Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1894 lines
56 KiB

/*++ BUILD Version: 0000 Increment this if a change has global effects
Copyright (c) Microsoft Corporation. All rights reserved.
Module Name:
ntsecpkg.h
Abstract:
This module defines the structures and APIs for use by a
authentication or security package.
Revision History:
--*/
#ifndef _NTSECPKG_
#define _NTSECPKG_
#ifdef __cplusplus
extern "C" {
#endif
/////////////////////////////////////////////////////////////////////////
// //
// Data types used by authentication packages //
// //
/////////////////////////////////////////////////////////////////////////
//
// opaque data type which represents a client request
//
typedef PVOID *PLSA_CLIENT_REQUEST;
//
// When a logon of a user is requested, the authentication package
// is expected to return one of the following structures indicating
// the contents of a user's token.
//
typedef enum _LSA_TOKEN_INFORMATION_TYPE {
LsaTokenInformationNull, // Implies LSA_TOKEN_INFORMATION_NULL data type
LsaTokenInformationV1, // Implies LSA_TOKEN_INFORMATION_V1 data type
LsaTokenInformationV2 // Implies LSA_TOKEN_INFORMATION_V2 data type
} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;
//
// The NULL information is used in cases where a non-authenticated
// system access is needed. For example, a non-authentication network
// circuit (such as LAN Manager's null session) can be given NULL
// information. This will result in an anonymous token being generated
// for the logon that gives the user no ability to access protected system
// resources, but does allow access to non-protected system resources.
//
typedef struct _LSA_TOKEN_INFORMATION_NULL {
//
// Time at which the security context becomes invalid.
// Use a value in the distant future if the context
// never expires.
//
LARGE_INTEGER ExpirationTime;
//
// The SID(s) of groups the user is to be made a member of. This should
// not include WORLD or other system defined and assigned
// SIDs. These will be added automatically by LSA.
//
// Each SID is expected to be in a separately allocated block
// of memory. The TOKEN_GROUPS structure is also expected to
// be in a separately allocated block of memory.
//
PTOKEN_GROUPS Groups;
} LSA_TOKEN_INFORMATION_NULL, *PLSA_TOKEN_INFORMATION_NULL;
//
// The V1 token information structure is superceeded by the V2 token
// information structure. The V1 strucure should only be used for
// backwards compatability.
// This structure contains information that an authentication package
// can place in a Version 1 NT token object.
//
typedef struct _LSA_TOKEN_INFORMATION_V1 {
//
// Time at which the security context becomes invalid.
// Use a value in the distant future if the context
// never expires.
//
LARGE_INTEGER ExpirationTime;
//
// The SID of the user logging on. The SID value is in a
// separately allocated block of memory.
//
TOKEN_USER User;
//
// The SID(s) of groups the user is a member of. This should
// not include WORLD or other system defined and assigned
// SIDs. These will be added automatically by LSA.
//
// Each SID is expected to be in a separately allocated block
// of memory. The TOKEN_GROUPS structure is also expected to
// be in a separately allocated block of memory.
//
PTOKEN_GROUPS Groups;
//
// This field is used to establish the primary group of the user.
// This value does not have to correspond to one of the SIDs
// assigned to the user.
//
// The SID pointed to by this structure is expected to be in
// a separately allocated block of memory.
//
// This field is mandatory and must be filled in.
//
TOKEN_PRIMARY_GROUP PrimaryGroup;
//
// The privileges the user is assigned. This list of privileges
// will be augmented or over-ridden by any local security policy
// assigned privileges.
//
// Each privilege is expected to be in a separately allocated
// block of memory. The TOKEN_PRIVILEGES structure is also
// expected to be in a separately allocated block of memory.
//
// If there are no privileges to assign to the user, this field
// may be set to NULL.
//
PTOKEN_PRIVILEGES Privileges;
//
// This field may be used to establish an explicit default
// owner. Normally, the user ID is used as the default owner.
// If another value is desired, it must be specified here.
//
// The Owner.Sid field may be set to NULL to indicate there is no
// alternate default owner value.
//
TOKEN_OWNER Owner;
//
// This field may be used to establish a default
// protection for the user. If no value is provided, then
// a default protection that grants everyone all access will
// be established.
//
// The DefaultDacl.DefaultDacl field may be set to NULL to indicate
// there is no default protection.
//
TOKEN_DEFAULT_DACL DefaultDacl;
} LSA_TOKEN_INFORMATION_V1, *PLSA_TOKEN_INFORMATION_V1;
//
// The V2 information is used in most cases of logon. The structure is identical
// to the V1 token information structure, with the exception that the memory allocation
// is handled differently. The LSA_TOKEN_INFORMATION_V2 structure is intended to be
// allocated monolithiclly, with the privileges, DACL, sids, and group array either part of
// same allocation, or allocated and freed externally.
//
typedef LSA_TOKEN_INFORMATION_V1 LSA_TOKEN_INFORMATION_V2, *PLSA_TOKEN_INFORMATION_V2;
/////////////////////////////////////////////////////////////////////////
// //
// Interface definitions available for use by authentication packages //
// //
/////////////////////////////////////////////////////////////////////////
typedef NTSTATUS
(NTAPI LSA_CREATE_LOGON_SESSION) (
IN PLUID LogonId
);
typedef NTSTATUS
(NTAPI LSA_DELETE_LOGON_SESSION) (
IN PLUID LogonId
);
typedef NTSTATUS
(NTAPI LSA_ADD_CREDENTIAL) (
IN PLUID LogonId,
IN ULONG AuthenticationPackage,
IN PLSA_STRING PrimaryKeyValue,
IN PLSA_STRING Credentials
);
typedef NTSTATUS
(NTAPI LSA_GET_CREDENTIALS) (
IN PLUID LogonId,
IN ULONG AuthenticationPackage,
IN OUT PULONG QueryContext,
IN BOOLEAN RetrieveAllCredentials,
IN PLSA_STRING PrimaryKeyValue,
OUT PULONG PrimaryKeyLength,
IN PLSA_STRING Credentials
);
typedef NTSTATUS
(NTAPI LSA_DELETE_CREDENTIAL) (
IN PLUID LogonId,
IN ULONG AuthenticationPackage,
IN PLSA_STRING PrimaryKeyValue
);
typedef PVOID
(NTAPI LSA_ALLOCATE_LSA_HEAP) (
IN ULONG Length
);
typedef VOID
(NTAPI LSA_FREE_LSA_HEAP) (
IN PVOID Base
);
typedef PVOID
(NTAPI LSA_ALLOCATE_PRIVATE_HEAP) (
IN SIZE_T Length
);
typedef VOID
(NTAPI LSA_FREE_PRIVATE_HEAP) (
IN PVOID Base
);
typedef NTSTATUS
(NTAPI LSA_ALLOCATE_CLIENT_BUFFER) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN ULONG LengthRequired,
OUT PVOID *ClientBaseAddress
);
typedef NTSTATUS
(NTAPI LSA_FREE_CLIENT_BUFFER) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN PVOID ClientBaseAddress
);
typedef NTSTATUS
(NTAPI LSA_COPY_TO_CLIENT_BUFFER) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN ULONG Length,
IN PVOID ClientBaseAddress,
IN PVOID BufferToCopy
);
typedef NTSTATUS
(NTAPI LSA_COPY_FROM_CLIENT_BUFFER) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN ULONG Length,
IN PVOID BufferToCopy,
IN PVOID ClientBaseAddress
);
typedef LSA_CREATE_LOGON_SESSION * PLSA_CREATE_LOGON_SESSION ;
typedef LSA_DELETE_LOGON_SESSION * PLSA_DELETE_LOGON_SESSION ;
typedef LSA_ADD_CREDENTIAL * PLSA_ADD_CREDENTIAL ;
typedef LSA_GET_CREDENTIALS * PLSA_GET_CREDENTIALS ;
typedef LSA_DELETE_CREDENTIAL * PLSA_DELETE_CREDENTIAL ;
typedef LSA_ALLOCATE_LSA_HEAP * PLSA_ALLOCATE_LSA_HEAP ;
typedef LSA_FREE_LSA_HEAP * PLSA_FREE_LSA_HEAP ;
typedef LSA_ALLOCATE_PRIVATE_HEAP * PLSA_ALLOCATE_PRIVATE_HEAP ;
typedef LSA_FREE_PRIVATE_HEAP * PLSA_FREE_PRIVATE_HEAP ;
typedef LSA_ALLOCATE_CLIENT_BUFFER * PLSA_ALLOCATE_CLIENT_BUFFER ;
typedef LSA_FREE_CLIENT_BUFFER * PLSA_FREE_CLIENT_BUFFER ;
typedef LSA_COPY_TO_CLIENT_BUFFER * PLSA_COPY_TO_CLIENT_BUFFER ;
typedef LSA_COPY_FROM_CLIENT_BUFFER * PLSA_COPY_FROM_CLIENT_BUFFER ;
//
// The dispatch table of LSA services which are available to
// authentication packages.
