Annotation of embedaddon/curl/lib/socks_sspi.c, revision 1.1.1.1
1.1 misho 1: /***************************************************************************
2: * _ _ ____ _
3: * Project ___| | | | _ \| |
4: * / __| | | | |_) | |
5: * | (__| |_| | _ <| |___
6: * \___|\___/|_| \_\_____|
7: *
8: * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
9: * Copyright (C) 2009, 2011, Markus Moeller, <markus_moeller@compuserve.com>
10: *
11: * This software is licensed as described in the file COPYING, which
12: * you should have received as part of this distribution. The terms
13: * are also available at https://curl.haxx.se/docs/copyright.html.
14: *
15: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
16: * copies of the Software, and permit persons to whom the Software is
17: * furnished to do so, under the terms of the COPYING file.
18: *
19: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20: * KIND, either express or implied.
21: *
22: ***************************************************************************/
23:
24: #include "curl_setup.h"
25:
26: #if defined(USE_WINDOWS_SSPI) && !defined(CURL_DISABLE_PROXY)
27:
28: #include "urldata.h"
29: #include "sendf.h"
30: #include "connect.h"
31: #include "strerror.h"
32: #include "timeval.h"
33: #include "socks.h"
34: #include "curl_sspi.h"
35: #include "curl_multibyte.h"
36: #include "warnless.h"
37: #include "strdup.h"
38: /* The last 3 #include files should be in this order */
39: #include "curl_printf.h"
40: #include "curl_memory.h"
41: #include "memdebug.h"
42:
43: /*
44: * Helper sspi error functions.
45: */
46: static int check_sspi_err(struct connectdata *conn,
47: SECURITY_STATUS status,
48: const char *function)
49: {
50: if(status != SEC_E_OK &&
51: status != SEC_I_COMPLETE_AND_CONTINUE &&
52: status != SEC_I_COMPLETE_NEEDED &&
53: status != SEC_I_CONTINUE_NEEDED) {
54: char buffer[STRERROR_LEN];
55: failf(conn->data, "SSPI error: %s failed: %s", function,
56: Curl_sspi_strerror(status, buffer, sizeof(buffer)));
57: return 1;
58: }
59: return 0;
60: }
61:
62: /* This is the SSPI-using version of this function */
63: CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
64: struct connectdata *conn)
65: {
66: struct Curl_easy *data = conn->data;
67: curl_socket_t sock = conn->sock[sockindex];
68: CURLcode code;
69: ssize_t actualread;
70: ssize_t written;
71: int result;
72: /* Needs GSS-API authentication */
73: SECURITY_STATUS status;
74: unsigned long sspi_ret_flags = 0;
75: unsigned char gss_enc;
76: SecBuffer sspi_send_token, sspi_recv_token, sspi_w_token[3];
77: SecBufferDesc input_desc, output_desc, wrap_desc;
78: SecPkgContext_Sizes sspi_sizes;
79: CredHandle cred_handle;
80: CtxtHandle sspi_context;
81: PCtxtHandle context_handle = NULL;
82: SecPkgCredentials_Names names;
83: TimeStamp expiry;
84: char *service_name = NULL;
85: unsigned short us_length;
86: unsigned long qop;
87: unsigned char socksreq[4]; /* room for GSS-API exchange header only */
88: const char *service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
89: data->set.str[STRING_PROXY_SERVICE_NAME] : "rcmd";
90: const size_t service_length = strlen(service);
91:
92: /* GSS-API request looks like
93: * +----+------+-----+----------------+
94: * |VER | MTYP | LEN | TOKEN |
95: * +----+------+----------------------+
96: * | 1 | 1 | 2 | up to 2^16 - 1 |
97: * +----+------+-----+----------------+
98: */
99:
100: /* prepare service name */
101: if(strchr(service, '/')) {
102: service_name = strdup(service);
103: if(!service_name)
104: return CURLE_OUT_OF_MEMORY;
105: }
106: else {
107: service_name = malloc(service_length +
108: strlen(conn->socks_proxy.host.name) + 2);
