changeset 9036:ca700a3c1708

Merge
author chegar
date Sat, 14 Sep 2013 19:23:02 +0100
parents 22ea25e71b4c 432c348e15bc
children d931b672bfa9
files
diffstat 30 files changed, 363 insertions(+), 420 deletions(-) [+]
line wrap: on
line diff
--- a/make/common/Release.gmk	Sat Sep 14 19:21:07 2013 +0100
+++ b/make/common/Release.gmk	Sat Sep 14 19:23:02 2013 +0100
@@ -835,10 +835,6 @@
 	    $(BOOT_JAVA_CMD) -jar $(BUILDMETAINDEX_JARFILE) \
 		-o meta-index *.jar
 	@$(CD) $(JRE_IMAGE_DIR)/lib/ext && $(java-vm-cleanup)
-ifeq ($(PLATFORM), macosx)
-	@#install jobjc, apple mac only
-	$(CP) $(OUTPUTDIR)/JObjC.build/JObjC.jar $(JRE_IMAGE_DIR)/lib/JObjC.jar
-endif
 ifeq ($(PLATFORM), windows)
 	@# Remove certain *.lib files
 	$(CD) $(JRE_IMAGE_DIR)/lib && \
--- a/make/java/Makefile	Sat Sep 14 19:21:07 2013 +0100
+++ b/make/java/Makefile	Sat Sep 14 19:23:02 2013 +0100
@@ -57,10 +57,6 @@
   SUBDIRS += jexec
 endif # PLATFORM
 
-ifeq ($(PLATFORM), macosx)
-  SUBDIRS += jobjc
-endif # PLATFORM
-
 include $(BUILDDIR)/common/Subdirs.gmk
 
 all build clean clobber::
--- a/makefiles/CompileJavaClasses.gmk	Sat Sep 14 19:21:07 2013 +0100
+++ b/makefiles/CompileJavaClasses.gmk	Sat Sep 14 19:23:02 2013 +0100
@@ -270,11 +270,6 @@
                $(JDK_TOPDIR)/src/solaris/classes/sun/util/locale/provider/HostLocaleProviderAdapterImpl.java \
                $(JDK_TOPDIR)/src/solaris/classes/sun/nio/fs/GnomeFileTypeDetector.java
 
-     # JObjC.jar contains 1.5 byte-code...so skip it here :-(
-     # MACOSX_SRC_DIRS += $(JDK_TOPDIR)/src/macosx/native/jobjc/src
-     # EXCLUDES+= tests/java/com/apple/jobjc
-
-     EXCLUDES+= com/apple/jobjc
 endif
 
 # The exception handling of swing beaninfo
@@ -326,44 +321,6 @@
 
 ##########################################################################################
 
-ifeq ($(OPENJDK_TARGET_OS),macosx)
-#
-# JObjC.jar is compiled with BOOT_JAVAC which (may) not support the "-h" flag.
-#   so we first compile classes with BOOT_JAVAC and then with JDK_JAVAC :-(
-#
-$(eval $(call SetupJavaCompiler,GENERATE_15BYTECODE,\
-     JAVAC:=$(JAVAC),\
-     FLAGS:=-source 1.5 -target 1.5 -g -bootclasspath $(BOOT_RTJAR) -cp $(JDK_OUTPUTDIR)/../langtools/dist/lib/classes.jar $(DISABLE_WARNINGS),\
-     SERVER_DIR:=$(SJAVAC_SERVER_DIR),\
-     SERVER_JVM:=$(SJAVAC_SERVER_JAVA)))
-
-$(eval $(call SetupJavaCompilation,BUILD_JOBJC,\
-		SETUP:=GENERATE_15BYTECODE,\
-		DISABLE_SJAVAC:=true,\
-		SRC:=$(JDK_TOPDIR)/src/macosx/native/jobjc/src/core/java \
-		     $(JDK_TOPDIR)/src/macosx/native/jobjc/src/runtime-additions/java \
-		     $(JDK_OUTPUTDIR)/gensrc_jobjc/src, \
-		INCLUDES := com/apple/jobjc,\
-                EXCLUDES := tests/java/com/apple/jobjc,\
-		BIN:=$(JDK_OUTPUTDIR)/jobjc_classes,\
-		JAR:=$(JDK_OUTPUTDIR)/lib/JObjC.jar, \
-		JARINDEX := true))
-
-$(BUILD_JOBJC) : $(BUILD_JDK)
-
-$(eval $(call SetupJavaCompilation,BUILD_JOBJC_HEADERS,\
-		SETUP:=GENERATE_JDKBYTECODE,\
-		SRC:=$(JDK_TOPDIR)/src/macosx/native/jobjc/src/core/java \
-		     $(JDK_TOPDIR)/src/macosx/native/jobjc/src/runtime-additions/java \
-		     $(JDK_OUTPUTDIR)/gensrc_jobjc/src, \
-		INCLUDES := com/apple/jobjc,\
-                EXCLUDES := tests/java/com/apple/jobjc,\
-		BIN:=$(JDK_OUTPUTDIR)/jobjc_classes_headers,\
-		HEADERS:=$(JDK_OUTPUTDIR)/gensrc_headers_jobjc))
-
-$(BUILD_JOBJC_HEADERS) : $(BUILD_JDK)
-
-endif
 
 ##########################################################################################
 
@@ -402,7 +359,7 @@
 
 ##########################################################################################
 
-all: $(BUILD_JDK) $(BUILD_ALTCLASSES) $(BUILD_JOBJC) $(BUILD_JOBJC_HEADERS) $(COPY_EXTRA) \
+all: $(BUILD_JDK) $(BUILD_ALTCLASSES) $(COPY_EXTRA) \
 	$(JDK_OUTPUTDIR)/classes/META-INF/services/com.sun.tools.xjc.Plugin \
 	$(BUILD_ACCESSBRIDGE_32) $(BUILD_ACCESSBRIDGE_64) \
 	$(BUILD_ACCESSBRIDGE_LEGACY)
--- a/makefiles/CompileNativeLibraries.gmk	Sat Sep 14 19:21:07 2013 +0100
+++ b/makefiles/CompileNativeLibraries.gmk	Sat Sep 14 19:23:02 2013 +0100
@@ -3297,67 +3297,6 @@
 
 ##########################################################################################
 
