archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 9769ad7c3d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9769ad7c3d'
${ noResults }
windows-xp/Source/XPSP1/NT/public/sdk/inc/ntsecpkg.h

1874 lines
53 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++ BUILD Version: 0000 Increment this if a change has global effects
  3. Copyright (c) Microsoft Corporation. All rights reserved.
  5. Module Name:
  7. ntsecpkg.h
  9. Abstract:
  11. This module defines the structures and APIs for use by a
  12. authentication or security package.
  14. Revision History:
  16. --*/
  18. #ifndef _NTSECPKG_
  19. #define _NTSECPKG_
  21. #ifdef __cplusplus
  22. extern "C" {
  23. #endif
  26. /////////////////////////////////////////////////////////////////////////
  27. // //
  28. // Data types used by authentication packages //
  29. // //
  30. /////////////////////////////////////////////////////////////////////////
  32. //
  33. // opaque data type which represents a client request
  34. //
  36. typedef PVOID *PLSA_CLIENT_REQUEST;
  39. //
  40. // When a logon of a user is requested, the authentication package
  41. // is expected to return one of the following structures indicating
  42. // the contents of a user's token.
  43. //
  45. typedef enum _LSA_TOKEN_INFORMATION_TYPE {
  46. LsaTokenInformationNull, // Implies LSA_TOKEN_INFORMATION_NULL data type
  47. LsaTokenInformationV1, // Implies LSA_TOKEN_INFORMATION_V1 data type
  48. LsaTokenInformationV2 // Implies LSA_TOKEN_INFORMATION_V2 data type
  49. } LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;
  52. //
  53. // The NULL information is used in cases where a non-authenticated
  54. // system access is needed. For example, a non-authentication network
  55. // circuit (such as LAN Manager's null session) can be given NULL
  56. // information. This will result in an anonymous token being generated
  57. // for the logon that gives the user no ability to access protected system
  58. // resources, but does allow access to non-protected system resources.
  59. //
  61. typedef struct _LSA_TOKEN_INFORMATION_NULL {
  63. //
  64. // Time at which the security context becomes invalid.
  65. // Use a value in the distant future if the context
  66. // never expires.
  67. //
  69. LARGE_INTEGER ExpirationTime;
  71. //
  72. // The SID(s) of groups the user is to be made a member of. This should
  73. // not include WORLD or other system defined and assigned
  74. // SIDs. These will be added automatically by LSA.
  75. //
  76. // Each SID is expected to be in a separately allocated block
  77. // of memory. The TOKEN_GROUPS structure is also expected to
  78. // be in a separately allocated block of memory.
  79. //
  81. PTOKEN_GROUPS Groups;
  83. } LSA_TOKEN_INFORMATION_NULL, *PLSA_TOKEN_INFORMATION_NULL;
  86. //
  87. // The V1 token information structure is superceeded by the V2 token
  88. // information structure. The V1 strucure should only be used for
  89. // backwards compatability.
  90. // This structure contains information that an authentication package
  91. // can place in a Version 1 NT token object.
  92. //
  94. typedef struct _LSA_TOKEN_INFORMATION_V1 {
  96. //
  97. // Time at which the security context becomes invalid.
  98. // Use a value in the distant future if the context
  99. // never expires.
  100. //
  102. LARGE_INTEGER ExpirationTime;
  104. //
  105. // The SID of the user logging on. The SID value is in a
  106. // separately allocated block of memory.
  107. //
  109. TOKEN_USER User;
  111. //
  112. // The SID(s) of groups the user is a member of. This should
  113. // not include WORLD or other system defined and assigned
  114. // SIDs. These will be added automatically by LSA.
  115. //
  116. // Each SID is expected to be in a separately allocated block
  117. // of memory. The TOKEN_GROUPS structure is also expected to
  118. // be in a separately allocated block of memory.
  119. //
  121. PTOKEN_GROUPS Groups;
  123. //
  124. // This field is used to establish the primary group of the user.
  125. // This value does not have to correspond to one of the SIDs
  126. // assigned to the user.
  127. //
  128. // The SID pointed to by this structure is expected to be in
  129. // a separately allocated block of memory.
  130. //
  131. // This field is mandatory and must be filled in.
  132. //
  134. TOKEN_PRIMARY_GROUP PrimaryGroup;
  138. //
  139. // The privileges the user is assigned. This list of privileges
  140. // will be augmented or over-ridden by any local security policy
  141. // assigned privileges.
  142. //
  143. // Each privilege is expected to be in a separately allocated
  144. // block of memory. The TOKEN_PRIVILEGES structure is also
  145. // expected to be in a separately allocated block of memory.
  146. //
  147. // If there are no privileges to assign to the user, this field
  148. // may be set to NULL.
  149. //
  151. PTOKEN_PRIVILEGES Privileges;
  155. //
  156. // This field may be used to establish an explicit default
  157. // owner. Normally, the user ID is used as the default owner.
  158. // If another value is desired, it must be specified here.
  159. //
  160. // The Owner.Sid field may be set to NULL to indicate there is no
  161. // alternate default owner value.
  162. //
  164. TOKEN_OWNER Owner;
  166. //
  167. // This field may be used to establish a default
  168. // protection for the user. If no value is provided, then
  169. // a default protection that grants everyone all access will
  170. // be established.
  171. //
  172. // The DefaultDacl.DefaultDacl field may be set to NULL to indicate
  173. // there is no default protection.
  174. //
  176. TOKEN_DEFAULT_DACL DefaultDacl;
  178. } LSA_TOKEN_INFORMATION_V1, *PLSA_TOKEN_INFORMATION_V1;
  180. //
  181. // The V2 information is used in most cases of logon. The structure is identical
  182. // to the V1 token information structure, with the exception that the memory allocation
  183. // is handled differently. The LSA_TOKEN_INFORMATION_V2 structure is intended to be
  184. // allocated monolithiclly, with the privileges, DACL, sids, and group array either part of
  185. // same allocation, or allocated and freed externally.
  186. //
  188. typedef LSA_TOKEN_INFORMATION_V1 LSA_TOKEN_INFORMATION_V2, *PLSA_TOKEN_INFORMATION_V2;
  191. /////////////////////////////////////////////////////////////////////////
  192. // //
  193. // Interface definitions available for use by authentication packages //
  194. // //
  195. /////////////////////////////////////////////////////////////////////////
  199. typedef NTSTATUS
  200. (NTAPI LSA_CREATE_LOGON_SESSION) (
  201. IN PLUID LogonId
  202. );
  204. typedef NTSTATUS
  205. (NTAPI LSA_DELETE_LOGON_SESSION) (
  206. IN PLUID LogonId
  207. );
  209. typedef NTSTATUS
  210. (NTAPI LSA_ADD_CREDENTIAL) (
  211. IN PLUID LogonId,
  212. IN ULONG AuthenticationPackage,
  213. IN PLSA_STRING PrimaryKeyValue,
  214. IN PLSA_STRING Credentials
  215. );
  217. typedef NTSTATUS
  218. (NTAPI LSA_GET_CREDENTIALS) (
  219. IN PLUID LogonId,
  220. IN ULONG AuthenticationPackage,
  221. IN OUT PULONG QueryContext,
  222. IN BOOLEAN RetrieveAllCredentials,
  223. IN PLSA_STRING PrimaryKeyValue,
  224. OUT PULONG PrimaryKeyLength,
  225. IN PLSA_STRING Credentials
  226. );
  228. typedef NTSTATUS
  229. (NTAPI LSA_DELETE_CREDENTIAL) (
  230. IN PLUID LogonId,
  231. IN ULONG AuthenticationPackage,
  232. IN PLSA_STRING PrimaryKeyValue
  233. );
  235. typedef PVOID
  236. (NTAPI LSA_ALLOCATE_LSA_HEAP) (
  237. IN ULONG Length
  238. );
  240. typedef VOID
  241. (NTAPI LSA_FREE_LSA_HEAP) (
  242. IN PVOID Base
  243. );
  245. typedef PVOID
  246. (NTAPI LSA_ALLOCATE_PRIVATE_HEAP) (
  247. IN SIZE_T Length
  248. );
  250. typedef VOID
  251. (NTAPI LSA_FREE_PRIVATE_HEAP) (
  252. IN PVOID Base
  253. );
  255. typedef NTSTATUS
  256. (NTAPI LSA_ALLOCATE_CLIENT_BUFFER) (
  257. IN PLSA_CLIENT_REQUEST ClientRequest,
  258. IN ULONG LengthRequired,
  259. OUT PVOID *ClientBaseAddress
  260. );
  262. typedef NTSTATUS
  263. (NTAPI LSA_FREE_CLIENT_BUFFER) (
  264. IN PLSA_CLIENT_REQUEST ClientRequest,
  265. IN PVOID ClientBaseAddress
  266. );
  268. typedef NTSTATUS
  269. (NTAPI LSA_COPY_TO_CLIENT_BUFFER) (
  270. IN PLSA_CLIENT_REQUEST ClientRequest,
  271. IN ULONG Length,
  272. IN PVOID ClientBaseAddress,
  273. IN PVOID BufferToCopy
  274. );
  276. typedef NTSTATUS
  277. (NTAPI LSA_COPY_FROM_CLIENT_BUFFER) (
  278. IN PLSA_CLIENT_REQUEST ClientRequest,
  279. IN ULONG Length,
  280. IN PVOID BufferToCopy,
  281. IN PVOID ClientBaseAddress
  282. );
  284. typedef LSA_CREATE_LOGON_SESSION * PLSA_CREATE_LOGON_SESSION ;
  285. typedef LSA_DELETE_LOGON_SESSION * PLSA_DELETE_LOGON_SESSION ;
  286. typedef LSA_ADD_CREDENTIAL * PLSA_ADD_CREDENTIAL ;
  287. typedef LSA_GET_CREDENTIALS * PLSA_GET_CREDENTIALS ;
  288. typedef LSA_DELETE_CREDENTIAL * PLSA_DELETE_CREDENTIAL ;
  289. typedef LSA_ALLOCATE_LSA_HEAP * PLSA_ALLOCATE_LSA_HEAP ;
  290. typedef LSA_FREE_LSA_HEAP * PLSA_FREE_LSA_HEAP ;
  291. typedef LSA_ALLOCATE_PRIVATE_HEAP * PLSA_ALLOCATE_PRIVATE_HEAP ;
  292. typedef LSA_FREE_PRIVATE_HEAP * PLSA_FREE_PRIVATE_HEAP ;
  293. typedef LSA_ALLOCATE_CLIENT_BUFFER * PLSA_ALLOCATE_CLIENT_BUFFER ;
  294. typedef LSA_FREE_CLIENT_BUFFER * PLSA_FREE_CLIENT_BUFFER ;
  295. typedef LSA_COPY_TO_CLIENT_BUFFER * PLSA_COPY_TO_CLIENT_BUFFER ;
  296. typedef LSA_COPY_FROM_CLIENT_BUFFER * PLSA_COPY_FROM_CLIENT_BUFFER ;
  298. //
  299. // The dispatch table of LSA services which are available to
  300. // authentication packages.
  301. //
  302. typedef struct _LSA_DISPATCH_TABLE {
  303. PLSA_CREATE_LOGON_SESSION CreateLogonSession;
  304. PLSA_DELETE_LOGON_SESSION DeleteLogonSession;
  305. PLSA_ADD_CREDENTIAL AddCredential;
  306. PLSA_GET_CREDENTIALS GetCredentials;
  307. PLSA_DELETE_CREDENTIAL DeleteCredential;
  308. PLSA_ALLOCATE_LSA_HEAP AllocateLsaHeap;
  309. PLSA_FREE_LSA_HEAP FreeLsaHeap;
  310. PLSA_ALLOCATE_CLIENT_BUFFER AllocateClientBuffer;
  311. PLSA_FREE_CLIENT_BUFFER FreeClientBuffer;
  312. PLSA_COPY_TO_CLIENT_BUFFER CopyToClientBuffer;
  313. PLSA_COPY_FROM_CLIENT_BUFFER CopyFromClientBuffer;
  314. } LSA_DISPATCH_TABLE, *PLSA_DISPATCH_TABLE;
  318. ////////////////////////////////////////////////////////////////////////////
  319. // //
  320. // Interface definitions of services provided by authentication packages //
  321. // //
  322. ////////////////////////////////////////////////////////////////////////////
  326. //
  327. // Routine names
  328. //
  329. // The routines provided by the DLL must be assigned the following names
  330. // so that their addresses can be retrieved when the DLL is loaded.
  331. //
  333. #define LSA_AP_NAME_INITIALIZE_PACKAGE "LsaApInitializePackage\0"
  334. #define LSA_AP_NAME_LOGON_USER "LsaApLogonUser\0"
  335. #define LSA_AP_NAME_LOGON_USER_EX "LsaApLogonUserEx\0"
  336. #define LSA_AP_NAME_CALL_PACKAGE "LsaApCallPackage\0"
  337. #define LSA_AP_NAME_LOGON_TERMINATED "LsaApLogonTerminated\0"
  338. #define LSA_AP_NAME_CALL_PACKAGE_UNTRUSTED "LsaApCallPackageUntrusted\0"
  339. #define LSA_AP_NAME_CALL_PACKAGE_PASSTHROUGH "LsaApCallPackagePassthrough\0"
  342. //
  343. // Routine templates
  344. //
  347. typedef NTSTATUS
  348. (NTAPI LSA_AP_INITIALIZE_PACKAGE) (
  349. IN ULONG AuthenticationPackageId,
  350. IN PLSA_DISPATCH_TABLE LsaDispatchTable,
  351. IN PLSA_STRING Database OPTIONAL,
  352. IN PLSA_STRING Confidentiality OPTIONAL,
  353. OUT PLSA_STRING *AuthenticationPackageName
  354. );
  356. typedef NTSTATUS
  357. (NTAPI LSA_AP_LOGON_USER) (
  358. IN PLSA_CLIENT_REQUEST ClientRequest,
  359. IN SECURITY_LOGON_TYPE LogonType,
  360. IN PVOID AuthenticationInformation,
  361. IN PVOID ClientAuthenticationBase,
  362. IN ULONG AuthenticationInformationLength,
  363. OUT PVOID *ProfileBuffer,
  364. OUT PULONG ProfileBufferLength,
  365. OUT PLUID LogonId,
  366. OUT PNTSTATUS SubStatus,
  367. OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  368. OUT PVOID *TokenInformation,
  369. OUT PLSA_UNICODE_STRING *AccountName,
  370. OUT PLSA_UNICODE_STRING *AuthenticatingAuthority
  371. );
  373. typedef NTSTATUS
  374. (NTAPI LSA_AP_LOGON_USER_EX) (
  375. IN PLSA_CLIENT_REQUEST ClientRequest,
  376. IN SECURITY_LOGON_TYPE LogonType,
  377. IN PVOID AuthenticationInformation,
  378. IN PVOID ClientAuthenticationBase,
  379. IN ULONG AuthenticationInformationLength,
  380. OUT PVOID *ProfileBuffer,
  381. OUT PULONG ProfileBufferLength,
  382. OUT PLUID LogonId,
  383. OUT PNTSTATUS SubStatus,
  384. OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  385. OUT PVOID *TokenInformation,
  386. OUT PUNICODE_STRING *AccountName,
  387. OUT PUNICODE_STRING *AuthenticatingAuthority,
  388. OUT PUNICODE_STRING *MachineName
  389. );
  391. typedef NTSTATUS
  392. (NTAPI LSA_AP_CALL_PACKAGE) (
  393. IN PLSA_CLIENT_REQUEST ClientRequest,
  394. IN PVOID ProtocolSubmitBuffer,
  395. IN PVOID ClientBufferBase,
  396. IN ULONG SubmitBufferLength,
  397. OUT PVOID *ProtocolReturnBuffer,
  398. OUT PULONG ReturnBufferLength,
  399. OUT PNTSTATUS ProtocolStatus
  400. );
  402. typedef NTSTATUS
  403. (NTAPI LSA_AP_CALL_PACKAGE_PASSTHROUGH) (
  404. IN PLSA_CLIENT_REQUEST ClientRequest,
  405. IN PVOID ProtocolSubmitBuffer,
  406. IN PVOID ClientBufferBase,
  407. IN ULONG SubmitBufferLength,
  408. OUT PVOID *ProtocolReturnBuffer,
  409. OUT PULONG ReturnBufferLength,
  410. OUT PNTSTATUS ProtocolStatus
  411. );
  413. typedef VOID
  414. (NTAPI LSA_AP_LOGON_TERMINATED) (
  415. IN PLUID LogonId
  416. );
  418. typedef LSA_AP_CALL_PACKAGE LSA_AP_CALL_PACKAGE_UNTRUSTED;
  420. typedef LSA_AP_INITIALIZE_PACKAGE * PLSA_AP_INITIALIZE_PACKAGE ;
  421. typedef LSA_AP_LOGON_USER * PLSA_AP_LOGON_USER ;
  422. typedef LSA_AP_LOGON_USER_EX * PLSA_AP_LOGON_USER_EX ;
  423. typedef LSA_AP_CALL_PACKAGE * PLSA_AP_CALL_PACKAGE ;
  424. typedef LSA_AP_CALL_PACKAGE_PASSTHROUGH * PLSA_AP_CALL_PACKAGE_PASSTHROUGH ;
  425. typedef LSA_AP_LOGON_TERMINATED * PLSA_AP_LOGON_TERMINATED ;
  426. typedef LSA_AP_CALL_PACKAGE_UNTRUSTED * PLSA_AP_CALL_PACKAGE_UNTRUSTED ;
  429. #ifndef _SAM_CREDENTIAL_UPDATE_DEFINED
  430. #define _SAM_CREDENTIAL_UPDATE_DEFINED
  432. typedef NTSTATUS (*PSAM_CREDENTIAL_UPDATE_NOTIFY_ROUTINE) (
  433. IN PUNICODE_STRING ClearPassword,
  434. IN PVOID OldCredentials,
  435. IN ULONG OldCredentialSize,
  436. IN ULONG UserAccountControl,
  437. IN PUNICODE_STRING UPN, OPTIONAL
  438. IN PUNICODE_STRING UserName,
  439. IN PUNICODE_STRING NetbiosDomainName,
  440. IN PUNICODE_STRING DnsDomainName,
  441. OUT PVOID * NewCredentials,
  442. OUT ULONG * NewCredentialSize
  443. );
  445. #define SAM_CREDENTIAL_UPDATE_NOTIFY_ROUTINE "CredentialUpdateNotify"
  447. typedef BOOLEAN (*PSAM_CREDENTIAL_UPDATE_REGISTER_ROUTINE) (
  448. OUT PUNICODE_STRING CredentialName
  449. );
  451. #define SAM_CREDENTIAL_UPDATE_REGISTER_ROUTINE "CredentialUpdateRegister"
  453. typedef VOID (*PSAM_CREDENTIAL_UPDATE_FREE_ROUTINE) (
  454. IN PVOID p
  455. );
  457. #define SAM_CREDENTIAL_UPDATE_FREE_ROUTINE "CredentialUpdateFree"
  459. #endif // _SAM_CREDENTIAL_UPDATE_DEFINED
  462. #ifdef SECURITY_KERNEL
  463. //
  464. // Can't use the windows.h def'ns in kernel mode.
