samba-mirror/librpc/idl/schannel.idl

#include "idl_types.h"

/*
  schannel structures
*/

import "netlogon.idl", "nbt.idl", "misc.idl", "security.idl";

[
	pointer_default(unique),
	helper("../librpc/ndr/ndr_schannel.h", "../librpc/ndr/ndr_nbt.h")
]
interface schannel
{
	/* this structure is used internally in the NETLOGON server */

	typedef [flag(NDR_PAHEX)] struct {
		/*
		 * These were only used on the server part
		 * with a single dom_sid for the client_sid.
		 *
		 * On the server we use CLEAR_IF_FIRST,
		 * so db layout changes don't matter there,
		 * but on the client side we need to handle
		 * the ctdb case were CLEAR_IF_FIRST only
		 * works if all cluster nodes are restarted.
		 *
		 * As this was a single dom_sid before,
		 * we add some magic in order to let
		 * old code (on other nodes to parse the new layout).
		 *
		 * We have basically this definition of dom_sid:
		 *
		 * typedef struct {
		 *    uint8 sid_rev_num;
		 *    [range(0,15)] int8 num_auths;
		 *    uint8  id_auth[6];
		 *    uint32 sub_auths[num_auths];
		 * } dom_sid;
		 *
		 * It means it consumes at least 8 bytes while
		 * and it's also 4 byte aligned (before sid_rev_num).
		 * The largest sid would have 68 bytes.
		 *
		 * The old client side code would see a sid like
		 * this: S-1-RSV-CRF-ATL-ATH-257-0-RID
		 *
		 * RSV => reserved (the last 4 bytes of id_auth)
		 *
		 * CRF => client_requested_flags (sub_auths[0]
		 *
		 * Note NTTIME used ndr_pull_udlong, it's not NTTIME_hyper!
		 * ATL => low 4 bytes of auth_time (sub_auths[1])
		 * ATH => high 4 bytes of auth_time (sub_auths[2])
		 *
		 * From client_sid (S-1-0-RID): sub_auth[3-5]
		 *
		 * 257 => 0x01 0x01 0x00 0x00 =
		 *        (sid_rev_num = 1, num_auths =1,
		 *         id_auth[0] = 0, id_auth[1] = 0)
		 * 0   => id_auth[2-6]
		 *
		 * RID => the RID of the client
		 *
		 * It means the magic needs to simulate
		 * num_auths = 6
		 */
		[value(0x00000601)] uint32 magic;
		[value(0)] uint32 reserved;
		netr_NegotiateFlags client_requested_flags;
		NTTIME auth_time;
		dom_sid client_sid;
	} netlogon_creds_CredentialState_extra_info;

	typedef [public,flag(NDR_PAHEX)] struct {
		netr_NegotiateFlags negotiate_flags;
		uint8 session_key[16];
		uint32 sequence;
		netr_Credential seed;
		netr_Credential client;
		netr_Credential server;
		netr_SchannelType secure_channel_type;
		[string,charset(UTF8)] uint8 computer_name[];
		[string,charset(UTF8)] uint8 account_name[];
		netlogon_creds_CredentialState_extra_info *ex;
	} netlogon_creds_CredentialState;

	typedef [public,flag(NDR_PAHEX)] struct {
		netr_NegotiateFlags negotiate_flags;
		uint8 session_key[16];
		uint32 sequence;
		netr_Credential seed;
		netr_Credential client;
		netr_Credential server;
		netr_SchannelType secure_channel_type;
		[string,charset(UTF8)] uint8 computer_name[];
		[string,charset(UTF8)] uint8 account_name[];
		dom_sid *sid;
	} netlogon_creds_CredentialState_legacy;

	/* This is used in the schannel_store.tdb */
	typedef [public] struct {
		[string,charset(UTF16)] uint16 *computer_name;
		netr_Credential server_challenge;
		netr_Credential client_challenge;
	} netlogon_cache_entry;

