You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
370 lines
10 KiB
370 lines
10 KiB
//+---------------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
// Copyright (C) Microsoft Corporation, 1992 - 1993.
|
|
//
|
|
// File: kerbtick.h
|
|
//
|
|
// Contents: Structures for ticket request and creation
|
|
//
|
|
// Classes:
|
|
//
|
|
// Functions:
|
|
//
|
|
// History: 22-April-1996 Created MikeSw
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
|
|
#ifndef __KERBTICK_H__
|
|
#define __KERBTICK_H__
|
|
|
|
//
|
|
// Macros used for building tickets
|
|
//
|
|
|
|
#define KERB_ENCRYPT_SIZE(_x_) (sizeof(KERB_ENCRYPTED_DATA) - 1 + (_x_))
|
|
|
|
//
|
|
// Structures used for AP (authentication protocol) exchanges with a server
|
|
//
|
|
|
|
//#define KERB_AP_INTEGRITY 0x80000000 // Integrity Request
|
|
//#define KERB_AP_PRIVACY 0x40000000 // Privacy
|
|
//#define KERB_AP_THREE_LEG 0x20000000 // Mutual Auth 3-leg
|
|
//#define KERB_AP_RETURN_EE 0x10000000 // Return extended error info
|
|
//#define KERB_AP_USE_SKEY 0x00000002 // Use session key
|
|
//#define KERB_AP_MUTUAL_REQ 0x00000004
|
|
|
|
//
|
|
// Structure used to store GSS checksum
|
|
//
|
|
|
|
typedef struct _KERB_GSS_CHECKSUM {
|
|
ULONG BindLength;
|
|
ULONG BindHash[4];
|
|
ULONG GssFlags;
|
|
USHORT Delegation;
|
|
USHORT DelegationLength;
|
|
UCHAR DelegationInfo[ANYSIZE_ARRAY];
|
|
} KERB_GSS_CHECKSUM, *PKERB_GSS_CHECKSUM;
|
|
|
|
#define GSS_C_DELEG_FLAG 0x01
|
|
#define GSS_C_MUTUAL_FLAG 0x02
|
|
#define GSS_C_REPLAY_FLAG 0x04
|
|
#define GSS_C_SEQUENCE_FLAG 0x08
|
|
#define GSS_C_CONF_FLAG 0x10
|
|
#define GSS_C_INTEG_FLAG 0x20
|
|
#define GSS_C_ANON_FLAG 0x40
|
|
#define GSS_C_DCE_STYLE 0x1000
|
|
#define GSS_C_IDENTIFY_FLAG 0x2000
|
|
#define GSS_C_EXTENDED_ERROR_FLAG 0x4000
|
|
|
|
#define GSS_CHECKSUM_TYPE 0x8003
|
|
#define GSS_CHECKSUM_SIZE 24
|
|
|
|
// This was added due to sizeof() byte alignment issues on
|
|
// the KREB_GSS_CHECKSUM structure.
|
|
#define GSS_DELEGATE_CHECKSUM_SIZE 28
|
|
|
|
//
|
|
// KerbGetTgsTicket retry flags
|
|
//
|
|
|
|
#define KERB_MIT_NO_CANONICALIZE_RETRY 0x00000001 // for MIT no canonicalize retry case and usage of host to realm mappings
|
|
#define KERB_RETRY_WITH_NEW_TGT 0x00000002
|
|
#define KERB_RETRY_DISABLE_S4U 0x00000004 // Turn off S4U
|
|
#define KERB_RETRY_NO_S4UMATCH 0x00000008 // cache this SPN as not avail. for S4U
|
|
|
|
//
|
|
// Default flags for use in ticket requests
|
|
//
|
|
|
|
#define KERB_DEFAULT_TICKET_FLAGS (KERB_KDC_OPTIONS_forwardable | \
|
|
KERB_KDC_OPTIONS_renewable | \
|
|
KERB_KDC_OPTIONS_renewable_ok | \
|
|
KERB_KDC_OPTIONS_name_canonicalize )
|
|
|
|
|
|
//
|
|
// These flags don't have to be in the TGT in order to be honored. Reg.
