//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992-1999.
//
// File: schannel.h
//
// Contents: Public Definitions for SCHANNEL Security Provider
//
// Classes:
//
// Functions:
//
//----------------------------------------------------------------------------
#ifndef __SCHANNEL_H__
#define __SCHANNEL_H__
#if _MSC_VER > 1000
#pragma once
#endif
#include <wincrypt.h>
//
// Security package names.
//
// Security package names understood by the SSPI layer. Each name has an
// ANSI ("_A") and a wide-character ("_W") spelling.
#define UNISP_NAME_A "Microsoft Unified Security Protocol Provider"
#define UNISP_NAME_W L"Microsoft Unified Security Protocol Provider"
#define SSL2SP_NAME_A "Microsoft SSL 2.0"
#define SSL2SP_NAME_W L"Microsoft SSL 2.0"
#define SSL3SP_NAME_A "Microsoft SSL 3.0"
#define SSL3SP_NAME_W L"Microsoft SSL 3.0"
#define TLS1SP_NAME_A "Microsoft TLS 1.0"
#define TLS1SP_NAME_W L"Microsoft TLS 1.0"
#define PCT1SP_NAME_A "Microsoft PCT 1.0"
#define PCT1SP_NAME_W L"Microsoft PCT 1.0"
#define SCHANNEL_NAME_A "Schannel"
#define SCHANNEL_NAME_W L"Schannel"
// Select the narrow or wide spelling to match the build's UNICODE setting,
// following the usual Win32 TEXT() convention.
#ifdef UNICODE
#define UNISP_NAME UNISP_NAME_W
#define PCT1SP_NAME PCT1SP_NAME_W
#define SSL2SP_NAME SSL2SP_NAME_W
#define SSL3SP_NAME SSL3SP_NAME_W
#define TLS1SP_NAME TLS1SP_NAME_W
#define SCHANNEL_NAME SCHANNEL_NAME_W
#else
#define UNISP_NAME UNISP_NAME_A
#define PCT1SP_NAME PCT1SP_NAME_A
#define SSL2SP_NAME SSL2SP_NAME_A
#define SSL3SP_NAME SSL3SP_NAME_A
#define TLS1SP_NAME TLS1SP_NAME_A
#define SCHANNEL_NAME SCHANNEL_NAME_A
#endif
// TLS SignatureAlgorithm code points. These are the values carried in the
// upper byte of each WORD in SecPkgContext_SupportedSignatures.
enum eTlsSignatureAlgorithm
{
TlsSignatureAlgorithm_Anonymous = 0,
TlsSignatureAlgorithm_Rsa = 1,
TlsSignatureAlgorithm_Dsa = 2,
TlsSignatureAlgorithm_Ecdsa = 3
};
// TLS HashAlgorithm code points. These are the values carried in the
// lower byte of each WORD in SecPkgContext_SupportedSignatures.
// Md5 and Sha1 are listed for wire compatibility only; neither is a
// suitable choice for new signatures.
enum eTlsHashAlgorithm
{
TlsHashAlgorithm_None = 0,
TlsHashAlgorithm_Md5 = 1,
TlsHashAlgorithm_Sha1 = 2,
TlsHashAlgorithm_Sha224 = 3,
TlsHashAlgorithm_Sha256 = 4,
TlsHashAlgorithm_Sha384 = 5,
TlsHashAlgorithm_Sha512 = 6
};
//
// RPC constants.
//
// RPC identifier of the unified provider.
#define UNISP_RPC_ID 14
//
// QueryContextAttributes/QueryCredentialsAttribute extensions
//
// Attribute identifiers accepted by QueryContextAttributes /
// QueryCredentialsAttributes for this package. The trailing comment on
// each line names the structure written to (or, for "sets", read from)
// the caller's buffer. 0x50-0x52 are kept for backward compatibility only.
// NOTE(review): buffers returned through these attributes are owned by
// the caller afterwards; the header only documents the release rule for
// SECPKG_ATTR_REMOTE_CERTIFICATES (FreeContextBuffer, see below) — confirm
// the release rule for the others against the SSPI documentation.
#define SECPKG_ATTR_ISSUER_LIST 0x50 // (OBSOLETE) returns SecPkgContext_IssuerListInfo
#define SECPKG_ATTR_REMOTE_CRED 0x51 // (OBSOLETE) returns SecPkgContext_RemoteCredentialInfo
#define SECPKG_ATTR_LOCAL_CRED 0x52 // (OBSOLETE) returns SecPkgContext_LocalCredentialInfo
#define SECPKG_ATTR_REMOTE_CERT_CONTEXT 0x53 // returns PCCERT_CONTEXT
#define SECPKG_ATTR_LOCAL_CERT_CONTEXT 0x54 // returns PCCERT_CONTEXT
#define SECPKG_ATTR_ROOT_STORE 0x55 // returns HCERTCONTEXT to the root store
#define SECPKG_ATTR_SUPPORTED_ALGS 0x56 // returns SecPkgCred_SupportedAlgs
#define SECPKG_ATTR_CIPHER_STRENGTHS 0x57 // returns SecPkgCred_CipherStrengths
#define SECPKG_ATTR_SUPPORTED_PROTOCOLS 0x58 // returns SecPkgCred_SupportedProtocols
#define SECPKG_ATTR_ISSUER_LIST_EX 0x59 // returns SecPkgContext_IssuerListInfoEx
#define SECPKG_ATTR_CONNECTION_INFO 0x5a // returns SecPkgContext_ConnectionInfo
#define SECPKG_ATTR_EAP_KEY_BLOCK 0x5b // returns SecPkgContext_EapKeyBlock (raw key material)
#define SECPKG_ATTR_MAPPED_CRED_ATTR 0x5c // returns SecPkgContext_MappedCredAttr
#define SECPKG_ATTR_SESSION_INFO 0x5d // returns SecPkgContext_SessionInfo
#define SECPKG_ATTR_APP_DATA 0x5e // sets/returns SecPkgContext_SessionAppData
#define SECPKG_ATTR_REMOTE_CERTIFICATES 0x5F // returns SecPkgContext_Certificates
#define SECPKG_ATTR_CLIENT_CERT_POLICY 0x60 // sets SecPkgCred_ClientCertCtlPolicy
#define SECPKG_ATTR_CC_POLICY_RESULT 0x61 // returns SecPkgContext_ClientCertPolicyResult
#define SECPKG_ATTR_USE_NCRYPT 0x62 // Sets the CRED_FLAG_USE_NCRYPT_PROVIDER FLAG on cred group
#define SECPKG_ATTR_LOCAL_CERT_INFO 0x63 // returns SecPkgContext_CertInfo
#define SECPKG_ATTR_CIPHER_INFO 0x64 // returns new CNG SecPkgContext_CipherInfo
#define SECPKG_ATTR_EAP_PRF_INFO 0x65 // sets SecPkgContext_EapPrfInfo
#define SECPKG_ATTR_SUPPORTED_SIGNATURES 0x66 // returns SecPkgContext_SupportedSignatures
// OBSOLETE - included here for backward compatibility only
// Legacy result of SECPKG_ATTR_REMOTE_CRED: the peer's certificate chain as
// a raw byte buffer. Superseded by SECPKG_ATTR_REMOTE_CERT_CONTEXT /
// SECPKG_ATTR_REMOTE_CERTIFICATES.
