changeset 10994:e5171238515c

Merge
author asaha
date Fri, 29 May 2015 10:15:38 -0700
parents f7a249818b71 192bda44c0c4
children ec8f5229c8e9
files .hgtags src/macosx/classes/sun/lwawt/macosx/CEmbeddedFrame.java src/share/classes/com/sun/crypto/provider/PBEKey.java src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java src/share/classes/javax/crypto/spec/SecretKeySpec.java src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java src/share/classes/sun/security/ssl/ClientHandshaker.java src/share/classes/sun/security/ssl/HandshakeMessage.java src/share/lib/security/java.security-aix src/share/lib/security/java.security-linux src/share/lib/security/java.security-macosx src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows src/solaris/native/java/net/net_util_md.c test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java test/sun/security/ssl/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
diffstat 98 files changed, 1649 insertions(+), 732 deletions(-) [+]
line wrap: on
line diff
--- a/.hgtags	Wed May 27 13:20:55 2015 -0700
+++ b/.hgtags	Fri May 29 10:15:38 2015 -0700
@@ -353,9 +353,11 @@
 a21dd7999d1e4ba612c951c2c78504d23eb7243a jdk8u31-b11
 6a12f34816d2ee12368274fc21225384a8893426 jdk8u31-b12
 1fbdd5d80d0671decd8acb5adb64866f609e986f jdk8u31-b13
-ced84cf3eebc69f7e04b0098d85dcb3a6b872586 jdk8u31-b31
 367c7f061c5831ee54cd197f727e06109a67875b jdk8u31-b14
 287e3219f3f531b2f20b50b180802a563a782b26 jdk8u31-b15
+ced84cf3eebc69f7e04b0098d85dcb3a6b872586 jdk8u31-b31
+46338075c4262057099e57638e0758817052da0d jdk8u31-b32
+a1c3099e1b90230435e890ca56adc8a5aa5149ff jdk8u31-b33
 e6ed015afbbf3459ba3297e270b4f3170e989c80 jdk8u40-b00
 6e223d48080ef40f4ec11ecbcd19b4a20813b9eb jdk8u40-b01
 4797cd0713b44b009525f1276d571ade7e24f3f5 jdk8u40-b02
@@ -384,6 +386,8 @@
 f0d5cb59b0e6a67fa102465458cc4725c6e59089 jdk8u40-b25
 97f258823d7d8ee0ec7d774b79cd30492520cc10 jdk8u40-b26
 d4453d784fb6c52e4ed998b167588551e2fd43c5 jdk8u40-b27
+5a45234e0fc14ff943e13dc1f8966818acaeb4de jdk8u40-b31
+d8ac13c5eafe422d3425dc1aebebfcdf8ca67e2d jdk8u40-b32
 1ecc234bd38950a2bc047aa253a5e803f0836a4e jdk8u45-b00
 e0c7864bbca3f76cde680722f2ae58dff2bff61d jdk8u45-b01
 9505c0392cddbfb905401e9fccc23262edc3254f jdk8u45-b02
@@ -399,6 +403,24 @@
 6a8f9512afa687632f0a0d881bbdb446d984a74c jdk8u45-b12
 55a75b0db87693e1e186752f553c337cb035a38e jdk8u45-b13
 20e6cadfac43717a81d99daff5e769de695992cd jdk8u45-b14
+7087623dfa7033f8738d537864e4bac6b8528172 jdk8u45-b15
+c7fbbf6133c339fb56f03241de28666774023d5d jdk8u45-b31
+ea547c5a1217fe7916f366950d0e3156e4225aa5 jdk8u45-b32
+ac97b69b88e37c18c1b077be8b1f100b6803fea5 jdk8u51-b00
+2e0732282470f7a02d57af5fc8542efa9db7b3e4 jdk8u51-b01
+cc75137936f9a8e97017e7e18b1064b76238116f jdk8u51-b02
+f732971e3d20664164a3797cf0b1a4cb80470959 jdk8u51-b03
+6d6c0c93e822dc0e37d657060488de934ac2eb4c jdk8u51-b04
+7d9a58baae72804f0852890cf9fc75e6a759b608 jdk8u51-b05
+93e6b2bbc9ff46b3fea1fe89b810259d150a9fc4 jdk8u51-b06
+286b9a885fcc6245fdf2b20697473ec3b35f2538 jdk8u51-b07
+f7da0b943b9381aaf378d0c7b337dd7654335293 jdk8u51-b08
+7e8459e7a45cb5b49de376893e3a95bfa92d0325 jdk8u51-b09
+dcc75a75d3a30270fbf52d0d0b0504319882e419 jdk8u51-b10
+3ed614d4eee7c3225d48ed7c90622dd888cd143e jdk8u51-b11
+0010682d9a2b81daf7c08239161f7c2a91977299 jdk8u51-b12
+217fa7205549d196c60f814bf3fc9795d756f493 jdk8u51-b13
+b7403e15864dc0c1f9740d66af91bddb3e2215e8 jdk8u51-b14
 5c31204d19e5976f025026db3d5c17331e8c44db jdk8u60-b00
 c46daef6edb5385d11876ed40f292a4b62e96867 jdk8u60-b01
 c10fd784956cc7099657181029ac3e790267b678 jdk8u60-b02
--- a/src/macosx/bin/java_md_macosx.c	Wed May 27 13:20:55 2015 -0700
+++ b/src/macosx/bin/java_md_macosx.c	Fri May 29 10:15:38 2015 -0700
@@ -616,7 +616,11 @@
         if (access(libjava, F_OK) == 0) {
             return JNI_TRUE;
         }
-
+        /* ensure storage for path + /jre + NULL */
+        if ((JLI_StrLen(path) + 4 + 1) > pathsize) {
+            JLI_TraceLauncher("Insufficient space to store JRE path\n");
+            return JNI_FALSE;
+        }
         /* Does the app ship a private JRE in <apphome>/jre directory? */
         JLI_Snprintf(libjava, sizeof(libjava), "%s/jre/lib/" JAVA_DLL, path);
         if (access(libjava, F_OK) == 0) {
--- a/src/share/classes/com/sun/crypto/provider/AESCrypt.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/com/sun/crypto/provider/AESCrypt.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -37,7 +37,7 @@
 package com.sun.crypto.provider;
 
 import java.security.InvalidKeyException;
-import java.util.Arrays;
+import java.security.MessageDigest;
 
 /**
  * Rijndael --pronounced Reindaal-- is a symmetric cipher with a 128-bit
@@ -88,7 +88,7 @@
                 key.length + " bytes");
         }
 
-        if (!Arrays.equals(key, lastKey)) {
+        if (!MessageDigest.isEqual(key, lastKey)) {
             // re-generate session key 'sessionK' when cipher key changes
             makeSessionKey(key);
             lastKey = key.clone();  // save cipher key
--- a/src/share/classes/com/sun/crypto/provider/CipherCore.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/com/sun/crypto/provider/CipherCore.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -568,7 +568,7 @@
                 // check key+iv for encryption in GCM mode
                 requireReinit =
                     Arrays.equals(ivBytes, lastEncIv) &&
-                    Arrays.equals(keyBytes, lastEncKey);
+                    MessageDigest.isEqual(keyBytes, lastEncKey);
                 if (requireReinit) {
                     throw new InvalidAlgorithmParameterException
                         ("Cannot reuse iv for GCM encryption");
--- a/src/share/classes/com/sun/crypto/provider/DESKey.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/com/sun/crypto/provider/DESKey.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
 
 package com.sun.crypto.provider;
 
+import java.security.MessageDigest;
 import java.security.KeyRep;
 import java.security.InvalidKeyException;
 import javax.crypto.SecretKey;
@@ -113,7 +114,7 @@
             return false;
 
         byte[] thatKey = ((SecretKey)obj).getEncoded();
-        boolean ret = java.util.Arrays.equals(this.key, thatKey);
+        boolean ret = MessageDigest.isEqual(this.key, thatKey);
         java.util.Arrays.fill(thatKey, (byte)0x00);
         return ret;
     }
--- a/src/share/classes/com/sun/crypto/provider/DESedeKey.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/com/sun/crypto/provider/DESedeKey.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
 
 package com.sun.crypto.provider;
 
+import java.security.MessageDigest;
 import java.security.KeyRep;
 import java.security.InvalidKeyException;
 import javax.crypto.SecretKey;
@@ -114,7 +115,7 @@
             return false;
 
         byte[] thatKey = ((SecretKey)obj).getEncoded();
-        boolean ret = java.util.Arrays.equals(this.key, thatKey);
+        boolean ret = MessageDigest.isEqual(this.key, thatKey);
         java.util.Arrays.fill(thatKey, (byte)0x00);
         return ret;
     }
--- a/src/share/classes/com/sun/crypto/provider/PBEKey.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/com/sun/crypto/provider/PBEKey.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
 
 package com.sun.crypto.provider;
 
+import java.security.MessageDigest;
 import java.security.KeyRep;
 import java.security.spec.InvalidKeySpecException;
 import java.util.Locale;
@@ -108,7 +109,7 @@
             return false;
 
         byte[] thatEncoded = that.getEncoded();
-        boolean ret = java.util.Arrays.equals(this.key, thatEncoded);
+        boolean ret = MessageDigest.isEqual(this.key, thatEncoded);
         java.util.Arrays.fill(thatEncoded, (byte)0x00);
         return ret;
     }
--- a/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@
 import java.nio.CharBuffer;
 import java.nio.charset.Charset;
 import java.util.Arrays;
+import java.security.MessageDigest;
 import java.util.Locale;
 import java.security.KeyRep;
 import java.security.GeneralSecurityException;
@@ -153,7 +154,7 @@
                     SecretKey sk = (SecretKey)obj;
                     return prf.getAlgorithm().equalsIgnoreCase(
                         sk.getAlgorithm()) &&
-                        Arrays.equals(password, sk.getEncoded());
+                        MessageDigest.isEqual(password, sk.getEncoded());
                 }
             };
             prf.init(macKey);
@@ -239,7 +240,7 @@
         if (!(that.getFormat().equalsIgnoreCase("RAW")))
             return false;
         byte[] thatEncoded = that.getEncoded();
-        boolean ret = Arrays.equals(key, that.getEncoded());
+        boolean ret = MessageDigest.isEqual(key, that.getEncoded());
         java.util.Arrays.fill(thatEncoded, (byte)0x00);
         return ret;
     }
--- a/src/share/classes/com/sun/jndi/dns/DnsClient.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/com/sun/jndi/dns/DnsClient.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -184,119 +184,124 @@
         Exception caughtException = null;
         boolean[] doNotRetry = new boolean[servers.length];
 
-        //
-        // The UDP retry strategy is to try the 1st server, and then
-        // each server in order. If no answer, double the timeout
-        // and try each server again.
-        //
-        for (int retry = 0; retry < retries; retry++) {
+        try {
+            //
+            // The UDP retry strategy is to try the 1st server, and then
+            // each server in order. If no answer, double the timeout
+            // and try each server again.
+            //
+            for (int retry = 0; retry < retries; retry++) {
 
-            // Try each name server.
-            for (int i = 0; i < servers.length; i++) {
-                if (doNotRetry[i]) {
-                    continue;
-                }
-
-                // send the request packet and wait for a response.
-                try {
-                    if (debug) {
-                        dprint("SEND ID (" + (retry + 1) + "): " + xid);
+                // Try each name server.
+                for (int i = 0; i < servers.length; i++) {
+                    if (doNotRetry[i]) {
+                        continue;
                     }
 
-                    byte[] msg = null;
-                    msg = doUdpQuery(pkt, servers[i], serverPorts[i],
-                                        retry, xid);
-                    //
-                    // If the matching response is not got within the
-                    // given timeout, check if the response was enqueued
-                    // by some other thread, if not proceed with the next
-                    // server or retry.
-                    //
-                    if (msg == null) {
-                        if (resps.size() > 0) {
-                            msg = lookupResponse(xid);
+                    // send the request packet and wait for a response.
+                    try {
+                        if (debug) {
+                            dprint("SEND ID (" + (retry + 1) + "): " + xid);
                         }
-                        if (msg == null) { // try next server or retry
+
+                        byte[] msg = null;
+                        msg = doUdpQuery(pkt, servers[i], serverPorts[i],
+                                            retry, xid);
+                        //
+                        // If the matching response is not got within the
+                        // given timeout, check if the response was enqueued
+                        // by some other thread, if not proceed with the next
+                        // server or retry.
+                        //
+                        if (msg == null) {
+                            if (resps.size() > 0) {
+                                msg = lookupResponse(xid);
+                            }
+                            if (msg == null) { // try next server or retry
+                                continue;
+                            }
+                        }
+                        Header hdr = new Header(msg, msg.length);
+
+                        if (auth && !hdr.authoritative) {
+                            caughtException = new NameNotFoundException(
+                                    "DNS response not authoritative");
+                            doNotRetry[i] = true;
                             continue;
                         }
-                    }
-                    Header hdr = new Header(msg, msg.length);
+                        if (hdr.truncated) {  // message is truncated -- try TCP
 
-                    if (auth && !hdr.authoritative) {
-                        caughtException = new NameNotFoundException(
-                                "DNS response not authoritative");
-                        doNotRetry[i] = true;
-                        continue;
-                    }
-                    if (hdr.truncated) {    // message is truncated -- try TCP
+                            // Try each server, starting with the one that just
+                            // provided the truncated message.
+                            for (int j = 0; j < servers.length; j++) {
+                                int ij = (i + j) % servers.length;
+                                if (doNotRetry[ij]) {
+                                    continue;
+                                }
+                                try {
+                                    Tcp tcp =
+                                        new Tcp(servers[ij], serverPorts[ij]);
+                                    byte[] msg2;
+                                    try {
+                                        msg2 = doTcpQuery(tcp, pkt);
+                                    } finally {
+                                        tcp.close();
+                                    }
+                                    Header hdr2 = new Header(msg2, msg2.length);
+                                    if (hdr2.query) {
+                                        throw new CommunicationException(
+                                            "DNS error: expecting response");
+                                    }
+                                    checkResponseCode(hdr2);
 
-                        // Try each server, starting with the one that just
-                        // provided the truncated message.
-                        for (int j = 0; j < servers.length; j++) {
-                            int ij = (i + j) % servers.length;
-                            if (doNotRetry[ij]) {
-                                continue;
-                            }
-                            try {
-                                Tcp tcp =
-                                    new Tcp(servers[ij], serverPorts[ij]);
-                                byte[] msg2;
-                                try {
-                                    msg2 = doTcpQuery(tcp, pkt);
-                                } finally {
-                                    tcp.close();
+                                    if (!auth || hdr2.authoritative) {
+                                        // Got a valid response
+                                        hdr = hdr2;
+                                        msg = msg2;
+                                        break;
+                                    } else {
+                                        doNotRetry[ij] = true;
+                                    }
+                                } catch (Exception e) {
+                                    // Try next server, or use UDP response
                                 }
-                                Header hdr2 = new Header(msg2, msg2.length);
-                                if (hdr2.query) {
-                                    throw new CommunicationException(
-                                        "DNS error: expecting response");
-                                }
-                                checkResponseCode(hdr2);
+                            } // servers
+                        }
+                        return new ResourceRecords(msg, msg.length, hdr, false);
 
-                                if (!auth || hdr2.authoritative) {
-                                    // Got a valid response
-                                    hdr = hdr2;
-                                    msg = msg2;
-                                    break;
-                                } else {
-                                    doNotRetry[ij] = true;
-                                }
-                            } catch (Exception e) {
-                                // Try next server, or use UDP response
-                            }
-                        } // servers
-                    }
-                    return new ResourceRecords(msg, msg.length, hdr, false);
-
-                } catch (IOException e) {
-                    if (debug) {
-                        dprint("Caught IOException:" + e);
-                    }
-                    if (caughtException == null) {
-                        caughtException = e;
-                    }
-                    // Use reflection to allow pre-1.4 compilation.
-                    // This won't be needed much longer.
-                    if (e.getClass().getName().equals(
-                            "java.net.PortUnreachableException")) {
+                    } catch (IOException e) {
+                        if (debug) {
+                            dprint("Caught IOException:" + e);
+                        }
+                        if (caughtException == null) {
+                            caughtException = e;
+                        }
+                        // Use reflection to allow pre-1.4 compilation.
+                        // This won't be needed much longer.
+                        if (e.getClass().getName().equals(
+                                "java.net.PortUnreachableException")) {
+                            doNotRetry[i] = true;
+                        }
+                    } catch (NameNotFoundException e) {
+                        // This is authoritative, so return immediately
+                        throw e;
+                    } catch (CommunicationException e) {
+                        if (caughtException == null) {
+                            caughtException = e;
+                        }
+                    } catch (NamingException e) {
+                        if (caughtException == null) {
+                            caughtException = e;
+                        }
                         doNotRetry[i] = true;
                     }
-                } catch (NameNotFoundException e) {
-                    throw e;
-                } catch (CommunicationException e) {
-                    if (caughtException == null) {
-                        caughtException = e;
-                    }
-                } catch (NamingException e) {
-                    if (caughtException == null) {
-                        caughtException = e;
-                    }
-                    doNotRetry[i] = true;
-                }
-            } // servers
-        } // retries
+                } // servers
+            } // retries
 
-        reqs.remove(xid);
+        } finally {
+            reqs.remove(xid); // cleanup
+        }
+
         if (caughtException instanceof NamingException) {
             throw (NamingException) caughtException;
         }
--- a/src/share/classes/java/io/ObjectInputStream.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/java/io/ObjectInputStream.java	Fri May 29 10:15:38 2015 -0700
@@ -1829,6 +1829,8 @@
         throws IOException
     {
         SerialCallbackContext oldContext = curContext;
+        if (oldContext != null)
+            oldContext.check();
         curContext = null;
         try {
             boolean blocked = desc.hasBlockExternalData();
@@ -1853,6 +1855,8 @@
                 skipCustomData();
             }
         } finally {
+            if (oldContext != null)
+                oldContext.check();
             curContext = oldContext;
         }
         /*
@@ -1883,12 +1887,12 @@
             ObjectStreamClass slotDesc = slots[i].desc;
 
             if (slots[i].hasData) {
-                if (obj != null &&
-                    slotDesc.hasReadObjectMethod() &&
-                    handles.lookupException(passHandle) == null)
-                {
+                if (obj == null || handles.lookupException(passHandle) != null) {
+                    defaultReadFields(null, slotDesc); // skip field values
+                } else if (slotDesc.hasReadObjectMethod()) {
                     SerialCallbackContext oldContext = curContext;
-
+                    if (oldContext != null)
+                        oldContext.check();
                     try {
                         curContext = new SerialCallbackContext(obj, slotDesc);
 
@@ -1905,6 +1909,8 @@
                         handles.markException(passHandle, ex);
                     } finally {
                         curContext.setUsed();
+                        if (oldContext!= null)
+                            oldContext.check();
                         curContext = oldContext;
                     }
 
@@ -1917,6 +1923,7 @@
                 } else {
                     defaultReadFields(obj, slotDesc);
                 }
+
                 if (slotDesc.hasWriteObjectData()) {
                     skipCustomData();
                 } else {
--- a/src/share/classes/java/io/SerialCallbackContext.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/java/io/SerialCallbackContext.java	Fri May 29 10:15:38 2015 -0700
@@ -60,6 +60,13 @@
         return desc;
     }
 
+    public void check() throws NotActiveException {
+        if (thread != null && thread != Thread.currentThread()) {
+            throw new NotActiveException(
+                "expected thread: " + thread + ", but got: " + Thread.currentThread());
+        }
+    }
+
     private void checkAndSetUsed() throws NotActiveException {
         if (thread != Thread.currentThread()) {
              throw new NotActiveException(
--- a/src/share/classes/java/net/InetAddress.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/java/net/InetAddress.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -203,16 +203,33 @@
     static transient boolean preferIPv6Address = false;
 
     static class InetAddressHolder {
+        /**
+         * Reserve the original application specified hostname.
+         *
+         * The original hostname is useful for domain-based endpoint
+         * identification (see RFC 2818 and RFC 6125).  If an address
+         * was created with a raw IP address, a reverse name lookup
+         * may introduce endpoint identification security issue via
+         * DNS forging.
+         *
+         * Oracle JSSE provider is using this original hostname, via
+         * sun.misc.JavaNetAccess, for SSL/TLS endpoint identification.
+         *
+         * Note: May define a new public method in the future if necessary.
+         */
+        private String originalHostName;
 
         InetAddressHolder() {}
 
         InetAddressHolder(String hostName, int address, int family) {
+            this.originalHostName = hostName;
             this.hostName = hostName;
             this.address = address;
             this.family = family;
         }
 
         void init(String hostName, int family) {
+            this.originalHostName = hostName;
             this.hostName = hostName;
             if (family != -1) {
                 this.family = family;
@@ -225,6 +242,10 @@
             return hostName;
         }
 
+        String getOriginalHostName() {
+            return originalHostName;
+        }
+
         /**
          * Holds a 32-bit IPv4 address.
          */
--- a/src/share/classes/java/net/URLClassLoader.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/java/net/URLClassLoader.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -774,6 +774,10 @@
                 public URLClassPath getURLClassPath (URLClassLoader u) {
                     return u.ucp;
                 }
+
+                public String getOriginalHostName(InetAddress ia) {
+                    return ia.holder.getOriginalHostName();
+                }
             }
         );
         ClassLoader.registerAsParallelCapable();
--- a/src/share/classes/java/rmi/server/RemoteObjectInvocationHandler.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/java/rmi/server/RemoteObjectInvocationHandler.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,6 +31,7 @@
 import java.rmi.Remote;
 import java.rmi.UnexpectedException;
 import java.rmi.activation.Activatable;
+import java.security.PrivilegedAction;
 import java.util.Map;
 import java.util.WeakHashMap;
 import sun.rmi.server.Util;
@@ -56,6 +57,25 @@
 {
     private static final long serialVersionUID = 2L;
 
+    // set to true if invocation handler allows finalize method (legacy behavior)
+    private static final boolean allowFinalizeInvocation;
+
+    static {
+        String propName = "sun.rmi.server.invocationhandler.allowFinalizeInvocation";
+        String allowProp = java.security.AccessController.doPrivileged(
+            new PrivilegedAction<String>() {
+                @Override
+                public String run() {
+                    return System.getProperty(propName);
+                }
+            });
+        if ("".equals(allowProp)) {
+            allowFinalizeInvocation = true;
+        } else {
+            allowFinalizeInvocation = Boolean.parseBoolean(allowProp);
+        }
+    }
+
     /**
      * A weak hash map, mapping classes to weak hash maps that map
      * method objects to method hashes.
@@ -144,6 +164,9 @@
     {
         if (method.getDeclaringClass() == Object.class) {
             return invokeObjectMethod(proxy, method, args);
+        } else if ("finalize".equals(method.getName()) && method.getParameterCount() == 0 &&
+            !allowFinalizeInvocation) {
+            return null; // ignore
         } else {
             return invokeRemoteMethod(proxy, method, args);
         }
--- a/src/share/classes/java/security/Identity.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/java/security/Identity.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -261,7 +261,7 @@
         certificates.addElement(certificate);
     }
 
