From 007520e3fef2c12a2ee7844d1ac016668a804132 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Sun, 8 Dec 2013 08:34:31 +0100
Subject: [PATCH] handle NIL user domain, and Z(4) at end of nt blob for ntlmv2

the nt blob ends with 4 zero bytes, this is not the same as the EOL av-pair terminator! this makes ntlmv2 work with windows xp with LmCompatibityLevel = 3
---
 sys/src/cmd/auth/authsrv.c | 41 ++++++++++++++++++++++++++------------
 sys/src/cmd/cifs/auth.c | 7 +++++++
 2 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/sys/src/cmd/auth/authsrv.c b/sys/src/cmd/auth/authsrv.c
index e6d9749e6..7e1542587 100644
--- a/sys/src/cmd/auth/authsrv.c
+++ b/sys/src/cmd/auth/authsrv.c
@@ -733,6 +733,13 @@ mschap(Ticketreq *tr)
 if(id == MsvAvEOL)
 break;
 }
+
+ /* Z[4] */
+ if(ntbloblen > sizeof(ntblob)-4)
+ exits(0);
+ if(readn(0, ntblob+ntbloblen, 4) < 0)
+ exits(0);
+ ntbloblen += 4;
 }
 safecpy(tr->uid, reply.uid, sizeof(tr->uid));
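Review bot: The added `readn(0, ntblob+ntbloblen, 4) < 0` check in the new Z[4] block accepts a short read, because readn returns the byte count and is negative only on error; at EOF it can return 0..3 and the code still executes `ntbloblen += 4`, so the NtResponse HMAC in the following hunk is computed over up to four bytes of ntblob that were never received from the client. Compare against the requested length instead: `if(readn(0, ntblob+ntbloblen, 4) != 4)`. The protocol calls these four bytes Z(4), i.e. zeros; the code does not check that, which is acceptable for interoperability, but the `/* Z[4] */` comment would be clearer as `/* Z(4): 4 reserved zero bytes that close the NTLMv2 blob (not an AV_PAIR) */`. mschap's body starts before this hunk and continues after it.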
@@ -750,21 +757,29 @@ mschap(Ticketreq *tr)
 if(ntbloblen > 0){
 getname(MsvAvNbDomainName, ntblob, ntbloblen, windom, sizeof(windom));
- ntv2hash(hash, secret, tr->uid, windom);
- /*
- * LmResponse = Cat(HMAC_MD5(LmHash, Cat(SC, CC)), CC)
- */
- s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
- hmac_md5((uchar*)reply.LMresp+16, 8, hash, MShashlen, resp, s);
- lmok = memcmp(resp, reply.LMresp, 16) == 0;
+ for(;;){
+ ntv2hash(hash, secret, tr->uid, windom);
- /*
- * NtResponse = Cat(HMAC_MD5(NtHash, Cat(SC, NtBlob)), NtBlob)
- */
- s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
- hmac_md5(ntblob, ntbloblen, hash, MShashlen, resp, s);
- ntok = memcmp(resp, reply.NTresp, 16) == 0;
+ /*
+ * LmResponse = Cat(HMAC_MD5(LmHash, Cat(SC, CC)), CC)
+ */
+ s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
+ hmac_md5((uchar*)reply.LMresp+16, 8, hash, MShashlen, resp, s);
+ lmok = memcmp(resp, reply.LMresp, 16) == 0;
+
+ /*
+ * NtResponse = Cat(HMAC_MD5(NtHash, Cat(SC, NtBlob)), NtBlob)
+ */
+ s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
+ hmac_md5(ntblob, ntbloblen, hash, MShashlen, resp, s);
+ ntok = memcmp(resp, reply.NTresp, 16) == 0;
+
+ if(lmok || ntok || windom[0] == '\0')
+ break;
+
+ windom[0] = '\0'; /* try NIL domain */
+ }
 dupe = 0;
 } else {
 lmhash(hash, secret);
diff --git a/sys/src/cmd/cifs/auth.c b/sys/src/cmd/cifs/auth.c
index 5bf2433f9..c491b335a 100644
--- a/sys/src/cmd/cifs/auth.c
+++ b/sys/src/cmd/cifs/auth.c
@@ -206,8 +206,15 @@ ntv2_blob(uchar *blob, int len, char *windom)
 *p++ = 0;
 *p++ = 0;
+ len -= 4;
 p += putname(p, len - (p-blob), windom, Bdomain);
 p += putname(p, len - (p-blob), "", Beof);
+ len += 4;
+
+ *p++ = 0; /* 32bit: unknown data */
+ *p++ = 0;
+ *p++ = 0;
+ *p++ = 0;
 return p - blob;
 }
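Review bot: `lmok` and `ntok` on the new side are still computed with `memcmp` over the 16-byte HMAC-MD5 outputs, which returns at the first mismatching byte and so leaks through timing how many leading bytes of a forged response were right; the new retry loop runs up to four such comparisons per failed attempt instead of two. Replace both with a constant-time comparison, e.g. `ntok = tsmemcmp(resp, reply.NTresp, 16) == 0;` if libsec provides one in this tree, otherwise a short loop that ORs together `resp[i] ^ reply.NTresp[i]` over all 16 bytes and tests the accumulator. Separately, the loop leaves `windom` cleared to "" whenever the NIL-domain retry ran, whether or not it matched; if windom is read after the hunk — for the ticket or for logging — it no longer reflects what the client sent, so a comment at `windom[0] = '\0';` such as `/* destructive: windom is "" from here on if the first attempt failed */` would help. mschap's body starts before this hunk and continues after it.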
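Review bot: `len += 4;` after the two putname calls is dead — `len` is a by-value parameter that is not read again before `return p - blob;` — so the `len -= 4` / `len += 4` pair reads as if it restored something when it only narrows the bound handed to putname. Clearer is to drop both lines and pass the narrowed bound where it is used, `p += putname(p, (len-4) - (p-blob), windom, Bdomain);` and likewise for the Beof call, so the room reserved for the tail is visible at the call. The four trailing bytes are not unknown: the commit message itself identifies them as the Z(4) that ends the NTLMv2 blob, so `/* 32bit: unknown data */` should read `/* Z(4): 4 reserved zero bytes that terminate the blob; not the MsvAvEOL av-pair */`. The unchecked `*p++ = 0` writes are within bounds only because putname honours its length argument, which is outside this hunk; ntv2_blob's body starts before the hunk.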