Added tag jdk-11.0.1+8 for changeset c2b23a17d3ff

Reviewed-by: xuelei, mullan

.hgtags

@@ -502,3 +502,12 @@ ea900a7dc7d77dee30865c60eabd87fc24b1037c jdk-11+24
 945ba9278a272a5477ffb1b3ea1b04174fed8036 jdk-11+26
 9d7d74c6f2cbe522e39fa22dc557fdd3f79b32ad jdk-11+27
 76072a077ee1d815152d45d1692c4b36c53c5c49 jdk-11+28
+1353ec839c82de926bfacd2c7976b6b652d4afb0 jdk-11.0.1+1
+781b5d8f2f75ae4dfdafc85630e5dbd31e324ed1 jdk-11.0.1+3
+fc55f0667af5ea3b21e40a59e2a88b1b82e65e62 jdk-11.0.1+2
+c01cc45790f871adec30acc90742b521d57a2fff jdk-11.0.1+0
+b5b1dd7e6f9d86aedf7141e9279342fae257bd67 jdk-11.0.1+4
+d6efeebf554c918bfab50f89939eb11121e18432 jdk-11.0.1+5
+db768cfe2141b3eb9ef53d7104002a0532c8c977 jdk-11.0.1+6
+88a221c0bad0cee441767106776628550d660a82 jdk-11.0.1+7
+c2b23a17d3ff92235aed8e8d04642d7a6eaecf54 jdk-11.0.1+8

make/autoconf/version-numbers

@@ -27,9 +27,9 @@
 
 DEFAULT_VERSION_FEATURE=11
 DEFAULT_VERSION_INTERIM=0
-DEFAULT_VERSION_UPDATE=0
+DEFAULT_VERSION_UPDATE=1
 DEFAULT_VERSION_PATCH=0
-DEFAULT_VERSION_DATE=2018-09-25
+DEFAULT_VERSION_DATE=2018-10-16
 DEFAULT_VERSION_CLASSFILE_MAJOR=55  # "`$EXPR $DEFAULT_VERSION_FEATURE + 44`"
 DEFAULT_VERSION_CLASSFILE_MINOR=0
 DEFAULT_ACCEPTABLE_BOOT_VERSIONS="10 11"

src/hotspot/share/interpreter/linkResolver.cpp

@@ -987,12 +987,11 @@ void LinkResolver::resolve_field(fieldDescriptor& fd,
     THROW_MSG(vmSymbols::java_lang_NoSuchFieldError(), field->as_C_string());
   }
 
-  if (!link_info.check_access())
   // Access checking may be turned off when calling from within the VM.
-    return;
+  Klass* current_klass = link_info.current_klass();
+  if (link_info.check_access()) {
 
     // check access
-  Klass* current_klass = link_info.current_klass();
     check_field_accessability(current_klass, resolved_klass, sel_klass, fd, CHECK);
 
     // check for errors
@@ -1047,8 +1046,9 @@ void LinkResolver::resolve_field(fieldDescriptor& fd,
     if (is_static && initialize_class) {
       sel_klass->initialize(CHECK);
     }
+  }
 
-  if (sel_klass != current_klass) {
+  if ((sel_klass != current_klass) && (current_klass != NULL)) {
     check_field_loader_constraints(field, sig, current_klass, sel_klass, CHECK);
   }
 

src/java.base/share/classes/java/lang/AbstractStringBuilder.java

@@ -69,10 +69,13 @@ abstract class AbstractStringBuilder implements Appendable, CharSequence {
      */
     int count;
 
+    private static final byte[] EMPTYVALUE = new byte[0];
+
     /**
      * This no-arg constructor is necessary for serialization of subclasses.
      */
     AbstractStringBuilder() {
+        value = EMPTYVALUE;
     }
 
     /**

src/java.base/share/classes/java/net/InetAddress.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -35,6 +35,7 @@ import java.io.FileNotFoundException;
 import java.io.ObjectStreamException;
 import java.io.ObjectStreamField;
 import java.io.IOException;
+import java.io.InvalidObjectException;
 import java.io.ObjectInputStream;
 import java.io.ObjectInputStream.GetField;
 import java.io.ObjectOutputStream;
@@ -1728,8 +1729,11 @@ class InetAddress implements java.io.Serializable {
         }
         GetField gf = s.readFields();
         String host = (String)gf.get("hostName", null);
-        int address= gf.get("address", 0);
+        int address = gf.get("address", 0);
-        int family= gf.get("family", 0);
+        int family = gf.get("family", 0);
+        if (family != IPv4 && family != IPv6) {
+            throw new InvalidObjectException("invalid address family type: " + family);
+        }
         InetAddressHolder h = new InetAddressHolder(host, address, family);
         UNSAFE.putObject(this, FIELDS_OFFSET, h);
     }

src/java.base/share/classes/java/net/NetworkInterface.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -321,8 +321,20 @@ public final class NetworkInterface {
         if (addr == null) {
             throw new NullPointerException();
         }
-        if (!(addr instanceof Inet4Address || addr instanceof Inet6Address)) {
+        if (addr instanceof Inet4Address) {
-            throw new IllegalArgumentException ("invalid address type");
+            Inet4Address inet4Address = (Inet4Address) addr;
+            if (inet4Address.holder.family != InetAddress.IPv4) {
+                throw new IllegalArgumentException("invalid family type: "
+                        + inet4Address.holder.family);
+            }
+        } else if (addr instanceof Inet6Address) {
+            Inet6Address inet6Address = (Inet6Address) addr;
+            if (inet6Address.holder.family != InetAddress.IPv6) {
+                throw new IllegalArgumentException("invalid family type: "
+                        + inet6Address.holder.family);
+            }
+        } else {
+            throw new IllegalArgumentException("invalid address type: " + addr);
         }
         return getByInetAddress0(addr);
     }

src/java.base/share/classes/java/net/URLClassLoader.java

@@ -570,13 +570,13 @@ public class URLClassLoader extends SecureClassLoader implements Closeable {
      * @spec JPMS
      */
     protected Package definePackage(String name, Manifest man, URL url) {
-        String path = name.replace('.', '/').concat("/");
         String specTitle = null, specVersion = null, specVendor = null;
         String implTitle = null, implVersion = null, implVendor = null;
         String sealed = null;
         URL sealBase = null;
 
-        Attributes attr = man.getAttributes(path);
+        Attributes attr = SharedSecrets.javaUtilJarAccess()
+                .getTrustedAttributes(man, name.replace('.', '/').concat("/"));
         if (attr != null) {
             specTitle   = attr.getValue(Name.SPECIFICATION_TITLE);
             specVersion = attr.getValue(Name.SPECIFICATION_VERSION);
@@ -620,10 +620,12 @@ public class URLClassLoader extends SecureClassLoader implements Closeable {
     /*
      * Returns true if the specified package name is sealed according to the
      * given manifest.
+     *
+     * @throws SecurityException if the package name is untrusted in the manifest
      */
     private boolean isSealed(String name, Manifest man) {
-        String path = name.replace('.', '/').concat("/");
+        Attributes attr = SharedSecrets.javaUtilJarAccess()
-        Attributes attr = man.getAttributes(path);
+                .getTrustedAttributes(man, name.replace('.', '/').concat("/"));
         String sealed = null;
         if (attr != null) {
             sealed = attr.getValue(Name.SEALED);

src/java.base/share/classes/java/util/jar/JarFile.java

@@ -417,10 +417,10 @@ class JarFile extends ZipFile {
             if (manEntry != null) {
                 if (verify) {
                     byte[] b = getBytes(manEntry);
-                    man = new Manifest(new ByteArrayInputStream(b));
                     if (!jvInitialized) {
                         jv = new JarVerifier(b);
                     }
+                    man = new Manifest(jv, new ByteArrayInputStream(b));
                 } else {
                     man = new Manifest(super.getInputStream(manEntry));
                 }
@@ -1010,29 +1010,13 @@ class JarFile extends ZipFile {
                     int i = match(MULTIRELEASE_CHARS, b, MULTIRELEASE_LASTOCC,
                             MULTIRELEASE_OPTOSFT);
                     if (i != -1) {
-                        i += MULTIRELEASE_CHARS.length;
+                        // Read the main attributes of the manifest
-                        if (i < b.length) {
+                        byte[] lbuf = new byte[512];
-                            byte c = b[i++];
+                        Attributes attr = new Attributes();
-                            // Check that the value is followed by a newline
+                        attr.read(new Manifest.FastInputStream(
-                            // and does not have a continuation
+                            new ByteArrayInputStream(b)), lbuf);
-                            if (c == '\n' &&
+                        isMultiRelease = Boolean.parseBoolean(
-                                    (i == b.length || b[i] != ' ')) {
+                            attr.getValue(Attributes.Name.MULTI_RELEASE));
-                                isMultiRelease = true;
-                            } else if (c == '\r') {
-                                if (i == b.length) {
-                                    isMultiRelease = true;
-                                } else {
-                                    c = b[i++];
-                                    if (c == '\n') {
-                                        if (i == b.length || b[i] != ' ') {
-                                            isMultiRelease = true;
-                                        }
-                                    } else if (c != ' ') {
-                                        isMultiRelease = true;
-                                    }
-                                }
-                            }
-                        }
                     }
                 }
             }
@@ -1040,7 +1024,7 @@ class JarFile extends ZipFile {
         }
     }
 