typedef struct _SecPkgContext_RemoteCredentialInfo
{
DWORD cbCertificateChain; // size in bytes of pbCertificateChain
PBYTE pbCertificateChain; // raw chain data (encoding not specified here)
DWORD cCertificates; // number of certificates in the chain
DWORD fFlags; // presumably RCRED_* values (see below) — confirm
DWORD dwBits;
} SecPkgContext_RemoteCredentialInfo, *PSecPkgContext_RemoteCredentialInfo;
// Misspelled alias ("Credenital") retained so existing callers keep
// compiling; new code should use the correctly spelled name.
typedef SecPkgContext_RemoteCredentialInfo SecPkgContext_RemoteCredenitalInfo, *PSecPkgContext_RemoteCredenitalInfo;
// Remote-credential status values (NOCRED is the absence of any flag).
#define RCRED_STATUS_NOCRED 0x00000000
#define RCRED_CRED_EXISTS 0x00000001
#define RCRED_STATUS_UNKNOWN_ISSUER 0x00000002
// OBSOLETE - included here for backward compatibility only
// Legacy result of SECPKG_ATTR_LOCAL_CRED: the local certificate chain as a
// raw byte buffer. Same layout as SecPkgContext_RemoteCredentialInfo.
// Superseded by SECPKG_ATTR_LOCAL_CERT_CONTEXT.
typedef struct _SecPkgContext_LocalCredentialInfo
{
DWORD cbCertificateChain; // size in bytes of pbCertificateChain
PBYTE pbCertificateChain; // raw chain data (encoding not specified here)
DWORD cCertificates; // number of certificates in the chain
DWORD fFlags; // presumably LCRED_* values (see below) — confirm
DWORD dwBits;
} SecPkgContext_LocalCredentialInfo, *PSecPkgContext_LocalCredentialInfo;
// Misspelled alias ("Credenital") retained for source compatibility.
typedef SecPkgContext_LocalCredentialInfo SecPkgContext_LocalCredenitalInfo, *PSecPkgContext_LocalCredenitalInfo;
// Local-credential status values (NOCRED is the absence of any flag).
#define LCRED_STATUS_NOCRED 0x00000000
#define LCRED_CRED_EXISTS 0x00000001
#define LCRED_STATUS_UNKNOWN_ISSUER 0x00000002
// Result of SECPKG_ATTR_SUPPORTED_ALGS: the CAPI algorithm identifiers a
// credential handle supports.
typedef struct _SecPkgCred_SupportedAlgs
{
DWORD cSupportedAlgs; // number of entries in palgSupportedAlgs
ALG_ID *palgSupportedAlgs; // array of cSupportedAlgs ALG_ID values
} SecPkgCred_SupportedAlgs, *PSecPkgCred_SupportedAlgs;
// Result of SECPKG_ATTR_CIPHER_STRENGTHS: the cipher-strength bounds a
// credential handle will negotiate (units not stated in this header;
// presumably key bits, matching SCHANNEL_CRED's fields of the same name).
typedef struct _SecPkgCred_CipherStrengths
{
DWORD dwMinimumCipherStrength;
DWORD dwMaximumCipherStrength;
} SecPkgCred_CipherStrengths, *PSecPkgCred_CipherStrengths;
// Result of SECPKG_ATTR_SUPPORTED_PROTOCOLS: bit mask of the protocol
// versions a credential handle may use. Presumably an SP_PROT_* mask (see
// the protocol flags further down) — confirm.
typedef struct _SecPkgCred_SupportedProtocols
{
DWORD grbitProtocol;
} SecPkgCred_SupportedProtocols, *PSecPkgCred_SupportedProtocols;
// Input for SECPKG_ATTR_CLIENT_CERT_POLICY: parameters for validating a
// received client certificate against a certificate trust list (CTL).
// NOTE(review): the attribute table above names the type
// SecPkgCred_ClientCertCtlPolicy; this header only defines
// SecPkgCred_ClientCertPolicy — presumably the same structure.
typedef struct _SecPkgCred_ClientCertPolicy
{
DWORD dwFlags;
GUID guidPolicyId;
DWORD dwCertFlags;
DWORD dwUrlRetrievalTimeout; // timeout for network retrievals during chain building (units not stated)
BOOL fCheckRevocationFreshnessTime;
DWORD dwRevocationFreshnessTime; // only consulted when fCheckRevocationFreshnessTime is set (presumably)
BOOL fOmitUsageCheck; // setting this skips a usage check; review any code that sets it
LPWSTR pwszSslCtlStoreName;
LPWSTR pwszSslCtlIdentifier;
} SecPkgCred_ClientCertPolicy, *PSecPkgCred_ClientCertPolicy;
// Result of SECPKG_ATTR_CC_POLICY_RESULT: outcome of applying the client
// certificate policy identified by guidPolicyId.
typedef struct _SecPkgContext_ClientCertPolicyResult
{
HRESULT dwPolicyResult; // HRESULT despite the "dw" prefix; test with SUCCEEDED/FAILED
GUID guidPolicyId; // matches SecPkgCred_ClientCertPolicy.guidPolicyId
} SecPkgContext_ClientCertPolicyResult, *PSecPkgContext_ClientCertPolicyResult;
// Result of SECPKG_ATTR_ISSUER_LIST_EX: the issuer names the server
// accepts for client certificates, as an array of encoded name blobs.
typedef struct _SecPkgContext_IssuerListInfoEx
{
PCERT_NAME_BLOB aIssuers; // array of cIssuers name blobs
DWORD cIssuers; // number of entries in aIssuers
} SecPkgContext_IssuerListInfoEx, *PSecPkgContext_IssuerListInfoEx;
// Result of SECPKG_ATTR_CONNECTION_INFO: the negotiated protocol and
// algorithms of an established context, expressed as CAPI ALG_IDs. The
// newer SecPkgContext_CipherInfo carries the CNG view of the same data.
typedef struct _SecPkgContext_ConnectionInfo
{
DWORD dwProtocol; // presumably one SP_PROT_* value — confirm
ALG_ID aiCipher; // bulk cipher
DWORD dwCipherStrength; // units not stated; presumably key bits
ALG_ID aiHash; // MAC / hash algorithm
DWORD dwHashStrength;
ALG_ID aiExch; // key exchange algorithm
DWORD dwExchStrength;
} SecPkgContext_ConnectionInfo, *PSecPkgContext_ConnectionInfo;
// Capacity (in WCHARs, including the terminator) of the algorithm-name
// fields in SecPkgContext_CipherInfo.
