cryptkrn.h

提供了很多种加密算法和CA认证及相关服务如CMP、OCSP等的开发

/****************************************************************************
*																			*
*					  cryptlib Kernel Interface Header File 				*
*						Copyright Peter Gutmann 1992-2002					*
*																			*
****************************************************************************/

#ifndef _CRYPTKRN_DEFINED

#define _CRYPTKRN_DEFINED

/* Macros to handle code correctness checking.  By default these are mapped 
   directly to C assertions, but they can be remapped for use by an external 
   verifier if USE_EXTERNAL_CHECKER is defined (typically this means turning 
   them into nops for ADL) */

#ifndef USE_EXTERNAL_CHECKER

/* Preconditions, invariants, postconditions */

#define PRE( x )			assert( x )
#define INV( x )			assert( x )
#define POST( x )			assert( x )

/* Value of a variable at the start of block scope, used for postcondition
   predicates.  The pointer is declared as char * rather than the more
   general void * in order to allow range comparisons.  Note that these
   declarations must be the last in any set of variable declarations since
   the release build expands them to nothing, leaving only the terminating
   semicolon on the line which must follow all other declarations */

#define ORIGINAL_VALUE( x )		orig_##x
#define ORIGINAL_INT( x )		const int orig_##x = ( int ) x
#define ORIGINAL_PTR( x )		const char *orig_##x = ( const char * ) x

/* Sometimes we can't use the preprocessor tricks above because the value
   being saved isn't a primitive type, in which case we have to use the
   somewhat less transaparent macros below */

#define ORIGINAL_INT_VAR( x, y ) const int x = ( y )
#define ORIGINAL_VALUE_VAR( x )	x

/* Sometimes we need to declare temporary intermediate variables to avoid 
   having to cram a dozen lines of expression into a single assertion, the
   following define allows this */

#define TEMP_VAR( x )		int x

/* Universal qualifiers: for_all, there_exists */

#define FORALL( iter, start, end, condition ) \
		{ \
		int iter; \
		\
		for( iter = ( start ); iter < ( end ); iter++ ) \
			assert( condition ); \
		}

/* If we're compiling a non-debug version, the above checks aren't used, it's
   easier to undefine them again here than to make each one conditional */

#ifdef NDEBUG
  #undef ORIGINAL_INT
  #define ORIGINAL_INT( a )
  #undef ORIGINAL_PTR
  #define ORIGINAL_PTR( a )
  #undef ORIGINAL_INT_VAR
  #define ORIGINAL_INT_VAR( a, b )
  #undef TEMP_VAR
  #define TEMP_VAR( a )
  #undef FORALL
  #define FORALL( a, b, c, d )
#endif /* NDEBUG */

#endif /* USE_EXTERNAL_CHECKER */

/****************************************************************************
*																			*
*							Object Message Types							*
*																			*
****************************************************************************/

/* The object types */

typedef enum {
	OBJECT_TYPE_NONE,				/* No object type */
	OBJECT_TYPE_CONTEXT,			/* Context */
	OBJECT_TYPE_KEYSET,				/* Keyset */
	OBJECT_TYPE_ENVELOPE,			/* Envelope */
	OBJECT_TYPE_CERTIFICATE,		/* Certificate */
	OBJECT_TYPE_DEVICE,				/* Crypto device */
	OBJECT_TYPE_SESSION,			/* Secure session */
	OBJECT_TYPE_USER,				/* User object */
	OBJECT_TYPE_LAST				/* Last object type */
	} OBJECT_TYPE;

/* Object subtypes.  The subtype names aren't needed by the kernel (it just 
   treats the values as an anonymous bitfield during an ACL check) but they 
   are used in the ACL definitions and by the code which calls 
   krnlCreateObject(), so they need to be defined here.

   Because there are so many object subtypes we have to split them across 
   two 32-bit bitfields in order to permit a simple bitwise and check, if we 
   ordered them by the more obvious major and minor type (that is, object 
   type and subtype) this wouldn't be necessary but it would increase the 
   size of the compiled ACL table (from 2 * 32 bits to NO_OBJECT_TYPES * 
   32 bits) and would make automated consistency checking difficult since 
   it's no longer possible to spot a case where a subtype bit for object A 
   has been set for object B.  
   
