changeset 53242:103ed9569fc8

8215443: The use of TransportContext.fatal() leads to bad coding style Reviewed-by: ascarpino
author xuelei
date Tue, 18 Dec 2018 12:08:51 -0800
parents b04860fd2e2c
children 2f41e4935c34
files src/java.base/share/classes/sun/security/ssl/Alert.java src/java.base/share/classes/sun/security/ssl/AlpnExtension.java src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java src/java.base/share/classes/sun/security/ssl/CertificateMessage.java src/java.base/share/classes/sun/security/ssl/CertificateRequest.java src/java.base/share/classes/sun/security/ssl/CertificateStatus.java src/java.base/share/classes/sun/security/ssl/CertificateVerify.java src/java.base/share/classes/sun/security/ssl/ChangeCipherSpec.java src/java.base/share/classes/sun/security/ssl/ClientHello.java src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java src/java.base/share/classes/sun/security/ssl/CookieExtension.java src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java src/java.base/share/classes/sun/security/ssl/ECPointFormatsExtension.java src/java.base/share/classes/sun/security/ssl/EncryptedExtensions.java src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java src/java.base/share/classes/sun/security/ssl/Finished.java src/java.base/share/classes/sun/security/ssl/HandshakeContext.java src/java.base/share/classes/sun/security/ssl/HelloRequest.java src/java.base/share/classes/sun/security/ssl/HelloVerifyRequest.java src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java src/java.base/share/classes/sun/security/ssl/KeyUpdate.java src/java.base/share/classes/sun/security/ssl/MaxFragExtension.java src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java src/java.base/share/classes/sun/security/ssl/PostHandshakeContext.java src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java src/java.base/share/classes/sun/security/ssl/PskKeyExchangeModesExtension.java src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java src/java.base/share/classes/sun/security/ssl/SSLExtensions.java src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java src/java.base/share/classes/sun/security/ssl/SSLTransport.java src/java.base/share/classes/sun/security/ssl/ServerHello.java src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java src/java.base/share/classes/sun/security/ssl/ServerNameExtension.java src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java src/java.base/share/classes/sun/security/ssl/SupportedVersionsExtension.java src/java.base/share/classes/sun/security/ssl/TransportContext.java
diffstat 48 files changed, 454 insertions(+), 585 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.base/share/classes/sun/security/ssl/Alert.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/Alert.java	Tue Dec 18 12:08:51 2018 -0800
@@ -193,7 +193,7 @@
             //      AlertDescription description;
             //  } Alert;
             if (m.remaining() != 2) {
-                context.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid Alert message: no sufficient data");
             }
 
@@ -247,14 +247,14 @@
                 if (tc.peerUserCanceled) {
                     tc.closeOutbound();
                 } else if (tc.handshakeContext != null) {
-                    tc.fatal(Alert.UNEXPECTED_MESSAGE,
+                    throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
                             "Received close_notify during handshake");
                 }
             } else if (alert == Alert.USER_CANCELED) {
                 if (level == Level.WARNING) {
                     tc.peerUserCanceled = true;
                 } else {
-                    tc.fatal(alert,
+                    throw tc.fatal(alert,
                             "Received fatal close_notify alert", true, null);
                 }
             } else if ((level == Level.WARNING) && (alert != null)) {
@@ -269,7 +269,7 @@
                             alert != Alert.NO_CERTIFICATE ||
                             (tc.sslConfig.clientAuthType !=
                                     ClientAuthType.CLIENT_AUTH_REQUESTED)) {
-                        tc.fatal(Alert.HANDSHAKE_FAILURE,
+                        throw tc.fatal(Alert.HANDSHAKE_FAILURE,
                             "received handshake warning: " + alert.description);
                     }  // Otherwise, ignore the warning
                 }   // Otherwise, ignore the warning.
@@ -282,7 +282,7 @@
                     diagnostic = "Received fatal alert: " + alert.description;
                 }
 
-                tc.fatal(alert, diagnostic, true, null);
+                throw tc.fatal(alert, diagnostic, true, null);
             }
         }
     }
--- a/src/java.base/share/classes/sun/security/ssl/AlpnExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/AlpnExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -174,7 +174,8 @@
                         SSLLogger.severe(
                                 "Application protocol name cannot be empty");
                     }
-                    chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+
+                    throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                             "Application protocol name cannot be empty");
                 }
 
@@ -189,7 +190,8 @@
                                 ") exceeds the size limit (" +
                                 MAX_AP_LENGTH + " bytes)");
                     }
-                    chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+
+                    throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                                 "Application protocol name (" + ap +
                                 ") exceeds the size limit (" +
                                 MAX_AP_LENGTH + " bytes)");
@@ -204,7 +206,8 @@
                                 ") exceed the size limit (" +
                                 MAX_AP_LIST_LENGTH + " bytes)");
                     }
-                    chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+
+                    throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                                 "The configured application protocols (" +
                                 Arrays.toString(laps) +
                                 ") exceed the size limit (" +
@@ -283,8 +286,7 @@
             try {
                 spec = new AlpnSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -302,7 +304,7 @@
                 }
 
                 if (!matched) {
-                    shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
+                    throw shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
                             "No matching application layer protocol values");
                 }
             }   // Otherwise, applicationProtocol will be set by the
@@ -379,7 +381,8 @@
                     if ((shc.applicationProtocol == null) ||
                             (!shc.applicationProtocol.isEmpty() &&
                             !alps.contains(shc.applicationProtocol))) {
-                        shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
+                        throw shc.conContext.fatal(
+                            Alert.NO_APPLICATION_PROTOCOL,
                             "No matching application layer protocol values");
                     }
                 }
@@ -391,7 +394,8 @@
                     if ((shc.applicationProtocol == null) ||
                             (!shc.applicationProtocol.isEmpty() &&
                             !alps.contains(shc.applicationProtocol))) {
-                        shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
+                        throw shc.conContext.fatal(
+                            Alert.NO_APPLICATION_PROTOCOL,
                             "No matching application layer protocol values");
                     }
                 }
@@ -454,7 +458,7 @@
             if (requestedAlps == null ||
                     requestedAlps.applicationProtocols == null ||
                     requestedAlps.applicationProtocols.isEmpty()) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected " + SSLExtension.CH_ALPN.name + " extension");
             }
 
@@ -463,13 +467,12 @@
             try {
                 spec = new AlpnSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Only one application protocol is allowed.
             if (spec.applicationProtocols.size() != 1) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
                     "Only one application protocol name " +
                     "is allowed in ServerHello message");
@@ -478,7 +481,7 @@
             // The respond application protocol must be one of the requested.
             if (!requestedAlps.applicationProtocols.containsAll(
                     spec.applicationProtocols)) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
                     "Only client specified application protocol " +
                     "is allowed in ServerHello message");
--- a/src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -153,8 +153,7 @@
             try {
                 spec = new SignatureSchemesSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -297,8 +296,7 @@
             try {
                 spec = new SignatureSchemesSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
--- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -606,8 +606,7 @@
             try {
                 spec = new CertStatusRequestSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -711,13 +710,13 @@
             CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec)
                     chc.handshakeExtensions.get(CH_STATUS_REQUEST);
             if (requestedCsr == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected status_request extension in ServerHello");
             }
 
             // Parse the extension.
             if (buffer.hasRemaining()) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                   "Invalid status_request extension in ServerHello message: " +
                   "the extension data must be empty");
             }
@@ -964,8 +963,7 @@
             try {
                 spec = new CertStatusRequestV2Spec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -1067,13 +1065,13 @@
             CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec)
                     chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
             if (requestedCsr == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected status_request_v2 extension in ServerHello");
             }
 
             // Parse the extension.
             if (buffer.hasRemaining()) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                   "Invalid status_request_v2 extension in ServerHello: " +
                   "the extension data must be empty");
             }
@@ -1157,10 +1155,10 @@
                                 respBytes);
                 producedData = certResp.toByteArray();
             } catch (CertificateException ce) {
-                shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                         "Failed to parse server certificates", ce);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
+                throw shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
                         "Failed to parse certificate status response", ioe);
             }
 
@@ -1188,8 +1186,7 @@
             try {
                 spec = new CertStatusResponseSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
             }
 
             if (chc.sslContext.isStaplingEnabled(true)) {
--- a/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java	Tue Dec 18 12:08:51 2018 -0800
@@ -111,10 +111,10 @@
                     encodedCerts.add(cert.getEncoded());
                 } catch (CertificateEncodingException cee) {
                     // unlikely
-                    handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw handshakeContext.conContext.fatal(
+                            Alert.INTERNAL_ERROR,
                             "Could not encode certificate (" +
                             cert.getSubjectX500Principal() + ")", cee);
-                    break;
                 }
             }
 
@@ -127,7 +127,8 @@
 
             int listLen = Record.getInt24(m);
             if (listLen > m.remaining()) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(
+                    Alert.ILLEGAL_PARAMETER,
                     "Error parsing certificate message:no sufficient data");
             }
             if (listLen > 0) {
@@ -248,10 +249,8 @@
             }
 
             if (x509Possession == null) {       // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No expected X.509 certificate for server authentication");
-
-                return null;        // make the compiler happy
             }
 
             shc.handshakeSession.setLocalPrivateKey(
@@ -375,7 +374,7 @@
                 if (shc.sslConfig.clientAuthType !=
                         ClientAuthType.CLIENT_AUTH_REQUESTED) {
                     // unexpected or require client authentication
-                    shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                         "Empty server certificate chain");
                 } else {
                     return;
@@ -392,7 +391,7 @@
                                     new ByteArrayInputStream(encodedCert));
                 }
             } catch (CertificateException ce) {
-                shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                     "Failed to parse server certificates", ce);
             }
 
@@ -410,7 +409,7 @@
                 T12CertificateMessage certificateMessage) throws IOException {
             List<byte[]> encodedCerts = certificateMessage.encodedCertChain;
             if (encodedCerts == null || encodedCerts.isEmpty()) {
-                chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                     "Empty server certificate chain");
             }
 
@@ -424,7 +423,7 @@
                                     new ByteArrayInputStream(encodedCert));
                 }
             } catch (CertificateException ce) {
-                chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                     "Failed to parse server certificates", ce);
             }
 
@@ -443,7 +442,7 @@
                 if ((identityAlg == null || identityAlg.isEmpty()) &&
                         !isIdentityEquivalent(x509Certs[0],
                                 chc.reservedServerCerts[0])) {
-                    chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                             "server certificate change is restricted " +
                             "during renegotiation");
                 }
@@ -639,7 +638,7 @@
                 // the certificate chain in the TLS session.
                 chc.handshakeSession.setPeerCertificates(certs);
             } catch (CertificateException ce) {
-                chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
+                throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
             }
         }
 
@@ -685,7 +684,7 @@
                             "Improper X509TrustManager implementation");
                 }
             } catch (CertificateException ce) {
-                shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
+                throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
             }
         }
 
@@ -942,22 +941,20 @@
 
             SSLPossession pos = choosePossession(shc, clientHello);
             if (pos == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "No available authentication scheme");
-                return null;    // make the complier happy
             }
 
             if (!(pos instanceof X509Possession)) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "No X.509 certificate for server authentication");
             }
 
             X509Possession x509Possession = (X509Possession)pos;
             X509Certificate[] localCerts = x509Possession.popCerts;
             if (localCerts == null || localCerts.length == 0) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "No X.509 certificate for server authentication");
-                return null;    // make the complier happy
             }
 
             // update the context
@@ -969,9 +966,8 @@
             try {
                 cm = new T13CertificateMessage(shc, (new byte[0]), localCerts);
             } catch (SSLException | CertificateException ce) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Failed to produce server Certificate message", ce);
-                return null;    // make the complier happy
             }
 
             // Check the OCSP stapling extensions and attempt
@@ -1108,9 +1104,8 @@
                 cm = new T13CertificateMessage(
                         chc, chc.certRequestContext, localCerts);
             } catch (SSLException | CertificateException ce) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Failed to produce client Certificate message", ce);
-                return null;
             }
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                 SSLLogger.fine("Produced client Certificate message", cm);
@@ -1163,7 +1158,7 @@
             if (certificateMessage.certEntries == null ||
                     certificateMessage.certEntries.isEmpty()) {
                 if (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED) {
-                    shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                         "Empty client certificate chain");
                 } else {
                     // optional client authentication
@@ -1187,7 +1182,7 @@
                 T13CertificateMessage certificateMessage )throws IOException {
             if (certificateMessage.certEntries == null ||
                     certificateMessage.certEntries.isEmpty()) {
-                chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                     "Empty server certificate chain");
             }
 
@@ -1224,7 +1219,7 @@
                                     new ByteArrayInputStream(entry.encoded));
                 }
             } catch (CertificateException ce) {
-                shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                     "Failed to parse server certificates", ce);
             }
 
