spnego/sspi: block NTLM via PackageList exclusion

Use the SEC_WINNT_AUTH_IDENTITY_EX PackageList field to pass '!ntlm' to the Negotiate SSP, preventing NTLM from being selected during SPNEGO negotiation on Windows. Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
2026-06-02 20:04:15 +03:00 · 2026-04-14 13:51:23 +01:00 · 2026-04-14 13:51:23 +01:00 · 25a742e6e4
commit 25a742e6e4
parent 9ba4ddbc76
1 changed files with 21 additions and 0 deletions
--- a/lib/vauth/spnego_sspi.c
+++ b/lib/vauth/spnego_sspi.c
@ -146,6 +146,27 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
      /* Use the current Windows user */
      nego->p_identity = NULL;

+    /* Exclude NTLM from SPNEGO negotiation via the PackageList field */
+    if(!nego->p_identity) {
+      memset(&nego->identity, 0, sizeof(nego->identity));
+      nego->identity.Version = SEC_WINNT_AUTH_IDENTITY_VERSION;
+      nego->identity.Length = sizeof(nego->identity);
+      nego->identity.Flags =
+#ifdef UNICODE
+        SEC_WINNT_AUTH_IDENTITY_UNICODE;
+#else
+        SEC_WINNT_AUTH_IDENTITY_ANSI;
+#endif
+      nego->p_identity = &nego->identity;
+    }
+
+    /* Use the special name "!ntlm" to prevent NTLM from being used:
+     * https://learn.microsoft.com/en-us/windows/win32/api/sspi/ns-sspi-sec_winnt_auth_identity_exa
+     */
+    nego->identity.PackageList =
+      (unsigned TCHAR *)CURL_UNCONST(TEXT("!ntlm"));
+    nego->identity.PackageListLength = 5;
+
    /* Allocate our credentials handle */
    nego->credentials = curlx_calloc(1, sizeof(CredHandle));
    if(!nego->credentials)