experimental ntlmv2 server authenticaion support for cifsd

extending factotums and the auth servers mschap implementation
to handle variable length NT response for NTLMv2.

fix some minor bugs.

only tested with cifs so far.

sys/src/cmd/auth/authsrv.c

@@ -34,6 +34,7 @@ void	mkkey(char*);
 void	randombytes(uchar*, int);
 void	nthash(uchar hash[MShashlen], char *passwd);
 void	lmhash(uchar hash[MShashlen], char *passwd);
+void	ntv2hash(uchar hash[MShashlen], char *passwd, char *user, char *dom);
 void	mschalresp(uchar resp[MSresplen], uchar hash[MShashlen], uchar chal[MSchallen]);
 void	desencrypt(uchar data[8], uchar key[7]);
 int	tickauthreply(Ticketreq*, char*);
@@ -629,19 +630,59 @@ printresp(uchar resp[MSresplen])
 	syslog(0, AUTHLOG, "resp = %s", buf);
 }
 
+enum {
+	MsvAvEOL = 0,
+	MsvAvNbComputerName,
+	MsvAvNbDomainName,
+	MsvAvDnsComputerName,
+	MsvAvDnsomainName,
+};
+
+char*
+getname(int id, uchar *ntblob, int ntbloblen, char *buf, int nbuf)
+{
+	int aid, alen, i;
+	uchar *p, *e;
+	char *d;
+	Rune r;
+
+	d = buf;
+	p = ntblob+8+8+8+4;	/* AvPair offset */
+	e = ntblob+ntbloblen;
+	while(p+4 <= e){
+		aid = *p++;
+		aid |= *p++ << 8;
+		alen = *p++;
+		alen |= *p++ << 8;
+
+		if(p+alen > e)
+			break;
+		if(aid == id){
+			for(i=0; i+1 < alen && d-buf < nbuf-(UTFmax+1); i+=2){
+				r = p[i] | p[i+1]<<8;
+				d += runetochar(d, &r);
+			}
+			break;
+		}
+		p += alen;
+	}
+	*d = '\0';
+	return buf;
+}
+
+static uchar ntblobsig[] = {0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
 
 void
 mschap(Ticketreq *tr)
 {
-
 	char *secret, *hkey;
-	char sbuf[SECRETLEN], hbuf[DESKEYLEN];
-	uchar chal[CHALLEN];
+	char sbuf[SECRETLEN], hbuf[DESKEYLEN], windom[128];
+	uchar chal[CHALLEN], ntblob[1024];
 	uchar hash[MShashlen];
 	uchar hash2[MShashlen];
 	uchar resp[MSresplen];
 	OMSchapreply reply;
-	int dupe, lmok, ntok;
+	int dupe, lmok, ntok, ntbloblen;
 	DigestState *s;
 	uchar digest[SHA1dlen];
 
@@ -657,6 +698,43 @@ mschap(Ticketreq *tr)
 	if(readn(0, &reply, sizeof(reply)) < 0)
 		exits(0);
 
+	/*
+	 * CIFS/NTLMv2 uses variable length NT response.
+	 */
+	ntbloblen = 0;
+	if(memcmp(reply.NTresp+16, ntblobsig, sizeof(ntblobsig)) == 0){
+		/* Version[1], HiVision[1], Z[6] */
+		ntbloblen += 1+1+6;
+		memmove(ntblob, reply.NTresp+16, ntbloblen);
+
+		/* Time[8], CC[8], Z[4] */
+		if(readn(0, ntblob+ntbloblen, 8+8+4) < 0)
+			exits(0);
+		ntbloblen += 8+8+4;
+
+		/* variable AvPairs */
+		for(;;){
+			int len, id;
+
+			if(ntbloblen > sizeof(ntblob)-4)
+				exits(0);
+			/* AvId[2], AvLen[2], Vairable[AvLen] */
+			if(readn(0, ntblob+ntbloblen, 4) < 0)
+				exits(0);
+			id = ntblob[ntbloblen+0] | ntblob[ntbloblen+1]<<8;
+			len = ntblob[ntbloblen+2] | ntblob[ntbloblen+3]<<8;
+			ntbloblen += 4;
+
+			if(ntbloblen+len > sizeof(ntblob))
+				exits(0);
+			if(readn(0, ntblob+ntbloblen, len) < 0)
+				exits(0);
+			ntbloblen += len;
+			if(id == MsvAvEOL)
+				break;
+		}
+	}
+
 	safecpy(tr->uid, reply.uid, sizeof(tr->uid));
 	/*
 	 * lookup
@@ -670,6 +748,25 @@ mschap(Ticketreq *tr)
 		exits(0);
 	}
 