@@ -1270,7 +1265,7 @@
                 // the certificate chain in the TLS session.
                 shc.handshakeSession.setPeerCertificates(certs);
             } catch (CertificateException ce) {
-                shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
+                throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
             }
 
             return certs;
@@ -1289,7 +1284,7 @@
                                     new ByteArrayInputStream(entry.encoded));
                 }
             } catch (CertificateException ce) {
-                chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                     "Failed to parse server certificates", ce);
             }
 
@@ -1326,7 +1321,7 @@
                 // the certificate chain in the TLS session.
                 chc.handshakeSession.setPeerCertificates(certs);
             } catch (CertificateException ce) {
-                chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
+                throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
             }
 
             return certs;
--- a/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java	Tue Dec 18 12:08:51 2018 -0800
@@ -171,14 +171,14 @@
             //     DistinguishedName certificate_authorities<0..2^16-1>;
             // } CertificateRequest;
             if (m.remaining() < 4) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Incorrect CertificateRequest message: no sufficient data");
             }
             this.types = Record.getBytes8(m);
 
             int listLen = Record.getInt16(m);
             if (listLen > m.remaining()) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Incorrect CertificateRequest message:no sufficient data");
             }
 
@@ -407,7 +407,7 @@
             this.types = ClientCertificateType.CERT_TYPES;
 
             if (signatureSchemes == null || signatureSchemes.isEmpty()) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "No signature algorithms specified for " +
                         "CertificateRequest hanshake message");
             }
@@ -437,7 +437,7 @@
 
             // certificate_authorities
             if (m.remaining() < 8) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid CertificateRequest handshake message: " +
                         "no sufficient data");
             }
@@ -445,14 +445,14 @@
 
             // supported_signature_algorithms
             if (m.remaining() < 6) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid CertificateRequest handshake message: " +
                         "no sufficient data");
             }
 
             byte[] algs = Record.getBytes16(m);
             if (algs == null || algs.length == 0 || (algs.length & 0x01) != 0) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid CertificateRequest handshake message: " +
                         "incomplete signature algorithms");
             }
@@ -466,14 +466,14 @@
 
             // certificate_authorities
             if (m.remaining() < 2) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid CertificateRequest handshake message: " +
                         "no sufficient data");
             }
 
             int listLen = Record.getInt16(m);
             if (listLen > m.remaining()) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid CertificateRequest message: no sufficient data");
             }
 
@@ -597,7 +597,7 @@
 
             if (shc.localSupportedSignAlgs == null ||
                     shc.localSupportedSignAlgs.isEmpty()) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No supported signature algorithm");
             }
 
@@ -783,14 +783,14 @@
             //      Extension extensions<2..2^16-1>;
             //  } CertificateRequest;
             if (m.remaining() < 5) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid CertificateRequest handshake message: " +
                         "no sufficient data");
             }
             this.requestContext = Record.getBytes8(m);
 
             if (m.remaining() < 4) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid CertificateRequest handshake message: " +
                         "no sufficient extensions data");
             }
--- a/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java	Tue Dec 18 12:08:51 2018 -0800
@@ -154,7 +154,8 @@
                     encodedResponses.add(respDER);
                     encodedResponsesLen = 3 + respDER.length;
                 } else {
-                    handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw handshakeContext.conContext.fatal(
+                            Alert.HANDSHAKE_FAILURE,
                             "Zero-length OCSP Response");
                 }
             } else if (statusType == CertStatusRequestType.OCSP_MULTI) {
@@ -172,11 +173,13 @@
                 }
 
                 if (respListLen != 0) {
-                    handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw handshakeContext.conContext.fatal(
+                            Alert.INTERNAL_ERROR,
                             "Bad OCSP response list length");
                 }
             } else {
-                handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw handshakeContext.conContext.fatal(
+                        Alert.HANDSHAKE_FAILURE,
                         "Unsupported StatusResponseType: " + statusType);
             }
             messageLength = messageLength();
--- a/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java	Tue Dec 18 12:08:51 2018 -0800
@@ -83,11 +83,11 @@
                 signer.update(hashes);
                 temproary = signer.sign();
             } catch (NoSuchAlgorithmException nsae) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" + algorithm +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot produce CertificateVerify signature", gse);
             }
 
@@ -112,7 +112,7 @@
             //    };
             //  } Signature;
             if (m.remaining() < 2) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid CertificateVerify message: no sufficient data");
             }
 
@@ -128,7 +128,7 @@
 
             if (x509Credentials == null ||
                     x509Credentials.popPublicKey == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No X509 credentials negotiated for CertificateVerify");
             }
 
@@ -140,15 +140,15 @@
                         shc.handshakeSession.getMasterSecret());
                 signer.update(hashes);
                 if (!signer.verify(signature)) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid CertificateVerify message: invalid signature");
                 }
             } catch (NoSuchAlgorithmException nsae) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" + algorithm +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (GeneralSecurityException gse) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot verify CertificateVerify signature", gse);
             }
         }
@@ -327,11 +327,11 @@
                 signer.update(hashes);
                 temproary = signer.sign();
             } catch (NoSuchAlgorithmException nsae) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" + algorithm +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Cannot produce CertificateVerify signature", gse);
             }
 
@@ -356,7 +356,7 @@
             //    };
             //  } Signature;
             if (m.remaining() < 2) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid CertificateVerify message: no sufficient data");
             }
 
@@ -372,7 +372,7 @@
 
             if (x509Credentials == null ||
                     x509Credentials.popPublicKey == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No X509 credentials negotiated for CertificateVerify");
             }
 
@@ -383,15 +383,15 @@
                 byte[] hashes = shc.handshakeHash.digest(algorithm);
                 signer.update(hashes);
                 if (!signer.verify(signature)) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid CertificateVerify message: invalid signature");
                 }
             } catch (NoSuchAlgorithmException nsae) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" + algorithm +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (GeneralSecurityException gse) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot verify CertificateVerify signature", gse);
             }
         }
@@ -570,7 +570,7 @@
             if (signatureScheme == null) {
                 // Unlikely, the credentials generator should have
                 // selected the preferable signature algorithm properly.
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No preferred signature algorithm for CertificateVerify");
             }
 
@@ -582,12 +582,12 @@
                 temproary = signer.sign();
             } catch (NoSuchAlgorithmException |
                     InvalidAlgorithmParameterException nsae) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (InvalidKeyException | SignatureException ikse) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot produce CertificateVerify signature", ikse);
             }
 
@@ -607,7 +607,7 @@
             //     opaque signature<0..2^16-1>;
             // } DigitallySigned;
             if (m.remaining() < 4) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid CertificateVerify message: no sufficient data");
             }
 
@@ -615,13 +615,13 @@
             int ssid = Record.getInt16(m);
             this.signatureScheme = SignatureScheme.valueOf(ssid);
             if (signatureScheme == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid signature algorithm (" + ssid +
                         ") used in CertificateVerify handshake message");
             }
 
             if (!shc.localSupportedSignAlgs.contains(signatureScheme)) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in CertificateVerify handshake message");
@@ -638,7 +638,7 @@
 
             if (x509Credentials == null ||
                     x509Credentials.popPublicKey == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No X509 credentials negotiated for CertificateVerify");
             }
 
@@ -649,17 +649,17 @@
                     signatureScheme.getSignature(x509Credentials.popPublicKey);
                 signer.update(shc.handshakeHash.archived());
                 if (!signer.verify(signature)) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid CertificateVerify signature");
                 }
             } catch (NoSuchAlgorithmException |
                     InvalidAlgorithmParameterException nsae) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (InvalidKeyException | SignatureException ikse) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot verify CertificateVerify signature", ikse);
             }
         }
@@ -871,7 +871,7 @@
             if (signatureScheme == null) {
                 // Unlikely, the credentials generator should have
                 // selected the preferable signature algorithm properly.
-                context.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw context.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No preferred signature algorithm for CertificateVerify");
             }
 
@@ -897,12 +897,12 @@
                 temproary = signer.sign();
             } catch (NoSuchAlgorithmException |
                     InvalidAlgorithmParameterException nsae) {
-                context.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw context.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (InvalidKeyException | SignatureException ikse) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot produce CertificateVerify signature", ikse);
             }
 
@@ -918,7 +918,7 @@
             //     opaque signature<0..2^16-1>;
             // } DigitallySigned;
             if (m.remaining() < 4) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid CertificateVerify message: no sufficient data");
             }
 
@@ -926,13 +926,13 @@
             int ssid = Record.getInt16(m);
             this.signatureScheme = SignatureScheme.valueOf(ssid);
             if (signatureScheme == null) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid signature algorithm (" + ssid +
                         ") used in CertificateVerify handshake message");
             }
 
             if (!context.localSupportedSignAlgs.contains(signatureScheme)) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in CertificateVerify handshake message");
@@ -949,7 +949,7 @@
 
             if (x509Credentials == null ||
                     x509Credentials.popPublicKey == null) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No X509 credentials negotiated for CertificateVerify");
             }
 
@@ -975,17 +975,17 @@
                     signatureScheme.getSignature(x509Credentials.popPublicKey);
                 signer.update(contentCovered);
                 if (!signer.verify(signature)) {
-                    context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid CertificateVerify signature");
                 }
             } catch (NoSuchAlgorithmException |
                     InvalidAlgorithmParameterException nsae) {
-                context.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw context.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (InvalidKeyException | SignatureException ikse) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot verify CertificateVerify signature", ikse);
             }
         }
--- a/src/java.base/share/classes/sun/security/ssl/ChangeCipherSpec.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ChangeCipherSpec.java	Tue Dec 18 12:08:51 2018 -0800
@@ -106,11 +106,9 @@
             }
 
             if (writeCipher == null) {
-                hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Illegal cipher suite (" + ncs +
                     ") and protocol version (" + hc.negotiatedProtocol + ")");
-
-                return null;
             }
 
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -144,7 +142,7 @@
 
             // parse
             if (message.remaining() != 1 || message.get() != 1) {
-                tc.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Malformed or unexpected ChangeCipherSpec message");
             }
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -153,7 +151,7 @@
 
             // validate
             if (tc.handshakeContext == null) {
-                tc.fatal(Alert.HANDSHAKE_FAILURE,
+                throw tc.fatal(Alert.HANDSHAKE_FAILURE,
                         "Unexpected ChangeCipherSpec message");
             }
 
@@ -161,7 +159,7 @@
             HandshakeContext hc = tc.handshakeContext;
 
             if (hc.handshakeKeyDerivation == null) {
-                tc.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected ChangeCipherSpec message");
             }
 
@@ -205,12 +203,10 @@
                 }
 
                 if (readCipher == null) {
-                    hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Illegal cipher suite (" + hc.negotiatedCipherSuite +
                         ") and protocol version (" + hc.negotiatedProtocol +
                         ")");
-
-                    return;
                 }
 
                 tc.inputRecord.changeReadCiphers(readCipher);
@@ -243,7 +239,7 @@
 
             // parse
             if (message.remaining() != 1 || message.get() != 1) {
-                tc.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Malformed or unexpected ChangeCipherSpec message");
             }
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
--- a/src/java.base/share/classes/sun/security/ssl/ClientHello.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ClientHello.java	Tue Dec 18 12:08:51 2018 -0800
@@ -144,8 +144,8 @@
                     if (id == SSLExtension.CH_PRE_SHARED_KEY.id) {
                         // ensure pre_shared_key is the last extension
                         if (remaining > 0) {
-                            tc.fatal(Alert.ILLEGAL_PARAMETER,
-                            "pre_shared_key extension is not last");
+                            throw tc.fatal(Alert.ILLEGAL_PARAMETER,
+                                    "pre_shared_key extension is not last");
                         }
                         // read only up to the IDs
                         Record.getBytes16(m);
@@ -169,7 +169,8 @@
             try {
                 sessionId.checkLength(clientVersion);
             } catch (SSLProtocolException ex) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex);
+                throw handshakeContext.conContext.fatal(
+                        Alert.ILLEGAL_PARAMETER, ex);
             }
             if (isDTLS) {
                 this.cookie = Record.getBytes8(m);
@@ -179,8 +180,9 @@
 
             byte[] encodedIds = Record.getBytes16(m);
             if (encodedIds.length == 0 || (encodedIds.length & 0x01) != 0) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
-                    "Invalid ClientHello message");
+                throw handshakeContext.conContext.fatal(
+                        Alert.ILLEGAL_PARAMETER,
+                        "Invalid ClientHello message");
             }
 
             this.cipherSuiteIds = new int[encodedIds.length >> 1];
@@ -702,7 +704,8 @@
                     try {
                         chc.kickstart();
                     } catch (IOException ioe) {
-                        chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, ioe);
+                        throw chc.conContext.fatal(
+                                Alert.HANDSHAKE_FAILURE, ioe);
                     }
 
                     // The handshake message has been delivered.
@@ -790,7 +793,7 @@
             // clean up this consumer
             shc.handshakeConsumers.remove(SSLHandshake.CLIENT_HELLO.id);
             if (!shc.handshakeConsumers.isEmpty()) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "No more handshake message allowed " +
                         "in a ClientHello flight");
             }
@@ -877,7 +880,7 @@
                     context.activeProtocols, chv);
             if (pv == null || pv == ProtocolVersion.NONE ||
                     pv == ProtocolVersion.SSL20Hello) {
-                context.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "Client requested protocol " +
                     ProtocolVersion.nameOf(clientHelloVersion) +
                     " is not enabled or supported in server context");
@@ -910,13 +913,11 @@
             }
 
             // No protocol version can be negotiated.
-            context.conContext.fatal(Alert.PROTOCOL_VERSION,
+            throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
                 "The client supported protocol versions " + Arrays.toString(
                     ProtocolVersion.toStringArray(clientSupportedVersions)) +
                 " are not accepted by server preferences " +
                 context.activeProtocols);
-
-            return null;        // make the compiler happy
         }
     }
 
@@ -957,13 +958,13 @@
             if (shc.conContext.isNegotiated) {
                 if (!shc.conContext.secureRenegotiation &&
                         !HandshakeContext.allowUnsafeRenegotiation) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Unsafe renegotiation is not allowed");
                 }
 
                 if (ServerHandshakeContext.rejectClientInitiatedRenego &&
                         !shc.kickstartMessageDelivered) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Client initiated renegotiation is not allowed");
                 }
             }
@@ -1170,13 +1171,13 @@
                     handshakeProducer.produce(shc, clientHello);
             } else {
                 // unlikely
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No HelloRetryRequest producer: " + shc.handshakeProducers);
             }
 
             if (!shc.handshakeProducers.isEmpty()) {
                 // unlikely, but please double check.
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "unknown handshake producers: " + shc.handshakeProducers);
             }
         }
@@ -1264,13 +1265,13 @@
             if (shc.conContext.isNegotiated) {
                 if (!shc.conContext.secureRenegotiation &&
                         !HandshakeContext.allowUnsafeRenegotiation) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Unsafe renegotiation is not allowed");
                 }
 
                 if (ServerHandshakeContext.rejectClientInitiatedRenego &&
                         !shc.kickstartMessageDelivered) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Client initiated renegotiation is not allowed");
                 }
             }
--- a/src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java	Tue Dec 18 12:08:51 2018 -0800
@@ -68,9 +68,8 @@
             }
 
             // not consumer defined.
-            chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected ClientKeyExchange handshake message.");
-            return null;    // make the compiler happe
         }
     }
 
@@ -105,7 +104,7 @@
             }
 
             // not consumer defined.
-            shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected ClientKeyExchange handshake message.");
         }
     }
--- a/src/java.base/share/classes/sun/security/ssl/CookieExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CookieExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -163,8 +163,7 @@
             try {
                 spec = new CookieSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             shc.handshakeExtensions.put(SSLExtension.CH_COOKIE, spec);
@@ -201,9 +200,8 @@
             HelloCookieManager hcm =
                 shc.sslContext.getHelloCookieManager(shc.negotiatedProtocol);
             if (!hcm.isCookieValid(shc, clientHello, spec.cookie)) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "unrecognized cookie");
-                return;     // fatal() always throws, make the compiler happy.
             }
         }
     }
@@ -270,8 +268,7 @@
             try {
                 spec = new CookieSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             chc.handshakeExtensions.put(SSLExtension.HRR_COOKIE, spec);
--- a/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java	Tue Dec 18 12:08:51 2018 -0800
@@ -87,7 +87,7 @@
 
             if (dhePossession == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No DHE credentials negotiated for client key exchange");
             }
 
@@ -104,14 +104,14 @@
                     (ServerHandshakeContext)handshakeContext;
 
             if (m.remaining() < 3) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Invalid DH ClientKeyExchange message: insufficient data");
             }
 
             this.y = Record.getBytes16(m);
 
             if (m.hasRemaining()) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Invalid DH ClientKeyExchange message: unknown extra data");
             }
         }
@@ -177,7 +177,7 @@
             }
 
             if (dheCredentials == null) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No DHE credentials negotiated for client key exchange");
             }
 
@@ -202,7 +202,7 @@
                     chc.negotiatedProtocol);
             if (ke == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
             } else {
                 SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@@ -214,7 +214,7 @@
                         SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
                 if (kd == null) {
                     // unlikely
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             chc.negotiatedProtocol);
                 } else {
@@ -254,7 +254,7 @@
 
             if (dhePossession == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No expected DHE possessions for client key exchange");
             }
 
@@ -263,7 +263,7 @@
                     shc.negotiatedProtocol);
             if (ke == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
             }
 
@@ -310,7 +310,7 @@
                     SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
             if (kd == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Not supported key derivation: " + shc.negotiatedProtocol);
             } else {
                 shc.handshakeKeyDerivation =
--- a/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java	Tue Dec 18 12:08:51 2018 -0800
@@ -438,7 +438,7 @@
             }
 
             if (dhePossession == null || dheCredentials == null) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No sufficient DHE key agreement parameters negotiated");
             }
 
--- a/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java	Tue Dec 18 12:08:51 2018 -0800
@@ -106,7 +106,7 @@
 
             if (dhePossession == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No DHE credentials negotiated for server key exchange");
             }
             DHPublicKey publicKey = dhePossession.publicKey;
@@ -132,7 +132,7 @@
                     if (signatureScheme == null) {
                         // Unlikely, the credentials generator should have
                         // selected the preferable signature algorithm properly.
-                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "No preferred signature algorithm");
                     }
                     try {
@@ -140,7 +140,7 @@
                                 x509Possession.popPrivateKey);
                     } catch (NoSuchAlgorithmException | InvalidKeyException |
                             InvalidAlgorithmParameterException nsae) {
-                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Unsupported signature algorithm: " +
                             signatureScheme.name, nsae);
                     }
@@ -151,7 +151,7 @@
                                 x509Possession.popPrivateKey.getAlgorithm(),
                                 x509Possession.popPrivateKey);
                     } catch (NoSuchAlgorithmException | InvalidKeyException e) {
-                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Unsupported signature algorithm: " +
                             x509Possession.popPrivateKey.getAlgorithm(), e);
                     }
@@ -163,7 +163,7 @@
                             shc.serverHelloRandom.randomBytes);
                     signature = signer.sign();
                 } catch (SignatureException ex) {
-                    shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failed to sign dhe parameters: " +
                         x509Possession.popPrivateKey.getAlgorithm(), ex);
                 }
@@ -189,7 +189,7 @@
                         new BigInteger(1, p),
                         new BigInteger(1, p)));
             } catch (InvalidKeyException ike) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Invalid DH ServerKeyExchange: invalid parameters", ike);
             }
 
@@ -204,7 +204,7 @@
             if (x509Credentials == null) {
                 // anonymous, no authentication, no signature
                 if (m.hasRemaining()) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid DH ServerKeyExchange: unknown extra data");
                 }
 
@@ -221,13 +221,13 @@
                 int ssid = Record.getInt16(m);
                 signatureScheme = SignatureScheme.valueOf(ssid);
                 if (signatureScheme == null) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Invalid signature algorithm (" + ssid +
                             ") used in DH ServerKeyExchange handshake message");
                 }
 
                 if (!chc.localSupportedSignAlgs.contains(signatureScheme)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Unsupported signature algorithm (" +
                             signatureScheme.name +
                             ") used in DH ServerKeyExchange handshake message");
@@ -245,11 +245,9 @@
                             x509Credentials.popPublicKey);
                 } catch (NoSuchAlgorithmException | InvalidKeyException |
                         InvalidAlgorithmParameterException nsae) {
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Unsupported signature algorithm: " +
                             signatureScheme.name, nsae);
-
-                    return;     // make the compiler happe
                 }
             } else {
                 try {
@@ -257,11 +255,9 @@
                             x509Credentials.popPublicKey.getAlgorithm(),
                             x509Credentials.popPublicKey);
                 } catch (NoSuchAlgorithmException | InvalidKeyException e) {
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Unsupported signature algorithm: " +
                             x509Credentials.popPublicKey.getAlgorithm(), e);
-
-                    return;     // make the compiler happe
                 }
             }
 
@@ -271,11 +267,11 @@
                         chc.serverHelloRandom.randomBytes);
 
                 if (!signer.verify(paramsSignature)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid signature on DH ServerKeyExchange message");
                 }
             } catch (SignatureException ex) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot verify DH ServerKeyExchange signature", ex);
             }
         }
@@ -535,15 +531,13 @@
                         new BigInteger(1, skem.g));
                 publicKey = (DHPublicKey)kf.generatePublic(spec);
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                     "Could not generate DHPublicKey", gse);
-
-                return;     // make the compiler happy
             }
 
             if (!chc.algorithmConstraints.permits(
                     EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
-                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                         "DH ServerKeyExchange does not comply to " +
                         "algorithm constraints");
             }
--- a/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java	Tue Dec 18 12:08:51 2018 -0800
@@ -190,20 +190,20 @@
             }
 
             if (x509Credentials == null) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No server certificate for ECDH client key exchange");
             }
 
             PublicKey publicKey = x509Credentials.popPublicKey;
             if (!publicKey.getAlgorithm().equals("EC")) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Not EC server certificate for ECDH client key exchange");
             }
 
             ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
             NamedGroup namedGroup = NamedGroup.valueOf(params);
             if (namedGroup == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unsupported EC server cert for ECDH client key exchange");
             }
 
@@ -228,7 +228,7 @@
                     chc.negotiatedProtocol);
             if (ke == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
             } else {
                 SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@@ -240,7 +240,7 @@
                         SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
                 if (kd == null) {
                     // unlikely
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             chc.negotiatedProtocol);
                 } else {
@@ -280,15 +280,14 @@
 
             if (x509Possession == null) {
                 // unlikely, have been checked during cipher suite negotiation.
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No expected EC server cert for ECDH client key exchange");
-                return;     // make the compiler happy
             }
 
             PrivateKey privateKey = x509Possession.popPrivateKey;
             if (!privateKey.getAlgorithm().equals("EC")) {
                 // unlikely, have been checked during cipher suite negotiation.
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Not EC server cert for ECDH client key exchange");
             }
 
@@ -296,7 +295,7 @@
             NamedGroup namedGroup = NamedGroup.valueOf(params);
             if (namedGroup == null) {
                 // unlikely, have been checked during cipher suite negotiation.
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unsupported EC server cert for ECDH client key exchange");
             }
 
@@ -305,9 +304,8 @@
                     shc.negotiatedProtocol);
             if (ke == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
-                return;     // make the compiler happy
             }
 
             // parse the handshake message
@@ -353,7 +351,7 @@
                     SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
             if (kd == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Not supported key derivation: " + shc.negotiatedProtocol);
             } else {
                 shc.handshakeKeyDerivation =
@@ -387,7 +385,7 @@
             }
 
             if (ecdheCredentials == null) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No ECDHE credentials negotiated for client key exchange");
             }
 
@@ -412,7 +410,7 @@
                     chc.negotiatedProtocol);
             if (ke == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
             } else {
                 SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@@ -424,7 +422,7 @@
                         SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
                 if (kd == null) {
                     // unlikely
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             chc.negotiatedProtocol);
                 } else {
@@ -463,16 +461,15 @@
             }
             if (ecdhePossession == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No expected ECDHE possessions for client key exchange");
-                return;     // make the compiler happy
             }
 
             ECParameterSpec params = ecdhePossession.publicKey.getParams();
             NamedGroup namedGroup = NamedGroup.valueOf(params);
             if (namedGroup == null) {
                 // unlikely, have been checked during cipher suite negotiation.
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unsupported EC server cert for ECDHE client key exchange");
             }
 
@@ -481,9 +478,8 @@
                     shc.negotiatedProtocol);
             if (ke == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
-                return;     // make the compiler happy
             }
 
             // parse the handshake message
@@ -529,7 +525,7 @@
                     SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
             if (kd == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Not supported key derivation: " + shc.negotiatedProtocol);
             } else {
                 shc.handshakeKeyDerivation =
--- a/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java	Tue Dec 18 12:08:51 2018 -0800
@@ -274,7 +274,7 @@
                 NamedGroup ng = NamedGroup.valueOf(params);
                 if (ng == null) {
                     // unlikely, have been checked during cipher suite negotiation.
-                    shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Unsupported EC server cert for ECDH key exchange");
                 }
 
