PSARC/2007/218 caller_context_t in all VOPs

PSARC/2007/227 VFS Feature Registration and ACL on Create
PSARC/2007/244 ZFS Case-insensitive support
PSARC/2007/315 Extensible Attribute Interfaces
PSARC/2007/394 ls(1) new command line options '-/' and '-%': CIFS system attributes support
PSARC/2007/403 Modified Access Checks for CIFS
PSARC/2007/410 Add system attribute support to chmod(1)
PSARC/2007/432 CIFS system attributes support for cp(1), pack(1), unpack(1), compress(1) and uncompress(1)
PSARC/2007/444 Rescind SETTABLE Attribute
PSARC/2007/459 CIFS system attributes support for cpio(1), pax(1), tar(1)
PSARC/2007/546 Update utilities to match CIFS system attributes changes.
PSARC/2007/560 ZFS sharesmb property
4890717 want append-only files
6417428 Case-insensitive file system name lookup to support CIFS
6417435 DOS attributes and additional timestamps to support for CIFS
6417442 File system quarantined and modified attributes to support an integrated Anti-Virus service
6417453 FS boolean property for rejecting/allowing invalid UTF-8 sequences in file names
6473733 RFE: Need support for open-deny modes
6473755 RFE:  Need ability to reconcile oplock and delegation conflicts
6494624 sharemgr needs to support CIFS shares better
6546705 All vnode operations need to pass caller_context_t
6546706 Need VOP_SETATTR/VOP_GETATTR to support new, optional attributes
6546893 Solaris system attribute support
6550962 ZFS ACL inheritance needs to be enhanced to support Automatic Inheritance
6553589 RFE: VFS Feature Registration facility
6553770 RFE: ZFS support for ACL-on-CREATE (PSARC 2007/227)
6565581 ls(1) should support file system attributes proposed in PSARC/2007/315
6566784 NTFS streams are not copied along with the files.
6576205 cp(1), pack(1) and compress(1) should support file system attributes proposed in PSARC/2007/315
6578875 RFE: kernel interfaces for nbmand need improvement
6578883 RFE: VOP_SHRLOCK needs additional access types
6578885 chmod(1) should support file system attributes proposed in PSARC/2007/315
6578886 RFE: disallow nbmand state to change on remount
6583349 ACL parser needs to support audit/alarm ACE types
6590347 tar(1) should support filesystem attributes proposed in PSARC/2007/315
6597357 *tar* xv@ doesn't show the hidden directory even though it is restored
6597360 *tar* should re-init xattr info if openat() fails during extraction of and extended attribute
6597368 *tar* cannot restore hard linked extended attributes
6597374 *tar* doesn't display "x " when hard linked attributes are restored
6597375 *tar* extended attribute header off by one
6614861 *cpio* incorrectly archives extended system attributes with -@
6614896 *pax* incorrectly archives extended system attributes with -@
6615225 *tar* incorrectly archives extended system attributes with -@
6617183 CIFS Service - PSARC 2006/715