	/* MS-NRPC 2.2.1.3.1 NL_AUTH_MESSAGE */

	typedef [v1_enum] enum {
		NL_NEGOTIATE_REQUEST	= 0x00000000,
		NL_NEGOTIATE_RESPONSE	= 0x00000001
	} NL_AUTH_MESSAGE_TYPE;

	typedef [bitmap32bit] bitmap {
		NL_FLAG_OEM_NETBIOS_DOMAIN_NAME		= 0x00000001,
		NL_FLAG_OEM_NETBIOS_COMPUTER_NAME	= 0x00000002,
		NL_FLAG_UTF8_DNS_DOMAIN_NAME		= 0x00000004,
		NL_FLAG_UTF8_DNS_HOST_NAME		= 0x00000008,
		NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME	= 0x00000010
	} NL_AUTH_MESSAGE_FLAGS;

	typedef [public,nodiscriminant,noprint] union {
		[case (NL_FLAG_OEM_NETBIOS_DOMAIN_NAME)]	astring	 a;
		[case (NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)]	astring	 a;
		[case (NL_FLAG_UTF8_DNS_DOMAIN_NAME)]		nbt_string u;
		[case (NL_FLAG_UTF8_DNS_HOST_NAME)]		nbt_string u;
		[case (NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME)]	nbt_string u;
		[default]					;
	} NL_AUTH_MESSAGE_BUFFER;

	typedef [public,nodiscriminant,noprint] union {
		[case (NL_NEGOTIATE_RESPONSE)]			uint32 dummy;
		[default]					;
	} NL_AUTH_MESSAGE_BUFFER_REPLY;

	typedef [public,flag(NDR_PAHEX)] struct {
		NL_AUTH_MESSAGE_TYPE MessageType;
		NL_AUTH_MESSAGE_FLAGS Flags;
		[switch_is(Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME)]	NL_AUTH_MESSAGE_BUFFER oem_netbios_domain;
		[switch_is(Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)]	NL_AUTH_MESSAGE_BUFFER oem_netbios_computer;
		[switch_is(Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME)]	NL_AUTH_MESSAGE_BUFFER utf8_dns_domain;
		[switch_is(Flags & NL_FLAG_UTF8_DNS_HOST_NAME)]		NL_AUTH_MESSAGE_BUFFER utf8_dns_host;
		[switch_is(Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME)]	NL_AUTH_MESSAGE_BUFFER utf8_netbios_computer;
		[switch_is(MessageType & NL_NEGOTIATE_RESPONSE)]	NL_AUTH_MESSAGE_BUFFER_REPLY Buffer;
	} NL_AUTH_MESSAGE;

	/* MS-NRPC 2.2.1.3.2 NL_AUTH_SIGNATURE */

	typedef enum {
		NL_SIGN_HMAC_SHA256	= 0x0013,
		NL_SIGN_HMAC_MD5	= 0x0077
	} NL_SIGNATURE_ALGORITHM;

	typedef enum {
		NL_SEAL_AES128		= 0x001A,
		NL_SEAL_RC4		= 0x007A,
		NL_SEAL_NONE		= 0xFFFF
	} NL_SEAL_ALGORITHM;

	typedef [public,flag(NDR_PAHEX)] struct {
		[value(NL_SIGN_HMAC_MD5)] NL_SIGNATURE_ALGORITHM SignatureAlgorithm;
		NL_SEAL_ALGORITHM SealAlgorithm;
		uint16 Pad;
		uint16 Flags;
		uint8 SequenceNumber[8];
		uint8 Checksum[8];
		uint8 Confounder[8];
	} NL_AUTH_SIGNATURE;

	const int NL_AUTH_SIGNATURE_SIZE = 0x20;

	/* MS-NRPC 2.2.1.3.3 NL_AUTH_SHA2_SIGNATURE */

	typedef [public,flag(NDR_PAHEX)] struct {
		[value(NL_SIGN_HMAC_SHA256)] NL_SIGNATURE_ALGORITHM SignatureAlgorithm;
		NL_SEAL_ALGORITHM SealAlgorithm;
		uint16 Pad;
		uint16 Flags;
		uint8 SequenceNumber[8];
		uint8 Checksum[32];
		uint8 Confounder[8];
	} NL_AUTH_SHA2_SIGNATURE;
}