-    private boolean keyEquals(Key aKey, Key anotherKey) {
+    private boolean keyEquals(PublicKey aKey, PublicKey anotherKey) {
         String aKeyFormat = aKey.getFormat();
         String anotherKeyFormat = anotherKey.getFormat();
         if ((aKeyFormat == null) ^ (anotherKeyFormat == null))
--- a/src/share/classes/java/security/MessageDigest.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/java/security/MessageDigest.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -440,6 +440,10 @@
      * @return true if the digests are equal, false otherwise.
      */
     public static boolean isEqual(byte[] digesta, byte[] digestb) {
+        if (digesta == digestb) return true;
+        if (digesta == null || digestb == null) {
+            return false;
+        }
         if (digesta.length != digestb.length) {
             return false;
         }
--- a/src/share/classes/java/security/Signature.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/java/security/Signature.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1316,7 +1316,7 @@
                 byte[] out = cipher.doFinal(sigBytes);
                 byte[] dataBytes = data.toByteArray();
                 data.reset();
-                return Arrays.equals(out, dataBytes);
+                return MessageDigest.isEqual(out, dataBytes);
             } catch (BadPaddingException e) {
                 // e.g. wrong public key used
                 // return false rather than throwing exception
--- a/src/share/classes/java/security/cert/X509CRLSelector.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/java/security/cert/X509CRLSelector.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -679,10 +679,14 @@
                 nowPlusSkew = new Date(dateAndTime.getTime() + skew);
                 nowMinusSkew = new Date(dateAndTime.getTime() - skew);
             }
+
+            // Check that the test date is within the validity interval:
+            //   [ thisUpdate - MAX_CLOCK_SKEW,
+            //     nextUpdate + MAX_CLOCK_SKEW ]
             if (nowMinusSkew.after(nextUpdate)
                 || nowPlusSkew.before(crlThisUpdate)) {
                 if (debug != null) {
-                    debug.println("X509CRLSelector.match: update out of range");
+                    debug.println("X509CRLSelector.match: update out-of-range");
                 }
                 return false;
             }
--- a/src/share/classes/javax/crypto/spec/SecretKeySpec.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/javax/crypto/spec/SecretKeySpec.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
 
 package javax.crypto.spec;
 
+import java.security.MessageDigest;
 import java.security.spec.KeySpec;
 import java.util.Locale;
 import javax.crypto.SecretKey;
@@ -228,6 +229,6 @@
 
         byte[] thatKey = ((SecretKey)obj).getEncoded();
 
-        return java.util.Arrays.equals(this.key, thatKey);
+        return MessageDigest.isEqual(this.key, thatKey);
     }
 }
--- a/src/share/classes/javax/management/MBeanServerInvocationHandler.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/javax/management/MBeanServerInvocationHandler.java	Fri May 29 10:15:38 2015 -0700
@@ -141,6 +141,12 @@
         if (connection == null) {
             throw new IllegalArgumentException("Null connection");
         }
+        if (Proxy.isProxyClass(connection.getClass())) {
+            if (MBeanServerInvocationHandler.class.isAssignableFrom(
+                    Proxy.getInvocationHandler(connection).getClass())) {
+                throw new IllegalArgumentException("Wrapping MBeanServerInvocationHandler");
+            }
+        }
         if (objectName == null) {
             throw new IllegalArgumentException("Null object name");
         }
@@ -418,6 +424,10 @@
                              new Class<?>[] {Object.class})
             && isLocal(proxy, method))
             return true;
+        if (methodName.equals("finalize")
+            && method.getParameterTypes().length == 0) {
+            return true;
+        }
         return false;
     }
 
@@ -453,6 +463,9 @@
                 connection + "[" + objectName + "])";
         } else if (methodName.equals("hashCode")) {
             return objectName.hashCode()+connection.hashCode();
+        } else if (methodName.equals("finalize")) {
+            // ignore the finalizer invocation via proxy
+            return null;
         }
 
         throw new RuntimeException("Unexpected method name: " + methodName);
--- a/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java	Fri May 29 10:15:38 2015 -0700
@@ -32,7 +32,6 @@
 import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.Permission;
-import java.security.PermissionCollection;
 import java.security.Permissions;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
@@ -59,6 +58,7 @@
 import com.sun.jmx.remote.util.ClassLogger;
 import com.sun.jmx.remote.util.EnvHelp;
 import com.sun.jmx.remote.util.OrderClassLoaders;
+import javax.management.loading.ClassLoaderRepository;
 
 /**
  * <p>Implementation of the {@link RMIConnection} interface.  User
@@ -131,20 +131,24 @@
 
         final ClassLoader dcl = defaultClassLoader;
 
-        this.classLoaderWithRepository =
-            AccessController.doPrivileged(
-                new PrivilegedAction<ClassLoaderWithRepository>() {
-                    public ClassLoaderWithRepository run() {
-                        return new ClassLoaderWithRepository(
-                                      mbeanServer.getClassLoaderRepository(),
-                                      dcl);
-                    }
-                },
-
-                withPermissions( new MBeanPermission("*", "getClassLoaderRepository"),
-                                 new RuntimePermission("createClassLoader"))
-            );
-
+        ClassLoaderRepository repository = AccessController.doPrivileged(
+            new PrivilegedAction<ClassLoaderRepository>() {
+                public ClassLoaderRepository run() {
+                    return mbeanServer.getClassLoaderRepository();
+                }
+            },
+            withPermissions(new MBeanPermission("*", "getClassLoaderRepository"))
+        );
+        this.classLoaderWithRepository = AccessController.doPrivileged(
+            new PrivilegedAction<ClassLoaderWithRepository>() {
+                public ClassLoaderWithRepository run() {
+                    return new ClassLoaderWithRepository(
+                        repository,
+                        dcl);
+                }
+            },
+            withPermissions(new RuntimePermission("createClassLoader"))
+        );
 
         this.defaultContextClassLoader =
             AccessController.doPrivileged(
--- a/src/share/classes/sun/misc/JavaNetAccess.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/misc/JavaNetAccess.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,10 +26,17 @@
 package sun.misc;
 
 import java.net.URLClassLoader;
+import java.net.InetAddress;
 
 public interface JavaNetAccess {
     /**
      * return the URLClassPath belonging to the given loader
      */
     URLClassPath getURLClassPath (URLClassLoader u);
+
+    /**
+     * Return the original application specified hostname of
+     * the given InetAddress object.
+     */
+    String getOriginalHostName(InetAddress ia);
 }
--- a/src/share/classes/sun/security/pkcs11/P11Key.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/pkcs11/P11Key.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -165,7 +165,7 @@
         } else {
             otherEnc = other.getEncoded();
         }
-        return Arrays.equals(thisEnc, otherEnc);
+        return MessageDigest.isEqual(thisEnc, otherEnc);
     }
 
     public int hashCode() {
--- a/src/share/classes/sun/security/pkcs11/wrapper/Functions.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/pkcs11/wrapper/Functions.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -447,22 +447,6 @@
     /**
      * Check the given arrays for equalitiy. This method considers both arrays as
      * equal, if both are <code>null</code> or both have the same length and
-     * contain exactly the same byte values.
-     *
-     * @param array1 The first array.
-     * @param array2 The second array.
-     * @return True, if both arrays are <code>null</code> or both have the same
-     *         length and contain exactly the same byte values. False, otherwise.
-     * @preconditions
-     * @postconditions
-     */
-    public static boolean equals(byte[] array1, byte[] array2) {
-        return Arrays.equals(array1, array2);
-    }
-
-    /**
-     * Check the given arrays for equalitiy. This method considers both arrays as
-     * equal, if both are <code>null</code> or both have the same length and
      * contain exactly the same char values.
      *
      * @param array1 The first array.
@@ -472,7 +456,7 @@
      * @preconditions
      * @postconditions
      */
-    public static boolean equals(char[] array1, char[] array2) {
+    private static boolean equals(char[] array1, char[] array2) {
         return Arrays.equals(array1, array2);
     }
 
--- a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java	Fri May 29 10:15:38 2015 -0700
@@ -2011,7 +2011,7 @@
                         "(MAC algorithm: " + m.getAlgorithm() + ")");
                 }
 
-                if (!Arrays.equals(macData.getDigest(), macResult)) {
+                if (!MessageDigest.isEqual(macData.getDigest(), macResult)) {
                    throw new SecurityException("Failed PKCS12" +
                                         " integrity checking");
                 }
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -151,8 +151,8 @@
     private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;
 
     /**
-     * Integer value indicating the maximum allowable clock skew, in seconds,
-     * to be used for the OCSP check.
+     * Integer value indicating the maximum allowable clock skew,
+     * in milliseconds, to be used for the OCSP check.
      */
     private static final int MAX_CLOCK_SKEW = initializeClockSkew();
 
@@ -586,13 +586,14 @@
                 "Unable to verify OCSP Response's signature");
         }
 
-        // Check freshness of OCSPResponse
         if (nonce != null) {
             if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) {
                 throw new CertPathValidatorException("Nonces don't match");
             }
         }
 
+        // Check freshness of OCSPResponse
+
         long now = (date == null) ? System.currentTimeMillis() : date.getTime();
         Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
         Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
@@ -602,13 +603,18 @@
                 if (sr.nextUpdate != null) {
                     until = " until " + sr.nextUpdate;
                 }
-                debug.println("Response's validity interval is from " +
+                debug.println("OCSP response validity interval is from " +
                               sr.thisUpdate + until);
+                debug.println("Checking validity of OCSP response on: " +
+                    new Date(now));
             }
 
-            // Check that the test date is within the validity interval
-            if ((sr.thisUpdate != null && nowPlusSkew.before(sr.thisUpdate)) ||
-                (sr.nextUpdate != null && nowMinusSkew.after(sr.nextUpdate)))
+            // Check that the test date is within the validity interval:
+            //   [ thisUpdate - MAX_CLOCK_SKEW,
+            //     MAX(thisUpdate, nextUpdate) + MAX_CLOCK_SKEW ]
+            if (nowPlusSkew.before(sr.thisUpdate) ||
+                nowMinusSkew.after(
+                    sr.nextUpdate != null ? sr.nextUpdate : sr.thisUpdate))
             {
                 throw new CertPathValidatorException(
                                       "Response is unreliable: its validity " +
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -159,12 +159,19 @@
                                                         ValidatorParams params)
         throws CertPathValidatorException
     {
+        // check if anchor is untrusted
+        UntrustedChecker untrustedChecker = new UntrustedChecker();
+        X509Certificate anchorCert = anchor.getTrustedCert();
+        if (anchorCert != null) {
+            untrustedChecker.check(anchorCert);
+        }
+
         int certPathLen = params.certificates().size();
 
         // create PKIXCertPathCheckers
         List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
         // add standard checkers that we will be using
-        certPathCheckers.add(new UntrustedChecker());
+        certPathCheckers.add(untrustedChecker);
         certPathCheckers.add(new AlgorithmChecker(anchor));
         certPathCheckers.add(new KeyChecker(certPathLen,
                                             params.targetCertConstraints()));
--- a/src/share/classes/sun/security/rsa/RSASignature.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/rsa/RSASignature.java	Fri May 29 10:15:38 2015 -0700
@@ -27,7 +27,6 @@
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
-import java.util.Arrays;
 
 import java.security.*;
 import java.security.interfaces.*;
@@ -194,7 +193,7 @@
             byte[] decrypted = RSACore.rsa(sigBytes, publicKey);
             byte[] unpadded = padding.unpad(decrypted);
             byte[] decodedDigest = decodeSignature(digestOID, unpadded);
-            return Arrays.equals(digest, decodedDigest);
+            return MessageDigest.isEqual(digest, decodedDigest);
         } catch (javax.crypto.BadPaddingException e) {
             // occurs if the app has used the wrong RSA public key
             // or if sigBytes is invalid
--- a/src/share/classes/sun/security/ssl/CipherSuite.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/ssl/CipherSuite.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -968,7 +968,7 @@
          * 1. Prefer Suite B compliant cipher suites, see RFC6460 (To be
          *    changed later, see below).
          * 2. Prefer the stronger bulk cipher, in the order of AES_256(GCM),
-         *    AES_128(GCM), AES_256, AES_128, 3DES-EDE, RC-4.
+         *    AES_128(GCM), AES_256, AES_128, 3DES-EDE.
          * 3. Prefer the stronger MAC algorithm, in the order of SHA384,
          *    SHA256, SHA, MD5.
          * 4. Prefer the better performance of key exchange and digital
@@ -1115,20 +1115,6 @@
         add("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
             0x0013, --p, K_DHE_DSS,     B_3DES,    N);
 
-        // RC-4
-        add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-            0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N);
-        add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-            0xC011, --p, K_ECDHE_RSA,   B_RC4_128, N);
-        add("SSL_RSA_WITH_RC4_128_SHA",
-            0x0005, --p, K_RSA,         B_RC4_128, N);
-        add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
-            0xC002, --p, K_ECDH_ECDSA,  B_RC4_128, N);
-        add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
-            0xC00C, --p, K_ECDH_RSA,    B_RC4_128, N);
-        add("SSL_RSA_WITH_RC4_128_MD5",
-            0x0004, --p, K_RSA,         B_RC4_128, N);
-
         // Renegotiation protection request Signalling Cipher Suite Value (SCSV)
         add("TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
             0x00ff, --p, K_SCSV,        B_NULL,    T);
@@ -1178,6 +1164,20 @@
         add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
             0x001b, --p, K_DH_ANON,     B_3DES,    N);
 
+        // RC-4
+        add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+            0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N);
+        add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+            0xC011, --p, K_ECDHE_RSA,   B_RC4_128, N);
+        add("SSL_RSA_WITH_RC4_128_SHA",
+            0x0005, --p, K_RSA,         B_RC4_128, N);
+        add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+            0xC002, --p, K_ECDH_ECDSA,  B_RC4_128, N);
+        add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
+            0xC00C, --p, K_ECDH_RSA,    B_RC4_128, N);
+        add("SSL_RSA_WITH_RC4_128_MD5",
+            0x0004, --p, K_RSA,         B_RC4_128, N);
+
         add("TLS_ECDH_anon_WITH_RC4_128_SHA",
             0xC016, --p, K_ECDH_ANON,   B_RC4_128, N);
         add("SSL_DH_anon_WITH_RC4_128_MD5",
--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java	Fri May 29 10:15:38 2015 -0700
@@ -489,7 +489,7 @@
                         0, clientVerifyData.length);
                 System.arraycopy(serverVerifyData, 0, verifyData,
                         clientVerifyData.length, serverVerifyData.length);
-                if (!Arrays.equals(verifyData,
+                if (!MessageDigest.isEqual(verifyData,
                                 serverHelloRI.getRenegotiatedConnection())) {
                     fatalSE(Alerts.alert_handshake_failure,
                         "Incorrect verify data in ServerHello " +
@@ -679,6 +679,14 @@
             // NOTREACHED
         }
         ephemeralServerKey = mesg.getPublicKey();
+
+        // check constraints of RSA PublicKey
+        if (!algorithmConstraints.permits(
+            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
+
+            throw new SSLHandshakeException("RSA ServerKeyExchange " +
+                    "does not comply to algorithm constraints");
+        }
     }
 
 
@@ -696,6 +704,9 @@
         dh = new DHCrypt(mesg.getModulus(), mesg.getBase(),
                                             sslContext.getSecureRandom());
         serverDH = mesg.getServerPublicKey();
+
+        // check algorithm constraints
+        dh.checkConstraints(algorithmConstraints, serverDH);
     }
 
     private void serverKeyExchange(ECDH_ServerKeyExchange mesg)
@@ -706,6 +717,14 @@
         ECPublicKey key = mesg.getPublicKey();
         ecdh = new ECDHCrypt(key.getParams(), sslContext.getSecureRandom());
         ephemeralServerKey = key;
+
+        // check constraints of EC PublicKey
+        if (!algorithmConstraints.permits(
+            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
+
+            throw new SSLHandshakeException("ECDH ServerKeyExchange " +
+                    "does not comply to algorithm constraints");
+        }
     }
 
     /*
--- a/src/share/classes/sun/security/ssl/DHCrypt.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/ssl/DHCrypt.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,6 +34,7 @@
 import javax.crypto.KeyAgreement;
 import javax.crypto.interfaces.DHPublicKey;
 import javax.crypto.spec.*;
+import java.util.EnumSet;
 
 import sun.security.util.KeyUtil;
 
@@ -216,6 +217,28 @@
         }
     }
 
+    // Check constraints of the specified DH public key.
+    void checkConstraints(AlgorithmConstraints constraints,
+            BigInteger peerPublicValue) throws SSLHandshakeException {
+
+        try {
+            KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
+            DHPublicKeySpec spec =
+                        new DHPublicKeySpec(peerPublicValue, modulus, base);
+            DHPublicKey publicKey = (DHPublicKey)kf.generatePublic(spec);
+
+            // check constraints of DHPublicKey
+            if (!constraints.permits(
+                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
+                throw new SSLHandshakeException(
+                    "DHPublicKey does not comply to algorithm constraints");
+            }
+        } catch (GeneralSecurityException gse) {
+            throw (SSLHandshakeException) new SSLHandshakeException(
+                    "Could not generate DHPublicKey").initCause(gse);
+        }
+    }
+
     // Generate and validate DHPublicKeySpec
     private DHPublicKeySpec generateDHPublicKeySpec(KeyPairGenerator kpg)
             throws GeneralSecurityException {
--- a/src/share/classes/sun/security/ssl/ECDHCrypt.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/ssl/ECDHCrypt.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@
 import java.security.interfaces.ECPublicKey;
 import java.security.spec.*;
 
+import java.util.EnumSet;
 import javax.crypto.SecretKey;
 import javax.crypto.KeyAgreement;
 import javax.net.ssl.SSLHandshakeException;
@@ -88,8 +89,11 @@
         return publicKey;
     }
 
-    // called by ClientHandshaker with either the server's static or ephemeral public key
-    SecretKey getAgreedSecret(PublicKey peerPublicKey) throws SSLHandshakeException {
+    // called by ClientHandshaker with either the server's static or
+    // ephemeral public key
+    SecretKey getAgreedSecret(
+            PublicKey peerPublicKey) throws SSLHandshakeException {
+
         try {
             KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
             ka.init(privateKey);
@@ -102,10 +106,13 @@
     }
 
     // called by ServerHandshaker
-    SecretKey getAgreedSecret(byte[] encodedPoint) throws SSLHandshakeException {
+    SecretKey getAgreedSecret(
+            byte[] encodedPoint) throws SSLHandshakeException {
+
         try {
             ECParameterSpec params = publicKey.getParams();
-            ECPoint point = JsseJce.decodePoint(encodedPoint, params.getCurve());
+            ECPoint point =
+                    JsseJce.decodePoint(encodedPoint, params.getCurve());
             KeyFactory kf = JsseJce.getKeyFactory("EC");
             ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
             PublicKey peerPublicKey = kf.generatePublic(spec);
@@ -116,4 +123,30 @@
         }
     }
 
+    // Check constraints of the specified EC public key.
+    void checkConstraints(AlgorithmConstraints constraints,
+            byte[] encodedPoint) throws SSLHandshakeException {
+
+        try {
+
+            ECParameterSpec params = publicKey.getParams();
+            ECPoint point =
+                    JsseJce.decodePoint(encodedPoint, params.getCurve());
+            ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
+
+            KeyFactory kf = JsseJce.getKeyFactory("EC");
+            ECPublicKey publicKey = (ECPublicKey)kf.generatePublic(spec);
+
+            // check constraints of ECPublicKey
+            if (!constraints.permits(
+                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
+                throw new SSLHandshakeException(
+                    "ECPublicKey does not comply to algorithm constraints");
+            }
+        } catch (GeneralSecurityException | java.io.IOException e) {
+            throw (SSLHandshakeException) new SSLHandshakeException(
+                    "Could not generate ECPublicKey").initCause(e);
+        }
+    }
+
 }
--- a/src/share/classes/sun/security/ssl/HandshakeMessage.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/ssl/HandshakeMessage.java	Fri May 29 10:15:38 2015 -0700
@@ -1912,7 +1912,7 @@
      */
     boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) {
         byte[] myFinished = getFinished(handshakeHash, sender, master);
-        return Arrays.equals(myFinished, verifyData);
+        return MessageDigest.isEqual(myFinished, verifyData);
     }
 
     /*
--- a/src/share/classes/sun/security/ssl/Handshaker.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/ssl/Handshaker.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -86,7 +86,7 @@
     String identificationProtocol;
 
     // The cryptographic algorithm constraints
-    private AlgorithmConstraints algorithmConstraints = null;
+    AlgorithmConstraints algorithmConstraints = null;
 
     // Local supported signature and algorithms
     Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;
--- a/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,9 +34,9 @@
 import java.security.Key;
 
 import java.util.Set;
-import java.util.HashSet;
 
 import sun.security.util.DisabledAlgorithmConstraints;
+import static sun.security.util.DisabledAlgorithmConstraints.*;
 import sun.security.ssl.CipherSuite.*;
 
 /**
@@ -46,10 +46,15 @@
  * for the syntax of the disabled algorithm string.
  */
 final class SSLAlgorithmConstraints implements AlgorithmConstraints {
+
     private final static AlgorithmConstraints tlsDisabledAlgConstraints =
-            new TLSDisabledAlgConstraints();
+            new DisabledAlgorithmConstraints(PROPERTY_TLS_DISABLED_ALGS,
+                    new SSLAlgorithmDecomposer());
+
     private final static AlgorithmConstraints x509DisabledAlgConstraints =
-            new X509DisabledAlgConstraints();
+            new DisabledAlgorithmConstraints(PROPERTY_CERTPATH_DISABLED_ALGS,
+                    new SSLAlgorithmDecomposer(true));
+
     private AlgorithmConstraints userAlgConstraints = null;
     private AlgorithmConstraints peerAlgConstraints = null;
 
