You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
307 lines
9.2 KiB
307 lines
9.2 KiB
//+-----------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
//
|
|
// Copyright (c) Microsoft Corporation 1992 - 1996
|
|
//
|
|
// File: kerbdefs.h
|
|
//
|
|
// Contents: defines for all internal Kerberos lists
|
|
//
|
|
//
|
|
// History: 03-May-1999 ChandanS Created
|
|
//
|
|
//------------------------------------------------------------------------
|
|
|
|
#ifndef __KERBDEFS_H__
|
|
#define __KERBDEFS_H__
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
#include <safelock.h>
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// All Kerberos list structures are defined here
|
|
//
|
|
|
|
typedef struct _KERBEROS_LIST {
|
|
LIST_ENTRY List;
|
|
SAFE_CRITICAL_SECTION Lock;
|
|
} KERBEROS_LIST, *PKERBEROS_LIST;
|
|
|
|
typedef struct _KERBEROS_LIST_ENTRY {
|
|
LIST_ENTRY Next;
|
|
ULONG ReferenceCount;
|
|
} KERBEROS_LIST_ENTRY, *PKERBEROS_LIST_ENTRY;
|
|
|
|
|
|
//
|
|
// NOTE: If you add members to this struct, be sure to
|
|
// modify KerbDuplicateTicketCacheEntry!!!!
|
|
//
|
|
|
|
typedef struct _KERB_TICKET_CACHE_ENTRY {
|
|
KERBEROS_LIST_ENTRY ListEntry;
|
|
volatile LONG Linked;
|
|
PKERB_INTERNAL_NAME ServiceName;
|
|
PKERB_INTERNAL_NAME TargetName;
|
|
UNICODE_STRING DomainName;
|
|
UNICODE_STRING TargetDomainName;
|
|
UNICODE_STRING AltTargetDomainName;
|
|
UNICODE_STRING ClientDomainName;
|
|
PKERB_INTERNAL_NAME ClientName;
|
|
PKERB_INTERNAL_NAME AltClientName;
|
|
ULONG TicketFlags;
|
|
ULONG CacheFlags;
|
|
KERB_ENCRYPTION_KEY SessionKey;
|
|
KERB_ENCRYPTION_KEY CredentialKey; // used for pkiint only.
|
|
TimeStamp StartTime;
|
|
TimeStamp EndTime;
|
|
TimeStamp RenewUntil;
|
|
KERB_TICKET Ticket;
|
|
TimeStamp TimeSkew;
|
|
LUID EvidenceLogonId;
|
|
void * ScavengerHandle;
|
|
#if DBG
|
|
LIST_ENTRY GlobalListEntry;
|
|
#endif
|
|
} KERB_TICKET_CACHE_ENTRY, *PKERB_TICKET_CACHE_ENTRY;
|
|
|
|
typedef struct _KERB_TICKET_CACHE {
|
|
LIST_ENTRY CacheEntries;
|
|
TimeStamp LastCleanup;
|
|
} KERB_TICKET_CACHE, *PKERB_TICKET_CACHE;
|
|
|
|
|
|
//
|
|
// Smartcard flags
|
|
//
|
|
#define CSP_DATA_INITIALIZED 0x01
|
|
#define CSP_DATA_REUSED 0x02
|
|
|
|
//
|
|
// Context flags used to determine pin caching behavior.
|
|
//
|
|
#define CONTEXT_INITIALIZED_WITH_CRED_MAN_CREDS 0x10
|
|
#define CONTEXT_INITIALIZED_WITH_ACH 0x20
|
|
|
|
typedef struct _KERB_PUBLIC_KEY_CREDENTIALS {
|
|
UNICODE_STRING Pin;
|
|
UNICODE_STRING AlternateDomainName;
|
|
PCCERT_CONTEXT CertContext;
|
|
ULONG_PTR KerbHProv;
|
|
ULONG InitializationInfo;
|
|
ULONG CspDataLength;
|
|
BYTE CspData[1];
|
|
} KERB_PUBLIC_KEY_CREDENTIALS, *PKERB_PUBLIC_KEY_CREDENTIALS;
|
|
|
|
typedef struct _KERB_PRIMARY_CREDENTIAL {
|
|
UNICODE_STRING UserName;
|
|
UNICODE_STRING DomainName;
|
|
UNICODE_STRING ClearPassword; // this is only present until a ticket has been obtained.
|
|
|
|
UNICODE_STRING OldUserName; // original user name in explicit
|
|
UNICODE_STRING OldDomainName; // original domain name in explicit cred
|
|
NT_OWF_PASSWORD OldHashPassword; // hash of encrypted ClearPassword
|
|
|
|
PKERB_STORED_CREDENTIAL Passwords;
|
|
PKERB_STORED_CREDENTIAL OldPasswords;
|
|
KERB_TICKET_CACHE ServerTicketCache;
|
|
KERB_TICKET_CACHE S4UTicketCache;
|
|
KERB_TICKET_CACHE AuthenticationTicketCache;
|
|
PKERB_PUBLIC_KEY_CREDENTIALS PublicKeyCreds;
|
|
} KERB_PRIMARY_CREDENTIAL, *PKERB_PRIMARY_CREDENTIAL;
|
|
|
|
typedef struct _KERB_EXTRA_CRED {
|
|
KERBEROS_LIST_ENTRY ListEntry;
|
|
volatile LONG Linked;
|
|
UNICODE_STRING cName;
|
|
UNICODE_STRING cRealm;
|
|
PKERB_STORED_CREDENTIAL Passwords;
|
|
PKERB_STORED_CREDENTIAL OldPasswords;
|
|
} KERB_EXTRA_CRED, *PKERB_EXTRA_CRED;
|
|
|
|
typedef struct _EXTRA_CRED_LIST {
|
|
KERBEROS_LIST CredList;
|
|
ULONG Count;
|
|
} EXTRA_CRED_LIST, *PEXTRA_CRED_LIST;
|
|
|
|
typedef struct _KERB_LOGON_SESSION {
|
|
KERBEROS_LIST_ENTRY ListEntry;
|
|
KERBEROS_LIST CredmanCredentials;
|
|
LUID LogonId; // constant
|
|
TimeStamp Lifetime;
|
|
SAFE_CRITICAL_SECTION Lock;
|
|
KERB_PRIMARY_CREDENTIAL PrimaryCredentials;
|
|
EXTRA_CRED_LIST ExtraCredentials;
|
|
ULONG LogonSessionFlags;
|
|
void* TaskHandle;
|
|
} KERB_LOGON_SESSION, *PKERB_LOGON_SESSION;
|
|
|
|
|
|
#define KERB_CREDENTIAL_TAG_ACTIVE (ULONG)'AdrC'
|
|
#define KERB_CREDENTIAL_TAG_DELETE (ULONG)'DdrC'
|
|
|
|
typedef struct _KERB_CREDENTIAL {
|
|
KERBEROS_LIST_ENTRY ListEntry;
|
|
ULONG HandleCount;
|
|
LUID LogonId; // constant
|
|
TimeStamp Lifetime;
|
|
UNICODE_STRING CredentialName;
|
|
ULONG CredentialFlags;
|
|
ULONG ClientProcess; // constant
|
|
PKERB_PRIMARY_CREDENTIAL SuppliedCredentials;
|
|
PKERB_AUTHORIZATION_DATA AuthData;
|
|
ULONG CredentialTag;
|
|
} KERB_CREDENTIAL, *PKERB_CREDENTIAL;
|
|
|
|
typedef struct _KERB_CREDMAN_CRED {
|
|
KERBEROS_LIST_ENTRY ListEntry;
|
|
ULONG CredentialFlags;
|
|
UNICODE_STRING CredmanUserName; // added since TGT information can overwrite primary credentials...
|
|
UNICODE_STRING CredmanDomainName;
|
|
PKERB_PRIMARY_CREDENTIAL SuppliedCredentials;
|
|
} KERB_CREDMAN_CRED, *PKERB_CREDMAN_CRED;
|
|
|
|
|
|
typedef enum _KERB_CONTEXT_STATE {
|
|
IdleState,
|
|
TgtRequestSentState,
|
|
TgtReplySentState,
|
|
ApRequestSentState,
|
|
ApReplySentState,
|
|
AuthenticatedState,
|
|
ErrorMessageSentState,
|
|
InvalidState
|
|
} KERB_CONTEXT_STATE, *PKERB_CONTEXT_STATE;
|
|
|
|
|
|
#define KERB_CONTEXT_TAG_ACTIVE (ULONG)'AxtC'
|
|
#define KERB_CONTEXT_TAG_DELETE (ULONG)'DxtC'
|
|
|
|
typedef struct _KERB_CONTEXT {
|
|
KERBEROS_LIST_ENTRY ListEntry;
|
|
TimeStamp Lifetime; // end time/expiration time
|
|
TimeStamp RenewTime; // time to renew until
|
|
TimeStamp StartTime;
|
|
UNICODE_STRING ClientName;
|
|
UNICODE_STRING ClientRealm;
|
|
UNICODE_STRING ClientDnsRealm;
|
|
union {
|
|
ULONG ClientProcess;
|
|
LSA_SEC_HANDLE LsaContextHandle;
|
|
};
|
|
LUID LogonId;
|
|
HANDLE TokenHandle;
|
|
ULONG_PTR CredentialHandle;
|
|
KERB_ENCRYPTION_KEY SessionKey;
|
|
ULONG Nonce;
|
|
ULONG ReceiveNonce;
|
|
ULONG ContextFlags;
|
|
ULONG ContextAttributes;
|
|
ULONG NegotiationInfo;
|
|
ULONG EncryptionType;
|
|
PSID UserSid;
|
|
KERB_CONTEXT_STATE ContextState;
|
|
ULONG Retries;
|
|
KERB_ENCRYPTION_KEY TicketKey;
|
|
PKERB_TICKET_CACHE_ENTRY TicketCacheEntry; // for clients, is ticket to server, for servers, is TGT used in user-to-user
|
|
UNICODE_STRING ClientPrincipalName;
|
|
UNICODE_STRING ServerPrincipalName;
|
|
PKERB_CREDMAN_CRED CredManCredentials;
|
|
|
|
//
|
|
// marshalled target info for DFS/RDR.
