  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1992-1999.
  5. //
  6. // File: schannel.h
  7. //
  8. // Contents: Public Definitions for SCHANNEL Security Provider
  9. //
  10. // Classes:
  11. //
  12. // Functions:
  13. //
  14. //----------------------------------------------------------------------------
  15. #ifndef __SCHANNEL_H__
  16. #define __SCHANNEL_H__
  17. #if _MSC_VER > 1000
  18. #pragma once
  19. #endif
  20. #include <wincrypt.h>
//
// Security package names.
//
// Each name comes in an ANSI (_A) and a wide (_W) form; the unsuffixed
// macro is selected by UNICODE in the usual Win32 TCHAR fashion.
// UNISP_NAME is the unified provider name; the per-protocol names
// (SSL2/SSL3/TLS1/PCT1) and SCHANNEL_NAME are alternatives.
//
#define UNISP_NAME_A "Microsoft Unified Security Protocol Provider"
#define UNISP_NAME_W L"Microsoft Unified Security Protocol Provider"
#define SSL2SP_NAME_A "Microsoft SSL 2.0"
#define SSL2SP_NAME_W L"Microsoft SSL 2.0"
#define SSL3SP_NAME_A "Microsoft SSL 3.0"
#define SSL3SP_NAME_W L"Microsoft SSL 3.0"
#define TLS1SP_NAME_A "Microsoft TLS 1.0"
#define TLS1SP_NAME_W L"Microsoft TLS 1.0"
#define PCT1SP_NAME_A "Microsoft PCT 1.0"
#define PCT1SP_NAME_W L"Microsoft PCT 1.0"
#define SCHANNEL_NAME_A "Schannel"
#define SCHANNEL_NAME_W L"Schannel"
#ifdef UNICODE
#define UNISP_NAME UNISP_NAME_W
#define PCT1SP_NAME PCT1SP_NAME_W
#define SSL2SP_NAME SSL2SP_NAME_W
#define SSL3SP_NAME SSL3SP_NAME_W
#define TLS1SP_NAME TLS1SP_NAME_W
#define SCHANNEL_NAME SCHANNEL_NAME_W
#else
#define UNISP_NAME UNISP_NAME_A
#define PCT1SP_NAME PCT1SP_NAME_A
#define SSL2SP_NAME SSL2SP_NAME_A
#define SSL3SP_NAME SSL3SP_NAME_A
#define TLS1SP_NAME TLS1SP_NAME_A
#define SCHANNEL_NAME SCHANNEL_NAME_A
#endif
//
// RPC constants.
//
// RPC interface id of the unified provider; its use is not described here.
#define UNISP_RPC_ID 14
//
// QueryContextAttributes/QueryCredentialsAttribute extensions
//
// Schannel-specific attribute ids. The trailing comment on each entry
// names what the query returns. The three entries marked OBSOLETE are
// retained only so that code using the legacy SecPkgContext_*CredentialInfo
// / IssuerListInfo structures (declared below) still compiles; the
// replacements are the *_CERT_CONTEXT and *_ISSUER_LIST_EX attributes.
//
#define SECPKG_ATTR_ISSUER_LIST 0x50 // (OBSOLETE) returns SecPkgContext_IssuerListInfo
#define SECPKG_ATTR_REMOTE_CRED 0x51 // (OBSOLETE) returns SecPkgContext_RemoteCredentialInfo
#define SECPKG_ATTR_LOCAL_CRED 0x52 // (OBSOLETE) returns SecPkgContext_LocalCredentialInfo
#define SECPKG_ATTR_REMOTE_CERT_CONTEXT 0x53 // returns PCCERT_CONTEXT
#define SECPKG_ATTR_LOCAL_CERT_CONTEXT 0x54 // returns PCCERT_CONTEXT
#define SECPKG_ATTR_ROOT_STORE 0x55 // returns HCERTCONTEXT to the root store
#define SECPKG_ATTR_SUPPORTED_ALGS 0x56 // returns SecPkgCred_SupportedAlgs
#define SECPKG_ATTR_CIPHER_STRENGTHS 0x57 // returns SecPkgCred_CipherStrengths
#define SECPKG_ATTR_SUPPORTED_PROTOCOLS 0x58 // returns SecPkgCred_SupportedProtocols
#define SECPKG_ATTR_ISSUER_LIST_EX 0x59 // returns SecPkgContext_IssuerListInfoEx
#define SECPKG_ATTR_CONNECTION_INFO 0x5a // returns SecPkgContext_ConnectionInfo
#define SECPKG_ATTR_EAP_KEY_BLOCK 0x5b // returns SecPkgContext_EapKeyBlock
#define SECPKG_ATTR_MAPPED_CRED_ATTR 0x5c // returns SecPkgContext_MappedCredAttr
#define SECPKG_ATTR_SESSION_INFO 0x5d // returns SecPkgContext_SessionInfo
#define SECPKG_ATTR_APP_DATA 0x5e // sets/returns SecPkgContext_SessionAppData
// OBSOLETE - included here for backward compatibility only
// (returned by SECPKG_ATTR_ISSUER_LIST). The current form is
// SecPkgContext_IssuerListInfoEx via SECPKG_ATTR_ISSUER_LIST_EX.
