archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/public/sdk/inc/ntsecpkg.h

1894 lines
56 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++ BUILD Version: 0000 Increment this if a change has global effects
  3. Copyright (c) Microsoft Corporation. All rights reserved.
  5. Module Name:
  7. ntsecpkg.h
  9. Abstract:
  11. This module defines the structures and APIs for use by a
  12. authentication or security package.
  14. Revision History:
  16. --*/
  18. #ifndef _NTSECPKG_
  19. #define _NTSECPKG_
  21. #ifdef __cplusplus
  22. extern "C" {
  23. #endif
  26. /////////////////////////////////////////////////////////////////////////
  27. // //
  28. // Data types used by authentication packages //
  29. // //
  30. /////////////////////////////////////////////////////////////////////////
  32. //
  33. // opaque data type which represents a client request
  34. //
  36. typedef PVOID *PLSA_CLIENT_REQUEST;
  39. //
  40. // When a logon of a user is requested, the authentication package
  41. // is expected to return one of the following structures indicating
  42. // the contents of a user's token.
  43. //
  45. typedef enum _LSA_TOKEN_INFORMATION_TYPE {
  46. LsaTokenInformationNull, // Implies LSA_TOKEN_INFORMATION_NULL data type
  47. LsaTokenInformationV1, // Implies LSA_TOKEN_INFORMATION_V1 data type
  48. LsaTokenInformationV2 // Implies LSA_TOKEN_INFORMATION_V2 data type
  49. } LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;
  52. //
  53. // The NULL information is used in cases where a non-authenticated
  54. // system access is needed. For example, a non-authentication network
  55. // circuit (such as LAN Manager's null session) can be given NULL
  56. // information. This will result in an anonymous token being generated
  57. // for the logon that gives the user no ability to access protected system
  58. // resources, but does allow access to non-protected system resources.
  59. //
  61. typedef struct _LSA_TOKEN_INFORMATION_NULL {
  63. //
  64. // Time at which the security context becomes invalid.
  65. // Use a value in the distant future if the context
  66. // never expires.
  67. //
  69. LARGE_INTEGER ExpirationTime;
  71. //
  72. // The SID(s) of groups the user is to be made a member of. This should
  73. // not include WORLD or other system defined and assigned
  74. // SIDs. These will be added automatically by LSA.
  75. //
  76. // Each SID is expected to be in a separately allocated block
  77. // of memory. The TOKEN_GROUPS structure is also expected to
  78. // be in a separately allocated block of memory.
  79. //
  81. PTOKEN_GROUPS Groups;
  83. } LSA_TOKEN_INFORMATION_NULL, *PLSA_TOKEN_INFORMATION_NULL;
  86. //
  87. // The V1 token information structure is superceeded by the V2 token
  88. // information structure. The V1 strucure should only be used for
  89. // backwards compatability.
  90. // This structure contains information that an authentication package
  91. // can place in a Version 1 NT token object.
  92. //
  94. typedef struct _LSA_TOKEN_INFORMATION_V1 {
  96. //
  97. // Time at which the security context becomes invalid.
  98. // Use a value in the distant future if the context
  99. // never expires.
  100. //
  102. LARGE_INTEGER ExpirationTime;
  104. //
  105. // The SID of the user logging on. The SID value is in a
  106. // separately allocated block of memory.
  107. //
  109. TOKEN_USER User;
  111. //
  112. // The SID(s) of groups the user is a member of. This should
  113. // not include WORLD or other system defined and assigned
  114. // SIDs. These will be added automatically by LSA.
  115. //
  116. // Each SID is expected to be in a separately allocated block
  117. // of memory. The TOKEN_GROUPS structure is also expected to
  118. // be in a separately allocated block of memory.
  119. //
  121. PTOKEN_GROUPS Groups;
  123. //
  124. // This field is used to establish the primary group of the user.
  125. // This value does not have to correspond to one of the SIDs
  126. // assigned to the user.
  127. //
  128. // The SID pointed to by this structure is expected to be in
  129. // a separately allocated block of memory.
  130. //
  131. // This field is mandatory and must be filled in.
  132. //
  134. TOKEN_PRIMARY_GROUP PrimaryGroup;
  138. //
  139. // The privileges the user is assigned. This list of privileges
  140. // will be augmented or over-ridden by any local security policy
  141. // assigned privileges.
  142. //
  143. // Each privilege is expected to be in a separately allocated
  144. // block of memory. The TOKEN_PRIVILEGES structure is also
  145. // expected to be in a separately allocated block of memory.
  146. //
  147. // If there are no privileges to assign to the user, this field
  148. // may be set to NULL.
  149. //
  151. PTOKEN_PRIVILEGES Privileges;
  155. //
  156. // This field may be used to establish an explicit default
  157. // owner. Normally, the user ID is used as the default owner.
  158. // If another value is desired, it must be specified here.
  159. //
  160. // The Owner.Sid field may be set to NULL to indicate there is no
  161. // alternate default owner value.
  162. //
  164. TOKEN_OWNER Owner;
  166. //
  167. // This field may be used to establish a default
  168. // protection for the user. If no value is provided, then
  169. // a default protection that grants everyone all access will
  170. // be established.
  171. //
  172. // The DefaultDacl.DefaultDacl field may be set to NULL to indicate
  173. // there is no default protection.
  174. //
  176. TOKEN_DEFAULT_DACL DefaultDacl;
  178. } LSA_TOKEN_INFORMATION_V1, *PLSA_TOKEN_INFORMATION_V1;
  180. //
  181. // The V2 information is used in most cases of logon. The structure is identical
  182. // to the V1 token information structure, with the exception that the memory allocation
  183. // is handled differently. The LSA_TOKEN_INFORMATION_V2 structure is intended to be
  184. // allocated monolithiclly, with the privileges, DACL, sids, and group array either part of
  185. // same allocation, or allocated and freed externally.
  186. //
  188. typedef LSA_TOKEN_INFORMATION_V1 LSA_TOKEN_INFORMATION_V2, *PLSA_TOKEN_INFORMATION_V2;
  191. /////////////////////////////////////////////////////////////////////////
  192. // //
  193. // Interface definitions available for use by authentication packages //
  194. // //
  195. /////////////////////////////////////////////////////////////////////////
  199. typedef NTSTATUS
  200. (NTAPI LSA_CREATE_LOGON_SESSION) (
  201. IN PLUID LogonId
  202. );
  204. typedef NTSTATUS
  205. (NTAPI LSA_DELETE_LOGON_SESSION) (
  206. IN PLUID LogonId
  207. );
  209. typedef NTSTATUS
  210. (NTAPI LSA_ADD_CREDENTIAL) (
  211. IN PLUID LogonId,
  212. IN ULONG AuthenticationPackage,
  213. IN PLSA_STRING PrimaryKeyValue,
  214. IN PLSA_STRING Credentials
  215. );
  217. typedef NTSTATUS
  218. (NTAPI LSA_GET_CREDENTIALS) (
  219. IN PLUID LogonId,
  220. IN ULONG AuthenticationPackage,
  221. IN OUT PULONG QueryContext,
  222. IN BOOLEAN RetrieveAllCredentials,
  223. IN PLSA_STRING PrimaryKeyValue,
  224. OUT PULONG PrimaryKeyLength,
  225. IN PLSA_STRING Credentials
  226. );
  228. typedef NTSTATUS
  229. (NTAPI LSA_DELETE_CREDENTIAL) (
  230. IN PLUID LogonId,
  231. IN ULONG AuthenticationPackage,
  232. IN PLSA_STRING PrimaryKeyValue
  233. );
  235. typedef PVOID
  236. (NTAPI LSA_ALLOCATE_LSA_HEAP) (
  237. IN ULONG Length
  238. );
  240. typedef VOID
  241. (NTAPI LSA_FREE_LSA_HEAP) (
  242. IN PVOID Base
  243. );
  245. typedef PVOID
  246. (NTAPI LSA_ALLOCATE_PRIVATE_HEAP) (
  247. IN SIZE_T Length
  248. );
  250. typedef VOID
  251. (NTAPI LSA_FREE_PRIVATE_HEAP) (
  252. IN PVOID Base
  253. );
  255. typedef NTSTATUS
  256. (NTAPI LSA_ALLOCATE_CLIENT_BUFFER) (
  257. IN PLSA_CLIENT_REQUEST ClientRequest,
  258. IN ULONG LengthRequired,
  259. OUT PVOID *ClientBaseAddress
  260. );
  262. typedef NTSTATUS
  263. (NTAPI LSA_FREE_CLIENT_BUFFER) (
  264. IN PLSA_CLIENT_REQUEST ClientRequest,
  265. IN PVOID ClientBaseAddress
  266. );
  268. typedef NTSTATUS
  269. (NTAPI LSA_COPY_TO_CLIENT_BUFFER) (
  270. IN PLSA_CLIENT_REQUEST ClientRequest,
  271. IN ULONG Length,
  272. IN PVOID ClientBaseAddress,
  273. IN PVOID BufferToCopy
  274. );
  276. typedef NTSTATUS
  277. (NTAPI LSA_COPY_FROM_CLIENT_BUFFER) (
  278. IN PLSA_CLIENT_REQUEST ClientRequest,
  279. IN ULONG Length,
  280. IN PVOID BufferToCopy,
  281. IN PVOID ClientBaseAddress
  282. );
  284. typedef LSA_CREATE_LOGON_SESSION * PLSA_CREATE_LOGON_SESSION ;
  285. typedef LSA_DELETE_LOGON_SESSION * PLSA_DELETE_LOGON_SESSION ;
  286. typedef LSA_ADD_CREDENTIAL * PLSA_ADD_CREDENTIAL ;
  287. typedef LSA_GET_CREDENTIALS * PLSA_GET_CREDENTIALS ;
  288. typedef LSA_DELETE_CREDENTIAL * PLSA_DELETE_CREDENTIAL ;
  289. typedef LSA_ALLOCATE_LSA_HEAP * PLSA_ALLOCATE_LSA_HEAP ;
  290. typedef LSA_FREE_LSA_HEAP * PLSA_FREE_LSA_HEAP ;
  291. typedef LSA_ALLOCATE_PRIVATE_HEAP * PLSA_ALLOCATE_PRIVATE_HEAP ;
  292. typedef LSA_FREE_PRIVATE_HEAP * PLSA_FREE_PRIVATE_HEAP ;
  293. typedef LSA_ALLOCATE_CLIENT_BUFFER * PLSA_ALLOCATE_CLIENT_BUFFER ;
  294. typedef LSA_FREE_CLIENT_BUFFER * PLSA_FREE_CLIENT_BUFFER ;
  295. typedef LSA_COPY_TO_CLIENT_BUFFER * PLSA_COPY_TO_CLIENT_BUFFER ;
  296. typedef LSA_COPY_FROM_CLIENT_BUFFER * PLSA_COPY_FROM_CLIENT_BUFFER ;
  298. //
  299. // The dispatch table of LSA services which are available to
  300. // authentication packages.
