archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/base/lsa/server/ausrvp.h

864 lines
18 KiB
Raw Permalink Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1989 Microsoft Corporation
  5. Module Name:
  7. ausrvp.h
  9. Abstract:
  11. This module contains AUTHENTICATION related data structures and
  12. API definitions that are private to the Local Security Authority
  13. (LSA) server.
  16. Author:
  18. Jim Kelly (JimK) 21-February-1991
  20. Revision History:
  22. --*/
  24. #ifndef _AUSRVP_
  25. #define _AUSRVP_
  29. //#define LSAP_AU_TRACK_CONTEXT
  30. //#define LSAP_AU_TRACK_THREADS
  31. //#define LSAP_AU_TRACK_LOGONS
  33. #include <nt.h>
  34. #include <ntrtl.h>
  35. #include <nturtl.h>
  36. #include <ntlsa.h>
  37. #include <stdlib.h>
  38. #include "lsasrvp.h"
  39. #include <aup.h>
  40. #include <samrpc.h>
  41. #include <ntdsapi.h>
  42. #include "spmgr.h"
  43. #include <secur32p.h>
  44. #include "logons.h"
  45. #include <credp.hxx>
  48. /////////////////////////////////////////////////////////////////////////
  49. // //
  50. // AU specific constants //
  51. // //
  52. /////////////////////////////////////////////////////////////////////////
  55. //
  56. // The filter/augmentor routines use the following bits in a mask
  57. // to track properties of IDs during logon. These bits have the following
  58. // meaning:
  59. //
  60. // LSAP_AU_SID_PROP_ALLOCATED - Indicates the SID was allocated within
  61. // the filter routine. If an error occurs, this allows allocated
  62. // IDs to be deallocated. Otherwise, the caller must deallocate
  63. // them.
  64. //
  65. // LSAP_AU_SID_COPY - Indicates the SID must be copied before returning.
  66. // This typically indicates that the pointed-to SID is a global
  67. // variable for use throughout LSA or that the SID is being referenced
  68. // from another structure (such as an existing TokenInformation structure).
  69. //
  70. // LSAP_AU_SID_PROP_HIGH_RATE - Indicates it is expected that the SID
  71. // will typically be used in ACLs to grant access. This is useful
  72. // to know when arranging SIDs. Placing the IDs that will have a
  73. // high chance of granting access at the front of the list of SIDs
  74. // will reduce the amount of time spent in access validation routines
  75. // after logon.
  76. //
  78. #define LSAP_AU_SID_PROP_ALLOCATED (0x00000001L)
  79. #define LSAP_AU_SID_PROP_COPY (0x00000002L)
  80. #define LSAP_AU_SID_PROP_HIGH_RATE (0x00000004L)
  86. /////////////////////////////////////////////////////////////////////////
  87. // //
  88. // Macro definitions //
  89. // //
  90. /////////////////////////////////////////////////////////////////////////
  92. //
  93. // Macros to gain exclusive access to protected global authentication
  94. // data structures
  95. //
  97. #define LsapAuLock() (RtlEnterCriticalSection(&LsapAuLock))
  98. #define LsapAuUnlock() (RtlLeaveCriticalSection(&LsapAuLock))
  102. /////////////////////////////////////////////////////////////////////////
  103. // //
  104. // Type definitions //
  105. // //
  106. /////////////////////////////////////////////////////////////////////////
  109. //
  110. // This data structure is used to house logon process information.
  111. //
  113. typedef struct _LSAP_LOGON_PROCESS {
  115. //
  116. // Links - Used to link contexts together. This must be the
  117. // first field of the context block.
  118. //
  120. LIST_ENTRY Links;
  123. //
  124. // ReferenceCount - Used to prevent this context from being
  125. // deleted prematurely.
  126. //
  128. ULONG References;
  131. //
  132. // ClientProcess - A handle to the client process. This handle is
  133. // used to perform virtual memory operations within the client
  134. // process (allocate, deallocate, read, write).
  135. //
  137. HANDLE ClientProcess;
  140. //
  141. // CommPort - A handle to the LPC communication port created to
  142. // communicate with this client. this port must be closed
  143. // when the client deregisters.
