Amebis/GEANTLink
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 50 Wiki Activity

config_method split into config_method and config_method_with_cred<>

Browse Source
This commit is contained in:
Simon Rozman
2016-07-21 22:01:08 +02:00
parent ac88d55fe4
commit 6ae8029a47
20 changed files with 567 additions and 332 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
lib/TTLS/include/Config.h
View File

@@ -40,7 +40,7 @@ namespace eap
namespace eap {
class config_method_ttls : public config_method_tls
class config_method_ttls : public config_method
{
public:
///
@@ -150,7 +150,14 @@ namespace eap {
///
virtual eap::type_t get_method_id() const;
///
/// Generates public identity using current configuration and given credentials
///
std::wstring get_public_identity(const credentials &cred) const;
public:
config_method_tls m_outer; ///< Outer authentication configuration
std::unique_ptr<config> m_inner; ///< Inner authentication configuration
std::wstring m_anonymous_identity; ///< Anonymous identity
};
}

3
lib/TTLS/include/Credentials.h
View File

@@ -36,7 +36,7 @@ namespace eap
namespace eap
{
class credentials_ttls : public credentials_tls
class credentials_ttls : public credentials
{
public:
///
@@ -189,6 +189,7 @@ namespace eap
/// @}
public:
credentials_tls m_outer; ///< Outer credentials
std::unique_ptr<credentials> m_inner; ///< Inner credentials
};
}