@@ -267,217 +272,4 @@
         }
     }
 
-    static private class BasicDisabledAlgConstraints
-            extends DisabledAlgorithmConstraints {
-        BasicDisabledAlgConstraints(String propertyName) {
-            super(propertyName);
-        }
-
-        protected Set<String> decomposes(KeyExchange keyExchange,
-                        boolean forCertPathOnly) {
-            Set<String> components = new HashSet<>();
-            switch (keyExchange) {
-                case K_NULL:
-                    if (!forCertPathOnly) {
-                        components.add("NULL");
-                    }
-                    break;
-                case K_RSA:
-                    components.add("RSA");
-                    break;
-                case K_RSA_EXPORT:
-                    components.add("RSA");
-                    components.add("RSA_EXPORT");
-                    break;
-                case K_DH_RSA:
-                    components.add("RSA");
-                    components.add("DH");
-                    components.add("DiffieHellman");
-                    components.add("DH_RSA");
-                    break;
-                case K_DH_DSS:
-                    components.add("DSA");
-                    components.add("DSS");
-                    components.add("DH");
-                    components.add("DiffieHellman");
-                    components.add("DH_DSS");
-                    break;
-                case K_DHE_DSS:
-                    components.add("DSA");
-                    components.add("DSS");
-                    components.add("DH");
-                    components.add("DHE");
-                    components.add("DiffieHellman");
-                    components.add("DHE_DSS");
-                    break;
-                case K_DHE_RSA:
-                    components.add("RSA");
-                    components.add("DH");
-                    components.add("DHE");
-                    components.add("DiffieHellman");
-                    components.add("DHE_RSA");
-                    break;
-                case K_DH_ANON:
-                    if (!forCertPathOnly) {
-                        components.add("ANON");
-                        components.add("DH");
-                        components.add("DiffieHellman");
-                        components.add("DH_ANON");
-                    }
-                    break;
-                case K_ECDH_ECDSA:
-                    components.add("ECDH");
-                    components.add("ECDSA");
-                    components.add("ECDH_ECDSA");
-                    break;
-                case K_ECDH_RSA:
-                    components.add("ECDH");
-                    components.add("RSA");
-                    components.add("ECDH_RSA");
-                    break;
-                case K_ECDHE_ECDSA:
-                    components.add("ECDHE");
-                    components.add("ECDSA");
-                    components.add("ECDHE_ECDSA");
-                    break;
-                case K_ECDHE_RSA:
-                    components.add("ECDHE");
-                    components.add("RSA");
-                    components.add("ECDHE_RSA");
-                    break;
-                case K_ECDH_ANON:
-                    if (!forCertPathOnly) {
-                        components.add("ECDH");
-                        components.add("ANON");
-                        components.add("ECDH_ANON");
-                    }
-                    break;
-                case K_KRB5:
-                    if (!forCertPathOnly) {
-                        components.add("KRB5");
-                    }
-                    break;
-                case K_KRB5_EXPORT:
-                    if (!forCertPathOnly) {
-                        components.add("KRB5_EXPORT");
-                    }
-                    break;
-                default:
-                    // ignore
-            }
-
-            return components;
-        }
-
-        protected Set<String> decomposes(BulkCipher bulkCipher) {
-            Set<String> components = new HashSet<>();
-
-            if (bulkCipher.transformation != null) {
-                components.addAll(super.decomposes(bulkCipher.transformation));
-            }
-
-            return components;
-        }
-
-        protected Set<String> decomposes(MacAlg macAlg) {
-            Set<String> components = new HashSet<>();
-
-            if (macAlg == CipherSuite.M_MD5) {
-                components.add("MD5");
-                components.add("HmacMD5");
-            } else if (macAlg == CipherSuite.M_SHA) {
-                components.add("SHA1");
-                components.add("SHA-1");
-                components.add("HmacSHA1");
-            } else if (macAlg == CipherSuite.M_SHA256) {
-                components.add("SHA256");
-                components.add("SHA-256");
-                components.add("HmacSHA256");
-            } else if (macAlg == CipherSuite.M_SHA384) {
-                components.add("SHA384");
-                components.add("SHA-384");
-                components.add("HmacSHA384");
-            }
-
-            return components;
-        }
-    }
-
-    static private class TLSDisabledAlgConstraints
-            extends BasicDisabledAlgConstraints {
-
-        TLSDisabledAlgConstraints() {
-            super(DisabledAlgorithmConstraints.PROPERTY_TLS_DISABLED_ALGS);
-        }
-
-        @Override
-        protected Set<String> decomposes(String algorithm) {
-            if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) {
-                CipherSuite cipherSuite = null;
-                try {
-                    cipherSuite = CipherSuite.valueOf(algorithm);
-                } catch (IllegalArgumentException iae) {
-                    // ignore: unknown or unsupported ciphersuite
-                }
-
-                if (cipherSuite != null) {
-                    Set<String> components = new HashSet<>();
-
-                    if(cipherSuite.keyExchange != null) {
-                        components.addAll(
-                            decomposes(cipherSuite.keyExchange, false));
-                    }
-
-                    if (cipherSuite.cipher != null) {
-                        components.addAll(decomposes(cipherSuite.cipher));
-                    }
-
-                    if (cipherSuite.macAlg != null) {
-                        components.addAll(decomposes(cipherSuite.macAlg));
-                    }
-
-                    return components;
-                }
-            }
-
-            return super.decomposes(algorithm);
-        }
-    }
-
-    static private class X509DisabledAlgConstraints
-            extends BasicDisabledAlgConstraints {
-
-        X509DisabledAlgConstraints() {
-            super(DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
-        }
-
-        @Override
-        protected Set<String> decomposes(String algorithm) {
-            if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) {
-                CipherSuite cipherSuite = null;
-                try {
-                    cipherSuite = CipherSuite.valueOf(algorithm);
-                } catch (IllegalArgumentException iae) {
-                    // ignore: unknown or unsupported ciphersuite
-                }
-
-                if (cipherSuite != null) {
-                    Set<String> components = new HashSet<>();
-
-                    if(cipherSuite.keyExchange != null) {
-                        components.addAll(
-                            decomposes(cipherSuite.keyExchange, true));
-                    }
-
-                    // Certification path algorithm constraints do not apply
-                    // to cipherSuite.cipher and cipherSuite.macAlg.
-
-                    return components;
-                }
-            }
-
-            return super.decomposes(algorithm);
-        }
-    }
 }
-
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/ssl/SSLAlgorithmDecomposer.java	Fri May 29 10:15:38 2015 -0700
@@ -0,0 +1,251 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.util.HashSet;
+import java.util.Set;
+import sun.security.util.AlgorithmDecomposer;
+import static sun.security.ssl.CipherSuite.*;
+import static sun.security.ssl.CipherSuite.KeyExchange.*;
+
+/**
+ * The class decomposes standard SSL/TLS cipher suites into sub-elements.
+ */
+class SSLAlgorithmDecomposer extends AlgorithmDecomposer {
+
+    // indicates that only certification path algorithms need to be used
+    private final boolean onlyX509;
+
+    SSLAlgorithmDecomposer(boolean onlyX509) {
+        this.onlyX509 = onlyX509;
+    }
+
+    SSLAlgorithmDecomposer() {
+        this(false);
+    }
+
+    private Set<String> decomposes(CipherSuite.KeyExchange keyExchange) {
+        Set<String> components = new HashSet<>();
+        switch (keyExchange) {
+            case K_NULL:
+                if (!onlyX509) {
+                    components.add("K_NULL");
+                }
+                break;
+            case K_RSA:
+                components.add("RSA");
+                break;
+            case K_RSA_EXPORT:
+                components.add("RSA");
+                components.add("RSA_EXPORT");
+                break;
+            case K_DH_RSA:
+                components.add("RSA");
+                components.add("DH");
+                components.add("DiffieHellman");
+                components.add("DH_RSA");
+                break;
+            case K_DH_DSS:
+                components.add("DSA");
+                components.add("DSS");
+                components.add("DH");
+                components.add("DiffieHellman");
+                components.add("DH_DSS");
+                break;
+            case K_DHE_DSS:
+                components.add("DSA");
+                components.add("DSS");
+                components.add("DH");
+                components.add("DHE");
+                components.add("DiffieHellman");
+                components.add("DHE_DSS");
+                break;
+            case K_DHE_RSA:
+                components.add("RSA");
+                components.add("DH");
+                components.add("DHE");
+                components.add("DiffieHellman");
+                components.add("DHE_RSA");
+                break;
+            case K_DH_ANON:
+                if (!onlyX509) {
+                    components.add("ANON");
+                    components.add("DH");
+                    components.add("DiffieHellman");
+                    components.add("DH_ANON");
+                }
+                break;
+            case K_ECDH_ECDSA:
+                components.add("ECDH");
+                components.add("ECDSA");
+                components.add("ECDH_ECDSA");
+                break;
+            case K_ECDH_RSA:
+                components.add("ECDH");
+                components.add("RSA");
+                components.add("ECDH_RSA");
+                break;
+            case K_ECDHE_ECDSA:
+                components.add("ECDHE");
+                components.add("ECDSA");
+                components.add("ECDHE_ECDSA");
+                break;
+            case K_ECDHE_RSA:
+                components.add("ECDHE");
+                components.add("RSA");
+                components.add("ECDHE_RSA");
+                break;
+            case K_ECDH_ANON:
+                if (!onlyX509) {
+                    components.add("ECDH");
+                    components.add("ANON");
+                    components.add("ECDH_ANON");
+                }
+                break;
+            case K_KRB5:
+                if (!onlyX509) {
+                    components.add("KRB5");
+                }
+                break;
+            case K_KRB5_EXPORT:
+                if (!onlyX509) {
+                    components.add("KRB5_EXPORT");
+                }
+                break;
+            default:
+                // ignore
+            }
+
+        return components;
+    }
+
+    private Set<String> decomposes(CipherSuite.BulkCipher bulkCipher) {
+        Set<String> components = new HashSet<>();
+
+        if (bulkCipher.transformation != null) {
+            components.addAll(super.decompose(bulkCipher.transformation));
+        }
+
+        if (bulkCipher == B_NULL) {
+            components.add("C_NULL");
+        } else if (bulkCipher == B_RC2_40) {
+            components.add("RC2_CBC_40");
+        } else if (bulkCipher == B_RC4_40) {
+            components.add("RC4_40");
+        } else if (bulkCipher == B_RC4_128) {
+            components.add("RC4_128");
+        } else if (bulkCipher == B_DES_40) {
+            components.add("DES40_CBC");
+            components.add("DES_CBC_40");
+        } else if (bulkCipher == B_DES) {
+            components.add("DES_CBC");
+        } else if (bulkCipher == B_3DES) {
+            components.add("3DES_EDE_CBC");
+        } else if (bulkCipher == B_AES_128) {
+            components.add("AES_128_CBC");
+        } else if (bulkCipher == B_AES_256) {
+            components.add("AES_256_CBC");
+        } else if (bulkCipher == B_AES_128_GCM) {
+            components.add("AES_128_GCM");
+        } else if (bulkCipher == B_AES_256_GCM) {
+            components.add("AES_256_GCM");
+        }
+
+        return components;
+    }
+
+    private Set<String> decomposes(CipherSuite.MacAlg macAlg,
+            BulkCipher cipher) {
+        Set<String> components = new HashSet<>();
+
+        if (macAlg == M_NULL
+                && cipher.cipherType != CipherType.AEAD_CIPHER) {
+            components.add("M_NULL");
+        } else if (macAlg == M_MD5) {
+            components.add("MD5");
+            components.add("HmacMD5");
+        } else if (macAlg == M_SHA) {
+            components.add("SHA1");
+            components.add("SHA-1");
+            components.add("HmacSHA1");
+        } else if (macAlg == M_SHA256) {
+            components.add("SHA256");
+            components.add("SHA-256");
+            components.add("HmacSHA256");
+        } else if (macAlg == M_SHA384) {
+            components.add("SHA384");
+            components.add("SHA-384");
+            components.add("HmacSHA384");
+        }
+
+        return components;
+    }
+
+    private Set<String> decompose(KeyExchange keyExchange, BulkCipher cipher,
+            MacAlg macAlg) {
+        Set<String> components = new HashSet<>();
+
+        if (keyExchange != null) {
+            components.addAll(decomposes(keyExchange));
+        }
+
+        if (onlyX509) {
+            // Certification path algorithm constraints do not apply
+            // to cipher and macAlg.
+            return components;
+        }
+
+        if (cipher != null) {
+            components.addAll(decomposes(cipher));
+        }
+
+        if (macAlg != null) {
+            components.addAll(decomposes(macAlg, cipher));
+        }
+
+        return components;
+    }
+
+    @Override
+    public Set<String> decompose(String algorithm) {
+        if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) {
+            CipherSuite cipherSuite = null;
+            try {
+                cipherSuite = CipherSuite.valueOf(algorithm);
+            } catch (IllegalArgumentException iae) {
+                // ignore: unknown or unsupported ciphersuite
+            }
+
+            if (cipherSuite != null) {
+                return decompose(cipherSuite.keyExchange, cipherSuite.cipher,
+                        cipherSuite.macAlg);
+            }
+        }
+
+        return super.decompose(algorithm);
+    }
+
+}
--- a/src/share/classes/sun/security/ssl/SSLSocketImpl.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/ssl/SSLSocketImpl.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,6 +40,9 @@
 import javax.crypto.BadPaddingException;
 import javax.net.ssl.*;
 
+import sun.misc.JavaNetAccess;
+import sun.misc.SharedSecrets;
+
 /**
  * Implementation of an SSL socket.  This is a normal connection type
  * socket, implementing SSL over some lower level socket, such as TCP.
@@ -389,6 +392,15 @@
      */
     private boolean preferLocalCipherSuites = false;
 
+    /*
+     * Is the local name service trustworthy?
+     *
+     * If the local name service is not trustworthy, reverse host name
+     * resolution should not be performed for endpoint identification.
+     */
+    static final boolean trustNameService =
+            Debug.getBooleanProperty("jdk.tls.trustNameService", false);
+
     //
     // CONSTRUCTORS AND INITIALIZATION CODE
     //
@@ -2149,11 +2161,41 @@
     synchronized String getHost() {
         // Note that the host may be null or empty for localhost.
         if (host == null || host.length() == 0) {
-            host = getInetAddress().getHostName();
+            if (!trustNameService) {
+                // If the local name service is not trustworthy, reverse host
+                // name resolution should not be performed for endpoint
+                // identification.  Use the application original specified
+                // hostname or IP address instead.
+                host = getOriginalHostname(getInetAddress());
+            } else {
+                host = getInetAddress().getHostName();
+            }
         }
+
         return host;
     }
 
+    /*
+     * Get the original application specified hostname.
+     */
+    private static String getOriginalHostname(InetAddress inetAddress) {
+        /*
+         * Get the original hostname via sun.misc.SharedSecrets.
+         */
+        JavaNetAccess jna = SharedSecrets.getJavaNetAccess();
+        String originalHostname = jna.getOriginalHostName(inetAddress);
+
+        /*
+         * If no application specified hostname, use the IP address.
+         */
+        if (originalHostname == null || originalHostname.length() == 0) {
+            originalHostname = inetAddress.getHostAddress();
+        }
+
+        return originalHostname;
+    }
+
+
     // ONLY used by HttpsClient to setup the URI specified hostname
     //
     // Please NOTE that this method MUST be called before calling to
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,7 @@
 import java.security.cert.*;
 import java.security.interfaces.*;
 import java.security.spec.ECParameterSpec;
+import java.math.BigInteger;
 
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
@@ -41,6 +42,7 @@
 import javax.security.auth.Subject;
 
 import sun.security.util.KeyUtil;
+import sun.security.util.LegacyAlgorithmConstraints;
 import sun.security.action.GetPropertyAction;
 import sun.security.ssl.HandshakeMessage.*;
 import sun.security.ssl.CipherSuite.*;
@@ -106,6 +108,12 @@
     // The customized ephemeral DH key size for non-exportable cipher suites.
     private static final int customizedDHKeySize;
 
+    // legacy algorithm constraints
+    private static final AlgorithmConstraints legacyAlgorithmConstraints =
+            new LegacyAlgorithmConstraints(
+                    LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,
+                    new SSLAlgorithmDecomposer());
+
     static {
         String property = AccessController.doPrivileged(
                     new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
@@ -406,7 +414,7 @@
                 }
 
                 // verify the client_verify_data value
-                if (!Arrays.equals(clientVerifyData,
+                if (!MessageDigest.isEqual(clientVerifyData,
                                 clientHelloRI.getRenegotiatedConnection())) {
                     fatalSE(Alerts.alert_handshake_failure,
                         "Incorrect verify data in ClientHello " +
@@ -995,6 +1003,7 @@
             proposed = getActiveCipherSuites();
         }
 
+        List<CipherSuite> legacySuites = new ArrayList<>();
         for (CipherSuite suite : prefered.collection()) {
             if (isNegotiable(proposed, suite) == false) {
                 continue;
@@ -1006,11 +1015,24 @@
                     continue;
                 }
             }
+
+            if (!legacyAlgorithmConstraints.permits(null, suite.name, null)) {
+                legacySuites.add(suite);
+                continue;
+            }
+
             if (trySetCipherSuite(suite) == false) {
                 continue;
             }
             return;
         }
+
+        for (CipherSuite suite : legacySuites) {
+            if (trySetCipherSuite(suite)) {
+                return;
+            }
+        }
+
         fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common");
     }
 
@@ -1543,7 +1565,13 @@
         if (debug != null && Debug.isOn("handshake")) {
             mesg.print(System.out);
         }
-        return dh.getAgreedSecret(mesg.getClientPublicKey(), false);
+
+        BigInteger publicKeyValue = mesg.getClientPublicKey();
+
+        // check algorithm constraints
+        dh.checkConstraints(algorithmConstraints, publicKeyValue);
+
+        return dh.getAgreedSecret(publicKeyValue, false);
     }
 
     private SecretKey clientKeyExchange(ECDHClientKeyExchange mesg)
@@ -1552,7 +1580,13 @@
         if (debug != null && Debug.isOn("handshake")) {
             mesg.print(System.out);
         }
-        return ecdh.getAgreedSecret(mesg.getEncodedPoint());
+
+        byte[] publicPoint = mesg.getEncodedPoint();
+
+        // check algorithm constraints
+        ecdh.checkConstraints(algorithmConstraints, publicPoint);
+
+        return ecdh.getAgreedSecret(publicPoint);
     }
 
     /*
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/util/AbstractAlgorithmConstraints.java	Fri May 29 10:15:38 2015 -0700
@@ -0,0 +1,119 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.security.AccessController;
+import java.security.AlgorithmConstraints;
+import java.security.PrivilegedAction;
+import java.security.Security;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * The class contains common functionality for algorithm constraints classes.
+ */
+public abstract class AbstractAlgorithmConstraints
+        implements AlgorithmConstraints {
+
+    protected final AlgorithmDecomposer decomposer;
+
+    protected AbstractAlgorithmConstraints(AlgorithmDecomposer decomposer) {
+        this.decomposer = decomposer;
+    }
+
+    // Get algorithm constraints from the specified security property.
+    private static void loadAlgorithmsMap(Map<String, String[]> algorithmsMap,
+            String propertyName) {
+        String property = AccessController.doPrivileged(
+                (PrivilegedAction<String>) () -> Security.getProperty(
+                        propertyName));
+
+        String[] algorithmsInProperty = null;
+        if (property != null && !property.isEmpty()) {
+            // remove double quote marks from beginning/end of the property
+            if (property.charAt(0) == '"'
+                    && property.charAt(property.length() - 1) == '"') {
+                property = property.substring(1, property.length() - 1);
+            }
+            algorithmsInProperty = property.split(",");
+            for (int i = 0; i < algorithmsInProperty.length;
+                    i++) {
+                algorithmsInProperty[i] = algorithmsInProperty[i].trim();
+            }
+        }
+
+        // map the disabled algorithms
+        if (algorithmsInProperty == null) {
+            algorithmsInProperty = new String[0];
+        }
+        algorithmsMap.put(propertyName, algorithmsInProperty);
+    }
+
+    static String[] getAlgorithms(Map<String, String[]> algorithmsMap,
+            String propertyName) {
+        synchronized (algorithmsMap) {
+            if (!algorithmsMap.containsKey(propertyName)) {
+                loadAlgorithmsMap(algorithmsMap, propertyName);
+            }
+
+            return algorithmsMap.get(propertyName);
+        }
+    }
+
+    static boolean checkAlgorithm(String[] algorithms, String algorithm,
+            AlgorithmDecomposer decomposer) {
+        if (algorithm == null || algorithm.length() == 0) {
+            throw new IllegalArgumentException("No algorithm name specified");
+        }
+
+        Set<String> elements = null;
+        for (String item : algorithms) {
+            if (item == null || item.isEmpty()) {
+                continue;
+            }
+
+            // check the full name
+            if (item.equalsIgnoreCase(algorithm)) {
+                return false;
+            }
+
+            // decompose the algorithm into sub-elements
+            if (elements == null) {
+                elements = decomposer.decompose(algorithm);
+            }
+
+            // check the items of the algorithm
+            for (String element : elements) {
+                if (item.equalsIgnoreCase(element)) {
+                    return false;
+                }
+            }
+        }
+
+        return true;
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/util/AlgorithmDecomposer.java	Fri May 29 10:15:38 2015 -0700
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.util.HashSet;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+/**
+ * The class decomposes standard algorithms into sub-elements.
+ */
+public class AlgorithmDecomposer {
+
+    private static final Pattern transPattern = Pattern.compile("/");
+    private static final Pattern pattern =
+                    Pattern.compile("with|and", Pattern.CASE_INSENSITIVE);
+
+    /**
+     * Decompose the standard algorithm name into sub-elements.
+     * <p>
+     * For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA"
+     * so that we can check the "SHA1" and "RSA" algorithm constraints
+     * separately.
+     * <p>
+     * Please override the method if need to support more name pattern.
+     */
+    public Set<String> decompose(String algorithm) {
+        if (algorithm == null || algorithm.length() == 0) {
+            return new HashSet<>();
+        }
+
+        // algorithm/mode/padding
+        String[] transTockens = transPattern.split(algorithm);
+
+        Set<String> elements = new HashSet<>();
+        for (String transTocken : transTockens) {
+            if (transTocken == null || transTocken.length() == 0) {
+                continue;
+            }
+
+            // PBEWith<digest>And<encryption>
+            // PBEWith<prf>And<encryption>
+            // OAEPWith<digest>And<mgf>Padding
+            // <digest>with<encryption>
+            // <digest>with<encryption>and<mgf>
+            String[] tokens = pattern.split(transTocken);
+
+            for (String token : tokens) {
+                if (token == null || token.length() == 0) {
+                    continue;
+                }
+
+                elements.add(token);
+            }
+        }
+
+        // In Java standard algorithm name specification, for different
+        // purpose, the SHA-1 and SHA-2 algorithm names are different. For
+        // example, for MessageDigest, the standard name is "SHA-256", while
+        // for Signature, the digest algorithm component is "SHA256" for
+        // signature algorithm "SHA256withRSA". So we need to check both
+        // "SHA-256" and "SHA256" to make the right constraint checking.
+
+        // handle special name: SHA-1 and SHA1
+        if (elements.contains("SHA1") && !elements.contains("SHA-1")) {
+            elements.add("SHA-1");
+        }
+        if (elements.contains("SHA-1") && !elements.contains("SHA1")) {
+            elements.add("SHA1");
+        }
+
+        // handle special name: SHA-224 and SHA224
+        if (elements.contains("SHA224") && !elements.contains("SHA-224")) {
+            elements.add("SHA-224");
+        }
+        if (elements.contains("SHA-224") && !elements.contains("SHA224")) {
+            elements.add("SHA224");
+        }
+
+        // handle special name: SHA-256 and SHA256
+        if (elements.contains("SHA256") && !elements.contains("SHA-256")) {
+            elements.add("SHA-256");
+        }
+        if (elements.contains("SHA-256") && !elements.contains("SHA256")) {
+            elements.add("SHA256");
+        }
+
+        // handle special name: SHA-384 and SHA384
+        if (elements.contains("SHA384") && !elements.contains("SHA-384")) {
+            elements.add("SHA-384");
+        }
+        if (elements.contains("SHA-384") && !elements.contains("SHA384")) {
+            elements.add("SHA384");
+        }
+
+        // handle special name: SHA-512 and SHA512
+        if (elements.contains("SHA512") && !elements.contains("SHA-512")) {
+            elements.add("SHA-512");
+        }
+        if (elements.contains("SHA-512") && !elements.contains("SHA512")) {
+            elements.add("SHA512");
+        }
+
+        return elements;
+    }
+
+}
--- a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,15 +25,9 @@
 
 package sun.security.util;
 
-import java.security.AlgorithmConstraints;
 import java.security.CryptoPrimitive;
 import java.security.AlgorithmParameters;
-
 import java.security.Key;
-import java.security.Security;
-import java.security.PrivilegedAction;
-import java.security.AccessController;
-
 import java.util.Locale;
 import java.util.Set;
 import java.util.Collections;
@@ -49,7 +43,7 @@
  * See the "jdk.certpath.disabledAlgorithms" specification in java.security
  * for the syntax of the disabled algorithm string.
  */
-public class DisabledAlgorithmConstraints implements AlgorithmConstraints {
+public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
 
     // the known security property, jdk.certpath.disabledAlgorithms
     public final static String PROPERTY_CERTPATH_DISABLED_ALGS =
@@ -64,8 +58,8 @@
     private final static Map<String, KeySizeConstraints> keySizeConstraintsMap =
                                                             new HashMap<>();
 