  301. //
  302. typedef struct _LSA_DISPATCH_TABLE {
  303. PLSA_CREATE_LOGON_SESSION CreateLogonSession;
  304. PLSA_DELETE_LOGON_SESSION DeleteLogonSession;
  305. PLSA_ADD_CREDENTIAL AddCredential;
  306. PLSA_GET_CREDENTIALS GetCredentials;
  307. PLSA_DELETE_CREDENTIAL DeleteCredential;
  308. PLSA_ALLOCATE_LSA_HEAP AllocateLsaHeap;
  309. PLSA_FREE_LSA_HEAP FreeLsaHeap;
  310. PLSA_ALLOCATE_CLIENT_BUFFER AllocateClientBuffer;
  311. PLSA_FREE_CLIENT_BUFFER FreeClientBuffer;
  312. PLSA_COPY_TO_CLIENT_BUFFER CopyToClientBuffer;
  313. PLSA_COPY_FROM_CLIENT_BUFFER CopyFromClientBuffer;
  314. } LSA_DISPATCH_TABLE, *PLSA_DISPATCH_TABLE;
  318. ////////////////////////////////////////////////////////////////////////////
  319. // //
  320. // Interface definitions of services provided by authentication packages //
  321. // //
  322. ////////////////////////////////////////////////////////////////////////////
  326. //
  327. // Routine names
  328. //
  329. // The routines provided by the DLL must be assigned the following names
  330. // so that their addresses can be retrieved when the DLL is loaded.
  331. //
  333. #define LSA_AP_NAME_INITIALIZE_PACKAGE "LsaApInitializePackage\0"
  334. #define LSA_AP_NAME_LOGON_USER "LsaApLogonUser\0"
  335. #define LSA_AP_NAME_LOGON_USER_EX "LsaApLogonUserEx\0"
  336. #define LSA_AP_NAME_CALL_PACKAGE "LsaApCallPackage\0"
  337. #define LSA_AP_NAME_LOGON_TERMINATED "LsaApLogonTerminated\0"
  338. #define LSA_AP_NAME_CALL_PACKAGE_UNTRUSTED "LsaApCallPackageUntrusted\0"
  339. #define LSA_AP_NAME_CALL_PACKAGE_PASSTHROUGH "LsaApCallPackagePassthrough\0"
  342. //
  343. // Routine templates
  344. //
  347. typedef NTSTATUS
  348. (NTAPI LSA_AP_INITIALIZE_PACKAGE) (
  349. IN ULONG AuthenticationPackageId,
  350. IN PLSA_DISPATCH_TABLE LsaDispatchTable,
  351. IN PLSA_STRING Database OPTIONAL,
  352. IN PLSA_STRING Confidentiality OPTIONAL,
  353. OUT PLSA_STRING *AuthenticationPackageName
  354. );
  356. typedef NTSTATUS
  357. (NTAPI LSA_AP_LOGON_USER) (
  358. IN PLSA_CLIENT_REQUEST ClientRequest,
  359. IN SECURITY_LOGON_TYPE LogonType,
  360. IN PVOID AuthenticationInformation,
  361. IN PVOID ClientAuthenticationBase,
  362. IN ULONG AuthenticationInformationLength,
  363. OUT PVOID *ProfileBuffer,
  364. OUT PULONG ProfileBufferLength,
  365. OUT PLUID LogonId,
  366. OUT PNTSTATUS SubStatus,
  367. OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  368. OUT PVOID *TokenInformation,
  369. OUT PLSA_UNICODE_STRING *AccountName,
  370. OUT PLSA_UNICODE_STRING *AuthenticatingAuthority
  371. );
  373. typedef NTSTATUS
  374. (NTAPI LSA_AP_LOGON_USER_EX) (
  375. IN PLSA_CLIENT_REQUEST ClientRequest,
  376. IN SECURITY_LOGON_TYPE LogonType,
  377. IN PVOID AuthenticationInformation,
  378. IN PVOID ClientAuthenticationBase,
  379. IN ULONG AuthenticationInformationLength,
  380. OUT PVOID *ProfileBuffer,
  381. OUT PULONG ProfileBufferLength,
  382. OUT PLUID LogonId,
  383. OUT PNTSTATUS SubStatus,
  384. OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  385. OUT PVOID *TokenInformation,
  386. OUT PUNICODE_STRING *AccountName,
  387. OUT PUNICODE_STRING *AuthenticatingAuthority,
  388. OUT PUNICODE_STRING *MachineName
  389. );
  391. typedef NTSTATUS
  392. (NTAPI LSA_AP_CALL_PACKAGE) (
  393. IN PLSA_CLIENT_REQUEST ClientRequest,
  394. IN PVOID ProtocolSubmitBuffer,
  395. IN PVOID ClientBufferBase,
  396. IN ULONG SubmitBufferLength,
  397. OUT PVOID *ProtocolReturnBuffer,
  398. OUT PULONG ReturnBufferLength,
  399. OUT PNTSTATUS ProtocolStatus
  400. );
  402. typedef NTSTATUS
  403. (NTAPI LSA_AP_CALL_PACKAGE_PASSTHROUGH) (
  404. IN PLSA_CLIENT_REQUEST ClientRequest,
  405. IN PVOID ProtocolSubmitBuffer,
  406. IN PVOID ClientBufferBase,
  407. IN ULONG SubmitBufferLength,
  408. OUT PVOID *ProtocolReturnBuffer,
  409. OUT PULONG ReturnBufferLength,
  410. OUT PNTSTATUS ProtocolStatus
  411. );
  413. typedef VOID
  414. (NTAPI LSA_AP_LOGON_TERMINATED) (
  415. IN PLUID LogonId
  416. );
  418. typedef LSA_AP_CALL_PACKAGE LSA_AP_CALL_PACKAGE_UNTRUSTED;
  420. typedef LSA_AP_INITIALIZE_PACKAGE * PLSA_AP_INITIALIZE_PACKAGE ;
  421. typedef LSA_AP_LOGON_USER * PLSA_AP_LOGON_USER ;
  422. typedef LSA_AP_LOGON_USER_EX * PLSA_AP_LOGON_USER_EX ;
  423. typedef LSA_AP_CALL_PACKAGE * PLSA_AP_CALL_PACKAGE ;
  424. typedef LSA_AP_CALL_PACKAGE_PASSTHROUGH * PLSA_AP_CALL_PACKAGE_PASSTHROUGH ;
  425. typedef LSA_AP_LOGON_TERMINATED * PLSA_AP_LOGON_TERMINATED ;
  426. typedef LSA_AP_CALL_PACKAGE_UNTRUSTED * PLSA_AP_CALL_PACKAGE_UNTRUSTED ;
  429. #ifndef _SAM_CREDENTIAL_UPDATE_DEFINED
  430. #define _SAM_CREDENTIAL_UPDATE_DEFINED
  432. typedef NTSTATUS (*PSAM_CREDENTIAL_UPDATE_NOTIFY_ROUTINE) (
  433. IN PUNICODE_STRING ClearPassword,
  434. IN PVOID OldCredentials,
  435. IN ULONG OldCredentialSize,
  436. IN ULONG UserAccountControl,
  437. IN PUNICODE_STRING UPN, OPTIONAL
  438. IN PUNICODE_STRING UserName,
  439. IN PUNICODE_STRING NetbiosDomainName,
  440. IN PUNICODE_STRING DnsDomainName,
  441. OUT PVOID * NewCredentials,
  442. OUT ULONG * NewCredentialSize
  443. );
  445. #define SAM_CREDENTIAL_UPDATE_NOTIFY_ROUTINE "CredentialUpdateNotify"
  447. typedef BOOLEAN (*PSAM_CREDENTIAL_UPDATE_REGISTER_ROUTINE) (
  448. OUT PUNICODE_STRING CredentialName
  449. );
  451. #define SAM_CREDENTIAL_UPDATE_REGISTER_ROUTINE "CredentialUpdateRegister"
  453. typedef VOID (*PSAM_CREDENTIAL_UPDATE_FREE_ROUTINE) (
  454. IN PVOID p
  455. );
  457. #define SAM_CREDENTIAL_UPDATE_FREE_ROUTINE "CredentialUpdateFree"
  459. #endif // _SAM_CREDENTIAL_UPDATE_DEFINED
  462. #ifdef SECURITY_KERNEL
  463. //
  464. // Can't use the windows.h def'ns in kernel mode.
  465. //
  466. typedef PVOID SEC_THREAD_START;
  467. typedef PVOID SEC_ATTRS;
  468. #else
  469. typedef LPTHREAD_START_ROUTINE SEC_THREAD_START;
  470. typedef LPSECURITY_ATTRIBUTES SEC_ATTRS;
  471. #endif
  474. #define SecEqualLuid(L1, L2) \
  475. ( ( ((PLUID)L1)->LowPart == ((PLUID)L2)->LowPart ) && \
  476. ( ((PLUID)L1)->HighPart == ((PLUID)L2)->HighPart ) ) \
  478. #define SecIsZeroLuid( L1 ) \
  479. ( ( L1->LowPart | L1->HighPart ) == 0 )
  481. //
  482. // The following structures are used by the helper functions
  483. //
  485. typedef struct _SECPKG_CLIENT_INFO {
  486. LUID LogonId; // Effective Logon Id
  487. ULONG ProcessID; // Process Id of caller
  488. ULONG ThreadID; // Thread Id of caller
  489. BOOLEAN HasTcbPrivilege; // Client has TCB
  490. BOOLEAN Impersonating; // Client is impersonating
  491. BOOLEAN Restricted; // Client is restricted
  493. //
  494. // NT 5.1
  495. //
  497. UCHAR ClientFlags; // Extra flags about the client
  498. SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // Impersonation level of client
  500. } SECPKG_CLIENT_INFO, * PSECPKG_CLIENT_INFO;
  502. #define SECPKG_CLIENT_PROCESS_TERMINATED 0x01 // The client process has terminated
  503. #define SECPKG_CLIENT_THREAD_TERMINATED 0x02 // The client thread has terminated
  505. typedef struct _SECPKG_CALL_INFO {
  506. ULONG ProcessId ;
  507. ULONG ThreadId ;
  508. ULONG Attributes ;
  509. ULONG CallCount ;
  510. } SECPKG_CALL_INFO, * PSECPKG_CALL_INFO ;
  512. #define SECPKG_CALL_KERNEL_MODE 0x00000001 // Call originated in kernel mode
  513. #define SECPKG_CALL_ANSI 0x00000002 // Call came from ANSI stub
  514. #define SECPKG_CALL_URGENT 0x00000004 // Call designated urgent
  515. #define SECPKG_CALL_RECURSIVE 0x00000008 // Call is recursing
  516. #define SECPKG_CALL_IN_PROC 0x00000010 // Call originated in process
  517. #define SECPKG_CALL_CLEANUP 0x00000020 // Call is cleanup from a client
  518. #define SECPKG_CALL_WOWCLIENT 0x00000040 // Call is from a WOW client process
  519. #define SECPKG_CALL_THREAD_TERM 0x00000080 // Call is from a thread that has term'd
  520. #define SECPKG_CALL_PROCESS_TERM 0x00000100 // Call is from a process that has term'd
  521. #define SECPKG_CALL_IS_TCB 0x00000200 // Call is from TCB
  524. typedef struct _SECPKG_SUPPLEMENTAL_CRED {
  525. UNICODE_STRING PackageName;
  526. ULONG CredentialSize;
  527. #ifdef MIDL_PASS
  528. [size_is(CredentialSize)]
  529. #endif // MIDL_PASS
  530. PUCHAR Credentials;
  531. } SECPKG_SUPPLEMENTAL_CRED, *PSECPKG_SUPPLEMENTAL_CRED;
  533. typedef ULONG_PTR LSA_SEC_HANDLE ;
  534. typedef LSA_SEC_HANDLE * PLSA_SEC_HANDLE ;
  535. typedef struct _SECPKG_SUPPLEMENTAL_CRED_ARRAY {
  536. ULONG CredentialCount;
  537. #ifdef MIDL_PASS
  538. [size_is(CredentialCount)] SECPKG_SUPPLEMENTAL_CRED Credentials[*];
  539. #else // MIDL_PASS
  540. SECPKG_SUPPLEMENTAL_CRED Credentials[1];
  541. #endif // MIDL_PASS
  542. } SECPKG_SUPPLEMENTAL_CRED_ARRAY, *PSECPKG_SUPPLEMENTAL_CRED_ARRAY;
  544. //
  545. // This flag is used for to indicate which buffers in the LSA are located
  546. // in the client's address space
  547. //
  549. #define SECBUFFER_UNMAPPED 0x40000000
  551. //
  552. // This flag is used to indicate that the buffer was mapped into the LSA
  553. // from kernel mode.
  554. //
  556. #define SECBUFFER_KERNEL_MAP 0x20000000
  558. typedef NTSTATUS
  559. (NTAPI LSA_CALLBACK_FUNCTION)(
  560. ULONG_PTR Argument1,
  561. ULONG_PTR Argument2,
  562. PSecBuffer InputBuffer,
  563. PSecBuffer OutputBuffer
  564. );
  566. typedef LSA_CALLBACK_FUNCTION * PLSA_CALLBACK_FUNCTION ;
  570. #define PRIMARY_CRED_CLEAR_PASSWORD 0x1
  571. #define PRIMARY_CRED_OWF_PASSWORD 0x2
  572. #define PRIMARY_CRED_UPDATE 0x4 // this is a change of existing creds
  573. #define PRIMARY_CRED_CACHED_LOGON 0x8
  574. #define PRIMARY_CRED_LOGON_NO_TCB 0x10
  576. #define PRIMARY_CRED_LOGON_PACKAGE_SHIFT 24
  577. #define PRIMARY_CRED_PACKAGE_MASK 0xff000000
  579. //
  580. // For cached logons, the RPC id of the package doing the logon is identified
  581. // by shifting the flags to the right by the PRIMARY_CRED_LOGON_PACKAGE_SHIFT.
  582. //
  584. typedef struct _SECPKG_PRIMARY_CRED {
  585. LUID LogonId;
  586. UNICODE_STRING DownlevelName; // Sam Account Name
  587. UNICODE_STRING DomainName; // Netbios domain name where account is located
  588. UNICODE_STRING Password;
  589. UNICODE_STRING OldPassword;
  590. PSID UserSid;
  591. ULONG Flags;
  592. UNICODE_STRING DnsDomainName; // DNS domain name where account is located (if known)
  593. UNICODE_STRING Upn; // UPN of account (if known)
  595. UNICODE_STRING LogonServer;
  596. UNICODE_STRING Spare1;
  597. UNICODE_STRING Spare2;
  598. UNICODE_STRING Spare3;
  599. UNICODE_STRING Spare4;
  600. } SECPKG_PRIMARY_CRED, *PSECPKG_PRIMARY_CRED;
  602. //
  603. // Maximum size of stored credentials.
  604. //
  606. #define MAX_CRED_SIZE 1024
  608. // Values for MachineState
  610. #define SECPKG_STATE_ENCRYPTION_PERMITTED 0x01
  611. #define SECPKG_STATE_STRONG_ENCRYPTION_PERMITTED 0x02
  612. #define SECPKG_STATE_DOMAIN_CONTROLLER 0x04
  613. #define SECPKG_STATE_WORKSTATION 0x08
  614. #define SECPKG_STATE_STANDALONE 0x10
  616. typedef struct _SECPKG_PARAMETERS {
  617. ULONG Version;
  618. ULONG MachineState;
  619. ULONG SetupMode;
  620. PSID DomainSid;
  621. UNICODE_STRING DomainName;
  622. UNICODE_STRING DnsDomainName;
  623. GUID DomainGuid;
  624. } SECPKG_PARAMETERS, *PSECPKG_PARAMETERS;
  627. //
  628. // Extended Package information structures
  629. //
  631. typedef enum _SECPKG_EXTENDED_INFORMATION_CLASS {
  632. SecpkgGssInfo = 1,
  633. SecpkgContextThunks,
  634. SecpkgMutualAuthLevel,
  635. SecpkgWowClientDll,
  636. SecpkgExtraOids,
  637. SecpkgMaxInfo
  638. } SECPKG_EXTENDED_INFORMATION_CLASS ;
  640. typedef struct _SECPKG_GSS_INFO {
  641. ULONG EncodedIdLength ;
  642. UCHAR EncodedId[4] ;
  643. } SECPKG_GSS_INFO, * PSECPKG_GSS_INFO ;
  645. typedef struct _SECPKG_CONTEXT_THUNKS {
  646. ULONG InfoLevelCount ;
  647. ULONG Levels[1] ;
  648. } SECPKG_CONTEXT_THUNKS, *PSECPKG_CONTEXT_THUNKS ;
  650. typedef struct _SECPKG_MUTUAL_AUTH_LEVEL {
  651. ULONG MutualAuthLevel ;
  652. } SECPKG_MUTUAL_AUTH_LEVEL, * PSECPKG_MUTUAL_AUTH_LEVEL ;
  654. typedef struct _SECPKG_WOW_CLIENT_DLL {
  655. SECURITY_STRING WowClientDllPath;
  656. } SECPKG_WOW_CLIENT_DLL, * PSECPKG_WOW_CLIENT_DLL ;
  658. #define SECPKG_MAX_OID_LENGTH 32
  660. typedef struct _SECPKG_SERIALIZED_OID {
  661. ULONG OidLength ;
  662. ULONG OidAttributes ;
  663. UCHAR OidValue[ SECPKG_MAX_OID_LENGTH ];
  664. } SECPKG_SERIALIZED_OID, * PSECPKG_SERIALIZED_OID ;
  666. typedef struct _SECPKG_EXTRA_OIDS {
  667. ULONG OidCount ;
  668. SECPKG_SERIALIZED_OID Oids[ 1 ];
  669. } SECPKG_EXTRA_OIDS, * PSECPKG_EXTRA_OIDS;
  672. typedef struct _SECPKG_EXTENDED_INFORMATION {
  673. SECPKG_EXTENDED_INFORMATION_CLASS Class ;
  674. union {
  675. SECPKG_GSS_INFO GssInfo ;
  676. SECPKG_CONTEXT_THUNKS ContextThunks ;
  677. SECPKG_MUTUAL_AUTH_LEVEL MutualAuthLevel ;
  678. SECPKG_WOW_CLIENT_DLL WowClientDll ;
  679. SECPKG_EXTRA_OIDS ExtraOids ;
  680. } Info ;
  681. } SECPKG_EXTENDED_INFORMATION, * PSECPKG_EXTENDED_INFORMATION ;
  684. #define SECPKG_ATTR_SASL_CONTEXT 0x00010000
  686. typedef struct _SecPkgContext_SaslContext {
  687. PVOID SaslContext ;
  688. } SecPkgContext_SaslContext, * PSecPkgContext_SaslContext ;
  690. //
  691. // Setting this value as the first context thunk value will cause all
  692. // calls to go to the LSA:
  693. //
  695. #define SECPKG_ATTR_THUNK_ALL 0x00010000
  698. #ifndef SECURITY_USER_DATA_DEFINED
  699. #define SECURITY_USER_DATA_DEFINED
  701. typedef struct _SECURITY_USER_DATA {
  702. SECURITY_STRING UserName; // User name
  703. SECURITY_STRING LogonDomainName; // Domain the user logged on to
  704. SECURITY_STRING LogonServer; // Server that logged the user on
  705. PSID pSid; // SID of user
  706. } SECURITY_USER_DATA, *PSECURITY_USER_DATA;
  708. typedef SECURITY_USER_DATA SecurityUserData, * PSecurityUserData;
  711. #define UNDERSTANDS_LONG_NAMES 1
  712. #define NO_LONG_NAMES 2
  714. #endif // SECURITY_USER_DATA_DEFINED
  716. //////////////////////////////////////////////////////////////////////////
  717. //
  718. // The following prototypes are to functions that are provided by the SPMgr
  719. // to security packages.
