author | Luke Leighton <lkcl@samba.org> | 1999-11-21 19:24:01 +0000 |
---|---|---|
committer | Luke Leighton <lkcl@samba.org> | 1999-11-21 19:24:01 +0000 |
commit | dab1a1227873f1a88dc7a4b8f63edcccd60ada85 (patch) | |
tree | c73b914c6ed0287542a0760800e3a236484b3892 /source3/include | |
parent | 680dcc934182544aa49a4a426f2263c1aaedd4aa (diff) | |
you know what? this sort of thing makes me laugh. hmm, what functions
have we got. and what data do we have. hmm.. i wonder what the NTLMv2
user session key can be... hmmm... weell.... there's some hidden data
here, generated from the user password that doesn't go over-the-wire,
so that's _got_ to be involved. and... that bit of data took a lot of
computation to produce, so it's probably _also_ involved... and md4 no, md5?
no, how about hmac_md5 yes let's try that one (the others didn't work)
oh goodie, it worked!
i love it when this sort of thing happens. took all of fifteen minutes to
guess it. tried concatenating client and server challenges. tried
concatenating _random_ bits of client and server challenges. tried
md5 of the above. tried hmac_md5 of the above. eventually, it boils down
to this:
kr = MD4(NT#,username,domainname)
hmacntchal=hmac_md5(kr, nt server challenge)
sess_key = hmac_md5(kr, hmacntchal);
(This used to be commit ab174759cd210fe1be888d0c589a5b2669f7ff1e)
Diffstat (limited to 'source3/include')
-rw-r--r-- | source3/include/client.h | 2 | ||||
-rw-r--r-- | source3/include/proto.h | 3 |
2 files changed, 4 insertions, 1 deletions
diff --git a/source3/include/client.h b/source3/include/client.h
index b06d877181..7c5854b556 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -74,6 +74,8 @@ struct pwd_info
 uchar lm_cli_chal[8];
 uchar nt_cli_chal[128];
 size_t nt_cli_chal_len;
+
+ uchar sess_key[16];
 };
 struct cli_state {
diff --git a/source3/include/proto.h b/source3/include/proto.h
index a5348d4e88..ac5022935a 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -821,7 +821,8 @@ void pwd_make_lm_nt_owf2(struct pwd_info *pwd, const uchar srv_key[8],
 const char *user, const char *server, const char *domain);
 void pwd_make_lm_nt_owf(struct pwd_info *pwd, uchar cryptkey[8]);
 void pwd_get_lm_nt_owf(struct pwd_info *pwd, uchar lm_owf[24],
- uchar *nt_owf, size_t *nt_owf_len);
+ uchar *nt_owf, size_t *nt_owf_len,
+ uchar *sess_key);
 /*The following definitions come from libsmb/smbdes.c */
|
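Review bot: The new `uchar sess_key[16];` in struct pwd_info has no comment saying what it holds, although per the commit message it is secret keying material derived from the NT hash rather than another over-the-wire challenge like the fields above it. I would add `/* NTLMv2 user session key: hmac_md5(kr, hmac_md5(kr, nt server challenge)); secret, never sent on the wire */` above the field and give the 16 a named constant shared with the code that fills it. The code that clears or copies struct pwd_info is outside this hunk; it presumably needs to zero this field together with the stored hashes, which should be confirmed. The struct definition starts before the hunk.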
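Review bot: The added `uchar *sess_key` parameter of pwd_get_lm_nt_owf carries no length, unlike `lm_owf[24]` on the same prototype and `nt_owf`, which is paired with `nt_owf_len`. A caller passing a buffer shorter than the 16 bytes of `pwd->sess_key` would be overrun if the function copies the whole key. Declaring the parameter as `uchar sess_key[16]` would state the required size at every call site. The prototype also does not say whether NULL is accepted by callers that do not want the key; the function body is not in this diff, so that should be checked and stated in a comment on the definition. proto.h looks generated from the .c definitions, so the change belongs there.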