Leaked source code of windows server 2003


  //+-----------------------------------------------------------------------
  //
  // Copyright (c) 1990-1999 Microsoft Corporation
  //
  // File:       KERBCON.H
  //
  // Contents:   Microsoft Kerberos constants
  //
  //             Protocol revision, encryption-type and checksum-type
  //             identifiers, AUTH_REQ_* and ticket flag bits, default
  //             policy values, KDC audit-state helpers and principal
  //             name types.
  //
  // History:    25 Feb 92 RichardW Compiled from other files
  //
  //------------------------------------------------------------------------

  #ifndef __KERBCON_H__
  #define __KERBCON_H__

  #if _MSC_VER > 1000
  #pragma once
  #endif

  // The begin_ntsecapi / end_ntsecapi comments below are kept verbatim.
  // NOTE(review): they look like markers for a header-extraction tool
  // (presumably selecting what is published in ntsecapi.h) -- confirm before
  // moving or rewording them.

  // begin_ntsecapi

  // Kerberos protocol revision: MS uses Version 5, Revision 6.
  #define KERBEROS_VERSION                5
  #define KERBEROS_REVISION               6

  // Encryption types.
  //
  // Supported as crypto systems by the default MS KERBSUPP DLL. Values over
  // 127 are local values and may be changed without notice.
  //
  // NOTE(review): the symmetric ciphers named in this header are DES, 3DES,
  // RC2 and RC4; no AES encryption type is defined here. RFC 6649 deprecates
  // the single-DES types (1, 2, 3) and RC4-HMAC-EXP (24); RFC 8429 deprecates
  // 3DES and RC4-HMAC (23). Code that negotiates, filters or audits etypes
  // with these constants should treat all of them as legacy and log their use.
  #define KERB_ETYPE_NULL                 0
  #define KERB_ETYPE_DES_CBC_CRC          1
  #define KERB_ETYPE_DES_CBC_MD4          2
  #define KERB_ETYPE_DES_CBC_MD5          3

  // end_ntsecapi

  // Older local values (above 127); defined outside the ntsecapi markers.
  #define KERB_ETYPE_OLD_RC4_MD4          128
  #define KERB_ETYPE_OLD_RC4_PLAIN        129
  #define KERB_ETYPE_OLD_RC4_LM           130
  #define KERB_ETYPE_OLD_RC4_SHA          131
  #define KERB_ETYPE_OLD_DES_PLAIN        132

  // begin_ntsecapi

  // Negative local values. The hex remarks give the 32-bit two's-complement
  // form of the value on that line.
  // NOTE(review): the _EXP suffix presumably marks export-strength variants
  // -- confirm against the crypto-system table that consumes these values.
  #define KERB_ETYPE_RC4_MD4              -128    // FFFFFF80
  #define KERB_ETYPE_RC4_PLAIN2           -129
  #define KERB_ETYPE_RC4_LM               -130
  #define KERB_ETYPE_RC4_SHA              -131
  #define KERB_ETYPE_DES_PLAIN            -132
  #define KERB_ETYPE_RC4_HMAC_OLD         -133    // FFFFFF7B
  #define KERB_ETYPE_RC4_PLAIN_OLD        -134
  #define KERB_ETYPE_RC4_HMAC_OLD_EXP     -135
  #define KERB_ETYPE_RC4_PLAIN_OLD_EXP    -136
  #define KERB_ETYPE_RC4_PLAIN            -140
  #define KERB_ETYPE_RC4_PLAIN_EXP        -141

  //
  // Pkinit encryption types
  //
  #define KERB_ETYPE_DSA_SHA1_CMS         9
  #define KERB_ETYPE_RSA_MD5_CMS          10
  #define KERB_ETYPE_RSA_SHA1_CMS         11
  #define KERB_ETYPE_RC2_CBC_ENV          12
  #define KERB_ETYPE_RSA_ENV              13
  #define KERB_ETYPE_RSA_ES_OEAP_ENV      14
  #define KERB_ETYPE_DES_EDE3_CBC_ENV     15

  //
  // Deprecated
  //
  // Values 9 through 13 are shared with the Pkinit names above, so the two
  // sets cannot be told apart by value alone (and cannot both appear as case
  // labels in one switch).
  #define KERB_ETYPE_DSA_SIGN             8
  #define KERB_ETYPE_RSA_PRIV             9
  #define KERB_ETYPE_RSA_PUB              10
  #define KERB_ETYPE_RSA_PUB_MD5          11
  #define KERB_ETYPE_RSA_PUB_SHA1         12
  #define KERB_ETYPE_PKCS7_PUB            13