-    private synchronized void ensureInitialization() {
+    synchronized void ensureInitialization() {
         try {
             maybeInstantiateVerifier();
         } catch (IOException e) {

src/java.base/share/classes/java/util/jar/JarVerifier.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -858,4 +858,24 @@ class JarVerifier {
     static CodeSource getUnsignedCS(URL url) {
         return new VerifierCodeSource(null, url, (java.security.cert.Certificate[]) null);
     }
+
+    /**
+     * Returns whether the name is trusted. Used by
+     * {@link Manifest#getTrustedAttributes(String)}.
+     */
+    boolean isTrustedManifestEntry(String name) {
+        // How many signers? MANIFEST.MF is always verified
+        CodeSigner[] forMan = verifiedSigners.get(JarFile.MANIFEST_NAME);
+        if (forMan == null) {
+            return true;
+        }
+        // Check sigFileSigners first, because we are mainly dealing with
+        // non-file entries which will stay in sigFileSigners forever.
+        CodeSigner[] forName = sigFileSigners.get(name);
+        if (forName == null) {
+            forName = verifiedSigners.get(name);
+        }
+        // Returns trusted if all signers sign the entry
+        return forName != null && forName.length == forMan.length;
+    }
 }

src/java.base/share/classes/java/util/jar/JavaUtilJarAccessImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -60,4 +60,12 @@ class JavaUtilJarAccessImpl implements JavaUtilJarAccess {
     public List<Object> getManifestDigests(JarFile jar) {
         return jar.getManifestDigests();
     }
+
+    public Attributes getTrustedAttributes(Manifest man, String name) {
+        return man.getTrustedAttributes(name);
+    }
+
+    public void ensureInitialization(JarFile jar) {
+        jar.ensureInitialization();
+    }
 }

src/java.base/share/classes/java/util/jar/Manifest.java

@@ -32,7 +32,6 @@ import java.io.OutputStream;
 import java.io.IOException;
 import java.util.Map;
 import java.util.HashMap;
-import java.util.Iterator;
 
 /**
  * The Manifest class is used to maintain Manifest entry names and their
@@ -48,15 +47,19 @@ import java.util.Iterator;
  */
 public class Manifest implements Cloneable {
     // manifest main attributes
-    private Attributes attr = new Attributes();
+    private final Attributes attr = new Attributes();
 
     // manifest entries
-    private Map<String, Attributes> entries = new HashMap<>();
+    private final Map<String, Attributes> entries = new HashMap<>();
+
+    // associated JarVerifier, not null when called by JarFile::getManifest.
+    private final JarVerifier jv;
 
     /**
      * Constructs a new, empty Manifest.
      */
     public Manifest() {
+        jv = null;
     }
 
     /**
@@ -66,7 +69,16 @@ public class Manifest implements Cloneable {
      * @throws IOException if an I/O error has occurred
      */
     public Manifest(InputStream is) throws IOException {
+        this(null, is);
+    }
+
+    /**
+     * Constructs a new Manifest from the specified input stream
+     * and associates it with a JarVerifier.
+     */
+    Manifest(JarVerifier jv, InputStream is) throws IOException {
         read(is);
+        this.jv = jv;
     }
 
     /**
@@ -77,6 +89,7 @@ public class Manifest implements Cloneable {
     public Manifest(Manifest man) {
         attr.putAll(man.getMainAttributes());
         entries.putAll(man.getEntries());
+        jv = man.jv;
     }
 
     /**
@@ -126,6 +139,27 @@ public class Manifest implements Cloneable {
         return getEntries().get(name);
     }
 
+    /**
+     * Returns the Attributes for the specified entry name, if trusted.
+     *
+     * @param name entry name
+     * @return returns the same result as {@link #getAttributes(String)}
+     * @throws SecurityException if the associated jar is signed but this entry
+     *      has been modified after signing (i.e. the section in the manifest
+     *      does not exist in SF files of all signers).
+     */
+    Attributes getTrustedAttributes(String name) {
+        // Note: Before the verification of MANIFEST.MF/.SF/.RSA files is done,
+        // jv.isTrustedManifestEntry() isn't able to detect MANIFEST.MF change.
+        // Users of this method should call SharedSecrets.javaUtilJarAccess()
+        // .ensureInitialization() first.
+        Attributes result = getAttributes(name);
+        if (result != null && jv != null && ! jv.isTrustedManifestEntry(name)) {
+            throw new SecurityException("Untrusted manifest entry: " + name);
+        }
+        return result;
+    }
+
     /**
      * Clears the main Attributes as well as the entries in this Manifest.
      */

src/java.base/share/classes/javax/crypto/CipherInputStream.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -50,6 +50,13 @@ import javax.crypto.IllegalBlockSizeException;
  * that are not thrown by its ancestor classes.  In particular, the
  * <code>skip</code> method skips, and the <code>available</code>
  * method counts only data that have been processed by the encapsulated Cipher.
+ * This class may catch BadPaddingException and other exceptions thrown by
+ * failed integrity checks during decryption. These exceptions are not
+ * re-thrown, so the client may not be informed that integrity checks
+ * failed. Because of this behavior, this class may not be suitable
+ * for use with decryption in an authenticated mode of operation (e.g. GCM).
+ * Applications that require authenticated encryption can use the Cipher API
+ * directly as an alternative to using this class.
  *
  * <p> It is crucial for a programmer using this class not to use
  * methods that are not defined or overriden in this class (such as a

src/java.base/share/classes/javax/crypto/spec/GCMParameterSpec.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -120,7 +120,7 @@ public class GCMParameterSpec implements AlgorithmParameterSpec {
 
         // Input sanity check
         if ((src == null) ||(len < 0) || (offset < 0)
-                || ((len + offset) > src.length)) {
+                || (len > (src.length - offset))) {
             throw new IllegalArgumentException("Invalid buffer arguments");
         }
 

src/java.base/share/classes/jdk/internal/loader/BuiltinClassLoader.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -60,6 +60,7 @@ import java.util.jar.Attributes;
 import java.util.jar.Manifest;
 import java.util.stream.Stream;
 
+import jdk.internal.misc.SharedSecrets;
 import jdk.internal.misc.VM;
 import jdk.internal.module.ModulePatcher.PatchedModuleReader;
 import jdk.internal.module.Resources;
@@ -863,6 +864,7 @@ public class BuiltinClassLoader
      *
      * @throws IllegalArgumentException if the package name duplicates an
      *      existing package either in this class loader or one of its ancestors
+     * @throws SecurityException if the package name is untrusted in the manifest
      */
     private Package definePackage(String pn, Manifest man, URL url) {
         String specTitle = null;
@@ -875,7 +877,8 @@ public class BuiltinClassLoader
         URL sealBase = null;
 
         if (man != null) {
-            Attributes attr = man.getAttributes(pn.replace('.', '/').concat("/"));
+            Attributes attr = SharedSecrets.javaUtilJarAccess()
+                    .getTrustedAttributes(man, pn.replace('.', '/').concat("/"));
             if (attr != null) {
                 specTitle = attr.getValue(Attributes.Name.SPECIFICATION_TITLE);
                 specVersion = attr.getValue(Attributes.Name.SPECIFICATION_VERSION);
@@ -921,10 +924,12 @@ public class BuiltinClassLoader
     /**
      * Returns {@code true} if the specified package name is sealed according to
      * the given manifest.
+     *
+     * @throws SecurityException if the package name is untrusted in the manifest
      */
     private boolean isSealed(String pn, Manifest man) {
-        String path = pn.replace('.', '/').concat("/");
+        Attributes attr = SharedSecrets.javaUtilJarAccess()
-        Attributes attr = man.getAttributes(path);
+                .getTrustedAttributes(man, pn.replace('.', '/').concat("/"));
         String sealed = null;
         if (attr != null)
             sealed = attr.getValue(Attributes.Name.SEALED);

src/java.base/share/classes/jdk/internal/loader/URLClassPath.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,6 +34,7 @@ import java.io.InputStream;
 import java.net.HttpURLConnection;
 import java.net.JarURLConnection;
 import java.net.MalformedURLException;
+import java.net.URI;
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.URLStreamHandler;
@@ -88,6 +89,8 @@ public class URLClassPath {
     private static final boolean DEBUG;
     private static final boolean DISABLE_JAR_CHECKING;
     private static final boolean DISABLE_ACC_CHECKING;
+    private static final boolean DISABLE_CP_URL_CHECK;
+    private static final boolean DEBUG_CP_URL_CHECK;
 
     static {
         Properties props = GetPropertyAction.privilegedGetProperties();
@@ -98,6 +101,12 @@ public class URLClassPath {
 
         p = props.getProperty("jdk.net.URLClassPath.disableRestrictedPermissions");
         DISABLE_ACC_CHECKING = p != null ? p.equals("true") || p.equals("") : false;
+
+        // This property will be removed in a later release
+        p = props.getProperty("jdk.net.URLClassPath.disableClassPathURLCheck");
+
+        DISABLE_CP_URL_CHECK = p != null ? p.equals("true") || p.isEmpty() : false;
+        DEBUG_CP_URL_CHECK = "debug".equals(p);
     }
 