typedef struct _SecPkgContext_IssuerListInfo
{
    DWORD cbIssuerList;   // byte count of the data at pIssuerList
    PBYTE pIssuerList;    // issuer list; its encoding is not described here
} SecPkgContext_IssuerListInfo, *PSecPkgContext_IssuerListInfo;
// OBSOLETE - included here for backward compatibility only
// (returned by SECPKG_ATTR_REMOTE_CRED). The current query is
// SECPKG_ATTR_REMOTE_CERT_CONTEXT, which returns a PCCERT_CONTEXT.
typedef struct _SecPkgContext_RemoteCredentialInfo
{
    DWORD cbCertificateChain;   // byte count of the chain at pbCertificateChain
    PBYTE pbCertificateChain;   // certificate chain of the remote party; encoding not described here
    DWORD cCertificates;        // number of certificates in the chain
    DWORD fFlags;               // presumably the RCRED_* status values below — confirm
    DWORD dwBits;               // NOTE(review): meaning not stated in this header — confirm before relying on it
} SecPkgContext_RemoteCredentialInfo, *PSecPkgContext_RemoteCredentialInfo;
// Alias under the historical misspelling ("Credenital"); kept so older
// source still compiles. The misspelled names are part of the interface.
typedef SecPkgContext_RemoteCredentialInfo SecPkgContext_RemoteCredenitalInfo, *PSecPkgContext_RemoteCredenitalInfo;
// Status values for the remote credential.
#define RCRED_STATUS_NOCRED 0x00000000          // no credential present
#define RCRED_CRED_EXISTS 0x00000001            // a credential is present
#define RCRED_STATUS_UNKNOWN_ISSUER 0x00000002  // the credential's issuer is not known
// OBSOLETE - included here for backward compatibility only
// (returned by SECPKG_ATTR_LOCAL_CRED). The current query is
// SECPKG_ATTR_LOCAL_CERT_CONTEXT, which returns a PCCERT_CONTEXT.
// Same layout as SecPkgContext_RemoteCredentialInfo, but describing
// the local side's credential.
typedef struct _SecPkgContext_LocalCredentialInfo
{
    DWORD cbCertificateChain;   // byte count of the chain at pbCertificateChain
    PBYTE pbCertificateChain;   // local certificate chain; encoding not described here
    DWORD cCertificates;        // number of certificates in the chain
    DWORD fFlags;               // presumably the LCRED_* status values below — confirm
    DWORD dwBits;               // NOTE(review): meaning not stated in this header — confirm before relying on it
} SecPkgContext_LocalCredentialInfo, *PSecPkgContext_LocalCredentialInfo;
// Alias under the historical misspelling ("Credenital"); kept so older
// source still compiles. The misspelled names are part of the interface.
typedef SecPkgContext_LocalCredentialInfo SecPkgContext_LocalCredenitalInfo, *PSecPkgContext_LocalCredenitalInfo;
// Status values for the local credential.
#define LCRED_STATUS_NOCRED 0x00000000          // no credential present
#define LCRED_CRED_EXISTS 0x00000001            // a credential is present
#define LCRED_STATUS_UNKNOWN_ISSUER 0x00000002  // the credential's issuer is not known
// Returned by SECPKG_ATTR_SUPPORTED_ALGS: the algorithms a credential supports.
typedef struct _SecPkgCred_SupportedAlgs
{
    DWORD cSupportedAlgs;       // number of entries in palgSupportedAlgs
    ALG_ID *palgSupportedAlgs;  // array of CAPI ALG_ID values
} SecPkgCred_SupportedAlgs, *PSecPkgCred_SupportedAlgs;
// Returned by SECPKG_ATTR_CIPHER_STRENGTHS. The fields mirror
// SCHANNEL_CRED.dwMinimumCipherStrength / dwMaximumCipherStrength;
// the unit is not stated in this header (presumably key size in bits — confirm).
typedef struct _SecPkgCred_CipherStrengths
{
    DWORD dwMinimumCipherStrength;  // weakest cipher strength the credential allows
    DWORD dwMaximumCipherStrength;  // strongest cipher strength the credential allows
} SecPkgCred_CipherStrengths, *PSecPkgCred_CipherStrengths;
// Returned by SECPKG_ATTR_SUPPORTED_PROTOCOLS.
typedef struct _SecPkgCred_SupportedProtocols
{
    DWORD grbitProtocol;  // presumably a mask of the SP_PROT_* bits defined below — confirm
} SecPkgCred_SupportedProtocols, *PSecPkgCred_SupportedProtocols;
// Returned by SECPKG_ATTR_ISSUER_LIST_EX; replaces the obsolete
// SecPkgContext_IssuerListInfo with a decoded array of issuer names.
