Changeset 309 for trunk/openjdk/jdk/src/share/classes

Timestamp:

Feb 13, 2012, 10:07:12 PM (14 years ago)

Author:

dmik

Message:

trunk: Merged in openjdk6 b24 from branches/vendor/oracle.

Location:

trunk/openjdk

Files:

• . (modified) (1 prop)
• jdk/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java (modified) (1 diff)
• jdk/src/share/classes/com/sun/imageio/plugins/png/PNGImageWriter.java (modified) (1 diff)
• jdk/src/share/classes/com/sun/imageio/plugins/png/PNGMetadata.java (modified) (1 diff)
• jdk/src/share/classes/com/sun/java/swing/plaf/gtk/GTKPainter.java (modified) (1 diff)
• jdk/src/share/classes/com/sun/net/ssl/HttpsURLConnection.java (modified) (2 diffs)
• jdk/src/share/classes/com/sun/script/javascript/RhinoScriptEngine.java (modified) (7 diffs)
• jdk/src/share/classes/com/sun/script/javascript/RhinoTopLevel.java (modified) (3 diffs)
• jdk/src/share/classes/java/awt/AWTEvent.java (modified) (1 diff)
• jdk/src/share/classes/java/awt/AWTKeyStroke.java (modified) (8 diffs)
• jdk/src/share/classes/java/awt/Component.java (modified) (1 diff)
• jdk/src/share/classes/java/awt/EventDispatchThread.java (modified) (1 diff)
• jdk/src/share/classes/java/awt/EventQueue.java (modified) (1 diff)
• jdk/src/share/classes/java/awt/MenuComponent.java (modified) (1 diff)
• jdk/src/share/classes/java/awt/TrayIcon.java (modified) (1 diff)
• jdk/src/share/classes/java/io/InputStream.java (modified) (4 diffs)
• jdk/src/share/classes/java/net/AbstractPlainDatagramSocketImpl.java (modified) (1 diff)
• jdk/src/share/classes/java/net/AbstractPlainSocketImpl.java (modified) (1 diff)
• jdk/src/share/classes/java/net/NetworkInterface.java (modified) (1 diff)
• jdk/src/share/classes/java/security/AccessControlContext.java (modified) (1 diff)
• jdk/src/share/classes/java/security/SignedObject.java (modified) (2 diffs)
• jdk/src/share/classes/java/sql/Timestamp.java (modified) (1 diff)
• jdk/src/share/classes/javax/net/ssl/HttpsURLConnection.java (modified) (2 diffs)
• jdk/src/share/classes/javax/swing/ImageIcon.java (modified) (5 diffs)
• jdk/src/share/classes/javax/swing/Timer.java (modified) (1 diff)
• jdk/src/share/classes/javax/swing/TransferHandler.java (modified) (1 diff)
• jdk/src/share/classes/sun/awt/SunToolkit.java (modified) (1 diff)
• jdk/src/share/classes/sun/font/FileFont.java (modified) (1 diff)
• jdk/src/share/classes/sun/font/TrueTypeFont.java (modified) (1 diff)
• jdk/src/share/classes/sun/font/Type1Font.java (modified) (1 diff)
• jdk/src/share/classes/sun/java2d/pipe/DrawImage.java (modified) (1 diff)
• jdk/src/share/classes/sun/misc/FloatingDecimal.java (modified) (1 diff)
• jdk/src/share/classes/sun/misc/SharedSecrets.java (modified) (1 diff)
• jdk/src/share/classes/sun/net/ResourceManager.java (modified) (1 diff)
• jdk/src/share/classes/sun/nio/ch/DatagramChannelImpl.java (modified) (1 diff)
• jdk/src/share/classes/sun/nio/ch/Net.java (modified) (1 diff)
• jdk/src/share/classes/sun/reflect/annotation/AnnotationInvocationHandler.java (modified) (2 diffs)
• jdk/src/share/classes/sun/reflect/annotation/AnnotationTypeMismatchExceptionProxy.java (modified) (2 diffs)
• jdk/src/share/classes/sun/reflect/annotation/EnumConstantNotPresentExceptionProxy.java (modified) (2 diffs)
• jdk/src/share/classes/sun/reflect/annotation/TypeNotPresentExceptionProxy.java (modified) (2 diffs)
• jdk/src/share/classes/sun/rmi/registry/RegistryImpl.java (modified) (6 diffs)
• jdk/src/share/classes/sun/rmi/server/LoaderHandler.java (modified) (2 diffs)
• jdk/src/share/classes/sun/rmi/server/UnicastServerRef.java (modified) (2 diffs)
• jdk/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java (modified) (1 diff)
• jdk/src/share/classes/sun/security/jgss/spnego/NegTokenInit.java (modified) (4 diffs)
• jdk/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java (modified) (3 diffs)
• jdk/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java (modified) (3 diffs)
• jdk/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java (modified) (2 diffs)
• jdk/src/share/classes/sun/security/provider/SeedGenerator.java (modified) (6 diffs)
• jdk/src/share/classes/sun/security/ssl/AppOutputStream.java (modified) (2 diffs)
• jdk/src/share/classes/sun/security/ssl/CipherBox.java (modified) (5 diffs)
• jdk/src/share/classes/sun/security/ssl/CipherSuite.java (modified) (3 diffs)
• jdk/src/share/classes/sun/security/ssl/EngineOutputRecord.java (modified) (4 diffs)
• jdk/src/share/classes/sun/security/ssl/Record.java (modified) (2 diffs)
• jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java (modified) (4 diffs)
• jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java (modified) (4 diffs)
• jdk/src/share/classes/sun/security/validator/EndEntityChecker.java (modified) (1 diff)
• jdk/src/share/classes/sun/swing/table/DefaultTableCellHeaderRenderer.java (modified) (4 diffs)

trunk/openjdk/jdk/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/com/sun/imageio/plugins/png/PNGImageWriter.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2000, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/com/sun/imageio/plugins/png/PNGMetadata.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2000, 2001, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/com/sun/java/swing/plaf/gtk/GTKPainter.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2002, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/com/sun/net/ssl/HttpsURLConnection.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2000, 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -180 +180 @@
                 "no SSLSocketFactory specified");
         }
+
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            sm.checkSetFactory();
+        }
+
         sslSocketFactory = sf;
     }

trunk/openjdk/jdk/src/share/classes/com/sun/script/javascript/RhinoScriptEngine.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -30 +30 @@
 import java.lang.reflect.Method;
 import java.io.*;
+import java.security.*;
 import java.util.*;
 