-ifeq ($(OPENJDK_TARGET_OS), macosx)
-
-# Ugly hack to mimic behaviour in old build where this is built as an xcode project.
-SET_SHARED_LIBRARY_NAME=-Xlinker -install_name -Xlinker /usr/local/lib/libJObjC.dylib
-
-$(eval $(call SetupNativeCompilation,BUILD_LIBJOBJC32,\
-		LIBRARY:=JObjC,\
-                OUTPUT_DIR:=$(JDK_OUTPUTDIR)/objs/libjobjc32,\
-		SRC:=$(JDK_TOPDIR)/src/macosx/native/jobjc/src/core/native \
-                     $(JDK_TOPDIR)/src/macosx/native/jobjc/src/runtime-additions/native ,\
-		LANG:=C,\
-		OPTIMIZATION:=LOW, \
-		CFLAGS:=-fpascal-strings \
-                        -fobjc-gc \
-                        -gdwarf-2 \
-                        $(CFLAGS_JDKLIB) -I$(JDK_OUTPUTDIR)/gensrc_headers_jobjc \
-                        -F/System/Library/Frameworks/JavaVM.framework/Frameworks \
-			-m32,\
-		LDFLAGS:=$(LDFLAGS_JDKLIB)\
-			-m32, \
-		LDFLAGS_SUFFIX:=-framework Foundation -framework JavaVM \
-                                  -F/System/Library/Frameworks/JavaVM.framework/Frameworks \
-                                  -framework JavaNativeFoundation \
-                                  -lffi, \
-		OBJECT_DIR:=$(JDK_OUTPUTDIR)/objs/libjobjc32,\
-		DEBUG_SYMBOLS:=$(DEBUG_ALL_BINARIES)))
-
-$(eval $(call SetupNativeCompilation,BUILD_LIBJOBJC64,\
-		LIBRARY:=JObjC,\
-                OUTPUT_DIR:=$(JDK_OUTPUTDIR)/objs/libjobjc64,\
-		SRC:=$(JDK_TOPDIR)/src/macosx/native/jobjc/src/core/native \
-                     $(JDK_TOPDIR)/src/macosx/native/jobjc/src/runtime-additions/native ,\
-		LANG:=C,\
-		OPTIMIZATION:=LOW, \
-		CFLAGS:=-fpascal-strings \
-                        -fobjc-gc \
-                        -gdwarf-2 \
-                        $(CFLAGS_JDKLIB) -I$(JDK_OUTPUTDIR)/gensrc_headers_jobjc \
-                        -F/System/Library/Frameworks/JavaVM.framework/Frameworks \
-			, \
-		LDFLAGS:=-fpascal-strings \
-                         -fobjc-gc \
-                         -gdwarf-2 \
-                         $(LDFLAGS_JDKLIB)\
-			 $(call SET_SHARED_LIBRARY_ORIGIN), \
-		LDFLAGS_SUFFIX:=-framework Foundation -framework JavaVM \
-                                  -F/System/Library/Frameworks/JavaVM.framework/Frameworks \
-                                  -framework JavaNativeFoundation \
-                                  -lffi, \
-		OBJECT_DIR:=$(JDK_OUTPUTDIR)/objs/libjobjc64,\
-		DEBUG_SYMBOLS:=$(DEBUG_ALL_BINARIES)))
-
-$(INSTALL_LIBRARIES_HERE)/$(LIBRARY_PREFIX)JObjC$(SHARED_LIBRARY_SUFFIX): $(BUILD_LIBJOBJC32) $(BUILD_LIBJOBJC64)
-	$(LIPO) -create -output $@ $(BUILD_LIBJOBJC32) $(BUILD_LIBJOBJC64)
-
-BUILD_LIBRARIES += $(INSTALL_LIBRARIES_HERE)/$(LIBRARY_PREFIX)JObjC$(SHARED_LIBRARY_SUFFIX)
-
-endif
-
-##########################################################################################
-
 ifndef OPENJDK
 ifeq ($(OPENJDK_TARGET_OS), windows)
 
--- a/makefiles/CreateJars.gmk	Sat Sep 14 19:21:07 2013 +0100
+++ b/makefiles/CreateJars.gmk	Sat Sep 14 19:23:02 2013 +0100
@@ -1028,15 +1028,6 @@
 
 ##########################################################################################
 
-ifeq ($(OPENJDK_TARGET_OS),macosx)
-    $(eval $(call SetupArchive,BUILD_JOBJC_JAR,,\
-		SRCS:=$(JDK_OUTPUTDIR)/jobjc_classes,\
-		JAR:=$(IMAGES_OUTPUTDIR)/lib/JObjC.jar, \
-		JARINDEX:=true))
-endif
-
-##########################################################################################
-
 ifndef OPENJDK
     $(eval $(call SetupArchive,BUILD_ALT_RT_JAR,,\
 		SRCS:=$(JDK_OUTPUTDIR)/altclasses_classes,\
--- a/makefiles/GenerateJavaSources.gmk	Sat Sep 14 19:21:07 2013 +0100
+++ b/makefiles/GenerateJavaSources.gmk	Sat Sep 14 19:23:02 2013 +0100
@@ -83,11 +83,6 @@
 include GensrcSwing.gmk
 GENSRC += $(GENSRC_SWING_BEANINFO) $(GENSRC_SWING_NIMBUS)
 
-ifeq ($(OPENJDK_TARGET_OS), macosx)
-     include GensrcJObjC.gmk
-     GENSRC += $(GENSRC_JOBJC)
-endif
-
 $(GENSRC) : $(BUILD_TOOLS)
 
 all: $(GENSRC)
--- a/makefiles/Images.gmk	Sat Sep 14 19:21:07 2013 +0100
+++ b/makefiles/Images.gmk	Sat Sep 14 19:23:02 2013 +0100
@@ -283,14 +283,13 @@
 	$(ECHO) $(LOG_INFO) Creating $(patsubst $(OUTPUT_ROOT)/%,%,$@)
 	$(MKDIR) -p $@
 
-# In the old build, JObjC.jar is not part of the meta-index
 $(JRE_IMAGE_DIR)/lib/meta-index: $(JRE_LIB_TARGETS)
 	$(ECHO) $(LOG_INFO) Generating $(patsubst $(OUTPUT_ROOT)/%,%,$@)
-	$(CD) $(@D) && $(TOOL_BUILDMETAINDEX) -o meta-index `$(LS) *.jar | $(SED) 's/JObjC\.jar//g'`
+	$(CD) $(@D) && $(TOOL_BUILDMETAINDEX) -o meta-index *.jar
 
 $(JDK_IMAGE_DIR)/jre/lib/meta-index: $(JDKJRE_LIB_TARGETS)
 	$(ECHO) $(LOG_INFO) Generating $(patsubst $(OUTPUT_ROOT)/%,%,$@)
-	$(CD) $(@D) && $(TOOL_BUILDMETAINDEX) -o meta-index `$(LS) *.jar | $(SED) 's/JObjC\.jar//g'`
+	$(CD) $(@D) && $(TOOL_BUILDMETAINDEX) -o meta-index *.jar
 
 $(JRE_IMAGE_DIR)/lib/ext/meta-index: $(JRE_LIB_TARGETS)
 	$(ECHO) $(LOG_INFO) Generating $(patsubst $(OUTPUT_ROOT)/%,%,$@)
--- a/makefiles/Profiles.gmk	Sat Sep 14 19:21:07 2013 +0100
+++ b/makefiles/Profiles.gmk	Sat Sep 14 19:23:02 2013 +0100
@@ -109,10 +109,6 @@
     ALL_JARS += $(IMAGES_OUTPUTDIR)/lib/ext/sunmscapi.jar
 endif 
 
-ifeq ($(OPENJDK_TARGET_OS),macosx)
-    ALL_JARS += $(IMAGES_OUTPUTDIR)/lib/JObjC.jar
-endif
-
 ifeq ($(PROFILE), profile_1)
     PROFILE_JARS := $(PROFILE_1_JARS)
 else ifeq ($(PROFILE), profile_2)
--- a/src/macosx/native/sun/awt/splashscreen/splashscreen_sys.m	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/macosx/native/sun/awt/splashscreen/splashscreen_sys.m	Sat Sep 14 19:23:02 2013 +0100
@@ -290,8 +290,8 @@
         SplashUnlock(splash);
         rc = poll(pfd, 1, timeout);
         SplashLock(splash);
-        if (splash->isVisible>0 && SplashTime() >= splash->time +
-                splash->frames[splash->currentFrame].delay) {
+        if (splash->isVisible > 0 && splash->currentFrame >= 0 &&
+                SplashTime() >= splash->time + splash->frames[splash->currentFrame].delay) {
             SplashNextFrame(splash);
             SplashRedrawWindow(splash);
         }
--- a/src/share/classes/com/sun/beans/decoder/DocumentHandler.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/com/sun/beans/decoder/DocumentHandler.java	Sat Sep 14 19:23:02 2013 +0100
@@ -29,6 +29,7 @@
 import java.beans.ExceptionListener;
 
 import java.io.IOException;
+import java.io.StringReader;
 
 import java.lang.ref.Reference;
 import java.lang.ref.WeakReference;
@@ -246,6 +247,14 @@
     }
 
