            public void run() {
+                fileChooser = new JFileChooser();
+                fileChooser.showOpenDialog(null);
+                fileChooserIsShown = true;
+                System.out.println("Start file chooser: " + fileChooserIsShown);
+            }
+        });
+
+        long time = System.currentTimeMillis();
+        while (fileChooser == null) {
+            if (System.currentTimeMillis() - time >= 10000) {
+                throw new RuntimeException("FileChoser is not shown!");
+            }
+            Thread.sleep(500);
+        }
+
+        Thread.sleep(500);
+        robot.keyPress(KeyEvent.VK_ESCAPE);
+        robot.keyRelease(KeyEvent.VK_ESCAPE);
+        System.exit(0);
+    }
+
+    private static void generatePolicyFile() throws Exception {
+        if (System.getSecurityManager() != null) {
+            throw new RuntimeException("Security manager should be null!");
+        }
+
+        if (!OSInfo.getOSType().equals(OSInfo.OSType.WINDOWS)) {
+            return;
+        }
+
+        File defaultDirectory = FileSystemView.getFileSystemView().
+                getDefaultDirectory();
+
+        if (defaultDirectory == null) {
+            throw new RuntimeException("Default directory is null!");
+        }
+
+        File policyFile = new File(POLICY_FILE);
+        if (!policyFile.exists()) {
+            policyFile.createNewFile();
+        }
+
+        try (PrintWriter writer = new PrintWriter(policyFile, "UTF-8")) {
+            writer.println("grant {");
+            String documents = defaultDirectory.getCanonicalPath();
+            documents = documents.replace('\\', '/');
+            // Documents permission
+            writer.print("  permission java.io.FilePermission");
+            writer.print(" \"" + documents + "\",");
+            writer.println(" \"read\";");
+            // Desktop permission
+            writer.print("  permission java.io.FilePermission");
+            writer.print(" \"" + documents.replace("Documents", "Desktop") + "\",");
+            writer.println(" \"read\";");
+            // robot permission // "java.awt.AWTPermission" "createRobot"
+            writer.print("  permission java.awt.AWTPermission");
+            writer.println(" \"createRobot\";");
+            writer.println("};");
+        }
+
+        performTest();
+    }
+
+    private static void performTest() throws Exception {
+        String javaPath = System.getProperty("java.home", "");
+        String command = javaPath + File.separator + "bin" + File.separator + "java"
+                + "  -Djava.security.manager -Djava.security.policy=" + POLICY_FILE
+                + " bug8062561 CHECK_FILE_CHOOSER";
+        System.out.println(command);
+        boolean processExit = false;
+
+        Process process = Runtime.getRuntime().exec(command);
+
+        try {
+            processExit = process.waitFor(20, TimeUnit.SECONDS);
+        } catch (IllegalThreadStateException e) {
+            throw new RuntimeException(e);
+        }
+        System.out.println("[RESULT] : "
+                + "The sub process has cleanly exited : PASS");
+
+        InputStream errorStream = process.getErrorStream();
+        System.out.println("========= Child process stderr ========");
+        boolean exception = dumpStream(errorStream);
+        if (exception) {
+            throw new RuntimeException("[RESULT] :"
+                    + " Exception in child process : FAIL");
+        }
+        System.out.println("=======================================");
+
+        InputStream processInputStream = process.getInputStream();
+        System.out.println("========= Child process output ========");
+        dumpStream(processInputStream);
+        System.out.println("=======================================");
+
+        if (!processExit) {
+            process.destroy();
+            throw new RuntimeException("[RESULT] : "
+                    + "The sub process has not exited : FAIL");
+        }
+    }
+
+    public static boolean dumpStream(InputStream in) throws IOException {
+        String tempString;
+        int count = in.available();
+        boolean exception = false;
+        while (count > 0) {
+            byte[] b = new byte[count];
+            in.read(b);
+            tempString = new String(b);
+            if (!exception) {
+                exception = tempString.indexOf("Exception") != -1;
+            }
+            System.out.println(tempString);
+            count = in.available();
+        }
+
+        return exception;
+    }
+}

test/javax/swing/JFileChooser/8062561/security.policy

+grant {
+
+    permission java.util.PropertyPermission  "user.home", "read";
+};

test/javax/swing/JFileChooser/8062561/security2.policy

+// Autogenerated file
\ No newline at end of file

test/sun/security/ec/TestEC.java

@@ -68,6 +68,10 @@ public class TestEC {
     }
 
     public static void main0(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         Provider p = Security.getProvider("SunEC");
 
         if (p == null) {

test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java

@@ -43,6 +43,10 @@ public class ClientJSSEServerJSSE extends PKCS11Test {
     private static String[] cmdArgs;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         cmdArgs = args;
         main(new ClientJSSEServerJSSE());
     }

test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java

@@ -32,6 +32,7 @@
 import java.io.*;
 import java.net.*;
 import javax.net.ssl.*;
+import java.security.Security;
 
 public class HttpsProtocols implements HostnameVerifier {
 
@@ -177,6 +178,10 @@ public class HttpsProtocols implements HostnameVerifier {
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;

test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java

@@ -35,6 +35,7 @@
 import javax.net.*;
 import javax.net.ssl.*;
 import java.util.Arrays;
+import java.security.Security;
 
 public class CustomizedDefaultProtocols {
     static enum ContextVersion {
@@ -93,6 +94,10 @@ public class CustomizedDefaultProtocols {
     }
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         boolean failed = false;
         for (ContextVersion cv : ContextVersion.values()) {
             System.out.println("Checking SSLContext of " + cv.contextVersion);

test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java

@@ -34,6 +34,7 @@
 import javax.net.*;
 import javax.net.ssl.*;
 import java.util.Arrays;
+import java.security.Security;
 
 public class DefaultEnabledProtocols {
     static enum ContextVersion {
@@ -92,6 +93,10 @@ public class DefaultEnabledProtocols {
     }
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         boolean failed = false;
         for (ContextVersion cv : ContextVersion.values()) {
             System.out.println("Checking SSLContext of " + cv.contextVersion);

test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java

@@ -35,6 +35,7 @@
 import javax.net.*;
 import javax.net.ssl.*;
 import java.util.Arrays;
+import java.security.Security;
 
 public class NoOldVersionContext {
     static enum ContextVersion {
@@ -93,6 +94,10 @@ public class NoOldVersionContext {
     }
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         boolean failed = false;
         for (ContextVersion cv : ContextVersion.values()) {
             System.out.println("Checking SSLContext of " + cv.contextVersion);

test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java

@@ -115,6 +115,9 @@ public class DelegatedTaskWrongException {
     }
 
     public static void main(String args[]) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
 
         DelegatedTaskWrongException test;
 

test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java

@@ -21,6 +21,11 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
  * @test
  * @bug 4416068 4478803 4479736
@@ -31,9 +36,6 @@
  *          4701722 protocol mismatch exceptions should be consistent between
  *                  SSLv3 and TLSv1
  * @run main/othervm testEnabledProtocols
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  * @author Ram Marti
  */
 
@@ -120,6 +122,10 @@ public class testEnabledProtocols {
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;

test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java

@@ -44,6 +44,7 @@ import java.nio.*;
 import java.net.*;
 import java.util.*;
 import java.nio.channels.*;
+import java.security.Security;
 
 public class SSLEngineExplorer extends SSLEngineService {
 
@@ -231,6 +232,10 @@ public class SSLEngineExplorer extends SSLEngineService {
     volatile int serverPort = 0;
 
     public static void main(String args[]) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");
 

test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java

@@ -45,6 +45,7 @@ import java.nio.channels.*;
 import java.util.*;
 import java.net.*;
 import javax.net.ssl.*;
+import java.security.Security;
 
 public class SSLSocketExplorer {
 
@@ -224,6 +225,10 @@ public class SSLSocketExplorer {
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", ".") + "/" + pathToStores +
                 "/" + keyStoreFile;

test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java

@@ -29,9 +29,15 @@
  * @run main/othervm/timeout=300 ClientJSSEServerJSSE
  */
 
+import java.security.Security;
+
 public class ClientJSSEServerJSSE {
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         CipherTest.main(new JSSEFactory(), args);
     }