I’m using 1.0.1 and it seems there is a slight error in processing the SPNEGO token received from a backend server (a Microsoft Outlook Exchange server).
The process is that my client sends a Negotiate token, obtained from a gss_init_sec_context(). The server responds with another Negotiate token. The authentication is successful, because the server responds with an HTTP 200 along with the token.
However, when I pass the token to gss_init_sec_context() again, the call returns a major error. I traced the code. What happens is that the SPNEGO token is decoded in spnego/init_sec_context.c, function spnego_reply(). The decoded data has result “accept_completed”, which correctly indicates that the context acceptor accepted the token. The response token is an empty string “”.
But spnego_reply only checks if the response token is NULL. If not, it passes the token to another gss_init_context() call. This causes an error because the underlying Kerberos code reports a GSS_S_BAD_STRUCTURE, since obviously there is no Kerberos data.
It seems to me that empty string “” should be treated the same way as NULL in spnego_reply().
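The case described above, as an added example that is not part of the original report and not the project's code: a minimal decoder for a constructed NegTokenResp whose responseToken is a present but zero-length OCTET STRING, followed by a simplified decision step with and without the length check. All names (parse_neg_resp, next_step, SAMPLE_EMPTY) are hypothetical, and only short-form DER lengths are handled.

```c
#include <stddef.h>
#include <stdint.h>

enum { ACCEPT_COMPLETED = 0 };                 /* negState value */
enum action { CTX_ESTABLISHED, CALL_MECH, FAIL };
struct neg_resp { int state; const uint8_t *token; size_t token_len; };
/* Constructed sample: negState accept-completed, responseToken "" */
static const uint8_t SAMPLE_EMPTY[] = { 0xA1, 0x0B, 0x30, 0x09,
    0xA0, 0x03, 0x0A, 0x01, 0x00,   /* [0] ENUMERATED 0 */
    0xA2, 0x02, 0x04, 0x00 };       /* [2] OCTET STRING, length 0 */

/* Consume one TLV header (short-form lengths only); 0 on success. */
static int tlv(const uint8_t **p, const uint8_t *end, uint8_t tag, size_t *len)
{
    if (end - *p < 2 || (*p)[0] != tag || (*p)[1] >= 0x80) return -1;
    *len = (*p)[1]; *p += 2;
    return (size_t)(end - *p) < *len ? -1 : 0;
}

int parse_neg_resp(const uint8_t *buf, size_t n, struct neg_resp *r)
{
    const uint8_t *p = buf, *end = buf + n, *q;
    size_t len, l;
    r->state = -1; r->token = NULL; r->token_len = 0;
    if (tlv(&p, end, 0xA1, &len) || tlv(&p, end, 0x30, &len)) return -1;
    for (end = p + len; p < end; p += len) {   /* walk the SEQUENCE fields */
        uint8_t tag = p[0];
        if (tlv(&p, end, tag, &len)) return -1;
        q = p;
        if (tag == 0xA0) {                     /* negState */
            if (tlv(&q, p + len, 0x0A, &l) || l != 1) return -1;
            r->state = q[0];
        } else if (tag == 0xA2) {              /* responseToken */
            if (tlv(&q, p + len, 0x04, &l)) return -1;
            r->token = q; r->token_len = l;    /* non-NULL even when l == 0 */
        }
    }
    return 0;
}

/* null_only = 1 models the NULL-only check described in the report;
 * 0 applies the suggested handling: a zero-length token means "no token". */
enum action next_step(const struct neg_resp *r, int null_only)
{
    int have_token = r->token != NULL && (null_only || r->token_len > 0);
    if (have_token) return CALL_MECH;  /* token goes to the mechanism */
    return r->state == ACCEPT_COMPLETED ? CTX_ESTABLISHED : FAIL;
}
```

With the NULL-only check the empty token is still handed to the underlying mechanism, which is the step where the report sees GSS_S_BAD_STRUCTURE; with the length check the same input ends the exchange as established.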