--- a/jdk/src/share/classes/sun/security/jgss/krb5/InitialToken.java	Thu Jun 18 10:38:21 2009 -0400
+++ b/jdk/src/share/classes/sun/security/jgss/krb5/InitialToken.java	Fri Jun 19 18:03:27 2009 +0800
@@ -33,6 +33,7 @@
 import java.net.Inet6Address;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
 import sun.security.krb5.*;
 import sun.security.jgss.HttpCaller;
 import sun.security.krb5.internal.Krb5;
@@ -219,43 +220,35 @@
                         "Incorrect checksum");
             }
 
-            byte[] remoteBindingBytes = new byte[CHECKSUM_BINDINGS_SIZE];
-            System.arraycopy(checksumBytes, 4, remoteBindingBytes, 0,
-                             CHECKSUM_BINDINGS_SIZE);
-
-            byte[] noBindings = new byte[CHECKSUM_BINDINGS_SIZE];
-            boolean tokenContainsBindings =
-                (!java.util.Arrays.equals(noBindings, remoteBindingBytes));
-
             ChannelBinding localBindings = context.getChannelBinding();
 
-            if (tokenContainsBindings ||
-                localBindings != null) {
+            // Ignore remote channel binding info when not requested at
+            // local side (RFC 4121 4.1.1.2: the acceptor MAY ignore...).
+            //
+            // All major krb5 implementors implement this "MAY",
+            // and some applications depend on it as a workaround
+            // for not having a way to negotiate the use of channel
+            // binding -- the initiator application always uses CB
+            // and hopes the acceptor will ignore the CB if the
+            // acceptor doesn't support CB.
+            if (localBindings != null) {
+                byte[] remoteBindingBytes = new byte[CHECKSUM_BINDINGS_SIZE];
+                System.arraycopy(checksumBytes, 4, remoteBindingBytes, 0,
+                                 CHECKSUM_BINDINGS_SIZE);
 
-                boolean badBindings = false;
-                String errorMessage = null;
-
-                if (tokenContainsBindings &&
-                    localBindings != null) {
+                byte[] noBindings = new byte[CHECKSUM_BINDINGS_SIZE];
+                if (!Arrays.equals(noBindings, remoteBindingBytes)) {
                     byte[] localBindingsBytes =
                         computeChannelBinding(localBindings);
-                    //              System.out.println("ChannelBinding hash: "
-                    //         + getHexBytes(localBindingsBytes));
-                    badBindings =
-                        (!java.util.Arrays.equals(localBindingsBytes,
-                                                remoteBindingBytes));
-                    errorMessage = "Bytes mismatch!";
-                } else if (localBindings == null) {
-                    errorMessage = "ChannelBinding not provided!";
-                    badBindings = true;
+                    if (!Arrays.equals(localBindingsBytes,
+                                                remoteBindingBytes)) {
+                        throw new GSSException(GSSException.BAD_BINDINGS, -1,
+                                               "Bytes mismatch!");
+                    }
                 } else {
-                    errorMessage = "Token missing ChannelBinding!";
-                    badBindings = true;
+                    throw new GSSException(GSSException.BAD_BINDINGS, -1,
+                                           "Token missing ChannelBinding!");
                 }
-
-                if (badBindings)
-                    throw new GSSException(GSSException.BAD_BINDINGS, -1,
-                                           errorMessage);
             }
 
             flags = readLittleEndian(checksumBytes, 20, 4);