From 0a1c85e39b0fcbfd67a185af63133de485560ee0 Mon Sep 17 00:00:00 2001
From: Patrick Monnerat <patrick@monnerat.net>
Date: Mon, 16 Aug 2021 08:35:22 +0200
Subject: auth: we do not support a security layer after kerberos
 authentication

Closes #7008
---
 lib/vauth/krb5_gssapi.c | 1 +
 lib/vauth/krb5_sspi.c   | 1 +
 2 files changed, 2 insertions(+)

(limited to 'lib/vauth')

diff --git a/lib/vauth/krb5_gssapi.c b/lib/vauth/krb5_gssapi.c
index 58d835b5f..ea4995c72 100644
--- a/lib/vauth/krb5_gssapi.c
+++ b/lib/vauth/krb5_gssapi.c
@@ -257,6 +257,7 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
     gss_release_buffer(&unused_status, &username_token);
     return CURLE_BAD_CONTENT_ENCODING;
   }
+  sec_layer &= GSSAUTH_P_NONE;  /* We do not support a security layer */
 
   /* Process the maximum message size the server can receive */
   if(max_size > 0) {
diff --git a/lib/vauth/krb5_sspi.c b/lib/vauth/krb5_sspi.c
index 983171c8e..08644d79c 100644
--- a/lib/vauth/krb5_sspi.c
+++ b/lib/vauth/krb5_sspi.c
@@ -338,6 +338,7 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
     infof(data, "GSSAPI handshake failure (invalid security layer)");
     return CURLE_BAD_CONTENT_ENCODING;
   }
+  sec_layer &= KERB_WRAP_NO_ENCRYPT;  /* We do not support a security layer */
 
   /* Process the maximum message size the server can receive */
   if(max_size > 0) {
-- 
cgit v1.2.1