On Mon, 23 Feb 2009, Brian J. Murrell wrote:

> output_auth_headers() is testing data->state.negotiate.context for validity
> before calling Curl_output_negotiate(conn, proxy) with proxy == TRUE but in
> Curl_output_negotiate() if proxy == TRUE, neg_ctx is set to
> conn->data->state.proxyneg, not conn->data->state.negotiate (which is used
> for the FALSE case).

Ugh, indeed you're right. Looking at this closer, the code checks for a
*server context* unconditionally in output_auth_headers() instead of checking
the proper proxy OR server context...

What about this patch (against current CVS):

diff -u -r1.411 http.c
--- lib/http.c 2 Feb 2009 16:19:23 -0000 1.411
+++ lib/http.c 23 Feb 2009 15:19:13 -0000
@@ -516,6 +516,10 @@
    struct SessionHandle *data = conn->data;
    const char *auth=NULL;
    CURLcode result = CURLE_OK;
+#ifdef HAVE_GSSAPI
+ struct negotiatedata *negdata = proxy?
+ &data->state.proxyneg:&data->state.negotiate;
+#endif

  #ifndef CURL_DISABLE_CRYPTO_AUTH
    (void)request;
@@ -524,14 +528,13 @@

  #ifdef HAVE_GSSAPI
    if((authstatus->picked == CURLAUTH_GSSNEGOTIATE) &&
- data->state.negotiate.context &&
- !GSS_ERROR(data->state.negotiate.status)) {
+ negdata->context && !GSS_ERROR(negdata->status)) {
      auth="GSS-Negotiate";
      result = Curl_output_negotiate(conn, proxy);
      if(result)
        return result;
      authstatus->done = TRUE;
- data->state.negotiate.state = GSS_AUTHSENT;
+ negdata->state = GSS_AUTHSENT;
    }
    else
  #endif

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html