curl: disable NTLM via SPNEGO by default

When users choose Kerberos as authentication method, little do they
know that there's a provision to fall back to the very weak NTLM
authentication instead of using the otherwise quite strong Kerberos
authentication methods. The mechanism to choose e.g. NTLM is called
"SPNEGO".

By somewhat lucky happenstance, a recent security fix that wanted
to disable NTLM in Git for Windows by default was _not_ affected
by this, due to a quite long-standing bug in Git: Kerberos
authentication is simply never attempted by default. Users need
to configure `http.emptyAuth=true` to enable it, even though the
`http.emptyAuth=auto` default promises to behave in the same way.

In preparation for fixing that `http.emptyAuth` bug _without_ weakening
the security bug fix that disables NTLM by default, these two patches
disable NTLM via SPNEGO altogether.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Author: dscho

mingw-w64-curl/0001-Make-cURL-relocatable.patch

@@ -1,7 +1,7 @@
 From b0761795838b6645cf1bc7d0c290decc1f57b4ca Mon Sep 17 00:00:00 2001
 From: Ray Donnelly <mingw.android@gmail.com>
 Date: Wed, 22 Feb 2017 11:03:04 +0100
-Subject: [PATCH 1/2] Make cURL relocatable
+Subject: [PATCH 1/4] Make cURL relocatable
 
 This adds the ability to specify CA_BUNDLE paths that are relative to
 the MSYS2 pseudo-root directory.

mingw-w64-curl/0002-Hack-make-relocation-work-inside-libexec-git-core-an.patch

@@ -1,7 +1,7 @@
 From 0d1cc065356bcb23642563c3046b0b0e860fa9bb Mon Sep 17 00:00:00 2001
 From: Johannes Schindelin <johannes.schindelin@gmx.de>
 Date: Wed, 31 Oct 2018 10:52:59 +0100
-Subject: [PATCH 2/2] Hack: make relocation work inside libexec/git-core/ and
+Subject: [PATCH 2/4] Hack: make relocation work inside libexec/git-core/ and
  bin/
 