|
|
// configurable.
|
|
//
|
|
#define KERB_ADDITIONAL_KDC_OPTIONS (KERB_KDC_OPTIONS_name_canonicalize)
|
|
|
|
|
|
NTSTATUS
|
|
KerbGetReferralNames(
|
|
IN PKERB_ENCRYPTED_KDC_REPLY KdcReply,
|
|
IN PKERB_INTERNAL_NAME OriginalTargetName,
|
|
OUT PUNICODE_STRING ReferralRealm
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbMITGetMachineDomain(
|
|
IN PKERB_INTERNAL_NAME TargetName,
|
|
IN OUT PUNICODE_STRING TargetDomainName,
|
|
IN OUT PKERB_TICKET_CACHE_ENTRY *TicketGrantingTicket
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbGetTgtForService(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_CREDENTIAL Credential,
|
|
IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials,
|
|
IN OPTIONAL PUNICODE_STRING SuppRealm,
|
|
IN PUNICODE_STRING TargetDomain,
|
|
IN ULONG TargetFlags,
|
|
OUT PKERB_TICKET_CACHE_ENTRY * NewCacheEntry,
|
|
OUT PBOOLEAN CrossRealm
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbGetTgsTicket(
|
|
IN PUNICODE_STRING ClientRealm,
|
|
IN PKERB_TICKET_CACHE_ENTRY TicketGrantingTicket,
|
|
IN PKERB_INTERNAL_NAME TargetName,
|
|
IN ULONG Flags,
|
|
IN OPTIONAL ULONG TicketOptions,
|
|
IN OPTIONAL ULONG EncryptionType,
|
|
IN OPTIONAL PKERB_AUTHORIZATION_DATA AuthorizationData,
|
|
IN OPTIONAL PKERB_PA_DATA_LIST PADataList,
|
|
IN OPTIONAL PKERB_TGT_REPLY TgtReply,
|
|
IN OPTIONAL PKERB_TICKET EvidenceTicket,
|
|
IN OPTIONAL PTimeStamp OptionalEndTime,
|
|
OUT PKERB_KDC_REPLY * KdcReply,
|
|
OUT PKERB_ENCRYPTED_KDC_REPLY * ReplyBody,
|
|
OUT PULONG pRetryFlags
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbGetServiceTicket(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_CREDENTIAL Credential,
|
|
IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials,
|
|
IN PKERB_INTERNAL_NAME TargetName,
|
|
IN PUNICODE_STRING TargetDomainName,
|
|
IN OPTIONAL PKERB_SPN_CACHE_ENTRY SpnCacheEntry,
|
|
IN ULONG Flags,
|
|
IN OPTIONAL ULONG TicketOptions,
|
|
IN OPTIONAL ULONG EncryptionType,
|
|
IN OPTIONAL PKERB_ERROR ErrorMessage,
|
|
IN OPTIONAL PKERB_AUTHORIZATION_DATA AuthorizationData,
|
|
IN OPTIONAL PKERB_TGT_REPLY TgtReply,
|
|
OUT PKERB_TICKET_CACHE_ENTRY * NewCacheEntry,
|
|
OUT LPGUID pLogonGuid OPTIONAL
|
|
);
|
|
|
|
#define KERB_GET_TICKET_NO_CACHE 0x1
|
|
#define KERB_GET_TICKET_NO_CANONICALIZE 0x2
|
|
#define KERB_TARGET_DID_ALTNAME_LOOKUP 0x8
|
|
|
|
#define KERB_TARGET_USED_SPN_CACHE 0x1000
|
|
#define KERB_TARGET_UNKNOWN_SPN 0x2000
|
|
#define KERB_MIT_REALM_USED 0x4000
|
|
#define KERB_TARGET_REFERRAL 0x8000
|
|
#define KERB_TARGET_SPN_NO_PROXY 0x10000
|
|
|
|
BOOL
|
|
KerbHaveKeyMaterials(
|
|
IN OPTIONAL PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_PRIMARY_CREDENTIAL PrimaryCred