     /**
+     * Disables any external entities.
+     */
+    @Override
+    public InputSource resolveEntity(String publicId, String systemId) {
+        return new InputSource(new StringReader(""));
+    }
+
+    /**
      * Prepares this handler to read objects from XML document.
      */
     @Override
--- a/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java	Sat Sep 14 19:23:02 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -72,13 +72,17 @@
             throw new IllegalStateException(
                 "TlsRsaPremasterSecretGenerator must be initialized");
         }
-        if (random == null) {
-            random = new SecureRandom();
+        byte[] b = spec.getEncodedSecret();
+        if (b == null) {
+            if (random == null) {
+                random = new SecureRandom();
+            }
+            b = new byte[48];
+            random.nextBytes(b);
+            b[0] = (byte)spec.getMajorVersion();
+            b[1] = (byte)spec.getMinorVersion();
         }
-        byte[] b = new byte[48];
-        random.nextBytes(b);
-        b[0] = (byte)spec.getMajorVersion();
-        b[1] = (byte)spec.getMinorVersion();
+
         return new SecretKeySpec(b, "TlsRsaPremasterSecret");
     }
 
--- a/src/share/classes/com/sun/rowset/internal/XmlReaderContentHandler.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/com/sun/rowset/internal/XmlReaderContentHandler.java	Sat Sep 14 19:23:02 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -660,7 +660,7 @@
                      //Added the handling for Class tags to take care of maps
                      //Makes an entry into the map upon end of class tag
                      try{
-                          typeMap.put(Key_map,Class.forName(Value_map));
+                          typeMap.put(Key_map,sun.reflect.misc.ReflectUtil.forName(Value_map));
 
                         }catch(ClassNotFoundException ex) {
                           throw new SAXException(MessageFormat.format(resBundle.handleGetObject("xmlrch.errmap").toString(), ex.getMessage()));
--- a/src/share/classes/java/util/jar/JarVerifier.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/java/util/jar/JarVerifier.java	Sat Sep 14 19:23:02 2013 +0100
@@ -179,7 +179,9 @@
             name = name.substring(1);
 
         // only set the jev object for entries that have a signature
-        if (sigFileSigners.get(name) != null) {
+        // (either verified or not)
+        if (sigFileSigners.get(name) != null ||
+                verifiedSigners.get(name) != null) {
             mev.setEntry(name, je);
             return;
         }
--- a/src/share/classes/javax/security/auth/Subject.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/javax/security/auth/Subject.java	Sat Sep 14 19:23:02 2013 +0100
@@ -964,6 +964,10 @@
 
         s.defaultReadObject();
 
+        // Rewrap the principals into a SecureSet
+        principals = Collections.synchronizedSet(new SecureSet<Principal>
+                                (this, PRINCIPAL_SET, principals));
+
         // The Credential {@code Set} is not serialized, but we do not
         // want the default deserialization routine to set it to null.
         this.pubCredentials = Collections.synchronizedSet
--- a/src/share/classes/javax/sql/rowset/spi/SyncFactory.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/javax/sql/rowset/spi/SyncFactory.java	Sat Sep 14 19:23:02 2013 +0100
@@ -35,6 +35,8 @@
 import java.io.InputStream;
 import java.io.IOException;
 import java.io.FileNotFoundException;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 import javax.naming.*;
 
@@ -348,7 +350,17 @@
                 /*
                  * Dependent on application
                  */
-                String strRowsetProperties = System.getProperty("rowset.properties");
+                String strRowsetProperties;
+                try {
+                    strRowsetProperties = AccessController.doPrivileged(new PrivilegedAction<String>() {
+                        public String run() {
+                            return System.getProperty("rowset.properties");
+                        }
+                    }, null, new PropertyPermission("rowset.properties","read"));
+                } catch (Exception ex) {
+                    strRowsetProperties = null;
+                }
+
                 if (strRowsetProperties != null) {
                     // Load user's implementation of SyncProvider
                     // here. -Drowset.properties=/abc/def/pqr.txt
@@ -393,7 +405,16 @@
              * load additional properties from -D command line
              */
             properties.clear();
-            String providerImpls = System.getProperty(ROWSET_SYNC_PROVIDER);
+            String providerImpls;
+            try {
+                providerImpls = AccessController.doPrivileged(new PrivilegedAction<String>() {
+                    public String run() {
+                        return System.getProperty(ROWSET_SYNC_PROVIDER);
+                    }
+                }, null, new PropertyPermission(ROWSET_SYNC_PROVIDER,"read"));
+            } catch (Exception ex) {
+                providerImpls = null;
+            }
 
             if (providerImpls != null) {
                 int i = 0;
--- a/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java	Sat Sep 14 19:23:02 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -45,11 +45,12 @@
 
     private final int majorVersion;
     private final int minorVersion;
+    private final byte[] encodedSecret;
 
     /**
      * Constructs a new TlsRsaPremasterSecretParameterSpec.
-     *
-     * <p>The version numbers will be placed inside the premaster secret to
+     * <P>
+     * The version numbers will be placed inside the premaster secret to
      * detect version rollbacks attacks as described in the TLS specification.
      * Note that they do not indicate the protocol version negotiated for
      * the handshake.
@@ -65,7 +66,42 @@
         this.majorVersion =
             TlsMasterSecretParameterSpec.checkVersion(majorVersion);
         this.minorVersion =
-            TlsMasterSecretParameterSpec.checkVersion(minorVersion); }
+            TlsMasterSecretParameterSpec.checkVersion(minorVersion);
+        this.encodedSecret = null;
+    }
+
+    /**
+     * Constructs a new TlsRsaPremasterSecretParameterSpec.
+     * <P>
+     * The version numbers will be placed inside the premaster secret to
+     * detect version rollbacks attacks as described in the TLS specification.
+     * Note that they do not indicate the protocol version negotiated for
+     * the handshake.
+     * <P>
+     * Usually, the encoded secret key is a random number that acts as
+     * dummy pre_master_secret to avoid vulnerabilities described by
+     * section 7.4.7.1, RFC 5246.
+     *
+     * @param majorVersion the major number of the protocol version
+     * @param minorVersion the minor number of the protocol version
+     * @param encodedSecret the encoded secret key
+     *
+     * @throws IllegalArgumentException if minorVersion or majorVersion are
+     *   negative or larger than 255, or encodedSecret is not exactly 48 bytes.
+     */
+    public TlsRsaPremasterSecretParameterSpec(int majorVersion,
+            int minorVersion, byte[] encodedSecret) {
+        this.majorVersion =
+            TlsMasterSecretParameterSpec.checkVersion(majorVersion);
+        this.minorVersion =
+            TlsMasterSecretParameterSpec.checkVersion(minorVersion);
+
+        if (encodedSecret == null || encodedSecret.length != 48) {
+            throw new IllegalArgumentException(
+                        "Encoded secret is not exactly 48 bytes");
+        }
+        this.encodedSecret = encodedSecret.clone();
+    }
 