1 files changed, 207 insertions, 0 deletions

diff --git a/usr/src/lib/smbsrv/libsmb/common/smb_mac.c b/usr/src/lib/smbsrv/libsmb/common/smb_mac.c
new file mode 100644
index 0000000000..57fb74530c
--- /dev/null
+++ b/usr/src/lib/smbsrv/libsmb/common/smb_mac.c
@@ -0,0 +1,207 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+/*
+ * SMB MAC Signing support.
+ */
+
+#include <strings.h>
+#include <security/cryptoki.h>
+#include <security/pkcs11.h>
+
+#include <smbsrv/libsmb.h>
+
+#include <smbsrv/smb.h>
+
+/*
+ * smb_mac_init
+ *
+ * Calculates the MAC key using the specified user session
+ * key (NTLM or NTLMv2).
+ *
+ * Returns SMBAUTH_SUCCESS if key generation was successful,
+ * SMBAUTH_FAILURE if not.
+ */
+int
+smb_mac_init(smb_sign_ctx_t *sign_ctx, smb_auth_info_t *auth)
+{
+	unsigned char S16[SMBAUTH_SESSION_KEY_SZ];
+
+	if (smb_auth_gen_session_key(auth, S16) != SMBAUTH_SUCCESS)
+		return (SMBAUTH_FAILURE);
+	bcopy(S16, sign_ctx->ssc_mackey, SMBAUTH_SESSION_KEY_SZ);
+	bcopy(auth->cs, &(sign_ctx->ssc_mackey[SMBAUTH_SESSION_KEY_SZ]),
+	    auth->cs_len);
+	sign_ctx->ssc_keylen = SMBAUTH_SESSION_KEY_SZ + auth->cs_len;
+	return (SMBAUTH_SUCCESS);
+}
+
+/*
+ * smb_mac_calc
+ *
+ * Calculates MAC signature for the given buffer and returns
+ * it in the mac_sign parameter.
+ *
+ * The MAC signature is calculated as follows:
+ *
+ * data = concat(MAC_Key, MAC_Key_Len, SMB_Msg, SMB_Msg_Len);
+ * hash = MD5(data);
+ * MAC  = head(hash, 8);
+ *
+ * The tricky part is that a sequence number should be used
+ * in calculation instead of the signature field in the
+ * SMB header.
+ *
+ * Returns SMBAUTH_SUCCESS if cryptology framework use was successful,
+ * SMBAUTH_FAILURE if not.
+ */
+int
+smb_mac_calc(smb_sign_ctx_t *sign_ctx, const unsigned char *buf,
+    size_t buf_len, unsigned char *mac_sign)
+{
+	CK_RV rv;
+	CK_MECHANISM mechanism;
+	CK_SESSION_HANDLE hSession;
+	unsigned long diglen = MD_DIGEST_LEN;
+	int rc = SMBAUTH_FAILURE;
+
+	int offset_end_of_sig = (SMB_SIG_OFFS + SMB_SIG_SIZE);
+	unsigned char seq_buf[SMB_SIG_SIZE];
+	unsigned char mac[16];
+
+	/*
+	 * put seq_num into the first 4 bytes and
+	 * zero out the next 4 bytes
+	 */
+	bcopy(&sign_ctx->ssc_seqnum, seq_buf, 4);
+	bzero(seq_buf + 4, 4);
+
+	mechanism.mechanism = CKM_MD5;
+	mechanism.pParameter = 0;
+	mechanism.ulParameterLen = 0;
+
+	rv = SUNW_C_GetMechSession(mechanism.mechanism, &hSession);
+	if (rv != CKR_OK)
+		return (SMBAUTH_FAILURE);
+
+	/* Initialize the digest operation in the session */
+	rv = C_DigestInit(hSession, &mechanism);
+	if (rv != CKR_OK)
+		goto smbmacdone;
+
+	/* init with the MAC key */
+	rv = C_DigestUpdate(hSession, sign_ctx->ssc_mackey,
+	    sign_ctx->ssc_keylen);
+	if (rv != CKR_OK)
+		goto smbmacdone;
+
+	/* copy in SMB packet info till signature field */
+	rv = C_DigestUpdate(hSession, (CK_BYTE_PTR)buf, SMB_SIG_OFFS);
+	if (rv != CKR_OK)
+		goto smbmacdone;
+
+	/* copy in the seq_buf instead of the signature */
+	rv = C_DigestUpdate(hSession, seq_buf, sizeof (seq_buf));
+	if (rv != CKR_OK)
+		goto smbmacdone;
+
+	/* copy in the rest of the packet, skipping the signature */
+	rv = C_DigestUpdate(hSession, (CK_BYTE_PTR)buf + offset_end_of_sig,
+	    buf_len - offset_end_of_sig);
+	if (rv != CKR_OK)
+		goto smbmacdone;
+
+	rv = C_DigestFinal(hSession, mac, &diglen);
+	if (rv != CKR_OK)
+		goto smbmacdone;
+
+	bcopy(mac, mac_sign, SMB_SIG_SIZE);
+	rc = SMBAUTH_SUCCESS;
+
+smbmacdone:
+	(void) C_CloseSession(hSession);
+	return (rc);
+}
+
+/*
+ * smb_mac_chk
+ *
+ * Calculates MAC signature for the given buffer
+ * and compares it to the signature in the given context.
+ * Return 1 if the signature are match, otherwise, return (0);
+ */
+int
+smb_mac_chk(smb_sign_ctx_t *sign_ctx,
+			const unsigned char *buf, size_t buf_len)
+{
+	unsigned char mac_sign[SMB_SIG_SIZE];
+
+	/* calculate mac signature */
+	if (smb_mac_calc(sign_ctx, buf, buf_len, mac_sign) != SMBAUTH_SUCCESS)
+		return (0);
+
+	/* compare the signatures */
+	if (memcmp(sign_ctx->ssc_sign, mac_sign, SMB_SIG_SIZE) == 0)
+		return (1);
+
+	return (0);
+}
+
+/*
+ * smb_mac_sign
+ *
+ * Calculates MAC signature for the given buffer,
+ * and write it to the buffer's signature field.
+ *
+ * Returns SMBAUTH_SUCCESS if cryptology framework use was successful,
+ * SMBAUTH_FAILURE if not.
+ */
+int
+smb_mac_sign(smb_sign_ctx_t *sign_ctx, unsigned char *buf, size_t buf_len)
+{
+	unsigned char mac_sign[SMB_SIG_SIZE];
+
+	/* calculate mac signature */
+	if (smb_mac_calc(sign_ctx, buf, buf_len, mac_sign) != SMBAUTH_SUCCESS)
+		return (SMBAUTH_FAILURE);
+
+	/* put mac signature in the header's signature field */
+	(void) memcpy(buf + SMB_SIG_OFFS, mac_sign, SMB_SIG_SIZE);
+	return (SMBAUTH_SUCCESS);
+}
+
+void
+smb_mac_inc_seqnum(smb_sign_ctx_t *sign_ctx)
+{
+	sign_ctx->ssc_seqnum++;
+}
+
+void
+smb_mac_dec_seqnum(smb_sign_ctx_t *sign_ctx)
+{
+	sign_ctx->ssc_seqnum--;
+}