  465. //
  466. typedef PVOID SEC_THREAD_START;
  467. typedef PVOID SEC_ATTRS;
  468. #else
  469. typedef LPTHREAD_START_ROUTINE SEC_THREAD_START;
  470. typedef LPSECURITY_ATTRIBUTES SEC_ATTRS;
  471. #endif
  474. #define SecEqualLuid(L1, L2) \
  475. ( ( ((PLUID)L1)->LowPart == ((PLUID)L2)->LowPart ) && \
  476. ( ((PLUID)L1)->HighPart == ((PLUID)L2)->HighPart ) ) \
  478. #define SecIsZeroLuid( L1 ) \
  479. ( ( L1->LowPart | L1->HighPart ) == 0 )
  481. //
  482. // The following structures are used by the helper functions
  483. //
  485. typedef struct _SECPKG_CLIENT_INFO {
  486. LUID LogonId; // Effective Logon Id
  487. ULONG ProcessID; // Process Id of caller
  488. ULONG ThreadID; // Thread Id of caller
  489. BOOLEAN HasTcbPrivilege; // Client has TCB
  490. BOOLEAN Impersonating; // Client is impersonating
  491. BOOLEAN Restricted; // Client is restricted
  493. //
  494. // NT 5.1
  495. //
  497. UCHAR ClientFlags; // Extra flags about the client
  498. SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // Impersonation level of client
  500. } SECPKG_CLIENT_INFO, * PSECPKG_CLIENT_INFO;
  502. #define SECPKG_CLIENT_PROCESS_TERMINATED 0x01 // The client process has terminated
  503. #define SECPKG_CLIENT_THREAD_TERMINATED 0x02 // The client thread has terminated
  505. typedef struct _SECPKG_CALL_INFO {
  506. ULONG ProcessId ;
  507. ULONG ThreadId ;
  508. ULONG Attributes ;
  509. ULONG CallCount ;
  510. } SECPKG_CALL_INFO, * PSECPKG_CALL_INFO ;
  512. #define SECPKG_CALL_KERNEL_MODE 0x00000001 // Call originated in kernel mode
  513. #define SECPKG_CALL_ANSI 0x00000002 // Call came from ANSI stub
  514. #define SECPKG_CALL_URGENT 0x00000004 // Call designated urgent
  515. #define SECPKG_CALL_RECURSIVE 0x00000008 // Call is recursing
  516. #define SECPKG_CALL_IN_PROC 0x00000010 // Call originated in process
  517. #define SECPKG_CALL_CLEANUP 0x00000020 // Call is cleanup from a client
  518. #define SECPKG_CALL_WOWCLIENT 0x00000040 // Call is from a WOW client process
  519. #define SECPKG_CALL_THREAD_TERM 0x00000080 // Call is from a thread that has term'd
  520. #define SECPKG_CALL_PROCESS_TERM 0x00000100 // Call is from a process that has term'd
  521. #define SECPKG_CALL_IS_TCB 0x00000200 // Call is from TCB
  524. typedef struct _SECPKG_SUPPLEMENTAL_CRED {
  525. UNICODE_STRING PackageName;
  526. ULONG CredentialSize;
  527. #ifdef MIDL_PASS
  528. [size_is(CredentialSize)]
  529. #endif // MIDL_PASS
  530. PUCHAR Credentials;
  531. } SECPKG_SUPPLEMENTAL_CRED, *PSECPKG_SUPPLEMENTAL_CRED;
  533. typedef ULONG_PTR LSA_SEC_HANDLE ;
  534. typedef LSA_SEC_HANDLE * PLSA_SEC_HANDLE ;
  535. typedef struct _SECPKG_SUPPLEMENTAL_CRED_ARRAY {
  536. ULONG CredentialCount;
  537. #ifdef MIDL_PASS
  538. [size_is(CredentialCount)] SECPKG_SUPPLEMENTAL_CRED Credentials[*];
  539. #else // MIDL_PASS
  540. SECPKG_SUPPLEMENTAL_CRED Credentials[1];
  541. #endif // MIDL_PASS
  542. } SECPKG_SUPPLEMENTAL_CRED_ARRAY, *PSECPKG_SUPPLEMENTAL_CRED_ARRAY;
  544. //
  545. // This flag is used for to indicate which buffers in the LSA are located
  546. // in the client's address space
  547. //
  549. #define SECBUFFER_UNMAPPED 0x40000000
  551. //
  552. // This flag is used to indicate that the buffer was mapped into the LSA
  553. // from kernel mode.
  554. //
  556. #define SECBUFFER_KERNEL_MAP 0x20000000
  558. typedef NTSTATUS
  559. (NTAPI LSA_CALLBACK_FUNCTION)(
  560. ULONG_PTR Argument1,
  561. ULONG_PTR Argument2,
  562. PSecBuffer InputBuffer,
  563. PSecBuffer OutputBuffer
  564. );
  566. typedef LSA_CALLBACK_FUNCTION * PLSA_CALLBACK_FUNCTION ;
  570. #define PRIMARY_CRED_CLEAR_PASSWORD 0x1
  571. #define PRIMARY_CRED_OWF_PASSWORD 0x2
  572. #define PRIMARY_CRED_UPDATE 0x4 // this is a change of existing creds
  573. #define PRIMARY_CRED_CACHED_LOGON 0x8
  575. #define PRIMARY_CRED_LOGON_PACKAGE_SHIFT 24
  576. #define PRIMARY_CRED_PACKAGE_MASK 0xff000000
  578. //
  579. // For cached logons, the RPC id of the package doing the logon is identified
  580. // by shifting the flags to the right by the PRIMARY_CRED_LOGON_PACKAGE_SHIFT.
  581. //
  583. typedef struct _SECPKG_PRIMARY_CRED {
  584. LUID LogonId;
  585. UNICODE_STRING DownlevelName; // Sam Account Name
  586. UNICODE_STRING DomainName; // Netbios domain name where account is located
  587. UNICODE_STRING Password;
  588. UNICODE_STRING OldPassword;
  589. PSID UserSid;
  590. ULONG Flags;
  591. UNICODE_STRING DnsDomainName; // DNS domain name where account is located (if known)
  592. UNICODE_STRING Upn; // UPN of account (if known)
  594. UNICODE_STRING LogonServer;
  595. UNICODE_STRING Spare1;
  596. UNICODE_STRING Spare2;
  597. UNICODE_STRING Spare3;
  598. UNICODE_STRING Spare4;
  599. } SECPKG_PRIMARY_CRED, *PSECPKG_PRIMARY_CRED;
  601. //
  602. // Maximum size of stored credentials.
  603. //
  605. #define MAX_CRED_SIZE 1024
  607. // Values for MachineState
  609. #define SECPKG_STATE_ENCRYPTION_PERMITTED 0x01
  610. #define SECPKG_STATE_STRONG_ENCRYPTION_PERMITTED 0x02
  611. #define SECPKG_STATE_DOMAIN_CONTROLLER 0x04
  612. #define SECPKG_STATE_WORKSTATION 0x08
  613. #define SECPKG_STATE_STANDALONE 0x10
  615. typedef struct _SECPKG_PARAMETERS {
  616. ULONG Version;
  617. ULONG MachineState;
  618. ULONG SetupMode;
  619. PSID DomainSid;
  620. UNICODE_STRING DomainName;
  621. UNICODE_STRING DnsDomainName;
  622. GUID DomainGuid;
  623. } SECPKG_PARAMETERS, *PSECPKG_PARAMETERS;
  626. //
  627. // Extended Package information structures
  628. //
  630. typedef enum _SECPKG_EXTENDED_INFORMATION_CLASS {
  631. SecpkgGssInfo = 1,
  632. SecpkgContextThunks,
  633. SecpkgMutualAuthLevel,
  634. SecpkgWowClientDll,
  635. SecpkgExtraOids,
  636. SecpkgMaxInfo
  637. } SECPKG_EXTENDED_INFORMATION_CLASS ;
  639. typedef struct _SECPKG_GSS_INFO {
  640. ULONG EncodedIdLength ;
  641. UCHAR EncodedId[4] ;
  642. } SECPKG_GSS_INFO, * PSECPKG_GSS_INFO ;
  644. typedef struct _SECPKG_CONTEXT_THUNKS {
  645. ULONG InfoLevelCount ;
  646. ULONG Levels[1] ;
  647. } SECPKG_CONTEXT_THUNKS, *PSECPKG_CONTEXT_THUNKS ;
  649. typedef struct _SECPKG_MUTUAL_AUTH_LEVEL {
  650. ULONG MutualAuthLevel ;
  651. } SECPKG_MUTUAL_AUTH_LEVEL, * PSECPKG_MUTUAL_AUTH_LEVEL ;
  653. typedef struct _SECPKG_WOW_CLIENT_DLL {
  654. SECURITY_STRING WowClientDllPath;
  655. } SECPKG_WOW_CLIENT_DLL, * PSECPKG_WOW_CLIENT_DLL ;
  657. #define SECPKG_MAX_OID_LENGTH 32
  659. typedef struct _SECPKG_SERIALIZED_OID {
  660. ULONG OidLength ;
  661. ULONG OidAttributes ;
  662. UCHAR OidValue[ SECPKG_MAX_OID_LENGTH ];
  663. } SECPKG_SERIALIZED_OID, * PSECPKG_SERIALIZED_OID ;
  665. typedef struct _SECPKG_EXTRA_OIDS {
  666. ULONG OidCount ;
  667. SECPKG_SERIALIZED_OID Oids[ 1 ];
  668. } SECPKG_EXTRA_OIDS, * PSECPKG_EXTRA_OIDS;
  671. typedef struct _SECPKG_EXTENDED_INFORMATION {
  672. SECPKG_EXTENDED_INFORMATION_CLASS Class ;
  673. union {
  674. SECPKG_GSS_INFO GssInfo ;
  675. SECPKG_CONTEXT_THUNKS ContextThunks ;
  676. SECPKG_MUTUAL_AUTH_LEVEL MutualAuthLevel ;
  677. SECPKG_WOW_CLIENT_DLL WowClientDll ;
  678. SECPKG_EXTRA_OIDS ExtraOids ;
  679. } Info ;
  680. } SECPKG_EXTENDED_INFORMATION, * PSECPKG_EXTENDED_INFORMATION ;
  683. #define SECPKG_ATTR_SASL_CONTEXT 0x00010000
  685. typedef struct _SecPkgContext_SaslContext {
  686. PVOID SaslContext ;
  687. } SecPkgContext_SaslContext, * PSecPkgContext_SaslContext ;
  689. //
  690. // Setting this value as the first context thunk value will cause all
  691. // calls to go to the LSA:
  692. //
  694. #define SECPKG_ATTR_THUNK_ALL 0x00010000
  697. #ifndef SECURITY_USER_DATA_DEFINED
  698. #define SECURITY_USER_DATA_DEFINED
  700. typedef struct _SECURITY_USER_DATA {
  701. SECURITY_STRING UserName; // User name
  702. SECURITY_STRING LogonDomainName; // Domain the user logged on to
  703. SECURITY_STRING LogonServer; // Server that logged the user on
  704. PSID pSid; // SID of user
  705. } SECURITY_USER_DATA, *PSECURITY_USER_DATA;
  707. typedef SECURITY_USER_DATA SecurityUserData, * PSecurityUserData;
  710. #define UNDERSTANDS_LONG_NAMES 1
  711. #define NO_LONG_NAMES 2
  713. #endif // SECURITY_USER_DATA_DEFINED
  715. //////////////////////////////////////////////////////////////////////////
  716. //
  717. // The following prototypes are to functions that are provided by the SPMgr
  718. // to security packages.
