authorRobert Godfrey <rgodfrey@apache.org>2014-08-04 15:44:18 +0000
committerRobert Godfrey <rgodfrey@apache.org>2014-08-04 15:44:18 +0000
commit70165e5ee01fcd070aa0a67deaa3b79d5b3d326a (patch)
treeec2de722f17a6e9e210202e2aa36cd1f48187946 /qpid/java
parentdb0a2faff34a764fc5ac63186f3805197c47d712 (diff)
QPID-5639, QPID-5878 : Ensure that the client gets a chance to evaluate the server proof for SCRAM-SHA* mechanisms
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1615620 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java')
-rw-r--r--qpid/java/amqp-1-0-common/src/main/java/org/apache/qpid/amqp_1_0/transport/ConnectionEndpoint.java2
-rw-r--r--qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java2
-rw-r--r--qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java6
-rw-r--r--qpid/java/client/src/main/java/org/apache/qpid/client/security/scram/AbstractScramSaslClient.java2
4 files changed, 9 insertions, 3 deletions
diff --git a/qpid/java/amqp-1-0-common/src/main/java/org/apache/qpid/amqp_1_0/transport/ConnectionEndpoint.java b/qpid/java/amqp-1-0-common/src/main/java/org/apache/qpid/amqp_1_0/transport/ConnectionEndpoint.java
index e47e4a3507..9e7e4afeb2 100644
--- a/qpid/java/amqp-1-0-common/src/main/java/org/apache/qpid/amqp_1_0/transport/ConnectionEndpoint.java
+++ b/qpid/java/amqp-1-0-common/src/main/java/org/apache/qpid/amqp_1_0/transport/ConnectionEndpoint.java
@@ -1414,7 +1414,7 @@ public class ConnectionEndpoint implements DescribedTypeConstructorRegistry.Sour
break;
case CLIENT_PROOF_SENT:
evaluateOutcome(challenge);
- response = null;
+ response = new byte[0];
_state = State.COMPLETE;
break;
default:
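Review bot: The switch from `null` to `new byte[0]` in the `CLIENT_PROOF_SENT` case is protocol-significant, but nothing at the assignment says so, and a later cleanup could easily revert it. Judging by the commit title and the new `COMPLETE` case in ScramSaslServer, the empty array is presumably what makes the client send a final empty response after `evaluateOutcome(challenge)` has checked the server's final message. I would add a comment such as `// empty, not null: a final empty response must be sent once the server proof has been evaluated`. The identical hunk in AbstractScramSaslClient needs the same comment, and since both files carry the same state machine it is worth checking whether one can delegate to the other. The enclosing switch starts and ends outside the hunk.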
diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
index d95824d94c..152a9086ec 100644
--- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
+++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
@@ -110,7 +110,7 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram
// Process response from the client
byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]);
- if (server.isComplete())
+ if (server.isComplete() && (challenge == null || challenge.length == 0))
{
final String userId = server.getAuthorizationID();
return new AuthenticationResult(new UsernamePrincipal(userId));
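Review bot: The added `challenge == null || challenge.length == 0` test is what keeps the broker from reporting success in the same step that produces the server-final message, yet the condition carries no explanation. A comment above the `if` would help, e.g. `// success only once no challenge is pending, so the server-final message reaches the client first`. It is also worth confirming that the branch taken when `isComplete()` is true but a challenge is still pending returns that challenge to the client; that code is outside the hunk.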
diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
index f510ec32d8..149f7313ff 100644
--- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
+++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
@@ -91,6 +91,12 @@ public class ScramSaslServer implements SaslServer
challenge = generateServerFinalMessage(response);
_state = State.COMPLETE;
break;
+ case COMPLETE:
+ if(response == null || response.length == 0)
+ {
+ challenge = new byte[0];
+ break;
+ }
default:
throw new SaslException("No response expected in state " + _state);
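Review bot: `case COMPLETE:` reaches the `default:` throw by falling through when the response is non-empty, and nothing marks that as intentional. In an authentication state machine, a case later inserted between the two would silently change how data arriving after completion is handled. Either add `// fall through: data after completion is a protocol error` before `default:`, or make the rejection explicit with an `else` branch that throws the same `SaslException`. The switch begins outside the hunk.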
diff --git a/qpid/java/client/src/main/java/org/apache/qpid/client/security/scram/AbstractScramSaslClient.java b/qpid/java/client/src/main/java/org/apache/qpid/client/security/scram/AbstractScramSaslClient.java
index 1e67567b8b..735fb4fb7f 100644
--- a/qpid/java/client/src/main/java/org/apache/qpid/client/security/scram/AbstractScramSaslClient.java
+++ b/qpid/java/client/src/main/java/org/apache/qpid/client/security/scram/AbstractScramSaslClient.java
@@ -112,7 +112,7 @@ public abstract class AbstractScramSaslClient implements SaslClient
break;
case CLIENT_PROOF_SENT:
evaluateOutcome(challenge);
- response = null;
+ response = new byte[0];
_state = State.COMPLETE;
break;
default: