
curl-library

Re: [Win][SSPI] proper authentication using SSPI ?

From: Павел Н via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 26 Jun 2017 22:18:20 +0300

26.06.2017, 16:49, "Павел Н via curl-library" <curl-library_at_cool.haxx.se>:
> Hi all.
>
> Long time curl and libcurl user and suffering as long to enter proxy creds to the command line.
>
> In the end this very thing stops us from using libcurl with Windows SSPI in a Windows product, so we suffer even more trying to use WinInet and WinHttp.
>
> Recently I spent some time and finally figured out what's wrong with all of this. It turns out the change to be made is almost trivially simple: one must supply an SPN to the call of InitializeSecurityContext() instead of an empty string, e.g. 'TEXT("")' in ntlm_sspi.c:
>
>   status = s_pSecFn->InitializeSecurityContext(ntlm->credentials, NULL,
>                                                (TCHAR *) TEXT(""),
>                                                0, 0, SECURITY_NETWORK_DREP,
>                                                NULL, 0,
>                                                ntlm->context, &type_1_desc,
>                                                &attrs, &expiry);
>
> as one does in SChannel implementation in 'host_name' schannel.c:
>
>     sspi_status = s_pSecFn->InitializeSecurityContext(
>       &connssl->cred->cred_handle, &connssl->ctxt->ctxt_handle,
>       host_name, connssl->req_flags, 0, 0, &inbuf_desc, 0, NULL,
>       &outbuf_desc, &connssl->ret_flags, &connssl->ctxt->time_stamp);
>
> In the case of proxy Chromium does it like this:
>
> HTTP/proxy.example.com
>
> I would REALLY appreciate it if anyone does fix it for me.
>
> Otherwise it will take me some time to dive in the implementation techniques and coding style to do this, but in the end I will do it for sure.
>
> Thanks in advance.
>
> paul
>
> P.S. Some more details on providing SPN to the call of InitializeSecurityContext().
> If your logon creds are ok to authenticate on the server, then empty string works.
> If the server does not accept your logon creds, but there is a record for the server in Windows Credential Manager for it, the authentication will fail since, I guess, SSPI tries to use only your logon creds.
> However if you supply the host name to the InitializeSecurityContext() call it works either way: if there is a record for the host in Credential Manager, SSPI uses it; if there isn't, SSPI uses your logon creds.
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

Further investigation has shown that negotiate and digest methods currently work just fine (7.54.1) and it is NTLM method that fails.

I guess one simply needs to make InitializeSecurityContext() call in ntlm_sspi.c the same way it is done in digest_sspi.c and spnego_sspi.c.

paul
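The thread's point is that the target name passed to InitializeSecurityContext() decides which credential SSPI selects: an empty string restricts it to the logon credentials, while an SPN such as `HTTP/proxy.example.com` lets it also use a matching Credential Manager entry. The following C example, added here and not part of the curl sources or this thread, builds that SPN from a proxy host (the port-stripping rule and the `build_http_spn`/`spn_matches` helpers are assumptions of this example) and, on Windows only, shows the same call pattern quoted from ntlm_sspi.c with the SPN supplied instead of `TEXT("")`. The credential handle and output buffer descriptor are assumed to be set up by the caller, as curl does.

```c
#include <stdio.h>
#include <string.h>

/* Build an SPN of the form "HTTP/<host>" for a proxy, as the thread says
 * Chromium does. A ":port" suffix is dropped because the SPN names the
 * service host, not the port. IPv6 literals are not handled; that rule and
 * this helper are assumptions made for the example, not curl code.
 * Returns 0 on success, -1 on empty host, missing host part or a buffer
 * too small for "HTTP/" + host + NUL. */
int build_http_spn(const char *host, char *out, size_t outlen)
{
    if (host == NULL || *host == '\0')
        return -1;
    const char *colon = strchr(host, ':');
    size_t hlen = colon ? (size_t)(colon - host) : strlen(host);
    if (hlen == 0)                      /* ":3128" has no host part */
        return -1;
    if (outlen < 5 + hlen + 1)
        return -1;
    memcpy(out, "HTTP/", 5);
    memcpy(out + 5, host, hlen);
    out[5 + hlen] = '\0';
    return 0;
}

/* Returns 1 if the SPN built from host equals expected, 0 otherwise
 * (including when build_http_spn rejects the input). */
int spn_matches(const char *host, const char *expected)
{
    char buf[256];
    if (build_http_spn(host, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>

/* Illustrative Windows-only call: the InitializeSecurityContext() pattern
 * the thread quotes from ntlm_sspi.c, with the SPN as the target name
 * instead of TEXT(""). cred is an already-acquired credential handle,
 * ctx receives the new context, type_1_desc is the prepared output
 * buffer descriptor (caller setup is assumed, as in curl). */
SECURITY_STATUS issue_type1_with_spn(CredHandle *cred, CtxtHandle *ctx,
                                     const char *proxy_host,
                                     SecBufferDesc *type_1_desc)
{
    char spn[256];
    ULONG attrs = 0;
    TimeStamp expiry;
    if (build_http_spn(proxy_host, spn, sizeof spn) != 0)
        return SEC_E_TARGET_UNKNOWN;    /* refuse rather than fall back to "" */
    return InitializeSecurityContextA(cred, NULL, spn,
                                      0, 0, SECURITY_NETWORK_DREP,
                                      NULL, 0, ctx, type_1_desc,
                                      &attrs, &expiry);
}
#endif

int main(void)
{
    /* Constructed sample inputs: plain host, host with port, port only. */
    const char *hosts[] = { "proxy.example.com", "proxy.example.com:3128", ":3128" };
    char spn[256];
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        if (build_http_spn(hosts[i], spn, sizeof spn) == 0)
            printf("%-24s -> %s\n", hosts[i], spn);
        else
            printf("%-24s -> (rejected)\n", hosts[i]);
    }
    return 0;
}
```

The SPN helper is portable and is what the tests exercise; the SSPI part compiles only under `_WIN32`. Rejecting an unbuildable SPN instead of silently passing an empty target keeps the credential-selection behaviour the thread describes explicit rather than accidental.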
Received on 2017-06-26