 In Git for Windows, there is a copy of libcurl-4.dll in

mingw-w64-curl/0003-auth-upgrade-SSPI-identity-to-SEC_WINNT_AUTH_IDENTIT.patch

@@ -0,0 +1,161 @@
+From 0aa2cd8539608511e34a58473f2974ae0ae50444 Mon Sep 17 00:00:00 2001
+From: Matthew John Cheetham <mjcheetham@outlook.com>
+Date: Tue, 24 Mar 2026 11:53:02 +0000
+Subject: [PATCH 3/4] auth: upgrade SSPI identity to SEC_WINNT_AUTH_IDENTITY_EX
+
+Replace SEC_WINNT_AUTH_IDENTITY with SEC_WINNT_AUTH_IDENTITY_EX across all
+SSPI authentication code. The extended structure adds Version, Length, and
+PackageList fields while remaining backwards compatible with all SSPI
+functions. Available since Windows XP.
+
+Curl_create_sspi_identity now sets the Version and Length fields when
+initializing the structure.
+
+Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+---
+ lib/curl_sspi.c         |  6 ++++--
+ lib/curl_sspi.h         |  6 +++---
+ lib/ldap.c              |  2 +-
+ lib/vauth/digest_sspi.c | 10 +++++-----
+ lib/vauth/vauth.h       | 12 ++++++------
+ 5 files changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/lib/curl_sspi.c b/lib/curl_sspi.c
+index 1d4cf925d6..018bfff28e 100644
+--- a/lib/curl_sspi.c
++++ b/lib/curl_sspi.c
+@@ -93,7 +93,7 @@ void Curl_sspi_global_cleanup(void)
+  * Returns CURLE_OK on success.
+  */
+ CURLcode Curl_create_sspi_identity(const char *userp, const char *passwdp,
+-                                   SEC_WINNT_AUTH_IDENTITY *identity)
++                                   SEC_WINNT_AUTH_IDENTITY_EX *identity)
+ {
+   xcharp_u useranddomain;
+   xcharp_u user, dup_user;
+@@ -105,6 +105,8 @@ CURLcode Curl_create_sspi_identity(const char *userp, const char *passwdp,
+ 
+   /* Initialize the identity */
+   memset(identity, 0, sizeof(*identity));
++  identity->Version = SEC_WINNT_AUTH_IDENTITY_VERSION;
++  identity->Length = sizeof(*identity);
+ 
+   useranddomain.tchar_ptr = curlx_convert_UTF8_to_tchar(userp);
+   if(!useranddomain.tchar_ptr)
+@@ -195,7 +197,7 @@ CURLcode Curl_create_sspi_identity(const char *userp, const char *passwdp,
+  *
+  * identity [in/out] - The identity structure.
+  */
+-void Curl_sspi_free_identity(SEC_WINNT_AUTH_IDENTITY *identity)
++void Curl_sspi_free_identity(SEC_WINNT_AUTH_IDENTITY_EX *identity)
+ {
+   if(identity) {
+     Curl_safefree(identity->User);
+diff --git a/lib/curl_sspi.h b/lib/curl_sspi.h
+index 3779d51753..ea405f53a7 100644
+--- a/lib/curl_sspi.h
++++ b/lib/curl_sspi.h
+@@ -34,14 +34,14 @@ void Curl_sspi_global_cleanup(void);
+ 
+ /* This is used to populate the domain in an SSPI identity structure */
+ CURLcode Curl_override_sspi_http_realm(const char *chlg,
+-                                       SEC_WINNT_AUTH_IDENTITY *identity);
++                                       SEC_WINNT_AUTH_IDENTITY_EX *identity);
+ 
+ /* This is used to generate an SSPI identity structure */
+ CURLcode Curl_create_sspi_identity(const char *userp, const char *passwdp,
+-                                   SEC_WINNT_AUTH_IDENTITY *identity);
++                                   SEC_WINNT_AUTH_IDENTITY_EX *identity);
+ 
+ /* This is used to free an SSPI identity structure */
+-void Curl_sspi_free_identity(SEC_WINNT_AUTH_IDENTITY *identity);
++void Curl_sspi_free_identity(SEC_WINNT_AUTH_IDENTITY_EX *identity);
+ 
+ /* Forward-declaration of global variables defined in curl_sspi.c */
+ extern PSecurityFunctionTable Curl_pSecFn;
+diff --git a/lib/ldap.c b/lib/ldap.c
+index e223078b03..59369a556d 100644
+--- a/lib/ldap.c
++++ b/lib/ldap.c
+@@ -157,7 +157,7 @@ static ULONG ldap_win_bind_auth(LDAP *server, const char *user,
+                                 const char *passwd, unsigned long authflags)
+ {
+   ULONG method = 0;
+-  SEC_WINNT_AUTH_IDENTITY cred;
++  SEC_WINNT_AUTH_IDENTITY_EX cred;
+   ULONG rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
+ 
+   memset(&cred, 0, sizeof(cred));
+diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c
+index f29e569cd1..5f4b5e2735 100644
+--- a/lib/vauth/digest_sspi.c
++++ b/lib/vauth/digest_sspi.c
+@@ -95,8 +95,8 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data,
+   CredHandle credentials;
+   CtxtHandle context;
+   PSecPkgInfo SecurityPackage;
+-  SEC_WINNT_AUTH_IDENTITY identity;
+-  SEC_WINNT_AUTH_IDENTITY *p_identity;
++  SEC_WINNT_AUTH_IDENTITY_EX identity;
++  SEC_WINNT_AUTH_IDENTITY_EX *p_identity;
+   SecBuffer chlg_buf;
+   SecBuffer resp_buf;
+   SecBufferDesc chlg_desc;
+@@ -240,7 +240,7 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data,
+  * Returns CURLE_OK on success.
+  */
+ CURLcode Curl_override_sspi_http_realm(const char *chlg,
+-                                       SEC_WINNT_AUTH_IDENTITY *identity)
++                                       SEC_WINNT_AUTH_IDENTITY_EX *identity)
+ {
+   xcharp_u domain, dup_domain;
+ 
+@@ -466,8 +466,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
+ 
+   if(!digest->http_context) {
+     CredHandle credentials;
+-    SEC_WINNT_AUTH_IDENTITY identity;
+-    SEC_WINNT_AUTH_IDENTITY *p_identity;
++    SEC_WINNT_AUTH_IDENTITY_EX identity;
++    SEC_WINNT_AUTH_IDENTITY_EX *p_identity;
+     SecBuffer resp_buf;
+     SecBufferDesc resp_desc;
+     unsigned long attrs;
+diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h
+index 3e66c89cb5..10a02321e3 100644
+--- a/lib/vauth/vauth.h
++++ b/lib/vauth/vauth.h
+@@ -170,8 +170,8 @@ struct ntlmdata {
+ #endif
+   CredHandle *credentials;
+   CtxtHandle *context;
+-  SEC_WINNT_AUTH_IDENTITY identity;
+-  SEC_WINNT_AUTH_IDENTITY *p_identity;
++  SEC_WINNT_AUTH_IDENTITY_EX identity;
++  SEC_WINNT_AUTH_IDENTITY_EX *p_identity;
+   size_t token_max;
+   BYTE *output_token;
+   BYTE *input_token;
+@@ -241,8 +241,8 @@ struct kerberos5data {
+   CredHandle *credentials;
+   CtxtHandle *context;
+   TCHAR *spn;
+-  SEC_WINNT_AUTH_IDENTITY identity;
+-  SEC_WINNT_AUTH_IDENTITY *p_identity;
++  SEC_WINNT_AUTH_IDENTITY_EX identity;
++  SEC_WINNT_AUTH_IDENTITY_EX *p_identity;
+   size_t token_max;
+   BYTE *output_token;
+ #else
+@@ -309,8 +309,8 @@ struct negotiatedata {
+   SECURITY_STATUS status;
+   CredHandle *credentials;
+   CtxtHandle *context;
+-  SEC_WINNT_AUTH_IDENTITY identity;
+-  SEC_WINNT_AUTH_IDENTITY *p_identity;
++  SEC_WINNT_AUTH_IDENTITY_EX identity;
++  SEC_WINNT_AUTH_IDENTITY_EX *p_identity;
+   TCHAR *spn;
+   size_t token_max;
+   BYTE *output_token;