-    private String[] disabledAlgorithms;
-    private KeySizeConstraints keySizeConstraints;
+    private final String[] disabledAlgorithms;
+    private final KeySizeConstraints keySizeConstraints;
 
     /**
      * Initialize algorithm constraints with the specified security property.
@@ -74,56 +68,27 @@
      *        algorithm constraints
      */
     public DisabledAlgorithmConstraints(String propertyName) {
-        // Both disabledAlgorithmsMap and keySizeConstraintsMap are
-        // synchronized with the lock of disabledAlgorithmsMap.
-        synchronized (disabledAlgorithmsMap) {
-            if(!disabledAlgorithmsMap.containsKey(propertyName)) {
-                loadDisabledAlgorithmsMap(propertyName);
-            }
+        this(propertyName, new AlgorithmDecomposer());
+    }
 
-            disabledAlgorithms = disabledAlgorithmsMap.get(propertyName);
-            keySizeConstraints = keySizeConstraintsMap.get(propertyName);
-        }
+    public DisabledAlgorithmConstraints(String propertyName,
+            AlgorithmDecomposer decomposer) {
+        super(decomposer);
+        disabledAlgorithms = getAlgorithms(disabledAlgorithmsMap, propertyName);
+        keySizeConstraints = getKeySizeConstraints(disabledAlgorithms,
+                propertyName);
     }
 
     @Override
     final public boolean permits(Set<CryptoPrimitive> primitives,
             String algorithm, AlgorithmParameters parameters) {
 
-        if (algorithm == null || algorithm.length() == 0) {
-            throw new IllegalArgumentException("No algorithm name specified");
-        }
-
         if (primitives == null || primitives.isEmpty()) {
             throw new IllegalArgumentException(
                         "No cryptographic primitive specified");
         }
 
-        Set<String> elements = null;
-        for (String disabled : disabledAlgorithms) {
-            if (disabled == null || disabled.isEmpty()) {
-                continue;
-            }
-
-            // check the full name
-            if (disabled.equalsIgnoreCase(algorithm)) {
-                return false;
-            }
-
-            // decompose the algorithm into sub-elements
-            if (elements == null) {
-                elements = decomposes(algorithm);
-            }
-
-            // check the items of the algorithm
-            for (String element : elements) {
-                if (disabled.equalsIgnoreCase(element)) {
-                    return false;
-                }
-            }
-        }
-
-        return true;
+        return checkAlgorithm(disabledAlgorithms, algorithm, decomposer);
     }
 
     @Override
@@ -142,98 +107,6 @@
         return checkConstraints(primitives, algorithm, key, parameters);
     }
 
-    /**
-     * Decompose the standard algorithm name into sub-elements.
-     * <p>
-     * For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA"
-     * so that we can check the "SHA1" and "RSA" algorithm constraints
-     * separately.
-     * <p>
-     * Please override the method if need to support more name pattern.
-     */
-    protected Set<String> decomposes(String algorithm) {
-        if (algorithm == null || algorithm.length() == 0) {
-            return new HashSet<String>();
-        }
-
-        // algorithm/mode/padding
-        Pattern transPattern = Pattern.compile("/");
-        String[] transTockens = transPattern.split(algorithm);
-
-        Set<String> elements = new HashSet<String>();
-        for (String transTocken : transTockens) {
-            if (transTocken == null || transTocken.length() == 0) {
-                continue;
-            }
-
-            // PBEWith<digest>And<encryption>
-            // PBEWith<prf>And<encryption>
-            // OAEPWith<digest>And<mgf>Padding
-            // <digest>with<encryption>
-            // <digest>with<encryption>and<mgf>
-            Pattern pattern =
-                    Pattern.compile("with|and", Pattern.CASE_INSENSITIVE);
-            String[] tokens = pattern.split(transTocken);
-
-            for (String token : tokens) {
-                if (token == null || token.length() == 0) {
-                    continue;
-                }
-
-                elements.add(token);
-            }
-        }
-
-        // In Java standard algorithm name specification, for different
-        // purpose, the SHA-1 and SHA-2 algorithm names are different. For
-        // example, for MessageDigest, the standard name is "SHA-256", while
-        // for Signature, the digest algorithm component is "SHA256" for
-        // signature algorithm "SHA256withRSA". So we need to check both
-        // "SHA-256" and "SHA256" to make the right constraint checking.
-
-        // handle special name: SHA-1 and SHA1
-        if (elements.contains("SHA1") && !elements.contains("SHA-1")) {
-            elements.add("SHA-1");
-        }
-        if (elements.contains("SHA-1") && !elements.contains("SHA1")) {
-            elements.add("SHA1");
-        }
-
-        // handle special name: SHA-224 and SHA224
-        if (elements.contains("SHA224") && !elements.contains("SHA-224")) {
-            elements.add("SHA-224");
-        }
-        if (elements.contains("SHA-224") && !elements.contains("SHA224")) {
-            elements.add("SHA224");
-        }
-
-        // handle special name: SHA-256 and SHA256
-        if (elements.contains("SHA256") && !elements.contains("SHA-256")) {
-            elements.add("SHA-256");
-        }
-        if (elements.contains("SHA-256") && !elements.contains("SHA256")) {
-            elements.add("SHA256");
-        }
-
-        // handle special name: SHA-384 and SHA384
-        if (elements.contains("SHA384") && !elements.contains("SHA-384")) {
-            elements.add("SHA-384");
-        }
-        if (elements.contains("SHA-384") && !elements.contains("SHA384")) {
-            elements.add("SHA384");
-        }
-
-        // handle special name: SHA-512 and SHA512
-        if (elements.contains("SHA512") && !elements.contains("SHA-512")) {
-            elements.add("SHA-512");
-        }
-        if (elements.contains("SHA-512") && !elements.contains("SHA512")) {
-            elements.add("SHA512");
-        }
-
-        return elements;
-    }
-
     // Check algorithm constraints
     private boolean checkConstraints(Set<CryptoPrimitive> primitives,
             String algorithm, Key key, AlgorithmParameters parameters) {
@@ -263,43 +136,18 @@
         return true;
     }
 
-    // Get disabled algorithm constraints from the specified security property.
-    private static void loadDisabledAlgorithmsMap(
-            final String propertyName) {
-
-        String property = AccessController.doPrivileged(
-            new PrivilegedAction<String>() {
-                public String run() {
-                    return Security.getProperty(propertyName);
-                }
-            });
-
-        String[] algorithmsInProperty = null;
-
-        if (property != null && !property.isEmpty()) {
-
-            // remove double quote marks from beginning/end of the property
-            if (property.charAt(0) == '"' &&
-                    property.charAt(property.length() - 1) == '"') {
-                property = property.substring(1, property.length() - 1);
+    private static KeySizeConstraints getKeySizeConstraints(
+            String[] disabledAlgorithms, String propertyName) {
+        synchronized (keySizeConstraintsMap) {
+            if(!keySizeConstraintsMap.containsKey(propertyName)) {
+                // map the key constraints
+                KeySizeConstraints keySizeConstraints =
+                        new KeySizeConstraints(disabledAlgorithms);
+                keySizeConstraintsMap.put(propertyName, keySizeConstraints);
             }
 
-            algorithmsInProperty = property.split(",");
-            for (int i = 0; i < algorithmsInProperty.length; i++) {
-                algorithmsInProperty[i] = algorithmsInProperty[i].trim();
-            }
+            return keySizeConstraintsMap.get(propertyName);
         }
-
-        // map the disabled algorithms
-        if (algorithmsInProperty == null) {
-            algorithmsInProperty = new String[0];
-        }
-        disabledAlgorithmsMap.put(propertyName, algorithmsInProperty);
-
-        // map the key constraints
-        KeySizeConstraints keySizeConstraints =
-            new KeySizeConstraints(algorithmsInProperty);
-        keySizeConstraintsMap.put(propertyName, keySizeConstraints);
     }
 
     /**
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/util/LegacyAlgorithmConstraints.java	Fri May 29 10:15:38 2015 -0700
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.security.AlgorithmParameters;
+import java.security.CryptoPrimitive;
+import java.security.Key;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+import static sun.security.util.AbstractAlgorithmConstraints.getAlgorithms;
+
+/**
+ * Algorithm constraints for legacy algorithms.
+ */
+public class LegacyAlgorithmConstraints extends AbstractAlgorithmConstraints {
+
+    // the known security property, jdk.tls.legacyAlgorithms
+    public final static String PROPERTY_TLS_LEGACY_ALGS =
+            "jdk.tls.legacyAlgorithms";
+
+    private final static Map<String, String[]> legacyAlgorithmsMap =
+                                                          new HashMap<>();
+
+    private final String[] legacyAlgorithms;
+
+    public LegacyAlgorithmConstraints(String propertyName,
+            AlgorithmDecomposer decomposer) {
+        super(decomposer);
+        legacyAlgorithms = getAlgorithms(legacyAlgorithmsMap, propertyName);
+    }
+
+    @Override
+    final public boolean permits(Set<CryptoPrimitive> primitives,
+            String algorithm, AlgorithmParameters parameters) {
+        return checkAlgorithm(legacyAlgorithms, algorithm, decomposer);
+    }
+
+    @Override
+    final public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
+        return true;
+    }
+
+    @Override
+    final public boolean permits(Set<CryptoPrimitive> primitives,
+            String algorithm, Key key, AlgorithmParameters parameters) {
+        return checkAlgorithm(legacyAlgorithms, algorithm, decomposer);
+    }
+
+}
--- a/src/share/classes/sun/security/validator/SimpleValidator.java	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/security/validator/SimpleValidator.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -141,8 +141,18 @@
         // create distrusted certificates checker
         UntrustedChecker untrustedChecker = new UntrustedChecker();
 
+        // check if anchor is untrusted
+        X509Certificate anchorCert = chain[chain.length - 1];
+        try {
+            untrustedChecker.check(anchorCert);
+        } catch (CertPathValidatorException cpve) {
+            throw new ValidatorException(
+                "Untrusted certificate: "+ anchorCert.getSubjectX500Principal(),
+                ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve);
+        }
+
         // create default algorithm constraints checker
-        TrustAnchor anchor = new TrustAnchor(chain[chain.length - 1], null);
+        TrustAnchor anchor = new TrustAnchor(anchorCert, null);
         AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor);
 
         // create application level algorithm constraints checker
--- a/src/share/classes/sun/tools/jar/resources/jar_de.properties	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/tools/jar/resources/jar_de.properties	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -45,4 +45,4 @@
 out.inflated=\ vergr\u00F6\u00DFert: {0}
 out.size=(ein = {0}) (aus = {1})
 
-usage=Verwendung: jar {ctxui}[vfmn0Me] [jar-file] [manifest-file] [entry-point] [-C dir] Dateien ...\nOptionen:\n    -c  Neues Archiv erstellen\n    -t  Inhaltsverzeichnis f\u00FCr Archiv anzeigen\n    -x  Benannte (oder alle) Dateien aus dem Archiv extrahieren\n    -u  Vorhandenes Archiv aktualisieren\n    -v  Ausgabe im Verbose-Modus aus Standard-Ausgabe generieren\n    -f  Dateinamen f\u00FCr Archiv angeben\n    -m  Manifest-Informationen aus angegebener Manifest-Datei einschlie\u00DFen\n    -n  Pack200-Normalisierung nach Erstellung eines neuen Archivs ausf\u00FChren\n    -e  Anwendungs-Einstiegspunkt f\u00FCr alleinstehende Anwendung angeben\n        in einer ausf\u00FChrbaren JAR-Datei geb\u00FCndelt\n    -0  nur speichern; keine ZIP-Komprimierung verwenden\n    -M  keine Manifest-Datei f\u00FCr die Eintr\u00E4ge erstellen\n    -i  Index-Informationen f\u00FCr die angegebenen JAR-Dateien generieren\n    -C  zu angegebenem Verzeichnis wechseln und die folgende Datei einschlie\u00DFen\nDateien, die Verzeichnisse sind, werden rekursiv verarbeitet.\nDie Namen der Manifest-Datei, der Archiv-Datei und des Einstiegspunkts sind\nin derselben Reihenfolge wie die Kennzeichen f\u00FCr "m", "f" und "e" angegeben.\n\nBeispiel 1: Archivieren von zwei Klassendateien in einem Archiv mit dem Namen "classes.jar": \n       jar cvf classes.jar Foo.class Bar.class \nBeispiel 2: Verwenden einer vorhandenen Manifest-Datei mit dem Namen "mymanifest" und Archivieren aller\n           Dateien im Verzeichnis mit dem Namen "foo/" in die Archiv-Datei "classes.jar": \n       jar cvfm classes.jar mymanifest -C foo/ .\n
+usage=Verwendung: jar {ctxui}[vfmn0PMe] [jar-file] [manifest-file] [entry-point] [-C dir] Dateien ...\nOptionen:\n    -c  Neues Archiv erstellen\n    -t  Inhaltsverzeichnis f\u00FCr Archiv anzeigen\n    -x  Benannte (oder alle) Dateien aus dem Archiv extrahieren\n    -u  Vorhandenes Archiv aktualisieren\n    -v  Ausgabe im Verbose-Modus aus Standard-Ausgabe generieren\n    -f  Dateinamen f\u00FCr Archiv angeben\n    -m  Manifestinformationen aus angegebener Manifestdatei einschlie\u00DFen\n    -n  Pack200-Normalisierung nach Erstellung eines neuen Archivs ausf\u00FChren\n    -e  Anwendungseinstiegspunkt f\u00FCr Standalone-Anwendung angeben \n        in einer ausf\u00FChrbaren JAR-Datei geb\u00FCndelt\n    -0  Nur speichern; keine ZIP-Komprimierung verwenden\n    -P  Komponenten mit vorangestelltem "/" (absoluter Pfad) und ".." (\u00FCbergeordnetes Verzeichnis) aus Dateinamen beibehalten\n    -M  Keine Manifest-Datei f\u00FCr die Eintr\u00E4ge erstellen\n    -i  Indexinformationen f\u00FCr die angegebenen JAR-Dateien erstellen\n    -C  Zum angegebenen Verzeichnis wechseln und folgende Datei einschlie\u00DFen\nFalls eine Datei ein Verzeichnis ist, wird dieses rekursiv verarbeitet.\nDer Name der Manifestdatei, der Name der Archivdatei und der Name des Einstiegspunkts werden\nin derselben Reihenfolge wie die Kennzeichen "m", "f" und "e" angegeben.\n\nBeispiel 1: Archivieren Sie zwei Klassendateien in ein Archiv mit Namen "classes.jar": \n       jar cvf classes.jar Foo.class Bar.class \nBeispiel 2: Verwenden Sie die vorhandenen Manifestdatei "mymanifest", und archivieren Sie alle\n           Dateien im Verzeichnis foo/ directory in "classes.jar": \n       jar cvfm classes.jar mymanifest -C foo/ .\n
--- a/src/share/classes/sun/tools/jar/resources/jar_es.properties	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/tools/jar/resources/jar_es.properties	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -45,4 +45,4 @@
 out.inflated=\ inflado: {0}
 out.size=(entrada = {0}) (salida = {1})
 
-usage=Sintaxis: jar {ctxui}[vfmn0Me] [jar-file] [manifest-file] [entry-point] [-C dir] archivos...\nOpciones:\n    -c  crear nuevo archivo\n    -t  crear la tabla de contenido del archivo\n    -x   extraer el archive mencionado (o todos) del archivo\n    -u  actualizar archive existente\n    -v  generar salida detallada de los datos de salida est\u00E1ndar\n    -f  especificar nombre de archive de almacenamiento\n    -m  incluir informaci\u00F3n de manifiesto del archive de manifiesto especificado\n    -n  realizar normalizaci\u00F3n de Pack200 despu\u00E9s de crear un nuevo archivo\n    -e  especificar punto de entrada de la aplicaci\u00F3n para la aplicaci\u00F3n aut\u00F3noma \n        que se incluye dentro de un archive jar ejecutable\n    -0  s\u00F3lo almacenar; no utilizar compresi\u00F3n ZIP\n    -M  no crear un archive de manifiesto para las entradas\n    -i  generar informaci\u00F3n de \u00EDndice para los archives jar especificados\n    -C  cambiar al directorio especificado e incluir el archivo siguiente\nSi alg\u00FAn archivo es un directorio, se procesar\u00E1 de forma recurrente.\nEl nombre del archivo de manifiesto, el nombre del archivo de almacenamiento y el nombre del punto de entrada se\nespecifican en el mismo orden que los indicadores 'm', 'f' y 'e'.\n\nEjemplo 1: para archivar archivos de dos clases en un archivo llamado classes.jar: \n       jar cvf classes.jar Foo.class Bar.class \nEjemplo 2: utilice un archivo de manifiesto existente 'mymanifest' y archive todos los\n           archivos del directorio foo/ en 'classes.jar': \n       jar cvfm classes.jar mymanifest -C foo/ .\n
+usage=Sintaxis: jar {ctxui}[vfmn0PMe] [jar-file] [manifest-file] [entry-point] [-C dir] files ...\nOpciones:\n    -c  crear nuevo archivo\n    -t  crear la tabla de contenido del archivo\n    -x   extraer el archivo mencionado (o todos) del archivo\n    -u  actualizar archivo existente\n    -v  generar salida detallada de los datos de salida est\u00E1ndar\n    -f  especificar nombre de archivo de almacenamiento\n    -m  incluir informaci\u00F3n de manifiesto del archivo de manifiesto especificado\n    -e  especificar punto de entrada de la aplicaci\u00F3n para la aplicaci\u00F3n aut\u00F3noma \n        que se incluye dentro de un archivo jar ejecutable\n    -0  s\u00F3lo almacenar; no utilizar compresi\u00F3n ZIP\n    -P  conservar componentes iniciales '/' (ruta absoluta) y ".." (directorio principal) en los nombres de archivo\n    -M  no crear un archivo de manifiesto para las entradas\n    -i  generar informaci\u00F3n de \u00EDndice para los archivos jar especificados\n    -C  cambiar al directorio especificado e incluir el archivo siguiente\nSi alg\u00FAn archivo es un directorio, se procesar\u00E1 de forma recurrente.\nEl nombre del archivo de manifiesto, el nombre del archivo de almacenamiento y el nombre del punto de entrada se\nespecifican en el mismo orden que los indicadores 'm', 'f' y 'e'.\n\nEjemplo 1: para archivar archivos de dos clases en un archivo llamado classes.jar: \n       jar cvf classes.jar Foo.class Bar.class \nEjemplo 2: utilice un archivo de manifiesto existente 'mymanifest' y archive todos los\n           archivos del directorio foo/ en 'classes.jar': \n       jar cvfm classes.jar mymanifest -C foo/ .\n
--- a/src/share/classes/sun/tools/jar/resources/jar_fr.properties	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/tools/jar/resources/jar_fr.properties	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -45,4 +45,4 @@
 out.inflated=\ d\u00E9compress\u00E9 : {0}
 out.size=(entr\u00E9e = {0}) (sortie = {1})
 
-usage=Syntaxe : jar {ctxui}[vfmn0Me] [fichier-jar] [fichier-manifeste] [point-entr\u00E9e] [-C r\u00E9p] fichiers...\nOptions :\n    -c  cr\u00E9e une archive\n    -t  affiche la table des mati\u00E8res de l'archive\n    -x  extrait les fichiers nomm\u00E9s (ou tous les fichiers) de l'archive\n    -u  met \u00E0 jour l'archive existante\n    -v  g\u00E9n\u00E8re une version d\u00E9taill\u00E9e d'une sortie standard\n    -f  sp\u00E9cifie le nom du fichier archive\n    -m  inclut les informations de manifeste \u00E0 partir du fichier manifeste sp\u00E9cifi\u00E9\n    -n  effectue une normalisation Pack200 apr\u00E8s la cr\u00E9ation d'une archive\n    -e  sp\u00E9cifie le point d'entr\u00E9e d'une application en mode autonome \n        int\u00E9gr\u00E9e \u00E0 un fichier JAR ex\u00E9cutable\n    -0  stockage uniquement, pas de compression ZIP\n    -M  ne cr\u00E9e pas de fichier manifeste pour les entr\u00E9es\n    -i  g\u00E9n\u00E8re les informations d'index des fichiers JAR sp\u00E9cifi\u00E9s\n    -C  passe au r\u00E9pertoire sp\u00E9cifi\u00E9 et inclut le fichier suivant\nSi l'un des fichiers est un r\u00E9pertoire, celui-ci est trait\u00E9 r\u00E9cursivement.\nLes noms du fichier manifeste, du fichier d'archive et du point d'entr\u00E9e sont\nsp\u00E9cifi\u00E9s dans le m\u00EAme ordre que celui des indicateurs m, f et e.\n\nExemple 1 : pour archiver deux fichiers de classe dans une archive intitul\u00E9e classes.jar : \n       jar cvf classes.jar Foo.class Bar.class \nExemple 2 : pour utiliser un fichier manifeste existant 'monmanifeste', puis archiver tous les\n           fichiers du r\u00E9pertoire foo/ dans 'classes.jar' : \n       jar cvfm classes.jar monmanifeste -C foo/ .\n
+usage=Syntaxe : jar {ctxui}[vfmn0PMe] [fichier-jar] [fichier-manifeste] [point-entr\u00E9e] [-C r\u00E9p] fichiers...\nOptions :\n    -c  cr\u00E9e une archive\n    -t  affiche la table des mati\u00E8res de l'archive\n    -x  extrait les fichiers nomm\u00E9s (ou tous les fichiers) de l'archive\n    -u  met \u00E0 jour l'archive existante\n    -v  g\u00E9n\u00E8re une version d\u00E9taill\u00E9e d'une sortie standard\n    -f  sp\u00E9cifie le nom du fichier archive\n    -m  inclut les informations de manifeste \u00E0 partir du fichier manifeste sp\u00E9cifi\u00E9\n    -n  effectue une normalisation Pack200 apr\u00E8s la cr\u00E9ation d'une archive\n    -e  sp\u00E9cifie le point d'entr\u00E9e d'une application en mode autonome \n        int\u00E9gr\u00E9e \u00E0 un fichier JAR ex\u00E9cutable\n    -0  stockage uniquement, pas de compression ZIP\n    -P  pr\u00E9serve les signes de d\u00E9but '/' (chemin absolu) et ".." (r\u00E9pertoire parent) dans les noms de fichier\n    -M  ne cr\u00E9e pas de fichier manifeste pour les entr\u00E9es\n    -i  g\u00E9n\u00E8re les informations d'index des fichiers JAR sp\u00E9cifi\u00E9s\n    -C  passe au r\u00E9pertoire sp\u00E9cifi\u00E9 et inclut le fichier suivant\nSi l'un des fichiers est un r\u00E9pertoire, celui-ci est trait\u00E9 r\u00E9cursivement.\nLes noms du fichier manifeste, du fichier archive et du point d'entr\u00E9e sont\nsp\u00E9cifi\u00E9s dans le m\u00EAme ordre que celui des indicateurs m, f et e.\n\nExemple 1 : pour archiver deux fichiers de classe dans une archive intitul\u00E9e classes.jar : \n       jar cvf classes.jar Foo.class Bar.class \nExemple 2 : pour utiliser un fichier manifeste existant 'monmanifeste', puis archiver tous les\n           fichiers du r\u00E9pertoire foo/ dans 'classes.jar' : \n       jar cvfm classes.jar monmanifeste -C foo/ .\n
--- a/src/share/classes/sun/tools/jar/resources/jar_it.properties	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/tools/jar/resources/jar_it.properties	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -45,4 +45,4 @@
 out.inflated=\ decompresso: {0}
 out.size=(in = {0}) (out = {1})
 