@@ -295,7 +295,7 @@
             }
 
             if (x509Possession == null || ecdheCredentials == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No sufficient ECDHE key agreement parameters negotiated");
             }
 
@@ -327,7 +327,7 @@
                     NamedGroup namedGroup = NamedGroup.valueOf(params);
                     if (namedGroup == null) {
                         // unlikely, should have been checked previously
-                        chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                             "Unsupported EC server cert for ECDH key exchange");
                     }
 
@@ -344,7 +344,7 @@
             }
 
             if (ecdhePossession == null || x509Credentials == null) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No sufficient ECDH key agreement parameters negotiated");
             }
 
@@ -388,7 +388,7 @@
             }
 
             if (ecdhePossession == null || ecdheCredentials == null) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No sufficient ECDHE key agreement parameters negotiated");
             }
 
--- a/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java	Tue Dec 18 12:08:51 2018 -0800
@@ -113,7 +113,7 @@
 
             if (ecdhePossession == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No ECDHE credentials negotiated for server key exchange");
             }
 
@@ -125,7 +125,7 @@
             this.namedGroup = NamedGroup.valueOf(params);
             if ((namedGroup == null) || (namedGroup.oid == null) ) {
                 // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unnamed EC parameter spec: " + params);
             }
 
@@ -146,7 +146,7 @@
                     if (signatureScheme == null) {
                         // Unlikely, the credentials generator should have
                         // selected the preferable signature algorithm properly.
-                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                                 "No preferred signature algorithm for " +
                                 x509Possession.popPrivateKey.getAlgorithm() +
                                 "  key");
@@ -156,7 +156,7 @@
                                 x509Possession.popPrivateKey);
                     } catch (NoSuchAlgorithmException | InvalidKeyException |
                             InvalidAlgorithmParameterException nsae) {
-                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Unsupported signature algorithm: " +
                             signatureScheme.name, nsae);
                     }
@@ -167,7 +167,7 @@
                                 x509Possession.popPrivateKey.getAlgorithm(),
                                 x509Possession.popPrivateKey);
                     } catch (NoSuchAlgorithmException | InvalidKeyException e) {
-                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Unsupported signature algorithm: " +
                             x509Possession.popPrivateKey.getAlgorithm(), e);
                     }
@@ -180,7 +180,7 @@
                             namedGroup.id, publicPoint);
                     signature = signer.sign();
                 } catch (SignatureException ex) {
-                    shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failed to sign ecdhe parameters: " +
                         x509Possession.popPrivateKey.getAlgorithm(), ex);
                 }
@@ -199,37 +199,37 @@
             byte curveType = (byte)Record.getInt8(m);
             if (curveType != CURVE_NAMED_CURVE) {
                 // Unlikely as only the named curves should be negotiated.
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unsupported ECCurveType: " + curveType);
             }
 
             int namedGroupId = Record.getInt16(m);
             this.namedGroup = NamedGroup.valueOf(namedGroupId);
             if (namedGroup == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unknown named group ID: " + namedGroupId);
             }
 
             if (!SupportedGroups.isSupported(namedGroup)) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unsupported named group: " + namedGroup);
             }
 
             if (namedGroup.oid == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unknown named EC curve: " + namedGroup);
             }
 
             ECParameterSpec parameters =
                     JsseJce.getECParameterSpec(namedGroup.oid);
             if (parameters == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No supported EC parameter: " + namedGroup);
             }
 
             publicPoint = Record.getBytes8(m);
             if (publicPoint.length == 0) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Insufficient ECPoint data: " + namedGroup);
             }
 
@@ -242,7 +242,7 @@
                     new ECPublicKeySpec(point, parameters));
             } catch (NoSuchAlgorithmException |
                     InvalidKeySpecException | IOException ex) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid ECPoint: " + namedGroup, ex);
             }
 
@@ -259,7 +259,7 @@
             if (x509Credentials == null) {
                 // anonymous, no authentication, no signature
                 if (m.hasRemaining()) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid DH ServerKeyExchange: unknown extra data");
                 }
                 this.signatureScheme = null;
@@ -275,13 +275,13 @@
                 int ssid = Record.getInt16(m);
                 signatureScheme = SignatureScheme.valueOf(ssid);
                 if (signatureScheme == null) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid signature algorithm (" + ssid +
                         ") used in ECDH ServerKeyExchange handshake message");
                 }
 
                 if (!chc.localSupportedSignAlgs.contains(signatureScheme)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in ECDH ServerKeyExchange handshake message");
@@ -299,11 +299,9 @@
                             x509Credentials.popPublicKey);
                 } catch (NoSuchAlgorithmException | InvalidKeyException |
                         InvalidAlgorithmParameterException nsae) {
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm: " +
                         signatureScheme.name, nsae);
-
-                    return;     // make the compiler happe
                 }
             } else {
                 try {
@@ -311,11 +309,9 @@
                             x509Credentials.popPublicKey.getAlgorithm(),
                             x509Credentials.popPublicKey);
                 } catch (NoSuchAlgorithmException | InvalidKeyException e) {
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm: " +
                         x509Credentials.popPublicKey.getAlgorithm(), e);
-
-                    return;     // make the compiler happe
                 }
             }
 
@@ -326,11 +322,11 @@
                         namedGroup.id, publicPoint);
 
                 if (!signer.verify(paramsSignature)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid ECDH ServerKeyExchange signature");
                 }
             } catch (SignatureException ex) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot verify ECDH ServerKeyExchange signature", ex);
             }
         }
@@ -546,7 +542,7 @@
             if (!chc.algorithmConstraints.permits(
                     EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                     skem.publicKey)) {
-                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                         "ECDH ServerKeyExchange does not comply " +
                         "to algorithm constraints");
             }
--- a/src/java.base/share/classes/sun/security/ssl/ECPointFormatsExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ECPointFormatsExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -231,13 +231,12 @@
             try {
                 spec = new ECPointFormatsSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // per RFC 4492, uncompressed points must always be supported.
             if (!spec.hasUncompressedFormat()) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid ec_point_formats extension data: " +
                     "peer does not support uncompressed points");
             }
@@ -272,7 +271,7 @@
             ECPointFormatsSpec requestedSpec = (ECPointFormatsSpec)
                     chc.handshakeExtensions.get(CH_EC_POINT_FORMATS);
             if (requestedSpec == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected ec_point_formats extension in ServerHello");
             }
 
@@ -281,13 +280,12 @@
             try {
                 spec = new ECPointFormatsSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // per RFC 4492, uncompressed points must always be supported.
             if (!spec.hasUncompressedFormat()) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Invalid ec_point_formats extension data: " +
                         "peer does not support uncompressed points");
             }
--- a/src/java.base/share/classes/sun/security/ssl/EncryptedExtensions.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/EncryptedExtensions.java	Tue Dec 18 12:08:51 2018 -0800
@@ -60,7 +60,7 @@
             //     Extension extensions<0..2^16-1>;
             // } EncryptedExtensions;
             if (m.remaining() < 2) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid EncryptedExtensions handshake message: " +
                         "no sufficient data");
             }
--- a/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -172,8 +172,7 @@
             try {
                 spec = new ExtendedMasterSecretSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             if (shc.isResumption && shc.resumingSession != null &&
@@ -232,7 +231,7 @@
                 //
                 // As if extended master extension is required for full
                 // handshake, it MUST be used in abbreviated handshake too.
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Extended Master Secret extension is required");
             }
 
@@ -242,7 +241,7 @@
                     // session used the "extended_master_secret" extension
                     // but the new ClientHello does not contain it, the
                     // server MUST abort the abbreviated handshake.
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Missing Extended Master Secret extension " +
                             "on session resumption");
                 } else {
@@ -250,7 +249,7 @@
                     // original session nor the new ClientHello uses the
                     // extension, the server SHOULD abort the handshake.
                     if (!SSLConfiguration.allowLegacyResumption) {
-                        shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Missing Extended Master Secret extension " +
                             "on session resumption");
                     } else {  // Otherwise, continue with a full handshake.
@@ -318,7 +317,7 @@
             ExtendedMasterSecretSpec requstedSpec = (ExtendedMasterSecretSpec)
                     chc.handshakeExtensions.get(CH_EXTENDED_MASTER_SECRET);
             if (requstedSpec == null) {
-                chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
+                throw chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
                         "Server sent the extended_master_secret " +
                         "extension improperly");
             }
@@ -328,13 +327,12 @@
             try {
                 spec = new ExtendedMasterSecretSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             if (chc.isResumption && chc.resumingSession != null &&
                     !chc.resumingSession.useExtendedMasterSecret) {
-                chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
+                throw chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
                         "Server sent an unexpected extended_master_secret " +
                         "extension on session resumption");
             }
@@ -364,7 +362,7 @@
                 // For full handshake, if a client receives a ServerHello
                 // without the extension, it SHOULD abort the handshake if
                 // it does not wish to interoperate with legacy servers.
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Extended Master Secret extension is required");
             }
 
@@ -374,14 +372,14 @@
                     // the "extended_master_secret" extension but the new
                     // ServerHello does not contain the extension, the client
                     // MUST abort the handshake.
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Missing Extended Master Secret extension " +
                             "on session resumption");
                 } else if (SSLConfiguration.useExtendedMasterSecret &&
                         !SSLConfiguration.allowLegacyResumption &&
                         chc.negotiatedProtocol.useTLS10PlusSpec()) {
                     // Unlikely, abbreviated handshake should be discarded.
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Extended Master Secret extension is required");
                 }
             }
--- a/src/java.base/share/classes/sun/security/ssl/Finished.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/Finished.java	Tue Dec 18 12:08:51 2018 -0800
@@ -83,7 +83,7 @@
             try {
                 vd = vds.createVerifyData(context, false);
             } catch (IOException ioe) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Failed to generate verify_data", ioe);
             }
 
@@ -102,7 +102,7 @@
             }
 
             if (m.remaining() != verifyDataLen) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Inappropriate finished message: need " + verifyDataLen +
                     " but remaining " + m.remaining() + " bytes verify_data");
             }
@@ -116,12 +116,11 @@
             try {
                 myVerifyData = vd.createVerifyData(context, true);
             } catch (IOException ioe) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Failed to generate verify_data", ioe);
-                return;
             }
             if (!MessageDigest.isEqual(myVerifyData, verifyData)) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "The Finished message cannot be verified.");
             }
         }
@@ -518,7 +517,7 @@
             // we have received ChangeCipherSpec
             if (hc.conContext.consumers.containsKey(
                     ContentType.CHANGE_CIPHER_SPEC.id)) {
-                hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Missing ChangeCipherSpec message");
             }
 
@@ -679,19 +678,17 @@
             SSLKeyDerivation kd = chc.handshakeKeyDerivation;
             if (kd == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "no key derivation");
-                return null;
             }
 
             SSLTrafficKeyDerivation kdg =
                     SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
             if (kdg == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                         chc.negotiatedProtocol);
-                return null;
             }
 
             try {
@@ -714,12 +711,10 @@
                                 chc.sslContext.getSecureRandom());
 
                 if (writeCipher == null) {
-                    chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Illegal cipher suite (" + chc.negotiatedCipherSuite +
                         ") and protocol version (" + chc.negotiatedProtocol +
                         ")");
-
-                    return null;
                 }
 
                 chc.baseWriteSecret = writeSecret;
@@ -727,9 +722,8 @@
                         writeCipher, false);
 
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failure to derive application secrets", gse);
-                return null;
             }
 
             // The resumption master secret is stored in the session so
@@ -772,19 +766,17 @@
             SSLKeyDerivation kd = shc.handshakeKeyDerivation;
             if (kd == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "no key derivation");
-                return null;
             }
 
             SSLTrafficKeyDerivation kdg =
                     SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
             if (kdg == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                         shc.negotiatedProtocol);
-                return null;
             }
 
             // derive salt secret
@@ -821,12 +813,10 @@
                                 shc.sslContext.getSecureRandom());
 
                 if (writeCipher == null) {
-                    shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Illegal cipher suite (" + shc.negotiatedCipherSuite +
                         ") and protocol version (" + shc.negotiatedProtocol +
                         ")");
-
-                    return null;
                 }
 
                 shc.baseWriteSecret = writeSecret;
@@ -836,9 +826,8 @@
                 // update the context for the following key derivation
                 shc.handshakeKeyDerivation = secretKD;
             } catch (GeneralSecurityException gse) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failure to derive application secrets", gse);
-                return null;
             }
 
             /*
@@ -911,19 +900,17 @@
             SSLKeyDerivation kd = chc.handshakeKeyDerivation;
             if (kd == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "no key derivation");
-                return;
             }
 
             SSLTrafficKeyDerivation kdg =
                     SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
             if (kdg == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                         chc.negotiatedProtocol);
-                return;
             }
 