mingw-w64-curl/0004-spnego-windows-disallow-NTLM-via-SPNEGO.patch

@@ -0,0 +1,76 @@
+From cab1cced8a4c48054183192a80d09112d788e868 Mon Sep 17 00:00:00 2001
+From: Matthew John Cheetham <mjcheetham@outlook.com>
+Date: Mon, 23 Mar 2026 13:34:27 +0000
+Subject: [PATCH 4/4] spnego(windows): disallow NTLM via SPNEGO
+
+SPNEGO (Negotiate) authentication can silently fall back to NTLM when
+Kerberos is unavailable. This is undesirable because:
+
+1. Kerberos is supposed to be a strong authentication method, and
+   allowing to downgrade it to NTLM weakens that.
+
+2. If the caller wants to allow or disallow NTLM authentication, they
+   can do so explicitly; But with NTLM via SPNEGO, there is no such
+   option.
+
+3. The cURL project deprecated NTLM support and plans on removing it in
+   September 2026 altogether. If NTLM via SPNEGO was still supported,
+   that would seriously sabotage the security implications of this plan.
+
+With this patch, libcurl checks the sub-mechanism selected by SPNEGO
+after the security context is initialized but before any tokens are
+sent on the wire. If NTLM was chosen, the authentication fails with
+CURLE_AUTH_ERROR.
+
+Bare NTLM auth (CURLAUTH_NTLM) is not affected.
+
+Note that this patch only changes the Windows (SSPI) side by restricting
+SSPI from using NTLM by specifying the special string "!ntlm" in the
+PackageList field of the SEC_WINNT_AUTH_IDENTITY_EX structure. A more
+comprehensive solution that includes GSS-API is being developed in
+https://github.com/curl/curl/pull/21076.
+
+Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+---
+ lib/vauth/spnego_sspi.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/lib/vauth/spnego_sspi.c b/lib/vauth/spnego_sspi.c
+index 1f73123a0d..57d7599361 100644
+--- a/lib/vauth/spnego_sspi.c
++++ b/lib/vauth/spnego_sspi.c
+@@ -146,6 +146,33 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
+       /* Use the current Windows user */
+       nego->p_identity = NULL;
+ 
++    /* Disallow NTLM via SPNEGO */ {
++      /* Exclude NTLM from SPNEGO negotiation via the PackageList field */
++      if(!nego->p_identity) {
++        memset(&nego->identity, 0, sizeof(nego->identity));
++        nego->identity.Version = SEC_WINNT_AUTH_IDENTITY_VERSION;
++        nego->identity.Length = sizeof(nego->identity);
++        nego->identity.Flags =
++#ifdef UNICODE
++          SEC_WINNT_AUTH_IDENTITY_UNICODE;
++#else
++          SEC_WINNT_AUTH_IDENTITY_ANSI;
++#endif
++        nego->p_identity = &nego->identity;
++      }
++
++      /* Use the special name "!ntlm" to prevent NTLM from being used:
++       * https://learn.microsoft.com/en-us/windows/win32/api/sspi/ns-sspi-sec_winnt_auth_identity_exa
++       */
++      nego->identity.PackageList =
++#ifdef UNICODE
++        (unsigned short *)CURL_UNCONST(TEXT("!ntlm"));
++#else
++        (unsigned char *)CURL_UNCONST(TEXT("!ntlm"));
++#endif
++      nego->identity.PackageListLength = 5;
++    }
++
+     /* Allocate our credentials handle */
+     nego->credentials = curlx_calloc(1, sizeof(CredHandle));
+     if(!nego->credentials)