  //
  // Unsupported but defined types
  //
  #define KERB_ETYPE_DES3_CBC_MD5         5
  #define KERB_ETYPE_DES3_CBC_SHA1        7
  #define KERB_ETYPE_DES3_CBC_SHA1_KD     16

  //
  // In use types
  //
  #define KERB_ETYPE_DES_CBC_MD5_NT       20
  #define KERB_ETYPE_RC4_HMAC_NT          23
  #define KERB_ETYPE_RC4_HMAC_NT_EXP      24

  // Checksum algorithms.
  //
  // These algorithms are keyed internally for our use.
  //
  // NOTE(review): CRC32 gives no cryptographic integrity, and MD4 and MD5 are
  // no longer collision-resistant. How each type is keyed is not visible in
  // this header; review the checksum implementations before relying on any
  // of these for tamper detection.
  #define KERB_CHECKSUM_NONE              0
  #define KERB_CHECKSUM_CRC32             1
  #define KERB_CHECKSUM_MD4               2
  #define KERB_CHECKSUM_KRB_DES_MAC       4
  #define KERB_CHECKSUM_KRB_DES_MAC_K     5
  #define KERB_CHECKSUM_MD5               7
  #define KERB_CHECKSUM_MD5_DES           8

  #define KERB_CHECKSUM_LM                -130
  #define KERB_CHECKSUM_SHA1              -131
  #define KERB_CHECKSUM_REAL_CRC32        -132
  #define KERB_CHECKSUM_DES_MAC           -133
  #define KERB_CHECKSUM_DES_MAC_MD5       -134
  #define KERB_CHECKSUM_MD25              -135
  #define KERB_CHECKSUM_RC4_MD5           -136
  #define KERB_CHECKSUM_MD5_HMAC          -137    // used by netlogon
  #define KERB_CHECKSUM_HMAC_MD5          -138    // used by Kerberos

  // AUTH_REQ_* flags: one bit per flag, combinable with bitwise OR.
  //
  // NOTE(review): going by the names, PREAUTH_REQUIRED, OK_AS_DELEGATE and
  // ALLOW_S4U_DELEGATE control pre-authentication and delegation. Where these
  // bits are set and checked lies outside this header -- audit those call
  // sites when reviewing account or service policy.
  #define AUTH_REQ_ALLOW_FORWARDABLE      0x00000001
  #define AUTH_REQ_ALLOW_PROXIABLE        0x00000002
  #define AUTH_REQ_ALLOW_POSTDATE         0x00000004
  #define AUTH_REQ_ALLOW_RENEWABLE        0x00000008
  #define AUTH_REQ_ALLOW_NOADDRESS        0x00000010
  #define AUTH_REQ_ALLOW_ENC_TKT_IN_SKEY  0x00000020
  #define AUTH_REQ_ALLOW_VALIDATE         0x00000040
  #define AUTH_REQ_VALIDATE_CLIENT        0x00000080
  #define AUTH_REQ_OK_AS_DELEGATE         0x00000100
  #define AUTH_REQ_PREAUTH_REQUIRED       0x00000200
  #define AUTH_REQ_TRANSITIVE_TRUST       0x00000400
  #define AUTH_REQ_ALLOW_S4U_DELEGATE     0x00000800

  // Mask of the forwardable, proxiable, postdate, renewable and validate bits.
  #define AUTH_REQ_PER_USER_FLAGS         (AUTH_REQ_ALLOW_FORWARDABLE | \
                                           AUTH_REQ_ALLOW_PROXIABLE   | \
                                           AUTH_REQ_ALLOW_POSTDATE    | \
                                           AUTH_REQ_ALLOW_RENEWABLE   | \
                                           AUTH_REQ_ALLOW_VALIDATE )

  //
  // Ticket Flags:
  //
  // Bits are assigned from the most significant bit of a 32-bit value
  // downward; the single low-order bit defined is reserved1.
  #define KERB_TICKET_FLAGS_reserved          0x80000000
  #define KERB_TICKET_FLAGS_forwardable       0x40000000
  #define KERB_TICKET_FLAGS_forwarded         0x20000000
  #define KERB_TICKET_FLAGS_proxiable         0x10000000
  #define KERB_TICKET_FLAGS_proxy             0x08000000
  #define KERB_TICKET_FLAGS_may_postdate      0x04000000
  #define KERB_TICKET_FLAGS_postdated         0x02000000
  #define KERB_TICKET_FLAGS_invalid           0x01000000
  #define KERB_TICKET_FLAGS_renewable         0x00800000
  #define KERB_TICKET_FLAGS_initial           0x00400000
  #define KERB_TICKET_FLAGS_pre_authent       0x00200000
  #define KERB_TICKET_FLAGS_hw_authent        0x00100000
  #define KERB_TICKET_FLAGS_ok_as_delegate    0x00040000
  #define KERB_TICKET_FLAGS_name_canonicalize 0x00010000
  #define KERB_TICKET_FLAGS_reserved1         0x00000001

  // end_ntsecapi

  //
  // Policy
  //
  // Default values; the unit of each is given on its line.
  // NOTE(review): KERBDEF_MAX_CLOCK is presumably the tolerated clock skew
  // -- confirm where it is consumed.
  #define KERBDEF_MAX_TICKET              10      // hours
  #define KERBDEF_MAX_RENEW               7       // days
  #define KERBDEF_MAX_SERVICE             600     // minutes
  #define KERBDEF_MAX_CLOCK               5       // minutes
  #define KERBDEF_VALIDATE                1       // yes

  // KDC audit flags: one bit each for success and failure of AS, TGS and MAP.
  #define KDC_AUDIT_AS_SUCCESS            0x1
  #define KDC_AUDIT_AS_FAILURE            0x2
  #define KDC_AUDIT_TGS_SUCCESS           0x4
  #define KDC_AUDIT_TGS_FAILURE           0x8
  #define KDC_AUDIT_MAP_SUCCESS           0x10
  #define KDC_AUDIT_MAP_FAILURE           0x20

  // State word helpers: the audit flags occupy the bits above bit 15 and the
  // low 16 bits of the auth flags occupy bits 0-15 (higher auth bits are
  // masked off by KDC_MAKE_STATE).
  // NOTE(review): KDC_AUDIT_STATE shifts its argument as given; right-shifting
  // a negative signed value is implementation-defined in C, so callers should
  // hold the state word in an unsigned type -- confirm at the call sites.
  #define KDC_MAKE_STATE(AuthFlag, AuditFlag) (((AuditFlag) << 16) | ((AuthFlag) & 0xffff))
  #define KDC_AUTH_STATE(StateFlags)          ((StateFlags) & 0xffff)
  #define KDC_AUDIT_STATE(StateFlags)         ((StateFlags) >> 16)

  // begin_ntsecapi

  //
  // Name types
  //
  #define KRB_NT_UNKNOWN                  0       // Name type not known
  #define KRB_NT_PRINCIPAL                1       // Just the name of the principal as in DCE, or for users
  #define KRB_NT_PRINCIPAL_AND_ID         -131    // Name of the principal and its SID.
  #define KRB_NT_SRV_INST                 2       // Service and other unique instance (krbtgt)
  #define KRB_NT_SRV_INST_AND_ID          -132    // SPN and SID
  #define KRB_NT_SRV_HST                  3       // Service with host name as instance (telnet, rcommands)
  #define KRB_NT_SRV_XHST                 4       // Service with host as remaining components
  #define KRB_NT_UID                      5       // Unique ID
  #define KRB_NT_ENTERPRISE_PRINCIPAL     10      // UPN **ONLY**
  #define KRB_NT_ENT_PRINCIPAL_AND_ID     -130    // UPN and SID

  //
  // MS extensions, negative according to the RFC
  //
  #define KRB_NT_MS_PRINCIPAL             -128    // NT4 style name
  #define KRB_NT_MS_PRINCIPAL_AND_ID      -129    // nt4 style name with sid

  // True when the name type is at or below KRB_NT_MS_PRINCIPAL (-128, which
  // also covers every *_AND_ID value above) or at or above
  // KRB_NT_ENTERPRISE_PRINCIPAL (10). The argument is expanded twice, so it
  // must not have side effects. Any out-of-range value, not only the defined
  // constants, satisfies the test; validate untrusted name types separately.
  #define KERB_IS_MS_PRINCIPAL(_x_)       (((_x_) <= KRB_NT_MS_PRINCIPAL) || ((_x_) >= KRB_NT_ENTERPRISE_PRINCIPAL))

  // end_ntsecapi

  #endif // __KERBCON_H__