EAP-GTC authentication now split into two modes: Challenge/Response and Password
This commit is contained in:
@@ -44,6 +44,15 @@ namespace eap
|
||||
///
|
||||
class config_method_eapgtc : public config_method_with_cred
|
||||
{
|
||||
public:
|
||||
///
|
||||
/// Authentication mode
|
||||
///
|
||||
enum auth_mode_t {
|
||||
auth_mode_response = 0, ///< Challenge/Response
|
||||
auth_mode_password, ///< Password
|
||||
};
|
||||
|
||||
public:
|
||||
///
|
||||
/// Constructs configuration
|
||||
@@ -87,6 +96,19 @@ namespace eap
|
||||
|
||||
virtual config* clone() const;
|
||||
|
||||
/// \name XML management
|
||||
/// @{
|
||||
virtual void save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNode *pConfigRoot) const;
|
||||
virtual void load(_In_ IXMLDOMNode *pConfigRoot);
|
||||
/// @}
|
||||
|
||||
/// \name BLOB management
|
||||
/// @{
|
||||
virtual void operator<<(_Inout_ cursor_out &cursor) const;
|
||||
virtual size_t get_pk_size() const;
|
||||
virtual void operator>>(_Inout_ cursor_in &cursor);
|
||||
/// @}
|
||||
|
||||
///
|
||||
/// @copydoc eap::config_method::get_method_id()
|
||||
/// \returns This implementation always returns `winstd::eap_type_gtc`
|
||||
@@ -101,10 +123,53 @@ namespace eap
|
||||
|
||||
///
|
||||
/// @copydoc eap::config_method::make_credentials()
|
||||
/// \returns This implementation always returns `eap::credentials_identity` type of credentials
|
||||
/// \returns This implementation returns `eap::credentials_identity` or `eap::credentials_pass` type of credentials, depending on authentication mode.
|
||||
///
|
||||
virtual credentials* make_credentials() const;
|
||||
};
|
||||
|
||||
/// @}
|
||||
}
|
||||
|
||||
|
||||
/// \addtogroup EAPBaseStream
|
||||
/// @{
|
||||
|
||||
///
|
||||
/// Packs an EAP-GTC method authentication mode
|
||||
///
|
||||
/// \param[inout] cursor Memory cursor
|
||||
/// \param[in] val Authentication mode to pack
|
||||
///
|
||||
inline void operator<<(_Inout_ eap::cursor_out &cursor, _In_ const eap::config_method_eapgtc::auth_mode_t &val)
|
||||
{
|
||||
cursor << (unsigned char)val;
|
||||
}
|
||||
|
||||
|
||||
///
|
||||
/// Returns packed size of an EAP-GTC method authentication mode
|
||||
///
|
||||
/// \param[in] val Authentication mode to pack
|
||||
///
|
||||
/// \returns Size of data when packed (in bytes)
|
||||
///
|
||||
inline size_t pksizeof(_In_ const eap::config_method_eapgtc::auth_mode_t &val)
|
||||
{
|
||||
return pksizeof((unsigned char)val);
|
||||
}
|
||||
|
||||
|
||||
///
|
||||
/// Unpacks an EAP-GTC method authentication mode
|
||||
///
|
||||
/// \param[inout] cursor Memory cursor
|
||||
/// \param[out] val Authentication mode to unpack to
|
||||
///
|
||||
inline void operator>>(_Inout_ eap::cursor_in &cursor, _Out_ eap::config_method_eapgtc::auth_mode_t &val)
|
||||
{
|
||||
val = (eap::config_method_eapgtc::auth_mode_t)0; // Reset higher bytes to zero before reading to lower byte.
|
||||
cursor >> (unsigned char&)val;
|
||||
}
|
||||
|
||||
/// @}
|
||||
|
||||
@@ -50,7 +50,7 @@ namespace eap
|
||||
/// \param[in] cfg Method configuration
|
||||
/// \param[in] cred User credentials
|
||||
///
|
||||
method_gtc(_In_ module &mod, _In_ config_method_eapgtc &cfg, _In_ credentials_identity &cred);
|
||||
method_gtc(_In_ module &mod, _In_ config_method_eapgtc &cfg, _In_ credentials &cred);
|
||||
|
||||
///
|
||||
/// Moves a GTC method
|
||||
@@ -109,7 +109,7 @@ namespace eap
|
||||
|
||||
protected:
|
||||
config_method_eapgtc &m_cfg; ///< Method configuration
|
||||
credentials_identity &m_cred; ///< Method user credentials
|
||||
credentials &m_cred; ///< Method user credentials
|
||||
winstd::sanitizing_wstring m_challenge; ///< GTC challenge
|
||||
winstd::sanitizing_wstring m_response; ///< GTC response
|
||||
};
|
||||
|
||||
@@ -30,6 +30,7 @@ using namespace winstd;
|
||||
|
||||
eap::config_method_eapgtc::config_method_eapgtc(_In_ module &mod, _In_ unsigned int level) : config_method_with_cred(mod, level)
|
||||
{
|
||||
// Default to Challenge/Response authentication mode.
|
||||
m_cred.reset(new credentials_identity(mod));
|
||||
}
|
||||
|
||||
@@ -70,6 +71,95 @@ eap::config* eap::config_method_eapgtc::clone() const
|
||||
}
|
||||
|
||||
|
||||
void eap::config_method_eapgtc::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNode *pConfigRoot) const
|
||||
{
|
||||
assert(pDoc);
|
||||
assert(pConfigRoot);
|
||||
|
||||
config_method_with_cred::save(pDoc, pConfigRoot);
|
||||
|
||||
HRESULT hr;
|
||||
|
||||
if (dynamic_cast<credentials_identity*>(m_cred.get()))
|
||||
hr = eapxml::put_element_value(pDoc, pConfigRoot, bstr(L"AuthMode"), namespace_eapmetadata, bstr(L"Challenge/Response"));
|
||||
else if (dynamic_cast<credentials_pass*>(m_cred.get()))
|
||||
hr = eapxml::put_element_value(pDoc, pConfigRoot, bstr(L"AuthMode"), namespace_eapmetadata, bstr(L"Password"));
|
||||
else
|
||||
throw invalid_argument(__FUNCTION__ " Unsupported authentication mode.");
|
||||
if (FAILED(hr))
|
||||
throw com_runtime_error(hr, __FUNCTION__ " Error creating <AuthMode> element.");
|
||||
}
|
||||
|
||||
|
||||
void eap::config_method_eapgtc::load(_In_ IXMLDOMNode *pConfigRoot)
|
||||
{
|
||||
assert(pConfigRoot);
|
||||
HRESULT hr;
|
||||
wstring xpath(eapxml::get_xpath(pConfigRoot));
|
||||
|
||||
// Load authentication mode first, then (re)create credentials to match the authentication mode.
|
||||
bstr auth_mode;
|
||||
if (FAILED(hr = eapxml::get_element_value(pConfigRoot, bstr(L"eap-metadata:AuthMode"), auth_mode)) ||
|
||||
CompareStringEx(LOCALE_NAME_INVARIANT, NORM_IGNORECASE, auth_mode, auth_mode.length(), _L("Challenge/Response"), -1, NULL, NULL, 0) == CSTR_EQUAL)
|
||||
{
|
||||
m_cred.reset(new eap::credentials_identity(m_module));
|
||||
} else if (CompareStringEx(LOCALE_NAME_INVARIANT, NORM_IGNORECASE, auth_mode, auth_mode.length(), _L("Password"), -1, NULL, NULL, 0) == CSTR_EQUAL) {
|
||||
m_cred.reset(new eap::credentials_pass(m_module));
|
||||
} else
|
||||
throw invalid_argument(string_printf(__FUNCTION__ " Unsupported authentication mode (%ls).", (BSTR)auth_mode));
|
||||
|
||||
// Load method configuration.
|
||||
config_method_with_cred::load(pConfigRoot);
|
||||
|
||||
m_module.log_config((xpath + L"/AuthMode").c_str(), auth_mode);
|
||||
}
|
||||
|
||||
|
||||
void eap::config_method_eapgtc::operator<<(_Inout_ cursor_out &cursor) const
|
||||
{
|
||||
// Save authentication mode first, as credential loading will require this information.
|
||||
if (dynamic_cast<credentials_identity*>(m_cred.get()))
|
||||
cursor << auth_mode_response;
|
||||
else if (dynamic_cast<credentials_pass*>(m_cred.get()))
|
||||
cursor << auth_mode_password;
|
||||
else
|
||||
throw invalid_argument(__FUNCTION__ " Unsupported authentication mode.");
|
||||
|
||||
config_method_with_cred::operator<<(cursor);
|
||||
}
|
||||
|
||||
|
||||
size_t eap::config_method_eapgtc::get_pk_size() const
|
||||
{
|
||||
auth_mode_t auth_mode;
|
||||
if (dynamic_cast<credentials_identity*>(m_cred.get()))
|
||||
auth_mode = auth_mode_response;
|
||||
else if (dynamic_cast<credentials_pass*>(m_cred.get()))
|
||||
auth_mode = auth_mode_password;
|
||||
else
|
||||
throw invalid_argument(__FUNCTION__ " Unsupported authentication mode.");
|
||||
|
||||
return
|
||||
pksizeof(auth_mode) +
|
||||
config_method_with_cred::get_pk_size();
|
||||
}
|
||||
|
||||
|
||||
void eap::config_method_eapgtc::operator>>(_Inout_ cursor_in &cursor)
|
||||
{
|
||||
// (Re)create credentials to match the authentication mode.
|
||||
auth_mode_t auth_mode;
|
||||
cursor >> auth_mode;
|
||||
switch (auth_mode) {
|
||||
case auth_mode_response: m_cred.reset(new eap::credentials_identity(m_module)); break;
|
||||
case auth_mode_password: m_cred.reset(new eap::credentials_pass (m_module)); break;
|
||||
default : throw invalid_argument(string_printf(__FUNCTION__ " Unsupported authentication mode (%u).", auth_mode));
|
||||
}
|
||||
|
||||
config_method_with_cred::operator>>(cursor);
|
||||
}
|
||||
|
||||
|
||||
eap_type_t eap::config_method_eapgtc::get_method_id() const
|
||||
{
|
||||
return eap_type_gtc;
|
||||
@@ -84,5 +174,10 @@ const wchar_t* eap::config_method_eapgtc::get_method_str() const
|
||||
|
||||
eap::credentials* eap::config_method_eapgtc::make_credentials() const
|
||||
{
|
||||
return new eap::credentials_identity(m_module);
|
||||
if (dynamic_cast<credentials_identity*>(m_cred.get()))
|
||||
return new eap::credentials_identity(m_module);
|
||||
else if (dynamic_cast<credentials_pass*>(m_cred.get()))
|
||||
return new eap::credentials_pass (m_module);
|
||||
else
|
||||
throw invalid_argument(__FUNCTION__ " Unsupported authentication mode.");
|
||||
}
|
||||
|
||||
@@ -28,7 +28,7 @@ using namespace winstd;
|
||||
// eap::method_gtc
|
||||
//////////////////////////////////////////////////////////////////////
|
||||
|
||||
eap::method_gtc::method_gtc(_In_ module &mod, _In_ config_method_eapgtc &cfg, _In_ credentials_identity &cred) :
|
||||
eap::method_gtc::method_gtc(_In_ module &mod, _In_ config_method_eapgtc &cfg, _In_ credentials &cred) :
|
||||
m_cfg(cfg),
|
||||
m_cred(cred),
|
||||
method(mod)
|
||||
@@ -83,13 +83,24 @@ EapPeerMethodResponseAction eap::method_gtc::process_request_packet(
|
||||
|
||||
m_module.log_event(&EAPMETHOD_METHOD_HANDSHAKE_START2, event_data((unsigned int)eap_type_gtc), event_data::blank);
|
||||
|
||||
// Read authenticator challenge as UTF-8 encoded string.
|
||||
MultiByteToWideChar(CP_UTF8, 0, (LPCSTR)pReceivedPacket, dwReceivedPacketSize, m_challenge);
|
||||
credentials_pass *cred_pass;
|
||||
if (dynamic_cast<credentials_identity*>(&m_cred)) {
|
||||
// Read authenticator challenge as UTF-8 encoded string.
|
||||
MultiByteToWideChar(CP_UTF8, 0, (LPCSTR)pReceivedPacket, dwReceivedPacketSize, m_challenge);
|
||||
|
||||
m_module.log_event(&EAPMETHOD_GTC_RESPONSE_REQ, event_data((unsigned int)eap_type_gtc), event_data::blank);
|
||||
m_module.log_event(&EAPMETHOD_GTC_RESPONSE_REQ, event_data((unsigned int)eap_type_gtc), event_data::blank);
|
||||
|
||||
// User must respond to the challenge.
|
||||
return EapPeerMethodResponseActionInvokeUI;
|
||||
// User must respond to the challenge.
|
||||
return EapPeerMethodResponseActionInvokeUI;
|
||||
} else if ((cred_pass = dynamic_cast<credentials_pass*>(&m_cred)) != NULL) {
|
||||
// Ignore authenticator challenge and save password as GTC response.
|
||||
m_response = cred_pass->m_password;
|
||||
|
||||
// Send the response.
|
||||
m_cfg.m_last_status = config_method::status_cred_invalid; // Blame "credentials" if we fail beyond this point.
|
||||
return EapPeerMethodResponseActionSend;
|
||||
} else
|
||||
throw invalid_argument(__FUNCTION__ " Unsupported authentication mode.");
|
||||
}
|
||||
|
||||
|
||||
@@ -98,13 +109,13 @@ void eap::method_gtc::get_response_packet(
|
||||
_In_opt_ DWORD size_max)
|
||||
{
|
||||
// Encode GTC response as UTF-8.
|
||||
sanitizing_string reply_utf8;
|
||||
WideCharToMultiByte(CP_UTF8, 0, m_response, reply_utf8, NULL, NULL);
|
||||
sanitizing_string response_utf8;
|
||||
WideCharToMultiByte(CP_UTF8, 0, m_response, response_utf8, NULL, NULL);
|
||||
|
||||
if (sizeof(sanitizing_string::value_type)*reply_utf8.length() > size_max)
|
||||
throw invalid_argument(string_printf(__FUNCTION__ " This method does not support packet fragmentation, but the data size is too big to fit in one packet (packet: %u, maximum: %u).", sizeof(sanitizing_string::value_type)*reply_utf8.length(), size_max));
|
||||
if (sizeof(sanitizing_string::value_type)*response_utf8.length() > size_max)
|
||||
throw invalid_argument(string_printf(__FUNCTION__ " This method does not support packet fragmentation, but the data size is too big to fit in one packet (packet: %u, maximum: %u).", sizeof(sanitizing_string::value_type)*response_utf8.length(), size_max));
|
||||
|
||||
packet.assign(reply_utf8.begin(), reply_utf8.end());
|
||||
packet.assign(response_utf8.begin(), response_utf8.end());
|
||||
}
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user