+	if(ntbloblen > 0){
+		getname(MsvAvNbDomainName, ntblob, ntbloblen, windom, sizeof(windom));
+		ntv2hash(hash, secret, tr->uid, windom);
+
+		/*
+		 * LmResponse = Cat(HMAC_MD5(LmHash, Cat(SC, CC)), CC)
+		 */
+		s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
+		hmac_md5((uchar*)reply.LMresp+16, 8, hash, MShashlen, resp, s);
+		lmok = memcmp(resp, reply.LMresp, 16) == 0;
+
+		/*
+		 * NtResponse = Cat(HMAC_MD5(NtHash, Cat(SC, NtBlob)), NtBlob)
+		 */
+		s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
+		hmac_md5(ntblob, ntbloblen, hash, MShashlen, resp, s);
+		ntok = memcmp(resp, reply.NTresp, 16) == 0;
+		dupe = 0;
+	} else {
 		lmhash(hash, secret);
 		mschalresp(resp, hash, chal);
 		lmok = memcmp(resp, reply.LMresp, MSresplen) == 0;
@@ -677,6 +774,7 @@ mschap(Ticketreq *tr)
 		mschalresp(resp, hash, chal);
 		ntok = memcmp(resp, reply.NTresp, MSresplen) == 0;
 		dupe = memcmp(reply.LMresp, reply.NTresp, MSresplen) == 0;
+	}
 
 	/*
 	 * It is valid to send the same response in both the LM and NTLM 
@@ -707,8 +805,7 @@ mschap(Ticketreq *tr)
 		exits(0);
 
 	if(debug)
-		replyerror("mschap-ok %s/%s(%s) %ux",
-			tr->uid, tr->hostid, raddr);
+		replyerror("mschap-ok %s/%s(%s)", tr->uid, tr->hostid, raddr);
 
 	nthash(hash, secret);
 	md4(hash, 16, hash2, 0);
@@ -723,19 +820,52 @@ mschap(Ticketreq *tr)
 void
 nthash(uchar hash[MShashlen], char *passwd)
 {
-	uchar buf[512];
-	int i;
-
-	for (i = 0; *passwd && i + 1 < sizeof(buf);) {
+	DigestState *ds;
+	uchar b[2];
 	Rune r;
+
+	ds = md4(nil, 0, nil, nil);
+	while(*passwd){
 		passwd += chartorune(&r, passwd);
-		buf[i++] = r;
-		buf[i++] = r >> 8;
+		b[0] = r & 0xff;
+		b[1] = r >> 8;
+		md4(b, 2, nil, ds);
 	}
+	md4(nil, 0, hash, ds);
+}
 
-	memset(hash, 0, 16);
+void
+ntv2hash(uchar hash[MShashlen], char *passwd, char *user, char *dom)
+{
+	uchar v1hash[MShashlen];
+	DigestState *ds;
+	uchar b[2];
+	Rune r;
 
-	md4(buf, i, hash, 0);
+	nthash(v1hash, passwd);
+
+	/*
+	 * Some documentation insists that the username must be forced to
+	 * uppercase, but the domain name should not be. Other shows both
+	 * being forced to uppercase. I am pretty sure this is irrevevant as the
+	 * domain name passed from the remote server always seems to be in
+	 * uppercase already.
+	 */
+        ds = hmac_md5(nil, 0, v1hash, sizeof(v1hash), nil, nil);
+	while(*user){
+		user += chartorune(&r, user);
+		r = toupperrune(r);
+		b[0] = r & 0xff;
+		b[1] = r >> 8;
+        	hmac_md5(b, 2, v1hash, sizeof(v1hash), nil, ds);
+	}
+	while(*dom){
+		dom += chartorune(&r, dom);
+		b[0] = r & 0xff;
+		b[1] = r >> 8;
+        	hmac_md5(b, 2, v1hash, sizeof(v1hash), nil, ds);
+	}
+        hmac_md5(nil, 0, v1hash, sizeof(v1hash), hash, ds);
 }
 
 void
@@ -745,12 +875,12 @@ lmhash(uchar hash[MShashlen], char *passwd)
 	char *stdtext = "KGS!@#$%";
 	int i;
 
+	memset(buf, 0, sizeof(buf));
 	strncpy((char*)buf, passwd, sizeof(buf));
 	for(i=0; i<sizeof(buf); i++)
 		if(buf[i] >= 'a' && buf[i] <= 'z')
 			buf[i] += 'A' - 'a';
 
-	memset(hash, 0, 16);
 	memcpy(hash, stdtext, 8);
 	memcpy(hash+8, stdtext, 8);
 

sys/src/cmd/auth/factotum/chap.c

@@ -130,14 +130,14 @@ chapwrite(Fsstate *fss, void *va, uint n)
 {
 	int ret, nreply;
 	char *a, *v;
-	void *reply;
 	Key *k;
 	Keyinfo ki;
 	State *s;
-	Chapreply cr;
-	MSchapreply mcr;
-	OChapreply ocr;
-	OMSchapreply omcr;
+	Chapreply *cr;
+	MSchapreply *mcr;
+	OChapreply *ocr;
+	OMSchapreply *omcr;
+	uchar reply[4*1024];
 
 	s = fss->ps;
 	a = va;
@@ -150,17 +150,28 @@ chapwrite(Fsstate *fss, void *va, uint n)
 		if(ret != RpcOk)
 			return ret;
 		v = _strfindattr(k->privattr, "!password");
-		if(v == nil)
+		if(v == nil){
+			closekey(k);
 			return failure(fss, "key has no password");
+		}
 		setattrs(fss->attr, k->attr);
 		switch(s->astype){
 		default:
-			abort();
+			closekey(k);
+			return failure(fss, "chap internal botch");
 		case AuthMSchap:
+			if(n < ChapChallen){
+				closekey(k);
+				return failure(fss, "challenge too short");
+			}
 			doLMchap(v, (uchar *)a, (uchar *)s->mcr.LMresp);
 			doNTchap(v, (uchar *)a, (uchar *)s->mcr.NTresp);
 			break;
 		case AuthChap:
+			if(n < ChapChallen+1){
+				closekey(k);
+				return failure(fss, "challenge too short");
+			}
 			dochap(v, *a, a+1, (uchar *)s->cr);
 			break;
 		}
@@ -181,26 +192,28 @@ chapwrite(Fsstate *fss, void *va, uint n)
 		default:
 			return failure(fss, "chap internal botch");
 		case AuthChap:
-			if(n != sizeof(Chapreply))
+			if(n != sizeof(*cr))
 				return failure(fss, "did not get Chapreply");
-			memmove(&cr, va, sizeof cr);
-			ocr.id = cr.id;
-			memmove(ocr.resp, cr.resp, sizeof ocr.resp);
-			memset(omcr.uid, 0, sizeof(omcr.uid));
-			strecpy(ocr.uid, ocr.uid+sizeof ocr.uid, s->user);
-			reply = &ocr;
-			nreply = sizeof ocr;
+			cr = (Chapreply*)va;
+			nreply = sizeof(*ocr);
+			memset(reply, 0, nreply);
+			ocr = (OChapreply*)reply;
+			strecpy(ocr->uid, ocr->uid+sizeof(ocr->uid), s->user);
+			ocr->id = cr->id;
+			memmove(ocr->resp, cr->resp, sizeof(ocr->resp));
 			break;
 		case AuthMSchap:
-			if(n != sizeof(MSchapreply))
+			if(n < sizeof(*mcr))
 				return failure(fss, "did not get MSchapreply");
-			memmove(&mcr, va, sizeof mcr);
-			memmove(omcr.LMresp, mcr.LMresp, sizeof omcr.LMresp);
-			memmove(omcr.NTresp, mcr.NTresp, sizeof omcr.NTresp);
-			memset(omcr.uid, 0, sizeof(omcr.uid));
-			strecpy(omcr.uid, omcr.uid+sizeof omcr.uid, s->user);
-			reply = &omcr;
-			nreply = sizeof omcr;
+			if(n > sizeof(reply)+sizeof(*mcr)-sizeof(*omcr))
+				return failure(fss, "MSchapreply too long");
+			mcr = (MSchapreply*)va;
+			nreply = n+sizeof(*omcr)-sizeof(*mcr);
+			memset(reply, 0, nreply);
+			omcr = (OMSchapreply*)reply;
+			strecpy(omcr->uid, omcr->uid+sizeof(omcr->uid), s->user);
+			memmove(omcr->LMresp, mcr->LMresp, sizeof(omcr->LMresp));
+			memmove(omcr->NTresp, mcr->NTresp, n+sizeof(mcr->NTresp)-sizeof(*mcr));
 			break;
 		}
 		if(doreply(s, reply, nreply) < 0)

sys/src/cmd/ip/cifsd/smb.c

@@ -99,22 +99,25 @@ smbsessionsetupandx(Req *r, uchar *h, uchar *p, uchar *e)
 		logit("ignoring bad session key");
 	while(!remoteuser){
 		if(needauth){
-			MSchapreply mcr;
+			MSchapreply *mcr;
 
 			if(smbcs == nil || strlen(user) == 0)
 				break;
-			memset(&mcr, 0, sizeof(mcr));
-			if((lme - lm) == sizeof(mcr.LMresp))
-				memmove(mcr.LMresp, lm, lme - lm);
-			if((nte - nt) == sizeof(mcr.NTresp))
-				memmove(mcr.NTresp, nt, nte - nt);
 			smbcs->user = user;
-			smbcs->resp = &mcr;
-			smbcs->nresp = sizeof(mcr);
+			smbcs->nresp = (nte - nt)+sizeof(*mcr)-sizeof(mcr->NTresp);
+			if(smbcs->nresp < sizeof(*mcr))
+				smbcs->nresp = sizeof(*mcr);
+			smbcs->resp = mallocz(smbcs->nresp, 1);
+			mcr = (MSchapreply*)smbcs->resp;
+			if((lme - lm) <= sizeof(mcr->LMresp))
+				memmove(mcr->LMresp, lm, lme - lm);
+			if((nte - nt) > 0)
+				memmove(mcr->NTresp, nt, nte - nt);
 			if((ai = auth_response(smbcs)) == nil)
 				logit("auth_response: %r");
 			auth_freechal(smbcs);
 			smbcs = nil;
+			free(mcr);
 			if(ai == nil)
 				break;
 			if(auth_chuid(ai, nil) < 0)