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbBuildApRequest(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN OPTIONAL PKERB_CREDENTIAL Credential,
|
|
IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials,
|
|
IN PKERB_TICKET_CACHE_ENTRY TicketCacheEntry,
|
|
IN OPTIONAL PKERB_ERROR ErrorMessage,
|
|
IN ULONG ContextAttributes,
|
|
IN OUT PULONG ContextFlags,
|
|
OUT PUCHAR * MarshalledApRequest,
|
|
OUT PULONG ApRequestSize,
|
|
OUT PULONG Nonce,
|
|
OUT OPTIONAL PTimeStamp pAuthenticatorTime,
|
|
OUT PKERB_ENCRYPTION_KEY SubSessionKey,
|
|
IN PSEC_CHANNEL_BINDINGS pChannelBindings
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbBuildNullSessionApRequest(
|
|
OUT PUCHAR * MarshalledApRequest,
|
|
OUT PULONG ApRequestSize
|
|
);
|
|
|
|
KERBERR
|
|
KerbCreateApRequest(
|
|
IN PKERB_INTERNAL_NAME ClientName,
|
|
IN PUNICODE_STRING ClientRealm,
|
|
IN PKERB_ENCRYPTION_KEY SessionKey,
|
|
IN PKERB_ENCRYPTION_KEY SubSessionKey,
|
|
IN ULONG Nonce,
|
|
OUT OPTIONAL PTimeStamp pAuthenticatorTime,
|
|
IN PKERB_TICKET ServiceTicket,
|
|
IN ULONG ApOptions,
|
|
IN OPTIONAL PKERB_CHECKSUM GssChecksum,
|
|
IN OPTIONAL PTimeStamp ServerSkewTime,
|
|
IN BOOLEAN KdcRequest,
|
|
OUT PULONG RequestSize,
|
|
OUT PUCHAR * Request
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbVerifyApRequest(
|
|
IN OPTIONAL PKERB_CONTEXT Context,
|
|
IN PUCHAR RequestMessage,
|
|
IN ULONG RequestSize,
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_CREDENTIAL Credential,
|
|
IN BOOLEAN UseSuppliedCreds,
|
|
IN BOOLEAN CheckForReplay,
|
|
OUT PKERB_AP_REQUEST * ApRequest,
|
|
OUT PKERB_ENCRYPTED_TICKET * NewTicket,
|
|
OUT PKERB_AUTHENTICATOR * NewAuthenticator,
|
|
OUT PKERB_ENCRYPTION_KEY SessionKey,
|
|
OUT PKERB_ENCRYPTION_KEY TicketKey,
|
|
OUT PKERB_ENCRYPTION_KEY ServerKey,
|
|
OUT PULONG ContextFlags,
|
|
OUT PULONG ContextAttributes,
|
|
OUT PKERBERR KerbError,
|
|
IN PSEC_CHANNEL_BINDINGS pChannelBindings
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbComputeGssBindHash(
|
|
IN PSEC_CHANNEL_BINDINGS pChannelBindings,
|
|
OUT PUCHAR HashBuffer
|
|
);
|
|
|
|
//
|
|
// From credapi.cxx
|
|
//
|
|
|
|
NTSTATUS
|
|
KerbCaptureSuppliedCreds(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN OPTIONAL PVOID AuthorizationData,
|
|
IN OPTIONAL PUNICODE_STRING PrincipalName,
|
|
OUT PKERB_PRIMARY_CREDENTIAL * SuppliedCreds,
|
|
OUT PULONG Flags
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbBuildApReply(
|
|
IN PKERB_AUTHENTICATOR InternalAuthenticator,
|
|
IN PKERB_AP_REQUEST Request,
|
|
IN ULONG ContextFlags,
|
|
IN ULONG ContextAtributes,
|
|
IN PKERB_ENCRYPTION_KEY TicketKey,
|
|
IN OUT PKERB_ENCRYPTION_KEY SessionKey,