     /* The original search path of URLs. */
@@ -857,8 +866,10 @@ public class URLClassPath {
                     { return jar.getInputStream(entry); }
                 public int getContentLength()
                     { return (int)entry.getSize(); }
-                public Manifest getManifest() throws IOException
+                public Manifest getManifest() throws IOException {
-                    { return jar.getManifest(); };
+                    SharedSecrets.javaUtilJarAccess().ensureInitialization(jar);
+                    return jar.getManifest();
+                }
                 public Certificate[] getCertificates()
                     { return entry.getCertificates(); };
                 public CodeSigner[] getCodeSigners()
@@ -1081,11 +1092,51 @@ public class URLClassPath {
             int i = 0;
             while (st.hasMoreTokens()) {
                 String path = st.nextToken();
-                urls[i] = new URL(base, path);
+                URL url = DISABLE_CP_URL_CHECK ? new URL(base, path) : safeResolve(base, path);
+                if (url != null) {
+                    urls[i] = url;
                     i++;
                 }
+            }
+            if (i == 0) {
+                urls = null;
+            } else if (i != urls.length) {
+                // Truncate nulls from end of array
+                urls = Arrays.copyOf(urls, i);
+            }
             return urls;
         }
+
+        /*
+         * Return a URL for the given path resolved against the base URL, or
+         * null if the resulting URL is invalid.
+         */
+        static URL safeResolve(URL base, String path) {
+            String child = path.replace(File.separatorChar, '/');
+            try {
+                if (!URI.create(child).isAbsolute()) {
+                    URL url = new URL(base, child);
+                    if (base.getProtocol().equalsIgnoreCase("file")) {
+                        return url;
+                    } else {
+                        String bp = base.getPath();
+                        String urlp = url.getPath();
+                        int pos = bp.lastIndexOf('/');
+                        if (pos == -1) {
+                            pos = bp.length() - 1;
+                        }
+                        if (urlp.regionMatches(0, bp, 0, pos + 1)
+                            && urlp.indexOf("..", pos) == -1) {
+                            return url;
+                        }
+                    }
+                }
+            } catch (MalformedURLException | IllegalArgumentException e) {}
+            if (DEBUG_CP_URL_CHECK) {
+                System.err.println("Class-Path entry: \"" + path + "\" ignored in JAR file " + base);
+            }
+            return null;
+        }
     }
 
     /*

src/java.base/share/classes/jdk/internal/misc/JavaUtilJarAccess.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,8 +30,10 @@ import java.net.URL;
 import java.security.CodeSource;
 import java.util.Enumeration;
 import java.util.List;
+import java.util.jar.Attributes;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
+import java.util.jar.Manifest;
 
 public interface JavaUtilJarAccess {
     public boolean jarFileHasClassPathAttribute(JarFile jar) throws IOException;
@@ -41,4 +43,6 @@ public interface JavaUtilJarAccess {
     public Enumeration<JarEntry> entries2(JarFile jar);
     public void setEagerValidation(JarFile jar, boolean eager);
     public List<Object> getManifestDigests(JarFile jar);
+    public Attributes getTrustedAttributes(Manifest man, String name);
+    public void ensureInitialization(JarFile jar);
 }

src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -2725,6 +2725,8 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
             // doesn't know about proxy.
             useProxyResponseCode = true;
         } else {
+            final URL prevURL = url;
+
             // maintain previous headers, just change the name
             // of the file we're getting
             url = locUrl;
@@ -2753,6 +2755,14 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
                 poster = null;
                 if (!checkReuseConnection())
                     connect();
+
+                if (!sameDestination(prevURL, url)) {
+                    // Ensures pre-redirect user-set cookie will not be reset.
+                    // CookieHandler, if any, will be queried to determine
+                    // cookies for redirected URL, if any.
+                    userCookies = null;
+                    userCookies2 = null;
+                }
             } else {
                 if (!checkReuseConnection())
                     connect();
@@ -2775,8 +2785,49 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
                     }
                     requests.set("Host", host);
                 }
+
+                if (!sameDestination(prevURL, url)) {
+                    // Redirecting to a different destination will drop any
+                    // security-sensitive headers, regardless of whether
+                    // they are user-set or not. CookieHandler, if any, will be
+                    // queried to determine cookies for redirected URL, if any.
+                    userCookies = null;
+                    userCookies2 = null;
+                    requests.remove("Cookie");
+                    requests.remove("Cookie2");
+                    requests.remove("Authorization");
+
+                    // check for preemptive authorization
+                    AuthenticationInfo sauth =
+                            AuthenticationInfo.getServerAuth(url, getAuthenticatorKey());
+                    if (sauth != null && sauth.supportsPreemptiveAuthorization() ) {
+                        // Sets "Authorization"
+                        requests.setIfNotSet(sauth.getHeaderName(), sauth.getHeaderValue(url,method));
+                        currentServerCredentials = sauth;
                     }
                 }
+            }
+        }
+        return true;
+    }
+
+    /* Returns true iff the given URLs have the same host and effective port. */
+    private static boolean sameDestination(URL firstURL, URL secondURL) {
+        assert firstURL.getProtocol().equalsIgnoreCase(secondURL.getProtocol()):
+               "protocols not equal: " + firstURL +  " - " + secondURL;
+
+        if (!firstURL.getHost().equalsIgnoreCase(secondURL.getHost()))
+            return false;
+
+        int firstPort = firstURL.getPort();
+        if (firstPort == -1)
+            firstPort = firstURL.getDefaultPort();
+        int secondPort = secondURL.getPort();
+        if (secondPort == -1)
+            secondPort = secondURL.getDefaultPort();
+        if (firstPort != secondPort)
+            return false;
+
         return true;
     }
 

src/java.base/share/classes/sun/security/ssl/CipherSuite.java

@@ -435,12 +435,12 @@ enum CipherSuite {
             0x0003, false, "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                            "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
             ProtocolVersion.PROTOCOLS_TO_10,
-            K_RSA_EXPORT, B_DES_40, M_MD5, H_NONE),
+            K_RSA_EXPORT, B_RC4_40, M_MD5, H_NONE),
     SSL_DH_anon_EXPORT_WITH_RC4_40_MD5(
             0x0017, false, "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
                            "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
             ProtocolVersion.PROTOCOLS_TO_10,
-            K_DH_ANON, B_DES_40, M_MD5, H_NONE),
+            K_DH_ANON, B_RC4_40, M_MD5, H_NONE),
 
     // no traffic encryption cipher suites
     TLS_RSA_WITH_NULL_SHA256(

src/java.base/share/classes/sun/security/ssl/ClientHello.java

@@ -35,6 +35,7 @@ import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Locale;
+import java.util.Objects;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLPeerUnverifiedException;
@@ -510,6 +511,23 @@ final class ClientHello {
                 }
             }
 
+            // ensure that the endpoint identification algorithm matches the
+            // one in the session
+            String identityAlg = chc.sslConfig.identificationProtocol;
+            if (session != null && identityAlg != null) {
+                String sessionIdentityAlg =
+                    session.getIdentificationProtocol();
+                if (!Objects.equals(identityAlg, sessionIdentityAlg)) {
+                    if (SSLLogger.isOn &&
+                    SSLLogger.isOn("ssl,handshake,verbose")) {
+                        SSLLogger.finest("Can't resume, endpoint id" +
+                            " algorithm does not match, requested: " +
+                            identityAlg + ", cached: " + sessionIdentityAlg);
+                    }
+                    session = null;
+                }
+            }
+
             if (session != null) {
                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
                     SSLLogger.finest("Try resuming session", session);
@@ -1011,6 +1029,23 @@ final class ClientHello {
                     }
                 }
 
+                // ensure that the endpoint identification algorithm matches the
+                // one in the session
+                String identityAlg = shc.sslConfig.identificationProtocol;
+                if (resumingSession && identityAlg != null) {
+                    String sessionIdentityAlg =
+                        previous.getIdentificationProtocol();
+                    if (!Objects.equals(identityAlg, sessionIdentityAlg)) {
+                        if (SSLLogger.isOn &&
+                        SSLLogger.isOn("ssl,handshake,verbose")) {
+                            SSLLogger.finest("Can't resume, endpoint id" +
+                            " algorithm does not match, requested: " +
+                            identityAlg + ", cached: " + sessionIdentityAlg);
+                        }
+                        resumingSession = false;
+                    }
+                }
+
                 // So far so good.  Note that the handshake extensions may reset
                 // the resuming options later.
                 shc.isResumption = resumingSession;

src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java

@@ -32,6 +32,7 @@ import java.util.List;
 import java.util.ArrayList;
 import java.util.Locale;
 import java.util.Arrays;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Collection;
 import javax.crypto.Mac;
@@ -443,6 +444,23 @@ final class PreSharedKeyExtension {
             }
         }
 