109: if(!service_name)
110: return CURLE_OUT_OF_MEMORY;
111: msnprintf(service_name, service_length +
112: strlen(conn->socks_proxy.host.name) + 2, "%s/%s",
113: service, conn->socks_proxy.host.name);
114: }
115:
116: input_desc.cBuffers = 1;
117: input_desc.pBuffers = &sspi_recv_token;
118: input_desc.ulVersion = SECBUFFER_VERSION;
119:
120: sspi_recv_token.BufferType = SECBUFFER_TOKEN;
121: sspi_recv_token.cbBuffer = 0;
122: sspi_recv_token.pvBuffer = NULL;
123:
124: output_desc.cBuffers = 1;
125: output_desc.pBuffers = &sspi_send_token;
126: output_desc.ulVersion = SECBUFFER_VERSION;
127:
128: sspi_send_token.BufferType = SECBUFFER_TOKEN;
129: sspi_send_token.cbBuffer = 0;
130: sspi_send_token.pvBuffer = NULL;
131:
132: wrap_desc.cBuffers = 3;
133: wrap_desc.pBuffers = sspi_w_token;
134: wrap_desc.ulVersion = SECBUFFER_VERSION;
135:
136: cred_handle.dwLower = 0;
137: cred_handle.dwUpper = 0;
138:
139: status = s_pSecFn->AcquireCredentialsHandle(NULL,
140: (TCHAR *) TEXT("Kerberos"),
141: SECPKG_CRED_OUTBOUND,
142: NULL,
143: NULL,
144: NULL,
145: NULL,
146: &cred_handle,
147: &expiry);
148:
149: if(check_sspi_err(conn, status, "AcquireCredentialsHandle")) {
150: failf(data, "Failed to acquire credentials.");
151: free(service_name);
152: s_pSecFn->FreeCredentialsHandle(&cred_handle);
153: return CURLE_COULDNT_CONNECT;
154: }
155:
156: (void)curlx_nonblock(sock, FALSE);
157:
158: /* As long as we need to keep sending some context info, and there's no */
159: /* errors, keep sending it... */
160: for(;;) {
161: TCHAR *sname;
162:
163: sname = Curl_convert_UTF8_to_tchar(service_name);
164: if(!sname)
165: return CURLE_OUT_OF_MEMORY;
166:
167: status = s_pSecFn->InitializeSecurityContext(&cred_handle,
168: context_handle,
169: sname,
170: ISC_REQ_MUTUAL_AUTH |
171: ISC_REQ_ALLOCATE_MEMORY |
172: ISC_REQ_CONFIDENTIALITY |
173: ISC_REQ_REPLAY_DETECT,
174: 0,
175: SECURITY_NATIVE_DREP,
176: &input_desc,
177: 0,
178: &sspi_context,
179: &output_desc,
180: &sspi_ret_flags,
181: &expiry);
182:
183: Curl_unicodefree(sname);
184:
185: if(sspi_recv_token.pvBuffer) {
186: s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
187: sspi_recv_token.pvBuffer = NULL;
188: sspi_recv_token.cbBuffer = 0;
189: }
190:
191: if(check_sspi_err(conn, status, "InitializeSecurityContext")) {
192: free(service_name);
193: s_pSecFn->FreeCredentialsHandle(&cred_handle);
194: s_pSecFn->DeleteSecurityContext(&sspi_context);
195: if(sspi_recv_token.pvBuffer)
196: s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
197: failf(data, "Failed to initialise security context.");
198: return CURLE_COULDNT_CONNECT;
199: }
200:
201: if(sspi_send_token.cbBuffer != 0) {
202: socksreq[0] = 1; /* GSS-API subnegotiation version */
203: socksreq[1] = 1; /* authentication message type */
204: us_length = htons((short)sspi_send_token.cbBuffer);
205: memcpy(socksreq + 2, &us_length, sizeof(short));
206:
207: code = Curl_write_plain(conn, sock, (char *)socksreq, 4, &written);
208: if(code || (4 != written)) {
209: failf(data, "Failed to send SSPI authentication request.");
210: free(service_name);
211: if(sspi_send_token.pvBuffer)
212: s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
213: if(sspi_recv_token.pvBuffer)
214: s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
215: s_pSecFn->FreeCredentialsHandle(&cred_handle);
216: s_pSecFn->DeleteSecurityContext(&sspi_context);
217: return CURLE_COULDNT_CONNECT;
218: }
219:
220: code = Curl_write_plain(conn, sock, (char *)sspi_send_token.pvBuffer,
221: sspi_send_token.cbBuffer, &written);
222: if(code || (sspi_send_token.cbBuffer != (size_t)written)) {