#define SZ_ALG_MAX_SIZE 64
// Value expected in SecPkgContext_CipherInfo.dwVersion.
#define SECPKGCONTEXT_CIPHERINFO_V1 1
// Result of SECPKG_ATTR_CIPHER_INFO: CNG-style description of the
// negotiated cipher suite. Name fields are fixed-size WCHAR buffers of
// SZ_ALG_MAX_SIZE elements; treat them as possibly unterminated when
// copying out unless the producer guarantees otherwise.
typedef struct _SecPkgContext_CipherInfo
{
DWORD dwVersion; // SECPKGCONTEXT_CIPHERINFO_V1
DWORD dwProtocol;
DWORD dwCipherSuite;
DWORD dwBaseCipherSuite;
WCHAR szCipherSuite[SZ_ALG_MAX_SIZE];
WCHAR szCipher[SZ_ALG_MAX_SIZE];
DWORD dwCipherLen; // units not stated; presumably key bits
DWORD dwCipherBlockLen; // in bytes
WCHAR szHash[SZ_ALG_MAX_SIZE];
DWORD dwHashLen;
WCHAR szExchange[SZ_ALG_MAX_SIZE];
DWORD dwMinExchangeLen;
DWORD dwMaxExchangeLen;
WCHAR szCertificate[SZ_ALG_MAX_SIZE];
DWORD dwKeyType;
} SecPkgContext_CipherInfo, *PSecPkgContext_CipherInfo;
// Result of SECPKG_ATTR_EAP_KEY_BLOCK: exported keying material for EAP.
// This is secret key material — keep it off long-lived heap copies and
// zeroize the buffer once it has been consumed.
typedef struct _SecPkgContext_EapKeyBlock
{
BYTE rgbKeys[128]; // 128 bytes of key material
BYTE rgbIVs[64]; // 64 bytes of IV material
} SecPkgContext_EapKeyBlock, *PSecPkgContext_EapKeyBlock;
// Result of SECPKG_ATTR_MAPPED_CRED_ATTR: an attribute of the mapped
// credential. The meaning of dwAttribute and the type behind pvBuffer are
// not defined in this header.
typedef struct _SecPkgContext_MappedCredAttr
{
DWORD dwAttribute;
PVOID pvBuffer;
} SecPkgContext_MappedCredAttr, *PSecPkgContext_MappedCredAttr;
// Flag values for SecPkgContext_SessionInfo
#define SSL_SESSION_RECONNECT 1 // set when the context was established by resuming a session
// Result of SECPKG_ATTR_SESSION_INFO: the session identifier and whether
// the context was resumed (SSL_SESSION_RECONNECT in dwFlags).
typedef struct _SecPkgContext_SessionInfo
{
DWORD dwFlags; // SSL_SESSION_RECONNECT
DWORD cbSessionId; // number of valid bytes in rgbSessionId (at most 32)
BYTE rgbSessionId[32];
} SecPkgContext_SessionInfo, *PSecPkgContext_SessionInfo;
// Input/output for SECPKG_ATTR_APP_DATA: caller-defined data attached to
// the session. The SAL annotation ties the buffer length to cbAppData.
typedef struct _SecPkgContext_SessionAppData
{
DWORD dwFlags;
DWORD cbAppData; // size in bytes of pbAppData
__field_bcount(cbAppData) PBYTE pbAppData;
} SecPkgContext_SessionAppData, *PSecPkgContext_SessionAppData;
// Input for SECPKG_ATTR_EAP_PRF_INFO: PRF parameters used to derive the
// EAP key block. The SAL annotation ties the buffer length to cbPrfData.
typedef struct _SecPkgContext_EapPrfInfo
{
DWORD dwVersion;
DWORD cbPrfData; // size in bytes of pbPrfData
__field_bcount(cbPrfData) PBYTE pbPrfData;
} SecPkgContext_EapPrfInfo, *PSecPkgContext_EapPrfInfo;
// Result of SECPKG_ATTR_SUPPORTED_SIGNATURES: the signature/hash pairs the
// context accepts, one 16-bit value per pair in the TLS 1.2
// SignatureAndHashAlgorithm layout.
typedef struct _SecPkgContext_SupportedSignatures
{
WORD cSignatureAndHashAlgorithms; // number of entries in pSignatureAndHashAlgorithms
//
// Each WORD packs two one-byte TLS 1.2 code points. (The original
// comment cited RFC 4346, which is TLS 1.1; the SignatureAndHashAlgorithm
// structure is defined by TLS 1.2, RFC 5246.)
//
// Upper byte:
// enum {
// anonymous(0), rsa(1), dsa(2), ecdsa(3), (255)
// } SignatureAlgorithm;
//
// i.e. enum eTlsSignatureAlgorithm
//
// Lower byte:
// enum {
// none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
// sha512(6), (255)
// } HashAlgorithm;
//
// i.e. enum eTlsHashAlgorithm
__field_ecount(cSignatureAndHashAlgorithms)
WORD *pSignatureAndHashAlgorithms;
} SecPkgContext_SupportedSignatures, *PSecPkgContext_SupportedSignatures;
//
// This property returns the raw binary certificates that were received
// from the remote party. The format of the buffer that's returned is as
// follows.
//
// <4 bytes> length of certificate #1
// <n bytes> certificate #1
// <4 bytes> length of certificate #2
// <n bytes> certificate #2
// ...
//
// After this data is processed, the caller of QueryContextAttributes
// must free the pbCertificateChain buffer using FreeContextBuffer.
//
// Result of SECPKG_ATTR_REMOTE_CERTIFICATES: the peer's certificates as a
// sequence of <4-byte length><certificate bytes> records (see the layout
// described above). The buffer comes from the remote party: when walking
// it, check each 4-byte length against the bytes remaining in
// cbCertificateChain before reading the certificate that follows. The
// caller releases pbCertificateChain with FreeContextBuffer.
typedef struct _SecPkgContext_Certificates
{
DWORD cCertificates; // number of <length, certificate> records in the buffer
DWORD cbCertificateChain; // total size in bytes of pbCertificateChain
PBYTE pbCertificateChain; // packed records; free with FreeContextBuffer
} SecPkgContext_Certificates, *PSecPkgContext_Certificates;
//
// This property returns information about a certificate. In particular
// it is useful (and only available) in the kernel where CAPI2 is not
// available.
//
// Result of SECPKG_ATTR_LOCAL_CERT_INFO: a minimal description of the
// local certificate for kernel-mode callers that cannot use CAPI2.
typedef struct _SecPkgContext_CertInfo
{
DWORD dwVersion; // KERN_CONTEXT_CERT_INFO_V1
DWORD cbSubjectName; // size in bytes of the pwszSubjectName buffer
LPWSTR pwszSubjectName;
DWORD cbIssuerName; // size in bytes of the pwszIssuerName buffer
LPWSTR pwszIssuerName;
DWORD dwKeySize; // units not stated; presumably bits
} SecPkgContext_CertInfo, *PSecPkgContext_CertInfo;
// Version value for SecPkgContext_CertInfo.dwVersion.
#define KERN_CONTEXT_CERT_INFO_V1 0x00000000
//
// Schannel credentials data structure.
//
// Version numbers for the credential structures. SCHANNEL_CRED.dwVersion
// must be SCHANNEL_CRED_VERSION; SCH_CRED_V1..V3 / SCH_CRED_VERSION belong
// to the legacy SCH_CRED structure further down.
#define SCH_CRED_V1 0x00000001
#define SCH_CRED_V2 0x00000002 // for legacy code
#define SCH_CRED_VERSION 0x00000002 // for legacy code
#define SCH_CRED_V3 0x00000003 // for legacy code
#define SCHANNEL_CRED_VERSION 0x00000004
// Opaque credential-mapper handle type; only ever used through pointers.
struct _HMAPPER;
// Credential description passed to AcquireCredentialsHandle for the
// Schannel package. Count/array pairs (cCreds/paCred, cMappers/aphMappers,
// cSupportedAlgs/palgSupportedAlgs) describe caller-owned arrays.
// dwFlags takes the SCH_CRED_* flags documented below; note that
// SCH_CRED_MANUAL_CRED_VALIDATION and SCH_CRED_NO_SERVERNAME_CHECK switch
// off automatic chain validation / name matching, so any code setting them
// must perform that validation itself.
typedef struct _SCHANNEL_CRED
{
DWORD dwVersion; // always SCHANNEL_CRED_VERSION
DWORD cCreds; // number of entries in paCred
PCCERT_CONTEXT *paCred; // certificates (with private keys) to present
HCERTSTORE hRootStore; // store of trusted roots used for chain validation
DWORD cMappers; // number of entries in aphMappers
struct _HMAPPER **aphMappers; // certificate-to-account mappers
DWORD cSupportedAlgs; // number of entries in palgSupportedAlgs
ALG_ID * palgSupportedAlgs; // ALG_IDs the credential may negotiate; presumably bounded by SCH_CRED_MAX_SUPPORTED_ALGS
DWORD grbitEnabledProtocols; // presumably an SP_PROT_* mask — confirm; legacy SSL2/SSL3/PCT bits are a downgrade risk
DWORD dwMinimumCipherStrength; // units not stated; presumably key bits
DWORD dwMaximumCipherStrength;
DWORD dwSessionLifespan; // units not stated in this header
DWORD dwFlags; // SCH_CRED_* flags
DWORD dwCredFormat; // SCH_CRED_FORMAT_* (interpretation of paCred)
} SCHANNEL_CRED, *PSCHANNEL_CRED;
// Values for SCHANNEL_CRED dwCredFormat field. They select whether paCred
// holds PCCERT_CONTEXT pointers (the default) or, for the HASH forms,
// SCHANNEL_CERT_HASH / SCHANNEL_CERT_HASH_STORE records (presumably).
#define SCH_CRED_FORMAT_CERT_CONTEXT 0x00000000
#define SCH_CRED_FORMAT_CERT_HASH 0x00000001
#define SCH_CRED_FORMAT_CERT_HASH_STORE 0x00000002
// Fixed limits: store-name capacity (WCHARs) and the maximum number of
// algorithms / certificates a credential may carry.
#define SCH_CRED_MAX_STORE_NAME_SIZE 128
#define SCH_CRED_MAX_SUPPORTED_ALGS 256
#define SCH_CRED_MAX_SUPPORTED_CERTS 100
// Credential identified by a 20-byte (SHA-1-sized) certificate hash rather
// than a certificate context; used with SCH_CRED_FORMAT_CERT_HASH.
typedef struct _SCHANNEL_CERT_HASH
{
DWORD dwLength; // presumably sizeof(SCHANNEL_CERT_HASH) — confirm
DWORD dwFlags; // SCH_MACHINE_CERT_HASH
HCRYPTPROV hProv; // CSP handle holding the matching private key
BYTE ShaHash[20];
} SCHANNEL_CERT_HASH, *PSCHANNEL_CERT_HASH;
// SCHANNEL_CERT_HASH extended with the name of the store to search; used
// with SCH_CRED_FORMAT_CERT_HASH_STORE. The leading fields mirror
// SCHANNEL_CERT_HASH exactly, so dwLength can distinguish the two.
typedef struct _SCHANNEL_CERT_HASH_STORE
{
DWORD dwLength; // presumably sizeof(SCHANNEL_CERT_HASH_STORE) — confirm
DWORD dwFlags; // SCH_MACHINE_CERT_HASH
HCRYPTPROV hProv;
BYTE ShaHash[20];
WCHAR pwszStoreName[SCH_CRED_MAX_STORE_NAME_SIZE]; // NUL-terminated store name, 128 WCHARs max
} SCHANNEL_CERT_HASH_STORE, *PSCHANNEL_CERT_HASH_STORE;
// Values for SCHANNEL_CERT_HASH dwFlags field (also used by
// SCHANNEL_CERT_HASH_STORE, which shares the field).
#define SCH_MACHINE_CERT_HASH 0x00000001 // look the hash up in the machine store rather than the user's
//+-------------------------------------------------------------------------
// Flags for use with SCHANNEL_CRED
//
// SCH_CRED_NO_SYSTEM_MAPPER
// This flag is intended for use by server applications only. If this
// flag is set, then schannel does *not* attempt to map received client
// certificate chains to an NT user account using the built-in system
// certificate mapper. This flag is ignored by non-NT5 versions of
// schannel.
//
// SCH_CRED_NO_SERVERNAME_CHECK
// This flag is intended for use by client applications only. If this
// flag is set, then when schannel validates the received server
// certificate chain, it does *not* compare the passed-in target name
// with the subject name embedded in the certificate. This flag is
// ignored by non-NT5 versions of schannel. This flag is also ignored
// if the SCH_CRED_MANUAL_CRED_VALIDATION flag is set.
//
// SCH_CRED_MANUAL_CRED_VALIDATION
// This flag is intended for use by client applications only. If this
// flag is set, then schannel will *not* automatically attempt to
// validate the received server certificate chain. This flag is
// ignored by non-NT5 versions of schannel, but all client applications
// that wish to validate the certificate chain themselves should
// specify this flag, so that there's at least a chance they'll run
// correctly on NT5.
//
// SCH_CRED_NO_DEFAULT_CREDS
// This flag is intended for use by client applications only. If this
// flag is set, and the server requests client authentication, then
// schannel will *not* attempt to automatically acquire a suitable
// default client certificate chain. This flag is ignored by non-NT5
// versions of schannel, but all client applications that wish to
// manually specify their certificate chains should specify this flag,
// so that there's at least a chance they'll run correctly on NT5.
//
// SCH_CRED_AUTO_CRED_VALIDATION
// This flag is the opposite of SCH_CRED_MANUAL_CRED_VALIDATION.
// Conservatively written client applications will always specify one
// flag or the other.
//
// SCH_CRED_USE_DEFAULT_CREDS
// This flag is the opposite of SCH_CRED_NO_DEFAULT_CREDS.
// Conservatively written client applications will always specify one
// flag or the other.
//
// SCH_CRED_DISABLE_RECONNECTS
// This flag is intended for use by server applications only. If this
// flag is set, then full handshakes performed with this credential
// will not be marked suitable for reconnects. A cache entry will still
// be created, however, so the session can be made resumable later
// via a call to ApplyControlToken.
//
//
// SCH_CRED_REVOCATION_CHECK_END_CERT
// SCH_CRED_REVOCATION_CHECK_CHAIN
// SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
// These flags specify that when schannel automatically validates a
// received certificate chain, some or all of the certificates are to
// be checked for revocation. Only one of these flags may be specified.
// See the CertGetCertificateChain function. These flags are ignored by
// non-NT5 versions of schannel.
//
// SCH_CRED_IGNORE_NO_REVOCATION_CHECK
// SCH_CRED_IGNORE_REVOCATION_OFFLINE
// These flags instruct schannel to ignore the
// CRYPT_E_NO_REVOCATION_CHECK and CRYPT_E_REVOCATION_OFFLINE errors
// respectively if they are encountered when attempting to check the
// revocation status of a received certificate chain. These flags are
// ignored if none of the above flags are set.
//
// SCH_CRED_CACHE_ONLY_URL_RETRIEVAL_ON_CREATE
// This flag instructs schannel to pass CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL
// flags to CertGetCertificateChain when validating the specified
// credentials during a call to AcquireCredentialsHandle. The default for
// vista is to not specify CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL. Use
// SCH_CRED_CACHE_ONLY_URL_RETRIEVAL_ON_CREATE to override this behavior.
// NOTE: Prior to Vista, this flag (CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL) was
// specified by default.
//
// SCH_SEND_ROOT_CERT
// This flag instructs schannel to send the root cert as part of the
// certificate message.
//+-------------------------------------------------------------------------
// Bit values for SCHANNEL_CRED.dwFlags; see the description block above.
// Bit 0x00000001 is not assigned here. The four flags from 0x00002000 to
// 0x00010000 (RESTRICTED_ROOTS, REVOCATION_CHECK_CACHE_ONLY,
// CACHE_ONLY_URL_RETRIEVAL, MEMORY_STORE_CERT) have no description in
// that block.
#define SCH_CRED_NO_SYSTEM_MAPPER 0x00000002
#define SCH_CRED_NO_SERVERNAME_CHECK 0x00000004 // client: skips target-name vs. certificate-subject check
#define SCH_CRED_MANUAL_CRED_VALIDATION 0x00000008 // client: disables automatic chain validation; caller must validate
#define SCH_CRED_NO_DEFAULT_CREDS 0x00000010
#define SCH_CRED_AUTO_CRED_VALIDATION 0x00000020 // opposite of MANUAL_CRED_VALIDATION
#define SCH_CRED_USE_DEFAULT_CREDS 0x00000040 // opposite of NO_DEFAULT_CREDS
#define SCH_CRED_DISABLE_RECONNECTS 0x00000080
#define SCH_CRED_REVOCATION_CHECK_END_CERT 0x00000100 // revocation flags: at most one of the next three
#define SCH_CRED_REVOCATION_CHECK_CHAIN 0x00000200
#define SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x00000400
#define SCH_CRED_IGNORE_NO_REVOCATION_CHECK 0x00000800 // only meaningful with a REVOCATION_CHECK_* flag
#define SCH_CRED_IGNORE_REVOCATION_OFFLINE 0x00001000 // only meaningful with a REVOCATION_CHECK_* flag
#define SCH_CRED_RESTRICTED_ROOTS 0x00002000
#define SCH_CRED_REVOCATION_CHECK_CACHE_ONLY 0x00004000
#define SCH_CRED_CACHE_ONLY_URL_RETRIEVAL 0x00008000
#define SCH_CRED_MEMORY_STORE_CERT 0x00010000
#define SCH_CRED_CACHE_ONLY_URL_RETRIEVAL_ON_CREATE 0x00020000
#define SCH_SEND_ROOT_CERT 0x00040000
//
//
// ApplyControlToken PkgParams types
//
// These identifiers are the DWORD types
// to be passed into ApplyControlToken
// through a PkgParams buffer.
// dwTokenType values for the ApplyControlToken PkgParams buffer. ALERT and
// SESSION expect the SCHANNEL_ALERT_TOKEN / SCHANNEL_SESSION_TOKEN
// structures defined below.
#define SCHANNEL_RENEGOTIATE 0 // renegotiate a connection
#define SCHANNEL_SHUTDOWN 1 // gracefully close down a connection
#define SCHANNEL_ALERT 2 // build an error message
#define SCHANNEL_SESSION 3 // session control
// Alert token structure.
// ApplyControlToken parameter that asks Schannel to build a TLS alert
// record. Alert types and messages are the TLS1_ALERT_* values below.
typedef struct _SCHANNEL_ALERT_TOKEN
{
DWORD dwTokenType; // SCHANNEL_ALERT
DWORD dwAlertType; // TLS1_ALERT_WARNING or TLS1_ALERT_FATAL
DWORD dwAlertNumber; // TLS1_ALERT_* message code
} SCHANNEL_ALERT_TOKEN;
// Alert types.
// Alert levels (SCHANNEL_ALERT_TOKEN.dwAlertType).
#define TLS1_ALERT_WARNING 1
#define TLS1_ALERT_FATAL 2
// Alert messages (SCHANNEL_ALERT_TOKEN.dwAlertNumber); the numeric values
// are the TLS AlertDescription code points. TLS1_ALERT_INSUFFIENT_SECURITY
// is misspelled in the shipped header and is kept as-is because callers
// depend on the identifier.
#define TLS1_ALERT_CLOSE_NOTIFY 0 // warning
#define TLS1_ALERT_UNEXPECTED_MESSAGE 10 // error
#define TLS1_ALERT_BAD_RECORD_MAC 20 // error
#define TLS1_ALERT_DECRYPTION_FAILED 21 // reserved
#define TLS1_ALERT_RECORD_OVERFLOW 22 // error
#define TLS1_ALERT_DECOMPRESSION_FAIL 30 // error
#define TLS1_ALERT_HANDSHAKE_FAILURE 40 // error
#define TLS1_ALERT_BAD_CERTIFICATE 42 // warning or error
#define TLS1_ALERT_UNSUPPORTED_CERT 43 // warning or error
#define TLS1_ALERT_CERTIFICATE_REVOKED 44 // warning or error
#define TLS1_ALERT_CERTIFICATE_EXPIRED 45 // warning or error
#define TLS1_ALERT_CERTIFICATE_UNKNOWN 46 // warning or error
#define TLS1_ALERT_ILLEGAL_PARAMETER 47 // error
#define TLS1_ALERT_UNKNOWN_CA 48 // error
#define TLS1_ALERT_ACCESS_DENIED 49 // error
#define TLS1_ALERT_DECODE_ERROR 50 // error
#define TLS1_ALERT_DECRYPT_ERROR 51 // error
#define TLS1_ALERT_EXPORT_RESTRICTION 60 // reserved
#define TLS1_ALERT_PROTOCOL_VERSION 70 // error
#define TLS1_ALERT_INSUFFIENT_SECURITY 71 // error (sic: "INSUFFIENT")
#define TLS1_ALERT_INTERNAL_ERROR 80 // error
#define TLS1_ALERT_USER_CANCELED 90 // warning or error
#define TLS1_ALERT_NO_RENEGOTIATION 100 // warning
#define TLS1_ALERT_UNSUPPORTED_EXT 110 // error
// Session control flags
// Values for SCHANNEL_SESSION_TOKEN.dwFlags: mark the session resumable or
// not (pairs with SCH_CRED_DISABLE_RECONNECTS, see above).
#define SSL_SESSION_ENABLE_RECONNECTS 1
#define SSL_SESSION_DISABLE_RECONNECTS 2
// Session control token structure.
// ApplyControlToken parameter that enables or disables reconnects
// (session resumption) for the current session.
typedef struct _SCHANNEL_SESSION_TOKEN
{
DWORD dwTokenType; // SCHANNEL_SESSION
DWORD dwFlags; // SSL_SESSION_ENABLE_RECONNECTS or SSL_SESSION_DISABLE_RECONNECTS
} SCHANNEL_SESSION_TOKEN;
// Hash to be signed for client authentication together with the thumbprint
// of the signing certificate. Not otherwise described in this header.
typedef struct _SCHANNEL_CLIENT_SIGNATURE
{
DWORD cbLength; // presumably sizeof(SCHANNEL_CLIENT_SIGNATURE) — confirm
ALG_ID aiHash; // hash algorithm of HashValue
DWORD cbHash; // number of valid bytes in HashValue (at most 36)
BYTE HashValue[36]; // 36 bytes = presumably the MD5+SHA-1 concatenation used by SSL3/TLS1.0 signatures — confirm
BYTE CertThumbprint[20]; // 20-byte (SHA-1-sized) certificate thumbprint
} SCHANNEL_CLIENT_SIGNATURE, *PSCHANNEL_CLIENT_SIGNATURE;
//
// Flags for identifying the various different protocols.
//
/* flag/identifiers for protocols we support */
// Protocol bit masks (one bit per protocol and role). PCT 1.0, SSL 2.0 and
// SSL 3.0 are legacy protocols (SSL 2.0 and 3.0 are prohibited by
// RFC 6176 / RFC 7568); enabling their bits permits a downgrade, so
// prefer the SP_PROT_TLS1_* masks in grbitEnabledProtocols.
#define SP_PROT_PCT1_SERVER 0x00000001
#define SP_PROT_PCT1_CLIENT 0x00000002
#define SP_PROT_PCT1 (SP_PROT_PCT1_SERVER | SP_PROT_PCT1_CLIENT)
#define SP_PROT_SSL2_SERVER 0x00000004
#define SP_PROT_SSL2_CLIENT 0x00000008
#define SP_PROT_SSL2 (SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT)
#define SP_PROT_SSL3_SERVER 0x00000010
#define SP_PROT_SSL3_CLIENT 0x00000020
#define SP_PROT_SSL3 (SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT)
#define SP_PROT_TLS1_SERVER 0x00000040
#define SP_PROT_TLS1_CLIENT 0x00000080
#define SP_PROT_TLS1 (SP_PROT_TLS1_SERVER | SP_PROT_TLS1_CLIENT)
#define SP_PROT_SSL3TLS1_CLIENTS (SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT)
#define SP_PROT_SSL3TLS1_SERVERS (SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER)
#define SP_PROT_SSL3TLS1 (SP_PROT_SSL3 | SP_PROT_TLS1)
// "UNI" = let the unified provider pick the protocol.
#define SP_PROT_UNI_SERVER 0x40000000
#define SP_PROT_UNI_CLIENT 0x80000000
#define SP_PROT_UNI (SP_PROT_UNI_SERVER | SP_PROT_UNI_CLIENT)
#define SP_PROT_ALL 0xffffffff
#define SP_PROT_NONE 0
// NOTE: SP_PROT_CLIENTS / SP_PROT_SERVERS predate TLS 1.1/1.2 and do not
// include those bits; use SP_PROT_X_CLIENTS / SP_PROT_X_SERVERS for the
// full sets.
#define SP_PROT_CLIENTS (SP_PROT_PCT1_CLIENT | SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_UNI_CLIENT | SP_PROT_TLS1_CLIENT)
#define SP_PROT_SERVERS (SP_PROT_PCT1_SERVER | SP_PROT_SSL2_SERVER | SP_PROT_SSL3_SERVER | SP_PROT_UNI_SERVER | SP_PROT_TLS1_SERVER)
// TLS 1.0 aliases of the SP_PROT_TLS1_* bits.
#define SP_PROT_TLS1_0_SERVER SP_PROT_TLS1_SERVER
#define SP_PROT_TLS1_0_CLIENT SP_PROT_TLS1_CLIENT
#define SP_PROT_TLS1_0 (SP_PROT_TLS1_0_SERVER | \
SP_PROT_TLS1_0_CLIENT)
#define SP_PROT_TLS1_1_SERVER 0x00000100
#define SP_PROT_TLS1_1_CLIENT 0x00000200
#define SP_PROT_TLS1_1 (SP_PROT_TLS1_1_SERVER | \
SP_PROT_TLS1_1_CLIENT)
#define SP_PROT_TLS1_2_SERVER 0x00000400
#define SP_PROT_TLS1_2_CLIENT 0x00000800
#define SP_PROT_TLS1_2 (SP_PROT_TLS1_2_SERVER | \
SP_PROT_TLS1_2_CLIENT)
// "1PLUS" = TLS 1.1 and 1.2; "1_X" = TLS 1.0, 1.1 and 1.2.
#define SP_PROT_TLS1_1PLUS_SERVER (SP_PROT_TLS1_1_SERVER | \
SP_PROT_TLS1_2_SERVER)
#define SP_PROT_TLS1_1PLUS_CLIENT (SP_PROT_TLS1_1_CLIENT | \
SP_PROT_TLS1_2_CLIENT)
#define SP_PROT_TLS1_1PLUS (SP_PROT_TLS1_1PLUS_SERVER | \
SP_PROT_TLS1_1PLUS_CLIENT)
#define SP_PROT_TLS1_X_SERVER (SP_PROT_TLS1_0_SERVER | \
SP_PROT_TLS1_1_SERVER | \
SP_PROT_TLS1_2_SERVER)
#define SP_PROT_TLS1_X_CLIENT (SP_PROT_TLS1_0_CLIENT | \
SP_PROT_TLS1_1_CLIENT | \
SP_PROT_TLS1_2_CLIENT)
#define SP_PROT_TLS1_X (SP_PROT_TLS1_X_SERVER | \
SP_PROT_TLS1_X_CLIENT)
#define SP_PROT_SSL3TLS1_X_CLIENTS (SP_PROT_TLS1_X_CLIENT | \
SP_PROT_SSL3_CLIENT)
#define SP_PROT_SSL3TLS1_X_SERVERS (SP_PROT_TLS1_X_SERVER | \
SP_PROT_SSL3_SERVER)
#define SP_PROT_SSL3TLS1_X (SP_PROT_SSL3 | SP_PROT_TLS1_X)
#define SP_PROT_X_CLIENTS (SP_PROT_CLIENTS | \
SP_PROT_TLS1_X_CLIENT)
#define SP_PROT_X_SERVERS (SP_PROT_SERVERS | \
SP_PROT_TLS1_X_SERVER)
//
// Helper function used to flush the SSL session cache.
//
// Flushes the SSL session cache (see above). pszTargetName selects the
// entries to drop; whether NULL means "all targets" and what dwFlags
// accepts are not specified in this header. Function-pointer typedefs are
// provided for callers that resolve the export dynamically.
typedef BOOL
(WINAPI * SSL_EMPTY_CACHE_FN_A)(
LPSTR pszTargetName,
DWORD dwFlags);
BOOL
WINAPI
SslEmptyCacheA(__in LPSTR pszTargetName,
__in DWORD dwFlags);
// Wide-character variant of the above.
typedef BOOL
(WINAPI * SSL_EMPTY_CACHE_FN_W)(
LPWSTR pszTargetName,
DWORD dwFlags);
BOOL
WINAPI
SslEmptyCacheW(__in LPWSTR pszTargetName,
__in DWORD dwFlags);
// Select the variant matching the build's UNICODE setting.
#ifdef UNICODE
#define SSL_EMPTY_CACHE_FN SSL_EMPTY_CACHE_FN_W
#define SslEmptyCache SslEmptyCacheW
#else
#define SSL_EMPTY_CACHE_FN SSL_EMPTY_CACHE_FN_A
#define SslEmptyCache SslEmptyCacheA
#endif
// Structures for compatibility with the
// NT 4.0 SP2 / IE 3.0 schannel interface, do
// not use.
// Legacy (NT 4.0 SP2 / IE 3.0) credential: a private key, its certificate
// and the password protecting the key, all as caller-owned buffers.
// Do not use in new code. If it must be populated, the password and key
// bytes are secrets: keep them out of logs and zeroize them after use.
typedef struct _SSL_CREDENTIAL_CERTIFICATE {
DWORD cbPrivateKey; // size in bytes of pPrivateKey
PBYTE pPrivateKey; // private key (encoding not stated here; presumably DER, as in SCH_CRED_SECRET_PRIVKEY)
DWORD cbCertificate; // size in bytes of pCertificate
PBYTE pCertificate;
PSTR pszPassword; // plaintext password for pPrivateKey
} SSL_CREDENTIAL_CERTIFICATE, * PSSL_CREDENTIAL_CERTIFICATE;
// Structures for use with the
// NT 4.0 SP3 Schannel interface,
// do not use.
// dwType tags for the SCH_CRED_SECRET_* structures referenced from
// SCH_CRED.paSecret.
#define SCHANNEL_SECRET_TYPE_CAPI 0x00000001
#define SCHANNEL_SECRET_PRIVKEY 0x00000002
// dwType tags for the SCH_CRED_PUBLIC_* structures referenced from
// SCH_CRED.paPublic (only the CERTCHAIN form is defined in this header).
#define SCH_CRED_X509_CERTCHAIN 0x00000001
#define SCH_CRED_X509_CAPI 0x00000002
#define SCH_CRED_CERT_CONTEXT 0x00000003
// Opaque credential-mapper handle type (forward declaration repeated here).
struct _HMAPPER;
// Legacy (NT 4.0 SP3) credential structure; superseded by SCHANNEL_CRED.
// Do not use in new code. paSecret and paPublic are parallel arrays of
// cCreds entries whose element type is identified by each element's
// leading dwType field.
typedef struct _SCH_CRED
{
DWORD dwVersion; // always SCH_CRED_VERSION.
DWORD cCreds; // Number of credentials.
PVOID *paSecret; // Array of SCH_CRED_SECRET_* pointers
PVOID *paPublic; // Array of SCH_CRED_PUBLIC_* pointers
DWORD cMappers; // Number of credential mappers.
struct _HMAPPER **aphMappers; // pointer to an array of pointers to credential mappers
} SCH_CRED, * PSCH_CRED;
// Structures for use with the
// NT 4.0 SP3 Schannel interface,
// do not use.
// Legacy secret: the private key lives in a CAPI provider and is referred
// to by handle. Do not use in new code.
typedef struct _SCH_CRED_SECRET_CAPI
{
DWORD dwType; // SCHANNEL_SECRET_TYPE_CAPI
HCRYPTPROV hProv; // CSP handle holding the credential's private key
} SCH_CRED_SECRET_CAPI, * PSCH_CRED_SECRET_CAPI;
// Structures for use with the
// NT 4.0 SP3 Schannel interface,
// do not use.
// Legacy secret: a DER-encoded private key held in memory together with
// the password that decrypts it. Do not use in new code. Both the key
// bytes and the password are secrets; zeroize them once the credential
// has been acquired.
typedef struct _SCH_CRED_SECRET_PRIVKEY
{
DWORD dwType; // SCHANNEL_SECRET_PRIVKEY
PBYTE pPrivateKey; // DER-encoded private key
DWORD cbPrivateKey; // size in bytes of pPrivateKey
PSTR pszPassword; // plaintext password used to decrypt the private key
} SCH_CRED_SECRET_PRIVKEY, * PSCH_CRED_SECRET_PRIVKEY;
// Structures for use with the
// NT 4.0 SP3 Schannel interface,
// do not use.
// Legacy public half of a credential: the certificate chain as a raw
// buffer. Do not use in new code.
typedef struct _SCH_CRED_PUBLIC_CERTCHAIN
{
DWORD dwType; // SCH_CRED_X509_CERTCHAIN
DWORD cbCertChain; // size in bytes of pCertChain
PBYTE pCertChain;
} SCH_CRED_PUBLIC_CERTCHAIN, *PSCH_CRED_PUBLIC_CERTCHAIN;
// Structures needed for Pre NT4.0 SP2 calls.
// Pre-NT4 SP2 public-key record. pKey is declared with one element but is
// presumably a variable-length trailing buffer of cbKey bytes (the
// pre-C99 "array of one" idiom) — confirm before sizeof-based math.
typedef struct _PctPublicKey
{
DWORD Type;
DWORD cbKey; // size in bytes of the key data that follows
UCHAR pKey[1];
} PctPublicKey;
// Pre-NT4 SP2 decoded certificate as produced by SslCrackCertificate and
// released with SslFreeCertificate. Prefer CAPI1/CAPI2 for certificate
// parsing in any new code.
typedef struct _X509Certificate {
DWORD Version;
DWORD SerialNumber[4]; // 16 bytes of serial number
ALG_ID SignatureAlgorithm;
FILETIME ValidFrom;
FILETIME ValidUntil;
PSTR pszIssuer; // text form of the issuer name
PSTR pszSubject; // text form of the subject name
PctPublicKey *pPublicKey;
} X509Certificate, * PX509Certificate;
// Pre NT4.0 SP2 calls. Call CAPI1 or CAPI2
// to get the same functionality instead.
// Legacy key-pair generation for an SSL_CREDENTIAL_CERTIFICATE. The
// header directs callers to CAPI1/CAPI2 instead; the key material this
// writes into pCerts (and pszPassword) is secret and should be zeroized
// after use.
BOOL
WINAPI
SslGenerateKeyPair(
PSSL_CREDENTIAL_CERTIFICATE pCerts,
__in PSTR pszDN,
__in PSTR pszPassword,
DWORD Bits );
// Pre NT4.0 SP2 calls. Call CAPI1 or CAPI2
// to get the same functionality instead.
// Fills pRandomData with cRandomData bytes. No statement of the
// generator's quality is made here; do not derive key material from it —
// use the CAPI/CNG random APIs the comment above points to. cRandomData
// is a signed LONG, so reject negative counts before calling.
VOID
WINAPI
SslGenerateRandomBits(
PUCHAR pRandomData,
LONG cRandomData
);
// Pre NT4.0 SP2 calls. Call CAPI1 or CAPI2
// to get the same functionality instead.
// Decodes ("cracks") a certificate into an X509Certificate that must be
// released with SslFreeCertificate. NOTE(review): the third parameter is
// DWORD dwFlags here but BOOL VerifySignature in the
// SSL_CRACK_CERTIFICATE_FN typedef below — confirm which the export
// actually honours before relying on it for signature checks.
BOOL
WINAPI
SslCrackCertificate(
PUCHAR pbCertificate,
DWORD cbCertificate,
DWORD dwFlags,
PX509Certificate * ppCertificate
);
// Pre NT4.0 SP2 calls. Call CAPI1 or CAPI2
// to get the same functionality instead.
// Releases an X509Certificate returned by SslCrackCertificate.
VOID
WINAPI
SslFreeCertificate(
PX509Certificate pCertificate
);
// Returns the maximum key size supported (units not stated; presumably
// bits). Reserved is unused by contract.
DWORD
WINAPI
SslGetMaximumKeySize(
DWORD Reserved );
// Copies the default issuer list into pbIssuers. pcbIssuers is presumably
// in/out: buffer size on entry, bytes required/written on return — confirm.
BOOL
WINAPI
SslGetDefaultIssuers(
PBYTE pbIssuers,
DWORD *pcbIssuers);
// Export names for resolving the two legacy routines with GetProcAddress.
#define SSL_CRACK_CERTIFICATE_NAME TEXT("SslCrackCertificate")
#define SSL_FREE_CERTIFICATE_NAME TEXT("SslFreeCertificate")
// Pre NT4.0 SP2 calls. Call CAPI1 or CAPI2
// to get the same functionality instead.
// Function-pointer type for SslCrackCertificate when resolved by name
// (SSL_CRACK_CERTIFICATE_NAME). NOTE(review): its third parameter is
// BOOL VerifySignature, whereas the prototype above declares DWORD
// dwFlags; the two are not interchangeable in meaning even though they
// are ABI-compatible in size.
typedef BOOL
(WINAPI * SSL_CRACK_CERTIFICATE_FN)
(
PUCHAR pbCertificate,
DWORD cbCertificate,
BOOL VerifySignature,
PX509Certificate * ppCertificate
);
// Pre NT4.0 SP2 calls. Call CAPI1 or CAPI2
// to get the same functionality instead.
// Function-pointer type for SslFreeCertificate (SSL_FREE_CERTIFICATE_NAME).
typedef VOID
(WINAPI * SSL_FREE_CERTIFICATE_FN)
(
PX509Certificate pCertificate
);
#endif //__SCHANNEL_H__