from cli_netlogin.c
===================

        case NET_LOGON_TYPE: {
                uint8 chal[8];
                unsigned char local_lm_response[24];
                unsigned char local_nt_response[24];

                generate_random_buffer(chal, 8, False);

                SMBencrypt(password, chal, local_lm_response);
                SMBNTencrypt(password, chal, local_nt_response);


from wbinfo.c
=============

	ZERO_STRUCT(request);
	ZERO_STRUCT(response);

        p = strchr(username, '%');

        if (p) {
                *p = 0;
                fstrcpy(pass, p + 1);
	}
		
	parse_wbinfo_domain_user(username, name_domain, name_user);

	fstrcpy(request.data.auth_crap.user, name_user);

	fstrcpy(request.data.auth_crap.domain, name_domain);

	generate_random_buffer(request.data.auth_crap.chal, 8, False);
        
        SMBencrypt((uchar *)pass, request.data.auth_crap.chal, 
                   (uchar *)request.data.auth_crap.lm_resp);
        SMBNTencrypt((uchar *)pass, request.data.auth_crap.chal,
                     (uchar *)request.data.auth_crap.nt_resp);

        request.data.auth_crap.lm_resp_len = 24;
        request.data.auth_crap.nt_resp_len = 24;


winbindd_pam.c
==============

	passlen = strlen(state->request.data.auth.pass);
		
	{
		unsigned char local_lm_response[24];
		unsigned char local_nt_response[24];
		
		generate_random_buffer(chal, 8, False);
		SMBencrypt( (const uchar *)state->request.data.auth.pass, chal, local_lm_response);
		
		SMBNTencrypt((const uchar *)state->request.data.auth.pass, chal, local_nt_response);

		lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
		nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
	}


password.c
==========

		DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
		generate_random_buffer( local_challenge, 8, False);
		SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response);
		SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_response);
		smb_apasslen = 24;
		smb_ntpasslen = 24;
		smb_apasswd = (char *)local_lm_response;
		smb_ntpasswd = (char *)local_nt_response;


//---------------------------------------------------------------------------
//  These sequences look interesting...

// These next two together perform the LM_RESP transformation...

void SMBencrypt(const uchar *passwd, uchar *c8, uchar *p24)
{
	uchar p14[15], p21[21];

	memset(p21,'\0',21);
	memset(p14,'\0',14);
	StrnCpy((char *)p14,(const char *)passwd,14);

	strupper((char *)p14);
	E_P16(p14, p21); 

	SMBOWFencrypt(p21, c8, p24);

#ifdef DEBUG_PASSWORD
	DEBUG(100,("SMBencrypt: lm#, challenge, response\n"));
	dump_data(100, (char *)p21, 16);
	dump_data(100, (char *)c8, 8);
	dump_data(100, (char *)p24, 24);
#endif
}


/* Does the des encryption from the NT or LM MD4 hash. */
void SMBOWFencrypt(uchar passwd[16], uchar *c8, uchar p24[24])
{
	uchar p21[21];
 
	memset(p21,'\0',21);
 
	memcpy(p21, passwd, 16);    
	E_P24(p21, c8, p24);
}

// This does the NT_RESP transformation...
/* Does the NT MD4 hash then des encryption. */
 
void SMBNTencrypt(const uchar *passwd, uchar *c8, uchar *p24)
{
	uchar p21[21];
 
	memset(p21,'\0',21);
 
	E_md4hash(passwd, p21);    
	SMBOWFencrypt(p21, c8, p24);

#ifdef DEBUG_PASSWORD
	DEBUG(100,("SMBNTencrypt: nt#, challenge, response\n"));
	dump_data(100, (char *)p21, 16);
	dump_data(100, (char *)c8, 8);
	dump_data(100, (char *)p24, 24);
#endif
}


/* Does the des encryption from the FIRST 8 BYTES of the NT or LM MD4 hash. */
void NTLMSSPOWFencrypt(uchar passwd[8], uchar *ntlmchalresp, uchar p24[24])
{
	uchar p21[21];
 
	memset(p21,'\0',21);
	memcpy(p21, passwd, 8);    
	memset(p21 + 8, 0xbd, 8);    

	E_P24(p21, ntlmchalresp, p24);
#ifdef DEBUG_PASSWORD
	DEBUG(100,("NTLMSSPOWFencrypt: p21, c8, p24\n"));
	dump_data(100, (char *)p21, 21);
	dump_data(100, (char *)ntlmchalresp, 8);
	dump_data(100, (char *)p24, 24);
#endif
}


//======================================================================================
password.c
==========

/****************************************************************************
 Core of smb password checking routine.
****************************************************************************/