     /**
      * Returns the major version.
@@ -84,4 +120,13 @@
     public int getMinorVersion() {
         return minorVersion;
     }
+
+    /**
+     * Returns the encoded secret.
+     *
+     * @return the encoded secret, may be null if no encoded secret.
+     */
+    public byte[] getEncodedSecret() {
+        return encodedSecret == null ? null : encodedSecret.clone();
+    }
 }
--- a/src/share/classes/sun/security/pkcs11/P11RSACipher.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/sun/security/pkcs11/P11RSACipher.java	Sat Sep 14 19:23:02 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -451,30 +451,7 @@
     // see JCE spec
     protected Key engineUnwrap(byte[] wrappedKey, String algorithm,
             int type) throws InvalidKeyException, NoSuchAlgorithmException {
-        if (algorithm.equals("TlsRsaPremasterSecret")) {
-            // the instance variable "session" has been initialized for
-            // decrypt mode, so use a local variable instead.
-            Session s = null;
-            try {
-                s = token.getObjSession();
-                long keyType = CKK_GENERIC_SECRET;
-                CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
-                    new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-                    new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType),
-                };
-                attributes = token.getAttributes
-                    (O_IMPORT, CKO_SECRET_KEY, keyType, attributes);
-                long keyID = token.p11.C_UnwrapKey(s.id(),
-                        new CK_MECHANISM(mechanism), p11Key.keyID, wrappedKey,
-                        attributes);
-                return P11Key.secretKey(s, keyID, algorithm, 48 << 3,
-                        attributes);
-            } catch (PKCS11Exception e) {
-                throw new InvalidKeyException("unwrap() failed", e);
-            } finally {
-                token.releaseSession(s);
-            }
-        }
+
         // XXX implement unwrap using C_Unwrap() for all keys
         implInit(Cipher.DECRYPT_MODE, p11Key);
         if (wrappedKey.length > maxInputSize) {
--- a/src/share/classes/sun/security/pkcs11/P11TlsRsaPremasterSecretGenerator.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/sun/security/pkcs11/P11TlsRsaPremasterSecretGenerator.java	Sat Sep 14 19:23:02 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -88,23 +88,33 @@
             throw new IllegalStateException
                         ("TlsRsaPremasterSecretGenerator must be initialized");
         }
-        CK_VERSION version =
-                new CK_VERSION(spec.getMajorVersion(), spec.getMinorVersion());
-        Session session = null;
-        try {
-            session = token.getObjSession();
-            CK_ATTRIBUTE[] attributes = token.getAttributes
-                (O_GENERATE, CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
-            long keyID = token.p11.C_GenerateKey
-                (session.id(), new CK_MECHANISM(mechanism, version), attributes);
-            SecretKey key = P11Key.secretKey
-                (session, keyID, "TlsRsaPremasterSecret", 48 << 3, attributes);
-            return key;
-        } catch (PKCS11Exception e) {
-            throw new ProviderException("Could not generate premaster secret", e);
-        } finally {
-            token.releaseSession(session);
+
+        byte[] b = spec.getEncodedSecret();
+        if (b == null) {
+            CK_VERSION version = new CK_VERSION(
+                        spec.getMajorVersion(), spec.getMinorVersion());
+            Session session = null;
+            try {
+                session = token.getObjSession();
+                CK_ATTRIBUTE[] attributes = token.getAttributes(
+                        O_GENERATE, CKO_SECRET_KEY,
+                        CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
+                long keyID = token.p11.C_GenerateKey(session.id(),
+                        new CK_MECHANISM(mechanism, version), attributes);
+                SecretKey key = P11Key.secretKey(session,
+                        keyID, "TlsRsaPremasterSecret", 48 << 3, attributes);
+                return key;
+            } catch (PKCS11Exception e) {
+                throw new ProviderException(
+                        "Could not generate premaster secret", e);
+            } finally {
+                token.releaseSession(session);
+            }
         }
+
+        // Won't worry, the TlsRsaPremasterSecret will be soon converted to
+        // TlsMasterSecret.
+        return new SecretKeySpec(b, "TlsRsaPremasterSecret");
     }
 
 }
--- a/src/share/classes/sun/security/provider/ByteArrayAccess.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/sun/security/provider/ByteArrayAccess.java	Sat Sep 14 19:23:02 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,10 +43,8 @@
  * These are the only platforms we currently support, but other optimized
  * variants could be added as needed.
  *
- * NOTE that because this code performs unchecked direct memory access, it
- * MUST be restricted to trusted code. It is imperative that the caller protects
- * against out of bounds memory access by performing the necessary bounds
- * checks before calling methods in this class.
+ * NOTE that ArrayIndexOutOfBoundsException will be thrown if the bounds checks
+ * failed.
  *
  * This class may also be helpful in improving the performance of the
  * crypto code in the SunJCE provider. However, for now it is only accessible by
@@ -103,6 +101,10 @@
      * byte[] to int[] conversion, little endian byte order.
      */
     static void b2iLittle(byte[] in, int inOfs, int[] out, int outOfs, int len) {
+        if ((inOfs < 0) || ((in.length - inOfs) < len) ||
+            (outOfs < 0) || ((out.length - outOfs) < len/4)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             inOfs += byteArrayOfs;
             len += inOfs;
@@ -131,6 +133,10 @@
 
     // Special optimization of b2iLittle(in, inOfs, out, 0, 64)
     static void b2iLittle64(byte[] in, int inOfs, int[] out) {
+        if ((inOfs < 0) || ((in.length - inOfs) < 64) ||
+            (out.length < 16)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             inOfs += byteArrayOfs;
             out[ 0] = unsafe.getInt(in, (long)(inOfs     ));
@@ -176,6 +182,10 @@
      * int[] to byte[] conversion, little endian byte order.
      */
     static void i2bLittle(int[] in, int inOfs, byte[] out, int outOfs, int len) {
+        if ((inOfs < 0) || ((in.length - inOfs) < len/4) ||
+            (outOfs < 0) || ((out.length - outOfs) < len)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             outOfs += byteArrayOfs;
             len += outOfs;
@@ -204,6 +214,9 @@
 
     // Store one 32-bit value into out[outOfs..outOfs+3] in little endian order.
     static void i2bLittle4(int val, byte[] out, int outOfs) {
+        if ((outOfs < 0) || ((out.length - outOfs) < 4)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             unsafe.putInt(out, (long)(byteArrayOfs + outOfs), val);
         } else if (bigEndian && ((outOfs & 3) == 0)) {
@@ -220,6 +233,10 @@
      * byte[] to int[] conversion, big endian byte order.
      */
     static void b2iBig(byte[] in, int inOfs, int[] out, int outOfs, int len) {
+        if ((inOfs < 0) || ((in.length - inOfs) < len) ||
+            (outOfs < 0) || ((out.length - outOfs) < len/4)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             inOfs += byteArrayOfs;
             len += inOfs;
@@ -248,6 +265,10 @@
 
     // Special optimization of b2iBig(in, inOfs, out, 0, 64)
     static void b2iBig64(byte[] in, int inOfs, int[] out) {
+        if ((inOfs < 0) || ((in.length - inOfs) < 64) ||
+            (out.length < 16)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             inOfs += byteArrayOfs;
             out[ 0] = reverseBytes(unsafe.getInt(in, (long)(inOfs     )));
@@ -293,6 +314,10 @@
      * int[] to byte[] conversion, big endian byte order.
      */
     static void i2bBig(int[] in, int inOfs, byte[] out, int outOfs, int len) {
+        if ((inOfs < 0) || ((in.length - inOfs) < len/4) ||
+            (outOfs < 0) || ((out.length - outOfs) < len)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             outOfs += byteArrayOfs;
             len += outOfs;
@@ -321,6 +346,9 @@
 
     // Store one 32-bit value into out[outOfs..outOfs+3] in big endian order.
     static void i2bBig4(int val, byte[] out, int outOfs) {
+        if ((outOfs < 0) || ((out.length - outOfs) < 4)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             unsafe.putInt(out, (long)(byteArrayOfs + outOfs), reverseBytes(val));
         } else if (bigEndian && ((outOfs & 3) == 0)) {
@@ -337,6 +365,10 @@
      * byte[] to long[] conversion, big endian byte order.
      */
     static void b2lBig(byte[] in, int inOfs, long[] out, int outOfs, int len) {
+        if ((inOfs < 0) || ((in.length - inOfs) < len) ||
+            (outOfs < 0) || ((out.length - outOfs) < len/8)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             inOfs += byteArrayOfs;
             len += inOfs;
@@ -378,6 +410,10 @@
 