@@ -46 +47 @@
     private static final boolean DEBUG = false;
 
+    private AccessControlContext accCtxt;
+
     /* Scope where standard JavaScript objects and our
      * extensions to it are stored. Note that these are not
@@ -64 +67 @@
     static {
         ContextFactory.initGlobal(new ContextFactory() {
+            /**
+             * Create new Context instance to be associated with the current thread.
+             */
+            @Override
             protected Context makeContext() {
                 Context cx = super.makeContext();
@@ -69 +76 @@
                 cx.setWrapFactory(RhinoWrapFactory.getInstance());
                 return cx;
+            }
+
+
+            /**
+             * Execute top call to script or function. When the runtime is about to 
+             * execute a script or function that will create the first stack frame 
+             * with scriptable code, it calls this method to perform the real call. 
+             * In this way execution of any script happens inside this function.
+             */
+            @Override
+            protected Object doTopCall(final Callable callable,
+                               final Context cx, final Scriptable scope,
+                               final Scriptable thisObj, final Object[] args) {
+                AccessControlContext accCtxt = null;
+                Scriptable global = ScriptableObject.getTopLevelScope(scope);
+                Scriptable globalProto = global.getPrototype();
+                if (globalProto instanceof RhinoTopLevel) {
+                    accCtxt = ((RhinoTopLevel)globalProto).getAccessContext();
+                }
+
+                if (accCtxt != null) {
+                    return AccessController.doPrivileged(new PrivilegedAction<Object>() {
+                        public Object run() {
+                            return superDoTopCall(callable, cx, scope, thisObj, args);
+                        }
+                    }, accCtxt);
+                } else {
+                    return superDoTopCall(callable, cx, scope, thisObj, args);
+                }
+            }
+
+            private  Object superDoTopCall(Callable callable,
+                               Context cx, Scriptable scope,
+                               Scriptable thisObj, Object[] args) {
+                return super.doTopCall(callable, cx, scope, thisObj, args);
             }
 
@@ -87 +129 @@
      */
     public RhinoScriptEngine() {
+
+        if (System.getSecurityManager() != null) {
+            accCtxt = AccessController.getContext();
+        }
 
         Context cx = enterContext();
@@ -315 +361 @@
     }
 
+    AccessControlContext getAccessContext() {
+        return accCtxt;
+    }
+
     Object[] wrapArguments(Object[] args) {
         if (args == null) {

trunk/openjdk/jdk/src/share/classes/com/sun/script/javascript/RhinoTopLevel.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -48 +48 @@
 
     RhinoTopLevel(Context cx, RhinoScriptEngine engine) {
-        super(cx);
+        // second boolean parameter to super constructor tells whether
+        // to seal standard JavaScript objects or not. If security manager
+        // is present, we seal the standard objects.
+        super(cx, System.getSecurityManager() != null);
         this.engine = engine;
 
@@ -165 +168 @@
     }
 
+    AccessControlContext getAccessContext() {
+        return engine.getAccessContext();
+    }
+
     private RhinoScriptEngine engine;
 }

trunk/openjdk/jdk/src/share/classes/java/awt/AWTEvent.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/java/awt/AWTKeyStroke.java

@@ -26 +26 @@
 
 import java.awt.event.KeyEvent;
+import sun.awt.AppContext;
 import java.awt.event.InputEvent;
 import java.util.Collections;
@@ -67 +68 @@
     static final long serialVersionUID = -6430539691155161871L;
 
-    private static Map cache;
-    private static AWTKeyStroke cacheKey;
-    private static Constructor ctor = getCtor(AWTKeyStroke.class);
     private static Map modifierKeywords;
     /**
@@ -77 +75 @@
      */
     private static VKCollection vks;
+
+    //A key for the collection of AWTKeyStrokes within AppContext.
+    private static Object APP_CONTEXT_CACHE_KEY = new Object();
+    //A key withing the cache
+    private static AWTKeyStroke APP_CONTEXT_KEYSTROKE_KEY = new AWTKeyStroke();
+
+    /*
+     * Reads keystroke class from AppContext and if null, puts there the
+     * AWTKeyStroke class.
+     * Must be called under locked AWTKeyStroke.class 
+     */
+    private static Class getAWTKeyStrokeClass() {
+        Class clazz = (Class)AppContext.getAppContext().get(AWTKeyStroke.class);
+        if (clazz == null) {
+            clazz = AWTKeyStroke.class;
+            AppContext.getAppContext().put(AWTKeyStroke.class, AWTKeyStroke.class);
+        }
+        return clazz;
+    }
 
     private char keyChar = KeyEvent.CHAR_UNDEFINED;
@@ -165 +182 @@
             throw new IllegalArgumentException("subclass cannot be null");
         }
-        if (AWTKeyStroke.ctor.getDeclaringClass().equals(subclass)) {
-            // Already registered
-            return;
+        synchronized (AWTKeyStroke.class) {
+            Class keyStrokeClass = (Class)AppContext.getAppContext().get(AWTKeyStroke.class);
+            if (keyStrokeClass != null && keyStrokeClass.equals(subclass)){
+                // Already registered
+                return;
+            }
         }
         if (!AWTKeyStroke.class.isAssignableFrom(subclass)) {
@@ -198 +218 @@
 
         synchronized (AWTKeyStroke.class) {
-            AWTKeyStroke.ctor = ctor;
-            cache = null;
-            cacheKey = null;
+            AppContext.getAppContext().put(AWTKeyStroke.class, subclass);
+            AppContext.getAppContext().remove(APP_CONTEXT_CACHE_KEY);
+            AppContext.getAppContext().remove(APP_CONTEXT_KEYSTROKE_KEY);
         }
     }
@@ -230 +250 @@
         (char keyChar, int keyCode, int modifiers, boolean onKeyRelease)
     {
+        Map cache = (Map)AppContext.getAppContext().get(APP_CONTEXT_CACHE_KEY);
+        AWTKeyStroke cacheKey = (AWTKeyStroke)AppContext.getAppContext().get(APP_CONTEXT_KEYSTROKE_KEY);
+
         if (cache == null) {
             cache = new HashMap();
+            AppContext.getAppContext().put(APP_CONTEXT_CACHE_KEY, cache);
         }
 
         if (cacheKey == null) {
             try {
-                cacheKey = (AWTKeyStroke)ctor.newInstance((Object[]) null);
+                Class clazz = getAWTKeyStrokeClass();
+                cacheKey = (AWTKeyStroke)getCtor(clazz).newInstance((Object[]) null);
+                AppContext.getAppContext().put(APP_CONTEXT_KEYSTROKE_KEY, cacheKey);
             } catch (InstantiationException e) {
                 assert(false);
@@ -254 +280 @@
             stroke = cacheKey;
             cache.put(stroke, stroke);
-            cacheKey = null;
-        }
-
+            AppContext.getAppContext().remove(APP_CONTEXT_KEYSTROKE_KEY);
+        }
         return stroke;
     }
@@ -776 +801 @@
         synchronized (AWTKeyStroke.class) {
             Class newClass = getClass();
-            if (!newClass.equals(ctor.getDeclaringClass())) {
+            Class awtKeyStrokeClass = getAWTKeyStrokeClass();
+            if (!newClass.equals(awtKeyStrokeClass)) {
                 registerSubclass(newClass);
             }

trunk/openjdk/jdk/src/share/classes/java/awt/Component.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1995, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/java/awt/EventDispatchThread.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/java/awt/EventQueue.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/java/awt/MenuComponent.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1995, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/java/awt/TrayIcon.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/java/io/InputStream.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1994, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -45 +45 @@
 public abstract class InputStream implements Closeable {
 
-    // SKIP_BUFFER_SIZE is used to determine the size of skipBuffer
-    private static final int SKIP_BUFFER_SIZE = 2048;
-    // skipBuffer is initialized in skip(long), if needed.
-    private static byte[] skipBuffer;
+    // MAX_SKIP_BUFFER_SIZE is used to determine the maximum buffer skip to
+    // use when skipping.
+    private static final int MAX_SKIP_BUFFER_SIZE = 2048;
 
     /**
@@ -213 +212 @@
         long remaining = n;
         int nr;
-        if (skipBuffer == null)
-            skipBuffer = new byte[SKIP_BUFFER_SIZE];
-
-        byte[] localSkipBuffer = skipBuffer;
 
         if (n <= 0) {
@@ -222 +217 @@
         }
 
+        int size = (int)Math.min(MAX_SKIP_BUFFER_SIZE, remaining);
+        byte[] skipBuffer = new byte[size];
         while (remaining > 0) {
-            nr = read(localSkipBuffer, 0,
-                      (int) Math.min(SKIP_BUFFER_SIZE, remaining));
+            nr = read(skipBuffer, 0, (int)Math.min(size, remaining));
             if (nr < 0) {
                 break;

trunk/openjdk/jdk/src/share/classes/java/net/AbstractPlainDatagramSocketImpl.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/java/net/AbstractPlainSocketImpl.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1995, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/java/net/NetworkInterface.java

@@ -531 +531 @@
             result += " (" + displayName + ")";
         }
-        result += " index: "+index+" addresses:\n";
-        for (Enumeration e = getInetAddresses(); e.hasMoreElements(); ) {
-            InetAddress addr = (InetAddress)e.nextElement();
-            result += addr+";\n";
-        }
         return result;
     }
+
     private static native void init();
-
 }

trunk/openjdk/jdk/src/share/classes/java/security/AccessControlContext.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1997, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/java/security/SignedObject.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1997, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -250 +250 @@
      */
     private void readObject(java.io.ObjectInputStream s)
-         throws java.io.IOException, ClassNotFoundException
-    {
-        s.defaultReadObject();
-        content = content.clone();
-        signature = signature.clone();
+        throws java.io.IOException, ClassNotFoundException {
+            java.io.ObjectInputStream.GetField fields = s.readFields();
+            content = ((byte[])fields.get("content", null)).clone();
+            signature = ((byte[])fields.get("signature", null)).clone();
+            thealgorithm = (String)fields.get("thealgorithm", null);
     }
 }

trunk/openjdk/jdk/src/share/classes/java/sql/Timestamp.java

@@ -489 +489 @@
      */
     public int compareTo(Timestamp ts) {
-        int i = super.compareTo(ts);
+        long thisTime = this.getTime();
+        long anotherTime = ts.getTime();
+        int i = (thisTime<anotherTime ? -1 :(thisTime==anotherTime?0 :1));
         if (i == 0) {
             if (nanos > ts.nanos) {

trunk/openjdk/jdk/src/share/classes/javax/net/ssl/HttpsURLConnection.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1999, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -369 +369 @@
         }
 
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            sm.checkSetFactory();
+        }
         sslSocketFactory = sf;
     }

trunk/openjdk/jdk/src/share/classes/javax/swing/ImageIcon.java

@@ -37 +37 @@
 import javax.accessibility.*;
 
+import sun.awt.AppContext;
+import java.lang.reflect.Field;
+import java.security.*;
 
 /**
@@ -76 +79 @@
     String description = null;
 
-    protected final static Component component = new Component() {};
-    protected final static MediaTracker tracker = new MediaTracker(component);
+   // Fields for twisted backward compatibility only. DO NOT USE.
+    protected final static Component component;
+    protected final static MediaTracker tracker;
+
+    static {
+        component = AccessController.doPrivileged(new PrivilegedAction<Component>() {
+            public Component run() {
+
+                try {
+                    final Component component = createNoPermsComponent();
+
+                    // 6482575 - clear the appContext field so as not to leak it
+                    Field appContextField =
+
+                            Component.class.getDeclaredField("appContext");
+                    appContextField.setAccessible(true);
+                    appContextField.set(component, null);
+
+                    return component;
+                } catch (Throwable e) {
+                    // We don't care about component.
+                    // So don't prevent class initialisation.
+                    e.printStackTrace();
+
+                    return null;
+                }
+            }
+        });
+        tracker = new MediaTracker(component);
+    }
+
+    private static Component createNoPermsComponent() {
+        // 7020198 - set acc field to no permissions and no subject
+        // Note, will have appContext set.
+        return AccessController.doPrivileged(
+                new PrivilegedAction<Component>() {
+                    public Component run() {
+                        return new Component() {
+                        };
+                    }
+                },
+                new AccessControlContext(new ProtectionDomain[]{
+                        new ProtectionDomain(null, null)
+                })
+        );
+    }
 