             // save the session
@@ -967,12 +954,10 @@
                                 chc.sslContext.getSecureRandom());
 
                 if (readCipher == null) {
-                    chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Illegal cipher suite (" + chc.negotiatedCipherSuite +
                         ") and protocol version (" + chc.negotiatedProtocol +
                         ")");
-
-                    return;
                 }
 
                 chc.baseReadSecret = readSecret;
@@ -981,9 +966,8 @@
                 // update the context for the following key derivation
                 chc.handshakeKeyDerivation = secretKD;
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failure to derive application secrets", gse);
-                return;
             }
 
             //
@@ -1031,19 +1015,17 @@
             SSLKeyDerivation kd = shc.handshakeKeyDerivation;
             if (kd == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "no key derivation");
-                return;
             }
 
             SSLTrafficKeyDerivation kdg =
                     SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
             if (kdg == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                         shc.negotiatedProtocol);
-                return;
             }
 
             // save the session
@@ -1073,12 +1055,10 @@
                                 shc.sslContext.getSecureRandom());
 
                 if (readCipher == null) {
-                    shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Illegal cipher suite (" + shc.negotiatedCipherSuite +
                         ") and protocol version (" + shc.negotiatedProtocol +
                         ")");
-
-                    return;
                 }
 
                 shc.baseReadSecret = readSecret;
@@ -1094,9 +1074,8 @@
                 shc.handshakeSession.setResumptionMasterSecret(
                         resumptionMasterSecret);
             } catch (GeneralSecurityException gse) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failure to derive application secrets", gse);
-                return;
             }
 
             //  update connection context
--- a/src/java.base/share/classes/sun/security/ssl/HandshakeContext.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/HandshakeContext.java	Tue Dec 18 12:08:51 2018 -0800
@@ -365,26 +365,20 @@
         //     } Handshake;
 
         if (plaintext.contentType != ContentType.HANDSHAKE.id) {
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                 "Unexpected operation for record: " + plaintext.contentType);
-
-            return 0;
         }
 
         if (plaintext.fragment == null || plaintext.fragment.remaining() < 4) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid handshake message: insufficient data");
-
-            return 0;
         }
 
         byte handshakeType = (byte)Record.getInt8(plaintext.fragment);
         int handshakeLen = Record.getInt24(plaintext.fragment);
         if (handshakeLen != plaintext.fragment.remaining()) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid handshake message: insufficient handshake body");
-
-            return 0;
         }
 
         return handshakeType;
@@ -438,16 +432,15 @@
         }
 
         if (consumer == null) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected handshake message: " +
                     SSLHandshake.nameOf(handshakeType));
-            return;
         }
 
         try {
             consumer.consume(this, fragment);
         } catch (UnsupportedOperationException unsoe) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unsupported handshake message: " +
                     SSLHandshake.nameOf(handshakeType), unsoe);
         }
--- a/src/java.base/share/classes/sun/security/ssl/HelloRequest.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/HelloRequest.java	Tue Dec 18 12:08:51 2018 -0800
@@ -59,7 +59,7 @@
                 ByteBuffer m) throws IOException {
             super(handshakeContext);
             if (m.hasRemaining()) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Error parsing HelloRequest message: not empty");
             }
         }
@@ -185,7 +185,7 @@
             if (!chc.kickstartMessageDelivered) {
                 if (!chc.conContext.secureRenegotiation &&
                         !HandshakeContext.allowUnsafeRenegotiation) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Unsafe renegotiation is not allowed");
                 }
 
--- a/src/java.base/share/classes/sun/security/ssl/HelloVerifyRequest.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/HelloVerifyRequest.java	Tue Dec 18 12:08:51 2018 -0800
@@ -73,7 +73,7 @@
             //      opaque cookie<0..2^8-1>;
             //  } HelloVerifyRequest;
             if (m.remaining() < 3) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid HelloVerifyRequest: no sufficient data");
             }
 
@@ -186,7 +186,7 @@
                 chc.handshakeConsumers.remove(SSLHandshake.SERVER_HELLO.id);
             }
             if (!chc.handshakeConsumers.isEmpty()) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "No more message expected before " +
                         "HelloVerifyRequest is processed");
             }
--- a/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -337,8 +337,7 @@
             try {
                 spec = new CHKeyShareSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             List<SSLCredentials> credentials = new LinkedList<>();
@@ -610,16 +609,14 @@
             if (chc.clientRequestedNamedGroups == null ||
                     chc.clientRequestedNamedGroups.isEmpty()) {
                 // No supported groups.
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected key_share extension in ServerHello");
-                return;     // fatal() always throws, make the compiler happy.
             }
 
             // Is it a supported and enabled extension?
             if (!chc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported key_share extension in ServerHello");
-                return;     // fatal() always throws, make the compiler happy.
             }
 
             // Parse the extension
@@ -627,25 +624,22 @@
             try {
                 spec = new SHKeyShareSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             KeyShareEntry keyShare = spec.serverShare;
             NamedGroup ng = NamedGroup.valueOf(keyShare.namedGroupId);
             if (ng == null || !SupportedGroups.isActivatable(
                     chc.sslConfig.algorithmConstraints, ng)) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported named group: " +
                         NamedGroup.nameOf(keyShare.namedGroupId));
-                return;     // fatal() always throws, make the compiler happy.
             }
 
             SSLKeyExchange ke = SSLKeyExchange.valueOf(ng);
             if (ke == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "No key exchange for named group " + ng.name);
-                return;     // fatal() always throws, make the compiler happy.
             }
 
             SSLCredentials credentials = null;
@@ -657,7 +651,7 @@
                         if (!chc.algorithmConstraints.permits(
                                 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                                 ecdhec.popPublicKey)) {
-                            chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                                     "ECDHE key share entry does not " +
                                     "comply to algorithm constraints");
                         } else {
@@ -665,7 +659,7 @@
                         }
                     }
                 } catch (IOException | GeneralSecurityException ex) {
-                    chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                             "Cannot decode named group: " +
                             NamedGroup.nameOf(keyShare.namedGroupId));
                 }
@@ -677,7 +671,7 @@
                         if (!chc.algorithmConstraints.permits(
                                 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                                 dhec.popPublicKey)) {
-                            chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                                     "DHE key share entry does not " +
                                     "comply to algorithm constraints");
                         } else {
@@ -685,18 +679,18 @@
                         }
                     }
                 } catch (IOException | GeneralSecurityException ex) {
-                    chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                             "Cannot decode named group: " +
                             NamedGroup.nameOf(keyShare.namedGroupId));
                 }
             } else {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported named group: " +
                         NamedGroup.nameOf(keyShare.namedGroupId));
             }
 
             if (credentials == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported named group: " + ng.name);
             }
 
@@ -794,17 +788,15 @@
 
             // Is it a supported and enabled extension?
             if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported key_share extension in HelloRetryRequest");
-                return null;    // make the compiler happy.
             }
 
             if (shc.clientRequestedNamedGroups == null ||
                     shc.clientRequestedNamedGroups.isEmpty()) {
                 // No supported groups.
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected key_share extension in HelloRetryRequest");
-                return null;    // make the compiler happy.
             }
 
             NamedGroup selectedGroup = null;
@@ -823,9 +815,8 @@
             }
 
             if (selectedGroup == null) {
-                shc.conContext.fatal(
+                throw shc.conContext.fatal(
                         Alert.UNEXPECTED_MESSAGE, "No common named group");
-                return null;    // make the complier happy
             }
 
             byte[] extdata = new byte[] {
@@ -861,9 +852,8 @@
 
             // Is it a supported and enabled extension?
             if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported key_share extension in HelloRetryRequest");
-                return null;    // make the compiler happy.
             }
 
             CHKeyShareSpec spec = (CHKeyShareSpec)shc.handshakeExtensions.get(
@@ -903,17 +893,15 @@
 
             // Is it a supported and enabled extension?
             if (!chc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported key_share extension in HelloRetryRequest");
-                return;     // make the compiler happy.
             }
 
             if (chc.clientRequestedNamedGroups == null ||
                     chc.clientRequestedNamedGroups.isEmpty()) {
                 // No supported groups.
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected key_share extension in HelloRetryRequest");
-                return;     // make the compiler happy.
             }
 
             // Parse the extension
@@ -921,23 +909,20 @@
             try {
                 spec = new HRRKeyShareSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             NamedGroup serverGroup = NamedGroup.valueOf(spec.selectedGroup);
             if (serverGroup == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported HelloRetryRequest selected group: " +
                                 NamedGroup.nameOf(spec.selectedGroup));
-                return;     // fatal() always throws, make the compiler happy.
             }
 
             if (!chc.clientRequestedNamedGroups.contains(serverGroup)) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected HelloRetryRequest selected group: " +
                                 serverGroup.name);
-                return;     // fatal() always throws, make the compiler happy.
             }
 
             // update the context
--- a/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java	Tue Dec 18 12:08:51 2018 -0800
@@ -78,7 +78,7 @@
             super(context);
 
             if (m.remaining() != 1) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "KeyUpdate has an unexpected length of "+
                         m.remaining());
             }
@@ -86,7 +86,7 @@
             byte request = m.get();
             this.status = KeyUpdateRequest.valueOf(request);
             if (status == null) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid KeyUpdate message value: " +
                         KeyUpdateRequest.nameOf(request));
             }
@@ -198,18 +198,17 @@
                 SSLTrafficKeyDerivation.valueOf(hc.conContext.protocolVersion);
             if (kdg == null) {
                 // unlikely
-                hc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                                 hc.conContext.protocolVersion);
-                return;
             }
 
             SSLKeyDerivation skd = kdg.createKeyDerivation(hc,
                     hc.conContext.inputRecord.readCipher.baseSecret);
             if (skd == null) {
                 // unlikely
-                hc.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
-                return;
+                throw hc.conContext.fatal(
+                        Alert.INTERNAL_ERROR, "no key derivation");
             }
 
             SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
@@ -225,12 +224,10 @@
                         hc.sslContext.getSecureRandom());
 
                 if (rc == null) {
-                    hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Illegal cipher suite (" + hc.negotiatedCipherSuite +
                         ") and protocol version (" + hc.negotiatedProtocol +
                         ")");
-
-                    return;
                 }
 
                 rc.baseSecret = nplus1;
@@ -239,9 +236,8 @@
                     SSLLogger.fine("KeyUpdate: read key updated");
                 }
             } catch (GeneralSecurityException gse) {
-                hc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failure to derive read secrets", gse);
-                return;
             }
 
             if (km.status == KeyUpdateRequest.REQUESTED) {
@@ -281,18 +277,17 @@
                 SSLTrafficKeyDerivation.valueOf(hc.conContext.protocolVersion);
             if (kdg == null) {
                 // unlikely
-                hc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                                 hc.conContext.protocolVersion);
-                return null;
             }
 
             SSLKeyDerivation skd = kdg.createKeyDerivation(hc,
                     hc.conContext.outputRecord.writeCipher.baseSecret);
             if (skd == null) {
                 // unlikely
-                hc.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
-                return null;
+                throw hc.conContext.fatal(
+                        Alert.INTERNAL_ERROR, "no key derivation");
             }
 
             SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
@@ -308,17 +303,14 @@
                         hc.conContext.protocolVersion, key, ivSpec,
                         hc.sslContext.getSecureRandom());
             } catch (GeneralSecurityException gse) {
-                hc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failure to derive write secrets", gse);
-                return null;
             }
 
             if (wc == null) {
-                hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Illegal cipher suite (" + hc.negotiatedCipherSuite +
                     ") and protocol version (" + hc.negotiatedProtocol + ")");
-
-                return null;
             }
 
             // Output the handshake message and change the write cipher.
--- a/src/java.base/share/classes/sun/security/ssl/MaxFragExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/MaxFragExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -253,13 +253,12 @@
             try {
                 spec = new MaxFragLenSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
             if (mfle == null) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "the requested maximum fragment length is other " +
                     "than the allowed values");
             }
@@ -359,7 +358,7 @@
             MaxFragLenSpec requestedSpec = (MaxFragLenSpec)
                     chc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
             if (requestedSpec == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected max_fragment_length extension in ServerHello");
             }
 
@@ -368,18 +367,17 @@
             try {
                 spec = new MaxFragLenSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             if (spec.id != requestedSpec.id) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "The maximum fragment length response is not requested");
             }
 
             MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
             if (mfle == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "the requested maximum fragment length is other " +
                     "than the allowed values");
             }
@@ -532,7 +530,7 @@
             MaxFragLenSpec requestedSpec = (MaxFragLenSpec)
                     chc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
             if (requestedSpec == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected max_fragment_length extension in ServerHello");
             }
 
