@@ -235,7 +235,7 @@ eap::credentials::source_t eap::credentials_tls::combine(
|
||||
if (cred_cached) {
|
||||
// Using EAP service cached credentials.
|
||||
*this = *dynamic_cast<const credentials_tls*>(cred_cached);
|
||||
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED2, event_data((unsigned int)eap_type_t::tls), event_data(credentials_tls::get_name()), event_data(pszTargetName), event_data::blank);
|
||||
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED2, event_data((unsigned int)eap_type_t::tls), event_data(credentials_tls::get_name()), event_data(pszTargetName), blank_event_data);
|
||||
return source_t::cache;
|
||||
}
|
||||
|
||||
@@ -243,7 +243,7 @@ eap::credentials::source_t eap::credentials_tls::combine(
|
||||
if (cfg_with_cred && cfg_with_cred->m_use_cred) {
|
||||
// Using configured credentials.
|
||||
*this = *dynamic_cast<const credentials_tls*>(cfg_with_cred->m_cred.get());
|
||||
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CONFIG2, event_data((unsigned int)eap_type_t::tls), event_data(credentials_tls::get_name()), event_data(pszTargetName), event_data::blank);
|
||||
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CONFIG2, event_data((unsigned int)eap_type_t::tls), event_data(credentials_tls::get_name()), event_data(pszTargetName), blank_event_data);
|
||||
return source_t::config;
|
||||
}
|
||||
|
||||
@@ -254,7 +254,7 @@ eap::credentials::source_t eap::credentials_tls::combine(
|
||||
|
||||
// Using stored credentials.
|
||||
*this = std::move(cred_loaded);
|
||||
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED2, event_data((unsigned int)eap_type_t::tls), event_data(credentials_tls::get_name()), event_data(pszTargetName), event_data::blank);
|
||||
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED2, event_data((unsigned int)eap_type_t::tls), event_data(credentials_tls::get_name()), event_data(pszTargetName), blank_event_data);
|
||||
return source_t::storage;
|
||||
} catch (...) {
|
||||
// Not actually an error.
|
||||
|
||||
@@ -57,7 +57,7 @@ EapPeerMethodResponseAction eap::method_defrag::process_request_packet(
|
||||
m_module.log_event(&EAPMETHOD_DEFRAG_VERSION,
|
||||
event_data(m_version),
|
||||
event_data(data_version),
|
||||
event_data::blank);
|
||||
blank_event_data);
|
||||
m_phase = phase_t::established;
|
||||
} else if (data_version != m_version)
|
||||
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Protocol version mismatch.");
|
||||
@@ -272,7 +272,7 @@ EapPeerMethodResponseAction eap::method_tls::process_request_packet(
|
||||
|
||||
switch (m_phase) {
|
||||
case phase_t::handshake_init: {
|
||||
m_module.log_event(&EAPMETHOD_METHOD_HANDSHAKE_START2, event_data((unsigned int)m_cfg.get_method_id()), event_data::blank);
|
||||
m_module.log_event(&EAPMETHOD_METHOD_HANDSHAKE_START2, event_data((unsigned int)m_cfg.get_method_id()), blank_event_data);
|
||||
|
||||
// Prepare input buffer(s).
|
||||
SecBuffer buf_in[] = {
|
||||
@@ -416,7 +416,7 @@ EapPeerMethodResponseAction eap::method_tls::process_request_packet(
|
||||
} else {
|
||||
SecPkgContext_Authority auth;
|
||||
if (FAILED(status = QueryContextAttributes(m_sc_ctx, SECPKG_ATTR_AUTHORITY, &auth))) {
|
||||
m_module.log_event(&EAPMETHOD_TLS_QUERY_FAILED, event_data((unsigned int)SECPKG_ATTR_AUTHORITY), event_data(status), event_data::blank);
|
||||
m_module.log_event(&EAPMETHOD_TLS_QUERY_FAILED, event_data((unsigned int)SECPKG_ATTR_AUTHORITY), event_data(status), blank_event_data);
|
||||
auth.sAuthorityName = _T("");
|
||||
}
|
||||
|
||||
@@ -432,9 +432,9 @@ EapPeerMethodResponseAction eap::method_tls::process_request_packet(
|
||||
event_data(info.dwHashStrength),
|
||||
event_data(info.aiExch),
|
||||
event_data(info.dwExchStrength),
|
||||
event_data::blank);
|
||||
blank_event_data);
|
||||
else
|
||||
m_module.log_event(&EAPMETHOD_TLS_QUERY_FAILED, event_data((unsigned int)SECPKG_ATTR_CONNECTION_INFO), event_data(status), event_data::blank);
|
||||
m_module.log_event(&EAPMETHOD_TLS_QUERY_FAILED, event_data((unsigned int)SECPKG_ATTR_CONNECTION_INFO), event_data(status), blank_event_data);
|
||||
|
||||
m_phase = phase_t::finished;
|
||||
m_cfg.m_last_status = config_method::status_t::auth_failed; // Blame protocol if we fail beyond this point.
|
||||
@@ -557,7 +557,7 @@ void eap::method_tls::get_result(
|
||||
m_eap_attr.push_back(std::move(a));
|
||||
|
||||
// Append blank EAP attribute.
|
||||
m_eap_attr.push_back(eap_attr::blank);
|
||||
m_eap_attr.push_back(blank_eap_attr);
|
||||
|
||||
m_eap_attr_desc.dwNumberOfAttributes = (DWORD)m_eap_attr.size();
|
||||
m_eap_attr_desc.pAttribs = m_eap_attr.data();
|
||||
@@ -651,7 +651,7 @@ void eap::method_tls::verify_server_trust() const
|
||||
memcmp(m_sc_cert->pbCertEncoded, (*c)->pbCertEncoded, m_sc_cert->cbCertEncoded) == 0)
|
||||
{
|
||||
// Server certificate found directly on the trusted root CA list.
|
||||
m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_TRUSTED_EX1, event_data((unsigned int)m_cfg.get_method_id()), event_data::blank);
|
||||
m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_TRUSTED_EX1, event_data((unsigned int)m_cfg.get_method_id()), blank_event_data);
|
||||
return;
|
||||
}
|
||||
}
|
||||
@@ -700,7 +700,7 @@ void eap::method_tls::verify_server_trust() const
|
||||
if (san_info->rgAltEntry[idx_entry].dwAltNameChoice == CERT_ALT_NAME_DNS_NAME &&
|
||||
_wcsicmp(s->c_str(), san_info->rgAltEntry[idx_entry].pwszDNSName) == 0)
|
||||
{
|
||||
m_module.log_event(&EAPMETHOD_TLS_SERVER_NAME_TRUSTED2, event_data((unsigned int)m_cfg.get_method_id()), event_data(san_info->rgAltEntry[idx_entry].pwszDNSName), event_data::blank);
|
||||
m_module.log_event(&EAPMETHOD_TLS_SERVER_NAME_TRUSTED2, event_data((unsigned int)m_cfg.get_method_id()), event_data(san_info->rgAltEntry[idx_entry].pwszDNSName), blank_event_data);
|
||||
found = true;
|
||||
}
|
||||
}
|
||||
@@ -715,7 +715,7 @@ void eap::method_tls::verify_server_trust() const
|
||||
|
||||
for (auto s = m_cfg.m_server_names.cbegin(), s_end = m_cfg.m_server_names.cend(); !found && s != s_end; ++s) {
|
||||
if (_wcsicmp(s->c_str(), subj.c_str()) == 0) {
|
||||
m_module.log_event(&EAPMETHOD_TLS_SERVER_NAME_TRUSTED2, event_data((unsigned int)m_cfg.get_method_id()), event_data(subj), event_data::blank);
|
||||
m_module.log_event(&EAPMETHOD_TLS_SERVER_NAME_TRUSTED2, event_data((unsigned int)m_cfg.get_method_id()), event_data(subj), blank_event_data);
|
||||
found = true;
|
||||
}
|
||||
}
|
||||
@@ -805,7 +805,7 @@ void eap::method_tls::verify_server_trust() const
|
||||
}
|
||||
}
|
||||
|
||||
m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_TRUSTED1, event_data((unsigned int)m_cfg.get_method_id()), event_data::blank);
|
||||
m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_TRUSTED1, event_data((unsigned int)m_cfg.get_method_id()), blank_event_data);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
@@ -182,7 +182,7 @@ DWORD WINAPI eap::peer_tls_base::crl_checker::verify(_In_ crl_checker *obj)
|
||||
// This "error" is expected for the root CA certificate.
|
||||
} else {
|
||||
// This really was an error, as it appeared before the root CA cerficate in the chain.
|
||||
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKE_SKIPPED, event_data((unsigned int)obj->m_module.m_eap_method), event_data(subj), event_data::blank);
|
||||
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKE_SKIPPED, event_data((unsigned int)obj->m_module.m_eap_method), event_data(subj), blank_event_data);
|
||||
}
|
||||
break;
|
||||
|
||||
@@ -194,12 +194,12 @@ DWORD WINAPI eap::peer_tls_base::crl_checker::verify(_In_ crl_checker *obj)
|
||||
case CRL_REASON_CESSATION_OF_OPERATION:
|
||||
case CRL_REASON_CERTIFICATE_HOLD:
|
||||
// The revocation was of administrative nature. No need to black-list.
|
||||
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKED1, event_data((unsigned int)obj->m_module.m_eap_method), event_data(subj), event_data(status_rev.dwReason), event_data::blank);
|
||||
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKED1, event_data((unsigned int)obj->m_module.m_eap_method), event_data(subj), event_data(status_rev.dwReason), blank_event_data);
|
||||
break;
|
||||
|
||||
default: {
|
||||
// One of the certificates in the chain was revoked as compromised. Black-list it.
|
||||
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKED, event_data((unsigned int)obj->m_module.m_eap_method), event_data(subj), event_data(status_rev.dwReason), event_data::blank);
|
||||
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKED, event_data((unsigned int)obj->m_module.m_eap_method), event_data(subj), event_data(status_rev.dwReason), blank_event_data);
|
||||
reg_key key;
|
||||
if (key.create(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\") _T(VENDOR_NAME_STR) _T("\\") _T(PRODUCT_NAME_STR) _T("\\TLSCRL"), NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE)) {
|
||||
vector<unsigned char> hash;
|
||||
@@ -223,7 +223,7 @@ DWORD WINAPI eap::peer_tls_base::crl_checker::verify(_In_ crl_checker *obj)
|
||||
|
||||
default:
|
||||
// Checking one of the certificates in the chain for revocation failed. Resume checking the rest.
|
||||
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKE_FAILED, event_data((unsigned int)obj->m_module.m_eap_method), event_data(subj), event_data(status_rev.dwError), event_data::blank);
|
||||
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKE_FAILED, event_data((unsigned int)obj->m_module.m_eap_method), event_data(subj), event_data(status_rev.dwError), blank_event_data);
|
||||
c += (size_t)status_rev.dwIndex + 1;
|
||||
}
|
||||
} else {
|
||||
@@ -233,6 +233,6 @@ DWORD WINAPI eap::peer_tls_base::crl_checker::verify(_In_ crl_checker *obj)
|
||||
}
|
||||
|
||||
// Revocation check succeeded.
|
||||
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKE_FINISHED, event_data((unsigned int)obj->m_module.m_eap_method), event_data::blank);
|
||||
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKE_FINISHED, event_data((unsigned int)obj->m_module.m_eap_method), blank_event_data);
|
||||
return 0;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user