94
lib/TTLS/src/Config.cpp
View File

@@ -29,21 +29,26 @@ using namespace winstd;
//////////////////////////////////////////////////////////////////////
eap::config_method_ttls::config_method_ttls(_In_ module &mod) :
config_method_tls(mod)
m_outer(mod),
config_method(mod)
{
}
eap::config_method_ttls::config_method_ttls(const _In_ config_method_ttls &other) :
m_outer(other.m_outer),
m_inner(other.m_inner ? (config_method*)other.m_inner->clone() : nullptr),
config_method_tls(other)
m_anonymous_identity(other.m_anonymous_identity),
config_method(other)
{
}
eap::config_method_ttls::config_method_ttls(_Inout_ config_method_ttls &&other) :
m_outer(std::move(other.m_outer)),
m_inner(std::move(other.m_inner)),
config_method_tls(std::move(other))
m_anonymous_identity(std::move(other.m_anonymous_identity)),
config_method(std::move(other))
{
}
@@ -51,8 +56,10 @@ eap::config_method_ttls::config_method_ttls(_Inout_ config_method_ttls &&other)
eap::config_method_ttls& eap::config_method_ttls::operator=(const _In_ config_method_ttls &other)
{
if (this != &other) {
(config_method_tls&)*this = other;
(config_method&)*this = other;
m_outer = other.m_outer;
m_inner.reset(other.m_inner ? (config_method*)other.m_inner->clone() : nullptr);
m_anonymous_identity = other.m_anonymous_identity;
}
return *this;
@@ -62,8 +69,10 @@ eap::config_method_ttls& eap::config_method_ttls::operator=(const _In_ config_me
eap::config_method_ttls& eap::config_method_ttls::operator=(_Inout_ config_method_ttls &&other)
{
if (this != &other) {
(config_method_tls&&)*this = std::move(other);
m_inner = std::move(other.m_inner);
(config_method&&)*this = std::move(other);
m_outer = std::move(other.m_outer);
m_inner = std::move(other.m_inner);
m_anonymous_identity = std::move(other.m_anonymous_identity);
}
return *this;
@@ -82,12 +91,29 @@ bool eap::config_method_ttls::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNode
assert(pConfigRoot);
assert(ppEapError);
if (!config_method_tls::save(pDoc, pConfigRoot, ppEapError))
if (!config_method::save(pDoc, pConfigRoot, ppEapError))
return false;
const bstr bstrNamespace(L"urn:ietf:params:xml:ns:yang:ietf-eap-metadata");
DWORD dwResult;
// <ClientSideCredential>
com_obj<IXMLDOMElement> pXmlElClientSideCredential;
if ((dwResult = eapxml::create_element(pDoc, pConfigRoot, bstr(L"eap-metadata:ClientSideCredential"), bstr(L"ClientSideCredential"), bstrNamespace, &pXmlElClientSideCredential)) != ERROR_SUCCESS) {
*ppEapError = m_module.make_error(dwResult, _T(__FUNCTION__) _T(" Error creating <ClientSideCredential> element."));
return false;
}
// <ClientSideCredential>/<AnonymousIdentity>
if (!m_anonymous_identity.empty())
if ((dwResult = eapxml::put_element_value(pDoc, pXmlElClientSideCredential, bstr(L"AnonymousIdentity"), bstrNamespace, bstr(m_anonymous_identity))) != ERROR_SUCCESS) {
*ppEapError = m_module.make_error(dwResult, _T(__FUNCTION__) _T(" Error creating <AnonymousIdentity> element."));
return false;
}
if (!m_outer.save(pDoc, pConfigRoot, ppEapError))
return false;
// <InnerAuthenticationMethod>
com_obj<IXMLDOMElement> pXmlElInnerAuthenticationMethod;
if ((dwResult = eapxml::create_element(pDoc, pConfigRoot, bstr(L"eap-metadata:InnerAuthenticationMethod"), bstr(L"InnerAuthenticationMethod"), bstrNamespace, &pXmlElInnerAuthenticationMethod)) != ERROR_SUCCESS) {
@@ -120,12 +146,27 @@ bool eap::config_method_ttls::load(_In_ IXMLDOMNode *pConfigRoot, _Out_ EAP_ERRO
assert(ppEapError);
DWORD dwResult;
if (!config_method_tls::load(pConfigRoot, ppEapError))
if (!config_method::load(pConfigRoot, ppEapError))
return false;
std::wstring xpath(eapxml::get_xpath(pConfigRoot));
// Load inner authentication configuration (<InnerAuthenticationMethod>).
m_anonymous_identity.clear();
// <ClientSideCredential>
com_obj<IXMLDOMElement> pXmlElClientSideCredential;
if (eapxml::select_element(pConfigRoot, bstr(L"eap-metadata:ClientSideCredential"), &pXmlElClientSideCredential) == ERROR_SUCCESS) {
wstring xpathClientSideCredential(xpath + L"/ClientSideCredential");
// <AnonymousIdentity>
eapxml::get_element_value(pXmlElClientSideCredential, bstr(L"eap-metadata:AnonymousIdentity"), m_anonymous_identity);
m_module.log_config((xpathClientSideCredential + L"/AnonymousIdentity").c_str(), m_anonymous_identity.c_str());
}
if (!m_outer.load(pConfigRoot, ppEapError))
return false;
// <InnerAuthenticationMethod>
com_obj<IXMLDOMElement> pXmlElInnerAuthenticationMethod;
if ((dwResult = eapxml::select_element(pConfigRoot, bstr(L"eap-metadata:InnerAuthenticationMethod"), &pXmlElInnerAuthenticationMethod)) != ERROR_SUCCESS) {
*ppEapError = m_module.make_error(dwResult, _T(__FUNCTION__) _T(" Error selecting <InnerAuthenticationMethod> element."), _T("Please make sure profile XML is a valid ") _T(PRODUCT_NAME_STR) _T(" profile XML document."));
@@ -160,7 +201,9 @@ bool eap::config_method_ttls::load(_In_ IXMLDOMNode *pConfigRoot, _Out_ EAP_ERRO
void eap::config_method_ttls::operator<<(_Inout_ cursor_out &cursor) const
{
config_method_tls::operator<<(cursor);
config_method::operator<<(cursor);
cursor << m_outer;
if (m_inner) {
if (dynamic_cast<config_method_pap*>(m_inner.get())) {
cursor << type_pap;
@@ -171,6 +214,8 @@ void eap::config_method_ttls::operator<<(_Inout_ cursor_out &cursor) const
}
} else
cursor << type_undefined;
cursor << m_anonymous_identity;
}
@@ -190,14 +235,17 @@ size_t eap::config_method_ttls::get_pk_size() const
size_inner = pksizeof(type_undefined);
return
config_method_tls::get_pk_size() +
size_inner;
config_method::get_pk_size() +
pksizeof(m_outer) +
size_inner +
pksizeof(m_anonymous_identity);
}
void eap::config_method_ttls::operator>>(_Inout_ cursor_in &cursor)
{
config_method_tls::operator>>(cursor);
config_method::operator>>(cursor);
cursor >> m_outer;
type_t eap_type;
cursor >> eap_type;
@@ -210,6 +258,8 @@ void eap::config_method_ttls::operator>>(_Inout_ cursor_in &cursor)
assert(0); // Unsupported inner authentication method type.
m_inner.reset(nullptr);
}
cursor >> m_anonymous_identity;
}
@@ -217,3 +267,21 @@ eap::type_t eap::config_method_ttls::get_method_id() const
{
return type_ttls;
}
wstring eap::config_method_ttls::get_public_identity(const credentials &cred) const
{
if (m_anonymous_identity.empty()) {
// Use the true identity. Outer has the right-of-way.
return cred.get_identity();
} else if (m_anonymous_identity.compare(L"@") == 0) {
// Strip username part from identity (RFC 4822).
wstring identity(std::move(cred.get_identity()));
wstring::size_type offset = identity.find(L'@');
if (offset != wstring::npos) identity.erase(0, offset);
return identity;
} else {
// Use configured identity.
return m_anonymous_identity;
}
}

49
lib/TTLS/src/Credentials.cpp
View File

@@ -29,21 +29,24 @@ using namespace winstd;
//////////////////////////////////////////////////////////////////////
eap::credentials_ttls::credentials_ttls(_In_ module &mod) :
credentials_tls(mod)
m_outer(mod),
credentials(mod)
{
}
eap::credentials_ttls::credentials_ttls(_In_ const credentials_ttls &other) :
m_outer(other.m_outer),
m_inner(other.m_inner ? (credentials*)other.m_inner->clone() : nullptr),
credentials_tls(other)
credentials(other)
{
}
eap::credentials_ttls::credentials_ttls(_Inout_ credentials_ttls &&other) :
m_outer(std::move(other.m_outer)),
m_inner(std::move(other.m_inner)),
credentials_tls(std::move(other))
credentials(std::move(other))
{
}
@@ -51,7 +54,8 @@ eap::credentials_ttls::credentials_ttls(_Inout_ credentials_ttls &&other) :
eap::credentials_ttls& eap::credentials_ttls::operator=(_In_ const credentials_ttls &other)
{
if (this != &other) {
(credentials_tls&)*this = other;
(credentials&)*this = other;
m_outer = other.m_outer;
m_inner.reset(other.m_inner ? (credentials*)other.m_inner->clone() : nullptr);
}
@@ -62,8 +66,9 @@ eap::credentials_ttls& eap::credentials_ttls::operator=(_In_ const credentials_t
eap::credentials_ttls& eap::credentials_ttls::operator=(_Inout_ credentials_ttls &&other)
{
if (this != &other) {
(credentials_tls&)*this = std::move(other);
m_inner = std::move(other.m_inner);
(credentials&)*this = std::move(other);
m_outer = std::move(other.m_outer);
m_inner = std::move(other.m_inner);
}
return *this;
@@ -78,7 +83,8 @@ eap::config* eap::credentials_ttls::clone() const
void eap::credentials_ttls::clear()
{
credentials_tls::clear();
credentials::clear();
m_outer.clear();
if (m_inner)
m_inner->clear();
}
@@ -86,7 +92,7 @@ void eap::credentials_ttls::clear()
bool eap::credentials_ttls::empty() const
{
return credentials_tls::empty() && (!m_inner || m_inner->empty());
return credentials::empty() && m_outer.empty() && (!m_inner || m_inner->empty());
}
@@ -96,7 +102,10 @@ bool eap::credentials_ttls::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNode *p
assert(pConfigRoot);
assert(ppEapError);
if (!credentials_tls::save(pDoc, pConfigRoot, ppEapError))
if (!credentials::save(pDoc, pConfigRoot, ppEapError))
return false;
if (!m_outer.save(pDoc, pConfigRoot, ppEapError))
return false;
const bstr bstrNamespace(L"urn:ietf:params:xml:ns:yang:ietf-eap-metadata");
@@ -130,7 +139,10 @@ bool eap::credentials_ttls::load(_In_ IXMLDOMNode *pConfigRoot, _Out_ EAP_ERROR
assert(ppEapError);
DWORD dwResult;
if (!credentials_tls::load(pConfigRoot, ppEapError))
if (!credentials::load(pConfigRoot, ppEapError))
return false;
if (!m_outer.load(pConfigRoot, ppEapError))
return false;
// TODO: For the time being, there is no detection what type is inner method. Introduce one!
@@ -151,7 +163,8 @@ bool eap::credentials_ttls::load(_In_ IXMLDOMNode *pConfigRoot, _Out_ EAP_ERROR
void eap::credentials_ttls::operator<<(_Inout_ cursor_out &cursor) const
{
credentials_tls::operator<<(cursor);
credentials::operator<<(cursor);
cursor << m_outer;
if (m_inner) {
if (dynamic_cast<credentials_pap*>(m_inner.get())) {
cursor << type_pap;
@@ -181,14 +194,16 @@ size_t eap::credentials_ttls::get_pk_size() const
size_inner = pksizeof(type_undefined);
return
credentials_tls::get_pk_size() +
credentials::get_pk_size() +
pksizeof(m_outer) +
size_inner;
}
void eap::credentials_ttls::operator>>(_Inout_ cursor_in &cursor)
{
credentials_tls::operator>>(cursor);
credentials::operator>>(cursor);
cursor >> m_outer;
type_t eap_type;
cursor >> eap_type;
@@ -206,7 +221,7 @@ void eap::credentials_ttls::operator>>(_Inout_ cursor_in &cursor)
bool eap::credentials_ttls::store(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR **ppEapError) const
{
if (!credentials_tls::store(pszTargetName, ppEapError))
if (!m_outer.store(pszTargetName, ppEapError))
return false;
if (m_inner) {
@@ -220,7 +235,7 @@ bool eap::credentials_ttls::store(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR **
bool eap::credentials_ttls::retrieve(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR **ppEapError)
{
if (!credentials_tls::retrieve(pszTargetName, ppEapError))
if (!m_outer.retrieve(pszTargetName, ppEapError))
return false;
if (m_inner) {
@@ -242,8 +257,8 @@ LPCTSTR eap::credentials_ttls::target_suffix() const
std::wstring eap::credentials_ttls::get_identity() const
{
// Outer identity has the right-of-way.
if (!credentials_tls::empty())
return credentials_tls::get_identity();
if (!m_outer.empty())
return m_outer.get_identity();
// Inner identity.
if (m_inner)