223: failf(data, "Failed to send SSPI authentication token.");
224: free(service_name);
225: if(sspi_send_token.pvBuffer)
226: s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
227: if(sspi_recv_token.pvBuffer)
228: s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
229: s_pSecFn->FreeCredentialsHandle(&cred_handle);
230: s_pSecFn->DeleteSecurityContext(&sspi_context);
231: return CURLE_COULDNT_CONNECT;
232: }
233:
234: }
235:
236: if(sspi_send_token.pvBuffer) {
237: s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
238: sspi_send_token.pvBuffer = NULL;
239: }
240: sspi_send_token.cbBuffer = 0;
241:
242: if(sspi_recv_token.pvBuffer) {
243: s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
244: sspi_recv_token.pvBuffer = NULL;
245: }
246: sspi_recv_token.cbBuffer = 0;
247:
248: if(status != SEC_I_CONTINUE_NEEDED)
249: break;
250:
251: /* analyse response */
252:
253: /* GSS-API response looks like
254: * +----+------+-----+----------------+
255: * |VER | MTYP | LEN | TOKEN |
256: * +----+------+----------------------+
257: * | 1 | 1 | 2 | up to 2^16 - 1 |
258: * +----+------+-----+----------------+
259: */
260:
261: result = Curl_blockread_all(conn, sock, (char *)socksreq, 4, &actualread);
262: if(result || (actualread != 4)) {
263: failf(data, "Failed to receive SSPI authentication response.");
264: free(service_name);
265: s_pSecFn->FreeCredentialsHandle(&cred_handle);
266: s_pSecFn->DeleteSecurityContext(&sspi_context);
267: return CURLE_COULDNT_CONNECT;
268: }
269:
270: /* ignore the first (VER) byte */
271: if(socksreq[1] == 255) { /* status / message type */
272: failf(data, "User was rejected by the SOCKS5 server (%u %u).",
273: (unsigned int)socksreq[0], (unsigned int)socksreq[1]);
274: free(service_name);
275: s_pSecFn->FreeCredentialsHandle(&cred_handle);
276: s_pSecFn->DeleteSecurityContext(&sspi_context);
277: return CURLE_COULDNT_CONNECT;
278: }
279:
280: if(socksreq[1] != 1) { /* status / messgae type */
281: failf(data, "Invalid SSPI authentication response type (%u %u).",
282: (unsigned int)socksreq[0], (unsigned int)socksreq[1]);
283: free(service_name);
284: s_pSecFn->FreeCredentialsHandle(&cred_handle);
285: s_pSecFn->DeleteSecurityContext(&sspi_context);
286: return CURLE_COULDNT_CONNECT;
287: }
288:
289: memcpy(&us_length, socksreq + 2, sizeof(short));
290: us_length = ntohs(us_length);
291:
292: sspi_recv_token.cbBuffer = us_length;
293: sspi_recv_token.pvBuffer = malloc(us_length);
294:
295: if(!sspi_recv_token.pvBuffer) {
296: free(service_name);
297: s_pSecFn->FreeCredentialsHandle(&cred_handle);
298: s_pSecFn->DeleteSecurityContext(&sspi_context);
299: return CURLE_OUT_OF_MEMORY;
300: }
301: result = Curl_blockread_all(conn, sock, (char *)sspi_recv_token.pvBuffer,
302: sspi_recv_token.cbBuffer, &actualread);
303:
304: if(result || (actualread != us_length)) {
305: failf(data, "Failed to receive SSPI authentication token.");
306: free(service_name);
307: if(sspi_recv_token.pvBuffer)
308: s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
309: s_pSecFn->FreeCredentialsHandle(&cred_handle);
310: s_pSecFn->DeleteSecurityContext(&sspi_context);
311: return CURLE_COULDNT_CONNECT;
312: }
313:
314: context_handle = &sspi_context;
315: }
316:
317: free(service_name);
318:
319: /* Everything is good so far, user was authenticated! */
320: status = s_pSecFn->QueryCredentialsAttributes(&cred_handle,
321: SECPKG_CRED_ATTR_NAMES,
322: &names);
323: s_pSecFn->FreeCredentialsHandle(&cred_handle);
324: if(check_sspi_err(conn, status, "QueryCredentialAttributes")) {
325: s_pSecFn->DeleteSecurityContext(&sspi_context);
326: s_pSecFn->FreeContextBuffer(names.sUserName);
327: failf(data, "Failed to determine user name.");
328: return CURLE_COULDNT_CONNECT;
329: }
330: infof(data, "SOCKS5 server authencticated user %s with GSS-API.\n",
331: names.sUserName);
332: s_pSecFn->FreeContextBuffer(names.sUserName);
333:
334: /* Do encryption */
335: socksreq[0] = 1; /* GSS-API subnegotiation version */
336: socksreq[1] = 2; /* encryption message type */
337:
338: gss_enc = 0; /* no data protection */
339: /* do confidentiality protection if supported */
340: if(sspi_ret_flags & ISC_REQ_CONFIDENTIALITY)
341: gss_enc = 2;
342: /* else do integrity protection */
343: else if(sspi_ret_flags & ISC_REQ_INTEGRITY)
344: gss_enc = 1;
345:
346: infof(data, "SOCKS5 server supports GSS-API %s data protection.\n",
347: (gss_enc == 0)?"no":((gss_enc == 1)?"integrity":"confidentiality") );
348: /* force to no data protection, avoid encryption/decryption for now */
349: gss_enc = 0;
350: /*
351: * Sending the encryption type in clear seems wrong. It should be
352: * protected with gss_seal()/gss_wrap(). See RFC1961 extract below
353: * The NEC reference implementations on which this is based is
354: * therefore at fault
355: *
356: * +------+------+------+.......................+
357: * + ver | mtyp | len | token |
358: * +------+------+------+.......................+
359: * + 0x01 | 0x02 | 0x02 | up to 2^16 - 1 octets |
360: * +------+------+------+.......................+
361: *
362: * Where:
363: *
364: * - "ver" is the protocol version number, here 1 to represent the
365: * first version of the SOCKS/GSS-API protocol
366: *
367: * - "mtyp" is the message type, here 2 to represent a protection
368: * -level negotiation message
369: *
370: * - "len" is the length of the "token" field in octets
371: *
372: * - "token" is the GSS-API encapsulated protection level
373: *
374: * The token is produced by encapsulating an octet containing the
375: * required protection level using gss_seal()/gss_wrap() with conf_req
376: * set to FALSE. The token is verified using gss_unseal()/
377: * gss_unwrap().
378: *
379: */
380:
381: if(data->set.socks5_gssapi_nec) {
382: us_length = htons((short)1);
383: memcpy(socksreq + 2, &us_length, sizeof(short));
384: }
385: else {
386: status = s_pSecFn->QueryContextAttributes(&sspi_context,
387: SECPKG_ATTR_SIZES,
388: &sspi_sizes);
389: if(check_sspi_err(conn, status, "QueryContextAttributes")) {
390: s_pSecFn->DeleteSecurityContext(&sspi_context);
391: failf(data, "Failed to query security context attributes.");
392: return CURLE_COULDNT_CONNECT;
393: }
394:
395: sspi_w_token[0].cbBuffer = sspi_sizes.cbSecurityTrailer;
396: sspi_w_token[0].BufferType = SECBUFFER_TOKEN;
397: sspi_w_token[0].pvBuffer = malloc(sspi_sizes.cbSecurityTrailer);
398:
399: if(!sspi_w_token[0].pvBuffer) {
400: s_pSecFn->DeleteSecurityContext(&sspi_context);
401: return CURLE_OUT_OF_MEMORY;
402: }
403:
404: sspi_w_token[1].cbBuffer = 1;
405: sspi_w_token[1].pvBuffer = malloc(1);
406: if(!sspi_w_token[1].pvBuffer) {
407: s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
408: s_pSecFn->DeleteSecurityContext(&sspi_context);
409: return CURLE_OUT_OF_MEMORY;
410: }
411:
412: memcpy(sspi_w_token[1].pvBuffer, &gss_enc, 1);
413: sspi_w_token[2].BufferType = SECBUFFER_PADDING;
414: sspi_w_token[2].cbBuffer = sspi_sizes.cbBlockSize;
415: sspi_w_token[2].pvBuffer = malloc(sspi_sizes.cbBlockSize);
416: if(!sspi_w_token[2].pvBuffer) {
417: s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
418: s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
419: s_pSecFn->DeleteSecurityContext(&sspi_context);
420: return CURLE_OUT_OF_MEMORY;
421: }
422: status = s_pSecFn->EncryptMessage(&sspi_context,
423: KERB_WRAP_NO_ENCRYPT,
424: &wrap_desc,
425: 0);
426: if(check_sspi_err(conn, status, "EncryptMessage")) {
427: s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
428: s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
429: s_pSecFn->FreeContextBuffer(sspi_w_token[2].pvBuffer);
430: s_pSecFn->DeleteSecurityContext(&sspi_context);
431: failf(data, "Failed to query security context attributes.");
432: return CURLE_COULDNT_CONNECT;
433: }
434: sspi_send_token.cbBuffer = sspi_w_token[0].cbBuffer
435: + sspi_w_token[1].cbBuffer
436: + sspi_w_token[2].cbBuffer;
437: sspi_send_token.pvBuffer = malloc(sspi_send_token.cbBuffer);
438: if(!sspi_send_token.pvBuffer) {
439: s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
440: s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
441: s_pSecFn->FreeContextBuffer(sspi_w_token[2].pvBuffer);
442: s_pSecFn->DeleteSecurityContext(&sspi_context);
443: return CURLE_OUT_OF_MEMORY;
444: }
445:
446: memcpy(sspi_send_token.pvBuffer, sspi_w_token[0].pvBuffer,
447: sspi_w_token[0].cbBuffer);
448: memcpy((PUCHAR) sspi_send_token.pvBuffer +(int)sspi_w_token[0].cbBuffer,
449: sspi_w_token[1].pvBuffer, sspi_w_token[1].cbBuffer);
450: memcpy((PUCHAR) sspi_send_token.pvBuffer
451: + sspi_w_token[0].cbBuffer
452: + sspi_w_token[1].cbBuffer,
453: sspi_w_token[2].pvBuffer, sspi_w_token[2].cbBuffer);
454:
455: s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
456: sspi_w_token[0].pvBuffer = NULL;
457: sspi_w_token[0].cbBuffer = 0;
458: s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
459: sspi_w_token[1].pvBuffer = NULL;
460: sspi_w_token[1].cbBuffer = 0;
461: s_pSecFn->FreeContextBuffer(sspi_w_token[2].pvBuffer);
462: sspi_w_token[2].pvBuffer = NULL;
463: sspi_w_token[2].cbBuffer = 0;
464:
465: us_length = htons((short)sspi_send_token.cbBuffer);
466: memcpy(socksreq + 2, &us_length, sizeof(short));
467: }
468:
469: code = Curl_write_plain(conn, sock, (char *)socksreq, 4, &written);
470: if(code || (4 != written)) {
471: failf(data, "Failed to send SSPI encryption request.");
472: if(sspi_send_token.pvBuffer)
473: s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
474: s_pSecFn->DeleteSecurityContext(&sspi_context);
475: return CURLE_COULDNT_CONNECT;
476: }
477:
478: if(data->set.socks5_gssapi_nec) {
479: memcpy(socksreq, &gss_enc, 1);
480: code = Curl_write_plain(conn, sock, (char *)socksreq, 1, &written);
481: if(code || (1 != written)) {
482: failf(data, "Failed to send SSPI encryption type.");
483: s_pSecFn->DeleteSecurityContext(&sspi_context);
484: return CURLE_COULDNT_CONNECT;
485: }
486: }
487: else {
488: code = Curl_write_plain(conn, sock, (char *)sspi_send_token.pvBuffer,
489: sspi_send_token.cbBuffer, &written);
490: if(code || (sspi_send_token.cbBuffer != (size_t)written)) {
491: failf(data, "Failed to send SSPI encryption type.");
492: if(sspi_send_token.pvBuffer)
493: s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
494: s_pSecFn->DeleteSecurityContext(&sspi_context);
495: return CURLE_COULDNT_CONNECT;
496: }
497: if(sspi_send_token.pvBuffer)
498: s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
499: }
500:
501: result = Curl_blockread_all(conn, sock, (char *)socksreq, 4, &actualread);
502: if(result || (actualread != 4)) {
503: failf(data, "Failed to receive SSPI encryption response.");
504: s_pSecFn->DeleteSecurityContext(&sspi_context);
505: return CURLE_COULDNT_CONNECT;
506: }
507:
508: /* ignore the first (VER) byte */
509: if(socksreq[1] == 255) { /* status / message type */
510: failf(data, "User was rejected by the SOCKS5 server (%u %u).",
511: (unsigned int)socksreq[0], (unsigned int)socksreq[1]);
