windows-nt/Source/XPSP1/NT/ds/win32/ntcrypto/inc/contman.h

483 lines
17 KiB
C
Raw Normal View History

2020-09-26 03:20:57 -05:00
/////////////////////////////////////////////////////////////////////////////
// FILE : contman.h //
// DESCRIPTION : include file //
// AUTHOR : //
// HISTORY : //
// Mar 16 1998 jeffspel Created //
// //
// Copyright (C) 1998 Microsoft Corporation All Rights Reserved //
/////////////////////////////////////////////////////////////////////////////
#ifndef __CONTMAN_H__
#define __CONTMAN_H__
#ifdef __cplusplus
extern "C" {
#endif
#ifndef RtlSecureZeroMemory
#define RtlSecureZeroMemory(ptr, cnt) (memset(ptr, 0x0, cnt))
#endif
extern LPVOID ContAlloc(ULONG cbLen);
extern LPVOID ContRealloc(LPVOID pvMem, ULONG cbLen);
extern void ContFree(LPVOID pvMem);
// Display Strings
typedef struct _CSP_STRINGS_ {
// RSA
LPWSTR pwszSignWExch;
LPWSTR pwszCreateRSASig;
LPWSTR pwszCreateRSAExch;
LPWSTR pwszRSASigDescr;
LPWSTR pwszRSAExchDescr;
LPWSTR pwszImportSimple;
// DSS-DH
LPWSTR pwszCreateDSS;
LPWSTR pwszCreateDH;
LPWSTR pwszImportDHPub;
LPWSTR pwszDSSSigDescr;
LPWSTR pwszDHExchDescr;
// BOTH
LPWSTR pwszSigning;
LPWSTR pwszMigrKeys;
LPWSTR pwszImportPrivSig;
LPWSTR pwszImportPrivExch;
LPWSTR pwszExportPrivSig;
LPWSTR pwszExportPrivExch;
LPWSTR pwszDeleteSig;
LPWSTR pwszDeleteMigrSig;
LPWSTR pwszDeleteExch;
LPWSTR pwszDeleteMigrExch;
LPWSTR pwszAuditCapiKey;
} CSP_STRINGS, *PCSP_STRINGS;
#define SZLOCALMACHINECRYPTO "Software\\Microsoft\\Cryptography"
#define SZCRYPTOMACHINEGUID "MachineGuid"
#define KEY_CONTAINER_FILE_FORMAT_VER 2
#define STUFF_TO_GO_INTO_MIX "Hj1diQ6kpUx7VC4m"
typedef struct _KEY_EXPORTABILITY_LENS_ {
DWORD cbSigExportability;
DWORD cbExchExportability;
} KEY_EXPORTABILITY_LENS, *PKEY_EXPORTABILITY_LENS;
typedef struct _KEY_CONTAINER_LENS_ {
DWORD dwUIOnKey;
DWORD cbName;
DWORD cbSigPub;
DWORD cbSigEncPriv;
DWORD cbExchPub;
DWORD cbExchEncPriv;
DWORD cbRandom; // length of Random number seed
} KEY_CONTAINER_LENS, *PKEY_CONTAINER_LENS;
typedef struct _KEY_CONTAINER_INFO_ {
DWORD dwVersion;
KEY_CONTAINER_LENS ContLens;
BOOL fCryptSilent;
BYTE *pbSigPub;
BYTE *pbSigEncPriv;
BOOL fSigExportable;
BYTE *pbExchPub;
BYTE *pbExchEncPriv;
BOOL fExchExportable;
BYTE *pbRandom;
LPSTR pszUserName;
WCHAR rgwszFileName[80];
HANDLE hFind; // for enuming containers
DWORD dwiRegEntry; // for enuming containers
DWORD cMaxRegEntry; // for enuming containers
DWORD cbRegEntry; // for enuming containers
CHAR *pchEnumRegEntries; // for enuming containers
BOOL fCryptFirst; // for enuming containers
BOOL fNoMoreFiles; // for enuming containers
DWORD cbOldMachKeyEntry; // for enuming containers
DWORD dwiOldMachKeyEntry; // for enuming containers
DWORD cMaxOldMachKeyEntry; // for enuming containers
CHAR *pchEnumOldMachKeyEntries; // for enuming containers
BOOL fForceHighKeyProtection;
// Context items required for caching private keys
BOOL fCachePrivateKeys;
DWORD cMaxKeyLifetime; // in milliseconds
DWORD dwSigKeyTimestamp;
DWORD dwKeyXKeyTimestamp;
} KEY_CONTAINER_INFO, *PKEY_CONTAINER_INFO;
// define flag for leaving old keys in the registry if they are in the .Default
// hive but are user keys
#define LEAVE_OLD_KEYS 1
// define flag indicating that the thread cannot get the SACL info from the
// old registry key when migrating keys
#define PRIVILEDGE_FOR_SACL 2
DWORD MyRtlEncryptMemory(
IN PVOID pvMem,
IN DWORD cbMem);
DWORD MyRtlDecryptMemory(
IN PVOID pvMem,
IN DWORD cbMem);
//
// Just tries to use DPAPI to make sure it works before creating a key
// container.
