{ attribute, ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, access, \
0, routing, range, NULL }
/* Attribute-ACL entry constructors, debug (!NDEBUG) form.  Each macro
   expands to a positional initializer for one ACL entry, so the value order
   below must match the ACL entry struct declared elsewhere.  In this build
   the attribute ID is stored as the first member of the entry, presumably so
   that a debug build can cross-check each table entry against the attribute
   it is looked up by (confirm against the table consumers).

   Common arguments:
     attribute   attribute ID the entry governs
     subTypeA/B  object subtype masks the entry applies to
     access      ACCESS_xxx_xxx permission value
     routing     routing information applied before the subtype check (see
                 the ACL_FLAG_ROUTE_TO_xxx notes further down); its exact
                 form is not visible in this header
     range       value/length range for numeric and string entries; it
                 occupies the positions that the boolean form fills with
                 FALSE, TRUE, so it presumably expands to a low, high pair
                 (confirm against the RANGE helper)
     type        for MKACL_O / MKACL_O_EX, the object type accepted
     subACL      for MKACL_X, a sub-ACL list terminated by MKACL_END_SUBACL()

   The plain forms set the flags member to 0, the _EX forms take an explicit
   flags argument (presumably an ATTRIBUTE_FLAG_xxx value, see below) */
#define MKACL_WCS( attribute, subTypeA, subTypeB, access, routing, range ) \
{ attribute, ATTRIBUTE_VALUE_WCSTRING, subTypeA, subTypeB, access, \
0, routing, range, NULL }
#define MKACL_O( attribute, subTypeA, subTypeB, access, routing, type ) \
{ attribute, ATTRIBUTE_VALUE_OBJECT, subTypeA, subTypeB, access, \
0, routing, 0, 0, type }
#define MKACL_T( attribute, subTypeA, subTypeB, access, routing ) \
{ attribute, ATTRIBUTE_VALUE_TIME, subTypeA, subTypeB, access, \
0, routing, 0, 0, NULL }
#define MKACL_X( attribute, subTypeA, subTypeB, access, routing, subACL ) \
{ attribute, ATTRIBUTE_VALUE_SPECIAL, subTypeA, subTypeB, access, \
0, routing, RANGE_SUBTYPED, subACL }
/* Extended types: identical to the forms above but with an explicit flags
   value instead of 0 */
#define MKACL_B_EX( attribute, subTypeA, subTypeB, access, flags, routing ) \
{ attribute, ATTRIBUTE_VALUE_BOOLEAN, subTypeA, subTypeB, access, \
flags, routing, FALSE, TRUE, NULL }
#define MKACL_N_EX( attribute, subTypeA, subTypeB, access, flags, routing, range ) \
{ attribute, ATTRIBUTE_VALUE_NUMERIC, subTypeA, subTypeB, access, \
flags, routing, range, NULL }
#define MKACL_S_EX( attribute, subTypeA, subTypeB, access, flags, routing, range ) \
{ attribute, ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, access, \
flags, routing, range, NULL }
#define MKACL_O_EX( attribute, subTypeA, subTypeB, access, flags, routing, type ) \
{ attribute, ATTRIBUTE_VALUE_OBJECT, subTypeA, subTypeB, access, \
flags, routing, 0, 0, type }
/* General-purpose ACL macros: the caller supplies the ATTRIBUTE_VALUE_xxx
   type itself; MKACL_EX additionally supplies the trailing "allowed" value
   that the typed forms fix to NULL or the object type */
#define MKACL( attribute, valueType, subTypeA, subTypeB, access, flags, routing, range ) \
{ attribute, valueType, subTypeA, subTypeB, access, flags, \
routing, range, NULL }
#define MKACL_EX( attribute, valueType, subTypeA, subTypeB, access, flags, routing, range, allowed ) \
{ attribute, valueType, subTypeA, subTypeB, access, flags, \
routing, range, allowed }
/* End-of-ACL canary. Note that the comma is necessary in order to allow
the non-debug version to evaluate to nothing: a table must therefore be
written as "..., lastEntry MKACL_END()" with no comma before the macro,
since in the release build the macro vanishes entirely.  The canary uses
0 rather than ST_ANY for the subtype masks, so unlike MKACL_END_SUBACL()
it presumably matches no object type.  Both terminators spell out one
more trailing initializer than the typed constructors above, which
suggests routing or range expands to more than one value (confirm
against the routing/RANGE helpers) */
#define MKACL_END() \
, { CRYPT_ERROR, ATTRIBUTE_VALUE_NONE, 0, 0, ACCESS_xxx_xxx, \
0, 0, NULL, 0, 0, NULL }
/* End-of-ACL marker, used to terminate variable-length sub-ACL lists. The
ST_ANY match ensures it matches any object types.  Unlike MKACL_END() this
is present in both builds and carries no leading comma */
#define MKACL_END_SUBACL() \
{ CRYPT_ERROR, ATTRIBUTE_VALUE_NONE, ST_ANY, ST_ANY, ACCESS_xxx_xxx, \
0, 0, NULL, 0, 0, NULL }
#else
/* Attribute-ACL entry constructors, release (NDEBUG) form.  These take the
   same arguments as the debug forms so that one table source serves both
   builds, but the attribute argument is accepted and discarded: the entry is
   initialised without the leading attribute-ID member, so the entry struct
   layout differs between the two builds.  Each macro is a positional
   initializer whose value order must match the struct declared elsewhere.

   Arguments: attribute (unused here), subTypeA/subTypeB (object subtype
   masks), access (ACCESS_xxx_xxx), routing (pre-check routing information,
   form not visible in this header), range (value/length range, occupying
   the positions the boolean form fills with FALSE, TRUE), type (accepted
   object type for the _O forms), subACL (sub-ACL list for MKACL_X).  The
   plain forms set flags to 0, the _EX forms take it as an argument */
/* Standard ACL entries */
#define MKACL_B( attribute, subTypeA, subTypeB, access, routing ) \
{ ATTRIBUTE_VALUE_BOOLEAN, subTypeA, subTypeB, access, 0, \
routing, FALSE, TRUE, NULL }
#define MKACL_N( attribute, subTypeA, subTypeB, access, routing, range ) \
{ ATTRIBUTE_VALUE_NUMERIC, subTypeA, subTypeB, access, 0, \
routing, range, NULL }
#define MKACL_S( attribute, subTypeA, subTypeB, access, routing, range ) \
{ ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, access, 0, \
routing, range, NULL }
#define MKACL_WCS( attribute, subTypeA, subTypeB, access, routing, range ) \
{ ATTRIBUTE_VALUE_WCSTRING, subTypeA, subTypeB, access, 0, \
routing, range, NULL }
#define MKACL_O( attribute, subTypeA, subTypeB, access, routing, type ) \
{ ATTRIBUTE_VALUE_OBJECT, subTypeA, subTypeB, access, 0, \
routing, 0, 0, type }
#define MKACL_T( attribute, subTypeA, subTypeB, access, routing ) \
{ ATTRIBUTE_VALUE_TIME, subTypeA, subTypeB, access, 0, \
routing, 0, 0, NULL }
#define MKACL_X( attribute, subTypeA, subTypeB, access, routing, subACL ) \
{ ATTRIBUTE_VALUE_SPECIAL, subTypeA, subTypeB, access, 0, \
routing, RANGE_SUBTYPED, subACL }
/* Extended types: as above but with an explicit flags value instead of 0 */
#define MKACL_B_EX( attribute, subTypeA, subTypeB, access, flags, routing ) \
{ ATTRIBUTE_VALUE_BOOLEAN, subTypeA, subTypeB, access, flags, \
routing, FALSE, TRUE, NULL }
#define MKACL_N_EX( attribute, subTypeA, subTypeB, access, flags, routing, range ) \
{ ATTRIBUTE_VALUE_NUMERIC, subTypeA, subTypeB, access, flags, \
routing, range, NULL }
#define MKACL_S_EX( attribute, subTypeA, subTypeB, access, flags, routing, range ) \
{ ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, access, flags, \
routing, range, NULL }
#define MKACL_O_EX( attribute, subTypeA, subTypeB, access, flags, routing, type ) \
{ ATTRIBUTE_VALUE_OBJECT, subTypeA, subTypeB, access, flags, \
routing, 0, 0, type }
/* General-purpose ACL macros: the caller supplies the ATTRIBUTE_VALUE_xxx
   type; MKACL_EX also supplies the trailing "allowed" value */
#define MKACL( attribute, valueType, subTypeA, subTypeB, access, flags, routing, range ) \
{ valueType, subTypeA, subTypeB, access, flags, routing, range, NULL }
#define MKACL_EX( attribute, valueType, subTypeA, subTypeB, access, flags, routing, range, allowed ) \
{ valueType, subTypeA, subTypeB, access, flags, routing, range, allowed }
/* End-of-ACL canary. Note that the comma is necessary in order to allow
the non-debug version to evaluate to nothing: in this build there is no
canary at all, which is why the debug form carries the comma and tables
must not place one before MKACL_END() themselves */
#define MKACL_END()
/* End-of-ACL marker, used to terminate variable-length sub-ACL lists. The
ST_ANY match ensures it matches any object types.  Present in both builds,
minus the leading attribute-ID member in this one */
#define MKACL_END_SUBACL() \
{ ATTRIBUTE_VALUE_NONE, ST_ANY, ST_ANY, ACCESS_xxx_xxx, \
0, 0, NULL, 0, 0, NULL }
#endif /* NDEBUG */
/* Mechanism ACLs.  Each macro expands to a positional initializer for one
   mechanism-parameter ACL entry in the order
     { valueType, lowRange, highRange, flags, subTypeA, subTypeB }
   (member names as used by the checkMechParamXXX macros below), so the
   order must match the entry struct declared elsewhere.

   MKACM_N bounds a numeric value, MKACM_S / MKACM_S_OPT bound a string
   length, with _OPT also accepting an absent string; MKACM_S_NONE accepts
   only an absent string; MKACM_UNUSED accepts only CRYPT_UNUSED.  MKACM_O
   takes the object subtype mask and an ACL_FLAG_xxx state value (a state
   flag is required, since checkObjectState() fails when none is set).
   MKACM_O always stores ST_NONE as subTypeB, while checkMechParamObject()
   also tests subTypeB; whether that branch can ever match depends on the
   value of ST_NONE, which is not visible here -- NOTE(review): confirm it
   cannot match a live object's subtype */
#define MKACM_B() \
{ MECHPARAM_VALUE_BOOLEAN, 0, 0, 0, 0, 0 }
#define MKACM_N( min, max ) \
{ MECHPARAM_VALUE_NUMERIC, min, max, 0, 0, 0 }
#define MKACM_S( minLen, maxLen ) \
{ MECHPARAM_VALUE_STRING, minLen, maxLen, 0, 0, 0 }
#define MKACM_S_OPT( minLen, maxLen ) \
{ MECHPARAM_VALUE_STRING_OPT, minLen, maxLen, 0, 0, 0 }
#define MKACM_S_NONE() \
{ MECHPARAM_VALUE_STRING_NONE, 0, 0, 0, 0, 0 }
#define MKACM_O( subTypeA, flags ) \
{ MECHPARAM_VALUE_OBJECT, 0, 0, flags, subTypeA, ST_NONE }
#define MKACM_UNUSED() \
{ MECHPARAM_VALUE_UNUSED, 0, 0, 0, 0, 0 }
/* End-of-mechanism-ACL marker.  This supplies five initializers where the
   entries above supply six; the remaining member is implicitly
   zero-initialized by C, so the entry is still fully defined, but spelling
   the sixth value out would keep it consistent with the others */
#define MKACM_END() \
{ MECHPARAM_VALUE_NONE, 0, 0, 0, 0 }
/* Key management ACLs. The basic form treats the RWD and FnQ groups as one
value, the _RWD form specifies individual RWD and FnQ values, and the _EX
form adds special-case checking for specific object types that must be
written to some keyset types */
#ifndef NDEBUG
/* Debug (!NDEBUG) form of the key-management ACL constructors.  Each is a
   positional initializer whose order must match the key ACL struct declared
   elsewhere; in this build itemType is stored as the first member.  The
   subtype values are laid out in pairs, each followed by ST_NONE:

     itemType,
     R subtype, ST_NONE,  W subtype, ST_NONE,  D subtype, ST_NONE,
     FN subtype, ST_NONE,  Q subtype, ST_NONE,  object subtype, ST_NONE,
     flags, idUseFlags, pwUseFlags,
     then ST_NONE, ST_NONE (plain/_RWD forms) or
     specificKeysetType, ST_NONE, specificObjectType, ST_NONE (_EX form)

   The second value of every pair is always ST_NONE in these constructors,
   presumably a secondary mask that no key ACL currently needs (confirm
   against the struct).  MK_KEYACL reuses keysetRWDSubType for the R, W and
   D slots and keysetFNQSubType for the FN and Q slots; the _RWD and _EX
   forms take each slot individually.  The non-_EX forms supply two fewer
   trailing values than MK_KEYACL_EX, so their last members are implicitly
   zero-initialized -- whether zero equals ST_NONE is not visible here,
   NOTE(review): confirm */
#define MK_KEYACL( itemType, keysetRWDSubType, keysetFNQSubType, \
objectSubType, flags, idUseFlags, pwUseFlags ) \
{ itemType, keysetRWDSubType, ST_NONE, keysetRWDSubType, ST_NONE, \
keysetRWDSubType, ST_NONE, keysetFNQSubType, ST_NONE, \
keysetFNQSubType, ST_NONE, objectSubType, ST_NONE, \
flags, idUseFlags, pwUseFlags, ST_NONE, ST_NONE }
#define MK_KEYACL_RWD( itemType, keysetR_SubType, keysetW_SubType, keysetD_SubType, \
keysetFN_SubType, keysetQ_SubType, objectSubType, flags, \
idUseFlags, pwUseFlags ) \
{ itemType, keysetR_SubType, ST_NONE, keysetW_SubType, ST_NONE, \
keysetD_SubType, ST_NONE, keysetFN_SubType, ST_NONE, \
keysetQ_SubType, ST_NONE, objectSubType, ST_NONE, \
flags, idUseFlags, pwUseFlags, ST_NONE, ST_NONE }
#define MK_KEYACL_EX( itemType, keysetR_SubType, keysetW_SubType, keysetD_SubType, \
keysetFN_SubType, keysetQ_SubType, objectSubType, flags, \
idUseFlags, pwUseFlags, specificKeysetType, specificObjectType ) \
{ itemType, keysetR_SubType, ST_NONE, keysetW_SubType, ST_NONE, \
keysetD_SubType, ST_NONE, keysetFN_SubType, ST_NONE, \
keysetQ_SubType, ST_NONE, objectSubType, ST_NONE, \
flags, idUseFlags, pwUseFlags, specificKeysetType, ST_NONE, \
specificObjectType, ST_NONE }
#else
/* Release (NDEBUG) form of the key-management ACL constructors.  Same
   arguments as the debug forms so that one table source serves both builds,
   but itemType is accepted and discarded: the entry is initialised without
   the leading item-type member, so the struct layout differs between the
   two builds.  Layout after that, in pairs each followed by ST_NONE:

     R subtype, ST_NONE,  W subtype, ST_NONE,  D subtype, ST_NONE,
     FN subtype, ST_NONE,  Q subtype, ST_NONE,  object subtype, ST_NONE,
     flags, idUseFlags, pwUseFlags,
     then ST_NONE, ST_NONE (plain/_RWD forms) or
     specificKeysetType, ST_NONE, specificObjectType, ST_NONE (_EX form)

   MK_KEYACL reuses keysetRWDSubType for the R, W and D slots and
   keysetFNQSubType for the FN and Q slots.  The non-_EX forms supply two
   fewer trailing values than MK_KEYACL_EX, leaving the last members to C's
   implicit zero-initialization -- NOTE(review): confirm that zero is an
   acceptable value for those members */
#define MK_KEYACL( itemType, keysetRWDSubType, keysetFNQSubType, \
objectSubType, flags, idUseFlags, pwUseFlags ) \
{ keysetRWDSubType, ST_NONE, keysetRWDSubType, ST_NONE, \
keysetRWDSubType, ST_NONE, keysetFNQSubType, ST_NONE, \
keysetFNQSubType, ST_NONE, objectSubType, ST_NONE, \
flags, idUseFlags, pwUseFlags, ST_NONE, ST_NONE }
#define MK_KEYACL_RWD( itemType, keysetR_SubType, keysetW_SubType, keysetD_SubType, \
keysetFN_SubType, keysetQ_SubType, objectSubType, flags, \
idUseFlags, pwUseFlags ) \
{ keysetR_SubType, ST_NONE, keysetW_SubType, ST_NONE, \
keysetD_SubType, ST_NONE, keysetFN_SubType, ST_NONE, \
keysetQ_SubType, ST_NONE, objectSubType, ST_NONE, \
flags, idUseFlags, pwUseFlags, ST_NONE, ST_NONE }
#define MK_KEYACL_EX( itemType, keysetR_SubType, keysetW_SubType, keysetD_SubType, \
keysetFN_SubType, keysetQ_SubType, objectSubType, flags, \
idUseFlags, pwUseFlags, specificKeysetType, specificObjectType ) \
{ keysetR_SubType, ST_NONE, keysetW_SubType, ST_NONE, \
keysetD_SubType, ST_NONE, keysetFN_SubType, ST_NONE, \
keysetQ_SubType, ST_NONE, objectSubType, ST_NONE, \
flags, idUseFlags, pwUseFlags, specificKeysetType, ST_NONE, \
specificObjectType, ST_NONE }
#endif /* NDEBUG */
/****************************************************************************
* *
* Miscellaneous Information *
* *
****************************************************************************/
/* Flags for attribute ACLs (presumably the flags argument of the
   MKACL_xxx_EX constructors above -- confirm at the table definitions):

   ATTRIBUTE_FLAG_PROPERTY
   This is an object property attribute which is handled by the kernel
   rather than being forwarded to the object.

   ATTRIBUTE_FLAG_TRIGGER
   Successfully setting this attribute triggers a change from the low to
   the high state.

   ATTRIBUTE_FLAG_LAST
   Not described in the original comment; NOTE(review): confirm its meaning
   against the code that tests it before relying on it */
#define ATTRIBUTE_FLAG_NONE 0x00
#define ATTRIBUTE_FLAG_PROPERTY 0x01
#define ATTRIBUTE_FLAG_TRIGGER 0x02
#define ATTRIBUTE_FLAG_LAST 0x04
/* Miscellaneous ACL flags:

   ACL_FLAG_LOW_STATE
   ACL_FLAG_HIGH_STATE
   ACL_FLAG_ANY_STATE
   Whether the object should be in a particular state.  ACL_FLAG_ANY_STATE
   is simply LOW_STATE | HIGH_STATE, and ACL_FLAG_STATE_MASK selects those
   same two bits.  checkObjectState() below passes only if the bit for the
   object's current state is set, so an entry with neither bit set
   (ACL_FLAG_NONE) never satisfies the state check and an OBJECT parameter
   ACL must always carry one of these values.

   ACL_FLAG_ROUTE_TO_CTX
   ACL_FLAG_ROUTE_TO_CERT
   Whether routing should be applied to an object to locate an
   underlying object (e.g. a PKC object for a certificate or a
   certificate for a PKC object). The need to apply routing is
   unfortunate but is required in order to apply the subtype check to
   PKC/cert objects, sorting out which (pre-routed) object types are
   permissible is beyond the scope of the ACL validation routines that
   would have to take into consideration the intricacies of all manner
   of certificate objects paired with public and private keys */
#define ACL_FLAG_NONE 0x00
#define ACL_FLAG_LOW_STATE 0x01
#define ACL_FLAG_HIGH_STATE 0x02
#define ACL_FLAG_ANY_STATE 0x03
#define ACL_FLAG_ROUTE_TO_CTX 0x04
#define ACL_FLAG_ROUTE_TO_CERT 0x08
#define ACL_FLAG_STATE_MASK 0x03
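/* Check that an object is in a state acceptable to an ACL entry: true if
   the entry allows the low state and the object is in it, or the entry
   allows the high state and the object is in it.  An entry with neither
   state bit set (ACL_FLAG_NONE) therefore never passes, and
   ACL_FLAG_ANY_STATE passes in either state.

   flags is parenthesised on expansion so that a compound argument such as
   "a | b" binds correctly against the ACL_FLAG_xxx_STATE mask; it is
   evaluated up to twice, so pass a side-effect-free expression.
   isInHighState() is defined elsewhere, not in this header */
#define checkObjectState( flags, objectHandle ) \
( ( ( ( flags ) & ACL_FLAG_LOW_STATE ) && \
!isInHighState( objectHandle ) ) || \
( ( ( flags ) & ACL_FLAG_HIGH_STATE ) && \
isInHighState( objectHandle ) ) )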
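/* Macro to access the mechanism ACL information for a given parameter in a
   list of mechanism parameter ACLs, and to get the subtype of an object.
   Both arguments are parenthesised on expansion so that compound
   expressions bind as intended ("cond ? a : b" as the ACL pointer, or an
   arithmetic expression as the index); each is evaluated exactly once.
   The results remain usable as lvalues.  objectST() indexes the global
   objectTable without any range check, so the caller must have validated
   objectHandle as a live handle beforehand */
#define paramInfo( mechanismACL, paramNo ) ( ( mechanismACL )->paramACL[ ( paramNo ) ] )
#define objectST( objectHandle ) ( objectTable[ ( objectHandle ) ].subType )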
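/* Macros to check each mechanism parameter against an ACL entry.  paramACL
   is an ACL entry (typically obtained via paramInfo()), not a pointer to
   one.  All arguments are parenthesised on expansion so that compound
   expressions bind correctly, and each may be evaluated more than once, so
   pass side-effect-free expressions.  The MECHPARAM_VALUE_xxx constants,
   TRUE/FALSE and CRYPT_UNUSED are defined elsewhere.

   checkMechParamNumeric: a BOOLEAN entry accepts exactly TRUE or FALSE, a
   NUMERIC entry accepts lowRange <= value <= highRange; any other entry
   type rejects the value */
#define checkMechParamNumeric( paramACL, value ) \
( ( ( paramACL ).valueType == MECHPARAM_VALUE_BOOLEAN && \
( ( value ) == TRUE || ( value ) == FALSE ) ) || \
( ( paramACL ).valueType == MECHPARAM_VALUE_NUMERIC && \
( ( value ) >= ( paramACL ).lowRange && ( value ) <= ( paramACL ).highRange ) ) )
/* checkMechParamString: STRING_NONE and STRING_OPT entries accept an absent
   parameter (NULL data with zero length); STRING and STRING_OPT entries
   accept present data whose length lies in lowRange..highRange.  NULL data
   with a nonzero length, or non-NULL data with a length outside the range,
   is rejected by every entry type */
#define checkMechParamString( paramACL, data, dataLen ) \
( ( ( ( paramACL ).valueType == MECHPARAM_VALUE_STRING_NONE || \
( paramACL ).valueType == MECHPARAM_VALUE_STRING_OPT ) && \
( data ) == NULL && ( dataLen ) == 0 ) || \
( ( ( paramACL ).valueType == MECHPARAM_VALUE_STRING || \
( paramACL ).valueType == MECHPARAM_VALUE_STRING_OPT ) && \
( data ) != NULL && ( ( dataLen ) >= ( paramACL ).lowRange && \
( dataLen ) <= ( paramACL ).highRange ) ) )
/* checkMechParamObject: an UNUSED entry accepts only CRYPT_UNUSED; an
   OBJECT entry accepts a handle whose subtype bits are wholly contained in
   subTypeA or in subTypeB and whose state satisfies the entry's
   ACL_FLAG_xxx_STATE flags (see checkObjectState()).  The OBJECT branch
   reads objectTable through objectST() without any range check, so the
   caller must have validated objectHandle as a live handle before using
   this macro -- NOTE(review): confirm at the call sites */
#define checkMechParamObject( paramACL, objectHandle ) \
( ( ( paramACL ).valueType == MECHPARAM_VALUE_UNUSED && \
( objectHandle ) == CRYPT_UNUSED ) || \
( ( paramACL ).valueType == MECHPARAM_VALUE_OBJECT && \
( ( ( paramACL ).subTypeA & objectST( objectHandle ) ) == \
objectST( objectHandle ) || \
( ( paramACL ).subTypeB & objectST( objectHandle ) ) == \
objectST( objectHandle ) ) && \
checkObjectState( ( paramACL ).flags, objectHandle ) ) )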
#endif /* _CRYPTACD_DEFINED */