Fail if the encryption level is not matched

If the client allows only 128bit security but the server does not offer it, then fail the authentication.
author: Simo Sorce <simo@redhat.com> 2014-04-06 22:54:48 -0400
committer: Simo Sorce <simo@redhat.com> 2014-05-04 17:21:06 -0400
commit: 915ddae2d8c0bf77ecc29fd3e87be79452d43c7d (patch)
tree: 2defb2096c4203e242da8ec0540d7b4e0b454864 /src
parent: 8647a0c4c78e0816629b76ce004e3c82a0cd7a85 (diff)
download: gss-ntlmssp-915ddae2d8c0bf77ecc29fd3e87be79452d43c7d.tar.gz
gss-ntlmssp-915ddae2d8c0bf77ecc29fd3e87be79452d43c7d.tar.xz
gss-ntlmssp-915ddae2d8c0bf77ecc29fd3e87be79452d43c7d.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
index 7bf87f5..69e2444 100644
--- a/src/gss_sec_ctx.c
+++ b/src/gss_sec_ctx.c
@@ -321,6 +321,12 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
         }
 
         /* check required flags */
+        if ((ctx->neg_flags & NTLMSSP_NEGOTIATE_128) &&
+            (!(ctx->neg_flags & NTLMSSP_NEGOTIATE_56)) &&
+            (!(in_flags & NTLMSSP_NEGOTIATE_128))) {
+            retmaj = GSS_S_UNAVAILABLE;
+            goto done;
+        }
         if ((ctx->neg_flags & NTLMSSP_NEGOTIATE_SEAL) &&
             (!(in_flags & NTLMSSP_NEGOTIATE_SEAL))) {
             retmaj = GSS_S_FAILURE;
author	Simo Sorce <simo@redhat.com>	2014-04-06 22:54:48 -0400
committer	Simo Sorce <simo@redhat.com>	2014-05-04 17:21:06 -0400
commit	915ddae2d8c0bf77ecc29fd3e87be79452d43c7d (patch)
tree	2defb2096c4203e242da8ec0540d7b4e0b454864 /src
parent	8647a0c4c78e0816629b76ce004e3c82a0cd7a85 (diff)
download	gss-ntlmssp-915ddae2d8c0bf77ecc29fd3e87be79452d43c7d.tar.gz gss-ntlmssp-915ddae2d8c0bf77ecc29fd3e87be79452d43c7d.tar.xz gss-ntlmssp-915ddae2d8c0bf77ecc29fd3e87be79452d43c7d.zip