acl.h

cryptlib安全工具包

		by { CRYPT_ERROR, CRYPT_ERROR }
	RANGE_SUBTYPED
		extendedInfo contains sub-acl [] of object type-specific sub-ACLs.
		The main ACL is only used as a general template for checks, the real
		checking is done via recursive application of the sub-ACL for the
		specific object sub-type.
	RANGE_SELECTVALUE
		Special-case value that would normally be a RANGE_SUBTYPED value but
		which is used frequently enough that it's handled specially.  On
		write this value is CRYPT_UNUSED to select this attribute, on read
		it's a presence check and returns TRUE or FALSE.  This is used for
		composite attributes with sub-components, e.g. DNs */

typedef enum {
	RANGEVAL_NONE,					/* No range type */
	RANGEVAL_ANY,					/* Any value allowed */
	RANGEVAL_ALLOWEDVALUES,			/* List of permissible values */
	RANGEVAL_SUBRANGES,				/* List of permissible subranges */
	RANGEVAL_SUBTYPED,				/* Object-subtype-specific sub-ACL */
	RANGEVAL_SELECTVALUE,			/* Write = select attr, read = pres.chk */
	RANGEVAL_LAST					/* Last valid range type */
	} RANGEVAL_TYPE;

#define RANGE_EXT_MARKER	-1000	/* Marker to denote extended range value */

#define RANGE_ANY			RANGE_EXT_MARKER, RANGEVAL_ANY
#define RANGE_ALLOWEDVALUES	RANGE_EXT_MARKER, RANGEVAL_ALLOWEDVALUES
#define RANGE_SUBRANGES		RANGE_EXT_MARKER, RANGEVAL_SUBRANGES
#define RANGE_SUBTYPED		RANGE_EXT_MARKER, RANGEVAL_SUBTYPED
#define RANGE_SELECTVALUE	RANGE_EXT_MARKER, RANGEVAL_SELECTVALUE
#define RANGE( low, high )	( low ), ( high )

/* The maximum possible integer value, used to indicate that any value is
   allowed (e.g. when returning device-specific error codes).  Note that
   this differs from the MAX_INTLENGTH value defined in crypt.h, which
   defines the maximum data length value that can be safely specified by a
   signed integer */

#define RANGE_MAX			( INT_MAX - 128 )

/* Data structures to contain special-case range information */

typedef struct { const int lowRange, highRange; } RANGE_SUBRANGE_TYPE;

/* Macro to check whether it's an extended range and to extract the special
   range type */

#define isSpecialRange( attributeACL ) \
		( ( attributeACL )->lowRange == RANGE_EXT_MARKER )
#define getSpecialRangeType( attributeACL )	( ( attributeACL )->highRange )
#define getSpecialRangeInfo( attributeACL )	( ( attributeACL )->extendedInfo )

/****************************************************************************
*																			*
*									ACL Flags								*
*																			*
****************************************************************************/

/* Flags for attribute ACLs:

	FLAG_OBJECTPROPERTY
		This is an object property attribute which is handled by the kernel
		rather than being forwarded to the object.

	FLAG_TRIGGER
		Successfully setting this attribute triggers a change from the low to
		the high state */

#define ATTRIBUTE_FLAG_NONE		0x00
#define ATTRIBUTE_FLAG_PROPERTY	0x01
#define ATTRIBUTE_FLAG_TRIGGER	0x02
#define ATTRIBUTE_FLAG_LAST		0x04

/* Miscellaneous ACL flags:

	FLAG_LOW_STATE
	FLAG_HIGH_STATE
	FLAG_ANY_STATE
		Whether the object should be in a particular state.

	FLAG_ROUTE_TO_CTX
	FLAG_ROUTE_TO_CERT
		Whether routing should be applied to an object to locate an
		underlying object (e.g. a PKC object for a certificate or a
		certificate for a PKC object).  The need to apply routing is
		unfortunate but is required in order to apply the subtype check to
		PKC/cert objects, sorting out which (pre-routed) object types are
		permissible is beyond the scope of the ACL validation routines,
		which would have to take into consideration the intricacies of all
		manner of certificate objects paired with public and private keys */

#define ACL_FLAG_NONE			0x00
#define ACL_FLAG_LOW_STATE		0x01
#define ACL_FLAG_HIGH_STATE		0x02
#define ACL_FLAG_ANY_STATE		0x03
#define ACL_FLAG_ROUTE_TO_CTX	0x04
#define ACL_FLAG_ROUTE_TO_CERT	0x08