-usage=Uso: jar {ctxui}[vfmn0Me] [file-jar] [file-manifest] [punto di ingresso] [-C dir] file ...\nOpzioni:\n    -c  crea un nuovo archivio\n    -t  visualizza l'indice dell'archivio\n    -x  estrae i file con nome (o tutti i file) dall'archivio\n    -u  aggiorna l'archivio esistente\n    -v  genera output commentato dall'output standard\n    -f  specifica il nome file dell'archivio\n    -m  include informazioni manifest dal file manifest specificato\n    -n  esegue la normalizzazione Pack200 dopo la creazione di un nuovo archivio\n    -e  specifica il punto di ingresso per l'applicazione standalone \n        inclusa nel file jar eseguibile\n    -0  solo memorizzazione; senza compressione ZIP\n    -M  consente di non creare un file manifest per le voci\n    -i  genera informazioni sull'indice per i file jar specificati\n    -C  imposta la directory specificata e include il file seguente\nSe un file \u00E8 una directory, verr\u00E0 elaborato in modo ricorsivo.\nIl nome del file manifest, del file di archivio e del punto di ingresso devono\nessere specificati nello stesso ordine dei flag 'm', 'f' ed 'e'.\n\nEsempio 1: archiviazione di due file di classe in un archivio con il nome classes.jar: \n       jar cvf classes.jar Foo.class Bar.class \nEsempio 2: utilizzo del file manifest esistente 'mymanifest' e archiviazione di tutti i\n           file della directory foo/ in 'classes.jar': \n       jar cvfm classes.jar mymanifest -C foo/ .\n
+usage=Uso: jar {ctxui}[vfmn0PMe] [jar-file] [manifest-file] [entry-point] [-C dir] files ...\nOpzioni:\n    -c  crea un nuovo archivio\n    -t  visualizza l'indice dell'archivio\n    -x  estrae i file con nome (o tutti i file) dall'archivio\n    -u  aggiorna l'archivio esistente\n    -v  genera output commentato dall'output standard\n    -f  specifica il nome file dell'archivio\n    -m  include informazioni manifest dal file manifest specificato\n    -n  esegue normalizzazione Pack200 dopo la creazione di un nuovo archivio\n    -e  specifica il punto di ingresso per l'applicazione stand-alone \n        inclusa nel file jar eseguibile\n    -0  solo memorizzazione; senza compressione ZIP\n    -P  conserva i componenti iniziali '/' (percorso assoluto) e \\"..\\" (directory padre) dai nomi file\n    -M  consente di non creare un file manifest per le voci\n    -i  genera informazioni sull'indice per i file jar specificati\n    -C  imposta la directory specificata e include il file seguente\nSe un file \u00E8 una directory, verr\u00E0 elaborato in modo ricorsivo.\nIl nome del file manifest, del file di archivio e del punto di ingresso devono\nessere specificati nello stesso ordine dei flag 'm', 'f' ed 'e'.\n\nEsempio 1: archiviazione di due file di classe in un archivio con il nome classes.jar: \n       jar cvf classes.jar Foo.class Bar.class \nEsempio 2: utilizzo del file manifest esistente 'mymanifest' e archiviazione di tutti i\n           file della directory foo/ in 'classes.jar': \n       jar cvfm classes.jar mymanifest -C foo/ .\n
--- a/src/share/classes/sun/tools/jar/resources/jar_ja.properties	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/tools/jar/resources/jar_ja.properties	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -45,4 +45,4 @@
 out.inflated=\ {0}\u304C\u5C55\u958B\u3055\u308C\u307E\u3057\u305F
 out.size=(\u5165={0})(\u51FA={1})
 
-usage=\u4F7F\u7528\u65B9\u6CD5: jar {ctxui}[vfmn0Me] [jar-file] [manifest-file] [entry-point] [-C dir] files ...\n\u30AA\u30D7\u30B7\u30E7\u30F3:\n    -c  \u30A2\u30FC\u30AB\u30A4\u30D6\u3092\u65B0\u898F\u4F5C\u6210\u3059\u308B\n    -t  \u30A2\u30FC\u30AB\u30A4\u30D6\u306E\u5185\u5BB9\u3092\u4E00\u89A7\u8868\u793A\u3059\u308B\n    -x  \u6307\u5B9A\u306E(\u307E\u305F\u306F\u3059\u3079\u3066\u306E)\u30D5\u30A1\u30A4\u30EB\u3092\u30A2\u30FC\u30AB\u30A4\u30D6\u304B\u3089\u62BD\u51FA\u3059\u308B\n    -u  \u65E2\u5B58\u30A2\u30FC\u30AB\u30A4\u30D6\u3092\u66F4\u65B0\u3059\u308B\n    -v  \u6A19\u6E96\u51FA\u529B\u306B\u8A73\u7D30\u306A\u51FA\u529B\u3092\u751F\u6210\u3059\u308B\n    -f  \u30A2\u30FC\u30AB\u30A4\u30D6\u30FB\u30D5\u30A1\u30A4\u30EB\u540D\u3092\u6307\u5B9A\u3059\u308B\n    -m  \u6307\u5B9A\u306E\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB\u304B\u3089\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u60C5\u5831\u3092\u53D6\u308A\u8FBC\u3080\n    -n  \u65B0\u898F\u30A2\u30FC\u30AB\u30A4\u30D6\u306E\u4F5C\u6210\u5F8C\u306BPack200\u6B63\u898F\u5316\u3092\u5B9F\u884C\u3059\u308B\n    -e  \u5B9F\u884C\u53EF\u80FDjar\u30D5\u30A1\u30A4\u30EB\u306B\u30D0\u30F3\u30C9\u30EB\u3055\u308C\u305F\u30B9\u30BF\u30F3\u30C9\u30A2\u30ED\u30F3\u30FB\n        \u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u306E\u30A8\u30F3\u30C8\u30EA\u30FB\u30DD\u30A4\u30F3\u30C8\u3092\u6307\u5B9A\u3059\u308B\n    -0  \u683C\u7D0D\u306E\u307F\u3002ZIP\u5727\u7E2E\u3092\u4F7F\u7528\u3057\u306A\u3044\n    -M  \u30A8\u30F3\u30C8\u30EA\u306E\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB\u3092\u4F5C\u6210\u3057\u306A\u3044\n    -i  \u6307\u5B9A\u306Ejar\u30D5\u30A1\u30A4\u30EB\u306E\u7D22\u5F15\u60C5\u5831\u3092\u751F\u6210\u3059\u308B\n    -C  \u6307\u5B9A\u306E\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306B\u5909\u66F4\u3057\u3001\u6B21\u306E\u30D5\u30A1\u30A4\u30EB\u3092\u53D6\u308A\u8FBC\u3080\n\u30D5\u30A1\u30A4\u30EB\u304C\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E\u5834\u5408\u306F\u518D\u5E30\u7684\u306B\u51E6\u7406\u3055\u308C\u307E\u3059\u3002\n\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB\u540D\u3001\u30A2\u30FC\u30AB\u30A4\u30D6\u30FB\u30D5\u30A1\u30A4\u30EB\u540D\u304A\u3088\u3073\u30A8\u30F3\u30C8\u30EA\u30FB\u30DD\u30A4\u30F3\u30C8\u540D\u306F\u3001\n\u30D5\u30E9\u30B0'm'\u3001'f'\u3001'e'\u306E\u6307\u5B9A\u3068\u540C\u3058\u9806\u756A\u3067\u6307\u5B9A\u3059\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002\n\n\u4F8B1: 2\u3064\u306E\u30AF\u30E9\u30B9\u30FB\u30D5\u30A1\u30A4\u30EB\u3092\u30A2\u30FC\u30AB\u30A4\u30D6classes.jar\u306B\u4FDD\u5B58\u3059\u308B: \n       jar cvf classes.jar Foo.class Bar.class \n\u4F8B2: \u65E2\u5B58\u306E\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB'mymanifest'\u3092\u4F7F\u7528\u3057\u3001foo/\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E\n           \u5168\u30D5\u30A1\u30A4\u30EB\u3092'classes.jar'\u306B\u30A2\u30FC\u30AB\u30A4\u30D6\u3059\u308B: \n       jar cvfm classes.jar mymanifest -C foo/ .\n
+usage=\u4F7F\u7528\u65B9\u6CD5: jar {ctxui}[vfmn0PMe] [jar-file] [manifest-file] [entry-point] [-C dir] files ...\n\u30AA\u30D7\u30B7\u30E7\u30F3:\n    -c  \u30A2\u30FC\u30AB\u30A4\u30D6\u3092\u65B0\u898F\u4F5C\u6210\u3059\u308B\n    -t  \u30A2\u30FC\u30AB\u30A4\u30D6\u306E\u5185\u5BB9\u3092\u4E00\u89A7\u8868\u793A\u3059\u308B\n    -x  \u6307\u5B9A\u306E(\u307E\u305F\u306F\u3059\u3079\u3066\u306E)\u30D5\u30A1\u30A4\u30EB\u3092\u30A2\u30FC\u30AB\u30A4\u30D6\u304B\u3089\u62BD\u51FA\u3059\u308B\n    -u  \u65E2\u5B58\u30A2\u30FC\u30AB\u30A4\u30D6\u3092\u66F4\u65B0\u3059\u308B\n    -v  \u6A19\u6E96\u51FA\u529B\u306B\u8A73\u7D30\u306A\u51FA\u529B\u3092\u751F\u6210\u3059\u308B\n    -f  \u30A2\u30FC\u30AB\u30A4\u30D6\u30FB\u30D5\u30A1\u30A4\u30EB\u540D\u3092\u6307\u5B9A\u3059\u308B\n    -m  \u6307\u5B9A\u306E\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB\u304B\u3089\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u60C5\u5831\u3092\u53D6\u308A\u8FBC\u3080\n    -n  \u65B0\u898F\u30A2\u30FC\u30AB\u30A4\u30D6\u306E\u4F5C\u6210\u5F8C\u306BPack200\u6B63\u898F\u5316\u3092\u5B9F\u884C\u3059\u308B\n    -e  \u5B9F\u884C\u53EF\u80FDjar\u30D5\u30A1\u30A4\u30EB\u306B\u30D0\u30F3\u30C9\u30EB\u3055\u308C\u305F\u30B9\u30BF\u30F3\u30C9\u30A2\u30ED\u30F3\u30FB\n        \u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u306E\u30A8\u30F3\u30C8\u30EA\u30FB\u30DD\u30A4\u30F3\u30C8\u3092\u6307\u5B9A\u3059\u308B\n    -0  \u683C\u7D0D\u306E\u307F\u3002ZIP\u5727\u7E2E\u3092\u4F7F\u7528\u3057\u306A\u3044\n    -P  \u30D5\u30A1\u30A4\u30EB\u540D\u306E\u5148\u982D\u306E'/' (\u7D76\u5BFE\u30D1\u30B9)\u304A\u3088\u3073\\"..\\" (\u89AA\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA)\u30B3\u30F3\u30DD\u30FC\u30CD\u30F3\u30C8\u3092\u4FDD\u6301\u3059\u308B\n    -M  \u30A8\u30F3\u30C8\u30EA\u306E\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB\u3092\u4F5C\u6210\u3057\u306A\u3044\n    -i  \u6307\u5B9A\u306Ejar\u30D5\u30A1\u30A4\u30EB\u306E\u7D22\u5F15\u60C5\u5831\u3092\u751F\u6210\u3059\u308B\n    -C  \u6307\u5B9A\u306E\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306B\u5909\u66F4\u3057\u3001\u6B21\u306E\u30D5\u30A1\u30A4\u30EB\u3092\u53D6\u308A\u8FBC\u3080\n\u30D5\u30A1\u30A4\u30EB\u304C\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E\u5834\u5408\u306F\u518D\u5E30\u7684\u306B\u51E6\u7406\u3055\u308C\u307E\u3059\u3002\n\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB\u540D\u3001\u30A2\u30FC\u30AB\u30A4\u30D6\u30FB\u30D5\u30A1\u30A4\u30EB\u540D\u304A\u3088\u3073\u30A8\u30F3\u30C8\u30EA\u30FB\u30DD\u30A4\u30F3\u30C8\u540D\u306F\u3001\n\u30D5\u30E9\u30B0'm'\u3001'f'\u3001'e'\u306E\u6307\u5B9A\u3068\u540C\u3058\u9806\u756A\u3067\u6307\u5B9A\u3059\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002\n\n\u4F8B1: 2\u3064\u306E\u30AF\u30E9\u30B9\u30FB\u30D5\u30A1\u30A4\u30EB\u3092\u30A2\u30FC\u30AB\u30A4\u30D6classes.jar\u306B\u4FDD\u5B58\u3059\u308B: \n       jar cvf classes.jar Foo.class Bar.class \n\u4F8B2: \u65E2\u5B58\u306E\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB'mymanifest'\u3092\u4F7F\u7528\u3057\u3001foo/\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E\n           \u5168\u30D5\u30A1\u30A4\u30EB\u3092'classes.jar'\u306B\u30A2\u30FC\u30AB\u30A4\u30D6\u3059\u308B: \n       jar cvfm classes.jar mymanifest -C foo/ \n
--- a/src/share/classes/sun/tools/jar/resources/jar_ko.properties	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/tools/jar/resources/jar_ko.properties	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -45,4 +45,4 @@
 out.inflated=\ \uC99D\uAC00\uB428: {0}
 out.size=(\uC785\uB825 = {0}) (\uCD9C\uB825 = {1})
 
-usage=\uC0AC\uC6A9\uBC95: jar {ctxui}[vfmn0Me] [jar-file] [manifest-file] [entry-point] [-C dir] files ...\n\uC635\uC158:\n    -c  \uC0C8 \uC544\uCE74\uC774\uBE0C\uB97C \uC0DD\uC131\uD569\uB2C8\uB2E4.\n    -t  \uC544\uCE74\uC774\uBE0C\uC5D0 \uB300\uD55C \uBAA9\uCC28\uB97C \uB098\uC5F4\uD569\uB2C8\uB2E4.\n    -x  \uBA85\uBA85\uB41C(\uB610\uB294 \uBAA8\uB4E0) \uD30C\uC77C\uC744 \uC544\uCE74\uC774\uBE0C\uC5D0\uC11C \uCD94\uCD9C\uD569\uB2C8\uB2E4.\n    -u  \uAE30\uC874 \uC544\uCE74\uC774\uBE0C\uB97C \uC5C5\uB370\uC774\uD2B8\uD569\uB2C8\uB2E4.\n    -v  \uD45C\uC900 \uCD9C\uB825\uC5D0 \uC0C1\uC138 \uC815\uBCF4 \uCD9C\uB825\uC744 \uC0DD\uC131\uD569\uB2C8\uB2E4.\n    -f  \uC544\uCE74\uC774\uBE0C \uD30C\uC77C \uC774\uB984\uC744 \uC9C0\uC815\uD569\uB2C8\uB2E4.\n    -m  \uC9C0\uC815\uB41C Manifest \uD30C\uC77C\uC758 Manifest \uC815\uBCF4\uB97C \uD3EC\uD568\uD569\uB2C8\uB2E4.\n    -n  \uC0C8 \uC544\uCE74\uC774\uBE0C\uB97C \uC0DD\uC131\uD55C \uD6C4 Pack200 \uC815\uADDC\uD654\uB97C \uC218\uD589\uD569\uB2C8\uB2E4.\n    -e  jar \uC2E4\uD589 \uD30C\uC77C\uC5D0 \uBC88\uB4E4\uB85C \uC81C\uACF5\uB41C \uB3C5\uB9BD\uD615 \uC751\uC6A9 \uD504\uB85C\uADF8\uB7A8\uC758 \n        \uC751\uC6A9 \uD504\uB85C\uADF8\uB7A8 \uC2DC\uC791 \uC9C0\uC810\uC744 \uC9C0\uC815\uD569\uB2C8\uB2E4.\n    -0  \uC800\uC7A5 \uC804\uC6A9: ZIP \uC555\uCD95\uC744 \uC0AC\uC6A9\uD558\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.\n    -M  \uD56D\uBAA9\uC5D0 \uB300\uD574 Manifest \uD30C\uC77C\uC744 \uC0DD\uC131\uD558\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.\n    -i  \uC9C0\uC815\uB41C jar \uD30C\uC77C\uC5D0 \uB300\uD55C \uC778\uB371\uC2A4 \uC815\uBCF4\uB97C \uC0DD\uC131\uD569\uB2C8\uB2E4.\n    -C  \uC9C0\uC815\uB41C \uB514\uB809\uD1A0\uB9AC\uB85C \uBCC0\uACBD\uD558\uACE0 \uB2E4\uC74C \uD30C\uC77C\uC744 \uD3EC\uD568\uD569\uB2C8\uB2E4.\n\uD2B9\uC815 \uD30C\uC77C\uC774 \uB514\uB809\uD1A0\uB9AC\uC77C \uACBD\uC6B0 \uC21C\uD658\uC801\uC73C\uB85C \uCC98\uB9AC\uB429\uB2C8\uB2E4.\nManifest \uD30C\uC77C \uC774\uB984, \uC544\uCE74\uC774\uBE0C \uD30C\uC77C \uC774\uB984 \uBC0F \uC2DC\uC791 \uC9C0\uC810 \uC774\uB984\uC740\n'm', 'f' \uBC0F 'e' \uD50C\uB798\uADF8\uC640 \uB3D9\uC77C\uD55C \uC21C\uC11C\uB85C \uC9C0\uC815\uB429\uB2C8\uB2E4.\n\n\uC608 1: classes.jar\uB77C\uB294 \uC544\uCE74\uC774\uBE0C\uC5D0 \uB450 \uD074\uB798\uC2A4 \uD30C\uC77C\uC744 \uC544\uCE74\uC774\uBE0C\uD558\uB294 \uBC29\uBC95: \n       jar cvf classes.jar Foo.class Bar.class \n\uC608 2: \uAE30\uC874 Manifest \uD30C\uC77C 'mymanifest'\uB97C \uC0AC\uC6A9\uD558\uC5EC\n           foo/ \uB514\uB809\uD1A0\uB9AC\uC758 \uBAA8\uB4E0 \uD30C\uC77C\uC744 'classes.jar'\uB85C \uC544\uCE74\uC774\uBE0C\uD558\uB294 \uBC29\uBC95: \n       jar cvfm classes.jar mymanifest -C foo/ .
+usage=\uC0AC\uC6A9\uBC95: jar {ctxui}[vfmn0PMe] [jar-file] [manifest-file] [entry-point] [-C dir] files ...\n\uC635\uC158:\n    -c  \uC0C8 \uC544\uCE74\uC774\uBE0C\uB97C \uC0DD\uC131\uD569\uB2C8\uB2E4.\n    -t  \uC544\uCE74\uC774\uBE0C\uC5D0 \uB300\uD55C \uBAA9\uCC28\uB97C \uB098\uC5F4\uD569\uB2C8\uB2E4.\n    -x  \uBA85\uBA85\uB41C(\uB610\uB294 \uBAA8\uB4E0) \uD30C\uC77C\uC744 \uC544\uCE74\uC774\uBE0C\uC5D0\uC11C \uCD94\uCD9C\uD569\uB2C8\uB2E4.\n    -u  \uAE30\uC874 \uC544\uCE74\uC774\uBE0C\uB97C \uC5C5\uB370\uC774\uD2B8\uD569\uB2C8\uB2E4.\n    -v  \uD45C\uC900 \uCD9C\uB825\uC5D0 \uC0C1\uC138 \uC815\uBCF4 \uCD9C\uB825\uC744 \uC0DD\uC131\uD569\uB2C8\uB2E4.\n    -f  \uC544\uCE74\uC774\uBE0C \uD30C\uC77C \uC774\uB984\uC744 \uC9C0\uC815\uD569\uB2C8\uB2E4.\n    -m  \uC9C0\uC815\uB41C Manifest \uD30C\uC77C\uC758 Manifest \uC815\uBCF4\uB97C \uD3EC\uD568\uD569\uB2C8\uB2E4.\n    -n  \uC0C8 \uC544\uCE74\uC774\uBE0C\uB97C \uC0DD\uC131\uD55C \uD6C4 Pack200 \uC815\uADDC\uD654\uB97C \uC218\uD589\uD569\uB2C8\uB2E4.\n    -e  jar \uC2E4\uD589 \uD30C\uC77C\uC5D0 \uBC88\uB4E4\uB85C \uC81C\uACF5\uB41C \uB3C5\uB9BD\uD615 \uC751\uC6A9 \uD504\uB85C\uADF8\uB7A8\uC758 \n        \uC751\uC6A9 \uD504\uB85C\uADF8\uB7A8 \uC2DC\uC791 \uC9C0\uC810\uC744 \uC9C0\uC815\uD569\uB2C8\uB2E4.\n    -0  \uC800\uC7A5 \uC804\uC6A9: ZIP \uC555\uCD95\uC744 \uC0AC\uC6A9\uD558\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.\n    -P  \uD30C\uC77C \uC774\uB984\uC5D0\uC11C \uC120\uD589 '/'(\uC808\uB300 \uACBD\uB85C) \uBC0F ".."(\uC0C1\uC704 \uB514\uB809\uD1A0\uB9AC) \uAD6C\uC131 \uC694\uC18C\uB97C \uC720\uC9C0\uD569\uB2C8\uB2E4.\n    -M  \uD56D\uBAA9\uC5D0 \uB300\uD574 Manifest \uD30C\uC77C\uC744 \uC0DD\uC131\uD558\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.\n    -i  \uC9C0\uC815\uB41C jar \uD30C\uC77C\uC5D0 \uB300\uD55C \uC778\uB371\uC2A4 \uC815\uBCF4\uB97C \uC0DD\uC131\uD569\uB2C8\uB2E4.\n    -C  \uC9C0\uC815\uB41C \uB514\uB809\uD1A0\uB9AC\uB85C \uBCC0\uACBD\uD558\uACE0 \uB2E4\uC74C \uD30C\uC77C\uC744 \uD3EC\uD568\uD569\uB2C8\uB2E4.\n\uD2B9\uC815 \uD30C\uC77C\uC774 \uB514\uB809\uD1A0\uB9AC\uC77C \uACBD\uC6B0 \uC21C\uD658\uC801\uC73C\uB85C \uCC98\uB9AC\uB429\uB2C8\uB2E4.\nManifest \uD30C\uC77C \uC774\uB984, \uC544\uCE74\uC774\uBE0C \uD30C\uC77C \uC774\uB984 \uBC0F \uC2DC\uC791 \uC9C0\uC810 \uC774\uB984\uC740\n'm', 'f' \uBC0F 'e' \uD50C\uB798\uADF8\uC640 \uB3D9\uC77C\uD55C \uC21C\uC11C\uB85C \uC9C0\uC815\uB429\uB2C8\uB2E4.\n\n\uC608 1: classes.jar\uB77C\uB294 \uC544\uCE74\uC774\uBE0C\uC5D0 \uB450 \uD074\uB798\uC2A4 \uD30C\uC77C\uC744 \uC544\uCE74\uC774\uBE0C\uD558\uB294 \uBC29\uBC95: \n       jar cvf classes.jar Foo.class Bar.class \n\uC608 2: \uAE30\uC874 Manifest \uD30C\uC77C 'mymanifest'\uB97C \uC0AC\uC6A9\uD558\uC5EC\n           foo/ \uB514\uB809\uD1A0\uB9AC\uC758 \uBAA8\uB4E0 \uD30C\uC77C\uC744 'classes.jar'\uB85C \uC544\uCE74\uC774\uBE0C\uD558\uB294 \uBC29\uBC95: \n       jar cvfm classes.jar mymanifest -C foo/ .
--- a/src/share/classes/sun/tools/jar/resources/jar_pt_BR.properties	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/tools/jar/resources/jar_pt_BR.properties	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -45,4 +45,4 @@
 out.inflated=\ inflado: {0}
 out.size=(entrada = {0}) (sa\u00EDda= {1})
 
