
src/java.security.jgss/share/classes/sun/security/jgss/krb5/InitialToken.java


        

@@ -34,10 +34,11 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import sun.security.krb5.*;
 import sun.security.krb5.internal.Krb5;
+import sun.security.jgss.krb5.internal.TlsChannelBindingImpl;
 
 abstract class InitialToken extends Krb5Token {
 
     private static final int CHECKSUM_TYPE = 0x8003;
 

@@ -55,10 +56,11 @@
     private static final int CHECKSUM_INTEG_FLAG    = 32;
 
     private final byte[] CHECKSUM_FIRST_BYTES =
     {(byte)0x10, (byte)0x00, (byte)0x00, (byte)0x00};
 
+    private static final int CHANNEL_BINDING_AF_UNSPEC = 0;
     private static final int CHANNEL_BINDING_AF_INET = 2;
     private static final int CHANNEL_BINDING_AF_INET6 = 24;
     private static final int CHANNEL_BINDING_AF_NULL_ADDR = 255;
 
     private static final int Inet4_ADDRSZ = 4;

@@ -331,22 +333,22 @@
                 context.setIntegState(false);
             }
         }
     }
 
-    private int getAddrType(InetAddress addr) {
-        int addressType = CHANNEL_BINDING_AF_NULL_ADDR;
+    private int getAddrType(InetAddress addr, int defValue) {
+        int addressType = defValue;
 
         if (addr instanceof Inet4Address)
             addressType = CHANNEL_BINDING_AF_INET;
         else if (addr instanceof Inet6Address)
             addressType = CHANNEL_BINDING_AF_INET6;
         return (addressType);
     }
 
     private byte[] getAddrBytes(InetAddress addr) throws GSSException {
-        int addressType = getAddrType(addr);
+        int addressType = getAddrType(addr, CHANNEL_BINDING_AF_NULL_ADDR);
         byte[] addressBytes = addr.getAddress();
         if (addressBytes != null) {
             switch (addressType) {
                 case CHANNEL_BINDING_AF_INET:
                     if (addressBytes.length != Inet4_ADDRSZ) {
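Review bot: The new `defValue` parameter of `getAddrType` is undocumented, and its contract is not obvious from the body: it is returned for a `null` address and also for any `InetAddress` that is neither `Inet4Address` nor `Inet6Address`. A short Javadoc would make the new call sites easier to audit, e.g. `@param defValue address type returned when {@code addr} is null or is neither an Inet4Address nor an Inet6Address`. The `getAddrBytes` call at the end of the hunk keeps the old `CHANNEL_BINDING_AF_NULL_ADDR` default, which seems intended since `getAddrBytes` is only reached for non-null addresses; a one-line comment there saying so would prevent a later reader from "fixing" it to the TLS value. `getAddrBytes` continues outside the hunk.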

@@ -373,12 +375,20 @@
 
         InetAddress initiatorAddress = channelBinding.getInitiatorAddress();
         InetAddress acceptorAddress = channelBinding.getAcceptorAddress();
         int size = 5*4;
 
-        int initiatorAddressType = getAddrType(initiatorAddress);
-        int acceptorAddressType = getAddrType(acceptorAddress);
+        // LDAP TLS Channel Binding requires CHANNEL_BINDING_AF_UNSPEC address type
+        // for unspecified initiator and acceptor addresses.
+        // CHANNEL_BINDING_AF_NULL_ADDR value should be used for unspecified address
+        // in all other cases.
+        int initiatorAddressType = getAddrType(initiatorAddress,
+                (channelBinding instanceof TlsChannelBindingImpl)?
+                        CHANNEL_BINDING_AF_UNSPEC:CHANNEL_BINDING_AF_NULL_ADDR);
+        int acceptorAddressType = getAddrType(acceptorAddress,
+                (channelBinding instanceof TlsChannelBindingImpl)?
+                        CHANNEL_BINDING_AF_UNSPEC:CHANNEL_BINDING_AF_NULL_ADDR);
 
         byte[] initiatorAddressBytes = null;
         if (initiatorAddress != null) {
             initiatorAddressBytes = getAddrBytes(initiatorAddress);
             size += initiatorAddressBytes.length;
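Review bot: The `channelBinding instanceof TlsChannelBindingImpl` test is written out twice, once per address, so the two defaults can drift apart in a later edit even though the comment above them says they must agree; hoisting it once, `int unspecifiedAddrType = (channelBinding instanceof TlsChannelBindingImpl) ? CHANNEL_BINDING_AF_UNSPEC : CHANNEL_BINDING_AF_NULL_ADDR;`, and passing `unspecifiedAddrType` to both `getAddrType` calls states the invariant in code. The address type is presumably folded into the channel-binding data that the 0x8003 checksum covers (the constant is visible in the first hunk), so the comment could say why the encoding matters: if the initiator and acceptor encode an unspecified address differently, the channel-binding verification fails rather than degrades, which is the behaviour this change corrects for TLS bindings. The enclosing method starts before and ends after this hunk.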