2 files changed, 23 insertions, 1 deletions

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index dbbef9e7a3c..64b424c099f 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -27,10 +27,31 @@
 #include "../libcli/security/dom_sid.h"
 
 
+bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge)
+{
+	/*
+	 * If none of the first 5 bytes of the client challenge is unique, the
+	 * server MUST fail session-key negotiation without further processing
+	 * of the following steps.
+	 */
+
+	if (challenge->data[1] == challenge->data[0] &&
+	    challenge->data[2] == challenge->data[0] &&
+	    challenge->data[3] == challenge->data[0] &&
+	    challenge->data[4] == challenge->data[0])
+	{
+		return false;
+	}
+
+	return true;
+}
+
 void netlogon_creds_random_challenge(struct netr_Credential *challenge)
 {
 	ZERO_STRUCTP(challenge);
-	generate_random_buffer(challenge->data, sizeof(challenge->data));
+	while (!netlogon_creds_is_random_challenge(challenge)) {
+		generate_random_buffer(challenge->data, sizeof(challenge->data));
+	}
 }
 
 static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds,
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 82797d453ed..ad768682b9f 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -11,6 +11,7 @@
 
 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c  */
 
+bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge);
 void netlogon_creds_random_challenge(struct netr_Credential *challenge);
 
 void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);