• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /***************************************************************************
2  *                                  _   _ ____  _
3  *  Project                     ___| | | |  _ \| |
4  *                             / __| | | | |_) | |
5  *                            | (__| |_| |  _ <| |___
6  *                             \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
9  * Copyright (C) 2009, 2011, Markus Moeller, <markus_moeller@compuserve.com>
10  *
11  * This software is licensed as described in the file COPYING, which
12  * you should have received as part of this distribution. The terms
13  * are also available at http://curl.haxx.se/docs/copyright.html.
14  *
15  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
16  * copies of the Software, and permit persons to whom the Software is
17  * furnished to do so, under the terms of the COPYING file.
18  *
19  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20  * KIND, either express or implied.
21  *
22  ***************************************************************************/
23 
24 #include "curl_setup.h"
25 
26 #if defined(USE_WINDOWS_SSPI) && !defined(CURL_DISABLE_PROXY)
27 
28 #include "urldata.h"
29 #include "sendf.h"
30 #include "connect.h"
31 #include "strerror.h"
32 #include "timeval.h"
33 #include "socks.h"
34 #include "curl_sspi.h"
35 #include "curl_multibyte.h"
36 #include "warnless.h"
37 #include "curl_printf.h"
38 #include "curl_memory.h"
39 /* The last #include file should be: */
40 #include "memdebug.h"
41 
42 /*
43  * Helper sspi error functions.
44  */
check_sspi_err(struct connectdata * conn,SECURITY_STATUS status,const char * function)45 static int check_sspi_err(struct connectdata *conn,
46                           SECURITY_STATUS status,
47                           const char* function)
48 {
49   if(status != SEC_E_OK &&
50      status != SEC_I_COMPLETE_AND_CONTINUE &&
51      status != SEC_I_COMPLETE_NEEDED &&
52      status != SEC_I_CONTINUE_NEEDED) {
53     failf(conn->data, "SSPI error: %s failed: %s", function,
54           Curl_sspi_strerror(conn, status));
55     return 1;
56   }
57   return 0;
58 }
59 
60 /* This is the SSPI-using version of this function */
Curl_SOCKS5_gssapi_negotiate(int sockindex,struct connectdata * conn)61 CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
62                                       struct connectdata *conn)
63 {
64   struct SessionHandle *data = conn->data;
65   curl_socket_t sock = conn->sock[sockindex];
66   CURLcode code;
67   ssize_t actualread;
68   ssize_t written;
69   int result;
70   /* Needs GSS-API authentication */
71   SECURITY_STATUS status;
72   unsigned long sspi_ret_flags = 0;
73   int gss_enc;
74   SecBuffer sspi_send_token, sspi_recv_token, sspi_w_token[3];
75   SecBufferDesc input_desc, output_desc, wrap_desc;
76   SecPkgContext_Sizes sspi_sizes;
77   CredHandle cred_handle;
78   CtxtHandle sspi_context;
79   PCtxtHandle context_handle = NULL;
80   SecPkgCredentials_Names names;
81   TimeStamp expiry;
82   char *service_name = NULL;
83   unsigned short us_length;
84   unsigned long qop;
85   unsigned char socksreq[4]; /* room for GSS-API exchange header only */
86   char *service = data->set.str[STRING_SOCKS5_GSSAPI_SERVICE];
87 
88   /*   GSS-API request looks like
89    * +----+------+-----+----------------+
90    * |VER | MTYP | LEN |     TOKEN      |
91    * +----+------+----------------------+
92    * | 1  |  1   |  2  | up to 2^16 - 1 |
93    * +----+------+-----+----------------+
94    */
95 
96   /* prepare service name */
97   if(strchr(service, '/')) {
98     service_name = malloc(strlen(service));
99     if(!service_name)
100       return CURLE_OUT_OF_MEMORY;
101     memcpy(service_name, service, strlen(service));
102   }
103   else {
104     service_name = malloc(strlen(service) + strlen(conn->proxy.name) + 2);
105     if(!service_name)
106       return CURLE_OUT_OF_MEMORY;
107     snprintf(service_name, strlen(service) +strlen(conn->proxy.name)+2,
108              "%s/%s", service, conn->proxy.name);
109   }
110 
111   input_desc.cBuffers = 1;