     // Special optimization of b2lBig(in, inOfs, out, 0, 128)
     static void b2lBig128(byte[] in, int inOfs, long[] out) {
+        if ((inOfs < 0) || ((in.length - inOfs) < 128) ||
+            (out.length < 16)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         if (littleEndianUnaligned) {
             inOfs += byteArrayOfs;
             out[ 0] = reverseBytes(unsafe.getLong(in, (long)(inOfs      )));
@@ -406,6 +442,10 @@
      * long[] to byte[] conversion, big endian byte order.
      */
     static void l2bBig(long[] in, int inOfs, byte[] out, int outOfs, int len) {
+        if ((inOfs < 0) || ((in.length - inOfs) < len/8) ||
+            (outOfs < 0) || ((out.length - outOfs) < len)) {
+            throw new ArrayIndexOutOfBoundsException();
+        }
         len += outOfs;
         while (outOfs < len) {
             long i = in[inOfs++];
@@ -419,5 +459,4 @@
             out[outOfs++] = (byte)(i      );
         }
     }
-
 }
--- a/src/share/classes/sun/security/rsa/RSAPadding.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/sun/security/rsa/RSAPadding.java	Sat Sep 14 19:23:02 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -318,33 +318,53 @@
 
     /**
      * PKCS#1 v1.5 unpadding (blocktype 1 and 2).
+     *
+     * Note that we want to make it a constant-time operation
      */
     private byte[] unpadV15(byte[] padded) throws BadPaddingException {
         int k = 0;
+        BadPaddingException bpe = null;
+
         if (padded[k++] != 0) {
-            throw new BadPaddingException("Data must start with zero");
+            bpe = new BadPaddingException("Data must start with zero");
         }
-        if (padded[k++] != type) {
-            throw new BadPaddingException("Blocktype mismatch: " + padded[1]);
+        if (padded[k++] != type && bpe == null) {
+            bpe = new BadPaddingException("Blocktype mismatch: " + padded[1]);
         }
-        while (true) {
+        int p = 0;
+        while (k < padded.length) {
             int b = padded[k++] & 0xff;
-            if (b == 0) {
-                break;
+            if (b == 0 && p == 0) {
+                p = k;
             }
-            if (k == padded.length) {
-                throw new BadPaddingException("Padding string not terminated");
+            if (k == padded.length && p == 0 && bpe == null) {
+                bpe = new BadPaddingException("Padding string not terminated");
             }
-            if ((type == PAD_BLOCKTYPE_1) && (b != 0xff)) {
-                throw new BadPaddingException("Padding byte not 0xff: " + b);
+            if ((type == PAD_BLOCKTYPE_1) && (b != 0xff) &&
+                    p == 0 && bpe == null) {
+                bpe = new BadPaddingException("Padding byte not 0xff: " + b);
             }
         }
-        int n = padded.length - k;
-        if (n > maxDataSize) {
-            throw new BadPaddingException("Padding string too short");
+        int n = padded.length - p;
+        if (n > maxDataSize && bpe == null) {
+            bpe = new BadPaddingException("Padding string too short");
         }
+
+        // copy useless padding array for a constant-time method
+        //
+        // Is it necessary?
+        byte[] padding = new byte[p];
+        System.arraycopy(padded, 0, padding, 0, p);
+
         byte[] data = new byte[n];
-        System.arraycopy(padded, padded.length - n, data, 0, n);
+        System.arraycopy(padded, p, data, 0, n);
+
+        if (bpe == null) {
+            bpe = new BadPaddingException("Unused exception");
+        } else {
+            throw bpe;
+        }
+
         return data;
     }
 
--- a/src/share/classes/sun/security/ssl/Handshaker.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/sun/security/ssl/Handshaker.java	Sat Sep 14 19:23:02 2013 +0100
@@ -1085,94 +1085,23 @@
                 clnt_random.random_bytes, svr_random.random_bytes,
                 prfHashAlg, prfHashLength, prfBlockSize);
 
-        SecretKey masterSecret;
         try {
             KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
             kg.init(spec);
-            masterSecret = kg.generateKey();
-        } catch (GeneralSecurityException e) {
+            return kg.generateKey();
+        } catch (InvalidAlgorithmParameterException |
+                NoSuchAlgorithmException iae) {
+            // unlikely to happen, otherwise, must be a provider exception
+            //
             // For RSA premaster secrets, do not signal a protocol error
             // due to the Bleichenbacher attack. See comments further down.
-            if (!preMasterSecret.getAlgorithm().equals(
-                    "TlsRsaPremasterSecret")) {
-                throw new ProviderException(e);
-            }
-
             if (debug != null && Debug.isOn("handshake")) {
                 System.out.println("RSA master secret generation error:");
-                e.printStackTrace(System.out);
+                iae.printStackTrace(System.out);
             }
+            throw new ProviderException(iae);
 
-            if (requestedVersion != null) {
-                preMasterSecret =
-                    RSAClientKeyExchange.generateDummySecret(requestedVersion);
-            } else {
-                preMasterSecret =
-                    RSAClientKeyExchange.generateDummySecret(protocolVersion);
-            }
-
-            // recursive call with new premaster secret
-            return calculateMasterSecret(preMasterSecret, null);
         }
-
-        // if no version check requested (client side handshake), or version
-        // information is not available (not an RSA premaster secret),
-        // return master secret immediately.
-        if ((requestedVersion == null) ||
-                !(masterSecret instanceof TlsMasterSecret)) {
-            return masterSecret;
-        }
-
-        // we have checked the ClientKeyExchange message when reading TLS
-        // record, the following check is necessary to ensure that
-        // JCE provider does not ignore the checking, or the previous
-        // checking process bypassed the premaster secret version checking.
-        TlsMasterSecret tlsKey = (TlsMasterSecret)masterSecret;
-        int major = tlsKey.getMajorVersion();
-        int minor = tlsKey.getMinorVersion();
-        if ((major < 0) || (minor < 0)) {
-            return masterSecret;
-        }
-
-        // check if the premaster secret version is ok
-        // the specification says that it must be the maximum version supported
-        // by the client from its ClientHello message. However, many
-        // implementations send the negotiated version, so accept both
-        // for SSL v3.0 and TLS v1.0.
-        // NOTE that we may be comparing two unsupported version numbers, which
-        // is why we cannot use object reference equality in this special case.
-        ProtocolVersion premasterVersion =
-                                    ProtocolVersion.valueOf(major, minor);
-        boolean versionMismatch = (premasterVersion.v != requestedVersion.v);
-
-        /*
-         * we never checked the client_version in server side
-         * for TLS v1.0 and SSL v3.0. For compatibility, we
-         * maintain this behavior.
-         */
-        if (versionMismatch && requestedVersion.v <= ProtocolVersion.TLS10.v) {
-            versionMismatch = (premasterVersion.v != protocolVersion.v);
-        }
-
-        if (versionMismatch == false) {
-            // check passed, return key
-            return masterSecret;
-        }
-
-        // Due to the Bleichenbacher attack, do not signal a protocol error.
-        // Generate a random premaster secret and continue with the handshake,
-        // which will fail when verifying the finished messages.
-        // For more information, see comments in PreMasterSecret.
-        if (debug != null && Debug.isOn("handshake")) {
-            System.out.println("RSA PreMasterSecret version error: expected"
-                + protocolVersion + " or " + requestedVersion + ", decrypted: "
-                + premasterVersion);
-        }
-        preMasterSecret =
-            RSAClientKeyExchange.generateDummySecret(requestedVersion);
-
-        // recursive call with new premaster secret
-        return calculateMasterSecret(preMasterSecret, null);
     }
 
     /*
--- a/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java	Sat Sep 14 19:23:02 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -133,26 +133,37 @@
         } else {
             encrypted = new byte [messageSize];
             if (input.read(encrypted) != messageSize) {
-                throw new SSLProtocolException
-                        ("SSL: read PreMasterSecret: short read");
+                throw new SSLProtocolException(
+                        "SSL: read PreMasterSecret: short read");
             }
         }
 
