method_tls_tunnel: Cleanup

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-01-30 15:16:37 +01:00 · 2020-01-30 15:16:37 +01:00 · 737f51b815
commit 737f51b815
parent 7706e54294
2 changed files with 51 additions and 78 deletions
--- a/lib/TTLS/include/Method.h
+++ b/lib/TTLS/include/Method.h
@ -219,6 +219,11 @@ namespace eap
            _Inout_ EapPeerMethodResult       *pResult);
    protected:
        ///
        /// Decrypts data and forwards it to the inner method.
        ///
        EapPeerMethodResponseAction decrypt_request_data();
 #if EAP_TLS < EAP_TLS_SCHANNEL_FULL
        ///
        /// Verifies server certificate if trusted by configuration
--- a/lib/TTLS/src/Method.cpp
+++ b/lib/TTLS/src/Method.cpp
@ -572,44 +572,7 @@ EapPeerMethodResponseAction eap::method_tls_tunnel::process_request_packet(
                }
                // Piggyback initial inner response.
-                if (!(m_sc_ctx.m_attrib & ISC_RET_CONFIDENTIALITY))
+                decrypt_request_data();
                    throw runtime_error(__FUNCTION__ " Connection is not encrypted.");
                EapPeerMethodResponseAction action = EapPeerMethodResponseActionDiscard;
                if (m_sc_queue.empty()) {
                    // No extra initial data for inner authentication avaliable.
                    action = method_tunnel::process_request_packet(NULL, 0);
                } else {
                    // Authenticator sent some data for inner authentication. Decrypt it.
                    // Decrypt the message.
                    SecBuffer buf[] = {
                        { (unsigned long)m_sc_queue.size(), SECBUFFER_DATA, m_sc_queue.data() },
                        { 0, SECBUFFER_EMPTY, NULL },
                        { 0, SECBUFFER_EMPTY, NULL },
                        { 0, SECBUFFER_EMPTY, NULL },
                    };
                    SecBufferDesc buf_desc = { SECBUFFER_VERSION, _countof(buf), buf };
                    status = DecryptMessage(m_sc_ctx, &buf_desc, 0, NULL);
                    if (status == SEC_E_OK) {
                        // Process data (only the first SECBUFFER_DATA found).
                        for (size_t i = 0; i < _countof(buf); i++)
                            if (buf[i].BufferType == SECBUFFER_DATA) {
                                action = method_tunnel::process_request_packet(buf[i].pvBuffer, buf[i].cbBuffer);
                                break;
                            }
                        // Queue remaining data for the next time.
                        m_sc_queue.clear();
                        for (size_t i = 0; i < _countof(buf); i++)
                            if (buf[i].BufferType == SECBUFFER_EXTRA)
                                m_sc_queue.insert(m_sc_queue.end(), reinterpret_cast<const unsigned char*>(buf[i].pvBuffer), reinterpret_cast<const unsigned char*>(buf[i].pvBuffer) + buf[i].cbBuffer);
                    } else if (FAILED(status))
                        throw sec_runtime_error(status, __FUNCTION__ " Schannel error.");
                    else
                        throw sec_runtime_error(status, __FUNCTION__ " Unexpected Schannel result.");
                }
                m_packet_res_inner = action == EapPeerMethodResponseActionSend;
            }
            return EapPeerMethodResponseActionSend;
        } else if (FAILED(status)) {
@ -629,46 +592,7 @@ EapPeerMethodResponseAction eap::method_tls_tunnel::process_request_packet(
    case phase_t::finished: {
        m_packet_res.clear();
        m_sc_queue.insert(m_sc_queue.end(), reinterpret_cast<const unsigned char*>(pReceivedPacket), reinterpret_cast<const unsigned char*>(pReceivedPacket) + dwReceivedPacketSize);
-
+        return decrypt_request_data();
        if (!(m_sc_ctx.m_attrib & ISC_RET_CONFIDENTIALITY))
            throw runtime_error(__FUNCTION__ " Connection is not encrypted.");
        EapPeerMethodResponseAction action = EapPeerMethodResponseActionDiscard;
        if (m_sc_queue.empty()) {
            // No extra data for inner authentication.
            action = method_tunnel::process_request_packet(NULL, 0);
        } else {
            // Authenticator sent data for inner authentication. Decrypt it.
