/*++
Copyright (c) 1993 Microsoft Corporation
Module Name:
ntlmsspi.h
Abstract:
Header file describing the interface to code common to the
NT Lanman Security Support Provider (NtLmSsp) Service and the DLL.
Author:
Cliff Van Dyke (CliffV) 17-Sep-1993
Revision History:
--*/
#ifndef _NTLMSSPI_INCLUDED_
#define _NTLMSSPI_INCLUDED_
//
// init.c will #include this file with NTLMCOMN_ALLOCATE defined.
// That will cause each of these variables to be allocated.
//
#ifdef NTLMSSPI_ALLOCATE
#define EXTERN
#else
#define EXTERN extern
#endif
////////////////////////////////////////////////////////////////////////
//
// Global Definitions
//
////////////////////////////////////////////////////////////////////////
//
// Description of a credential.
//
typedef struct _SSP_CREDENTIAL {
//
// Global list of all Credentials.
// (Serialized by SspCredentialCritSect)
//
LIST_ENTRY Next;
//
// List of all Credentials for this ClientConnection.
// (Serialized by SspCredentialCritSect)
//
LIST_ENTRY NextForThisClient;
//
// Used to prevent this Credential from being deleted prematurely.
// (Serialized by SspCredentialCritSect)
//
ULONG References;
//
// Used by this credential to allow a single credential to be
// returned from multiple calls to AcquireCredential.
//
ULONG CredentialReferences;
//
// Flag of how credential may be used.
//
// SECPKG_CRED_* flags
//
ULONG CredentialUseFlags;
//
// Default credentials on client context, on server context UserName
// holds a full user name (domain\user) and the other two should be
// NULL.
//
UNICODE_STRING DomainName;
UNICODE_STRING UserName;
UNICODE_STRING Password;
//
// ClientConnection that originally created the credential.
//
// Note: we don't have a reference to the ClientConnection. This field
// is merely used as a tag that someone who does have a reference to the
// ClientConnection can compare with. (Keep it a PVOID to prevent
// accidental use as anything else)
//
PVOID ClientConnection;
//
// Token Handle of client
//
PHANDLE ClientTokenHandle;
//
// Logon ID of the client
//
LUID LogonId;
//
// This flag should be set when the credential is unlinked
// from the list.
//
BOOLEAN Unlinked;
} SSP_CREDENTIAL, *PSSP_CREDENTIAL;
//
// Description of a Context
//
typedef struct _SSP_CONTEXT {
//
// Global list of all Contexts
// (Serialized by SspContextCritSect)
//
LIST_ENTRY Next;
//
// List of all Contexts for this ClientConnection.
// (Serialized by SspContextCritSect)
//
LIST_ENTRY NextForThisClient;
//
// Timeout the context after awhile.
//
LARGE_INTEGER StartTime;
ULONG Interval;
//
// Used to prevent this Context from being deleted prematurely.
// (Serialized by SspContextCritSect)
//
ULONG References;
//
// ClientConnection that originally created the context.
//
// Note: we don't have a reference to the ClientConnection. This field
// is merely used as a tag that someone who does have a reference to the
// ClientConnection can compare with. (Keep it a PVOID to prevent
// accidental use as anything else)
//
PVOID ClientConnection;
//
// Maintain the Negotiated protocol
//
ULONG NegotiateFlags;
//
// Maintain the context requirements
//
ULONG ContextFlags;
//
// State of the context
//
enum {
IdleState,
NegotiateSentState, // Outbound context only
ChallengeSentState, // Inbound context only
AuthenticateSentState, // Outbound context only
AuthenticatedState, // Inbound context only
PassedToServiceState // Outbound context only
} State;
//
// Token Handle of authenticated user
// Only valid when in AuthenticatedState.
//
HANDLE TokenHandle;
//
// Referenced pointer to the credential used to create this
// context.
//
PSSP_CREDENTIAL Credential;
//
// The challenge passed to the client.
// Only valid when in ChallengeSentState.
//
UCHAR Challenge[MSV1_0_CHALLENGE_LENGTH];
//
// The session key calculated by the LSA
//
UCHAR SessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
//
// Default credentials.
