curl: disallow NTLM via SPNEGO (#193)

Git for Windows recently offered a new security bug release, which
essentially disables NTLM by default. This is considered an important
measure to heighten the security stance of Git for Windows. However,
there is another path which allows NTLM that was not yet covered in Git
for Windows: [the SPNEGO
mechanism](https://en.wikipedia.org/wiki/SPNEGO) that allows downgrading
Kerberos to NTLM.

This PR disables NTLM via SPNEGO altogether, in line with [what the
primary cURL maintainer
wants](curl/curl#21076 (comment)),
too.

Author: dscho

mingw-w64-curl/0001-Make-cURL-relocatable.patch

@@ -1,7 +1,7 @@
-From 80b680d4796d1ce913185dbaf4c36c6a64669e86 Mon Sep 17 00:00:00 2001
+From b0761795838b6645cf1bc7d0c290decc1f57b4ca Mon Sep 17 00:00:00 2001
 From: Ray Donnelly <mingw.android@gmail.com>
 Date: Wed, 22 Feb 2017 11:03:04 +0100
-Subject: [PATCH 1/2] Make cURL relocatable
+Subject: [PATCH 1/4] Make cURL relocatable
 
 This adds the ability to specify CA_BUNDLE paths that are relative to
 the MSYS2 pseudo-root directory.
@@ -22,17 +22,17 @@ be copied from `mingw-w64-pathtools` into `lib/`.
 Original-patch-by: Ray Donnelly <mingw.android@gmail.com>
 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 ---
- configure.ac         |  1 +
+ configure.ac         |  2 ++
  lib/Makefile.inc     |  2 ++
  lib/curl_config.h.in |  3 +++
- lib/vtls/vtls.c      | 49 ++++++++++++++++++++++++++++++++++++++++++++
+ lib/vtls/vtls.c      | 48 ++++++++++++++++++++++++++++++++++++++++++++
  4 files changed, 55 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index cc16f4120..827d04948 100644
+index 6d2cb5583b..cefba6bb1b 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4069,6 +4069,8 @@ dnl default includes
+@@ -4035,6 +4035,8 @@ dnl default includes
  ]
  )
 
@@ -42,18 +42,18 @@ index cc16f4120..827d04948 100644
  AC_C_CONST
  AC_TYPE_SIZE_T
 diff --git a/lib/Makefile.inc b/lib/Makefile.inc
-index 8b506febc..841e8a7ea 100644
+index 84b4e5425b..8c9010e51a 100644
 --- a/lib/Makefile.inc
 +++ b/lib/Makefile.inc
-@@ -229,6 +229,7 @@ LIB_CFILES =         \
+@@ -233,6 +233,7 @@ LIB_CFILES =         \
    noproxy.c          \
    openldap.c         \
    parsedate.c        \
 +  pathtools.c        \
    pingpong.c         \
    pop3.c             \
    progress.c         \
-@@ -361,6 +362,7 @@ LIB_HFILES =         \
+@@ -359,6 +360,7 @@ LIB_HFILES =         \
    netrc.h            \
    noproxy.h          \
    parsedate.h        \
@@ -62,10 +62,10 @@ index 8b506febc..841e8a7ea 100644
    pop3.h             \
    progress.h         \
 diff --git a/lib/curl_config.h.in b/lib/curl_config.h.in
-index 668be5ea1..9c3139764 100644
+index 7108da0790..9dbbfb3666 100644
 --- a/lib/curl_config.h.in
 +++ b/lib/curl_config.h.in
-@@ -14,6 +14,9 @@
+@@ -17,6 +17,9 @@
  /* If safe CA bundle search is enabled */
  #undef CURL_CA_SEARCH_SAFE
 
@@ -76,7 +76,7 @@ index 668be5ea1..9c3139764 100644
  #undef CURL_DEFAULT_SSL_BACKEND
 
 diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index df0449cbe..bb45551b0 100644
+index f7201d18d6..b4a0547a8c 100644
 --- a/lib/vtls/vtls.c
 +++ b/lib/vtls/vtls.c
 @@ -77,6 +77,9 @@
@@ -89,7 +89,7 @@ index df0449cbe..bb45551b0 100644
 
  #define CLONE_STRING(var)                    \
    do {                                       \
-@@ -295,6 +299,15 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
+@@ -297,6 +300,15 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
  #if defined(CURL_CA_PATH) || defined(CURL_CA_BUNDLE)
    struct UserDefined *set = &data->set;
    CURLcode result;
@@ -105,7 +105,7 @@ index df0449cbe..bb45551b0 100644
  #endif
 
    if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
-@@ -302,15 +317,41 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
+@@ -305,15 +317,41 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
        sslc->native_ca_store = TRUE;
  #endif
  #ifdef CURL_CA_PATH
@@ -147,7 +147,7 @@ index df0449cbe..bb45551b0 100644
        if(result)
          return result;
      }
-@@ -353,8 +392,13 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
+@@ -352,16 +390,26 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
  #endif
  #ifdef CURL_CA_PATH
      if(!sslc->custom_capath && !set->str[STRING_SSL_CAPATH_PROXY]) {
@@ -161,7 +161,6 @@ index df0449cbe..bb45551b0 100644
        if(result)
          return result;
      }
-@@ -362,8 +406,13 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
  #endif
  #ifdef CURL_CA_BUNDLE
      if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE_PROXY]) {

mingw-w64-curl/0002-Hack-make-relocation-work-inside-libexec-git-core-an.patch

@@ -1,7 +1,7 @@
-From 5022c4e5a2bd1483c70f2e8177eb51edd36139eb Mon Sep 17 00:00:00 2001
+From 0d1cc065356bcb23642563c3046b0b0e860fa9bb Mon Sep 17 00:00:00 2001
 From: Johannes Schindelin <johannes.schindelin@gmx.de>
 Date: Wed, 31 Oct 2018 10:52:59 +0100
-Subject: [PATCH 2/2] Hack: make relocation work inside libexec/git-core/ and
+Subject: [PATCH 2/4] Hack: make relocation work inside libexec/git-core/ and
  bin/
 
 In Git for Windows, there is a copy of libcurl-4.dll in
@@ -30,10 +30,10 @@ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
  1 file changed, 20 insertions(+), 1 deletion(-)
 
 diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index bb45551b0..a864fb758 100644
+index b4a0547a8c..ce4f4af5e7 100644
 --- a/lib/vtls/vtls.c
 +++ b/lib/vtls/vtls.c
-@@ -343,10 +343,29 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
+@@ -341,10 +341,29 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
      get_dll_path(relocated_bundle, path_max);
      strip_n_suffix_folders(relocated_bundle, 1);
      strncat(relocated_bundle, "/", path_max - 1);