  144. //
  146. HANDLE CommPort;
  148. //
  149. // TrustedClient - If TRUE, the caller has TCB privilege and may
  150. // call any API. If FALSE, the caller may only call
  151. // LookupAuthenticatePackage and CallPackage, which is converted
  152. // to LsaApCallPackageUntrusted.
  153. //
  155. BOOLEAN TrustedClient;
  157. //
  158. // Name of the logon process.
  159. //
  161. WCHAR LogonProcessName[1];
  163. } LSAP_LOGON_PROCESS, *PLSAP_LOGON_PROCESS;
  168. //
  169. // This structure should be treated as opaque by non-LSA code.
  170. // It is used to maintain client information related to individual
  171. // requests. A public data structure (LSA_CLIENT_REQUEST) is
  172. // typecast to this type by LSA code.
  173. //
  175. typedef struct _LSAP_CLIENT_REQUEST {
  177. //
  178. // Request - Points to the request message received from the
  179. // client.
  180. //
  182. PLSAP_AU_API_MESSAGE Request;
  185. } LSAP_CLIENT_REQUEST, *PLSAP_CLIENT_REQUEST;
  191. //
  192. // The dispatch table of services which are provided by
  193. // authentication packages.
  194. //
  195. typedef struct _LSAP_PACKAGE_TABLE {
  196. PLSA_AP_INITIALIZE_PACKAGE LsapApInitializePackage;
  197. PLSA_AP_LOGON_USER LsapApLogonUser;
  198. PLSA_AP_CALL_PACKAGE LsapApCallPackage;
  199. PLSA_AP_LOGON_TERMINATED LsapApLogonTerminated;
  200. PLSA_AP_CALL_PACKAGE_UNTRUSTED LsapApCallPackageUntrusted;
  201. PLSA_AP_LOGON_USER_EX LsapApLogonUserEx;
  202. } LSAP_PACKAGE_TABLE, *PLSA_PACKAGE_TABLE;
  205. //
  206. // Used to house information about each loaded authentication package
  207. //
  209. typedef struct _LSAP_PACKAGE_CONTEXT {
  210. PSTRING Name;
  211. LSAP_PACKAGE_TABLE PackageApi;
  212. } LSAP_PACKAGE_CONTEXT, *PLSAP_PACKAGE_CONTEXT;
  215. //
  216. // Rather than keep authentication package contexts in a linked list,
  217. // they are pointed to via an array of pointers. This is practical
  218. // because there will never be more than a handful of authentication
  219. // packages in any particular system, and because authentication packages
  220. // are never unloaded.
  221. //
  223. typedef struct _LSAP_PACKAGE_ARRAY {
  224. PLSAP_PACKAGE_CONTEXT Package[ANYSIZE_ARRAY];
  225. } LSAP_PACKAGE_ARRAY, *PLSAP_PACKAGE_ARRAY;
  230. //
  231. // Logon Session & Credential management data structures.
