Merge

cb5c062e · asaha · 11fa7d56 · 7b68fc6e · cb5c062e · cb5c062e
11 changed file
--- a/.hgtags
+++ b/.hgtags
@@ -862,6 +862,7 @@ f1792a59f1fa20e47fe5d4561754012440564bec jdk8u171-b01
 cac020298633fc736f5e21afddf00145665ef0a7 jdk8u171-b02
 c260afc0c5a13407aad4f066f81fba814bb0cbae jdk8u171-b03
 ac700f67341a20ddae093c319da1c65e41edcacd jdk8u171-b04
+863ef3413aa42c15fbdc14fef6732f2741f97046 jdk8u171-b05
 64df143be721d3ef031d765d86277c1e114d627a jdk8u172-b00
 25f7b0cd25cf13106783050fc8e6f4a78487a7bd jdk8u172-b01
 db8272cb8c99eea536a66c4c368c4bf2bf013a81 jdk8u172-b02

--- a/src/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java
+++ b/src/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java
@@ -473,6 +473,9 @@ public final class DESedeWrapCipher extends CipherSpi {
        } catch (InvalidKeyException ike) {
            // should never happen
            throw new RuntimeException("Internal cipher key is corrupted");
+        } catch (InvalidAlgorithmParameterException iape) {
+            // should never happen
+            throw new RuntimeException("Internal cipher IV is invalid");
        }
        byte[] out2 = new byte[out.length];
        cipher.encrypt(out, 0, out.length, out2, 0);
@@ -484,6 +487,9 @@ public final class DESedeWrapCipher extends CipherSpi {
        } catch (InvalidKeyException ike) {
            // should never happen
            throw new RuntimeException("Internal cipher key is corrupted");
+        } catch (InvalidAlgorithmParameterException iape) {
+            // should never happen
+            throw new RuntimeException("Internal cipher IV is invalid");
        }
        return out2;
    }
@@ -527,8 +533,12 @@ public final class DESedeWrapCipher extends CipherSpi {
        }
        iv = new byte[IV_LEN];
        System.arraycopy(buffer, 0, iv, 0, iv.length);
-        cipher.init(true, cipherKey.getAlgorithm(), cipherKey.getEncoded(),
+        try {
+            cipher.init(true, cipherKey.getAlgorithm(), cipherKey.getEncoded(),
                    iv);
+        } catch (InvalidAlgorithmParameterException iape) {
+            throw new InvalidKeyException("IV in wrapped key is invalid");
+        }
        byte[] buffer2 = new byte[buffer.length - iv.length];
        cipher.decrypt(buffer, iv.length, buffer2.length,
                       buffer2, 0);
@@ -541,8 +551,12 @@ public final class DESedeWrapCipher extends CipherSpi {
            }
        }
        // restore cipher state to prior to this call
-        cipher.init(decrypting, cipherKey.getAlgorithm(),
+        try {
+          cipher.init(decrypting, cipherKey.getAlgorithm(),
                    cipherKey.getEncoded(), IV2);
+        } catch (InvalidAlgorithmParameterException iape) {
+            throw new InvalidKeyException("IV in wrapped key is invalid");
+        }
        byte[] out = new byte[keyValLen];
        System.arraycopy(buffer2, 0, out, 0, keyValLen);
        return ConstructKeys.constructKey(out, wrappedKeyAlgorithm,

--- a/src/share/classes/com/sun/crypto/provider/FeedbackCipher.java
+++ b/src/share/classes/com/sun/crypto/provider/FeedbackCipher.java
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 package com.sun.crypto.provider;

 import java.security.InvalidKeyException;
+import java.security.InvalidAlgorithmParameterException;
 import javax.crypto.*;

 /**
@@ -99,7 +100,8 @@ abstract class FeedbackCipher {
     * initializing this cipher
     */
    abstract void init(boolean decrypting, String algorithm, byte[] key,
-                       byte[] iv) throws InvalidKeyException;
+                       byte[] iv) throws InvalidKeyException,
+                                         InvalidAlgorithmParameterException;

   /**
     * Gets the initialization vector.

--- a/src/share/classes/com/sun/crypto/provider/GaloisCounterMode.java
+++ b/src/share/classes/com/sun/crypto/provider/GaloisCounterMode.java
 /*
- * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -262,8 +262,9 @@ final class GaloisCounterMode extends FeedbackCipher {
     * @exception InvalidKeyException if the given key is inappropriate for
     * initializing this cipher
     */
+    @Override
    void init(boolean decrypting, String algorithm, byte[] key, byte[] iv)
-            throws InvalidKeyException {
+            throws InvalidKeyException, InvalidAlgorithmParameterException {
        init(decrypting, algorithm, key, iv, DEFAULT_TAG_LEN);
    }

@@ -282,10 +283,16 @@ final class GaloisCounterMode extends FeedbackCipher {
     */
    void init(boolean decrypting, String algorithm, byte[] keyValue,
              byte[] ivValue, int tagLenBytes)
-              throws InvalidKeyException {
-        if (keyValue == null || ivValue == null) {
+              throws InvalidKeyException, InvalidAlgorithmParameterException {
+        if (keyValue == null) {
            throw new InvalidKeyException("Internal error");
        }
+        if (ivValue == null) {
+            throw new InvalidAlgorithmParameterException("Internal error");
+        }
+        if (ivValue.length == 0) {
+            throw new InvalidAlgorithmParameterException("IV is empty");
+        }

        // always encrypt mode for embedded cipher
        this.embeddedCipher.init(false, algorithm, keyValue);

--- a/src/share/lib/security/java.security-aix
+++ b/src/share/lib/security/java.security-aix
@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, DES40_CBC, RC4_40
+    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

--- a/src/share/lib/security/java.security-linux
+++ b/src/share/lib/security/java.security-linux
@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, DES40_CBC, RC4_40
+    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

--- a/src/share/lib/security/java.security-macosx
+++ b/src/share/lib/security/java.security-macosx
@@ -623,7 +623,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, DES40_CBC, RC4_40
+    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

--- a/src/share/lib/security/java.security-solaris
+++ b/src/share/lib/security/java.security-solaris
@@ -622,7 +622,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, DES40_CBC, RC4_40
+    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

--- a/src/share/lib/security/java.security-windows
+++ b/src/share/lib/security/java.security-windows
@@ -623,7 +623,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, DES40_CBC, RC4_40
+    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

--- a/test/sun/security/ssl/sun/net/www/protocol/https/NewImpl/ComHostnameVerifier.java
+++ b/test/sun/security/ssl/sun/net/www/protocol/https/NewImpl/ComHostnameVerifier.java
 /*
- * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -21,21 +21,20 @@
 * questions.
 */

+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+
 /*
 * @test
- * @bug 4474255
- * @test 1.1 01/06/27
- * @bug 4484246
+ * @bug 4474255 4484246
 * @summary When an application enables anonymous SSL cipher suite,
 *        Hostname verification is not required
 * @run main/othervm ComHostnameVerifier
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
 */

 import java.io.*;
 import java.net.*;
+import java.security.Security;
 import javax.net.ssl.*;
 import javax.security.cert.*;
 import com.sun.net.ssl.HostnameVerifier;
@@ -249,6 +248,8 @@ public class ComHostnameVerifier {
    volatile Exception clientException = null;

    public static void main(String[] args) throws Exception {
+        // re-enable 3DES
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");

        if (debug)
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/sun/net/www/protocol/https/NewImpl/JavaxHostnameVerifier.java
+++ b/test/sun/security/ssl/sun/net/www/protocol/https/NewImpl/JavaxHostnameVerifier.java
 /*
- * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -21,21 +21,20 @@
 * questions.
 */

+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+
 /*
 * @test
- * @bug 4474255
- * @test 1.1 01/06/27
- * @bug 4484246
+ * @bug 4474255 4484246
 * @summary When an application enables anonymous SSL cipher suite,
 *        Hostname verification is not required
 * @run main/othervm JavaxHostnameVerifier
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
 */

 import java.io.*;
 import java.net.*;
+import java.security.Security;
 import java.security.cert.*;
 import javax.net.ssl.*;

@@ -244,6 +243,8 @@ public class JavaxHostnameVerifier {
    volatile Exception clientException = null;

    public static void main(String[] args) throws Exception {
+        // re-enable 3DES
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");

        if (debug)
            System.setProperty("javax.net.debug", "all");