From 2868fd3848e0c5db4ae2d895861f37dda0652226 Mon Sep 17 00:00:00 2001
From: Simon Rozman
Date: Wed, 3 Aug 2016 10:17:40 +0200
Subject: [PATCH] Cached credentials have priority now
---
 lib/EAPBase_UI/include/EAP_UI.h | 2 +-
 lib/TTLS/src/Module.cpp | 79 ++++++++++++++++++---------
 2 files changed, 44 insertions(+), 37 deletions(-)
diff --git a/lib/EAPBase_UI/include/EAP_UI.h b/lib/EAPBase_UI/include/EAP_UI.h
index e15e063..16e54f0 100644
--- a/lib/EAPBase_UI/include/EAP_UI.h
+++ b/lib/EAPBase_UI/include/EAP_UI.h
@@ -434,8 +434,8 @@ protected:
 wxCHECK(_Tbase::TransferDataFromWindow(), false);
 if (!m_target.empty()) {
- // Write credentials to credential manager.
 if (m_remember->GetValue()) {
+ // Write credentials to credential manager.
 EAP_ERROR *pEapError;
 if (!m_cred.store(m_target.c_str(), &pEapError)) {
 if (pEapError) {
diff --git a/lib/TTLS/src/Module.cpp b/lib/TTLS/src/Module.cpp
index 3c086e9..f89769c 100644
--- a/lib/TTLS/src/Module.cpp
+++ b/lib/TTLS/src/Module.cpp
@@ -77,35 +77,60 @@ bool eap::peer_ttls::get_identity(
 return false;
 }
+ // Get method configuration.
 const config_provider &cfg_prov(cfg.m_providers.front());
 const config_method_ttls *cfg_method = dynamic_cast(cfg_prov.m_methods.front().get());
 assert(cfg_method);
+ const config_method_pap *cfg_inner_pap = dynamic_cast(cfg_method->m_inner.get());
+
+ // Determine credential storage target(s). Also used as user-friendly method name for logging.
 wstring target_outer(std::move(cred_out.m_outer.target_suffix()));
 wstring target_inner;
- bool is_outer_set = false;
- if (cfg_method->m_outer.m_use_preshared) {
- // Outer TLS: Preshared credentials.
+ bool
+ is_outer_set = false,
+ is_inner_set = false;
+
+ if (cred_in) {
+ // Try cached credentials.
+
+ if (!is_outer_set) {
+ // Outer TLS: Using EAP service cached credentials.
+ cred_out.m_outer = cred_in->m_outer;
+ log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED, event_data(target_outer), event_data(cred_out.m_outer.get_name()), event_data::blank);
+ is_outer_set = true;
+ }
+
+ if (!is_inner_set && cred_in->m_inner) {
+ // Inner PAP: Using EAP service cached credentials.
+ cred_out.m_inner.reset((credentials*)cred_in->m_inner->clone());
+ log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED, event_data(target_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
+ is_inner_set = true;
+ }
+ }
+
+ if (!is_outer_set && cfg_method->m_outer.m_use_preshared) {
+ // Outer TLS: Using preshared credentials.
 cred_out.m_outer = (credentials_tls&)cfg_method->m_outer.m_preshared;
 log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED, event_data(target_outer), event_data(cred_out.m_outer.get_name()), event_data::blank);
 is_outer_set = true;
 }
- bool is_inner_set = false;
- const config_method_pap *cfg_inner_pap = dynamic_cast(cfg_method->m_inner.get());
- if (cfg_inner_pap) {
- target_inner = L"PAP";
- if (cfg_inner_pap->m_use_preshared) {
- // Inner PAP: Preshared credentials.
- cred_out.m_inner.reset((credentials*)cfg_inner_pap->m_preshared.clone());
- log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED, event_data(target_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
- is_inner_set = true;
- }
- } else
- assert(0); // Unsupported inner authentication method type.
+ if (!is_inner_set) {
+ if (cfg_inner_pap) {
+ target_inner = L"PAP";
+ if (cfg_inner_pap->m_use_preshared) {
+ // Inner PAP: Using preshared credentials.
+ cred_out.m_inner.reset((credentials*)cfg_inner_pap->m_preshared.clone());
+ log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED, event_data(target_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
+ is_inner_set = true;
+ }
+ } else
+ assert(0); // Unsupported inner authentication method type.
+ }
 if ((dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 && (!is_outer_set || !is_inner_set)) {
- // Not a guest && some credentials may be missing: Try to load credentials from Windows Credential Manager.
+ // Not a guest & some credentials may be missing: Try to load credentials from Windows Credential Manager.
 // Change user context. When applicable.
 bool user_ctx_changed = hTokenImpersonateUser && ImpersonateLoggedOnUser(hTokenImpersonateUser);
@@ -113,7 +138,7 @@ bool eap::peer_ttls::get_identity(
 if (!is_outer_set) {
 credentials_tls cred_loaded(*this);
 if (cred_loaded.retrieve(cfg_prov.m_id.c_str(), ppEapError)) {
- // Outer TLS: Stored credentials.
+ // Outer TLS: Using stored credentials.
 cred_out.m_outer = std::move(cred_loaded);
 log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED, event_data(target_outer), event_data(cred_out.m_outer.get_name()), event_data::blank);
 is_outer_set = true;
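Review bot: The cached-inner-credential log call in the new `if (cred_in)` block passes `event_data(target_inner)` while `target_inner` is still empty — the `target_inner = L"PAP";` assignment now sits inside `if (!is_inner_set)`, which is skipped once the cached credential has been taken, so EAPMETHOD_TRACE_EVT_CRED_CACHED is written with a blank method name (in the old order the PAP block set the name before the cached block ran). Since `cfg_inner_pap` is now resolved up front, initialize the name there, `wstring target_inner(cfg_inner_pap ? L"PAP" : L"");`, and drop the later assignment. The `if (!is_outer_set)` test directly after `is_outer_set = false` is always true; either remove it or comment that it is kept for symmetry with the inner branch. get_identity() begins before and continues past this hunk.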
@@ -128,7 +153,7 @@ bool eap::peer_ttls::get_identity(
 if (cfg_inner_pap) cred_loaded.reset(new credentials_pap(*this));
 else assert(0); // Unsupported inner authentication method type.
 if (cred_loaded->retrieve(cfg_prov.m_id.c_str(), ppEapError)) {
- // Inner PAP: Stored credentials.
+ // Inner PAP: Using stored credentials.
 cred_out.m_inner = std::move(cred_loaded);
 log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED, event_data(target_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
 is_inner_set = true;
@@ -142,24 +167,6 @@ bool eap::peer_ttls::get_identity(
 if (user_ctx_changed) RevertToSelf();
 }
- if (cred_in) {
- // Try cached credentials.
-
- if (!is_outer_set) {
- // Outer TLS: EAP service cached credentials.
- cred_out.m_outer = cred_in->m_outer;
- log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED, event_data(target_outer), event_data(cred_out.m_outer.get_name()), event_data::blank);
- is_outer_set = true;
- }
-
- if (!is_inner_set && cred_in->m_inner) {
- // Inner PAP: EAP service cached credentials.
- cred_out.m_inner.reset((credentials*)cred_in->m_inner->clone());
- log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED, event_data(target_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
- is_inner_set = true;
- }
- }
-
 *pfInvokeUI = FALSE;
 if ((dwFlags & EAP_FLAG_MACHINE_AUTH) == 0) {
 // Per-user authentication