-usage=Uso: jar {ctxui}[vfmn0Me] [jar-file] [manifest-file] [entry-point] [-C dir] arquivos ...\nOp\u00E7\u00F5es:\n    -c  cria novo arquivo compactado\n    -t  lista o sum\u00E1rio do arquivo compactado\n    -x  extrai arquivos com o nome (ou todos) do arquivo compactado\n    -u  atualiza o arquivo compactado existente\n    -v  gera sa\u00EDda detalhada na sa\u00EDda padr\u00E3o\n    -f  especifica o nome do arquivo do arquivo compactado\n    -m  inclui as informa\u00E7\u00F5es do manifesto do arquivo de manifesto especificado\n    -n   executa a normaliza\u00E7\u00E3o Pack200 ap\u00F3s a cria\u00E7\u00E3o de um novo arquivo compactado\n    -e  especifica o ponto de entrada da aplica\u00E7\u00E3o para aplica\u00E7\u00E3o stand-alone \n        empacotada em um arquivo jar execut\u00E1vel\n    -0  armazena somente; n\u00E3o usa compacta\u00E7\u00E3o ZIP\n    -M  n\u00E3o cria um arquivo de manifesto para as entradas\n    -i  gera informa\u00E7\u00F5es de \u00EDndice para os arquivos especificados\n    -C  passa para o diret\u00F3rio especificado e inclui o arquivo a seguir\nSe um arquivo tamb\u00E9m for um diret\u00F3rio, ele ser\u00E1 processado repetidamente.\nO nome do arquivo de manifesto, o nome do arquivo compactado e o nome do ponto de entrada s\u00E3o\nespecificados na mesma ordem dos flags 'm', 'f' e 'e'.\n\nExemplo 1: para arquivar dois arquivos de classe em um arquivo compactado denominado classes.jar: \n       jar cvf classes.jar Foo.class Bar.class \nExemplo 2: use um arquivo de manifesto existente 'mymanifest' e arquive todos os\n           arquivos no diret\u00F3rio foo/ na 'classes.jar': \n       jar cvfm classes.jar mymanifest -C foo/ .\n
+usage=Uso: jar {ctxui}[vfmn0Me] [jar-file] [manifest-file] [entry-point] [-C dir] arquivos ...\nOp\u00E7\u00F5es:\n    -c  cria novo arquivo compactado\n    -t  lista o sum\u00E1rio do arquivo compactado\n    -x  extrai arquivos com o nome (ou todos) do arquivo compactado\n    -u  atualiza o arquivo compactado existente\n    -v  gera sa\u00EDda detalhada na sa\u00EDda padr\u00E3o\n    -f  especifica o nome do arquivo do arquivo compactado\n    -m  inclui as informa\u00E7\u00F5es do manifesto do arquivo de manifesto especificado\n    -n   executa a normaliza\u00E7\u00E3o Pack200 ap\u00F3s a cria\u00E7\u00E3o de um novo arquivo compactado\n    -e  especifica o ponto de entrada da aplica\u00E7\u00E3o para aplica\u00E7\u00E3o stand-alone \n        empacotada em um arquivo jar execut\u00E1vel\n    -0  armazena somente; n\u00E3o usa compacta\u00E7\u00E3o ZIP\n    -P  preserva os componentes '/' inicial (caminho absoluto) e ".." (diret\u00F3rio pai) nos nomes dos arquivos\n    -M  n\u00E3o cria um arquivo de manifesto para as entradas\n    -i  gera informa\u00E7\u00F5es de \u00EDndice para os arquivos especificados\n    -C  passa para o diret\u00F3rio especificado e inclui o arquivo a seguir\nSe um arquivo tamb\u00E9m for um diret\u00F3rio, ele ser\u00E1 processado repetidamente.\nO nome do arquivo de manifesto, o nome do arquivo compactado e o nome do ponto de entrada s\u00E3o\nespecificados na mesma ordem dos flags 'm', 'f' e 'e'.\n\nExemplo 1: para arquivar dois arquivos de classe em um arquivo compactado denominado classes.jar: \n       jar cvf classes.jar Foo.class Bar.class \nExemplo 2: use um arquivo de manifesto existente 'mymanifest' e arquive todos os\n           arquivos no diret\u00F3rio foo/ na 'classes.jar': \n       jar cvfm classes.jar mymanifest -C foo/ .\n
--- a/src/share/classes/sun/tools/jar/resources/jar_sv.properties	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/tools/jar/resources/jar_sv.properties	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -45,4 +45,4 @@
 out.inflated=\ uppackat: {0}
 out.size=(in = {0}) (ut = {1})
 
-usage=Syntax: jar {ctxui}[vfmn0Me] [jar-fil] [manifestfil] [startpunkt] [-C katalog] filer ...\nAlternativ:\n    -c  skapa nytt arkiv\n    -t  lista inneh\u00E5llsf\u00F6rteckning f\u00F6r arkiv\n    -x  extrahera namngivna (eller alla) filer fr\u00E5n arkiv\n    -u  uppdatera befintligt arkiv\n    -v  generera utf\u00F6rliga utdata vid standardutmatning\n    -f  ange arkivfilens namn\n    -m  inkludera manifestinformation fr\u00E5n angivet manifest\n    -n  utf\u00F6r Pack200-normalisering efter att ha skapat ett nytt arkiv\n    -e  ange programstartpunkt f\u00F6r frist\u00E5ende applikation \n        som medf\u00F6ljer i en jar-programfil\n    -0  endast lagra  (ingen zip-komprimering)\n    -M  skapa inte n\u00E5gon manifestfil f\u00F6r posterna\n    -i  generera indexinformation f\u00F6r de angivna jar-filerna\n    -C  \u00E4ndra till den angivna katalogen och inkludera f\u00F6ljande fil\nOm en fil \u00E4r en katalog bearbetas den rekursivt.\nNamnen p\u00E5 manifestfilen, arkivfilen och startpunkten anges\ni samma ordning som m-, f- och e-flaggorna.\n\nExempel 1: S\u00E5 h\u00E4r arkiverar du tv\u00E5 klassfiler i ett arkiv med namnet classes.jar: \n       jar cvf classes.jar Foo.class Bar.class \nExempel 2: Anv\u00E4nd en befintlig manifestfil (mymanifest) och arkivera alla\n           filer fr\u00E5n katalogen foo/ i classes.jar: \n       jar cvfm classes.jar mymanifest -C foo/ .\n
+usage=Syntax: jar {ctxui}[vfmn0PMe] [jar-file] [manifest-file] [entry-point] [-C dir] files ...\nAlternativ:\n    -c  skapa nytt arkiv\n    -t  lista inneh\u00E5llsf\u00F6rteckning f\u00F6r arkiv\n    -x  extrahera namngivna (eller alla) filer fr\u00E5n arkivet\n    -u  uppdatera befintligt arkiv\n    -v  generera utf\u00F6rliga utdata vid standardutmatning\n    -f  ange arkivfilens namn\n    -m  inkludera manifestinformation fr\u00E5n angivet manifest\n    -n  utf\u00F6r Pack200-normalisering efter att ett nytt arkiv har skapats\n    -e  ange programstartpunkt f\u00F6r frist\u00E5ende applikation \n        som medf\u00F6ljer i en jar-programfil\n    -0  lagra endast; anv\u00E4nd inte zip-komprimering\n    -P  beh\u00E5ll komponenter f\u00F6r inledande '/' (absolut s\u00F6kv\u00E4g) och ".." (\u00F6verordnad  katalog) fr\u00E5n filnamn\n    -M  skapa inte n\u00E5gon manifestfil f\u00F6r posterna\n    -i  generera indexinformation f\u00F6r de angivna jar-filerna\n    -C  \u00E4ndra till den angivna katalogen och inkludera f\u00F6ljande fil\nOm en fil \u00E4r en katalog bearbetas den rekursivt.\nNamnen p\u00E5 manifestfilen, arkivfilen och startpunkten anges i samma\nordning som flaggorna 'm', 'f' och 'e'.\n\nExempel 1: S\u00E5 h\u00E4r arkiverar du tv\u00E5 klassfiler i ett arkiv med namnet classes.jar: \n       jar cvf classes.jar Foo.class Bar.class \nExempel 2: Anv\u00E4nd en befintlig manifestfil (mymanifest) och arkivera alla\n           filer fr\u00E5n katalogen 'foo/' till 'classes.jar': \n       jar cvfm classes.jar mymanifest -C foo/ .\n
--- a/src/share/classes/sun/tools/jar/resources/jar_zh_CN.properties	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/tools/jar/resources/jar_zh_CN.properties	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -45,4 +45,4 @@
 out.inflated=\  \u5DF2\u89E3\u538B: {0}
 out.size=(\u8F93\u5165 = {0}) (\u8F93\u51FA = {1})
 
-usage=\u7528\u6CD5: jar {ctxui}[vfmn0Me] [jar-file] [manifest-file] [entry-point] [-C dir] files ...\n\u9009\u9879:\n    -c  \u521B\u5EFA\u65B0\u6863\u6848\n    -t  \u5217\u51FA\u6863\u6848\u76EE\u5F55\n    -x  \u4ECE\u6863\u6848\u4E2D\u63D0\u53D6\u6307\u5B9A\u7684 (\u6216\u6240\u6709) \u6587\u4EF6\n    -u  \u66F4\u65B0\u73B0\u6709\u6863\u6848\n    -v  \u5728\u6807\u51C6\u8F93\u51FA\u4E2D\u751F\u6210\u8BE6\u7EC6\u8F93\u51FA\n    -f  \u6307\u5B9A\u6863\u6848\u6587\u4EF6\u540D\n    -m  \u5305\u542B\u6307\u5B9A\u6E05\u5355\u6587\u4EF6\u4E2D\u7684\u6E05\u5355\u4FE1\u606F\n    -n  \u521B\u5EFA\u65B0\u6863\u6848\u540E\u6267\u884C Pack200 \u89C4\u8303\u5316\n    -e  \u4E3A\u7ED1\u5B9A\u5230\u53EF\u6267\u884C jar \u6587\u4EF6\u7684\u72EC\u7ACB\u5E94\u7528\u7A0B\u5E8F\n        \u6307\u5B9A\u5E94\u7528\u7A0B\u5E8F\u5165\u53E3\u70B9\n    -0  \u4EC5\u5B58\u50A8; \u4E0D\u4F7F\u7528\u4EFB\u4F55 ZIP \u538B\u7F29\n    -M  \u4E0D\u521B\u5EFA\u6761\u76EE\u7684\u6E05\u5355\u6587\u4EF6\n    -i  \u4E3A\u6307\u5B9A\u7684 jar \u6587\u4EF6\u751F\u6210\u7D22\u5F15\u4FE1\u606F\n    -C  \u66F4\u6539\u4E3A\u6307\u5B9A\u7684\u76EE\u5F55\u5E76\u5305\u542B\u4EE5\u4E0B\u6587\u4EF6\n\u5982\u679C\u4EFB\u4F55\u6587\u4EF6\u4E3A\u76EE\u5F55, \u5219\u5BF9\u5176\u8FDB\u884C\u9012\u5F52\u5904\u7406\u3002\n\u6E05\u5355\u6587\u4EF6\u540D, \u6863\u6848\u6587\u4EF6\u540D\u548C\u5165\u53E3\u70B9\u540D\u79F0\u7684\u6307\u5B9A\u987A\u5E8F\n\u4E0E 'm', 'f' \u548C 'e' \u6807\u8BB0\u7684\u6307\u5B9A\u987A\u5E8F\u76F8\u540C\u3002\n\n\u793A\u4F8B 1: \u5C06\u4E24\u4E2A\u7C7B\u6587\u4EF6\u5F52\u6863\u5230\u4E00\u4E2A\u540D\u4E3A classes.jar \u7684\u6863\u6848\u4E2D: \n       jar cvf classes.jar Foo.class Bar.class \n\u793A\u4F8B 2: \u4F7F\u7528\u73B0\u6709\u7684\u6E05\u5355\u6587\u4EF6 'mymanifest' \u5E76\n           \u5C06 foo/ \u76EE\u5F55\u4E2D\u7684\u6240\u6709\u6587\u4EF6\u5F52\u6863\u5230 'classes.jar' \u4E2D: \n       jar cvfm classes.jar mymanifest -C foo/ .\n
+usage=\u7528\u6CD5: jar {ctxui}[vfmn0PMe] [jar-file] [manifest-file] [entry-point] [-C dir] files ...\n\u9009\u9879:\n    -c  \u521B\u5EFA\u65B0\u6863\u6848\n    -t  \u5217\u51FA\u6863\u6848\u76EE\u5F55\n    -x  \u4ECE\u6863\u6848\u4E2D\u63D0\u53D6\u6307\u5B9A\u7684 (\u6216\u6240\u6709) \u6587\u4EF6\n    -u  \u66F4\u65B0\u73B0\u6709\u6863\u6848\n    -v  \u5728\u6807\u51C6\u8F93\u51FA\u4E2D\u751F\u6210\u8BE6\u7EC6\u8F93\u51FA\n    -f  \u6307\u5B9A\u6863\u6848\u6587\u4EF6\u540D\n    -m  \u5305\u542B\u6307\u5B9A\u6E05\u5355\u6587\u4EF6\u4E2D\u7684\u6E05\u5355\u4FE1\u606F\n    -n  \u521B\u5EFA\u65B0\u6863\u6848\u540E\u6267\u884C Pack200 \u89C4\u8303\u5316\n    -e  \u4E3A\u6346\u7ED1\u5230\u53EF\u6267\u884C jar \u6587\u4EF6\u7684\u72EC\u7ACB\u5E94\u7528\u7A0B\u5E8F\n        \u6307\u5B9A\u5E94\u7528\u7A0B\u5E8F\u5165\u53E3\u70B9\n    -0  \u4EC5\u5B58\u50A8; \u4E0D\u4F7F\u7528\u4EFB\u4F55 ZIP \u538B\u7F29\n    -P  \u4FDD\u7559\u6587\u4EF6\u540D\u4E2D\u7684\u524D\u5BFC '/' (\u7EDD\u5BF9\u8DEF\u5F84) \u548C ".." (\u7236\u76EE\u5F55) \u7EC4\u4EF6\n    -M  \u4E0D\u521B\u5EFA\u6761\u76EE\u7684\u6E05\u5355\u6587\u4EF6\n    -i  \u4E3A\u6307\u5B9A\u7684 jar \u6587\u4EF6\u751F\u6210\u7D22\u5F15\u4FE1\u606F\n    -C  \u66F4\u6539\u4E3A\u6307\u5B9A\u7684\u76EE\u5F55\u5E76\u5305\u542B\u4EE5\u4E0B\u6587\u4EF6\n\u5982\u679C\u4EFB\u4F55\u6587\u4EF6\u4E3A\u76EE\u5F55, \u5219\u5BF9\u5176\u8FDB\u884C\u9012\u5F52\u5904\u7406\u3002\n\u6E05\u5355\u6587\u4EF6\u540D, \u6863\u6848\u6587\u4EF6\u540D\u548C\u5165\u53E3\u70B9\u540D\u79F0\u7684\u6307\u5B9A\u987A\u5E8F\n\u4E0E 'm', 'f' \u548C 'e' \u6807\u8BB0\u7684\u6307\u5B9A\u987A\u5E8F\u76F8\u540C\u3002\n\n\u793A\u4F8B 1: \u5C06\u4E24\u4E2A\u7C7B\u6587\u4EF6\u5F52\u6863\u5230\u4E00\u4E2A\u540D\u4E3A classes.jar \u7684\u6863\u6848\u4E2D: \n       jar cvf classes.jar Foo.class Bar.class \n\u793A\u4F8B 2: \u4F7F\u7528\u73B0\u6709\u7684\u6E05\u5355\u6587\u4EF6 'mymanifest' \u5E76\n           \u5C06 foo/ \u76EE\u5F55\u4E2D\u7684\u6240\u6709\u6587\u4EF6\u5F52\u6863\u5230 'classes.jar' \u4E2D: \n       jar cvfm classes.jar mymanifest -C foo/ .\n
--- a/src/share/classes/sun/tools/jar/resources/jar_zh_TW.properties	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/classes/sun/tools/jar/resources/jar_zh_TW.properties	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -45,4 +45,4 @@
 out.inflated=\ \u64F4\u5C55: {0}
 out.size=\ (\u8B80={0})(\u5BEB={1})
 
