author | Simo Sorce <simo@redhat.com> | 2014-04-09 21:11:31 -0400 |
committer | Simo Sorce <simo@redhat.com> | 2014-05-04 17:21:06 -0400 |
commit | 022fab3c12ddacfcd4299bc69189553a1b6e1e03 (patch) | |
tree | 622031468a00a5317d51de97e6d3b8ba0165fc26 | |
parent | 0ad98b9619d6b85877a56a41898d2969f085188a (diff) | |
Disable MIC by default.
The environment variable NTLMSSP_ENABLE_MIC will enable setting the MIC if
requested by the server when it is set to '1'.
It is disabled by default because it works only with a patched SPNEGO library
that will always set the mechlistMIC on the authenticate packet if we report
that integrity is enabled.
If the library is unpatched it has also been observed that Firefox will go into
an infinite authentication loop while it keeps trying to make requests that are
always denied.
-rw-r--r-- | src/gss_sec_ctx.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
index 96d2fc4..9836ac2 100644
--- a/src/gss_sec_ctx.c
+++ b/src/gss_sec_ctx.c
@@ -433,6 +433,8 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
 }
 if (target_info.length > 0) {
+ bool *add_mic_ptr = NULL;
+ const char *envvar;
 if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
 if (input_chan_bindings->initiator_addrtype != 0 ||
@@ -448,12 +450,20 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
 cb.data = input_chan_bindings->application_data.value;
 }
+ if (protect) {
+ envvar = getenv("NTLMSSP_ENABLE_MIC");
+ if ((envvar != NULL) &&
+ (strcasecmp(envvar, "1") == 0)) {
+ add_mic_ptr = &add_mic;
+ }
+ }
+ + retmin = ntlm_process_target_info(ctx->ntlm, protect,
 &target_info, server_name,
 &cb, &client_target_info,
 &srv_time,
- protect ? &add_mic: NULL);
+ add_mic_ptr);
 if (retmin) {
 if (retmin == ERR_DECODE) {
 retmaj = GSS_S_DEFECTIVE_TOKEN;
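Review bot: The reason the MIC is now skipped even when `protect` is set lives only in the commit message; the `if (protect)` block in the second hunk should carry it, because the MIC is what binds the NTLM exchange against tampering and a reader sees integrity being advertised while that binding is silently dropped. Suggested comment above `if (protect) {`: `/* MIC is opt-in: without a SPNEGO layer that always emits mechlistMIC on the authenticate token, asking for it breaks clients (observed: Firefox retry loop). NTLMSSP_ENABLE_MIC=1 turns it on. */`. `strcasecmp(envvar, "1")` compares against a digit, so `strcmp(envvar, "1") == 0` says the same thing more plainly, and `envvar` could be declared inside the `if (protect)` block where it is first assigned instead of at the top of the `target_info.length` block in the first hunk. With `add_mic_ptr` left NULL in the `protect` case, whatever later reads `add_mic` now depends on its initialiser, which is outside these hunks (as is the rest of `gssntlm_init_sec_context`) — worth confirming it starts as `false`. `getenv` and `strcasecmp` need `<stdlib.h>` and `<strings.h>`; the include block is not visible here.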