39
lib/TTLS/src/Module.cpp
View File

@@ -79,15 +79,15 @@ bool eap::peer_ttls::get_identity(
const config_provider &cfg_prov(cfg.m_providers.front());
const config_method_ttls *cfg_method = dynamic_cast<const config_method_ttls*>(cfg_prov.m_methods.front().get());
wstring target_outer(std::move(cred_out.credentials_tls::target_suffix()));
assert(cfg_method);
wstring target_outer(std::move(cred_out.m_outer.target_suffix()));
wstring target_inner;
bool is_outer_set = false;
assert(cfg_method);
if (cfg_method->m_preshared) {
if (cfg_method->m_outer.m_use_preshared) {
// Outer TLS: Preshared credentials.
(credentials_tls&)cred_out = (credentials_tls&)*cfg_method->m_preshared;
log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED, event_data(target_outer), event_data(cred_out.credentials_tls::get_name()), event_data::blank);
cred_out.m_outer = (credentials_tls&)cfg_method->m_outer.m_preshared;
log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED, event_data(target_outer), event_data(cred_out.m_outer.get_name()), event_data::blank);
is_outer_set = true;
}
@@ -95,9 +95,9 @@ bool eap::peer_ttls::get_identity(
const config_method_pap *cfg_inner_pap = dynamic_cast<const config_method_pap*>(cfg_method->m_inner.get());
if (cfg_inner_pap) {
target_inner = L"PAP";
if (cfg_inner_pap->m_preshared) {
if (cfg_inner_pap->m_use_preshared) {
// Inner PAP: Preshared credentials.
cred_out.m_inner.reset((credentials*)cfg_inner_pap->m_preshared->clone());
cred_out.m_inner.reset((credentials*)cfg_inner_pap->m_preshared.clone());
log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED, event_data(target_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
is_inner_set = true;
}
@@ -114,8 +114,8 @@ bool eap::peer_ttls::get_identity(
credentials_tls cred_loaded(*this);
if (cred_loaded.retrieve(cfg_prov.m_id.c_str(), ppEapError)) {
// Outer TLS: Stored credentials.
(credentials_tls&&)cred_out = std::move(cred_loaded);
log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED, event_data(target_outer), event_data(cred_out.credentials_tls::get_name()), event_data::blank);
cred_out.m_outer = std::move(cred_loaded);
log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED, event_data(target_outer), event_data(cred_out.m_outer.get_name()), event_data::blank);
is_outer_set = true;
} else {
// Not actually an error.
@@ -147,8 +147,8 @@ bool eap::peer_ttls::get_identity(
if (!is_outer_set) {
// Outer TLS: EAP service cached credentials.
(credentials_tls&)cred_out = (const credentials_tls&)cred_in;
log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED, event_data(target_outer), event_data(cred_out.credentials_tls::get_name()), event_data::blank);
cred_out.m_outer = cred_in->m_outer;
log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED, event_data(target_outer), event_data(cred_out.m_outer.get_name()), event_data::blank);
is_outer_set = true;
}
@@ -185,23 +185,8 @@ bool eap::peer_ttls::get_identity(
// If we got here, we have all credentials we need.
// Build our identity. ;)
wstring identity;
if (cfg_method->m_anonymous_identity.empty()) {
// Use the true identity. Outer has the right-of-way.
identity = std::move(cred_out.get_identity());
} else if (cfg_method->m_anonymous_identity.compare(L"@") == 0) {
// Strip username part from identity (RFC 4822).
identity = std::move(cred_out.get_identity());
wstring::size_type offset = identity.find(L'@');
if (offset != wstring::npos) identity.erase(0, offset);
} else {
// Use configured identity.
identity = cfg_method->m_anonymous_identity;
}
wstring identity(std::move(cfg_method->get_public_identity(cred_out)));
log_event(&EAPMETHOD_TRACE_EVT_CRED_OUTER_ID, event_data(L"TTLS"), event_data(identity), event_data::blank);
// Save the identity for EAPHost.
size_t size = sizeof(WCHAR)*(identity.length() + 1);
*ppwszIdentity = (WCHAR*)alloc_memory(size);
memcpy(*ppwszIdentity, identity.c_str(), size);