From 3f9ab2e8e7437ad2775ecd7b87c20804089b58cb Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sat, 15 Oct 2011 14:56:11 +1100
Subject: [PATCH] ntlmssp: Refuse to seal if we did not negotiate to sign

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 auth/ntlmssp/ntlmssp_sign.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c
index 019ea3ce3b3..a5c57d8423f 100644
--- a/auth/ntlmssp/ntlmssp_sign.c
+++ b/auth/ntlmssp/ntlmssp_sign.c
@@ -274,6 +274,11 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+	if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
+		DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	if (!ntlmssp_state->session_key.length) {
 		DEBUG(3, ("NO session key, cannot seal packet\n"));
 		return NT_STATUS_NO_USER_SESSION_KEY;
-- 
2.34.1