//
UNICODE_STRING DomainName;
UNICODE_STRING UserName;
UNICODE_STRING Password;
CtxtHandle ServerContextHandle;
} SSP_CONTEXT, *PSSP_CONTEXT;
//
// Maximum lifetime of a context
//
#define NTLMSSP_MAX_LIFETIME (2*60*1000) // 2 minutes
////////////////////////////////////////////////////////////////////////
//
// Opaque Messages passed between client and server
//
////////////////////////////////////////////////////////////////////////
#define NTLMSSP_SIGNATURE "NTLMSSP"
//
// MessageType for the following messages.
//
typedef enum {
NtLmNegotiate = 1,
NtLmChallenge,
NtLmAuthenticate
} NTLM_MESSAGE_TYPE;
//
// Valid values of NegotiateFlags
//
#define NTLMSSP_NEGOTIATE_UNICODE 0x0001 // Text strings are in unicode
#define NTLMSSP_NEGOTIATE_OEM 0x0002 // Text strings are in OEM
#define NTLMSSP_REQUEST_TARGET 0x0004 // Server should return its
// authentication realm
#define NTLMSSP_NEGOTIATE_SIGN 0x0010 // Request signature capability
#define NTLMSSP_NEGOTIATE_SEAL 0x0020 // Request confidentiality
#define NTLMSSP_NEGOTIATE_DATAGRAM 0x0040 // Use datagram style authentication
#define NTLMSSP_NEGOTIATE_LM_KEY 0x0080 // Use LM session key for sign/seal
#define NTLMSSP_NEGOTIATE_NETWARE 0x0100 // NetWare authentication
#define NTLMSSP_NEGOTIATE_NTLM 0x0200 // NTLM authentication
#define NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0x1000 // Domain Name supplied on negotiate
#define NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0x2000 // Workstation Name supplied on negotiate
#define NTLMSSP_NEGOTIATE_LOCAL_CALL 0x4000 // Indicates client/server are same machine
#define NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0x8000 // Sign for all security levels
//
// Valid target types returned by the server in Negotiate Flags
//
#define NTLMSSP_TARGET_TYPE_DOMAIN 0x10000 // TargetName is a domain name
#define NTLMSSP_TARGET_TYPE_SERVER 0x20000 // TargetName is a server name
#define NTLMSSP_TARGET_TYPE_SHARE 0x40000 // TargetName is a share name
//
// Additional negotiated flags
//
#define NTLMSSP_NEGOTIATE_IDENTIFY 0x100000 // Create identify level token
#ifndef EXPORT_BUILD
#define NTLMSSP_NEGOTIATE_STRONG_CRYPT 0x200000 // Allow string encryption
#endif // EXPORT_BUILD
//
// Opaque message returned from first call to InitializeSecurityContext
//
typedef struct _NEGOTIATE_MESSAGE {
UCHAR Signature[sizeof(NTLMSSP_SIGNATURE)];
NTLM_MESSAGE_TYPE MessageType;
ULONG NegotiateFlags;
STRING OemDomainName;
STRING OemWorkstationName;
} NEGOTIATE_MESSAGE, *PNEGOTIATE_MESSAGE;
//
// Old version of the message, for old clients
//
typedef struct _OLD_NEGOTIATE_MESSAGE {
UCHAR Signature[sizeof(NTLMSSP_SIGNATURE)];
NTLM_MESSAGE_TYPE MessageType;
ULONG NegotiateFlags;
} OLD_NEGOTIATE_MESSAGE, *POLD_NEGOTIATE_MESSAGE;
//
// Opaque message returned from first call to AcceptSecurityContext
//
typedef struct _CHALLENGE_MESSAGE {
UCHAR Signature[sizeof(NTLMSSP_SIGNATURE)];
NTLM_MESSAGE_TYPE MessageType;
STRING TargetName;
ULONG NegotiateFlags;
UCHAR Challenge[MSV1_0_CHALLENGE_LENGTH];
ULONG ServerContextHandleLower;
ULONG ServerContextHandleUpper;
} CHALLENGE_MESSAGE, *PCHALLENGE_MESSAGE;
//
// Old version of the challenge message
//
typedef struct _OLD_CHALLENGE_MESSAGE {
UCHAR Signature[sizeof(NTLMSSP_SIGNATURE)];
NTLM_MESSAGE_TYPE MessageType;
STRING TargetName;
ULONG NegotiateFlags;
UCHAR Challenge[MSV1_0_CHALLENGE_LENGTH];
} OLD_CHALLENGE_MESSAGE, *POLD_CHALLENGE_MESSAGE;
//
// Opaque message returned from second call to InitializeSecurityContext
//
typedef struct _AUTHENTICATE_MESSAGE {
UCHAR Signature[sizeof(NTLMSSP_SIGNATURE)];
NTLM_MESSAGE_TYPE MessageType;
STRING LmChallengeResponse;
STRING NtChallengeResponse;
STRING DomainName;
STRING UserName;
STRING Workstation;
STRING SessionKey;
ULONG NegotiateFlags;
} AUTHENTICATE_MESSAGE, *PAUTHENTICATE_MESSAGE;
typedef struct _OLD_AUTHENTICATE_MESSAGE {
UCHAR Signature[sizeof(NTLMSSP_SIGNATURE)];
NTLM_MESSAGE_TYPE MessageType;
STRING LmChallengeResponse;
STRING NtChallengeResponse;
STRING DomainName;
STRING UserName;
STRING Workstation;
} OLD_AUTHENTICATE_MESSAGE, *POLD_AUTHENTICATE_MESSAGE;
//
// Size of the largest message
// (The largest message is the AUTHENTICATE_MESSAGE)
//
#define NTLMSSP_MAX_MESSAGE_SIZE (sizeof(AUTHENTICATE_MESSAGE) + \
LM_RESPONSE_LENGTH + \
NT_RESPONSE_LENGTH + \
(DNLEN + 1) * sizeof(WCHAR) + \
(UNLEN + 1) * sizeof(WCHAR) + \
(CNLEN + 1) * sizeof(WCHAR))
////////////////////////////////////////////////////////////////////////
//
// Global Variables
//
////////////////////////////////////////////////////////////////////////
//
// Useful constants
//
EXTERN TimeStamp SspGlobalForever;
//
// Crit Sect to protect various globals in context.c
//
EXTERN CRITICAL_SECTION SspContextCritSect;
//
// The computername of the local system.
//
EXTERN WCHAR SspGlobalUnicodeComputerName[CNLEN + 1];
EXTERN UNICODE_STRING SspGlobalUnicodeComputerNameString;
EXTERN STRING SspGlobalOemComputerNameString;
//
// The domain name of the local system
//
EXTERN WCHAR SspGlobalUnicodePrimaryDomainName[DNLEN + 1];
EXTERN UNICODE_STRING SspGlobalUnicodePrimaryDomainNameString;
EXTERN STRING SspGlobalOemPrimaryDomainNameString;
//
// The TargetName of the local system
//
EXTERN NT_PRODUCT_TYPE SspGlobalNtProductType;
EXTERN UNICODE_STRING SspGlobalTargetName;
EXTERN STRING SspGlobalOemTargetName;
EXTERN ULONG SspGlobalTargetFlags;
EXTERN LSA_HANDLE SspGlobalLsaPolicyHandle;
EXTERN PSID SspGlobalLocalSystemSid;
EXTERN BOOLEAN SspGlobalEncryptionEnabled;
////////////////////////////////////////////////////////////////////////
//
// Procedure Forwards
//
////////////////////////////////////////////////////////////////////////
//
// Procedure forwards from credhand.c
//
NTSTATUS
SspCredentialInitialize(
VOID
);
VOID
SspCredentialTerminate(
VOID
);
PSSP_CREDENTIAL
SspCredentialReferenceCredential(
IN PCredHandle CredentialHandle,
IN PSSP_CLIENT_CONNECTION ClientConnection,
IN BOOLEAN DereferenceCredential,
IN BOOLEAN ForceRemoveCredential
);
VOID
SspCredentialDereferenceCredential(
PSSP_CREDENTIAL Credential
);
SECURITY_STATUS
SspCredentialGetPassword(
IN PSSP_CREDENTIAL Credential,
OUT PUNICODE_STRING Password
);
//
// Procedure forwards from context.c
//
NTSTATUS
SspContextRegisterLogonProcess(
VOID
);
VOID
SspContextDeregisterLogonProcess(
VOID
);
NTSTATUS
SspContextInitialize(
VOID
);
VOID
SspContextTerminate(
VOID
);
VOID
SspCleanupRNG(VOID);
VOID
SspInitializeRNG(VOID);
VOID
SspGenerateRandomBits(
PUCHAR pRandomData,
LONG cRandomData
);
#endif // ifndef _NTLMSSPI_INCLUDED_