   To resolve this, we divide the subtype bit field into two smaller bit
   fields (classes) with the high two bits designating which class the 
   subtype is in (actually we use the bits one below the high bit since 
   this may be interpreted as a sign bit by some preprocessors even if it's
   declared as a xxxxUL, so in the following discussion we're talking about
   logical rather than physical high bits).  Class A is always 01xxx..., 
   class B is always 10xxx...  If we get an entry which has 11xxx... we know 
   that that ACL entry is inconsistent.  This isn't pretty, but it's the 
   least ugly way to do it which still allows the ACL table to be built 
   using the preprocessor.
   
   Note that the device and keyset values must be in the same class, since
   they're interchangeable for many message types and this simplifies some
   of the MKACL() macros which only need to initialise one class type */

#define SUBTYPE_CLASS_MASK			0x60000000L
#define SUBTYPE_CLASS_A				0x20000000L
#define SUBTYPE_CLASS_B				0x40000000L

#define SUBTYPE_CTX_CONV			0x20000001L
#define SUBTYPE_CTX_PKC				0x20000002L
#define SUBTYPE_CTX_HASH			0x20000004L
#define SUBTYPE_CTX_MAC				0x20000008L

#define SUBTYPE_CERT_CERT			0x20000010L
#define SUBTYPE_CERT_CERTREQ		0x20000020L
#define SUBTYPE_CERT_REQ_CERT		0x20000040L
#define SUBTYPE_CERT_REQ_REV		0x20000080L
#define SUBTYPE_CERT_CERTCHAIN		0x20000100L
#define SUBTYPE_CERT_ATTRCERT		0x20000200L
#define SUBTYPE_CERT_CRL			0x20000400L
#define SUBTYPE_CERT_CMSATTR		0x20000800L
#define SUBTYPE_CERT_OCSP_REQ		0x20001000L
#define SUBTYPE_CERT_OCSP_RESP		0x20002000L
#define SUBTYPE_CERT_PKIUSER		0x20004000L

#define SUBTYPE_KEYSET_FILE			0x20008000L
#define SUBTYPE_KEYSET_DBMS			0x20010000L
#define SUBTYPE_KEYSET_DBMS_STORE	0x20020000L
#define SUBTYPE_KEYSET_HTTP			0x20040000L
#define SUBTYPE_KEYSET_LDAP			0x20080000L

#define SUBTYPE_DEV_SYSTEM			0x20100000L
#define SUBTYPE_DEV_FORTEZZA		0x20200000L
#define SUBTYPE_DEV_PKCS11			0x20400000L

#define SUBTYPE_ENV_ENV				0x40000001L
#define SUBTYPE_ENV_ENV_PGP			0x40000002L
#define SUBTYPE_ENV_DEENV			0x40000004L

#define SUBTYPE_SESSION_SSH			0x40000400L
#define SUBTYPE_SESSION_SSH_SVR		0x40000800L
#define SUBTYPE_SESSION_SSL			0x40001000L
#define SUBTYPE_SESSION_SSL_SVR		0x40002000L
#define SUBTYPE_SESSION_OCSP		0x40004000L
#define SUBTYPE_SESSION_OCSP_SVR	0x40008000L
#define SUBTYPE_SESSION_TSP			0x40010000L
#define SUBTYPE_SESSION_TSP_SVR		0x40020000L
#define SUBTYPE_SESSION_CMP			0x40040000L
#define SUBTYPE_SESSION_CMP_SVR		0x40080000L

#define SUBTYPE_USER_SO				0x40100000L
#define SUBTYPE_USER_NORMAL			0x40200000L
#define SUBTYPE_USER_CA				0x40400000L

/* Message flags.  Normally messages can only be sent to external objects, 
   however we can also explicitly send them to internal objects which means 
   the external access ACL isn't checked.  This can only be done from inside 
   cryptlib, for example when an object sends a message to a subordinate 
   object */

#define RESOURCE_MESSAGE_INTERNAL	0x100
#define MKINTERNAL( message )		( message | RESOURCE_MESSAGE_INTERNAL )

/* A mask to extract the basic message type */

#define RESOURCE_MESSAGE_MASK		0xFF

/* The message types which can be sent to an object via krnlSendMessage().  
   By default messages can only be sent to externally visible objects, there 
   are also internal versions which can be sent to all objects.  
   
   The declaration has to be here because it's needed for the object table 
   declaration.

   The object messages have the following arguments:

	Type								DataPtr			Value
	---------------------------			-------			-----
	MESSAGE_DESTROY						NULL			0
	MESSAGE_INC/DECREFCOUNT				NULL			0
	MESSAGE_GETDEPENDENT				&objectHandle	objectType
	MESSAGE_SETDEPENDENT				&objectHandle	incRefCount
	MESSAGE_GET/SETATTRIBUTE			&value			attributeType
	MESSAGE_DELETEATTRIBUTE				NULL			attributeType
	MESSAGE_COMPARE						&value			compareType
	MESSAGE_CLONE						&clonedHandle	0
	MESSAGE_CHECK						NULL			requestedUse
	MESSAGE_LOCK/UNLOCK					NULL			0

	MESSAGE_CHANGENOTIFY				&value			attributeType
										Data from message which triggered the
										changeNotify

	MESSAGE_CTX_ENC/DEC/SIG/SIGCHK/HASH	&value			valueLength
	MESSAGE_CTX_GENKEY					NULL			isAsync
	MESSAGE_CTX_GENIV					NULL			0

	MESSAGE_CRT_SIGN,					NULL			sigKey
	MESSAGE_CRT_SIGCHECK,				NULL			verifyObject

	MESSAGE_DEV_QUERYCAPABILITY			&queryInfo		algorithm
	MESSAGE_DEV_EXP/IMP/SIG/SIGCHK/DER	&mechanismInfo	mechanismType
	MESSAGE_DEV_CREATEOBJECT			&createInfo		objectType
	MESSAGE_DEV_CREATEOBJECT_INDIRECT	&createInfo		objectType

	MESSAGE_ENV_PUSH/POPDATA			&value			0

	MESSAGE_KEY_GET/DELETEKEY			&keymgmtInfo	itemType
	MESSAGE_KEY_SETKEY					&keymgmtInfo	itemType
	MESSAGE_KEY_GETFIRST/NEXTCERT		&keymgmtInfo	itemType
	MESSAGE_KEY_CERTMGMT				&certMgmtInfo	action */

typedef enum {
	RESOURCE_MESSAGE_NONE,				/* No message */

	/* Control messages to externally visible objects.  These messages are
	   handled directly by the kernel and don't affect the object itself.  If 
	   the object status is anything other than CRYPT_OK then any attempt to
	   send a non-control message to it will return the object status as an 
	   error code.  This is because it's possible to perform control 
	   functions which are handled by the kernel on an object in an abnormal
	   state (eg busy, signalled, notinited), but it's not possible to use it
	   in a normal manner */
	RESOURCE_MESSAGE_DESTROY,			/* Destroy the object */
	RESOURCE_MESSAGE_INCREFCOUNT,		/* Increment object ref.count */
	RESOURCE_MESSAGE_DECREFCOUNT,		/* Decrement object ref.count */
	RESOURCE_MESSAGE_GETDEPENDENT,		/* Get dependent object */
	RESOURCE_MESSAGE_SETDEPENDENT,		/* Set dependent object (eg ctx->dev) */

	/* General messages to externally visible objects.  The reason for the
	   numeric vs non-numeric attribute messages is that the data types 
	   these work with are explicitly specified by the user based on which
	   function they call to get/set them rather than being implicitly 
	   specified by the attribute ID.  Because of the explicit typing, the 
	   handlers have to be able to check to make sure the actual type matches
	   what the user specified, so we need one message type for numeric
	   attributes and one for string attributes.
	   
	   The check message is used for informational purposes only so that 
	   problems (eg attempt to use a public key where a private key is 
	   required) can be reported to the user immediately as a function 
	   parameter error rather than appearing much later as an object use