typedef struct _SecPkgContext_IssuerListInfoEx
{
    PCERT_NAME_BLOB aIssuers;  // array of cIssuers encoded issuer names
    DWORD cIssuers;            // number of entries in aIssuers
} SecPkgContext_IssuerListInfoEx, *PSecPkgContext_IssuerListInfoEx;
// Returned by SECPKG_ATTR_CONNECTION_INFO: what was actually negotiated on
// the connection. NOTE(review): a defensive caller checks these values
// against its policy after the handshake rather than assuming the
// SCHANNEL_CRED request was honoured. Strength units are not stated here.
typedef struct _SecPkgContext_ConnectionInfo
{
    DWORD dwProtocol;       // negotiated protocol; presumably an SP_PROT_* value — confirm
    ALG_ID aiCipher;        // bulk cipher algorithm
    DWORD dwCipherStrength; // bulk cipher strength
    ALG_ID aiHash;          // hash/MAC algorithm
    DWORD dwHashStrength;   // hash strength
    ALG_ID aiExch;          // key exchange algorithm
    DWORD dwExchStrength;   // key exchange strength
} SecPkgContext_ConnectionInfo, *PSecPkgContext_ConnectionInfo;
// Returned by SECPKG_ATTR_EAP_KEY_BLOCK: raw keying material exported for
// EAP. The layout of individual keys/IVs inside the arrays is not described
// in this header. NOTE(review): this is secret material — callers should
// avoid copying it around and clear any copy once it is no longer needed.
typedef struct _SecPkgContext_EapKeyBlock
{
    BYTE rgbKeys[128];  // exported key bytes
    BYTE rgbIVs[64];    // exported IV bytes
} SecPkgContext_EapKeyBlock, *PSecPkgContext_EapKeyBlock;
// Returned by SECPKG_ATTR_MAPPED_CRED_ATTR: one attribute of the credential
// a client certificate was mapped to. Valid dwAttribute values and the
// ownership of pvBuffer are not described in this header.
typedef struct _SecPkgContext_MappedCredAttr
{
    DWORD dwAttribute;  // attribute being queried
    PVOID pvBuffer;     // attribute value
} SecPkgContext_MappedCredAttr, *PSecPkgContext_MappedCredAttr;
// Flag values for SecPkgContext_SessionInfo
#define SSL_SESSION_RECONNECT 1  // presumably set when the session was resumed rather than fully negotiated — confirm
// Returned by SECPKG_ATTR_SESSION_INFO.
typedef struct _SecPkgContext_SessionInfo
{
    DWORD dwFlags;          // SSL_SESSION_* flags above
    DWORD cbSessionId;      // number of valid bytes in rgbSessionId (at most sizeof rgbSessionId)
    BYTE rgbSessionId[32];  // session identifier
} SecPkgContext_SessionInfo, *PSecPkgContext_SessionInfo;
// Set and returned through SECPKG_ATTR_APP_DATA: opaque application data
// attached to a session. The meaning of dwFlags and the ownership of
// pbAppData are not described in this header.
typedef struct _SecPkgContext_SessionAppData
{
    DWORD dwFlags;    // flags; not described here
    DWORD cbAppData;  // byte count of the data at pbAppData
    PBYTE pbAppData;  // application-defined bytes
} SecPkgContext_SessionAppData, *PSecPkgContext_SessionAppData;
//
// Schannel credentials data structure.
//
// Version tags. SCH_CRED_VERSION (== SCH_CRED_V2) is the version of the
// legacy SCH_CRED structure declared at the end of this file; new code
// fills in SCHANNEL_CRED below with dwVersion = SCHANNEL_CRED_VERSION.
//
#define SCH_CRED_V1 0x00000001
#define SCH_CRED_V2 0x00000002 // for legacy code
#define SCH_CRED_VERSION 0x00000002 // for legacy code
#define SCH_CRED_V3 0x00000003 // for legacy code
#define SCHANNEL_CRED_VERSION 0x00000004
// Opaque credential-mapper handle; only used through pointers here.
struct _HMAPPER;
// Credential description handed to schannel. The SCH_CRED_* flags for
// dwFlags are documented immediately below the structure.
typedef struct _SCHANNEL_CRED
{
    DWORD dwVersion; // always SCHANNEL_CRED_VERSION
    DWORD cCreds;                   // number of entries in paCred
    PCCERT_CONTEXT *paCred;         // certificate contexts to use as credentials
    HCERTSTORE hRootStore;          // store of trusted roots; NOTE(review): behaviour when NULL is not stated here — confirm
    DWORD cMappers;                 // number of entries in aphMappers
    struct _HMAPPER **aphMappers;   // credential mappers
    DWORD cSupportedAlgs;           // number of entries in palgSupportedAlgs
    ALG_ID * palgSupportedAlgs;     // algorithms the caller permits (ALG_ID values)
    DWORD grbitEnabledProtocols;    // presumably a mask of SP_PROT_* bits — confirm
    DWORD dwMinimumCipherStrength;  // cipher strength bounds; unit not stated here (presumably key bits)
    DWORD dwMaximumCipherStrength;
    DWORD dwSessionLifespan;        // session lifetime; unit not stated here
    DWORD dwFlags;                  // SCH_CRED_* flags (see below)
    DWORD reserved;                 // reserved; presumably must be zero — confirm
} SCHANNEL_CRED, *PSCHANNEL_CRED;
//+-------------------------------------------------------------------------
// Flags for use with SCHANNEL_CRED
//
// SCH_CRED_NO_SYSTEM_MAPPER
// This flag is intended for use by server applications only. If this
// flag is set, then schannel does *not* attempt to map received client
// certificate chains to an NT user account using the built-in system
// certificate mapper. This flag is ignored by non-NT5 versions of
// schannel.
//
// SCH_CRED_NO_SERVERNAME_CHECK
// This flag is intended for use by client applications only. If this
// flag is set, then when schannel validates the received server
// certificate chain, it does *not* compare the passed in target name
// with the subject name embedded in the certificate. This flag is
// ignored by non-NT5 versions of schannel. This flag is also ignored
// if the SCH_CRED_MANUAL_CRED_VALIDATION flag is set.
// Review note: with the name check skipped, any chain that validates is
// accepted regardless of which host it was issued to, so the client no
// longer verifies the server's identity unless it checks the name itself.
//
// SCH_CRED_MANUAL_CRED_VALIDATION
// This flag is intended for use by client applications only. If this
// flag is set, then schannel will *not* automatically attempt to
// validate the received server certificate chain. This flag is
// ignored by non-NT5 versions of schannel, but all client applications
// that wish to validate the certificate chain themselves should
// specify this flag, so that there's at least a chance they'll run
// correctly on NT5.
// Review note: with this flag the application alone is responsible for
// chain validation, name matching and revocation checking.
//
// SCH_CRED_NO_DEFAULT_CREDS
// This flag is intended for use by client applications only. If this
// flag is set, and the server requests client authentication, then
// schannel will *not* attempt to automatically acquire a suitable
// default client certificate chain. This flag is ignored by non-NT5
// versions of schannel, but all client applications that wish to
// manually specify their certificate chains should specify this flag,
// so that there's at least a chance they'll run correctly on NT5.
//
// SCH_CRED_AUTO_CRED_VALIDATION
// This flag is the opposite of SCH_CRED_MANUAL_CRED_VALIDATION.
// Conservatively written client applications will always specify one
// flag or the other.
//
// SCH_CRED_USE_DEFAULT_CREDS
// This flag is the opposite of SCH_CRED_NO_DEFAULT_CREDS.
// Conservatively written client applications will always specify one
// flag or the other.
//
// SCH_CRED_DISABLE_RECONNECTS
// This flag is intended for use by server applications only. If this
// flag is set, then full handshakes performed with this credential
// will not be marked suitable for reconnects. A cache entry will still
// be created, however, so the session can be made resumable later
// via a call to ApplyControlToken.
//
//
// SCH_CRED_REVOCATION_CHECK_END_CERT
// SCH_CRED_REVOCATION_CHECK_CHAIN
// SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
// These flags specify that when schannel automatically validates a
// received certificate chain, some or all of the certificates are to
// be checked for revocation. Only one of these flags may be specified.
// See the CertGetCertificateChain function. These flags are ignored by
// non-NT5 versions of schannel.
//
// SCH_CRED_IGNORE_NO_REVOCATION_CHECK
// SCH_CRED_IGNORE_REVOCATION_OFFLINE
// These flags instruct schannel to ignore the
// CRYPT_E_NO_REVOCATION_CHECK and CRYPT_E_REVOCATION_OFFLINE errors
// respectively if they are encountered when attempting to check the
// revocation status of a received certificate chain. These flags are
// ignored if none of the above flags are set.
// Review note: each IGNORE flag turns a revocation failure into a pass,
// so enabling them weakens the revocation check they accompany.
//
// Bit 0x00000001 is not assigned as a flag in this table.
//+-------------------------------------------------------------------------
#define SCH_CRED_NO_SYSTEM_MAPPER 0x00000002                   // server only
#define SCH_CRED_NO_SERVERNAME_CHECK 0x00000004                // client only; skips target-name match (see note above)
#define SCH_CRED_MANUAL_CRED_VALIDATION 0x00000008             // client only; caller validates the chain
#define SCH_CRED_NO_DEFAULT_CREDS 0x00000010                   // client only
#define SCH_CRED_AUTO_CRED_VALIDATION 0x00000020               // client only; opposite of MANUAL_CRED_VALIDATION
#define SCH_CRED_USE_DEFAULT_CREDS 0x00000040                  // client only; opposite of NO_DEFAULT_CREDS
#define SCH_CRED_DISABLE_RECONNECTS 0x00000080                 // server only
#define SCH_CRED_REVOCATION_CHECK_END_CERT 0x00000100          // at most one of the three REVOCATION_CHECK flags
#define SCH_CRED_REVOCATION_CHECK_CHAIN 0x00000200
#define SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x00000400
#define SCH_CRED_IGNORE_NO_REVOCATION_CHECK 0x00000800         // only meaningful with a REVOCATION_CHECK flag
#define SCH_CRED_IGNORE_REVOCATION_OFFLINE 0x00001000          // only meaningful with a REVOCATION_CHECK flag
//
//
// ApplyControlToken PkgParams types
//
// These identifiers are the DWORD types
// to be passed into ApplyControlToken
// through a PkgParams buffer. For SCHANNEL_ALERT and SCHANNEL_SESSION the
// buffer holds the token structure declared below, whose first DWORD
// (dwTokenType) carries this value.
#define SCHANNEL_RENEGOTIATE 0 // renegotiate a connection
#define SCHANNEL_SHUTDOWN 1 // gracefully close down a connection
#define SCHANNEL_ALERT 2 // build an error message
#define SCHANNEL_SESSION 3 // session control
// Alert token structure.
// Passed through ApplyControlToken (type SCHANNEL_ALERT) to have schannel
// build an alert message.
typedef struct _SCHANNEL_ALERT_TOKEN
{
    DWORD dwTokenType; // SCHANNEL_ALERT
    DWORD dwAlertType;    // TLS1_ALERT_WARNING or TLS1_ALERT_FATAL (see below)
    DWORD dwAlertNumber;  // one of the TLS1_ALERT_* message numbers below
} SCHANNEL_ALERT_TOKEN;
// Alert types.
// Severity levels for SCHANNEL_ALERT_TOKEN.dwAlertType.
#define TLS1_ALERT_WARNING 1
#define TLS1_ALERT_FATAL 2
// Alert messages.
// Alert numbers for SCHANNEL_ALERT_TOKEN.dwAlertNumber. The trailing
// comment gives the severity each message is normally sent with.
// The spellings of TLS1_ALERT_INSUFFIENT_SECURITY and
// TLS1_ALERT_NO_RENEGOTIATATION are part of the public interface and
// must not be "corrected".
#define TLS1_ALERT_CLOSE_NOTIFY 0 // warning
#define TLS1_ALERT_UNEXPECTED_MESSAGE 10 // error
#define TLS1_ALERT_BAD_RECORD_MAC 20 // error
#define TLS1_ALERT_DECRYPTION_FAILED 21 // error
#define TLS1_ALERT_RECORD_OVERFLOW 22 // error
#define TLS1_ALERT_DECOMPRESSION_FAIL 30 // error
#define TLS1_ALERT_HANDSHAKE_FAILURE 40 // error
#define TLS1_ALERT_BAD_CERTIFICATE 42 // warning or error
#define TLS1_ALERT_UNSUPPORTED_CERT 43 // warning or error
#define TLS1_ALERT_CERTIFICATE_REVOKED 44 // warning or error
#define TLS1_ALERT_CERTIFICATE_EXPIRED 45 // warning or error
#define TLS1_ALERT_CERTIFICATE_UNKNOWN 46 // warning or error
#define TLS1_ALERT_ILLEGAL_PARAMETER 47 // error
#define TLS1_ALERT_UNKNOWN_CA 48 // error
#define TLS1_ALERT_ACCESS_DENIED 49 // error
#define TLS1_ALERT_DECODE_ERROR 50 // error
#define TLS1_ALERT_DECRYPT_ERROR 51 // error
#define TLS1_ALERT_EXPORT_RESTRICTION 60 // error
#define TLS1_ALERT_PROTOCOL_VERSION 70 // error
#define TLS1_ALERT_INSUFFIENT_SECURITY 71 // error
#define TLS1_ALERT_INTERNAL_ERROR 80 // error
#define TLS1_ALERT_USER_CANCELED 90 // warning or error
#define TLS1_ALERT_NO_RENEGOTIATATION 100 // warning
// Session control flags
// Values for SCHANNEL_SESSION_TOKEN.dwFlags; see SCH_CRED_DISABLE_RECONNECTS
// above for how a session can be made resumable after the handshake.
#define SSL_SESSION_ENABLE_RECONNECTS 1
#define SSL_SESSION_DISABLE_RECONNECTS 2
// Session control token structure.
// Passed through ApplyControlToken (type SCHANNEL_SESSION).
typedef struct _SCHANNEL_SESSION_TOKEN
{
    DWORD dwTokenType; // SCHANNEL_SESSION
    DWORD dwFlags;     // SSL_SESSION_ENABLE_RECONNECTS or SSL_SESSION_DISABLE_RECONNECTS
} SCHANNEL_SESSION_TOKEN;
//
//
// ADDITIONAL SCHANNEL CERTIFICATE PROPERTIES
//
// Certificate-context property ids, numbered from CERT_FIRST_USER_PROP_ID.
// The comment under each entry gives the property's data type.
//
// This property specifies the DER private key data associated with this
// certificate. It is for use with legacy IIS style private keys.
// NOTE(review): the key is stored alongside the certificate; treat the
// property value as secret material.
//
// PBYTE
//
#define CERT_SCHANNEL_IIS_PRIVATE_KEY_PROP_ID (CERT_FIRST_USER_PROP_ID + 0)
// The password used to crack the private key associated with the certificate.
// It is for use with legacy IIS style private keys.
// NOTE(review): stored as a plain byte string; handle it as a secret.
//
// PBYTE
#define CERT_SCHANNEL_IIS_PASSWORD_PROP_ID (CERT_FIRST_USER_PROP_ID + 1)
// This is the unique ID of a Server Gated Cryptography certificate associated
// with this certificate.
//
// CRYPT_BIT_BLOB
#define CERT_SCHANNEL_SGC_CERTIFICATE_PROP_ID (CERT_FIRST_USER_PROP_ID + 2)
//
// Flags for identifying the various different protocols.
//
// Each protocol has a separate server and client bit; the unsuffixed
// SP_PROT_<proto> macro is the pair. SP_PROT_UNI_* are the "unified"
// bits in the top two positions.
//
// NOTE(review): SP_PROT_ALL sets every bit, which opts into PCT1 and SSL2
// as well as bits not assigned in this table. Code that wants a specific
// protocol set should pass an explicit mask such as SP_PROT_SSL3TLS1
// rather than SP_PROT_ALL.
//
/* flag/identifiers for protocols we support */
#define SP_PROT_PCT1_SERVER 0x00000001
#define SP_PROT_PCT1_CLIENT 0x00000002
#define SP_PROT_PCT1 (SP_PROT_PCT1_SERVER | SP_PROT_PCT1_CLIENT)
#define SP_PROT_SSL2_SERVER 0x00000004
#define SP_PROT_SSL2_CLIENT 0x00000008
#define SP_PROT_SSL2 (SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT)
#define SP_PROT_SSL3_SERVER 0x00000010
#define SP_PROT_SSL3_CLIENT 0x00000020
#define SP_PROT_SSL3 (SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT)
#define SP_PROT_TLS1_SERVER 0x00000040
#define SP_PROT_TLS1_CLIENT 0x00000080
#define SP_PROT_TLS1 (SP_PROT_TLS1_SERVER | SP_PROT_TLS1_CLIENT)
// Convenience masks for the SSL3/TLS1 pair.
#define SP_PROT_SSL3TLS1_CLIENTS (SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT)
#define SP_PROT_SSL3TLS1_SERVERS (SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER)
#define SP_PROT_SSL3TLS1 (SP_PROT_SSL3 | SP_PROT_TLS1)
#define SP_PROT_UNI_SERVER 0x40000000
#define SP_PROT_UNI_CLIENT 0x80000000
#define SP_PROT_UNI (SP_PROT_UNI_SERVER | SP_PROT_UNI_CLIENT)
#define SP_PROT_ALL 0xffffffff  // every bit (see note above)
#define SP_PROT_NONE 0
// All client bits / all server bits, including the UNI bits.
#define SP_PROT_CLIENTS (SP_PROT_PCT1_CLIENT | SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_UNI_CLIENT | SP_PROT_TLS1_CLIENT)
#define SP_PROT_SERVERS (SP_PROT_PCT1_SERVER | SP_PROT_SSL2_SERVER | SP_PROT_SSL3_SERVER | SP_PROT_UNI_SERVER | SP_PROT_TLS1_SERVER)
//
// Helper function used to flush the SSL session cache.
//
// pszTargetName selects the entries to flush and dwFlags modifies the
// operation; neither is further described in this header (presumably a
// NULL target name means every entry — confirm). Returns a BOOL success
// indication. The _A/_W pair and the SSL_EMPTY_CACHE_FN typedefs follow
// the usual ANSI/UNICODE convention; no calling convention is specified,
// so the compiler default applies to both the typedef and the prototype.
//
typedef BOOL
(* SSL_EMPTY_CACHE_FN_A)(
    LPSTR pszTargetName,
    DWORD dwFlags);
BOOL
SslEmptyCacheA(LPSTR pszTargetName,
    DWORD dwFlags);
typedef BOOL
(* SSL_EMPTY_CACHE_FN_W)(
    LPWSTR pszTargetName,
    DWORD dwFlags);
BOOL
SslEmptyCacheW(LPWSTR pszTargetName,
    DWORD dwFlags);
#ifdef UNICODE
#define SSL_EMPTY_CACHE_FN SSL_EMPTY_CACHE_FN_W
#define SslEmptyCache SslEmptyCacheW
#else
#define SSL_EMPTY_CACHE_FN SSL_EMPTY_CACHE_FN_A
#define SslEmptyCache SslEmptyCacheA
#endif
//
//
// Support for legacy applications
// NOTE: Do not use the following
// API's and structures for new code.
//
// Package names of the pre-unified SSL and PCT providers, with the same
// ANSI/UNICODE selection as the names at the top of this file.
#define SSLOLD_NAME_A "Microsoft SSL"
#define SSLOLD_NAME_W L"Microsoft SSL"
#define PCTOLD_NAME_A "Microsoft PCT"
#define PCTOLD_NAME_W L"Microsoft PCT"
#ifdef UNICODE
#define SSLOLD_NAME SSLOLD_NAME_W
#define PCTOLD_NAME PCTOLD_NAME_W
#else
#define SSLOLD_NAME SSLOLD_NAME_A
#define PCTOLD_NAME PCTOLD_NAME_A
#endif
// Data representation value; its use is not described in this header.
#define NETWORK_DREP 0x00000000
// Structures for compatibility with the
// NT 4.0 SP2 / IE 3.0 schannel interface, do
// not use.
// Certificate plus private key as consumed by SslGenerateKeyPair below.
typedef struct _SSL_CREDENTIAL_CERTIFICATE {
    DWORD cbPrivateKey;   // byte count of the data at pPrivateKey
    PBYTE pPrivateKey;    // private key bytes; encoding not described here
    DWORD cbCertificate;  // byte count of the data at pCertificate
    PBYTE pCertificate;   // certificate bytes
    PSTR pszPassword;     // password protecting the private key; NOTE(review): plain text in memory, treat as secret
} SSL_CREDENTIAL_CERTIFICATE, * PSSL_CREDENTIAL_CERTIFICATE;
// Structures for use with the
// NT 4.0 SP3 Schannel interface,
// do not use.
// dwType tags for the SCH_CRED_SECRET_* structures below.
#define SCHANNEL_SECRET_TYPE_CAPI 0x00000001  // SCH_CRED_SECRET_CAPI
#define SCHANNEL_SECRET_PRIVKEY 0x00000002    // SCH_CRED_SECRET_PRIVKEY
// dwType tags for the SCH_CRED_PUBLIC_* structures below.
// SCH_CRED_X509_CAPI tags SCH_CRED_PUBLIC_CAPI; SCH_CRED_X509_CERTCHAIN
// presumably tags SCH_CRED_PUBLIC_CERTCHAIN (its dwType is not annotated).
// No structure for SCH_CRED_CERT_CONTEXT is declared in this header.
#define SCH_CRED_X509_CERTCHAIN 0x00000001
#define SCH_CRED_X509_CAPI 0x00000002
#define SCH_CRED_CERT_CONTEXT 0x00000003
// Repeated forward declaration (already declared above); harmless.
struct _HMAPPER;
// Legacy credential structure; superseded by SCHANNEL_CRED.
typedef struct _SCH_CRED
{
    DWORD dwVersion; // always SCH_CRED_VERSION.
    DWORD cCreds; // Number of credentials.
    PVOID *paSecret; // Array of SCH_CRED_SECRET_* pointers
    PVOID *paPublic; // Array of SCH_CRED_PUBLIC_* pointers
    DWORD cMappers; // Number of credential mappers.
    struct _HMAPPER **aphMappers; // pointer to an array of pointers to credential mappers
} SCH_CRED, * PSCH_CRED;
// Structures for use with the
// NT 4.0 SP3 Schannel interface,
// do not use.
// Secret half of a legacy credential held in a CryptoAPI provider.
typedef struct _SCH_CRED_SECRET_CAPI
{
    DWORD dwType; // SCHANNEL_SECRET_TYPE_CAPI
    HCRYPTPROV hProv; // credential secret information.
} SCH_CRED_SECRET_CAPI, * PSCH_CRED_SECRET_CAPI;
// Structures for use with the
// NT 4.0 SP3 Schannel interface,
// do not use.
// Secret half of a legacy credential supplied as a raw private key.
// NOTE(review): both the key bytes and the password are held in the
// clear in this structure; treat them as secret material.
typedef struct _SCH_CRED_SECRET_PRIVKEY
{
    DWORD dwType; // SCHANNEL_SECRET_PRIVKEY
    PBYTE pPrivateKey; // Der encoded private key
    DWORD cbPrivateKey;   // byte count of the data at pPrivateKey
    PSTR pszPassword; // Password to crack the private key.
} SCH_CRED_SECRET_PRIVKEY, * PSCH_CRED_SECRET_PRIVKEY;
// Structures for use with the
// NT 4.0 SP3 Schannel interface,
// do not use.
// Public half of a legacy credential supplied as an encoded chain.
typedef struct _SCH_CRED_PUBLIC_CERTCHAIN
{
    DWORD dwType;       // presumably SCH_CRED_X509_CERTCHAIN — not annotated in the original
    DWORD cbCertChain;  // byte count of the data at pCertChain
    PBYTE pCertChain;   // certificate chain bytes; encoding not described here
} SCH_CRED_PUBLIC_CERTCHAIN, *PSCH_CRED_PUBLIC_CERTCHAIN;
// Structures for use with the
// NT 4.0 SP3 Schannel interface,
// do not use.
// Public half of a legacy credential held in a CryptoAPI provider.
typedef struct _SCH_CRED_PUBLIC_CAPI
{
    DWORD dwType; // SCH_CRED_X509_CAPI
    HCRYPTPROV hProv; // CryptoAPI handle (usually a token CSP)
} SCH_CRED_PUBLIC_CAPI, * PSCH_CRED_PUBLIC_CAPI;
// Structures needed for Pre NT4.0 SP2 calls.
