From 5795f577aeb3a39f51bda9a3840a441ca2237307 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 8 Aug 2014 15:44:37 -0400
Subject: Offer OEM charset support in the negotiate packet

But make sure to clear out flags once we receive the challenge packet or we end up with both (OEM and UNICODE) flags set when we generate the AUTH package. Special care needs to be taken for DATAGRAM packets, as they are special.
---
 src/gss_ntlmssp.h | 1 +
 src/gss_sec_ctx.c | 26 +++++++++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/src/gss_ntlmssp.h b/src/gss_ntlmssp.h
index 5777968..8bd16ef 100644
--- a/src/gss_ntlmssp.h
+++ b/src/gss_ntlmssp.h
@@ -41,6 +41,7 @@
                                 NTLMSSP_NEGOTIATE_56 | \
                                 NTLMSSP_NEGOTIATE_NTLM | \
                                 NTLMSSP_REQUEST_TARGET | \
+                                NTLMSSP_NEGOTIATE_OEM | \
                                 NTLMSSP_NEGOTIATE_UNICODE)
 
 #define NTLMSSP_DEFAULT_SERVER_FLAGS ( \
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
index 9f1e989..75f6b43 100644
--- a/src/gss_sec_ctx.c
+++ b/src/gss_sec_ctx.c
@@ -217,7 +217,7 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
         goto done;
     }
 
-    /* only in connecionless mode we may receive an input buffer
+    /* only in connectionless mode we may receive an input buffer
      * on the the first call, if DATAGRAM is not selected and
      * we have a buffer here, somethings wrong */
     if (ctx->neg_flags & NTLMSSP_NEGOTIATE_DATAGRAM) {
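Review bot: Adding `NTLMSSP_NEGOTIATE_OEM` to this default flag set means every client now advertises the legacy, code-page dependent OEM charset next to UNICODE, so a challenge that returns only OEM will be accepted; the intent that OEM is merely a fallback lives in gss_sec_ctx.c, and a comment on the added line such as `NTLMSSP_NEGOTIATE_OEM | /* fallback only; UNICODE is preferred when both are accepted */ \` would record it where the flag is declared. The macro this line belongs to starts above the hunk, and whether the server default set beginning on the hunk's last line should mirror the change is outside this view.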
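Review bot: The comment being corrected still carries two other slips on its unchanged lines, `on the the first call` and `somethings wrong`; since the first line is already being rewritten, the whole comment could read `/* only in connectionless mode may we receive an input buffer on the first call; if DATAGRAM is not selected and we have a buffer here, something is wrong */`. gssntlm_init_sec_context begins and ends outside this hunk.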
@@ -368,10 +368,34 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
             retmaj = GSS_S_FAILURE;
             goto done;
         }
+        if ((in_flags & NTLMSSP_NEGOTIATE_OEM) &&
+            (in_flags & NTLMSSP_NEGOTIATE_UNICODE)) {
+            /* prefer Unicode */
+            in_flags &= ~NTLMSSP_NEGOTIATE_OEM;
+        }
     } else {
         in_flags &= ~NTLMSSP_NEGOTIATE_DATAGRAM;
+
+        if ((in_flags & NTLMSSP_NEGOTIATE_OEM) &&
+            (in_flags & NTLMSSP_NEGOTIATE_UNICODE)) {
+            /* server sent both?? This is broken, proceed only if there
+             * are no strings set in the challenge packet and downgrade
+             * to OEM charset hoping the server will cope */
+            if (in_flags & (NTLMSSP_NEGOTIATE_TARGET_INFO |
+                            NTLMSSP_TARGET_TYPE_SERVER |
+                            NTLMSSP_TARGET_TYPE_DOMAIN)) {
+                retmaj = GSS_S_FAILURE;
+                goto done;
+            } else {
+                in_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
+            }
+        }
     }
 
+    /* Now that everything has been checked clear non
+     * negotiated flags */
+    ctx->neg_flags &= in_flags;
+
     retmaj = gssntlm_cli_auth(&retmin, ctx, cred, &target_info,
                               in_flags, input_chan_bindings);
     if (retmaj) goto done;
-- cgit
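Review bot: `ctx->neg_flags &= in_flags;` accepts whatever subset of the offered flags the challenge echoed back, so a challenge that strips NTLMSSP_NEGOTIATE_SIGN, SEAL, NTLM2 or KEY_EXCH would be silently honoured here unless the checks above this hunk (outside the view) already reject that downgrade; the comment `Now that everything has been checked` should say where that is enforced, or the mask should be followed by a comparison of the flags the caller's requested GSS services require against the masked `ctx->neg_flags`, failing with `GSS_S_FAILURE` when one was dropped. The call on the next line still receives `in_flags` rather than the masked `ctx->neg_flags`, so a flag the server set but the client never offered would be carried into the AUTH message while the context does not have it; passing `ctx->neg_flags` there, or applying the same mask to `in_flags` first, keeps the two consistent (hedged, since how `gssntlm_cli_auth` uses the argument is not visible). In the connection-oriented branch the OEM fallback is explicitly best-effort (`hoping the server will cope`), and a challenge with neither charset bit set is not handled in this hunk and is worth rejecting as well if nothing earlier does. gssntlm_init_sec_context starts and ends outside this hunk.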