IndependentNTLMAuthenticationProvider: ChallengeMessage.NegotiateFlags are now properly set

2025-07-22 01:05:54 +02:00 · 2017-03-02 11:35:56 +02:00 · 2017-03-02 11:35:56 +02:00 · 1d756498f1
commit 1d756498f1
parent 6325053243
1 changed files with 48 additions and 11 deletions
--- a/SMBLibrary/Authentication/NTLM/IndependentNTLMAuthenticationProvider.cs
+++ b/SMBLibrary/Authentication/NTLM/IndependentNTLMAuthenticationProvider.cs
@ -46,26 +46,63 @@ namespace SMBLibrary.Authentication.NTLM
            context = new AuthContext(negotiateMessage.Workstation, serverChallenge);
            challengeMessage = new ChallengeMessage();
-            challengeMessage.NegotiateFlags = NegotiateFlags.UnicodeEncoding |
+            // https://msdn.microsoft.com/en-us/library/cc236691.aspx
-                                     NegotiateFlags.TargetNameSupplied |
+            challengeMessage.NegotiateFlags = NegotiateFlags.TargetTypeServer |
-                                     NegotiateFlags.NTLMSessionSecurity |
+                                              NegotiateFlags.TargetInfo |
-                                     NegotiateFlags.TargetTypeServer |
+                                              NegotiateFlags.TargetNameSupplied |
-                                     NegotiateFlags.ExtendedSessionSecurity |
+                                              NegotiateFlags.Version;
-                                     NegotiateFlags.TargetInfo |
+            // [MS-NLMP] NTLMSSP_NEGOTIATE_NTLM MUST be set in the [..] CHALLENGE_MESSAGE to the client.
-                                     NegotiateFlags.Version;
+            challengeMessage.NegotiateFlags |= NegotiateFlags.NTLMSessionSecurity;
            if ((negotiateMessage.NegotiateFlags & NegotiateFlags.UnicodeEncoding) > 0)
            {
                challengeMessage.NegotiateFlags |= NegotiateFlags.UnicodeEncoding;
            }
            else if ((negotiateMessage.NegotiateFlags & NegotiateFlags.OEMEncoding) > 0)
            {
                challengeMessage.NegotiateFlags |= NegotiateFlags.OEMEncoding;
            }
            if ((negotiateMessage.NegotiateFlags & NegotiateFlags.ExtendedSessionSecurity) > 0)
            {
                challengeMessage.NegotiateFlags |= NegotiateFlags.ExtendedSessionSecurity;
            }
            else if ((negotiateMessage.NegotiateFlags & NegotiateFlags.LanManagerKey) > 0)
            {
                challengeMessage.NegotiateFlags |= NegotiateFlags.LanManagerKey;
            }
            if ((negotiateMessage.NegotiateFlags & NegotiateFlags.Sign) > 0)
            {
                // [MS-NLMP] If the client sends NTLMSSP_NEGOTIATE_SIGN to the server in the NEGOTIATE_MESSAGE,
                // the server MUST return NTLMSSP_NEGOTIATE_SIGN to the client in the CHALLENGE_MESSAGE.
                challengeMessage.NegotiateFlags |= NegotiateFlags.Sign;
            }
-            if ((negotiateMessage.NegotiateFlags & NegotiateFlags.Use56BitEncryption) > 0)
+
            if ((negotiateMessage.NegotiateFlags & NegotiateFlags.Seal) > 0)
            {
-                challengeMessage.NegotiateFlags |= NegotiateFlags.Use56BitEncryption;
+                // [MS-NLMP] If the client sends NTLMSSP_NEGOTIATE_SEAL to the server in the NEGOTIATE_MESSAGE,
                // the server MUST return NTLMSSP_NEGOTIATE_SEAL to the client in the CHALLENGE_MESSAGE.
                challengeMessage.NegotiateFlags |= NegotiateFlags.Seal;
            }
-            if ((negotiateMessage.NegotiateFlags & NegotiateFlags.Use128BitEncryption) > 0)
+
            if ((negotiateMessage.NegotiateFlags & NegotiateFlags.Sign) > 0 ||
                (negotiateMessage.NegotiateFlags & NegotiateFlags.Seal) > 0)
            {
-                challengeMessage.NegotiateFlags |= NegotiateFlags.Use128BitEncryption;
+                if ((negotiateMessage.NegotiateFlags & NegotiateFlags.Use56BitEncryption) > 0)
                {
                    // [MS-NLMP] If the client sends NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN with
                    // NTLMSSP_NEGOTIATE_56 to the server in the NEGOTIATE_MESSAGE, the server MUST return
                    // NTLMSSP_NEGOTIATE_56 to the client in the CHALLENGE_MESSAGE.
                    challengeMessage.NegotiateFlags |= NegotiateFlags.Use56BitEncryption;
                }
                if ((negotiateMessage.NegotiateFlags & NegotiateFlags.Use128BitEncryption) > 0)
                {
                    // [MS-NLMP] If the client sends NTLMSSP_NEGOTIATE_128 to the server in the NEGOTIATE_MESSAGE,
                    // the server MUST return NTLMSSP_NEGOTIATE_128 to the client in the CHALLENGE_MESSAGE only if
                    // the client sets NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN.
                    challengeMessage.NegotiateFlags |= NegotiateFlags.Use128BitEncryption;
                }
            }
            challengeMessage.TargetName = Environment.MachineName;
            challengeMessage.ServerChallenge = serverChallenge;