-usage=\u7528\u6CD5: jar {ctxui}[vfmn0Me] [jar-file] [manifest-file] [entry-point] [-C dir] \u6A94\u6848 ...\n\u9078\u9805:\n    -c  \u5EFA\u7ACB\u65B0\u7684\u6B78\u6A94\n    -t  \u5217\u51FA\u6B78\u6A94\u7684\u76EE\u9304\n    -x  \u5F9E\u6B78\u6A94\u4E2D\u64F7\u53D6\u5DF2\u547D\u540D\u7684 (\u6216\u6240\u6709) \u6A94\u6848\n    -u  \u66F4\u65B0\u73FE\u6709\u6B78\u6A94\n    -v  \u5728\u6A19\u6E96\u8F38\u51FA\u4E2D\u7522\u751F\u8A73\u7D30\u8F38\u51FA\n    -f  \u6307\u5B9A\u6B78\u6A94\u6A94\u6848\u540D\u7A31\n    -m  \u5305\u542B\u6307\u5B9A\u8CC7\u8A0A\u6E05\u55AE\u4E2D\u7684\u8CC7\u8A0A\u6E05\u55AE\u8CC7\u8A0A\n    -n  \u5728\u5EFA\u7ACB\u65B0\u6B78\u6A94\u4E4B\u5F8C\u57F7\u884C Pack200 \u6B63\u898F\u5316\n    -e  \u70BA\u5DF2\u96A8\u9644\u65BC\u53EF\u57F7\u884C jar \u6A94\u6848\u4E2D\u7684\u7368\u7ACB\u61C9\u7528\u7A0B\u5F0F\n        \u6307\u5B9A\u61C9\u7528\u7A0B\u5F0F\u9032\u5165\u9EDE\n    -0  \u50C5\u5132\u5B58; \u4E0D\u4F7F\u7528 ZIP \u58D3\u7E2E\u65B9\u5F0F\n    -M  \u4E0D\u70BA\u9805\u76EE\u5EFA\u7ACB\u8CC7\u8A0A\u6E05\u55AE\u6A94\u6848\n    -i  \u70BA\u6307\u5B9A\u7684 jar \u6A94\u6848\u7522\u751F\u7D22\u5F15\u8CC7\u8A0A\n    -C  \u8B8A\u66F4\u81F3\u6307\u5B9A\u76EE\u9304\u4E26\u5305\u542B\u5F8C\u9762\u6240\u5217\u7684\u6A94\u6848\n\u5982\u679C\u6709\u4EFB\u4F55\u6A94\u6848\u662F\u76EE\u9304\uFF0C\u5247\u6703\u5C0D\u5176\u9032\u884C\u905E\u8FF4\u8655\u7406\u3002\n\u6E05\u55AE\u6A94\u6848\u540D\u7A31\u3001\u6B78\u6A94\u6A94\u6848\u540D\u7A31\u548C\u9032\u5165\u9EDE\u540D\u7A31\n\u7684\u6307\u5B9A\u9806\u5E8F\u8207\u6307\u5B9A 'm' \u65D7\u6A19\u3001'f' \u65D7\u6A19\u548C 'e' \u65D7\u6A19\u7684\u9806\u5E8F\u76F8\u540C\u3002\n\n\u7BC4\u4F8B 1: \u5C07\u5169\u500B\u985E\u5225\u6A94\u6848\u6B78\u6A94\u81F3\u540D\u70BA classes.jar \u7684\u6B78\u6A94\u4E2D: \n       jar cvf classes.jar Foo.class Bar.class\n\u7BC4\u4F8B 2: \u4F7F\u7528\u73FE\u6709\u8CC7\u8A0A\u6E05\u55AE\u6A94\u6848 'mymanifest' \u4E26\u5C07\n           foo/ \u76EE\u9304\u4E2D\u7684\u6240\u6709\u6A94\u6848\u6B78\u6A94\u81F3 'classes.jar' \u4E2D: \n       jar cvfm classes.jar mymanifest -C foo/ .\n
+usage=\u7528\u6CD5: jar {ctxui}[vfmn0PMe] [jar-file] [manifest-file] [entry-point] [-C dir] \u6A94\u6848 ...\n\u9078\u9805:\n    -c  \u5EFA\u7ACB\u65B0\u7684\u6B78\u6A94\n    -t  \u5217\u51FA\u6B78\u6A94\u7684\u76EE\u9304\n    -x  \u5F9E\u6B78\u6A94\u4E2D\u64F7\u53D6\u6307\u5B9A (\u6216\u6240\u6709) \u6A94\u6848\n    -u  \u66F4\u65B0\u73FE\u6709\u6B78\u6A94\n    -v  \u5728\u6A19\u6E96\u8F38\u51FA\u4E2D\u7522\u751F\u8A73\u7D30\u8F38\u51FA\n    -f  \u6307\u5B9A\u6B78\u6A94\u6A94\u6848\u540D\u7A31\n    -m  \u5305\u542B\u6307\u5B9A\u8CC7\u8A0A\u6E05\u55AE\u4E2D\u7684\u8CC7\u8A0A\u6E05\u55AE\u8CC7\u8A0A\n    -n  \u5728\u5EFA\u7ACB\u65B0\u6B78\u6A94\u4E4B\u5F8C\u57F7\u884C Pack200 \u6B63\u898F\u5316\n    -e  \u70BA\u5DF2\u96A8\u9644\u65BC\u53EF\u57F7\u884C jar \u6A94\u6848\u4E2D\u7684\u7368\u7ACB\u61C9\u7528\u7A0B\u5F0F\n        \u6307\u5B9A\u61C9\u7528\u7A0B\u5F0F\u9032\u5165\u9EDE\n    -0  \u50C5\u5132\u5B58; \u4E0D\u4F7F\u7528 ZIP \u58D3\u7E2E\u65B9\u5F0F\n    -P  \u4FDD\u7559\u6A94\u6848\u540D\u7A31\u524D\u9762\u7684 '/' (\u7D55\u5C0D\u8DEF\u5F91) \u548C ".." (\u4E0A\u5C64\u76EE\u9304) \u5143\u4EF6\n    -M  \u4E0D\u70BA\u9805\u76EE\u5EFA\u7ACB\u8CC7\u8A0A\u6E05\u55AE\u6A94\u6848\n    -i  \u70BA\u6307\u5B9A\u7684 jar \u6A94\u6848\u7522\u751F\u7D22\u5F15\u8CC7\u8A0A\n    -C  \u8B8A\u66F4\u81F3\u6307\u5B9A\u76EE\u9304\u4E26\u5305\u542B\u5F8C\u9762\u6240\u5217\u7684\u6A94\u6848\n\u5982\u679C\u6709\u4EFB\u4F55\u6A94\u6848\u662F\u76EE\u9304\uFF0C\u5247\u6703\u5C0D\u5176\u9032\u884C\u905E\u8FF4\u8655\u7406\u3002\n\u8CC7\u8A0A\u6E05\u55AE\u6A94\u6848\u540D\u7A31\u3001\u6B78\u6A94\u6A94\u6848\u540D\u7A31\u548C\u9032\u5165\u9EDE\u540D\u7A31\n\u7684\u6307\u5B9A\u9806\u5E8F\u8207\u6307\u5B9A 'm' \u65D7\u6A19\u3001'f' \u65D7\u6A19\u548C 'e' \u65D7\u6A19\u7684\u9806\u5E8F\u76F8\u540C\u3002\n\n\u7BC4\u4F8B 1: \u5C07\u5169\u500B\u985E\u5225\u6A94\u6848\u6B78\u6A94\u81F3\u540D\u70BA classes.jar \u7684\u6B78\u6A94\u4E2D: \n       jar cvf classes.jar Foo.class Bar.class\n\u7BC4\u4F8B 2: \u4F7F\u7528\u73FE\u6709\u8CC7\u8A0A\u6E05\u55AE\u6A94\u6848 'mymanifest' \u4E26\u5C07\n           foo/ \u76EE\u9304\u4E2D\u7684\u6240\u6709\u6A94\u6848\u6B78\u6A94\u81F3 'classes.jar' \u4E2D: \n       jar cvfm classes.jar mymanifest -C foo/ .\n
--- a/src/share/lib/security/java.security-aix	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/lib/security/java.security-aix	Fri May 29 10:15:38 2015 -0700
@@ -500,4 +500,61 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+
+# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+# processing in JSSE implementation.
+#
+# In some environments, a certain algorithm may be undesirable but it
+# cannot be disabled because of its use in legacy applications.  Legacy
+# algorithms may still be supported, but applications should not use them
+# as the security strength of legacy algorithms are usually not strong enough
+# in practice.
+#
+# During SSL/TLS security parameters negotiation, legacy algorithms will
+# not be negotiated unless there are no other candidates.
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
+#   LegacyAlgorithms:
+#       " LegacyAlgorithm { , LegacyAlgorithm } "
+#
+#   LegacyAlgorithm:
+#       AlgorithmName (standard JSSE algorithm name)
+#
+# See the specification of security property "jdk.certpath.disabledAlgorithms"
+# for the syntax and description of the "AlgorithmName" notation.
+#
+# Per SSL/TLS specifications, cipher suites have the form:
+#       SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+# or
+#       TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+#
+# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
+# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
+# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
+# algorithm for HMAC.
+#
+# The LegacyAlgorithm can be one of the following standard algorithm names:
+#     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
+#     2. JSSE key exchange algorithm name, e.g., RSA
+#     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
+#     4. JSSE message digest algorithm name, e.g., SHA
+#
+# See SSL/TLS specifications and "Java Cryptography Architecture Standard
+# Algorithm Name Documentation" for information about the algorithm names.
+#
+# Note: This property is currently used by Oracle's JSSE implementation.
+# It is not guaranteed to be examined and used by other implementations.
+# There is no guarantee the property will continue to exist or be of the
+# same syntax in future releases.
+#
+# Example:
+#   jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
+#
+jdk.tls.legacyAlgorithms= \
+        K_NULL, C_NULL, M_NULL, \
+        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+        DH_RSA_EXPORT, RSA_EXPORT, \
+        DH_anon, ECDH_anon, \
+        RC4_128, RC4_40, DES_CBC, DES40_CBC
--- a/src/share/lib/security/java.security-linux	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/lib/security/java.security-linux	Fri May 29 10:15:38 2015 -0700
@@ -500,4 +500,61 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+
+# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+# processing in JSSE implementation.
+#
+# In some environments, a certain algorithm may be undesirable but it
+# cannot be disabled because of its use in legacy applications.  Legacy
+# algorithms may still be supported, but applications should not use them
+# as the security strength of legacy algorithms are usually not strong enough
+# in practice.
+#
+# During SSL/TLS security parameters negotiation, legacy algorithms will
+# not be negotiated unless there are no other candidates.
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
+#   LegacyAlgorithms:
+#       " LegacyAlgorithm { , LegacyAlgorithm } "
+#
+#   LegacyAlgorithm:
+#       AlgorithmName (standard JSSE algorithm name)
+#
+# See the specification of security property "jdk.certpath.disabledAlgorithms"
+# for the syntax and description of the "AlgorithmName" notation.
+#
+# Per SSL/TLS specifications, cipher suites have the form:
+#       SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+# or
+#       TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+#
+# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
+# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
+# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
+# algorithm for HMAC.
+#
+# The LegacyAlgorithm can be one of the following standard algorithm names:
+#     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
+#     2. JSSE key exchange algorithm name, e.g., RSA
+#     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
+#     4. JSSE message digest algorithm name, e.g., SHA
+#
+# See SSL/TLS specifications and "Java Cryptography Architecture Standard
+# Algorithm Name Documentation" for information about the algorithm names.
+#
+# Note: This property is currently used by Oracle's JSSE implementation.
+# It is not guaranteed to be examined and used by other implementations.
+# There is no guarantee the property will continue to exist or be of the
+# same syntax in future releases.
+#
+# Example:
+#   jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
+#
+jdk.tls.legacyAlgorithms= \
+        K_NULL, C_NULL, M_NULL, \
+        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+        DH_RSA_EXPORT, RSA_EXPORT, \
+        DH_anon, ECDH_anon, \
+        RC4_128, RC4_40, DES_CBC, DES40_CBC
--- a/src/share/lib/security/java.security-macosx	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/lib/security/java.security-macosx	Fri May 29 10:15:38 2015 -0700
@@ -503,4 +503,61 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+
+# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+# processing in JSSE implementation.
+#
+# In some environments, a certain algorithm may be undesirable but it
+# cannot be disabled because of its use in legacy applications.  Legacy
+# algorithms may still be supported, but applications should not use them
+# as the security strength of legacy algorithms are usually not strong enough
+# in practice.
+#
+# During SSL/TLS security parameters negotiation, legacy algorithms will
+# not be negotiated unless there are no other candidates.
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
+#   LegacyAlgorithms:
+#       " LegacyAlgorithm { , LegacyAlgorithm } "
+#
+#   LegacyAlgorithm:
+#       AlgorithmName (standard JSSE algorithm name)
+#
+# See the specification of security property "jdk.certpath.disabledAlgorithms"
+# for the syntax and description of the "AlgorithmName" notation.
+#
+# Per SSL/TLS specifications, cipher suites have the form:
+#       SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+# or
+#       TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+#
+# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
+# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
+# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
+# algorithm for HMAC.
+#
+# The LegacyAlgorithm can be one of the following standard algorithm names:
+#     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
+#     2. JSSE key exchange algorithm name, e.g., RSA
+#     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
+#     4. JSSE message digest algorithm name, e.g., SHA
+#
+# See SSL/TLS specifications and "Java Cryptography Architecture Standard
+# Algorithm Name Documentation" for information about the algorithm names.
+#
+# Note: This property is currently used by Oracle's JSSE implementation.
+# It is not guaranteed to be examined and used by other implementations.
+# There is no guarantee the property will continue to exist or be of the
+# same syntax in future releases.
+#
+# Example:
+#   jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
+#
+jdk.tls.legacyAlgorithms= \
+        K_NULL, C_NULL, M_NULL, \
+        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+        DH_RSA_EXPORT, RSA_EXPORT, \
+        DH_anon, ECDH_anon, \
+        RC4_128, RC4_40, DES_CBC, DES40_CBC
--- a/src/share/lib/security/java.security-solaris	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/lib/security/java.security-solaris	Fri May 29 10:15:38 2015 -0700
@@ -502,4 +502,61 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+
+# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+# processing in JSSE implementation.
+#
+# In some environments, a certain algorithm may be undesirable but it
+# cannot be disabled because of its use in legacy applications.  Legacy
+# algorithms may still be supported, but applications should not use them
+# as the security strength of legacy algorithms are usually not strong enough
+# in practice.
+#
+# During SSL/TLS security parameters negotiation, legacy algorithms will
+# not be negotiated unless there are no other candidates.
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
+#   LegacyAlgorithms:
+#       " LegacyAlgorithm { , LegacyAlgorithm } "
+#
+#   LegacyAlgorithm:
+#       AlgorithmName (standard JSSE algorithm name)
+#
+# See the specification of security property "jdk.certpath.disabledAlgorithms"
+# for the syntax and description of the "AlgorithmName" notation.
+#
+# Per SSL/TLS specifications, cipher suites have the form:
+#       SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+# or
+#       TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+#
+# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
+# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
+# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
+# algorithm for HMAC.
+#
+# The LegacyAlgorithm can be one of the following standard algorithm names:
+#     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
+#     2. JSSE key exchange algorithm name, e.g., RSA
+#     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
+#     4. JSSE message digest algorithm name, e.g., SHA
+#
+# See SSL/TLS specifications and "Java Cryptography Architecture Standard
+# Algorithm Name Documentation" for information about the algorithm names.
+#
+# Note: This property is currently used by Oracle's JSSE implementation.
+# It is not guaranteed to be examined and used by other implementations.
+# There is no guarantee the property will continue to exist or be of the
+# same syntax in future releases.
+#
+# Example:
+#   jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
+#
+jdk.tls.legacyAlgorithms= \
+        K_NULL, C_NULL, M_NULL, \
+        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+        DH_RSA_EXPORT, RSA_EXPORT, \
+        DH_anon, ECDH_anon, \
+        RC4_128, RC4_40, DES_CBC, DES40_CBC
--- a/src/share/lib/security/java.security-windows	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/lib/security/java.security-windows	Fri May 29 10:15:38 2015 -0700
@@ -503,4 +503,61 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+
+# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+# processing in JSSE implementation.
+#
+# In some environments, a certain algorithm may be undesirable but it
+# cannot be disabled because of its use in legacy applications.  Legacy
+# algorithms may still be supported, but applications should not use them
+# as the security strength of legacy algorithms are usually not strong enough
+# in practice.
+#
+# During SSL/TLS security parameters negotiation, legacy algorithms will
+# not be negotiated unless there are no other candidates.
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
+#   LegacyAlgorithms:
+#       " LegacyAlgorithm { , LegacyAlgorithm } "
+#
+#   LegacyAlgorithm:
+#       AlgorithmName (standard JSSE algorithm name)
+#
+# See the specification of security property "jdk.certpath.disabledAlgorithms"
+# for the syntax and description of the "AlgorithmName" notation.
+#
+# Per SSL/TLS specifications, cipher suites have the form:
+#       SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+# or
+#       TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+#
+# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
+# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
+# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
+# algorithm for HMAC.
+#
+# The LegacyAlgorithm can be one of the following standard algorithm names:
+#     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
+#     2. JSSE key exchange algorithm name, e.g., RSA
+#     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
+#     4. JSSE message digest algorithm name, e.g., SHA
+#
+# See SSL/TLS specifications and "Java Cryptography Architecture Standard
+# Algorithm Name Documentation" for information about the algorithm names.
+#
+# Note: This property is currently used by Oracle's JSSE implementation.
+# It is not guaranteed to be examined and used by other implementations.
+# There is no guarantee the property will continue to exist or be of the
+# same syntax in future releases.
+#
+# Example:
+#   jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
+#
+jdk.tls.legacyAlgorithms= \
+        K_NULL, C_NULL, M_NULL, \
+        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+        DH_RSA_EXPORT, RSA_EXPORT, \
+        DH_anon, ECDH_anon, \
+        RC4_128, RC4_40, DES_CBC, DES40_CBC
--- a/src/share/native/sun/font/layout/AlternateSubstSubtables.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/AlternateSubstSubtables.cpp	Fri May 29 10:15:38 2015 -0700
@@ -53,6 +53,7 @@
             Offset alternateSetTableOffset = SWAPW(alternateSetTableOffsetArray[coverageIndex]);
             const LEReferenceTo<AlternateSetTable> alternateSetTable(base, success,
                                   (const AlternateSetTable *) ((char *) this + alternateSetTableOffset));
+            if (!LE_SUCCESS(success)) return 0;
             TTGlyphID alternate = SWAPW(alternateSetTable->alternateArray[0]);
 
             if (filter == NULL || filter->accept(LE_SET_GLYPH(glyph, alternate), success)) {
--- a/src/share/native/sun/font/layout/AnchorTables.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/AnchorTables.cpp	Fri May 29 10:15:38 2015 -0700
@@ -44,21 +44,27 @@
     case 1:
     {
         LEReferenceTo<Format1AnchorTable> f1(base, success);
-        f1->getAnchor(f1, fontInstance, anchor, success);
+        if (LE_SUCCESS(success)) {
+            f1->getAnchor(f1, fontInstance, anchor, success);
+        }
         break;
     }
 
     case 2:
     {
         LEReferenceTo<Format2AnchorTable> f2(base, success);
-        f2->getAnchor(f2, glyphID, fontInstance, anchor, success);
+        if (LE_SUCCESS(success)) {
+            f2->getAnchor(f2, glyphID, fontInstance, anchor, success);
+        }
         break;
     }
 
     case 3:
     {
         LEReferenceTo<Format3AnchorTable> f3(base, success);
-        f3->getAnchor(f3, fontInstance, anchor, success);
+        if (LE_SUCCESS(success)) {
+            f3->getAnchor(f3, fontInstance, anchor, success);
+        }
         break;
     }
 
@@ -66,7 +72,9 @@
     {
         // unknown format: just use x, y coordinate, like format 1...
         LEReferenceTo<Format1AnchorTable> f1(base, success);
-        f1->getAnchor(f1, fontInstance, anchor, success);
+        if (LE_SUCCESS(success)) {
+            f1->getAnchor(f1, fontInstance, anchor, success);
+        }
         break;
     }
   }
@@ -112,16 +120,18 @@
 
     if (dtxOffset != 0) {
         LEReferenceTo<DeviceTable> dt(base, success, dtxOffset);
-        le_int16 adjx = dt->getAdjustment(dt, (le_int16) fontInstance->getXPixelsPerEm(), success);
-
-        pixels.fX += adjx;
+        if (LE_SUCCESS(success)) {
+            le_int16 adjx = dt->getAdjustment(dt, (le_int16) fontInstance->getXPixelsPerEm(), success);
+            pixels.fX += adjx;
+        }
     }
 
     if (dtyOffset != 0) {
         LEReferenceTo<DeviceTable> dt(base, success, dtyOffset);
-        le_int16 adjy = dt->getAdjustment(dt, (le_int16) fontInstance->getYPixelsPerEm(), success);
-
-        pixels.fY += adjy;
+        if (LE_SUCCESS(success)) {
+            le_int16 adjy = dt->getAdjustment(dt, (le_int16) fontInstance->getYPixelsPerEm(), success);
+            pixels.fY += adjy;
+        }
     }
 
     fontInstance->pixelsToUnits(pixels, anchor);
--- a/src/share/native/sun/font/layout/ContextualGlyphInsertionProc2.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/ContextualGlyphInsertionProc2.cpp	Fri May 29 10:15:38 2015 -0700
@@ -107,6 +107,10 @@
 
     le_int16 markIndex = SWAPW(entry->markedInsertionListIndex);
     if (markIndex > 0) {
+        if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) {
+           success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+           return 0;
+        }
         le_int16 count = (flags & cgiMarkedInsertCountMask) >> 5;
         le_bool isKashidaLike = (flags & cgiMarkedIsKashidaLike);
         le_bool isBefore = (flags & cgiMarkInsertBefore);
@@ -115,6 +119,10 @@
 
     le_int16 currIndex = SWAPW(entry->currentInsertionListIndex);
     if (currIndex > 0) {
+        if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
+           success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+           return 0;
+        }
         le_int16 count = flags & cgiCurrentInsertCountMask;
         le_bool isKashidaLike = (flags & cgiCurrentIsKashidaLike);
         le_bool isBefore = (flags & cgiCurrentInsertBefore);
--- a/src/share/native/sun/font/layout/ContextualGlyphSubstProc.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/ContextualGlyphSubstProc.cpp	Fri May 29 10:15:38 2015 -0700
@@ -76,6 +76,10 @@
   WordOffset currOffset = SWAPW(entry->currOffset);
 
   if (markOffset != 0 && LE_SUCCESS(success)) {
+    if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) {
+       success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+       return 0;
+    }
     LEGlyphID mGlyph = glyphStorage[markGlyph];
     TTGlyphID newGlyph = SWAPW(int16Table.getObject(markOffset + LE_GET_GLYPH(mGlyph), success)); // whew.
 
@@ -83,6 +87,10 @@
   }
 
   if (currOffset != 0) {
+    if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
+       success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+       return 0;
+    }
     LEGlyphID thisGlyph = glyphStorage[currGlyph];
     TTGlyphID newGlyph = SWAPW(int16Table.getObject(currOffset + LE_GET_GLYPH(thisGlyph), success)); // whew.
 
--- a/src/share/native/sun/font/layout/ContextualGlyphSubstProc2.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/ContextualGlyphSubstProc2.cpp	Fri May 29 10:15:38 2015 -0700
@@ -70,17 +70,25 @@
     if(LE_FAILURE(success)) return 0;
     le_uint16 newState = SWAPW(entry->newStateIndex);
     le_uint16 flags = SWAPW(entry->flags);
-    le_int16 markIndex = SWAPW(entry->markIndex);
-    le_int16 currIndex = SWAPW(entry->currIndex);
+    le_uint16 markIndex = SWAPW(entry->markIndex);
+    le_uint16 currIndex = SWAPW(entry->currIndex);
 
-    if (markIndex != -1) {
+    if (markIndex != 0x0FFFF) {
+        if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) {
+           success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+           return 0;
+        }
         le_uint32 offset = SWAPL(perGlyphTable(markIndex, success));
         LEGlyphID mGlyph = glyphStorage[markGlyph];
         TTGlyphID newGlyph = lookup(offset, mGlyph, success);
         glyphStorage[markGlyph] = LE_SET_GLYPH(mGlyph, newGlyph);
     }
 
-    if (currIndex != -1) {
+    if (currIndex != 0x0FFFF) {
+        if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
+           success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+           return 0;
+        }
         le_uint32 offset = SWAPL(perGlyphTable(currIndex, success));
         LEGlyphID thisGlyph = glyphStorage[currGlyph];
         TTGlyphID newGlyph = lookup(offset, thisGlyph, success);
--- a/src/share/native/sun/font/layout/Features.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/Features.cpp	Fri May 29 10:15:38 2015 -0700
@@ -41,7 +41,7 @@
 LEReferenceTo<FeatureTable> FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const
 {
     LEReferenceToArrayOf<FeatureRecord>
-        featureRecordArrayRef(base, success, featureRecordArray, featureIndex);
+        featureRecordArrayRef(base, success, featureRecordArray, featureIndex+1);
 
   if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) {
     return LEReferenceTo<FeatureTable>();
--- a/src/share/native/sun/font/layout/GXLayoutEngine.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/GXLayoutEngine.cpp	Fri May 29 10:15:38 2015 -0700
@@ -73,7 +73,7 @@
 
     fMorphTable->process(fMorphTable, glyphStorage, success);
 
-    return count;
+    return glyphStorage.getGlyphCount();
 }
 
 // apply positional tables
--- a/src/share/native/sun/font/layout/GXLayoutEngine2.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/GXLayoutEngine2.cpp	Fri May 29 10:15:38 2015 -0700
@@ -69,7 +69,7 @@
     }
 
     fMorphTable->process(fMorphTable, glyphStorage, fTypoFlags, success);
-    return count;
+    return glyphStorage.getGlyphCount();
 }
 
 // apply positional tables
--- a/src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp	Fri May 29 10:15:38 2015 -0700
@@ -70,6 +70,11 @@
     ByteOffset newState = SWAPW(entry->newStateOffset);
     IndicRearrangementFlags flags = (IndicRearrangementFlags) SWAPW(entry->flags);
 
+    if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
+       success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+       return 0;
+    }
+
     if (flags & irfMarkFirst) {
         firstGlyph = currGlyph;
     }
--- a/src/share/native/sun/font/layout/IndicRearrangementProcessor2.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/IndicRearrangementProcessor2.cpp	Fri May 29 10:15:38 2015 -0700
@@ -68,6 +68,11 @@
     le_uint16 newState = SWAPW(entry->newStateIndex); // index to the new state
     IndicRearrangementFlags  flags =  (IndicRearrangementFlags) SWAPW(entry->flags);
 
+    if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) {
+       success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+       return 0;
+    }
+
     if (flags & irfMarkFirst) {
         firstGlyph = currGlyph;
     }
--- a/src/share/native/sun/font/layout/LETableReference.h	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/LETableReference.h	Fri May 29 10:15:38 2015 -0700
@@ -188,7 +188,7 @@
 
   void addOffset(size_t offset, LEErrorCode &success) {
     if(hasBounds()) {
-      if(offset > fLength) {
+      if(offset >= fLength) {
         LE_DEBUG_TR("addOffset off end");
         success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
         return;
@@ -203,7 +203,7 @@
     if(atPtr==NULL) return 0;
     if(LE_FAILURE(success)) return LE_UINTPTR_MAX;
     if((atPtr < fStart) ||
-       (hasBounds() && (atPtr > fStart+fLength))) {
+       (hasBounds() && (atPtr >= fStart+fLength))) {
       LE_DEBUG_TR3("ptrToOffset args out of range: %p", atPtr, 0);
       success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
       return LE_UINTPTR_MAX;
@@ -240,6 +240,18 @@
   }
 
   /**
+  * Throw an error if size*count overflows
+  */
+  size_t verifyLength(size_t offset, size_t size, le_uint32 count, LEErrorCode &success) {
+    if(count!=0 && size>LE_UINT32_MAX/count) {
+      LE_DEBUG_TR3("verifyLength failed size=%u, count=%u", size, count);
+      success = LE_INDEX_OUT_OF_BOUNDS_ERROR;
+      return 0;
+    }
+    return verifyLength(offset, size*count, success);
+  }
+
+  /**
    * Change parent link to another
    */
   LETableReference &reparent(const LETableReference &base) {
@@ -424,7 +436,7 @@
       if(fCount == LE_UNBOUNDED_ARRAY) { // not a known length
         fCount = getLength()/LETableVarSizer<T>::getSize(); // fit to max size
       }
-      LETableReference::verifyLength(0, LETableVarSizer<T>::getSize()*fCount, success);
+      LETableReference::verifyLength(0, LETableVarSizer<T>::getSize(), fCount, success);
     }
     if(LE_FAILURE(success)) {
       fCount=0;
@@ -439,7 +451,7 @@
       if(fCount == LE_UNBOUNDED_ARRAY) { // not a known length
         fCount = getLength()/LETableVarSizer<T>::getSize(); // fit to max size
       }
-      LETableReference::verifyLength(0, LETableVarSizer<T>::getSize()*fCount, success);
+      LETableReference::verifyLength(0, LETableVarSizer<T>::getSize(), fCount, success);
     }
     if(LE_FAILURE(success)) clear();
   }
@@ -450,7 +462,7 @@
       if(fCount == LE_UNBOUNDED_ARRAY) { // not a known length
         fCount = getLength()/LETableVarSizer<T>::getSize(); // fit to max size
       }
-      LETableReference::verifyLength(0, LETableVarSizer<T>::getSize()*fCount, success);
+      LETableReference::verifyLength(0, LETableVarSizer<T>::getSize(), fCount, success);
     }
     if(LE_FAILURE(success)) clear();
   }
--- a/src/share/native/sun/font/layout/LigatureSubstProc.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/LigatureSubstProc.cpp	Fri May 29 10:15:38 2015 -0700
@@ -73,7 +73,7 @@
   const LigatureSubstitutionStateEntry *entry = entryTable.getAlias(index, success);
 