  719. //
  720. //////////////////////////////////////////////////////////////////////////
  722. typedef NTSTATUS
  723. (NTAPI LSA_IMPERSONATE_CLIENT) (
  724. VOID
  725. );
  728. typedef NTSTATUS
  729. (NTAPI LSA_UNLOAD_PACKAGE)(
  730. VOID
  731. );
  733. typedef NTSTATUS
  734. (NTAPI LSA_DUPLICATE_HANDLE)(
  735. IN HANDLE SourceHandle,
  736. OUT PHANDLE DestionationHandle);
  739. typedef NTSTATUS
  740. (NTAPI LSA_SAVE_SUPPLEMENTAL_CREDENTIALS)(
  741. IN PLUID LogonId,
  742. IN ULONG SupplementalCredSize,
  743. IN PVOID SupplementalCreds,
  744. IN BOOLEAN Synchronous
  745. );
  748. typedef HANDLE
  749. (NTAPI LSA_CREATE_THREAD)(
  750. IN SEC_ATTRS SecurityAttributes,
  751. IN ULONG StackSize,
  752. IN SEC_THREAD_START StartFunction,
  753. IN PVOID ThreadParameter,
  754. IN ULONG CreationFlags,
  755. OUT PULONG ThreadId
  756. );
  759. typedef NTSTATUS
  760. (NTAPI LSA_GET_CLIENT_INFO)(
  761. OUT PSECPKG_CLIENT_INFO ClientInfo
  762. );
  765. typedef HANDLE
  766. (NTAPI LSA_REGISTER_NOTIFICATION)(
  767. IN SEC_THREAD_START StartFunction,
  768. IN PVOID Parameter,
  769. IN ULONG NotificationType,
  770. IN ULONG NotificationClass,
  771. IN ULONG NotificationFlags,
  772. IN ULONG IntervalMinutes,
  773. IN OPTIONAL HANDLE WaitEvent
  774. );
  777. typedef NTSTATUS
  778. (NTAPI LSA_CANCEL_NOTIFICATION)(
  779. IN HANDLE NotifyHandle
  780. );
  782. typedef NTSTATUS
  783. (NTAPI LSA_MAP_BUFFER)(
  784. IN PSecBuffer InputBuffer,
  785. OUT PSecBuffer OutputBuffer
  786. );
  788. typedef NTSTATUS
  789. (NTAPI LSA_CREATE_TOKEN) (
  790. IN PLUID LogonId,
  791. IN PTOKEN_SOURCE TokenSource,
  792. IN SECURITY_LOGON_TYPE LogonType,
  793. IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  794. IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  795. IN PVOID TokenInformation,
  796. IN PTOKEN_GROUPS TokenGroups,
  797. IN PUNICODE_STRING AccountName,
  798. IN PUNICODE_STRING AuthorityName,
  799. IN PUNICODE_STRING Workstation,
  800. IN PUNICODE_STRING ProfilePath,
  801. OUT PHANDLE Token,
  802. OUT PNTSTATUS SubStatus
  803. );
  805. typedef enum _SECPKG_SESSIONINFO_TYPE {
  806. SecSessionPrimaryCred // SessionInformation is SECPKG_PRIMARY_CRED
  807. } SECPKG_SESSIONINFO_TYPE ;
  809. typedef NTSTATUS
  810. (NTAPI LSA_CREATE_TOKEN_EX) (
  811. IN PLUID LogonId,
  812. IN PTOKEN_SOURCE TokenSource,
  813. IN SECURITY_LOGON_TYPE LogonType,
  814. IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  815. IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  816. IN PVOID TokenInformation,
  817. IN PTOKEN_GROUPS TokenGroups,
  818. IN PUNICODE_STRING Workstation,
  819. IN PUNICODE_STRING ProfilePath,
  820. IN PVOID SessionInformation,
  821. IN SECPKG_SESSIONINFO_TYPE SessionInformationType,
  822. OUT PHANDLE Token,
  823. OUT PNTSTATUS SubStatus
  824. );
  826. typedef VOID
  827. (NTAPI LSA_AUDIT_LOGON) (
  828. IN NTSTATUS Status,
  829. IN NTSTATUS SubStatus,
  830. IN PUNICODE_STRING AccountName,
  831. IN PUNICODE_STRING AuthenticatingAuthority,
  832. IN PUNICODE_STRING WorkstationName,
  833. IN OPTIONAL PSID UserSid,
  834. IN SECURITY_LOGON_TYPE LogonType,
  835. IN PTOKEN_SOURCE TokenSource,
  836. IN PLUID LogonId
  837. );
  839. typedef NTSTATUS
  840. (NTAPI LSA_CALL_PACKAGE) (
  841. IN PUNICODE_STRING AuthenticationPackage,
  842. IN PVOID ProtocolSubmitBuffer,
  843. IN ULONG SubmitBufferLength,
  844. OUT PVOID *ProtocolReturnBuffer,
  845. OUT PULONG ReturnBufferLength,
  846. OUT PNTSTATUS ProtocolStatus
  847. );
  849. typedef NTSTATUS
  850. (NTAPI LSA_CALL_PACKAGEEX) (
  851. IN PUNICODE_STRING AuthenticationPackage,
  852. IN PVOID ClientBufferBase,
  853. IN PVOID ProtocolSubmitBuffer,
  854. IN ULONG SubmitBufferLength,
  855. OUT PVOID *ProtocolReturnBuffer,
  856. OUT PULONG ReturnBufferLength,
  857. OUT PNTSTATUS ProtocolStatus
  858. );
  860. typedef NTSTATUS
  861. (NTAPI LSA_CALL_PACKAGE_PASSTHROUGH) (
  862. IN PUNICODE_STRING AuthenticationPackage,
  863. IN PVOID ClientBufferBase,
  864. IN PVOID ProtocolSubmitBuffer,
  865. IN ULONG SubmitBufferLength,
  866. OUT PVOID *ProtocolReturnBuffer,
  867. OUT PULONG ReturnBufferLength,
  868. OUT PNTSTATUS ProtocolStatus
  869. );
  871. typedef BOOLEAN
  872. (NTAPI LSA_GET_CALL_INFO) (
  873. OUT PSECPKG_CALL_INFO Info
  874. );
  876. typedef PVOID
  877. (NTAPI LSA_CREATE_SHARED_MEMORY)(
  878. ULONG MaxSize,
  879. ULONG InitialSize
  880. );
  882. typedef PVOID
  883. (NTAPI LSA_ALLOCATE_SHARED_MEMORY)(
  884. PVOID SharedMem,
  885. ULONG Size
  886. );
  888. typedef VOID
  889. (NTAPI LSA_FREE_SHARED_MEMORY)(
  890. PVOID SharedMem,
  891. PVOID Memory
  892. );
  894. typedef BOOLEAN
  895. (NTAPI LSA_DELETE_SHARED_MEMORY)(
  896. PVOID SharedMem
  897. );
  899. //
  900. // Account Access
  901. //
  903. typedef enum _SECPKG_NAME_TYPE {
  904. SecNameSamCompatible,
  905. SecNameAlternateId,
  906. SecNameFlat,
  907. SecNameDN
  908. } SECPKG_NAME_TYPE ;
  910. typedef NTSTATUS
  911. (NTAPI LSA_OPEN_SAM_USER)(
  912. PSECURITY_STRING Name,
  913. SECPKG_NAME_TYPE NameType,
  914. PSECURITY_STRING Prefix,
  915. BOOLEAN AllowGuest,
  916. ULONG Reserved,
  917. PVOID * UserHandle
  918. );
  920. typedef NTSTATUS
  921. (NTAPI LSA_GET_USER_CREDENTIALS)(
  922. PVOID UserHandle,
  923. PVOID * PrimaryCreds,
  924. PULONG PrimaryCredsSize,
  925. PVOID * SupplementalCreds,
  926. PULONG SupplementalCredsSize
  927. );
  929. typedef NTSTATUS
  930. (NTAPI LSA_GET_USER_AUTH_DATA)(
  931. PVOID UserHandle,
  932. PUCHAR * UserAuthData,
  933. PULONG UserAuthDataSize
  934. );
  936. typedef NTSTATUS
  937. (NTAPI LSA_CLOSE_SAM_USER)(
  938. PVOID UserHandle
  939. );
  941. typedef NTSTATUS
  942. (NTAPI LSA_GET_AUTH_DATA_FOR_USER)(
  943. PSECURITY_STRING Name,
  944. SECPKG_NAME_TYPE NameType,
  945. PSECURITY_STRING Prefix,
  946. PUCHAR * UserAuthData,
  947. PULONG UserAuthDataSize,
  948. PUNICODE_STRING UserFlatName
  949. );
  951. typedef NTSTATUS
  952. (NTAPI LSA_CONVERT_AUTH_DATA_TO_TOKEN)(
  953. IN PVOID UserAuthData,
  954. IN ULONG UserAuthDataSize,
  955. IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  956. IN PTOKEN_SOURCE TokenSource,
  957. IN SECURITY_LOGON_TYPE LogonType,
  958. IN PUNICODE_STRING AuthorityName,
  959. OUT PHANDLE Token,
  960. OUT PLUID LogonId,
  961. OUT PUNICODE_STRING AccountName,
  962. OUT PNTSTATUS SubStatus
  963. );
  965. typedef NTSTATUS
  966. (NTAPI LSA_CRACK_SINGLE_NAME)(
  967. IN ULONG FormatOffered,
  968. IN BOOLEAN PerformAtGC,
  969. IN PUNICODE_STRING NameInput,
  970. IN PUNICODE_STRING Prefix OPTIONAL,
  971. IN ULONG RequestedFormat,
  972. OUT PUNICODE_STRING CrackedName,
  973. OUT PUNICODE_STRING DnsDomainName,
  974. OUT PULONG SubStatus
  975. );
  977. typedef NTSTATUS
  978. (NTAPI LSA_AUDIT_ACCOUNT_LOGON)(
  979. IN ULONG AuditId,
  980. IN BOOLEAN Success,
  981. IN PUNICODE_STRING Source,
  982. IN PUNICODE_STRING ClientName,
  983. IN PUNICODE_STRING MappedName,
  984. IN NTSTATUS Status
  985. );
  988. typedef NTSTATUS
  989. (NTAPI LSA_CLIENT_CALLBACK)(
  990. PCHAR Callback,
  991. ULONG_PTR Argument1,
  992. ULONG_PTR Argument2,
  993. PSecBuffer Input,
  994. PSecBuffer Output
  995. );
  997. typedef
  998. NTSTATUS
  999. (NTAPI LSA_REGISTER_CALLBACK)(
  1000. ULONG CallbackId,