+        Exception failover = null;
+        byte[] encoded = null;
         try {
             Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
-            cipher.init(Cipher.UNWRAP_MODE, privateKey);
-            preMaster = (SecretKey)cipher.unwrap(encrypted,
-                                "TlsRsaPremasterSecret", Cipher.SECRET_KEY);
+            // Cannot generate key here, please don't use Cipher.UNWRAP_MODE!
+            cipher.init(Cipher.DECRYPT_MODE, privateKey);
+            encoded = cipher.doFinal(encrypted);
+        } catch (BadPaddingException bpe) {
+            failover = bpe;
+            encoded = null;
+        } catch (IllegalBlockSizeException ibse) {
+            // the message it too big to process with RSA
+            throw new SSLProtocolException(
+                "Unable to process PreMasterSecret, may be too big");
+        } catch (Exception e) {
+            // unlikely to happen, otherwise, must be a provider exception
+            if (debug != null && Debug.isOn("handshake")) {
+                System.out.println("RSA premaster secret decryption error:");
+                e.printStackTrace(System.out);
+            }
+            throw new RuntimeException("Could not generate dummy secret", e);
+        }
 
-            // polish the premaster secret
-            preMaster = polishPreMasterSecretKey(currentVersion, maxVersion,
-                                                generator, preMaster, null);
-        } catch (Exception e) {
-            // polish the premaster secret
-            preMaster =
-                    polishPreMasterSecretKey(currentVersion, maxVersion,
-                                                generator, null, e);
-        }
+        // polish the premaster secret
+        preMaster = polishPreMasterSecretKey(
+                    currentVersion, maxVersion, generator, encoded, failover);
     }
 
     /**
@@ -163,85 +174,74 @@
      *
      * RFC 5246 describes the approach as :
      *
-     *  1. Generate a string R of 46 random bytes
+     *  1. Generate a string R of 48 random bytes
      *
      *  2. Decrypt the message to recover the plaintext M
      *
      *  3. If the PKCS#1 padding is not correct, or the length of message
      *     M is not exactly 48 bytes:
-     *        pre_master_secret = ClientHello.client_version || R
+     *        pre_master_secret = R
      *     else If ClientHello.client_version <= TLS 1.0, and version
      *     number check is explicitly disabled:
-     *        pre_master_secret = M
+     *        premaster secret = M
+     *     else If M[0..1] != ClientHello.client_version:
+     *        premaster secret = R
      *     else:
-     *        pre_master_secret = ClientHello.client_version || M[2..47]
+     *        premaster secret = M
+     *
+     * Note that #2 has completed before the call of this method.
      */
     private SecretKey polishPreMasterSecretKey(ProtocolVersion currentVersion,
             ProtocolVersion clientHelloVersion, SecureRandom generator,
-            SecretKey secretKey, Exception failoverException) {
+            byte[] encoded, Exception failoverException) {
 
         this.protocolVersion = clientHelloVersion;
+        if (generator == null) {
+            generator = new SecureRandom();
+        }
+        byte[] random = new byte[48];
+        generator.nextBytes(random);
 
-        if (failoverException == null && secretKey != null) {
+        if (failoverException == null && encoded != null) {
             // check the length
-            byte[] encoded = secretKey.getEncoded();
-            if (encoded == null) {      // unable to get the encoded key
+            if (encoded.length != 48) {
                 if (debug != null && Debug.isOn("handshake")) {
                     System.out.println(
-                        "unable to get the plaintext of the premaster secret");
+                        "incorrect length of premaster secret: " +
+                        encoded.length);
                 }
 
-                int keySize = KeyUtil.getKeySize(secretKey);
-                if (keySize > 0 && keySize != 384) {       // 384 = 48 * 8
-                    if (debug != null && Debug.isOn("handshake")) {
-                        System.out.println(
-                            "incorrect length of premaster secret: " +
-                            (keySize/8));
-                    }
+                return generatePreMasterSecret(
+                        clientHelloVersion, random, generator);
+            }
 
-                    return generateDummySecret(clientHelloVersion);
-                }
+            if (clientHelloVersion.major != encoded[0] ||
+                        clientHelloVersion.minor != encoded[1]) {
 
-                // The key size is exactly 48 bytes or not accessible.
-                //
-                // Conservatively, pass the checking to master secret
-                // calculation.
-                return secretKey;
-            } else if (encoded.length == 48) {
-                // check the version
-                if (clientHelloVersion.major == encoded[0] &&
-                    clientHelloVersion.minor == encoded[1]) {
-
-                    return secretKey;
-                } else if (clientHelloVersion.v <= ProtocolVersion.TLS10.v &&
-                           currentVersion.major == encoded[0] &&
-                           currentVersion.minor == encoded[1]) {
+                if (clientHelloVersion.v <= ProtocolVersion.TLS10.v &&
+                       currentVersion.major == encoded[0] &&
+                       currentVersion.minor == encoded[1]) {
                     /*
                      * For compatibility, we maintain the behavior that the
                      * version in pre_master_secret can be the negotiated
                      * version for TLS v1.0 and SSL v3.0.
                      */
                     this.protocolVersion = currentVersion;
-                    return secretKey;
+                } else {
+                    if (debug != null && Debug.isOn("handshake")) {
+                        System.out.println("Mismatching Protocol Versions, " +
+                            "ClientHello.client_version is " +
+                            clientHelloVersion +
+                            ", while PreMasterSecret.client_version is " +
+                            ProtocolVersion.valueOf(encoded[0], encoded[1]));
+                    }
+
+                    encoded = random;
                 }
+            }
 
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println("Mismatching Protocol Versions, " +
-                        "ClientHello.client_version is " + clientHelloVersion +
-                        ", while PreMasterSecret.client_version is " +
-                        ProtocolVersion.valueOf(encoded[0], encoded[1]));
-                }
-
-                return generateDummySecret(clientHelloVersion);
-            } else {
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println(
-                        "incorrect length of premaster secret: " +
-                        encoded.length);
-                }
-
-                return generateDummySecret(clientHelloVersion);
-            }
+            return generatePreMasterSecret(
+                    clientHelloVersion, encoded, generator);
         }
 
         if (debug != null && Debug.isOn("handshake") &&
@@ -250,11 +250,14 @@
             failoverException.printStackTrace(System.out);
         }
 
-        return generateDummySecret(clientHelloVersion);
+        return generatePreMasterSecret(clientHelloVersion, random, generator);
     }
 
     // generate a premaster secret with the specified version number
-    static SecretKey generateDummySecret(ProtocolVersion version) {
+    private static SecretKey generatePreMasterSecret(
+            ProtocolVersion version, byte[] encodedSecret,
+            SecureRandom generator) {
+
         if (debug != null && Debug.isOn("handshake")) {
             System.out.println("Generating a random fake premaster secret");
         }
@@ -263,11 +266,17 @@
             String s = ((version.v >= ProtocolVersion.TLS12.v) ?
                 "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret");
             KeyGenerator kg = JsseJce.getKeyGenerator(s);
-            kg.init(new TlsRsaPremasterSecretParameterSpec
-                    (version.major, version.minor));
+            kg.init(new TlsRsaPremasterSecretParameterSpec(
+                    version.major, version.minor, encodedSecret), generator);
             return kg.generateKey();
-        } catch (GeneralSecurityException e) {
-            throw new RuntimeException("Could not generate dummy secret", e);
+        } catch (InvalidAlgorithmParameterException |
+                NoSuchAlgorithmException iae) {
+            // unlikely to happen, otherwise, must be a provider exception
+            if (debug != null && Debug.isOn("handshake")) {
+                System.out.println("RSA premaster secret generation error:");
+                iae.printStackTrace(System.out);
+            }
+            throw new RuntimeException("Could not generate dummy secret", iae);
         }
     }
 