@@ -541,18 +539,17 @@
             try {
                 spec = new MaxFragLenSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             if (spec.id != requestedSpec.id) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "The maximum fragment length response is not requested");
             }
 
             MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
             if (mfle == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "the requested maximum fragment length is other " +
                     "than the allowed values");
             }
--- a/src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java	Tue Dec 18 12:08:51 2018 -0800
@@ -86,7 +86,7 @@
             //     Extension extensions<0..2^16-2>;
             // } NewSessionTicket;
             if (m.remaining() < 14) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid NewSessionTicket message: no sufficient data");
             }
 
@@ -95,18 +95,18 @@
             this.ticketNonce = Record.getBytes8(m);
 
             if (m.remaining() < 5) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid NewSessionTicket message: no sufficient data");
             }
 
             this.ticket = Record.getBytes16(m);
             if (ticket.length == 0) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No ticket in the NewSessionTicket handshake message");
             }
 
             if (m.remaining() < 2) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid NewSessionTicket message: no sufficient data");
             }
 
--- a/src/java.base/share/classes/sun/security/ssl/PostHandshakeContext.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/PostHandshakeContext.java	Tue Dec 18 12:08:51 2018 -0800
@@ -43,7 +43,7 @@
         super(context);
 
         if (!negotiatedProtocol.useTLS13PlusSpec()) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                 "Post-handshake not supported in " + negotiatedProtocol.name);
         }
 
@@ -63,16 +63,15 @@
     void dispatch(byte handshakeType, ByteBuffer fragment) throws IOException {
         SSLConsumer consumer = handshakeConsumers.get(handshakeType);
         if (consumer == null) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected post-handshake message: " +
                             SSLHandshake.nameOf(handshakeType));
-            return;
         }
 
         try {
             consumer.consume(this, fragment);
         } catch (UnsupportedOperationException unsoe) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unsupported post-handshake message: " +
                             SSLHandshake.nameOf(handshakeType), unsoe);
         }
--- a/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -111,14 +111,14 @@
             //     PskBinderEntry binders<33..2^16-1>;
             // } OfferedPsks;
             if (m.remaining() < 44) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid pre_shared_key extension: " +
                     "insufficient data (length=" + m.remaining() + ")");
             }
 
             int idEncodedLength = Record.getInt16(m);
             if (idEncodedLength < 7) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid pre_shared_key extension: " +
                     "insufficient identities (length=" + idEncodedLength + ")");
             }
@@ -128,7 +128,7 @@
             while (idReadLength < idEncodedLength) {
                 byte[] id = Record.getBytes16(m);
                 if (id.length < 1) {
-                    context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid pre_shared_key extension: " +
                         "insufficient identity (length=" + id.length + ")");
                 }
@@ -140,7 +140,7 @@
             }
 
             if (m.remaining() < 35) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid pre_shared_key extension: " +
                         "insufficient binders data (length=" +
                         m.remaining() + ")");
@@ -148,7 +148,7 @@
 
             int bindersEncodedLen = Record.getInt16(m);
             if (bindersEncodedLen < 33) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid pre_shared_key extension: " +
                         "insufficient binders (length=" +
                         bindersEncodedLen + ")");
@@ -159,7 +159,7 @@
             while (bindersReadLength < bindersEncodedLen) {
                 byte[] binder = Record.getBytes8(m);
                 if (binder.length < 32) {
-                    context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                             "Invalid pre_shared_key extension: " +
                             "insufficient binder entry (length=" +
                             binder.length + ")");
@@ -271,7 +271,7 @@
         SHPreSharedKeySpec(HandshakeContext context,
                 ByteBuffer m) throws IOException {
             if (m.remaining() < 2) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid pre_shared_key extension: " +
                         "insufficient selected_identity (length=" +
                         m.remaining() + ")");
@@ -348,21 +348,20 @@
             try {
                 pskSpec = new CHPreSharedKeySpec(shc, buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // The "psk_key_exchange_modes" extension should have been loaded.
             if (!shc.handshakeExtensions.containsKey(
                     SSLExtension.PSK_KEY_EXCHANGE_MODES)) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Client sent PSK but not PSK modes, or the PSK " +
                         "extension is not the last extension");
             }
 
             // error if id and binder lists are not the same length
             if (pskSpec.identities.size() != pskSpec.binders.size()) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "PSK extension has incorrect number of binders");
             }
 
@@ -506,7 +505,7 @@
             SHPreSharedKeySpec shPsk = (SHPreSharedKeySpec)
                     shc.handshakeExtensions.get(SSLExtension.SH_PRE_SHARED_KEY);
             if (chPsk == null || shPsk == null) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Required extensions are unavailable");
             }
 
@@ -533,7 +532,7 @@
             HandshakeHash pskBinderHash, byte[] binder) throws IOException {
         Optional<SecretKey> pskOpt = session.getPreSharedKey();
         if (!pskOpt.isPresent()) {
-            shc.conContext.fatal(Alert.INTERNAL_ERROR,
+            throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Session has no PSK");
         }
         SecretKey psk = pskOpt.get();
@@ -542,7 +541,7 @@
         byte[] computedBinder =
                 computeBinder(shc, binderKey, session, pskBinderHash);
         if (!Arrays.equals(binder, computedBinder)) {
-            shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+            throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Incorect PSK binder value");
         }
     }
@@ -770,12 +769,10 @@
                 hmac.init(finishedKey);
                 return hmac.doFinal(digest);
             } catch (NoSuchAlgorithmException | InvalidKeyException ex) {
-                context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
-                return null; // fatal() always throws, make the compiler happy.
+                throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
             }
         } catch (GeneralSecurityException ex) {
-            context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
-            return null; // fatal() always throws, make the compiler happy.
+            throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
         }
     }
 
@@ -794,8 +791,7 @@
             return hkdf.expand(earlySecret,
                     hkdfInfo, hashAlg.hashLength, "TlsBinderKey");
         } catch (GeneralSecurityException ex) {
-            context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
-            return null; // fatal() always throws, make the compiler happy.
+            throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
         }
     }
 
@@ -834,7 +830,7 @@
             // Is it a response of the specific request?
             if (!chc.handshakeExtensions.containsKey(
                     SSLExtension.CH_PRE_SHARED_KEY)) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Server sent unexpected pre_shared_key extension");
             }
 
@@ -845,7 +841,7 @@
             }
 
             if (shPsk.selectedIdentity != 0) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Selected identity index is not in correct range.");
             }
 
--- a/src/java.base/share/classes/sun/security/ssl/PskKeyExchangeModesExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/PskKeyExchangeModesExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -201,8 +201,7 @@
             try {
                 spec = new PskKeyExchangeModesSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -324,7 +323,7 @@
             SSLExtensionSpec spec =
                 shc.handshakeExtensions.get(SSLExtension.CH_PRE_SHARED_KEY);
             if (spec != null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "pre_shared_key key extension is offered " +
                         "without a psk_key_exchange_modes extension");
             }
--- a/src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java	Tue Dec 18 12:08:51 2018 -0800
@@ -75,7 +75,7 @@
             super(context);
 
             if (m.remaining() < 2) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Invalid RSA ClientKeyExchange message: insufficient data");
             }
 
@@ -167,14 +167,14 @@
             }
 
             if (rsaCredentials == null && x509Credentials == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No RSA credentials negotiated for client key exchange");
             }
 
             PublicKey publicKey = (rsaCredentials != null) ?
                     rsaCredentials.popPublicKey : x509Credentials.popPublicKey;
             if (!publicKey.getAlgorithm().equals("RSA")) {      // unlikely
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Not RSA public key for client key exchange");
             }
 
@@ -186,10 +186,8 @@
                 ckem = new RSAClientKeyExchangeMessage(
                         chc, premaster, publicKey);
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Cannot generate RSA premaster secret", gse);
-
-                return null;    // make the compiler happy
             }
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                 SSLLogger.fine(
@@ -205,7 +203,7 @@
                     chc.negotiatedCipherSuite.keyExchange,
                     chc.negotiatedProtocol);
             if (ke == null) {   // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
             } else {
                 SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@@ -217,7 +215,7 @@
                 SSLTrafficKeyDerivation kd =
                         SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
                 if (kd == null) {   // unlikely
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             chc.negotiatedProtocol);
                 } else {
@@ -262,14 +260,14 @@
             }
 
             if (rsaPossession == null && x509Possession == null) {  // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No RSA possessions negotiated for client key exchange");
             }
 
             PrivateKey privateKey = (rsaPossession != null) ?
                     rsaPossession.popPrivateKey : x509Possession.popPrivateKey;
             if (!privateKey.getAlgorithm().equals("RSA")) {     // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Not RSA private key for client key exchange");
             }
 
@@ -287,7 +285,7 @@
                     RSAPremasterSecret.decode(shc, privateKey, ckem.encrypted);
                 shc.handshakeCredentials.add(premaster);
             } catch (GeneralSecurityException gse) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Cannot decode RSA premaster secret", gse);
             }
 
@@ -296,7 +294,7 @@
                     shc.negotiatedCipherSuite.keyExchange,
                     shc.negotiatedProtocol);
             if (ke == null) {   // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
             } else {
                 SSLKeyDerivation masterKD = ke.createKeyDerivation(shc);
@@ -308,7 +306,7 @@
                 SSLTrafficKeyDerivation kd =
                         SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
                 if (kd == null) {       // unlikely
-                    shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             shc.negotiatedProtocol);
                 } else {
--- a/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java	Tue Dec 18 12:08:51 2018 -0800
@@ -274,7 +274,7 @@
             }
 
             if (premaster == null) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No sufficient RSA key agreement parameters negotiated");
             }
 
--- a/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java	Tue Dec 18 12:08:51 2018 -0800
@@ -94,7 +94,7 @@
                 signature = signer.sign();
             } catch (NoSuchAlgorithmException |
                     InvalidKeyException | SignatureException ex) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failed to sign ephemeral RSA parameters", ex);
             }
 
@@ -122,7 +122,7 @@
             }
 
             if (x509Credentials == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No RSA credentials negotiated for server key exchange");
             }
 
@@ -133,12 +133,12 @@
                           chc.clientHelloRandom.randomBytes,
                           chc.serverHelloRandom.randomBytes);
                 if (!signer.verify(paramsSignature)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid signature of RSA ServerKeyExchange message");
                 }
             } catch (NoSuchAlgorithmException |
                     InvalidKeyException | SignatureException ex) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Failed to sign ephemeral RSA parameters", ex);
             }
         }
@@ -250,12 +250,12 @@
                 return null;
             } else if (x509Possession == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No RSA certificate negotiated for server key exchange");
             } else if (!"RSA".equals(
                     x509Possession.popPrivateKey.getAlgorithm())) {
                 // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "No X.509 possession can be used for " +
                         "ephemeral RSA ServerKeyExchange");
             }
@@ -312,15 +312,13 @@
                     new BigInteger(1, skem.exponent));
                 publicKey = (RSAPublicKey)kf.generatePublic(spec);
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                         "Could not generate RSAPublicKey", gse);
-
-                return;     // make the compiler happy
             }
 
             if (!chc.algorithmConstraints.permits(
                     EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
-                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                         "RSA ServerKeyExchange does not comply to " +
                         "algorithm constraints");
             }
@@ -328,7 +326,8 @@
             //
             // update
             //
-            chc.handshakeCredentials.add(new EphemeralRSACredentials(publicKey));
+            chc.handshakeCredentials.add(
+                    new EphemeralRSACredentials(publicKey));
 
             //
             // produce
--- a/src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -185,12 +185,10 @@
                     return null;
                 } else {
                     // terminate the session.
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "insecure renegotiation is not allowed");
                 }
             }
-
-            return null;
         }
     }
 
@@ -226,14 +224,13 @@
             try {
                 spec = new RenegotiationInfoSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             if (!shc.conContext.isNegotiated) {
                 // initial handshaking.
                 if (spec.renegotiatedConnection.length != 0) {
-                    shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Invalid renegotiation_info extension data: not empty");
                 }
                 shc.conContext.secureRenegotiation = true;
@@ -241,14 +238,14 @@
                 if (!shc.conContext.secureRenegotiation) {
                     // Unexpected RI extension for insecure renegotiation,
                     // abort the handshake with a fatal handshake_failure alert.
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "The renegotiation_info is present in a insecure " +
                             "renegotiation");
                 } else {
                     // verify the client_verify_data value
                     if (!Arrays.equals(shc.conContext.clientVerifyData,
                             spec.renegotiatedConnection)) {
-                        shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                             "Invalid renegotiation_info extension data: " +
                             "incorrect verify data in ClientHello");
                     }
@@ -295,7 +292,7 @@
                 }
 
                 if (!HandshakeContext.allowLegacyHelloMessages) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Failed to negotiate the use of secure renegotiation");
                 }   // otherwise, allow legacy hello message
 
@@ -307,7 +304,7 @@
                 shc.conContext.secureRenegotiation = false;
             } else if (shc.conContext.secureRenegotiation) {
                 // Require secure renegotiation, terminate the connection.
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Inconsistent secure renegotiation indication");
             } else {    // renegotiation, not secure
                 if (HandshakeContext.allowUnsafeRenegotiation) {
@@ -320,7 +317,7 @@
                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                         SSLLogger.fine("Terminate insecure renegotiation");
                     }
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Unsafe renegotiation is not allowed");
                 }
             }
@@ -430,7 +427,7 @@
             if (requestedSpec == null &&
                     !chc.activeCipherSuites.contains(
                             CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Missing renegotiation_info and SCSV detected in " +
                     "ClientHello");
             }
@@ -440,8 +437,7 @@
             try {
                 spec = new RenegotiationInfoSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
 
@@ -452,7 +448,7 @@
                 // and if it is not, MUST abort the handshake (by sending
                 // a fatal handshake_failure alert). [RFC 5746]
                 if (spec.renegotiatedConnection.length != 0) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid renegotiation_info in ServerHello: " +
                         "not empty renegotiated_connection");
                 }
@@ -467,7 +463,7 @@
                 int infoLen = chc.conContext.clientVerifyData.length +
                               chc.conContext.serverVerifyData.length;
                 if (spec.renegotiatedConnection.length != infoLen) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid renegotiation_info in ServerHello: " +
                         "invalid renegotiated_connection length (" +
                         spec.renegotiatedConnection.length + ")");
@@ -476,14 +472,14 @@
                 byte[] cvd = chc.conContext.clientVerifyData;
                 if (!Arrays.equals(spec.renegotiatedConnection,
                         0, cvd.length, cvd, 0, cvd.length)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid renegotiation_info in ServerHello: " +
                         "unmatched client_verify_data value");
                 }
                 byte[] svd = chc.conContext.serverVerifyData;
                 if (!Arrays.equals(spec.renegotiatedConnection,
                         cvd.length, infoLen, svd, 0, svd.length)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid renegotiation_info in ServerHello: " +
                         "unmatched server_verify_data value");
                 }
@@ -516,7 +512,7 @@
             if (requestedSpec == null &&
                     !chc.activeCipherSuites.contains(
                             CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Missing renegotiation_info and SCSV detected in " +
                     "ClientHello");
             }
@@ -524,7 +520,7 @@
             if (!chc.conContext.isNegotiated) {
                 // initial handshaking.
                 if (!HandshakeContext.allowLegacyHelloMessages) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Failed to negotiate the use of secure renegotiation");
                 }   // otherwise, allow legacy hello message
 
@@ -536,7 +532,7 @@
                 chc.conContext.secureRenegotiation = false;
             } else if (chc.conContext.secureRenegotiation) {
                 // Require secure renegotiation, terminate the connection.
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Inconsistent secure renegotiation indication");
             } else {    // renegotiation, not secure
                 if (HandshakeContext.allowUnsafeRenegotiation) {
@@ -549,7 +545,7 @@
                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                         SSLLogger.fine("Terminate insecure renegotiation");
                     }
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Unsafe renegotiation is not allowed");
                 }
             }
--- a/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java	Tue Dec 18 12:08:51 2018 -0800
@@ -102,10 +102,10 @@
         try {
             conContext.kickstart();
         } catch (IOException ioe) {
-            conContext.fatal(Alert.HANDSHAKE_FAILURE,
+            throw conContext.fatal(Alert.HANDSHAKE_FAILURE,
                 "Couldn't kickstart handshaking", ioe);
         } catch (Exception ex) {     // including RuntimeException
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                 "Fail to begin handshake", ex);
         }
     }
@@ -137,16 +137,14 @@
                 srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
         } catch (SSLProtocolException spe) {
             // may be an unexpected handshake message
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
         } catch (IOException ioe) {
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                 "problem wrapping app data", ioe);
         } catch (Exception ex) {     // including RuntimeException
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                 "Fail to wrap application data", ex);
         }
-
-        return null;    // make compiler happy
     }
 
     private SSLEngineResult writeRecord(
@@ -275,9 +273,9 @@
                 srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
         } catch (SSLHandshakeException she) {
             // may be record sequence number overflow
-            conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
+            throw conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
         } catch (IOException e) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
         }
 
         if (ciphertext == null) {
@@ -444,7 +442,7 @@
                 srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
         } catch (SSLProtocolException spe) {
             // may be an unexpected handshake message
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     spe.getMessage(), spe);
         } catch (IOException ioe) {
             /*
@@ -453,14 +451,12 @@
              * got us into this situation, so report that much back.
              * Our days of consuming are now over anyway.
              */
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                     "problem unwrapping net record", ioe);
         } catch (Exception ex) {     // including RuntimeException
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                 "Fail to unwrap network record", ex);
         }
-
-        return null;    // make compiler happy
     }
 
     private SSLEngineResult readRecord(
@@ -721,7 +717,7 @@
         if (!conContext.isInputCloseNotified &&
             (conContext.isNegotiated || conContext.handshakeContext != null)) {
 
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                     "closing inbound before receiving peer's close_notify");
         }
 
--- a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java	Tue Dec 18 12:08:51 2018 -0800
@@ -60,7 +60,8 @@
             int extId = Record.getInt16(m);
             int extLen = Record.getInt16(m);
             if (extLen > m.remaining()) {
-                hm.handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw hm.handshakeContext.conContext.fatal(
+                        Alert.ILLEGAL_PARAMETER,
                         "Error parsing extension (" + extId +
                         "): no sufficient data");
             }
@@ -86,7 +87,7 @@
                                 "in the ServerHello handshake message");
                     }
                 } else {
-                    hm.handshakeContext.conContext.fatal(
+                    throw hm.handshakeContext.conContext.fatal(
                         Alert.UNSUPPORTED_EXTENSION,
                         "extension (" + extId +
                         ") should not be presented in " + handshakeType.name);
@@ -102,7 +103,7 @@
                     }
 
                     if (extension.handshakeType != handshakeType) {
-                        hm.handshakeContext.conContext.fatal(
+                        throw hm.handshakeContext.conContext.fatal(
                                 Alert.UNSUPPORTED_EXTENSION,
                                 "extension (" + extId + ") should not be " +
                                 "presented in " + handshakeType.name);
--- a/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java	Tue Dec 18 12:08:51 2018 -0800
@@ -402,7 +402,7 @@
                     readHandshakeRecord();
                 }
             } catch (IOException ioe) {
-                conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Couldn't kickstart handshaking", ioe);
             } catch (Exception oe) {    // including RuntimeException
                 handleException(oe);
@@ -642,7 +642,7 @@
         if (checkCloseNotify && !conContext.isInputCloseNotified &&
             (conContext.isNegotiated || conContext.handshakeContext != null)) {
 
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                     "closing inbound before receiving peer's close_notify");
         }
 
@@ -982,9 +982,9 @@
                 conContext.outputRecord.deliver(b, off, len);
             } catch (SSLHandshakeException she) {
                 // may be record sequence number overflow
-                conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
+                throw conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
             } catch (IOException e) {
-                conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
+                throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
             }
 
             // Is the sequence number is nearly overflow, or has the key usage
@@ -1309,7 +1309,8 @@
                 alert = Alert.INTERNAL_ERROR;
             }
         }
-        conContext.fatal(alert, cause);
+
+        throw conContext.fatal(alert, cause);
     }
 
     private Plaintext handleEOF(EOFException eofe) throws IOException {
--- a/src/java.base/share/classes/sun/security/ssl/SSLTransport.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SSLTransport.java	Tue Dec 18 12:08:51 2018 -0800
@@ -115,7 +115,7 @@
                 }
             }
 
-            context.fatal(Alert.UNEXPECTED_MESSAGE, unsoe);
+            throw context.fatal(Alert.UNEXPECTED_MESSAGE, unsoe);
         } catch (BadPaddingException bpe) {
             /*
              * The basic SSLv3 record protection involves (optional)
@@ -126,15 +126,15 @@
             Alert alert = (context.handshakeContext != null) ?
                     Alert.HANDSHAKE_FAILURE :
                     Alert.BAD_RECORD_MAC;
-            context.fatal(alert, bpe);
+            throw context.fatal(alert, bpe);
         } catch (SSLHandshakeException she) {
             // may be record sequence number overflow
-            context.fatal(Alert.HANDSHAKE_FAILURE, she);
+            throw context.fatal(Alert.HANDSHAKE_FAILURE, she);
         } catch (EOFException eofe) {
             // rethrow EOFException, the call will handle it if neede.
             throw eofe;
         } catch (IOException ioe) {
-            context.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+            throw context.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
         }
 
         if (plaintexts == null || plaintexts.length == 0) {
@@ -191,7 +191,7 @@
                     }
 
                     if (remains > 0) {
-                        context.fatal(Alert.INTERNAL_ERROR,
+                        throw context.fatal(Alert.INTERNAL_ERROR,
                             "no sufficient room in the destination buffers");
                     }
                 }
--- a/src/java.base/share/classes/sun/security/ssl/ServerHello.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ServerHello.java	Tue Dec 18 12:08:51 2018 -0800
@@ -133,7 +133,7 @@
             this.serverVersion = ProtocolVersion.valueOf(major, minor);
             if (this.serverVersion == null) {
                 // The client should only request for known protocol versions.
-                context.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "Unsupported protocol version: " +
                     ProtocolVersion.nameOf(major, minor));
             }
@@ -143,20 +143,21 @@
             try {
                 sessionId.checkLength(serverVersion.id);
             } catch (SSLProtocolException ex) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex);
+                throw handshakeContext.conContext.fatal(
+                        Alert.ILLEGAL_PARAMETER, ex);
             }
 
             int cipherSuiteId = Record.getInt16(m);
             this.cipherSuite = CipherSuite.valueOf(cipherSuiteId);
             if (cipherSuite == null || !context.isNegotiable(cipherSuite)) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Server selected improper ciphersuite " +
                     CipherSuite.nameOf(cipherSuiteId));
             }
 
             this.compressionMethod = m.get();
             if (compressionMethod != 0) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "compression type not supported, " + compressionMethod);
             }
 
@@ -293,10 +294,8 @@
                 KeyExchangeProperties credentials =
                         chooseCipherSuite(shc, clientHello);
                 if (credentials == null) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "no cipher suites in common");
-
-                    return null;
                 }
                 shc.negotiatedCipherSuite = credentials.cipherSuite;
                 shc.handshakeKeyExchange = credentials.keyExchange;
@@ -374,7 +373,7 @@
                     SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
                 if (kdg == null) {
                     // unlikely
-                    shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             shc.negotiatedProtocol);
                 } else {
@@ -458,10 +457,8 @@
                 }
             }
 
-            shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+            throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "no cipher suites in common");
-
-            return null;
         }
 
         private static final class KeyExchangeProperties {
@@ -524,9 +521,8 @@
                 // negotiate the cipher suite.
                 CipherSuite cipherSuite = chooseCipherSuite(shc, clientHello);
                 if (cipherSuite == null) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "no cipher suites in common");
-                    return null;
                 }
                 shc.negotiatedCipherSuite = cipherSuite;
                 shc.handshakeSession.setSuite(cipherSuite);
@@ -592,9 +588,8 @@
             SSLKeyExchange ke = shc.handshakeKeyExchange;
             if (ke == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not negotiated key shares");
-                return null;
             }
 
             SSLKeyDerivation handshakeKD = ke.createKeyDerivation(shc);
@@ -605,10 +600,9 @@
                 SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
             if (kdg == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                         shc.negotiatedProtocol);
-                return null;
             }
 
             SSLKeyDerivation kd =
@@ -634,18 +628,15 @@
                         shc.sslContext.getSecureRandom());
             } catch (GeneralSecurityException gse) {
                 // unlikely
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Missing cipher algorithm", gse);
-                return null;
             }
 
             if (readCipher == null) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Illegal cipher suite (" + shc.negotiatedCipherSuite +
                     ") and protocol version (" + shc.negotiatedProtocol +
                     ")");
-
-                return null;
             }
 
             shc.baseReadSecret = readSecret;
@@ -671,18 +662,15 @@
                         shc.sslContext.getSecureRandom());
             } catch (GeneralSecurityException gse) {
                 // unlikely
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Missing cipher algorithm", gse);
-                return null;
             }
 
             if (writeCipher == null) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Illegal cipher suite (" + shc.negotiatedCipherSuite +
                     ") and protocol version (" + shc.negotiatedProtocol +
                     ")");
-
-                return null;
             }
 
             shc.baseWriteSecret = writeSecret;
@@ -764,9 +752,8 @@
             CipherSuite cipherSuite =
                     T13ServerHelloProducer.chooseCipherSuite(shc, clientHello);
             if (cipherSuite == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "no cipher suites in common for hello retry request");
-                return null;
             }
 
