socks_sspi.c 22 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 2012 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. * Copyright (C) 2012, 2011, Markus Moeller, <markus_moeller@compuserve.com>
  10. *
  11. * This software is licensed as described in the file COPYING, which
  12. * you should have received as part of this distribution. The terms
  13. * are also available at https://curl.se/docs/copyright.html.
  14. *
  15. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  16. * copies of the Software, and permit persons to whom the Software is
  17. * furnished to do so, under the terms of the COPYING file.
  18. *
  19. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  20. * KIND, either express or implied.
  21. *
  22. * SPDX-License-Identifier: curl
  23. *
  24. ***************************************************************************/
  25. #include "curl_setup.h"
  26. #if defined(USE_WINDOWS_SSPI) && !defined(CURL_DISABLE_PROXY)
  27. #include "urldata.h"
  28. #include "sendf.h"
  29. #include "connect.h"
  30. #include "strerror.h"
  31. #include "timeval.h"
  32. #include "socks.h"
  33. #include "curl_sspi.h"
  34. #include "curl_multibyte.h"
  35. #include "warnless.h"
  36. #include "strdup.h"
  37. /* The last 3 #include files should be in this order */
  38. #include "curl_printf.h"
  39. #include "curl_memory.h"
  40. #include "memdebug.h"
  41. /*
  42. * Helper sspi error functions.
  43. */
  44. static int check_sspi_err(struct Curl_easy *data,
  45. SECURITY_STATUS status,
  46. const char *function)
  47. {
  48. if(status != SEC_E_OK &&
  49. status != SEC_I_COMPLETE_AND_CONTINUE &&
  50. status != SEC_I_COMPLETE_NEEDED &&
  51. status != SEC_I_CONTINUE_NEEDED) {
  52. char buffer[STRERROR_LEN];
  53. failf(data, "SSPI error: %s failed: %s", function,
  54. Curl_sspi_strerror(status, buffer, sizeof(buffer)));
  55. return 1;
  56. }
  57. return 0;
  58. }
  59. /* This is the SSPI-using version of this function */
  60. CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
  61. struct Curl_easy *data)
  62. {
  63. struct connectdata *conn = data->conn;
  64. curl_socket_t sock = conn->sock[sockindex];
  65. CURLcode code;
  66. ssize_t actualread;
  67. ssize_t written;
  68. int result;
  69. /* Needs GSS-API authentication */
  70. SECURITY_STATUS status;
  71. unsigned long sspi_ret_flags = 0;
  72. unsigned char gss_enc;
  73. SecBuffer sspi_send_token, sspi_recv_token, sspi_w_token[3];
  74. SecBufferDesc input_desc, output_desc, wrap_desc;
  75. SecPkgContext_Sizes sspi_sizes;
  76. CredHandle cred_handle;
  77. CtxtHandle sspi_context;
  78. PCtxtHandle context_handle = NULL;
  79. SecPkgCredentials_Names names;
  80. TimeStamp expiry;
  81. char *service_name = NULL;
  82. unsigned short us_length;
  83. unsigned long qop;
  84. unsigned char socksreq[4]; /* room for GSS-API exchange header only */
  85. const char *service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
  86. data->set.str[STRING_PROXY_SERVICE_NAME] : "rcmd";
  87. const size_t service_length = strlen(service);
  88. /* GSS-API request looks like
  89. * +----+------+-----+----------------+
  90. * |VER | MTYP | LEN | TOKEN |
  91. * +----+------+----------------------+
  92. * | 1 | 1 | 2 | up to 2^16 - 1 |
  93. * +----+------+-----+----------------+
  94. */
  95. /* prepare service name */
  96. if(strchr(service, '/')) {
  97. service_name = strdup(service);
  98. if(!service_name)
  99. return CURLE_OUT_OF_MEMORY;
  100. }
  101. else {
  102. service_name = malloc(service_length +
  103. strlen(conn->socks_proxy.host.name) + 2);
  104. if(!service_name)
  105. return CURLE_OUT_OF_MEMORY;
  106. msnprintf(service_name, service_length +
  107. strlen(conn->socks_proxy.host.name) + 2, "%s/%s",
  108. service, conn->socks_proxy.host.name);
  109. }
  110. input_desc.cBuffers = 1;
  111. input_desc.pBuffers = &sspi_recv_token;
  112. input_desc.ulVersion = SECBUFFER_VERSION;
  113. sspi_recv_token.BufferType = SECBUFFER_TOKEN;
  114. sspi_recv_token.cbBuffer = 0;
  115. sspi_recv_token.pvBuffer = NULL;
  116. output_desc.cBuffers = 1;
  117. output_desc.pBuffers = &sspi_send_token;
  118. output_desc.ulVersion = SECBUFFER_VERSION;
  119. sspi_send_token.BufferType = SECBUFFER_TOKEN;
  120. sspi_send_token.cbBuffer = 0;
  121. sspi_send_token.pvBuffer = NULL;
  122. wrap_desc.cBuffers = 3;
  123. wrap_desc.pBuffers = sspi_w_token;
  124. wrap_desc.ulVersion = SECBUFFER_VERSION;
  125. cred_handle.dwLower = 0;
  126. cred_handle.dwUpper = 0;
  127. status = s_pSecFn->AcquireCredentialsHandle(NULL,
  128. (TCHAR *) TEXT("Kerberos"),
  129. SECPKG_CRED_OUTBOUND,
  130. NULL,
  131. NULL,
  132. NULL,
  133. NULL,
  134. &cred_handle,
  135. &expiry);
  136. if(check_sspi_err(data, status, "AcquireCredentialsHandle")) {
  137. failf(data, "Failed to acquire credentials.");
  138. free(service_name);
  139. s_pSecFn->FreeCredentialsHandle(&cred_handle);
  140. return CURLE_COULDNT_CONNECT;
  141. }
  142. (void)curlx_nonblock(sock, FALSE);
  143. /* As long as we need to keep sending some context info, and there's no */
  144. /* errors, keep sending it... */
  145. for(;;) {
  146. TCHAR *sname;
  147. sname = curlx_convert_UTF8_to_tchar(service_name);
  148. if(!sname)
  149. return CURLE_OUT_OF_MEMORY;
  150. status = s_pSecFn->InitializeSecurityContext(&cred_handle,
  151. context_handle,
  152. sname,
  153. ISC_REQ_MUTUAL_AUTH |
  154. ISC_REQ_ALLOCATE_MEMORY |
  155. ISC_REQ_CONFIDENTIALITY |
  156. ISC_REQ_REPLAY_DETECT,
  157. 0,
  158. SECURITY_NATIVE_DREP,
  159. &input_desc,
  160. 0,
  161. &sspi_context,
  162. &output_desc,
  163. &sspi_ret_flags,
  164. &expiry);
  165. curlx_unicodefree(sname);
  166. if(sspi_recv_token.pvBuffer) {
  167. s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
  168. sspi_recv_token.pvBuffer = NULL;
  169. sspi_recv_token.cbBuffer = 0;
  170. }
  171. if(check_sspi_err(data, status, "InitializeSecurityContext")) {
  172. free(service_name);
  173. s_pSecFn->FreeCredentialsHandle(&cred_handle);
  174. s_pSecFn->DeleteSecurityContext(&sspi_context);
  175. if(sspi_recv_token.pvBuffer)
  176. s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
  177. failf(data, "Failed to initialise security context.");
  178. return CURLE_COULDNT_CONNECT;
  179. }
  180. if(sspi_send_token.cbBuffer) {
  181. socksreq[0] = 1; /* GSS-API subnegotiation version */
  182. socksreq[1] = 1; /* authentication message type */
  183. us_length = htons((short)sspi_send_token.cbBuffer);
  184. memcpy(socksreq + 2, &us_length, sizeof(short));
  185. code = Curl_write_plain(data, sock, (char *)socksreq, 4, &written);
  186. if(code || (4 != written)) {
  187. failf(data, "Failed to send SSPI authentication request.");
  188. free(service_name);
  189. if(sspi_send_token.pvBuffer)
  190. s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
  191. if(sspi_recv_token.pvBuffer)
  192. s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
  193. s_pSecFn->FreeCredentialsHandle(&cred_handle);
  194. s_pSecFn->DeleteSecurityContext(&sspi_context);
  195. return CURLE_COULDNT_CONNECT;
  196. }
  197. code = Curl_write_plain(data, sock, (char *)sspi_send_token.pvBuffer,
  198. sspi_send_token.cbBuffer, &written);
  199. if(code || (sspi_send_token.cbBuffer != (size_t)written)) {
  200. failf(data, "Failed to send SSPI authentication token.");
  201. free(service_name);
  202. if(sspi_send_token.pvBuffer)
  203. s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
  204. if(sspi_recv_token.pvBuffer)
  205. s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
  206. s_pSecFn->FreeCredentialsHandle(&cred_handle);
  207. s_pSecFn->DeleteSecurityContext(&sspi_context);
  208. return CURLE_COULDNT_CONNECT;
  209. }
  210. }
  211. if(sspi_send_token.pvBuffer) {
  212. s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
  213. sspi_send_token.pvBuffer = NULL;
  214. }
  215. sspi_send_token.cbBuffer = 0;
  216. if(sspi_recv_token.pvBuffer) {
  217. s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
  218. sspi_recv_token.pvBuffer = NULL;
  219. }
  220. sspi_recv_token.cbBuffer = 0;
  221. if(status != SEC_I_CONTINUE_NEEDED)
  222. break;
  223. /* analyse response */
  224. /* GSS-API response looks like
  225. * +----+------+-----+----------------+
  226. * |VER | MTYP | LEN | TOKEN |
  227. * +----+------+----------------------+
  228. * | 1 | 1 | 2 | up to 2^16 - 1 |
  229. * +----+------+-----+----------------+
  230. */
  231. result = Curl_blockread_all(data, sock, (char *)socksreq, 4, &actualread);
  232. if(result || (actualread != 4)) {
  233. failf(data, "Failed to receive SSPI authentication response.");
  234. free(service_name);
  235. s_pSecFn->FreeCredentialsHandle(&cred_handle);
  236. s_pSecFn->DeleteSecurityContext(&sspi_context);
  237. return CURLE_COULDNT_CONNECT;
  238. }
  239. /* ignore the first (VER) byte */
  240. if(socksreq[1] == 255) { /* status / message type */
  241. failf(data, "User was rejected by the SOCKS5 server (%u %u).",
  242. (unsigned int)socksreq[0], (unsigned int)socksreq[1]);
  243. free(service_name);
  244. s_pSecFn->FreeCredentialsHandle(&cred_handle);
  245. s_pSecFn->DeleteSecurityContext(&sspi_context);
  246. return CURLE_COULDNT_CONNECT;
  247. }
  248. if(socksreq[1] != 1) { /* status / message type */
  249. failf(data, "Invalid SSPI authentication response type (%u %u).",
  250. (unsigned int)socksreq[0], (unsigned int)socksreq[1]);
  251. free(service_name);
  252. s_pSecFn->FreeCredentialsHandle(&cred_handle);
  253. s_pSecFn->DeleteSecurityContext(&sspi_context);
  254. return CURLE_COULDNT_CONNECT;
  255. }
  256. memcpy(&us_length, socksreq + 2, sizeof(short));
  257. us_length = ntohs(us_length);
  258. sspi_recv_token.cbBuffer = us_length;
  259. sspi_recv_token.pvBuffer = malloc(us_length);
  260. if(!sspi_recv_token.pvBuffer) {
  261. free(service_name);
  262. s_pSecFn->FreeCredentialsHandle(&cred_handle);
  263. s_pSecFn->DeleteSecurityContext(&sspi_context);
  264. return CURLE_OUT_OF_MEMORY;
  265. }
  266. result = Curl_blockread_all(data, sock, (char *)sspi_recv_token.pvBuffer,
  267. sspi_recv_token.cbBuffer, &actualread);
  268. if(result || (actualread != us_length)) {
  269. failf(data, "Failed to receive SSPI authentication token.");
  270. free(service_name);
  271. if(sspi_recv_token.pvBuffer)
  272. s_pSecFn->FreeContextBuffer(sspi_recv_token.pvBuffer);
  273. s_pSecFn->FreeCredentialsHandle(&cred_handle);
  274. s_pSecFn->DeleteSecurityContext(&sspi_context);
  275. return CURLE_COULDNT_CONNECT;
  276. }
  277. context_handle = &sspi_context;
  278. }
  279. free(service_name);
  280. /* Everything is good so far, user was authenticated! */
  281. status = s_pSecFn->QueryCredentialsAttributes(&cred_handle,
  282. SECPKG_CRED_ATTR_NAMES,
  283. &names);
  284. s_pSecFn->FreeCredentialsHandle(&cred_handle);
  285. if(check_sspi_err(data, status, "QueryCredentialAttributes")) {
  286. s_pSecFn->DeleteSecurityContext(&sspi_context);
  287. s_pSecFn->FreeContextBuffer(names.sUserName);
  288. failf(data, "Failed to determine user name.");
  289. return CURLE_COULDNT_CONNECT;
  290. }
  291. infof(data, "SOCKS5 server authenticated user %s with GSS-API.",
  292. names.sUserName);
  293. s_pSecFn->FreeContextBuffer(names.sUserName);
  294. /* Do encryption */
  295. socksreq[0] = 1; /* GSS-API subnegotiation version */
  296. socksreq[1] = 2; /* encryption message type */
  297. gss_enc = 0; /* no data protection */
  298. /* do confidentiality protection if supported */
  299. if(sspi_ret_flags & ISC_REQ_CONFIDENTIALITY)
  300. gss_enc = 2;
  301. /* else do integrity protection */
  302. else if(sspi_ret_flags & ISC_REQ_INTEGRITY)
  303. gss_enc = 1;
  304. infof(data, "SOCKS5 server supports GSS-API %s data protection.",
  305. (gss_enc == 0)?"no":((gss_enc == 1)?"integrity":"confidentiality") );
  306. /* force to no data protection, avoid encryption/decryption for now */
  307. gss_enc = 0;
  308. /*
  309. * Sending the encryption type in clear seems wrong. It should be
  310. * protected with gss_seal()/gss_wrap(). See RFC1961 extract below
  311. * The NEC reference implementations on which this is based is
  312. * therefore at fault
  313. *
  314. * +------+------+------+.......................+
  315. * + ver | mtyp | len | token |
  316. * +------+------+------+.......................+
  317. * + 0x01 | 0x02 | 0x02 | up to 2^16 - 1 octets |
  318. * +------+------+------+.......................+
  319. *
  320. * Where:
  321. *
  322. * - "ver" is the protocol version number, here 1 to represent the
  323. * first version of the SOCKS/GSS-API protocol
  324. *
  325. * - "mtyp" is the message type, here 2 to represent a protection
  326. * -level negotiation message
  327. *
  328. * - "len" is the length of the "token" field in octets
  329. *
  330. * - "token" is the GSS-API encapsulated protection level
  331. *
  332. * The token is produced by encapsulating an octet containing the
  333. * required protection level using gss_seal()/gss_wrap() with conf_req
  334. * set to FALSE. The token is verified using gss_unseal()/
  335. * gss_unwrap().
  336. *
  337. */
  338. if(data->set.socks5_gssapi_nec) {
  339. us_length = htons((short)1);
  340. memcpy(socksreq + 2, &us_length, sizeof(short));
  341. }
  342. else {
  343. status = s_pSecFn->QueryContextAttributes(&sspi_context,
  344. SECPKG_ATTR_SIZES,
  345. &sspi_sizes);
  346. if(check_sspi_err(data, status, "QueryContextAttributes")) {
  347. s_pSecFn->DeleteSecurityContext(&sspi_context);
  348. failf(data, "Failed to query security context attributes.");
  349. return CURLE_COULDNT_CONNECT;
  350. }
  351. sspi_w_token[0].cbBuffer = sspi_sizes.cbSecurityTrailer;
  352. sspi_w_token[0].BufferType = SECBUFFER_TOKEN;
  353. sspi_w_token[0].pvBuffer = malloc(sspi_sizes.cbSecurityTrailer);
  354. if(!sspi_w_token[0].pvBuffer) {
  355. s_pSecFn->DeleteSecurityContext(&sspi_context);
  356. return CURLE_OUT_OF_MEMORY;
  357. }
  358. sspi_w_token[1].cbBuffer = 1;
  359. sspi_w_token[1].pvBuffer = malloc(1);
  360. if(!sspi_w_token[1].pvBuffer) {
  361. s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
  362. s_pSecFn->DeleteSecurityContext(&sspi_context);
  363. return CURLE_OUT_OF_MEMORY;
  364. }
  365. memcpy(sspi_w_token[1].pvBuffer, &gss_enc, 1);
  366. sspi_w_token[2].BufferType = SECBUFFER_PADDING;
  367. sspi_w_token[2].cbBuffer = sspi_sizes.cbBlockSize;
  368. sspi_w_token[2].pvBuffer = malloc(sspi_sizes.cbBlockSize);
  369. if(!sspi_w_token[2].pvBuffer) {
  370. s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
  371. s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
  372. s_pSecFn->DeleteSecurityContext(&sspi_context);
  373. return CURLE_OUT_OF_MEMORY;
  374. }
  375. status = s_pSecFn->EncryptMessage(&sspi_context,
  376. KERB_WRAP_NO_ENCRYPT,
  377. &wrap_desc,
  378. 0);
  379. if(check_sspi_err(data, status, "EncryptMessage")) {
  380. s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
  381. s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
  382. s_pSecFn->FreeContextBuffer(sspi_w_token[2].pvBuffer);
  383. s_pSecFn->DeleteSecurityContext(&sspi_context);
  384. failf(data, "Failed to query security context attributes.");
  385. return CURLE_COULDNT_CONNECT;
  386. }
  387. sspi_send_token.cbBuffer = sspi_w_token[0].cbBuffer
  388. + sspi_w_token[1].cbBuffer
  389. + sspi_w_token[2].cbBuffer;
  390. sspi_send_token.pvBuffer = malloc(sspi_send_token.cbBuffer);
  391. if(!sspi_send_token.pvBuffer) {
  392. s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
  393. s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
  394. s_pSecFn->FreeContextBuffer(sspi_w_token[2].pvBuffer);
  395. s_pSecFn->DeleteSecurityContext(&sspi_context);
  396. return CURLE_OUT_OF_MEMORY;
  397. }
  398. memcpy(sspi_send_token.pvBuffer, sspi_w_token[0].pvBuffer,
  399. sspi_w_token[0].cbBuffer);
  400. memcpy((PUCHAR) sspi_send_token.pvBuffer +(int)sspi_w_token[0].cbBuffer,
  401. sspi_w_token[1].pvBuffer, sspi_w_token[1].cbBuffer);
  402. memcpy((PUCHAR) sspi_send_token.pvBuffer
  403. + sspi_w_token[0].cbBuffer
  404. + sspi_w_token[1].cbBuffer,
  405. sspi_w_token[2].pvBuffer, sspi_w_token[2].cbBuffer);
  406. s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
  407. sspi_w_token[0].pvBuffer = NULL;
  408. sspi_w_token[0].cbBuffer = 0;
  409. s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
  410. sspi_w_token[1].pvBuffer = NULL;
  411. sspi_w_token[1].cbBuffer = 0;
  412. s_pSecFn->FreeContextBuffer(sspi_w_token[2].pvBuffer);
  413. sspi_w_token[2].pvBuffer = NULL;
  414. sspi_w_token[2].cbBuffer = 0;
  415. us_length = htons((short)sspi_send_token.cbBuffer);
  416. memcpy(socksreq + 2, &us_length, sizeof(short));
  417. }
  418. code = Curl_write_plain(data, sock, (char *)socksreq, 4, &written);
  419. if(code || (4 != written)) {
  420. failf(data, "Failed to send SSPI encryption request.");
  421. if(sspi_send_token.pvBuffer)
  422. s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
  423. s_pSecFn->DeleteSecurityContext(&sspi_context);
  424. return CURLE_COULDNT_CONNECT;
  425. }
  426. if(data->set.socks5_gssapi_nec) {
  427. memcpy(socksreq, &gss_enc, 1);
  428. code = Curl_write_plain(data, sock, (char *)socksreq, 1, &written);
  429. if(code || (1 != written)) {
  430. failf(data, "Failed to send SSPI encryption type.");
  431. s_pSecFn->DeleteSecurityContext(&sspi_context);
  432. return CURLE_COULDNT_CONNECT;
  433. }
  434. }
  435. else {
  436. code = Curl_write_plain(data, sock, (char *)sspi_send_token.pvBuffer,
  437. sspi_send_token.cbBuffer, &written);
  438. if(code || (sspi_send_token.cbBuffer != (size_t)written)) {
  439. failf(data, "Failed to send SSPI encryption type.");
  440. if(sspi_send_token.pvBuffer)
  441. s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
  442. s_pSecFn->DeleteSecurityContext(&sspi_context);
  443. return CURLE_COULDNT_CONNECT;
  444. }
  445. if(sspi_send_token.pvBuffer)
  446. s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
  447. }
  448. result = Curl_blockread_all(data, sock, (char *)socksreq, 4, &actualread);
  449. if(result || (actualread != 4)) {
  450. failf(data, "Failed to receive SSPI encryption response.");
  451. s_pSecFn->DeleteSecurityContext(&sspi_context);
  452. return CURLE_COULDNT_CONNECT;
  453. }
  454. /* ignore the first (VER) byte */
  455. if(socksreq[1] == 255) { /* status / message type */
  456. failf(data, "User was rejected by the SOCKS5 server (%u %u).",
  457. (unsigned int)socksreq[0], (unsigned int)socksreq[1]);
  458. s_pSecFn->DeleteSecurityContext(&sspi_context);
  459. return CURLE_COULDNT_CONNECT;
  460. }
  461. if(socksreq[1] != 2) { /* status / message type */
  462. failf(data, "Invalid SSPI encryption response type (%u %u).",
  463. (unsigned int)socksreq[0], (unsigned int)socksreq[1]);
  464. s_pSecFn->DeleteSecurityContext(&sspi_context);
  465. return CURLE_COULDNT_CONNECT;
  466. }
  467. memcpy(&us_length, socksreq + 2, sizeof(short));
  468. us_length = ntohs(us_length);
  469. sspi_w_token[0].cbBuffer = us_length;
  470. sspi_w_token[0].pvBuffer = malloc(us_length);
  471. if(!sspi_w_token[0].pvBuffer) {
  472. s_pSecFn->DeleteSecurityContext(&sspi_context);
  473. return CURLE_OUT_OF_MEMORY;
  474. }
  475. result = Curl_blockread_all(data, sock, (char *)sspi_w_token[0].pvBuffer,
  476. sspi_w_token[0].cbBuffer, &actualread);
  477. if(result || (actualread != us_length)) {
  478. failf(data, "Failed to receive SSPI encryption type.");
  479. s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
  480. s_pSecFn->DeleteSecurityContext(&sspi_context);
  481. return CURLE_COULDNT_CONNECT;
  482. }
  483. if(!data->set.socks5_gssapi_nec) {
  484. wrap_desc.cBuffers = 2;
  485. sspi_w_token[0].BufferType = SECBUFFER_STREAM;
  486. sspi_w_token[1].BufferType = SECBUFFER_DATA;
  487. sspi_w_token[1].cbBuffer = 0;
  488. sspi_w_token[1].pvBuffer = NULL;
  489. status = s_pSecFn->DecryptMessage(&sspi_context,
  490. &wrap_desc,
  491. 0,
  492. &qop);
  493. if(check_sspi_err(data, status, "DecryptMessage")) {
  494. if(sspi_w_token[0].pvBuffer)
  495. s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
  496. if(sspi_w_token[1].pvBuffer)
  497. s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
  498. s_pSecFn->DeleteSecurityContext(&sspi_context);
  499. failf(data, "Failed to query security context attributes.");
  500. return CURLE_COULDNT_CONNECT;
  501. }
  502. if(sspi_w_token[1].cbBuffer != 1) {
  503. failf(data, "Invalid SSPI encryption response length (%lu).",
  504. (unsigned long)sspi_w_token[1].cbBuffer);
  505. if(sspi_w_token[0].pvBuffer)
  506. s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
  507. if(sspi_w_token[1].pvBuffer)
  508. s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
  509. s_pSecFn->DeleteSecurityContext(&sspi_context);
  510. return CURLE_COULDNT_CONNECT;
  511. }
  512. memcpy(socksreq, sspi_w_token[1].pvBuffer, sspi_w_token[1].cbBuffer);
  513. s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
  514. s_pSecFn->FreeContextBuffer(sspi_w_token[1].pvBuffer);
  515. }
  516. else {
  517. if(sspi_w_token[0].cbBuffer != 1) {
  518. failf(data, "Invalid SSPI encryption response length (%lu).",
  519. (unsigned long)sspi_w_token[0].cbBuffer);
  520. s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
  521. s_pSecFn->DeleteSecurityContext(&sspi_context);
  522. return CURLE_COULDNT_CONNECT;
  523. }
  524. memcpy(socksreq, sspi_w_token[0].pvBuffer, sspi_w_token[0].cbBuffer);
  525. s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
  526. }
  527. (void)curlx_nonblock(sock, TRUE);
  528. infof(data, "SOCKS5 access with%s protection granted.",
  529. (socksreq[0] == 0)?"out GSS-API data":
  530. ((socksreq[0] == 1)?" GSS-API integrity":" GSS-API confidentiality"));
  531. /* For later use if encryption is required
  532. conn->socks5_gssapi_enctype = socksreq[0];
  533. if(socksreq[0] != 0)
  534. conn->socks5_sspi_context = sspi_context;
  535. else {
  536. s_pSecFn->DeleteSecurityContext(&sspi_context);
  537. conn->socks5_sspi_context = sspi_context;
  538. }
  539. */
  540. return CURLE_OK;
  541. }
  542. #endif