--- a/src/share/lib/security/java.security-linux	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/lib/security/java.security-linux	Sat Sep 14 19:23:02 2013 +0100
@@ -182,6 +182,7 @@
                com.sun.istack.internal.,\
                com.sun.jmx.,\
                com.sun.media.sound.,\
+               com.sun.naming.internal.,\
                com.sun.proxy.,\
                com.sun.org.apache.bcel.internal.,\
                com.sun.org.apache.regexp.internal.,\
@@ -204,7 +205,7 @@
                com.sun.org.glassfish.,\
                com.oracle.xmlns.internal.,\
                com.oracle.webservices.internal.,\
-	       oracle.jrockit.jfr.,\
+               oracle.jrockit.jfr.,\
                org.jcp.xml.dsig.internal.,\
                jdk.internal.,\
                jdk.nashorn.internal.,\
@@ -227,6 +228,7 @@
                    com.sun.istack.internal.,\
                    com.sun.jmx.,\
                    com.sun.media.sound.,\
+                   com.sun.naming.internal.,\
                    com.sun.proxy.,\
                    com.sun.org.apache.bcel.internal.,\
                    com.sun.org.apache.regexp.internal.,\
@@ -249,7 +251,7 @@
                    com.sun.org.glassfish.,\
                    com.oracle.xmlns.internal.,\
                    com.oracle.webservices.internal.,\
-		   oracle.jrockit.jfr.,\
+                   oracle.jrockit.jfr.,\
                    org.jcp.xml.dsig.internal.,\
                    jdk.internal.,\
                    jdk.nashorn.internal.,\
--- a/src/share/lib/security/java.security-macosx	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/lib/security/java.security-macosx	Sat Sep 14 19:23:02 2013 +0100
@@ -183,6 +183,7 @@
                com.sun.istack.internal.,\
                com.sun.jmx.,\
                com.sun.media.sound.,\
+               com.sun.naming.internal.,\
                com.sun.proxy.,\
                com.sun.org.apache.bcel.internal.,\
                com.sun.org.apache.regexp.internal.,\
@@ -228,6 +229,7 @@
                    com.sun.istack.internal.,\
                    com.sun.jmx.,\
                    com.sun.media.sound.,\
+                   com.sun.naming.internal.,\
                    com.sun.proxy.,\
                    com.sun.org.apache.bcel.internal.,\
                    com.sun.org.apache.regexp.internal.,\
--- a/src/share/lib/security/java.security-solaris	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/lib/security/java.security-solaris	Sat Sep 14 19:23:02 2013 +0100
@@ -184,6 +184,7 @@
                com.sun.istack.internal.,\
                com.sun.jmx.,\
                com.sun.media.sound.,\
+               com.sun.naming.internal.,\
                com.sun.proxy.,\
                com.sun.org.apache.bcel.internal.,\
                com.sun.org.apache.regexp.internal.,\
@@ -206,7 +207,7 @@
                com.sun.org.glassfish.,\
                com.oracle.xmlns.internal.,\
                com.oracle.webservices.internal.,\
-	       oracle.jrockit.jfr.,\
+               oracle.jrockit.jfr.,\
                org.jcp.xml.dsig.internal.,\
                jdk.internal.,\
                jdk.nashorn.internal.,\
@@ -228,6 +229,7 @@
                    com.sun.istack.internal.,\
                    com.sun.jmx.,\
                    com.sun.media.sound.,\
+                   com.sun.naming.internal.,\
                    com.sun.proxy.,\
                    com.sun.org.apache.bcel.internal.,\
                    com.sun.org.apache.regexp.internal.,\
@@ -250,7 +252,7 @@
                    com.sun.org.glassfish.,\
                    com.oracle.xmlns.internal.,\
                    com.oracle.webservices.internal.,\
-		   oracle.jrockit.jfr.,\
+                   oracle.jrockit.jfr.,\
                    org.jcp.xml.dsig.internal.,\
                    jdk.internal.,\
                    jdk.nashorn.internal.,\
--- a/src/share/lib/security/java.security-windows	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/lib/security/java.security-windows	Sat Sep 14 19:23:02 2013 +0100
@@ -183,6 +183,7 @@
                com.sun.istack.internal.,\
                com.sun.jmx.,\
                com.sun.media.sound.,\
+               com.sun.naming.internal.,\
                com.sun.proxy.,\
                com.sun.org.apache.bcel.internal.,\
                com.sun.org.apache.regexp.internal.,\
@@ -205,7 +206,7 @@
                com.sun.org.glassfish.,\
                com.oracle.xmlns.internal.,\
                com.oracle.webservices.internal.,\
-	       oracle.jrockit.jfr.,\
+               oracle.jrockit.jfr.,\
                org.jcp.xml.dsig.internal.,\
                jdk.internal.,\
                jdk.nashorn.internal.,\
@@ -228,6 +229,7 @@
                    com.sun.istack.internal.,\
                    com.sun.jmx.,\
                    com.sun.media.sound.,\
+                   com.sun.naming.internal.,\
                    com.sun.proxy.,\
                    com.sun.org.apache.bcel.internal.,\
                    com.sun.org.apache.regexp.internal.,\
@@ -250,7 +252,7 @@
                    com.sun.org.glassfish.,\
                    com.oracle.xmlns.internal.,\
                    com.oracle.webservices.internal.,\
-		   oracle.jrockit.jfr.,\
+                   oracle.jrockit.jfr.,\
                    org.jcp.xml.dsig.internal.,\
                    jdk.internal.,\
                    jdk.nashorn.internal.,\
--- a/src/share/native/sun/awt/splashscreen/splashscreen_impl.c	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/native/sun/awt/splashscreen/splashscreen_impl.c	Sat Sep 14 19:23:02 2013 +0100
@@ -111,8 +111,9 @@
 int
 SplashIsStillLooping(Splash * splash)
 {
-    if (splash->currentFrame < 0)
+    if (splash->currentFrame < 0) {
         return 0;
+    }
     return splash->loopCount != 1 ||
         splash->currentFrame + 1 < splash->frameCount;
 }
@@ -121,17 +122,22 @@
 SplashUpdateScreenData(Splash * splash)
 {
     ImageRect srcRect, dstRect;
+    if (splash->currentFrame < 0) {
+        return;
+    }
 
     initRect(&srcRect, 0, 0, splash->width, splash->height, 1,
         splash->width * sizeof(rgbquad_t),
         splash->frames[splash->currentFrame].bitmapBits, &splash->imageFormat);
-    if (splash->screenData)
+    if (splash->screenData) {
         free(splash->screenData);
+    }
     splash->screenStride = splash->width * splash->screenFormat.depthBytes;
-    if (splash->byteAlignment > 1)
+    if (splash->byteAlignment > 1) {
         splash->screenStride =
             (splash->screenStride + splash->byteAlignment - 1) &
             ~(splash->byteAlignment - 1);
+    }
     splash->screenData = malloc(splash->height * splash->screenStride);
     initRect(&dstRect, 0, 0, splash->width, splash->height, 1,
         splash->screenStride, splash->screenData, &splash->screenFormat);
@@ -146,16 +152,19 @@
 void
 SplashNextFrame(Splash * splash)
 {
-    if (splash->currentFrame < 0)
+    if (splash->currentFrame < 0) {
         return;
+    }
     do {
-        if (!SplashIsStillLooping(splash))
+        if (!SplashIsStillLooping(splash)) {
             return;
+        }
         splash->time += splash->frames[splash->currentFrame].delay;
         if (++splash->currentFrame >= splash->frameCount) {
             splash->currentFrame = 0;
-            if (splash->loopCount > 0)
+            if (splash->loopCount > 0) {
                 splash->loopCount--;
+            }
         }
     } while (splash->time + splash->frames[splash->currentFrame].delay -
         SplashTime() <= 0);
@@ -183,8 +192,9 @@
                 pSrc += pSrcRect->depthBytes;
                 ++i;
             }
-            if (i >= pSrcRect->numSamples)
+            if (i >= pSrcRect->numSamples) {
                 break;
+            }
             i0 = i;
             while (i < pSrcRect->numSamples &&
                    getRGBA(pSrc, pSrcRect->format) >= ALPHA_THRESHOLD) {
--- a/src/share/native/sun/java2d/cmm/lcms/cmsintrp.c	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/share/native/sun/java2d/cmm/lcms/cmsintrp.c	Sat Sep 14 19:23:02 2013 +0100
@@ -215,6 +215,11 @@
     Output[0] = LinearInterp(rest, y0, y1);
 }
 
+// To prevent out of bounds indexing
+cmsINLINE cmsFloat32Number fclamp(cmsFloat32Number v)
+{
+    return v < 0.0f ? 0.0f : (v > 1.0f ? 1.0f : v);
+}
 
 // Floating-point version of 1D interpolation
 static
@@ -227,13 +232,15 @@
        int cell0, cell1;
        const cmsFloat32Number* LutTable = (cmsFloat32Number*) p ->Table;
 
+       val2 = fclamp(Value[0]);
+
        // if last value...
-       if (Value[0] == 1.0) {
+       if (val2 == 1.0) {
            Output[0] = LutTable[p -> Domain[0]];
            return;
        }
 
-       val2 = p -> Domain[0] * Value[0];
+       val2 *= p -> Domain[0];
 
        cell0 = (int) floor(val2);
        cell1 = (int) ceil(val2);
@@ -292,13 +299,15 @@
     cmsUInt32Number OutChan;
     const cmsFloat32Number* LutTable = (cmsFloat32Number*) p ->Table;
 
+    val2 = fclamp(Value[0]);
+
         // if last value...
-       if (Value[0] == 1.0) {
+       if (val2 == 1.0) {
            Output[0] = LutTable[p -> Domain[0]];
            return;
        }
 
-       val2 = p -> Domain[0] * Value[0];
+       val2 *= p -> Domain[0];
 
        cell0 = (int) floor(val2);
        cell1 = (int) ceil(val2);
@@ -339,8 +348,8 @@
         dxy;
 
     TotalOut   = p -> nOutputs;
-    px = Input[0] * p->Domain[0];
-    py = Input[1] * p->Domain[1];
+    px = fclamp(Input[0]) * p->Domain[0];
+    py = fclamp(Input[1]) * p->Domain[1];
 
     x0 = (int) _cmsQuickFloor(px); fx = px - (cmsFloat32Number) x0;
     y0 = (int) _cmsQuickFloor(py); fy = py - (cmsFloat32Number) y0;
@@ -454,20 +463,9 @@
     TotalOut   = p -> nOutputs;
 
     // We need some clipping here
-    px = Input[0];
-    py = Input[1];
-    pz = Input[2];
-
-    if (px < 0) px = 0;
-    if (px > 1) px = 1;
-    if (py < 0) py = 0;
-    if (py > 1) py = 1;
-    if (pz < 0) pz = 0;
-    if (pz > 1) pz = 1;
-
-    px *= p->Domain[0];
-    py *= p->Domain[1];
-    pz *= p->Domain[2];
+    px = fclamp(Input[0]) * p->Domain[0];
+    py = fclamp(Input[1]) * p->Domain[1];
+    pz = fclamp(Input[2]) * p->Domain[2];
 
     x0 = (int) _cmsQuickFloor(px); fx = px - (cmsFloat32Number) x0;
     y0 = (int) _cmsQuickFloor(py); fy = py - (cmsFloat32Number) y0;
@@ -609,20 +607,9 @@
     TotalOut   = p -> nOutputs;
 
     // We need some clipping here
-    px = Input[0];
-    py = Input[1];
-    pz = Input[2];
-
-    if (px < 0) px = 0;
-    if (px > 1) px = 1;
-    if (py < 0) py = 0;
-    if (py > 1) py = 1;
-    if (pz < 0) pz = 0;
-    if (pz > 1) pz = 1;
-
-    px *= p->Domain[0];
-    py *= p->Domain[1];
-    pz *= p->Domain[2];
+    px = fclamp(Input[0]) * p->Domain[0];
+    py = fclamp(Input[1]) * p->Domain[1];
+    pz = fclamp(Input[2]) * p->Domain[2];
 
     x0 = (int) _cmsQuickFloor(px); rx = (px - (cmsFloat32Number) x0);
     y0 = (int) _cmsQuickFloor(py); ry = (py - (cmsFloat32Number) y0);
@@ -1039,8 +1026,7 @@
        cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
        cmsInterpParams p1;
 
-
-       pk = Input[0] * p->Domain[0];
+       pk = fclamp(Input[0]) * p->Domain[0];
        k0 = _cmsQuickFloor(pk);
        rest = pk - (cmsFloat32Number) k0;
 
@@ -1127,7 +1113,7 @@
        cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
        cmsInterpParams p1;
 
-       pk = Input[0] * p->Domain[0];
+       pk = fclamp(Input[0]) * p->Domain[0];
        k0 = _cmsQuickFloor(pk);
        rest = pk - (cmsFloat32Number) k0;
 
@@ -1214,7 +1200,7 @@
        cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
        cmsInterpParams p1;
 
-       pk = Input[0] * p->Domain[0];
+       pk = fclamp(Input[0]) * p->Domain[0];
        k0 = _cmsQuickFloor(pk);
        rest = pk - (cmsFloat32Number) k0;
 
@@ -1299,7 +1285,7 @@
        cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
        cmsInterpParams p1;
 
-       pk = Input[0] * p->Domain[0];
+       pk = fclamp(Input[0]) * p->Domain[0];
        k0 = _cmsQuickFloor(pk);
        rest = pk - (cmsFloat32Number) k0;
 
@@ -1384,7 +1370,7 @@
        cmsFloat32Number Tmp1[MAX_STAGE_CHANNELS], Tmp2[MAX_STAGE_CHANNELS];
        cmsInterpParams p1;
 
-       pk = Input[0] * p->Domain[0];
+       pk = fclamp(Input[0]) * p->Domain[0];
        k0 = _cmsQuickFloor(pk);
        rest = pk - (cmsFloat32Number) k0;
 
--- a/src/solaris/native/sun/awt/splashscreen/splashscreen_sys.c	Sat Sep 14 19:21:07 2013 +0100
+++ b/src/solaris/native/sun/awt/splashscreen/splashscreen_sys.c	Sat Sep 14 19:23:02 2013 +0100
@@ -577,8 +577,8 @@
         SplashUnlock(splash);
         rc = poll(pfd, 2, timeout);
         SplashLock(splash);
-        if (splash->isVisible>0 && SplashTime() >= splash->time +
-                splash->frames[splash->currentFrame].delay) {
+        if (splash->isVisible > 0 && splash->currentFrame >= 0 &&
+                SplashTime() >= splash->time + splash->frames[splash->currentFrame].delay) {
             SplashNextFrame(splash);
             SplashUpdateShape(splash);
             SplashRedrawWindow(splash);
--- a/test/java/lang/SecurityManager/CheckPackageAccess.java	Sat Sep 14 19:21:07 2013 +0100
+++ b/test/java/lang/SecurityManager/CheckPackageAccess.java	Sat Sep 14 19:23:02 2013 +0100
@@ -23,7 +23,7 @@
 
 /*
  *  @test
- *  @bug 6741606 7146431 8000450 8019830
+ *  @bug 6741606 7146431 8000450 8019830 8022945
  *  @summary Make sure all restricted packages listed in the package.access
  *           property in the java.security file are blocked
  *  @run main/othervm CheckPackageAccess
@@ -55,6 +55,7 @@
         "com.sun.istack.internal.",
         "com.sun.jmx.",
         "com.sun.media.sound.",
+        "com.sun.naming.internal.",
         "com.sun.proxy.",
         "com.sun.org.apache.bcel.internal.",
         "com.sun.org.apache.regexp.internal.",