#define ACL_FLAG_STATE_MASK		0x03

/* Macros to check the misc.ACL flags */

#define checkObjectState( flags, objectHandle ) \
		( ( ( flags & ACL_FLAG_LOW_STATE ) && \
			  !isInHighState( objectHandle ) ) || \
		  ( ( flags & ACL_FLAG_HIGH_STATE ) && \
			  isInHighState( objectHandle ) ) )

/****************************************************************************
*																			*
*							Attribute ACL Definitions						*
*																			*
****************************************************************************/

/* The attribute's type, for attribute ACLs.  The basic values are boolean,
   numeric, or byte string, there are also some special types such as object
   handles that place extra constraints on the attribute */

typedef enum {
	ATTRIBUTE_VALUE_NONE,			/* Non-value */
	ATTRIBUTE_VALUE_BOOLEAN,		/* Boolean flag */
	ATTRIBUTE_VALUE_NUMERIC,		/* Numeric value */
	ATTRIBUTE_VALUE_STRING,			/* Byte string */
	ATTRIBUTE_VALUE_WCSTRING,		/* (Possible) widechar string */
	ATTRIBUTE_VALUE_OBJECT,			/* Object handle */
	ATTRIBUTE_VALUE_TIME,			/* Timestamp */
	ATTRIBUTE_VALUE_SPECIAL,		/* Special-case value with sub-ACLs */
	ATTRIBUTE_VALUE_LAST			/* Last attribute value type */
	} ATTRIBUTE_VALUE_TYPE;

/* Attribute ACL entry.  If the code is compiled in debug mode, we also add
   the attribute type, which is used for an internal consistency check */

typedef struct {
#ifndef NDEBUG
	/* The attribute type, used for consistency checking */
	const CRYPT_ATTRIBUTE_TYPE attribute;/* Attribute */
#endif /* NDEBUG */

	/* Attribute type checking information: The attribute value type and
	   object subtypes for which the attribute is valid */
	const ATTRIBUTE_VALUE_TYPE valueType;/* Attribute value type */
	const OBJECT_SUBTYPE subTypeA, subTypeB;
									/* Object subtypes for which attr.valid */

	/* Access information: The type of access and object states that are
	   permitted, and attribute flags for this attribute */
	const int access;				/* Permitted access type */
	const int flags;				/* Attribute flags */

	/* Routing information: The object type (or types, packed into a single
	   value if there are more than one type) that the attribute applies to,
	   and the routing function applied to the attribute message */
	const long routingTarget;		/* Target type(s) if routable */
	int ( *routingFunction )( const int objectHandle, const long arg );

	/* Attribute value checking information */
	const int lowRange;				/* Min/max allowed if numeric/boolean, */
#ifdef SYSTEM_16BIT
	const long highRange;			/*	length if string */
#else
	const int highRange;			/*	length if string */
#endif /* 16- vs. 32-bit systems */
	const void *extendedInfo;		/* Extended ACL/checking information */
	} ATTRIBUTE_ACL;

/* Macros to set up attribute ACL's.  We have one for each of the basic types
   and two general-purpose ones that provide more control over the values */

#ifndef NDEBUG
  /* Standard ACL entries */
  #define MKACL_B( attribute, subTypeA, subTypeB, access, routing ) \
			{ attribute, ATTRIBUTE_VALUE_BOOLEAN, subTypeA, subTypeB, access, \
			  0, routing, FALSE, TRUE, NULL }
  #define MKACL_N( attribute, subTypeA, subTypeB, access, routing, range ) \
			{ attribute, ATTRIBUTE_VALUE_NUMERIC, subTypeA, subTypeB, access, \
			  0, routing, range, NULL }
  #define MKACL_S( attribute, subTypeA, subTypeB, access, routing, range ) \
			{ attribute, ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, access, \
			  0, routing, range, NULL }
  #define MKACL_WCS( attribute, subTypeA, subTypeB, access, routing, range ) \
			{ attribute, ATTRIBUTE_VALUE_WCSTRING, subTypeA, subTypeB, access, \
			  0, routing, range, NULL }
  #define MKACL_O( attribute, subTypeA, subTypeB, access, routing, type ) \
			{ attribute, ATTRIBUTE_VALUE_OBJECT, subTypeA, subTypeB, access, \
			  0, routing, 0, 0, type }
  #define MKACL_T( attribute, subTypeA, subTypeB, access, routing ) \
			{ attribute, ATTRIBUTE_VALUE_TIME, subTypeA, subTypeB, access, \
			  0, routing, 0, 0, NULL }
  #define MKACL_X( attribute, subTypeA, subTypeB, access, routing, subACL ) \
			{ attribute, ATTRIBUTE_VALUE_SPECIAL, subTypeA, subTypeB, access, \
			  0, routing, RANGE_SUBTYPED, subACL }

  /* Extended types */
  #define MKACL_B_EX( attribute, subTypeA, subTypeB, access, flags, routing ) \
			{ attribute, ATTRIBUTE_VALUE_BOOLEAN, subTypeA, subTypeB, access, \
			  flags, routing, FALSE, TRUE, NULL }
  #define MKACL_N_EX( attribute, subTypeA, subTypeB, access, flags, routing, range ) \
			{ attribute, ATTRIBUTE_VALUE_NUMERIC, subTypeA, subTypeB, access, \
			  flags, routing, range, NULL }
  #define MKACL_S_EX( attribute, subTypeA, subTypeB, access, flags, routing, range ) \
			{ attribute, ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, access, \
			  flags, routing, range, NULL }
  #define MKACL_O_EX( attribute, subTypeA, subTypeB, access, flags, routing, type ) \
			{ attribute, ATTRIBUTE_VALUE_OBJECT, subTypeA, subTypeB, access, \
			  flags, routing, 0, 0, type }
  #define MKACL_X_EX( attribute, subTypeA, subTypeB, access, flags, routing, subACL ) \
			{ attribute, ATTRIBUTE_VALUE_SPECIAL, subTypeA, subTypeB, access, \
			  flags, routing, RANGE_SUBTYPED, subACL }

  /* General-purpose ACL macros */
  #define MKACL( attribute, valueType, subTypeA, subTypeB, access, flags, routing, range ) \
			{ attribute, valueType, subTypeA, subTypeB, access, flags, \
			  routing, range, NULL }
  #define MKACL_EX( attribute, valueType, subTypeA, subTypeB, access, flags, routing, range, allowed ) \
			{ attribute, valueType, subTypeA, subTypeB, access, flags, \
			  routing, range, allowed }

  /* End-of-ACL canary */
  #define MKACL_END() \
			{ CRYPT_ERROR, ATTRIBUTE_VALUE_NONE, 0, 0, ACCESS_xxx_xxx, \
			  0, 0, NULL, 0, 0, NULL }

  /* End-of-ACL marker, used to terminate variable-length sub-ACL lists.  The
     ST_ANY_A/B match ensures that it matches any object types */
  #define MKACL_END_SUBACL() \
			{ CRYPT_ERROR, ATTRIBUTE_VALUE_NONE, ST_ANY_A, ST_ANY_B, ACCESS_xxx_xxx, \
			  0, 0, NULL, 0, 0, NULL }
#else
  /* Standard ACL entries */
  #define MKACL_B( attribute, subTypeA, subTypeB, access, routing ) \
			{ ATTRIBUTE_VALUE_BOOLEAN, subTypeA, subTypeB, access, 0, \
			  routing, FALSE, TRUE, NULL }
  #define MKACL_N( attribute, subTypeA, subTypeB, access, routing, range ) \
			{ ATTRIBUTE_VALUE_NUMERIC, subTypeA, subTypeB, access, 0, \
			  routing, range, NULL }
  #define MKACL_S( attribute, subTypeA, subTypeB, access, routing, range ) \
			{ ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, access, 0, \
			  routing, range, NULL }
  #define MKACL_WCS( attribute, subTypeA, subTypeB, access, routing, range ) \
			{ ATTRIBUTE_VALUE_WCSTRING, subTypeA, subTypeB, access, 0, \
			  routing, range, NULL }
  #define MKACL_O( attribute, subTypeA, subTypeB, access, routing, type ) \
			{ ATTRIBUTE_VALUE_OBJECT, subTypeA, subTypeB, access, 0, \
			  routing, 0, 0, type }
  #define MKACL_T( attribute, subTypeA, subTypeB, access, routing ) \
			{ ATTRIBUTE_VALUE_TIME, subTypeA, subTypeB, access, 0, \
			  routing, 0, 0, NULL }
  #define MKACL_X( attribute, subTypeA, subTypeB, access, routing, subACL ) \
			{ ATTRIBUTE_VALUE_SPECIAL, subTypeA, subTypeB, access, 0, \
			  routing, RANGE_SUBTYPED, subACL }

  /* Extended types */
  #define MKACL_B_EX( attribute, subTypeA, subTypeB, access, flags, routing ) \
			{ ATTRIBUTE_VALUE_BOOLEAN, subTypeA, subTypeB, access, flags, \
			  routing, FALSE, TRUE, NULL }
  #define MKACL_N_EX( attribute, subTypeA, subTypeB, access, flags, routing, range ) \
			{ ATTRIBUTE_VALUE_NUMERIC, subTypeA, subTypeB, access, flags, \
			  routing, range, NULL }
  #define MKACL_S_EX( attribute, subTypeA, subTypeB, access, flags, routing, range ) \
			{ ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, access, flags, \
			  routing, range, NULL }
  #define MKACL_O_EX( attribute, subTypeA, subTypeB, access, flags, routing, type ) \
			{ ATTRIBUTE_VALUE_OBJECT, subTypeA, subTypeB, access, flags, \
			  routing, 0, 0, type }
  #define MKACL_X_EX( attribute, subTypeA, subTypeB, access, flags, routing, subACL ) \
			{ ATTRIBUTE_VALUE_SPECIAL, subTypeA, subTypeB, access, flags, \
			  routing, RANGE_SUBTYPED, subACL }

  /* General-purpose ACL macros */
  #define MKACL( attribute, valueType, subTypeA, subTypeB, access, flags, routing, range ) \
			{ valueType, subTypeA, subTypeB, access, flags, routing, range, NULL }
  #define MKACL_EX( attribute, valueType, subTypeA, subTypeB, access, flags, routing, range, allowed ) \
			{ valueType, subTypeA, subTypeB, access, flags, routing, range, allowed }

  /* End-of-ACL canary */
  #define MKACL_END() \
			{ ATTRIBUTE_VALUE_NONE, 0, 0, ACCESS_xxx_xxx, \
			  0, 0, NULL, 0, 0, NULL }

  /* End-of-ACL marker, used to terminate variable-length sub-ACL lists.  The
     ST_ANY_A/B match ensures that it matches any object types */
  #define MKACL_END_SUBACL() \
			{ ATTRIBUTE_VALUE_NONE, ST_ANY_A, ST_ANY_B, ACCESS_xxx_xxx, \
			  0, 0, NULL, 0, 0, NULL }
#endif /* NDEBUG */

/* The attribute ACLs are usually implemented as a lookup table, but in some
   cases we may use sparse ACLs to handle special-case situations where only
   a few attributes need to be checked.  In order to locate the appropriate
   ACL entry, the 'attribute' member (normally only used for debugging
   purposes) needs to be present.  To handle this, we define an alternative
   ACL entry entry type (and associated setup macros) that differs from the
   standard one in that the attribute member is present unconditionally.

   We have to be especially careful here because the parent type differs
   depending on whether it's a normal or debug build.  For the debug build
   the 'attribute' member is present at the start, for the release build
   it's absent so we place it at the end where it doesn't interfere with the
   other struct members */

typedef struct {
#ifndef NDEBUG
	const CRYPT_ATTRIBUTE_TYPE attribute;/* Attribute */
#endif /* !NDEBUG */
	const ATTRIBUTE_VALUE_TYPE valueType;/* Attribute value type */
	const OBJECT_SUBTYPE subTypeA, subTypeB;
	const int access;				/* Permitted access type */
	const int flags;				/* Attribute flags */
	const long routingTarget;		/* Target type if routable */
	int ( *routingFunction )( const int objectHandle, const long arg );
	const int lowRange;				/* Min/max allowed if numeric/boolean, */
	const int highRange;			/*	length if string */
	const void *extendedInfo;		/* Extended access information */
#ifdef NDEBUG
	const CRYPT_ATTRIBUTE_TYPE attribute;/* Attribute */
#endif /* NDEBUG */
	} ATTRIBUTE_ACL_ALT;

#ifndef NDEBUG
  #define MKACL_S_ALT( attribute, subTypeA, subTypeB, access, routing, range ) \
			{ attribute, ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, access, \
			  0, routing, range, NULL }
#else
  #define MKACL_S_ALT( attribute, subTypeA, subTypeB, access, routing, range ) \