112   input_desc.pBuffers = &sspi_recv_token;
113   input_desc.ulVersion = SECBUFFER_VERSION;
114 
115   sspi_recv_token.BufferType = SECBUFFER_TOKEN;
116   sspi_recv_token.cbBuffer = 0;
117   sspi_recv_token.pvBuffer = NULL;
118 
119   output_desc.cBuffers = 1;
120   output_desc.pBuffers = &sspi_send_token;
121   output_desc.ulVersion = SECBUFFER_VERSION;
122 
123   sspi_send_token.BufferType = SECBUFFER_TOKEN;
124   sspi_send_token.cbBuffer = 0;
125   sspi_send_token.pvBuffer = NULL;
126 
127   wrap_desc.cBuffers = 3;
128   wrap_desc.pBuffers = sspi_w_token;
129   wrap_desc.ulVersion = SECBUFFER_VERSION;
130 
131   cred_handle.dwLower = 0;
132   cred_handle.dwUpper = 0;
133 
134   status = s_pSecFn->AcquireCredentialsHandle(NULL,
135                                               (TCHAR *) TEXT("Kerberos"),
136                                               SECPKG_CRED_OUTBOUND,
137                                               NULL,
138                                               NULL,
139                                               NULL,
140                                               NULL,
141                                               &cred_handle,
142                                               &expiry);
143 
144   if(check_sspi_err(conn, status, "AcquireCredentialsHandle")) {
145     failf(data, "Failed to acquire credentials.");
146     free(service_name);
147     s_pSecFn->FreeCredentialsHandle(&cred_handle);
148     return CURLE_COULDNT_CONNECT;
149   }
150 
151   /* As long as we need to keep sending some context info, and there's no  */
152   /* errors, keep sending it...                                            */
153   for(;;) {
154     TCHAR *sname;
155 
156     sname = Curl_convert_UTF8_to_tchar(service_name);
157     if(!sname)
158       return CURLE_OUT_OF_MEMORY;
159 
160     status = s_pSecFn->InitializeSecurityContext(&cred_handle,
161                                                  context_handle,
162                                                  sname,
163                                                  ISC_REQ_MUTUAL_AUTH |
164                                                  ISC_REQ_ALLOCATE_MEMORY |
165                                                  ISC_REQ_CONFIDENTIALITY |
166                                                  ISC_REQ_REPLAY_DETECT,
167                                                  0,
168                                                  SECURITY_NATIVE_DREP,
169                                                  &input_desc,
170                                                  0,
171                                                  &sspi_context,
172                                                  &output_desc,
173                                                  &sspi_ret_flags,
174                                                  &expiry);
175 
176     Curl_unicodefree(sname);
177 
178     if(sspi_recv_token.pvBuffer) {
179       s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
180       sspi_recv_token.pvBuffer = NULL;
181       sspi_recv_token.cbBuffer = 0;
182     }
183 
184     if(check_sspi_err(conn, status, "InitializeSecurityContext")) {
185       free(service_name);
186       s_pSecFn->FreeCredentialsHandle(&cred_handle);
187       s_pSecFn->DeleteSecurityContext(&sspi_context);
188       if(sspi_recv_token.pvBuffer)
189         s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
190       failf(data, "Failed to initialise security context.");
191       return CURLE_COULDNT_CONNECT;
192     }
193 
194     if(sspi_send_token.cbBuffer != 0) {
195       socksreq[0] = 1;    /* GSS-API subnegotiation version */
196       socksreq[1] = 1;    /* authentication message type */
197       us_length = htons((short)sspi_send_token.cbBuffer);
198       memcpy(socksreq+2, &us_length, sizeof(short));
199 
200       code = Curl_write_plain(conn, sock, (char *)socksreq, 4, &written);
201       if(code || (4 != written)) {
202         failf(data, "Failed to send SSPI authentication request.");
203         free(service_name);
204         if(sspi_send_token.pvBuffer)
205           s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