+        // ensure that the endpoint identification algorithm matches the
+        // one in the session
+        String identityAlg = shc.sslConfig.identificationProtocol;
+        if (result && identityAlg != null) {
+            String sessionIdentityAlg = s.getIdentificationProtocol();
+            if (!Objects.equals(identityAlg, sessionIdentityAlg)) {
+                if (SSLLogger.isOn &&
+                    SSLLogger.isOn("ssl,handshake,verbose")) {
+
+                    SSLLogger.finest("Can't resume, endpoint id" +
+                        " algorithm does not match, requested: " +
+                        identityAlg + ", cached: " + sessionIdentityAlg);
+                }
+                result = false;
+            }
+        }
+
         // Ensure cipher suite can be negotiated
         if (result && (!shc.isNegotiable(s.getSuite()) ||
             !clientHello.cipherSuites.contains(s.getSuite()))) {

src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java

@@ -132,6 +132,10 @@ final class SSLSessionImpl extends ExtendedSSLSession {
     // Counter used to create unique nonces in NewSessionTicket
     private BigInteger ticketNonceCounter = BigInteger.ONE;
 
+    // The endpoint identification algorithm used to check certificates
+    // in this session.
+    private final String              identificationProtocol;
+
     /*
      * Create a new non-rejoinable session, using the default (null)
      * cipher spec.  This constructor returns a session which could
@@ -149,6 +153,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
         this.requestedServerNames = Collections.<SNIServerName>emptyList();
         this.useExtendedMasterSecret = false;
         this.creationTime = System.currentTimeMillis();
+        this.identificationProtocol = null;
     }
 
     /*
@@ -198,6 +203,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
                 (!hc.negotiatedProtocol.useTLS13PlusSpec());
         }
         this.creationTime = creationTime;
+        this.identificationProtocol = hc.sslConfig.identificationProtocol;
 
         if (SSLLogger.isOn && SSLLogger.isOn("session")) {
              SSLLogger.finest("Session initialized:  " + this);
@@ -259,6 +265,10 @@ final class SSLSessionImpl extends ExtendedSSLSession {
         return ticketAgeAdd;
     }
 
+    String getIdentificationProtocol() {
+        return this.identificationProtocol;
+    }
+
     /*
      * Get the PSK identity. Take care not to use it in multiple connections.
      */

src/java.base/share/conf/security/java.security

@@ -675,8 +675,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
+    EC keySize < 224, 3DES_EDE_CBC
 
 #
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

src/java.base/unix/native/libnet/NetworkInterface.c

@@ -331,9 +331,16 @@ JNIEXPORT jobject JNICALL Java_java_net_NetworkInterface_getByInetAddress0
     netif *ifs, *curr;
     jobject obj = NULL;
     jboolean match = JNI_FALSE;
-    int family = (getInetAddress_family(env, iaObj) == java_net_InetAddress_IPv4) ?
+    int family = getInetAddress_family(env, iaObj);
-        AF_INET : AF_INET6;
     JNU_CHECK_EXCEPTION_RETURN(env, NULL);
+
+    if (family == java_net_InetAddress_IPv4) {
+        family = AF_INET;
+    } else if (family == java_net_InetAddress_IPv6) {
+        family = AF_INET6;
+    } else {
+        return NULL; // Invalid family
+    }
     ifs = enumInterfaces(env);
     if (ifs == NULL) {
         return NULL;
@@ -351,7 +358,9 @@ JNIEXPORT jobject JNICALL Java_java_net_NetworkInterface_getByInetAddress0
                     int address1 = htonl(
                         ((struct sockaddr_in *)addrP->addr)->sin_addr.s_addr);
                     int address2 = getInetAddress_addr(env, iaObj);
-                    JNU_CHECK_EXCEPTION_RETURN(env, NULL);
+                    if ((*env)->ExceptionCheck(env)) {
+                        goto cleanup;
+                    }
                     if (address1 == address2) {
                         match = JNI_TRUE;
                         break;
@@ -397,6 +406,7 @@ JNIEXPORT jobject JNICALL Java_java_net_NetworkInterface_getByInetAddress0
         obj = createNetworkInterface(env, curr);
     }
 
+cleanup:
     // release the interface list
     freeif(ifs);
 

src/java.base/windows/native/libnet/NetworkInterface.c

@@ -280,6 +280,7 @@ int enumInterfaces(JNIEnv *env, netif **netifPP)
             if (curr->name == NULL || curr->displayName == NULL) {
                 if (curr->name) free(curr->name);
                 if (curr->displayName) free(curr->displayName);
+                free(curr);
                 curr = NULL;
             }
         }
@@ -586,7 +587,10 @@ jobject createNetworkInterface
             /* default ctor will set family to AF_INET */
 
             setInetAddress_addr(env, iaObj, ntohl(addrs->addr.sa4.sin_addr.s_addr));
-            JNU_CHECK_EXCEPTION_RETURN(env, NULL);
+            if ((*env)->ExceptionCheck(env)) {
+                free_netaddr(netaddrP);
+                return NULL;
+            }
             if (addrs->mask != -1) {
               ibObj = (*env)->NewObject(env, ni_ibcls, ni_ibctrID);
               if (ibObj == NULL) {
@@ -600,7 +604,10 @@ jobject createNetworkInterface
                 return NULL;
               }
               setInetAddress_addr(env, ia2Obj, ntohl(addrs->brdcast.sa4.sin_addr.s_addr));
-              JNU_CHECK_EXCEPTION_RETURN(env, NULL);
+              if ((*env)->ExceptionCheck(env)) {
+                  free_netaddr(netaddrP);
+                  return NULL;
+              }
               (*env)->SetObjectField(env, ibObj, ni_ibbroadcastID, ia2Obj);
               (*env)->SetShortField(env, ibObj, ni_ibmaskID, addrs->mask);
               (*env)->SetObjectArrayElement(env, bindsArr, bind_index++, ibObj);
@@ -611,6 +618,7 @@ jobject createNetworkInterface
             if (iaObj) {
                 jboolean ret = setInet6Address_ipaddress(env, iaObj,  (jbyte *)&(addrs->addr.sa6.sin6_addr.s6_addr));
                 if (ret == JNI_FALSE) {
+                    free_netaddr(netaddrP);
                     return NULL;
                 }
 

src/java.base/windows/native/libnet/NetworkInterface_winXP.c

@@ -521,8 +521,9 @@ static jobject createNetworkInterfaceXP(JNIEnv *env, netif *ifs)
     jobjectArray addrArr, bindsArr, childArr;
     netaddr *addrs;
     jint addr_index;
-    int netaddrCount=ifs->naddrs;
+    int netaddrCount = ifs->naddrs;
-    netaddr *netaddrP=ifs->addrs;
+    netaddr *netaddrP = ifs->addrs;
+    netaddr *netaddrPToFree = NULL;
     jint bind_index;
 
     /*
@@ -553,20 +554,22 @@ static jobject createNetworkInterfaceXP(JNIEnv *env, netif *ifs)
      * Note that 0 is a valid number of addresses.
      */
     if (netaddrCount < 0) {
-        netaddrCount = enumAddresses_win(env, ifs, &netaddrP);
+        netaddrCount = enumAddresses_win(env, ifs, &netaddrPToFree);
         if (netaddrCount == -1) {
             return NULL;
         }
+        netaddrP = netaddrPToFree;
     }
 
     addrArr = (*env)->NewObjectArray(env, netaddrCount, ia_class, NULL);
     if (addrArr == NULL) {
+        free_netaddr(netaddrPToFree);
         return NULL;
     }
 
     bindsArr = (*env)->NewObjectArray(env, netaddrCount, ni_ibcls, NULL);
     if (bindsArr == NULL) {
-      free_netaddr(netaddrP);
+        free_netaddr(netaddrPToFree);
         return NULL;
     }
 
@@ -579,25 +582,32 @@ static jobject createNetworkInterfaceXP(JNIEnv *env, netif *ifs)
         if (addrs->addr.sa.sa_family == AF_INET) {
             iaObj = (*env)->NewObject(env, ia4_class, ia4_ctrID);
             if (iaObj == NULL) {
+                free_netaddr(netaddrPToFree);
                 return NULL;
             }
             /* default ctor will set family to AF_INET */
 
