author | Ulrich Telle <Ulrich.Telle@gmx.de> | 2014-09-12 12:22:56 +0200 |
---|---|---|
committer | Steve Holme <steve_holme@hotmail.com> | 2014-09-12 13:05:02 +0100 |
commit | 8ee182288af1bd828613fdcab2e7e8b551e91901 | |
tree | 5461b366695bac7c26b267c60a5d2c70237de747 | |
parent | 006b61eb0b262619c750a81e5b0c1f8909cdfc80 | |

ntlm: Fixed HTTP proxy authentication when using Windows SSPI

Removed ISC_REQ_* flags from calls to InitializeSecurityContext to fix
bug in NTLM handshake for HTTP proxy authentication.

NTLM handshake for HTTP proxy authentication failed with error
SEC_E_INVALID_TOKEN from InitializeSecurityContext for certain proxy
servers on generating the NTLM Type-3 message.

The flag ISC_REQ_CONFIDENTIALITY seems to cause the problem according
to the observations and suggestions made in a bug report for the
QT project (https://bugreports.qt-project.org/browse/QTBUG-17322).

Removing all the flags solved the problem.

Bug: http://curl.haxx.se/mail/lib-2014-08/0273.html
Reported-by: Ulrich Telle
Assisted-by: Steve Holme, Daniel Stenberg

-rw-r--r-- | lib/curl_ntlm_msgs.c | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/lib/curl_ntlm_msgs.c b/lib/curl_ntlm_msgs.c index b80792632..0b76827e7 100644 --- a/lib/curl_ntlm_msgs.c +++ b/lib/curl_ntlm_msgs.c @@ -476,10 +476,7 @@ CURLcode Curl_ntlm_create_type1_message(const char *userp, /* Generate our type-1 message */ status = s_pSecFn->InitializeSecurityContext(&ntlm->handle, NULL, (TCHAR *) TEXT(""), - ISC_REQ_CONFIDENTIALITY | - ISC_REQ_REPLAY_DETECT | - ISC_REQ_CONNECTION, - 0, SECURITY_NETWORK_DREP, + 0, 0, SECURITY_NETWORK_DREP, NULL, 0, &ntlm->c_handle, &type_1_desc, &attrs, &tsDummy); @@ -641,7 +638,6 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data, (void)passwdp; (void)userp; - (void)data; /* Setup the type-2 "input" security buffer */ type_2_desc.ulVersion = SECBUFFER_VERSION; @@ -663,16 +659,17 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data, status = s_pSecFn->InitializeSecurityContext(&ntlm->handle, &ntlm->c_handle, (TCHAR *) TEXT(""), - ISC_REQ_CONFIDENTIALITY | - ISC_REQ_REPLAY_DETECT | - ISC_REQ_CONNECTION, - 0, SECURITY_NETWORK_DREP, + 0, 0, SECURITY_NETWORK_DREP, &type_2_desc, 0, &ntlm->c_handle, &type_3_desc, &attrs, &tsDummy); - if(status != SEC_E_OK) + if(status != SEC_E_OK) { + infof(data, "NTLM handshake failure (type-3 message): Status=%x\n", + status); + return CURLE_RECV_ERROR; + } size = type_3_buf.cbBuffer; |
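
Review bot: In the Curl_ntlm_create_type1_message hunk (@@ -476), the context-requirements argument goes from three ISC_REQ_* flags to a bare `0` with no comment, while the commit message only names ISC_REQ_CONFIDENTIALITY as the suspected cause of SEC_E_INVALID_TOKEN. Dropping ISC_REQ_REPLAY_DETECT and ISC_REQ_CONNECTION too is wider than the diagnosis supports. Either remove only the flag shown to break the handshake, or add a short comment at the call saying that no context requirements are requested on purpose and pointing at the bug report, so a later cleanup does not put the flags back. Whatever is chosen here should stay identical to the flags passed in the type-3 call.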
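
Review bot: In the Curl_ntlm_create_type3_message hunk (@@ -663), the new `infof` call prints `status` with `%x`, but SECURITY_STATUS is a signed LONG, so the conversion and the argument type do not match. Cast explicitly and use the matching length modifier, for example `"... Status=%lx\n", (unsigned long)status`. The patch also adds this diagnostic only to the type-3 path; the type-1 call receives the same flag change but no message is added for it, so consider logging the status there as well to make a failure at either step visible.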