|
|
//
|
|
|
|
PBYTE pbMarshalledTargetInfo;
|
|
ULONG cbMarshalledTargetInfo;
|
|
|
|
TimeStamp AuthenticatorTime;
|
|
|
|
ULONG ContextTag;
|
|
} KERB_CONTEXT, *PKERB_CONTEXT;
|
|
|
|
typedef struct _KERB_PACKED_CONTEXT {
|
|
ULONG ContextType ; // Indicates the type of the context
|
|
ULONG Pad; // Pad data
|
|
TimeStamp Lifetime; // Matches basic context above
|
|
TimeStamp RenewTime ;
|
|
TimeStamp StartTime;
|
|
UNICODE_STRING32 ClientName ;
|
|
UNICODE_STRING32 ClientRealm ;
|
|
ULONG LsaContextHandle ;
|
|
LUID LogonId ;
|
|
ULONG TokenHandle ;
|
|
ULONG CredentialHandle ;
|
|
ULONG SessionKeyType ;
|
|
ULONG SessionKeyOffset ;
|
|
ULONG SessionKeyLength ;
|
|
ULONG Nonce ;
|
|
ULONG ReceiveNonce ;
|
|
ULONG ContextFlags ;
|
|
ULONG ContextAttributes ;
|
|
ULONG EncryptionType ;
|
|
KERB_CONTEXT_STATE ContextState ;
|
|
ULONG Retries ;
|
|
ULONG MarshalledTargetInfo; // offset
|
|
ULONG MarshalledTargetInfoLength;
|
|
} KERB_PACKED_CONTEXT, * PKERB_PACKED_CONTEXT;
|
|
|
|
typedef struct _KERB_SESSION_KEY_ENTRY {
|
|
LIST_ENTRY ListEntry;
|
|
KERB_ENCRYPTION_KEY SessionKey;
|
|
FILETIME ExpireTime; // time when SessionKey expires
|
|
} KERB_SESSION_KEY_ENTRY, * PKERB_SESSION_KEY_ENTRY;
|
|
|
|
#define KERB_PACKED_CONTEXT_MAP 0
|
|
#define KERB_PACKED_CONTEXT_EXPORT 1
|
|
|
|
//
|
|
// The order of this enum is the order in which locks
|
|
// must be acquired. Violating this order will result
|
|
// in asserts firing in debug builds.
|
|
//
|
|
// Do not change the order of this enum without first verifying
|
|
// thoroughly that the change is safe.
|
|
//
|
|
|
|
typedef enum {
|
|
|
|
//
|
|
// No-dependency locks
|
|
//
|
|
|
|
LS_LIST_LOCK_ENUM = 0, // (LSLS)
|
|
LOCAL_LOOPBACK_SKEY_LOCK = 0, // (LLBK)
|
|
HOST_2_REALM_LIST_LOCK = 0, // (H2RL)
|
|
|
|
//
|
|
// Locks with dependencies
|
|
//
|
|
|
|
CRED_MGR_LOCK_ENUM = 1, // (CRED)
|
|
LOGON_SESSION_LOCK_ENUM, // (LOGO)
|
|
CONTEXT_LIST_LOCK_ENUM, // (CLIS) --- LOGO
|
|
LS_EXTRACRED_LOCK_ENUM, // (LSXC) --- LOGO
|
|
LS_CREDMAN_LOCK_ENUM, // (LSCM) --- LOGO
|
|
TICKET_CACHE_LOCK_ENUM, // (TICK) --- CRED LOGO CLIS LSXC LSCM
|
|
GLOBAL_RESOURCE_LOCK_ENUM, // (GLOB) --- LOGO
|
|
MIT_REALM_LIST_LOCK_ENUM, // (MITR) --- GLOB
|
|
BINDING_CACHE_LOCK_ENUM, // (BNDC) --- GLOB
|
|
SPN_CACHE_LOCK_ENUM, // (SPNC) --- GLOB
|
|
CONTEXT_RESOURCE_LOCK_ENUM, // (CRES) --- TICK LSXC
|
|
S4U_CACHE_LOCK_ENUM, // (S4UC) --- TICK
|
|
DISABLED_SPNS_LOCK_ENUM, // (DISA) --- TICK
|
|
KERB_SKEW_STATE_LOCK_ENUM, // (SKEW) --- TICK
|
|
KDC_DATA_LOCK_ENUM, // (KDLK) --- LOGO LSCM
|
|
|
|
KERB_MAX_LOCK_ENUM,
|
|
|
|
} KERB_LOCK_ENUM;
|
|
|
|
#endif // __KERBDEFS_H_
|