             setInetAddress_addr(env, iaObj, ntohl(addrs->addr.sa4.sin_addr.s_addr));
-            JNU_CHECK_EXCEPTION_RETURN(env, NULL);
+            if ((*env)->ExceptionCheck(env)) {
+                free_netaddr(netaddrPToFree);
+                return NULL;
+            }
             ibObj = (*env)->NewObject(env, ni_ibcls, ni_ibctrID);
             if (ibObj == NULL) {
-              free_netaddr(netaddrP);
+                free_netaddr(netaddrPToFree);
                 return NULL;
             }
             (*env)->SetObjectField(env, ibObj, ni_ibaddressID, iaObj);
             ia2Obj = (*env)->NewObject(env, ia4_class, ia4_ctrID);
             if (ia2Obj == NULL) {
-              free_netaddr(netaddrP);
+                free_netaddr(netaddrPToFree);
                 return NULL;
             }
             setInetAddress_addr(env, ia2Obj, ntohl(addrs->brdcast.sa4.sin_addr.s_addr));
-            JNU_CHECK_EXCEPTION_RETURN(env, NULL);
+            if ((*env)->ExceptionCheck(env)) {
+                free_netaddr(netaddrPToFree);
+                return NULL;
+            }
             (*env)->SetObjectField(env, ibObj, ni_ibbroadcastID, ia2Obj);
             (*env)->SetShortField(env, ibObj, ni_ibmaskID, addrs->mask);
             (*env)->SetObjectArrayElement(env, bindsArr, bind_index++, ibObj);
@@ -606,10 +616,12 @@ static jobject createNetworkInterfaceXP(JNIEnv *env, netif *ifs)
             jboolean ret;
             iaObj = (*env)->NewObject(env, ia6_class, ia6_ctrID);
             if (iaObj == NULL) {
+                free_netaddr(netaddrPToFree);
                 return NULL;
             }
             ret = setInet6Address_ipaddress(env, iaObj, (jbyte *)&(addrs->addr.sa6.sin6_addr.s6_addr));
             if (ret == JNI_FALSE) {
+                free_netaddr(netaddrPToFree);
                 return NULL;
             }
             scope = addrs->addr.sa6.sin6_scope_id;
@@ -619,7 +631,7 @@ static jobject createNetworkInterfaceXP(JNIEnv *env, netif *ifs)
             }
             ibObj = (*env)->NewObject(env, ni_ibcls, ni_ibctrID);
             if (ibObj == NULL) {
-              free_netaddr(netaddrP);
+                free_netaddr(netaddrPToFree);
                 return NULL;
             }
             (*env)->SetObjectField(env, ibObj, ni_ibaddressID, iaObj);
@@ -633,6 +645,8 @@ static jobject createNetworkInterfaceXP(JNIEnv *env, netif *ifs)
     (*env)->SetObjectField(env, netifObj, ni_addrsID, addrArr);
     (*env)->SetObjectField(env, netifObj, ni_bindsID, bindsArr);
 
+    free_netaddr(netaddrPToFree);
+
     /*
      * Windows doesn't have virtual interfaces, so child array
      * is always empty.
@@ -672,7 +686,7 @@ JNIEXPORT jobject JNICALL Java_java_net_NetworkInterface_getByName0_XP
     }
 
     /* if found create a NetworkInterface */
-    if (curr != NULL) {;
+    if (curr != NULL) {
         netifObj = createNetworkInterfaceXP(env, curr);
     }
 
@@ -799,6 +813,7 @@ JNIEXPORT jobjectArray JNICALL Java_java_net_NetworkInterface_getAll_XP
     /* allocate a NetworkInterface array */
     netIFArr = (*env)->NewObjectArray(env, count, cls, NULL);
     if (netIFArr == NULL) {
+        free_netif(ifList);
         return NULL;
     }
 
@@ -813,6 +828,7 @@ JNIEXPORT jobjectArray JNICALL Java_java_net_NetworkInterface_getAll_XP
 
         netifObj = createNetworkInterfaceXP(env, curr);
         if (netifObj == NULL) {
+            free_netif(ifList);
             return NULL;
         }
 

src/java.desktop/windows/classes/sun/awt/shell/Win32ShellFolder2.java

@@ -736,7 +736,7 @@ final class Win32ShellFolder2 extends ShellFolder {
         }
 
         try {
-            return invoke(new Callable<File[]>() {
+            File[] files = invoke(new Callable<File[]>() {
                 public File[] call() throws InterruptedException {
                     if (!isDirectory()) {
                         return null;
@@ -791,6 +791,8 @@ final class Win32ShellFolder2 extends ShellFolder {
                         : list.toArray(new ShellFolder[list.size()]);
                 }
             }, InterruptedException.class);
+
+            return Win32ShellFolderManager2.checkFiles(files);
         } catch (InterruptedException e) {
             return new File[0];
         }

src/java.desktop/windows/classes/sun/awt/shell/Win32ShellFolderManager2.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -387,21 +387,30 @@ final class Win32ShellFolderManager2 extends ShellFolderManager {
         return null;
     }
 
-    private File checkFile(File file) {
+    private static File checkFile(File file) {
         SecurityManager sm = System.getSecurityManager();
         return (sm == null || file == null) ? file : checkFile(file, sm);
     }
 
-    private File checkFile(File file, SecurityManager sm) {
+    private static File checkFile(File file, SecurityManager sm) {
         try {
             sm.checkRead(file.getPath());
+
+            if (file instanceof Win32ShellFolder2) {
+                Win32ShellFolder2 f = (Win32ShellFolder2)file;
+                if (f.isLink()) {
+                    Win32ShellFolder2 link = (Win32ShellFolder2)f.getLinkLocation();
+                    if (link != null)
+                        sm.checkRead(link.getPath());
+                }
+            }
             return file;
         } catch (SecurityException se) {
             return null;
         }
     }
 
-    private File[] checkFiles(File[] files) {
+    static File[] checkFiles(File[] files) {
         SecurityManager sm = System.getSecurityManager();
         if (sm == null || files == null || files.length == 0) {
             return files;
@@ -409,7 +418,7 @@ final class Win32ShellFolderManager2 extends ShellFolderManager {
         return checkFiles(Arrays.stream(files), sm);
     }
 
-    private File[] checkFiles(List<File> files) {
+    private static File[] checkFiles(List<File> files) {
         SecurityManager sm = System.getSecurityManager();
         if (sm == null || files.isEmpty()) {
             return files.toArray(new File[files.size()]);
@@ -417,7 +426,7 @@ final class Win32ShellFolderManager2 extends ShellFolderManager {
         return checkFiles(files.stream(), sm);
     }
 
-    private File[] checkFiles(Stream<File> filesStream, SecurityManager sm) {
+    private static File[] checkFiles(Stream<File> filesStream, SecurityManager sm) {
         return filesStream.filter((file) -> checkFile(file, sm) != null)
                 .toArray(File[]::new);
     }

src/java.desktop/windows/native/libjsound/PLATFORM_API_WinOS_MidiIn.cpp

@@ -252,7 +252,7 @@ INT32 MIDI_IN_GetNumDevices() {
 }
 
 INT32 getMidiInCaps(INT32 deviceID, MIDIINCAPSW* caps, INT32* err) {
-    (*err) = midiInGetDevCapsW(deviceID, caps, sizeof(MIDIINCAPS));
+    (*err) = midiInGetDevCapsW(deviceID, caps, sizeof(MIDIINCAPSW));
     return ((*err) == MMSYSERR_NOERROR);
 }
 
@@ -260,6 +260,7 @@ INT32 MIDI_IN_GetDeviceName(INT32 deviceID, char *name, UINT32 nameLength) {
     MIDIINCAPSW midiInCaps;
     INT32 err;
 
+    memset(&midiInCaps, 0, sizeof(midiInCaps));
     if (getMidiInCaps(deviceID, &midiInCaps, &err)) {
         UnicodeToUTF8AndCopy(name, midiInCaps.szPname, nameLength);
         return MIDI_SUCCESS;
@@ -284,6 +285,7 @@ INT32 MIDI_IN_GetDeviceVersion(INT32 deviceID, char *name, UINT32 nameLength) {
     MIDIINCAPSW midiInCaps;
     INT32 err = MIDI_NOT_SUPPORTED;
 
+    memset(&midiInCaps, 0, sizeof(midiInCaps));
     if (getMidiInCaps(deviceID, &midiInCaps, &err) && (nameLength>7)) {
         sprintf(name, "%d.%d", (midiInCaps.vDriverVersion & 0xFF00) >> 8, midiInCaps.vDriverVersion & 0xFF);
         return MIDI_SUCCESS;

src/java.desktop/windows/native/libjsound/PLATFORM_API_WinOS_MidiOut.c

@@ -70,12 +70,13 @@ INT32 MIDI_OUT_GetNumDevices() {
 
 
 INT32 getMidiOutCaps(INT32 deviceID, MIDIOUTCAPSW* caps, INT32* err) {
+    UINT_PTR id;
     if (deviceID == 0) {
-        deviceID = MIDI_MAPPER;
+        id = MIDI_MAPPER;
     } else {
-        deviceID--;
+        id = (UINT_PTR)(deviceID-1);
     }
-    (*err) = (INT32) midiOutGetDevCapsW(deviceID, caps, sizeof(MIDIOUTCAPS));
+    (*err) = (INT32) midiOutGetDevCapsW(id, caps, sizeof(MIDIOUTCAPSW));
     return ((*err) == MMSYSERR_NOERROR);
 }
 
@@ -84,6 +85,7 @@ INT32 MIDI_OUT_GetDeviceName(INT32 deviceID, char *name, UINT32 nameLength) {
     MIDIOUTCAPSW midiOutCaps;
     INT32 err;
 
+    memset(&midiOutCaps, 0, sizeof(midiOutCaps));
     if (getMidiOutCaps(deviceID, &midiOutCaps, &err)) {
         UnicodeToUTF8AndCopy(name, midiOutCaps.szPname, nameLength);
         return MIDI_SUCCESS;
@@ -103,6 +105,7 @@ INT32 MIDI_OUT_GetDeviceDescription(INT32 deviceID, char *name, UINT32 nameLengt
     char *desc;
     INT32 err;
 
