Ticket #10266: super-patch

diff --git a/data/Makefile.am b/data/Makefile.am
index 0bb621f..44542fa 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -1,6 +1,6 @@
 dist_noinst_DATA = install.nsi.in \
        makezip.sh.in \
-       libgcc_s_sjlj-1.dll \
+       libgcc_s_dw2-1.dll \
        libstdc++-6.dll \
        libwinpthread-1.dll \
        nsis_appid.dll \
diff --git a/data/install.nsi.in b/data/install.nsi.in
index 529b94e..18f1f0e 100644
--- a/data/install.nsi.in
+++ b/data/install.nsi.in
@@ -874,12 +874,12 @@ Section "FileZilla Client" SecMain
   ; MinGW runtime libraries

   ; First get rid of remnants
-  !insertmacro UnInstallLib DLL NOTSHARED REBOOT_NOTPROTECTED "$INSTDIR\libgcc_s_sjlj-1.dll"
+  !insertmacro UnInstallLib DLL NOTSHARED REBOOT_NOTPROTECTED "$INSTDIR\libgcc_s_dw2-1.dll"
   !insertmacro UnInstallLib DLL NOTSHARED REBOOT_NOTPROTECTED "$INSTDIR\libstdc++-6.dll"
   !insertmacro UnInstallLib DLL NOTSHARED REBOOT_NOTPROTECTED "$INSTDIR\libwinpthread-1.dll"

   ; Now install new version of runtime
-  !insertmacro InstallLib DLL NOTSHARED REBOOT_NOTPROTECTED "${srcdir}\libgcc_s_sjlj-1.dll" "$INSTDIR\libgcc_s_sjlj-1.dll" "$INSTDIR"
+  !insertmacro InstallLib DLL NOTSHARED REBOOT_NOTPROTECTED "${srcdir}\libgcc_s_dw2-1.dll" "$INSTDIR\libgcc_s_dw2-1.dll" "$INSTDIR"
   !insertmacro InstallLib DLL NOTSHARED REBOOT_NOTPROTECTED "${srcdir}\libstdc++-6.dll"     "$INSTDIR\libstdc++-6.dll"     "$INSTDIR"
   !insertmacro InstallLib DLL NOTSHARED REBOOT_NOTPROTECTED "${srcdir}\libwinpthread-1.dll" "$INSTDIR\libwinpthread-1.dll" "$INSTDIR"

@@ -1300,7 +1300,7 @@ Section "Uninstall"
   Delete "$INSTDIR\fzputtygen.exe"

   ; MinGW runtime libraries
-  !insertmacro UnInstallLib DLL NOTSHARED REBOOT_NOTPROTECTED "$INSTDIR\libgcc_s_sjlj-1.dll"
+  !insertmacro UnInstallLib DLL NOTSHARED REBOOT_NOTPROTECTED "$INSTDIR\libgcc_s_dw2-1.dll"
   !insertmacro UnInstallLib DLL NOTSHARED REBOOT_NOTPROTECTED "$INSTDIR\libstdc++-6.dll"
   !insertmacro UnInstallLib DLL NOTSHARED REBOOT_NOTPROTECTED "$INSTDIR\libwinpthread-1.dll"

diff --git a/data/libgcc_s_dw2-1.dll b/data/libgcc_s_dw2-1.dll
new file mode 100644
index 0000000..3ac46a5
Binary files /dev/null and b/data/libgcc_s_dw2-1.dll differ
diff --git a/data/libstdc++-6.dll b/data/libstdc++-6.dll
index c4804b8..b0fd5e4 100644
Binary files a/data/libstdc++-6.dll and b/data/libstdc++-6.dll differ
diff --git a/data/libwinpthread-1.dll b/data/libwinpthread-1.dll
index ac09bcc..511c25c 100644
Binary files a/data/libwinpthread-1.dll and b/data/libwinpthread-1.dll differ
diff --git a/data/makezip.sh.in b/data/makezip.sh.in
index 96bb1cd..46f4859 100644
--- a/data/makezip.sh.in
+++ b/data/makezip.sh.in
@@ -54,7 +54,7 @@ copy_libtool "src/putty" "fzputtygen.exe"
 copy_libtool "src/fzshellext" "libfzshellext-0.dll" "fzshellext.dll"

 cp "$top_srcdir/src/fzshellext/fzshellext_64.dll" "$targetdir/fzshellext_64.dll" || exit 1
-cp "$top_srcdir/data/libgcc_s_sjlj-1.dll" "$targetdir/libgcc_s_sjlj-1.dll" || exit 1
+cp "$top_srcdir/data/libgcc_s_dw2-1.dll" "$targetdir/libgcc_s_dw2-1.dll" || exit 1
 cp "$top_srcdir/data/libstdc++-6.dll" "$targetdir/libstdc++-6.dll" || exit 1
 cp "$top_srcdir/data/libwinpthread-1.dll" "$targetdir/libwinpthread-1.dll" || exit 1

diff --git a/src/engine/Makefile.am b/src/engine/Makefile.am
index a13bf4b..61208a8 100644
--- a/src/engine/Makefile.am
+++ b/src/engine/Makefile.am
@@ -20,6 +20,8 @@ libengine_a_SOURCES = \
        FileZillaEngine.cpp \
        file.cpp \
        ftpcontrolsocket.cpp \
+       gssinterface.cpp \
+       gsssocket.cpp \
        httpcontrolsocket.cpp \
        iothread.cpp \
        local_filesys.cpp \
@@ -52,6 +54,7 @@ noinst_HEADERS = backend.h \
        filezilla.h \
        file.h \
        ftpcontrolsocket.h \
+       gsssocket.h \
        httpcontrolsocket.h iothread.h \
        logging_private.h \
        pathcache.h \
diff --git a/src/engine/ftpcontrolsocket.cpp b/src/engine/ftpcontrolsocket.cpp
index 5d2c0ff..a92be07 100644
--- a/src/engine/ftpcontrolsocket.cpp
+++ b/src/engine/ftpcontrolsocket.cpp
@@ -13,6 +13,7 @@
 #include "transfersocket.h"
 #include "local_filesys.h"
 #include "proxy.h"
+#include "gssinterface.h"

 #include <wx/filename.h>
 #include <wx/log.h>
@@ -22,19 +23,21 @@
 #include <algorithm>

 #define LOGON_WELCOME  0
-#define LOGON_AUTH_TLS 1
-#define LOGON_AUTH_SSL 2
-#define LOGON_AUTH_WAIT    3
-#define LOGON_LOGON        4
-#define LOGON_SYST     5
-#define LOGON_FEAT     6
-#define LOGON_CLNT     7
-#define LOGON_OPTSUTF8 8
-#define LOGON_PBSZ     9
-#define LOGON_PROT     10
-#define LOGON_OPTSMLST 11
-#define LOGON_CUSTOMCOMMANDS 12
-#define LOGON_DONE     13
+#define LOGON_AUTH_GSS  1
+#define LOGON_AUTH_ADAT 2
+#define LOGON_AUTH_TLS 3
+#define LOGON_AUTH_SSL 4
+#define LOGON_AUTH_WAIT    5
+#define LOGON_LOGON        6
+#define LOGON_SYST     7
+#define LOGON_FEAT     8
+#define LOGON_CLNT     9
+#define LOGON_OPTSUTF8 10
+#define LOGON_PBSZ     11
+#define LOGON_PROT     12
+#define LOGON_OPTSMLST 13
+#define LOGON_CUSTOMCOMMANDS 14
+#define LOGON_DONE     15

 CRawTransferOpData::CRawTransferOpData()
    : COpData(Command::rawtransfer)
@@ -118,22 +121,31 @@ struct t_loginCommand
 class CFtpLogonOpData : public CConnectOpData
 {
 public:
-   CFtpLogonOpData()
+   CFtpLogonOpData(CControlSocket *pSocket)
    {
        waitChallenge = false;
        gotPassword = false;
        waitForAsyncRequest = false;
        gotFirstWelcomeLine = false;
        ftp_proxy_type = 0;
+       pControlSocket = pSocket;

        customCommandIndex = 0;

        for (int i = 0; i < LOGON_DONE; ++i)
            neededCommands[i] = 1;
+
+       if (!IsGssLoaded())
+           neededCommands[LOGON_AUTH_GSS] = 0;
+
+       neededCommands[LOGON_AUTH_ADAT] = 0;
    }

    virtual ~CFtpLogonOpData()
+
    {
+       if (target_name)
+           GssReleaseName(pControlSocket, (void **) &target_name);
    }

    wxString challenge; // Used for interactive logons
@@ -149,6 +161,11 @@ public:
    std::list<t_loginCommand> loginSequence;

    int ftp_proxy_type;
+
+   CControlSocket *pControlSocket;
+   wxString adatSend;
+   void *target_name = NULL;
+   int lastcode = -1;
 };

 class CFtpDeleteOpData : public COpData
@@ -189,7 +206,9 @@ CFtpControlSocket::CFtpControlSocket(CFileZillaEnginePrivate & engine)
    m_pendingReplies = 1;
    m_pTlsSocket = 0;
    m_protectDataChannel = false;
+   m_protectCommandChannel = false;
    m_lastTypeBinary = -1;
+   m_protBufferSize = 0;

    // Enable TCP_NODELAY, speeds things up a bit.
    // Enable SO_KEEPALIVE, lots of clueless users have broken routers and
@@ -406,6 +425,11 @@ void CFtpControlSocket::ParseResponse()
        return;
    }