206         if(sspi_recv_token.pvBuffer)
207           s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
208         s_pSecFn->FreeCredentialsHandle(&cred_handle);
209         s_pSecFn->DeleteSecurityContext(&sspi_context);
210         return CURLE_COULDNT_CONNECT;
211       }
212 
213       code = Curl_write_plain(conn, sock, (char *)sspi_send_token.pvBuffer,
214                               sspi_send_token.cbBuffer, &written);
215       if(code || (sspi_send_token.cbBuffer != (size_t)written)) {
216         failf(data, "Failed to send SSPI authentication token.");
217         free(service_name);
218         if(sspi_send_token.pvBuffer)
219           s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
220         if(sspi_recv_token.pvBuffer)
221           s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
222         s_pSecFn->FreeCredentialsHandle(&cred_handle);
223         s_pSecFn->DeleteSecurityContext(&sspi_context);
224         return CURLE_COULDNT_CONNECT;
225       }
226 
227     }
228 
229     if(sspi_send_token.pvBuffer) {
230       s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
231       sspi_send_token.pvBuffer = NULL;
232     }
233     sspi_send_token.cbBuffer = 0;
234 
235     if(sspi_recv_token.pvBuffer) {
236       s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
237       sspi_recv_token.pvBuffer = NULL;
238     }
239     sspi_recv_token.cbBuffer = 0;
240 
241     if(status != SEC_I_CONTINUE_NEEDED)
242       break;
243 
244     /* analyse response */
245 
246     /*   GSS-API response looks like
247      * +----+------+-----+----------------+
248      * |VER | MTYP | LEN |     TOKEN      |
249      * +----+------+----------------------+
250      * | 1  |  1   |  2  | up to 2^16 - 1 |
251      * +----+------+-----+----------------+
252      */
253 
254     result = Curl_blockread_all(conn, sock, (char *)socksreq, 4, &actualread);
255     if(result || (actualread != 4)) {
256       failf(data, "Failed to receive SSPI authentication response.");
257       free(service_name);
258       s_pSecFn->FreeCredentialsHandle(&cred_handle);
259       s_pSecFn->DeleteSecurityContext(&sspi_context);
260       return CURLE_COULDNT_CONNECT;
261     }
262 
263     /* ignore the first (VER) byte */
264     if(socksreq[1] == 255) { /* status / message type */
265       failf(data, "User was rejected by the SOCKS5 server (%u %u).",
266             (unsigned int)socksreq[0], (unsigned int)socksreq[1]);
267       free(service_name);
268       s_pSecFn->FreeCredentialsHandle(&cred_handle);
269       s_pSecFn->DeleteSecurityContext(&sspi_context);
270       return CURLE_COULDNT_CONNECT;
271     }
272 
273     if(socksreq[1] != 1) { /* status / messgae type */
274       failf(data, "Invalid SSPI authentication response type (%u %u).",
275             (unsigned int)socksreq[0], (unsigned int)socksreq[1]);
276       free(service_name);
277       s_pSecFn->FreeCredentialsHandle(&cred_handle);
278       s_pSecFn->DeleteSecurityContext(&sspi_context);
279       return CURLE_COULDNT_CONNECT;
280     }
281 
282     memcpy(&us_length, socksreq+2, sizeof(short));
283     us_length = ntohs(us_length);
284 
285     sspi_recv_token.cbBuffer = us_length;
286     sspi_recv_token.pvBuffer = malloc(us_length);
287 
288     if(!sspi_recv_token.pvBuffer) {
289       free(service_name);
290       s_pSecFn->FreeCredentialsHandle(&cred_handle);
291       s_pSecFn->DeleteSecurityContext(&sspi_context);
292       return CURLE_OUT_OF_MEMORY;
293     }
294     result = Curl_blockread_all(conn, sock, (char *)sspi_recv_token.pvBuffer,
295                                 sspi_recv_token.cbBuffer, &actualread);
296 
297     if(result || (actualread != us_length)) {
298       failf(data, "Failed to receive SSPI authentication token.");
299       free(service_name);
300       if(sspi_recv_token.pvBuffer)
301         s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
302       s_pSecFn->FreeCredentialsHandle(&cred_handle);
303       s_pSecFn->DeleteSecurityContext(&sspi_context);
304       return CURLE_COULDNT_CONNECT;
305     }
306 
307     context_handle = &sspi_context;
308   }
309 
310   free(service_name);
311 