+    memset(&midiOutCaps, 0, sizeof(midiOutCaps));
     if (getMidiOutCaps(deviceID, &midiOutCaps, &err)) {
         int tech = (int)midiOutCaps.wTechnology;
         switch(tech) {
@@ -139,6 +142,7 @@ INT32 MIDI_OUT_GetDeviceVersion(INT32 deviceID, char *name, UINT32 nameLength) {
     MIDIOUTCAPSW midiOutCaps;
     INT32 err;
 
+    memset(&midiOutCaps, 0, sizeof(midiOutCaps));
     if (getMidiOutCaps(deviceID, &midiOutCaps, &err) && nameLength>7) {
         sprintf(name, "%d.%d", (midiOutCaps.vDriverVersion & 0xFF00) >> 8, midiOutCaps.vDriverVersion & 0xFF);
         return MIDI_SUCCESS;

src/java.desktop/windows/native/libjsound/PLATFORM_API_WinOS_Ports.c

@@ -357,7 +357,7 @@ int lineHasControls(HMIXER handle, MIXERLINE* line, MIXERLINECONTROLS* controls)
 
 INT32 PORT_GetPortMixerDescription(INT32 mixerIndex, PortMixerDescription* description) {
     MIXERCAPSW mixerCaps;
-    if (mixerGetDevCapsW(mixerIndex, &mixerCaps, sizeof(MIXERCAPS)) == MMSYSERR_NOERROR) {
+    if (mixerGetDevCapsW(mixerIndex, &mixerCaps, sizeof(MIXERCAPSW)) == MMSYSERR_NOERROR) {
         UnicodeToUTF8AndCopy(description->name, mixerCaps.szPname, PORT_STRING_LENGTH);
         sprintf(description->version, "%d.%d", (mixerCaps.vDriverVersion & 0xFF00) >> 8, mixerCaps.vDriverVersion & 0xFF);
         strncpy(description->description, "Port Mixer", PORT_STRING_LENGTH-1);
@@ -368,9 +368,9 @@ INT32 PORT_GetPortMixerDescription(INT32 mixerIndex, PortMixerDescription* descr
 
 int getDestinationCount(HMIXER handle) {
     int ret = 0;
-    MIXERCAPS mixerCaps;
+    MIXERCAPSW mixerCaps;
 
-    if (mixerGetDevCaps((UINT_PTR) handle, &mixerCaps, sizeof(MIXERCAPS)) == MMSYSERR_NOERROR) {
+    if (mixerGetDevCapsW((UINT_PTR) handle, &mixerCaps, sizeof(MIXERCAPSW)) == MMSYSERR_NOERROR) {
         ret = mixerCaps.cDestinations;
     }
     return ret;

src/java.naming/share/classes/com/sun/naming/internal/VersionHelper.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,6 +53,20 @@ import java.util.*;
 public final class VersionHelper {
     private static final VersionHelper helper = new VersionHelper();
 
+    /**
+     * Determines whether classes may be loaded from an arbitrary URL code base.
+     */
+    private static final boolean TRUST_URL_CODE_BASE;
+
+    static {
+        // System property to control whether classes may be loaded from an
+        // arbitrary URL code base
+        PrivilegedAction<String> act
+                = () -> System.getProperty("com.sun.jndi.ldap.object.trustURLCodebase", "false");
+        String trust = AccessController.doPrivileged(act);
+        TRUST_URL_CODE_BASE = "true".equalsIgnoreCase(trust);
+    }
+
     final static String[] PROPS = new String[]{
         javax.naming.Context.INITIAL_CONTEXT_FACTORY,
         javax.naming.Context.OBJECT_FACTORIES,
@@ -88,12 +102,14 @@ public final class VersionHelper {
      */
     public Class<?> loadClass(String className, String codebase)
             throws ClassNotFoundException, MalformedURLException {
-
+        if (TRUST_URL_CODE_BASE) {
             ClassLoader parent = getContextClassLoader();
-        ClassLoader cl =
+            ClassLoader cl
-                URLClassLoader.newInstance(getUrlArray(codebase), parent);
+                    = URLClassLoader.newInstance(getUrlArray(codebase), parent);
-
             return loadClass(className, cl);
+        } else {
+            return null;
+        }
     }
 
     /**

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/datatype/XMLGregorianCalendarImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -190,6 +190,7 @@ import jdk.xml.internal.SecuritySupport;
  * @author Sunitha Reddy
  * @see javax.xml.datatype.Duration
  * @since 1.5
+ * @LastModified: June 2018
  */
 
 public class XMLGregorianCalendarImpl
@@ -2755,7 +2756,7 @@ public class XMLGregorianCalendarImpl
             if ((fractional.compareTo(DECIMAL_ZERO) < 0) ||
                     (fractional.compareTo(DECIMAL_ONE) > 0)) {
                 throw new IllegalArgumentException(DatatypeMessageFormatter.formatMessage(null,
-                        "InvalidFractional", new Object[]{fractional}));
+                        "InvalidFractional", new Object[]{fractional.toString()}));
             }
         }
         this.fractionalSecond = fractional;

src/jdk.crypto.mscapi/windows/native/libsunmscapi/security.cpp

@@ -311,6 +311,9 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_PRNG_generateSeed
             }
 
             result = env->NewByteArray(length);
+            if (result == NULL) {
+                __leave;
+            }
             env->SetByteArrayRegion(result, 0, length, (jbyte*) pbData);
 
         } else { // length == 0

src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/objects/Global.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1601,13 +1601,14 @@ public final class Global extends Scope {
             }
         }
 
-        switch (nameStr) {
+        if ("context".equals(nameStr)) {
-        case "context":
             return sctxt;
-        case "engine":
+        } else if ("engine".equals(nameStr)) {
+            // expose "engine" variable only when there is no security manager
+            // or when no class filter is set.
+            if (System.getSecurityManager() == null || global.getClassFilter() == null) {
                 return global.engine;
-        default:
+            }
-            break;
         }
 
         if (self == UNDEFINED) {

test/jdk/java/util/jar/JarFile/mrjar/MultiReleaseJarAPI.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 8132734 8144062 8165723
+ * @bug 8132734 8144062 8165723 8199172
  * @summary Test the extended API and the aliasing additions in JarFile that
  *          support multi-release jar files
  * @library /lib/testlibrary/java/util/jar /test/lib
@@ -100,16 +100,30 @@ public class MultiReleaseJarAPI {
         testCustomMultiReleaseValue("true", true);
         testCustomMultiReleaseValue("true\r\nOther: value", true);
         testCustomMultiReleaseValue("true\nOther: value", true);
-        testCustomMultiReleaseValue("true\rOther: value", true);
+        // JDK-8200530: '\r' support in Manifest/Attributes will be addressed separately
+        // testCustomMultiReleaseValue("true\rOther: value", true);
 
         testCustomMultiReleaseValue("false", false);
         testCustomMultiReleaseValue(" true", false);
         testCustomMultiReleaseValue("true ", false);
-        testCustomMultiReleaseValue("true\n ", false);
-        testCustomMultiReleaseValue("true\r ", false);
         testCustomMultiReleaseValue("true\n true", false);
+
+        // JDK-8200530: '\r' support in Manifest/Attributes will be addressed separately
+        testCustomMultiReleaseValue("true\r true", false);
         testCustomMultiReleaseValue("true\r\n true", false);
 
+        // "Multi-Release: true/false" not in main attributes
+        testCustomMultiReleaseValue("\r\n\r\nName: test\r\nMulti-Release: true\r\n",
+                                    false);
+        testCustomMultiReleaseValue("\n\nName: entryname\nMulti-Release: true\n",
+                                    false);
+        testCustomMultiReleaseValue("EndOfMainAttr: whatever\r\n" +
+                                    "\r\nName: entryname\r\nMulti-Release: true\r\n",
+                                    false);
+        testCustomMultiReleaseValue("EndOfMainAttr: whatever\r\n" +
+                                    "\nName: entryname\nMulti-Release: true\n",
+                                    false);
+
         // generate "random" Strings to use as extra attributes, and
         // verify that Multi-Release: true is always properly matched
         for (int i = 0; i < 100; i++) {

test/jdk/lib/testlibrary/java/util/jar/CreateMultiReleaseTestJars.java

@@ -142,6 +142,12 @@ public class CreateMultiReleaseTestJars {
     }
 
     public void buildSignedMultiReleaseJar() throws Exception {
+        buildSignedMultiReleaseJar("multi-release.jar", "signed-multi-release.jar");
+    }
+
+    public void buildSignedMultiReleaseJar(String multiReleaseJar,
+                                           String signedMultiReleaseJar) throws Exception
+    {
         String testsrc = System.getProperty("test.src",".");
         String testdir = findTestDir(testsrc);
         String keystore = testdir + "/sun/security/tools/jarsigner/JarSigning.keystore";
@@ -155,8 +161,8 @@ public class CreateMultiReleaseTestJars {
         CertPath cp = CertificateFactory.getInstance("X.509")
                 .generateCertPath(Arrays.asList(ks.getCertificateChain("b")));
         JarSigner js = new JarSigner.Builder(pkb, cp).build();
-        try (ZipFile in = new ZipFile("multi-release.jar");
+        try (ZipFile in = new ZipFile(multiReleaseJar);
-             FileOutputStream os = new FileOutputStream("signed-multi-release.jar"))
+             FileOutputStream os = new FileOutputStream(signedMultiReleaseJar))
         {
             js.sign(in, os);
         }

test/jdk/sun/security/ssl/CipherSuite/NoDesRC4CiphSuite.java

@@ -0,0 +1,346 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8208350
+ * @summary Disable all DES cipher suites
+ * @run main/othervm NoDesRC4CiphSuite
+ */
+
+/*
+ * SunJSSE does not support dynamic system properties, no way to re-use
+ * system properties in samevm/agentvm mode.
+ */
+
+import java.security.Security;
+import javax.net.ssl.*;
+import javax.net.ssl.SSLEngineResult.HandshakeStatus;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Arrays;
+
+public class NoDesRC4CiphSuite {
+
+    private static final boolean DEBUG = false;
+
+    private static final byte RECTYPE_HS = 0x16;
+    private static final byte HSMSG_CLIHELLO = 0x01;
+
+    // These are some groups of Cipher Suites by names and IDs
+    private static final List<Integer> DES_CS_LIST = Arrays.asList(
+        0x0009, 0x0015, 0x0012, 0x001A, 0x0008, 0x0014, 0x0011, 0x0019
+    );
+    private static final String[] DES_CS_LIST_NAMES = new String[] {
+        "SSL_RSA_WITH_DES_CBC_SHA",
+        "SSL_DHE_RSA_WITH_DES_CBC_SHA",
+        "SSL_DHE_DSS_WITH_DES_CBC_SHA",
+        "SSL_DH_anon_WITH_DES_CBC_SHA",
+        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
+        "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+        "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+        "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA"
+    };
+    private static final List<Integer> RC4_CS_LIST = Arrays.asList(
+        0xC007, 0xC011, 0x0005, 0xC002, 0xC00C, 0x0004, 0xC016, 0x0018,
+        0x0003, 0x0017
+    );
+    private static final String[] RC4_CS_LIST_NAMES = new String[] {
+        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_MD5",
+        "TLS_ECDH_anon_WITH_RC4_128_SHA",
+        "SSL_DH_anon_WITH_RC4_128_MD5",
+        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
+        "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5"
+    };
+
+    private static final ByteBuffer CLIOUTBUF =
+            ByteBuffer.wrap("Client Side".getBytes());
+
+    public static void main(String[] args) throws Exception {
+        boolean allGood = true;
+        String disAlg = Security.getProperty("jdk.tls.disabledAlgorithms");
+        System.err.println("Disabled Algs: " + disAlg);
+
+        // Disabled DES tests
+        allGood &= testDefaultCase(DES_CS_LIST);
+        allGood &= testEngAddDisabled(DES_CS_LIST_NAMES, DES_CS_LIST);
+        allGood &= testEngOnlyDisabled(DES_CS_LIST_NAMES);
+
+        // Disabled RC4 tests
+        allGood &= testDefaultCase(RC4_CS_LIST);
+        allGood &= testEngAddDisabled(RC4_CS_LIST_NAMES, RC4_CS_LIST);
+        allGood &= testEngOnlyDisabled(RC4_CS_LIST_NAMES);
+
+        if (allGood) {
+            System.err.println("All tests passed");
+        } else {
+            throw new RuntimeException("One or more tests failed");
+        }
+    }
+
+    /**
+     * Create an engine with the default set of cipher suites enabled and make
+     * sure none of the disabled suites are present in the client hello.
+     *
+     * @param disabledSuiteIds the {@code List} of disabled cipher suite IDs
+     *      to be checked for.
+     *
+     * @return true if the test passed (No disabled suites), false otherwise
+     */
+    private static boolean testDefaultCase(List<Integer> disabledSuiteIds)
+            throws Exception {
+        System.err.println("\nTest: Default SSLEngine suite set");
+        SSLEngine ssle = makeEngine();
+        if (DEBUG) {
+            listCiphers("Suite set upon creation", ssle);
+        }
+        SSLEngineResult clientResult;
+        ByteBuffer cTOs = makeClientBuf(ssle);
+        clientResult = ssle.wrap(CLIOUTBUF, cTOs);
+        if (DEBUG) {
+            dumpResult("ClientHello: ", clientResult);
+        }
+        cTOs.flip();
+        boolean foundSuite = areSuitesPresentCH(cTOs, disabledSuiteIds);
+        if (foundSuite) {
+            System.err.println("FAIL: Found disabled suites!");
+            return false;
+        } else {
+            System.err.println("PASS: No disabled suites found.");
+            return true;
+        }
+    }
+
+    /**
+     * Create an engine and set only disabled cipher suites.
+     * The engine should not create the client hello message since the only
+     * available suites to assert in the client hello are disabled ones.
+     *
+     * @param disabledSuiteNames an array of cipher suite names that
+     *      should be disabled cipher suites.
+     *
+     * @return true if the engine throws SSLHandshakeException during client
+     *      hello creation, false otherwise.
+     */
+    private static boolean testEngOnlyDisabled(String[] disabledSuiteNames)
+            throws Exception {
+        System.err.println(
+                "\nTest: SSLEngine configured with only disabled suites");
+        try {
+            SSLEngine ssle = makeEngine();
+            ssle.setEnabledCipherSuites(disabledSuiteNames);
+            if (DEBUG) {
+                listCiphers("Suite set upon creation", ssle);
+            }
+            SSLEngineResult clientResult;
+            ByteBuffer cTOs = makeClientBuf(ssle);
+            clientResult = ssle.wrap(CLIOUTBUF, cTOs);
+            if (DEBUG) {
+                dumpResult("ClientHello: ", clientResult);
+            }
+            cTOs.flip();
+        } catch (SSLHandshakeException shse) {
+            System.err.println("PASS: Caught expected exception: " + shse);
+            return true;
+        }
+        System.err.println("FAIL: Expected SSLHandshakeException not thrown");
+        return false;
+    }
+
+    /**
+     * Create an engine and add some disabled suites to the default
+     * set of cipher suites.  Make sure none of the disabled suites show up
+     * in the client hello even though they were explicitly added.
+     *
+     * @param disabledSuiteNames an array of cipher suite names that
+     *      should be disabled cipher suites.
+     * @param disabledIds the {@code List} of disabled cipher suite IDs
+     *      to be checked for.
+     *
+     * @return true if the test passed (No disabled suites), false otherwise
+     */
+    private static boolean testEngAddDisabled(String[] disabledNames,
+            List<Integer> disabledIds) throws Exception {
+        System.err.println("\nTest: SSLEngine with disabled suites added");
+        SSLEngine ssle = makeEngine();
+
+        // Add disabled suites to the existing engine's set of enabled suites
+        String[] initialSuites = ssle.getEnabledCipherSuites();
+        String[] plusDisSuites = Arrays.copyOf(initialSuites,
+                initialSuites.length + disabledNames.length);
+        System.arraycopy(disabledNames, 0, plusDisSuites,
+                initialSuites.length, disabledNames.length);
+        ssle.setEnabledCipherSuites(plusDisSuites);
+
+        if (DEBUG) {
+            listCiphers("Suite set upon creation", ssle);
+        }
+        SSLEngineResult clientResult;
+        ByteBuffer cTOs = makeClientBuf(ssle);
+        clientResult = ssle.wrap(CLIOUTBUF, cTOs);
+        if (DEBUG) {
+            dumpResult("ClientHello: ", clientResult);
+        }
+        cTOs.flip();
+        boolean foundDisabled = areSuitesPresentCH(cTOs, disabledIds);
+        if (foundDisabled) {
+            System.err.println("FAIL: Found disabled suites!");
+            return false;
+        } else {
+            System.err.println("PASS: No disabled suites found.");
+            return true;
+        }
+    }
+
+    private static SSLEngine makeEngine() throws GeneralSecurityException {
+        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
+        ctx.init(null, null, null);
+        return ctx.createSSLEngine();
+    }
+
+    private static ByteBuffer makeClientBuf(SSLEngine ssle) {
+        ssle.setUseClientMode(true);
+        ssle.setNeedClientAuth(false);
+        SSLSession sess = ssle.getSession();
+        ByteBuffer cTOs = ByteBuffer.allocateDirect(sess.getPacketBufferSize());
+        return cTOs;
+    }
+
+    private static void listCiphers(String prefix, SSLEngine ssle) {
+        System.err.println(prefix + "\n---------------");
+        String[] suites = ssle.getEnabledCipherSuites();
+        for (String suite : suites) {
+            System.err.println(suite);
+        }
+        System.err.println("---------------");
+    }
+
+    /**
+     * Walk a TLS 1.2 or earlier ClientHello looking for any of the suites
+     * in the suiteIdList.
+     *
+     * @param clientHello a ByteBuffer containing the ClientHello message as
+     *      a complete TLS record.  The position of the buffer should be
+     *      at the first byte of the TLS record header.
+     * @param suiteIdList a List of integer values corresponding to
+     *      TLS cipher suite identifiers.
+     *
+     * @return true if at least one of the suites in {@code suiteIdList}
+     * is found in the ClientHello's cipher suite list
+     *
+     * @throws IOException if the data in the {@code clientHello}
+     *      buffer is not a TLS handshake message or is not a client hello.
+     */
+    private static boolean areSuitesPresentCH(ByteBuffer clientHello,
+            List<Integer> suiteIdList) throws IOException {
+        byte val;
+
+        // Process the TLS Record
+        val = clientHello.get();
+        if (val != RECTYPE_HS) {
+            throw new IOException(
+                    "Not a handshake record, type = " + val);
+        }
+
+        // Just skip over the version and length
+        clientHello.position(clientHello.position() + 4);
+
+        // Check the handshake message type
+        val = clientHello.get();
+        if (val != HSMSG_CLIHELLO) {
+            throw new IOException(
+                    "Not a ClientHello handshake message, type = " + val);
+        }
+
+        // Skip over the length
+        clientHello.position(clientHello.position() + 3);
+
+        // Skip over the protocol version (2) and random (32);
+        clientHello.position(clientHello.position() + 34);
+
+        // Skip past the session ID (variable length <= 32)
+        int len = Byte.toUnsignedInt(clientHello.get());
+        if (len > 32) {
+            throw new IOException("Session ID is too large, len = " + len);
+        }
+        clientHello.position(clientHello.position() + len);
+
+        // Finally, we are at the cipher suites.  Walk the list and place them
+        // into a List.
+        int csLen = Short.toUnsignedInt(clientHello.getShort());
+        if (csLen % 2 != 0) {
+            throw new IOException("CipherSuite length is invalid, len = " +
+                    csLen);
+        }
+        int csCount = csLen / 2;
+        List<Integer> csSuiteList = new ArrayList<>(csCount);
+        log("Found following suite IDs in hello:");
+        for (int i = 0; i < csCount; i++) {
+            int curSuite = Short.toUnsignedInt(clientHello.getShort());
+            log(String.format("Suite ID: 0x%04x", curSuite));
+            csSuiteList.add(curSuite);
+        }
+
+        // Now check to see if any of the suites passed in match what is in
+        // the suite list.
+        boolean foundMatch = false;
+        for (Integer cs : suiteIdList) {
+            if (csSuiteList.contains(cs)) {
+                System.err.format("Found match for suite ID 0x%04x\n", cs);
+                foundMatch = true;
+                break;
+            }
+        }
+
+        // We don't care about the rest of the ClientHello message.
+        // Rewind and return whether we found a match or not.
+        clientHello.rewind();
+        return foundMatch;
+    }
+
+    private static void dumpResult(String str, SSLEngineResult result) {
+        System.err.println("The format of the SSLEngineResult is: \n" +
+            "\t\"getStatus() / getHandshakeStatus()\" +\n" +
+            "\t\"bytesConsumed() / bytesProduced()\"\n");
+        HandshakeStatus hsStatus = result.getHandshakeStatus();
+        System.err.println(str + result.getStatus() + "/" + hsStatus + ", " +
+            result.bytesConsumed() + "/" + result.bytesProduced() + " bytes");
+        if (hsStatus == HandshakeStatus.FINISHED) {
+            System.err.println("\t...ready for application data");
+        }
+    }
+
+    private static void log(String str) {
+        if (DEBUG) {
+            System.err.println(str);
+        }
+    }
+}

test/jdk/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,47 +31,47 @@
  * @run main/othervm
  *      CustomizedCipherSuites Default true
  *      TLS_RSA_WITH_AES_128_CBC_SHA
- *      SSL_RSA_WITH_DES_CBC_SHA
+ *      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  * @run main/othervm
  *      -Djdk.tls.client.cipherSuites="unknown"
  *      CustomizedCipherSuites Default true
  *      TLS_RSA_WITH_AES_128_CBC_SHA
- *      SSL_RSA_WITH_DES_CBC_SHA
+ *      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  * @run main/othervm
  *      -Djdk.tls.client.cipherSuites=""
  *      CustomizedCipherSuites Default true
  *      TLS_RSA_WITH_AES_128_CBC_SHA
- *      SSL_RSA_WITH_DES_CBC_SHA
+ *      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  * @run main/othervm
- *      -Djdk.tls.client.cipherSuites="SSL_RSA_WITH_DES_CBC_SHA"
+ *      -Djdk.tls.client.cipherSuites="TLS_ECDH_anon_WITH_AES_128_CBC_SHA"
  *      CustomizedCipherSuites Default true
- *      SSL_RSA_WITH_DES_CBC_SHA
+ *      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  *      TLS_RSA_WITH_AES_128_CBC_SHA
  * @run main/othervm
- *      -Djdk.tls.server.cipherSuites="SSL_RSA_WITH_DES_CBC_SHA"
+ *      -Djdk.tls.server.cipherSuites="TLS_ECDH_anon_WITH_AES_128_CBC_SHA"
  *      CustomizedCipherSuites Default false
- *      SSL_RSA_WITH_DES_CBC_SHA
+ *      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  *      TLS_RSA_WITH_AES_128_CBC_SHA
  * @run main/othervm
- *      -Djdk.tls.client.cipherSuites="TLS_RSA_WITH_AES_128_CBC_SHA,unknown,SSL_RSA_WITH_DES_CBC_SHA"
+ *      -Djdk.tls.client.cipherSuites="TLS_RSA_WITH_AES_128_CBC_SHA,unknown,TLS_ECDH_anon_WITH_AES_128_CBC_SHA"
  *      CustomizedCipherSuites Default true
- *      SSL_RSA_WITH_DES_CBC_SHA
+ *      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  *      ""
  * @run main/othervm
- *      -Djdk.tls.server.cipherSuites="TLS_RSA_WITH_AES_128_CBC_SHA,unknown,SSL_RSA_WITH_DES_CBC_SHA"
+ *      -Djdk.tls.server.cipherSuites="TLS_RSA_WITH_AES_128_CBC_SHA,unknown,TLS_ECDH_anon_WITH_AES_128_CBC_SHA"
  *      CustomizedCipherSuites Default false
  *      TLS_RSA_WITH_AES_128_CBC_SHA
  *      ""
  * @run main/othervm
- *      -Djdk.tls.server.cipherSuites="SSL_RSA_WITH_DES_CBC_SHA"
+ *      -Djdk.tls.server.cipherSuites="TLS_ECDH_anon_WITH_AES_128_CBC_SHA"
  *      CustomizedCipherSuites Default true
  *      TLS_RSA_WITH_AES_128_CBC_SHA
- *      SSL_RSA_WITH_DES_CBC_SHA
+ *      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  * @run main/othervm
- *      -Djdk.tls.client.cipherSuites="SSL_RSA_WITH_DES_CBC_SHA"
+ *      -Djdk.tls.client.cipherSuites="TLS_ECDH_anon_WITH_AES_128_CBC_SHA"
  *      CustomizedCipherSuites Default false
  *      TLS_RSA_WITH_AES_128_CBC_SHA
- *      SSL_RSA_WITH_DES_CBC_SHA
+ *      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  */
 
 import javax.net.ssl.*;
@@ -79,7 +79,7 @@ import javax.net.ssl.*;
 /**
  * Test the customized default cipher suites.
  *
- * This test is based on the behavior that SSL_RSA_WITH_DES_CBC_SHA is
+ * This test is based on the behavior that TLS_ECDH_anon_WITH_AES_128_CBC_SHA is
  * disabled by default, and TLS_RSA_WITH_AES_128_CBC_SHA is enabled by
  * default in JDK.  If the behavior is changed in the future, please
  * update the test cases above accordingly.

test/lib/jdk/test/lib/util/JarUtils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,6 +23,7 @@
 
 package jdk.test.lib.util;
 
+import java.io.ByteArrayOutputStream;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
@@ -126,6 +127,11 @@ public final class JarUtils {
         changes = new HashMap<>(changes);
 
         System.out.printf("Creating %s from %s...\n", dest, src);
+
+        if (dest.equals(src)) {
+            throw new IOException("src and dest cannot be the same");
+        }
+
         try (JarOutputStream jos = new JarOutputStream(
                 new FileOutputStream(dest))) {
 
@@ -153,6 +159,22 @@ public final class JarUtils {
         System.out.println();
     }
 
+    /**
+     * Update the Manifest inside a jar.
+     *
+     * @param src the original jar file name
+     * @param dest the new jar file name
+     * @param man the Manifest
+     *
+     * @throws IOException
+     */
+    public static void updateManifest(String src, String dest, Manifest man)
+            throws IOException {
+        ByteArrayOutputStream bout = new ByteArrayOutputStream();
+        man.write(bout);
+        updateJar(src, dest, Map.of(JarFile.MANIFEST_NAME, bout.toByteArray()));
+    }
+
     private static void updateEntry(JarOutputStream jos, String name, Object content)
            throws IOException {
         if (content instanceof Boolean) {