curl-library
Re: [Win][SSPI] proper authentication using SSPI ?
Date: Mon, 26 Jun 2017 22:18:20 +0300
26.06.2017, 16:49, "Павел Н via curl-library" <curl-library_at_cool.haxx.se>:
> Hi all.
>
> Long-time curl and libcurl user and suffering as long to enter proxy creds on the command line.
>
> In the end this very thing stops us from using libcurl with Windows SSPI in a Windows product, so we suffer even more trying to use WinInet and WinHttp.
>
> Recently I spent some time and finally figured out what's wrong with all of this. It turns out the change to be made is almost trivially simple: one must supply an SPN to the call of InitializeSecurityContext() instead of an empty string, e.g. 'TEXT("")' in ntlm_sspi.c:
>
> status = s_pSecFn->InitializeSecurityContext(ntlm->credentials, NULL,
>                                              (TCHAR *) TEXT(""),
>                                              0, 0, SECURITY_NETWORK_DREP,
>                                              NULL, 0,
>                                              ntlm->context, &type_1_desc,
>                                              &attrs, &expiry);
>
> as one does in the SChannel implementation with 'host_name' in schannel.c:
>
> sspi_status = s_pSecFn->InitializeSecurityContext(
>     &connssl->cred->cred_handle, &connssl->ctxt->ctxt_handle,
>     host_name, connssl->req_flags, 0, 0, &inbuf_desc, 0, NULL,
>     &outbuf_desc, &connssl->ret_flags, &connssl->ctxt->time_stamp);
>
> In the case of proxy Chromium does it like this:
>
> HTTP/proxy.example.com
>
> I would REALLY appreciate it if anyone does fix it for me.
>
> Otherwise it will take me some time to dive into the implementation techniques and coding style to do this, but in the end I will do it for sure.
>
> Thanks in advance.
>
> paul
>
> P.S. Some more details on providing SPN to the call of InitializeSecurityContext().
> If your logon creds are ok to authenticate on the server, then empty string works.
> If the server does not accept your logon creds, but there is a record for the server in Windows Credential Manager, the authentication will fail since, I guess, SSPI tries to use only your logon creds.
> However if you supply the host name to the InitializeSecurityContext() call it works either way: if there is a record for the host in Credential Manager, SSPI uses it; if there isn't, SSPI uses your logon creds.
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
Further investigation has shown that the negotiate and digest methods currently work just fine (7.54.1) and it is the NTLM method that fails.
I guess one simply needs to make the InitializeSecurityContext() call in ntlm_sspi.c the same way it is done in digest_sspi.c and spnego_sspi.c.
paul
Received on 2017-06-26
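The change the thread proposes, as an added example that is not the poster's code and not curl's own ntlm_sspi.c: build the "HTTP/<proxy host>" SPN from the quoted Chromium form and hand it to InitializeSecurityContext() in place of TEXT(""), so that SSPI can match the target against a Credential Manager entry. The helper name build_http_spn, the "HTTP" service class, the 256-byte SPN buffer and the context flags are assumptions of this example; only the SPN builder is portable, the SSPI call is compiled on Windows only.

```c
/* Added example, not curl's code: SPN construction for the SSPI NTLM step.
 * Assumption: service class "HTTP" for the proxy SPN, as in the Chromium
 * form "HTTP/proxy.example.com" quoted in the thread. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Build "HTTP/<host>" into out. Returns 0 on success, -1 if out is too
 * small. An empty host yields an empty SPN, i.e. the TEXT("") behaviour the
 * message describes (SSPI then only tries the logon credentials). */
int build_http_spn(const char *host, char *out, size_t outlen)
{
    if(!out || outlen == 0)
        return -1;
    if(!host || !*host) {
        out[0] = '\0';
        return 0;
    }
    int n = snprintf(out, outlen, "HTTP/%s", host);
    if(n < 0 || (size_t)n >= outlen)
        return -1;   /* truncated SPN would target the wrong principal */
    return 0;
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
#include <sspi.h>

/* Type-1 (first) NTLM step with a real target name instead of TEXT("").
 * phCred must come from AcquireCredentialsHandle() for the "NTLM" package;
 * on SEC_I_CONTINUE_NEEDED the caller sends *outtoken to the proxy and
 * releases it with FreeContextBuffer(). Flags are an assumption. */
SECURITY_STATUS ntlm_type1_with_spn(PCredHandle phCred, PCtxtHandle phCtxt,
                                    const char *proxy_host,
                                    void **outtoken, unsigned long *outlen)
{
    char spn[256];  /* assumed size */
    if(build_http_spn(proxy_host, spn, sizeof(spn)) != 0)
        return SEC_E_INTERNAL_ERROR;

    SecBuffer outbuf = { 0, SECBUFFER_TOKEN, NULL };
    SecBufferDesc outdesc = { SECBUFFER_VERSION, 1, &outbuf };
    unsigned long attrs = 0;
    TimeStamp expiry;

    SECURITY_STATUS st = InitializeSecurityContextA(
        phCred, NULL,
        spn,                              /* SPN instead of "" */
        ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_CONFIDENTIALITY,
        0, SECURITY_NETWORK_DREP,
        NULL, 0,
        phCtxt, &outdesc, &attrs, &expiry);

    if(st == SEC_I_CONTINUE_NEEDED || st == SEC_E_OK) {
        *outtoken = outbuf.pvBuffer;
        *outlen = outbuf.cbBuffer;
    }
    return st;
}
#endif

int main(void)
{
    char spn[256];
    if(build_http_spn("proxy.example.com", spn, sizeof(spn)) == 0)
        printf("SPN: %s\n", spn);   /* constructed host name */
    return 0;
}
```

With this shape the SPN decides which credential SSPI picks: a non-empty target lets a Credential Manager entry for that host be used, while the empty string only ever tries the logon credentials, which is the failure mode the P.S. above describes.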