             ServerHelloMessage hhrm = new ServerHelloMessage(shc,
@@ -875,7 +862,7 @@
                         SSLHandshake.HELLO_VERIFY_REQUEST.id);
             }
             if (!chc.handshakeConsumers.isEmpty()) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "No more message expected before ServerHello is processed");
             }
 
@@ -913,14 +900,14 @@
             }
 
             if (!chc.activeProtocols.contains(serverVersion)) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "The server selected protocol version " + serverVersion +
                     " is not accepted by client preferences " +
                     chc.activeProtocols);
             }
 
             if (!serverVersion.useTLS13PlusSpec()) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "Unexpected HelloRetryRequest for " + serverVersion.name);
             }
 
@@ -965,7 +952,7 @@
             }
 
             if (!chc.activeProtocols.contains(serverVersion)) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "The server selected protocol version " + serverVersion +
                     " is not accepted by client preferences " +
                     chc.activeProtocols);
@@ -982,7 +969,7 @@
             }
 
             if (serverHello.serverRandom.isVersionDowngrade(chc)) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "A potential protocol version downgrade attack");
             }
 
@@ -1025,7 +1012,7 @@
             ClientHandshakeContext chc = (ClientHandshakeContext)context;
             ServerHelloMessage serverHello = (ServerHelloMessage)message;
             if (!chc.isNegotiable(serverHello.serverVersion)) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "Server chose " + serverHello.serverVersion +
                     ", but that protocol version is not enabled or " +
                     "not supported by the client.");
@@ -1037,7 +1024,7 @@
                     chc.negotiatedProtocol, chc.negotiatedCipherSuite);
             chc.serverHelloRandom = serverHello.serverRandom;
             if (chc.negotiatedCipherSuite.keyExchange == null) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "TLS 1.2 or prior version does not support the " +
                     "server cipher suite: " + chc.negotiatedCipherSuite.name);
             }
@@ -1063,7 +1050,7 @@
                     // Verify that the session ciphers are unchanged.
                     CipherSuite sessionSuite = chc.resumingSession.getSuite();
                     if (chc.negotiatedCipherSuite != sessionSuite) {
-                        chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                        throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                             "Server returned wrong cipher suite for session");
                     }
 
@@ -1071,7 +1058,7 @@
                     ProtocolVersion sessionVersion =
                             chc.resumingSession.getProtocolVersion();
                     if (chc.negotiatedProtocol != sessionVersion) {
-                        chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                        throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                             "Server resumed with wrong protocol version");
                     }
 
@@ -1090,7 +1077,7 @@
                     }
                     chc.isResumption = false;
                     if (!chc.sslConfig.enableSessionCreation) {
-                        chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                        throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                             "New session creation is disabled");
                     }
                 }
@@ -1109,7 +1096,7 @@
                 }
 
                 if (!chc.sslConfig.enableSessionCreation) {
-                    chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                         "New session creation is disabled");
                 }
                 chc.handshakeSession = new SSLSessionImpl(chc,
@@ -1130,7 +1117,7 @@
                         SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
                 if (kdg == null) {
                     // unlikely
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             chc.negotiatedProtocol);
                 } else {
@@ -1201,7 +1188,7 @@
             ClientHandshakeContext chc = (ClientHandshakeContext)context;
             ServerHelloMessage serverHello = (ServerHelloMessage)message;
             if (serverHello.serverVersion != ProtocolVersion.TLS12) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "The ServerHello.legacy_version field is not TLS 1.2");
             }
 
@@ -1226,7 +1213,7 @@
                 }
 
                 if (!chc.sslConfig.enableSessionCreation) {
-                    chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                         "New session creation is disabled");
                 }
                 chc.handshakeSession = new SSLSessionImpl(chc,
@@ -1239,7 +1226,7 @@
                 Optional<SecretKey> psk =
                         chc.resumingSession.consumePreSharedKey();
                 if(!psk.isPresent()) {
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No PSK available. Unable to resume.");
                 }
 
@@ -1260,9 +1247,8 @@
             SSLKeyExchange ke = chc.handshakeKeyExchange;
             if (ke == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not negotiated key shares");
-                return;
             }
 
             SSLKeyDerivation handshakeKD = ke.createKeyDerivation(chc);
@@ -1272,10 +1258,9 @@
                 SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
             if (kdg == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                         chc.negotiatedProtocol);
-                return;
             }
 
             SSLKeyDerivation secretKD =
@@ -1302,18 +1287,15 @@
                         chc.sslContext.getSecureRandom());
             } catch (GeneralSecurityException gse) {
                 // unlikely
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Missing cipher algorithm", gse);
-                return;
             }
 
             if (readCipher == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Illegal cipher suite (" + chc.negotiatedCipherSuite +
                     ") and protocol version (" + chc.negotiatedProtocol +
                     ")");
-
-                return;
             }
 
             chc.baseReadSecret = readSecret;
@@ -1339,18 +1321,15 @@
                         chc.sslContext.getSecureRandom());
             } catch (GeneralSecurityException gse) {
                 // unlikely
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Missing cipher algorithm", gse);
-                return;
             }
 
             if (writeCipher == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Illegal cipher suite (" + chc.negotiatedCipherSuite +
                     ") and protocol version (" + chc.negotiatedProtocol +
                     ")");
-
-                return;
             }
 
             chc.baseWriteSecret = writeSecret;
@@ -1412,7 +1391,7 @@
             ClientHandshakeContext chc = (ClientHandshakeContext)context;
             ServerHelloMessage helloRetryRequest = (ServerHelloMessage)message;
             if (helloRetryRequest.serverVersion != ProtocolVersion.TLS12) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "The HelloRetryRequest.legacy_version is not TLS 1.2");
             }
 
@@ -1442,7 +1421,7 @@
                 chc.initialClientHelloMsg.write(hos);
             } catch (IOException ioe) {
                 // unlikely
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Failed to construct message hash", ioe);
             }
             chc.handshakeHash.deliver(hos.toByteArray());
--- a/src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java	Tue Dec 18 12:08:51 2018 -0800
@@ -50,7 +50,7 @@
                 ByteBuffer m) throws IOException {
             super(handshakeContext);
             if (m.hasRemaining()) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Error parsing ServerHelloDone message: not empty");
             }
         }
--- a/src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java	Tue Dec 18 12:08:51 2018 -0800
@@ -68,9 +68,8 @@
             }
 
             // not producer defined.
-            shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+            throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No ServerKeyExchange handshake message can be produced.");
-            return null;    // make the compiler happe
         }
     }
 
@@ -107,7 +106,7 @@
             }
 
             // no consumer defined.
-            chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected ServerKeyExchange handshake message.");
         }
     }
--- a/src/java.base/share/classes/sun/security/ssl/ServerNameExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ServerNameExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -295,8 +295,7 @@
             try {
                 spec = new CHServerNamesSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -314,7 +313,7 @@
                     }
                 } else {
                     // We do not reject client without SNI extension currently.
-                    shc.conContext.fatal(Alert.UNRECOGNIZED_NAME,
+                    throw shc.conContext.fatal(Alert.UNRECOGNIZED_NAME,
                             "Unrecognized server name indication");
                 }
             } else {
@@ -483,13 +482,13 @@
             CHServerNamesSpec spec = (CHServerNamesSpec)
                     chc.handshakeExtensions.get(CH_SERVER_NAME);
             if (spec == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected ServerHello server_name extension");
             }
 
             // Parse the extension.
             if (buffer.remaining() != 0) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid ServerHello server_name extension");
             }
 
@@ -570,13 +569,13 @@
             CHServerNamesSpec spec = (CHServerNamesSpec)
                     chc.handshakeExtensions.get(CH_SERVER_NAME);
             if (spec == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected EncryptedExtensions server_name extension");
             }
 
             // Parse the extension.
             if (buffer.remaining() != 0) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid EncryptedExtensions server_name extension");
             }
 
--- a/src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -238,8 +238,7 @@
             try {
                 spec = new SignatureSchemesSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -329,7 +328,7 @@
             // We may support the server authentication other than X.509
             // certificate later.
             if (shc.negotiatedProtocol.useTLS13PlusSpec()) {
-                shc.conContext.fatal(Alert.MISSING_EXTENSION,
+                throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
                     "No mandatory signature_algorithms extension in the " +
                     "received CertificateRequest handshake message");
             }
@@ -403,10 +402,9 @@
             // handshake message in TLS 1.3.
             if (!shc.sslConfig.isAvailable(
                     SSLExtension.CR_SIGNATURE_ALGORITHMS)) {
-                shc.conContext.fatal(Alert.MISSING_EXTENSION,
+                throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
                         "No available signature_algorithms extension " +
                         "for client certificate authentication");
-                return null;    // make the compiler happy
             }
 
             // Produce the extension.
@@ -454,10 +452,9 @@
             // handshake message in TLS 1.3.
             if (!chc.sslConfig.isAvailable(
                     SSLExtension.CR_SIGNATURE_ALGORITHMS)) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "No available signature_algorithms extension " +
                         "for client certificate authentication");
-                return;     // make the compiler happy
             }
 
             // Parse the extension.
@@ -465,8 +462,7 @@
             try {
                 spec = new SignatureSchemesSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             List<SignatureScheme> knownSignatureSchemes = new LinkedList<>();
@@ -545,7 +541,7 @@
 
             // This is a mandatory extension for CertificateRequest handshake
             // message in TLS 1.3.
-            chc.conContext.fatal(Alert.MISSING_EXTENSION,
+            throw chc.conContext.fatal(Alert.MISSING_EXTENSION,
                     "No mandatory signature_algorithms extension in the " +
                     "received CertificateRequest handshake message");
         }
--- a/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -900,8 +900,7 @@
             try {
                 spec = new SupportedGroupsSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -1024,8 +1023,7 @@
             try {
                 spec = new SupportedGroupsSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
--- a/src/java.base/share/classes/sun/security/ssl/SupportedVersionsExtension.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SupportedVersionsExtension.java	Tue Dec 18 12:08:51 2018 -0800
@@ -225,8 +225,7 @@
             try {
                 spec = new CHSupportedVersionsSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -368,8 +367,7 @@
             try {
                 spec = new SHSupportedVersionsSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -458,8 +456,7 @@
             try {
                 spec = new SHSupportedVersionsSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
--- a/src/java.base/share/classes/sun/security/ssl/TransportContext.java	Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/TransportContext.java	Tue Dec 18 12:08:51 2018 -0800
@@ -148,9 +148,8 @@
 
         ContentType ct = ContentType.valueOf(plaintext.contentType);
         if (ct == null) {
-            fatal(Alert.UNEXPECTED_MESSAGE,
+            throw fatal(Alert.UNEXPECTED_MESSAGE,
                 "Unknown content type: " + plaintext.contentType);
-            return;
         }
 
         switch (ct) {
@@ -164,7 +163,7 @@
                                 protocolVersion.useTLS13PlusSpec()) {
                             handshakeContext = new PostHandshakeContext(this);
                         } else {
-                            fatal(Alert.UNEXPECTED_MESSAGE,
+                            throw fatal(Alert.UNEXPECTED_MESSAGE,
                                     "Unexpected post-handshake message: " +
                                     SSLHandshake.nameOf(type));
                         }
@@ -185,7 +184,7 @@
                 if (consumer != null) {
                     consumer.consume(this, plaintext.fragment);
                 } else {
-                    fatal(Alert.UNEXPECTED_MESSAGE,
+                    throw fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected content: " + plaintext.contentType);
                 }
         }
@@ -250,22 +249,22 @@
         }
     }
 
-    void fatal(Alert alert,
+    SSLException fatal(Alert alert,
             String diagnostic) throws SSLException {
-        fatal(alert, diagnostic, null);
+        return fatal(alert, diagnostic, null);
     }
 
-    void fatal(Alert alert, Throwable cause) throws SSLException {
-        fatal(alert, null, cause);
+    SSLException fatal(Alert alert, Throwable cause) throws SSLException {
+        return fatal(alert, null, cause);
     }
 
-    void fatal(Alert alert,
+    SSLException fatal(Alert alert,
             String diagnostic, Throwable cause) throws SSLException {
-        fatal(alert, diagnostic, false, cause);
+        return fatal(alert, diagnostic, false, cause);
     }
 
     // Note: close_notify is not delivered via fatal() methods.
-    void fatal(Alert alert, String diagnostic,
+    SSLException fatal(Alert alert, String diagnostic,
             boolean recvFatalAlert, Throwable cause) throws SSLException {
         // If we've already shutdown because of an error, there is nothing we
         // can do except rethrow the exception.