📄 cryptkrn.h
字号:
void *keyData; /* Raw key */
int keyDataLength;
CRYPT_HANDLE keyContext; /* Context containing raw key */
CRYPT_HANDLE wrapContext; /* Wrap/unwrap context */
CRYPT_HANDLE auxContext; /* Auxiliary context */
} MECHANISM_WRAP_INFO;
/* A structure to hold information needed by the sign/sig check mechanism:
PKCS #1 signature = signature
hashContext = hash to sign
signContext = signing key */
typedef struct {
void *signature; /* Signature */
int signatureLength;
CRYPT_CONTEXT hashContext; /* Hash context */
CRYPT_HANDLE signContext; /* Signing context */
} MECHANISM_SIGN_INFO;
/* A structure to hold information needed by the key derive mechanism:
PKCS #5 dataOut = key data
CMP dataIn = password
PGP hashAlgo = hash algorithm
salt = salt
iterations = iteration count
SSL/TLS dataOut = key data/master secret
dataIn = master secret/premaster secret
hashAlgo = CRYPT_USE_DEFAULT
salt = client || server random/server || client random
iterations = CRYPT_UNUSED */
typedef struct {
void *dataOut; /* Output keying information */
int dataOutLength;
const void *dataIn; /* Input keying information */
int dataInLength;
CRYPT_ALGO_TYPE hashAlgo; /* Hash algorithm */
const void *salt; /* Salt/randomiser */
int saltLength;
int iterations; /* Iterations of derivation function */
} MECHANISM_DERIVE_INFO;
/* Macros to make it easier to work with the mechanism info types. The
shortened name forms in the macro args are necessary to avoid clashes with
the struct members. The long lines are necessary because older Borland
compilers can't handle line breaks at this point in a macro definition */
#define clearMechanismInfo( mechanismInfo ) \
memset( mechanismInfo, 0, sizeof( *mechanismInfo ) )
#define setMechanismWrapInfo( mechanismInfo, wrapped, wrappedLen, key, keyLen, keyCtx, wrapCtx, auxCtx ) \
{ \
( mechanismInfo )->wrappedData = ( wrapped ); \
( mechanismInfo )->wrappedDataLength = ( wrappedLen ); \
( mechanismInfo )->keyData = ( key ); \
( mechanismInfo )->keyDataLength = ( keyLen ); \
( mechanismInfo )->keyContext = ( keyCtx ); \
( mechanismInfo )->wrapContext = ( wrapCtx ); \
( mechanismInfo )->auxContext = ( auxCtx ); \
}
#define setMechanismSignInfo( mechanismInfo, sig, sigLen, hashCtx, signCtx ) \
{ \
( mechanismInfo )->signature = ( sig ); \
( mechanismInfo )->signatureLength = ( sigLen ); \
( mechanismInfo )->hashContext = ( hashCtx ); \
( mechanismInfo )->signContext = ( signCtx ); \
}
#define setMechanismDeriveInfo( mechanismInfo, out, outLen, in, inLen, hAlgo, slt, sltLen, iters ) \
{ \
( mechanismInfo )->dataOut = ( out ); \
( mechanismInfo )->dataOutLength = ( outLen ); \
( mechanismInfo )->dataIn = ( in ); \
( mechanismInfo )->dataInLength = ( inLen ); \
( mechanismInfo )->hashAlgo = ( hAlgo ); \
( mechanismInfo )->salt = ( slt ); \
( mechanismInfo )->saltLength = ( sltLen ); \
( mechanismInfo )->iterations = ( iters ); \
}
/****************************************************************************
* *
* Misc Message Types *
* *
****************************************************************************/
/* Beside the general value+length and mechanism messages, we also have a
number of special-purposes messages that require their own parameter
data structures. These are:
Create object messages, used to create objects via a device, either
directly or indirectly by instantiating the object from encoded data (for
example a certificate object from a certificate). Usually the device is
the system object, but it can also be used to create contexts in hardware
devices. In addition to the creation parameters we also pass in the
owner's user object to be stored with the object data for use when
needed */
typedef struct {
CRYPT_HANDLE cryptHandle; /* Handle to created object */
CRYPT_USER cryptOwner; /* New object's owner */
int arg1, arg2; /* Integer args */
void *strArg1, *strArg2; /* String args */
int strArgLen1, strArgLen2;
} MESSAGE_CREATEOBJECT_INFO;
#define setMessageCreateObjectInfo( createObjectInfo, a1 ) \
{ \
memset( createObjectInfo, 0, sizeof( MESSAGE_CREATEOBJECT_INFO ) ); \
( createObjectInfo )->cryptHandle = CRYPT_ERROR; \
( createObjectInfo )->cryptOwner = CRYPT_ERROR; \
( createObjectInfo )->arg1 = ( a1 ); \
}
#define setMessageCreateObjectIndirectInfo( createObjectInfo, data, dataLen, type ) \
{ \
memset( createObjectInfo, 0, sizeof( MESSAGE_CREATEOBJECT_INFO ) ); \
( createObjectInfo )->cryptHandle = CRYPT_ERROR; \
( createObjectInfo )->cryptOwner = CRYPT_ERROR; \
( createObjectInfo )->strArg1 = ( data ); \
( createObjectInfo )->strArgLen1 = ( dataLen ); \
( createObjectInfo )->arg1 = ( type ); \
}
/* Key management messages, used to set, get and delete keys. The item type,
keyIDtype, keyID, and keyIDlength are mandatory, the aux.info depends on
the type of message (optional password for private key get/set, state
information for get next cert, null otherwise), and the flags are
generally only required where the keyset can hold multiple types of keys
(for example a crypto device acting as a keyset, or a PKCS #15 token).