  720. //
  721. //////////////////////////////////////////////////////////////////////////
  723. typedef NTSTATUS
  724. (NTAPI LSA_IMPERSONATE_CLIENT) (
  725. VOID
  726. );
  729. typedef NTSTATUS
  730. (NTAPI LSA_UNLOAD_PACKAGE)(
  731. VOID
  732. );
  734. typedef NTSTATUS
  735. (NTAPI LSA_DUPLICATE_HANDLE)(
  736. IN HANDLE SourceHandle,
  737. OUT PHANDLE DestionationHandle);
  740. typedef NTSTATUS
  741. (NTAPI LSA_SAVE_SUPPLEMENTAL_CREDENTIALS)(
  742. IN PLUID LogonId,
  743. IN ULONG SupplementalCredSize,
  744. IN PVOID SupplementalCreds,
  745. IN BOOLEAN Synchronous
  746. );
  749. typedef HANDLE
  750. (NTAPI LSA_CREATE_THREAD)(
  751. IN SEC_ATTRS SecurityAttributes,
  752. IN ULONG StackSize,
  753. IN SEC_THREAD_START StartFunction,
  754. IN PVOID ThreadParameter,
  755. IN ULONG CreationFlags,
  756. OUT PULONG ThreadId
  757. );
  760. typedef NTSTATUS
  761. (NTAPI LSA_GET_CLIENT_INFO)(
  762. OUT PSECPKG_CLIENT_INFO ClientInfo
  763. );
  766. typedef HANDLE
  767. (NTAPI LSA_REGISTER_NOTIFICATION)(
  768. IN SEC_THREAD_START StartFunction,
  769. IN PVOID Parameter,
  770. IN ULONG NotificationType,
  771. IN ULONG NotificationClass,
  772. IN ULONG NotificationFlags,
  773. IN ULONG IntervalMinutes,
  774. IN OPTIONAL HANDLE WaitEvent
  775. );
  778. typedef NTSTATUS
  779. (NTAPI LSA_CANCEL_NOTIFICATION)(
  780. IN HANDLE NotifyHandle
  781. );
  783. typedef NTSTATUS
  784. (NTAPI LSA_MAP_BUFFER)(
  785. IN PSecBuffer InputBuffer,
  786. OUT PSecBuffer OutputBuffer
  787. );
  789. typedef NTSTATUS
  790. (NTAPI LSA_CREATE_TOKEN) (
  791. IN PLUID LogonId,
  792. IN PTOKEN_SOURCE TokenSource,
  793. IN SECURITY_LOGON_TYPE LogonType,
  794. IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  795. IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  796. IN PVOID TokenInformation,
  797. IN PTOKEN_GROUPS TokenGroups,
  798. IN PUNICODE_STRING AccountName,
  799. IN PUNICODE_STRING AuthorityName,
  800. IN PUNICODE_STRING Workstation,
  801. IN PUNICODE_STRING ProfilePath,
  802. OUT PHANDLE Token,
  803. OUT PNTSTATUS SubStatus
  804. );
  806. typedef enum _SECPKG_SESSIONINFO_TYPE {
  807. SecSessionPrimaryCred // SessionInformation is SECPKG_PRIMARY_CRED
  808. } SECPKG_SESSIONINFO_TYPE ;
  810. typedef NTSTATUS
  811. (NTAPI LSA_CREATE_TOKEN_EX) (
  812. IN PLUID LogonId,
  813. IN PTOKEN_SOURCE TokenSource,
  814. IN SECURITY_LOGON_TYPE LogonType,
  815. IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  816. IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  817. IN PVOID TokenInformation,
  818. IN PTOKEN_GROUPS TokenGroups,
  819. IN PUNICODE_STRING Workstation,
  820. IN PUNICODE_STRING ProfilePath,
  821. IN PVOID SessionInformation,
  822. IN SECPKG_SESSIONINFO_TYPE SessionInformationType,
  823. OUT PHANDLE Token,
  824. OUT PNTSTATUS SubStatus
  825. );
  827. typedef VOID
  828. (NTAPI LSA_AUDIT_LOGON) (
  829. IN NTSTATUS Status,
  830. IN NTSTATUS SubStatus,
  831. IN PUNICODE_STRING AccountName,
  832. IN PUNICODE_STRING AuthenticatingAuthority,
  833. IN PUNICODE_STRING WorkstationName,
  834. IN OPTIONAL PSID UserSid,
  835. IN SECURITY_LOGON_TYPE LogonType,
  836. IN PTOKEN_SOURCE TokenSource,
  837. IN PLUID LogonId
  838. );
  840. typedef NTSTATUS
  841. (NTAPI LSA_CALL_PACKAGE) (
  842. IN PUNICODE_STRING AuthenticationPackage,
  843. IN PVOID ProtocolSubmitBuffer,
  844. IN ULONG SubmitBufferLength,
  845. OUT PVOID *ProtocolReturnBuffer,
  846. OUT PULONG ReturnBufferLength,
  847. OUT PNTSTATUS ProtocolStatus
  848. );
  850. typedef NTSTATUS
  851. (NTAPI LSA_CALL_PACKAGEEX) (
  852. IN PUNICODE_STRING AuthenticationPackage,
  853. IN PVOID ClientBufferBase,
  854. IN PVOID ProtocolSubmitBuffer,
  855. IN ULONG SubmitBufferLength,
  856. OUT PVOID *ProtocolReturnBuffer,
  857. OUT PULONG ReturnBufferLength,
  858. OUT PNTSTATUS ProtocolStatus
  859. );
  861. typedef NTSTATUS
  862. (NTAPI LSA_CALL_PACKAGE_PASSTHROUGH) (
  863. IN PUNICODE_STRING AuthenticationPackage,
  864. IN PVOID ClientBufferBase,
  865. IN PVOID ProtocolSubmitBuffer,
  866. IN ULONG SubmitBufferLength,
  867. OUT PVOID *ProtocolReturnBuffer,
  868. OUT PULONG ReturnBufferLength,
  869. OUT PNTSTATUS ProtocolStatus
  870. );
  872. typedef BOOLEAN
  873. (NTAPI LSA_GET_CALL_INFO) (
  874. OUT PSECPKG_CALL_INFO Info
  875. );
  877. typedef PVOID
  878. (NTAPI LSA_CREATE_SHARED_MEMORY)(
  879. ULONG MaxSize,
  880. ULONG InitialSize
  881. );
  883. typedef PVOID
  884. (NTAPI LSA_ALLOCATE_SHARED_MEMORY)(
  885. PVOID SharedMem,
  886. ULONG Size
  887. );
  889. typedef VOID
  890. (NTAPI LSA_FREE_SHARED_MEMORY)(
  891. PVOID SharedMem,
  892. PVOID Memory
  893. );
  895. typedef BOOLEAN
  896. (NTAPI LSA_DELETE_SHARED_MEMORY)(
  897. PVOID SharedMem
  898. );
  900. //
  901. // Account Access
  902. //
  904. typedef enum _SECPKG_NAME_TYPE {
  905. SecNameSamCompatible,
  906. SecNameAlternateId,
  907. SecNameFlat,
  908. SecNameDN,
  909. SecNameSPN
  910. } SECPKG_NAME_TYPE ;
  912. typedef NTSTATUS
  913. (NTAPI LSA_OPEN_SAM_USER)(
  914. PSECURITY_STRING Name,
  915. SECPKG_NAME_TYPE NameType,
  916. PSECURITY_STRING Prefix,
  917. BOOLEAN AllowGuest,
  918. ULONG Reserved,
  919. PVOID * UserHandle
  920. );
  922. typedef NTSTATUS
  923. (NTAPI LSA_GET_USER_CREDENTIALS)(
  924. PVOID UserHandle,
  925. PVOID * PrimaryCreds,
  926. PULONG PrimaryCredsSize,
  927. PVOID * SupplementalCreds,
  928. PULONG SupplementalCredsSize
  929. );
  931. typedef NTSTATUS
  932. (NTAPI LSA_GET_USER_AUTH_DATA)(
  933. PVOID UserHandle,
  934. PUCHAR * UserAuthData,
  935. PULONG UserAuthDataSize
  936. );
  938. typedef NTSTATUS
  939. (NTAPI LSA_CLOSE_SAM_USER)(
  940. PVOID UserHandle
  941. );
  943. typedef NTSTATUS
  944. (NTAPI LSA_GET_AUTH_DATA_FOR_USER)(
  945. PSECURITY_STRING Name,
  946. SECPKG_NAME_TYPE NameType,
  947. PSECURITY_STRING Prefix,
  948. PUCHAR * UserAuthData,
  949. PULONG UserAuthDataSize,
  950. PUNICODE_STRING UserFlatName
  951. );
  953. typedef NTSTATUS
  954. (NTAPI LSA_CONVERT_AUTH_DATA_TO_TOKEN)(
  955. IN PVOID UserAuthData,
  956. IN ULONG UserAuthDataSize,
  957. IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  958. IN PTOKEN_SOURCE TokenSource,
  959. IN SECURITY_LOGON_TYPE LogonType,
  960. IN PUNICODE_STRING AuthorityName,
  961. OUT PHANDLE Token,
  962. OUT PLUID LogonId,
  963. OUT PUNICODE_STRING AccountName,
  964. OUT PNTSTATUS SubStatus
  965. );
  967. typedef NTSTATUS
  968. (NTAPI LSA_CRACK_SINGLE_NAME)(
  969. IN ULONG FormatOffered,
  970. IN BOOLEAN PerformAtGC,
  971. IN PUNICODE_STRING NameInput,
  972. IN PUNICODE_STRING Prefix OPTIONAL,
  973. IN ULONG RequestedFormat,
  974. OUT PUNICODE_STRING CrackedName,
  975. OUT PUNICODE_STRING DnsDomainName,
  976. OUT PULONG SubStatus
  977. );
  979. typedef NTSTATUS
  980. (NTAPI LSA_AUDIT_ACCOUNT_LOGON)(
  981. IN ULONG AuditId,
  982. IN BOOLEAN Success,
  983. IN PUNICODE_STRING Source,
  984. IN PUNICODE_STRING ClientName,
  985. IN PUNICODE_STRING MappedName,
  986. IN NTSTATUS Status
  987. );
  990. typedef NTSTATUS
  991. (NTAPI LSA_CLIENT_CALLBACK)(
  992. PCHAR Callback,
  993. ULONG_PTR Argument1,
  994. ULONG_PTR Argument2,
  995. PSecBuffer Input,
  996. PSecBuffer Output
  997. );
  999. typedef
  1000. NTSTATUS
  1001. (NTAPI LSA_REGISTER_CALLBACK)(
  1002. ULONG CallbackId,
  1003. PLSA_CALLBACK_FUNCTION Callback
  1004. );
  1006. #define NOTIFIER_FLAG_NEW_THREAD 0x00000001
  1007. #define NOTIFIER_FLAG_ONE_SHOT 0x00000002
  1008. #define NOTIFIER_FLAG_SECONDS 0x80000000
  1010. #define NOTIFIER_TYPE_INTERVAL 1
  1011. #define NOTIFIER_TYPE_HANDLE_WAIT 2
  1012. #define NOTIFIER_TYPE_STATE_CHANGE 3
  1013. #define NOTIFIER_TYPE_NOTIFY_EVENT 4
  1014. #define NOTIFIER_TYPE_IMMEDIATE 16
  1016. #define NOTIFY_CLASS_PACKAGE_CHANGE 1
  1017. #define NOTIFY_CLASS_ROLE_CHANGE 2
  1018. #define NOTIFY_CLASS_DOMAIN_CHANGE 3
  1019. #define NOTIFY_CLASS_REGISTRY_CHANGE 4
  1021. typedef struct _SECPKG_EVENT_PACKAGE_CHANGE {
  1022. ULONG ChangeType;
  1023. LSA_SEC_HANDLE PackageId;
  1024. SECURITY_STRING PackageName;
  1025. } SECPKG_EVENT_PACKAGE_CHANGE, * PSECPKG_EVENT_PACKAGE_CHANGE ;
  1027. #define SECPKG_PACKAGE_CHANGE_LOAD 0
  1028. #define SECPKG_PACKAGE_CHANGE_UNLOAD 1
  1029. #define SECPKG_PACKAGE_CHANGE_SELECT 2
  1031. typedef struct _SECPKG_EVENT_ROLE_CHANGE {
  1032. ULONG PreviousRole ;
  1033. ULONG NewRole ;
  1034. } SECPKG_EVENT_ROLE_CHANGE, * PSECPKG_EVENT_ROLE_CHANGE ;
  1036. typedef struct _SECPKG_PARAMETERS SECPKG_EVENT_DOMAIN_CHANGE ;
  1037. typedef struct _SECPKG_PARAMETERS * PSECPKG_EVENT_DOMAIN_CHANGE ;
  1040. typedef struct _SECPKG_EVENT_NOTIFY {
  1041. ULONG EventClass;
  1042. ULONG Reserved;
  1043. ULONG EventDataSize;
  1044. PVOID EventData;
  1045. PVOID PackageParameter;
  1046. } SECPKG_EVENT_NOTIFY, *PSECPKG_EVENT_NOTIFY ;
  1049. typedef
  1050. NTSTATUS
  1051. (NTAPI LSA_UPDATE_PRIMARY_CREDENTIALS)(
  1052. IN PSECPKG_PRIMARY_CRED PrimaryCredentials,
  1053. IN OPTIONAL PSECPKG_SUPPLEMENTAL_CRED_ARRAY Credentials
  1054. );
  1056. typedef
  1057. VOID
  1058. (NTAPI LSA_PROTECT_MEMORY)(
  1059. IN PVOID Buffer,
  1060. IN ULONG BufferSize
  1061. );
  1063. typedef
  1064. NTSTATUS
  1065. (NTAPI LSA_OPEN_TOKEN_BY_LOGON_ID)(
  1066. IN PLUID LogonId,
  1067. OUT HANDLE *RetTokenHandle
  1068. );
  1070. typedef
  1071. NTSTATUS
  1072. (NTAPI LSA_EXPAND_AUTH_DATA_FOR_DOMAIN)(
  1073. IN PUCHAR UserAuthData,
  1074. IN ULONG UserAuthDataSize,
  1075. IN PVOID Reserved,
  1076. OUT PUCHAR * ExpandedAuthData,
  1077. OUT PULONG ExpandedAuthDataSize
  1078. );
  1080. typedef LSA_IMPERSONATE_CLIENT * PLSA_IMPERSONATE_CLIENT;
  1081. typedef LSA_UNLOAD_PACKAGE * PLSA_UNLOAD_PACKAGE;
  1082. typedef LSA_DUPLICATE_HANDLE * PLSA_DUPLICATE_HANDLE ;
  1083. typedef LSA_SAVE_SUPPLEMENTAL_CREDENTIALS * PLSA_SAVE_SUPPLEMENTAL_CREDENTIALS;
  1084. typedef LSA_CREATE_THREAD * PLSA_CREATE_THREAD;
  1085. typedef LSA_GET_CLIENT_INFO * PLSA_GET_CLIENT_INFO;
  1086. typedef LSA_REGISTER_NOTIFICATION * PLSA_REGISTER_NOTIFICATION;
  1087. typedef LSA_CANCEL_NOTIFICATION * PLSA_CANCEL_NOTIFICATION;
  1088. typedef LSA_MAP_BUFFER * PLSA_MAP_BUFFER;
  1089. typedef LSA_CREATE_TOKEN * PLSA_CREATE_TOKEN;
  1090. typedef LSA_AUDIT_LOGON * PLSA_AUDIT_LOGON;
  1091. typedef LSA_CALL_PACKAGE * PLSA_CALL_PACKAGE;
  1092. typedef LSA_CALL_PACKAGEEX * PLSA_CALL_PACKAGEEX;
  1093. typedef LSA_GET_CALL_INFO * PLSA_GET_CALL_INFO ;
  1094. typedef LSA_CREATE_SHARED_MEMORY * PLSA_CREATE_SHARED_MEMORY ;
  1095. typedef LSA_ALLOCATE_SHARED_MEMORY * PLSA_ALLOCATE_SHARED_MEMORY ;
  1096. typedef LSA_FREE_SHARED_MEMORY * PLSA_FREE_SHARED_MEMORY ;
  1097. typedef LSA_DELETE_SHARED_MEMORY * PLSA_DELETE_SHARED_MEMORY ;
  1098. typedef LSA_OPEN_SAM_USER * PLSA_OPEN_SAM_USER ;
  1099. typedef LSA_GET_USER_CREDENTIALS * PLSA_GET_USER_CREDENTIALS ;
  1100. typedef LSA_GET_USER_AUTH_DATA * PLSA_GET_USER_AUTH_DATA ;
  1101. typedef LSA_CLOSE_SAM_USER * PLSA_CLOSE_SAM_USER ;
  1102. typedef LSA_CONVERT_AUTH_DATA_TO_TOKEN * PLSA_CONVERT_AUTH_DATA_TO_TOKEN ;
  1103. typedef LSA_CLIENT_CALLBACK * PLSA_CLIENT_CALLBACK ;
  1104. typedef LSA_REGISTER_CALLBACK * PLSA_REGISTER_CALLBACK ;
  1105. typedef LSA_UPDATE_PRIMARY_CREDENTIALS * PLSA_UPDATE_PRIMARY_CREDENTIALS;
  1106. typedef LSA_GET_AUTH_DATA_FOR_USER * PLSA_GET_AUTH_DATA_FOR_USER ;
  1107. typedef LSA_CRACK_SINGLE_NAME * PLSA_CRACK_SINGLE_NAME ;
  1108. typedef LSA_AUDIT_ACCOUNT_LOGON * PLSA_AUDIT_ACCOUNT_LOGON ;
  1109. typedef LSA_CALL_PACKAGE_PASSTHROUGH * PLSA_CALL_PACKAGE_PASSTHROUGH;
  1110. typedef LSA_PROTECT_MEMORY * PLSA_PROTECT_MEMORY;
  1111. typedef LSA_OPEN_TOKEN_BY_LOGON_ID * PLSA_OPEN_TOKEN_BY_LOGON_ID;
  1112. typedef LSA_EXPAND_AUTH_DATA_FOR_DOMAIN * PLSA_EXPAND_AUTH_DATA_FOR_DOMAIN;
  1113. typedef LSA_CREATE_TOKEN_EX * PLSA_CREATE_TOKEN_EX;
  1115. #ifdef _WINCRED_H_
  1117. //
  1118. // When passing a credential around, the CredentialBlob field is encrypted.
  1119. // This structure describes this encrypted form.
  1120. //
  1121. //
  1122. #ifndef _ENCRYPTED_CREDENTIAL_DEFINED
  1123. #define _ENCRYPTED_CREDENTIAL_DEFINED
  1125. typedef struct _ENCRYPTED_CREDENTIALW {
  1127. //
  1128. // The credential
  1129. //
  1130. // The CredentialBlob field points to the encrypted credential
  1131. // The CredentialBlobSize field is the length (in bytes) of the encrypted credential
  1132. //
  1134. CREDENTIALW Cred;
  1136. //
  1137. // The size in bytes of the clear text credential blob
  1138. //
  1140. ULONG ClearCredentialBlobSize;
  1141. } ENCRYPTED_CREDENTIALW, *PENCRYPTED_CREDENTIALW;
  1142. #endif // _ENCRYPTED_CREDENTIAL_DEFINED
  1144. //
  1145. // Values for CredFlags parameter
  1146. //
  1148. #define CREDP_FLAGS_IN_PROCESS 0x01 // Caller is in-process. Password data may be returned
  1149. #define CREDP_FLAGS_USE_MIDL_HEAP 0x02 // Allocated buffer should use MIDL_user_allocte
  1150. #define CREDP_FLAGS_DONT_CACHE_TI 0x04 // TargetInformation shouldn't be cached for CredGetTargetInfo
  1151. #define CREDP_FLAGS_CLEAR_PASSWORD 0x08 // Credential blob is passed in in-the-clear
  1152. #define CREDP_FLAGS_USER_ENCRYPTED_PASSWORD 0x10 // Credential blob is passed protected by RtlEncryptMemory
  1154. typedef NTSTATUS
  1155. (NTAPI CredReadFn) (
  1156. IN PLUID LogonId,
  1157. IN ULONG CredFlags,
  1158. IN LPWSTR TargetName,
  1159. IN ULONG Type,
  1160. IN ULONG Flags,
  1161. OUT PENCRYPTED_CREDENTIALW *Credential
  1162. );
  1164. typedef NTSTATUS
  1165. (NTAPI CredReadDomainCredentialsFn) (
  1166. IN PLUID LogonId,
  1167. IN ULONG CredFlags,
  1168. IN PCREDENTIAL_TARGET_INFORMATIONW TargetInfo,
  1169. IN ULONG Flags,
  1170. OUT PULONG Count,
  1171. OUT PENCRYPTED_CREDENTIALW **Credential
  1172. );
  1174. typedef VOID
  1175. (NTAPI CredFreeCredentialsFn) (
  1176. IN ULONG Count,
  1177. IN PENCRYPTED_CREDENTIALW *Credentials OPTIONAL
  1178. );
  1180. typedef NTSTATUS
  1181. (NTAPI CredWriteFn) (
  1182. IN PLUID LogonId,
  1183. IN ULONG CredFlags,
  1184. IN PENCRYPTED_CREDENTIALW Credential,
  1185. IN ULONG Flags
  1186. );
  1188. NTSTATUS
  1189. CredMarshalTargetInfo (
  1190. IN PCREDENTIAL_TARGET_INFORMATIONW InTargetInfo,
  1191. OUT PUSHORT *Buffer,
  1192. OUT PULONG BufferSize
  1193. );
  1195. NTSTATUS
  1196. CredUnmarshalTargetInfo (
  1197. IN PUSHORT Buffer,
  1198. IN ULONG BufferSize,
  1199. OUT PCREDENTIAL_TARGET_INFORMATIONW *RetTargetInfo OPTIONAL,
  1200. OUT PULONG RetActualSize OPTIONAL
  1201. );
  1203. // Number of bytes consumed by the trailing size ULONG
  1204. #define CRED_MARSHALED_TI_SIZE_SIZE 12
  1206. #endif // _WINCRED_H_
  1209. //
  1210. // Pure 32-bit versions of credential structures for packages
  1211. // running wow64:
  1212. //
  1214. typedef struct _SEC_WINNT_AUTH_IDENTITY32 {
  1215. ULONG User ;
  1216. ULONG UserLength ;
  1217. ULONG Domain ;
  1218. ULONG DomainLength ;
  1219. ULONG Password ;
  1220. ULONG PasswordLength ;
  1221. ULONG Flags ;
  1222. } SEC_WINNT_AUTH_IDENTITY32, * PSEC_WINNT_AUTH_IDENTITY32 ;
  1224. typedef struct _SEC_WINNT_AUTH_IDENTITY_EX32 {
  1225. ULONG Version ;
  1226. ULONG Length ;
  1227. ULONG User ;
  1228. ULONG UserLength ;
  1229. ULONG Domain ;
  1230. ULONG DomainLength ;
  1231. ULONG Password ;
  1232. ULONG PasswordLength ;
  1233. ULONG Flags ;
  1234. ULONG PackageList ;
  1235. ULONG PackageListLength ;
  1236. } SEC_WINNT_AUTH_IDENTITY_EX32, * PSEC_WINNT_AUTH_IDENTITY_EX32 ;
  1238. // Functions provided by the SPM to the packages:
  1239. typedef struct _LSA_SECPKG_FUNCTION_TABLE {
  1240. PLSA_CREATE_LOGON_SESSION CreateLogonSession;
  1241. PLSA_DELETE_LOGON_SESSION DeleteLogonSession;
  1242. PLSA_ADD_CREDENTIAL AddCredential;
  1243. PLSA_GET_CREDENTIALS GetCredentials;
  1244. PLSA_DELETE_CREDENTIAL DeleteCredential;
  1245. PLSA_ALLOCATE_LSA_HEAP AllocateLsaHeap;
  1246. PLSA_FREE_LSA_HEAP FreeLsaHeap;
  1247. PLSA_ALLOCATE_CLIENT_BUFFER AllocateClientBuffer;
  1248. PLSA_FREE_CLIENT_BUFFER FreeClientBuffer;
  1249. PLSA_COPY_TO_CLIENT_BUFFER CopyToClientBuffer;
  1250. PLSA_COPY_FROM_CLIENT_BUFFER CopyFromClientBuffer;
  1251. PLSA_IMPERSONATE_CLIENT ImpersonateClient;
  1252. PLSA_UNLOAD_PACKAGE UnloadPackage;
  1253. PLSA_DUPLICATE_HANDLE DuplicateHandle;
  1254. PLSA_SAVE_SUPPLEMENTAL_CREDENTIALS SaveSupplementalCredentials;
  1255. PLSA_CREATE_THREAD CreateThread;
  1256. PLSA_GET_CLIENT_INFO GetClientInfo;
  1257. PLSA_REGISTER_NOTIFICATION RegisterNotification;
  1258. PLSA_CANCEL_NOTIFICATION CancelNotification;
  1259. PLSA_MAP_BUFFER MapBuffer;
  1260. PLSA_CREATE_TOKEN CreateToken;
  1261. PLSA_AUDIT_LOGON AuditLogon;
  1262. PLSA_CALL_PACKAGE CallPackage;
  1263. PLSA_FREE_LSA_HEAP FreeReturnBuffer;
  1264. PLSA_GET_CALL_INFO GetCallInfo;
  1265. PLSA_CALL_PACKAGEEX CallPackageEx;
  1266. PLSA_CREATE_SHARED_MEMORY CreateSharedMemory;
  1267. PLSA_ALLOCATE_SHARED_MEMORY AllocateSharedMemory;
  1268. PLSA_FREE_SHARED_MEMORY FreeSharedMemory;
  1269. PLSA_DELETE_SHARED_MEMORY DeleteSharedMemory;
  1270. PLSA_OPEN_SAM_USER OpenSamUser ;
  1271. PLSA_GET_USER_CREDENTIALS GetUserCredentials ;
  1272. PLSA_GET_USER_AUTH_DATA GetUserAuthData ;
  1273. PLSA_CLOSE_SAM_USER CloseSamUser ;
  1274. PLSA_CONVERT_AUTH_DATA_TO_TOKEN ConvertAuthDataToToken ;
  1275. PLSA_CLIENT_CALLBACK ClientCallback ;
  1276. PLSA_UPDATE_PRIMARY_CREDENTIALS UpdateCredentials ;
  1277. PLSA_GET_AUTH_DATA_FOR_USER GetAuthDataForUser ;
  1278. PLSA_CRACK_SINGLE_NAME CrackSingleName ;
  1279. PLSA_AUDIT_ACCOUNT_LOGON AuditAccountLogon ;
  1280. PLSA_CALL_PACKAGE_PASSTHROUGH CallPackagePassthrough ;
  1281. #ifdef _WINCRED_H_
  1282. CredReadFn *CrediRead;
  1283. CredReadDomainCredentialsFn *CrediReadDomainCredentials;
  1284. CredFreeCredentialsFn *CrediFreeCredentials;
  1285. #else // _WINCRED_H_
  1286. PLSA_PROTECT_MEMORY DummyFunction1;
  1287. PLSA_PROTECT_MEMORY DummyFunction2;
  1288. PLSA_PROTECT_MEMORY DummyFunction3;
  1289. #endif // _WINCRED_H_
  1290. PLSA_PROTECT_MEMORY LsaProtectMemory;
  1291. PLSA_PROTECT_MEMORY LsaUnprotectMemory;
  1292. PLSA_OPEN_TOKEN_BY_LOGON_ID OpenTokenByLogonId;
  1293. PLSA_EXPAND_AUTH_DATA_FOR_DOMAIN ExpandAuthDataForDomain;
  1294. PLSA_ALLOCATE_PRIVATE_HEAP AllocatePrivateHeap;
  1295. PLSA_FREE_PRIVATE_HEAP FreePrivateHeap;
  1296. PLSA_CREATE_TOKEN_EX CreateTokenEx;
  1297. #ifdef _WINCRED_H_
  1298. CredWriteFn *CrediWrite;
  1299. #else // _WINCRED_H_
  1300. PLSA_PROTECT_MEMORY DummyFunction4;
  1301. #endif // _WINCRED_H_
  1302. } LSA_SECPKG_FUNCTION_TABLE, *PLSA_SECPKG_FUNCTION_TABLE;
  1304. typedef struct _SECPKG_DLL_FUNCTIONS {
  1305. PLSA_ALLOCATE_LSA_HEAP AllocateHeap;
  1306. PLSA_FREE_LSA_HEAP FreeHeap;
  1307. PLSA_REGISTER_CALLBACK RegisterCallback ;
  1308. } SECPKG_DLL_FUNCTIONS, * PSECPKG_DLL_FUNCTIONS;
  1313. //
  1314. // The following prototypes are to functions that will be called only while
  1315. // in the Security Package Manager context.
  1316. //
  1318. typedef NTSTATUS
  1319. (NTAPI SpInitializeFn)(
  1320. IN ULONG_PTR PackageId,
  1321. IN PSECPKG_PARAMETERS Parameters,
  1322. IN PLSA_SECPKG_FUNCTION_TABLE FunctionTable
  1323. );
  1325. typedef NTSTATUS
  1326. (NTAPI SpShutdownFn)(
  1327. VOID
  1328. );
  1330. typedef NTSTATUS
  1331. (NTAPI SpGetInfoFn)(
  1332. OUT PSecPkgInfo PackageInfo
  1333. );
  1335. typedef NTSTATUS
  1336. (NTAPI SpGetExtendedInformationFn)(
  1337. IN SECPKG_EXTENDED_INFORMATION_CLASS Class,
  1338. OUT PSECPKG_EXTENDED_INFORMATION * ppInformation
  1339. );
  1341. typedef NTSTATUS
  1342. (NTAPI SpSetExtendedInformationFn)(
  1343. IN SECPKG_EXTENDED_INFORMATION_CLASS Class,
  1344. IN PSECPKG_EXTENDED_INFORMATION Info
  1345. );
  1347. typedef NTSTATUS
  1348. (LSA_AP_LOGON_USER_EX2) (
  1349. IN PLSA_CLIENT_REQUEST ClientRequest,
  1350. IN SECURITY_LOGON_TYPE LogonType,
  1351. IN PVOID AuthenticationInformation,
  1352. IN PVOID ClientAuthenticationBase,
  1353. IN ULONG AuthenticationInformationLength,
  1354. OUT PVOID *ProfileBuffer,
  1355. OUT PULONG ProfileBufferLength,
  1356. OUT PLUID LogonId,
  1357. OUT PNTSTATUS SubStatus,
  1358. OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  1359. OUT PVOID *TokenInformation,
  1360. OUT PUNICODE_STRING *AccountName,
  1361. OUT PUNICODE_STRING *AuthenticatingAuthority,
  1362. OUT PUNICODE_STRING *MachineName,
  1363. OUT PSECPKG_PRIMARY_CRED PrimaryCredentials,
  1364. OUT PSECPKG_SUPPLEMENTAL_CRED_ARRAY * CachedCredentials
  1365. );
  1367. typedef LSA_AP_LOGON_USER_EX2 *PLSA_AP_LOGON_USER_EX2;
  1368. #define LSA_AP_NAME_LOGON_USER_EX2 "LsaApLogonUserEx2\0"
  1370. typedef NTSTATUS
  1371. (NTAPI SpAcceptCredentialsFn)(
  1372. IN SECURITY_LOGON_TYPE LogonType,
  1373. IN PUNICODE_STRING AccountName,
  1374. IN PSECPKG_PRIMARY_CRED PrimaryCredentials,
  1375. IN PSECPKG_SUPPLEMENTAL_CRED SupplementalCredentials
  1376. );
  1377. #define SP_ACCEPT_CREDENTIALS_NAME "SpAcceptCredentials\0"
  1379. typedef NTSTATUS
  1380. (NTAPI SpAcquireCredentialsHandleFn)(
  1381. IN OPTIONAL PUNICODE_STRING PrincipalName,
  1382. IN ULONG CredentialUseFlags,
  1383. IN OPTIONAL PLUID LogonId,
  1384. IN PVOID AuthorizationData,
  1385. IN PVOID GetKeyFunciton,
  1386. IN PVOID GetKeyArgument,
  1387. OUT PLSA_SEC_HANDLE CredentialHandle,
  1388. OUT PTimeStamp ExpirationTime
  1389. );
  1391. typedef NTSTATUS
  1392. (NTAPI SpFreeCredentialsHandleFn)(
  1393. IN LSA_SEC_HANDLE CredentialHandle
  1394. );
  1396. typedef NTSTATUS
  1397. (NTAPI SpQueryCredentialsAttributesFn)(
  1398. IN LSA_SEC_HANDLE CredentialHandle,
  1399. IN ULONG CredentialAttribute,
  1400. IN OUT PVOID Buffer
  1401. );
  1403. typedef NTSTATUS
  1404. (NTAPI SpAddCredentialsFn)(
  1405. IN LSA_SEC_HANDLE CredentialHandle,
  1406. IN OPTIONAL PUNICODE_STRING PrincipalName,
  1407. IN PUNICODE_STRING Package,
  1408. IN ULONG CredentialUseFlags,
  1409. IN PVOID AuthorizationData,
  1410. IN PVOID GetKeyFunciton,
  1411. IN PVOID GetKeyArgument,
  1412. OUT PTimeStamp ExpirationTime
  1413. );
  1415. typedef NTSTATUS
  1416. (NTAPI SpSaveCredentialsFn)(
  1417. IN LSA_SEC_HANDLE CredentialHandle,
  1418. IN PSecBuffer Credentials);
  1420. typedef NTSTATUS
  1421. (NTAPI SpGetCredentialsFn)(
  1422. IN LSA_SEC_HANDLE CredentialHandle,
  1423. IN OUT PSecBuffer Credentials
  1424. );
  1426. typedef NTSTATUS
  1427. (NTAPI SpDeleteCredentialsFn)(
  1428. IN LSA_SEC_HANDLE CredentialHandle,
  1429. IN PSecBuffer Key
  1430. );
  1432. typedef NTSTATUS
  1433. (NTAPI SpInitLsaModeContextFn)(
  1434. IN OPTIONAL LSA_SEC_HANDLE CredentialHandle,
  1435. IN OPTIONAL LSA_SEC_HANDLE ContextHandle,
  1436. IN OPTIONAL PUNICODE_STRING TargetName,
  1437. IN ULONG ContextRequirements,
  1438. IN ULONG TargetDataRep,
  1439. IN PSecBufferDesc InputBuffers,
  1440. OUT PLSA_SEC_HANDLE NewContextHandle,
  1441. IN OUT PSecBufferDesc OutputBuffers,
  1442. OUT PULONG ContextAttributes,
  1443. OUT PTimeStamp ExpirationTime,
  1444. OUT PBOOLEAN MappedContext,
  1445. OUT PSecBuffer ContextData
  1446. );
  1451. typedef NTSTATUS
  1452. (NTAPI SpDeleteContextFn)(
  1453. IN LSA_SEC_HANDLE ContextHandle
  1454. );
  1456. typedef NTSTATUS
  1457. (NTAPI SpApplyControlTokenFn)(
  1458. IN LSA_SEC_HANDLE ContextHandle,
  1459. IN PSecBufferDesc ControlToken);
  1462. typedef NTSTATUS
  1463. (NTAPI SpAcceptLsaModeContextFn)(
  1464. IN OPTIONAL LSA_SEC_HANDLE CredentialHandle,
  1465. IN OPTIONAL LSA_SEC_HANDLE ContextHandle,
  1466. IN PSecBufferDesc InputBuffer,
  1467. IN ULONG ContextRequirements,
  1468. IN ULONG TargetDataRep,
  1469. OUT PLSA_SEC_HANDLE NewContextHandle,
  1470. OUT PSecBufferDesc OutputBuffer,
  1471. OUT PULONG ContextAttributes,
  1472. OUT PTimeStamp ExpirationTime,
  1473. OUT PBOOLEAN MappedContext,
  1474. OUT PSecBuffer ContextData
  1475. );
  1480. typedef NTSTATUS
  1481. (NTAPI SpGetUserInfoFn)(
  1482. IN PLUID LogonId,
  1483. IN ULONG Flags,
  1484. OUT PSecurityUserData * UserData
  1485. );
  1487. typedef NTSTATUS
  1488. (NTAPI SpQueryContextAttributesFn)(
  1489. IN LSA_SEC_HANDLE ContextHandle,
  1490. IN ULONG ContextAttribute,
  1491. IN OUT PVOID Buffer);
  1493. typedef NTSTATUS
  1494. (NTAPI SpSetContextAttributesFn)(
  1495. IN LSA_SEC_HANDLE ContextHandle,
  1496. IN ULONG ContextAttribute,
  1497. IN PVOID Buffer,
  1498. IN ULONG BufferSize );
  1502. typedef struct _SECPKG_FUNCTION_TABLE {
  1503. PLSA_AP_INITIALIZE_PACKAGE InitializePackage;
  1504. PLSA_AP_LOGON_USER LogonUser;
  1505. PLSA_AP_CALL_PACKAGE CallPackage;
  1506. PLSA_AP_LOGON_TERMINATED LogonTerminated;
  1507. PLSA_AP_CALL_PACKAGE_UNTRUSTED CallPackageUntrusted;
  1508. PLSA_AP_CALL_PACKAGE_PASSTHROUGH CallPackagePassthrough;
  1509. PLSA_AP_LOGON_USER_EX LogonUserEx;
  1510. PLSA_AP_LOGON_USER_EX2 LogonUserEx2;
  1511. SpInitializeFn * Initialize;
  1512. SpShutdownFn * Shutdown;
  1513. SpGetInfoFn * GetInfo;
  1514. SpAcceptCredentialsFn * AcceptCredentials;
  1515. SpAcquireCredentialsHandleFn * AcquireCredentialsHandle;
  1516. SpQueryCredentialsAttributesFn * QueryCredentialsAttributes;
  1517. SpFreeCredentialsHandleFn * FreeCredentialsHandle;
  1518. SpSaveCredentialsFn * SaveCredentials;
  1519. SpGetCredentialsFn * GetCredentials;
  1520. SpDeleteCredentialsFn * DeleteCredentials;
  1521. SpInitLsaModeContextFn * InitLsaModeContext;
  1522. SpAcceptLsaModeContextFn * AcceptLsaModeContext;
  1523. SpDeleteContextFn * DeleteContext;
  1524. SpApplyControlTokenFn * ApplyControlToken;
  1525. SpGetUserInfoFn * GetUserInfo;
  1526. SpGetExtendedInformationFn * GetExtendedInformation ;
  1527. SpQueryContextAttributesFn * QueryContextAttributes ;
  1528. SpAddCredentialsFn * AddCredentials ;
  1529. SpSetExtendedInformationFn * SetExtendedInformation ;
  1530. SpSetContextAttributesFn * SetContextAttributes ;
  1531. } SECPKG_FUNCTION_TABLE, *PSECPKG_FUNCTION_TABLE;
  1533. //
  1534. // The following prototypes are to functions that will be called while in the
  1535. // context of a user process that is using the functions through the security
  1536. // DLL.
  1537. //
  1539. typedef NTSTATUS
  1540. (NTAPI SpInstanceInitFn)(
  1541. IN ULONG Version,
  1542. IN PSECPKG_DLL_FUNCTIONS FunctionTable,
  1543. OUT PVOID * UserFunctions
  1544. );
  1547. typedef NTSTATUS
  1548. (NTAPI SpInitUserModeContextFn)(
  1549. IN LSA_SEC_HANDLE ContextHandle,
  1550. IN PSecBuffer PackedContext
  1551. );
  1553. typedef NTSTATUS
  1554. (NTAPI SpMakeSignatureFn)(
  1555. IN LSA_SEC_HANDLE ContextHandle,
  1556. IN ULONG QualityOfProtection,
  1557. IN PSecBufferDesc MessageBuffers,
  1558. IN ULONG MessageSequenceNumber
  1559. );
  1561. typedef NTSTATUS
  1562. (NTAPI SpVerifySignatureFn)(
  1563. IN LSA_SEC_HANDLE ContextHandle,
  1564. IN PSecBufferDesc MessageBuffers,
  1565. IN ULONG MessageSequenceNumber,
  1566. OUT PULONG QualityOfProtection
  1567. );
  1569. typedef NTSTATUS
  1570. (NTAPI SpSealMessageFn)(
  1571. IN LSA_SEC_HANDLE ContextHandle,
  1572. IN ULONG QualityOfProtection,
  1573. IN PSecBufferDesc MessageBuffers,
  1574. IN ULONG MessageSequenceNumber
  1575. );
  1577. typedef NTSTATUS
  1578. (NTAPI SpUnsealMessageFn)(
  1579. IN LSA_SEC_HANDLE ContextHandle,
  1580. IN PSecBufferDesc MessageBuffers,
  1581. IN ULONG MessageSequenceNumber,
  1582. OUT PULONG QualityOfProtection
  1583. );
  1586. typedef NTSTATUS
  1587. (NTAPI SpGetContextTokenFn)(
  1588. IN LSA_SEC_HANDLE ContextHandle,
  1589. OUT PHANDLE ImpersonationToken
  1590. );
  1593. typedef NTSTATUS
  1594. (NTAPI SpExportSecurityContextFn)(
  1595. LSA_SEC_HANDLE phContext, // (in) context to export
  1596. ULONG fFlags, // (in) option flags
  1597. PSecBuffer pPackedContext, // (out) marshalled context
  1598. PHANDLE pToken // (out, optional) token handle for impersonation
  1599. );
  1601. typedef NTSTATUS
  1602. (NTAPI SpImportSecurityContextFn)(
  1603. PSecBuffer pPackedContext, // (in) marshalled context
  1604. HANDLE Token, // (in, optional) handle to token for context
  1605. PLSA_SEC_HANDLE phContext // (out) new context handle
  1606. );
  1609. typedef NTSTATUS
  1610. (NTAPI SpCompleteAuthTokenFn)(
  1611. IN LSA_SEC_HANDLE ContextHandle,
  1612. IN PSecBufferDesc InputBuffer
  1613. );
  1616. typedef NTSTATUS
  1617. (NTAPI SpFormatCredentialsFn)(
  1618. IN PSecBuffer Credentials,
  1619. OUT PSecBuffer FormattedCredentials
  1620. );
  1622. typedef NTSTATUS
  1623. (NTAPI SpMarshallSupplementalCredsFn)(
  1624. IN ULONG CredentialSize,
  1625. IN PUCHAR Credentials,
  1626. OUT PULONG MarshalledCredSize,
  1627. OUT PVOID * MarshalledCreds);
  1630. typedef struct _SECPKG_USER_FUNCTION_TABLE {
  1631. SpInstanceInitFn * InstanceInit;
  1632. SpInitUserModeContextFn * InitUserModeContext;
  1633. SpMakeSignatureFn * MakeSignature;
  1634. SpVerifySignatureFn * VerifySignature;
  1635. SpSealMessageFn * SealMessage;
  1636. SpUnsealMessageFn * UnsealMessage;
  1637. SpGetContextTokenFn * GetContextToken;
  1638. SpQueryContextAttributesFn * QueryContextAttributes;
  1639. SpCompleteAuthTokenFn * CompleteAuthToken;
  1640. SpDeleteContextFn * DeleteUserModeContext;
  1641. SpFormatCredentialsFn * FormatCredentials;
  1642. SpMarshallSupplementalCredsFn * MarshallSupplementalCreds;
  1643. SpExportSecurityContextFn * ExportContext;
  1644. SpImportSecurityContextFn * ImportContext;
  1645. } SECPKG_USER_FUNCTION_TABLE, *PSECPKG_USER_FUNCTION_TABLE;
  1647. typedef NTSTATUS
  1648. (SEC_ENTRY * SpLsaModeInitializeFn)(
  1649. IN ULONG LsaVersion,
  1650. OUT PULONG PackageVersion,
  1651. OUT PSECPKG_FUNCTION_TABLE * ppTables,
  1652. OUT PULONG pcTables);
  1654. typedef NTSTATUS
  1655. (SEC_ENTRY * SpUserModeInitializeFn)(
  1656. IN ULONG LsaVersion,
  1657. OUT PULONG PackageVersion,
  1658. OUT PSECPKG_USER_FUNCTION_TABLE *ppTables,
  1659. OUT PULONG pcTables
  1660. );
  1664. #define SECPKG_LSAMODEINIT_NAME "SpLsaModeInitialize"
  1665. #define SECPKG_USERMODEINIT_NAME "SpUserModeInitialize"
  1667. //
  1668. // Version of the security package interface.
  1669. //
  1670. // These define are used for all of the following:
  1671. // * Passed by the LSA to SpLsaModeInitializeFn to indicate the version of the LSA.
  1672. // All packages currently expect the LSA to pass SECPKG_INTERFACE_VERSION.
  1673. // * Passed by secur32.dll to SpUserModeInitialzeFn to indicate the version of the secur32 DLL.
  1674. // All packages currently expect secur32 to pass SECPKG_INTERFACE_VERSION.
  1675. // * Returned from SpLsaModeInitializeFn to indicate the version of SECPKG_FUNCTION_TABLE.
  1676. // SECPKG_INTERFACE_VERSION indicates all fields through SetExtendedInformation are defined (potentially to NULL)
  1677. // SECPKG_INTERFACE_VERSION_2 indicates all fields through SetContextAttributes are defined (potentially to NULL)
  1678. // * Returned from SpUserModeInitializeFn to indicate the version of the auth package.
  1679. // All packages currently return SECPKG_INTERFACE_VERSION
  1680. //
  1682. #define SECPKG_INTERFACE_VERSION 0x00010000
  1683. #define SECPKG_INTERFACE_VERSION_2 0x00020000
  1687. typedef enum _KSEC_CONTEXT_TYPE {
  1688. KSecPaged,
  1689. KSecNonPaged
  1690. } KSEC_CONTEXT_TYPE ;
  1692. typedef struct _KSEC_LIST_ENTRY {
  1693. LIST_ENTRY List ;
  1694. LONG RefCount ;
  1695. ULONG Signature ;
  1696. PVOID OwningList ;
  1697. PVOID Reserved ;
  1698. } KSEC_LIST_ENTRY, * PKSEC_LIST_ENTRY ;
  1700. #define KsecInitializeListEntry( Entry, SigValue ) \
  1701. ((PKSEC_LIST_ENTRY) Entry)->List.Flink = ((PKSEC_LIST_ENTRY) Entry)->List.Blink = NULL ; \
  1702. ((PKSEC_LIST_ENTRY) Entry)->RefCount = 1 ; \
  1703. ((PKSEC_LIST_ENTRY) Entry)->Signature = SigValue ; \
  1704. ((PKSEC_LIST_ENTRY) Entry)->OwningList = NULL ; \
  1705. ((PKSEC_LIST_ENTRY) Entry)->Reserved = NULL ;
  1709. typedef PVOID
  1710. (SEC_ENTRY KSEC_CREATE_CONTEXT_LIST)(
  1711. IN KSEC_CONTEXT_TYPE Type
  1712. );
  1714. typedef VOID
  1715. (SEC_ENTRY KSEC_INSERT_LIST_ENTRY)(
  1716. IN PVOID List,
  1717. IN PKSEC_LIST_ENTRY Entry
  1718. );
  1720. typedef NTSTATUS
  1721. (SEC_ENTRY KSEC_REFERENCE_LIST_ENTRY)(
  1722. IN PKSEC_LIST_ENTRY Entry,
  1723. IN ULONG Signature,
  1724. IN BOOLEAN RemoveNoRef
  1725. );
  1727. typedef VOID
  1728. (SEC_ENTRY KSEC_DEREFERENCE_LIST_ENTRY)(
  1729. IN PKSEC_LIST_ENTRY Entry,
  1730. OUT BOOLEAN * Delete OPTIONAL
  1731. );
  1733. typedef NTSTATUS
  1734. (SEC_ENTRY KSEC_SERIALIZE_WINNT_AUTH_DATA)(
  1735. IN PVOID pvAuthData,
  1736. OUT PULONG Size,
  1737. OUT PVOID * SerializedData );
  1739. #ifndef MIDL_PASS
  1741. KSEC_CREATE_CONTEXT_LIST KSecCreateContextList ;
  1742. KSEC_INSERT_LIST_ENTRY KSecInsertListEntry ;
  1743. KSEC_REFERENCE_LIST_ENTRY KSecReferenceListEntry ;
  1744. KSEC_DEREFERENCE_LIST_ENTRY KSecDereferenceListEntry ;
  1745. KSEC_SERIALIZE_WINNT_AUTH_DATA KSecSerializeWinntAuthData ;
  1747. #endif // not valid for MIDL_PASS
  1749. typedef KSEC_CREATE_CONTEXT_LIST * PKSEC_CREATE_CONTEXT_LIST ;
  1750. typedef KSEC_INSERT_LIST_ENTRY * PKSEC_INSERT_LIST_ENTRY ;
  1751. typedef KSEC_REFERENCE_LIST_ENTRY * PKSEC_REFERENCE_LIST_ENTRY ;
  1752. typedef KSEC_DEREFERENCE_LIST_ENTRY * PKSEC_DEREFERENCE_LIST_ENTRY ;
  1753. typedef KSEC_SERIALIZE_WINNT_AUTH_DATA * PKSEC_SERIALIZE_WINNT_AUTH_DATA ;
  1756. typedef struct _SECPKG_KERNEL_FUNCTIONS {
  1757. PLSA_ALLOCATE_LSA_HEAP AllocateHeap;
  1758. PLSA_FREE_LSA_HEAP FreeHeap;
  1759. PKSEC_CREATE_CONTEXT_LIST CreateContextList ;
  1760. PKSEC_INSERT_LIST_ENTRY InsertListEntry ;
  1761. PKSEC_REFERENCE_LIST_ENTRY ReferenceListEntry ;
  1762. PKSEC_DEREFERENCE_LIST_ENTRY DereferenceListEntry ;
  1763. PKSEC_SERIALIZE_WINNT_AUTH_DATA SerializeWinntAuthData ;
  1764. } SECPKG_KERNEL_FUNCTIONS, *PSECPKG_KERNEL_FUNCTIONS;
  1767. typedef NTSTATUS
  1768. (NTAPI KspInitPackageFn)(
  1769. PSECPKG_KERNEL_FUNCTIONS FunctionTable
  1770. );
  1773. typedef NTSTATUS
  1774. (NTAPI KspDeleteContextFn)(
  1775. IN LSA_SEC_HANDLE ContextId,
  1776. OUT PLSA_SEC_HANDLE LsaContextId
  1777. );
  1779. typedef NTSTATUS
  1780. (NTAPI KspInitContextFn)(
  1781. IN LSA_SEC_HANDLE ContextId,
  1782. IN PSecBuffer ContextData,
  1783. OUT PLSA_SEC_HANDLE NewContextId
  1784. );
  1786. typedef NTSTATUS
  1787. (NTAPI KspMakeSignatureFn)(
  1788. IN LSA_SEC_HANDLE ContextId,
  1789. IN ULONG fQOP,
  1790. IN OUT PSecBufferDesc Message,
  1791. IN ULONG MessageSeqNo
  1792. );
  1794. typedef NTSTATUS
  1795. (NTAPI KspVerifySignatureFn)(
  1796. IN LSA_SEC_HANDLE ContextId,
  1797. IN OUT PSecBufferDesc Message,
  1798. IN ULONG MessageSeqNo,
  1799. OUT PULONG pfQOP
  1800. );
  1803. typedef NTSTATUS
  1804. (NTAPI KspSealMessageFn)(
  1805. IN LSA_SEC_HANDLE ContextId,
  1806. IN ULONG fQOP,
  1807. IN OUT PSecBufferDesc Message,
  1808. IN ULONG MessageSeqNo
  1809. );
  1811. typedef NTSTATUS
  1812. (NTAPI KspUnsealMessageFn)(
  1813. IN LSA_SEC_HANDLE ContextId,
  1814. IN OUT PSecBufferDesc Message,
  1815. IN ULONG MessageSeqNo,
  1816. OUT PULONG pfQOP
  1817. );
  1819. typedef NTSTATUS
  1820. (NTAPI KspGetTokenFn)(
  1821. IN LSA_SEC_HANDLE ContextId,
  1822. OUT PHANDLE ImpersonationToken,
  1823. OUT OPTIONAL PACCESS_TOKEN * RawToken
  1824. );
  1826. typedef NTSTATUS
  1827. (NTAPI KspQueryAttributesFn)(
  1828. IN LSA_SEC_HANDLE ContextId,
  1829. IN ULONG Attribute,
  1830. IN OUT PVOID Buffer
  1831. );
  1833. typedef NTSTATUS
  1834. (NTAPI KspCompleteTokenFn)(
  1835. IN LSA_SEC_HANDLE ContextId,
  1836. IN PSecBufferDesc Token
  1837. );
  1840. typedef NTSTATUS
  1841. (NTAPI KspMapHandleFn)(
  1842. IN LSA_SEC_HANDLE ContextId,
  1843. OUT PLSA_SEC_HANDLE LsaContextId
  1844. );
  1846. typedef NTSTATUS
  1847. (NTAPI KspSetPagingModeFn)(
  1848. IN BOOLEAN PagingMode
  1849. );
  1851. typedef NTSTATUS
  1852. (NTAPI KspSerializeAuthDataFn)(
  1853. IN PVOID pvAuthData,
  1854. OUT PULONG Size,
  1855. OUT PVOID * SerializedData
  1856. );
  1858. typedef struct _SECPKG_KERNEL_FUNCTION_TABLE {
  1859. KspInitPackageFn * Initialize;
  1860. KspDeleteContextFn * DeleteContext;
  1861. KspInitContextFn * InitContext;
  1862. KspMapHandleFn * MapHandle;
  1863. KspMakeSignatureFn * Sign;
  1864. KspVerifySignatureFn * Verify;
  1865. KspSealMessageFn * Seal;
  1866. KspUnsealMessageFn * Unseal;
  1867. KspGetTokenFn * GetToken;
  1868. KspQueryAttributesFn * QueryAttributes;
  1869. KspCompleteTokenFn * CompleteToken;
  1870. SpExportSecurityContextFn * ExportContext;
  1871. SpImportSecurityContextFn * ImportContext;
  1872. KspSetPagingModeFn * SetPackagePagingMode ;
  1873. KspSerializeAuthDataFn * SerializeAuthData ;
  1874. } SECPKG_KERNEL_FUNCTION_TABLE, *PSECPKG_KERNEL_FUNCTION_TABLE;
  1876. SECURITY_STATUS
  1877. SEC_ENTRY
  1878. KSecRegisterSecurityProvider(
  1879. PSECURITY_STRING ProviderName,
  1880. PSECPKG_KERNEL_FUNCTION_TABLE Table
  1881. );
  1885. extern SECPKG_KERNEL_FUNCTIONS KspKernelFunctions;
  1889. #ifdef __cplusplus
  1890. }
  1891. #endif
  1893. #endif /* _NTSECPKG_ */