mingw-w64-curl/0003-auth-upgrade-SSPI-identity-to-SEC_WINNT_AUTH_IDENTIT.patch

@@ -0,0 +1,161 @@
+From 0aa2cd8539608511e34a58473f2974ae0ae50444 Mon Sep 17 00:00:00 2001
+From: Matthew John Cheetham <mjcheetham@outlook.com>
+Date: Tue, 24 Mar 2026 11:53:02 +0000
+Subject: [PATCH 3/4] auth: upgrade SSPI identity to SEC_WINNT_AUTH_IDENTITY_EX
+
+Replace SEC_WINNT_AUTH_IDENTITY with SEC_WINNT_AUTH_IDENTITY_EX across all
+SSPI authentication code. The extended structure adds Version, Length, and
+PackageList fields while remaining backwards compatible with all SSPI
+functions. Available since Windows XP.
+
+Curl_create_sspi_identity now sets the Version and Length fields when
+initializing the structure.
+
+Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+---
+ lib/curl_sspi.c         |  6 ++++--
+ lib/curl_sspi.h         |  6 +++---
+ lib/ldap.c              |  2 +-
+ lib/vauth/digest_sspi.c | 10 +++++-----
+ lib/vauth/vauth.h       | 12 ++++++------
+ 5 files changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/lib/curl_sspi.c b/lib/curl_sspi.c
+index 1d4cf925d6..018bfff28e 100644
+--- a/lib/curl_sspi.c
++++ b/lib/curl_sspi.c
+@@ -93,7 +93,7 @@ void Curl_sspi_global_cleanup(void)
+  * Returns CURLE_OK on success.
+  */
+ CURLcode Curl_create_sspi_identity(const char *userp, const char *passwdp,
+-                                   SEC_WINNT_AUTH_IDENTITY *identity)
++                                   SEC_WINNT_AUTH_IDENTITY_EX *identity)
+ {
+   xcharp_u useranddomain;
+   xcharp_u user, dup_user;
+@@ -105,6 +105,8 @@ CURLcode Curl_create_sspi_identity(const char *userp, const char *passwdp,
+ 
+   /* Initialize the identity */
+   memset(identity, 0, sizeof(*identity));
++  identity->Version = SEC_WINNT_AUTH_IDENTITY_VERSION;
++  identity->Length = sizeof(*identity);
+ 
+   useranddomain.tchar_ptr = curlx_convert_UTF8_to_tchar(userp);
+   if(!useranddomain.tchar_ptr)
+@@ -195,7 +197,7 @@ CURLcode Curl_create_sspi_identity(const char *userp, const char *passwdp,
+  *
+  * identity [in/out] - The identity structure.
+  */
+-void Curl_sspi_free_identity(SEC_WINNT_AUTH_IDENTITY *identity)
++void Curl_sspi_free_identity(SEC_WINNT_AUTH_IDENTITY_EX *identity)
+ {
+   if(identity) {
+     Curl_safefree(identity->User);
+diff --git a/lib/curl_sspi.h b/lib/curl_sspi.h
+index 3779d51753..ea405f53a7 100644
+--- a/lib/curl_sspi.h
++++ b/lib/curl_sspi.h
+@@ -34,14 +34,14 @@ void Curl_sspi_global_cleanup(void);
+ 
+ /* This is used to populate the domain in an SSPI identity structure */
+ CURLcode Curl_override_sspi_http_realm(const char *chlg,
+-                                       SEC_WINNT_AUTH_IDENTITY *identity);
++                                       SEC_WINNT_AUTH_IDENTITY_EX *identity);
+ 
+ /* This is used to generate an SSPI identity structure */
+ CURLcode Curl_create_sspi_identity(const char *userp, const char *passwdp,
+-                                   SEC_WINNT_AUTH_IDENTITY *identity);
++                                   SEC_WINNT_AUTH_IDENTITY_EX *identity);
+ 
+ /* This is used to free an SSPI identity structure */
+-void Curl_sspi_free_identity(SEC_WINNT_AUTH_IDENTITY *identity);
++void Curl_sspi_free_identity(SEC_WINNT_AUTH_IDENTITY_EX *identity);
+ 
+ /* Forward-declaration of global variables defined in curl_sspi.c */
+ extern PSecurityFunctionTable Curl_pSecFn;
+diff --git a/lib/ldap.c b/lib/ldap.c
+index e223078b03..59369a556d 100644
+--- a/lib/ldap.c
++++ b/lib/ldap.c
+@@ -157,7 +157,7 @@ static ULONG ldap_win_bind_auth(LDAP *server, const char *user,
+                                 const char *passwd, unsigned long authflags)
+ {
+   ULONG method = 0;
+-  SEC_WINNT_AUTH_IDENTITY cred;
++  SEC_WINNT_AUTH_IDENTITY_EX cred;
+   ULONG rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
+ 
+   memset(&cred, 0, sizeof(cred));
+diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c
+index f29e569cd1..5f4b5e2735 100644
+--- a/lib/vauth/digest_sspi.c
++++ b/lib/vauth/digest_sspi.c
+@@ -95,8 +95,8 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data,
+   CredHandle credentials;
+   CtxtHandle context;
+   PSecPkgInfo SecurityPackage;
+-  SEC_WINNT_AUTH_IDENTITY identity;
+-  SEC_WINNT_AUTH_IDENTITY *p_identity;
++  SEC_WINNT_AUTH_IDENTITY_EX identity;
++  SEC_WINNT_AUTH_IDENTITY_EX *p_identity;
+   SecBuffer chlg_buf;
+   SecBuffer resp_buf;
+   SecBufferDesc chlg_desc;
+@@ -240,7 +240,7 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data,
+  * Returns CURLE_OK on success.
+  */
+ CURLcode Curl_override_sspi_http_realm(const char *chlg,
+-                                       SEC_WINNT_AUTH_IDENTITY *identity)
++                                       SEC_WINNT_AUTH_IDENTITY_EX *identity)
+ {
+   xcharp_u domain, dup_domain;
+ 
+@@ -466,8 +466,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
+ 
+   if(!digest->http_context) {
+     CredHandle credentials;
+-    SEC_WINNT_AUTH_IDENTITY identity;
+-    SEC_WINNT_AUTH_IDENTITY *p_identity;
++    SEC_WINNT_AUTH_IDENTITY_EX identity;
++    SEC_WINNT_AUTH_IDENTITY_EX *p_identity;
+     SecBuffer resp_buf;
+     SecBufferDesc resp_desc;
+     unsigned long attrs;
+diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h
+index 3e66c89cb5..10a02321e3 100644
+--- a/lib/vauth/vauth.h
++++ b/lib/vauth/vauth.h
+@@ -170,8 +170,8 @@ struct ntlmdata {
+ #endif
+   CredHandle *credentials;
+   CtxtHandle *context;
+-  SEC_WINNT_AUTH_IDENTITY identity;
+-  SEC_WINNT_AUTH_IDENTITY *p_identity;
++  SEC_WINNT_AUTH_IDENTITY_EX identity;
++  SEC_WINNT_AUTH_IDENTITY_EX *p_identity;
+   size_t token_max;
+   BYTE *output_token;
+   BYTE *input_token;
+@@ -241,8 +241,8 @@ struct kerberos5data {
+   CredHandle *credentials;
+   CtxtHandle *context;
+   TCHAR *spn;
+-  SEC_WINNT_AUTH_IDENTITY identity;
+-  SEC_WINNT_AUTH_IDENTITY *p_identity;
++  SEC_WINNT_AUTH_IDENTITY_EX identity;
++  SEC_WINNT_AUTH_IDENTITY_EX *p_identity;
+   size_t token_max;
+   BYTE *output_token;
+ #else
+@@ -309,8 +309,8 @@ struct negotiatedata {
+   SECURITY_STATUS status;
+   CredHandle *credentials;
+   CtxtHandle *context;
+-  SEC_WINNT_AUTH_IDENTITY identity;
+-  SEC_WINNT_AUTH_IDENTITY *p_identity;
++  SEC_WINNT_AUTH_IDENTITY_EX identity;
++  SEC_WINNT_AUTH_IDENTITY_EX *p_identity;
+   TCHAR *spn;
+   size_t token_max;
+   BYTE *output_token;

