1 /**************************************************************************** 2 * * 3 * ACL Definitions * 4 * Copyright Peter Gutmann 1997-2005 * 5 * * 6 ****************************************************************************/ 7 8 #ifndef _ACL_DEFINED 9 10 #define _ACL_DEFINED 11 12 /**************************************************************************** 13 * * 14 * Object Type Information * 15 * * 16 ****************************************************************************/ 17 18 /* Bit flags for specifying valid object subtypes. Since the full field names 19 are rather long, we define a shortened form (only visible within the ACL 20 definitions) that reduces the space required to define them */ 21 22 #define ST_CTX_CONV SUBTYPE_CTX_CONV 23 #define ST_CTX_PKC SUBTYPE_CTX_PKC 24 #define ST_CTX_HASH SUBTYPE_CTX_HASH 25 #define ST_CTX_MAC SUBTYPE_CTX_MAC 26 #define ST_CTX_GENERIC SUBTYPE_CTX_GENERIC 27 #define ST_CTX_ANY ( ST_CTX_CONV | ST_CTX_PKC | ST_CTX_HASH | \ 28 ST_CTX_MAC | ST_CTX_GENERIC ) 29 30 #define ST_CERT_CERT SUBTYPE_CERT_CERT 31 #define ST_CERT_CERTREQ SUBTYPE_CERT_CERTREQ 32 #define ST_CERT_REQ_CERT SUBTYPE_CERT_REQ_CERT 33 #define ST_CERT_REQ_REV SUBTYPE_CERT_REQ_REV 34 #define ST_CERT_CERTCHAIN SUBTYPE_CERT_CERTCHAIN 35 #define ST_CERT_ATTRCERT SUBTYPE_CERT_ATTRCERT 36 #define ST_CERT_CRL SUBTYPE_CERT_CRL 37 #define ST_CERT_CMSATTR SUBTYPE_CERT_CMSATTR 38 #define ST_CERT_RTCS_REQ SUBTYPE_CERT_RTCS_REQ 39 #define ST_CERT_RTCS_RESP SUBTYPE_CERT_RTCS_RESP 40 #define ST_CERT_OCSP_REQ SUBTYPE_CERT_OCSP_REQ 41 #define ST_CERT_OCSP_RESP SUBTYPE_CERT_OCSP_RESP 42 #define ST_CERT_PKIUSER SUBTYPE_CERT_PKIUSER 43 #define ST_CERT_ANY_CERT ( ST_CERT_CERT | ST_CERT_CERTREQ | \ 44 SUBTYPE_CERT_REQ_CERT | ST_CERT_CERTCHAIN ) 45 #define ST_CERT_ANY ( ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | \ 46 ST_CERT_REQ_REV | ST_CERT_CRL | \ 47 ST_CERT_CMSATTR | ST_CERT_RTCS_REQ | \ 48 ST_CERT_RTCS_RESP | ST_CERT_OCSP_REQ | \ 49 ST_CERT_OCSP_RESP | ST_CERT_PKIUSER ) 50 51 #define ST_KEYSET_FILE SUBTYPE_KEYSET_FILE 52 #define ST_KEYSET_FILE_PARTIAL SUBTYPE_KEYSET_FILE_PARTIAL 53 #define ST_KEYSET_FILE_RO SUBTYPE_KEYSET_FILE_READONLY 54 #define ST_KEYSET_DBMS SUBTYPE_KEYSET_DBMS 55 #define ST_KEYSET_DBMS_STORE SUBTYPE_KEYSET_DBMS_STORE 56 #define ST_KEYSET_HTTP SUBTYPE_KEYSET_HTTP 57 #define ST_KEYSET_LDAP SUBTYPE_KEYSET_LDAP 58 #define ST_KEYSET_ANY ( ST_KEYSET_FILE | SUBTYPE_KEYSET_FILE_PARTIAL | \ 59 ST_KEYSET_FILE_RO | ST_KEYSET_DBMS | \ 60 ST_KEYSET_DBMS_STORE | ST_KEYSET_HTTP | \ 61 ST_KEYSET_LDAP ) 62 63 #define ST_ENV_ENV SUBTYPE_ENV_ENV 64 #define ST_ENV_ENV_PGP SUBTYPE_ENV_ENV_PGP 65 #define ST_ENV_DEENV SUBTYPE_ENV_DEENV 66 #define ST_ENV_ANY ( ST_ENV_ENV | ST_ENV_ENV_PGP | ST_ENV_DEENV ) 67 68 #define ST_DEV_SYSTEM SUBTYPE_DEV_SYSTEM 69 #define ST_DEV_P11 SUBTYPE_DEV_PKCS11 70 #define ST_DEV_CAPI SUBTYPE_DEV_CRYPTOAPI 71 #define ST_DEV_HW SUBTYPE_DEV_HARDWARE 72 #define ST_DEV_ANY_STD ( ST_DEV_P11 | ST_DEV_CAPI | ST_DEV_HW ) 73 #define ST_DEV_ANY ( ST_DEV_ANY_STD | ST_DEV_SYSTEM ) 74 75 #define ST_SESS_SSH SUBTYPE_SESSION_SSH 76 #define ST_SESS_SSH_SVR SUBTYPE_SESSION_SSH_SVR 77 #define ST_SESS_SSL SUBTYPE_SESSION_SSL 78 #define ST_SESS_SSL_SVR SUBTYPE_SESSION_SSL_SVR 79 #define ST_SESS_RTCS SUBTYPE_SESSION_RTCS 80 #define ST_SESS_RTCS_SVR SUBTYPE_SESSION_RTCS_SVR 81 #define ST_SESS_OCSP SUBTYPE_SESSION_OCSP 82 #define ST_SESS_OCSP_SVR SUBTYPE_SESSION_OCSP_SVR 83 #define ST_SESS_TSP SUBTYPE_SESSION_TSP 84 #define ST_SESS_TSP_SVR SUBTYPE_SESSION_TSP_SVR 85 #define ST_SESS_CMP SUBTYPE_SESSION_CMP 86 #define ST_SESS_CMP_SVR SUBTYPE_SESSION_CMP_SVR 87 #define ST_SESS_SCEP SUBTYPE_SESSION_SCEP 88 #define ST_SESS_SCEP_SVR SUBTYPE_SESSION_SCEP_SVR 89 #define ST_SESS_CERT_SVR SUBTYPE_SESSION_CERT_SVR 90 #define ST_SESS_ANY_SVR ( ST_SESS_SSH_SVR | ST_SESS_SSL_SVR | \ 91 ST_SESS_RTCS_SVR | ST_SESS_OCSP_SVR | \ 92 ST_SESS_TSP_SVR | ST_SESS_CMP_SVR | \ 93 ST_SESS_SCEP_SVR | ST_SESS_CERT_SVR ) 94 #define ST_SESS_ANY_CLIENT ( ST_SESS_SSH | ST_SESS_SSL | ST_SESS_RTCS | \ 95 ST_SESS_OCSP | ST_SESS_TSP | ST_SESS_CMP | \ 96 ST_SESS_SCEP ) 97 #define ST_SESS_ANY_DATA ( ST_SESS_SSH | ST_SESS_SSH_SVR | \ 98 ST_SESS_SSL | ST_SESS_SSL_SVR ) 99 #define ST_SESS_ANY_REQRESP ( ST_SESS_RTCS | ST_SESS_RTCS_SVR | \ 100 ST_SESS_OCSP | ST_SESS_OCSP_SVR | \ 101 ST_SESS_TSP | ST_SESS_TSP_SVR | \ 102 ST_SESS_CMP | ST_SESS_CMP_SVR | \ 103 ST_SESS_SCEP | ST_SESS_SCEP_SVR | \ 104 ST_SESS_CERT_SVR ) 105 #define ST_SESS_ANY_SEC ( ST_SESS_ANY_DATA | \ 106 ST_SESS_CMP | ST_SESSION_CMP_SVR ) 107 #define ST_SESS_ANY ( ST_SESS_ANY_CLIENT | ST_SESS_ANY_SVR ) 108 109 #define ST_USER_NORMAL SUBTYPE_USER_NORMAL 110 #define ST_USER_SO SUBTYPE_USER_SO 111 #define ST_USER_CA SUBTYPE_USER_CA 112 #define ST_USER_ANY ( ST_USER_NORMAL | ST_USER_SO | ST_USER_CA ) 113 114 /* Subtype values that allow access for any object subtype and for no 115 object subtypes */ 116 117 #define ST_ANY_A ( ST_CTX_ANY | ST_CERT_ANY ) 118 #define ST_ANY_B ( ST_ENV_ANY | ST_KEYSET_ANY | ST_DEV_ANY ) 119 #define ST_ANY_C ( ST_SESS_ANY | ST_USER_ANY ) 120 #define ST_NONE 0 121 122 /**************************************************************************** 123 * * 124 * Access Permission Information * 125 * * 126 ****************************************************************************/ 127 128 #if defined( INC_ALL ) 129 #include "acl_perm.h" 130 #else 131 #include "kernel/acl_perm.h" 132 #endif /* Compiler-specific includes */ 133 134 /**************************************************************************** 135 * * 136 * Routing Information * 137 * * 138 ****************************************************************************/ 139 140 /* Routing types, which specify the routing used for the message. This 141 routing applies not only for attribute manipulation messages but for all 142 messages in general, so that some of the routing types defined below only 143 apply for non-attribute messages. The routing types are: 144 145 ROUTE_NONE 146 Not routed (the message or attribute is valid for any object type). 147 148 ROUTE( target ) 149 ROUTE_ALT( target, altTarget ) 150 ROUTE_ALT2( target, altTarget1, altTarget2 ) 151 Fixed-target messages always routed to a particular object type or 152 set of types (e.g. a certificate attribute is always routed to a 153 certificate object; a generate key message is always routed to a 154 context). In some cases alternative targets are possible, e.g. a 155 get-key message can be sent to a keyset or a device. 156 157 ROUTE_FIXED( target ) 158 ROUTE_FIXED_ALT( target, altTarget ) 159 Not routed, but checked to make sure that they're addressed to the 160 required target type. These message types aren't routed because 161 they're specific to a particular object and are explicitly 162 unroutable. For example, a get key message sent to a cert or 163 context tied to a device shouldn't be forwarded on to the device, 164 since it would result in the cert acting as a keyset. This is 165 theoretically justifiable - "Get me another cert from the same place 166 that this one came from" - but it's stretching the orthogonality of 167 objects a bit far. 168 169 ROUTE_IMPLICIT 170 For object attribute manipulation messages, implicitly routed by 171 attribute type. 172 173 ROUTE_SPECIAL( routingFunction ) 174 Special-case, message-dependent routing */ 175 176 #define ROUTE_NONE \ 177 OBJECT_TYPE_NONE, NULL 178 #define ROUTE( target ) \ 179 ( target ), findTargetType 180 #define ROUTE_ALT( target, altTarget ) \ 181 ( target ) | ( ( altTarget ) << 8 ), findTargetType 182 #define ROUTE_ALT2( target, altTarget1, altTarget2 ) \ 183 ( target ) | ( ( altTarget1 ) << 8 ) | ( ( altTarget2 ) << 16 ), findTargetType 184 #define ROUTE_FIXED( target ) \ 185 ( target ), checkTargetType 186 #define ROUTE_FIXED_ALT( target, altTarget ) \ 187 ( target ) | ( ( altTarget ) << 8 ), checkTargetType 188 #define ROUTE_IMPLICIT \ 189 OBJECT_TYPE_LAST, findTargetType 190 #define ROUTE_SPECIAL( function ) \ 191 OBJECT_TYPE_NONE, ( route##function ) 192 193 /* Macros to determine which type of routing to apply */ 194 195 #define isImplicitRouting( target ) ( ( target ) == OBJECT_TYPE_LAST ) 196 #define isExplicitRouting( target ) ( ( target ) == OBJECT_TYPE_NONE ) 197 198 /**************************************************************************** 199 * * 200 * Value Range Information * 201 * * 202 ****************************************************************************/ 203 204 /* The value range (for numeric or boolean values) or length range (for 205 variable-length data). Some values aren't amenable to a simple range 206 check so we also allow various extended types of checking. To denote that 207 an extended check needs to be performed, we set the low range value to 208 RANGE_EXT_MARKER and the high range value to an indicator of the type of 209 check to be performed. The range types are: 210 211 RANGE_ANY 212 Allow any value 213 RANGE_ALLOWEDVALUES 214 extendedInfo contains int [] of allowed values, terminated by 215 CRYPT_ERROR 216 RANGE_SUBRANGES 217 extendedInfo contains subrange [] of allowed subranges, terminated 218 by { CRYPT_ERROR, CRYPT_ERROR } 219 RANGE_SUBTYPED 220 extendedInfo contains sub-acl [] of object type-specific sub-ACLs. 221 The main ACL is only used as a general template for checks, the real 222 checking is done via recursive application of the sub-ACL for the 223 specific object sub-type */ 224 225 typedef enum { 226 RANGEVAL_NONE, /* No range type */ 227 RANGEVAL_ANY, /* Any value allowed */ 228 RANGEVAL_ALLOWEDVALUES, /* List of permissible values */ 229 RANGEVAL_SUBRANGES, /* List of permissible subranges */ 230 RANGEVAL_SUBTYPED, /* Object-subtype-specific sub-ACL */ 231 RANGEVAL_LAST /* Last valid range type */ 232 } RANGEVAL_TYPE; 233 234 #define RANGE_EXT_MARKER ( -1000 )/* Marker to denote extended range value */ 235 236 #define RANGE_ANY RANGE_EXT_MARKER, RANGEVAL_ANY 237 #define RANGE_ALLOWEDVALUES RANGE_EXT_MARKER, RANGEVAL_ALLOWEDVALUES 238 #define RANGE_SUBRANGES