An itemType of KEYMGMT_ITEM_PUBLICKEY is somewhat more general than its
name implies in that keysets/devices that store private key information
alongside public-key data may delete both types of items if asked to
delete a KEYMGMT_ITEM_PUBLICKEY since the two items are (implicitly)
connected.
In addition to the flags that are used to handle various special-case
read accesses, we can also specify a usage preference (e.g.
confidentiality vs.signature) for cases where we may have multiple keys
with the same keyID that differ only in required usage */
typedef enum {
KEYMGMT_ITEM_NONE, /* No item type */
KEYMGMT_ITEM_PUBLICKEY, /* Access public key */
KEYMGMT_ITEM_PRIVATEKEY, /* Access private key */
KEYMGMT_ITEM_SECRETKEY, /* Access secret key */
KEYMGMT_ITEM_REQUEST, /* Access cert request */
KEYMGMT_ITEM_PKIUSER, /* Access PKI user info */
KEYMGMT_ITEM_REVOCATIONINFO,/* Access revocation info/CRL */
KEYMGMT_ITEM_DATA, /* Other data (for PKCS #15 tokens) */
KEYMGMT_ITEM_LAST /* Last item type */
} KEYMGMT_ITEM_TYPE;
#define KEYMGMT_FLAG_NONE 0x0000 /* No flag */
#define KEYMGMT_FLAG_CHECK_ONLY 0x0001 /* Perform existence check only */
#define KEYMGMT_FLAG_LABEL_ONLY 0x0002 /* Get key label only */
#define KEYMGMT_FLAG_UPDATE 0x0004 /* Update existing (allow dups) */
#define KEYMGMT_FLAG_DATAONLY_CERT 0x0008 /* Create data-only certs */
#define KEYMGMT_FLAG_USAGE_CRYPT 0x0010 /* Prefer encryption key */
#define KEYMGMT_FLAG_USAGE_SIGN 0x0020 /* Prefer signature key */
#define KEYMGMT_FLAG_GETISSUER 0x0040 /* Get issuing PKI user for cert */
#define KEYMGMT_FLAG_LAST 0x0080 /* Last valid flag */
#define KEYMGMT_MASK_USAGEOPTIONS ( KEYMGMT_FLAG_USAGE_CRYPT | \
KEYMGMT_FLAG_USAGE_SIGN )
#define KEYMGMT_MASK_CERTOPTIONS ( KEYMGMT_FLAG_DATAONLY_CERT | \
KEYMGMT_FLAG_USAGE_CRYPT | \
KEYMGMT_FLAG_USAGE_SIGN )
typedef struct {
CRYPT_HANDLE cryptHandle; /* Returned key */
CRYPT_KEYID_TYPE keyIDtype; /* Key ID type */
const void *keyID; /* Key ID */
int keyIDlength;
void *auxInfo; /* Aux.info (e.g.password for private key) */
int auxInfoLength;
int flags; /* Access options */
} MESSAGE_KEYMGMT_INFO;
#define setMessageKeymgmtInfo( keymgmtInfo, idType, id, idLength, aux, auxLen, keyFlags ) \
{ \
( keymgmtInfo )->cryptHandle = CRYPT_ERROR; \
( keymgmtInfo )->keyIDtype = ( idType ); \
( keymgmtInfo )->keyID = ( id ); \
( keymgmtInfo )->keyIDlength = ( idLength ); \
( keymgmtInfo )->auxInfo = ( aux ); \
( keymgmtInfo )->auxInfoLength = ( auxLen ); \
( keymgmtInfo )->flags = ( keyFlags ); \
}
/* Cert management messages used to handle CA operations. All fields are
mandatory, however the cryptCert and request fields may be set to
CRYPT_UNUSED to indicate 'don't care' conditions */
typedef struct {
CRYPT_CERTIFICATE cryptCert; /* Returned cert */
CRYPT_CONTEXT caKey; /* CA key to sign item */
CRYPT_CERTIFICATE request; /* Request for operation */
} MESSAGE_CERTMGMT_INFO;
#define setMessageCertMgmtInfo( certMgmtInfo, mgmtCaKey, mgmtRequest ) \
{ \
( certMgmtInfo )->cryptCert = CRYPT_ERROR; \
( certMgmtInfo )->caKey = ( mgmtCaKey ); \
( certMgmtInfo )->request = ( mgmtRequest ); \
}
/****************************************************************************
* *
* Object Management Functions *
* *
****************************************************************************/
/* Prototype for an object's message-handling function */
typedef int ( *MESSAGE_FUNCTION )( const void *objectInfoPtr,
const MESSAGE_TYPE message,
void *messageDataPtr,
const int messageValue );
/* Object management functions. A dummy object is one that exists but
doesn't have the capabilities of the actual object, for example an
encryption context that just maps to underlying crypto hardware. This
doesn't affect krnlCreateObject(), but is used by the object-type-specific
routines which decorate the results of krnlCreateObject() with object-
specific extras */
#define CREATEOBJECT_FLAG_NONE 0x00 /* No create-object flags */
#define CREATEOBJECT_FLAG_SECUREMALLOC \
0x01 /* Use krnlMemAlloc() to alloc.*/
#define CREATEOBJECT_FLAG_DUMMY 0x02 /* Dummy obj.used as placeholder */
int krnlCreateObject( void **objectDataPtr, const int objectDataSize,
const OBJECT_TYPE type, const int subType,
const int createObjectFlags, const CRYPT_USER owner,
const int actionFlags,
MESSAGE_FUNCTION messageFunction );
int krnlSendMessage( const int objectHandle, const MESSAGE_TYPE message,
void *messageDataPtr, const int messageValue );
/* Since some messages contain no data but act only as notifiers, we define
the following macro to make using them less messy */
#define krnlSendNotifier( handle, message ) \
krnlSendMessage( handle, message, NULL, 0 )
/* In some rare cases we have to access an object directly without sending
it a message. This happens either with certs where we're already
processing a message for one cert and need to access internal data in
another cert, or when we're working with a device tied to a context where
we need access to both context and device internals at the same time.
This access handled by the following function */
int krnlGetObject( const int objectHandle, const OBJECT_TYPE type,
void **objectPtr, const int errorCode );
int krnlReleaseObject( const int objectHandle );
/* In even rarer cases, we have to allow a second thread access to an object
when another thread has it locked. This only occurs in one case, when a
background polling thread is adding entropy to the system device. The way
this works is that the calling thread hands ownership over to the polling
thread and suspends itself until the polling thread completes. When the
polling thread has completed, it terminates, whereupon ownership passes
back to the original thread */
int krnlReleaseSystemObject( const THREAD_HANDLE objectOwner );
int krnlReacquireSystemObject( void );
/* Semaphores and mutexes */
typedef enum {
SEMAPHORE_NONE, /* No semaphore */
SEMAPHORE_DRIVERBIND, /* Async driver bind */
SEMAPHORE_LAST /* Last semaphore */
} SEMAPHORE_TYPE;
typedef enum {
MUTEX_NONE, /* No mutex */
MUTEX_SESSIONCACHE, /* SSL/TLS session cache */
MUTEX_SOCKETPOOL, /* Network socket pool */
MUTEX_RANDOMPOLLING, /* Randomness polling */
MUTEX_LAST /* Last mutex */
} MUTEX_TYPE;
/* Set/clear/wait on a semaphore, enter and exit a mutex */
void setSemaphore( const SEMAPHORE_TYPE semaphore,
const SEMAPHORE_HANDLE object );
void clearSemaphore( const SEMAPHORE_TYPE semaphore );
void waitSemaphore( const SEMAPHORE_TYPE semaphore );
void enterMutex( const MUTEX_TYPE mutex );
void exitMutex( const MUTEX_TYPE mutex );
/* Secure memory handling functions */
int krnlMemalloc( void **pointer, int size );
void krnlMemfree( void **pointer );
int krnlMemsize( const void *pointer );
#endif /* _CRYPTKRN_DEFINED */
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -