archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/security/base/lsa/server/negotiat.hxx

636 lines
17 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1992 - 1995.
  5. //
  6. // File: negotiat.hxx
  7. //
  8. // Contents: Negotiate Package prototypes
  9. //
  10. // Classes:
  11. //
  12. // Functions:
  13. //
  14. // History: 9-17-96 RichardW Created
  15. //
  16. //----------------------------------------------------------------------------
  18. #ifndef __NEGOTIAT_HXX__
  19. #define __NEGOTIAT_HXX__
  21. extern "C"
  22. {
  23. #include <spnego.h>
  24. #include <ntmsv1_0.h>
  25. #include <negossp.h>
  26. #include <ntlmsp.h>
  27. #include <windns.h>
  28. }
  30. SpInitializeFn NegInitialize;
  31. SpGetInfoFn NegGetInfo;
  32. LSA_AP_LOGON_USER NegOldLogonUser;
  34. SpAcceptCredentialsFn NegAcceptCredentials;
  35. SpAcquireCredentialsHandleFn NegAcquireCredentialsHandle;
  36. SpFreeCredentialsHandleFn NegFreeCredentialsHandle;
  37. SpSaveCredentialsFn NegSaveCredentials;
  38. SpGetCredentialsFn NegGetCredentials;
  39. SpDeleteCredentialsFn NegDeleteCredentials;
  41. SpInitLsaModeContextFn NegInitLsaModeContext;
  42. SpDeleteContextFn NegDeleteLsaModeContext;
  43. SpAcceptLsaModeContextFn NegAcceptLsaModeContext;
  45. LSA_AP_LOGON_TERMINATED NegLogoffNotify;
  46. SpApplyControlTokenFn NegApplyControlToken;
  47. SpShutdownFn NegShutdown;
  48. SpGetUserInfoFn NegGetUserInfo;
  49. SpQueryCredentialsAttributesFn NegQueryCredentialsAttributes;
  51. LSA_AP_CALL_PACKAGE NegCallPackage;
  52. LSA_AP_CALL_PACKAGE_UNTRUSTED NegCallPackageUntrusted;
  53. LSA_AP_CALL_PACKAGE_PASSTHROUGH NegCallPackagePassthrough;
  54. LSA_AP_LOGON_USER_EX2 NegLogonUserEx2;
  57. SpInitializeFn Neg2Initialize;
  58. SpGetInfoFn Neg2GetInfo;
  59. LSA_AP_LOGON_USER Neg2OldLogonUser;
  61. SpAcceptCredentialsFn Neg2AcceptCredentials;
  62. SpAcquireCredentialsHandleFn Neg2AcquireCredentialsHandle;
  63. SpFreeCredentialsHandleFn Neg2FreeCredentialsHandle;
  64. SpSaveCredentialsFn Neg2SaveCredentials;
  65. SpGetCredentialsFn Neg2GetCredentials;
  66. SpDeleteCredentialsFn Neg2DeleteCredentials;
  68. SpInitLsaModeContextFn Neg2InitLsaModeContext;
  69. SpDeleteContextFn Neg2DeleteLsaModeContext;
  70. SpAcceptLsaModeContextFn Neg2AcceptLsaModeContext;
  72. LSA_AP_LOGON_TERMINATED Neg2LogoffNotify;
  73. SpApplyControlTokenFn Neg2ApplyControlToken;
  74. SpShutdownFn Neg2Shutdown;
  75. SpGetUserInfoFn Neg2GetUserInfo;
  76. SpQueryCredentialsAttributesFn Neg2QueryCredentialsAttributes;
  78. LSA_AP_CALL_PACKAGE Neg2CallPackage;
  79. LSA_AP_CALL_PACKAGE_UNTRUSTED Neg2CallPackageUntrusted;
  81. SpGetExtendedInformationFn NegGetExtendedInformation ;
  82. SpGetExtendedInformationFn Neg2GetExtendedInformation ;
  83. SpQueryContextAttributesFn NegQueryContextAttributes ;
  85. typedef ASN1objectidentifier_t ObjectID;
  87. //
  88. // Negotiation control is performed via registry settings. These
  89. // settings control negotiation behavior, and compatibility with
  90. // prior, NT4, machines.