512: s_pSecFn->DeleteSecurityContext(&sspi_context);
513: return CURLE_COULDNT_CONNECT;
514: }
515:
516: if(socksreq[1] != 2) { /* status / message type */
517: failf(data, "Invalid SSPI encryption response type (%u %u).",
518: (unsigned int)socksreq[0], (unsigned int)socksreq[1]);
519: s_pSecFn->DeleteSecurityContext(&sspi_context);
520: return CURLE_COULDNT_CONNECT;
521: }
522:
523: memcpy(&us_length, socksreq + 2, sizeof(short));
524: us_length = ntohs(us_length);
525:
526: sspi_w_token[0].cbBuffer = us_length;
527: sspi_w_token[0].pvBuffer = malloc(us_length);
528: if(!sspi_w_token[0].pvBuffer) {
529: s_pSecFn->DeleteSecurityContext(&sspi_context);
530: return CURLE_OUT_OF_MEMORY;
531: }
532:
533: result = Curl_blockread_all(conn, sock, (char *)sspi_w_token[0].pvBuffer,
534: sspi_w_token[0].cbBuffer, &actualread);
535:
536: if(result || (actualread != us_length)) {
537: failf(data, "Failed to receive SSPI encryption type.");
538: s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
539: s_pSecFn->DeleteSecurityContext(&sspi_context);
540: return CURLE_COULDNT_CONNECT;
541: }
542:
543:
544: if(!data->set.socks5_gssapi_nec) {
545: wrap_desc.cBuffers = 2;
546: sspi_w_token[0].BufferType = SECBUFFER_STREAM;
547: sspi_w_token[1].BufferType = SECBUFFER_DATA;
548: sspi_w_token[1].cbBuffer = 0;
549: sspi_w_token[1].pvBuffer = NULL;
550:
551: status = s_pSecFn->DecryptMessage(&sspi_context,
552: &wrap_desc,
553: 0,
554: &qop);
555:
556: if(check_sspi_err(conn, status, "DecryptMessage")) {
557: if(sspi_w_token[0].pvBuffer)
558: s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
559: if(sspi_w_token[1].pvBuffer)
560: s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
561: s_pSecFn->DeleteSecurityContext(&sspi_context);
562: failf(data, "Failed to query security context attributes.");
563: return CURLE_COULDNT_CONNECT;
564: }
565:
566: if(sspi_w_token[1].cbBuffer != 1) {
567: failf(data, "Invalid SSPI encryption response length (%lu).",
568: (unsigned long)sspi_w_token[1].cbBuffer);
569: if(sspi_w_token[0].pvBuffer)
570: s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
571: if(sspi_w_token[1].pvBuffer)
572: s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
573: s_pSecFn->DeleteSecurityContext(&sspi_context);
574: return CURLE_COULDNT_CONNECT;
575: }
576:
577: memcpy(socksreq, sspi_w_token[1].pvBuffer, sspi_w_token[1].cbBuffer);
578: s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
579: s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
580: }
581: else {
582: if(sspi_w_token[0].cbBuffer != 1) {
583: failf(data, "Invalid SSPI encryption response length (%lu).",
584: (unsigned long)sspi_w_token[0].cbBuffer);
585: s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
586: s_pSecFn->DeleteSecurityContext(&sspi_context);
587: return CURLE_COULDNT_CONNECT;
588: }
589: memcpy(socksreq, sspi_w_token[0].pvBuffer, sspi_w_token[0].cbBuffer);
590: s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
591: }
592: (void)curlx_nonblock(sock, TRUE);
593:
594: infof(data, "SOCKS5 access with%s protection granted.\n",
595: (socksreq[0] == 0)?"out GSS-API data":
596: ((socksreq[0] == 1)?" GSS-API integrity":" GSS-API confidentiality"));
597:
598: /* For later use if encryption is required
599: conn->socks5_gssapi_enctype = socksreq[0];
600: if(socksreq[0] != 0)
601: conn->socks5_sspi_context = sspi_context;
602: else {
603: s_pSecFn->DeleteSecurityContext(&sspi_context);
604: conn->socks5_sspi_context = sspi_context;
605: }
606: */
607: return CURLE_OK;
608: }
609: #endif
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to socks_sspi.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib