Diffstat (limited to 'usr/src')
-rw-r--r-- | usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c | 15 | ||||
-rw-r--r-- | usr/src/uts/common/fs/smbsrv/smb_negotiate.c | 24 | ||||
-rw-r--r-- | usr/src/uts/common/fs/smbsrv/smb_session.c | 18 | ||||
-rw-r--r-- | usr/src/uts/common/smbsrv/smb_ktypes.h | 4 |
4 files changed, 37 insertions, 24 deletions
diff --git a/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c b/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c
index 74d6aebdff..566837fe2d 100644
--- a/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c
+++ b/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c
@@ -21,7 +21,7 @@
 /*
 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2012 Nexenta Systems, Inc. All rights reserved.
 */
 /*
@@ -348,6 +348,11 @@ netr_server_samlogon(mlsvc_handle_t *netr_handle, netr_info_t *netr_info,
 break;
 case NETR_NETWORK_LOGON:
+ if (user_info->lg_challenge_key.len < 8 ||
+ user_info->lg_challenge_key.val == NULL) {
+ ndr_rpc_release(netr_handle);
+ return (NT_STATUS_INVALID_PARAMETER);
+ }
 netr_setup_identity(heap, user_info, &info2.identity);
 netr_network_samlogon(heap, netr_info, user_info, &info2);
 arg.logon_info.ru.info2 = &info2;
@@ -433,7 +438,13 @@ netr_network_samlogon(ndr_heap_t *heap, netr_info_t *netr_info,
 {
 uint32_t len;
- bcopy(user_info->lg_challenge_key.val, info2->lm_challenge.data, 8);
+ if (user_info->lg_challenge_key.len >= 8 &&
+ user_info->lg_challenge_key.val != 0) {
+ bcopy(user_info->lg_challenge_key.val,
+ info2->lm_challenge.data, 8);
+ } else {
+ bzero(info2->lm_challenge.data, 8);
+ }
 if ((len = user_info->lg_nt_password.len) != 0) {
 ndr_heap_mkvcb(heap, user_info->lg_nt_password.val, len,
diff --git a/usr/src/uts/common/fs/smbsrv/smb_negotiate.c b/usr/src/uts/common/fs/smbsrv/smb_negotiate.c
index a907943aa4..fc6d006582 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_negotiate.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_negotiate.c
@@ -20,6 +20,7 @@
 */
 /*
 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2012 Nexenta Systems, Inc. All rights reserved.
 */
 /*
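Review bot: The NETR_NETWORK_LOGON guard in netr_server_samlogon tests `lg_challenge_key.len < 8`, so a key longer than eight bytes still passes and only its first eight bytes are copied later in netr_network_samlogon; if the challenge is always exactly eight bytes, `!= 8` would state the contract more tightly (whether longer keys are legitimate cannot be told from this hunk). The literal 8 appears here and three more times on the new side of the netr_network_samlogon hunk, while the same commit gives the kernel side SMB_CHALLENGE_SZ; a named constant in this file would keep the check and the copy in step. A one-line comment such as `/* NTLM challenge is 8 bytes; refuse the logon rather than send a short or missing one */` would record why the request is rejected. The enclosing switch and the function's other exit paths are outside the hunk.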
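Review bot: The new else branch in netr_network_samlogon fills lm_challenge with zeros and carries on, so a caller that reaches it with a short or NULL key would build a logon request around an all-zero challenge instead of failing. With the guard added in netr_server_samlogon this branch looks unreachable from that path, which is worth stating in a comment, e.g. `/* defensive only: netr_server_samlogon() rejects a short or missing challenge */`. The pointer test here is `val != 0` where the earlier hunk uses `== NULL`; `user_info->lg_challenge_key.val != NULL) {` would match. The function's full signature and the rest of its body are outside the hunk.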
@@ -188,7 +189,6 @@
 #include <sys/strsubr.h>
 #include <sys/socketvar.h>
 #include <sys/socket.h>
-#include <sys/random.h>
 #include <netinet/in.h>
 #include <smbsrv/smb_kproto.h>
 #include <smbsrv/smbinfo.h>
@@ -229,7 +229,6 @@ static smb_xlate_t smb_dialect[] = {
 static uint32_t smb_dos_tcp_rcvbuf = 8700;
 static uint32_t smb_nt_tcp_rcvbuf = 1048560; /* scale factor of 4 */
-static void smb_negotiate_genkey(smb_request_t *);
 static int smb_xlate_dialect(const char *);
 int smb_cap_passthru = 1;
@@ -303,13 +302,13 @@ smb_com_negotiate(smb_request_t *sr)
 sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE |
 NEGOTIATE_SECURITY_USER_LEVEL;
 secmode = sr->session->secmode;
-
- smb_negotiate_genkey(sr);
 sesskey = sr->session->sesskey;
 (void) microtime(&negprot->ni_servertime);
 negprot->ni_tzcorrection = sr->sr_gmtoff / 60;
 negprot->ni_maxmpxcount = sr->sr_cfg->skc_maxworkers;
+ negprot->ni_keylen = SMB_CHALLENGE_SZ;
+ bcopy(&sr->session->challenge_key, negprot->ni_key, SMB_CHALLENGE_SZ);
 nbdomain = sr->sr_cfg->skc_nbdomain;
 /*
@@ -484,23 +483,6 @@ smb_com_negotiate(smb_request_t *sr)
 return (SDRC_SUCCESS);
 }
-static void
-smb_negotiate_genkey(smb_request_t *sr)
-{
- smb_arg_negotiate_t *negprot = sr->sr_negprot;
- uint8_t tmp_key[8];
-
- (void) random_get_pseudo_bytes(tmp_key, 8);
- bcopy(tmp_key, &sr->session->challenge_key, 8);
- sr->session->challenge_len = 8;
- negprot->ni_keylen = 8;
- bcopy(tmp_key, negprot->ni_key, 8);
-
- (void) random_get_pseudo_bytes(tmp_key, 4);
- sr->session->sesskey = tmp_key[0] | tmp_key[1] << 8 |
- tmp_key[2] << 16 | tmp_key[3] << 24;
-}
-
 static int
 smb_xlate_dialect(const char *dialect)
 {
diff --git a/usr/src/uts/common/fs/smbsrv/smb_session.c b/usr/src/uts/common/fs/smbsrv/smb_session.c
index f2a337158f..be34af23b9 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_session.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_session.c
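Review bot: The negotiate reply in smb_com_negotiate now copies sr->session->challenge_key, which this commit generates once in smb_session_create(), so every negotiate reply on a session carries the same challenge, where the removed smb_negotiate_genkey() drew a fresh one per request. If a second SMB_COM_NEGOTIATE can be processed on the same session (not visible in this hunk), that is challenge reuse and deserves either a guard or a comment such as `/* challenge is fixed for the life of the session; see smb_session_genkey() */`. The copy length is SMB_CHALLENGE_SZ but the size of negprot->ni_key is declared elsewhere, so a compile-time check that ni_key holds at least SMB_CHALLENGE_SZ bytes would keep the two from drifting apart. smb_com_negotiate continues on both sides of the hunk.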
@@ -28,6 +28,7 @@
 #include <sys/types.h>
 #include <sys/socketvar.h>
 #include <sys/sdt.h>
+#include <sys/random.h>
 #include <smbsrv/netbios.h>
 #include <smbsrv/smb_kproto.h>
 #include <smbsrv/string.h>
@@ -45,6 +46,7 @@ static smb_user_t *smb_session_lookup_user(smb_session_t *, char *, char *);
 static void smb_session_logoff(smb_session_t *);
 static void smb_request_init_command_mbuf(smb_request_t *sr);
 void dump_smb_inaddr(smb_inaddr_t *ipaddr);
+static void smb_session_genkey(smb_session_t *);
 void
 smb_session_timers(smb_llist_t *ll)
@@ -643,6 +645,8 @@ smb_session_create(ksocket_t new_so, uint16_t port, smb_server_t *sv,
 session->keep_alive = smb_keep_alive;
 session->activity_timestamp = now;
+ smb_session_genkey(session);
+
 smb_slist_constructor(&session->s_req_list, sizeof (smb_request_t),
 offsetof(smb_request_t, sr_session_lnd));
@@ -1214,3 +1218,17 @@ smb_session_oplock_break(smb_session_t *session,
 }
 smb_rwx_rwexit(&session->s_lock);
 }
+
+static void
+smb_session_genkey(smb_session_t *session)
+{
+ uint8_t tmp_key[SMB_CHALLENGE_SZ];
+
+ (void) random_get_pseudo_bytes(tmp_key, SMB_CHALLENGE_SZ);
+ bcopy(tmp_key, &session->challenge_key, SMB_CHALLENGE_SZ);
+ session->challenge_len = SMB_CHALLENGE_SZ;
+
+ (void) random_get_pseudo_bytes(tmp_key, 4);
+ session->sesskey = tmp_key[0] | tmp_key[1] << 8 |
+ tmp_key[2] << 16 | tmp_key[3] << 24;
+}
diff --git a/usr/src/uts/common/smbsrv/smb_ktypes.h b/usr/src/uts/common/smbsrv/smb_ktypes.h
index 53bceab332..c6b67055f8 100644
--- a/usr/src/uts/common/smbsrv/smb_ktypes.h
+++ b/usr/src/uts/common/smbsrv/smb_ktypes.h
@@ -882,6 +882,8 @@ struct smb_sign {
 #define SMB_SESSION_VALID(p) \
 ASSERT(((p) != NULL) && ((p)->s_magic == SMB_SESSION_MAGIC))
+#define SMB_CHALLENGE_SZ 8
+
 typedef enum {
 SMB_SESSION_STATE_INITIALIZED = 0,
 SMB_SESSION_STATE_DISCONNECTED,
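Review bot: smb_session_genkey() discards the result of both random_get_pseudo_bytes() calls and tmp_key has no initialiser, so if a call fails the bytes copied into challenge_key and sesskey are whatever was on the kernel stack, and smb_com_negotiate then copies that challenge into the negotiate reply. Initialising the buffer, `uint8_t tmp_key[SMB_CHALLENGE_SZ] = { 0 };`, removes the stack disclosure, and the failure should at least be noticed rather than cast away. In the sesskey line `tmp_key[3] << 24` shifts a value promoted to int into the sign bit; `(uint32_t)tmp_key[3] << 24` avoids that. Both points are carried over from the removed smb_negotiate_genkey(), and a short header comment saying that the function sets challenge_key, challenge_len and sesskey for a new session would help the next reader.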
@@ -939,7 +941,7 @@ typedef struct smb_session {
 uint16_t secmode;
 uint32_t sesskey;
 uint32_t challenge_len;
- unsigned char challenge_key[8];
+ unsigned char challenge_key[SMB_CHALLENGE_SZ];
 unsigned char MAC_key[44];
 int64_t activity_timestamp;
 /* |