6733095: Failure when SPNEGO request non-Mutual

Reviewed-by: valeriep

src/share/classes/sun/security/jgss/GSSContextImpl.java

 /*
- * Copyright 2000-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -284,7 +284,8 @@ class GSSContextImpl implements GSSContext {
         ByteArrayOutputStream bos = new ByteArrayOutputStream(100);
         acceptSecContext(new ByteArrayInputStream(inTok, offset, len),
                          bos);
-        return bos.toByteArray();
+        byte[] out = bos.toByteArray();
+        return (out.length == 0) ? null : out;
     }
 
     public void acceptSecContext(InputStream inStream,

src/share/classes/sun/security/jgss/spnego/SpNegoContext.java

 /*
- * Copyright 2005-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2005-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -413,13 +413,14 @@ public class SpNegoContext implements GSSContextSpi {
                     // pull out the mechanism token
                     byte[] accept_token = targToken.getResponseToken();
                     if (accept_token == null) {
-                        // return wth failure
-                        throw new GSSException(errorCode, -1,
-                                        "mechansim token from server is null");
+                        if (!isMechContextEstablished()) {
+                            // return with failure
+                            throw new GSSException(errorCode, -1,
+                                    "mechanism token from server is null");
+                        }
+                    } else {
+                        mechToken = GSS_initSecContext(accept_token);
                     }
-
-                    mechToken = GSS_initSecContext(accept_token);
-
                     // verify MIC
                     if (!GSSUtil.useMSInterop()) {
                         byte[] micToken = targToken.getMechListMIC();
@@ -428,7 +429,6 @@ public class SpNegoContext implements GSSContextSpi {
                                 "verification of MIC on MechList Failed!");
                         }
                     }
-
                     if (isMechContextEstablished()) {
                         state = STATE_DONE;
                         retVal = mechToken;
@@ -556,9 +556,6 @@ public class SpNegoContext implements GSSContextSpi {
 
                 // get the token for mechanism
                 byte[] accept_token = GSS_acceptSecContext(mechToken);
-                if (accept_token == null) {
-                    valid = false;
-                }
 
                 // verify MIC
                 if (!GSSUtil.useMSInterop() && valid) {

test/sun/security/krb5/auto/Context.java

@@ -360,6 +360,10 @@ public class Context {
                     if (me.x.isEstablished()) {
                         me.f = true;
                         System.out.println(c.name + " side established");
+                        if (input != null) {
+                            throw new Exception("Context established but " +
+                                    "still receive token at " + c.name);
+                        }
                         return null;
                     } else {
                         System.out.println(c.name + " call initSecContext");
@@ -374,6 +378,10 @@ public class Context {
                     if (me.x.isEstablished()) {
                         me.f = true;
                         System.out.println(s.name + " side established");
+                        if (input != null) {
+                            throw new Exception("Context established but " +
+                                    "still receive token at " + s.name);
+                        }
                         return null;
                     } else {
                         System.out.println(s.name + " called acceptSecContext");

test/sun/security/krb5/auto/NonMutualSpnego.java

+/*
+ * Copyright 2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6733095
+ * @summary Failure when SPNEGO request non-Mutual
+ */
+
+import sun.security.jgss.GSSUtil;
+
+public class NonMutualSpnego {
+
+    public static void main(String[] args)
+            throws Exception {
+
+        // Create and start the KDC
+        new OneKDC(null).writeJAASConf();
+        new NonMutualSpnego().go();
+    }
+
+    void go() throws Exception {
+        Context c = Context.fromJAAS("client");
+        Context s = Context.fromJAAS("server");
+
+        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_SPNEGO_MECH_OID);
+        c.x().requestMutualAuth(false);
+        s.startAsServer(GSSUtil.GSS_SPNEGO_MECH_OID);
+
+        Context.handshake(c, s);
+
+        Context.transmit("i say high --", c, s);
+        Context.transmit("   you say low", s, c);
+
+        c.dispose();
+        s.dispose();
+    }
+}