📄 attr_acl.c
/****************************************************************************
* *
* Object Attribute ACLs *
* Copyright Peter Gutmann 1997-2004 *
* *
****************************************************************************/
#if defined( INC_ALL )
#include "crypt.h"
#include "acl.h"
#include "kernel.h"
#elif defined( INC_CHILD )
#include "../crypt.h"
#include "acl.h"
#include "kernel.h"
#else
#include "crypt.h"
#include "kernel/acl.h"
#include "kernel/kernel.h"
#endif /* Compiler-specific includes */
/* Common object ACLs for various object types.  Each OBJECT_ACL initialiser
   below has three fields: two subtype bitmasks (the first built from
   ST_CTX_xxx/ST_CERT_xxx/ST_KEYSET_xxx/ST_DEV_xxx values, the second from
   ST_ENV_xxx/ST_SESS_xxx values) followed by ACL_FLAG_xxx flags.
   NOTE(review): presumably these constrain the subtype and state of an
   object that is supplied as an attribute value - confirm against the
   OBJECT_ACL definition in acl.h */

/* Encryption contexts.  All three require ACL_FLAG_HIGH_STATE; only the PKC
   entry adds ACL_FLAG_ROUTE_TO_CTX */
static const FAR_BSS OBJECT_ACL objectCtxConv = {
ST_CTX_CONV, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCtxPKC = {
ST_CTX_PKC, ST_NONE, ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX };
static const FAR_BSS OBJECT_ACL objectCtxHash = {
ST_CTX_HASH, ST_NONE, ACL_FLAG_HIGH_STATE };

/* Certificate objects.  The state flag is the part to review on each entry:
   most require ACL_FLAG_HIGH_STATE, while the entries tagged "Unsigned obj."
   and the template, CMP-request and CMS-attribute entries accept
   ACL_FLAG_ANY_STATE.
   NOTE(review): passing an ANY_STATE (or LOW_STATE) ACL therefore says
   nothing about whether the object has been signed; confirm that the
   consumers of those entries do not rely on it for that */
static const FAR_BSS OBJECT_ACL objectCertificate = {
ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CERT };
static const FAR_BSS OBJECT_ACL objectCertificateTemplate = {
ST_CERT_CERT, ST_NONE, ACL_FLAG_ANY_STATE }; /* Template for cert.attrs */
static const FAR_BSS OBJECT_ACL objectCertRequest = {
ST_CERT_CERTREQ | ST_CERT_REQ_CERT, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCertRevRequest = {
ST_CERT_REQ_REV, ST_NONE, ACL_FLAG_ANY_STATE }; /* Unsigned obj.*/
static const FAR_BSS OBJECT_ACL objectCertSessionRTCSRequest = {
ST_CERT_RTCS_REQ, ST_NONE, ACL_FLAG_ANY_STATE }; /* Unsigned obj.*/
static const FAR_BSS OBJECT_ACL objectCertSessionOCSPRequest = {
ST_CERT_OCSP_REQ, ST_NONE, ACL_FLAG_ANY_STATE }; /* Unsigned obj.*/
/* Accepts all three request subtypes (cert request, CRMF request,
   revocation request) in any state */
static const FAR_BSS OBJECT_ACL objectCertSessionCMPRequest = {
ST_CERT_CERTREQ | ST_CERT_REQ_CERT | ST_CERT_REQ_REV, ST_NONE, ACL_FLAG_ANY_STATE };
/* The only certificate entry that requires ACL_FLAG_LOW_STATE */
static const FAR_BSS OBJECT_ACL objectCertSessionUnsignedPKCS10Request = {
ST_CERT_CERTREQ, ST_NONE, ACL_FLAG_LOW_STATE };
/* High-state counterparts of the RTCS/OCSP session request entries above,
   plus the matching response objects */
static const FAR_BSS OBJECT_ACL objectCertRTCSRequest = {
ST_CERT_RTCS_REQ, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCertRTCSResponse = {
ST_CERT_RTCS_RESP, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCertOCSPRequest = {
ST_CERT_OCSP_REQ, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCertOCSPResponse = {
ST_CERT_OCSP_RESP, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCertPKIUser = {
ST_CERT_PKIUSER, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCMSAttr = {
ST_CERT_CMSATTR, ST_NONE, ACL_FLAG_ANY_STATE };

/* Keysets and devices.  No state requirement (ACL_FLAG_NONE) on any of
   them.
   NOTE(review): two entries use SUBTYPE_KEYSET_xxx names where the rest of
   the table uses the ST_xxx spelling; presumably these are aliases - confirm
   in acl.h */
static const FAR_BSS OBJECT_ACL objectKeyset = {
ST_KEYSET_ANY | ST_DEV_ANY_STD, ST_NONE, ACL_FLAG_NONE };
static const FAR_BSS OBJECT_ACL objectKeysetCerts = {
ST_KEYSET_DBMS | SUBTYPE_KEYSET_DBMS_STORE, ST_NONE, ACL_FLAG_NONE };
static const FAR_BSS OBJECT_ACL objectKeysetPrivate = {
ST_KEYSET_FILE | ST_DEV_FORT | ST_DEV_P11, ST_NONE, ACL_FLAG_NONE };
static const FAR_BSS OBJECT_ACL objectKeysetConfigdata = {
SUBTYPE_KEYSET_FILE, ST_NONE, ACL_FLAG_NONE };

/* Envelopes and sessions.  These leave the first mask as ST_NONE and select
   the object through the second mask instead.  Client and server session
   subtypes are kept in separate ACLs */
static const FAR_BSS OBJECT_ACL objectDeenvelope = {
ST_NONE, ST_ENV_DEENV, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectSessionDataClient = {
ST_NONE, ST_SESS_SSH | ST_SESS_SSL, ACL_FLAG_NONE };
static const FAR_BSS OBJECT_ACL objectSessionDataServer = {
ST_NONE, ST_SESS_SSH_SVR | ST_SESS_SSL_SVR, ACL_FLAG_NONE };
static const FAR_BSS OBJECT_ACL objectSessionTSP = {
ST_NONE, ST_SESS_TSP, ACL_FLAG_LOW_STATE };
/****************************************************************************
* *
* Object/Property ACLs *
* *
****************************************************************************/
/* Permitted value ranges for the cursor attributes, one table per object
   type.  Each table is a list of { low, high } pairs ended by a
   { CRYPT_ERROR, CRYPT_ERROR } sentinel.  The first pair in every table is
   the cursor-movement code range, the second is a range of attribute IDs
   for that object type.
   NOTE(review): the bounds are presumably inclusive - confirm against the
   range-checking code in the kernel */

/* Certificates: cursor codes or an extension attribute ID (the second
   range covers FIRST_EXTENSION..LAST_EXTENSION only) */
static const FAR_BSS RANGE_SUBRANGE_TYPE allowedCertCursorSubranges[] = {
{ CRYPT_CURSOR_FIRST, CRYPT_CURSOR_LAST },
{ CRYPT_CERTINFO_FIRST_EXTENSION, CRYPT_CERTINFO_LAST_EXTENSION },
{ CRYPT_ERROR, CRYPT_ERROR } };
/* Envelopes: cursor codes or any CRYPT_ENVINFO_xxx attribute ID */
static const FAR_BSS RANGE_SUBRANGE_TYPE allowedEnvCursorSubranges[] = {
{ CRYPT_CURSOR_FIRST, CRYPT_CURSOR_LAST },
{ CRYPT_ENVINFO_FIRST, CRYPT_ENVINFO_LAST },
{ CRYPT_ERROR, CRYPT_ERROR } };
/* Sessions: cursor codes or any CRYPT_SESSINFO_xxx attribute ID */
static const FAR_BSS RANGE_SUBRANGE_TYPE allowedSessionCursorSubranges[] = {
{ CRYPT_CURSOR_FIRST, CRYPT_CURSOR_LAST },
{ CRYPT_SESSINFO_FIRST, CRYPT_SESSINFO_LAST },
{ CRYPT_ERROR, CRYPT_ERROR } };
/* Per-object-type sub-ACL for CRYPT_ATTRIBUTE_CURRENT_GROUP.  The same
   numeric attribute gets a different route and a different permitted
   subrange table depending on whether the target is a certificate, a
   de-enveloping envelope or an SSH session.  All three entries use
   ACCESS_RWx_RWx and a flags value of 0.  The list is ended by
   MKACL_END_SUBACL() */
static const FAR_BSS ATTRIBUTE_ACL subACL_AttributeCurrentGroup[] = {
MKACL_EX( /* Certs */
CRYPT_ATTRIBUTE_CURRENT_GROUP, ATTRIBUTE_VALUE_NUMERIC,
ST_CERT_ANY, ST_NONE, ACCESS_RWx_RWx, 0,
ROUTE( OBJECT_TYPE_CERTIFICATE ),
RANGE_SUBRANGES, allowedCertCursorSubranges ),
MKACL_EX( /* Envelopes */
CRYPT_ATTRIBUTE_CURRENT_GROUP, ATTRIBUTE_VALUE_NUMERIC,
ST_NONE, ST_ENV_DEENV, ACCESS_RWx_RWx, 0,
ROUTE( OBJECT_TYPE_ENVELOPE ),
RANGE_SUBRANGES, allowedEnvCursorSubranges ),
MKACL_EX( /* Sessions */
/* Only the SSH client and server subtypes are listed, no other session
   type can use the cursor through this entry */
CRYPT_ATTRIBUTE_CURRENT_GROUP, ATTRIBUTE_VALUE_NUMERIC,
ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR, ACCESS_RWx_RWx, 0,
ROUTE( OBJECT_TYPE_SESSION ),
RANGE_SUBRANGES, allowedSessionCursorSubranges ),
MKACL_END_SUBACL()
};
/* Per-object-type sub-ACL for CRYPT_ATTRIBUTE_CURRENT.  Structured exactly
   like subACL_AttributeCurrentGroup: one entry each for certificates,
   de-enveloping envelopes and SSH sessions, each with its own route and
   its own permitted subrange table, ended by MKACL_END_SUBACL() */
static const FAR_BSS ATTRIBUTE_ACL subACL_AttributeCurrent[] = {
MKACL_EX( /* Certs */
CRYPT_ATTRIBUTE_CURRENT, ATTRIBUTE_VALUE_NUMERIC,
ST_CERT_ANY, ST_NONE, ACCESS_RWx_RWx, 0,
ROUTE( OBJECT_TYPE_CERTIFICATE ),
RANGE_SUBRANGES, allowedCertCursorSubranges ),
MKACL_EX( /* Envelopes */
CRYPT_ATTRIBUTE_CURRENT, ATTRIBUTE_VALUE_NUMERIC,
ST_NONE, ST_ENV_DEENV, ACCESS_RWx_RWx, 0,
ROUTE( OBJECT_TYPE_ENVELOPE ),
RANGE_SUBRANGES, allowedEnvCursorSubranges ),
MKACL_EX( /* Sessions */
/* Only the SSH client and server subtypes are listed */
CRYPT_ATTRIBUTE_CURRENT, ATTRIBUTE_VALUE_NUMERIC,
ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR, ACCESS_RWx_RWx, 0,
ROUTE( OBJECT_TYPE_SESSION ),
RANGE_SUBRANGES, allowedSessionCursorSubranges ),
MKACL_END_SUBACL()
};
/* Object properties.  One ATTRIBUTE_ACL entry per CRYPT_PROPERTY_xxx value,
   all flagged ATTRIBUTE_FLAG_PROPERTY.  Every entry except NONEXPORTABLE
   applies to all object subtypes (ST_ANY_A, ST_ANY_B) and is not routed
   (ROUTE_NONE).
   NOTE(review): the ACCESS_aaa_bbb names presumably encode
   read/write/delete permission for the object's high state and low state
   respectively, with 'x' meaning not permitted - confirm in acl.h */
static const FAR_BSS ATTRIBUTE_ACL propertyACL[] = {
MKACL( /* Owned+non-forwardable+locked */
/* Write-only by its access name, and TRUE is the only value in range, so
   this entry lets a caller turn the property on but offers no value that
   turns it off */
CRYPT_PROPERTY_HIGHSECURITY, ATTRIBUTE_VALUE_BOOLEAN,
ST_ANY_A, ST_ANY_B, ACCESS_xWx_xWx, ATTRIBUTE_FLAG_PROPERTY,
ROUTE_NONE, RANGE( TRUE, TRUE ) ),
MKACL_N_EX( /* Object owner */
CRYPT_PROPERTY_OWNER,
ST_ANY_A, ST_ANY_B, ACCESS_RWx_RWx, ATTRIBUTE_FLAG_PROPERTY,
ROUTE_NONE, RANGE_ANY ),
MKACL_N_EX( /* No.of times object can be forwarded */
/* Bounded to 1...1000, so zero cannot be written through this entry */
CRYPT_PROPERTY_FORWARDCOUNT,
ST_ANY_A, ST_ANY_B, ACCESS_RWx_RWx, ATTRIBUTE_FLAG_PROPERTY,
ROUTE_NONE, RANGE( 1, 1000 ) ),
MKACL( /* Whether properties can be changed/read */
/* As with HIGHSECURITY only TRUE is in range, so the lock can be applied
   but there is no in-range value that removes it */
CRYPT_PROPERTY_LOCKED, ATTRIBUTE_VALUE_BOOLEAN,
ST_ANY_A, ST_ANY_B, ACCESS_RWx_RWx, ATTRIBUTE_FLAG_PROPERTY,
ROUTE_NONE, RANGE( TRUE, TRUE ) ),
MKACL_N_EX( /* Usage count before object expires */
/* Bounded to 1...1000 */
CRYPT_PROPERTY_USAGECOUNT,
ST_ANY_A, ST_ANY_B, ACCESS_RWx_RWx, ATTRIBUTE_FLAG_PROPERTY,
ROUTE_NONE, RANGE( 1, 1000 ) ),
MKACL( /* Whether key is nonexp.from context */
/* Restricted to contexts (ST_CTX_ANY) and routed to the context.
   NOTE(review): ACCESS_xxx_xxx names no permitted operation in either
   state, which suggests this property is not readable or writable
   through this ACL at all - confirm how it is set */
CRYPT_PROPERTY_NONEXPORTABLE, ATTRIBUTE_VALUE_BOOLEAN,
ST_CTX_ANY, ST_NONE, ACCESS_xxx_xxx, ATTRIBUTE_FLAG_PROPERTY,
ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( TRUE, TRUE ) )
/* NOTE(review): no comma separates the last entry from MKACL_END() here,
   whereas the sub-ACL tables in this file put one before
   MKACL_END_SUBACL() - check the MKACL_END definition in acl.h to see
   whether it supplies the separator itself */
MKACL_END()
};
/* Generic attributes: error reporting, attribute-cursor management and the
   internal buffer size.  One ATTRIBUTE_ACL entry per CRYPT_ATTRIBUTE_xxx
   value.
   NOTE(review): the ACCESS_aaa_bbb names presumably encode
   read/write/delete permission for the object's high state and low state
   respectively, with 'x' meaning not permitted - confirm in acl.h */
static const FAR_BSS ATTRIBUTE_ACL genericACL[] = {
MKACL_N( /* Type of last error */
/* Read-only on every object subtype */
CRYPT_ATTRIBUTE_ERRORTYPE,
ST_ANY_A, ST_ANY_B, ACCESS_Rxx_Rxx,
ROUTE_NONE, RANGE( CRYPT_ERRTYPE_NONE, CRYPT_ERRTYPE_LAST - 1 ) ),
MKACL_N( /* Locus of last error */
/* Read-only on every object subtype; the value is an attribute ID */
CRYPT_ATTRIBUTE_ERRORLOCUS,
ST_ANY_A, ST_ANY_B, ACCESS_Rxx_Rxx,
ROUTE_NONE, RANGE( CRYPT_ATTRIBUTE_NONE, CRYPT_ATTRIBUTE_LAST ) ),
MKACL_N( /* Low-level, software-specific */
/* Read-only, and only on keysets, standard devices and sessions */
CRYPT_ATTRIBUTE_INT_ERRORCODE,
ST_KEYSET_ANY | ST_DEV_ANY_STD, ST_SESS_ANY, ACCESS_Rxx_Rxx,
ROUTE_ALT2( OBJECT_TYPE_DEVICE, OBJECT_TYPE_KEYSET, OBJECT_TYPE_SESSION ), RANGE_ANY ),
MKACL_S( /* error code and message */
/* Read-only string attribute on the same object types as the error code;
   the range is 0...512.
   NOTE(review): for an MKACL_S entry the range presumably bounds the
   string length - confirm in acl.h */
CRYPT_ATTRIBUTE_INT_ERRORMESSAGE,
ST_KEYSET_ANY | ST_DEV_ANY_STD, ST_SESS_ANY, ACCESS_Rxx_Rxx,
ROUTE_ALT2( OBJECT_TYPE_DEVICE, OBJECT_TYPE_KEYSET, OBJECT_TYPE_SESSION ), RANGE( 0, 512 ) ),
MKACL_X( /* Cursor mgt: Group in attribute list */
/* In = cursor components, out = component type */
/* No range is given here: the permitted values come from the
   per-object-type entries in subACL_AttributeCurrentGroup.  The subtype
   masks on this entry are the union of the masks on the sub-ACL entries */
CRYPT_ATTRIBUTE_CURRENT_GROUP,
ST_CERT_ANY, ST_ENV_DEENV | ST_SESS_SSH | ST_SESS_SSH_SVR, ACCESS_RWx_RWx,
ROUTE_ALT2( OBJECT_TYPE_CERTIFICATE, OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_SESSION ),
subACL_AttributeCurrentGroup ),
MKACL_X( /* Cursor mgt: Entry in attribute list */
/* In = cursor components, out = component type */
/* Permitted values come from the per-object-type entries in
   subACL_AttributeCurrent */
CRYPT_ATTRIBUTE_CURRENT,
ST_CERT_ANY, ST_ENV_DEENV | ST_SESS_SSH | ST_SESS_SSH_SVR, ACCESS_RWx_RWx,
ROUTE_ALT2( OBJECT_TYPE_CERTIFICATE, OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_SESSION ),
subACL_AttributeCurrent ),
MKACL_N( /* Cursor mgt: Instance in attribute list */
/* In = cursor components, out = component type */
/* This value is readable but always returns the basic field value
since it represents multiple instantiations of the same field */
/* Unlike the two entries above this one has no sub-ACL: only the
   cursor-movement codes are in range, for every object type */
CRYPT_ATTRIBUTE_CURRENT_INSTANCE,
ST_CERT_ANY, ST_ENV_DEENV | ST_SESS_SSH | ST_SESS_SSH_SVR, ACCESS_RWx_RWx,
ROUTE_ALT2( OBJECT_TYPE_CERTIFICATE, OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_SESSION ),
RANGE( CRYPT_CURSOR_FIRST, CRYPT_CURSOR_LAST ) ),
MKACL_N( /* Internal data buffer size */
/* Envelopes and sessions only, with a lower bound of MIN_BUFFER_SIZE.
   The access name differs between its two halves (Rxx vs. RWx), so the
   size is writable in only one of the two states */
CRYPT_ATTRIBUTE_BUFFERSIZE,
ST_NONE, ST_ENV_ANY | ST_SESS_ANY, ACCESS_Rxx_RWx,
ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_SESSION ), RANGE( MIN_BUFFER_SIZE, RANGE_MAX ) )
/* NOTE(review): no comma separates the last entry from MKACL_END() here,
   whereas the sub-ACL tables in this file put one before
   MKACL_END_SUBACL() - check the MKACL_END definition in acl.h to see
   whether it supplies the separator itself */
MKACL_END()
};
/****************************************************************************
* *
* Config Option ACLs *
* *
****************************************************************************/
/* Algorithms that may be selected as the default encryption algorithm.
   This is an allow-list expressed as { low, high } ranges over the numeric
   CRYPT_ALGO_xxx values, ended by a { CRYPT_ERROR, CRYPT_ERROR } sentinel;
   per the inline comments the gaps between the ranges are what exclude
   DES, RC2, RC4 and Skipjack.
   NOTE(review): because the exclusion relies on the numeric ordering of
   the CRYPT_ALGO_xxx constants, any algorithm whose value falls inside one
   of these ranges is permitted without being named here - re-check this
   table whenever the algorithm enumeration changes.  3DES is the lower
   bound of the first range and so remains selectable; it is itself now
   widely treated as a legacy cipher */
static const FAR_BSS RANGE_SUBRANGE_TYPE allowedEncrAlgoSubranges[] = {
{ CRYPT_ALGO_3DES, CRYPT_ALGO_CAST }, /* No DES */
{ CRYPT_ALGO_RC5, CRYPT_ALGO_BLOWFISH }, /* No RC2, RC4 */
{ CRYPT_ALGO_SKIPJACK + 1, CRYPT_ALGO_LAST_CONVENTIONAL },/* No Skipjack */
{ CRYPT_ERROR, CRYPT_ERROR } };
/* Values accepted for the self-test option: any algorithm ID strictly
   between CRYPT_ALGO_NONE and CRYPT_ALGO_LAST, or CRYPT_USE_DEFAULT */
static const FAR_BSS RANGE_SUBRANGE_TYPE allowedSelftestSubranges[] = {
{ CRYPT_ALGO_NONE + 1, CRYPT_ALGO_LAST - 1 },
{ CRYPT_USE_DEFAULT, CRYPT_USE_DEFAULT },
{ CRYPT_ERROR, CRYPT_ERROR } };
/* Certificate object types permitted for LDAP: a discrete list of values
   rather than a range, ended by CRYPT_ERROR */
static const FAR_BSS int allowedLDAPObjectTypes[] = {
CRYPT_CERTTYPE_NONE, CRYPT_CERTTYPE_CERTIFICATE, CRYPT_CERTTYPE_CRL,
CRYPT_ERROR };
/* Config attributes */
static const FAR_BSS ATTRIBUTE_ACL optionACL[] = {
MKACL_S( /* Text description */
CRYPT_OPTION_INFO_DESCRIPTION,
ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 16, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* Copyright notice */
CRYPT_OPTION_INFO_COPYRIGHT,
ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 16, CRYPT_MAX_TEXTSIZE ) ),
MKACL_N( /* Major release version */
CRYPT_OPTION_INFO_MAJORVERSION,
ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 3, 3 ) ),
MKACL_N( /* Minor release version */
CRYPT_OPTION_INFO_MINORVERSION,
ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 0, 5 ) ),
MKACL_N( /* Stepping version */
CRYPT_OPTION_INFO_STEPPING,
ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 1, 50 ) ),
MKACL_EX( /* Encryption algorithm */
/* We restrict the subrange to disallow the selection of the
insecure or deprecated DES, RC2, RC4, and Skipjack algorithms
as the default encryption algorithms */
CRYPT_OPTION_ENCR_ALGO, ATTRIBUTE_VALUE_NUMERIC,
ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP | ST_USER_ANY, ACCESS_RWx_RWx, 0,
ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_USER ),
RANGE_SUBRANGES, allowedEncrAlgoSubranges ),
MKACL_N( /* Hash algorithm */
/* We restrict the subrange to disallow the selection of the
insecure or deprecated MD2, MD4, and MD5 algorithms as the
default hash algorithm */
CRYPT_OPTION_ENCR_HASH,
ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP | ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_USER ),
RANGE( CRYPT_ALGO_SHA, CRYPT_ALGO_LAST_HASH ) ),
MKACL_N( /* MAC algorithm */
CRYPT_OPTION_ENCR_MAC,
ST_NONE, ST_ENV_ENV | ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_USER ),
RANGE( CRYPT_ALGO_FIRST_MAC, CRYPT_ALGO_LAST_MAC ) ),
MKACL_N( /* Public-key encryption algorithm */
CRYPT_OPTION_PKC_ALGO,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( CRYPT_ALGO_FIRST_PKC, CRYPT_ALGO_LAST_PKC ) ),
MKACL_N( /* Public-key encryption key size */
CRYPT_OPTION_PKC_KEYSIZE,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( bitsToBytes( 512 ), CRYPT_MAX_PKCSIZE ) ),
MKACL_N( /* Signature algorithm */
CRYPT_OPTION_SIG_ALGO,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( CRYPT_ALGO_FIRST_PKC, CRYPT_ALGO_LAST_PKC ) ),
MKACL_N( /* Signature keysize */
CRYPT_OPTION_SIG_KEYSIZE,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( bitsToBytes( 512 ), CRYPT_MAX_PKCSIZE ) ),
MKACL_N( /* Key processing algorithm */
CRYPT_OPTION_KEYING_ALGO,
ST_CTX_CONV, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_CONTEXT, OBJECT_TYPE_USER ),
RANGE( CRYPT_ALGO_HMAC_SHA, CRYPT_ALGO_HMAC_SHA ) ),
MKACL_N( /* Key processing iterations */
CRYPT_OPTION_KEYING_ITERATIONS,
ST_CTX_CONV, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_CONTEXT, OBJECT_TYPE_USER ),
RANGE( 1, 20000 ) ),
MKACL_B( /* Whether to sign unrecog.attrs */
CRYPT_OPTION_CERT_SIGNUNRECOGNISEDATTRIBUTES,