📄 mech_acl.c
字号:
/****************************************************************************
* *
* Mechanism ACLs *
* Copyright Peter Gutmann 1997-2004 *
* *
****************************************************************************/
#if defined( INC_ALL )
#include "crypt.h"
#include "acl.h"
#include "kernel.h"
#elif defined( INC_CHILD )
#include "../crypt.h"
#include "acl.h"
#include "kernel.h"
#else
#include "crypt.h"
#include "kernel/acl.h"
#include "kernel/kernel.h"
#endif /* Compiler-specific includes */
/* A pointer to the kernel data block */
static KERNEL_DATA *krnlData = NULL;
/****************************************************************************
* *
* Mechanism ACLs *
* *
****************************************************************************/
/* The ACL tables for each mechanism class */
static const FAR_BSS MECHANISM_ACL mechanismWrapACL[] = {
/* PKCS #1 encrypt */
{ MECHANISM_ENC_PKCS1,
{ MKACP_S_OPT( 64, MAX_PKCENCRYPTED_SIZE ),/* Wrapped key */
MKACP_S_NONE(),
MKACP_O( ST_CTX_CONV | ST_CTX_MAC, /* Ctx containing key */
ACL_FLAG_HIGH_STATE ),
MKACP_O( ST_CTX_PKC, /* Wrap PKC context */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ),
MKACP_UNUSED() } },
/* PKCS #1 encrypt using PGP formatting */
{ MECHANISM_ENC_PKCS1_PGP,
{ MKACP_S_OPT( 64, MAX_PKCENCRYPTED_SIZE ),/* Wrapped key */
MKACP_S_NONE(),
MKACP_O( ST_CTX_CONV, /* Ctx containing key */
ACL_FLAG_HIGH_STATE ),
MKACP_O( ST_CTX_PKC, /* Wrap PKC context */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ),
MKACP_UNUSED() } },
/* PKCS #1 encrypt of raw data */
{ MECHANISM_ENC_PKCS1_RAW,
{ MKACP_S_OPT( 64, CRYPT_MAX_PKCSIZE ),/* Wrapped raw data */
MKACP_S( 8, CRYPT_MAX_KEYSIZE ), /* Raw data */
MKACP_UNUSED(),
MKACP_O( ST_CTX_PKC, /* Wrap PKC context */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ),
MKACP_UNUSED() } },
/* CMS key wrap */
{ MECHANISM_ENC_CMS,
{ MKACP_S_OPT( 8 + 8, CRYPT_MAX_KEYSIZE + 16 ),/* Wrapped key */
MKACP_S_NONE(),
MKACP_O( ST_CTX_CONV | ST_CTX_MAC, /* Ctx containing key */
ACL_FLAG_HIGH_STATE ),
MKACP_O( ST_CTX_CONV, /* Wrap context */
ACL_FLAG_HIGH_STATE ),
MKACP_UNUSED() } },
/* KEA key agreement */
{ MECHANISM_ENC_KEA,
{ MKACP_S( 140, 140 ), /* sizeof( TEK( MEK ) + Ra ) */
MKACP_S_NONE(),
MKACP_O( ST_CTX_CONV, /* Skipjack session key */
ACL_FLAG_HIGH_STATE ),
MKACP_O( ST_CTX_PKC, /* Recipient KEA pubkey */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ),
MKACP_O( ST_CTX_PKC, /* Sender KEA privkey */
ACL_FLAG_HIGH_STATE ) } },
/* Private key wrap */
{ MECHANISM_PRIVATEKEYWRAP,
{ MKACP_S_OPT( 16, MAX_PRIVATE_KEYSIZE ),/* Wrapped key */
MKACP_S_NONE(),
MKACP_O( ST_CTX_PKC, /* Ctx containing private key */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ),
MKACP_O( ST_CTX_CONV, /* Wrap context */
ACL_FLAG_HIGH_STATE ),
MKACP_UNUSED() } },
/* Private key wrap */
{ MECHANISM_PRIVATEKEYWRAP_PKCS8,
{ MKACP_S_OPT( 16, MAX_PRIVATE_KEYSIZE ),/* Wrapped key */
MKACP_S_NONE(),
MKACP_O( ST_CTX_PKC, /* Ctx containing private key */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ),
MKACP_O( ST_CTX_CONV, /* Wrap context */
ACL_FLAG_HIGH_STATE ),
MKACP_UNUSED() } },
{ MECHANISM_NONE,
{ MKACP_END() } }
};
static const FAR_BSS MECHANISM_ACL mechanismUnwrapACL[] = {
/* PKCS #1 decrypt */
{ MECHANISM_ENC_PKCS1,
{ MKACP_S_OPT( 60, CRYPT_MAX_PKCSIZE ),/* Wrapped key */
MKACP_S_NONE(),
MKACP_O( ST_CTX_CONV | ST_CTX_MAC, /* Ctx to contain key */
ACL_FLAG_LOW_STATE ),
MKACP_O( ST_CTX_PKC, /* Unwrap PKC context */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ),
MKACP_UNUSED() } },
/* PKCS #1 decrypt using PGP formatting */
{ MECHANISM_ENC_PKCS1_PGP,
{ MKACP_S_OPT( 60, 4 + ( 2 * CRYPT_MAX_PKCSIZE ) ),/* Wrapped key */
MKACP_S_NONE(),
MKACP_UNUSED(), /* Placeholder for ctx to contain key */
MKACP_O( ST_CTX_PKC, /* Unwrap PKC context */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ),
MKACP_UNUSED() } },
/* PKCS #1 decrypt of raw data */
{ MECHANISM_ENC_PKCS1_RAW,
{ MKACP_S_OPT( 64, CRYPT_MAX_PKCSIZE ),/* Wrapped raw data */
MKACP_S( 8, CRYPT_MAX_PKCSIZE ), /* Raw data */
MKACP_UNUSED(),
MKACP_O( ST_CTX_PKC, /* Unwrap PKC context */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ),
MKACP_UNUSED() } },
/* CMS key unwrap */
{ MECHANISM_ENC_CMS,
{ MKACP_S( 8 + 8, CRYPT_MAX_KEYSIZE + 16 ),/* Wrapped key */
MKACP_S_NONE(),
MKACP_O( ST_CTX_CONV | ST_CTX_MAC, /* Ctx to contain key */
ACL_FLAG_LOW_STATE ),
MKACP_O( ST_CTX_CONV, /* Unwrap context */
ACL_FLAG_HIGH_STATE ),
MKACP_UNUSED() } },
/* KEA key agreement */
{ MECHANISM_ENC_KEA,
{ MKACP_S( 140, 140 ), /* sizeof( TEK( MEK ) + Ra ) */
MKACP_S_NONE(),
MKACP_O( ST_CTX_CONV, /* Skipjack session key */
ACL_FLAG_LOW_STATE ),
MKACP_O( ST_CTX_PKC, /* Recipient KEA privkey */
ACL_FLAG_HIGH_STATE ),
MKACP_O( ST_CTX_PKC, /* Sender KEA pubkey */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ) } },
/* Private key unwrap */
{ MECHANISM_PRIVATEKEYWRAP,
{ MKACP_S( 16, MAX_PRIVATE_KEYSIZE ), /* Wrapped key */
MKACP_S_NONE(),
MKACP_O( ST_CTX_PKC, /* Ctx to contain private key */
ACL_FLAG_LOW_STATE ),
MKACP_O( ST_CTX_CONV, /* Unwrap context */
ACL_FLAG_HIGH_STATE ),
MKACP_UNUSED() } },
/* Private key unwrap */
{ MECHANISM_PRIVATEKEYWRAP_PGP,
{ MKACP_S( 16, MAX_PRIVATE_KEYSIZE ), /* Wrapped key */
MKACP_S_NONE(),
MKACP_O( ST_CTX_PKC, /* Ctx to contain private key */
ACL_FLAG_LOW_STATE ),
MKACP_O( ST_CTX_CONV, /* Unwrap context */
ACL_FLAG_HIGH_STATE ),
MKACP_UNUSED() } },
/* Private key unwrap */
{ MECHANISM_PRIVATEKEYWRAP_OPENPGP,
{ MKACP_S( 16, MAX_PRIVATE_KEYSIZE ), /* Wrapped key */
MKACP_S_NONE(),
MKACP_O( ST_CTX_PKC, /* Ctx to contain private key */
ACL_FLAG_LOW_STATE ),
MKACP_O( ST_CTX_CONV, /* Unwrap context */
ACL_FLAG_HIGH_STATE ),
MKACP_UNUSED() } },
{ MECHANISM_NONE,
{ MKACP_END() } }
};
static const FAR_BSS MECHANISM_ACL mechanismSignACL[] = {
/* PKCS #1 sign */
{ MECHANISM_SIG_PKCS1,
{ MKACP_S_OPT( 64, CRYPT_MAX_PKCSIZE ),/* Signature */
MKACP_O( ST_CTX_HASH, /* Hash context */
ACL_FLAG_HIGH_STATE ),
MKACP_UNUSED(), /* Secondary hash context */
MKACP_O( ST_CTX_PKC, /* Signing context */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ) } },
/* SSL sign with dual hashes */
{ MECHANISM_SIG_SSL,
{ MKACP_S_OPT( 64, CRYPT_MAX_PKCSIZE ),/* Signature */
MKACP_O( ST_CTX_HASH, /* Hash context */
ACL_FLAG_HIGH_STATE ),
MKACP_O( ST_CTX_HASH, /* Secondary hash context */
ACL_FLAG_HIGH_STATE ),
MKACP_O( ST_CTX_PKC, /* Signing context */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ) } },
{ MECHANISM_NONE,
{ MKACP_END() } }
};
static const FAR_BSS MECHANISM_ACL mechanismSigCheckACL[] = {
/* PKCS #1 sig check */
{ MECHANISM_SIG_PKCS1,
{ MKACP_S( 60, CRYPT_MAX_PKCSIZE ), /* Signature */
MKACP_O( ST_CTX_HASH, /* Hash context */
ACL_FLAG_HIGH_STATE ),
MKACP_UNUSED(), /* Secondary hash context */
MKACP_O( ST_CTX_PKC, /* Sig.check context */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ) } },
/* SSL sign with dual hashes */
{ MECHANISM_SIG_SSL,
{ MKACP_S( 60, CRYPT_MAX_PKCSIZE ), /* Signature */
MKACP_O( ST_CTX_HASH, /* Hash context */
ACL_FLAG_HIGH_STATE ),
MKACP_O( ST_CTX_HASH, /* Secondary hash context */
ACL_FLAG_HIGH_STATE ),
MKACP_O( ST_CTX_PKC, /* Sig.check context */
ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX ) } },
{ MECHANISM_NONE,
{ MKACP_END() } }
};
static const FAR_BSS MECHANISM_ACL mechanismDeriveACL[] = {
/* PKCS #5 derive */
{ MECHANISM_DERIVE_PKCS5,
{ MKACP_S( 1, CRYPT_MAX_KEYSIZE ), /* Key data */
MKACP_S( 2, MAX_ATTRIBUTE_SIZE ), /* Keying material */
MKACP_N( CRYPT_ALGO_HMAC_SHA, CRYPT_ALGO_HMAC_SHA ),/* Hash algo */
MKACP_S( 4, 512 ), /* Salt */
MKACP_N( 1, INT_MAX ) } }, /* Iterations */
/* SSL derive */
{ MECHANISM_DERIVE_SSL,
{ MKACP_S( 48, 512 ), /* Master secret/key data */
MKACP_S( 48, CRYPT_MAX_PKCSIZE ), /* Premaster secret/master secret */
MKACP_N( CRYPT_USE_DEFAULT, CRYPT_USE_DEFAULT ),/* SSL uses dual hash */
MKACP_S( 64, 64 ), /* Salt */
MKACP_N( 1, 1 ) } }, /* Iterations */
/* TLS derive. The odd lower bounds on the output and salt are needed
when generating the TLS hashed MAC and (for the salt and output) and
when generating a master secret from a fixed shared key (for the
input) */
{ MECHANISM_DERIVE_TLS,
{ MKACP_S( 12, 512 ), /* Master secret/key data (usually 48) */
MKACP_S( 6, CRYPT_MAX_PKCSIZE ), /* Premaster secret/master secret (us'ly 48) */
MKACP_N( CRYPT_USE_DEFAULT, CRYPT_USE_DEFAULT ),/* TLS uses dual hash */
MKACP_S( 13, 512 ), /* Salt (usually 64) */
MKACP_N( 1, 1 ) } }, /* Iterations */
/* CMP/Entrust derive */
{ MECHANISM_DERIVE_CMP,
{ MKACP_S( 20, 20 ), /* HMAC-SHA key */
MKACP_S( 1, 512 ), /* Key data */
MKACP_N( CRYPT_ALGO_SHA, CRYPT_ALGO_SHA ),/* Hash algo */
MKACP_S( 1, 512 ), /* Salt */
MKACP_N( 1, INT_MAX ) } }, /* Iterations */
/* OpenPGP S2K derive */
{ MECHANISM_DERIVE_PGP,
{ MKACP_S( 16, CRYPT_MAX_KEYSIZE ), /* Key data */
MKACP_S( 2, MAX_ATTRIBUTE_SIZE ), /* Keying material */
MKACP_N( CRYPT_ALGO_MD5, CRYPT_ALGO_RIPEMD160 ),/* Hash algo */
MKACP_S( 8, 8 ), /* Salt */
MKACP_N( 0, INT_MAX ) } }, /* Iterations (0 = don't iterate) */
/* PKCS #12 derive */
{ MECHANISM_DERIVE_PKCS12,
{ MKACP_S( 20, 20 ), /* Key data */
MKACP_S( 2, CRYPT_MAX_TEXTSIZE ), /* Keying material */
MKACP_N( CRYPT_ALGO_SHA, CRYPT_ALGO_SHA ),/* Hash algo */
MKACP_S( 9, 9 ), /* Salt (+ ID byte) */
MKACP_N( 1, INT_MAX ) } }, /* Iterations */
{ MECHANISM_NONE,
{ MKACP_END() } }
};
/****************************************************************************
* *
* Init/Shutdown Functions *
* *
****************************************************************************/
int initMechanismACL( KERNEL_DATA *krnlDataPtr )
{
/* Set up the reference to the kernel data block */
krnlData = krnlDataPtr;
return( CRYPT_OK );
}
void endMechanismACL( void )
{
krnlData = NULL;
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -