authorSimo Sorce <simo@redhat.com>2013-07-27 13:51:52 -0400
committerSimo Sorce <simo@redhat.com>2013-07-28 13:17:51 -0400
commite52754a84ad9320378d88e79be8d7ba139b30595 (patch)
tree99e1f4353ebc318c19408b0c11249b687f1d9f07
parent976c19ccefe5053baee272de4ae136c0b4731c7c (diff)
Helper function to check lm compatibility level
Also stop associating it with the creds struct.
-rw-r--r--src/gss_creds.c12
-rw-r--r--src/gss_ntlmssp.c13
-rw-r--r--src/gss_ntlmssp.h4
-rw-r--r--src/gss_sec_ctx.c9
4 files changed, 21 insertions, 17 deletions
diff --git a/src/gss_creds.c b/src/gss_creds.c
index 0372d72..b34b600 100644
--- a/src/gss_creds.c
+++ b/src/gss_creds.c
@@ -96,15 +96,7 @@ static int get_user_file_creds(struct gssntlm_name *name,
ret = NTOWFv1(pwd, &cred->cred.user.nt_hash);
if (ret) return ret;
- envvar = getenv("LM_COMPAT_LEVEL");
- if (envvar != NULL) {
- cred->lm_compatibility_level = atoi(envvar);
- } else {
- /* use the most secure setting by default */
- cred->lm_compatibility_level = SEC_LEVEL_MAX;
- }
-
- if (cred->lm_compatibility_level < 3) {
+ if (gssntlm_get_lm_compatibility_level() < 3) {
cred->cred.user.lm_hash.length = 16;
ret = LMOWFv1(pwd, &cred->cred.user.lm_hash);
if (ret) return ret;
@@ -228,8 +220,6 @@ int gssntlm_copy_creds(struct gssntlm_cred *in, struct gssntlm_cred *out)
}
out->type = in->type;
- out->lm_compatibility_level = in->lm_compatibility_level;
-
done:
if (ret) {
safefree(dom);
diff --git a/src/gss_ntlmssp.c b/src/gss_ntlmssp.c
index 10e9f70..36a623e 100644
--- a/src/gss_ntlmssp.c
+++ b/src/gss_ntlmssp.c
@@ -80,3 +80,16 @@ uint32_t gssntlm_context_is_valid(struct gssntlm_ctx *ctx, time_t *time_now)
if (time_now) *time_now = now;
return GSS_S_COMPLETE;
}
+
+int gssntlm_get_lm_compatibility_level(void)
+{
+ const char *envvar;
+
+ envvar = getenv("LM_COMPAT_LEVEL");
+ if (envvar != NULL) {
+ return atoi(envvar);
+ }
+
+ /* use the most secure setting by default */
+ return SEC_LEVEL_MAX;
+}
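Review bot: `atoi(envvar)` in gssntlm_get_lm_compatibility_level() turns an empty or non-numeric LM_COMPAT_LEVEL into 0 and passes negative values through unchanged, so a malformed setting silently selects the weakest level instead of the SEC_LEVEL_MAX default. The `< 3` test in get_user_file_creds() (src/gss_creds.c) then derives an LM hash, and both gssntlm_required_security() calls in src/gss_sec_ctx.c receive the same unvalidated value. Parsing with strtol(), rejecting trailing characters and out-of-range values (assuming valid levels run from 0 to SEC_LEVEL_MAX), and falling back to the default keeps a typo from downgrading security. If this mechanism can be loaded into privileged processes, secure_getenv() may be a better fit than getenv(). A short comment on the function saying the level is a process-wide setting taken from the environment would also help callers.

```c
int gssntlm_get_lm_compatibility_level(void)
{
    const char *envvar;
    char *end;
    long val;

    envvar = getenv("LM_COMPAT_LEVEL");
    if (envvar != NULL && *envvar != '\0') {
        errno = 0;
        val = strtol(envvar, &end, 10);
        if (errno == 0 && *end == '\0' &&
            val >= 0 && val <= SEC_LEVEL_MAX) {
            return (int)val;
        }
        /* malformed or out-of-range value: fall through to the default */
    }

    /* use the most secure setting by default */
    return SEC_LEVEL_MAX;
}
```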
diff --git a/src/gss_ntlmssp.h b/src/gss_ntlmssp.h
index 681db98..0701342 100644
--- a/src/gss_ntlmssp.h
+++ b/src/gss_ntlmssp.h
@@ -81,8 +81,6 @@ struct gssntlm_cred {
int dummy;
} server;
} cred;
-
- int lm_compatibility_level;
};
struct gssntlm_signseal {
@@ -138,6 +136,8 @@ uint8_t gssntlm_required_security(int security_level,
uint32_t gssntlm_context_is_valid(struct gssntlm_ctx *ctx,
time_t *time_now);
+int gssntlm_get_lm_compatibility_level(void);
+
void gssntlm_int_release_cred(struct gssntlm_cred *cred);
int gssntlm_copy_creds(struct gssntlm_cred *in, struct gssntlm_cred *out);
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
index 948c58d..5ee4964 100644
--- a/src/gss_sec_ctx.c
+++ b/src/gss_sec_ctx.c
@@ -58,6 +58,7 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
struct ntlm_buffer enc_sess_key = { 0 };
struct ntlm_key encrypted_random_session_key = { .length = 16 };
struct ntlm_key key_exchange_key = { .length = 16 };
+ int lm_compat_lvl;
uint32_t tmpmin;
uint32_t retmin = 0;
uint32_t retmaj = 0;
@@ -162,8 +163,8 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
workstation = ctx->workstation;
}
- sec_req = gssntlm_required_security(cred->lm_compatibility_level,
- ctx->role);
+ lm_compat_lvl = gssntlm_get_lm_compatibility_level();
+ sec_req = gssntlm_required_security(lm_compat_lvl, ctx->role);
if (sec_req == 0xff) {
retmaj = GSS_S_FAILURE;
goto done;
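Review bot: The compatibility level is now re-read from the environment at every use instead of being fixed when the credential is created. That happens here, again in the later hunk of gssntlm_init_sec_context (@@ -237), and in get_user_file_creds(). If LM_COMPAT_LEVEL changes between those points, the credential may hold (or lack) an LM hash that does not match the `sec_req` computed here, and getenv() is not safe against a concurrent setenv() in a multithreaded caller. Consider reading the value once and keeping it for the lifetime of the context, or at least document the behaviour with a comment such as `/* LM compat level is process-wide; re-read from the environment on each call */`. The function body starts and ends outside this hunk.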
@@ -237,8 +238,8 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
goto done;
}
- sec_req = gssntlm_required_security(ctx->cred.lm_compatibility_level,
- ctx->role);
+ lm_compat_lvl = gssntlm_get_lm_compatibility_level();
+ sec_req = gssntlm_required_security(lm_compat_lvl, ctx->role);
if (sec_req == 0xff) {
retmaj = GSS_S_FAILURE;
goto done;