+   if (m_Response[0] == '6' && m_protectCommandChannel) {
+       DecryptResponse();
+       return;
+   }
+
    if (m_Response[0] != '1') {
        if (m_pendingReplies > 0)
            m_pendingReplies--;
@@ -719,6 +743,58 @@ int CFtpControlSocket::LogonParseResponse()
            return FZ_REPLY_DISCONNECTED;
        }
    }
+   else if (pData->opState == LOGON_AUTH_GSS)
+   {
+       if (code == 3) {
+           pData->neededCommands[LOGON_AUTH_ADAT] = 1;
+           pData->neededCommands[LOGON_AUTH_TLS] = 0;
+           pData->neededCommands[LOGON_AUTH_SSL] = 0;
+           pData->neededCommands[LOGON_AUTH_WAIT] = 0;
+           pData->neededCommands[LOGON_PBSZ] = 1;
+           pData->neededCommands[LOGON_PROT] = 1;
+           m_protBufferSize =
+               engine_.GetOptions().GetOptionVal(OPTION_GSS_PROTBUFSIZE);
+       }
+   }
+   else if (pData->opState == LOGON_AUTH_ADAT)
+   {
+       if (code == 2 || code == 3) {
+           /*
+            * Scan this response to see if we got an ADAT
+            * message.  If we did, decode the data and
+            * save it.
+            */
+
+           int pos = m_Response.Find(_T("ADAT="));
+
+           pData->lastcode = code;
+
+           if (pos != wxNOT_FOUND) {
+               wxString data = m_Response.Mid(pos + 5);
+               bool more;
+
+               if (!ProcessAdatResponse(data, &more)) {
+                   LogMessage(MessageType::Status,
+                          _("Processing of ADAT response failed"));
+                   DoClose(FZ_REPLY_INTERNALERROR);
+                   return FZ_REPLY_ERROR;
+               }
+               /*
+                * If we have a token to send, bump our
+                * opState back so we can send it.
+                */
+
+               if (more)
+                   pData->opState--;
+
+           }
+       } else {
+           /* Any other response is an error */
+           LogMessage(MessageType::Status, _("Invalid response to ADAT"));
+           DoClose(FZ_REPLY_INTERNALERROR);
+           return FZ_REPLY_ERROR;
+       }
+   }
    else if (pData->opState == LOGON_AUTH_TLS ||
             pData->opState == LOGON_AUTH_SSL)
    {
@@ -893,10 +969,39 @@ int CFtpControlSocket::LogonParseResponse()
            m_useUTF8 = false;
        }
    }
-   else if (pData->opState == LOGON_PROT) {
-       if (code == 2 || code == 3)
+   else if (pData->opState == LOGON_PROT)
+   {
+       if (m_protectDataChannel && code != 2)
+           m_protectDataChannel = false;
+       else if (code == 2 || code == 3)
            m_protectDataChannel = true;
    }
+   else if (pData->opState == LOGON_PBSZ)
+   {
+       if (code != 2)
+           m_protectDataChannel = false;
+
+       if (m_protectDataChannel) {
+           /*
+            * Parse the PBSZ response to see if the buffer size
+            * has been specified.
+            */
+
+           int pos = m_Response.Find(_T("PBSZ="));
+
+           if (pos != wxNOT_FOUND) {
+               wxString data = m_Response.Mid(pos + 5);
+               unsigned long retbufsz;
+
+               if (! data.ToCULong(&retbufsz)) {
+                   LogMessage(MessageType::Status, _("Invalid PBSZ response, ignoring."));
+               } else {
+                   if (retbufsz < m_protBufferSize)
+                       m_protBufferSize = retbufsz;
+               }
+           }
+       }
+   }
    else if (pData->opState == LOGON_CUSTOMCOMMANDS) {
        ++pData->customCommandIndex;
        if (pData->customCommandIndex < m_pCurrentServer->GetPostLoginCommands().size())
@@ -1053,6 +1158,12 @@ int CFtpControlSocket::LogonSend()
        res = FZ_REPLY_WOULDBLOCK;
        LogMessage(MessageType::Debug_Info, _T("LogonSend() called during LOGON_AUTH_WAIT, ignoring"));
        break;
+   case LOGON_AUTH_GSS:
+       res = SendCommand(_T("AUTH GSSAPI"), false, false);
+       break;
+   case LOGON_AUTH_ADAT:
+       res = SendGssAdat();
+       break;
    case LOGON_AUTH_TLS:
        res = SendCommand(_T("AUTH TLS"), false, false);
        break;
@@ -1139,10 +1250,20 @@ int CFtpControlSocket::LogonSend()
        res = SendCommand(_T("OPTS UTF8 ON"));
        break;
    case LOGON_PBSZ:
-       res = SendCommand(_T("PBSZ 0"));
+       if (IsGssLoaded() &&
+           engine_.GetOptions().GetOptionVal(OPTION_GSS_ENCRYPTDATACHAN)) {
+           m_protectDataChannel = true;
+           res = SendCommand(_T("PBSZ ") +
+                   std::to_string(m_protBufferSize));
+       }
+       else
+           res = SendCommand(_T("PBSZ 0"));
        break;
    case LOGON_PROT:
-       res = SendCommand(_T("PROT P"));
+       if (m_protectDataChannel)
+           res = SendCommand(_T("PROT P"));
+       else
+           res = SendCommand(_T("PROT C"));
        break;
    case LOGON_CUSTOMCOMMANDS:
        if (pData->customCommandIndex >= m_pCurrentServer->GetPostLoginCommands().size())
@@ -1183,9 +1304,28 @@ int CFtpControlSocket::GetReplyCode() const
    }
 }

+int CFtpControlSocket::GetFullReplyCode() const
+{
+   unsigned long ret;
+
+   if (m_Response.empty()) {
+       return 0;
+   }
+
+   wxString substr = m_Response.Mid(0, 3);
+
+   if (! substr.ToULong(&ret)) {
+       return 0;
+   }
+
+   return ret;
+}
+
 bool CFtpControlSocket::SendCommand(wxString const& str, bool maskArgs, bool measureRTT)
 {
    int pos;
+   wxCharBuffer buffer;
+
    if (maskArgs && (pos = str.Find(_T(" "))) != -1)
    {
        wxString stars('*', str.Length() - pos - 1);
@@ -1194,12 +1334,23 @@ bool CFtpControlSocket::SendCommand(wxString const& str, bool maskArgs, bool mea
    else
        LogMessageRaw(MessageType::Command, str);

-   wxCharBuffer buffer = ConvToServer(str + _T("\r\n"));
-   if (!buffer)
+   if (m_protectCommandChannel)
    {
-       LogMessage(MessageType::Error, _T("Failed to convert command to 8 bit charset"));
-       return false;
+       buffer = ProtectCommand(str);
+       if (!buffer)
+       {
+           LogMessage(MessageType::Error, _T("Failed to encrypt command"));
+           return false;
+       }
+   } else {
+       buffer = ConvToServer(str + _T("\r\n"));
+       if (!buffer)
+       {
+           LogMessage(MessageType::Error, _T("Failed to convert command to 8 bit charset"));
+           return false;
+       }
    }
+
    unsigned int len = (unsigned int)strlen(buffer);
    bool res = CRealControlSocket::Send(buffer, len);
    if (res)
@@ -4275,7 +4426,7 @@ int CFtpControlSocket::Connect(const CServer &server)
        delete m_pCurOpData;
    }

-   CFtpLogonOpData* pData = new CFtpLogonOpData;
+   CFtpLogonOpData* pData = new CFtpLogonOpData(this);
    m_pCurOpData = pData;

    // Do not use FTP proxy if generic proxy is set
@@ -4472,6 +4623,176 @@ int CFtpControlSocket::ParseSubcommandResult(int prevResult)
    return FZ_REPLY_ERROR;
 }

+int CFtpControlSocket::SendGssAdat()
+{
+   CFtpLogonOpData *pData = reinterpret_cast<CFtpLogonOpData *>(m_pCurOpData);
+   wxString output_token;
+   bool complete;
+
+   //
+   // If data is left over from a init_sec_context call send it now
+   //
+
+   if (pData->adatSend.length() > 0) {
+       int ret = SendCommand("ADAT " + pData->adatSend, false, false);
+       pData->adatSend.Clear();
+       return ret;
+   }
+
+   //
+   // The code here should only be invoked the first time around
+   //
+
+   if (! pData->target_name) {
+       wxString target = "host@" + pData->host;
+       if (!GssImportName(this, target, &pData->target_name))
+           return false;
+   }
+
+   if (!GssInitSecContext(this, &gcontext, pData->target_name, true,
+                  wxEmptyString, &output_token, &complete))
+       return false;
+
+   if (output_token.Length() > 0) {
+       if (!SendCommand(_T("ADAT ") + output_token, false, false))
+           return false;
+   }
+
+   /*
+    * If lastcode is set, it should be either 2 (complete) or 3
+    * (more exchanges needed).  If it's 2, we should be done
+    * (GSS_S_COMPLETE).
+    */
+
+   if (pData->lastcode == 2) {
+       if (complete) {
+           LogMessage(MessageType::Status, _("GSSAPI Authentication successful"));
+           m_protectCommandChannel = true;
+       } else {
+           return false;
+       }
+   }
+
+   return true;
+}
+
+bool CFtpControlSocket::ProcessAdatResponse(wxString recvdata,
+                       bool *more)
+{
+   CFtpLogonOpData *pData = reinterpret_cast<CFtpLogonOpData *>(m_pCurOpData);
+   bool complete;
+
+   if (!GssInitSecContext(this, &gcontext, pData->target_name, true,
+                  recvdata, &pData->adatSend, &complete)) {
+       return false;
+   }
+
+   if (pData->adatSend.Length() > 0) {
+       *more = true;
+   } else {
+       *more = false;
+   }
+
+   /*
+    * If we're done, mark it.
+    */
+
+   if (pData->lastcode == 2 && complete) {
+       LogMessage(MessageType::Status, _("GSSAPI Authentication successful"));
+       m_protectCommandChannel = true;
+   }
+
+   return true;
+}
+
+wxCharBuffer CFtpControlSocket::ProtectCommand(wxString const& str)
+{
+   wxCharBuffer input = ConvToServer(str);
+   wxString output;
+
+   if (!GssWrap(this, gcontext, true, input, &output))
+   {
+       return wxCharBuffer();
+   }
+
+   wxString retstr = _("ENC ") + output + _("\r\n");
+
+   return retstr.c_str();
+}
+
+void CFtpControlSocket::DecryptResponse()
+{
+   int code = GetFullReplyCode();
+   wxString enc_response;
+   bool encrypted;
+   wxMemoryBuffer output;
+
+   if (code != 631 && code != 632 && code != 633)
+   {
+       LogMessage(MessageType::Error, _T("Unknown response code %d"), code);
+       return;
+   }
+
+   bool protect = (code != 631);
+
+   std::list<wxString>::iterator iter = m_MultilineResponseLines.begin();
+
+   while (iter != m_MultilineResponseLines.end())
+   {
+       enc_response.Append(iter->Mid(4));
+       iter++;
+   }
+
+   enc_response.Append(m_Response.Mid(4));
+
+   if (!GssUnwrap(this, gcontext, enc_response, &output, &encrypted))
+       return;
+
+   if (protect != encrypted)
+   {
+       LogMessage(MessageType::Error, _("Response code did not match encryption level!"));
+       return;
+   }
+   /*
+    * Because of the way multiline reponses are dealt with in
+    * GSSAPI, we need to replicate part of OnReceive() here (but
+    * it's been adapted).
+    */
+
+   char *start, *bufstart;
+   start = bufstart = (char *) malloc(output.GetDataLen() + 1);
+   memcpy(bufstart, output.GetData(), output.GetDataLen());
+   bufstart[output.GetDataLen()] = '\0';
+
+   for (int i = start - bufstart; i < output.GetDataLen() + 1; ++i)
+   {
+       char& p = bufstart[i];
+       if (p == '\r' ||
+           p == '\n' ||
+           p == 0)
+       {
+           int len = i - (start - bufstart);
+           if (!len)
+           {
+               ++start;
+               continue;
+           }
+
+           p = 0;
+           wxString line = ConvToLocal(start, i + 1 - (start - bufstart));
+           start = bufstart + i + 1;
+
+           ParseLine(line);
+
+           // Abort if connection got closed
+           if (!m_pCurrentServer)
+               break;
+       }
+   }
+
+   free(bufstart);
+}
+
 void CFtpControlSocket::operator()(CEventBase const& ev)
 {
    if (Dispatch<CTimerEvent>(ev, this, &CFtpControlSocket::OnTimer)) {
diff --git a/src/engine/ftpcontrolsocket.h b/src/engine/ftpcontrolsocket.h
index a1db93c..de7a2d0 100644
--- a/src/engine/ftpcontrolsocket.h
+++ b/src/engine/ftpcontrolsocket.h
@@ -96,11 +96,18 @@ protected:
    virtual int ParseSubcommandResult(int prevResult);

    int GetReplyCode() const;
+   int GetFullReplyCode() const;

    int Logon();
    int LogonParseResponse();
    int LogonSend();

+   int SendGssAdat();
+   bool ProcessAdatResponse(wxString recvdata, bool *more);
+   void ReportGssError(uint32_t major, uint32_t minor);
+   wxCharBuffer ProtectCommand(wxString const& str);
+   void DecryptResponse();
+
    wxString GetPassiveCommand(CRawTransferOpData& data);
    bool ParsePasvResponse(CRawTransferOpData* pData);
    bool ParseEpsvResponse(CRawTransferOpData* pData);
@@ -139,6 +146,13 @@ protected:

    CTlsSocket* m_pTlsSocket;
    bool m_protectDataChannel;
+   bool m_protectCommandChannel;
+
+   // Context structure for GSSAPI
+   void *gcontext = NULL;
+
+   // Protection buffer size
+   int m_protBufferSize;

    int m_lastTypeBinary;

diff --git a/src/engine/gssinterface.cpp b/src/engine/gssinterface.cpp
new file mode 100644
index 0000000..1af0fb2
--- /dev/null
+++ b/src/engine/gssinterface.cpp
@@ -0,0 +1,982 @@
+#include <filezilla.h>
+#include "ControlSocket.h"
+#include "../interface/Options.h"
+
+#include <wx/dynlib.h>
+#include <wx/base64.h>
+#include <wx/filename.h>
+
+#include "gssinterface.h"
+
+/*
+ * We include the generic header file here from the GSSAPI RFC, so we
+ * don't need to depend on it (but only some of it).
+ */
+
+/* -*- mode: c; indent-tabs-mode: nil -*- */
+/*
+ * Copyright 1993 by OpenVision Technologies, Inc.
+ *
+ * Permission to use, copy, modify, distribute, and sell this software
+ * and its documentation for any purpose is hereby granted without fee,
+ * provided that the above copyright notice appears in all copies and
+ * that both that copyright notice and this permission notice appear in
+ * supporting documentation, and that the name of OpenVision not be used
+ * in advertising or publicity pertaining to distribution of the software
+ * without specific, written prior permission. OpenVision makes no
+ * representations about the suitability of this software for any
+ * purpose.  It is provided "as is" without express or implied warranty.
+ *
+ * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
+ * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Determine platform-dependent configuration.
+ */
+
+#if defined(__MACH__) && defined(__APPLE__)
+#       include <TargetConditionals.h>
+#       if TARGET_RT_MAC_CFM
+#               error "Use KfM 4.0 SDK headers for CFM compilation."
+#       endif
+#endif
+
+#ifndef __has_extension
+#define __has_extension(x) 0
+#endif
+
+#ifndef GSSKRB_APPLE_DEPRECATED
+#if __has_extension(attribute_deprecated_with_message)
+#define GSSKRB_APPLE_DEPRECATED(x) __attribute__((deprecated(x)))
+#else
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+#define GSSKRB_APPLE_DEPRECATED(x) __attribute__((deprecated))
+#endif
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+#if TARGET_OS_MAC
+#    pragma pack(push,2)
+#endif
+
+#if 0
+#if defined(_MSDOS) || defined(_WIN32)
+#include <win-mac.h>
+#endif
+#endif
+
+#ifndef KRB5_CALLCONV
+#define KRB5_CALLCONV
+#define KRB5_CALLCONV_C
+#endif
+
+/*
+ * First, include stddef.h to get size_t defined.
+ */
+#include <stddef.h>
+
+/*
+ * POSIX says that sys/types.h is where size_t is defined.
+ */
+#include <sys/types.h>
+
+/*
+ * $Id: gssapi.hin 20876 2008-10-15 21:58:43Z tlyu $
+ */
+
+/*
+ * First, define the three platform-dependent pointer types.
+ */
+
+struct gss_name_struct;
+typedef struct gss_name_struct * gss_name_t;
+
+struct gss_cred_id_struct;
+typedef struct gss_cred_id_struct * gss_cred_id_t;
+
+struct gss_ctx_id_struct;
+typedef struct gss_ctx_id_struct * gss_ctx_id_t;
+
+/*
+ * The following type must be defined as the smallest natural unsigned integer
+ * supported by the platform that has at least 32 bits of precision.
+ */
+typedef uint32_t gss_uint32;
+typedef int32_t gss_int32;
+
+#ifdef  OM_STRING
+/*
+ * We have included the xom.h header file.  Use the definition for
+ * OM_object identifier.
+ */
+typedef OM_object_identifier    gss_OID_desc, *gss_OID;
+#else   /* OM_STRING */
+/*
+ * We can't use X/Open definitions, so roll our own.
+ */
+typedef gss_uint32      OM_uint32;
+
+typedef struct gss_OID_desc_struct {
+    OM_uint32 length;
+    void *elements;
+} gss_OID_desc, *gss_OID;
+#endif  /* OM_STRING */
+
+typedef struct gss_OID_set_desc_struct  {
+    size_t  count;
+    gss_OID elements;
+} gss_OID_set_desc, *gss_OID_set;
+
+typedef struct gss_buffer_desc_struct {
+    size_t length;
+    void *value;
+} gss_buffer_desc, *gss_buffer_t;
+
+typedef struct gss_channel_bindings_struct {
+    OM_uint32 initiator_addrtype;
+    gss_buffer_desc initiator_address;
+    OM_uint32 acceptor_addrtype;
+    gss_buffer_desc acceptor_address;
+    gss_buffer_desc application_data;
+} *gss_channel_bindings_t;
+
+/*
+ * For now, define a QOP-type as an OM_uint32 (pending resolution of ongoing
+ * discussions).
+ */
+typedef OM_uint32       gss_qop_t;
+typedef int             gss_cred_usage_t;
+
+/*
+ * Flag bits for context-level services.
+ */
+#define GSS_C_DELEG_FLAG        1
+#define GSS_C_MUTUAL_FLAG       2
+#define GSS_C_REPLAY_FLAG       4
+#define GSS_C_SEQUENCE_FLAG     8
+#define GSS_C_CONF_FLAG         16
+#define GSS_C_INTEG_FLAG        32
+#define GSS_C_ANON_FLAG         64
+#define GSS_C_PROT_READY_FLAG   128
+#define GSS_C_TRANS_FLAG        256
+#define GSS_C_DELEG_POLICY_FLAG 32768
+#define GSS_C_NO_UI_FLAG   0x80000000
+
+/*
+ * Credential usage options
+ */
+#define GSS_C_BOTH      0
+#define GSS_C_INITIATE  1
+#define GSS_C_ACCEPT    2
+
+#define GSS_C_OPTION_MASK 0xffff
+#define GSS_C_CRED_NO_UI  0x10000
+
+
+/*
+ * Status code types for gss_display_status
+ */
+#define GSS_C_GSS_CODE  1
+#define GSS_C_MECH_CODE 2
+
+/*
+ * Various Null values.
+ */
+#define GSS_C_NO_NAME ((gss_name_t) 0)
+#define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
+#define GSS_C_NO_OID ((gss_OID) 0)
+#define GSS_C_NO_OID_SET ((gss_OID_set) 0)
+#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
+#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
+#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
+#define GSS_C_EMPTY_BUFFER {0, NULL}
+
+/*
+ * Some alternate names for a couple of the above values.  These are defined
+ * for V1 compatibility.
+ */
+#define GSS_C_NULL_OID          GSS_C_NO_OID
+#define GSS_C_NULL_OID_SET      GSS_C_NO_OID_SET
+
+/*
+ * Define the default Quality of Protection for per-message services.  Note
+ * that an implementation that offers multiple levels of QOP may either reserve
+ * a value (for example zero, as assumed here) to mean "default protection", or
+ * alternatively may simply equate GSS_C_QOP_DEFAULT to a specific explicit
+ * QOP value.  However a value of 0 should always be interpreted by a GSSAPI
+ * implementation as a request for the default protection level.
+ */
+#define GSS_C_QOP_DEFAULT 0
+
+/*
+ * Expiration time of 2^32-1 seconds means infinite lifetime for a
+ * credential or security context
+ */
+#define GSS_C_INDEFINITE ((OM_uint32) 0xfffffffful)
+
+
+/* Major status codes */
+
+#define GSS_S_COMPLETE 0
+
+/*
+ * Some "helper" definitions to make the status code macros obvious.
+ */
+#define GSS_C_CALLING_ERROR_OFFSET 24
+#define GSS_C_ROUTINE_ERROR_OFFSET 16
+#define GSS_C_SUPPLEMENTARY_OFFSET 0
+#define GSS_C_CALLING_ERROR_MASK ((OM_uint32) 0377ul)
+#define GSS_C_ROUTINE_ERROR_MASK ((OM_uint32) 0377ul)
+#define GSS_C_SUPPLEMENTARY_MASK ((OM_uint32) 0177777ul)
+
+/*
+ * The macros that test status codes for error conditions.  Note that the
+ * GSS_ERROR() macro has changed slightly from the V1 GSSAPI so that it now
+ * evaluates its argument only once.
+ */
+#define GSS_CALLING_ERROR(x) \
+  ((x) & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
+#define GSS_ROUTINE_ERROR(x) \
+  ((x) & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
+#define GSS_SUPPLEMENTARY_INFO(x) \
+  ((x) & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
+#define GSS_ERROR(x) \
+  ((x) & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
+          (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
+
+/*
+ * Now the actual status code definitions
+ */
+
+/*
+ * Calling errors:
+ */
+#define GSS_S_CALL_INACCESSIBLE_READ \
+                             (((OM_uint32) 1ul) << GSS_C_CALLING_ERROR_OFFSET)
+#define GSS_S_CALL_INACCESSIBLE_WRITE \
+                             (((OM_uint32) 2ul) << GSS_C_CALLING_ERROR_OFFSET)
+#define GSS_S_CALL_BAD_STRUCTURE \
+                             (((OM_uint32) 3ul) << GSS_C_CALLING_ERROR_OFFSET)
+
+/*
+ * Routine errors:
+ */
+#define GSS_S_BAD_MECH (((OM_uint32) 1ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_NAME (((OM_uint32) 2ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_NAMETYPE (((OM_uint32) 3ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_BINDINGS (((OM_uint32) 4ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_STATUS (((OM_uint32) 5ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_SIG (((OM_uint32) 6ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_NO_CRED (((OM_uint32) 7ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_NO_CONTEXT (((OM_uint32) 8ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DEFECTIVE_TOKEN (((OM_uint32) 9ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DEFECTIVE_CREDENTIAL \
+     (((OM_uint32) 10ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_CREDENTIALS_EXPIRED \
+     (((OM_uint32) 11ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_CONTEXT_EXPIRED \
+     (((OM_uint32) 12ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_FAILURE (((OM_uint32) 13ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_QOP (((OM_uint32) 14ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_UNAUTHORIZED (((OM_uint32) 15ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_UNAVAILABLE (((OM_uint32) 16ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DUPLICATE_ELEMENT \
+     (((OM_uint32) 17ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_NAME_NOT_MN \
+     (((OM_uint32) 18ul) << GSS_C_ROUTINE_ERROR_OFFSET)
+
+/*
+ * Supplementary info bits:
+ */
+#define GSS_S_CONTINUE_NEEDED (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
+#define GSS_S_DUPLICATE_TOKEN (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
+#define GSS_S_OLD_TOKEN (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
+#define GSS_S_UNSEQ_TOKEN (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
+#define GSS_S_GAP_TOKEN (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
+
+
+/*
+ * Finally, function prototypes for the GSSAPI routines.
+ */
+
+#if defined (_WIN32) && defined (_MSC_VER)
+# ifdef GSS_DLL_FILE
+#  define GSS_DLLIMP __declspec(dllexport)
+# else
+#  define GSS_DLLIMP __declspec(dllimport)
+# endif
+#else
+# define GSS_DLLIMP
+#endif
+
+/* Reserved static storage for GSS_oids.  Comments are quotes from RFC 2744.
+ *
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
+ * GSS_C_NT_USER_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_USER_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+ * The constant GSS_C_NT_MACHINE_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+ * The constant GSS_C_NT_STRING_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_STRING_UID_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) org(3) dod(6) internet(1) security(5)
+ * nametypes(6) gss-host-based-services(2)).  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+ * to that gss_OID_desc.  This is a deprecated OID value, and
+ * implementations wishing to support hostbased-service names
+ * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+ * defined below, to identify such names;
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+ * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+ * parameter, but should not be emitted by GSS-API
+ * implementations
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x04"}, corresponding to an
+ * object-identifier value of {iso(1) member-body(2)
+ * Unites States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) service_name(4)}.  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE should be initialized
+ * to point to that gss_OID_desc.
+ */
+static gss_OID *p_GSS_C_NT_HOSTBASED_SERVICE;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+ * corresponding to an object identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 3(gss-anonymous-name)}.  The constant
+ * and GSS_C_NT_ANONYMOUS should be initialized to point
+ * to that gss_OID_desc.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_ANONYMOUS;
+
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+ * corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 4(gss-api-exported-name)}.  The constant
+ * GSS_C_NT_EXPORT_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_EXPORT_NAME;
+
+/* Function Prototypes */
+
+static OM_uint32 KRB5_CALLCONV
+(*p_gss_init_sec_context)(
+    OM_uint32 *,        /* minor_status */
+    gss_cred_id_t,      /* claimant_cred_handle */
+    gss_ctx_id_t *,     /* context_handle */
+    gss_name_t,         /* target_name */
+    gss_OID,            /* mech_type (used to be const) */
+    OM_uint32,          /* req_flags */
+    OM_uint32,          /* time_req */
+    gss_channel_bindings_t,     /* input_chan_bindings */
+    gss_buffer_t,       /* input_token */
+    gss_OID *,          /* actual_mech_type */
+    gss_buffer_t,       /* output_token */
+    OM_uint32 *,        /* ret_flags */
+    OM_uint32 *)        /* time_rec */
+   = NULL;
+
+
+static OM_uint32 KRB5_CALLCONV
+(*p_gss_delete_sec_context)(
+    OM_uint32 *,        /* minor_status */
+    gss_ctx_id_t *,     /* context_handle */
+    gss_buffer_t);      /* output_token */
+
+
+static OM_uint32 KRB5_CALLCONV
+(*p_gss_wrap)(
+    OM_uint32 *,        /* minor_status */
+    gss_ctx_id_t,       /* context_handle */
+    int,                /* conf_req_flag */
+    gss_qop_t,          /* qop_req */
+    gss_buffer_t,       /* input_message_buffer */
+    int *,              /* conf_state */
+    gss_buffer_t)       /* output_message_buffer */
+   = NULL;
+
+static OM_uint32 KRB5_CALLCONV
+(*p_gss_unwrap)(
+    OM_uint32 *,        /* minor_status */
+    gss_ctx_id_t,       /* context_handle */
+    gss_buffer_t,       /* input_message_buffer */
+    gss_buffer_t,       /* output_message_buffer */
+    int *,              /* conf_state */
+    gss_qop_t *)        /* qop_state */
+   = NULL;
+
+
+static OM_uint32 KRB5_CALLCONV
+(*p_gss_display_status)(
+    OM_uint32 *,        /* minor_status */
+    OM_uint32,          /* status_value */
+    int,                /* status_type */
+    gss_OID,            /* mech_type (used to be const) */
+    OM_uint32 *,        /* message_context */
+    gss_buffer_t)       /* status_string */
+   = NULL;
+
+
+static OM_uint32 KRB5_CALLCONV
+(*p_gss_import_name)(
+    OM_uint32 *,        /* minor_status */
+    gss_buffer_t,       /* input_name_buffer */
+    gss_OID,            /* input_name_type(used to be const) */
+    gss_name_t *)       /* output_name */
+   = NULL;
+
+static OM_uint32 KRB5_CALLCONV
+(*p_gss_release_name)(
+    OM_uint32 *,        /* minor_status */
+    gss_name_t *)       /* input_name */
+   = NULL;
+
+static OM_uint32 KRB5_CALLCONV
+(*p_gss_release_buffer)(
+    OM_uint32 *,        /* minor_status */
+    gss_buffer_t)       /* buffer */
+   = NULL;
+
+static OM_uint32 KRB5_CALLCONV
+(*p_gss_wrap_size_limit)(
+    OM_uint32 *,        /* minor_status */
+    gss_ctx_id_t,       /* context_handle */
+    int,                /* conf_req_flag */
+    gss_qop_t,          /* qop_req */
+    OM_uint32,          /* req_output_size */
+    OM_uint32 *)        /* max_input_size */
+   = NULL;
+
+#if TARGET_OS_MAC
+#    pragma pack(pop)
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+/* XXXX these are not part of the GSSAPI C bindings!  (but should be) */
+
+#define GSS_CALLING_ERROR_FIELD(x) \
+   (((x) >> GSS_C_CALLING_ERROR_OFFSET) & GSS_C_CALLING_ERROR_MASK)
+#define GSS_ROUTINE_ERROR_FIELD(x) \
+   (((x) >> GSS_C_ROUTINE_ERROR_OFFSET) & GSS_C_ROUTINE_ERROR_MASK)
+#define GSS_SUPPLEMENTARY_INFO_FIELD(x) \
+   (((x) >> GSS_C_SUPPLEMENTARY_OFFSET) & GSS_C_SUPPLEMENTARY_MASK)
+
+/* XXXX This is a necessary evil until the spec is fixed */
+#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE
+
+static int tried_load = 0;
+
+static struct symbol_list
+{
+   const char *symname;
+   void **symptr;
+} gssapi_symlist[] =
+{
+   { "gss_init_sec_context", (void **) &p_gss_init_sec_context },
+   { "gss_delete_sec_context", (void **) &p_gss_delete_sec_context },
+   { "gss_release_buffer", (void **) &p_gss_release_buffer },
+   { "gss_release_name", (void **) &p_gss_release_name },
+   { "gss_display_status", (void **) &p_gss_display_status },
+   { "gss_import_name", (void **) &p_gss_import_name },
+   { "gss_wrap", (void **) &p_gss_wrap },
+   { "gss_unwrap", (void **) &p_gss_unwrap },
+   { "gss_wrap_size_limit", (void **) &p_gss_wrap_size_limit },
+   { "GSS_C_NT_HOSTBASED_SERVICE", (void **) &p_GSS_C_NT_HOSTBASED_SERVICE },
+   { NULL, NULL},
+};
+
+static wxDynamicLibrary gsslib;
+static wxString gsslibname =
+#ifdef DEFAULT_GSS_LIBRARY
+   DEFAULT_GSS_LIBRARY ;
+#elif __WXMAC__
+   "/usr/lib/libgssapi_krb5.dylib";
+#elif __WXMSW__
+   "C:\\Program Files\\MIT Kerberos\\GSSAPI32.DLL";
+#else
+   "/usr/lib/libgssapi_krb5.so";
+#endif
+
+static wxString gssloaderr;
+
+static void LogGssError(CControlSocket *psocket, OM_uint32 maj, OM_uint32 min);
+
+bool IsGssLoaded(void)
+{
+   if (! COptions::Get()->GetOptionVal(OPTION_GSS_ENABLE))
+       return false;
+
+   if (!gsslib.IsLoaded() && !tried_load) {
+       tried_load = 1;
+
+       wxString libname = COptions::Get()->GetOption(OPTION_GSS_LIBRARY);
+
+       return LoadGssLibrary(libname.IsEmpty() ? gsslibname : libname);
+   }
+
+   return gsslib.IsLoaded();
+}
+
+bool LoadGssLibrary(const wxString &libname)
+{
+   int i;
+
+   tried_load = 1;
+
+   if (gsslib.IsLoaded()) {
+       gsslib.Unload();
+
+       for (i = 0; gssapi_symlist[i].symname != NULL; i++)
+           *gssapi_symlist[i].symptr = NULL;
+   }
+
+   gsslibname = libname;
+
+#ifdef __WXMSW__
+   /*
+    * On Windows we need to set the DLL path so that the GSSAPI library
+    * can pull in any necessary symbols from other libraries (such as
+    * the Kerberos library).  Set the path based on the directory of
+    * the GSSAPI library.
+    */
+
+   wxFileName dirname(libname);
+   wxString dir = dirname.GetPath();
+
+   SetDllDirectory(dir.t_str());
+#endif
+
+   if (gsslib.Load(gsslibname, wxDL_DEFAULT | wxDL_VERBATIM) == true) {
+       for (i = 0; gssapi_symlist[i].symname != NULL; i++)
+       {
+           *gssapi_symlist[i].symptr =
+               gsslib.GetSymbol(gssapi_symlist[i].symname);
+
+           if (! *gssapi_symlist[i].symptr) {
+               gsslib.Unload();
+               gssloaderr =
+                   wxString::Format("Unable to load "
+                            "symbol %s from "
+                            "library %s",
+                            gssapi_symlist[i].symname,
+                            gsslibname);
+               return false;
+           }
+       }
+   } else {
+       gssloaderr = wxString::Format("Load of %s failed", gsslibname);
+       return false;
+   }
+
+   return true;
+}
+
+wxString GetGssLibraryName(void)
+{
+   return gsslibname;
+}
+
+wxString GetGssLoadError(void)
+{
+   return gssloaderr;
+}
+
+bool GssInitSecContext(CControlSocket *psocket, void **context, void *name,
+              bool delegate, const wxString &input_token,
+              wxString *output_token, bool *complete)
+{
+   OM_uint32 maj_stat, min_stat;
+   gss_buffer_desc recv_token = GSS_C_EMPTY_BUFFER,
+           send_token = GSS_C_EMPTY_BUFFER;
+   wxMemoryBuffer decoded_recv;
+
+   if (! p_gss_init_sec_context)
+   {
+       psocket->LogMessage(MessageType::Error, _("Internal Error: p_gss_init_sec_context is NULL!"));
+       return false;
+   }
+
+   if (input_token.Length() > 0) {
+       decoded_recv = wxBase64Decode(input_token);
+       if (!decoded_recv) {
+           psocket->LogMessage(MessageType::Error, _("Unable to decode base64 data when calling gss_init_sec_context"));
+           return false;
+       }
+
+       recv_token.value = decoded_recv.GetData();
+       recv_token.length = decoded_recv.GetDataLen();
+   }
+
+   maj_stat = p_gss_init_sec_context(&min_stat, GSS_C_NO_CREDENTIAL,
+                     (gss_ctx_id_t *) context,
+                     (gss_name_t) name,
+                     GSS_C_NO_OID,
+                     GSS_C_MUTUAL_FLAG |
+                     GSS_C_REPLAY_FLAG |
+                     (delegate ? GSS_C_DELEG_FLAG : 0), 0,
+                     GSS_C_NO_CHANNEL_BINDINGS,
+                     &recv_token, NULL, &send_token,
+                     NULL, NULL);
+
+   if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
+   {
+       LogGssError(psocket, maj_stat, min_stat);
+       return false;
+   }
+
+   if (complete)
+   {
+       *complete = (maj_stat == GSS_S_COMPLETE) ? true : false;
+   }
+
+   if (send_token.length > 0)
+   {
+       *output_token = wxBase64Encode((char *) send_token.value,
+                          send_token.length);
+       p_gss_release_buffer(&min_stat, &send_token);
+   }
+
+   return true;
+}
+
+bool GssImportName(CControlSocket *psocket, const wxString& name,
+          void **target_ret)
+{
+   OM_uint32 maj_stat, min_stat;
+   gss_buffer_desc name_buf;
+
+   if (!p_gss_import_name || !p_GSS_C_NT_HOSTBASED_SERVICE)
+   {
+       psocket->LogMessage(MessageType::Error, _("Internal Error: p_gss_import_name or p_GSS_C_NT_HOSTBASED_SERVICE is NULL!"));
+       return false;
+   }
+
+   std::string temp = name.ToStdString();
+
+   name_buf.value = (char *) temp.c_str();
+   name_buf.length = name.Length();
+
+   maj_stat = p_gss_import_name(&min_stat, &name_buf,
+                    *p_GSS_C_NT_HOSTBASED_SERVICE,
+                    (gss_name_t *) target_ret);
+
+   if (maj_stat != GSS_S_COMPLETE)
+   {
+       LogGssError(psocket, maj_stat, min_stat);
+       return false;
+   }
+
+   return true;
+}
+
+bool
+GssWrap(CControlSocket *psocket, void *context, bool encrypt,
+   const wxCharBuffer &inbuf, wxString *outbuf)
+{
+   OM_uint32 maj_stat, min_stat;
+   gss_buffer_desc in_wrap, out_wrap = GSS_C_EMPTY_BUFFER;
+   int conf_state;
+   wxMemoryBuffer encbuf;
+
+   if (!p_gss_wrap)
+   {
+       psocket->LogMessage(MessageType::Error, _("Internal Error: p_gss_wrap is NULL!"));
+       return false;
+   }
+
+   in_wrap.value = (char *) inbuf.data();
+   in_wrap.length = inbuf.length() + 1;
+
+   maj_stat = p_gss_wrap(&min_stat, (gss_ctx_id_t) context,
+                 encrypt ? 1 : 0, GSS_C_QOP_DEFAULT, &in_wrap,
+                 &conf_state, &out_wrap);
+
+   if (maj_stat != GSS_S_COMPLETE)
+   {
+       LogGssError(psocket, maj_stat, min_stat);
+       return false;
+   }
+
+   encbuf.AppendData(out_wrap.value, out_wrap.length);
+
+   *outbuf = wxBase64Encode(encbuf);
+
+   p_gss_release_buffer(&min_stat, &out_wrap);
+
+   return true;
+}
+
+bool
+GssWrap(CControlSocket *psocket, void *context, bool encrypt,
+   const unsigned char *inbuf, size_t inbuflen, unsigned char **outbuf,
+   size_t *outbufsize, size_t *outbuflen, size_t offset)
+{
+   OM_uint32 maj_stat, min_stat;
+   gss_buffer_desc in_wrap, out_wrap = GSS_C_EMPTY_BUFFER;
+   int conf_state;
+
+   if (!p_gss_wrap)
+   {
+       psocket->LogMessage(MessageType::Error, _("Internal Error: p_gss_wrap is NULL!"));
+       return false;
+   }
+
+   in_wrap.value = (void *) inbuf;
+   in_wrap.length = inbuflen;
+
+   maj_stat = p_gss_wrap(&min_stat, (gss_ctx_id_t) context,
+                 encrypt ? 1 : 0, GSS_C_QOP_DEFAULT, &in_wrap,
+                 &conf_state, &out_wrap);
+
+   if (maj_stat != GSS_S_COMPLETE)
+   {
+       LogGssError(psocket, maj_stat, min_stat);
+       return false;
+   }
+
+   if (out_wrap.length > *outbufsize + offset) {
+       *outbufsize = out_wrap.length + offset;
+       *outbuf = (unsigned char *) realloc(*outbuf, *outbufsize);
+   }
+
+   memcpy(*outbuf + offset, out_wrap.value, out_wrap.length);
+
+   *outbuflen = out_wrap.length;
+
+   p_gss_release_buffer(&min_stat, &out_wrap);
+
+   return true;
+}
+
+bool
+GssUnwrap(CControlSocket *psocket, void *context, const wxString& inbuf,
+     wxMemoryBuffer *outbuf, bool *encrypt)
+{
+   OM_uint32 maj_stat, min_stat;
+   gss_buffer_desc in_wrap, out_wrap;
+   int conf_level;
+
+   if (!p_gss_unwrap)
+   {
+       psocket->LogMessage(MessageType::Error, _("Internal Error: p_gss_unwrap is NULL!"));
+       return false;
+   }
+
+   wxMemoryBuffer indecbuf = wxBase64Decode(inbuf);
+
+   if (!indecbuf)
+   {
+       psocket->LogMessage(MessageType::Error, _("Unable to base64-decode message response data!"));
+       return false;
+   }
+
+   in_wrap.value = indecbuf.GetData();
+   in_wrap.length = indecbuf.GetDataLen();
+
+   maj_stat = p_gss_unwrap(&min_stat, (gss_ctx_id_t) context, &in_wrap,
+               &out_wrap, &conf_level, NULL);
+
+   if (maj_stat != GSS_S_COMPLETE)
+   {
+       LogGssError(psocket, maj_stat, min_stat);
+       return false;
+   }
+
+   if (encrypt)
+   {
+       *encrypt = conf_level != 0;
+   }
+
+   outbuf->Clear();
+   outbuf->AppendData(out_wrap.value, out_wrap.length);
+
+   p_gss_release_buffer(&min_stat, &out_wrap);
+
+   return true;
+}
+
+bool GssUnwrap(CControlSocket* psocket, void *context, unsigned char *inbuf,
+          size_t inbuflen, unsigned char **outbuf, size_t *outbuflen,
+          size_t *retbufsize)
+{
+   OM_uint32 maj_stat, min_stat;
+   gss_buffer_desc in_wrap, out_wrap;
+   int conf_level;
+
+   if (!p_gss_unwrap)
+   {
+       psocket->LogMessage(MessageType::Error, _("Internal Error: p_gss_unwrap is NULL!"));
+       return false;
+   }
+
+   in_wrap.value = inbuf;
+   in_wrap.length = inbuflen;
+
+   maj_stat = p_gss_unwrap(&min_stat, (gss_ctx_id_t) context, &in_wrap,
+               &out_wrap, &conf_level, NULL);
+
+   if (maj_stat != GSS_S_COMPLETE)
+   {
+       LogGssError(psocket, maj_stat, min_stat);
+       return false;
+   }
+
+   if (out_wrap.length > *outbuflen) {
+       *outbuf = (unsigned char *) realloc(*outbuf, out_wrap.length);
+       *outbuflen = out_wrap.length;
+   }
+
+   memcpy(*outbuf, out_wrap.value, out_wrap.length);
+   *retbufsize = out_wrap.length;
+
+   p_gss_release_buffer(&min_stat, &out_wrap);
+
+   return true;
+}
+
+bool
+GssWrapSizeLimit(CControlSocket *psocket, void *context, size_t output_size,
+        size_t *max_input_size)
+{
+   OM_uint32 maj_stat, min_stat;
+   OM_uint32 req_insize;
+
+   if (!p_gss_wrap_size_limit)
+   {
+       psocket->LogMessage(MessageType::Error, _("Internal Error: p_gss_wrap_size_limit is NULL!"));
+       return false;
+   }
+
+   maj_stat = p_gss_wrap_size_limit(&min_stat, (gss_ctx_id_t) context, 1,
+                    GSS_C_QOP_DEFAULT, output_size,
+                    &req_insize);
+
+   if (maj_stat != GSS_S_COMPLETE)
+   {
+       LogGssError(psocket, maj_stat, min_stat);
+       return false;
+   }
+
+   *max_input_size = req_insize;
+
+   return true;
+}
+
+void
+GssReleaseName(CControlSocket* psocket, void **name)
+{
+   OM_uint32 maj_stat, min_stat;
+
+   if (!p_gss_release_name)
+   {
+       psocket->LogMessage(MessageType::Error, _("Internal Error: p_gss_release_buffer is NULL!"));
+       return;
+   }
+
+   maj_stat = p_gss_release_name(&min_stat, (gss_name_t *) name);
+
+   return;
+}
+
+static void
+LogGssError(CControlSocket *psocket, OM_uint32 maj, OM_uint32 min)
+{
+   OM_uint32 maj_stat, min_stat, message_context = 0;
+   gss_buffer_desc status_string;
+
+   if (!p_gss_display_status)
+   {
+       psocket->LogMessage(MessageType::Error, _("Internal Error: p_gss_display_status is NULL!"));
+       return;
+   }
+
+   do {
+       maj_stat = p_gss_display_status(&min_stat, maj,
+                       GSS_C_GSS_CODE, GSS_C_NO_OID,
+                       &message_context,
+                       &status_string);
+
+       if (maj_stat == GSS_S_COMPLETE)
+       {
+           psocket->LogMessage(MessageType::Error, _T("GSSAPI Error Major Status: %.*s"),
+                       (int) status_string.length,
+                       (char *) status_string.value);
+           p_gss_release_buffer(&min_stat, &status_string);
+       }
+   } while (message_context != 0);
+
+   do {
+       maj_stat = p_gss_display_status(&min_stat, min,
+                       GSS_C_MECH_CODE, GSS_C_NO_OID,
+                       &message_context,
+                       &status_string);
+
+       if (maj_stat == GSS_S_COMPLETE)
+       {
+           psocket->LogMessage(MessageType::Error, _T("GSSAPI Error Minor Status: %.*s"),
+                       (int) status_string.length,
+                       (char *) status_string.value);
+           p_gss_release_buffer(&min_stat, &status_string);
+       }
+   } while (message_context != 0);
+}
diff --git a/src/engine/gsssocket.cpp b/src/engine/gsssocket.cpp
new file mode 100644
index 0000000..938b194
--- /dev/null
+++ b/src/engine/gsssocket.cpp
@@ -0,0 +1,300 @@
+#include <filezilla.h>
+#include "engineprivate.h"
+#include "gsssocket.h"
+#include "ControlSocket.h"
+#include <errno.h>
+
+CGssSocket::CGssSocket(CEventHandler* pEvtHandler, CSocket* pSocket,
+              CControlSocket* pOwner, void *gcontext_in,
+              size_t pbufSize)
+   : CEventHandler(pOwner->event_loop_)
+   , CBackend(pEvtHandler)
+   , m_pOwner(pOwner)
+   , gcontext(gcontext_in)
+   , p_bufSize(pbufSize)
+   , databuffer(NULL)
+   , databuffersize(0)
+   , datainbuffer(0)
+   , encbuffer(NULL)
+   , encbuffersize(0)
+   , encbufferlen(0)
+   , llen(4)
+   , endoffile(false)
+   , writewait(false)
+   , shutdown(false)
+{
+   wxASSERT(pSocket);
+
+   m_pSocket = pSocket;
+   m_pSocketBackend = new CSocketBackend(this, *m_pSocket, m_pOwner->GetEngine().GetRateLimiter());
+   GssWrapSizeLimit(m_pOwner, gcontext, p_bufSize, &maxwrap);
+}
+
+CGssSocket::~CGssSocket()
+{
+   delete m_pSocketBackend;
+   if (databuffer)
+       free(databuffer);
+   if (encbuffer)
+       free(encbuffer);
+}
+
+int
+CGssSocket::Read(void *buffer, unsigned int size, int& error)
+{
+   if (datainbuffer == 0 && !endoffile) {
+       if (!FetchData(error)) {
+           return -1;
+       }
+   }
+
+   if (endoffile == true)
+       return 0;
+
+   unsigned int retsize = datainbuffer > size ? size : datainbuffer;
+
+   memcpy(buffer, dataptr, retsize);
+
+   dataptr += retsize;
+   datainbuffer -= retsize;
+
+   return retsize;
+}
+
+/*
+ * Called to fill the buffer based on how much data we need
+ */
+
+bool CGssSocket::FetchData(int& error)
+{
+   int cc;
+
+   /*
+    * If llen > 0, then that means we need to read length bytes.
+    * If llen == 0, then that means we already have the length, it's
+    * in packetsize, and we can skip that.
+    */
+
+   if (llen > 0) {
+
+       /*
+                 * According to RFC 2228, each packet is prefixed by 4
+                 * bytes which contains the length of the data.  We're
+                 * just going to hardcode this as "4" right now.
+        */
+
+       while (llen > 0) {
+           cc = m_pSocketBackend->Read(lenbytes + 4 - llen,
+                           llen, error);
+
+           if (cc == 0) {
+               error = ECONNABORTED;
+               return false;
+           }
+
+           if (cc < 0) {
+               return false;
+           }
+
+           llen -= cc;
+       }
+
+       packetsize = (lenbytes[0] << 24) + (lenbytes[1] << 16) +
+                (lenbytes[2] << 8) + lenbytes[3];
+
+       if (packetsize > encbuffersize) {
+           encbuffer = (unsigned char *) realloc(encbuffer,
+                                 packetsize);
+           encbuffersize = packetsize;
+       }
+
+       encbufferlen = 0;
+   }
+
+   while (encbufferlen < packetsize) {
+       cc = m_pSocketBackend->Read(encbuffer + encbufferlen,
+                       packetsize - encbufferlen, error);
+       if (cc <= 0)
+           return false;
+
+       encbufferlen += cc;
+   }
+
+   /*
+    * Should be a full GSS packet of data now
+    */
+
+   if (!GssUnwrap(m_pOwner, gcontext, encbuffer, packetsize, &databuffer,
+              &databuffersize, &datainbuffer)) {
+       error = EIO;
+       return false;
+   }
+
+   dataptr = databuffer;
+   llen = 4;
+
+   /*
+    * An EOF is encoded by a packet with no data
+    */
+
+   if (datainbuffer == 0)
+       endoffile = true;
+
+   return true;
+}
+
+void CGssSocket::operator()(CEventBase const& ev)
+{
+   Dispatch<CSocketEvent>(ev, this, &CGssSocket::OnSocketEvent);
+}
+
+void CGssSocket::OnSocketEvent(CSocketEventSource*, SocketEventType t, int error)
+{
+   switch (t)
+   {
+   case SocketEventType::read:
+   {
+       m_pEvtHandler->SendEvent<CSocketEvent>(this, SocketEventType::read, 0);
+       break;
+   }
+   case SocketEventType::write:
+   {
+       int ret = 0;
+
+       if (writewait)
+           ret = PushData();
+
+       if (ret == 0) {
+           m_pEvtHandler->SendEvent<CSocketEvent>(this, SocketEventType::write, 0);
+       }
+
+       break;
+   }
+   default:
+       break;
+   }
+}
+
+int CGssSocket::PushData(void)
+{
+   int cc, error;
+
+   if (!writewait)
+       return 0;
+
+   while (datainbuffer > 0) {
+       cc = m_pSocketBackend->Write(dataptr, datainbuffer, error);
+
+       if (cc < 0) {
+           if (error != EAGAIN)
+               endoffile = true;
+           return error;
+       }
+
+       if (cc == 0) {
+           return EIO;
+       }
+
+       dataptr += cc;
+       datainbuffer -= cc;
+   }
+
+   if (datainbuffer == 0)
+       writewait = false;
+
+   return 0;
+}
+
+int CGssSocket::Write(const void *buffer, unsigned int len, int& error)
+{
+   size_t bytestowrite;
+   int cc;
+
+   if (endoffile) {
+       error = ENOTCONN;
+       return -1;
+   }
+
+   if (writewait) {
+       error = EAGAIN;
+       return -1;
+   }
+
+   bytestowrite = len > maxwrap ? maxwrap : len;
+
+   if (!GssWrap(m_pOwner, gcontext, true, (unsigned char *) buffer,
+            bytestowrite, &databuffer, &databuffersize,
+            &datainbuffer, 4)) {
+       error = EIO;
+       return -1;
+   }
+
+   /*
+    * Prefix the buffer with the length, and bump our length to include
+    * the buffer prefix.
+    */
+
+   databuffer[0] = (datainbuffer >> 24) & 0xff;
+   databuffer[1] = (datainbuffer >> 16) & 0xff;
+   databuffer[2] = (datainbuffer >> 8) & 0xff;
+   databuffer[3] = datainbuffer & 0xff;
+
+   datainbuffer += 4;
+
+   dataptr = databuffer;
+
+   while (datainbuffer > 0) {
+       cc = m_pSocketBackend->Write(dataptr, datainbuffer, error);
+
+       if (cc <= 0) {
+           if (cc < 0 && error != EAGAIN)
+               return -1;
+           writewait = true;
+           break;
+       }
+
+       dataptr += cc;
+       datainbuffer -= cc;
+   }
+
+   /*
+    * If data is queued by us, we need to tell the upper layers that
+    * we've "written" it all, so we don't get it again.  So always
+    * return bytestowrite at this point.
+    */
+
+   return bytestowrite;
+}
+
+int CGssSocket::Shutdown(void)
+{
+   int error;
+
+   if (shutdown && writewait)
+       return EAGAIN;
+
+   /*
+    * At the end of our write, we should encode a GSS packet with
+    * a zero length.
+    */
+
+   shutdown = true;
+
+   if (Write(NULL, 0, error) < 0)
+       return error;
+
+   return 0;
+}
+
+/*
+ * All stubs for now
+ */
+
+void CGssSocket::OnRateAvailable(enum CRateLimiter::rate_direction)
+{
+}
+
+int CGssSocket::Peek(void *buffer, unsigned int len, int& error)
+{
+   return 0;
+}
diff --git a/src/engine/gsssocket.h b/src/engine/gsssocket.h
new file mode 100644
index 0000000..2017724
--- /dev/null
+++ b/src/engine/gsssocket.h
@@ -0,0 +1,53 @@
+#ifndef __GSSSOCKET_H__
+#define __GSSSOCKET_H__
+
+#include "gssinterface.h"
+#include "backend.h"
+#include "socket.h"
+
+class CControlSocket;
+class CGssSocket : protected CEventHandler, public CBackend
+{
+public:
+   CGssSocket(CEventHandler *pEvtHandler, CSocket *psocket,
+          CControlSocket *pOwner, void *gcontext_in, size_t pbsz);
+   virtual ~CGssSocket();
+
+   virtual int Read(void *buffer, unsigned int size, int& error);
+   virtual int Peek(void *buffer, unsigned int size, int& error);
+   virtual int Write(const void *buffer, unsigned int size, int& error);
+   virtual int Shutdown(void);
+
+protected:
+   bool FetchData(int& error);
+   int PushData(void);
+   void OnSocketEvent(CSocketEventSource*, SocketEventType, int);
+   virtual void OnRateAvailable(enum CRateLimiter::rate_direction direction);
+   virtual void operator()(CEventBase const& ev);
+
+   CSocketBackend* m_pSocketBackend;
+   CControlSocket* m_pOwner;
+   CSocket* m_pSocket;
+   void *gcontext;
+   size_t p_bufSize;       /* PBSZ from connection */
+   size_t maxwrap;         /* Max size of data to gss_wrap */
+
+   /*
+    * We use "databuffer" to hold network data for reading and writing
+    */
+
+   unsigned char *databuffer;  /* Decrypted data buffer */
+   unsigned char *dataptr;     /* Ptr to next data to be read */
+   size_t databuffersize;      /* Size of databuffer */
+   size_t datainbuffer;        /* # of bytes in databuffer */
+   unsigned int packetsize;    /* Size of encrypted packet */
+   unsigned char *encbuffer;   /* Encrypted buffer */
+   size_t encbuffersize;       /* Size of encrypted buffer */
+   size_t encbufferlen;        /* # of bytes in encrypted buffer */
+   unsigned char lenbytes[4];  /* Buffer for length bytes */
+   unsigned int llen;      /* Remaining bytes to fill lenbytes */
+   bool endoffile;         /* Set to true if the net is closed */
+   bool writewait;         /* True if waiting to write */
+   bool shutdown;          /* True if shutting down */
+};
+#endif /* __GSSSOCKET_H__ */
diff --git a/src/engine/transfersocket.cpp b/src/engine/transfersocket.cpp
index 65d79e6..af08d3d 100644
--- a/src/engine/transfersocket.cpp
+++ b/src/engine/transfersocket.cpp
@@ -5,6 +5,7 @@
 #include "iothread.h"
 #include "optionsbase.h"
 #include "tlssocket.h"
+#include "gsssocket.h"
 #include "transfersocket.h"
 #include "proxy.h"
 #include "servercapabilities.h"
@@ -39,12 +40,17 @@ void CTransferSocket::ResetSocket()
    if( m_pBackend == m_pTlsSocket ) {
        m_pBackend = 0;
    }
+   if (m_pBackend == m_pGssSocket) {
+       m_pBackend = 0;
+   }
    delete m_pTlsSocket;
+   delete m_pGssSocket;
    delete m_pBackend;
    delete m_pSocketServer;
    delete m_pSocket;
    m_pProxyBackend = 0;
    m_pTlsSocket = 0;
+   m_pGssSocket = 0;
    m_pBackend = 0;
    m_pSocketServer = 0;
    m_pSocket = 0;
@@ -430,6 +436,13 @@ void CTransferSocket::OnClose(int error)
            else
                TransferEnd(TransferEndReason::successful);
        }
+       else if (m_shutdown && m_pGssSocket)
+       {
+           if (m_pGssSocket->Shutdown() != 0)
+               TransferEnd(TransferEndReason::transfer_failure);
+           else
+               TransferEnd(TransferEndReason::successful);
+       }
        else
            TransferEnd(TransferEndReason::transfer_failure);
        return;
@@ -637,10 +650,12 @@ bool CTransferSocket::CheckGetNextReadBuffer()
            return false;
        }
        else if (res == IO_Success) {
-           if (m_pTlsSocket) {
+           if (m_pTlsSocket || m_pGssSocket) {
                m_shutdown = true;

-               int error = m_pTlsSocket->Shutdown();
+               int error = m_pTlsSocket ?
+                   m_pTlsSocket->Shutdown() :
+                   m_pGssSocket->Shutdown();
                if (error != 0) {
                    if (error != EAGAIN)
                        TransferEnd(TransferEndReason::transfer_failure);
@@ -714,6 +729,16 @@ bool CTransferSocket::InitTls(const CTlsSocket* pPrimaryTlsSocket)
    return true;
 }

+bool CTransferSocket::InitGss()
+{
+   m_pGssSocket = new CGssSocket(this, m_pSocket, &controlSocket_,
+                     controlSocket_.gcontext,
+                     controlSocket_.m_protBufferSize);
+
+   m_pBackend = m_pGssSocket;
+   return true;
+}
+
 void CTransferSocket::TriggerPostponedEvents()
 {
    wxASSERT(m_bActive);
@@ -742,7 +767,13 @@ bool CTransferSocket::InitBackend()
        return true;

    if (controlSocket_.m_protectDataChannel) {
-       if (!InitTls(controlSocket_.m_pTlsSocket))
+       bool ret;
+       if (controlSocket_.gcontext) {
+           ret = InitGss();
+       } else {
+           ret = InitTls(controlSocket_.m_pTlsSocket);
+       }
+       if (!ret)
            return false;
    }
    else
diff --git a/src/engine/transfersocket.h b/src/engine/transfersocket.h
index ec537c7..46e49d5 100644
--- a/src/engine/transfersocket.h
+++ b/src/engine/transfersocket.h
@@ -19,6 +19,7 @@ enum class TransferMode

 class CIOThread;
 class CTlsSocket;
+class CGssSocket;
 class CTransferSocket final : public CEventHandler
 {
 public:
@@ -47,6 +48,7 @@ protected:

    bool InitBackend();
    bool InitTls(const CTlsSocket* pPrimaryTlsSocket);
+   bool InitGss();

    void ResetSocket();

@@ -98,6 +100,8 @@ protected:
    CTlsSocket* m_pTlsSocket{};
    bool m_shutdown{};

+   CGssSocket* m_pGssSocket{};
+
    // Needed for the madeProgress field in CTransferStatus
    // Initially 0, 2 if made progress
    // On uploads, 1 after first WSAE_WOULDBLOCK
diff --git a/src/include/Makefile.am b/src/include/Makefile.am
index 60a3e46..8fad5a3 100644
--- a/src/include/Makefile.am
+++ b/src/include/Makefile.am
@@ -10,6 +10,7 @@ noinst_HEADERS = \
    event_loop.h \
    externalipresolver.h \
    FileZillaEngine.h \
+   gssinterface.h \
    libfilezilla.h \
    local_filesys.h \
    local_path.h \
diff --git a/src/include/gssinterface.h b/src/include/gssinterface.h
new file mode 100644
index 0000000..c90bc0c
--- /dev/null
+++ b/src/include/gssinterface.h
@@ -0,0 +1,142 @@
+#ifndef __GSSINTERFACE_H__
+#define __GSSINTERFACE_H__
+
+class CControlSocket;
+
+/*
+ * Return 'true' if the GSSAPI library has loaded successfully.  Will
+ * attempt to load it if it is not already loaded.
+ */
+
+bool IsGssLoaded(void);
+
+/*
+ * Load the GSS Library.  If one is currently loaded, unload the old library
+ * first.  Returns 'true' if load was successful, 'false' if not.
+ */
+
+bool LoadGssLibrary(const wxString &);
+
+/*
+ * Return the name of the currently configured GSS library
+ */
+
+wxString GetGssLibraryName(void);
+
+/*
+ * Return the last error we got when we tried to load the module
+ */
+
+wxString GetGssLoadError(void);
+
+/*
+ * Import a name via gss_import_name().  Takes target name (service@host)
+ * as input, returns a gss_name_t.  Returns false on failure.
+ */
+
+bool GssImportName(CControlSocket *psocket, const wxString& , void **);
+
+/*
+ * Call gss_init_sec_context.  Arguments are:
+ *
+ * psocket - Connection control socket (for logging)
+ * context - Returned/modified gss_ctx_id_t.  Should be NULL at first
+ *       call.
+ * name        - Target name (from gss_import_name)
+ * delegate    - if 'true', delegate credentials
+ * input_token - Base64-encoded input token
+ * output_token    - Base64-encoded output token
+ * complete    - Return 'true' if function returned GSS_S_COMPLETE
+ *
+ * Returns false on failure.
+ */
+
+bool GssInitSecContext(CControlSocket* psocket, void **context,
+              void *name, bool delegate, const wxString &input_token,
+              wxString *output_token, bool *complete);
+
+/*
+ * Call gss_wrap on data to perform encryption/integrity protection.
+ * Arguments are:
+ *
+ * psocket - Connection control socket (for logging)
+ * context - gss_ctx_id_t from gss_init_sec_context.
+ * encrypt - set to 'true' if performing encryption.
+ * inbuf   - Input data
+ * outbuf  - Base64-encoded output data
+ *
+ * Returns false on failure.
+ */
+
+bool GssWrap(CControlSocket* psocket, void *context, bool encrypt,
+        const wxCharBuffer& inbuf, wxString *outbuf);
+
+/*
+ * Alternate version of GssWrap that does not perform any base64 encoding
+ *
+ * Similar arguments as above, except that outbuf can be reallocated if
+ * it is not big enough (buffer size is passed in via *outbufsize).
+ *
+ * Offset is a "buffer offset" in case you need to do something like prepend
+ * length
+ */
+
+bool GssWrap(CControlSocket* psocket, void *context, bool encrypt,
+        const unsigned char *inbuf, size_t inbuflen,
+        unsigned char **outbuf, size_t *outbufsize, size_t *outbuflen,
+        size_t offset);
+
+/*
+ * Call gss_unwrap on data to perform decryption/integrity verification.
+ * Arguments are:
+ *
+ * psocket - Connection control socket (for logging)
+ * context - gss_ctx_id_t from gss_init_sec_context.
+ * inbuf   - Base64-encoded input data
+ * outbuf  - Output data
+ * encrypted   - Will be set to 'true' if data was encrypted
+ *
+ * Returns false on failure.
+ */
+
+bool GssUnwrap(CControlSocket* psocket, void *context, const wxString& inbuf,
+          wxMemoryBuffer *outbuf, bool *encrypted);
+
+/*
+ * Alternate version of gss_unwrap which does not perform base64 decoding.
+ *
+ * Similar arguments to above function, except outbuf can be reallocated
+ * if size isn't big enough.
+ */
+
+bool GssUnwrap(CControlSocket* psocket, void *context, unsigned char *inbuf,
+          size_t inbuflen, unsigned char **outbuf, size_t *outbuflen,
+          size_t *retbufsize);
+
+/*
+ * Call gss_release_name to release a name buffer
+ * Arguments are:
+ *
+ * psocket - Connection control socket (for logging)
+ * name        - Pointer to name buffer to release
+ *
+ */
+
+void GssReleaseName(CControlSocket* psocket, void **name);
+
+/*
+ * Call gss_wrap_size_limit to determine the maximum amount of unencrypted
+ * data we can send given an encrypted buffer size.
+ * Arguments are:
+
+ * psocket     - Connection control socket (for logging)
+ * context     - gss_ctx_id_t from gss_init_sec_context.
+ * output_size     - Requested output size
+ * max_input_size  - Maximum input size
+ *
+ * Returns false on failure.
+ */
+
+bool GssWrapSizeLimit(CControlSocket* psocket, void *context,
+             size_t output_size, size_t *max_input_size);
+#endif /* __GSSINTERFACE_H__ */
diff --git a/src/include/option_change_event_handler.h b/src/include/option_change_event_handler.h
index 3ebb6fd..37734c7 100644
--- a/src/include/option_change_event_handler.h
+++ b/src/include/option_change_event_handler.h
@@ -8,7 +8,7 @@
 class COptions;

 enum {
-   changed_options_size = 128
+   changed_options_size = 256
 };

 typedef std::bitset<changed_options_size> changed_options_t;
diff --git a/src/include/optionsbase.h b/src/include/optionsbase.h
index 8b3266d..9e668f4 100644
--- a/src/include/optionsbase.h
+++ b/src/include/optionsbase.h
@@ -33,6 +33,11 @@ enum engineOptions

    OPTION_ALLOW_TRANSFERMODEFALLBACK, // If PORT fails, allow PASV and vice versa

+   OPTION_GSS_ENABLE,
+   OPTION_GSS_LIBRARY,
+   OPTION_GSS_ENCRYPTDATACHAN,
+   OPTION_GSS_PROTBUFSIZE,
+
    OPTION_RECONNECTCOUNT,
    OPTION_RECONNECTDELAY,

diff --git a/src/interface/Makefile.am b/src/interface/Makefile.am
index 91b2f00..94e7e9b 100644
--- a/src/interface/Makefile.am
+++ b/src/interface/Makefile.am
@@ -80,6 +80,7 @@ filezilla_SOURCES = aboutdialog.cpp \
        settings/optionspage_filelists.cpp \
        settings/optionspage_filetype.cpp \
        settings/optionspage_ftpproxy.cpp \
+       settings/optionspage_gssauth.cpp \
        settings/optionspage_interface.cpp \
        settings/optionspage_language.cpp \
        settings/optionspage_logging.cpp \
diff --git a/src/interface/Options.cpp b/src/interface/Options.cpp
index f718614..b75acdb 100644
--- a/src/interface/Options.cpp
+++ b/src/interface/Options.cpp
@@ -76,6 +76,10 @@ static const t_Option options[OPTIONS_NUM] =
    { "Logging Raw Listing", number, _T("0"), normal },
    { "fzsftp executable", string, _T(""), internal },
    { "Allow transfermode fallback", number, _T("1"), normal },
+   { "Enable GSSAPI Authentication", number, _T("1"), normal },
+   { "GSSAPI library name", string, _T(""), normal },
+   { "GSSAPI data channel encrypt", number, _T("0"), normal },
+   { "GSSAPI protection buffer size", number, _T("65536"), normal },
    { "Reconnect count", number, _T("2"), normal },
    { "Reconnect delay", number, _T("5"), normal },
    { "Enable speed limits", number, _T("0"), normal },
diff --git a/src/interface/resources/xrc/settings.xrc b/src/interface/resources/xrc/settings.xrc
index c4b9af6..f5b116e 100644
--- a/src/interface/resources/xrc/settings.xrc
+++ b/src/interface/resources/xrc/settings.xrc
@@ -607,6 +607,109 @@
       </object>
     </object>
   </object>
+  <object class="wxPanel" name="ID_SETTINGS_CONNECTION_FTP_GSSAPI">
+    <object class="wxBoxSizer">
+      <orient>wxVERTICAL</orient>
+      <object class="sizeritem">
+        <object class="wxStaticBoxSizer">
+          <label>GSSAPI Authentication</label>
+          <orient>wxVERTICAL</orient>
+          <object class="sizeritem">
+       <flag>wxGROW</flag>
+            <object class="wxFlexGridSizer">
+              <orient>wxVERTICAL</orient>
+              <cols>1</cols>
+              <vgap>5</vgap>
+         <growablecols>0</growablecols>
+              <object class="sizeritem">
+                <object class="wxCheckBox" name="ID_ENABLEGSSAPI">
+                  <label>Enable GSSAPI Authentication</label>
+                </object>
+              </object>
+         <object class="sizeritem">
+       <flag>wxGROW</flag>
+                <object class="wxBoxSizer">
+                  <orient>wxHORIZONTAL</orient>
+         <hgap>3</hgap>
+         <object class="sizeritem">
+           <object class="wxStaticText">
+             <label>GSSAPI Plugin:</label>
+           </object>
+           <flag>wxALIGN_CENTER_VERTICAL</flag>
+         </object>
+                  <object class="sizeritem">
+                    <object class="wxTextCtrl" name="ID_GSSPLUGINNAME"/>
+                    <flag>wxALIGN_CENTRE_VERTICAL|wxGROW</flag>
+           <option>1</option>
+                  </object>
+                  <object class="sizeritem">
+                    <object class="wxButton" name="ID_BROWSEGSSPLUGIN">
+                      <label>&amp;Browse...</label>
+                    </object>
+                    <flag>wxALIGN_CENTRE_VERTICAL</flag>
+                  </object>
+         <flag>wxGROW</flag>
+                </object>
+              </object>
+         <object class="sizeritem">
+           <flag>wxGROW</flag>
+           <object class="wxBoxSizer">
+         <orient>wxHORIZONTAL</orient>
+         <object class="sizeritem">
+           <object class="wxStaticText">
+             <label>Module status:</label>
+           </object>
+         </object>
+         <object class="sizeritem">
+           <flag>wxGROW</flag>
+           <option>1</option>
+           <object class="wxStaticText" name="ID_GSSMODSTATUS"/>
+         </object>
+       </object>
+         </object>
+         <object class="sizeritem">
+           <object class="wxStaticText">
+         <label>Note: the following settings only apply to new connections, not existing ones</label>
+       </object>
+         </object>
+              <object class="sizeritem">
+                <object class="wxCheckBox" name="ID_ENABLEGSSDATAENCRYPT">
+                  <label>Enable Data Channel Encryption</label>
+                </object>
+              </object>
+         <object class="sizeritem">
+                <object class="wxFlexGridSizer">
+                  <cols>3</cols>
+                  <object class="sizeritem">
+                    <object class="wxStaticText">
+                      <label>Encrypted buffer size:</label>
+                    </object>
+                    <flag>wxALIGN_CENTRE_VERTICAL</flag>
+                  </object>
+                  <object class="sizeritem">
+                    <object class="wxTextCtrl" name="ID_GSSPROTBUFSIZE">
+                      <size>34,-1d</size>
+                    </object>
+                    <flag>wxALIGN_CENTRE_VERTICAL</flag>
+                  </object>
+                  <hgap>4</hgap>
+                  <object class="sizeritem">
+                    <object class="wxStaticText">
+                      <label>(32768-1048576)</label>
+                    </object>
+                    <flag>wxALIGN_CENTRE_VERTICAL</flag>
+                  </object>
+                </object>
+         </object>
+            </object>
+            <flag>wxLEFT|wxRIGHT|wxBOTTOM</flag>
+            <border>4</border>
+          </object>
+        </object>
+        <flag>wxGROW</flag>
+      </object>
+    </object>
+  </object>
   <object class="wxPanel" name="ID_SETTINGS_CONNECTION_SFTP">
     <object class="wxFlexGridSizer">
       <cols>2</cols>
diff --git a/src/interface/settings/optionspage_gssauth.cpp b/src/interface/settings/optionspage_gssauth.cpp
new file mode 100644
index 0000000..9f96e5f
--- /dev/null
+++ b/src/interface/settings/optionspage_gssauth.cpp
@@ -0,0 +1,129 @@
+#include <filezilla.h>
+
+#include "../Options.h"
+#include "settingsdialog.h"
+#include "optionspage.h"
+#include "optionspage_gssauth.h"
+#include "gssinterface.h"
+
+BEGIN_EVENT_TABLE(COptionsPageGssAuth, COptionsPageGssAuth::COptionsPage)
+EVT_CHECKBOX(XRCID("ID_ENABLEGSSAPI"), COptionsPageGssAuth::OnGssSettingChanged)
+EVT_CHECKBOX(XRCID("ID_ENABLEGSSDATAENCRYPT"), COptionsPageGssAuth::OnGssSettingChanged)
+EVT_BUTTON(XRCID("ID_BROWSEGSSPLUGIN"), COptionsPageGssAuth::OnBrowse)
+END_EVENT_TABLE()
+
+bool COptionsPageGssAuth::LoadPage()
+{
+   bool failure = false;
+   wxString libname;
+
+   SetCheckFromOption(XRCID("ID_ENABLEGSSAPI"), OPTION_GSS_ENABLE,
+              failure);
+
+   libname = m_pOptions->GetOption(OPTION_GSS_LIBRARY);
+
+   if (libname.IsEmpty()) {
+       libname = GetGssLibraryName();
+   }
+
+   SetText(XRCID("ID_GSSPLUGINNAME"), libname, failure);
+
+   SetCheckFromOption(XRCID("ID_ENABLEGSSDATAENCRYPT"),
+              OPTION_GSS_ENCRYPTDATACHAN, failure);
+
+   SetTextFromOption(XRCID("ID_GSSPROTBUFSIZE"), OPTION_GSS_PROTBUFSIZE,
+             failure);
+
+   if (!failure)
+       SetCtrlState();
+
+   return !failure;
+}
+
+bool COptionsPageGssAuth::SavePage()
+{
+   SetOptionFromCheck(XRCID("ID_ENABLEGSSAPI"), OPTION_GSS_ENABLE);
+   SetOptionFromText(XRCID("ID_GSSPLUGINNAME"), OPTION_GSS_LIBRARY);
+   SetOptionFromCheck(XRCID("ID_ENABLEGSSDATAENCRYPT"),
+              OPTION_GSS_ENCRYPTDATACHAN);
+   SetOptionFromText(XRCID("ID_GSSPROTBUFSIZE"), OPTION_GSS_PROTBUFSIZE);
+
+   return true;
+}
+
+bool COptionsPageGssAuth::Validate()
+{
+   wxTextCtrl *pTextCtrl = XRCCTRL(*this, "ID_GSSPLUGINNAME", wxTextCtrl);
+
+   if (pTextCtrl->IsModified()) {
+       pTextCtrl->SetModified(false);
+       LoadGssLibrary(pTextCtrl->GetValue());
+   }
+
+   wxTextCtrl *pProtBufSz = XRCCTRL(*this, "ID_GSSPROTBUFSIZE", wxTextCtrl);
+
+   long protbufsz;
+
+   if (!pProtBufSz->GetValue().ToLong(&protbufsz) ||
+       protbufsz < 32768 || protbufsz > 1048576)
+       return DisplayError(pProtBufSz, _("Encryption buffer size must be between 32768 and 1048576."));
+
+   return true;
+}
+
+void COptionsPageGssAuth::OnBrowse(wxCommandEvent& event)
+{
+   wxFileDialog dlg(this, _("Select GSS library"), wxString(),
+            GetGssLibraryName(),
+#ifdef __WXMSW__
+       _T("Dynamic link library (*.dll)|*.dll"),
+#elif __WXMAC__
+       _T("Shared library (*.dylib)|*.dylib;public.unix-executable"),
+#else
+       wxFileSelectorDefaultWildcardStr,
+#endif
+       wxFD_OPEN | wxFD_FILE_MUST_EXIST);
+
+   if (dlg.ShowModal() != wxID_OK)
+       return;
+
+   XRCCTRL(*this, "ID_GSSPLUGINNAME", wxTextCtrl)->ChangeValue(dlg.GetPath());
+
+   XRCCTRL(*this, "ID_GSSPLUGINNAME", wxTextCtrl)->SetModified(true);
+
+   SetCtrlState();
+}
+
+void COptionsPageGssAuth::OnGssSettingChanged(wxCommandEvent& event)
+{
+   SetCtrlState();
+}
+
+void COptionsPageGssAuth::SetCtrlState()
+{
+   bool enabled = XRCCTRL(*this, "ID_ENABLEGSSAPI", wxCheckBox)->GetValue();
+   wxTextCtrl *pTextCtrl = XRCCTRL(*this, "ID_GSSPLUGINNAME", wxTextCtrl);
+   pTextCtrl->Enable(enabled);
+
+   XRCCTRL(*this, "ID_BROWSEGSSPLUGIN", wxButton)->Enable(enabled);
+
+   if (!enabled) {
+       XRCCTRL(*this, "ID_GSSMODSTATUS", wxStaticText)->SetLabel(_("Disabled"));
+   } else {
+       if (pTextCtrl->IsModified()) {
+           pTextCtrl->SetModified(false);
+           LoadGssLibrary(pTextCtrl->GetValue());
+       }
+       if (IsGssLoaded()) {
+           XRCCTRL(*this, "ID_GSSMODSTATUS", wxStaticText)->SetLabel(_("Loaded successfully"));
+       } else {
+           XRCCTRL(*this, "ID_GSSMODSTATUS", wxStaticText)->SetLabel(GetGssLoadError());
+       }
+   }
+
+   wxCheckBox *pDataEncCtrl = XRCCTRL(*this, "ID_ENABLEGSSDATAENCRYPT", wxCheckBox);
+   bool enabledDataEnc = pDataEncCtrl->GetValue();
+   pDataEncCtrl->Enable(enabled);
+
+   XRCCTRL(*this, "ID_GSSPROTBUFSIZE", wxTextCtrl)->Enable(enabled && enabledDataEnc);
+}
diff --git a/src/interface/settings/optionspage_gssauth.h b/src/interface/settings/optionspage_gssauth.h
new file mode 100644
index 0000000..2e6b17a
--- /dev/null
+++ b/src/interface/settings/optionspage_gssauth.h
@@ -0,0 +1,18 @@
+#ifndef __OPTIONSPAGE_GSSAUTH_H__
+#define __OPTIONSPAGE_GSSAUTH_H__
+
+class COptionsPageGssAuth : public COptionsPage
+{
+public:
+   virtual wxString GetResourceName() { return _T("ID_SETTINGS_CONNECTION_FTP_GSSAPI"); }
+   virtual bool LoadPage();
+   virtual bool SavePage();
+   virtual bool Validate();
+
+protected:
+   DECLARE_EVENT_TABLE()
+   void OnGssSettingChanged(wxCommandEvent& event);
+   void OnBrowse(wxCommandEvent& event);
+   void SetCtrlState();
+};
+#endif //__OPTIONSPAGE_GSSAUTH_H__
diff --git a/src/interface/settings/settingsdialog.cpp b/src/interface/settings/settingsdialog.cpp
index 69490b6..4d0611f 100644
--- a/src/interface/settings/settingsdialog.cpp
+++ b/src/interface/settings/settingsdialog.cpp
@@ -7,6 +7,7 @@
 #include "optionspage_connection_active.h"
 #include "optionspage_connection_passive.h"
 #include "optionspage_ftpproxy.h"
+#include "optionspage_gssauth.h"
 #include "optionspage_connection_sftp.h"
 #include "optionspage_filetype.h"
 #include "optionspage_fileexists.h"
@@ -94,6 +95,7 @@ bool CSettingsDialog::LoadPages()
    AddPage(_("Active mode"), new COptionsPageConnectionActive, 2);
    AddPage(_("Passive mode"), new COptionsPageConnectionPassive, 2);
    AddPage(_("FTP Proxy"), new COptionsPageFtpProxy, 2);
+   AddPage(_("GSSAPI Auth"), new COptionsPageGssAuth, 2);
    AddPage(_("SFTP"), new COptionsPageConnectionSFTP, 1);
    AddPage(_("Generic proxy"), new COptionsPageProxy, 1);
    AddPage(_("Transfers"), new COptionsPageTransfer, 0);