From ba7b65f95736c5fbef3ccfaeb945273379e003ee Mon Sep 17 00:00:00 2001
From: penpal <unameme@proton.me>
Date: Fri, 15 May 2026 23:38:29 +0545
Subject: [PATCH] sspi: clear SSPI credentials on AcquireCredentialsHandle
 failure

- Clear credentials on AcquireCredentialsHandle failure so it is not
  used on a subsequent call.

SSPI initialization may evaluate the credentials pointer to determine
whether or not a prior call to AcquireCredentialsHandle was successful,
therefore we must clear it on a failed call.

Closes https://github.com/curl/curl/pull/21642
---
 lib/vauth/krb5_sspi.c   | 5 ++++-
 lib/vauth/ntlm_sspi.c   | 5 ++++-
 lib/vauth/spnego_sspi.c | 5 ++++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/lib/vauth/krb5_sspi.c b/lib/vauth/krb5_sspi.c
index 506ee759df..b41d0bcbad 100644
--- a/lib/vauth/krb5_sspi.c
+++ b/lib/vauth/krb5_sspi.c
@@ -154,8 +154,11 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data,
                                  SECPKG_CRED_OUTBOUND, NULL,
                                  krb5->p_identity, NULL, NULL,
                                  krb5->credentials, NULL);
-    if(status != SEC_E_OK)
+    if(status != SEC_E_OK) {
+      curlx_free(krb5->credentials);
+      krb5->credentials = NULL;
       return CURLE_LOGIN_DENIED;
+    }
 
     /* Allocate our new context handle */
     krb5->context = curlx_calloc(1, sizeof(CtxtHandle));
diff --git a/lib/vauth/ntlm_sspi.c b/lib/vauth/ntlm_sspi.c
index 354b31882b..06e3ec5ddf 100644
--- a/lib/vauth/ntlm_sspi.c
+++ b/lib/vauth/ntlm_sspi.c
@@ -139,8 +139,11 @@ CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data,
                                      SECPKG_CRED_OUTBOUND, NULL,
                                      ntlm->p_identity, NULL, NULL,
                                      ntlm->credentials, NULL);
-  if(status != SEC_E_OK)
+  if(status != SEC_E_OK) {
+    curlx_free(ntlm->credentials);
+    ntlm->credentials = NULL;
     return CURLE_LOGIN_DENIED;
+  }
 
   /* Allocate our new context handle */
   ntlm->context = curlx_calloc(1, sizeof(CtxtHandle));
diff --git a/lib/vauth/spnego_sspi.c b/lib/vauth/spnego_sspi.c
index d591bd5339..8ba2316d88 100644
--- a/lib/vauth/spnego_sspi.c
+++ b/lib/vauth/spnego_sspi.c
@@ -159,8 +159,11 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
                                 SECPKG_CRED_OUTBOUND, NULL,
                                 nego->p_identity, NULL, NULL,
                                 nego->credentials, NULL);
-    if(nego->status != SEC_E_OK)
+    if(nego->status != SEC_E_OK) {
+      curlx_free(nego->credentials);
+      nego->credentials = NULL;
       return CURLE_AUTH_ERROR;
+    }
 
     /* Allocate our new context handle */
     nego->context = curlx_calloc(1, sizeof(CtxtHandle));