  1001. PLSA_CALLBACK_FUNCTION Callback
  1002. );
  1004. #define NOTIFIER_FLAG_NEW_THREAD 0x00000001
  1005. #define NOTIFIER_FLAG_ONE_SHOT 0x00000002
  1006. #define NOTIFIER_FLAG_SECONDS 0x80000000
  1008. #define NOTIFIER_TYPE_INTERVAL 1
  1009. #define NOTIFIER_TYPE_HANDLE_WAIT 2
  1010. #define NOTIFIER_TYPE_STATE_CHANGE 3
  1011. #define NOTIFIER_TYPE_NOTIFY_EVENT 4
  1012. #define NOTIFIER_TYPE_IMMEDIATE 16
  1014. #define NOTIFY_CLASS_PACKAGE_CHANGE 1
  1015. #define NOTIFY_CLASS_ROLE_CHANGE 2
  1016. #define NOTIFY_CLASS_DOMAIN_CHANGE 3
  1017. #define NOTIFY_CLASS_REGISTRY_CHANGE 4
  1019. typedef struct _SECPKG_EVENT_PACKAGE_CHANGE {
  1020. ULONG ChangeType;
  1021. LSA_SEC_HANDLE PackageId;
  1022. SECURITY_STRING PackageName;
  1023. } SECPKG_EVENT_PACKAGE_CHANGE, * PSECPKG_EVENT_PACKAGE_CHANGE ;
  1025. #define SECPKG_PACKAGE_CHANGE_LOAD 0
  1026. #define SECPKG_PACKAGE_CHANGE_UNLOAD 1
  1027. #define SECPKG_PACKAGE_CHANGE_SELECT 2
  1029. typedef struct _SECPKG_EVENT_ROLE_CHANGE {
  1030. ULONG PreviousRole ;
  1031. ULONG NewRole ;
  1032. } SECPKG_EVENT_ROLE_CHANGE, * PSECPKG_EVENT_ROLE_CHANGE ;
  1034. typedef struct _SECPKG_PARAMETERS SECPKG_EVENT_DOMAIN_CHANGE ;
  1035. typedef struct _SECPKG_PARAMETERS * PSECPKG_EVENT_DOMAIN_CHANGE ;
  1038. typedef struct _SECPKG_EVENT_NOTIFY {
  1039. ULONG EventClass;
  1040. ULONG Reserved;
  1041. ULONG EventDataSize;
  1042. PVOID EventData;
  1043. PVOID PackageParameter;
  1044. } SECPKG_EVENT_NOTIFY, *PSECPKG_EVENT_NOTIFY ;
  1047. typedef
  1048. NTSTATUS
  1049. (NTAPI LSA_UPDATE_PRIMARY_CREDENTIALS)(
  1050. IN PSECPKG_PRIMARY_CRED PrimaryCredentials,
  1051. IN OPTIONAL PSECPKG_SUPPLEMENTAL_CRED_ARRAY Credentials
  1052. );
  1054. typedef
  1055. VOID
  1056. (NTAPI LSA_PROTECT_MEMORY)(
  1057. IN PVOID Buffer,
  1058. IN ULONG BufferSize
  1059. );
  1061. typedef
  1062. NTSTATUS
  1063. (NTAPI LSA_OPEN_TOKEN_BY_LOGON_ID)(
  1064. IN PLUID LogonId,
  1065. OUT HANDLE *RetTokenHandle
  1066. );
  1068. typedef
  1069. NTSTATUS
  1070. (NTAPI LSA_EXPAND_AUTH_DATA_FOR_DOMAIN)(
  1071. IN PUCHAR UserAuthData,
  1072. IN ULONG UserAuthDataSize,
  1073. IN PVOID Reserved,
  1074. OUT PUCHAR * ExpandedAuthData,
  1075. OUT PULONG ExpandedAuthDataSize
  1076. );
  1078. typedef LSA_IMPERSONATE_CLIENT * PLSA_IMPERSONATE_CLIENT;
  1079. typedef LSA_UNLOAD_PACKAGE * PLSA_UNLOAD_PACKAGE;
  1080. typedef LSA_DUPLICATE_HANDLE * PLSA_DUPLICATE_HANDLE ;
  1081. typedef LSA_SAVE_SUPPLEMENTAL_CREDENTIALS * PLSA_SAVE_SUPPLEMENTAL_CREDENTIALS;
  1082. typedef LSA_CREATE_THREAD * PLSA_CREATE_THREAD;
  1083. typedef LSA_GET_CLIENT_INFO * PLSA_GET_CLIENT_INFO;
  1084. typedef LSA_REGISTER_NOTIFICATION * PLSA_REGISTER_NOTIFICATION;
  1085. typedef LSA_CANCEL_NOTIFICATION * PLSA_CANCEL_NOTIFICATION;
  1086. typedef LSA_MAP_BUFFER * PLSA_MAP_BUFFER;
  1087. typedef LSA_CREATE_TOKEN * PLSA_CREATE_TOKEN;
  1088. typedef LSA_AUDIT_LOGON * PLSA_AUDIT_LOGON;
  1089. typedef LSA_CALL_PACKAGE * PLSA_CALL_PACKAGE;
  1090. typedef LSA_CALL_PACKAGEEX * PLSA_CALL_PACKAGEEX;
  1091. typedef LSA_GET_CALL_INFO * PLSA_GET_CALL_INFO ;
  1092. typedef LSA_CREATE_SHARED_MEMORY * PLSA_CREATE_SHARED_MEMORY ;
  1093. typedef LSA_ALLOCATE_SHARED_MEMORY * PLSA_ALLOCATE_SHARED_MEMORY ;
  1094. typedef LSA_FREE_SHARED_MEMORY * PLSA_FREE_SHARED_MEMORY ;
  1095. typedef LSA_DELETE_SHARED_MEMORY * PLSA_DELETE_SHARED_MEMORY ;
  1096. typedef LSA_OPEN_SAM_USER * PLSA_OPEN_SAM_USER ;
  1097. typedef LSA_GET_USER_CREDENTIALS * PLSA_GET_USER_CREDENTIALS ;
  1098. typedef LSA_GET_USER_AUTH_DATA * PLSA_GET_USER_AUTH_DATA ;
  1099. typedef LSA_CLOSE_SAM_USER * PLSA_CLOSE_SAM_USER ;
  1100. typedef LSA_CONVERT_AUTH_DATA_TO_TOKEN * PLSA_CONVERT_AUTH_DATA_TO_TOKEN ;
  1101. typedef LSA_CLIENT_CALLBACK * PLSA_CLIENT_CALLBACK ;
  1102. typedef LSA_REGISTER_CALLBACK * PLSA_REGISTER_CALLBACK ;
  1103. typedef LSA_UPDATE_PRIMARY_CREDENTIALS * PLSA_UPDATE_PRIMARY_CREDENTIALS;
  1104. typedef LSA_GET_AUTH_DATA_FOR_USER * PLSA_GET_AUTH_DATA_FOR_USER ;
  1105. typedef LSA_CRACK_SINGLE_NAME * PLSA_CRACK_SINGLE_NAME ;
  1106. typedef LSA_AUDIT_ACCOUNT_LOGON * PLSA_AUDIT_ACCOUNT_LOGON ;
  1107. typedef LSA_CALL_PACKAGE_PASSTHROUGH * PLSA_CALL_PACKAGE_PASSTHROUGH;
  1108. typedef LSA_PROTECT_MEMORY * PLSA_PROTECT_MEMORY;
  1109. typedef LSA_OPEN_TOKEN_BY_LOGON_ID * PLSA_OPEN_TOKEN_BY_LOGON_ID;
  1110. typedef LSA_EXPAND_AUTH_DATA_FOR_DOMAIN * PLSA_EXPAND_AUTH_DATA_FOR_DOMAIN;
  1111. typedef LSA_CREATE_TOKEN_EX * PLSA_CREATE_TOKEN_EX;
  1113. #ifdef _WINCRED_H_
  1115. //
  1116. // When passing a credential around, the CredentialBlob field is encrypted.
  1117. // This structure describes this encrypted form.
  1118. //
  1119. //
  1120. #ifndef _ENCRYPTED_CREDENTIAL_DEFINED
  1121. #define _ENCRYPTED_CREDENTIAL_DEFINED
  1123. typedef struct _ENCRYPTED_CREDENTIALW {
  1125. //
  1126. // The credential
  1127. //
  1128. // The CredentialBlob field points to the encrypted credential
  1129. // The CredentialBlobSize field is the length (in bytes) of the encrypted credential
  1130. //
  1132. CREDENTIALW Cred;
  1134. //
  1135. // The size in bytes of the clear text credential blob
  1136. //
  1138. ULONG ClearCredentialBlobSize;
  1139. } ENCRYPTED_CREDENTIALW, *PENCRYPTED_CREDENTIALW;
  1140. #endif // _ENCRYPTED_CREDENTIAL_DEFINED
  1142. //
  1143. // Values for CredFlags parameter
  1144. //
  1146. #define CREDP_FLAGS_IN_PROCESS 0x01 // Caller is in-process. Password data may be returned
  1147. #define CREDP_FLAGS_USE_MIDL_HEAP 0x02 // Allocated buffer should use MIDL_user_allocte
  1148. #define CREDP_FLAGS_DONT_CACHE_TI 0x04 // TargetInformation shouldn't be cached for CredGetTargetInfo
  1149. #define CREDP_FLAGS_CLEAR_PASSWORD 0x08 // Credential blob is passed in in-the-clear
  1151. typedef NTSTATUS
  1152. (NTAPI CredReadFn) (
  1153. IN PLUID LogonId,
  1154. IN ULONG CredFlags,
  1155. IN LPWSTR TargetName,
  1156. IN ULONG Type,
  1157. IN ULONG Flags,
  1158. OUT PENCRYPTED_CREDENTIALW *Credential
  1159. );
  1161. typedef NTSTATUS
  1162. (NTAPI CredReadDomainCredentialsFn) (
  1163. IN PLUID LogonId,
  1164. IN ULONG CredFlags,
  1165. IN PCREDENTIAL_TARGET_INFORMATIONW TargetInfo,
  1166. IN ULONG Flags,
  1167. OUT PULONG Count,
  1168. OUT PENCRYPTED_CREDENTIALW **Credential
  1169. );
  1171. typedef VOID
  1172. (NTAPI CredFreeCredentialsFn) (
  1173. IN ULONG Count,
  1174. IN PENCRYPTED_CREDENTIALW *Credentials OPTIONAL
  1175. );
  1177. NTSTATUS
  1178. CredMarshalTargetInfo (
  1179. IN PCREDENTIAL_TARGET_INFORMATIONW InTargetInfo,
  1180. OUT PUSHORT *Buffer,
  1181. OUT PULONG BufferSize
  1182. );
  1184. NTSTATUS
  1185. CredUnmarshalTargetInfo (
  1186. IN PUSHORT Buffer,
  1187. IN ULONG BufferSize,
  1188. OUT PCREDENTIAL_TARGET_INFORMATIONW *RetTargetInfo
  1189. );
  1191. #endif // _WINCRED_H_
  1194. //
  1195. // Pure 32-bit versions of credential structures for packages
  1196. // running wow64:
  1197. //
  1199. typedef struct _SEC_WINNT_AUTH_IDENTITY32 {
  1200. ULONG User ;
  1201. ULONG UserLength ;
  1202. ULONG Domain ;
  1203. ULONG DomainLength ;
  1204. ULONG Password ;
  1205. ULONG PasswordLength ;
  1206. ULONG Flags ;
  1207. } SEC_WINNT_AUTH_IDENTITY32, * PSEC_WINNT_AUTH_IDENTITY32 ;
  1209. typedef struct _SEC_WINNT_AUTH_IDENTITY_EX32 {
  1210. ULONG Version ;
  1211. ULONG Length ;
  1212. ULONG User ;
  1213. ULONG UserLength ;
  1214. ULONG Domain ;
  1215. ULONG DomainLength ;
  1216. ULONG Password ;
  1217. ULONG PasswordLength ;
  1218. ULONG Flags ;
  1219. ULONG PackageList ;
  1220. ULONG PackageListLength ;
  1221. } SEC_WINNT_AUTH_IDENTITY_EX32, * PSEC_WINNT_AUTH_IDENTITY_EX32 ;
  1223. // Functions provided by the SPM to the packages:
  1224. typedef struct _LSA_SECPKG_FUNCTION_TABLE {
  1225. PLSA_CREATE_LOGON_SESSION CreateLogonSession;
  1226. PLSA_DELETE_LOGON_SESSION DeleteLogonSession;
  1227. PLSA_ADD_CREDENTIAL AddCredential;
  1228. PLSA_GET_CREDENTIALS GetCredentials;
  1229. PLSA_DELETE_CREDENTIAL DeleteCredential;
  1230. PLSA_ALLOCATE_LSA_HEAP AllocateLsaHeap;
  1231. PLSA_FREE_LSA_HEAP FreeLsaHeap;
  1232. PLSA_ALLOCATE_CLIENT_BUFFER AllocateClientBuffer;
  1233. PLSA_FREE_CLIENT_BUFFER FreeClientBuffer;
  1234. PLSA_COPY_TO_CLIENT_BUFFER CopyToClientBuffer;
  1235. PLSA_COPY_FROM_CLIENT_BUFFER CopyFromClientBuffer;
  1236. PLSA_IMPERSONATE_CLIENT ImpersonateClient;
  1237. PLSA_UNLOAD_PACKAGE UnloadPackage;
  1238. PLSA_DUPLICATE_HANDLE DuplicateHandle;
  1239. PLSA_SAVE_SUPPLEMENTAL_CREDENTIALS SaveSupplementalCredentials;
  1240. PLSA_CREATE_THREAD CreateThread;
  1241. PLSA_GET_CLIENT_INFO GetClientInfo;
  1242. PLSA_REGISTER_NOTIFICATION RegisterNotification;
  1243. PLSA_CANCEL_NOTIFICATION CancelNotification;
  1244. PLSA_MAP_BUFFER MapBuffer;
  1245. PLSA_CREATE_TOKEN CreateToken;
  1246. PLSA_AUDIT_LOGON AuditLogon;
  1247. PLSA_CALL_PACKAGE CallPackage;
  1248. PLSA_FREE_LSA_HEAP FreeReturnBuffer;
  1249. PLSA_GET_CALL_INFO GetCallInfo;
  1250. PLSA_CALL_PACKAGEEX CallPackageEx;
  1251. PLSA_CREATE_SHARED_MEMORY CreateSharedMemory;
  1252. PLSA_ALLOCATE_SHARED_MEMORY AllocateSharedMemory;
  1253. PLSA_FREE_SHARED_MEMORY FreeSharedMemory;
  1254. PLSA_DELETE_SHARED_MEMORY DeleteSharedMemory;
  1255. PLSA_OPEN_SAM_USER OpenSamUser ;
  1256. PLSA_GET_USER_CREDENTIALS GetUserCredentials ;
  1257. PLSA_GET_USER_AUTH_DATA GetUserAuthData ;
  1258. PLSA_CLOSE_SAM_USER CloseSamUser ;
  1259. PLSA_CONVERT_AUTH_DATA_TO_TOKEN ConvertAuthDataToToken ;
  1260. PLSA_CLIENT_CALLBACK ClientCallback ;
  1261. PLSA_UPDATE_PRIMARY_CREDENTIALS UpdateCredentials ;
  1262. PLSA_GET_AUTH_DATA_FOR_USER GetAuthDataForUser ;
  1263. PLSA_CRACK_SINGLE_NAME CrackSingleName ;
  1264. PLSA_AUDIT_ACCOUNT_LOGON AuditAccountLogon ;
  1265. PLSA_CALL_PACKAGE_PASSTHROUGH CallPackagePassthrough ;
  1266. #ifdef _WINCRED_H_
  1267. CredReadFn *CrediRead;
  1268. CredReadDomainCredentialsFn *CrediReadDomainCredentials;
  1269. CredFreeCredentialsFn *CrediFreeCredentials;
  1270. #else // _WINCRED_H_
  1271. PLSA_PROTECT_MEMORY DummyFunction1;
  1272. PLSA_PROTECT_MEMORY DummyFunction2;
  1273. PLSA_PROTECT_MEMORY DummyFunction3;
  1274. #endif // _WINCRED_H_
  1275. PLSA_PROTECT_MEMORY LsaProtectMemory;
  1276. PLSA_PROTECT_MEMORY LsaUnprotectMemory;
  1277. PLSA_OPEN_TOKEN_BY_LOGON_ID OpenTokenByLogonId;
  1278. PLSA_EXPAND_AUTH_DATA_FOR_DOMAIN ExpandAuthDataForDomain;
  1279. PLSA_ALLOCATE_PRIVATE_HEAP AllocatePrivateHeap;
  1280. PLSA_FREE_PRIVATE_HEAP FreePrivateHeap;
  1281. PLSA_CREATE_TOKEN_EX CreateTokenEx;
  1282. } LSA_SECPKG_FUNCTION_TABLE, *PLSA_SECPKG_FUNCTION_TABLE;
  1284. typedef struct _SECPKG_DLL_FUNCTIONS {
  1285. PLSA_ALLOCATE_LSA_HEAP AllocateHeap;
  1286. PLSA_FREE_LSA_HEAP FreeHeap;
  1287. PLSA_REGISTER_CALLBACK RegisterCallback ;
  1288. } SECPKG_DLL_FUNCTIONS, * PSECPKG_DLL_FUNCTIONS;
  1293. //
  1294. // The following prototypes are to functions that will be called only while
  1295. // in the Security Package Manager context.
  1296. //
  1298. typedef NTSTATUS
  1299. (NTAPI SpInitializeFn)(
  1300. IN ULONG_PTR PackageId,
  1301. IN PSECPKG_PARAMETERS Parameters,
  1302. IN PLSA_SECPKG_FUNCTION_TABLE FunctionTable
  1303. );
  1305. typedef NTSTATUS
  1306. (NTAPI SpShutdownFn)(
  1307. VOID
  1308. );
  1310. typedef NTSTATUS
  1311. (NTAPI SpGetInfoFn)(
  1312. OUT PSecPkgInfo PackageInfo
  1313. );
  1315. typedef NTSTATUS
  1316. (NTAPI SpGetExtendedInformationFn)(
  1317. IN SECPKG_EXTENDED_INFORMATION_CLASS Class,
  1318. OUT PSECPKG_EXTENDED_INFORMATION * ppInformation
  1319. );
  1321. typedef NTSTATUS
  1322. (NTAPI SpSetExtendedInformationFn)(
  1323. IN SECPKG_EXTENDED_INFORMATION_CLASS Class,
  1324. IN PSECPKG_EXTENDED_INFORMATION Info
  1325. );
  1327. typedef NTSTATUS
  1328. (LSA_AP_LOGON_USER_EX2) (
  1329. IN PLSA_CLIENT_REQUEST ClientRequest,
  1330. IN SECURITY_LOGON_TYPE LogonType,
  1331. IN PVOID AuthenticationInformation,
  1332. IN PVOID ClientAuthenticationBase,
  1333. IN ULONG AuthenticationInformationLength,
  1334. OUT PVOID *ProfileBuffer,
  1335. OUT PULONG ProfileBufferLength,
  1336. OUT PLUID LogonId,
  1337. OUT PNTSTATUS SubStatus,
  1338. OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  1339. OUT PVOID *TokenInformation,
  1340. OUT PUNICODE_STRING *AccountName,
  1341. OUT PUNICODE_STRING *AuthenticatingAuthority,
  1342. OUT PUNICODE_STRING *MachineName,
  1343. OUT PSECPKG_PRIMARY_CRED PrimaryCredentials,
  1344. OUT PSECPKG_SUPPLEMENTAL_CRED_ARRAY * CachedCredentials
  1345. );
  1347. typedef LSA_AP_LOGON_USER_EX2 *PLSA_AP_LOGON_USER_EX2;
  1348. #define LSA_AP_NAME_LOGON_USER_EX2 "LsaApLogonUserEx2\0"
  1350. typedef NTSTATUS
  1351. (NTAPI SpAcceptCredentialsFn)(
  1352. IN SECURITY_LOGON_TYPE LogonType,
  1353. IN PUNICODE_STRING AccountName,
  1354. IN PSECPKG_PRIMARY_CRED PrimaryCredentials,
  1355. IN PSECPKG_SUPPLEMENTAL_CRED SupplementalCredentials
  1356. );
  1357. #define SP_ACCEPT_CREDENTIALS_NAME "SpAcceptCredentials\0"
  1359. typedef NTSTATUS
  1360. (NTAPI SpAcquireCredentialsHandleFn)(
  1361. IN OPTIONAL PUNICODE_STRING PrincipalName,
  1362. IN ULONG CredentialUseFlags,
  1363. IN OPTIONAL PLUID LogonId,
  1364. IN PVOID AuthorizationData,
  1365. IN PVOID GetKeyFunciton,
  1366. IN PVOID GetKeyArgument,
  1367. OUT PLSA_SEC_HANDLE CredentialHandle,
  1368. OUT PTimeStamp ExpirationTime
  1369. );
  1371. typedef NTSTATUS
  1372. (NTAPI SpFreeCredentialsHandleFn)(
  1373. IN LSA_SEC_HANDLE CredentialHandle
  1374. );
  1376. typedef NTSTATUS
  1377. (NTAPI SpQueryCredentialsAttributesFn)(
  1378. IN LSA_SEC_HANDLE CredentialHandle,
  1379. IN ULONG CredentialAttribute,
  1380. IN OUT PVOID Buffer
  1381. );
  1383. typedef NTSTATUS
  1384. (NTAPI SpAddCredentialsFn)(
  1385. IN LSA_SEC_HANDLE CredentialHandle,
  1386. IN OPTIONAL PUNICODE_STRING PrincipalName,
  1387. IN PUNICODE_STRING Package,
  1388. IN ULONG CredentialUseFlags,
  1389. IN PVOID AuthorizationData,
  1390. IN PVOID GetKeyFunciton,
  1391. IN PVOID GetKeyArgument,
  1392. OUT PTimeStamp ExpirationTime
  1393. );
  1395. typedef NTSTATUS
  1396. (NTAPI SpSaveCredentialsFn)(
  1397. IN LSA_SEC_HANDLE CredentialHandle,
  1398. IN PSecBuffer Credentials);
  1400. typedef NTSTATUS
  1401. (NTAPI SpGetCredentialsFn)(
  1402. IN LSA_SEC_HANDLE CredentialHandle,
  1403. IN OUT PSecBuffer Credentials
  1404. );
  1406. typedef NTSTATUS
  1407. (NTAPI SpDeleteCredentialsFn)(
  1408. IN LSA_SEC_HANDLE CredentialHandle,
  1409. IN PSecBuffer Key
  1410. );
  1412. typedef NTSTATUS
  1413. (NTAPI SpInitLsaModeContextFn)(
  1414. IN OPTIONAL LSA_SEC_HANDLE CredentialHandle,
  1415. IN OPTIONAL LSA_SEC_HANDLE ContextHandle,
  1416. IN OPTIONAL PUNICODE_STRING TargetName,
  1417. IN ULONG ContextRequirements,
  1418. IN ULONG TargetDataRep,
  1419. IN PSecBufferDesc InputBuffers,
  1420. OUT PLSA_SEC_HANDLE NewContextHandle,
  1421. IN OUT PSecBufferDesc OutputBuffers,
  1422. OUT PULONG ContextAttributes,
  1423. OUT PTimeStamp ExpirationTime,
  1424. OUT PBOOLEAN MappedContext,
  1425. OUT PSecBuffer ContextData
  1426. );
  1431. typedef NTSTATUS
  1432. (NTAPI SpDeleteContextFn)(
  1433. IN LSA_SEC_HANDLE ContextHandle
  1434. );
  1436. typedef NTSTATUS
  1437. (NTAPI SpApplyControlTokenFn)(
  1438. IN LSA_SEC_HANDLE ContextHandle,
  1439. IN PSecBufferDesc ControlToken);
  1442. typedef NTSTATUS
  1443. (NTAPI SpAcceptLsaModeContextFn)(
  1444. IN OPTIONAL LSA_SEC_HANDLE CredentialHandle,
  1445. IN OPTIONAL LSA_SEC_HANDLE ContextHandle,
  1446. IN PSecBufferDesc InputBuffer,
  1447. IN ULONG ContextRequirements,
  1448. IN ULONG TargetDataRep,
  1449. OUT PLSA_SEC_HANDLE NewContextHandle,
  1450. OUT PSecBufferDesc OutputBuffer,
  1451. OUT PULONG ContextAttributes,
  1452. OUT PTimeStamp ExpirationTime,
  1453. OUT PBOOLEAN MappedContext,
  1454. OUT PSecBuffer ContextData
  1455. );
  1460. typedef NTSTATUS
  1461. (NTAPI SpGetUserInfoFn)(
  1462. IN PLUID LogonId,
  1463. IN ULONG Flags,
  1464. OUT PSecurityUserData * UserData
  1465. );
  1467. typedef NTSTATUS
  1468. (NTAPI SpQueryContextAttributesFn)(
  1469. IN LSA_SEC_HANDLE ContextHandle,
  1470. IN ULONG ContextAttribute,
  1471. IN OUT PVOID Buffer);
  1473. typedef NTSTATUS
  1474. (NTAPI SpSetContextAttributesFn)(
  1475. IN LSA_SEC_HANDLE ContextHandle,
  1476. IN ULONG ContextAttribute,
  1477. IN PVOID Buffer,
  1478. IN ULONG BufferSize );
  1482. typedef struct _SECPKG_FUNCTION_TABLE {
  1483. PLSA_AP_INITIALIZE_PACKAGE InitializePackage;
  1484. PLSA_AP_LOGON_USER LogonUser;
  1485. PLSA_AP_CALL_PACKAGE CallPackage;
  1486. PLSA_AP_LOGON_TERMINATED LogonTerminated;
  1487. PLSA_AP_CALL_PACKAGE_UNTRUSTED CallPackageUntrusted;
  1488. PLSA_AP_CALL_PACKAGE_PASSTHROUGH CallPackagePassthrough;
  1489. PLSA_AP_LOGON_USER_EX LogonUserEx;
  1490. PLSA_AP_LOGON_USER_EX2 LogonUserEx2;
  1491. SpInitializeFn * Initialize;
  1492. SpShutdownFn * Shutdown;
  1493. SpGetInfoFn * GetInfo;
  1494. SpAcceptCredentialsFn * AcceptCredentials;
  1495. SpAcquireCredentialsHandleFn * AcquireCredentialsHandle;
  1496. SpQueryCredentialsAttributesFn * QueryCredentialsAttributes;
  1497. SpFreeCredentialsHandleFn * FreeCredentialsHandle;
  1498. SpSaveCredentialsFn * SaveCredentials;
  1499. SpGetCredentialsFn * GetCredentials;
  1500. SpDeleteCredentialsFn * DeleteCredentials;
  1501. SpInitLsaModeContextFn * InitLsaModeContext;
  1502. SpAcceptLsaModeContextFn * AcceptLsaModeContext;
  1503. SpDeleteContextFn * DeleteContext;
  1504. SpApplyControlTokenFn * ApplyControlToken;
  1505. SpGetUserInfoFn * GetUserInfo;
  1506. SpGetExtendedInformationFn * GetExtendedInformation ;
  1507. SpQueryContextAttributesFn * QueryContextAttributes ;
  1508. SpAddCredentialsFn * AddCredentials ;
  1509. SpSetExtendedInformationFn * SetExtendedInformation ;
  1510. SpSetContextAttributesFn * SetContextAttributes ;
  1511. } SECPKG_FUNCTION_TABLE, *PSECPKG_FUNCTION_TABLE;
  1513. //
  1514. // The following prototypes are to functions that will be called while in the
  1515. // context of a user process that is using the functions through the security
  1516. // DLL.
  1517. //
  1519. typedef NTSTATUS
  1520. (NTAPI SpInstanceInitFn)(
  1521. IN ULONG Version,
  1522. IN PSECPKG_DLL_FUNCTIONS FunctionTable,
  1523. OUT PVOID * UserFunctions
  1524. );
  1527. typedef NTSTATUS
  1528. (NTAPI SpInitUserModeContextFn)(
  1529. IN LSA_SEC_HANDLE ContextHandle,
  1530. IN PSecBuffer PackedContext
  1531. );
  1533. typedef NTSTATUS
  1534. (NTAPI SpMakeSignatureFn)(
  1535. IN LSA_SEC_HANDLE ContextHandle,
  1536. IN ULONG QualityOfProtection,
  1537. IN PSecBufferDesc MessageBuffers,
  1538. IN ULONG MessageSequenceNumber
  1539. );
  1541. typedef NTSTATUS
  1542. (NTAPI SpVerifySignatureFn)(
  1543. IN LSA_SEC_HANDLE ContextHandle,
  1544. IN PSecBufferDesc MessageBuffers,
  1545. IN ULONG MessageSequenceNumber,
  1546. OUT PULONG QualityOfProtection
  1547. );
  1549. typedef NTSTATUS
  1550. (NTAPI SpSealMessageFn)(
  1551. IN LSA_SEC_HANDLE ContextHandle,
  1552. IN ULONG QualityOfProtection,
  1553. IN PSecBufferDesc MessageBuffers,
  1554. IN ULONG MessageSequenceNumber
  1555. );
  1557. typedef NTSTATUS
  1558. (NTAPI SpUnsealMessageFn)(
  1559. IN LSA_SEC_HANDLE ContextHandle,
  1560. IN PSecBufferDesc MessageBuffers,
  1561. IN ULONG MessageSequenceNumber,
  1562. OUT PULONG QualityOfProtection
  1563. );
  1566. typedef NTSTATUS
  1567. (NTAPI SpGetContextTokenFn)(
  1568. IN LSA_SEC_HANDLE ContextHandle,
  1569. OUT PHANDLE ImpersonationToken
  1570. );
  1573. typedef NTSTATUS
  1574. (NTAPI SpExportSecurityContextFn)(
  1575. LSA_SEC_HANDLE phContext, // (in) context to export
  1576. ULONG fFlags, // (in) option flags
  1577. PSecBuffer pPackedContext, // (out) marshalled context
  1578. PHANDLE pToken // (out, optional) token handle for impersonation
  1579. );
  1581. typedef NTSTATUS
  1582. (NTAPI SpImportSecurityContextFn)(
  1583. PSecBuffer pPackedContext, // (in) marshalled context
  1584. HANDLE Token, // (in, optional) handle to token for context
  1585. PLSA_SEC_HANDLE phContext // (out) new context handle
  1586. );
  1589. typedef NTSTATUS
  1590. (NTAPI SpCompleteAuthTokenFn)(
  1591. IN LSA_SEC_HANDLE ContextHandle,
  1592. IN PSecBufferDesc InputBuffer
  1593. );
  1596. typedef NTSTATUS
  1597. (NTAPI SpFormatCredentialsFn)(
  1598. IN PSecBuffer Credentials,
  1599. OUT PSecBuffer FormattedCredentials
  1600. );
  1602. typedef NTSTATUS
  1603. (NTAPI SpMarshallSupplementalCredsFn)(
  1604. IN ULONG CredentialSize,
  1605. IN PUCHAR Credentials,
  1606. OUT PULONG MarshalledCredSize,
  1607. OUT PVOID * MarshalledCreds);
  1610. typedef struct _SECPKG_USER_FUNCTION_TABLE {
  1611. SpInstanceInitFn * InstanceInit;
  1612. SpInitUserModeContextFn * InitUserModeContext;
  1613. SpMakeSignatureFn * MakeSignature;
  1614. SpVerifySignatureFn * VerifySignature;
  1615. SpSealMessageFn * SealMessage;
  1616. SpUnsealMessageFn * UnsealMessage;
  1617. SpGetContextTokenFn * GetContextToken;
  1618. SpQueryContextAttributesFn * QueryContextAttributes;
  1619. SpCompleteAuthTokenFn * CompleteAuthToken;
  1620. SpDeleteContextFn * DeleteUserModeContext;
  1621. SpFormatCredentialsFn * FormatCredentials;
  1622. SpMarshallSupplementalCredsFn * MarshallSupplementalCreds;
  1623. SpExportSecurityContextFn * ExportContext;
  1624. SpImportSecurityContextFn * ImportContext;
  1625. } SECPKG_USER_FUNCTION_TABLE, *PSECPKG_USER_FUNCTION_TABLE;
  1627. typedef NTSTATUS
  1628. (SEC_ENTRY * SpLsaModeInitializeFn)(
  1629. IN ULONG LsaVersion,
  1630. OUT PULONG PackageVersion,
  1631. OUT PSECPKG_FUNCTION_TABLE * ppTables,
  1632. OUT PULONG pcTables);
  1634. typedef NTSTATUS
  1635. (SEC_ENTRY * SpUserModeInitializeFn)(
  1636. IN ULONG LsaVersion,
  1637. OUT PULONG PackageVersion,
  1638. OUT PSECPKG_USER_FUNCTION_TABLE *ppTables,
  1639. OUT PULONG pcTables
  1640. );
  1644. #define SECPKG_LSAMODEINIT_NAME "SpLsaModeInitialize"
  1645. #define SECPKG_USERMODEINIT_NAME "SpUserModeInitialize"
  1647. //
  1648. // Version of the security package interface.
  1649. //
  1650. // These define are used for all of the following:
  1651. // * Passed by the LSA to SpLsaModeInitializeFn to indicate the version of the LSA.
  1652. // All packages currently expect the LSA to pass SECPKG_INTERFACE_VERSION.
  1653. // * Passed by secur32.dll to SpUserModeInitialzeFn to indicate the version of the secur32 DLL.
  1654. // All packages currently expect secur32 to pass SECPKG_INTERFACE_VERSION.
  1655. // * Returned from SpLsaModeInitializeFn to indicate the version of SECPKG_FUNCTION_TABLE.
  1656. // SECPKG_INTERFACE_VERSION indicates all fields through SetExtendedInformation are defined (potentially to NULL)
  1657. // SECPKG_INTERFACE_VERSION_2 indicates all fields through SetContextAttributes are defined (potentially to NULL)
  1658. // * Returned from SpUserModeInitializeFn to indicate the version of the auth package.
  1659. // All packages currently return SECPKG_INTERFACE_VERSION
  1660. //
  1662. #define SECPKG_INTERFACE_VERSION 0x00010000
  1663. #define SECPKG_INTERFACE_VERSION_2 0x00020000
  1667. typedef enum _KSEC_CONTEXT_TYPE {
  1668. KSecPaged,
  1669. KSecNonPaged
  1670. } KSEC_CONTEXT_TYPE ;
  1672. typedef struct _KSEC_LIST_ENTRY {
  1673. LIST_ENTRY List ;
  1674. LONG RefCount ;
  1675. ULONG Signature ;
  1676. PVOID OwningList ;
  1677. PVOID Reserved ;
  1678. } KSEC_LIST_ENTRY, * PKSEC_LIST_ENTRY ;
  1680. #define KsecInitializeListEntry( Entry, SigValue ) \
  1681. ((PKSEC_LIST_ENTRY) Entry)->List.Flink = ((PKSEC_LIST_ENTRY) Entry)->List.Blink = NULL ; \
  1682. ((PKSEC_LIST_ENTRY) Entry)->RefCount = 1 ; \
  1683. ((PKSEC_LIST_ENTRY) Entry)->Signature = SigValue ; \
  1684. ((PKSEC_LIST_ENTRY) Entry)->OwningList = NULL ; \
  1685. ((PKSEC_LIST_ENTRY) Entry)->Reserved = NULL ;
  1689. typedef PVOID
  1690. (SEC_ENTRY KSEC_CREATE_CONTEXT_LIST)(
  1691. IN KSEC_CONTEXT_TYPE Type
  1692. );
  1694. typedef VOID
  1695. (SEC_ENTRY KSEC_INSERT_LIST_ENTRY)(
  1696. IN PVOID List,
  1697. IN PKSEC_LIST_ENTRY Entry
  1698. );
  1700. typedef NTSTATUS
  1701. (SEC_ENTRY KSEC_REFERENCE_LIST_ENTRY)(
  1702. IN PKSEC_LIST_ENTRY Entry,
  1703. IN ULONG Signature,
  1704. IN BOOLEAN RemoveNoRef
  1705. );
  1707. typedef VOID
  1708. (SEC_ENTRY KSEC_DEREFERENCE_LIST_ENTRY)(
  1709. IN PKSEC_LIST_ENTRY Entry,
  1710. OUT BOOLEAN * Delete OPTIONAL
  1711. );
  1713. typedef NTSTATUS
  1714. (SEC_ENTRY KSEC_SERIALIZE_WINNT_AUTH_DATA)(
  1715. IN PVOID pvAuthData,
  1716. OUT PULONG Size,
  1717. OUT PVOID * SerializedData );
  1719. #ifndef MIDL_PASS
  1721. KSEC_CREATE_CONTEXT_LIST KSecCreateContextList ;
  1722. KSEC_INSERT_LIST_ENTRY KSecInsertListEntry ;
  1723. KSEC_REFERENCE_LIST_ENTRY KSecReferenceListEntry ;
  1724. KSEC_DEREFERENCE_LIST_ENTRY KSecDereferenceListEntry ;
  1725. KSEC_SERIALIZE_WINNT_AUTH_DATA KSecSerializeWinntAuthData ;
  1727. #endif // not valid for MIDL_PASS
  1729. typedef KSEC_CREATE_CONTEXT_LIST * PKSEC_CREATE_CONTEXT_LIST ;
  1730. typedef KSEC_INSERT_LIST_ENTRY * PKSEC_INSERT_LIST_ENTRY ;
  1731. typedef KSEC_REFERENCE_LIST_ENTRY * PKSEC_REFERENCE_LIST_ENTRY ;
  1732. typedef KSEC_DEREFERENCE_LIST_ENTRY * PKSEC_DEREFERENCE_LIST_ENTRY ;
  1733. typedef KSEC_SERIALIZE_WINNT_AUTH_DATA * PKSEC_SERIALIZE_WINNT_AUTH_DATA ;
  1736. typedef struct _SECPKG_KERNEL_FUNCTIONS {
  1737. PLSA_ALLOCATE_LSA_HEAP AllocateHeap;
  1738. PLSA_FREE_LSA_HEAP FreeHeap;
  1739. PKSEC_CREATE_CONTEXT_LIST CreateContextList ;
  1740. PKSEC_INSERT_LIST_ENTRY InsertListEntry ;
  1741. PKSEC_REFERENCE_LIST_ENTRY ReferenceListEntry ;
  1742. PKSEC_DEREFERENCE_LIST_ENTRY DereferenceListEntry ;
  1743. PKSEC_SERIALIZE_WINNT_AUTH_DATA SerializeWinntAuthData ;
  1744. } SECPKG_KERNEL_FUNCTIONS, *PSECPKG_KERNEL_FUNCTIONS;
  1747. typedef NTSTATUS
  1748. (NTAPI KspInitPackageFn)(
  1749. PSECPKG_KERNEL_FUNCTIONS FunctionTable
  1750. );
  1753. typedef NTSTATUS
  1754. (NTAPI KspDeleteContextFn)(
  1755. IN LSA_SEC_HANDLE ContextId,
  1756. OUT PLSA_SEC_HANDLE LsaContextId
  1757. );
  1759. typedef NTSTATUS
  1760. (NTAPI KspInitContextFn)(
  1761. IN LSA_SEC_HANDLE ContextId,
  1762. IN PSecBuffer ContextData,
  1763. OUT PLSA_SEC_HANDLE NewContextId
  1764. );
  1766. typedef NTSTATUS
  1767. (NTAPI KspMakeSignatureFn)(
  1768. IN LSA_SEC_HANDLE ContextId,
  1769. IN ULONG fQOP,
  1770. IN OUT PSecBufferDesc Message,
  1771. IN ULONG MessageSeqNo
  1772. );
  1774. typedef NTSTATUS
  1775. (NTAPI KspVerifySignatureFn)(
  1776. IN LSA_SEC_HANDLE ContextId,
  1777. IN OUT PSecBufferDesc Message,
  1778. IN ULONG MessageSeqNo,
  1779. OUT PULONG pfQOP
  1780. );
  1783. typedef NTSTATUS
  1784. (NTAPI KspSealMessageFn)(
  1785. IN LSA_SEC_HANDLE ContextId,
  1786. IN ULONG fQOP,
  1787. IN OUT PSecBufferDesc Message,
  1788. IN ULONG MessageSeqNo
  1789. );
  1791. typedef NTSTATUS
  1792. (NTAPI KspUnsealMessageFn)(
  1793. IN LSA_SEC_HANDLE ContextId,
  1794. IN OUT PSecBufferDesc Message,
  1795. IN ULONG MessageSeqNo,
  1796. OUT PULONG pfQOP
  1797. );
  1799. typedef NTSTATUS
  1800. (NTAPI KspGetTokenFn)(
  1801. IN LSA_SEC_HANDLE ContextId,
  1802. OUT PHANDLE ImpersonationToken,
  1803. OUT OPTIONAL PACCESS_TOKEN * RawToken
  1804. );
  1806. typedef NTSTATUS
  1807. (NTAPI KspQueryAttributesFn)(
  1808. IN LSA_SEC_HANDLE ContextId,
  1809. IN ULONG Attribute,
  1810. IN OUT PVOID Buffer
  1811. );
  1813. typedef NTSTATUS
  1814. (NTAPI KspCompleteTokenFn)(
  1815. IN LSA_SEC_HANDLE ContextId,
  1816. IN PSecBufferDesc Token
  1817. );
  1820. typedef NTSTATUS
  1821. (NTAPI KspMapHandleFn)(
  1822. IN LSA_SEC_HANDLE ContextId,
  1823. OUT PLSA_SEC_HANDLE LsaContextId
  1824. );
  1826. typedef NTSTATUS
  1827. (NTAPI KspSetPagingModeFn)(
  1828. IN BOOLEAN PagingMode
  1829. );
  1831. typedef NTSTATUS
  1832. (NTAPI KspSerializeAuthDataFn)(
  1833. IN PVOID pvAuthData,
  1834. OUT PULONG Size,
  1835. OUT PVOID * SerializedData
  1836. );
  1838. typedef struct _SECPKG_KERNEL_FUNCTION_TABLE {
  1839. KspInitPackageFn * Initialize;
  1840. KspDeleteContextFn * DeleteContext;
  1841. KspInitContextFn * InitContext;
  1842. KspMapHandleFn * MapHandle;
  1843. KspMakeSignatureFn * Sign;
  1844. KspVerifySignatureFn * Verify;
  1845. KspSealMessageFn * Seal;
  1846. KspUnsealMessageFn * Unseal;
  1847. KspGetTokenFn * GetToken;
  1848. KspQueryAttributesFn * QueryAttributes;
  1849. KspCompleteTokenFn * CompleteToken;
  1850. SpExportSecurityContextFn * ExportContext;
  1851. SpImportSecurityContextFn * ImportContext;
  1852. KspSetPagingModeFn * SetPackagePagingMode ;
  1853. KspSerializeAuthDataFn * SerializeAuthData ;
  1854. } SECPKG_KERNEL_FUNCTION_TABLE, *PSECPKG_KERNEL_FUNCTION_TABLE;
  1856. SECURITY_STATUS
  1857. SEC_ENTRY
  1858. KSecRegisterSecurityProvider(
  1859. PSECURITY_STRING ProviderName,
  1860. PSECPKG_KERNEL_FUNCTION_TABLE Table
  1861. );
  1865. extern SECPKG_KERNEL_FUNCTIONS KspKernelFunctions;
  1869. #ifdef __cplusplus
  1870. }
  1871. #endif
  1873. #endif /* _NTSECPKG_ */