RANGE_EXT_MARKER, RANGEVAL_SUBRANGES 239 #define RANGE_SUBTYPED RANGE_EXT_MARKER, RANGEVAL_SUBTYPED 240 #define RANGE( low, high ) ( low ), ( high ) 241 242 /* The maximum possible integer value, used to indicate that any value is 243 allowed (e.g. when returning device-specific error codes). Note that 244 this differs from the MAX_INTLENGTH value defined in crypt.h, which 245 defines the maximum data length value that can be safely specified by a 246 signed integer */ 247 248 #define RANGE_MAX ( INT_MAX - 128 ) 249 250 /* Data structures to contain special-case range information */ 251 252 typedef struct { const int lowRange, highRange; } RANGE_SUBRANGE_TYPE; 253 254 /* Macro to check whether it's an extended range and to extract the special 255 range type */ 256 257 #define isSpecialRange( attributeACL ) \ 258 ( ( attributeACL )->lowRange == RANGE_EXT_MARKER ) 259 #define getSpecialRangeType( attributeACL ) ( ( attributeACL )->highRange ) 260 #define getSpecialRangeInfo( attributeACL ) ( ( attributeACL )->extendedInfo ) 261 262 /**************************************************************************** 263 * * 264 * ACL Flags * 265 * * 266 ****************************************************************************/ 267 268 /* Flags for attribute ACLs: 269 270 FLAG_OBJECTPROPERTY 271 This is an object property attribute which is handled by the kernel 272 rather than being forwarded to the object. 273 274 FLAG_TRIGGER 275 Successfully setting this attribute triggers a change from the low to 276 the high state */ 277 278 #define ATTRIBUTE_FLAG_NONE 0x00 279 #define ATTRIBUTE_FLAG_PROPERTY 0x01 280 #define ATTRIBUTE_FLAG_TRIGGER 0x02 281 #define ATTRIBUTE_FLAG_LAST 0x04 282 283 /* Miscellaneous ACL flags: 284 285 FLAG_LOW_STATE 286 FLAG_HIGH_STATE 287 FLAG_ANY_STATE 288 Whether the object should be in a particular state. 289 290 FLAG_ROUTE_TO_CTX 291 FLAG_ROUTE_TO_CERT 292 Whether routing should be applied to an object to locate an 293 underlying object (e.g. a PKC object for a certificate or a 294 certificate for a PKC object). The need to apply routing is 295 unfortunate but is required in order to apply the subtype check to 296 PKC/cert objects, sorting out which (pre-routed) object types are 297 permissible is beyond the scope of the ACL validation routines, 298 which would have to take into consideration the intricacies of all 299 manner of certificate objects paired with public and private keys */ 300 301 #define ACL_FLAG_NONE 0x00 302 #define ACL_FLAG_LOW_STATE 0x01 303 #define ACL_FLAG_HIGH_STATE 0x02 304 #define ACL_FLAG_ANY_STATE 0x03 305 #define ACL_FLAG_ROUTE_TO_CTX 0x04 306 #define ACL_FLAG_ROUTE_TO_CERT 0x08 307 308 #define ACL_FLAG_MASK 0x0F 309 #define ACL_FLAG_STATE_MASK 0x03 310 311 /* Macros to check the misc.ACL flags */ 312 313 #define checkObjectState( flags, objectHandle ) \ 314 ( ( ( flags & ACL_FLAG_LOW_STATE ) && \ 315 !isInHighState( objectHandle ) ) || \ 316 ( ( flags & ACL_FLAG_HIGH_STATE ) && \ 317 isInHighState( objectHandle ) ) ) 318 319 /**************************************************************************** 320 * * 321 * Attribute ACL Definitions * 322 * * 323 ****************************************************************************/ 324 325 /* The attribute's type, for attribute ACLs. The basic values are boolean, 326 numeric, or byte string, there are also some special types such as object 327 handles that place extra constraints on the attribute */ 328 329 typedef enum { 330 ATTRIBUTE_VALUE_NONE, /* Non-value */ 331 ATTRIBUTE_VALUE_BOOLEAN, /* Boolean flag */ 332 ATTRIBUTE_VALUE_NUMERIC, /* Numeric value */ 333 ATTRIBUTE_VALUE_STRING, /* Byte string */ 334 ATTRIBUTE_VALUE_WCSTRING, /* (Possible) widechar string */ 335 ATTRIBUTE_VALUE_OBJECT, /* Object handle */ 336 ATTRIBUTE_VALUE_TIME, /* Timestamp */ 337 ATTRIBUTE_VALUE_SPECIAL, /* Special-case value with sub-ACLs */ 338 ATTRIBUTE_VALUE_LAST /* Last attribute value type */ 339 } ATTRIBUTE_VALUE_TYPE; 340 341 /* Attribute ACL entry. If the code is compiled in debug mode, we also add 342 the attribute type, which is used for an internal consistency check */ 343 344 typedef CHECK_RETVAL STDC_NONNULL_ARG( ( 2 ) ) \ 345 int ( *ROUTING_FUNCTION )( IN_HANDLE \ 346 const CRYPT_HANDLE originalObjectHandle, 347 OUT_HANDLE_OPT \ 348 CRYPT_HANDLE *targetObjectHandle, 349 const long targets ); 350 351 typedef struct { 352 #ifndef NDEBUG 353 /* The attribute type, used for consistency checking */ 354 const CRYPT_ATTRIBUTE_TYPE attribute;/* Attribute */ 355 #endif /* NDEBUG */ 356 357 /* Attribute type checking information: The attribute value type and 358 object subtypes for which the attribute is valid */ 359 const ATTRIBUTE_VALUE_TYPE valueType;/* Attribute value type */ 360 const OBJECT_SUBTYPE subTypeA, subTypeB, subTypeC; 361 /* Object subtypes for which attr.valid */ 362 363 /* Access information: The type of access and object states that are 364 permitted, and attribute flags for this attribute */ 365 const int access; /* Permitted access type */ 366 