//+----------------------------------------------------------------------- // // Microsoft Windows // // Copyright (c) Microsoft Corporation 1992 - 1996 // // File: digestsspi.h // // Contents: credential and context structures // // // History: KDamour 15Mar00 Stolen from msv_sspi\ntlmsspi.h // //------------------------------------------------------------------------ #ifndef NTDIGEST_DIGESTSSPI_H #define NTDIGEST_DIGESTSSPI_H #include #include #include "auth.h" //////////////////////////////////////////////////////////////////////// // // Global Definitions // //////////////////////////////////////////////////////////////////////// // // Description of a logon session - stores the username, domain, password. // Notation used for LogonSession is LogSess // typedef struct _DIGEST_LOGONSESSION { // Global list of all LogonSessions. // (Serialized by SspLogonSessionCritSect) LIST_ENTRY Next; // This is the Handle for this LogonSession - same as its memory address - no need to ref count ULONG_PTR LogonSessionHandle; // Ref Counter Used to prevent this LogonSession from being deleted prematurely. // Two cases for initial value // AcceptCredential sets to one and enters it into active logon list. Call to ApLogonTerminate // decrements count and removes it from list. // In both cases, a refcount of zero causes the logonsession to be deleted from memory LONG lReferences; // Logon ID of the client LUID LogonId; // Default credentials on client context, on server context UserName // Gathered from calls to SpAcceptCredentials SECURITY_LOGON_TYPE LogonType; UNICODE_STRING ustrAccountName; UNICODE_STRING ustrDomainName; // Netbios domain name where account is located // IMPORTANT NOTE - you must use CredHandlerPasswdSet and CredHandlerPasswdGet once the // credential is placed into the list. The main reason for this is that multiple threads // will be utilizing the same memory and this value can change as updates come in from // SpAcceptCredential // It is encrypted with LsaFunctions->LsaProtectMemory( Password->Buffer, (ULONG)Password->Length ); // Need to decrypt with LsaFunctions->LsaUnprotectMemory( HiddenPassword->Buffer, (ULONG)HiddenPassword->Length ); // Stores the current plaintext password (if available) with reversible encryption UNICODE_STRING ustrPassword; UNICODE_STRING ustrDnsDomainName; // DNS domain name where account is located (if known) UNICODE_STRING ustrUpn; // UPN of account (if known) } DIGEST_LOGONSESSION, *PDIGEST_LOGONSESSION; // // Description of a credential. // We use this for a combined list of logon sessions and credentials // typedef struct _DIGEST_CREDENTIAL { // // Global list of all Credentials. // (Serialized by SspCredentialCritSect) // LIST_ENTRY Next; // // Used to prevent this Credential from being deleted prematurely. // LONG lReferences; // // Flag to indicate that Credential is not attached to CredentialList // once References is 0 and Unlinked is True - this record can be removed from list BOOL Unlinked; // // This is the Handle for this credential - same as its memory address // ULONG_PTR CredentialHandle; // // Flag of how credential may be used. // // SECPKG_CRED_* flags // ULONG CredentialUseFlags; // // Default credentials on client context, on server context UserName // Gathered from calls to SpAcceptCredentials // SECURITY_LOGON_TYPE LogonType; UNICODE_STRING ustrAccountName; LUID LogonId; // Logon ID of the client UNICODE_STRING ustrDomainName; // Netbios domain name where account is located // Stores the current plaintext (if available) version of the logon users account // IMPORTANT NOTE - you must use CredHandlerPasswdSet and CredHandlerPasswdGet once the // credential is placed into the list. The main reason for this is that multiple threads // will be utilizing the same memory and this value can change as updates come in from // SpAcceptCredential // Password will be encryped with LSAFunction as in LogonSession UNICODE_STRING ustrPassword; UNICODE_STRING ustrDomain; // NetBios or DNS domain name where account is located will be used in realm directive UNICODE_STRING ustrUpn; // UPN of account (if known) // // Process Id of client // ULONG ClientProcessID; } DIGEST_CREDENTIAL, *PDIGEST_CREDENTIAL; // // Description of a Context // typedef struct _DIGEST_CONTEXT { // Global list of all Contexts // (Serialized by SspContextCritSect) LIST_ENTRY Next; // This is the Handle for this context - same as its memory address ULONG_PTR ContextHandle; // Used to prevent this Context from being deleted prematurely. // (Serialized by SspContextCritSect) LONG lReferences; // Flag to indicate that Context is not attached to List BOOL bUnlinked; // Maintain the context requirements ULONG ContextReq; // Flags for context // FLAG_CONTEXT_AUTHZID_PROVIDED ULONG ulFlags; // Digest Parameters for this context DIGEST_TYPE typeDigest; // Digest Parameters for this context QOP_TYPE typeQOP; // Digest Parameters for this context ALGORITHM_TYPE typeAlgorithm; // Cipher to use for encrypt/decrypt CIPHER_TYPE typeCipher; // Charset used for digest directive values CHARSET_TYPE typeCharset; // Server generated Nonce for Context STRING strNonce; // Client generated CNonce for Context STRING strCNonce; // Nonce count for replay prevention ULONG ulNC; // Maximum size for the buffers to send and receive data for auth-int and auth-conf (SASL mode) ULONG ulSendMaxBuf; ULONG ulRecvMaxBuf; // Unique Reference for this Context BinHex(rand[128]) // Utilize the First N chars of this as the CNONCE for InitializeSecurityContect STRING strOpaque; // BinHex(H(A1)) sent from DC and stored in context for future // auth without going to the DC STRING strSessionKey; // Client only - calculated response auth to be returned from server STRING strResponseAuth; // Copy of directive values from auth - used for rspauth support STRING strDirective[MD5_AUTH_LAST]; // Only valid after ASC has successfully authenticated and converted AuthData to Token // Token Handle of authenticated user HANDLE TokenHandle; // LogonID used in the Token LUID LoginID; // // Information from Credentials // // // Maintain a copy of the credential UseFlags (we can tell if inbound or outbound) // ULONG CredentialUseFlags; // Copy of the account info UNICODE_STRING ustrDomain; UNICODE_STRING ustrPassword; // Encrypted UNICODE_STRING ustrAccountName; // Set time when Context is to Expire TimeStamp ExpirationTime; } DIGEST_CONTEXT, *PDIGEST_CONTEXT; // This structure contains the state info for the User mode // security context. It is passwd between the LSAMode and the UserMode address spaces // In UserMode, this is unpacked into the DIGEST_USERCONTEXT struct typedef struct _DIGEST_PACKED_USERCONTEXT{ ULONG ulFlags; // Flags to control processing of packed UserContext // // Timeout the context after awhile. // TimeStamp ExpirationTime; // Time inwhich session key expires // // Maintain the context requirements // ULONG ContextReq; // // Maintain a copy of the credential UseFlags (we can tell if inbound or outbound) // ULONG CredentialUseFlags; // // Digest Parameters for this context // ULONG typeDigest; // // Digest Parameters for this context // ULONG typeQOP; // // Digest Parameters for this context // ULONG typeAlgorithm; // // Cipher to use for encrypt/decrypt // ULONG typeCipher; // // Charset used for digest directive values // ULONG typeCharset; // // Max-size of message buffer to allow for auth-int & auth-conf processing // This is the combined size of (HEADER + Data + Trailer) // in SASL Header is zero length, max Trailer size if padding+HMAC // ULONG ulSendMaxBuf; ULONG ulRecvMaxBuf; // // Token Handle of authenticated user // Only valid when in AuthenticatedState. // Filled in only by AcceptSecurityContext // It will be NULL is struct is from InitializeSecurityContext // Must cast this to a HANDLE once back into the usermode context // ULONG ClientTokenHandle; // Size of each component set over ULONG uSessionKeyLen; ULONG uAccountNameLen; ULONG uDigestLen[MD5_AUTH_LAST]; // All directive data will be passed as single byte charaters // Order is the same as in auth.h (MD5_AUTH_NAME) // username, realm, nonce, cnonce ... then sessionkey UCHAR ucData; } DIGEST_PACKED_USERCONTEXT, * PDIGEST_PACKED_USERCONTEXT; // This structure contains the state info for the User mode // security context. typedef struct _DIGEST_USERCONTEXT{ // // Global list of all Contexts // (Serialized by UserContextCritSect) // LIST_ENTRY Next; // // Handle to the LsaContext // This will have the handle to the context in LSAMode Address space // ULONG_PTR LsaContext; // // Timeout the context after awhile. // TimeStamp ExpirationTime; // Time inwhich session key expires // // Used to prevent this Context from being deleted prematurely. // This is used ONLY for internal SSP pointer references. For application handles // lReferenceHandles is used. This was necessary to do to keep the count separate for // internal pointer references and handles that are passed to the application. This will // prevent the application from calling DeleteSecurityContext() too many times and accidently // dereferencing an internal pointer. // LONG lReferences; // ref count on SSP pointers issued LONG lReferenceHandles; // ref count on application securityContext handles issued // // Flag to indicate that Context is not attached to List - skip when scanning list // BOOL bUnlinked; // // Digest Parameters for this context // DIGEST_TYPE typeDigest; // // QOP selected for this context // QOP_TYPE typeQOP; // // Digest Parameters for this context // ALGORITHM_TYPE typeAlgorithm; // // Cipher to use for encrypt/decrypt // CIPHER_TYPE typeCipher; // // Charset used for digest directive values // CHARSET_TYPE typeCharset; // // Token Handle of authenticated user // Only valid when in AuthenticatedState. // Filled in only by AcceptSecurityContext - so we are the server // Mapped to UserMode Client space from LSA TokenHandle // It will be NULL is struct is from InitializeSecurityContext - so we are client // HANDLE ClientTokenHandle; // // Maintain the context requirements // ULONG ContextReq; // // Maintain a copy of the credential UseFlags (we can tell if inbound or outbound) // ULONG CredentialUseFlags; // Flags // FLAG_CONTEXT_AUTHZID_PROVIDED ULONG ulFlags; // Nonce Count ULONG ulNC; // Maxbuffer for auth-int and auth-conf processing ULONG ulSendMaxBuf; ULONG ulRecvMaxBuf; // SASL sequence numbering DWORD dwSendSeqNum; // Makesignature/verifysignature server to client sequence number DWORD dwRecvSeqNum; // Makesignature/verifysignature server to client sequence number // SASL Sign and Seal Keys. Save calculated values on sequence number = 0 BYTE bKcSealHashData[MD5_HASH_BYTESIZE]; BYTE bKiSignHashData[MD5_HASH_BYTESIZE]; BYTE bKcUnsealHashData[MD5_HASH_BYTESIZE]; BYTE bKiVerifyHashData[MD5_HASH_BYTESIZE]; BYTE bSealKey[MD5_HASH_BYTESIZE]; BYTE bUnsealKey[MD5_HASH_BYTESIZE]; HCRYPTKEY hSealCryptKey; // Handle to Cryptkey based on Byte keys HCRYPTKEY hUnsealCryptKey; // // Hex(H(A1)) sent from DC and stored in context for future // auth without going to the DC. Binary version is derived from HEX(H(A1)) // and is used in SASL mode for integrity protection and encryption // STRING strSessionKey; BYTE bSessionKey[MD5_HASH_BYTESIZE]; // Account name used in token creation for securityContext session UNICODE_STRING ustrAccountName; // // Values utilized in the Initial Digest Auth ChallResponse // STRING strParam[MD5_AUTH_LAST]; // points to owned memory - will need to free up! } DIGEST_USERCONTEXT, * PDIGEST_USERCONTEXT; #endif // ifndef NTDIGEST_DIGESTSSPI_H