312   /* Everything is good so far, user was authenticated! */
313   status = s_pSecFn->QueryCredentialsAttributes(&cred_handle,
314                                                 SECPKG_CRED_ATTR_NAMES,
315                                                 &names);
316   s_pSecFn->FreeCredentialsHandle(&cred_handle);
317   if(check_sspi_err(conn, status, "QueryCredentialAttributes")) {
318     s_pSecFn->DeleteSecurityContext(&sspi_context);
319     s_pSecFn->FreeContextBuffer(names.sUserName);
320     failf(data, "Failed to determine user name.");
321     return CURLE_COULDNT_CONNECT;
322   }
323   infof(data, "SOCKS5 server authencticated user %s with GSS-API.\n",
324         names.sUserName);
325   s_pSecFn->FreeContextBuffer(names.sUserName);
326 
327   /* Do encryption */
328   socksreq[0] = 1;    /* GSS-API subnegotiation version */
329   socksreq[1] = 2;    /* encryption message type */
330 
331   gss_enc = 0; /* no data protection */
332   /* do confidentiality protection if supported */
333   if(sspi_ret_flags & ISC_REQ_CONFIDENTIALITY)
334     gss_enc = 2;
335   /* else do integrity protection */
336   else if(sspi_ret_flags & ISC_REQ_INTEGRITY)
337     gss_enc = 1;
338 
339   infof(data, "SOCKS5 server supports GSS-API %s data protection.\n",
340         (gss_enc==0)?"no":((gss_enc==1)?"integrity":"confidentiality") );
341   /* force to no data protection, avoid encryption/decryption for now */
342   gss_enc = 0;
343   /*
344    * Sending the encryption type in clear seems wrong. It should be
345    * protected with gss_seal()/gss_wrap(). See RFC1961 extract below
346    * The NEC reference implementations on which this is based is
347    * therefore at fault
348    *
349    *  +------+------+------+.......................+
350    *  + ver  | mtyp | len  |   token               |
351    *  +------+------+------+.......................+
352    *  + 0x01 | 0x02 | 0x02 | up to 2^16 - 1 octets |
353    *  +------+------+------+.......................+
354    *
355    *   Where:
356    *
357    *  - "ver" is the protocol version number, here 1 to represent the
358    *    first version of the SOCKS/GSS-API protocol
359    *
360    *  - "mtyp" is the message type, here 2 to represent a protection
361    *    -level negotiation message
362    *
363    *  - "len" is the length of the "token" field in octets
364    *
365    *  - "token" is the GSS-API encapsulated protection level
366    *
367    * The token is produced by encapsulating an octet containing the
368    * required protection level using gss_seal()/gss_wrap() with conf_req
369    * set to FALSE.  The token is verified using gss_unseal()/
370    * gss_unwrap().
371    *
372    */
373 
374   if(data->set.socks5_gssapi_nec) {
375     us_length = htons((short)1);
376     memcpy(socksreq+2, &us_length, sizeof(short));
377   }
378   else {
379     status = s_pSecFn->QueryContextAttributes(&sspi_context,
380                                               SECPKG_ATTR_SIZES,
381                                               &sspi_sizes);
382     if(check_sspi_err(conn, status, "QueryContextAttributes")) {
383       s_pSecFn->DeleteSecurityContext(&sspi_context);
384       failf(data, "Failed to query security context attributes.");
385       return CURLE_COULDNT_CONNECT;
386     }
387 
388     sspi_w_token[0].cbBuffer = sspi_sizes.cbSecurityTrailer;
389     sspi_w_token[0].BufferType = SECBUFFER_TOKEN;
390     sspi_w_token[0].pvBuffer = malloc(sspi_sizes.cbSecurityTrailer);
391 
392     if(!sspi_w_token[0].pvBuffer) {
393       s_pSecFn->DeleteSecurityContext(&sspi_context);
394       return CURLE_OUT_OF_MEMORY;
395     }
396 
397     sspi_w_token[1].cbBuffer = 1;
398     sspi_w_token[1].pvBuffer = malloc(1);
399     if(!sspi_w_token[1].pvBuffer) {
400       s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
401       s_pSecFn->DeleteSecurityContext(&sspi_context);
402       return CURLE_OUT_OF_MEMORY;
403     }
404 
405     memcpy(sspi_w_token[1].pvBuffer, &gss_enc, 1);
406     sspi_w_token[2].BufferType = SECBUFFER_PADDING;
407     sspi_w_token[2].cbBuffer = sspi_sizes.cbBlockSize;
408     sspi_w_token[2].pvBuffer = malloc(sspi_sizes.cbBlockSize);
409     if(!sspi_w_token[2].pvBuffer) {
410       s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
411       s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
412       s_pSecFn->DeleteSecurityContext(&sspi_context);
413       return CURLE_OUT_OF_MEMORY;
414     }
415     status = s_pSecFn->EncryptMessage(&sspi_context,
416                                       KERB_WRAP_NO_ENCRYPT,
417                                       &wrap_desc,
418                                       0);
419     if(check_sspi_err(conn, status, "EncryptMessage")) {
420       s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
421       s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
422       s_pSecFn->FreeContextBuffer(sspi_w_token[2].pvBuffer);
423       s_pSecFn->DeleteSecurityContext(&sspi_context);
424       failf(data, "Failed to query security context attributes.");
425       return CURLE_COULDNT_CONNECT;
426     }
427     sspi_send_token.cbBuffer = sspi_w_token[0].cbBuffer
428       + sspi_w_token[1].cbBuffer
429       + sspi_w_token[2].cbBuffer;
430     sspi_send_token.pvBuffer = malloc(sspi_send_token.cbBuffer);
431     if(!sspi_send_token.pvBuffer) {
432       s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
433       s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
434       s_pSecFn->FreeContextBuffer(sspi_w_token[2].pvBuffer);
435       s_pSecFn->DeleteSecurityContext(&sspi_context);
436       return CURLE_OUT_OF_MEMORY;
437     }
438 
439     memcpy(sspi_send_token.pvBuffer, sspi_w_token[0].pvBuffer,
440            sspi_w_token[0].cbBuffer);
441     memcpy((PUCHAR) sspi_send_token.pvBuffer +(int)sspi_w_token[0].cbBuffer,
442            sspi_w_token[1].pvBuffer, sspi_w_token[1].cbBuffer);
443     memcpy((PUCHAR) sspi_send_token.pvBuffer
444            +sspi_w_token[0].cbBuffer
445            +sspi_w_token[1].cbBuffer,
446            sspi_w_token[2].pvBuffer, sspi_w_token[2].cbBuffer);
447 
448     s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
449     sspi_w_token[0].pvBuffer = NULL;
450     sspi_w_token[0].cbBuffer = 0;
451     s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
452     sspi_w_token[1].pvBuffer = NULL;
453     sspi_w_token[1].cbBuffer = 0;
454     s_pSecFn->FreeContextBuffer(sspi_w_token[2].pvBuffer);
455     sspi_w_token[2].pvBuffer = NULL;
456     sspi_w_token[2].cbBuffer = 0;
457 
458     us_length = htons((short)sspi_send_token.cbBuffer);
459     memcpy(socksreq+2, &us_length, sizeof(short));
460   }
461 
462   code = Curl_write_plain(conn, sock, (char *)socksreq, 4, &written);
463   if(code || (4 != written)) {
464     failf(data, "Failed to send SSPI encryption request.");
465     if(sspi_send_token.pvBuffer)
466       s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
467     s_pSecFn->DeleteSecurityContext(&sspi_context);
468     return CURLE_COULDNT_CONNECT;
469   }
470 
471   if(data->set.socks5_gssapi_nec) {
472     memcpy(socksreq, &gss_enc, 1);
473     code = Curl_write_plain(conn, sock, (char *)socksreq, 1, &written);
474     if(code || (1 != written)) {
475       failf(data, "Failed to send SSPI encryption type.");
476       s_pSecFn->DeleteSecurityContext(&sspi_context);
477       return CURLE_COULDNT_CONNECT;
478     }
479   }
480   else {
481     code = Curl_write_plain(conn, sock, (char *)sspi_send_token.pvBuffer,
482                             sspi_send_token.cbBuffer, &written);
483     if(code || (sspi_send_token.cbBuffer != (size_t)written)) {
484       failf(data, "Failed to send SSPI encryption type.");
485       if(sspi_send_token.pvBuffer)
486         s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
487       s_pSecFn->DeleteSecurityContext(&sspi_context);
488       return CURLE_COULDNT_CONNECT;
489     }
490     if(sspi_send_token.pvBuffer)
491       s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
492   }
493 
494   result = Curl_blockread_all(conn, sock, (char *)socksreq, 4, &actualread);
495   if(result || (actualread != 4)) {
496     failf(data, "Failed to receive SSPI encryption response.");
497     s_pSecFn->DeleteSecurityContext(&sspi_context);
498     return CURLE_COULDNT_CONNECT;
