-rw-r--r-- | src/gss_ntlmssp.h | 1 | ||||
-rw-r--r-- | src/gss_sec_ctx.c | 26 |
2 files changed, 26 insertions, 1 deletions
diff --git a/src/gss_ntlmssp.h b/src/gss_ntlmssp.h
index 5777968..8bd16ef 100644
--- a/src/gss_ntlmssp.h
+++ b/src/gss_ntlmssp.h
@@ -41,6 +41,7 @@
 NTLMSSP_NEGOTIATE_56 | \
 NTLMSSP_NEGOTIATE_NTLM | \
 NTLMSSP_REQUEST_TARGET | \
+ NTLMSSP_NEGOTIATE_OEM | \
 NTLMSSP_NEGOTIATE_UNICODE)

 #define NTLMSSP_DEFAULT_SERVER_FLAGS ( \
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
index 9f1e989..75f6b43 100644
--- a/src/gss_sec_ctx.c
+++ b/src/gss_sec_ctx.c
@@ -217,7 +217,7 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
 goto done;
 }

- /* only in connecionless mode we may receive an input buffer
+ /* only in connectionless mode we may receive an input buffer
 * on the the first call, if DATAGRAM is not selected and
 * we have a buffer here, somethings wrong */
 if (ctx->neg_flags & NTLMSSP_NEGOTIATE_DATAGRAM) {
@@ -368,10 +368,34 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
 retmaj = GSS_S_FAILURE;
 goto done;
 }
+ if ((in_flags & NTLMSSP_NEGOTIATE_OEM) &&
+ (in_flags & NTLMSSP_NEGOTIATE_UNICODE)) {
+ /* prefer Unicode */
+ in_flags &= ~NTLMSSP_NEGOTIATE_OEM;
+ }
 } else {
 in_flags &= ~NTLMSSP_NEGOTIATE_DATAGRAM;
+
+ if ((in_flags & NTLMSSP_NEGOTIATE_OEM) &&
+ (in_flags & NTLMSSP_NEGOTIATE_UNICODE)) {
+ /* server sent both?? This is broken, proceed only if there
+ * are no strings set in the challenge packet and downgrade
+ * to OEM charset hoping the server will cope */
+ if (in_flags & (NTLMSSP_NEGOTIATE_TARGET_INFO |
+ NTLMSSP_TARGET_TYPE_SERVER |
+ NTLMSSP_TARGET_TYPE_DOMAIN)) {
+ retmaj = GSS_S_FAILURE;
+ goto done;
+ } else {
+ in_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
+ }
+ }
 }

+ /* Now that everything has been checked clear non
+ * negotiated flags */
+ ctx->neg_flags &= in_flags;
+
 retmaj = gssntlm_cli_auth(&retmin, ctx, cred, &target_info, in_flags, input_chan_bindings);
 if (retmaj) goto done; |
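Review bot: `ctx->neg_flags &= in_flags;` at the end of the last hunk accepts any flag the peer left out of the challenge, while the comment above it says everything has been checked and the visible checks cover only DATAGRAM and the OEM/UNICODE conflict. If the caller asked for integrity or confidentiality, a server, or anyone able to alter the challenge in transit, can clear those bits and the context proceeds without them, unless a check exists outside this hunk. I would record the required bits before the mask and reject the challenge when they are missing, e.g. `if ((in_flags & required) != required) { retmaj = GSS_S_FAILURE; goto done; }`, with `required` built from the caller's request. The connection-oriented branch also settles the charset conflict toward OEM, the opposite of the datagram branch, and sets no minor status on its new failure path in the visible lines; a short comment on why Unicode is not preferred there would help. gssntlm_init_sec_context starts and ends outside the hunk.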