     ByteOffset newState = SWAPW(entry->newStateOffset);
-    le_int16 flags = SWAPW(entry->flags);
+    le_uint16 flags = SWAPW(entry->flags);
 
     if (flags & lsfSetComponent) {
         if (++m >= nComponents) {
@@ -92,15 +92,18 @@
     if (actionOffset != 0) {
       LEReferenceTo<LigatureActionEntry> ap(stHeader, success, actionOffset);
         LigatureActionEntry action;
-        le_int32 offset, i = 0;
+        le_int32 offset, i = 0, j = 0;
         le_int32 stack[nComponents];
         le_int16 mm = -1;
 
         do {
             le_uint32 componentGlyph = componentStack[m--];
 
+            if (j++ > 0) {
+                ap.addObject(success);
+            }
+
             action = SWAPL(*ap.getAlias());
-            ap.addObject(success); // ap++
 
             if (m < 0) {
                 m = nComponents - 1;
--- a/src/share/native/sun/font/layout/LigatureSubstProc2.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/LigatureSubstProc2.cpp	Fri May 29 10:15:38 2015 -0700
@@ -98,7 +98,7 @@
         ap.addObject(ligActionIndex, success);
         LEReferenceToArrayOf<TTGlyphID> ligatureTable(stHeader, success, ligatureOffset, LE_UNBOUNDED_ARRAY);
         LigatureActionEntry action;
-        le_int32 offset, i = 0;
+        le_int32 offset, i = 0, j = 0;
         le_int32 stack[nComponents];
         le_int16 mm = -1;
 
@@ -111,6 +111,10 @@
         do {
             le_uint32 componentGlyph = componentStack[m--]; // pop off
 
+            if (j++ > 0) {
+                ap.addObject(success);
+            }
+
             action = SWAPL(*ap.getAlias());
 
             if (m < 0) {
@@ -144,7 +148,6 @@
               LE_DEBUG_BAD_FONT("m<0")
             }
 #endif
-            ap.addObject(success);
         } while (LE_SUCCESS(success) && !(action & lafLast) && (m>=0) ); // stop if last bit is set, or if run out of items
 
         while (mm >= 0) {
--- a/src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp	Fri May 29 10:15:38 2015 -0700
@@ -97,13 +97,9 @@
 
     if( LE_FAILURE(success) ) { return 0; }
     Offset anchorTableOffset = SWAPW(baseRecord->baseAnchorTableOffsetArray[markClass]);
-    if (anchorTableOffset <= 0) {
-        // this means the table is mal-formed...
-        glyphIterator->setCurrGlyphBaseOffset(baseIterator.getCurrStreamPosition());
-        return 0;
-    }
+    LEReferenceTo<AnchorTable> anchorTable(baseArray, success, anchorTableOffset);
+    if( LE_FAILURE(success) ) { return 0; }
 
-    LEReferenceTo<AnchorTable> anchorTable(baseArray, success, anchorTableOffset);
     LEPoint baseAnchor, markAdvance, pixels;
 
 
--- a/src/share/native/sun/font/layout/MorphTables.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/MorphTables.cpp	Fri May 29 10:15:38 2015 -0700
@@ -52,8 +52,15 @@
     le_uint32 chain;
 
     for (chain = 0; LE_SUCCESS(success) && (chain < chainCount); chain += 1) {
+        if (chain > 0) {
+            le_uint32 chainLength = SWAPL(chainHeader->chainLength);
+            if (chainLength & 0x03) { // incorrect alignment for 32 bit tables
+                success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any
+                return;
+            }
+            chainHeader.addOffset(chainLength, success);
+        }
         FeatureFlags defaultFlags = SWAPL(chainHeader->defaultFlags);
-        le_uint32 chainLength = SWAPL(chainHeader->chainLength);
         le_int16 nFeatureEntries = SWAPW(chainHeader->nFeatureEntries);
         le_int16 nSubtables = SWAPW(chainHeader->nSubtables);
         LEReferenceTo<MorphSubtableHeader> subtableHeader =
@@ -61,7 +68,14 @@
         le_int16 subtable;
 
         for (subtable = 0; LE_SUCCESS(success) && (subtable < nSubtables); subtable += 1) {
-            le_int16 length = SWAPW(subtableHeader->length);
+            if (subtable > 0) {
+                le_int16 length = SWAPW(subtableHeader->length);
+                if (length & 0x03) { // incorrect alignment for 32 bit tables
+                    success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any
+                    return;
+                }
+                subtableHeader.addOffset(length, success);
+            }
             SubtableCoverage coverage = SWAPW(subtableHeader->coverage);
             FeatureFlags subtableFeatures = SWAPL(subtableHeader->subtableFeatures);
 
@@ -69,10 +83,7 @@
             if ((coverage & scfVertical) == 0 && (subtableFeatures & defaultFlags) != 0  && LE_SUCCESS(success)) {
               subtableHeader->process(subtableHeader, glyphStorage, success);
             }
-
-            subtableHeader.addOffset(length, success);
         }
-        chainHeader.addOffset(chainLength, success);
     }
 }
 
--- a/src/share/native/sun/font/layout/MorphTables2.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/MorphTables2.cpp	Fri May 29 10:15:38 2015 -0700
@@ -59,6 +59,10 @@
   for (chain = 0; LE_SUCCESS(success) && (chain < chainCount); chain++) {
         if (chain>0) {
           le_uint32 chainLength = SWAPL(chainHeader->chainLength);
+          if (chainLength & 0x03) { // incorrect alignment for 32 bit tables
+              success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any
+              return;
+          }
           chainHeader.addOffset(chainLength, success); // Don't increment the first time
         }
         FeatureFlags flag = SWAPL(chainHeader->defaultFlags);
@@ -188,6 +192,10 @@
         for (subtable = 0;  LE_SUCCESS(success) && subtable < nSubtables; subtable++) {
             if(subtable>0)  {
               le_uint32 length = SWAPL(subtableHeader->length);
+              if (length & 0x03) { // incorrect alignment for 32 bit tables
+                  success = LE_MEMORY_ALLOCATION_ERROR; // as good a choice as any
+                  return;
+              }
               subtableHeader.addOffset(length, success); // Don't addOffset for the last entry.
             }
             le_uint32 coverage = SWAPL(subtableHeader->coverage);
--- a/src/share/native/sun/font/layout/PairPositioningSubtables.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/PairPositioningSubtables.cpp	Fri May 29 10:15:38 2015 -0700
@@ -179,12 +179,13 @@
         LEReferenceTo<PairValueRecord> record(records);
 
         for(le_int32 r = 0; r < recordCount; r += 1) {
+          if (r > 0) {
+            record.addOffset(recordSize, success);
+          }
           if(LE_FAILURE(success)) return LEReferenceTo<PairValueRecord>();
           if (SWAPW(record->secondGlyph) == glyphID) {
             return record;
           }
-
-          record.addOffset(recordSize, success);
         }
 #else
   #error dead code - not updated.
--- a/src/share/native/sun/font/layout/SingleSubstitutionSubtables.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/SingleSubstitutionSubtables.cpp	Fri May 29 10:15:38 2015 -0700
@@ -94,7 +94,9 @@
         return 0;
     }
 
-    if (coverageIndex >= 0) {
+    LEReferenceToArrayOf<TTGlyphID> substituteArrayRef(base, success, substituteArray, SWAPW(glyphCount));
+
+    if (coverageIndex >= 0 && LE_SUCCESS(success) && coverageIndex < substituteArrayRef.getCount()) {
         TTGlyphID substitute = SWAPW(substituteArray[coverageIndex]);
 
         if (filter == NULL || filter->accept(LE_SET_GLYPH(glyph, substitute), success)) {
--- a/src/share/native/sun/font/layout/StateTableProcessor.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/StateTableProcessor.cpp	Fri May 29 10:15:38 2015 -0700
@@ -85,6 +85,7 @@
         if (currGlyph == glyphCount) {
             // XXX: How do we handle EOT vs. EOL?
             classCode = classCodeEOT;
+            break;
         } else {
             TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(glyphStorage[currGlyph]);
 
--- a/src/share/native/sun/font/layout/StateTableProcessor2.cpp	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/StateTableProcessor2.cpp	Fri May 29 10:15:38 2015 -0700
@@ -103,6 +103,7 @@
                 if (currGlyph == glyphCount || currGlyph == -1) {
                     // XXX: How do we handle EOT vs. EOL?
                     classCode = classCodeEOT;
+                    break;
                 } else {
                     LEGlyphID gid = glyphStorage[currGlyph];
                     TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(gid);
@@ -134,6 +135,7 @@
                 if (currGlyph == glyphCount || currGlyph == -1) {
                     // XXX: How do we handle EOT vs. EOL?
                     classCode = classCodeEOT;
+                    break;
                 } else {
                     LEGlyphID gid = glyphStorage[currGlyph];
                     TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(gid);
@@ -171,6 +173,7 @@
                 if (currGlyph == glyphCount || currGlyph == -1) {
                     // XXX: How do we handle EOT vs. EOL?
                     classCode = classCodeEOT;
+                    break;
                 } else if(currGlyph > glyphCount) {
                   // note if > glyphCount, we've run off the end (bad font)
                   currGlyph = glyphCount;
@@ -211,6 +214,7 @@
                 if (currGlyph == glyphCount || currGlyph == -1) {
                     // XXX: How do we handle EOT vs. EOL?
                     classCode = classCodeEOT;
+                    break;
                 } else {
                     TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(glyphStorage[currGlyph]);
                     if (glyphCode == 0xFFFF) {
--- a/src/share/native/sun/font/layout/StateTables.h	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/font/layout/StateTables.h	Fri May 29 10:15:38 2015 -0700
@@ -126,7 +126,7 @@
 struct StateEntry
 {
     ByteOffset  newStateOffset;
-    le_int16    flags;
+    le_uint16    flags;
 };
 
 typedef le_uint16 EntryTableIndex2;
--- a/src/share/native/sun/security/ec/impl/ec.c	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/security/ec/impl/ec.c	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -34,6 +34,7 @@
  *   Dr Vipul Gupta <vipul.gupta@sun.com> and
  *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
  *
+ * Last Modified Date from the Original Code: April 2015
  *********************************************************************** */
 
 #include "mplogic.h"
@@ -585,6 +586,10 @@
         return SECFailure;
     }
 
+    if (EC_ValidatePublicKey(ecParams, publicValue, kmflag) != SECSuccess) {
+        return SECFailure;
+    }
+
     memset(derivedSecret, 0, sizeof *derivedSecret);
     len = (ecParams->fieldID.size + 7) >> 3;
     pointQ.len = 2*len + 1;
--- a/src/share/native/sun/security/ec/impl/ecc_impl.h	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/security/ec/impl/ecc_impl.h	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -34,6 +34,7 @@
  *   Dr Vipul Gupta <vipul.gupta@sun.com> and
  *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
  *
+ * Last Modified Date from the Original Code: November 2013
  *********************************************************************** */
 
 #ifndef _ECC_IMPL_H
--- a/src/share/native/sun/security/ec/impl/ecdecode.c	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/security/ec/impl/ecdecode.c	Fri May 29 10:15:38 2015 -0700
@@ -34,6 +34,7 @@
  *   Dr Vipul Gupta <vipul.gupta@sun.com> and
  *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
  *
+ * Last Modified Date from the Original Code: March 2012
  *********************************************************************** */
 
 #include <sys/types.h>
--- a/src/share/native/sun/security/ec/impl/mpi.c	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/security/ec/impl/mpi.c	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -34,6 +34,7 @@
  *   Netscape Communications Corporation
  *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
  *
+ * Last Modified Date from the Original Code: June 2014
  *********************************************************************** */
 
 /*  Arbitrary precision integer arithmetic library */
--- a/src/share/native/sun/security/ec/impl/oid.c	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/security/ec/impl/oid.c	Fri May 29 10:15:38 2015 -0700
@@ -33,6 +33,7 @@
  * Contributor(s):
  *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
  *
+ * Last Modified Date from the Original Code: March 2012
  *********************************************************************** */
 
 #include <sys/types.h>
--- a/src/share/native/sun/security/ec/impl/secitem.c	Wed May 27 13:20:55 2015 -0700
+++ b/src/share/native/sun/security/ec/impl/secitem.c	Fri May 29 10:15:38 2015 -0700
@@ -32,6 +32,7 @@
  *
  * Contributor(s):
  *
+ * Last Modified Date from the Original Code: March 2012
  *********************************************************************** */
 
 /*
--- a/src/solaris/bin/java_md_solinux.c	Wed May 27 13:20:55 2015 -0700
+++ b/src/solaris/bin/java_md_solinux.c	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -613,13 +613,14 @@
             /* runpath contains current effective LD_LIBRARY_PATH setting */
 
             jvmpath = JLI_StringDup(jvmpath);
-            new_runpath = JLI_MemAlloc(((runpath != NULL) ? JLI_StrLen(runpath) : 0) +
+            size_t new_runpath_size = ((runpath != NULL) ? JLI_StrLen(runpath) : 0) +
                     2 * JLI_StrLen(jrepath) + 2 * JLI_StrLen(arch) +
 #ifdef AIX
                     /* On AIX we additionally need 'jli' in the path because ld doesn't support $ORIGIN. */
                     JLI_StrLen(jrepath) + JLI_StrLen(arch) + JLI_StrLen("/lib//jli:") +
 #endif
-                    JLI_StrLen(jvmpath) + 52);
+                    JLI_StrLen(jvmpath) + 52;
+            new_runpath = JLI_MemAlloc(new_runpath_size);
             newpath = new_runpath + JLI_StrLen(LD_LIBRARY_PATH "=");
 
 
@@ -679,6 +680,11 @@
              * loop of execv() because we test for the prefix, above.
              */
             if (runpath != 0) {
+                /* ensure storage for runpath + colon + NULL */
+                if ((JLI_StrLen(runpath) + 1 + 1) > new_runpath_size) {
+                    JLI_ReportErrorMessageSys(JRE_ERROR11);
+                    exit(1);
+                }
                 JLI_StrCat(new_runpath, ":");
                 JLI_StrCat(new_runpath, runpath);
             }
@@ -811,7 +817,11 @@
             JLI_TraceLauncher("JRE path is %s\n", path);
             return JNI_TRUE;
         }
-
+        /* ensure storage for path + /jre + NULL */
+        if ((JLI_StrLen(path) + 4  + 1) > pathsize) {
+            JLI_TraceLauncher("Insufficient space to store JRE path\n");
+            return JNI_FALSE;
+        }
         /* Does the app ship a private JRE in <apphome>/jre directory? */
         JLI_Snprintf(libjava, sizeof(libjava), "%s/jre/lib/%s/" JAVA_DLL, path, arch);
         if (access(libjava, F_OK) == 0) {
--- a/src/solaris/native/java/net/net_util_md.c	Wed May 27 13:20:55 2015 -0700
+++ b/src/solaris/native/java/net/net_util_md.c	Fri May 29 10:15:38 2015 -0700
@@ -1528,6 +1528,7 @@
     int exclbind = -1;
 #endif
     int rv;
+    int arg, alen;
 
 #ifdef __linux__
     /*
@@ -1544,7 +1545,7 @@
     }
 #endif
 
-#if defined(__solaris__) && defined(AF_INET6)
+#if defined(__solaris__)
     /*
      * Solaris has separate IPv4 and IPv6 port spaces so we
      * use an exclusive bind when SO_REUSEADDR is not used to
@@ -1554,35 +1555,31 @@
      * results in a late bind that fails because the
      * corresponding IPv4 port is in use.
      */
-    if (ipv6_available()) {
-        int arg, len;
+    alen = sizeof(arg);
+    if (useExclBind || getsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
+                   (char *)&arg, &alen) == 0) {
+        if (useExclBind || arg == 0) {
+            /*
+             * SO_REUSEADDR is disabled or sun.net.useExclusiveBind
+             * property is true so enable TCP_EXCLBIND or
+             * UDP_EXCLBIND
+             */
+            alen = sizeof(arg);
+            if (getsockopt(fd, SOL_SOCKET, SO_TYPE, (char *)&arg,
+                           &alen) == 0) {
+                if (arg == SOCK_STREAM) {
+                    level = IPPROTO_TCP;
+                    exclbind = TCP_EXCLBIND;
+                } else {
+                    level = IPPROTO_UDP;
+                    exclbind = UDP_EXCLBIND;
+                }
+            }
 
-        len = sizeof(arg);
-        if (useExclBind || getsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
-                       (char *)&arg, &len) == 0) {
-            if (useExclBind || arg == 0) {
-                /*
-                 * SO_REUSEADDR is disabled or sun.net.useExclusiveBind
-                 * property is true so enable TCP_EXCLBIND or
-                 * UDP_EXCLBIND
-                 */
-                len = sizeof(arg);
-                if (getsockopt(fd, SOL_SOCKET, SO_TYPE, (char *)&arg,
-                               &len) == 0) {
-                    if (arg == SOCK_STREAM) {
-                        level = IPPROTO_TCP;
-                        exclbind = TCP_EXCLBIND;
-                    } else {
-                        level = IPPROTO_UDP;
-                        exclbind = UDP_EXCLBIND;
-                    }
-                }
-
-                arg = 1;
-                setsockopt(fd, level, exclbind, (char *)&arg,
-                           sizeof(arg));
+            arg = 1;
+            setsockopt(fd, level, exclbind, (char *)&arg,
+                       sizeof(arg));
             }
-        }
     }
 
 #endif
--- a/src/windows/bin/java_md.c	Wed May 27 13:20:55 2015 -0700
+++ b/src/windows/bin/java_md.c	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -318,7 +318,11 @@
             JLI_TraceLauncher("JRE path is %s\n", path);
             return JNI_TRUE;
         }
-
+        /* ensure storage for path + \jre + NULL */
+        if ((JLI_StrLen(path) + 4 + 1) > pathsize) {
+            JLI_TraceLauncher("Insufficient space to store JRE path\n");
+            return JNI_FALSE;
+        }
         /* Does this app ship a private JRE in <apphome>\jre directory? */
         JLI_Snprintf(javadll, sizeof (javadll), "%s\\jre\\bin\\" JAVA_DLL, path);
         if (stat(javadll, &s) == 0) {
--- a/test/sun/security/ec/TestEC.java	Wed May 27 13:20:55 2015 -0700
+++ b/test/sun/security/ec/TestEC.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -59,6 +59,11 @@
 public class TestEC {
 
     public static void main(String[] args) throws Exception {
+        // reset security properties to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+
         ProvidersSnapshot snapshot = ProvidersSnapshot.create();
         try {
             main0(args);
@@ -68,10 +73,6 @@
     }
 
     public static void main0(String[] args) throws Exception {
-        // reset the security property to make sure that the algorithms
-        // and keys used in this test are not disabled.
-        Security.setProperty("jdk.tls.disabledAlgorithms", "");
-
         Provider p = Security.getProvider("SunEC");
 
         if (p == null) {
--- a/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	Wed May 27 13:20:55 2015 -0700
+++ b/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,9 +43,10 @@
     private static String[] cmdArgs;
 
     public static void main(String[] args) throws Exception {
-        // reset the security property to make sure that the algorithms
+        // reset security properties to make sure that the algorithms
         // and keys used in this test are not disabled.
         Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
 
         cmdArgs = args;
         main(new ClientJSSEServerJSSE());
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	Wed May 27 13:20:55 2015 -0700
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	Fri May 29 10:15:38 2015 -0700
@@ -100,6 +100,7 @@
 import javax.net.ssl.SSLEngineResult.*;
 import java.io.*;
 import java.nio.*;
+import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
 import java.security.Security;
@@ -377,9 +378,10 @@
     }
 
     public static void main(String args[]) throws Exception {
-        // reset the security property to make sure that the algorithms
+        // reset security properties to make sure that the algorithms
         // and keys used in this test are not disabled.
         Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
 
         if (args.length != 4) {
             System.out.println(
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ServerHandshaker/AnonCipherWithWantClientAuth.java	Wed May 27 13:20:55 2015 -0700
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ServerHandshaker/AnonCipherWithWantClientAuth.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,6 +21,11 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
  * @test
  * @bug 4392475
@@ -34,6 +39,7 @@
 import java.io.*;
 import java.net.*;
 import javax.net.ssl.*;
+import java.security.Security;
 
 public class AnonCipherWithWantClientAuth {
 
@@ -156,6 +162,11 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset security properties to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java	Wed May 27 13:20:55 2015 -0700
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java	Fri May 29 10:15:38 2015 -0700
@@ -81,6 +81,9 @@
         ssle1.setEnabledCipherSuites(new String [] {
             "SSL_RSA_WITH_RC4_128_MD5"});
 
+        ssle2.setEnabledCipherSuites(new String [] {
+            "SSL_RSA_WITH_RC4_128_MD5"});
+
         createBuffers();
     }
 
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java	Wed May 27 13:20:55 2015 -0700
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java	Fri May 29 10:15:38 2015 -0700
@@ -92,6 +92,7 @@
         createSSLEngines();
 
         System.out.println("Using " + cipher);
+        ssle1.setEnabledCipherSuites(new String [] { cipher });
         ssle2.setEnabledCipherSuites(new String [] { cipher });
 
         createBuffers();
--- a/test/sun/security/ssl/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java	Wed May 27 13:20:55 2015 -0700
+++ b/test/sun/security/ssl/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java	Fri May 29 10:15:38 2015 -0700
@@ -31,7 +31,7 @@
  * @bug 7188657
  * @summary There should be a way to reorder the JSSE ciphers
  * @run main/othervm UseCipherSuitesOrder
- *     TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
+ *     TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
  */
 
 import java.io.*;
--- a/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java	Wed May 27 13:20:55 2015 -0700
+++ b/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java	Fri May 29 10:15:38 2015 -0700
@@ -93,6 +93,10 @@
         SSLServerSocket sslServerSocket =
             (SSLServerSocket) sslssf.createServerSocket(serverPort);
 
+        // enable a stream cipher
+        sslServerSocket.setEnabledCipherSuites(
+            new String[] {"SSL_RSA_WITH_RC4_128_MD5"});
+
         serverPort = sslServerSocket.getLocalPort();
 
         /*
--- a/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java	Wed May 27 13:20:55 2015 -0700
+++ b/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -93,13 +93,6 @@
         "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
         "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
 
-        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-        "SSL_RSA_WITH_RC4_128_SHA",
-        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
-        "SSL_RSA_WITH_RC4_128_MD5",
-
         "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
 
         "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
@@ -113,8 +106,16 @@
         "TLS_DH_anon_WITH_AES_128_CBC_SHA",
         "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
         "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
+
+        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_MD5",
         "TLS_ECDH_anon_WITH_RC4_128_SHA",
         "SSL_DH_anon_WITH_RC4_128_MD5",
+
         "SSL_RSA_WITH_DES_CBC_SHA",
         "SSL_DHE_RSA_WITH_DES_CBC_SHA",
         "SSL_DHE_DSS_WITH_DES_CBC_SHA",
--- a/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java	Wed May 27 13:20:55 2015 -0700
+++ b/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java	Fri May 29 10:15:38 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,9 +34,10 @@
 public class ClientJSSEServerJSSE {
 
     public static void main(String[] args) throws Exception {
-        // reset the security property to make sure that the algorithms
+        // reset security properties to make sure that the algorithms
         // and keys used in this test are not disabled.
         Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
 
         CipherTest.main(new JSSEFactory(), args);
     }