// Public key as decoded into X509Certificate.pPublicKey below. pKey[1] is
// the old one-element trailing-array idiom for variable-length data:
// presumably cbKey bytes follow the header, so sizeof(PctPublicKey) does
// not cover the key. Left as is because the layout is a legacy interface.
typedef struct _PctPublicKey
{
    DWORD Type;     // key type; values not described here
    DWORD cbKey;    // byte count of the key data
    UCHAR pKey[1];  // first byte of the key data
} PctPublicKey;
// Decoded certificate produced by SslCrackCertificate and released by
// SslFreeCertificate (both below). The string encoding of the name
// fields is not described here.
typedef struct _X509Certificate {
    DWORD Version;              // certificate version
    DWORD SerialNumber[4];      // serial number, 4 DWORDs
    ALG_ID SignatureAlgorithm;  // signature algorithm
    FILETIME ValidFrom;         // start of validity period
    FILETIME ValidUntil;        // end of validity period
    PSTR pszIssuer;             // issuer name
    PSTR pszSubject;            // subject name
    PctPublicKey *pPublicKey;   // subject public key
} X509Certificate, * PX509Certificate;
// Pre NT4.0 SP2 calls. Call CAPI1 or CAPI2
// to get the same functionality instead.
// Generates a key pair for the credential at pCerts; pszDN and pszPassword
// presumably become the subject name and the key-protection password
// (confirm), Bits the key size. Returns a BOOL success indication.
BOOL
SslGenerateKeyPair(
    PSSL_CREDENTIAL_CERTIFICATE pCerts,
    PSTR pszDN,
    PSTR pszPassword,
    DWORD Bits );
// Pre NT4.0 SP2 calls. Call CAPI1 or CAPI2
// to get the same functionality instead.
// Fills cRandomData bytes at pRandomData. NOTE(review): the count is a
// signed LONG; how a negative value is treated is not stated here.
VOID
SslGenerateRandomBits(
    PUCHAR pRandomData,
    LONG cRandomData
    );
// Pre NT4.0 SP2 calls. Call CAPI1 or CAPI2
// to get the same functionality instead.
// Decodes the cbCertificate bytes at pbCertificate into a newly allocated
// X509Certificate returned through *ppCertificate, which the caller
// releases with SslFreeCertificate. The meaning of dwFlags is not stated
// here. NOTE(review): the SSL_CRACK_CERTIFICATE_FN typedef at the end of
// this file declares this parameter as BOOL VerifySignature and adds
// WINAPI — confirm which signature the exported function implements.
BOOL
SslCrackCertificate(
    PUCHAR pbCertificate,
    DWORD cbCertificate,
    DWORD dwFlags,
    PX509Certificate * ppCertificate
    );
// Pre NT4.0 SP2 calls. Call CAPI1 or CAPI2
// to get the same functionality instead.
// Releases an X509Certificate obtained from SslCrackCertificate.
VOID
SslFreeCertificate(
    PX509Certificate pCertificate
    );
// Returns the maximum key size; the unit is not stated here. Reserved
// presumably must be zero — confirm. Note this is the only prototype in
// this group declared WINAPI.
DWORD
WINAPI
SslGetMaximumKeySize(
    DWORD Reserved );
// Copies the default issuer list into pbIssuers. pcbIssuers is presumably
// the buffer size on input and the required/written size on output
// (confirm); the encoding of the list is not described here.
BOOL
SslGetDefaultIssuers(
    PBYTE pbIssuers,
    DWORD *pcbIssuers);
// Exported-function names as strings (TEXT() follows the UNICODE setting),
// presumably for resolving the entry points at run time — confirm.
#define SSL_CRACK_CERTIFICATE_NAME TEXT("SslCrackCertificate")
#define SSL_FREE_CERTIFICATE_NAME TEXT("SslFreeCertificate")
// Pre NT4.0 SP2 calls. Call CAPI1 or CAPI2
// to get the same functionality instead.
// Pointer type for SslCrackCertificate.
// NOTE(review): this does not match the SslCrackCertificate prototype
// above: it adds WINAPI and declares the third parameter as
// BOOL VerifySignature where the prototype has DWORD dwFlags. Confirm
// which the exported function implements before calling through a
// pointer of this type.
typedef BOOL
(WINAPI * SSL_CRACK_CERTIFICATE_FN)
(
    PUCHAR pbCertificate,
    DWORD cbCertificate,
    BOOL VerifySignature,
    PX509Certificate * ppCertificate
);
// Pre NT4.0 SP2 calls. Call CAPI1 or CAPI2
// to get the same functionality instead.
// Pointer type for SslFreeCertificate (declared WINAPI here, unlike the
// prototype above).
typedef VOID
(WINAPI * SSL_FREE_CERTIFICATE_FN)
(
    PX509Certificate pCertificate
);
  548. #endif //__SCHANNEL_H__