From 3b8485d047492788925b530e9e622a61c66f2dbd Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 12 Aug 2003 05:53:43 +0000
Subject: As described in http://davenport.sourceforge.net/ntlm.html add NTLM2
 authentication.

NTLM2 is a version of NTLM, that involves both a client and server challenge,
and the creating of a new (presuable more secure) session key.

Unfortunetly this is not quite the same as NTLMv2, and we don't know how to
get the session key.  I suggest looking very closely at what MSCHAPv2, and
other MS auth protocols do...

Andrew Bartlett
(This used to be commit d4a5f4fdf97b707b44a0787267e1e4388d1b5388)
---
 source3/libsmb/ntlmssp.c | 43 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

(limited to 'source3')

diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index a314aa15db..47e283dc51 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -23,6 +23,12 @@
 
 #include "includes.h"
 
+#if 0
+/* we currently do not know how to get the right session key for this, so
+   we cannot enable it by default... :-( */
+#define USE_NTLM2 1
+#endif
+
 /**
  * Print out the NTLMSSP flags for debugging 
  * @param neg_flags The flags from the packet
@@ -415,6 +421,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_client_state *ntlmssp_stat
 	if (ntlmssp_state->use_ntlmv2) {
 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
 	}
+
+#ifdef USE_NTLM2
+	ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+#endif	
 	
 	/* generate the ntlmssp negotiate packet */
 	msrpc_gen(next_request, "CddAA",
@@ -560,7 +570,34 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 			data_blob_free(&struct_blob);
 			return NT_STATUS_NO_MEMORY;
 		}
+#ifdef USE_NTLM2 
+	} else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+		struct MD5Context md5_session_nonce_ctx;
+		uchar nt_hash[16];
+		uchar session_nonce[16];
+		E_md4hash(ntlmssp_state->password, nt_hash);
+		
+		generate_random_buffer(lm_response.data, 8, False);
+		memset(lm_response.data+8, 0, 16);
+		
+		MD5Init(&md5_session_nonce_ctx);
+		MD5Update(&md5_session_nonce_ctx, challenge_blob.data, 8);
+		MD5Update(&md5_session_nonce_ctx, lm_response.data, 8);
+		MD5Final(session_nonce, &md5_session_nonce_ctx);
+		
+		nt_response = data_blob(NULL, 24);
+		SMBNTencrypt(ntlmssp_state->password,
+			     challenge_blob.data,
+			     nt_response.data);
+
+		/* This is *NOT* the correct session key algorithm - just 
+		   fill in the bytes with something... */
+		session_key = data_blob(NULL, 16);
+		SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
+#endif 
 	} else {
+		
+		
 		uchar lm_hash[16];
 		uchar nt_hash[16];
 		E_deshash(ntlmssp_state->password, lm_hash);
@@ -571,15 +608,15 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 			lm_response = data_blob(NULL, 24);
 			SMBencrypt(ntlmssp_state->password,challenge_blob.data,
 				   lm_response.data);
-		}
+			}
 		
 		nt_response = data_blob(NULL, 24);
 		SMBNTencrypt(ntlmssp_state->password,challenge_blob.data,
 			     nt_response.data);
-
+		
 		session_key = data_blob(NULL, 16);
 		if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) 
-		      && lp_client_lanman_auth()) {
+		    && lp_client_lanman_auth()) {
 			SMBsesskeygen_lmv1(lm_hash, lm_response.data, 
 					   session_key.data);
 		} else {
-- 
cgit