  91. //
  93. //
  94. // Level 0 means - no gain in security. NTLM is always allowed,
  95. // even if mutual authentication is requested
  96. //
  97. #define NEG_NEGLEVEL_NO_SECURITY 0
  99. //
  100. // Level 1 means best compatibility with NT4. NTLM is allowed
  101. // if there is a valid downgrade from a mutual auth protocol.
  102. // Mutual auth response is fudged in this case
  103. //
  104. #define NEG_NEGLEVEL_COMPATIBILITY 1
  106. //
  107. // Level 2 is the ideal level. Mutual auth is enforced, no
  108. // fallback to NTLM is allowed.
  109. //
  110. #define NEG_NEGLEVEL_NO_DOWNGRADE 2
  112. typedef struct _NEG_EXTRA_OID {
  113. ULONG Attributes ;
  114. ObjectID Oid ;
  115. } NEG_EXTRA_OID, * PNEG_EXTRA_OID ;
  118. typedef struct _NEG_PACKAGE {
  119. LIST_ENTRY List; // Package list
  120. PLSAP_SECURITY_PACKAGE LsaPackage; // LSA package structure
  121. ASN1objectidentifier_t ObjectId; // OID for this package
  122. struct _NEG_PACKAGE * RealPackage ; // pointer back to the "real" package
  123. ULONG Flags; // Flags
  124. ULONG TokenSize; // Token size
  125. ULONG PackageFlags; // Package Flags
  126. ULONG PrefixLen ;
  127. UCHAR Prefix[ NEGOTIATE_MAX_PREFIX ];
  128. } NEG_PACKAGE, * PNEG_PACKAGE ;
  130. //
  131. // Flags for the negotiate package structure:
  132. //
  134. #define NEG_PREFERRED 0x00000001 // Preferred package
  135. #define NEG_NT4_COMPAT 0x00000002 // NT4 compatible package
  136. #define NEG_PACKAGE_EXTRA_OID 0x00000004 // Package is an extra OID for existing package
  137. #define NEG_PACKAGE_INBOUND 0x00000008 // Package is available for inbound
  138. #define NEG_PACKAGE_OUTBOUND 0x00000010 // Package is available for outbound
  139. #define NEG_PACKAGE_LOOPBACK 0x00000020 // Package is preferred loopback handler
  140. #define NEG_PACKAGE_HAS_EXTRAS 0x00000040 // Package has extra OIDS.
  142. typedef struct _NEG_CRED_HANDLE {
  143. PNEG_PACKAGE Package;
  144. CredHandle Handle;
  145. ULONG Flags;
  146. } NEG_CRED_HANDLE, * PNEG_CRED_HANDLE ;
  148. #define NEG_CREDHANDLE_EXTRA_OID 0x00000001
  151. typedef struct _NEG_CREDS {
  152. ULONG Tag ;
  153. ULONG RefCount;
  154. LIST_ENTRY List;
  155. ULONG Flags ;
  156. ULONG_PTR DefaultPackage;
  157. RTL_CRITICAL_SECTION CredLock;
  158. LIST_ENTRY AdditionalCreds ;
  159. TimeStamp Expiry ;
  160. LUID ClientLogonId ;
  161. DWORD ClientProcessId ;
  162. DWORD Count ;
  163. PUCHAR ServerBuffer ;
  164. DWORD ServerBufferLength ;
  165. NEG_CRED_HANDLE Creds[ANYSIZE_ARRAY];
  166. } NEG_CREDS, * PNEG_CREDS;
  168. // deprecated in .NET server
  169. //#define NEGCRED_MULTI 0x00000004 // contains multiple credentials
  170. #define NEGCRED_USE_SNEGO 0x00000008 // Force snego use
  171. #define NEGCRED_KERNEL_CALLER 0x00000010 // This is a kernel caller
  172. #define NEGCRED_EXPLICIT_CREDS 0x00000020 // Explicit creds passed in
  173. // deprecated in .NET server
  174. //#define NEGCRED_MULTI_PART 0x00000040 // Is part of a multi-part credential
  175. #define NEGCRED_ALLOW_NTLM 0x00000080 // Allow negotiate down to NTLM
  176. #define NEGCRED_NEG_NTLM 0x00000100 // Negotiate NTLM
  177. #define NEGCRED_NTLM_LOOPBACK 0x00000200 // Use NTLM on loopbacks
  178. #define NEGCRED_DOMAIN_EXPLICIT_CREDS 0x00000400 // Explicit creds with supplied domain passed in
  181. //
  182. // Special flags to AcquireCredHandle:
  183. //
  184. #define NEG_CRED_DONT_LINK 0x80000000
  185. #
  187. #define NEGCRED_DUP_MASK ( NEGCRED_KERNEL_CALLER )
  189. #define NEGCRED_TAG 'drCN'
  194. typedef struct _NEG_CONTEXT {
  195. ULONG CheckMark;
  196. PNEG_CREDS Creds;
  197. ULONG_PTR CredIndex;
  198. CtxtHandle Handle;
  199. SECURITY_STRING Target;
  200. ULONG Attributes;
  201. SecBuffer MappedBuffer;
  202. BOOLEAN Mapped;
  203. UCHAR CallCount ;
  204. SECURITY_STATUS LastStatus;
  205. PCHECKSUM_FUNCTION Check;
  206. PCHECKSUM_BUFFER Buffer;
  207. TimeStamp Expiry;
  208. ULONG Flags;
  209. PUCHAR Message ;
  210. ULONG CurrentSize ;
  211. ULONG TotalSize ;
  212. struct MechTypeList *SupportedMechs;
  213. } NEG_CONTEXT, * PNEG_CONTEXT;
  215. #define NEGCONTEXT_CHECK 'XgeN'
  216. #define NEGCONTEXT2_CHECK '2geN'
  218. #define NEGOPT_HONOR_SERVER_PREF 0x00000001
  220. //
  221. // Negotiate context flags
  222. //
  224. #define NEG_CONTEXT_PACKAGE_CALLED 0x01 // Have called a package
  225. #define NEG_CONTEXT_FREE_EACH_MECH 0x02 // Free all mechs
  226. #define NEG_CONTEXT_NEGOTIATING 0x04 // Many round trips
  227. #define NEG_CONTEXT_FRAGMENTING 0x08 // Fragmented blob
  228. #define NEG_CONTEXT_FRAG_INBOUND 0x10 // assembling an input
  229. #define NEG_CONTEXT_FRAG_OUTBOUND 0x20 // providing an output
  230. #define NEG_CONTEXT_UPLEVEL 0x40 // Stick to the RFC2478
  231. #define NEG_CONTEXT_MUTUAL_AUTH 0x80 // set mutual auth bit
  233. #define NEG_INVALID_PACKAGE ((ULONG_PTR) -1)
  235. //
  236. // Fifteen minutes in standard time
  237. //
  239. #define FIFTEEN_MINUTES ( 15I64 * 60I64 * 10000000I64 )
  242. typedef struct _NEG_LOGON_SESSION {
  243. LIST_ENTRY List ;
  244. ULONG_PTR CreatingPackage ; // Package that created this logon
  245. ULONG_PTR DefaultPackage ; // Default package to use for this logon
  246. UNICODE_STRING AlternateName ; // Alternate name associated with this logon
  247. LUID LogonId ; // Logon Id of this logon
  248. LUID ParentLogonId ; // Logon Id of creating session
  249. ULONG RefCount ; // Ref
  250. } NEG_LOGON_SESSION, * PNEG_LOGON_SESSION ;
  253. typedef struct _NEG_TRUST_LIST {
  254. ULONG RefCount ; // Refcount for trust list
  255. ULONG TrustCount ; // Number of trusts
  256. PDS_DOMAIN_TRUSTS Trusts ; // Array of trusts
  257. } NEG_TRUST_LIST, *PNEG_TRUST_LIST ;
  259. typedef enum _NEG_DOMAIN_TYPES {
  260. NegUpLevelDomain,
  261. NegUpLevelTrustedDomain,
  262. NegDownLevelDomain,
  263. NegLocalDomain
  264. } NEG_DOMAIN_TYPES ;
  266. //
  267. // Variables global to the neg* source files:
  268. //
  270. extern LIST_ENTRY NegPackageList;
  271. extern LIST_ENTRY NegCredList;
  272. extern LIST_ENTRY NegLogonSessionList ;
  273. extern RTL_RESOURCE NegLock;
  274. extern RTL_CRITICAL_SECTION NegLogonSessionListLock ;
  275. extern RTL_CRITICAL_SECTION NegTrustListLock ;
  276. extern PNEG_TRUST_LIST NegTrustList ;
  277. extern LARGE_INTEGER NegTrustTime ;
  278. extern LIST_ENTRY NegDefaultCredList ;
  279. extern RTL_CRITICAL_SECTION NegComputerNamesLock;
  280. extern UNICODE_STRING NegNetbiosComputerName_U;
  281. extern UNICODE_STRING NegDnsComputerName_U;
  282. extern PVOID NegNotifyHandle;
  283. extern DWORD NegPackageCount;
  284. extern PUCHAR NegBlob;
  285. extern DWORD NegBlobSize;
  286. extern DWORD NegOptions;
  287. extern BOOL NegUplevelDomain ;
  288. extern DWORD_PTR NegPackageId ;
  289. extern DWORD_PTR NtlmPackageId ;
  290. extern UCHAR NegSpnegoMechEncodedOid[ 8 ];
  291. extern ULONG NegMachineState;
  292. extern ObjectID NegNtlmMechOid ;
  293. extern DWORD NegEventLogLevel ;
  294. extern UNICODE_STRING NegLocalHostName_U ;
  295. extern WCHAR NegLocalHostName[] ;
  297. #define NegWriteLockList() RtlAcquireResourceExclusive( &NegLock, TRUE )
  298. #define NegReadLockList() RtlAcquireResourceShared( &NegLock, TRUE )
  299. #define NegUnlockList() RtlReleaseResource( &NegLock )
  301. #define NegWriteLockComputerNames() RtlEnterCriticalSection( &NegComputerNamesLock )
  302. #define NegReadLockComputerNames() RtlEnterCriticalSection( &NegComputerNamesLock )
  303. #define NegUnlockComputerNames() RtlLeaveCriticalSection( &NegComputerNamesLock )
  305. #define NegWriteLockCredList() RtlAcquireResourceExclusive( &NegCredListLock, TRUE )
  306. #define NegReadLockCredList() RtlAcquireResourceShared( &NegCredListLock, TRUE )
  307. #define NegUnlockCredList() RtlReleaseResource( &NegCredListLock )
  309. ULONG
  310. NegGetPackageCaps(
  311. ULONG ContextReq
  312. );
  315. #define NegWriteLockCreds(p) RtlEnterCriticalSection( &((PNEG_CREDS) p)->CredLock );
  316. #define NegReadLockCreds(p) RtlEnterCriticalSection( &((PNEG_CREDS) p)->CredLock );
  317. #define NegUnlockCreds(p) RtlLeaveCriticalSection( &((PNEG_CREDS) p)->CredLock );
  319. #define NEG_MECH_LIMIT 16
  321. typedef enum _NEG_MATCH {
  322. MatchUnknown,
  323. PreferredSucceed,
  324. MatchSucceed,
  325. MatchFailed
  326. } NEG_MATCH ;
  328. #if DBG
  329. #define NegDumpOid(s,i) NegpDumpOid(s,i)
  330. #else
  331. #define NegDumpOid(s,i)
  332. #endif
  334. #if DBG
  335. #define NegpValidContext( C ) if (C) DsysAssert( ((PNEG_CONTEXT) C)->CheckMark == NEGCONTEXT_CHECK ) else DsysAssert( C )
  336. #else
  337. #define NegpValidContext( C )
  338. #endif
  340. #define NegpIsValidContext( C ) ((((PNEG_CONTEXT) C)->CheckMark == NEGCONTEXT_CHECK ) ? TRUE : FALSE )
  344. //
  345. // Prototypes
  346. //
  348. SECURITY_STATUS
  349. SpnegoInitAsn(
  350. IN OUT ASN1encoding_t * pEnc,
  351. IN OUT ASN1decoding_t * pDec
  352. );
  354. VOID
  355. SpnegoTermAsn(
  356. IN ASN1encoding_t pEnc,
  357. IN ASN1decoding_t pDec
  358. );
  360. SECURITY_STATUS
  361. SpnegoAsnErrorToSecStatus(
  362. IN ASN1error_e Asn1Err
  363. );
  365. SECURITY_STATUS
  366. SpnegoPackData(
  367. IN PVOID Data,
  368. IN ULONG PduValue,
  369. OUT PULONG DataSize,
  370. OUT PUCHAR * MarshalledData
  371. );
  373. SECURITY_STATUS
  374. SpnegoUnpackData(
  375. IN PUCHAR Data,
  376. IN ULONG DataSize,
  377. IN ULONG PduValue,
  378. OUT PVOID * DecodedData
  379. );
  381. VOID
  382. SpnegoFreeData(
  383. IN ULONG PduValue,
  384. IN PVOID Data
  385. );
  387. ObjectID
  388. NegpDecodeObjectId(
  389. PUCHAR Id,
  390. DWORD Len);
  392. ObjectID
  393. NegpCopyObjectId(
  394. IN ObjectID Id
  395. );
  397. VOID
  398. NegpFreeObjectId(
  399. ObjectID Id);
  402. SECURITY_STATUS
  403. NegpBuildMechListFromCreds(
  404. PNEG_CREDS Creds,
  405. ULONG fContextReq,
  406. ULONG MechAttributes,
  407. struct MechTypeList ** MechList);
  410. VOID
  411. NegpFreeMechList(
  412. struct MechTypeList *MechList);
  415. struct MechTypeList *
  416. NegpCopyMechList(
  417. struct MechTypeList *MechList);
  419. ULONG_PTR
  420. NegpFindPackageForOid(
  421. PNEG_CREDS Creds,
  422. ObjectID Oid);
  424. int
  425. NegpCompareOid(
  426. ObjectID A,
  427. ObjectID B);
  429. SECURITY_STATUS
  430. NegpParseBuffers(
  431. PSecBufferDesc pMessage,
  432. BOOL Map,
  433. PSecBuffer * pToken,
  434. PSecBuffer * pEmpty);
  436. VOID
  437. NegpDumpOid(
  438. PSTR Banner,
  439. ObjectID Id
  440. );
  442. ULONG
  443. NegoMapNegFlagsToPackageFlags(
  444. IN int NegFlags
  445. );
  446. int
  447. NegoMapNegFlasgToContextFlags(
  448. IN ULONG ContextFlags
  449. );
  452. int
  453. Neg_der_read_length(
  454. unsigned char **buf,
  455. LONG *bufsize,
  456. LONG * headersize
  457. );
  460. SECURITY_STATUS
  461. NegAddFragmentToContext(
  462. PNEG_CONTEXT Context,
  463. PSecBuffer Fragment
  464. );
  466. SECURITY_STATUS
  467. SEC_ENTRY
  468. NegCreateContextFromFragment(
  469. LSA_SEC_HANDLE dwCredHandle,
  470. LSA_SEC_HANDLE dwCtxtHandle,
  471. PSecBuffer Buffer,
  472. ULONG fContextReq,
  473. ULONG TargetDataRep,
  474. PLSA_SEC_HANDLE pdwNewContext,
  475. PSecBufferDesc pOutput,
  476. PULONG pfContextAttr
  477. );
  479. #ifdef __SPMGR_H__
  481. #endif
  482. PNEG_LOGON_SESSION
  483. NegpLocateLogonSession(
  484. PLUID LogonId
  485. );
  488. NEG_DOMAIN_TYPES
  489. NegpIsUplevelDomain(
  490. PLUID LogonId,
  491. SECURITY_LOGON_TYPE LogonType,
  492. PUNICODE_STRING Domain
  493. );
  495. VOID