499   }
500 
501   /* ignore the first (VER) byte */
502   if(socksreq[1] == 255) { /* status / message type */
503     failf(data, "User was rejected by the SOCKS5 server (%u %u).",
504           (unsigned int)socksreq[0], (unsigned int)socksreq[1]);
505     s_pSecFn->DeleteSecurityContext(&sspi_context);
506     return CURLE_COULDNT_CONNECT;
507   }
508 
509   if(socksreq[1] != 2) { /* status / message type */
510     failf(data, "Invalid SSPI encryption response type (%u %u).",
511           (unsigned int)socksreq[0], (unsigned int)socksreq[1]);
512     s_pSecFn->DeleteSecurityContext(&sspi_context);
513     return CURLE_COULDNT_CONNECT;
514   }
515 
516   memcpy(&us_length, socksreq+2, sizeof(short));
517   us_length = ntohs(us_length);
518 
519   sspi_w_token[0].cbBuffer = us_length;
520   sspi_w_token[0].pvBuffer = malloc(us_length);
521   if(!sspi_w_token[0].pvBuffer) {
522     s_pSecFn->DeleteSecurityContext(&sspi_context);
523     return CURLE_OUT_OF_MEMORY;
524   }
525 
526   result = Curl_blockread_all(conn, sock, (char *)sspi_w_token[0].pvBuffer,
527                               sspi_w_token[0].cbBuffer, &actualread);
528 
529   if(result || (actualread != us_length)) {
530     failf(data, "Failed to receive SSPI encryption type.");
531     s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
532     s_pSecFn->DeleteSecurityContext(&sspi_context);
533     return CURLE_COULDNT_CONNECT;
534   }
535 
536 
537   if(!data->set.socks5_gssapi_nec) {
538     wrap_desc.cBuffers = 2;
539     sspi_w_token[0].BufferType = SECBUFFER_STREAM;
540     sspi_w_token[1].BufferType = SECBUFFER_DATA;
541     sspi_w_token[1].cbBuffer = 0;
542     sspi_w_token[1].pvBuffer = NULL;
543 
544     status = s_pSecFn->DecryptMessage(&sspi_context,
545                                       &wrap_desc,
546                                       0,
547                                       &qop);
548 
549     if(check_sspi_err(conn, status, "DecryptMessage")) {
550       if(sspi_w_token[0].pvBuffer)
551         s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
552       if(sspi_w_token[1].pvBuffer)
553         s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
554       s_pSecFn->DeleteSecurityContext(&sspi_context);
555       failf(data, "Failed to query security context attributes.");
556       return CURLE_COULDNT_CONNECT;
557     }
558 
559     if(sspi_w_token[1].cbBuffer != 1) {
560       failf(data, "Invalid SSPI encryption response length (%lu).",
561             (unsigned long)sspi_w_token[1].cbBuffer);
562       if(sspi_w_token[0].pvBuffer)
563         s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
564       if(sspi_w_token[1].pvBuffer)
565         s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
566       s_pSecFn->DeleteSecurityContext(&sspi_context);
567       return CURLE_COULDNT_CONNECT;
568     }
569 
570     memcpy(socksreq, sspi_w_token[1].pvBuffer, sspi_w_token[1].cbBuffer);
571     s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
572     s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
573   }
574   else {
575     if(sspi_w_token[0].cbBuffer != 1) {
576       failf(data, "Invalid SSPI encryption response length (%lu).",
577             (unsigned long)sspi_w_token[0].cbBuffer);
578       s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
579       s_pSecFn->DeleteSecurityContext(&sspi_context);
580       return CURLE_COULDNT_CONNECT;
581     }
582     memcpy(socksreq, sspi_w_token[0].pvBuffer, sspi_w_token[0].cbBuffer);
583     s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
584   }
585 
586   infof(data, "SOCKS5 access with%s protection granted.\n",
587         (socksreq[0]==0)?"out GSS-API data":
588         ((socksreq[0]==1)?" GSS-API integrity":" GSS-API confidentiality"));
589 
590   /* For later use if encryption is required
591      conn->socks5_gssapi_enctype = socksreq[0];
592      if(socksreq[0] != 0)
593        conn->socks5_sspi_context = sspi_context;
594      else {
595        s_pSecFn->DeleteSecurityContext(&sspi_context);
596        conn->socks5_sspi_context = sspi_context;
597      }
598   */
599   return CURLE_OK;
600 }
601 #endif
602