DeterministicESPAsyncWebServer v6.27.1
Zero-allocation, bounded-execution async HTTP server for ESP32
Loading...
Searching...
No Matches
ntlm.h
Go to the documentation of this file.
1// Copyright (C) 2026 Douglas Quigg (dstroy0) <dquigg123@gmail.com>
2// SPDX-License-Identifier: AGPL-3.0-or-later
3
4/**
5 * @file ntlm.h
6 * @brief NTLMv2 response computation (MS-NLMP §3.3.2) for the SMB2 client (DETWS_ENABLE_SMB).
7 *
8 * The auth core: from the user's password and the server's CHALLENGE (the 8-byte server challenge
9 * + the target-info AV_PAIR blob), compute the NtChallengeResponse and the session base key that
10 * seed SESSION_SETUP. Built on the KAT-verified MD4 / MD5 / HMAC-MD5 (smb_md.h). Pure, zero heap.
11 *
12 * NThash = MD4(UTF-16LE(password))
13 * NTOWFv2 = HMAC-MD5(NThash, UTF-16LE(Uppercase(user) + domain))
14 * temp = 0x01 0x01 Z(6) Time(8) ClientChallenge(8) Z(4) TargetInfo Z(4)
15 * NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge(8) + temp)
16 * NtChallengeResponse = NTProofStr(16) + temp
17 * SessionBaseKey = HMAC-MD5(NTOWFv2, NTProofStr)
18 *
19 * Verified against the MS-NLMP §4.2 worked example (test_ntlm).
20 *
21 * @author Douglas Quigg (dstroy0)
22 * @date 2026
23 */
24
25#ifndef DETERMINISTICESPASYNCWEBSERVER_NTLM_H
26#define DETERMINISTICESPASYNCWEBSERVER_NTLM_H
27
28#include "ServerConfig.h"
29
30#if DETWS_ENABLE_SMB
31
32#include <stddef.h>
33#include <stdint.h>
34
35/** @brief The NT hash: MD4 of the UTF-16LE password (@p password is ASCII/UTF-8, NUL-terminated). */
36void ntlm_nt_hash(const char *password, uint8_t nt_hash[16]);
37
38/**
39 * @brief NTOWFv2 = HMAC-MD5(NThash, UTF-16LE(Uppercase(user) + domain)).
40 *
41 * Only the @p user is uppercased (ASCII), not the @p domain (MS-NLMP). Both are NUL-terminated.
42 * @return true; false if user + domain exceed the internal 256-char scratch.
43 */
44bool ntlm_ntowfv2(const uint8_t nt_hash[16], const char *user, const char *domain, uint8_t owf[16]);
45
46/**
47 * @brief Compute the NTLMv2 NtChallengeResponse (NTProofStr + temp) and the session base key.
48 *
49 * @param owf NTOWFv2 (from ntlm_ntowfv2).
50 * @param server_challenge the 8-byte challenge from the server's CHALLENGE_MESSAGE.
51 * @param client_challenge the 8-byte client-generated challenge.
52 * @param timestamp the 8-byte little-endian FILETIME (may be zero).
53 * @param target_info the AV_PAIR blob from the CHALLENGE_MESSAGE.
54 * @param session_key receives the 16-byte SessionBaseKey (may be null).
55 * @return the NtChallengeResponse length written to @p out (48 + @p ti_len), or 0 on overflow.
56 */
57size_t ntlm_v2_response(const uint8_t owf[16], const uint8_t server_challenge[8], const uint8_t client_challenge[8],
58 const uint8_t timestamp[8], const uint8_t *target_info, size_t ti_len, uint8_t *out,
59 size_t out_cap, uint8_t session_key[16]);
60
61#endif // DETWS_ENABLE_SMB
62
63#endif // DETERMINISTICESPASYNCWEBSERVER_NTLM_H
User-facing configuration for DeterministicESPAsyncWebServer.