            // Decrypt the message.
            SecBuffer buf[] = {
                { (unsigned long)m_sc_queue.size(), SECBUFFER_DATA, m_sc_queue.data() },
                { 0, SECBUFFER_EMPTY, NULL },
                { 0, SECBUFFER_EMPTY, NULL },
                { 0, SECBUFFER_EMPTY, NULL },
            };
            SecBufferDesc buf_desc = { SECBUFFER_VERSION, _countof(buf), buf };
            SECURITY_STATUS status = DecryptMessage(m_sc_ctx, &buf_desc, 0, NULL);
            if (status == SEC_E_OK) {
                // Process data (only the first SECBUFFER_DATA found).
                for (size_t i = 0; i < _countof(buf); i++)
                    if (buf[i].BufferType == SECBUFFER_DATA) {
                        action = method_tunnel::process_request_packet(buf[i].pvBuffer, buf[i].cbBuffer);
                        break;
                    }
                // Queue remaining data for the next time.
                m_sc_queue.clear();
                for (size_t i = 0; i < _countof(buf); i++)
                    if (buf[i].BufferType == SECBUFFER_EXTRA)
                        m_sc_queue.insert(m_sc_queue.end(), reinterpret_cast<const unsigned char*>(buf[i].pvBuffer), reinterpret_cast<const unsigned char*>(buf[i].pvBuffer) + buf[i].cbBuffer);
            } else if (FAILED(status))
                throw sec_runtime_error(status, __FUNCTION__ " Schannel error.");
            else
                throw sec_runtime_error(status, __FUNCTION__ " Unexpected Schannel result.");
        }
        m_packet_res_inner = action == EapPeerMethodResponseActionSend;
        return action;
    }
    default:
@ -794,6 +718,50 @@ void eap::method_tls_tunnel::get_result(
 }
 EapPeerMethodResponseAction eap::method_tls_tunnel::decrypt_request_data()
 {
    if (!(m_sc_ctx.m_attrib & ISC_RET_CONFIDENTIALITY))
        throw runtime_error(__FUNCTION__ " Connection is not encrypted.");
    EapPeerMethodResponseAction action = EapPeerMethodResponseActionDiscard;
    if (m_sc_queue.empty()) {
        // No data for inner authentication avaliable.
        action = method_tunnel::process_request_packet(NULL, 0);
    } else {
        // Authenticator sent data for inner authentication. Decrypt it.
        // Decrypt the message.
        SecBuffer buf[] = {
            { (unsigned long)m_sc_queue.size(), SECBUFFER_DATA, m_sc_queue.data() },
            { 0, SECBUFFER_EMPTY, NULL },
            { 0, SECBUFFER_EMPTY, NULL },
            { 0, SECBUFFER_EMPTY, NULL },
        };
        SecBufferDesc buf_desc = { SECBUFFER_VERSION, _countof(buf), buf };
        SECURITY_STATUS status = DecryptMessage(m_sc_ctx, &buf_desc, 0, NULL);
        if (status == SEC_E_OK) {
            // Process data (only the first SECBUFFER_DATA found).
            for (size_t i = 0; i < _countof(buf); i++)
                if (buf[i].BufferType == SECBUFFER_DATA) {
                    action = method_tunnel::process_request_packet(buf[i].pvBuffer, buf[i].cbBuffer);
                    break;
                }
            // Queue remaining data for the next time.
            m_sc_queue.clear();
            for (size_t i = 0; i < _countof(buf); i++)
                if (buf[i].BufferType == SECBUFFER_EXTRA)
                    m_sc_queue.insert(m_sc_queue.end(), reinterpret_cast<const unsigned char*>(buf[i].pvBuffer), reinterpret_cast<const unsigned char*>(buf[i].pvBuffer) + buf[i].cbBuffer);
        } else if (FAILED(status))
            throw sec_runtime_error(status, __FUNCTION__ " Schannel error.");
        else
            throw sec_runtime_error(status, __FUNCTION__ " Unexpected Schannel result.");
    }
    m_packet_res_inner = action == EapPeerMethodResponseActionSend;
    return action;
 }
 #if EAP_TLS < EAP_TLS_SCHANNEL_FULL
 void eap::method_tls_tunnel::verify_server_trust() const