//
typedef struct _LSA_DISPATCH_TABLE {
PLSA_CREATE_LOGON_SESSION CreateLogonSession;
PLSA_DELETE_LOGON_SESSION DeleteLogonSession;
PLSA_ADD_CREDENTIAL AddCredential;
PLSA_GET_CREDENTIALS GetCredentials;
PLSA_DELETE_CREDENTIAL DeleteCredential;
PLSA_ALLOCATE_LSA_HEAP AllocateLsaHeap;
PLSA_FREE_LSA_HEAP FreeLsaHeap;
PLSA_ALLOCATE_CLIENT_BUFFER AllocateClientBuffer;
PLSA_FREE_CLIENT_BUFFER FreeClientBuffer;
PLSA_COPY_TO_CLIENT_BUFFER CopyToClientBuffer;
PLSA_COPY_FROM_CLIENT_BUFFER CopyFromClientBuffer;
} LSA_DISPATCH_TABLE, *PLSA_DISPATCH_TABLE;
////////////////////////////////////////////////////////////////////////////
// //
// Interface definitions of services provided by authentication packages //
// //
////////////////////////////////////////////////////////////////////////////
//
// Routine names
//
// The routines provided by the DLL must be assigned the following names
// so that their addresses can be retrieved when the DLL is loaded.
//
#define LSA_AP_NAME_INITIALIZE_PACKAGE "LsaApInitializePackage\0"
#define LSA_AP_NAME_LOGON_USER "LsaApLogonUser\0"
#define LSA_AP_NAME_LOGON_USER_EX "LsaApLogonUserEx\0"
#define LSA_AP_NAME_CALL_PACKAGE "LsaApCallPackage\0"
#define LSA_AP_NAME_LOGON_TERMINATED "LsaApLogonTerminated\0"
#define LSA_AP_NAME_CALL_PACKAGE_UNTRUSTED "LsaApCallPackageUntrusted\0"
#define LSA_AP_NAME_CALL_PACKAGE_PASSTHROUGH "LsaApCallPackagePassthrough\0"
//
// Routine templates
//
typedef NTSTATUS
(NTAPI LSA_AP_INITIALIZE_PACKAGE) (
IN ULONG AuthenticationPackageId,
IN PLSA_DISPATCH_TABLE LsaDispatchTable,
IN PLSA_STRING Database OPTIONAL,
IN PLSA_STRING Confidentiality OPTIONAL,
OUT PLSA_STRING *AuthenticationPackageName
);
typedef NTSTATUS
(NTAPI LSA_AP_LOGON_USER) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN SECURITY_LOGON_TYPE LogonType,
IN PVOID AuthenticationInformation,
IN PVOID ClientAuthenticationBase,
IN ULONG AuthenticationInformationLength,
OUT PVOID *ProfileBuffer,
OUT PULONG ProfileBufferLength,
OUT PLUID LogonId,
OUT PNTSTATUS SubStatus,
OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
OUT PVOID *TokenInformation,
OUT PLSA_UNICODE_STRING *AccountName,
OUT PLSA_UNICODE_STRING *AuthenticatingAuthority
);
typedef NTSTATUS
(NTAPI LSA_AP_LOGON_USER_EX) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN SECURITY_LOGON_TYPE LogonType,
IN PVOID AuthenticationInformation,
IN PVOID ClientAuthenticationBase,
IN ULONG AuthenticationInformationLength,
OUT PVOID *ProfileBuffer,
OUT PULONG ProfileBufferLength,
OUT PLUID LogonId,
OUT PNTSTATUS SubStatus,
OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
OUT PVOID *TokenInformation,
OUT PUNICODE_STRING *AccountName,
OUT PUNICODE_STRING *AuthenticatingAuthority,
OUT PUNICODE_STRING *MachineName
);
typedef NTSTATUS
(NTAPI LSA_AP_CALL_PACKAGE) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN PVOID ProtocolSubmitBuffer,
IN PVOID ClientBufferBase,
IN ULONG SubmitBufferLength,
OUT PVOID *ProtocolReturnBuffer,
OUT PULONG ReturnBufferLength,
OUT PNTSTATUS ProtocolStatus
);
typedef NTSTATUS
(NTAPI LSA_AP_CALL_PACKAGE_PASSTHROUGH) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN PVOID ProtocolSubmitBuffer,
IN PVOID ClientBufferBase,
IN ULONG SubmitBufferLength,
OUT PVOID *ProtocolReturnBuffer,
OUT PULONG ReturnBufferLength,
OUT PNTSTATUS ProtocolStatus
);
typedef VOID
(NTAPI LSA_AP_LOGON_TERMINATED) (
IN PLUID LogonId
);
typedef LSA_AP_CALL_PACKAGE LSA_AP_CALL_PACKAGE_UNTRUSTED;
typedef LSA_AP_INITIALIZE_PACKAGE * PLSA_AP_INITIALIZE_PACKAGE ;
typedef LSA_AP_LOGON_USER * PLSA_AP_LOGON_USER ;
typedef LSA_AP_LOGON_USER_EX * PLSA_AP_LOGON_USER_EX ;
typedef LSA_AP_CALL_PACKAGE * PLSA_AP_CALL_PACKAGE ;
typedef LSA_AP_CALL_PACKAGE_PASSTHROUGH * PLSA_AP_CALL_PACKAGE_PASSTHROUGH ;
typedef LSA_AP_LOGON_TERMINATED * PLSA_AP_LOGON_TERMINATED ;
typedef LSA_AP_CALL_PACKAGE_UNTRUSTED * PLSA_AP_CALL_PACKAGE_UNTRUSTED ;
#ifndef _SAM_CREDENTIAL_UPDATE_DEFINED
#define _SAM_CREDENTIAL_UPDATE_DEFINED
typedef NTSTATUS (*PSAM_CREDENTIAL_UPDATE_NOTIFY_ROUTINE) (
IN PUNICODE_STRING ClearPassword,
IN PVOID OldCredentials,
IN ULONG OldCredentialSize,
IN ULONG UserAccountControl,
IN PUNICODE_STRING UPN, OPTIONAL
IN PUNICODE_STRING UserName,
IN PUNICODE_STRING NetbiosDomainName,
IN PUNICODE_STRING DnsDomainName,
OUT PVOID * NewCredentials,
OUT ULONG * NewCredentialSize
);
#define SAM_CREDENTIAL_UPDATE_NOTIFY_ROUTINE "CredentialUpdateNotify"
typedef BOOLEAN (*PSAM_CREDENTIAL_UPDATE_REGISTER_ROUTINE) (
OUT PUNICODE_STRING CredentialName
);
#define SAM_CREDENTIAL_UPDATE_REGISTER_ROUTINE "CredentialUpdateRegister"
typedef VOID (*PSAM_CREDENTIAL_UPDATE_FREE_ROUTINE) (
IN PVOID p
);
#define SAM_CREDENTIAL_UPDATE_FREE_ROUTINE "CredentialUpdateFree"
#endif // _SAM_CREDENTIAL_UPDATE_DEFINED
#ifdef SECURITY_KERNEL
//
// Can't use the windows.h def'ns in kernel mode.
//
typedef PVOID SEC_THREAD_START;
typedef PVOID SEC_ATTRS;
#else
typedef LPTHREAD_START_ROUTINE SEC_THREAD_START;
typedef LPSECURITY_ATTRIBUTES SEC_ATTRS;
#endif
#define SecEqualLuid(L1, L2) \
( ( ((PLUID)L1)->LowPart == ((PLUID)L2)->LowPart ) && \
( ((PLUID)L1)->HighPart == ((PLUID)L2)->HighPart ) ) \
#define SecIsZeroLuid( L1 ) \
( ( L1->LowPart | L1->HighPart ) == 0 )
//
// The following structures are used by the helper functions
//
typedef struct _SECPKG_CLIENT_INFO {
LUID LogonId; // Effective Logon Id
ULONG ProcessID; // Process Id of caller
ULONG ThreadID; // Thread Id of caller
BOOLEAN HasTcbPrivilege; // Client has TCB
BOOLEAN Impersonating; // Client is impersonating
BOOLEAN Restricted; // Client is restricted
//
// NT 5.1
//
UCHAR ClientFlags; // Extra flags about the client
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // Impersonation level of client
} SECPKG_CLIENT_INFO, * PSECPKG_CLIENT_INFO;
#define SECPKG_CLIENT_PROCESS_TERMINATED 0x01 // The client process has terminated
#define SECPKG_CLIENT_THREAD_TERMINATED 0x02 // The client thread has terminated
typedef struct _SECPKG_CALL_INFO {
ULONG ProcessId ;
ULONG ThreadId ;
ULONG Attributes ;
ULONG CallCount ;
} SECPKG_CALL_INFO, * PSECPKG_CALL_INFO ;
#define SECPKG_CALL_KERNEL_MODE 0x00000001 // Call originated in kernel mode
#define SECPKG_CALL_ANSI 0x00000002 // Call came from ANSI stub
#define SECPKG_CALL_URGENT 0x00000004 // Call designated urgent
#define SECPKG_CALL_RECURSIVE 0x00000008 // Call is recursing
#define SECPKG_CALL_IN_PROC 0x00000010 // Call originated in process
#define SECPKG_CALL_CLEANUP 0x00000020 // Call is cleanup from a client
#define SECPKG_CALL_WOWCLIENT 0x00000040 // Call is from a WOW client process
#define SECPKG_CALL_THREAD_TERM 0x00000080 // Call is from a thread that has term'd
#define SECPKG_CALL_PROCESS_TERM 0x00000100 // Call is from a process that has term'd
#define SECPKG_CALL_IS_TCB 0x00000200 // Call is from TCB
typedef struct _SECPKG_SUPPLEMENTAL_CRED {
UNICODE_STRING PackageName;
ULONG CredentialSize;
#ifdef MIDL_PASS
[size_is(CredentialSize)]
#endif // MIDL_PASS
PUCHAR Credentials;
} SECPKG_SUPPLEMENTAL_CRED, *PSECPKG_SUPPLEMENTAL_CRED;
typedef ULONG_PTR LSA_SEC_HANDLE ;
typedef LSA_SEC_HANDLE * PLSA_SEC_HANDLE ;
typedef struct _SECPKG_SUPPLEMENTAL_CRED_ARRAY {
ULONG CredentialCount;
#ifdef MIDL_PASS
[size_is(CredentialCount)] SECPKG_SUPPLEMENTAL_CRED Credentials[*];
#else // MIDL_PASS
SECPKG_SUPPLEMENTAL_CRED Credentials[1];
#endif // MIDL_PASS
} SECPKG_SUPPLEMENTAL_CRED_ARRAY, *PSECPKG_SUPPLEMENTAL_CRED_ARRAY;
//
// This flag is used for to indicate which buffers in the LSA are located
// in the client's address space
//
#define SECBUFFER_UNMAPPED 0x40000000
//
// This flag is used to indicate that the buffer was mapped into the LSA
// from kernel mode.