mingw-w64-curl/PKGBUILD

@@ -36,13 +36,17 @@ source=("https://github.com/curl/curl/releases/download/${_realname}-${pkgver//.
         "pathtools.h"
         "0001-Make-cURL-relocatable.patch"
         "0002-Hack-make-relocation-work-inside-libexec-git-core-an.patch"
+        "0003-auth-upgrade-SSPI-identity-to-SEC_WINNT_AUTH_IDENTIT.patch"
+        "0004-spnego-windows-disallow-NTLM-via-SPNEGO.patch"
         "70bb0db76720c152f6a55bbe12cf162b55cb105b.patch")
 sha256sums=('eba3230c1b659211a7afa0fbf475978cbf99c412e4d72d9aa92d020c460742d4'
             'SKIP'
             '08209cbf1633fa92eae7e5d28f95f8df9d6184cc20fa878c99aec4709bb257fd'
             '965d3921ec4fdeec94a2718bc2c85ce5e1a00ea0e499330a554074a7ae15dfc6'
-            '9cdae4bbdc44a6d342c31ea567e79d4e1a435227f2236cdb7e75d72d94d62905'
-            '6911afe3d7a3158447ff29a06c0f652eafd1d169928843777a5f69d27c87fc1e'
+            '8567c3601664836e12e142f4c51c4f023aaa3477e9985ea4168301af22a1141f'
+            'b9a7ca284f881c2e5e15daf109d8c42d7e92ef32949031b3da42ef9b7bf924bd'
+            'e834995b7adcb573c8441ea17a54e71a359c4ec5049d31093ff25f898a48abf9'
+            'f597923ca8ec8757bc7600a420cc5f6f5acd6ab85e005054273bc63805af6d48'
             'ffaadb16a5f1aaa4e0a33473b905a6650e6291afecb39f56805eaffc26a20932')
 validpgpkeys=('27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2')  # Daniel Stenberg
 
@@ -94,6 +98,8 @@ prepare() {
   apply_patch_with_msg \
     0001-Make-cURL-relocatable.patch \
     0002-Hack-make-relocation-work-inside-libexec-git-core-an.patch \
+    0003-auth-upgrade-SSPI-identity-to-SEC_WINNT_AUTH_IDENTIT.patch \
+    0004-spnego-windows-disallow-NTLM-via-SPNEGO.patch \
     70bb0db76720c152f6a55bbe12cf162b55cb105b.patch
 
   autoreconf -vfi