     /**
@@ -83 +130 @@
      */
     private static int mediaTrackerID;
+
+    private final static Object TRACKER_KEY = new StringBuilder("TRACKER_KEY");
 
     int width = -1;
@@ -244 +293 @@
      */
     protected void loadImage(Image image) {
-        synchronized(tracker) {
+        MediaTracker mTracker = getTracker();
+        synchronized(mTracker) {
             int id = getNextID();
 
-            tracker.addImage(image, id);
+            mTracker.addImage(image, id);
             try {
-                tracker.waitForID(id, 0);
+                mTracker.waitForID(id, 0);
             } catch (InterruptedException e) {
                 System.out.println("INTERRUPTED while loading Image");
             }
-            loadStatus = tracker.statusID(id, false);
-            tracker.removeImage(image, id);
+            loadStatus = mTracker.statusID(id, false);
+            mTracker.removeImage(image, id);
 
             width = image.getWidth(imageObserver);
@@ -265 +315 @@
      */
     private int getNextID() {
-        synchronized(tracker) {
+        synchronized(getTracker()) {
             return ++mediaTrackerID;
         }
+    }
+
+    /**
+     * Returns the MediaTracker for the current AppContext, creating a new
+     * MediaTracker if necessary.
+     */
+    private MediaTracker getTracker() {
+        Object trackerObj;
+        AppContext ac = AppContext.getAppContext();
+        // Opt: Only synchronize if trackerObj comes back null?
+        // If null, synchronize, re-check for null, and put new tracker
+        synchronized (ac) {
+            trackerObj = ac.get(TRACKER_KEY);
+            if (trackerObj == null) {
+                Component comp = new Component() {
+                };
+                trackerObj = new MediaTracker(comp);
+                ac.put(TRACKER_KEY, trackerObj);
+            }
+        }
+        return (MediaTracker) trackerObj;
     }
 

trunk/openjdk/jdk/src/share/classes/javax/swing/Timer.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/javax/swing/TransferHandler.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/sun/awt/SunToolkit.java

@@ -71 +71 @@
     /* Load debug settings for native code */
     static {
-        String nativeDebug = System.getProperty("sun.awt.nativedebug");
-        if ("true".equalsIgnoreCase(nativeDebug)) {
+        if (AccessController.doPrivileged(new GetBooleanAction("sun.awt.nativedebug"))) {
             DebugSettings.init();
         }

trunk/openjdk/jdk/src/share/classes/sun/font/FileFont.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2003, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/sun/font/TrueTypeFont.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/sun/font/Type1Font.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/sun/java2d/pipe/DrawImage.java

@@ -510 +510 @@
          */
         int edges[] = new int[(dy2-dy1)*2+2];
+        // It is important that edges[0]=edges[1]=0 when we call
+        // Transform in case it must return early and we would
+        // not want to render anything on an error condition.
         helper.Transform(tmpmaskblit, srcData, tmpData,
                          AlphaComposite.Src, null,

trunk/openjdk/jdk/src/share/classes/sun/misc/FloatingDecimal.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/sun/net/ResourceManager.java

@@ -42 +42 @@
     /* default maximum number of udp sockets per VM
      * when a security manager is enabled.
-     * The default is 1024 which is high enough to be useful
+     * The default is 25 which is high enough to be useful
      * but low enough to be well below the maximum number
-     * of port numbers actually available on all OSes for
-     * such sockets (5000 on some versions of windows)
+     * of port numbers actually available on all OSes
+     * when multiplied by the maximum feasible number of VM processes
+     * that could practically be spawned.
      */
 
-    private static final int DEFAULT_MAX_SOCKETS = 1024;
+    private static final int DEFAULT_MAX_SOCKETS = 25;
     private static final int maxSockets;
     private static final AtomicInteger numSockets;

trunk/openjdk/jdk/src/share/classes/sun/nio/ch/DatagramChannelImpl.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2001, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/sun/nio/ch/Net.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2000, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/sun/reflect/annotation/AnnotationInvocationHandler.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2003, 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -41 +41 @@
  */
 class AnnotationInvocationHandler implements InvocationHandler, Serializable {
+    private static final long serialVersionUID = 6182022883658399397L;
     private final Class type;
     private final Map<String, Object> memberValues;

trunk/openjdk/jdk/src/share/classes/sun/reflect/annotation/AnnotationTypeMismatchExceptionProxy.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -35 +35 @@
  */
 class AnnotationTypeMismatchExceptionProxy extends ExceptionProxy {
+    private static final long serialVersionUID = 7844069490309503934L;
     private Method member;
     private String foundType;

trunk/openjdk/jdk/src/share/classes/sun/reflect/annotation/EnumConstantNotPresentExceptionProxy.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -34 +34 @@
  */
 public class EnumConstantNotPresentExceptionProxy extends ExceptionProxy {
+    private static final long serialVersionUID = -604662101303187330L;
     Class<? extends Enum> enumType;
     String constName;

trunk/openjdk/jdk/src/share/classes/sun/reflect/annotation/TypeNotPresentExceptionProxy.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -34 +34 @@
  */
 public class TypeNotPresentExceptionProxy extends ExceptionProxy {
+    private static final long serialVersionUID = 5565925172427947573L;
     String typeName;
     Throwable cause;

trunk/openjdk/jdk/src/share/classes/sun/rmi/registry/RegistryImpl.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -39 +39 @@
 import java.rmi.server.RMIClientSocketFactory;
 import java.rmi.server.RMIServerSocketFactory;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.CodeSource;
+import java.security.Policy; 
 import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.ProtectionDomain; 
 import java.text.MessageFormat;
+import sun.rmi.server.LoaderHandler;
 import sun.rmi.server.UnicastServerRef;
 import sun.rmi.server.UnicastServerRef2;
@@ -46 +55 @@
 import sun.rmi.transport.ObjectTable;
 import sun.rmi.transport.Target;
+import sun.security.action.GetPropertyAction;
 
 /**
@@ -325 +335 @@
             ClassLoader cl = new URLClassLoader(urls);
 
+            String codebaseProperty = null;
+            String prop = java.security.AccessController.doPrivileged(
+                new GetPropertyAction("java.rmi.server.codebase"));
+                if (prop != null && prop.trim().length() > 0) {
+                    codebaseProperty = prop;
+                }
+            URL[] codebaseURLs = null;
+            if (codebaseProperty != null) {
+                codebaseURLs = sun.misc.URLClassPath.pathToURLs(codebaseProperty);
+            } else {
+                codebaseURLs = new URL[0];
+            }
+
             /*
              * Fix bugid 4242317: Classes defined by this class loader should
@@ -334 +357 @@
             Thread.currentThread().setContextClassLoader(cl);
 