mingw-w64-curl/0004-spnego-windows-disallow-NTLM-via-SPNEGO.patch

@@ -0,0 +1,76 @@
+From cab1cced8a4c48054183192a80d09112d788e868 Mon Sep 17 00:00:00 2001
+From: Matthew John Cheetham <mjcheetham@outlook.com>
+Date: Mon, 23 Mar 2026 13:34:27 +0000
+Subject: [PATCH 4/4] spnego(windows): disallow NTLM via SPNEGO
+
+SPNEGO (Negotiate) authentication can silently fall back to NTLM when
+Kerberos is unavailable. This is undesirable because:
+
+1. Kerberos is supposed to be a strong authentication method, and
+   allowing to downgrade it to NTLM weakens that.
+
+2. If the caller wants to allow or disallow NTLM authentication, they
+   can do so explicitly; But with NTLM via SPNEGO, there is no such
+   option.
+
+3. The cURL project deprecated NTLM support and plans on removing it in
+   September 2026 altogether. If NTLM via SPNEGO was still supported,
+   that would seriously sabotage the security implications of this plan.
+
+With this patch, libcurl checks the sub-mechanism selected by SPNEGO
+after the security context is initialized but before any tokens are
+sent on the wire. If NTLM was chosen, the authentication fails with
+CURLE_AUTH_ERROR.
+
+Bare NTLM auth (CURLAUTH_NTLM) is not affected.
+
+Note that this patch only changes the Windows (SSPI) side by restricting
+SSPI from using NTLM by specifying the special string "!ntlm" in the
+PackageList field of the SEC_WINNT_AUTH_IDENTITY_EX structure. A more
+comprehensive solution that includes GSS-API is being developed in
+https://github.com/curl/curl/pull/21076.
+
+Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+---
+ lib/vauth/spnego_sspi.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/lib/vauth/spnego_sspi.c b/lib/vauth/spnego_sspi.c
+index 1f73123a0d..57d7599361 100644
+--- a/lib/vauth/spnego_sspi.c
++++ b/lib/vauth/spnego_sspi.c
+@@ -146,6 +146,33 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
+       /* Use the current Windows user */
+       nego->p_identity = NULL;
+ 
++    /* Disallow NTLM via SPNEGO */ {
++      /* Exclude NTLM from SPNEGO negotiation via the PackageList field */
++      if(!nego->p_identity) {
++        memset(&nego->identity, 0, sizeof(nego->identity));
++        nego->identity.Version = SEC_WINNT_AUTH_IDENTITY_VERSION;
++        nego->identity.Length = sizeof(nego->identity);
++        nego->identity.Flags =
++#ifdef UNICODE
++          SEC_WINNT_AUTH_IDENTITY_UNICODE;
++#else
++          SEC_WINNT_AUTH_IDENTITY_ANSI;
++#endif
++        nego->p_identity = &nego->identity;
++      }
++
++      /* Use the special name "!ntlm" to prevent NTLM from being used:
++       * https://learn.microsoft.com/en-us/windows/win32/api/sspi/ns-sspi-sec_winnt_auth_identity_exa
++       */
++      nego->identity.PackageList =
++#ifdef UNICODE
++        (unsigned short *)CURL_UNCONST(TEXT("!ntlm"));
++#else
++        (unsigned char *)CURL_UNCONST(TEXT("!ntlm"));
++#endif
++      nego->identity.PackageListLength = 5;
++    }
++
+     /* Allocate our credentials handle */
+     nego->credentials = curlx_calloc(1, sizeof(CredHandle));
+     if(!nego->credentials)