From 5f64108b70bbcc055b6cf8a224fbaeca22cdbf3e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Jun 2026 12:27:18 +0000
Subject: [PATCH 1/3] Initial plan


From ca487fb1c93016adfcdb1da218920a3d9c8c494c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Jun 2026 12:32:41 +0000
Subject: [PATCH 2/3] fix(credssp): fix grammar in expect message and guard
 empty output token in PubKeyInfo path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix grammar: "an decrypt" → "a decrypt" in exchange_pub_key_auth expect message
- Only advance to PubKeyInfo state when the output token is non-empty;
  if the token is empty and pub_key_auth is absent, return an InvalidToken error
  to match the original single-leg behaviour
---
 src/credssp/mod.rs | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/credssp/mod.rs b/src/credssp/mod.rs
index e0e4858d..c81ecfcb 100644
--- a/src/credssp/mod.rs
+++ b/src/credssp/mod.rs
@@ -497,7 +497,7 @@ impl<C: CredentialsProxy<AuthenticationData = AuthIdentity> + Send> CredSspServe
             .as_ref()
             .unwrap()
             .peer_version
-            .expect("an decrypt public key server function cannot be fired without any incoming TSRequest");
+            .expect("a decrypt public key server function cannot be fired without any incoming TSRequest");
 
         let context = self.context.as_mut().unwrap();
 
@@ -666,9 +666,19 @@ impl<C: CredentialsProxy<AuthenticationData = AuthIdentity> + Send> CredSspServe
 
                             self.state = CredSspState::AuthInfo;
                         } else {
-                            ts_request.nego_tokens = Some(output_token.remove(0).buffer);
-
-                            self.state = CredSspState::PubKeyInfo;
+                            let output = output_token.remove(0).buffer;
+                            if !output.is_empty() {
+                                ts_request.nego_tokens = Some(output);
+                                self.state = CredSspState::PubKeyInfo;
+                            } else {
+                                try_cred_ssp_server!(
+                                    Err(Error::new(
+                                        ErrorKind::InvalidToken,
+                                        String::from("CredSSP server expected an encrypted public key"),
+                                    )),
+                                    ts_request
+                                );
+                            }
                         }
                     }
                     result => {

From 836ee2ab790a4c15f0aabb606b430bd85c43bc0b Mon Sep 17 00:00:00 2001
From: Pavlo Myroniuk <the.best.tvarynka@gmail.com>
Date: Thu, 18 Jun 2026 13:56:00 +0300
Subject: [PATCH 3/3] Update src/credssp/mod.rs

---
 src/credssp/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/credssp/mod.rs b/src/credssp/mod.rs
index c81ecfcb..70412d76 100644
--- a/src/credssp/mod.rs
+++ b/src/credssp/mod.rs
@@ -674,7 +674,7 @@ impl<C: CredentialsProxy<AuthenticationData = AuthIdentity> + Send> CredSspServe
                                 try_cred_ssp_server!(
                                     Err(Error::new(
                                         ErrorKind::InvalidToken,
-                                        String::from("CredSSP server expected an encrypted public key"),
+                                        "CredSSP server error: the security package returned an empty token",
                                     )),
                                     ts_request
                                 );