  496. NegpDerefLogonSession(
  497. PNEG_LOGON_SESSION LogonSession
  498. );
  500. NTSTATUS
  501. NegpDetermineTokenPackage(
  502. IN ULONG_PTR CredHandle,
  503. IN PSecBuffer InitialToken,
  504. OUT PULONG PackageIndex
  505. );
  507. NTSTATUS
  508. NegpGetTokenOid(
  509. IN PUCHAR Buf,
  510. OUT ULONG BufSize,
  511. OUT ObjectID * ObjectId
  512. );
  514. VOID
  515. NegpReleaseCreds(
  516. PNEG_CREDS pCreds,
  517. BOOLEAN CleanupCall
  518. );
  520. NTSTATUS
  521. NegpCopyCredsToBuffer(
  522. IN PSECPKG_PRIMARY_CRED PrimaryCred,
  523. IN PSECPKG_SUPPLEMENTAL_CRED SupplementalCred,
  524. OUT PSECPKG_PRIMARY_CRED PrimaryCredCopy OPTIONAL,
  525. OUT PSECPKG_SUPPLEMENTAL_CRED SupplementalCredCopy OPTIONAL
  526. );
  529. BOOL
  530. NegpRearrangeMechsIfNeccessary(
  531. struct MechTypeList ** MechList,
  532. PSECURITY_STRING Target,
  533. PBOOL DirectPacket
  534. );
  536. VOID
  537. NegpReadRegistryParameters(
  538. HKEY Key
  539. );
  541. //
  542. // NT-specific functions
  543. //
  545. DWORD
  546. WINAPI
  547. NegParamChange(
  548. PVOID p
  549. );
  552. PNEG_TRUST_LIST
  553. NegpGetTrustList(
  554. VOID
  555. );
  557. VOID
  558. NegpDerefTrustList(
  559. PNEG_TRUST_LIST TrustList
  560. );
  562. VOID
  563. NegpReportEvent(
  564. IN WORD EventType,
  565. IN DWORD EventId,
  566. IN DWORD Category,
  567. IN NTSTATUS Status,
  568. IN DWORD NumberOfStrings,
  569. ...
  570. );
  572. VOID
  573. NTAPI
  574. NegLsaPolicyChangeCallback(
  575. IN POLICY_NOTIFICATION_INFORMATION_CLASS ChangedInfoClass
  576. );
  579. NTSTATUS
  580. NegEnumPackagePrefixesCall(
  581. IN PLSA_CLIENT_REQUEST ClientRequest,
  582. IN PVOID ProtocolSubmitBuffer,
  583. IN PVOID ClientBufferBase,
  584. IN ULONG SubmitBufferLength,
  585. OUT PVOID *ProtocolReturnBuffer,
  586. OUT PULONG ReturnBufferLength,
  587. OUT PNTSTATUS ProtocolStatus
  588. );
  591. NTSTATUS
  592. NegGetCallerNameCall(
  593. IN PLSA_CLIENT_REQUEST ClientRequest,
  594. IN PVOID ProtocolSubmitBuffer,
  595. IN PVOID ClientBufferBase,
  596. IN ULONG SubmitBufferLength,
  597. OUT PVOID *ProtocolReturnBuffer,
  598. OUT PULONG ReturnBufferLength,
  599. OUT PNTSTATUS ProtocolStatus
  600. );
  602. PNEG_LOGON_SESSION
  603. NegpBuildLogonSession(
  604. PLUID LogonId,
  605. ULONG_PTR LogonPackage,
  606. ULONG_PTR DefaultPackage
  607. );
  609. VOID
  610. NegpDerefLogonSession(
  611. PNEG_LOGON_SESSION LogonSession
  612. );
  614. VOID
  615. NegpDerefLogonSessionById(
  616. PLUID LogonId
  617. );
  620. PNEG_LOGON_SESSION
  621. NegpLocateLogonSession(
  622. PLUID LogonId
  623. );
  627. NTSTATUS
  628. NTAPI
  629. NegpMapLogonRequest(
  630. IN PVOID ProtocolSubmitBuffer,
  631. IN PVOID ClientBufferBase,
  632. IN ULONG SubmitBufferSize,
  633. OUT PMSV1_0_INTERACTIVE_LOGON * LogonInfo
  634. );
  636. #endif // __NEGOTIAT_HXX__