26.06.2017, 16:49, "Павел Н via curl-library" <[email protected]>:
> Hi all.
>
> Long time curl and libcurl user and suffering as long to enter proxy creds to
> the command line.
>
> In the end this very thing stops us from using libcurl with Windows SSPI in a
> Windows product, so we suffer even more trying to use WinInet and WinHttp.
>
> Recently I spent some time and finally figured out what's wrong with all of
> this. It turns out the change to be made is almost trivially simple: one must
> supply an SPN to the call of InitializeSecurityContext() instead of an empty
> string, e.g. 'TEXT("")' in ntlm_sspi.c:
>
>     status = s_pSecFn->InitializeSecurityContext(ntlm->credentials, NULL,
>                                                  (TCHAR *) TEXT(""),
>                                                  0, 0, SECURITY_NETWORK_DREP,
>                                                  NULL, 0,
>                                                  ntlm->context, &type_1_desc,
>                                                  &attrs, &expiry);
>
> as one does in SChannel implementation in 'host_name' schannel.c:
>
>     sspi_status = s_pSecFn->InitializeSecurityContext(
>       &connssl->cred->cred_handle, &connssl->ctxt->ctxt_handle,
>       host_name, connssl->req_flags, 0, 0, &inbuf_desc, 0, NULL,
>       &outbuf_desc, &connssl->ret_flags, &connssl->ctxt->time_stamp);
>
> In the case of proxy Chromium does it like this:
>
>     HTTP/proxy.example.com
>
> I would REALLY appreciate it if anyone does fix it for me.
>
> Otherwise it will take me some time to dive in the implementation techniques
> and coding style to do this, but in the end I will do it for sure.
>
> Thanks in advance.
>
> paul
>
> P.S. Some more details on providing SPN to the call of
> InitializeSecurityContext().
> If your logon creds are ok to authenticate on the server, then empty string
> works.
> If the server does not accept your logon creds, but there is a record for the
> server in Windows Credential Manager for it, the authentication will fail
> since, I guess, SSPI tries to use only your logon creds.
> However if you supply the host name to the InitializeSecurityContext() call
> it works either way: if there is a record for the host in Credential Manager,
> SSPI uses it; if there isn't, SSPI uses your logon creds.
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

Further investigation has shown that negotiate and digest methods currently
work just fine (7.54.1) and it is NTLM method that fails.

I guess one simply needs to make InitializeSecurityContext() call in
ntlm_sspi.c the same way it is done in digest_sspi.c and spnego_sspi.c.

paul
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
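
Added example, not part of the original message and not curl source code: a sketch of passing an "HTTP/<host>" target name to the first NTLM InitializeSecurityContext() call instead of an empty string. The names build_spn() and ntlm_type1() are hypothetical, and dropping a ":port" suffix and rejecting IPv6 literals are assumptions of this example.

```c
/* Added illustration, not curl source; function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Build "HTTP/<host>" from a proxy authority like "proxy.example.com:3128".
 * Returns 0 on success, -1 on bad input, an empty host, an IPv6 literal
 * (out of scope here) or a too-small buffer, so the caller never falls
 * back to the empty target name by accident. */
int build_spn(const char *authority, char *out, size_t outlen)
{
  size_t hostlen;
  int n;
  if(!authority || !out || !outlen)
    return -1;
  hostlen = strcspn(authority, ":");   /* assumption: drop any ":port" */
  if(hostlen == 0 || authority[0] == '[')
    return -1;
  n = snprintf(out, outlen, "HTTP/%.*s", (int)hostlen, authority);
  if(n < 0 || (size_t)n >= outlen) {
    out[0] = '\0';                     /* never hand back a truncated SPN */
    return -1;
  }
  return 0;
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>

/* First NTLM leg with the SPN as target name instead of TEXT("").
 * The caller owns cred (from AcquireCredentialsHandle) and token's buffer. */
SECURITY_STATUS ntlm_type1(const char *authority, CredHandle *cred,
                           CtxtHandle *ctx, SecBuffer *token)
{
  char spn[256];
  SecBufferDesc desc;
  unsigned long attrs;
  TimeStamp expiry;
  if(build_spn(authority, spn, sizeof(spn)))
    return SEC_E_TARGET_UNKNOWN;
  desc.ulVersion = SECBUFFER_VERSION;
  desc.cBuffers = 1;
  desc.pBuffers = token;
  return InitializeSecurityContextA(cred, NULL, spn, 0, 0,
                                    SECURITY_NETWORK_DREP, NULL, 0,
                                    ctx, &desc, &attrs, &expiry);
}
#endif
```

The Windows-only part links against secur32.lib; the SPN builder compiles anywhere.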
