authorSimo Sorce <simo@redhat.com>2014-04-09 21:11:31 -0400
committerSimo Sorce <simo@redhat.com>2014-05-04 17:21:06 -0400
commit022fab3c12ddacfcd4299bc69189553a1b6e1e03 (patch)
tree622031468a00a5317d51de97e6d3b8ba0165fc26
parent0ad98b9619d6b85877a56a41898d2969f085188a (diff)
Disable MIC by default.
The environment variable NTLMSSP_ENABLE_MIC will enable setting the MIC if requested by the server when it is set to '1'. It is disabled by default because it works only with a patched SPNEGO library that will always set the mechlistMIC on the authenticate packet if we report that integrity is enabled. If the library is unpatched, it has also been observed that Firefox goes into an infinite authentication loop, repeatedly making requests that are always denied.
-rw-r--r--src/gss_sec_ctx.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
index 96d2fc4..9836ac2 100644
--- a/src/gss_sec_ctx.c
+++ b/src/gss_sec_ctx.c
@@ -433,6 +433,8 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
}
if (target_info.length > 0) {
+ bool *add_mic_ptr = NULL;
+ const char *envvar;
if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
if (input_chan_bindings->initiator_addrtype != 0 ||
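Review bot: `envvar` is declared at the top of the `target_info.length > 0` block but is only assigned and read inside the `if (protect)` branch that the second hunk adds, so it could be declared at first use there (`const char *envvar = getenv("NTLMSSP_ENABLE_MIC");`) and the wider, uninitialized declaration dropped. Because `add_mic_ptr` decides whether the MIC (the integrity protection this function negotiates) is requested at all, a one-line comment at its declaration would save readers a trip to the commit log, e.g. `/* MIC stays disabled unless NTLMSSP_ENABLE_MIC=1 is set in the environment */`. The enclosing gssntlm_init_sec_context body starts and ends outside the hunk.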
@@ -448,12 +450,20 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
cb.data = input_chan_bindings->application_data.value;
}
+ if (protect) {
+ envvar = getenv("NTLMSSP_ENABLE_MIC");
+ if ((envvar != NULL) &&
+ (strcasecmp(envvar, "1") == 0)) {
+ add_mic_ptr = &add_mic;
+ }
+ }
+
retmin = ntlm_process_target_info(ctx->ntlm, protect,
&target_info,
server_name, &cb,
&client_target_info,
&srv_time,
- protect ? &add_mic: NULL);
+ add_mic_ptr);
if (retmin) {
if (retmin == ERR_DECODE) {
retmaj = GSS_S_DEFECTIVE_TOKEN;