BOOL smb_password_check(char *password, unsigned char *part_passwd, unsigned char *c8)
{
	/* Finish the encryption of part_passwd. */
	unsigned char p21[21];
	unsigned char p24[24];

	if (part_passwd == NULL)
		DEBUG(10,("No password set - allowing access\n"));

	/* No password set - always true ! */
	if (part_passwd == NULL)
		return True;

	memset(p21,'\0',21);
	memcpy(p21,part_passwd,16);
	E_P24(p21, c8, p24);
#if DEBUG_PASSWORD
	{
		int i;
		DEBUG(100,("Part password (P16) was |"));
		for(i = 0; i < 16; i++)
			DEBUG(100,("%X ", (unsigned char)part_passwd[i]));
		DEBUG(100,("|\n"));
		DEBUG(100,("Password from client was |"));
		for(i = 0; i < 24; i++)
		DEBUG(100,("%X ", (unsigned char)password[i]));
		DEBUG(100,("|\n"));
		DEBUG(100,("Given challenge was |"));
		for(i = 0; i < 8; i++)
			DEBUG(100,("%X ", (unsigned char)c8[i]));
		DEBUG(100,("|\n"));
		DEBUG(100,("Value from encryption was |"));
		for(i = 0; i < 24; i++)
			DEBUG(100,("%X ", (unsigned char)p24[i]));
		DEBUG(100,("|\n"));
	}
#endif
	return (memcmp(p24, password, 24) == 0);
}


//==================================================================================================

/*************************************************************************
 _net_login_network:
 *************************************************************************/

static NTSTATUS net_login_network(NET_ID_INFO_2 *id2, SAM_ACCOUNT *sampass)
{
	uint8    *nt_pwd, *lanman_pwd;

	DEBUG(5,("net_login_network: lm_len: %d nt_len: %d\n",
		id2->hdr_lm_chal_resp.str_str_len, 
		id2->hdr_nt_chal_resp.str_str_len));

	/* JRA. Check the NT password first if it exists - this is a higher quality 
           password, if it exists and it doesn't match - fail. */

	nt_pwd = pdb_get_nt_passwd(sampass);
	lanman_pwd = pdb_get_lanman_passwd(sampass);

	if (id2->hdr_nt_chal_resp.str_str_len == 24 && nt_pwd != NULL)	{
		if(smb_password_check((char *)id2->nt_chal_resp.buffer, nt_pwd, id2->lm_chal)) 
			return NT_STATUS_OK;
		else
			return NT_STATUS_WRONG_PASSWORD;
	}

	/* lkclXXXX this is not a good place to put disabling of LM hashes in.
	   if that is to be done, first move this entire function into a
	   library routine that calls the two smb_password_check() functions.
	   if disabling LM hashes (which nt can do for security reasons) then
	   an attempt should be made to disable them everywhere (which nt does
	   not do, for various security-hole reasons).
	 */

	if (lp_lanman_auth() && id2->hdr_lm_chal_resp.str_str_len == 24 &&
		smb_password_check((char *)id2->lm_chal_resp.buffer,
		                   lanman_pwd, id2->lm_chal)) 
	{
		return NT_STATUS_OK;
	}


	/* oops! neither password check succeeded */

	return NT_STATUS_WRONG_PASSWORD;
}


//=======================================================================================
//  Som defines...  NTLMSSP

rpc_dce.h
=========

/* NTLMSSP message types */
enum NTLM_MESSAGE_TYPE
{
	NTLMSSP_NEGOTIATE = 1,
	NTLMSSP_CHALLENGE = 2,
	NTLMSSP_AUTH      = 3,
	NTLMSSP_UNKNOWN   = 4
};

/* NTLMSSP negotiation flags */
#define NTLMSSP_NEGOTIATE_UNICODE          0x00000001
#define NTLMSSP_NEGOTIATE_OEM              0x00000002
#define NTLMSSP_REQUEST_TARGET             0x00000004
#define NTLMSSP_NEGOTIATE_SIGN             0x00000010
#define NTLMSSP_NEGOTIATE_SEAL             0x00000020
#define NTLMSSP_NEGOTIATE_LM_KEY           0x00000080
#define NTLMSSP_NEGOTIATE_NTLM             0x00000200
#define NTLMSSP_NEGOTIATE_00001000         0x00001000
#define NTLMSSP_NEGOTIATE_00002000         0x00002000
#define NTLMSSP_NEGOTIATE_ALWAYS_SIGN      0x00008000
#define NTLMSSP_NEGOTIATE_NTLM2            0x00080000
#define NTLMSSP_NEGOTIATE_TARGET_INFO      0x00800000
#define NTLMSSP_NEGOTIATE_128              0x20000000
#define NTLMSSP_NEGOTIATE_KEY_EXCH         0x40000000

#define SMBD_NTLMSSP_NEG_FLAGS 0x000082b1