-            int regPort = Registry.REGISTRY_PORT;
-            if (args.length >= 1) {
-                regPort = Integer.parseInt(args[0]);
-            }
-            registry = new RegistryImpl(regPort);
+            final int regPort = (args.length >= 1) ? Integer.parseInt(args[0])
+                                                   : Registry.REGISTRY_PORT;
+            try {
+                registry = AccessController.doPrivileged(
+                    new PrivilegedExceptionAction<RegistryImpl>() {
+                        public RegistryImpl run() throws RemoteException {
+                            return new RegistryImpl(regPort);
+                        }
+                    }, getAccessControlContext(codebaseURLs));
+            } catch (PrivilegedActionException ex) {
+                throw (RemoteException) ex.getException();
+            }
+
             // prevent registry from exiting
             while (true) {
@@ -358 +389 @@
         System.exit(1);
     }
+
+    /**
+     * Generates an AccessControlContext from several URLs.
+     * The approach used here is taken from the similar method
+     * getAccessControlContext() in the sun.applet.AppletPanel class.
+     */
+    private static AccessControlContext getAccessControlContext(URL[] urls) {
+        // begin with permissions granted to all code in current policy
+        PermissionCollection perms = AccessController.doPrivileged(
+            new java.security.PrivilegedAction<PermissionCollection>() {
+                public PermissionCollection run() {
+                    CodeSource codesource = new CodeSource(null,
+                        (java.security.cert.Certificate[]) null);
+                    Policy p = java.security.Policy.getPolicy();
+                    if (p != null) {
+                        return p.getPermissions(codesource);
+                    } else {
+                        return new Permissions();
+                    }
+                }
+            });
+
+        /*
+         * Anyone can connect to the registry and the registry can connect
+         * to and possibly download stubs from anywhere. Downloaded stubs and
+         * related classes themselves are more tightly limited by RMI.
+         */
+        perms.add(new SocketPermission("*", "connect,accept"));
+
+        perms.add(new RuntimePermission("accessClassInPackage.sun.*"));
+
+        // add permissions required to load from codebase URL path
+        LoaderHandler.addPermissionsForURLs(urls, perms, false);
+
+        /*
+         * Create an AccessControlContext that consists of a single
+         * protection domain with only the permissions calculated above.
+         */
+        ProtectionDomain pd = new ProtectionDomain(
+            new CodeSource((urls.length > 0 ? urls[0] : null),
+                (java.security.cert.Certificate[]) null),
+            perms);
+        return new AccessControlContext(new ProtectionDomain[] { pd });
+    }
 }

trunk/openjdk/jdk/src/share/classes/sun/rmi/server/LoaderHandler.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -1029 +1029 @@
      * it is not already implied by the collection.
      */
-    private static void addPermissionsForURLs(URL[] urls,
+    public static void addPermissionsForURLs(URL[] urls,
                                               PermissionCollection perms,
                                               boolean forLoader)

trunk/openjdk/jdk/src/share/classes/sun/rmi/server/UnicastServerRef.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -391 +391 @@
             try {
                 in = call.getInputStream();
+                try {
+                    Class<?> clazz = Class.forName("sun.rmi.transport.DGCImpl_Skel");
+                    if (clazz.isAssignableFrom(skel.getClass())) {
+                        ((MarshalInputStream)in).useCodebaseOnly();
+                    }
+                } catch (ClassNotFoundException ignore) { }
                 hash = in.readLong();
             } catch (Exception readEx) {

trunk/openjdk/jdk/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java

@@ -25 +25 @@
 
 /*
- * ===========================================================================
- *  IBM Confidential
- *  OCO Source Materials
- *  Licensed Materials - Property of IBM
  *
  *  (C) Copyright IBM Corp. 1999 All Rights Reserved.
- *
- *  The source code for this program is not published or otherwise divested of
- *  its trade secrets, irrespective of what has been deposited with the U.S.
- *  Copyright Office.
- *
  *  Copyright 1997 The Open Group Research Institute.  All rights reserved.
- * ===========================================================================
- *
  */
-
 package sun.security.jgss.spi;
 

trunk/openjdk/jdk/src/share/classes/sun/security/jgss/spnego/NegTokenInit.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -67 +67 @@
     private Oid[] mechTypeList = null;
 
-    private byte[] reqFlags = null;
+    private BitArray reqFlags = null;
     private byte[] mechToken = null;
     private byte[] mechListMIC = null;
 
-    NegTokenInit(byte[] mechTypes, byte[] flags,
+    NegTokenInit(byte[] mechTypes, BitArray flags,
                 byte[] token, byte[] mechListMIC)
     {
@@ -102 +102 @@
             if (reqFlags != null) {
                 DerOutputStream flags = new DerOutputStream();
-                flags.putBitString(reqFlags);
+                flags.putUnalignedBitString(reqFlags);
                 initToken.write(DerValue.createTag(DerValue.TAG_CONTEXT,
                                                 true, (byte) 0x01), flags);
@@ -238 +238 @@
     }
 
-    byte[] getReqFlags() {
+    BitArray getReqFlags() {
         return reqFlags;
     }

trunk/openjdk/jdk/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -54 +54 @@
     private int state = STATE_NEW;
 
-    private static final int CHECKSUM_DELEG_FLAG    = 1;
-    private static final int CHECKSUM_MUTUAL_FLAG   = 2;
-    private static final int CHECKSUM_REPLAY_FLAG   = 4;
-    private static final int CHECKSUM_SEQUENCE_FLAG = 8;
-    private static final int CHECKSUM_CONF_FLAG     = 16;
-    private static final int CHECKSUM_INTEG_FLAG    = 32;
-
     /*
      * Optional features that the application can set and their default
@@ -701 +694 @@
      * get the context flags
      */
-    private byte[] getContextFlags() {
-        int flags = 0;
-
-        if (getCredDelegState())
-            flags |= CHECKSUM_DELEG_FLAG;
-        if (getMutualAuthState())
-            flags |= CHECKSUM_MUTUAL_FLAG;
-        if (getReplayDetState())
-            flags |= CHECKSUM_REPLAY_FLAG;
-        if (getSequenceDetState())
-            flags |= CHECKSUM_SEQUENCE_FLAG;
-        if (getIntegState())
-            flags |= CHECKSUM_INTEG_FLAG;
-        if (getConfState())
-            flags |= CHECKSUM_CONF_FLAG;
-
-        byte[] temp = new byte[1];
-        temp[0] = (byte)(flags & 0xff);
-        return temp;
+    private BitArray getContextFlags() {
+        BitArray out = new BitArray(7);
+
+        if (getCredDelegState()) out.set(0, true);
+        if (getMutualAuthState()) out.set(1, true);
+        if (getReplayDetState()) out.set(2, true);
+        if (getSequenceDetState()) out.set(3, true);
+        if (getConfState()) out.set(5, true);
+        if (getIntegState()) out.set(6, true);
+
+        return out;
     }
 

trunk/openjdk/jdk/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java

@@ -248 +248 @@
     }
 
-    Ticket readData() throws IOException, RealmException, KrbApErrException, Asn1Exception {
+    byte[] readData() throws IOException {
         int length;
         length = read(4);
-        if (length > 0) {
+        if (length == 0) {
+            return null;
+        } else {
             byte[] bytes = new byte[length];
             read(bytes, 0, length);
-            Ticket ticket = new Ticket(bytes);
-            return ticket;
-        }
-        else return null;
+            return bytes;
+        }
     }
 
@@ -326 +326 @@
         return flags;
     }
+
+    /**
+     * Reads the next cred in stream.
+     * @return the next cred, null if ticket or second_ticket unparseable.
+     *
+     * Note: MIT krb5 1.8.1 might generate a config entry with server principal
+     * X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/REALM@REALM. The
+     * entry is used by KDC to inform the client that it support certain
+     * features. Its ticket is not a valid krb5 ticket and thus this method
+     * returns null.
+     */
     Credentials readCred(int version) throws IOException,RealmException, KrbApErrException, Asn1Exception {
         PrincipalName cpname = readPrincipal(version);
@@ -361 +372 @@
             auData = new AuthorizationData(auDataEntry);
         }
-        Ticket ticket = readData();
-        if (DEBUG) {
-            System.out.println(">>>DEBUG <CCacheInputStream>");
-            if (ticket == null) {
-                System.out.println("///ticket is null");
-            }
-        }
-        Ticket secTicket = readData();
-        Credentials cred = new Credentials(cpname, spname, key, authtime, starttime,
-                                           endtime, renewTill, skey, tFlags,
-                                           addrs, auData, ticket, secTicket);
-        return cred;
+        byte[] ticketData = readData();
+        byte[] ticketData2 = readData();
+
+        try {
+            return new Credentials(cpname, spname, key, authtime, starttime,
+                endtime, renewTill, skey, tFlags,
+                addrs, auData,
+                ticketData != null ? new Ticket(ticketData) : null,
+                ticketData2 != null ? new Ticket(ticketData2) : null);
+        } catch (Exception e) {     // If any of new Ticket(*) fails.
+            return null;
+        }
     }
 }

trunk/openjdk/jdk/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -187 +187 @@
         credentialsList = new Vector<Credentials> ();
         while (cis.available() > 0) {
-            credentialsList.addElement(cis.readCred(version));
+            Credentials cred = cis.readCred(version);
+            if (cred != null) {
+                credentialsList.addElement(cred);
+            }
         }
         cis.close();

trunk/openjdk/jdk/src/share/classes/sun/security/provider/SeedGenerator.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -136 +136 @@
     }
 
-    void getSeedBytes(byte[] result) {
-        for (int i = 0; i < result.length; i++) {
-          result[i] = getSeedByte();
-        }
-    }
-
-    abstract byte getSeedByte();
+    abstract void getSeedBytes(byte[] result);
 
     /**
@@ -337 +331 @@
             }
         }
+
+        @Override
+        void getSeedBytes(byte[] result) {
+            for (int i = 0; i < result.length; i++) {
+                result[i] = getSeedByte();
+            }
+        } 
 
         byte getSeedByte() {
@@ -424 +425 @@
 
         private String deviceName;
-        private BufferedInputStream devRandom;
-
+        private InputStream devRandom;
 
         /**
@@ -447 +447 @@
         private void init() throws IOException {
             final URL device = new URL(deviceName);
-            devRandom = java.security.AccessController.doPrivileged
-                (new java.security.PrivilegedAction<BufferedInputStream>() {
-                        public BufferedInputStream run() {
-                            try {
-                                return new BufferedInputStream(device.openStream());
-                            } catch (IOException ioe) {
-                                return null;
+            try {
+                devRandom = java.security.AccessController.doPrivileged
+                    (new java.security.PrivilegedExceptionAction<InputStream>() {
+                        public InputStream run() throws IOException {
+                            /*
+                             * return a FileInputStream for file URLs and
+                             * avoid buffering. The openStream() call wraps
+                             * InputStream in a BufferedInputStream which
+                             * can buffer up to 8K bytes. This read is a
+                             * performance issue for entropy sources which
+                             * can be slow to replenish.
+                             */
+                            if (device.getProtocol().equalsIgnoreCase("file")) {
+                                File deviceFile = getDeviceFile(device);
+                                return new FileInputStream(deviceFile);
+                            } else {
+                                return device.openStream();
                             }
                         }
                     });
-
-            if (devRandom == null) {
-                throw new IOException("failed to open " + device);
-            }
-        }
-
-        byte getSeedByte() {
-            byte b[] = new byte[1];
-            int stat;
-            try {
-                stat = devRandom.read(b, 0, b.length);
+            } catch (Exception e) {
+                throw new IOException("Failed to open " + deviceName, e.getCause());
+            }
+        }
+
+        /*
+         * Use a URI to access this File. Previous code used a URL
+         * which is less strict on syntax. If we encounter a
+         * URISyntaxException we make best efforts for backwards
+         * compatibility. e.g. space character in deviceName string.
+         *
+         * Method called within PrivilegedExceptionAction block.
+         */
+        private File getDeviceFile(URL device) throws IOException {
+            try {
+                URI deviceURI = device.toURI();
+                if(deviceURI.isOpaque()) {
+                    // File constructor does not accept opaque URI
+                    URI localDir = new File(System.getProperty("user.dir")).toURI();
+                    String uriPath = localDir.toString() +
+                                         deviceURI.toString().substring(5);
+                    return new File(URI.create(uriPath));
+                } else {
+                    return new File(deviceURI);
+                }
+            } catch (URISyntaxException use) {
+                /*
+                 * Make best effort to access this File.
+                 * We can try using the URL path.
+                 */
+                return new File(device.getPath());
+            }
+        }
+
+        @Override
+        void getSeedBytes(byte[] result) {
+            int len = result.length;
+            int read = 0;
+            try {
+                while (read < len) {
+                    int count = devRandom.read(result, read, len - read);
+                    // /dev/random blocks - should never have EOF
+                    if (count < 0)
+                        throw new InternalError("URLSeedGenerator " + deviceName +
+                                        " reached end of file");
+                    read += count;
+                }
             } catch (IOException ioe) {
                 throw new InternalError("URLSeedGenerator " + deviceName +
@@ -473 +519 @@
                                         ioe.getMessage());
             }
-            if (stat == b.length) {
-                return b[0];
-            } else if (stat == -1) {
-                throw new InternalError("URLSeedGenerator " + deviceName +
-                                           " reached end of file");
-            } else {
-                throw new InternalError("URLSeedGenerator " + deviceName +
-                                           " failed read");
-            }
-        }
-
+        }
     }
 