const int flags; /* Attribute flags */ 367 368 /* Routing information: The object type (or types, packed into a single 369 value if there are more than one type) that the attribute applies to, 370 and the routing function applied to the attribute message */ 371 const long routingTarget; /* Target type(s) if routable */ 372 ROUTING_FUNCTION routingFunction; 373 374 /* Attribute value checking information */ 375 const int lowRange; /* Min/max allowed if numeric/boolean, */ 376 #ifdef SYSTEM_16BIT 377 const long highRange; /* length if string */ 378 #else 379 const int highRange; /* length if string */ 380 #endif /* 16- vs. 32-bit systems */ 381 const void *extendedInfo; /* Extended ACL/checking information */ 382 } ATTRIBUTE_ACL; 383 384 /* Macros to set up attribute ACL's. We have one for each of the basic types 385 and two general-purpose ones that provide more control over the values */ 386 387 #ifndef NDEBUG 388 /* Standard ACL entries */ 389 #define MKACL_B( attribute, subTypeA, subTypeB, subTypeC, access, routing ) \ 390 { attribute, ATTRIBUTE_VALUE_BOOLEAN, subTypeA, subTypeB, subTypeC, access, \ 391 0, routing, FALSE, TRUE, NULL } 392 #define MKACL_N( attribute, subTypeA, subTypeB, subTypeC, access, routing, range ) \ 393 { attribute, ATTRIBUTE_VALUE_NUMERIC, subTypeA, subTypeB, subTypeC, access, \ 394 0, routing, range, NULL } 395 #define MKACL_S( attribute, subTypeA, subTypeB, subTypeC, access, routing, range ) \ 396 { attribute, ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, subTypeC, access, \ 397 0, routing, range, NULL } 398 #define MKACL_WCS( attribute, subTypeA, subTypeB, subTypeC, access, routing, range ) \ 399 { attribute, ATTRIBUTE_VALUE_WCSTRING, subTypeA, subTypeB, subTypeC, access, \ 400 0, routing, range, NULL } 401 #define MKACL_O( attribute, subTypeA, subTypeB, subTypeC, access, routing, type ) \ 402 { attribute, ATTRIBUTE_VALUE_OBJECT, subTypeA, subTypeB, subTypeC, access, \ 403 0, routing, 0, 0, type } 404 #define MKACL_T( attribute, subTypeA, subTypeB, subTypeC, access, routing ) \ 405 { attribute, ATTRIBUTE_VALUE_TIME, subTypeA, subTypeB, subTypeC, access, \ 406 0, routing, 0, 0, NULL } 407 #define MKACL_X( attribute, subTypeA, subTypeB, subTypeC, access, routing, subACL ) \ 408 { attribute, ATTRIBUTE_VALUE_SPECIAL, subTypeA, subTypeB, subTypeC, access, \ 409 0, routing, RANGE_SUBTYPED, subACL } 410 411 /* Extended types */ 412 #define MKACL_B_EX( attribute, subTypeA, subTypeB, subTypeC, access, flags, routing ) \ 413 { attribute, ATTRIBUTE_VALUE_BOOLEAN, subTypeA, subTypeB, subTypeC, access, \ 414 flags, routing, FALSE, TRUE, NULL } 415 #define MKACL_N_EX( attribute, subTypeA, subTypeB, subTypeC, access, flags, routing, range ) \ 416 { attribute, ATTRIBUTE_VALUE_NUMERIC, subTypeA, subTypeB, subTypeC, access, \ 417 flags, routing, range, NULL } 418 #define MKACL_S_EX( attribute, subTypeA, subTypeB, subTypeC, access, flags, routing, range ) \ 419 { attribute, ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, subTypeC, access, \ 420 flags, routing, range, NULL } 421 #define MKACL_O_EX( attribute, subTypeA, subTypeB, subTypeC, access, flags, routing, type ) \ 422 { attribute, ATTRIBUTE_VALUE_OBJECT, subTypeA, subTypeB, subTypeC, access, \ 423 flags, routing, 0, 0, type } 424 #define MKACL_X_EX( attribute, subTypeA, subTypeB, subTypeC, access, flags, routing, subACL ) \ 425 { attribute, ATTRIBUTE_VALUE_SPECIAL, subTypeA, subTypeB, subTypeC, access, \ 426 flags, routing, RANGE_SUBTYPED, subACL } 427 428 /* General-purpose ACL macros */ 429 #define MKACL( attribute, valueType, subTypeA, subTypeB, subTypeC, access, flags, routing, range ) \ 430 { attribute, valueType, subTypeA, subTypeB, subTypeC, access, flags, \ 431 routing, range, NULL } 432 #define MKACL_EX( attribute, valueType, subTypeA, subTypeB, subTypeC, access, flags, routing, range, allowed ) \ 433 { attribute, valueType, subTypeA, subTypeB, subTypeC, access, flags, \ 434 routing, range, allowed } 435 436 /* End-of-ACL canary */ 437 #define MKACL_END() \ 438 { CRYPT_ERROR, ATTRIBUTE_VALUE_NONE, 0, 0, 0, ACCESS_xxx_xxx, \ 439 0, 0, NULL, 0, 0, NULL } 440 441 /* End-of-ACL marker, used to terminate variable-length sub-ACL lists. The 442 ST_ANY_A/B/C match ensures that it matches any object types */ 443 #define MKACL_END_SUBACL() \ 444 { CRYPT_ERROR, ATTRIBUTE_VALUE_NONE, ST_ANY_A, ST_ANY_B, ST_ANY_C, ACCESS_xxx_xxx, \ 445 0, 0, NULL, 0, 0, NULL } 446 #else 447 /* Standard ACL entries */ 448 #define MKACL_B( attribute, subTypeA, subTypeB, subTypeC, access, routing ) \ 449 { ATTRIBUTE_VALUE_BOOLEAN, subTypeA, subTypeB, subTypeC, access, 0, \ 450 routing, FALSE, TRUE, NULL } 451 #define MKACL_N( attribute, subTypeA, subTypeB, subTypeC, access, routing, range ) \ 452 { ATTRIBUTE_VALUE_NUMERIC, subTypeA, subTypeB, subTypeC, access, 0, \ 453 routing, range, NULL } 454 #define MKACL_S( attribute, subTypeA, subTypeB, subTypeC, access, routing, range ) \ 455 { ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, subTypeC, access, 0, \ 456 routing, range, NULL } 457 #define MKACL_WCS( attribute, subTypeA, subTypeB, subTypeC, access, routing, range ) \ 458 { ATTRIBUTE_VALUE_WCSTRING, subTypeA, subTypeB, subTypeC, access, 0, \ 459 routing, range, NULL } 460 #define MKACL_O( attribute, subTypeA, subTypeB, subTypeC, access, routing, type ) \ 461 { ATTRIBUTE_VALUE_OBJECT, subTypeA, subTypeB, subTypeC, access, 0, \ 462 routing, 0, 0, type } 463 #define MKACL_T( attribute, subTypeA, subTypeB, subTypeC, access, routing ) \ 464 { ATTRIBUTE_VALUE_TIME, subTypeA, subTypeB, subTypeC, access, 0, \ 465 routing, 0, 0, NULL } 466 #define MKACL_X( attribute, subTypeA, subTypeB, subTypeC, access, routing, subACL ) \ 467 { ATTRIBUTE_VALUE_SPECIAL, subTypeA, subTypeB, subTypeC, access, 0, \ 468 routing, RANGE_SUBTYPED, subACL } 469 470 /* Extended types */ 471 #define MKACL_B_EX( attribute, subTypeA, subTypeB, subTypeC, access, flags, routing ) \ 472 { ATTRIBUTE_VALUE_BOOLEAN, subTypeA, subTypeB, subTypeC, access, flags, \ 473 routing, FALSE, TRUE, NULL } 474 #define MKACL_N_EX( attribute, subTypeA, subTypeB, subTypeC, access, flags, routing, range ) \ 475 { ATTRIBUTE_VALUE_NUMERIC, subTypeA, subTypeB, subTypeC, access, flags, \ 476 routing, range, NULL } 477 #define MKACL_S_EX( attribute, subTypeA, subTypeB, subTypeC, access, flags, routing, range ) \ 478 { ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, subTypeC, access, flags, \ 479 routing, range, NULL } 480 #define MKACL_O_EX( attribute, subTypeA, subTypeB, subTypeC, access, flags, routing, type ) \ 481 { ATTRIBUTE_VALUE_OBJECT, subTypeA, subTypeB, subTypeC, access, flags, \ 482 routing, 0, 0, type } 483 #define MKACL_X_EX( attribute, subTypeA, subTypeB, subTypeC, access, flags, routing, subACL ) \ 484 { ATTRIBUTE_VALUE_SPECIAL, subTypeA, subTypeB, subTypeC, access, flags, \ 485 routing, RANGE_SUBTYPED, subACL } 486 487 /* General-purpose ACL macros */ 488 #define MKACL( attribute, valueType, subTypeA, subTypeB, subTypeC, access, flags, routing, range ) \ 489 { valueType, subTypeA, subTypeB, subTypeC, access, flags, routing, range, NULL } 490 #define MKACL_EX( attribute, valueType, subTypeA, subTypeB, subTypeC, access, flags, routing, range, allowed ) \ 491 { valueType, subTypeA, subTypeB, subTypeC, access, flags, routing, range, allowed } 492 493 /* End-of-ACL canary */ 494 #define MKACL_END() \ 495 { ATTRIBUTE_VALUE_NONE, 0, 0, 0, ACCESS_xxx_xxx, \ 496 0, 0, NULL, 0, 0, NULL } 497 498 /* End-of-ACL marker, used to terminate variable-length sub-ACL lists. The 499 ST_ANY_A/B/C match ensures that it matches any object types */ 500 #define MKACL_END_SUBACL() \ 501 { ATTRIBUTE_VALUE_NONE, ST_ANY_A, ST_ANY_B, ST_ANY_C, ACCESS_xxx_xxx, \ 502 0, 0, NULL, 0, 0, NULL } 503 #endif /* NDEBUG */ 504 505 /* The attribute ACLs are usually implemented as a lookup table, but in some 506 cases we may use sparse ACLs to handle special-case situations where only 507 a few attributes need to be checked. In order to locate the appropriate 508 ACL entry, the 'attribute' member (normally only used for debugging 509 purposes) needs to be present. To handle this, we define an alternative 510 ACL entry entry type (and associated setup macros) that differs from the 511 standard one in that the attribute member is present unconditionally. 512 513 In addition to this, the "attribute" being checked may not be a standard 514 attribute but some other enumerated type, so we have to make the 515 supposed attribute a typeless 'int' to avoid type-conversion issues 516 (CRYPT_ATTRIBUTE_TYPE has an artificial member set to INT_MAX to make 517 sure that it's the same size as an integer for compilers with variable- 518 width enums). 519 520 We have to be especially careful here because the parent type differs 521 depending on whether it's a normal or debug build. For the debug build 522 the 'attribute' member is present at the start, for the release build 523 it's absent so we place it at the end where it doesn't interfere with the 524 other struct members */ 525 526 typedef struct { 527 #ifndef NDEBUG 528 const int /*CRYPT_ATTRIBUTE_TYPE*/ attribute;/* Attribute */ 529 #endif /* !NDEBUG */ 530 const ATTRIBUTE_VALUE_TYPE valueType;/* Attribute value type */ 531 const OBJECT_SUBTYPE subTypeA, subTypeB, subTypeC; 532 const int access; /* Permitted access type */ 533 const int flags; /* Attribute flags */ 534 const long routingTarget; /* Target type if routable */ 535 ROUTING_FUNCTION routingFunction; 536 const int lowRange; /* Min/max allowed if numeric/boolean, */ 537 const int highRange; /* length if string */ 538 const void *extendedInfo; /* Extended access information */ 539 #ifdef NDEBUG 540 const int /*CRYPT_ATTRIBUTE_TYPE*/ attribute;/* Attribute */ 541 #endif /* NDEBUG */ 542 } ATTRIBUTE_ACL_ALT; 543 544 #ifndef NDEBUG 545 #define MKACL_S_ALT( attribute, subTypeA, subTypeB, subTypeC, access, routing, range ) \ 546 { attribute, ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, subTypeC, access, \ 547 0, routing, range, NULL } 548 #else 549 #define MKACL_S_ALT( attribute, subTypeA, subTypeB, subTypeC, access, routing, range ) \ 550 { ATTRIBUTE_VALUE_STRING, subTypeA, subTypeB, subTypeC, access, 0, \ 551 routing, range, NULL, attribute } 552 #endif /* !NDEBUG */ 553 554 /**************************************************************************** 555 * * 556 * Keyset ACL Definitions * 557 * * 558 ****************************************************************************/ 559 560 /* Key management ACL entry */ 561 562 typedef struct { 563 /* The item type */ 564 const KEYMGMT_ITEM_TYPE itemType;/* Key management item type */ 565 566 /* Valid keyset types and access types for this item type. This is a 567 matrix giving keyset types for which read/write/delete (R/W/D), 568 getFirst/Next (FN), and query (Q) access are valid */ 569 const OBJECT_SUBTYPE keysetR_subTypeA, keysetR_subTypeB, keysetR_subTypeC; 570 const OBJECT_SUBTYPE keysetW_subTypeA, keysetW_subTypeB, keysetW_subTypeC; 571 const OBJECT_SUBTYPE keysetD_subTypeA, keysetD_subTypeB, keysetD_subTypeC; 572 const OBJECT_SUBTYPE keysetFN_subTypeA, keysetFN_subTypeB, keysetFN_subTypeC; 573 const OBJECT_SUBTYPE keysetQ_subTypeA, keysetQ_subTypeB, keysetQ_subTypeC; 574 575 /* Permitted object types, key IDs, and key management flags for this 576 item type */ 577 const OBJECT_SUBTYPE objSubTypeA, objSubTypeB, objSubTypeC; 578 /* Permitted object types for item */ 579 const CRYPT_KEYID_TYPE *allowedKeyIDs; /* Permitted key IDs */ 580 const int allowedFlags; /* Permitted key management flags */ 581 582 /* Parameter flags for the mechanism information. These define which 583 types of optional/mandatory parameters can and can't be present, 584 using an extended form of the ACCESS_xxx flags to indicate whether 585 the parameter is required or not/permitted or not for read, write, 586 and delete messages */ 587 const int idUseFlags; /* ID required/not permitted */ 588 const int pwUseFlags; /* Password required/not permitted */ 589 590 /* In the case of public/private keys the general-purpose ACL entries 591 aren't quite specific enough since some keysets require specific 592 types of certificates while others require generic public-key objects. 593 In the latter case they can have almost any kind of certificate object 594 attached, which doesn't matter when we're interested only in the 595 public key but does matter if we want a specific type of cert. If we 596 want a specific cert type, we specify the subset of keysets that this 597 applies to and the cert type(s) here */ 598 const OBJECT_SUBTYPE specificKeysetSubTypeA, specificKeysetSubTypeB, \ 599 specificKeysetSubTypeC; 600 const OBJECT_SUBTYPE specificObjSubTypeA, specificObjSubTypeB, \ 601 specificObjSubTypeC; 602 } KEYMGMT_ACL; 603 604 /* Macros to set up key management ACLs. The basic form treats the RWD and 605 FnQ groups as one value, the _RWD form specifies individual RWD and FnQ 606 values, and the _EX form adds special-case checking for specific object 607 types that must be written to some keyset types */ 608 609 #define MK_KEYACL( itemType, keysetRWDSubType, keysetFNQSubType, \ 610 objectSubType, keyIDs, flags, idUseFlags, pwUseFlags ) \ 611 { itemType, ST_NONE, keysetRWDSubType, ST_NONE, \ 612 ST_NONE, keysetRWDSubType, ST_NONE, \ 613 ST_NONE, keysetRWDSubType, ST_NONE, \ 614 ST_NONE, keysetFNQSubType, ST_NONE, \ 615 ST_NONE, keysetFNQSubType, ST_NONE, \ 616 objectSubType, ST_NONE, ST_NONE, \ 617 keyIDs, flags, idUseFlags, pwUseFlags, \ 618 ST_NONE, ST_NONE, ST_NONE, ST_NONE, ST_NONE, ST_NONE } 619 #define MK_KEYACL_RWD( itemType, keysetR_SubType, keysetW_SubType, keysetD_SubType, \ 620 keysetFN_SubType, keysetQ_SubType, objectSubType, keyIDs, \ 621 flags, idUseFlags, pwUseFlags ) \ 622 { itemType, ST_NONE, keysetR_SubType, ST_NONE, \ 623 ST_NONE, keysetW_SubType, ST_NONE, \ 624 ST_NONE, keysetD_SubType, ST_NONE, \ 625 ST_NONE, keysetFN_SubType, ST_NONE, \ 626 ST_NONE, keysetQ_SubType, ST_NONE, \ 627 objectSubType, ST_NONE, ST_NONE, \ 628 keyIDs, flags, idUseFlags, pwUseFlags, \ 629 ST_NONE, ST_NONE, ST_NONE, ST_NONE, ST_NONE, ST_NONE } 630 #define MK_KEYACL_EX( itemType, keysetR_SubType, keysetW_SubType, keysetD_SubType, \ 631 keysetFN_SubType, keysetQ_SubType, objectSubType, keyIDs, \ 632 flags, idUseFlags, pwUseFlags, specificKeysetType, \ 633 specificObjectType ) \ 634 { itemType, ST_NONE, keysetR_SubType, ST_NONE, \ 635 ST_NONE, keysetW_SubType, ST_NONE, \ 636 ST_NONE, keysetD_SubType, ST_NONE, \ 637 ST_NONE, keysetFN_SubType, ST_NONE, \ 638 ST_NONE, keysetQ_SubType, ST_NONE, \ 639 objectSubType, ST_NONE, ST_NONE, \ 640 keyIDs, flags, idUseFlags, pwUseFlags, \ 641 ST_NONE, specificKeysetType, ST_NONE, \ 642 specificObjectType, ST_NONE, ST_NONE } 643 644 /**************************************************************************** 645 * * 646 * Parameter ACL Definitions * 647 * * 648 ****************************************************************************/ 649 650 /* The parameter's type. The basic values are boolean, numeric, or byte 651 string, there are also some special types such as object handles that 652 place extra constraints on the attribute */ 653 654 typedef enum { 655 PARAM_VALUE_NONE, /* Non-value */ 656 PARAM_VALUE_NUMERIC, /* Numeric value */ 657 PARAM_VALUE_STRING, /* Byte string */ 658 PARAM_VALUE_STRING_OPT, /* Byte string or (NULL, 0) */ 659 PARAM_VALUE_STRING_NONE, /* Empty (NULL, 0) string */ 660 PARAM_VALUE_OBJECT, /* Object handle */ 661 PARAM_VALUE_LAST /* Last valid parameter type */ 662 } PARAM_VALUE_TYPE; 663 664 /* Parameter ACL entry, which defines the type and valid values for a 665 message parameter. This ACL type is used as a sub-ACL in a variety of 666 other kernel ACLs */ 667 668 typedef struct { 669 const PARAM_VALUE_TYPE valueType;/* Parameter value type */ 670 const int lowRange, highRange; /* Min/max value or length */ 671 const OBJECT_SUBTYPE subTypeA, subTypeB, subTypeC; 672 /* Object subtypes for which param.valid */ 673 const int flags; /* ACL flags */ 674 } PARAM_ACL; 675 676 /* Macros to set up parameter ACLs */ 677 678 #define MKACP_B() \ 679 { PARAM_VALUE_NUMERIC, FALSE, TRUE, 0, 0, 0, 0 } 680 #define MKACP_N( min, max ) \ 681 { PARAM_VALUE_NUMERIC, min, max, 0, 0, 0, 0 } 682 #define MKACP_N_FIXED( value ) \ 683 { PARAM_VALUE_NUMERIC, value, value, 0, 0, 0, 0 } 684 #define MKACP_S( minLen, maxLen ) \ 685 { PARAM_VALUE_STRING, minLen, maxLen, 0, 0, 0, 0 } 686 #define MKACP_S_OPT( minLen, maxLen ) \ 687 { PARAM_VALUE_STRING_OPT, minLen, maxLen, 0, 0, 0, 0 } 688 #define MKACP_S_NONE() \ 689 { PARAM_VALUE_STRING_NONE, 0, 0, 0, 0, 0, 0 } 690 #define MKACP_O( subTypeA, flags ) \ 691 { PARAM_VALUE_OBJECT, 0, 0, subTypeA, ST_NONE, ST_NONE, flags } 692 693 /* End-of-mechanism-ACL marker */ 694 695 #define MKACP_END() \ 696 { PARAM_VALUE_NONE, 0, 0, 0, 0, 0 } 697 698 /* Macro to access the parameter ACL information for a given parameter in a 699 list of parameter ACLs */ 700 701 #define paramInfo( parentACL, paramNo ) parentACL->paramACL[ paramNo ] 702 703 /* Macro to get the subtype of an object */ 704 705 #define objectST( objectHandle ) objectTable[ objectHandle ].subType 706 707 /* Macros to check each parameter against a parameter ACL entry */ 708 709 #define checkParamNumeric( paramACL, value ) \ 710 ( paramACL.valueType == PARAM_VALUE_NUMERIC && \ 711 ( value >= paramACL.lowRange && value <= paramACL.highRange ) ) 712 713 #define checkParamString( paramACL, data, dataLen ) \ 714 ( ( ( paramACL.valueType == PARAM_VALUE_STRING_NONE || \ 715 paramACL.valueType == PARAM_VALUE_STRING_OPT ) && \ 716 data == NULL && dataLen == 0 ) || \ 717 ( ( paramACL.valueType == PARAM_VALUE_STRING || \ 718 paramACL.valueType == PARAM_VALUE_STRING_OPT ) && \ 719 ( dataLen >= paramACL.lowRange && \ 720 dataLen <= paramACL.highRange ) && \ 721 isReadPtr( data, dataLen ) ) ) 722 723 #define checkParamObject( paramACL, objectHandle ) \ 724 ( ( paramACL.valueType == PARAM_VALUE_NUMERIC && \ 725 paramACL.lowRange == CRYPT_UNUSED && \ 726 objectHandle == CRYPT_UNUSED ) || \ 727 ( paramACL.valueType == PARAM_VALUE_OBJECT && \ 728 ( ( paramACL.subTypeA & objectST( objectHandle ) ) == \ 729 objectST( objectHandle ) || \ 730 ( paramACL.subTypeB & objectST( objectHandle ) ) == \ 731 objectST( objectHandle ) || \ 732 ( paramACL.subTypeC & objectST( objectHandle ) ) == \ 733 objectST( objectHandle ) ) && \ 734 checkObjectState( paramACL.flags, objectHandle ) ) ) 735 736 /**************************************************************************** 737 * * 738 * Misc.ACL Definitions * 739 * * 740 ****************************************************************************/ 741 742 /* Object ACL entry for object parameters for messages. This is used as a 743 composite entry in various ACLs that apply to objects */ 744 745 typedef struct { 746 const OBJECT_SUBTYPE subTypeA, subTypeB, subTypeC; 747 /* Object subtypes for which attr.valid */ 748 const int flags; /* ACL flags */ 749 } OBJECT_ACL; 750 751 /* Message ACL entry */ 752 753 typedef struct { 754 const MESSAGE_TYPE type; /* Message type */ 755 const OBJECT_ACL objectACL; /* Valid objects for message type */ 756 } MESSAGE_ACL; 757 758 /* Mechanism ACL entry */ 759 760 typedef struct { 761 const MECHANISM_TYPE type; /* Mechanism type */ 762 const PARAM_ACL paramACL[ 6 ]; /* Parameter ACL information */ 763 } MECHANISM_ACL; 764 765 /* Create-object ACL entry */ 766 767 typedef struct CRA { 768 const OBJECT_TYPE type; /* Object type */ 769 const PARAM_ACL paramACL[ 5 ]; /* Parameter ACL information */ 770 const int exceptions[ 4 ]; /* Subtypes that need special handling */ 771 const struct CRA *exceptionACL; /* Special-handling ACL */ 772 } CREATE_ACL; 773 774 /* Cert mgmt.ACL entry. These have parameters that work similarly to the 775 mechanism ACLs, except that only a small subset (objects and unused) are 776 used in practice. In addition some objects require the presence of 777 secondary objects (dependent objects for the main object), for example 778 a CA's PKC context requires an attached CA certificate. This is 779 specified in the secondary parameter ACL, which mirrors the main 780 parameter ACL */ 781 782 typedef struct { 783 const CRYPT_CERTACTION_TYPE action; /* Cert mgmt.action */ 784 const int access; /* Permitted access type */ 785 const PARAM_ACL paramACL[ 3 ]; /* Parameter ACL information */ 786 const PARAM_ACL secParamACL[ 3 ];/* Parameter ACL for dep.objects */ 787 } CERTMGMT_ACL; 788 789 /* Compare-message ACL entry */ 790 791 typedef struct { 792 const MESSAGE_COMPARE_TYPE compareType; /* Compare message type */ 793 const OBJECT_ACL objectACL; /* Valid objects for message type */ 794 const PARAM_ACL paramACL[ 1 ]; /* Parameter ACL information */ 795 } COMPARE_ACL; 796 797 /* Macros to access the parameter ACLs as an array of PARAM_ACL entries */ 798 799 #define getParamACL( aclInfo ) ( &( aclInfo )->paramACL[ 0 ] ) 800 #define getParamACLSize( aclInfo ) ( sizeof( ( aclInfo )->paramACL ) / sizeof( PARAM_ACL ) ) 801 802 /* Macros to set up compare ACLs */ 803 804 #define MK_CMPACL_S( objSTA, lowRange, highRange ) \ 805 { objSTA, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE }, \ 806 { MKACP_S( lowRange, highRange ) } 807 #define MK_CMPACL_O( objSTA, pObjSTA ) \ 808 { objSTA, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE }, \ 809 { MKACP_O( pObjSTA, ACL_FLAG_HIGH_STATE ) } 810 #define MK_CMPACL_END() \ 811 { ST_NONE, ST_NONE, ST_NONE, ACL_FLAG_NONE }, \ 812 { MKACP_END() } 813 814 /* Check-message ACL entry. Most checks are for the same capability in a 815 single object type (e.g. encryption capability in a PKC context and/or 816 cert), for which we check the object type and action corresponding to the 817 check. However, some checks apply to dependent but object pairs but with 818 different capabilities (for example a PKC context and a CA certificate). 819 In this case the check can be applied to either of the two object types, 820 so we allow for a secondary ACL entry for the related object type. In 821 addition once we've applied the check to the primary object, we have to 822 forward it to the secondary object, however in order to avoid message 823 loops the forwarded check type applies only to the secondary object 824 rather than being the same as the one that was applied to the primary 825 object */ 826 827 typedef struct { 828 const MESSAGE_CHECK_TYPE checkType; /* Check message type */ 829 const MESSAGE_TYPE actionType; /* Action corresponding to check */ 830 const OBJECT_ACL objectACL; /* Valid objects for message type */ 831 const struct CAA *altACL; /* Ptr. to alt.ACL */ 832 } CHECK_ACL; 833 834 typedef struct CAA { 835 const OBJECT_TYPE object; /* Object type this entry applies to */ 836 const MESSAGE_CHECK_TYPE checkType; /* Check message type */ 837 const OBJECT_TYPE depObject; /* Dependent object type */ 838 const OBJECT_ACL depObjectACL; /* Valid objects for message type */ 839 const MESSAGE_CHECK_TYPE fdCheckType; /* Fwded check type for related obj.*/ 840 } CHECK_ALT_ACL; 841 842 /* Macros to set up check ACLs. For the standard check ACL the first 843 parameter, the check type, is supplied explicitly and isn't present in 844 the macro */ 845 846 #define MK_CHKACL( action, objSTA ) \ 847 action, { objSTA, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE }, NULL 848 #define MK_CHKACL_EX( action, objSTA, objSTB, flags ) \ 849 action, { objSTA, objSTB, ST_NONE, flags } 850 #define MK_CHKACL_EXT( action, objSTA, extACL ) \ 851 action, { objSTA, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE }, extACL 852 #define MK_CHKACL_END() \ 853 MESSAGE_NONE, { ST_NONE, ST_NONE, ST_NONE, ACL_FLAG_NONE } 854 855 #define MK_CHKACL_ALT( depObj, depObjSTA, fdCheck ) \ 856 depObj, { depObjSTA, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE }, fdCheck 857 #define MK_CHKACL_ALT_END() \ 858 MESSAGE_CHECK_NONE, \ 859 OBJECT_TYPE_NONE, { ST_NONE, ST_NONE, ST_NONE, ACL_FLAG_NONE }, MESSAGE_CHECK_NONE 860 861 /* Object dependency ACL entry, used when making one object dependent on 862 another */ 863 864 typedef struct { 865 const OBJECT_TYPE type; /* Object type and subtype */ 866 const OBJECT_SUBTYPE subTypeA, subTypeB, subTypeC; 867 const OBJECT_TYPE dType; /* Dependent object type and subtype */ 868 const OBJECT_SUBTYPE dSubTypeA, dSubTypeB, dSubTypeC; 869 const int flags; /* Dependency flags */ 870 } DEPENDENCY_ACL; 871 872 /* Macros to set up dependency ACLs */ 873 874 #define MK_DEPACL( objType, objSTA, objSTB, objSTC, dObjType, dObjSTA, dObjSTB, dObjSTC ) \ 875 { objType, objSTA, objSTB, objSTC, dObjType, dObjSTA, dObjSTB, dObjSTC, DEP_FLAG_NONE } 876 #define MK_DEPACL_EX( objType, objSTA, objSTB, objSTC, dObjType, dObjSTA, dObjSTB, dObjSTC, flags ) \ 877 { objType, objSTA, objSTB, objSTC, dObjType, dObjSTA, dObjSTB, dObjSTC, flags } 878 #define MK_DEPACL_END() \ 879 { OBJECT_TYPE_NONE, 0, 0, 0, OBJECT_TYPE_NONE, 0, 0, 0, DEP_FLAG_NONE } 880 881 /* Flags for the dependency ACLs */ 882 883 #define DEP_FLAG_NONE 0x00 /* No dependency flag */ 884 #define DEP_FLAG_UPDATEDEP 0x01 /* Update dependent object */ 885 886 #endif /* _ACL_DEFINED */ 887