From 25a742e6e417f789bd3d5b1cb406e3591a4026fc Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham <mjcheetham@outlook.com>
Date: Tue, 14 Apr 2026 13:51:23 +0100
Subject: [PATCH] spnego/sspi: block NTLM via PackageList exclusion

Use the SEC_WINNT_AUTH_IDENTITY_EX PackageList field to pass '!ntlm'
to the Negotiate SSP, preventing NTLM from being selected during
SPNEGO negotiation on Windows.

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
---
 lib/vauth/spnego_sspi.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/lib/vauth/spnego_sspi.c b/lib/vauth/spnego_sspi.c
index 1f73123a0d..e0029ba04a 100644
--- a/lib/vauth/spnego_sspi.c
+++ b/lib/vauth/spnego_sspi.c
@@ -146,6 +146,27 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
       /* Use the current Windows user */
       nego->p_identity = NULL;
 
+    /* Exclude NTLM from SPNEGO negotiation via the PackageList field */
+    if(!nego->p_identity) {
+      memset(&nego->identity, 0, sizeof(nego->identity));
+      nego->identity.Version = SEC_WINNT_AUTH_IDENTITY_VERSION;
+      nego->identity.Length = sizeof(nego->identity);
+      nego->identity.Flags =
+#ifdef UNICODE
+        SEC_WINNT_AUTH_IDENTITY_UNICODE;
+#else
+        SEC_WINNT_AUTH_IDENTITY_ANSI;
+#endif
+      nego->p_identity = &nego->identity;
+    }
+
+    /* Use the special name "!ntlm" to prevent NTLM from being used:
+     * https://learn.microsoft.com/en-us/windows/win32/api/sspi/ns-sspi-sec_winnt_auth_identity_exa
+     */
+    nego->identity.PackageList =
+      (unsigned TCHAR *)CURL_UNCONST(TEXT("!ntlm"));
+    nego->identity.PackageListLength = 5;
+
     /* Allocate our credentials handle */
     nego->credentials = curlx_calloc(1, sizeof(CredHandle));
     if(!nego->credentials)