Merge

src/share/classes/javax/crypto/JceSecurity.java

 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -257,12 +257,12 @@ final class JceSecurity {
      * user edit or an application call is required.
      *
      * Otherwise, if user has policy jar files installed in the legacy
-     * jre/lib/security/ directory, the JDK will honor whatever
+     * <java-home>/lib/security/ directory, the JDK will honor whatever
      * setting is set by those policy files. (legacy/current behavior)
      *
      * If none of the above 2 conditions are met, the JDK will default
-     * to using the limited crypto policy files found in the
-     * jre/lib/security/policy/limited/ directory
+     * to using the unlimited crypto policy files found in the
+     * <java-home>/lib/security/policy/unlimited/ directory
      */
     private static void setupJurisdictionPolicies() throws Exception {
         // Sanity check the crypto.policy Security property.  Single
@@ -300,9 +300,9 @@ final class JceSecurity {
                 !importJar.exists())) {
             // Compatibility set up. If crypto.policy is not defined.
             // check to see if legacy jars exist in lib directory. If
-            // they don't exist, we default to limited policy mode.
+            // they don't exist, we default to unlimited policy mode.
             cpPath = Paths.get(
-                    javaHomeProperty, "lib", "security", "policy", "limited");
+                    javaHomeProperty, "lib", "security", "policy", "unlimited");
             // point to the new jar files in limited directory
             exportJar = new File(cpPath.toFile(),"US_export_policy.jar");
             importJar = new File(cpPath.toFile(),"local_policy.jar");

src/share/classes/sun/security/ssl/SSLSocketImpl.java

@@ -1778,7 +1778,12 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
                 try {
                     readRecord(inrec, true);
                 } catch (SocketTimeoutException e) {
-                    // if time out, ignore the exception and continue
+                    if ((debug != null) && Debug.isOn("ssl")) {
+                        System.out.println(
+                            Thread.currentThread().getName() +
+                            ", received Exception: " + e);
+                    }
+                    fatal((byte)(-1), "Did not receive close_notify from peer", e);
                 }
             }
             inrec = null;

src/share/lib/security/java.security-aix

@@ -737,69 +737,71 @@ jdk.tls.legacyAlgorithms= \
 
 # Cryptographic Jurisdiction Policy defaults
 #
-# Due to the import control restrictions of some countries, the default
-# JCE policy files allow for strong but "limited" cryptographic key
-# lengths to be used.  If your country's cryptographic regulations allow,
-# the "unlimited" strength policy files can be used instead, which contain
-# no restrictions on cryptographic strengths.
+# Import and export control rules on cryptographic software vary from
+# country to country.  By default, the JDK provides two different sets of
+# cryptographic policy files:
 #
-# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
-# TO DETERMINE THE EXACT REQUIREMENTS.
+#     unlimited:  These policy files contain no restrictions on cryptographic
+#                 strengths or algorithms.
 #
-# <java-home> (below) refers to the directory where the JRE was
-# installed. It is determined based on whether you are running JCE
-# on a JRE or a JRE contained within the Java Development Kit, or
-# JDK(TM). The JDK contains the JRE, but at a different level in the
-# file hierarchy. For example, if the JDK is installed in
-# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
-# <java-home> is:
+#     limited:    These policy files contain more restricted cryptographic
+#                 strengths, and are still available if your country or
+#                 usage requires the traditional restrictive policy.
 #
-#  /home/user1/jdk1.8.0/jre           [Unix]
-#  C:\jdk1.8.0\jre                    [Windows]
+# The JDK JCE framework uses the unlimited policy files by default.
+# However the user may explicitly choose a set either by defining the
+# "crypto.policy" Security property or by installing valid JCE policy
+# jar files into the traditional JDK installation location.  To better
+# support older JDK Update releases, the "crypto.policy" property is not
+# defined by default.  See below for more information.
 #
-# If on the other hand the JRE is installed in /home/user1/jre1.8.0
-# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
-# installed, then <java-home> is:
+# The following logic determines which policy files are used:
 #
-#  /home/user1/jre1.8.0               [Unix]
-#  C:\jre1.8.0                        [Windows]
+#         <java-home> refers to the directory where the JRE was
+#         installed and may be determined using the "java.home"
+#         System property.
 #
-# On Windows, for each JDK installation, there may be additional
-# JREs installed under the "Program Files" directory. Please make
-# sure that you install the unlimited strength policy JAR files
-# for all JREs that you plan to use.
+# 1.  If the Security property "crypto.policy" has been defined,
+#     then the following mechanism is used:
 #
-# The policy files are jar files organized into subdirectories of
+#     The policy files are stored as jar files in subdirectories of
 # <java-home>/lib/security/policy.  Each directory contains a complete
 # set of policy files.
 #
-# The "crypto.policy" Security property controls the directory selection,
-# and thus the effective cryptographic policy.
+#     The "crypto.policy" Security property controls the directory
+#     selection, and thus the effective cryptographic policy.
 #
 # The default set of directories is:
 #
 #     limited | unlimited
 #
-# however other directories can be created and configured.
-#
-# To support older JDK Update releases, the crypto.policy property
-# is not defined by default. When the property is not defined, an
-# update release binary aware of the new property will use the following
-# logic to decide what crypto policy files get used :
-#
-# * If the US_export_policy.jar and local_policy.jar files are located
-# in the (legacy) <java-home>/lib/security directory, then the rules
-# embedded in those jar files will be used. This helps preserve compatibility
+# 2.  If the "crypto.policy" property is not set and the traditional
+#     US_export_policy.jar and local_policy.jar files
+#     (e.g. limited/unlimited) are found in the legacy
+#     <java-home>/lib/security directory, then the rules embedded within
+#     those jar files will be used. This helps preserve compatibility
 # for users upgrading from an older installation.
 #
-# * If crypto.policy is not defined and no such jar files are present in
-# the legacy locations, then the JDK will use the limited settings
-# (equivalent to crypto.policy=limited)
+# 3.  If the jar files are not present in the legacy location
+#     and the "crypto.policy" Security property is not defined,
+#     then the JDK will use the unlimited settings (equivalent to
+#     crypto.policy=unlimited)
 #
 # Please see the JCA documentation for additional information on these
 # files and formats.
-#crypto.policy=unlimited
 #
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# Please note that the JCE for Java SE, including the JCE framework,
+# cryptographic policy files, and standard JCE providers provided with
+# the Java SE, have been reviewed and approved for export as mass market
+# encryption item by the US Bureau of Industry and Security.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+#crypto.policy=unlimited
 
 # The policy for the XML Signature secure validation mode. The mode is
 # enabled by setting the property "org.jcp.xml.dsig.secureValidation" to

src/share/lib/security/java.security-linux

@@ -737,67 +737,70 @@ jdk.tls.legacyAlgorithms= \
 
 # Cryptographic Jurisdiction Policy defaults
 #
-# Due to the import control restrictions of some countries, the default
-# JCE policy files allow for strong but "limited" cryptographic key
-# lengths to be used.  If your country's cryptographic regulations allow,
-# the "unlimited" strength policy files can be used instead, which contain
-# no restrictions on cryptographic strengths.
+# Import and export control rules on cryptographic software vary from
+# country to country.  By default, the JDK provides two different sets of
+# cryptographic policy files:
 #
-# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
-# TO DETERMINE THE EXACT REQUIREMENTS.
+#     unlimited:  These policy files contain no restrictions on cryptographic
+#                 strengths or algorithms.
 #
-# <java-home> (below) refers to the directory where the JRE was
-# installed. It is determined based on whether you are running JCE
-# on a JRE or a JRE contained within the Java Development Kit, or
-# JDK(TM). The JDK contains the JRE, but at a different level in the
-# file hierarchy. For example, if the JDK is installed in
-# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
-# <java-home> is:
+#     limited:    These policy files contain more restricted cryptographic
+#                 strengths, and are still available if your country or
+#                 usage requires the traditional restrictive policy.
 #
-#  /home/user1/jdk1.8.0/jre           [Unix]
-#  C:\jdk1.8.0\jre                    [Windows]
+# The JDK JCE framework uses the unlimited policy files by default.
+# However the user may explicitly choose a set either by defining the
+# "crypto.policy" Security property or by installing valid JCE policy
+# jar files into the traditional JDK installation location.  To better
+# support older JDK Update releases, the "crypto.policy" property is not
+# defined by default.  See below for more information.
 #
-# If on the other hand the JRE is installed in /home/user1/jre1.8.0
-# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
-# installed, then <java-home> is:
+# The following logic determines which policy files are used:
 #
-#  /home/user1/jre1.8.0               [Unix]
-#  C:\jre1.8.0                        [Windows]
+#         <java-home> refers to the directory where the JRE was
+#         installed and may be determined using the "java.home"
+#         System property.
 #
-# On Windows, for each JDK installation, there may be additional
-# JREs installed under the "Program Files" directory. Please make
-# sure that you install the unlimited strength policy JAR files
-# for all JREs that you plan to use.
+# 1.  If the Security property "crypto.policy" has been defined,
+#     then the following mechanism is used:
 #
-# The policy files are jar files organized into subdirectories of
+#     The policy files are stored as jar files in subdirectories of
 # <java-home>/lib/security/policy.  Each directory contains a complete
 # set of policy files.
 #
-# The "crypto.policy" Security property controls the directory selection,
-# and thus the effective cryptographic policy.
+#     The "crypto.policy" Security property controls the directory
+#     selection, and thus the effective cryptographic policy.
 #
 # The default set of directories is:
 #
 #     limited | unlimited
 #
-# however other directories can be created and configured.
-#
-# To support older JDK Update releases, the crypto.policy property
-# is not defined by default. When the property is not defined, an
-# update release binary aware of the new property will use the following
-# logic to decide what crypto policy files get used :
-#
-# * If the US_export_policy.jar and local_policy.jar files are located
-# in the (legacy) <java-home>/lib/security directory, then the rules
-# embedded in those jar files will be used. This helps preserve compatibility
+# 2.  If the "crypto.policy" property is not set and the traditional
+#     US_export_policy.jar and local_policy.jar files
+#     (e.g. limited/unlimited) are found in the legacy
+#     <java-home>/lib/security directory, then the rules embedded within
+#     those jar files will be used. This helps preserve compatibility
 # for users upgrading from an older installation.
 #
-# * If crypto.policy is not defined and no such jar files are present in
-# the legacy locations, then the JDK will use the limited settings
-# (equivalent to crypto.policy=limited)
+# 3.  If the jar files are not present in the legacy location
+#     and the "crypto.policy" Security property is not defined,
+#     then the JDK will use the unlimited settings (equivalent to
+#     crypto.policy=unlimited)
 #
 # Please see the JCA documentation for additional information on these
 # files and formats.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# Please note that the JCE for Java SE, including the JCE framework,
+# cryptographic policy files, and standard JCE providers provided with
+# the Java SE, have been reviewed and approved for export as mass market
+# encryption item by the US Bureau of Industry and Security.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
 #crypto.policy=unlimited
 
 #

src/share/lib/security/java.security-macosx

@@ -740,67 +740,70 @@ jdk.tls.legacyAlgorithms= \
 
 # Cryptographic Jurisdiction Policy defaults
 #
-# Due to the import control restrictions of some countries, the default
-# JCE policy files allow for strong but "limited" cryptographic key
-# lengths to be used.  If your country's cryptographic regulations allow,
-# the "unlimited" strength policy files can be used instead, which contain
-# no restrictions on cryptographic strengths.
+# Import and export control rules on cryptographic software vary from
+# country to country.  By default, the JDK provides two different sets of
+# cryptographic policy files:
 #
-# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
-# TO DETERMINE THE EXACT REQUIREMENTS.
+#     unlimited:  These policy files contain no restrictions on cryptographic
+#                 strengths or algorithms.
 #
-# <java-home> (below) refers to the directory where the JRE was
-# installed. It is determined based on whether you are running JCE
-# on a JRE or a JRE contained within the Java Development Kit, or
-# JDK(TM). The JDK contains the JRE, but at a different level in the
-# file hierarchy. For example, if the JDK is installed in
-# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
-# <java-home> is:
+#     limited:    These policy files contain more restricted cryptographic
+#                 strengths, and are still available if your country or
+#                 usage requires the traditional restrictive policy.
 #
-#  /home/user1/jdk1.8.0/jre           [Unix]
-#  C:\jdk1.8.0\jre                    [Windows]
+# The JDK JCE framework uses the unlimited policy files by default.
+# However the user may explicitly choose a set either by defining the
+# "crypto.policy" Security property or by installing valid JCE policy
+# jar files into the traditional JDK installation location.  To better
+# support older JDK Update releases, the "crypto.policy" property is not
+# defined by default.  See below for more information.
 #
-# If on the other hand the JRE is installed in /home/user1/jre1.8.0
-# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
-# installed, then <java-home> is:
+# The following logic determines which policy files are used:
 #
-#  /home/user1/jre1.8.0               [Unix]
-#  C:\jre1.8.0                        [Windows]
+#         <java-home> refers to the directory where the JRE was
+#         installed and may be determined using the "java.home"
+#         System property.
 #
-# On Windows, for each JDK installation, there may be additional
-# JREs installed under the "Program Files" directory. Please make
-# sure that you install the unlimited strength policy JAR files
-# for all JREs that you plan to use.
+# 1.  If the Security property "crypto.policy" has been defined,
+#     then the following mechanism is used:
 #
-# The policy files are jar files organized into subdirectories of
+#     The policy files are stored as jar files in subdirectories of
 # <java-home>/lib/security/policy.  Each directory contains a complete
 # set of policy files.
 #
-# The "crypto.policy" Security property controls the directory selection,
-# and thus the effective cryptographic policy.
+#     The "crypto.policy" Security property controls the directory
+#     selection, and thus the effective cryptographic policy.
 #
 # The default set of directories is:
 #
 #     limited | unlimited
 #
-# however other directories can be created and configured.
-#
-# To support older JDK Update releases, the crypto.policy property
-# is not defined by default. When the property is not defined, an
-# update release binary aware of the new property will use the following
-# logic to decide what crypto policy files get used :
-#
-# * If the US_export_policy.jar and local_policy.jar files are located
-# in the (legacy) <java-home>/lib/security directory, then the rules
-# embedded in those jar files will be used. This helps preserve compatibility
+# 2.  If the "crypto.policy" property is not set and the traditional
+#     US_export_policy.jar and local_policy.jar files
+#     (e.g. limited/unlimited) are found in the legacy
+#     <java-home>/lib/security directory, then the rules embedded within
+#     those jar files will be used. This helps preserve compatibility
 # for users upgrading from an older installation.
 #
-# * If crypto.policy is not defined and no such jar files are present in
-# the legacy locations, then the JDK will use the limited settings
-# (equivalent to crypto.policy=limited)
+# 3.  If the jar files are not present in the legacy location
+#     and the "crypto.policy" Security property is not defined,
+#     then the JDK will use the unlimited settings (equivalent to
+#     crypto.policy=unlimited)
 #
 # Please see the JCA documentation for additional information on these
 # files and formats.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# Please note that the JCE for Java SE, including the JCE framework,
+# cryptographic policy files, and standard JCE providers provided with
+# the Java SE, have been reviewed and approved for export as mass market
+# encryption item by the US Bureau of Industry and Security.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
 #crypto.policy=unlimited
 
 #

src/share/lib/security/java.security-solaris

@@ -739,67 +739,70 @@ jdk.tls.legacyAlgorithms= \
 
 # Cryptographic Jurisdiction Policy defaults
 #
-# Due to the import control restrictions of some countries, the default
-# JCE policy files allow for strong but "limited" cryptographic key
-# lengths to be used.  If your country's cryptographic regulations allow,
-# the "unlimited" strength policy files can be used instead, which contain
-# no restrictions on cryptographic strengths.
+# Import and export control rules on cryptographic software vary from
+# country to country.  By default, the JDK provides two different sets of
+# cryptographic policy files:
 #
-# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
-# TO DETERMINE THE EXACT REQUIREMENTS.
+#     unlimited:  These policy files contain no restrictions on cryptographic
+#                 strengths or algorithms.
 #
-# <java-home> (below) refers to the directory where the JRE was
-# installed. It is determined based on whether you are running JCE
-# on a JRE or a JRE contained within the Java Development Kit, or
-# JDK(TM). The JDK contains the JRE, but at a different level in the
-# file hierarchy. For example, if the JDK is installed in
-# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
-# <java-home> is:
+#     limited:    These policy files contain more restricted cryptographic
+#                 strengths, and are still available if your country or
+#                 usage requires the traditional restrictive policy.
 #
-#  /home/user1/jdk1.8.0/jre           [Unix]
-#  C:\jdk1.8.0\jre                    [Windows]
+# The JDK JCE framework uses the unlimited policy files by default.
+# However the user may explicitly choose a set either by defining the
+# "crypto.policy" Security property or by installing valid JCE policy
+# jar files into the traditional JDK installation location.  To better
+# support older JDK Update releases, the "crypto.policy" property is not
+# defined by default.  See below for more information.
 #
-# If on the other hand the JRE is installed in /home/user1/jre1.8.0
-# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
-# installed, then <java-home> is:
+# The following logic determines which policy files are used:
 #
-#  /home/user1/jre1.8.0               [Unix]
-#  C:\jre1.8.0                        [Windows]
+#         <java-home> refers to the directory where the JRE was
+#         installed and may be determined using the "java.home"
+#         System property.
 #
-# On Windows, for each JDK installation, there may be additional
-# JREs installed under the "Program Files" directory. Please make
-# sure that you install the unlimited strength policy JAR files
-# for all JREs that you plan to use.
+# 1.  If the Security property "crypto.policy" has been defined,
+#     then the following mechanism is used:
 #
-# The policy files are jar files organized into subdirectories of
+#     The policy files are stored as jar files in subdirectories of
 # <java-home>/lib/security/policy.  Each directory contains a complete
 # set of policy files.
 #
-# The "crypto.policy" Security property controls the directory selection,
-# and thus the effective cryptographic policy.
+#     The "crypto.policy" Security property controls the directory
+#     selection, and thus the effective cryptographic policy.
 #
 # The default set of directories is:
 #
 #     limited | unlimited
 #
-# however other directories can be created and configured.
-#
-# To support older JDK Update releases, the crypto.policy property
-# is not defined by default. When the property is not defined, an
-# update release binary aware of the new property will use the following
-# logic to decide what crypto policy files get used :
-#
-# * If the US_export_policy.jar and local_policy.jar files are located
-# in the (legacy) <java-home>/lib/security directory, then the rules
-# embedded in those jar files will be used. This helps preserve compatibility
+# 2.  If the "crypto.policy" property is not set and the traditional
+#     US_export_policy.jar and local_policy.jar files
+#     (e.g. limited/unlimited) are found in the legacy
+#     <java-home>/lib/security directory, then the rules embedded within
+#     those jar files will be used. This helps preserve compatibility
 # for users upgrading from an older installation.
 #
-# * If crypto.policy is not defined and no such jar files are present in
-# the legacy locations, then the JDK will use the limited settings
-# (equivalent to crypto.policy=limited)
+# 3.  If the jar files are not present in the legacy location
+#     and the "crypto.policy" Security property is not defined,
+#     then the JDK will use the unlimited settings (equivalent to
+#     crypto.policy=unlimited)
 #
 # Please see the JCA documentation for additional information on these
 # files and formats.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# Please note that the JCE for Java SE, including the JCE framework,
+# cryptographic policy files, and standard JCE providers provided with
+# the Java SE, have been reviewed and approved for export as mass market
+# encryption item by the US Bureau of Industry and Security.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
 #crypto.policy=unlimited
 
