-
Bug
-
Resolution: Fixed
-
P4
-
6u91, 7
-
None
-
b41
-
generic
-
generic
Using SPNEGO, when the client calls reqMutualAuth(false) with Kerberos as the mech, the current implementation fails.
The reason is that when reqMutualAuth(false) is called, the negotiation process of the underlying mech contains only one token, which means the server's first call to Kerberos' acceptSecContext() already returns null. Unfortunately, the current SPNEGO implementation needs this output be non-null, therefore the failure.
There's also a tiny error in byte[] GSSContextImpl.acceptSecContext(byte[]) that returns an empty byte array when the correct output should have been null.
The reason is that when reqMutualAuth(false) is called, the negotiation process of the underlying mech contains only one token, which means the server's first call to Kerberos' acceptSecContext() already returns null. Unfortunately, the current SPNEGO implementation needs this output be non-null, therefore the failure.
There's also a tiny error in byte[] GSSContextImpl.acceptSecContext(byte[]) that returns an empty byte array when the correct output should have been null.