Add Windows SSPI Negotiate

[micha102]

In this PR, I add support of SSPI Negotiate for Windows. (Previously only NTLM is supported)
SSPI Negotiate mode directly generates a Kerberos ticket to inherit the user session. No login or password are needed.
Also, the authenticate is done on one-shot (no 407 Proxy Authentication Required received but directly 200 Connection Established)
I tested it with our corporate proxy successfully.

Kindly review it.

Note: I didn't integrate it to the -M switch (automatic configuration detection)

[fralken]

Hello @micha102 , thanks, this is a nice addition. I cannot test it myself right now, but it looks well written and documented. I added a couple of comments in proxy.c.

Also, since now sspi supports both ntlm and negotiate, I would add few changes in the sspi code:

1. add a new method int sspi_is_ntlm(void) similar to sspi_is_negotiate(void), and use this method in ntlm.c. This is because sspi_enable now doesn't guarantee that it refers to ntlm.

2. rename sspi_request and sspi_response to sspi_ntlm_request and sspi_ntlm_response so it is more clear that they implement this protocol.

3. rebase your code on versat:master so that the merge commit is not necessary

Thanks

[micha102]

Thanks.
Will work on the modification this week.

[micha102]

I did the renaming of the old functions which assumed SSPI is only NTLM to explicitly say they are NTLM.
But after I force pushed, I couldn't find anymore the comments you did on proxy.c
Can you please re-post them ?

[fralken]

Hello @micha102 I guess you can still view the comments if you go to the "Files changed" tab. There you can see my comments in main.c and proxy.c.

Are sspi_negotiate_response() and sspi_negotiate_cleanup() used anywhere?

[micha102]

I wanted to add a proper cleanup method for the allocated sspi_negotiate_state object, but it seems that the thread is terminated at an earlier stage at the bailout of forward.c where it exits the thread, so it's not necessary.
For the sspi_negotiate_response method, I first cloned the function sspi_ntlm_response but then when I realize it's one-shot authentication it's not needed anymore.

I cleanup both 2 functions as well as the variables storing the initialization and termination states.

But for the comments in proxy.c I still can't see them sorry

[fralken]

This is weird, in the same view I see my comments (see below).
Also, int sspi_negotiate_request can be renamed to int sspi_negotiate since there is not a corresponding response. In sspi.h you should put extern like the other function declarations, since they are referenced in other files (proxy.c). Same for sspi_get_scheme.

Again, thanks a lot for this PR, it is a nice addition to the SSPI support.

[Copilot]

Pull request overview

This PR extends CNTLM’s Windows (Cygwin) SSPI authentication support by adding an SSPI Negotiate mode alongside the existing SSPI NTLM mode, enabling Kerberos/Negotiate-based proxy authentication using the current Windows logon session.

Changes:

• Added SSPI Negotiate mode helpers/APIs and scheme reporting.
• Updated proxy authentication flow to emit Proxy-Authorization: Negotiate … using a per-thread Negotiate state.
• Updated documentation to mention both NTLM and Negotiate SSPI modes.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 15 comments.

Show a summary per file

File	Description
sspi.h	Adds Negotiate state struct and new SSPI API declarations.
sspi.c	Adds mode checks (NTLM/Negotiate), scheme getter, Negotiate token generation, and renames SSPI NTLM functions.
proxy.c	Adds thread-local Negotiate state and uses SSPI Negotiate in proxy_authenticate().
ntlm.c	Updates SSPI NTLM function call names and gates response path on sspi_is_ntlm().
main.c	Adjusts password/hashes requirement logic for SSPI Negotiate mode.
doc/cntlm.conf	Updates SSPI comment to reflect Negotiate support.
doc/cntlm.1	Updates manpage to document SSPI ... Negotiate.

Comments suppressed due to low confidence (1)

sspi.c:223

• In UNICODE builds, sspi_mode allocation/conversion does not leave room for the terminating NUL (zmalloc(sizeof(wchar_t) * strlen(mode)) and mbstowcs(..., strlen(mode))). This can leave sspi_mode unterminated and make later wcscmp read past the buffer. Allocate strlen(mode)+1 and convert/copy including the terminator.

	if ((!strcasecmp("NTLM", mode) || !strcasecmp("Negotiate", mode)) && sspi_dll)  // Only NTLM and Negotiate supported for now
	{
#ifdef UNICODE
		sspi_mode = zmalloc(sizeof(wchar_t) * strlen(mode));
		mbstowcs(sspi_mode, mode, strlen(mode));
#else