//
DWORD TryDPAPI();
DWORD
MyCryptProtectData(
IN DATA_BLOB* pDataIn,
IN LPCWSTR szDataDescr,
IN OPTIONAL DATA_BLOB* pOptionalEntropy,
IN PVOID pvReserved,
IN OPTIONAL CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct,
IN DWORD dwFlags,
OUT DATA_BLOB* pDataOut // out encr blob
);
DWORD
MyCryptUnprotectData(
IN DATA_BLOB* pDataIn, // in encr blob
OUT OPTIONAL LPWSTR* ppszDataDescr, // out
IN OPTIONAL DATA_BLOB* pOptionalEntropy,
IN PVOID pvReserved,
IN OPTIONAL CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct,
IN DWORD dwFlags,
OUT DATA_BLOB* pDataOut,
OUT LPDWORD pdwReprotectFlags);
void FreeEnumOldMachKeyEntries(
PKEY_CONTAINER_INFO pInfo
);
void FreeEnumRegEntries(
PKEY_CONTAINER_INFO pInfo
);
void FreeContainerInfo(
PKEY_CONTAINER_INFO pInfo
);
BOOL WINAPI FIsWinNT(void);
DWORD
IsLocalSystem(
BOOL *pfIsLocalSystem
);
DWORD
GetUserTextualSidA(
LPSTR lpBuffer,
LPDWORD nSize
);
DWORD
GetUserTextualSidW(
LPWSTR lpBuffer,
LPDWORD nSize
);
DWORD SetMachineGUID();
DWORD SetContainerUserName(
IN LPSTR pszUserName,
IN PKEY_CONTAINER_INFO pContInfo
);
DWORD ReadContainerInfo(
IN DWORD dwProvType,
IN LPSTR pszContainerName,
IN BOOL fMachineKeyset,
IN DWORD dwFlags,
OUT PKEY_CONTAINER_INFO pContInfo
);
DWORD WriteContainerInfo(
IN DWORD dwProvType,
IN LPWSTR pwszFileName,
IN BOOL fMachineKeyset,
IN PKEY_CONTAINER_INFO pContInfo
);
DWORD DeleteContainerInfo(
IN DWORD dwProvType,
IN LPSTR pszFileName,
IN BOOL fMachineKeyset
);
DWORD GetUniqueContainerName(
IN KEY_CONTAINER_INFO *pContInfo,
OUT BYTE *pbData,
OUT DWORD *pcbData
);
DWORD GetNextContainer(
IN DWORD dwProvType,
IN BOOL fMachineKeyset,
IN DWORD dwFlags,
OUT LPSTR pszNextContainer,
IN OUT DWORD *pcbNextContainer,
IN OUT HANDLE *phFind
);
DWORD SetSecurityOnContainer(
IN LPCWSTR wszFileName,
IN DWORD dwProvType,
IN DWORD fMachineKeyset,
IN SECURITY_INFORMATION SecurityInformation,
IN PSECURITY_DESCRIPTOR pSecurityDescriptor
);
//+ ===========================================================================
//
// The function adjusts the token priviledges so that SACL information
// may be set on a key container. If the token priviledges may be set
// indicated by the pUser->dwOldKeyFlags having the PRIVILEDGE_FOR_SACL value set.