  232. //
  233. // Credentials are kept in a structure that looks like:
  234. //
  235. // +------+ +------+
  236. // LsapLogonSessions->| Logon|---->| Logon|------> o o o
  237. // | Id | | Id |
  238. // | * | | * |
  239. // +---|--+ +---|--+
  240. // |
  241. // | +-----+ +-----+
  242. // +-->| Auth|------>| Auth|
  243. // | Cred| | Cred|
  244. // |- - -| |- - -|
  245. // | Cred| | . |
  246. // | List| | . |
  247. // | * | | . |
  248. // +--|--+ +-----+
  249. // |
  250. // +------> +------------+
  251. // | NextCred | -----> o o o
  252. // |- - - - - - |
  253. // | Primary Key|--->(PrimaryKeyvalue)
  254. // |- - - - - - |
  255. // | Credential |
  256. // | Value |--->(CredentialValue)
  257. // +------------+
  258. //
  259. //
  260. //
  262. typedef struct _LSAP_CREDENTIALS {
  264. struct _LSAP_CREDENTIALS *NextCredentials;
  265. STRING PrimaryKey;
  266. STRING Credentials;
  268. } LSAP_CREDENTIALS, *PLSAP_CREDENTIALS;
  272. typedef struct _LSAP_PACKAGE_CREDENTIALS {
  274. struct _LSAP_PACKAGE_CREDENTIALS *NextPackage;
  276. //
  277. // Package that created (and owns) these credentials
  278. //
  280. ULONG PackageId;
  282. //
  283. // List of credentials associated with this package
  284. //
  286. PLSAP_CREDENTIALS Credentials;
  288. } LSAP_PACKAGE_CREDENTIALS, *PLSAP_PACKAGE_CREDENTIALS;
  291. #define LSAP_MAX_DS_NAMES (DS_DNS_DOMAIN_NAME + 1)
  293. typedef struct _LSAP_DS_NAME_MAP {
  294. LARGE_INTEGER ExpirationTime ;
  295. ULONG RefCount ;
  296. UNICODE_STRING Name ;
  297. } LSAP_DS_NAME_MAP, * PLSAP_DS_NAME_MAP ;
  299. typedef struct _LSAP_LOGON_SESSION {
  301. //
  302. // List maintained for enumeration
  303. //
  305. LIST_ENTRY List ;
  307. //
  308. // Each record represents just one logon session
  309. //
  311. LUID LogonId;
  314. //
  315. // For audit purposes, we keep an account name, authenticating
  316. // authority name, and User SID for each logon session.
  317. //
  319. UNICODE_STRING AccountName;
  320. UNICODE_STRING AuthorityName;
  321. UNICODE_STRING ProfilePath;
  322. PSID UserSid;
  323. SECURITY_LOGON_TYPE LogonType;
  325. //
  326. // Session ID
  327. //
  329. ULONG Session ;
  331. //
  332. // Logon Time
  333. //
  335. LARGE_INTEGER LogonTime ;
  337. //
  338. // purported logon server.
  339. //
  341. UNICODE_STRING LogonServer;
  343. //
  344. // The authentication packages that have credentials associated
  345. // with this logon session each have their own record in the following
  346. // linked list.
  347. //
  348. // Access serialized by AuCredLock
  349. //
  351. PLSAP_PACKAGE_CREDENTIALS Packages;
  353. //
  354. // License Server Handle.
  355. //
  356. // Null if the license server need not be notified upon logoff.
  357. //
  359. HANDLE LicenseHandle;
  361. //
  362. // Handle to the token associated with this session.
  363. //
  364. // Access serialized by LogonSessionListLock
  365. //
  367. HANDLE TokenHandle;
  369. //
  370. // Creating Package
  371. //
  373. ULONG_PTR CreatingPackage;
  375. //
  376. // Create trace info:
  377. //
  379. ULONG Process ;
  380. ULONG ContextAttr ;
  382. //
  383. // Credential Sets for this logon session.
  384. //
  386. CREDENTIAL_SETS CredentialSets;
  389. //
  390. // Access serialized by LogonSessionListLock
  391. //
  392. PLSAP_DS_NAME_MAP DsNames[ LSAP_MAX_DS_NAMES ];
  394. //
  395. // Logon GUID
  396. //
  397. // This is used by Kerberos package for auditing.
  398. // (please see function header for LsaIGetLogonGuid for more info)
  399. //
  400. GUID LogonGuid;
  402. } LSAP_LOGON_SESSION, *PLSAP_LOGON_SESSION;
  406. /////////////////////////////////////////////////////////////////////////
  407. // //
  408. // Internal API definitions //
  409. // //
  410. /////////////////////////////////////////////////////////////////////////
  414. //
  415. // Logon process context management services
  416. //
  418. NTSTATUS
  419. LsapAuInitializeContextMgr(
  420. VOID
  421. );
  423. VOID
  424. LsapAuAddClientContext(
  425. PLSAP_LOGON_PROCESS Context
  426. );
  428. BOOLEAN
  429. LsapAuReferenceClientContext(
  430. PLSAP_CLIENT_REQUEST ClientRequest,
  431. BOOLEAN RemoveContext,
  432. PBOOLEAN TrustedClient
  433. );
  435. VOID
  436. LsapAuDereferenceClientContext(
  437. PLSAP_LOGON_PROCESS Context
  438. );
  440. //
  441. // Authentication client loop and dispatch routines
  442. //
  445. NTSTATUS
  446. LsapAuListenLoop( // Listen for connections from logon processes
  447. IN PVOID ThreadParameter
  448. );
  450. NTSTATUS
  451. LsapAuServerLoop( // Wait for logon process calls & dispatch them
  452. IN PVOID ThreadParameter
  453. );
  456. BOOLEAN
  457. LsapAuLoopInitialize(
  458. VOID
  459. );
  463. typedef
  464. NTSTATUS // Template dispatch routine
  465. (* PLSAP_AU_API_DISPATCH)(
  466. IN OUT PLSAP_CLIENT_REQUEST ClientRequest
  467. );
  470. NTSTATUS
  471. LsapAuApiDispatchLogonUser( // LsaLogonUser() dispatch routine
  472. IN OUT PLSAP_CLIENT_REQUEST ClientRequest
  473. );
  475. NTSTATUS
  476. LsapAuApiDispatchCallPackage( // LsaCallAuthenticationPackage() dispatch routine
  477. IN OUT PLSAP_CLIENT_REQUEST ClientRequest
  478. );
  483. //
  484. // Client process virtual memory routines
  485. //
  488. NTSTATUS
  489. LsapAllocateClientBuffer (
  490. IN PLSA_CLIENT_REQUEST ClientRequest,
  491. IN ULONG LengthRequired,
  492. OUT PVOID *ClientBaseAddress
  493. );
  495. NTSTATUS
  496. LsapFreeClientBuffer (
  497. IN PLSA_CLIENT_REQUEST ClientRequest,
  498. IN PVOID ClientBaseAddress OPTIONAL
  499. );
  501. NTSTATUS
  502. LsapCopyToClientBuffer (
  503. IN PLSA_CLIENT_REQUEST ClientRequest,
  504. IN ULONG Length,
  505. IN PVOID ClientBaseAddress,
  506. IN PVOID BufferToCopy
  507. );
  509. NTSTATUS
  510. LsapCopyFromClientBuffer (
  511. IN PLSA_CLIENT_REQUEST ClientRequest,
  512. IN ULONG Length,
  513. IN PVOID BufferToCopy,
  514. IN PVOID ClientBaseAddress
  515. );
  518. //
  519. // Logon session routines
  520. //
  522. BOOLEAN
  523. LsapLogonSessionInitialize();
  525. NTSTATUS
  526. LsapCreateLogonSession(
  527. IN PLUID LogonId
  528. );
  530. NTSTATUS
  531. LsapDeleteLogonSession (
  532. IN PLUID LogonId
  533. );
  535. PLSAP_LOGON_SESSION
  536. LsapLocateLogonSession(
  537. PLUID LogonId
  538. );
  540. VOID
  541. LsapReleaseLogonSession(
  542. PLSAP_LOGON_SESSION LogonSession
  543. );
  545. NTSTATUS
  546. LsapSetLogonSessionAccountInfo(
  547. IN PLUID LogonId,
  548. IN PUNICODE_STRING AccountName,
  549. IN PUNICODE_STRING AuthorityName,
  550. IN OPTIONAL PUNICODE_STRING ProfilePath,
  551. IN PSID * UserSid,
  552. IN SECURITY_LOGON_TYPE LogonType,
  553. IN PSECPKG_PRIMARY_CRED PrimaryCredentials OPTIONAL
  554. );
  556. NTSTATUS
  557. LsapGetLogonSessionAccountInfo(
  558. IN PLUID LogonId,
  559. OUT PUNICODE_STRING AccountName,
  560. OUT PUNICODE_STRING AuthorityName
  561. );
  563. VOID
  564. LsapDerefDsNameMap(
  565. PLSAP_DS_NAME_MAP Map
  566. );
  568. NTSTATUS
  569. LsapGetNameForLogonSession(
  570. PLSAP_LOGON_SESSION LogonSession,
  571. ULONG NameType,
  572. PLSAP_DS_NAME_MAP * Map,
  573. BOOL LocalOnly
  574. );
  576. NTSTATUS
  577. LsapSetSessionToken(
  578. IN HANDLE InputTokenHandle,
  579. IN PLUID LogonId
  580. );
  582. NTSTATUS
  583. LsapOpenTokenByLogonId(
  584. IN PLUID LogonId,
  585. OUT HANDLE *RetTokenHandle
  586. );
  588. PLSAP_DS_NAME_MAP
  589. LsapGetNameForLocalSystem(
  590. VOID
  591. );
  593. //
  594. // Credentials routines
  595. //
  598. NTSTATUS
  599. LsapAddCredential(
  600. IN PLUID LogonId,
  601. IN ULONG AuthenticationPackage,
  602. IN PSTRING PrimaryKeyValue,
  603. IN PSTRING Credentials
  604. );
  607. NTSTATUS
  608. LsapGetCredentials(
  609. IN PLUID LogonId,
  610. IN ULONG AuthenticationPackage,
  611. IN OUT PULONG QueryContext,
  612. IN BOOLEAN RetrieveAllCredentials,
  613. IN PSTRING PrimaryKeyValue,
  614. OUT PULONG PrimaryKeyLength,
  615. IN PSTRING Credentials
  616. );
  618. NTSTATUS
  619. LsapDeleteCredential(
  620. IN PLUID LogonId,
  621. IN ULONG AuthenticationPackage,
  622. IN PSTRING PrimaryKeyValue
  623. );
  626. PLSAP_PACKAGE_CREDENTIALS
  627. LsapGetPackageCredentials(
  628. IN PLSAP_LOGON_SESSION LogonSession,
  629. IN ULONG PackageId,
  630. IN BOOLEAN CreateIfNecessary
  631. );
  635. VOID
  636. LsapFreePackageCredentialList(
  637. IN PLSAP_PACKAGE_CREDENTIALS PackageCredentialList
  638. );
  642. VOID
  643. LsapFreeCredentialList(
  644. IN PLSAP_CREDENTIALS CredentialList
  645. );
  648. NTSTATUS
  649. LsapReturnCredential(
  650. IN PLSAP_CREDENTIALS SourceCredentials,
  651. IN PSTRING TargetCredentials,
  652. IN BOOLEAN ReturnPrimaryKey,
  653. IN PSTRING PrimaryKeyValue OPTIONAL,
  654. OUT PULONG PrimaryKeyLength OPTIONAL
  655. );
  659. //
  660. // Logon process related services
  661. //
  664. NTSTATUS
  665. LsapValidLogonProcess(
  666. IN PVOID ConnectionRequest,
  667. IN ULONG RequestLength,
  668. IN PCLIENT_ID ClientId,
  669. OUT PLUID LogonId,
  670. OUT PULONG Flags
  671. );
  676. //
  677. // Authentication package routines
  678. //
  682. VOID
  683. LsapAuLogonTerminatedPackages(
  684. IN PLUID LogonId
  685. );
  687. NTSTATUS
  688. LsaCallLicenseServer(
  689. IN PWCHAR LogonProcessName,
  690. IN PUNICODE_STRING AccountName,
  691. IN PUNICODE_STRING DomainName OPTIONAL,
  692. IN BOOLEAN IsAdmin,
  693. OUT HANDLE *LicenseHandle
  694. );
  696. VOID
  697. LsaFreeLicenseHandle(
  698. IN HANDLE LicenseHandle
  699. );
  702. //
  703. // Miscellaneous other routines
  704. // (LsapAuInit() is the link to the rest of LSA and resides in lsap.h)
  705. //
  711. BOOLEAN
  712. LsapWellKnownValueInit(
  713. VOID
  714. );
  716. BOOLEAN
  717. LsapEnableCreateTokenPrivilege(
  718. VOID
  719. );
  724. NTSTATUS
  725. LsapCreateNullToken(
  726. IN PLUID LogonId,
  727. IN PTOKEN_SOURCE TokenSource,
  728. IN PLSA_TOKEN_INFORMATION_NULL TokenInformationNull,
  729. OUT PHANDLE Token
  730. );
  732. NTSTATUS
  733. LsapCreateV2Token(
  734. IN PLUID LogonId,
  735. IN PTOKEN_SOURCE TokenSource,
  736. IN PLSA_TOKEN_INFORMATION_V2 TokenInformationV2,
  737. IN TOKEN_TYPE TokenType,
  738. IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  739. OUT PHANDLE Token
  740. );
  743. NTSTATUS
  744. LsapCaptureClientTokenGroups(
  745. IN PLSAP_CLIENT_REQUEST ClientRequest,
  746. IN ULONG GroupCount,
  747. IN PTOKEN_GROUPS ClientTokenGroups,
  748. IN PTOKEN_GROUPS *CapturedTokenGroups
  749. );
  752. NTSTATUS
  753. LsapBuildDefaultTokenGroups(
  754. PLSAP_LOGON_USER_ARGS Arguments
  755. );
  757. VOID
  758. LsapFreeTokenGroups(
  759. IN PTOKEN_GROUPS TokenGroups
  760. );
  762. VOID
  763. LsapFreeTokenPrivileges(
  764. IN PTOKEN_PRIVILEGES TokenPrivileges OPTIONAL
  765. );
  767. VOID
  768. LsapFreeTokenInformationNull(
  769. IN PLSA_TOKEN_INFORMATION_NULL TokenInformationNull
  770. );
  774. VOID
  775. LsapFreeTokenInformationV1(
  776. IN PLSA_TOKEN_INFORMATION_V1 TokenInformationV1
  777. );
  779. VOID
  780. LsapFreeTokenInformationV2(
  781. IN PLSA_TOKEN_INFORMATION_V2 TokenInformationV2
  782. );
  785. NTSTATUS
  786. LsapAuUserLogonPolicyFilter(
  787. IN SECURITY_LOGON_TYPE LogonType,
  788. IN PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  789. IN PVOID *TokenInformation,
  790. IN PTOKEN_GROUPS LocalGroups,
  791. OUT PQUOTA_LIMITS QuotaLimits,
  792. OUT PPRIVILEGE_SET *PrivilegesAssigned
  793. );
  798. /////////////////////////////////////////////////////////////////////////
  799. // //
  800. // Global variables of the LSA server //
  801. // //
  802. /////////////////////////////////////////////////////////////////////////
  808. //
  809. // Well known LUIDs
  810. //
  812. extern LUID LsapSystemLogonId;
  813. extern LUID LsapAnonymousLogonId;
  816. //
  817. // Well known privilege values
  818. //
  821. extern LUID LsapCreateTokenPrivilege;
  822. extern LUID LsapAssignPrimaryTokenPrivilege;
  823. extern LUID LsapLockMemoryPrivilege;
  824. extern LUID LsapIncreaseQuotaPrivilege;
  825. extern LUID LsapUnsolicitedInputPrivilege;
  826. extern LUID LsapTcbPrivilege;
  827. extern LUID LsapSecurityPrivilege;
  828. extern LUID LsapTakeOwnershipPrivilege;
  830. //
  831. // Strings needed for auditing.
  832. //
  834. extern UNICODE_STRING LsapLsaAuName;
  835. extern UNICODE_STRING LsapRegisterLogonServiceName;
  839. //
  840. // The following information pertains to the use of the local SAM
  841. // for authentication.
  842. //
  845. // Length of typical Sids of members of the Account or Built-In Domains
  847. extern ULONG LsapAccountDomainMemberSidLength,
  848. LsapBuiltinDomainMemberSidLength;
  850. // Sub-Authority Counts for members of the Account or Built-In Domains
  852. extern UCHAR LsapAccountDomainSubCount,
  853. LsapBuiltinDomainSubCount;
  855. // Typical Sids for members of Account or Built-in Domains
  857. extern PSID LsapAccountDomainMemberSid,
  858. LsapBuiltinDomainMemberSid;
  864. #endif // _AUSRVP_