authorcinap_lenrek <cinap_lenrek@felloff.net>2013-12-08 08:34:31 +0100
committercinap_lenrek <cinap_lenrek@felloff.net>2013-12-08 08:34:31 +0100
commit007520e3fef2c12a2ee7844d1ac016668a804132 (patch)
treeb3961b83c7271d5cb971cd90e49d6bbf91c95842 /sys
parentc940e986302d16d6e09d61c908d45730b3873766 (diff)
handle NIL user domain, and Z(4) at end of nt blob for ntlmv2
the nt blob ends with 4 zero bytes, this is not the same as the EOL av-pair terminator! this makes ntlmv2 work with windows xp with LmCompatibilityLevel = 3
Diffstat (limited to 'sys')
-rw-r--r--sys/src/cmd/auth/authsrv.c41
-rw-r--r--sys/src/cmd/cifs/auth.c7
2 files changed, 35 insertions, 13 deletions
diff --git a/sys/src/cmd/auth/authsrv.c b/sys/src/cmd/auth/authsrv.c
index e6d9749e6..7e1542587 100644
--- a/sys/src/cmd/auth/authsrv.c
+++ b/sys/src/cmd/auth/authsrv.c
@@ -733,6 +733,13 @@ mschap(Ticketreq *tr)
if(id == MsvAvEOL)
break;
}
+
+ /* Z[4] */
+ if(ntbloblen > sizeof(ntblob)-4)
+ exits(0);
+ if(readn(0, ntblob+ntbloblen, 4) < 0)
+ exits(0);
+ ntbloblen += 4;
}
safecpy(tr->uid, reply.uid, sizeof(tr->uid));
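Review bot: A short read passes the new `readn(0, ntblob+ntbloblen, 4) < 0` check, because readn returns the number of bytes read; if the client closes after one to three bytes, `ntbloblen += 4` counts bytes that were never written into ntblob and they are then fed to the HMAC. Comparing against the requested length closes this: `if(readn(0, ntblob+ntbloblen, 4) != 4) exits(0);`. The size guard `ntbloblen > sizeof(ntblob)-4` does keep the four-byte write inside the buffer. The comment `/* Z[4] */` could also say that these are the four trailing zero bytes of the NTLMv2 blob, distinct from the MsvAvEOL pair. mschap starts and ends outside the hunk, so the earlier reads in this loop are not visible and may need the same check.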
@@ -750,21 +757,29 @@ mschap(Ticketreq *tr)
if(ntbloblen > 0){
getname(MsvAvNbDomainName, ntblob, ntbloblen, windom, sizeof(windom));
- ntv2hash(hash, secret, tr->uid, windom);
- /*
- * LmResponse = Cat(HMAC_MD5(LmHash, Cat(SC, CC)), CC)
- */
- s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
- hmac_md5((uchar*)reply.LMresp+16, 8, hash, MShashlen, resp, s);
- lmok = memcmp(resp, reply.LMresp, 16) == 0;
+ for(;;){
+ ntv2hash(hash, secret, tr->uid, windom);
+
+ /*
+ * LmResponse = Cat(HMAC_MD5(LmHash, Cat(SC, CC)), CC)
+ */
+ s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
+ hmac_md5((uchar*)reply.LMresp+16, 8, hash, MShashlen, resp, s);
+ lmok = memcmp(resp, reply.LMresp, 16) == 0;
+
+ /*
+ * NtResponse = Cat(HMAC_MD5(NtHash, Cat(SC, NtBlob)), NtBlob)
+ */
+ s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
+ hmac_md5(ntblob, ntbloblen, hash, MShashlen, resp, s);
+ ntok = memcmp(resp, reply.NTresp, 16) == 0;
+
+ if(lmok || ntok || windom[0] == '\0')
+ break;
- /*
- * NtResponse = Cat(HMAC_MD5(NtHash, Cat(SC, NtBlob)), NtBlob)
- */
- s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
- hmac_md5(ntblob, ntbloblen, hash, MShashlen, resp, s);
- ntok = memcmp(resp, reply.NTresp, 16) == 0;
+ windom[0] = '\0'; /* try NIL domain */
+ }
dupe = 0;
} else {
lmhash(hash, secret);
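Review bot: The `for(;;)` around the two HMAC computations runs at most twice, but that is only visible by reading the exit test `lmok || ntok || windom[0] == '\0'` together with the assignment at the bottom of the loop. A comment above the loop would make the bound explicit, for example `/* first pass: domain from the blob; second pass: NIL (empty) domain */`. It is worth recording in the same comment that a response keyed to the empty domain is now accepted whatever MsvAvNbDomainName the client sent, so the domain string from the blob should not be treated as verified. Whether later code relies on windom is not visible, as mschap starts and ends outside the hunk.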
diff --git a/sys/src/cmd/cifs/auth.c b/sys/src/cmd/cifs/auth.c
index 5bf2433f9..c491b335a 100644
--- a/sys/src/cmd/cifs/auth.c
+++ b/sys/src/cmd/cifs/auth.c
@@ -206,8 +206,15 @@ ntv2_blob(uchar *blob, int len, char *windom)
*p++ = 0;
*p++ = 0;
+ len -= 4;
p += putname(p, len - (p-blob), windom, Bdomain);
p += putname(p, len - (p-blob), "", Beof);
+ len += 4;
+
+ *p++ = 0; /* 32bit: unknown data */
+ *p++ = 0;
+ *p++ = 0;
+ *p++ = 0;
return p - blob;
}
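Review bot: Nothing in ntv2_blob checks that the caller's buffer has room for the four trailing bytes: if `len` is smaller than the header already written plus 4, `len - (p-blob)` goes negative in both putname calls and the four `*p++ = 0` stores land past `blob+len`. A guard before `len -= 4`, such as `if(len - (p-blob) < 4) return 0;`, would make the reservation explicit; the right failure value depends on how callers use the return, which is not visible here. The `len += 4` has no effect in the visible lines, since only `p - blob` is returned, so passing `len - 4 - (p-blob)` to putname would say the same thing without mutating the parameter. The comment `/* 32bit: unknown data */` could match the `/* Z[4] */` wording used in authsrv.c. The start of ntv2_blob is outside the hunk, as is putname's handling of a non-positive size.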