// value set then the token privilege is adjusted before the security
// descriptor is set on the container. This is needed for the key
// migration case when keys are being migrated from the registry to files.
//- ============================================================================
DWORD SetSecurityOnContainerWithTokenPriviledges(
IN DWORD dwOldKeyFlags,
IN LPCWSTR wszFileName,
IN DWORD dwProvType,
IN DWORD fMachineKeyset,
IN SECURITY_INFORMATION SecurityInformation,
IN PSECURITY_DESCRIPTOR pSecurityDescriptor
);
DWORD GetSecurityOnContainer(
IN LPCWSTR wszFileName,
IN DWORD dwProvType,
IN DWORD fMachineKeyset,
IN SECURITY_INFORMATION RequestedInformation,
OUT PSECURITY_DESCRIPTOR pSecurityDescriptor,
IN OUT DWORD *pcbSecurityDescriptor
);
// Converts to UNICODE and uses RegOpenKeyExW
DWORD MyRegOpenKeyEx(IN HKEY hRegKey,
IN LPSTR pszKeyName,
IN DWORD dwReserved,
IN REGSAM SAMDesired,
OUT HKEY *phNewRegKey);
// Converts to UNICODE and uses RegDeleteKeyW
DWORD MyRegDeleteKey(IN HKEY hRegKey,
IN LPSTR pszKeyName);
DWORD AllocAndSetLocationBuff(
BOOL fMachineKeySet,
DWORD dwProvType,
CONST char *pszUserID,
HKEY *phTopRegKey,
TCHAR **ppszLocBuff,
BOOL fUserKeys,
BOOL *pfLeaveOldKeys,
LPDWORD pcbBuff);
//
// Enumerates the old machine keys in the file system
// keys were in this location in Beta 2 and Beta 3 of NT5/Win2K
//
DWORD EnumOldMachineKeys(
IN DWORD dwProvType,
IN OUT PKEY_CONTAINER_INFO pContInfo
);
DWORD GetNextEnumedOldMachKeys(
IN PKEY_CONTAINER_INFO pContInfo,
IN BOOL fMachineKeyset,
OUT BYTE *pbData,
OUT DWORD *pcbData
);
//
// Enumerates the keys in the registry into a list of entries
//
DWORD EnumRegKeys(
IN OUT PKEY_CONTAINER_INFO pContInfo,
IN BOOL fMachineKeySet,
IN DWORD dwProvType,
OUT BYTE *pbData,
IN OUT DWORD *pcbData
);
DWORD GetNextEnumedRegKeys(
IN PKEY_CONTAINER_INFO pContInfo,
OUT BYTE *pbData,
OUT DWORD *pcbData
);
//+ ===========================================================================
//
// The function adjusts the token priviledges so that SACL information
// may be gotten and then opens the indicated registry key. If the token
// priviledges may be set then the reg key is opened anyway but the
// flags field will not have the PRIVILEDGE_FOR_SACL value set.
//
//- ============================================================================
DWORD OpenRegKeyWithTokenPriviledges(
IN HKEY hTopRegKey,
IN LPSTR pszRegKey,
OUT HKEY *phRegKey,
OUT DWORD *pdwFlags);
DWORD LoadStrings();
void UnloadStrings();
typedef struct _EXPO_OFFLOAD_STRUCT {
DWORD dwVersion;
HMODULE hInst;
FARPROC pExpoFunc;
} EXPO_OFFLOAD_STRUCT, *PEXPO_OFFLOAD_STRUCT;
//
// Function : FreeOffloadInfo
//
// Description : The function takes a pointer to Offload Information as the
// first parameter of the call. The function frees the
// information.
//
void FreeOffloadInfo(
IN OUT PEXPO_OFFLOAD_STRUCT pOffloadInfo
);
//
// Function : InitExpOffloadInfo
//
// Description : The function takes a pointer to Offload Information as the
// first parameter of the call. The function checks in the
// registry to see if an offload module has been registered.
// If a module is registered then it loads the module
// and gets the OffloadModExpo function pointer.
//
BOOL InitExpOffloadInfo(
IN OUT PEXPO_OFFLOAD_STRUCT *ppExpoOffloadInfo
);
//
// Function : ModularExpOffload
//
// Description : This function does the offloading of modular exponentiation.
// The function takes a pointer to Offload Information as the
// first parameter of the call. If this pointer is not NULL
// then the function will use this module and call the function.
// The exponentiation with MOD function will implement
// Y^X MOD P where Y is the buffer pbBase, X is the buffer
// pbExpo and P is the buffer pbModulus. The length of the
// buffer pbExpo is cbExpo and the length of pbBase and
// pbModulus is cbModulus. The resulting value is output
// in the pbResult buffer and has length cbModulus.
// The pReserved and dwFlags parameters are currently ignored.
// If any of these functions fail then the function fails and
// returns FALSE. If successful then the function returns
// TRUE. If the function fails then most likely the caller
// should fall back to using hard linked modular exponentiation.
//
BOOL ModularExpOffload(
IN PEXPO_OFFLOAD_STRUCT pOffloadInfo,
IN BYTE *pbBase,
IN BYTE *pbExpo,
IN DWORD cbExpo,
IN BYTE *pbModulus,
IN DWORD cbModulus,
OUT BYTE *pbResult,
IN VOID *pReserved,
IN DWORD dwFlags
);
#ifdef USE_HW_RNG
#ifdef _M_IX86
// stuff for INTEL RNG usage
//
// Function : GetRNGDriverHandle
//
// Description : Gets the handle to the INTEL RNG driver if available, then
// checks if the chipset supports the hardware RNG. If so
// the previous driver handle is closed if necessary and the
// new handle is assigned to the passed in parameter.
//
extern DWORD
GetRNGDriverHandle(
IN OUT HANDLE *phDriver);
//
// Function : CheckIfRNGAvailable
//
// Description : Checks if the INTEL RNG driver is available, if so then
// checks if the chipset supports the hardware RNG.
//
extern DWORD
CheckIfRNGAvailable(
void);
//
// Function : HWRNGGenRandom
//
// Description : Uses the passed in handle to the INTEL RNG driver
// to fill the buffer with random bits. Actually uses
// XOR to fill the buffer so that the passed in buffer
// is also mixed in.
//
DWORD
HWRNGGenRandom(
IN HANDLE hRNGDriver,
IN OUT BYTE *pbBuffer,
IN DWORD dwLen);
#ifdef TEST_HW_RNG
//
// Function : SetupHWRNGIfRegistered
//
// Description : Checks if there is a registry setting indicating the HW RNG
// is to be used. If the registry entry is there then it attempts
// to get the HW RNG driver handle.
//
extern DWORD
SetupHWRNGIfRegistered(
OUT HANDLE *phRNGDriver);
#endif // TEST_HW_RNG
#endif // _M_IX86
#endif // USE_HW_RNG
//
// Function for managing Force High Key Protection
//
BOOL IsForceHighProtectionEnabled(
IN PKEY_CONTAINER_INFO pContInfo);
DWORD InitializeForceHighProtection(
IN OUT PKEY_CONTAINER_INFO pContInfo);
//
// Functions for managing cached private keys.
//
BOOL IsCachedKeyValid(
IN PKEY_CONTAINER_INFO pContInfo,
IN BOOL fSigKey);
DWORD SetCachedKeyTimestamp(
IN PKEY_CONTAINER_INFO pContInfo,
IN BOOL fSigKey);
DWORD InitializeKeyCacheInfo(
IN OUT PKEY_CONTAINER_INFO pContInfo);
#ifdef __cplusplus
}
#endif
#endif // __CONTMAN_H__