|
|
OUT PULONG Nonce,
|
|
OUT PUCHAR * NewReply,
|
|
OUT PULONG NewReplySize
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbBuildThirdLegApReply(
|
|
IN PKERB_CONTEXT Context,
|
|
IN ULONG ReceiveNonce,
|
|
OUT PUCHAR * NewReply,
|
|
OUT PULONG NewReplySize
|
|
);
|
|
|
|
BOOLEAN
|
|
KerbKerbTimeEqual(
|
|
PKERB_TIME pt1,
|
|
PKERB_TIME pt2
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbVerifyApReply(
|
|
IN PKERB_CONTEXT Context,
|
|
IN PUCHAR PackedReply,
|
|
IN ULONG PackedReplySize,
|
|
OUT PULONG ReceiveNonce
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbInitTicketHandling(
|
|
VOID
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbInitGlobalVariables(
|
|
VOID
|
|
);
|
|
|
|
VOID
|
|
KerbCleanupTicketHandling(
|
|
VOID
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbMakeSocketCall(
|
|
IN PUNICODE_STRING RealmName,
|
|
IN OPTIONAL PUNICODE_STRING AccountName,
|
|
IN BOOLEAN CallPDC,
|
|
IN BOOLEAN UseTcp,
|
|
IN BOOLEAN CallKpasswd,
|
|
IN PKERB_MESSAGE_BUFFER RequestMessage,
|
|
IN PKERB_MESSAGE_BUFFER ReplyMessage,
|
|
IN OPTIONAL PKERB_BINDING_CACHE_ENTRY OptionalBindingHandle,
|
|
IN ULONG AdditionalFlags,
|
|
OUT PBOOLEAN CalledPDC
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbHandleTgtRequest(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_CREDENTIAL Credential,
|
|
IN BOOLEAN UseSuppliedCreds,
|
|
IN PUCHAR RequestMessage,
|
|
IN ULONG RequestSize,
|
|
IN ULONG ContextRequirements,
|
|
IN PSecBuffer OutputToken,
|
|
IN PLUID LogonId,
|
|
OUT PULONG ContextAttributes,
|
|
OUT PKERB_CONTEXT * Context,
|
|
OUT PTimeStamp ContextLifetime,
|
|
OUT PKERBERR ReturnedError
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbBuildTgtRequest(
|
|
IN PKERB_INTERNAL_NAME TargetName,
|
|
IN PUNICODE_STRING TargetRealm,
|
|
OUT PULONG ContextAttributes,
|
|
OUT PUCHAR * MarshalladTgtRequest,
|
|
OUT PULONG TgtRequestSize
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbUnpackTgtReply(
|
|
IN PKERB_CONTEXT Context,
|
|
IN PUCHAR ReplyMessage,
|
|
IN ULONG ReplySize,
|
|
OUT PKERB_INTERNAL_NAME * TargetName,
|
|
OUT PUNICODE_STRING TargetRealm,
|
|
OUT PKERB_TGT_REPLY * Reply
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbBuildTgtErrorReply(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_CREDENTIAL Credentials,
|
|
IN BOOLEAN UseSuppliedCreds,
|
|
IN OUT PKERB_CONTEXT Context,
|
|
OUT PULONG ReplySize,
|
|
OUT PBYTE * Reply
|
|
);
|
|
|
|
NTSTATUS
|
|
KerbBuildKerbCred(
|
|
IN OPTIONAL PKERB_TICKET_CACHE_ENTRY Ticket,
|
|
IN PKERB_TICKET_CACHE_ENTRY DelegationTicket,
|
|
OUT PUCHAR * MarshalledKerbCred,
|
|
OUT PULONG KerbCredSize
|
|
);
|
|
|
|
#endif // __KERBTICK_H__
|