//
#define SECBUFFER_KERNEL_MAP 0x20000000
typedef NTSTATUS
(NTAPI LSA_CALLBACK_FUNCTION)(
ULONG_PTR Argument1,
ULONG_PTR Argument2,
PSecBuffer InputBuffer,
PSecBuffer OutputBuffer
);
typedef LSA_CALLBACK_FUNCTION * PLSA_CALLBACK_FUNCTION ;
#define PRIMARY_CRED_CLEAR_PASSWORD 0x1
#define PRIMARY_CRED_OWF_PASSWORD 0x2
#define PRIMARY_CRED_UPDATE 0x4 // this is a change of existing creds
#define PRIMARY_CRED_CACHED_LOGON 0x8
#define PRIMARY_CRED_LOGON_NO_TCB 0x10
#define PRIMARY_CRED_LOGON_PACKAGE_SHIFT 24
#define PRIMARY_CRED_PACKAGE_MASK 0xff000000
//
// For cached logons, the RPC id of the package doing the logon is identified
// by shifting the flags to the right by the PRIMARY_CRED_LOGON_PACKAGE_SHIFT.
//
typedef struct _SECPKG_PRIMARY_CRED {
LUID LogonId;
UNICODE_STRING DownlevelName; // Sam Account Name
UNICODE_STRING DomainName; // Netbios domain name where account is located
UNICODE_STRING Password;
UNICODE_STRING OldPassword;
PSID UserSid;
ULONG Flags;
UNICODE_STRING DnsDomainName; // DNS domain name where account is located (if known)
UNICODE_STRING Upn; // UPN of account (if known)
UNICODE_STRING LogonServer;
UNICODE_STRING Spare1;
UNICODE_STRING Spare2;
UNICODE_STRING Spare3;
UNICODE_STRING Spare4;
} SECPKG_PRIMARY_CRED, *PSECPKG_PRIMARY_CRED;
//
// Maximum size of stored credentials.
//
#define MAX_CRED_SIZE 1024
// Values for MachineState
#define SECPKG_STATE_ENCRYPTION_PERMITTED 0x01
#define SECPKG_STATE_STRONG_ENCRYPTION_PERMITTED 0x02
#define SECPKG_STATE_DOMAIN_CONTROLLER 0x04
#define SECPKG_STATE_WORKSTATION 0x08
#define SECPKG_STATE_STANDALONE 0x10
typedef struct _SECPKG_PARAMETERS {
ULONG Version;
ULONG MachineState;
ULONG SetupMode;
PSID DomainSid;
UNICODE_STRING DomainName;
UNICODE_STRING DnsDomainName;
GUID DomainGuid;
} SECPKG_PARAMETERS, *PSECPKG_PARAMETERS;
//
// Extended Package information structures
//
typedef enum _SECPKG_EXTENDED_INFORMATION_CLASS {
SecpkgGssInfo = 1,
SecpkgContextThunks,
SecpkgMutualAuthLevel,
SecpkgWowClientDll,
SecpkgExtraOids,
SecpkgMaxInfo
} SECPKG_EXTENDED_INFORMATION_CLASS ;
typedef struct _SECPKG_GSS_INFO {
ULONG EncodedIdLength ;
UCHAR EncodedId[4] ;
} SECPKG_GSS_INFO, * PSECPKG_GSS_INFO ;
typedef struct _SECPKG_CONTEXT_THUNKS {
ULONG InfoLevelCount ;
ULONG Levels[1] ;
} SECPKG_CONTEXT_THUNKS, *PSECPKG_CONTEXT_THUNKS ;
typedef struct _SECPKG_MUTUAL_AUTH_LEVEL {
ULONG MutualAuthLevel ;
} SECPKG_MUTUAL_AUTH_LEVEL, * PSECPKG_MUTUAL_AUTH_LEVEL ;
typedef struct _SECPKG_WOW_CLIENT_DLL {
SECURITY_STRING WowClientDllPath;
} SECPKG_WOW_CLIENT_DLL, * PSECPKG_WOW_CLIENT_DLL ;
#define SECPKG_MAX_OID_LENGTH 32
typedef struct _SECPKG_SERIALIZED_OID {
ULONG OidLength ;
ULONG OidAttributes ;
UCHAR OidValue[ SECPKG_MAX_OID_LENGTH ];
} SECPKG_SERIALIZED_OID, * PSECPKG_SERIALIZED_OID ;
typedef struct _SECPKG_EXTRA_OIDS {
ULONG OidCount ;
SECPKG_SERIALIZED_OID Oids[ 1 ];
} SECPKG_EXTRA_OIDS, * PSECPKG_EXTRA_OIDS;
typedef struct _SECPKG_EXTENDED_INFORMATION {
SECPKG_EXTENDED_INFORMATION_CLASS Class ;
union {
SECPKG_GSS_INFO GssInfo ;
SECPKG_CONTEXT_THUNKS ContextThunks ;
SECPKG_MUTUAL_AUTH_LEVEL MutualAuthLevel ;
SECPKG_WOW_CLIENT_DLL WowClientDll ;
SECPKG_EXTRA_OIDS ExtraOids ;
} Info ;
} SECPKG_EXTENDED_INFORMATION, * PSECPKG_EXTENDED_INFORMATION ;
#define SECPKG_ATTR_SASL_CONTEXT 0x00010000
typedef struct _SecPkgContext_SaslContext {
PVOID SaslContext ;
} SecPkgContext_SaslContext, * PSecPkgContext_SaslContext ;
//
// Setting this value as the first context thunk value will cause all
// calls to go to the LSA:
//
#define SECPKG_ATTR_THUNK_ALL 0x00010000
#ifndef SECURITY_USER_DATA_DEFINED
#define SECURITY_USER_DATA_DEFINED
typedef struct _SECURITY_USER_DATA {
SECURITY_STRING UserName; // User name
SECURITY_STRING LogonDomainName; // Domain the user logged on to
SECURITY_STRING LogonServer; // Server that logged the user on
PSID pSid; // SID of user
} SECURITY_USER_DATA, *PSECURITY_USER_DATA;
typedef SECURITY_USER_DATA SecurityUserData, * PSecurityUserData;
#define UNDERSTANDS_LONG_NAMES 1
#define NO_LONG_NAMES 2
#endif // SECURITY_USER_DATA_DEFINED
//////////////////////////////////////////////////////////////////////////
//
// The following prototypes are to functions that are provided by the SPMgr
// to security packages.
//
//////////////////////////////////////////////////////////////////////////
typedef NTSTATUS
(NTAPI LSA_IMPERSONATE_CLIENT) (
VOID
);
typedef NTSTATUS
(NTAPI LSA_UNLOAD_PACKAGE)(
VOID
);
typedef NTSTATUS
(NTAPI LSA_DUPLICATE_HANDLE)(
IN HANDLE SourceHandle,
OUT PHANDLE DestionationHandle);
typedef NTSTATUS
(NTAPI LSA_SAVE_SUPPLEMENTAL_CREDENTIALS)(
IN PLUID LogonId,
IN ULONG SupplementalCredSize,
IN PVOID SupplementalCreds,
IN BOOLEAN Synchronous
);
typedef HANDLE
(NTAPI LSA_CREATE_THREAD)(
IN SEC_ATTRS SecurityAttributes,
IN ULONG StackSize,
IN SEC_THREAD_START StartFunction,
IN PVOID ThreadParameter,
IN ULONG CreationFlags,
OUT PULONG ThreadId
);
typedef NTSTATUS
(NTAPI LSA_GET_CLIENT_INFO)(
OUT PSECPKG_CLIENT_INFO ClientInfo
);
typedef HANDLE
(NTAPI LSA_REGISTER_NOTIFICATION)(
IN SEC_THREAD_START StartFunction,
IN PVOID Parameter,
IN ULONG NotificationType,
IN ULONG NotificationClass,
IN ULONG NotificationFlags,
IN ULONG IntervalMinutes,
IN OPTIONAL HANDLE WaitEvent
);
typedef NTSTATUS
(NTAPI LSA_CANCEL_NOTIFICATION)(
IN HANDLE NotifyHandle
);
typedef NTSTATUS
(NTAPI LSA_MAP_BUFFER)(
IN PSecBuffer InputBuffer,
OUT PSecBuffer OutputBuffer
);
typedef NTSTATUS
(NTAPI LSA_CREATE_TOKEN) (
IN PLUID LogonId,
IN PTOKEN_SOURCE TokenSource,
IN SECURITY_LOGON_TYPE LogonType,
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType,
IN PVOID TokenInformation,
IN PTOKEN_GROUPS TokenGroups,
IN PUNICODE_STRING AccountName,
IN PUNICODE_STRING AuthorityName,
IN PUNICODE_STRING Workstation,
IN PUNICODE_STRING ProfilePath,
OUT PHANDLE Token,
OUT PNTSTATUS SubStatus
);
typedef enum _SECPKG_SESSIONINFO_TYPE {
SecSessionPrimaryCred // SessionInformation is SECPKG_PRIMARY_CRED
} SECPKG_SESSIONINFO_TYPE ;
typedef NTSTATUS
(NTAPI LSA_CREATE_TOKEN_EX) (
IN PLUID LogonId,
IN PTOKEN_SOURCE TokenSource,
IN SECURITY_LOGON_TYPE LogonType,
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType,
IN PVOID TokenInformation,
IN PTOKEN_GROUPS TokenGroups,
IN PUNICODE_STRING Workstation,
IN PUNICODE_STRING ProfilePath,
IN PVOID SessionInformation,
IN SECPKG_SESSIONINFO_TYPE SessionInformationType,
OUT PHANDLE Token,
OUT PNTSTATUS SubStatus
);
typedef VOID
(NTAPI LSA_AUDIT_LOGON) (
IN NTSTATUS Status,
IN NTSTATUS SubStatus,
IN PUNICODE_STRING AccountName,
IN PUNICODE_STRING AuthenticatingAuthority,
IN PUNICODE_STRING WorkstationName,
IN OPTIONAL PSID UserSid,
IN SECURITY_LOGON_TYPE LogonType,
IN PTOKEN_SOURCE TokenSource,
IN PLUID LogonId
);
typedef NTSTATUS
(NTAPI LSA_CALL_PACKAGE) (
IN PUNICODE_STRING AuthenticationPackage,
IN PVOID ProtocolSubmitBuffer,
IN ULONG SubmitBufferLength,
OUT PVOID *ProtocolReturnBuffer,
OUT PULONG ReturnBufferLength,
OUT PNTSTATUS ProtocolStatus
);
typedef NTSTATUS
(NTAPI LSA_CALL_PACKAGEEX) (
IN PUNICODE_STRING AuthenticationPackage,
IN PVOID ClientBufferBase,
IN PVOID ProtocolSubmitBuffer,
IN ULONG SubmitBufferLength,
OUT PVOID *ProtocolReturnBuffer,
OUT PULONG ReturnBufferLength,
OUT PNTSTATUS ProtocolStatus
);
typedef NTSTATUS
(NTAPI LSA_CALL_PACKAGE_PASSTHROUGH) (
IN PUNICODE_STRING AuthenticationPackage,
IN PVOID ClientBufferBase,
IN PVOID ProtocolSubmitBuffer,
IN ULONG SubmitBufferLength,
OUT PVOID *ProtocolReturnBuffer,
OUT PULONG ReturnBufferLength,
OUT PNTSTATUS ProtocolStatus
);
typedef BOOLEAN
(NTAPI LSA_GET_CALL_INFO) (
OUT PSECPKG_CALL_INFO Info
);
typedef PVOID
(NTAPI LSA_CREATE_SHARED_MEMORY)(
ULONG MaxSize,
ULONG InitialSize
);
typedef PVOID
(NTAPI LSA_ALLOCATE_SHARED_MEMORY)(
PVOID SharedMem,
ULONG Size
);
typedef VOID
(NTAPI LSA_FREE_SHARED_MEMORY)(
PVOID SharedMem,
PVOID Memory
);
typedef BOOLEAN
(NTAPI LSA_DELETE_SHARED_MEMORY)(
PVOID SharedMem
);
//
// Account Access
//
typedef enum _SECPKG_NAME_TYPE {
SecNameSamCompatible,
SecNameAlternateId,
SecNameFlat,
SecNameDN,
SecNameSPN
} SECPKG_NAME_TYPE ;
typedef NTSTATUS
(NTAPI LSA_OPEN_SAM_USER)(
PSECURITY_STRING Name,
SECPKG_NAME_TYPE NameType,
PSECURITY_STRING Prefix,
BOOLEAN AllowGuest,
ULONG Reserved,
PVOID * UserHandle
);
typedef NTSTATUS
(NTAPI LSA_GET_USER_CREDENTIALS)(
PVOID UserHandle,
PVOID * PrimaryCreds,
PULONG PrimaryCredsSize,
PVOID * SupplementalCreds,
PULONG SupplementalCredsSize
);
typedef NTSTATUS
(NTAPI LSA_GET_USER_AUTH_DATA)(
PVOID UserHandle,
PUCHAR * UserAuthData,
PULONG UserAuthDataSize
);
typedef NTSTATUS
(NTAPI LSA_CLOSE_SAM_USER)(
PVOID UserHandle
);
typedef NTSTATUS
(NTAPI LSA_GET_AUTH_DATA_FOR_USER)(
PSECURITY_STRING Name,
SECPKG_NAME_TYPE NameType,
PSECURITY_STRING Prefix,
PUCHAR * UserAuthData,
PULONG UserAuthDataSize,
PUNICODE_STRING UserFlatName
);
typedef NTSTATUS
(NTAPI LSA_CONVERT_AUTH_DATA_TO_TOKEN)(
IN PVOID UserAuthData,
IN ULONG UserAuthDataSize,
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
IN PTOKEN_SOURCE TokenSource,
IN SECURITY_LOGON_TYPE LogonType,
IN PUNICODE_STRING AuthorityName,
OUT PHANDLE Token,
OUT PLUID LogonId,
OUT PUNICODE_STRING AccountName,
OUT PNTSTATUS SubStatus
);
typedef NTSTATUS
(NTAPI LSA_CRACK_SINGLE_NAME)(
IN ULONG FormatOffered,
IN BOOLEAN PerformAtGC,
IN PUNICODE_STRING NameInput,
IN PUNICODE_STRING Prefix OPTIONAL,
IN ULONG RequestedFormat,
OUT PUNICODE_STRING CrackedName,
OUT PUNICODE_STRING DnsDomainName,
OUT PULONG SubStatus
);
typedef NTSTATUS
(NTAPI LSA_AUDIT_ACCOUNT_LOGON)(
IN ULONG AuditId,
IN BOOLEAN Success,
IN PUNICODE_STRING Source,
IN PUNICODE_STRING ClientName,
IN PUNICODE_STRING MappedName,
IN NTSTATUS Status
);
typedef NTSTATUS
(NTAPI LSA_CLIENT_CALLBACK)(
PCHAR Callback,
ULONG_PTR Argument1,
ULONG_PTR Argument2,
PSecBuffer Input,
PSecBuffer Output
);
typedef
NTSTATUS
(NTAPI LSA_REGISTER_CALLBACK)(
ULONG CallbackId,
PLSA_CALLBACK_FUNCTION Callback
);
#define NOTIFIER_FLAG_NEW_THREAD 0x00000001
#define NOTIFIER_FLAG_ONE_SHOT 0x00000002
#define NOTIFIER_FLAG_SECONDS 0x80000000
#define NOTIFIER_TYPE_INTERVAL 1
#define NOTIFIER_TYPE_HANDLE_WAIT 2
#define NOTIFIER_TYPE_STATE_CHANGE 3
#define NOTIFIER_TYPE_NOTIFY_EVENT 4
#define NOTIFIER_TYPE_IMMEDIATE 16
#define NOTIFY_CLASS_PACKAGE_CHANGE 1
#define NOTIFY_CLASS_ROLE_CHANGE 2
#define NOTIFY_CLASS_DOMAIN_CHANGE 3
#define NOTIFY_CLASS_REGISTRY_CHANGE 4
typedef struct _SECPKG_EVENT_PACKAGE_CHANGE {
ULONG ChangeType;
LSA_SEC_HANDLE PackageId;
SECURITY_STRING PackageName;
} SECPKG_EVENT_PACKAGE_CHANGE, * PSECPKG_EVENT_PACKAGE_CHANGE ;
#define SECPKG_PACKAGE_CHANGE_LOAD 0
#define SECPKG_PACKAGE_CHANGE_UNLOAD 1
#define SECPKG_PACKAGE_CHANGE_SELECT 2
typedef struct _SECPKG_EVENT_ROLE_CHANGE {
ULONG PreviousRole ;
ULONG NewRole ;
} SECPKG_EVENT_ROLE_CHANGE, * PSECPKG_EVENT_ROLE_CHANGE ;
typedef struct _SECPKG_PARAMETERS SECPKG_EVENT_DOMAIN_CHANGE ;
typedef struct _SECPKG_PARAMETERS * PSECPKG_EVENT_DOMAIN_CHANGE ;
typedef struct _SECPKG_EVENT_NOTIFY {
ULONG EventClass;
ULONG Reserved;
ULONG EventDataSize;
PVOID EventData;
PVOID PackageParameter;
} SECPKG_EVENT_NOTIFY, *PSECPKG_EVENT_NOTIFY ;
typedef
NTSTATUS
(NTAPI LSA_UPDATE_PRIMARY_CREDENTIALS)(
IN PSECPKG_PRIMARY_CRED PrimaryCredentials,
IN OPTIONAL PSECPKG_SUPPLEMENTAL_CRED_ARRAY Credentials
);
typedef
VOID
(NTAPI LSA_PROTECT_MEMORY)(
IN PVOID Buffer,
IN ULONG BufferSize
);
typedef
NTSTATUS
(NTAPI LSA_OPEN_TOKEN_BY_LOGON_ID)(
IN PLUID LogonId,
OUT HANDLE *RetTokenHandle
);
typedef
NTSTATUS
(NTAPI LSA_EXPAND_AUTH_DATA_FOR_DOMAIN)(
IN PUCHAR UserAuthData,
IN ULONG UserAuthDataSize,
IN PVOID Reserved,
OUT PUCHAR * ExpandedAuthData,
OUT PULONG ExpandedAuthDataSize
);
typedef LSA_IMPERSONATE_CLIENT * PLSA_IMPERSONATE_CLIENT;
typedef LSA_UNLOAD_PACKAGE * PLSA_UNLOAD_PACKAGE;
typedef LSA_DUPLICATE_HANDLE * PLSA_DUPLICATE_HANDLE ;
typedef LSA_SAVE_SUPPLEMENTAL_CREDENTIALS * PLSA_SAVE_SUPPLEMENTAL_CREDENTIALS;
typedef LSA_CREATE_THREAD * PLSA_CREATE_THREAD;
typedef LSA_GET_CLIENT_INFO * PLSA_GET_CLIENT_INFO;
typedef LSA_REGISTER_NOTIFICATION * PLSA_REGISTER_NOTIFICATION;
typedef LSA_CANCEL_NOTIFICATION * PLSA_CANCEL_NOTIFICATION;
typedef LSA_MAP_BUFFER * PLSA_MAP_BUFFER;
typedef LSA_CREATE_TOKEN * PLSA_CREATE_TOKEN;
typedef LSA_AUDIT_LOGON * PLSA_AUDIT_LOGON;
typedef LSA_CALL_PACKAGE * PLSA_CALL_PACKAGE;
typedef LSA_CALL_PACKAGEEX * PLSA_CALL_PACKAGEEX;
typedef LSA_GET_CALL_INFO * PLSA_GET_CALL_INFO ;
typedef LSA_CREATE_SHARED_MEMORY * PLSA_CREATE_SHARED_MEMORY ;
typedef LSA_ALLOCATE_SHARED_MEMORY * PLSA_ALLOCATE_SHARED_MEMORY ;
typedef LSA_FREE_SHARED_MEMORY * PLSA_FREE_SHARED_MEMORY ;
typedef LSA_DELETE_SHARED_MEMORY * PLSA_DELETE_SHARED_MEMORY ;
typedef LSA_OPEN_SAM_USER * PLSA_OPEN_SAM_USER ;
typedef LSA_GET_USER_CREDENTIALS * PLSA_GET_USER_CREDENTIALS ;
typedef LSA_GET_USER_AUTH_DATA * PLSA_GET_USER_AUTH_DATA ;
typedef LSA_CLOSE_SAM_USER * PLSA_CLOSE_SAM_USER ;
typedef LSA_CONVERT_AUTH_DATA_TO_TOKEN * PLSA_CONVERT_AUTH_DATA_TO_TOKEN ;
typedef LSA_CLIENT_CALLBACK * PLSA_CLIENT_CALLBACK ;
typedef LSA_REGISTER_CALLBACK * PLSA_REGISTER_CALLBACK ;
typedef LSA_UPDATE_PRIMARY_CREDENTIALS * PLSA_UPDATE_PRIMARY_CREDENTIALS;
typedef LSA_GET_AUTH_DATA_FOR_USER * PLSA_GET_AUTH_DATA_FOR_USER ;
typedef LSA_CRACK_SINGLE_NAME * PLSA_CRACK_SINGLE_NAME ;
typedef LSA_AUDIT_ACCOUNT_LOGON * PLSA_AUDIT_ACCOUNT_LOGON ;
typedef LSA_CALL_PACKAGE_PASSTHROUGH * PLSA_CALL_PACKAGE_PASSTHROUGH;
typedef LSA_PROTECT_MEMORY * PLSA_PROTECT_MEMORY;
typedef LSA_OPEN_TOKEN_BY_LOGON_ID * PLSA_OPEN_TOKEN_BY_LOGON_ID;
typedef LSA_EXPAND_AUTH_DATA_FOR_DOMAIN * PLSA_EXPAND_AUTH_DATA_FOR_DOMAIN;
typedef LSA_CREATE_TOKEN_EX * PLSA_CREATE_TOKEN_EX;
#ifdef _WINCRED_H_
//
// When passing a credential around, the CredentialBlob field is encrypted.
// This structure describes this encrypted form.
//
//
#ifndef _ENCRYPTED_CREDENTIAL_DEFINED
#define _ENCRYPTED_CREDENTIAL_DEFINED
typedef struct _ENCRYPTED_CREDENTIALW {
//
// The credential
//
// The CredentialBlob field points to the encrypted credential
// The CredentialBlobSize field is the length (in bytes) of the encrypted credential
//
CREDENTIALW Cred;
//
// The size in bytes of the clear text credential blob
//
ULONG ClearCredentialBlobSize;
} ENCRYPTED_CREDENTIALW, *PENCRYPTED_CREDENTIALW;
#endif // _ENCRYPTED_CREDENTIAL_DEFINED
//
// Values for CredFlags parameter
//
#define CREDP_FLAGS_IN_PROCESS 0x01 // Caller is in-process. Password data may be returned
#define CREDP_FLAGS_USE_MIDL_HEAP 0x02 // Allocated buffer should use MIDL_user_allocte
#define CREDP_FLAGS_DONT_CACHE_TI 0x04 // TargetInformation shouldn't be cached for CredGetTargetInfo
#define CREDP_FLAGS_CLEAR_PASSWORD 0x08 // Credential blob is passed in in-the-clear
#define CREDP_FLAGS_USER_ENCRYPTED_PASSWORD 0x10 // Credential blob is passed protected by RtlEncryptMemory
typedef NTSTATUS
(NTAPI CredReadFn) (
IN PLUID LogonId,
IN ULONG CredFlags,
IN LPWSTR TargetName,
IN ULONG Type,
IN ULONG Flags,
OUT PENCRYPTED_CREDENTIALW *Credential
);
typedef NTSTATUS
(NTAPI CredReadDomainCredentialsFn) (
IN PLUID LogonId,
IN ULONG CredFlags,
IN PCREDENTIAL_TARGET_INFORMATIONW TargetInfo,
IN ULONG Flags,
OUT PULONG Count,
OUT PENCRYPTED_CREDENTIALW **Credential
);
typedef VOID
(NTAPI CredFreeCredentialsFn) (
IN ULONG Count,
IN PENCRYPTED_CREDENTIALW *Credentials OPTIONAL
);
typedef NTSTATUS
(NTAPI CredWriteFn) (
IN PLUID LogonId,
IN ULONG CredFlags,
IN PENCRYPTED_CREDENTIALW Credential,
IN ULONG Flags
);
NTSTATUS
CredMarshalTargetInfo (
IN PCREDENTIAL_TARGET_INFORMATIONW InTargetInfo,
OUT PUSHORT *Buffer,
OUT PULONG BufferSize
);
NTSTATUS
CredUnmarshalTargetInfo (
IN PUSHORT Buffer,
IN ULONG BufferSize,
OUT PCREDENTIAL_TARGET_INFORMATIONW *RetTargetInfo OPTIONAL,
OUT PULONG RetActualSize OPTIONAL
);
// Number of bytes consumed by the trailing size ULONG
#define CRED_MARSHALED_TI_SIZE_SIZE 12
#endif // _WINCRED_H_
//
// Pure 32-bit versions of credential structures for packages
// running wow64:
//
typedef struct _SEC_WINNT_AUTH_IDENTITY32 {
ULONG User ;
ULONG UserLength ;
ULONG Domain ;
ULONG DomainLength ;
ULONG Password ;
ULONG PasswordLength ;
ULONG Flags ;
} SEC_WINNT_AUTH_IDENTITY32, * PSEC_WINNT_AUTH_IDENTITY32 ;
typedef struct _SEC_WINNT_AUTH_IDENTITY_EX32 {
ULONG Version ;
ULONG Length ;
ULONG User ;
ULONG UserLength ;
ULONG Domain ;
ULONG DomainLength ;
ULONG Password ;
ULONG PasswordLength ;
ULONG Flags ;
ULONG PackageList ;
ULONG PackageListLength ;
} SEC_WINNT_AUTH_IDENTITY_EX32, * PSEC_WINNT_AUTH_IDENTITY_EX32 ;
// Functions provided by the SPM to the packages:
typedef struct _LSA_SECPKG_FUNCTION_TABLE {
PLSA_CREATE_LOGON_SESSION CreateLogonSession;
PLSA_DELETE_LOGON_SESSION DeleteLogonSession;
PLSA_ADD_CREDENTIAL AddCredential;
PLSA_GET_CREDENTIALS GetCredentials;
PLSA_DELETE_CREDENTIAL DeleteCredential;
PLSA_ALLOCATE_LSA_HEAP AllocateLsaHeap;
PLSA_FREE_LSA_HEAP FreeLsaHeap;
PLSA_ALLOCATE_CLIENT_BUFFER AllocateClientBuffer;
PLSA_FREE_CLIENT_BUFFER FreeClientBuffer;
PLSA_COPY_TO_CLIENT_BUFFER CopyToClientBuffer;
PLSA_COPY_FROM_CLIENT_BUFFER CopyFromClientBuffer;
PLSA_IMPERSONATE_CLIENT ImpersonateClient;
PLSA_UNLOAD_PACKAGE UnloadPackage;
PLSA_DUPLICATE_HANDLE DuplicateHandle;
PLSA_SAVE_SUPPLEMENTAL_CREDENTIALS SaveSupplementalCredentials;
PLSA_CREATE_THREAD CreateThread;
PLSA_GET_CLIENT_INFO GetClientInfo;
PLSA_REGISTER_NOTIFICATION RegisterNotification;
PLSA_CANCEL_NOTIFICATION CancelNotification;
PLSA_MAP_BUFFER MapBuffer;
PLSA_CREATE_TOKEN CreateToken;
PLSA_AUDIT_LOGON AuditLogon;
PLSA_CALL_PACKAGE CallPackage;
PLSA_FREE_LSA_HEAP FreeReturnBuffer;
PLSA_GET_CALL_INFO GetCallInfo;
PLSA_CALL_PACKAGEEX CallPackageEx;
PLSA_CREATE_SHARED_MEMORY CreateSharedMemory;
PLSA_ALLOCATE_SHARED_MEMORY AllocateSharedMemory;
PLSA_FREE_SHARED_MEMORY FreeSharedMemory;
PLSA_DELETE_SHARED_MEMORY DeleteSharedMemory;
PLSA_OPEN_SAM_USER OpenSamUser ;
PLSA_GET_USER_CREDENTIALS GetUserCredentials ;
PLSA_GET_USER_AUTH_DATA GetUserAuthData ;
PLSA_CLOSE_SAM_USER CloseSamUser ;
PLSA_CONVERT_AUTH_DATA_TO_TOKEN ConvertAuthDataToToken ;
PLSA_CLIENT_CALLBACK ClientCallback ;
PLSA_UPDATE_PRIMARY_CREDENTIALS UpdateCredentials ;
PLSA_GET_AUTH_DATA_FOR_USER GetAuthDataForUser ;
PLSA_CRACK_SINGLE_NAME CrackSingleName ;
PLSA_AUDIT_ACCOUNT_LOGON AuditAccountLogon ;
PLSA_CALL_PACKAGE_PASSTHROUGH CallPackagePassthrough ;
#ifdef _WINCRED_H_
CredReadFn *CrediRead;
CredReadDomainCredentialsFn *CrediReadDomainCredentials;
CredFreeCredentialsFn *CrediFreeCredentials;
#else // _WINCRED_H_
PLSA_PROTECT_MEMORY DummyFunction1;
PLSA_PROTECT_MEMORY DummyFunction2;
PLSA_PROTECT_MEMORY DummyFunction3;
#endif // _WINCRED_H_
PLSA_PROTECT_MEMORY LsaProtectMemory;
PLSA_PROTECT_MEMORY LsaUnprotectMemory;
PLSA_OPEN_TOKEN_BY_LOGON_ID OpenTokenByLogonId;
PLSA_EXPAND_AUTH_DATA_FOR_DOMAIN ExpandAuthDataForDomain;
PLSA_ALLOCATE_PRIVATE_HEAP AllocatePrivateHeap;
PLSA_FREE_PRIVATE_HEAP FreePrivateHeap;
PLSA_CREATE_TOKEN_EX CreateTokenEx;
#ifdef _WINCRED_H_
CredWriteFn *CrediWrite;
#else // _WINCRED_H_
PLSA_PROTECT_MEMORY DummyFunction4;
#endif // _WINCRED_H_
} LSA_SECPKG_FUNCTION_TABLE, *PLSA_SECPKG_FUNCTION_TABLE;
typedef struct _SECPKG_DLL_FUNCTIONS {
PLSA_ALLOCATE_LSA_HEAP AllocateHeap;
PLSA_FREE_LSA_HEAP FreeHeap;
PLSA_REGISTER_CALLBACK RegisterCallback ;
} SECPKG_DLL_FUNCTIONS, * PSECPKG_DLL_FUNCTIONS;
//
// The following prototypes are to functions that will be called only while
// in the Security Package Manager context.
//
typedef NTSTATUS
(NTAPI SpInitializeFn)(
IN ULONG_PTR PackageId,
IN PSECPKG_PARAMETERS Parameters,
IN PLSA_SECPKG_FUNCTION_TABLE FunctionTable
);
typedef NTSTATUS
(NTAPI SpShutdownFn)(
VOID
);
typedef NTSTATUS
(NTAPI SpGetInfoFn)(
OUT PSecPkgInfo PackageInfo
);
typedef NTSTATUS
(NTAPI SpGetExtendedInformationFn)(
IN SECPKG_EXTENDED_INFORMATION_CLASS Class,
OUT PSECPKG_EXTENDED_INFORMATION * ppInformation
);
typedef NTSTATUS
(NTAPI SpSetExtendedInformationFn)(
IN SECPKG_EXTENDED_INFORMATION_CLASS Class,
IN PSECPKG_EXTENDED_INFORMATION Info
);
typedef NTSTATUS
(LSA_AP_LOGON_USER_EX2) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN SECURITY_LOGON_TYPE LogonType,
IN PVOID AuthenticationInformation,
IN PVOID ClientAuthenticationBase,
IN ULONG AuthenticationInformationLength,
OUT PVOID *ProfileBuffer,
OUT PULONG ProfileBufferLength,
OUT PLUID LogonId,
OUT PNTSTATUS SubStatus,
OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
OUT PVOID *TokenInformation,
OUT PUNICODE_STRING *AccountName,
OUT PUNICODE_STRING *AuthenticatingAuthority,
OUT PUNICODE_STRING *MachineName,
OUT PSECPKG_PRIMARY_CRED PrimaryCredentials,
OUT PSECPKG_SUPPLEMENTAL_CRED_ARRAY * CachedCredentials
);
typedef LSA_AP_LOGON_USER_EX2 *PLSA_AP_LOGON_USER_EX2;
#define LSA_AP_NAME_LOGON_USER_EX2 "LsaApLogonUserEx2\0"
typedef NTSTATUS
(NTAPI SpAcceptCredentialsFn)(
IN SECURITY_LOGON_TYPE LogonType,
IN PUNICODE_STRING AccountName,
IN PSECPKG_PRIMARY_CRED PrimaryCredentials,
IN PSECPKG_SUPPLEMENTAL_CRED SupplementalCredentials
);
#define SP_ACCEPT_CREDENTIALS_NAME "SpAcceptCredentials\0"
typedef NTSTATUS
(NTAPI SpAcquireCredentialsHandleFn)(
IN OPTIONAL PUNICODE_STRING PrincipalName,
IN ULONG CredentialUseFlags,
IN OPTIONAL PLUID LogonId,
IN PVOID AuthorizationData,
IN PVOID GetKeyFunciton,
IN PVOID GetKeyArgument,
OUT PLSA_SEC_HANDLE CredentialHandle,
OUT PTimeStamp ExpirationTime
);
typedef NTSTATUS
(NTAPI SpFreeCredentialsHandleFn)(
IN LSA_SEC_HANDLE CredentialHandle
);
typedef NTSTATUS
(NTAPI SpQueryCredentialsAttributesFn)(
IN LSA_SEC_HANDLE CredentialHandle,
IN ULONG CredentialAttribute,
IN OUT PVOID Buffer
);
typedef NTSTATUS
(NTAPI SpAddCredentialsFn)(
IN LSA_SEC_HANDLE CredentialHandle,
IN OPTIONAL PUNICODE_STRING PrincipalName,
IN PUNICODE_STRING Package,
IN ULONG CredentialUseFlags,
IN PVOID AuthorizationData,
IN PVOID GetKeyFunciton,
IN PVOID GetKeyArgument,
OUT PTimeStamp ExpirationTime
);
typedef NTSTATUS
(NTAPI SpSaveCredentialsFn)(
IN LSA_SEC_HANDLE CredentialHandle,
IN PSecBuffer Credentials);
typedef NTSTATUS
(NTAPI SpGetCredentialsFn)(
IN LSA_SEC_HANDLE CredentialHandle,
IN OUT PSecBuffer Credentials
);
typedef NTSTATUS
(NTAPI SpDeleteCredentialsFn)(
IN LSA_SEC_HANDLE CredentialHandle,
IN PSecBuffer Key
);
typedef NTSTATUS
(NTAPI SpInitLsaModeContextFn)(
IN OPTIONAL LSA_SEC_HANDLE CredentialHandle,
IN OPTIONAL LSA_SEC_HANDLE ContextHandle,
IN OPTIONAL PUNICODE_STRING TargetName,
IN ULONG ContextRequirements,
IN ULONG TargetDataRep,
IN PSecBufferDesc InputBuffers,
OUT PLSA_SEC_HANDLE NewContextHandle,
IN OUT PSecBufferDesc OutputBuffers,
OUT PULONG ContextAttributes,
OUT PTimeStamp ExpirationTime,
OUT PBOOLEAN MappedContext,
OUT PSecBuffer ContextData
);
typedef NTSTATUS
(NTAPI SpDeleteContextFn)(
IN LSA_SEC_HANDLE ContextHandle
);
typedef NTSTATUS
(NTAPI SpApplyControlTokenFn)(
IN LSA_SEC_HANDLE ContextHandle,
IN PSecBufferDesc ControlToken);
typedef NTSTATUS
(NTAPI SpAcceptLsaModeContextFn)(
IN OPTIONAL LSA_SEC_HANDLE CredentialHandle,
IN OPTIONAL LSA_SEC_HANDLE ContextHandle,
IN PSecBufferDesc InputBuffer,
IN ULONG ContextRequirements,
IN ULONG TargetDataRep,
OUT PLSA_SEC_HANDLE NewContextHandle,
OUT PSecBufferDesc OutputBuffer,
OUT PULONG ContextAttributes,
OUT PTimeStamp ExpirationTime,
OUT PBOOLEAN MappedContext,
OUT PSecBuffer ContextData
);
typedef NTSTATUS
(NTAPI SpGetUserInfoFn)(
IN PLUID LogonId,
IN ULONG Flags,
OUT PSecurityUserData * UserData
);
typedef NTSTATUS
(NTAPI SpQueryContextAttributesFn)(
IN LSA_SEC_HANDLE ContextHandle,
IN ULONG ContextAttribute,
IN OUT PVOID Buffer);
typedef NTSTATUS
(NTAPI SpSetContextAttributesFn)(
IN LSA_SEC_HANDLE ContextHandle,
IN ULONG ContextAttribute,
IN PVOID Buffer,
IN ULONG BufferSize );
typedef struct _SECPKG_FUNCTION_TABLE {
PLSA_AP_INITIALIZE_PACKAGE InitializePackage;
PLSA_AP_LOGON_USER LogonUser;
PLSA_AP_CALL_PACKAGE CallPackage;
PLSA_AP_LOGON_TERMINATED LogonTerminated;
PLSA_AP_CALL_PACKAGE_UNTRUSTED CallPackageUntrusted;
PLSA_AP_CALL_PACKAGE_PASSTHROUGH CallPackagePassthrough;
PLSA_AP_LOGON_USER_EX LogonUserEx;
PLSA_AP_LOGON_USER_EX2 LogonUserEx2;
SpInitializeFn * Initialize;
SpShutdownFn * Shutdown;
SpGetInfoFn * GetInfo;
SpAcceptCredentialsFn * AcceptCredentials;
SpAcquireCredentialsHandleFn * AcquireCredentialsHandle;
SpQueryCredentialsAttributesFn * QueryCredentialsAttributes;
SpFreeCredentialsHandleFn * FreeCredentialsHandle;
SpSaveCredentialsFn * SaveCredentials;
SpGetCredentialsFn * GetCredentials;
SpDeleteCredentialsFn * DeleteCredentials;
SpInitLsaModeContextFn * InitLsaModeContext;
SpAcceptLsaModeContextFn * AcceptLsaModeContext;
SpDeleteContextFn * DeleteContext;
SpApplyControlTokenFn * ApplyControlToken;
SpGetUserInfoFn * GetUserInfo;
SpGetExtendedInformationFn * GetExtendedInformation ;
SpQueryContextAttributesFn * QueryContextAttributes ;
SpAddCredentialsFn * AddCredentials ;
SpSetExtendedInformationFn * SetExtendedInformation ;
SpSetContextAttributesFn * SetContextAttributes ;
} SECPKG_FUNCTION_TABLE, *PSECPKG_FUNCTION_TABLE;
//
// The following prototypes are to functions that will be called while in the
// context of a user process that is using the functions through the security
// DLL.
//
typedef NTSTATUS
(NTAPI SpInstanceInitFn)(
IN ULONG Version,
IN PSECPKG_DLL_FUNCTIONS FunctionTable,
OUT PVOID * UserFunctions
);
typedef NTSTATUS
(NTAPI SpInitUserModeContextFn)(
IN LSA_SEC_HANDLE ContextHandle,
IN PSecBuffer PackedContext
);
typedef NTSTATUS
(NTAPI SpMakeSignatureFn)(
IN LSA_SEC_HANDLE ContextHandle,
IN ULONG QualityOfProtection,
IN PSecBufferDesc MessageBuffers,
IN ULONG MessageSequenceNumber
);
typedef NTSTATUS
(NTAPI SpVerifySignatureFn)(
IN LSA_SEC_HANDLE ContextHandle,
IN PSecBufferDesc MessageBuffers,
IN ULONG MessageSequenceNumber,
OUT PULONG QualityOfProtection
);
typedef NTSTATUS
(NTAPI SpSealMessageFn)(
IN LSA_SEC_HANDLE ContextHandle,
IN ULONG QualityOfProtection,
IN PSecBufferDesc MessageBuffers,
IN ULONG MessageSequenceNumber
);
typedef NTSTATUS
(NTAPI SpUnsealMessageFn)(
IN LSA_SEC_HANDLE ContextHandle,
IN PSecBufferDesc MessageBuffers,
IN ULONG MessageSequenceNumber,
OUT PULONG QualityOfProtection
);
typedef NTSTATUS
(NTAPI SpGetContextTokenFn)(
IN LSA_SEC_HANDLE ContextHandle,
OUT PHANDLE ImpersonationToken
);
typedef NTSTATUS
(NTAPI SpExportSecurityContextFn)(
LSA_SEC_HANDLE phContext, // (in) context to export
ULONG fFlags, // (in) option flags
PSecBuffer pPackedContext, // (out) marshalled context
PHANDLE pToken // (out, optional) token handle for impersonation
);
typedef NTSTATUS
(NTAPI SpImportSecurityContextFn)(
PSecBuffer pPackedContext, // (in) marshalled context
HANDLE Token, // (in, optional) handle to token for context
PLSA_SEC_HANDLE phContext // (out) new context handle
);
typedef NTSTATUS
(NTAPI SpCompleteAuthTokenFn)(
IN LSA_SEC_HANDLE ContextHandle,
IN PSecBufferDesc InputBuffer
);
typedef NTSTATUS
(NTAPI SpFormatCredentialsFn)(
IN PSecBuffer Credentials,
OUT PSecBuffer FormattedCredentials
);
typedef NTSTATUS
(NTAPI SpMarshallSupplementalCredsFn)(
IN ULONG CredentialSize,
IN PUCHAR Credentials,
OUT PULONG MarshalledCredSize,
OUT PVOID * MarshalledCreds);
typedef struct _SECPKG_USER_FUNCTION_TABLE {
SpInstanceInitFn * InstanceInit;
SpInitUserModeContextFn * InitUserModeContext;
SpMakeSignatureFn * MakeSignature;
SpVerifySignatureFn * VerifySignature;
SpSealMessageFn * SealMessage;
SpUnsealMessageFn * UnsealMessage;
SpGetContextTokenFn * GetContextToken;
SpQueryContextAttributesFn * QueryContextAttributes;
SpCompleteAuthTokenFn * CompleteAuthToken;
SpDeleteContextFn * DeleteUserModeContext;
SpFormatCredentialsFn * FormatCredentials;
SpMarshallSupplementalCredsFn * MarshallSupplementalCreds;
SpExportSecurityContextFn * ExportContext;
SpImportSecurityContextFn * ImportContext;
} SECPKG_USER_FUNCTION_TABLE, *PSECPKG_USER_FUNCTION_TABLE;
typedef NTSTATUS
(SEC_ENTRY * SpLsaModeInitializeFn)(
IN ULONG LsaVersion,
OUT PULONG PackageVersion,
OUT PSECPKG_FUNCTION_TABLE * ppTables,
OUT PULONG pcTables);
typedef NTSTATUS
(SEC_ENTRY * SpUserModeInitializeFn)(
IN ULONG LsaVersion,
OUT PULONG PackageVersion,
OUT PSECPKG_USER_FUNCTION_TABLE *ppTables,
OUT PULONG pcTables
);
#define SECPKG_LSAMODEINIT_NAME "SpLsaModeInitialize"
#define SECPKG_USERMODEINIT_NAME "SpUserModeInitialize"
//
// Version of the security package interface.
//
// These define are used for all of the following:
// * Passed by the LSA to SpLsaModeInitializeFn to indicate the version of the LSA.
// All packages currently expect the LSA to pass SECPKG_INTERFACE_VERSION.
// * Passed by secur32.dll to SpUserModeInitialzeFn to indicate the version of the secur32 DLL.
// All packages currently expect secur32 to pass SECPKG_INTERFACE_VERSION.
// * Returned from SpLsaModeInitializeFn to indicate the version of SECPKG_FUNCTION_TABLE.
// SECPKG_INTERFACE_VERSION indicates all fields through SetExtendedInformation are defined (potentially to NULL)
// SECPKG_INTERFACE_VERSION_2 indicates all fields through SetContextAttributes are defined (potentially to NULL)
// * Returned from SpUserModeInitializeFn to indicate the version of the auth package.
// All packages currently return SECPKG_INTERFACE_VERSION
//
#define SECPKG_INTERFACE_VERSION 0x00010000
#define SECPKG_INTERFACE_VERSION_2 0x00020000
typedef enum _KSEC_CONTEXT_TYPE {
KSecPaged,
KSecNonPaged
} KSEC_CONTEXT_TYPE ;
typedef struct _KSEC_LIST_ENTRY {
LIST_ENTRY List ;
LONG RefCount ;
ULONG Signature ;
PVOID OwningList ;
PVOID Reserved ;
} KSEC_LIST_ENTRY, * PKSEC_LIST_ENTRY ;
#define KsecInitializeListEntry( Entry, SigValue ) \
((PKSEC_LIST_ENTRY) Entry)->List.Flink = ((PKSEC_LIST_ENTRY) Entry)->List.Blink = NULL ; \
((PKSEC_LIST_ENTRY) Entry)->RefCount = 1 ; \
((PKSEC_LIST_ENTRY) Entry)->Signature = SigValue ; \
((PKSEC_LIST_ENTRY) Entry)->OwningList = NULL ; \
((PKSEC_LIST_ENTRY) Entry)->Reserved = NULL ;
typedef PVOID
(SEC_ENTRY KSEC_CREATE_CONTEXT_LIST)(
IN KSEC_CONTEXT_TYPE Type
);
typedef VOID
(SEC_ENTRY KSEC_INSERT_LIST_ENTRY)(
IN PVOID List,
IN PKSEC_LIST_ENTRY Entry
);
typedef NTSTATUS
(SEC_ENTRY KSEC_REFERENCE_LIST_ENTRY)(
IN PKSEC_LIST_ENTRY Entry,
IN ULONG Signature,
IN BOOLEAN RemoveNoRef
);
typedef VOID
(SEC_ENTRY KSEC_DEREFERENCE_LIST_ENTRY)(
IN PKSEC_LIST_ENTRY Entry,
OUT BOOLEAN * Delete OPTIONAL
);
typedef NTSTATUS
(SEC_ENTRY KSEC_SERIALIZE_WINNT_AUTH_DATA)(
IN PVOID pvAuthData,
OUT PULONG Size,
OUT PVOID * SerializedData );
#ifndef MIDL_PASS
KSEC_CREATE_CONTEXT_LIST KSecCreateContextList ;
KSEC_INSERT_LIST_ENTRY KSecInsertListEntry ;
KSEC_REFERENCE_LIST_ENTRY KSecReferenceListEntry ;
KSEC_DEREFERENCE_LIST_ENTRY KSecDereferenceListEntry ;
KSEC_SERIALIZE_WINNT_AUTH_DATA KSecSerializeWinntAuthData ;
#endif // not valid for MIDL_PASS
typedef KSEC_CREATE_CONTEXT_LIST * PKSEC_CREATE_CONTEXT_LIST ;
typedef KSEC_INSERT_LIST_ENTRY * PKSEC_INSERT_LIST_ENTRY ;
typedef KSEC_REFERENCE_LIST_ENTRY * PKSEC_REFERENCE_LIST_ENTRY ;
typedef KSEC_DEREFERENCE_LIST_ENTRY * PKSEC_DEREFERENCE_LIST_ENTRY ;
typedef KSEC_SERIALIZE_WINNT_AUTH_DATA * PKSEC_SERIALIZE_WINNT_AUTH_DATA ;
typedef struct _SECPKG_KERNEL_FUNCTIONS {
PLSA_ALLOCATE_LSA_HEAP AllocateHeap;
PLSA_FREE_LSA_HEAP FreeHeap;
PKSEC_CREATE_CONTEXT_LIST CreateContextList ;
PKSEC_INSERT_LIST_ENTRY InsertListEntry ;
PKSEC_REFERENCE_LIST_ENTRY ReferenceListEntry ;
PKSEC_DEREFERENCE_LIST_ENTRY DereferenceListEntry ;
PKSEC_SERIALIZE_WINNT_AUTH_DATA SerializeWinntAuthData ;
} SECPKG_KERNEL_FUNCTIONS, *PSECPKG_KERNEL_FUNCTIONS;
typedef NTSTATUS
(NTAPI KspInitPackageFn)(
PSECPKG_KERNEL_FUNCTIONS FunctionTable
);
typedef NTSTATUS
(NTAPI KspDeleteContextFn)(
IN LSA_SEC_HANDLE ContextId,
OUT PLSA_SEC_HANDLE LsaContextId
);
typedef NTSTATUS
(NTAPI KspInitContextFn)(
IN LSA_SEC_HANDLE ContextId,
IN PSecBuffer ContextData,
OUT PLSA_SEC_HANDLE NewContextId
);
typedef NTSTATUS
(NTAPI KspMakeSignatureFn)(
IN LSA_SEC_HANDLE ContextId,
IN ULONG fQOP,
IN OUT PSecBufferDesc Message,
IN ULONG MessageSeqNo
);
typedef NTSTATUS
(NTAPI KspVerifySignatureFn)(
IN LSA_SEC_HANDLE ContextId,
IN OUT PSecBufferDesc Message,
IN ULONG MessageSeqNo,
OUT PULONG pfQOP
);
typedef NTSTATUS
(NTAPI KspSealMessageFn)(
IN LSA_SEC_HANDLE ContextId,
IN ULONG fQOP,
IN OUT PSecBufferDesc Message,
IN ULONG MessageSeqNo
);
typedef NTSTATUS
(NTAPI KspUnsealMessageFn)(
IN LSA_SEC_HANDLE ContextId,
IN OUT PSecBufferDesc Message,
IN ULONG MessageSeqNo,
OUT PULONG pfQOP
);
typedef NTSTATUS
(NTAPI KspGetTokenFn)(
IN LSA_SEC_HANDLE ContextId,
OUT PHANDLE ImpersonationToken,
OUT OPTIONAL PACCESS_TOKEN * RawToken
);
typedef NTSTATUS
(NTAPI KspQueryAttributesFn)(
IN LSA_SEC_HANDLE ContextId,
IN ULONG Attribute,
IN OUT PVOID Buffer
);
typedef NTSTATUS
(NTAPI KspCompleteTokenFn)(
IN LSA_SEC_HANDLE ContextId,
IN PSecBufferDesc Token
);
typedef NTSTATUS
(NTAPI KspMapHandleFn)(
IN LSA_SEC_HANDLE ContextId,
OUT PLSA_SEC_HANDLE LsaContextId
);
typedef NTSTATUS
(NTAPI KspSetPagingModeFn)(
IN BOOLEAN PagingMode
);
typedef NTSTATUS
(NTAPI KspSerializeAuthDataFn)(
IN PVOID pvAuthData,
OUT PULONG Size,
OUT PVOID * SerializedData
);
typedef struct _SECPKG_KERNEL_FUNCTION_TABLE {
KspInitPackageFn * Initialize;
KspDeleteContextFn * DeleteContext;
KspInitContextFn * InitContext;
KspMapHandleFn * MapHandle;
KspMakeSignatureFn * Sign;
KspVerifySignatureFn * Verify;
KspSealMessageFn * Seal;
KspUnsealMessageFn * Unseal;
KspGetTokenFn * GetToken;
KspQueryAttributesFn * QueryAttributes;
KspCompleteTokenFn * CompleteToken;
SpExportSecurityContextFn * ExportContext;
SpImportSecurityContextFn * ImportContext;
KspSetPagingModeFn * SetPackagePagingMode ;
KspSerializeAuthDataFn * SerializeAuthData ;
} SECPKG_KERNEL_FUNCTION_TABLE, *PSECPKG_KERNEL_FUNCTION_TABLE;
SECURITY_STATUS
SEC_ENTRY
KSecRegisterSecurityProvider(
PSECURITY_STRING ProviderName,
PSECPKG_KERNEL_FUNCTION_TABLE Table
);
extern SECPKG_KERNEL_FUNCTIONS KspKernelFunctions;
#ifdef __cplusplus
}
#endif
#endif /* _NTSECPKG_ */