 #

src/share/lib/security/java.security-windows

@@ -740,67 +740,70 @@ jdk.tls.legacyAlgorithms= \
 
 # Cryptographic Jurisdiction Policy defaults
 #
-# Due to the import control restrictions of some countries, the default
-# JCE policy files allow for strong but "limited" cryptographic key
-# lengths to be used.  If your country's cryptographic regulations allow,
-# the "unlimited" strength policy files can be used instead, which contain
-# no restrictions on cryptographic strengths.
+# Import and export control rules on cryptographic software vary from
+# country to country.  By default, the JDK provides two different sets of
+# cryptographic policy files:
 #
-# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
-# TO DETERMINE THE EXACT REQUIREMENTS.
+#     unlimited:  These policy files contain no restrictions on cryptographic
+#                 strengths or algorithms.
 #
-# <java-home> (below) refers to the directory where the JRE was
-# installed. It is determined based on whether you are running JCE
-# on a JRE or a JRE contained within the Java Development Kit, or
-# JDK(TM). The JDK contains the JRE, but at a different level in the
-# file hierarchy. For example, if the JDK is installed in
-# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
-# <java-home> is:
+#     limited:    These policy files contain more restricted cryptographic
+#                 strengths, and are still available if your country or
+#                 usage requires the traditional restrictive policy.
 #
-#  /home/user1/jdk1.8.0/jre           [Unix]
-#  C:\jdk1.8.0\jre                    [Windows]
+# The JDK JCE framework uses the unlimited policy files by default.
+# However the user may explicitly choose a set either by defining the
+# "crypto.policy" Security property or by installing valid JCE policy
+# jar files into the traditional JDK installation location.  To better
+# support older JDK Update releases, the "crypto.policy" property is not
+# defined by default.  See below for more information.
 #
-# If on the other hand the JRE is installed in /home/user1/jre1.8.0
-# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
-# installed, then <java-home> is:
+# The following logic determines which policy files are used:
 #
-#  /home/user1/jre1.8.0               [Unix]
-#  C:\jre1.8.0                        [Windows]
+#         <java-home> refers to the directory where the JRE was
+#         installed and may be determined using the "java.home"
+#         System property.
 #
-# On Windows, for each JDK installation, there may be additional
-# JREs installed under the "Program Files" directory. Please make
-# sure that you install the unlimited strength policy JAR files
-# for all JREs that you plan to use.
+# 1.  If the Security property "crypto.policy" has been defined,
+#     then the following mechanism is used:
 #
-# The policy files are jar files organized into subdirectories of
+#     The policy files are stored as jar files in subdirectories of
 # <java-home>/lib/security/policy.  Each directory contains a complete
 # set of policy files.
 #
-# The "crypto.policy" Security property controls the directory selection,
-# and thus the effective cryptographic policy.
+#     The "crypto.policy" Security property controls the directory
+#     selection, and thus the effective cryptographic policy.
 #
 # The default set of directories is:
 #
 #     limited | unlimited
 #
-# however other directories can be created and configured.
-#
-# To support older JDK Update releases, the crypto.policy property
-# is not defined by default. When the property is not defined, an
-# update release binary aware of the new property will use the following
-# logic to decide what crypto policy files get used :
-#
-# * If the US_export_policy.jar and local_policy.jar files are located
-# in the (legacy) <java-home>/lib/security directory, then the rules
-# embedded in those jar files will be used. This helps preserve compatibility
+# 2.  If the "crypto.policy" property is not set and the traditional
+#     US_export_policy.jar and local_policy.jar files
+#     (e.g. limited/unlimited) are found in the legacy
+#     <java-home>/lib/security directory, then the rules embedded within
+#     those jar files will be used. This helps preserve compatibility
 # for users upgrading from an older installation.
 #
-# * If crypto.policy is not defined and no such jar files are present in
-# the legacy locations, then the JDK will use the limited settings
-# (equivalent to crypto.policy=limited)
+# 3.  If the jar files are not present in the legacy location
+#     and the "crypto.policy" Security property is not defined,
+#     then the JDK will use the unlimited settings (equivalent to
+#     crypto.policy=unlimited)
 #
 # Please see the JCA documentation for additional information on these
 # files and formats.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# Please note that the JCE for Java SE, including the JCE framework,
+# cryptographic policy files, and standard JCE providers provided with
+# the Java SE, have been reviewed and approved for export as mass market
+# encryption item by the US Bureau of Industry and Security.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
 #crypto.policy=unlimited
 
 #

test/com/sun/crypto/provider/Cipher/AES/TestAESCiphers/Dynamic.java

 /*
- * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -150,19 +150,8 @@ public class Dynamic {
             int offset = ci.update(plainText, 0, plainText.length, cipherText,
                     0);
             ci.doFinal(cipherText, offset);
+            ci.init(Cipher.DECRYPT_MODE, key, ci.getParameters());
 
-            if (!mo.equalsIgnoreCase("ECB")) {
-                iv = ci.getIV();
-                aps = new IvParameterSpec(iv);
-            } else {
-                aps = null;
-            }
-
-            if (!mo.equalsIgnoreCase("GCM")) {
-                ci.init(Cipher.DECRYPT_MODE, key, aps);
-            } else {
-                ci.init(Cipher.DECRYPT_MODE, key, ci.getParameters());
-            }
             byte[] recoveredText = new byte[ci.getOutputSize(cipherText.length)];
             int len = ci.doFinal(cipherText, 0, cipherText.length,
                     recoveredText);
@@ -174,12 +163,14 @@ public class Dynamic {
 
             result = Arrays.equals(plainText, tmp);
         } catch (NoSuchAlgorithmException nsaEx) {
-            nsaEx.printStackTrace();
             // CFB7 and OFB150 are negative test,SunJCE not support this
             // algorithm
             result = mo.equalsIgnoreCase("CFB7")
                     || mo.equalsIgnoreCase("OFB150");
-
+            if (!result) {
+                // only report unexpected exception
+                nsaEx.printStackTrace();
+            }
         }
         return result;
     }

test/com/sun/crypto/provider/Cipher/Blowfish/TestCipherBlowfish.java

 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -42,7 +42,7 @@ public class TestCipherBlowfish extends TestCipher {
                     "OFB", "OFB8", "OFB16", "OFB24", "OFB32", "OFB40", "OFB48", "OFB56",
                     "OFB64"},
                 new String[]{"NoPaDDing", "PKCS5Padding"},
-                true);
+                32, 448);
     }
 
     public static void main(String[] args) throws Exception {

test/com/sun/crypto/provider/Cipher/PBE/PBESameBuffer/AESPBEWrapper.java

 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@
 import java.io.PrintStream;
 import java.security.AlgorithmParameters;
 import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
 import javax.crypto.Cipher;
 import javax.crypto.SecretKeyFactory;
@@ -69,6 +70,15 @@ public class AESPBEWrapper extends PBEWrapper {
      */
     @Override
     public boolean execute(int edMode, byte[] inputText, int offset, int len) {
+        boolean isUnlimited;
+        try {
+            isUnlimited =
+                (Cipher.getMaxAllowedKeyLength(this.algo) == Integer.MAX_VALUE);
+        } catch (NoSuchAlgorithmException nsae) {
+            out.println("Got unexpected exception for " + this.algo);
+            nsae.printStackTrace(out);
+            return false;
+        }
         try {
             // init Cipher
             if (Cipher.ENCRYPT_MODE == edMode) {
@@ -78,6 +88,11 @@ public class AESPBEWrapper extends PBEWrapper {
                 ci.init(Cipher.DECRYPT_MODE, this.key, pbeParams);
             }
 
+            if (this.algo.endsWith("AES_256") && !isUnlimited) {
+                out.print("Expected exception not thrown for " + this.algo);
+                return false;
+            }
+
             // First, generate the cipherText at an allocated buffer
             byte[] outputText = ci.doFinal(inputText, offset, len);
 
@@ -86,29 +101,19 @@ public class AESPBEWrapper extends PBEWrapper {
             int off = ci.update(inputText, offset, len, inputText, myoff);
             ci.doFinal(inputText, myoff + off);
 
-            if (this.algo.endsWith("AES_256")) {
-                out.print("Expected exception uncaught, "
-                        + "keyStrength > 128 within " + this.algo);
-
-                return false;
-            }
-
             // Compare to see whether the two results are the same or not
             return equalsBlock(inputText, myoff, outputText, 0,
                     outputText.length);
         } catch (Exception ex) {
             if ((ex instanceof InvalidKeyException)
-                    && this.algo.endsWith("AES_256")) {
-                out.println("Expected InvalidKeyException exception: "
-                        + ex.getMessage());
-
+                    && this.algo.endsWith("AES_256") && !isUnlimited) {
+                out.println("Expected InvalidKeyException thrown");
                 return true;
+            } else {
+                out.println("Got unexpected exception for " + algo);
+                ex.printStackTrace(out);
+                return false;
             }
-
-            out.println("Catch unexpected exception within " + algo);
-            ex.printStackTrace(out);
-
-            return false;
         }
     }
 }

test/com/sun/crypto/provider/Cipher/PBE/PBESameBuffer/PBECipherWrapper.java

 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,7 @@ import java.security.spec.AlgorithmParameterSpec;
 import java.util.StringTokenizer;
 
 import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
 
 import java.io.PrintStream;
@@ -64,9 +65,25 @@ public class PBECipherWrapper extends PBEWrapper {
         StringTokenizer st = new StringTokenizer(algo, "/");
         String baseAlgo = st.nextToken().toUpperCase();
 
+        boolean isUnlimited;
+        try {
+            isUnlimited =
+                (Cipher.getMaxAllowedKeyLength(this.algo) == Integer.MAX_VALUE);
+        } catch (NoSuchAlgorithmException nsae) {
+            out.println("Got unexpected exception for " + this.algo);
+            nsae.printStackTrace(out);
+            return false;
+        }
+
         // Perform encryption or decryption depends on the specified edMode
         try {
             ci.init(edMode, key, aps);
+            if ((baseAlgo.endsWith("TRIPLEDES")
+                    || baseAlgo.endsWith("AES_256")) && !isUnlimited) {
+                out.print("Expected InvalidKeyException not thrown: "
+                    + this.algo);
+                return false;
+            }
 
             // First, generate the cipherText at an allocated buffer
             byte[] outputText = ci.doFinal(inputText, offset, len);
@@ -78,33 +95,24 @@ public class PBECipherWrapper extends PBEWrapper {
 
             ci.doFinal(inputText, myoff + off);
 
-            if (baseAlgo.endsWith("TRIPLEDES")
-                    || baseAlgo.endsWith("AES_256")) {
-                out.print("Expected exception uncaught,"
-                        + "keyStrength > 128 within " + this.algo);
-
-                return false;
-            }
-
             // Compare to see whether the two results are the same or not
             boolean result = equalsBlock(inputText, myoff, outputText, 0,
                     outputText.length);
 
             return result;
         } catch (Exception ex) {
-            if ((ex instanceof InvalidKeyException)
-                    && (baseAlgo.endsWith("TRIPLEDES")
-                    || baseAlgo.endsWith("AES_256"))) {
-                out.println("Expected InvalidKeyException exception: "
-                        + ex.getMessage());
-
+            if ((ex instanceof InvalidKeyException) &&
+                    (baseAlgo.endsWith("TRIPLEDES")
+                        || baseAlgo.endsWith("AES_256")) &&
+                !isUnlimited) {
+                out.println("Expected InvalidKeyException thrown for "
+                    + algo);
                 return true;
+            } else {
+                out.println("Got unexpected exception for " + algo);
+                ex.printStackTrace(out);
+                return false;
             }
-
-            out.println("Catch unexpected exception within " + algo);
-            ex.printStackTrace(out);
-
-            return false;
         }
     }
 }

test/com/sun/crypto/provider/Cipher/PBE/TestCipherKeyWrapperPBEKey.java

 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -119,6 +119,9 @@ public class TestCipherKeyWrapperPBEKey {
                 = new StringTokenizer(algo, "/").nextToken().toUpperCase();
         boolean isAES = baseAlgo.contains("AES");
 
+        boolean isUnlimited =
+            (Cipher.getMaxAllowedKeyLength(algo) == Integer.MAX_VALUE);
+
         try {
             // Initialization
             new Random().nextBytes(salt);
@@ -128,7 +131,6 @@ public class TestCipherKeyWrapperPBEKey {
             SecretKey key = skf.generateSecret(new PBEKeySpec(
                     "Secret Key".toCharArray()));
             Cipher ci = Cipher.getInstance(algo);
-
             if (isAES) {
                 ci.init(Cipher.WRAP_MODE, key);
                 pbeParams = ci.getParameters();
@@ -145,10 +147,10 @@ public class TestCipherKeyWrapperPBEKey {
 
             Key unwrappedKey = ci.unwrap(keyWrapper, algo, Cipher.SECRET_KEY);
 
-            if (baseAlgo.endsWith("TRIPLEDES")
-                    || baseAlgo.endsWith("AES_256")) {
+            if ((baseAlgo.endsWith("TRIPLEDES")
+                    || baseAlgo.endsWith("AES_256")) && !isUnlimited) {
                 out.print(
-                        "InvalidKeyException not thrown when keyStrength > 128");
+                        "Expected InvalidKeyException not thrown");
                 return false;
             }
 
@@ -157,8 +159,9 @@ public class TestCipherKeyWrapperPBEKey {
         } catch (InvalidKeyException ex) {
 
             if ((baseAlgo.endsWith("TRIPLEDES")
-                    || baseAlgo.endsWith("AES_256"))) {
-                out.println("Expected InvalidKeyException, keyStrength > 128");
+                    || baseAlgo.endsWith("AES_256")) && !isUnlimited) {
+                out.print(
+                        "Expected InvalidKeyException thrown");
                 return true;
             } else {
                 throw ex;

test/com/sun/crypto/provider/Cipher/PBE/TestCipherPBE.java

 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -79,6 +79,9 @@ public class TestCipherPBE {
 
         out.println("=> Testing: " + algorithm);
 
+        boolean isUnlimited =
+            (Cipher.getMaxAllowedKeyLength(algorithm) == Integer.MAX_VALUE);
+
         try {
             // Initialization
             AlgorithmParameterSpec algoParamSpec
@@ -98,9 +101,9 @@ public class TestCipherPBE {
             ci.init(Cipher.DECRYPT_MODE, secretKey, algoParamSpec);
             byte[] recoveredText = ci.doFinal(cipherText);
 
-            if (algorithm.contains("TripleDES")) {
+            if (algorithm.contains("TripleDES") && !isUnlimited) {
                 throw new RuntimeException(
-                        "Expected InvalidKeyException exception uncaugh");
+                        "Expected InvalidKeyException not thrown");
             }
 
             // Comparison
@@ -110,8 +113,8 @@ public class TestCipherPBE {
             }
             out.println("Test Passed.");
         } catch (InvalidKeyException ex) {
-            if (algorithm.contains("TripleDES")) {
-                out.println("Expected InvalidKeyException raised");
+            if (algorithm.contains("TripleDES") && !isUnlimited) {
+                out.println("Expected InvalidKeyException thrown");
             } else {
                 throw new RuntimeException(ex);
             }

test/com/sun/crypto/provider/Cipher/TestCipher.java

@@ -49,14 +49,13 @@ public abstract class TestCipher {
     private final String[] MODES;
     private final String[] PADDINGS;
 
-    /* Used to test cipher with different key strengths
-       Key size tested is increment of KEYCUTTER from MINIMUM_KEY_SIZE to
-       maximum allowed keysize.
-       DES/DESede/Blowfish work with currently selected key sizes.
+    /* Used to test variable-key-length ciphers:
+       Key size tested is increment of KEYCUTTER from minKeySize
+       to min(maxKeySize, Cipher.getMaxAllowedKeyLength(algo)).
     */
-    private final int variousKeySize;
     private final int KEYCUTTER = 8;
-    private final int MINIMUM_KEY_SIZE = 32;
+    private final int minKeySize;
+    private final int maxKeySize;
 
     // Used to assert that Encryption/Decryption works with same buffer
     // TEXT_LEN is multiple of blocks in order to work against ciphers w/ NoPadding
@@ -68,23 +67,28 @@ public abstract class TestCipher {
     private final byte[] IV;
     private final byte[] INPUT_TEXT;
 
+    // for variable-key-length ciphers
     TestCipher(String algo, String[] modes, String[] paddings,
-            boolean keyStrength) throws NoSuchAlgorithmException {
+            int minKeySize, int maxKeySize) throws NoSuchAlgorithmException {
         ALGORITHM = algo;
         MODES = modes;
         PADDINGS = paddings;
-        this.variousKeySize
-                = keyStrength ? Cipher.getMaxAllowedKeyLength(ALGORITHM) : 0;
-
+        this.minKeySize = minKeySize;
+        int maxAllowedKeySize = Cipher.getMaxAllowedKeyLength(ALGORITHM);
+        if (maxKeySize > maxAllowedKeySize) {
+            maxKeySize = maxAllowedKeySize;
+        }
+        this.maxKeySize = maxKeySize;
         IV = generateBytes(8);
         INPUT_TEXT = generateBytes(TEXT_LEN + PAD_BYTES + ENC_OFFSET);
     }
 
+    // for fixed-key-length ciphers
     TestCipher(String algo, String[] modes, String[] paddings) {
         ALGORITHM = algo;
         MODES = modes;
         PADDINGS = paddings;
-        variousKeySize = 0;
+        this.minKeySize = this.maxKeySize = 0;
 
         IV = generateBytes(8);
         INPUT_TEXT = generateBytes(TEXT_LEN + PAD_BYTES + ENC_OFFSET);
@@ -98,8 +102,8 @@ public abstract class TestCipher {
         return bytes;
     }
 
-    private boolean isKeyStrenthSupported() {
-        return (variousKeySize != 0);
+    private boolean isMultipleKeyLengthSupported() {
+        return (maxKeySize != minKeySize);
     }
 
     public void runAll() throws InvalidKeyException,
@@ -110,11 +114,11 @@ public abstract class TestCipher {
 
         for (String mode : MODES) {
             for (String padding : PADDINGS) {
-                if (!isKeyStrenthSupported()) {
-                    runTest(mode, padding, 0);
+                if (!isMultipleKeyLengthSupported()) {
+                    runTest(mode, padding, minKeySize);
                 } else {
-                    int keySize = variousKeySize;
-                    while (keySize >= MINIMUM_KEY_SIZE) {
+                    int keySize = maxKeySize;
+                    while (keySize >= minKeySize) {
                         out.println("With Key Strength: " + keySize);
                         runTest(mode, padding, keySize);
                         keySize -= KEYCUTTER;
@@ -139,6 +143,7 @@ public abstract class TestCipher {
         if (keySize != 0) {
             kg.init(keySize);
         }
+
         SecretKey key = kg.generateKey();
         SecretKeySpec skeySpec = new SecretKeySpec(key.getEncoded(), ALGORITHM);
 
@@ -150,7 +155,6 @@ public abstract class TestCipher {
         }
 
         // Encryption
-
         byte[] plainText = INPUT_TEXT.clone();
 
         // Generate cipher and save to separate buffer

test/javax/crypto/CryptoPermission/CryptoPolicyFallback.java

+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8169335
+ * @summary Add a crypto policy fallback in case Security Property
+ * 'crypto.policy' does not exist.
+ * @run main/othervm CryptoPolicyFallback
+ */
+import java.io.*;
+import java.nio.file.*;
+import java.util.stream.*;
+import javax.crypto.*;
+
+/*
+ * Take the current java.security file, strip out the 'crypto.policy' entry,
+ * write to a new file in the current directory, then use that file as the
+ * replacement java.security file.  This test will fail if the crypto.policy
+ * entry doesn't match the compiled in value.
+ */
+public class CryptoPolicyFallback {
+
+    private static final String FILENAME = "java.security";
+
+    public static void main(String[] args) throws Exception {
+
+        String javaHome = System.getProperty("java.home");
+
+        Path path = Paths.get(javaHome, "lib", "security", FILENAME);
+
+        /*
+         * Get the default value.
+         */
+        String defaultPolicy;
+        try (Stream<String> lines = Files.lines(path)) {
+            /*
+             * If the input java.security file is malformed
+             * (missing crypto.policy, attribute/no value, etc), throw
+             * exception.  split() might throw AIOOB which
+             * is ok behavior.
+             */
+             String s = lines.filter(x -> x.startsWith("crypto.policy="))
+                    .findFirst().orElse("");
+             if (!s.isEmpty()) {
+                 defaultPolicy = s.split("=")[1].trim();
+             } else {
+                 defaultPolicy = s;
+             }
+        }
+
+        /*
+         * We know there is at least one crypto.policy entry, strip
+         * all of them out of the java.security file.
+         */
+        try (PrintWriter out = new PrintWriter(FILENAME);
+                Stream<String> lines = Files.lines(path)) {
+            lines.filter(x -> !x.trim().startsWith("crypto.policy="))
+                    .forEach(out::println);
+        }
+
+        /*
+         * "-Djava.security.properties==file" does a complete replacement
+         * of the system java.security file.  i.e. value must be "=file"
+         */
+        System.setProperty("java.security.properties", "=" + FILENAME);
+
+        /*
+         * Find out expected value.
+         */
+        int expected;
+        switch (defaultPolicy) {
+        case "limited":
+            expected = 128;
+            break;
+        case "":
+        case "unlimited":
+            expected = Integer.MAX_VALUE;
+            break;
+        default:
+            throw new Exception(
+                    "Unexpected Default Policy Value: " + defaultPolicy);
+        }
+
+        /*
+         * Do the actual check.  If the JCE Framework can't initialize
+         * an Exception is normally thrown here.
+         */
+        int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
+
+        System.out.println("Default Policy: " + defaultPolicy
+                + "\nExpected max AES key length: " + expected
+                + ", received : " + maxKeyLen);
+
+        if (expected != maxKeyLen) {
+            throw new Exception("Wrong Key Length size!");
+        }
+
+        System.out.println("PASSED!");
+    }
+}

test/javax/crypto/CryptoPermission/TestUnlimited.java

@@ -25,12 +25,13 @@
 
 /**
  * @test
- * @bug 8157561
- * @summary Ship the unlimited policy files in JDK Updates
+ * @bug 8061842
+ * @summary Package jurisdiction policy files as something other than JAR
+ * @run main/othervm TestUnlimited use_default default
  * @run main/othervm TestUnlimited "" exception
- * @run main/othervm TestUnlimited limited fail
- * @run main/othervm TestUnlimited unlimited pass
- * @run main/othervm TestUnlimited unlimited/ pass
+ * @run main/othervm TestUnlimited limited limited
+ * @run main/othervm TestUnlimited unlimited unlimited
+ * @run main/othervm TestUnlimited unlimited/ unlimited
  * @run main/othervm TestUnlimited NosuchDir exception
  * @run main/othervm TestUnlimited . exception
  * @run main/othervm TestUnlimited /tmp/unlimited exception
@@ -40,9 +41,39 @@
  */
 import javax.crypto.*;
 import java.security.Security;
+import java.nio.file.*;
+import java.util.stream.*;
 
 public class TestUnlimited {
 
+    private enum Result {
+        UNLIMITED,
+        LIMITED,
+        EXCEPTION,
+        UNKNOWN
+    };
+
+    /*
+     * Grab the default policy entry from java.security.
+     *
+     * If the input java.security file is malformed
+     * (missing crypto.policy, attribute/no value, etc), throw
+     * exception.  split() might throw AIOOB which
+     * is ok behavior.
+     */
+    private static String getDefaultPolicy() throws Exception {
+        String javaHome = System.getProperty("java.home");
+        Path path = Paths.get(javaHome, "lib", "security", "java.security");
+
+        try (Stream<String> lines = Files.lines(path)) {
+            String s = lines.filter(x -> x.startsWith("crypto.policy="))
+                    .findFirst().orElse("");
+            if (!s.isEmpty())
+                return s.split("=")[1].trim();
+            return s;
+        }
+    }
+
     public static void main(String[] args) throws Exception {
         /*
          * Override the Security property to allow for unlimited policy.
@@ -53,16 +84,38 @@ public class TestUnlimited {
             throw new Exception("Two args required");
         }
 
-        boolean expected = args[1].equals("pass");
-        boolean exception = args[1].equals("exception");
-        boolean result = false;
+        String testStr = args[0];
+        String expectedStr = args[1];
+        if (testStr.equals("use_default")) {
+            expectedStr = getDefaultPolicy();
+        }
+
+        Result expected = Result.UNKNOWN;  // avoid NPE warnings
+        Result result;
 
-        System.out.println("Testing: " + args[0]);
+        switch (expectedStr) {
+        case "":
+        case "unlimited":
+            expected = Result.UNLIMITED;
+            break;
+        case "limited":
+            expected = Result.LIMITED;
+            break;
+        case "exception":
+            expected = Result.EXCEPTION;
+            break;
+        default:
+            throw new Exception("Unexpected argument");
+        }
 
-        if (args[0].equals("\"\"")) {
+        System.out.println("Testing: " + testStr);
+        if (testStr.equals("\"\"")) {
             Security.setProperty("crypto.policy", "");
         } else {
-            Security.setProperty("crypto.policy", args[0]);
+            // skip default case.
+            if (!testStr.equals("use_default")) {
+                Security.setProperty("crypto.policy", testStr);
+            }
         }
 
         /*
@@ -74,21 +127,20 @@ public class TestUnlimited {
             System.out.println("max AES key len:" + maxKeyLen);
             if (maxKeyLen > 128) {
                 System.out.println("Unlimited policy is active");
-                result = true;
+                result = Result.UNLIMITED;
             } else {
                 System.out.println("Unlimited policy is NOT active");
-                result = false;
+                result = Result.LIMITED;
             }
         } catch (Throwable e) {
-            if (!exception) {
-                throw new Exception();
-            }
+            //ExceptionInInitializerError's
+            result = Result.EXCEPTION;
         }
 
         System.out.println(
                 "Expected:\t" + expected + "\nResult:\t\t" + result);
-        if (expected != result) {
-            throw new Exception();
+        if (!expected.equals(result)) {
+            throw new Exception("Didn't match");
         }
 
         System.out.println("DONE!");

test/sun/security/ssl/SSLSocketImpl/SSLSocketCloseHang.java

+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8184328
+ * @summary JDK8u131-b34-socketRead0 hang at SSL read
+ * @run main/othervm SSLSocketCloseHang
+ */
+
+import java.io.*;
+import java.net.*;
+import java.util.*;
+import java.security.*;
+import javax.net.ssl.*;
+
+public class SSLSocketCloseHang {
+
+    /*
+     * =============================================================
+     * Set the various variables needed for the tests, then
+     * specify what tests to run on each side.
+     */
+
+    /*
+     * Should we run the client or server in a separate thread?
+     * Both sides can throw exceptions, but do you have a preference
+     * as to which side should be the main thread.
+     */
+    static boolean separateServerThread = true;
+
+    /*
+     * Where do we find the keystores?
+     */
+    static String pathToStores = "../../../../sun/security/ssl/etc";
+    static String keyStoreFile = "keystore";
+    static String trustStoreFile = "truststore";
+    static String passwd = "passphrase";
+
+    /*
+     * Is the server ready to serve?
+     */
+    volatile static boolean serverReady = false;
+
+    /*
+     * Was the client responsible for closing the socket
+     */
+    volatile static boolean clientClosed = false;
+
+    /*
+     * Turn on SSL debugging?
+     */
+    static boolean debug = false;
+
+    /*
+     * If the client or server is doing some kind of object creation
+     * that the other side depends on, and that thread prematurely
+     * exits, you may experience a hang.  The test harness will
+     * terminate all hung threads after its timeout has expired,
+     * currently 3 minutes by default, but you might try to be
+     * smart about it....
+     */
+
+    /*
+     * Define the server side of the test.
+     *
+     * If the server prematurely exits, serverReady will be set to true
+     * to avoid infinite hangs.
+     */
+    void doServerSide() throws Exception {
+        SSLServerSocketFactory sslssf =
+            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
+        SSLServerSocket sslServerSocket =
+            (SSLServerSocket) sslssf.createServerSocket(serverPort);
+
+        serverPort = sslServerSocket.getLocalPort();
+
+        /*
+         * Signal Client, we're ready for his connect.
+         */
+        serverReady = true;
+
+        SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
+        sslSocket.startHandshake();
+        while (!clientClosed) {
+            Thread.sleep(500);
+        }
+    }
+
+    /*
+     * Define the client side of the test.
+     *
+     * If the server prematurely exits, serverReady will be set to true
+     * to avoid infinite hangs.
+     */
+    void doClientSide() throws Exception {
+        boolean caught = false;
+
+        /*
+         * Wait for server to get started.
+         */
+        System.out.println("waiting on server");
+        while (!serverReady) {
+            Thread.sleep(50);
+        }
+        System.out.println("server ready");
+
+        Socket baseSocket = new Socket("localhost", serverPort);
+        baseSocket.setSoTimeout(100);
+
+        SSLSocketFactory sslsf =
+            (SSLSocketFactory) SSLSocketFactory.getDefault();
+        SSLSocket sslSocket = (SSLSocket)
+            sslsf.createSocket(baseSocket, "localhost", serverPort, false);
+
+        // handshaking
+        sslSocket.startHandshake();
+        System.out.println("handshake done");
+
+        Thread.sleep(500);
+        System.out.println("client closing");
+
+        sslSocket.close();
+        clientClosed = true;
+        System.out.println("client closed");
+    }
+
+    /*
+     * =============================================================
+     * The remainder is just support stuff
+     */
+
+    // use any free port by default
+    volatile int serverPort = 0;
+
+    volatile Exception serverException = null;
+    volatile Exception clientException = null;
+
+    volatile byte[] serverDigest = null;
+
+    public static void main(String[] args) throws Exception {
+        String keyFilename =
+            System.getProperty("test.src", "./") + "/" + pathToStores +
+                "/" + keyStoreFile;
+        String trustFilename =
+            System.getProperty("test.src", "./") + "/" + pathToStores +
+                "/" + trustStoreFile;
+
+        System.setProperty("javax.net.ssl.keyStore", keyFilename);
+        System.setProperty("javax.net.ssl.keyStorePassword", passwd);
+        System.setProperty("javax.net.ssl.trustStore", trustFilename);
+        System.setProperty("javax.net.ssl.trustStorePassword", passwd);
+
+        if (debug)
+            System.setProperty("javax.net.debug", "all");
+
+        /*
+         * Start the tests.
+         */
+        new SSLSocketCloseHang();
+    }
+
+    Thread clientThread = null;
+    Thread serverThread = null;
+
+    /*
+     * Primary constructor, used to drive remainder of the test.
+     *
+     * Fork off the other side, then do your work.
+     */
+    SSLSocketCloseHang() throws Exception {
+        if (separateServerThread) {
+            startServer(true);
+            startClient(false);
+        } else {
+            startClient(true);
+            startServer(false);
+        }
+
+        /*
+         * Wait for other side to close down.
+         */
+        if (separateServerThread) {
+            serverThread.join();
+        } else {
+            clientThread.join();
+        }
+
+        /*
+         * When we get here, the test is pretty much over.
+         *
+         * If the main thread excepted, that propagates back
+         * immediately.  If the other thread threw an exception, we
+         * should report back.
+         */
+        if (serverException != null) {
+            System.out.print("Server Exception:");
+            throw serverException;
+        }
+        if (clientException != null) {
+            System.out.print("Client Exception:");
+            throw clientException;
+        }
+    }
+
+    void startServer(boolean newThread) throws Exception {
+        if (newThread) {
+            serverThread = new Thread() {
+                public void run() {
+                    try {
+                        doServerSide();
+                    } catch (Exception e) {
+                        /*
+                         * Our server thread just died.
+                         *
+                         * Release the client, if not active already...
+                         */
+                        System.err.println("Server died...");
+                        System.err.println(e);
+                        serverReady = true;
+                        serverException = e;
+                    }
+                }
+            };
+            serverThread.start();
+        } else {
+            doServerSide();
+        }
+    }
+
+    void startClient(boolean newThread) throws Exception {
+        if (newThread) {
+            clientThread = new Thread() {
+                public void run() {
+                    try {
+                        doClientSide();
+                    } catch (Exception e) {
+                        /*
+                         * Our client thread just died.
+                         */
+                        System.err.println("Client died...");
+                        clientException = e;
+                    }
+                }
+            };
+            clientThread.start();
+        } else {
+            doClientSide();
+        }
+    }
+}