[Dovecot] [PATCH] NTLM2 support

Thu Sep 30 11:41:47 EEST 2004

Hello,

as pointed by Andrew Bartlett NTLM2 authentication support
is missing in dovecot. Attached patch adds it.
Tested and works for me.

Please consider applying.

Best regards.

-- 
Andrey Panin		| Linux and UNIX system administrator
pazke at donpac.ru		| PGP key: wwwkeys.pgp.net
-------------- next part --------------
diff -urpNX /usr/share/dontdiff dovecot-1.0-test46.vanilla/src/auth/mech-ntlm.c dovecot-1.0-test46/src/auth/mech-ntlm.c

--- dovecot-1.0-test46.vanilla/src/auth/mech-ntlm.c	2004-08-31 13:28:03.000000000 +0400
+++ dovecot-1.0-test46/src/auth/mech-ntlm.c	2004-09-28 23:45:46.000000000 +0400
@@ -25,6 +25,7 @@ struct ntlm_auth_request {
 	pool_t pool;
 
 	/* requested: */
+	int ntlm2_negotiated;
 	const unsigned char *challenge;
 
 	/* received: */
@@ -73,7 +74,7 @@ ntlm_credentials_callback(const char *cr
 	buffer_t *hash_buffer;
 	int ret;
 
-	if (credentials == NULL) {
+	if ((credentials == NULL) && !auth->ntlm2_negotiated) {
 		passdb->lookup_credentials(auth_request,
 					   PASSDB_CREDENTIALS_LANMAN,
 					   lm_credentials_callback);
@@ -105,8 +106,16 @@ ntlm_credentials_callback(const char *cr
 			     NTLMSSP_V2_RESPONSE_SIZE) == 0;
 	} else {
 		unsigned char ntlm_response[NTLMSSP_RESPONSE_SIZE];
+		const unsigned char *client_lm_response =
+			ntlmssp_buffer_data(auth->response, lm_response);
 
-		ntlmssp_v1_response(hash, auth->challenge, ntlm_response);
+		if (auth->ntlm2_negotiated)
+			ntlmssp2_response(hash, auth->challenge,
+					  client_lm_response,
+					  ntlm_response);
+		else 
+			ntlmssp_v1_response(hash, auth->challenge,
+					    ntlm_response);
 
 		ret = memcmp(ntlm_response, client_response,
 			     NTLMSSP_RESPONSE_SIZE) == 0;
@@ -145,6 +154,7 @@ mech_ntlm_auth_continue(struct auth_requ
 
 		message = ntlmssp_create_challenge(auth->pool, request,
 						   &message_size);
+		auth->ntlm2_negotiated = message->flags & NTLMSSP_NEGOTIATE_NTLM2;
 		auth->challenge = message->challenge;
 
 		mech_init_auth_client_reply(&reply);
diff -urpNX /usr/share/dontdiff dovecot-1.0-test46.vanilla/src/lib-ntlm/ntlm-encrypt.c dovecot-1.0-test46/src/lib-ntlm/ntlm-encrypt.c
--- dovecot-1.0-test46.vanilla/src/lib-ntlm/ntlm-encrypt.c	2004-09-22 23:52:09.000000000 +0400
+++ dovecot-1.0-test46/src/lib-ntlm/ntlm-encrypt.c	2004-09-28 22:43:42.000000000 +0400
@@ -4,7 +4,7 @@
  * Copyright (c) 2004 Andrey Panin <pazke at donpac.ru>
  *
  * This library is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published 
+ * it under the terms of the GNU Lesser General Public License as published
  * by the Free Software Foundation; either version 2 of the License, or
  * (at your option) any later version.
  */
@@ -110,6 +110,23 @@ ntlmssp_v1_response(const unsigned char 
 }
 
 void
+ntlmssp2_response(const unsigned char *hash,
+		  const unsigned char *server_challenge,
+		  const unsigned char *client_challenge,
+		  unsigned char response[NTLMSSP_RESPONSE_SIZE])
+{
+	struct md5_context ctx;
+	unsigned char session_hash[16];
+
+	md5_init(&ctx);
+	md5_update(&ctx, server_challenge, NTLMSSP_CHALLENGE_SIZE);
+	md5_update(&ctx, client_challenge, NTLMSSP_CHALLENGE_SIZE);
+	md5_final(&ctx, session_hash);
+
+	ntlmssp_v1_response(hash, session_hash, response);
+}
+
+void
 ntlmssp_v2_response(const char *user, const char *target,
 		    const unsigned char *hash_v1,
 		    const unsigned char *challenge,
diff -urpNX /usr/share/dontdiff dovecot-1.0-test46.vanilla/src/lib-ntlm/ntlm-encrypt.h dovecot-1.0-test46/src/lib-ntlm/ntlm-encrypt.h
--- dovecot-1.0-test46.vanilla/src/lib-ntlm/ntlm-encrypt.h	2004-07-30 07:16:23.000000000 +0400
+++ dovecot-1.0-test46/src/lib-ntlm/ntlm-encrypt.h	2004-09-28 22:45:22.000000000 +0400
@@ -11,6 +11,11 @@ void ntlmssp_v1_response(const unsigned 
 			 const unsigned char *challenge,
 			 unsigned char response[NTLMSSP_RESPONSE_SIZE]);
 
+void ntlmssp2_response( const unsigned char *hash,
+			const unsigned char *server_challenge,
+			const unsigned char *client_challenge,
+			unsigned char response[NTLMSSP_RESPONSE_SIZE]);
+
 void ntlmssp_v2_response(const char *user, const char *target,
 			 const unsigned char *hash_v1,
 			 const unsigned char *challenge,
diff -urpNX /usr/share/dontdiff dovecot-1.0-test46.vanilla/src/lib-ntlm/ntlm-message.c dovecot-1.0-test46/src/lib-ntlm/ntlm-message.c
--- dovecot-1.0-test46.vanilla/src/lib-ntlm/ntlm-message.c	2004-07-31 07:50:01.000000000 +0400
+++ dovecot-1.0-test46/src/lib-ntlm/ntlm-message.c	2004-09-28 23:42:45.000000000 +0400
@@ -119,6 +119,9 @@ static inline uint32_t ntlmssp_flags(uin
 			 NTLMSSP_NEGOTIATE_NTLM |
 			 NTLMSSP_NEGOTIATE_TARGET_INFO;
 
+	if (client_flags & NTLMSSP_NEGOTIATE_NTLM2)
+		flags |= NTLMSSP_NEGOTIATE_NTLM2;
+
 	if (client_flags & NTLMSSP_REQUEST_TARGET)
 		flags |= NTLMSSP_REQUEST_TARGET | NTLMSSP_TARGET_TYPE_SERVER;
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20040930/03c85ca0/attachment-0003.bin>