trunk/openjdk/jdk/src/share/classes/sun/security/ssl/AppOutputStream.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 20111 Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -61 +61 @@
         // check if the Socket is invalid (error or closed)
         c.checkWrite();
-        //
-        // Always flush at the end of each application level record.
-        // This lets application synchronize read and write streams
-        // however they like; if we buffered here, they couldn't.
-        //
-        // NOTE: *must* call c.writeRecord() even for len == 0
+
+        /*
+         * By default, we counter chosen plaintext issues on CBC mode
+         * ciphersuites in SSLv3/TLS1.0 by sending one byte of application
+         * data in the first record of every payload, and the rest in
+         * subsequent record(s). Note that the issues have been solved in
+         * TLS 1.1 or later.
+         *
+         * It is not necessary to split the very first application record of
+         * a freshly negotiated TLS session, as there is no previous
+         * application data to guess.  To improve compatibility, we will not
+         * split such records. 
+         *
+         * This avoids issues in the outbound direction.  For a full fix,
+         * the peer must have similar protections.
+         */
+        boolean isFirstRecordOfThePayload = true;
+
+        /*
+         * Always flush at the end of each application level record.
+         * This lets application synchronize read and write streams
+         * however they like; if we buffered here, they couldn't.
+         *
+         * NOTE: *must* call c.writeRecord() even for len == 0
+         */
+
         try {
             do {
-                int howmuch = Math.min(len, r.availableDataBytes());
+                int howmuch;
+                if (isFirstRecordOfThePayload && c.needToSplitPayload()) {
+                    howmuch = Math.min(0x01, r.availableDataBytes());
+                } else {
+                    howmuch = Math.min(len, r.availableDataBytes());
+                }
+
+                if (isFirstRecordOfThePayload && howmuch != 0) {
+                    isFirstRecordOfThePayload = false;
+                }
 
                 if (howmuch > 0) {

trunk/openjdk/jdk/src/share/classes/sun/security/ssl/CipherBox.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -77 +77 @@
 
     /**
+     * Is the cipher of CBC mode?
+     */
+     private final boolean isCBCMode;
+
+    /**
      * NULL cipherbox. Identity operation, no encryption.
      */
@@ -82 +87 @@
         this.protocolVersion = ProtocolVersion.DEFAULT;
         this.cipher = null;
+        this.isCBCMode = false;
     }
 
@@ -97 +103 @@
             this.cipher = JsseJce.getCipher(bulkCipher.transformation);
             int mode = encrypt ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE;
+            this.isCBCMode = bulkCipher.isCBCMode;
             cipher.init(mode, key, iv);
             // do not call getBlockSize until after init()
@@ -487 +494 @@
         return newlen;
     }
+
+    /*
+     * Does the cipher use CBC mode?
+     *
+     * @return true if the cipher use CBC mode, false otherwise.
+     */
+    boolean isCBCMode() {
+        return isCBCMode;
+    }
 }

trunk/openjdk/jdk/src/share/classes/sun/security/ssl/CipherSuite.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -341 +341 @@
         final boolean exportable;
 
+        // Is the cipher algorithm of Cipher Block Chaining (CBC) mode?
+        final boolean isCBCMode;
+
         BulkCipher(String transformation, int keySize,
                 int expandedKeySize, int ivSize, boolean allowed) {
             this.transformation = transformation;
-            this.algorithm = transformation.split("/")[0];
+            String[] splits = transformation.split("/");
+            this.algorithm = splits[0];
+            this.isCBCMode =
+                splits.length <= 1 ? false : "CBC".equalsIgnoreCase(splits[1]);
             this.description = this.algorithm + "/" + (keySize << 3);
             this.keySize = keySize;
@@ -357 +363 @@
                 int ivSize, boolean allowed) {
             this.transformation = transformation;
-            this.algorithm = transformation.split("/")[0];
+            String[] splits = transformation.split("/");
+            this.algorithm = splits[0];
+            this.isCBCMode =
+                splits.length <= 1 ? false : "CBC".equalsIgnoreCase(splits[1]);
             this.description = this.algorithm + "/" + (keySize << 3);
             this.keySize = keySize;

trunk/openjdk/jdk/src/share/classes/sun/security/ssl/EngineOutputRecord.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -47 +47 @@
 final class EngineOutputRecord extends OutputRecord {
 
+    private SSLEngineImpl engine;
     private EngineWriter writer;
 
@@ -63 +64 @@
     EngineOutputRecord(byte type, SSLEngineImpl engine) {
         super(type, recordSize(type));
+        this.engine = engine;
         writer = engine.writer;
     }
@@ -228 +230 @@
          * records, so this increases robustness.
          */
-        int length = Math.min(ea.getAppRemaining(), maxDataSize);
-        if (length == 0) {
+        if (ea.getAppRemaining() == 0) {
             return;
         }
 
+        /*
+         * By default, we counter chosen plaintext issues on CBC mode
+         * ciphersuites in SSLv3/TLS1.0 by sending one byte of application
+         * data in the first record of every payload, and the rest in
+         * subsequent record(s). Note that the issues have been solved in
+         * TLS 1.1 or later.
+         *
+         * It is not necessary to split the very first application record of
+         * a freshly negotiated TLS session, as there is no previous
+         * application data to guess.  To improve compatibility, we will not
+         * split such records.
+         *
+         * Because of the compatibility, we'd better produce no more than
+         * SSLSession.getPacketBufferSize() net data for each wrap. As we
+         * need a one-byte record at first, the 2nd record size should be
+         * equal to or less than Record.maxDataSizeMinusOneByteRecord.
+         *
+         * This avoids issues in the outbound direction.  For a full fix,
+         * the peer must have similar protections.
+         */
+        int length;
+        if (engine.needToSplitPayload(writeCipher, protocolVersion)) {
+            write(ea, writeMAC, writeCipher, 0x01);
+            ea.resetLim();      // reset application data buffer limit
+            length = Math.min(ea.getAppRemaining(),
+                        maxDataSizeMinusOneByteRecord);
+        } else {
+            length = Math.min(ea.getAppRemaining(), maxDataSize);
+        }
+
+        // Don't bother to really write empty records.
+        if (length > 0) {
+            write(ea, writeMAC, writeCipher, length);
+        }
+
+        return;
+    }
+
+    void write(EngineArgs ea, MAC writeMAC, CipherBox writeCipher,
+            int length) throws IOException {
         /*
          * Copy out existing buffer values.

trunk/openjdk/jdk/src/share/classes/sun/security/ssl/Record.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -66 +66 @@
                                     + trailerSize;      // MAC
 
+    static final boolean enableCBCProtection =
+            Debug.getBooleanProperty("jsse.enableCBCProtection", true);
+
+    /*
+     * For CBC protection in SSL3/TLS1, we break some plaintext into two
+     * packets.  Max application data size for the second packet. 
+     */
+    static final int    maxDataSizeMinusOneByteRecord =
+                                  maxDataSize       // max data size
+                                - (                 // max one byte record size
+                                      headerSize    // header
+                                    + 1             // one byte data
+                                    + maxPadding    // padding
+                                    + trailerSize   // MAC
+                                  );
+
     /*
      * The maximum large record size.

trunk/openjdk/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -307 +307 @@
 
     /*
+     * Is it the first application record to write?
+     */
+    private boolean isFirstAppOutputRecord = true;
+
+    /*
      * Class and subclass dynamic debugging support
      */
@@ -596 +601 @@
                                 ("Algorithm missing:  ").initCause(e);
         }
+
+        // reset the flag of the first application record
+        isFirstAppOutputRecord = true;
     }
 
@@ -1213 +1221 @@
 
         // eventually compress as well.
-        return writer.writeRecord(eor, ea, writeMAC, writeCipher);
+        HandshakeStatus hsStatus =
+                writer.writeRecord(eor, ea, writeMAC, writeCipher);
+
+        /*
+         * turn off the flag of the first application record if we really
+         * consumed at least byte.
+         */
+        if (isFirstAppOutputRecord && ea.deltaApp() > 0) {
+            isFirstAppOutputRecord = false;
+        }
+
+        return hsStatus;
+    }
+
+    /*
+     * Need to split the payload except the following cases:
+     *
+     * 1. protocol version is TLS 1.1 or later;
+     * 2. bulk cipher does not use CBC mode, including null bulk cipher suites.
+     * 3. the payload is the first application record of a freshly
+     *    negotiated TLS session.
+     * 4. the CBC protection is disabled;
+     *
+     * More details, please refer to
+     * EngineOutputRecord.write(EngineArgs, MAC, CipherBox).
+     */
+    boolean needToSplitPayload(CipherBox cipher, ProtocolVersion protocol) {
+        return (protocol.v <= ProtocolVersion.TLS10.v) &&
+                cipher.isCBCMode() && !isFirstAppOutputRecord &&
+                Record.enableCBCProtection;
     }
 

trunk/openjdk/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -359 +359 @@
     private static final Debug debug = Debug.getInstance("ssl");
 
+    /*
+     * Is it the first application record to write?
+     */
+    private boolean isFirstAppOutputRecord = true;
+
     //
     // CONSTRUCTORS AND INITIALIZATION CODE
@@ -762 +767 @@
         r.encrypt(writeCipher);
         r.write(sockOutput);
-    }
-
+
+        // turn off the flag of the first application record
+        if (isFirstAppOutputRecord &&
+                r.contentType() == Record.ct_application_data) {
+            isFirstAppOutputRecord = false;
+        }
+    }
+  
+    /*
+     * Need to split the payload except the following cases:
+     *
+     * 1. protocol version is TLS 1.1 or later;
+     * 2. bulk cipher does not use CBC mode, including null bulk cipher suites.
+     * 3. the payload is the first application record of a freshly
+     *    negotiated TLS session.
+     * 4. the CBC protection is disabled;
+     *
+     * More details, please refer to AppOutputStream.write(byte[], int, int).
+     */
+    boolean needToSplitPayload() {
+        writeLock.lock();
+        try {
+            return (protocolVersion.v <= ProtocolVersion.TLS10.v) &&
+                    writeCipher.isCBCMode() && !isFirstAppOutputRecord && 
+                    Record.enableCBCProtection;
+        } finally {
+            writeLock.unlock();
+        }
+    }
 
     /*
@@ -1830 +1862 @@
                                 ("Algorithm missing:  ").initCause(e);
         }
+
+        // reset the flag of the first application record
+        isFirstAppOutputRecord = true;
     }
 

trunk/openjdk/jdk/src/share/classes/sun/security/validator/EndEntityChecker.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2002, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *

trunk/openjdk/jdk/src/share/classes/sun/swing/table/DefaultTableCellHeaderRenderer.java

@@ -1 +1 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -25 +25 @@
 package sun.swing.table;
 
+import sun.swing.DefaultLookup;
+
 import java.awt.Component;
 import java.awt.Color;
@@ -32 +34 @@
 import java.awt.Point;
 import java.awt.Rectangle;
+import java.io.Serializable;
 import javax.swing.*;
 import javax.swing.plaf.UIResource;
 import javax.swing.border.Border;
 import javax.swing.table.*;
-import sun.swing.DefaultLookup;
-
 
 public class DefaultTableCellHeaderRenderer extends DefaultTableCellRenderer
@@ -187 +188 @@
     }
 
-    private class EmptyIcon implements Icon {
+    private class EmptyIcon implements Icon, Serializable {
         int width = 0;
         int height = 0;