EAP-TLS method moved to standalone .h/.c file & some minor modifications

2016-06-02 09:28:28 +02:00 · 2016-06-02 09:28:28 +02:00 · 7dbe76d4f4
commit 7dbe76d4f4
parent 3d69a343c7
10 changed files with 398 additions and 0 deletions
--- a/EAPMethods/build/EAPTTLS.vcxproj
+++ b/EAPMethods/build/EAPTTLS.vcxproj
@ -81,6 +81,7 @@
  <ItemGroup>
    <ClInclude Include="..\include\EAPMethods.h" />
    <ClInclude Include="..\include\EAPSerialize.h" />
+    <ClInclude Include="..\include\EAPTLS.h" />
    <ClInclude Include="..\include\EAPTTLS.h" />
    <ClInclude Include="..\include\EAPXML.h" />
    <ClInclude Include="..\include\PAP.h" />
@ -88,6 +89,7 @@
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="..\src\EAPMethods.cpp" />
+    <ClCompile Include="..\src\EAPTLS.cpp" />
    <ClCompile Include="..\src\EAPTTLS.cpp" />
    <ClCompile Include="..\src\Main.cpp" />
    <ClCompile Include="..\src\PAP.cpp" />
--- a/EAPMethods/build/EAPTTLS.vcxproj.filters
+++ b/EAPMethods/build/EAPTTLS.vcxproj.filters
@ -33,6 +33,9 @@
    <ClInclude Include="..\include\EAPSerialize.h">
      <Filter>Header Files</Filter>
    </ClInclude>
+    <ClInclude Include="..\include\EAPTLS.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="..\src\StdAfx.cpp">
@ -50,6 +53,9 @@
    <ClCompile Include="..\src\PAP.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
+    <ClCompile Include="..\src\EAPTLS.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="EAPTTLS.rc">
--- a/EAPMethods/build/EAPTTLSUI.vcxproj
+++ b/EAPMethods/build/EAPTTLSUI.vcxproj
@ -80,11 +80,13 @@
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" />
  <ItemGroup>
    <ClInclude Include="..\include\EAPMethods.h" />
+    <ClInclude Include="..\include\EAPTLS.h" />
    <ClInclude Include="..\include\EAPTTLS.h" />
    <ClInclude Include="..\include\StdAfx.h" />
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="..\src\EAPMethods.cpp" />
+    <ClCompile Include="..\src\EAPTLS.cpp" />
    <ClCompile Include="..\src\EAPTTLS.cpp" />
    <ClCompile Include="..\src\MainUI.cpp" />
    <ClCompile Include="..\src\PAP.cpp" />
--- a/EAPMethods/build/EAPTTLSUI.vcxproj.filters
+++ b/EAPMethods/build/EAPTTLSUI.vcxproj.filters
@ -24,6 +24,9 @@
    <ClInclude Include="..\include\EAPTTLS.h">
      <Filter>Header Files</Filter>
    </ClInclude>
+    <ClInclude Include="..\include\EAPTLS.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="..\src\StdAfx.cpp">
@ -41,6 +44,9 @@
    <ClCompile Include="..\src\PAP.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
+    <ClCompile Include="..\src\EAPTLS.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="EAPTTLSUI.rc">
--- a/EAPMethods/include/EAPMethods.h
+++ b/EAPMethods/include/EAPMethods.h
--- a/EAPMethods/include/EAPTLS.h
+++ b/EAPMethods/include/EAPTLS.h
@ -0,0 +1,181 @@
+/*
+    Copyright 2015-2016 Amebis
+    Copyright 2016 GÉANT
+
+    This file is part of GÉANTLink.
+
+    GÉANTLink is free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    GÉANTLink is distributed in the hope that it will be useful, but
+    WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with GÉANTLink. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "EAPMethods.h"
+#include "EAPSerialize.h"
+
+namespace eap
+{
+    class config_tls;
+}
+
+namespace eapserial
+{
+    inline void pack(_Inout_ unsigned char *&cursor, _In_ const eap::config_tls &val);
+    inline size_t get_pk_size(const eap::config_tls &val);
+    inline void unpack(_Inout_ const unsigned char *&cursor, _Out_ eap::config_tls &val);
+}
+
+#pragma once
+
+
+namespace eap
+{
+    ///
+    /// TLS configuration
+    ///
+    class config_tls : public config_method
+    {
+    public:
+        ///
+        /// Constructs configuration
+        ///
+        /// \param[in] mod  Reference of the EAP module to use for global services
+        ///
+        config_tls(_In_ module &mod);
+
+        ///
+        /// Copies configuration
+        ///
+        /// \param[in] other  Configuration to copy from
+        ///
+        config_tls(_In_ const config_tls &other);
+
+        ///
+        /// Moves configuration
+        ///
+        /// \param[in] other  Configuration to move from
+        ///
+        config_tls(_Inout_ config_tls &&other);
+
+        ///
+        /// Copies configuration
+        ///
+        /// \param[in] other  Configuration to copy from
+        ///
+        /// \returns Reference to this object
+        ///
+        config_tls& operator=(_In_ const config_tls &other);
+
+        ///
+        /// Moves configuration
+        ///
+        /// \param[in] other  Configuration to move from
+        ///
+        /// \returns Reference to this object
+        ///
+        config_tls& operator=(_Inout_ config_tls &&other);
+
+        /// \name XML configuration management
+        /// @{
+
+        ///
+        /// Save configuration to XML document
+        ///
+        /// \param[in]  pDoc         XML document
+        /// \param[in]  pConfigRoot  Suggested root element for saving configuration
+        /// \param[out] ppEapError   Pointer to error descriptor in case of failure. Free using `module::free_memory()`.
+        ///
+        /// \returns
+        /// - \c ERROR_SUCCESS if succeeded
+        /// - error code otherwise
+        ///
+        virtual DWORD save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNode *pConfigRoot, _Out_ EAP_ERROR **ppEapError) const;
+
+        ///
+        /// Load configuration from XML document
+        ///
+        /// \param[in]  pConfigRoot  Root element for loading configuration
+        /// \param[out] ppEapError   Pointer to error descriptor in case of failure. Free using `module::free_memory()`.
+        ///
+        /// \returns
+        /// - \c ERROR_SUCCESS if succeeded
+        /// - error code otherwise
+        ///
+        virtual DWORD load(_In_ IXMLDOMNode *pConfigRoot, _Out_ EAP_ERROR **ppEapError);
+
+        /// @}
+
+        ///
+        /// Returns EAP method type of this configuration
+        ///
+        /// \returns `eap::type_tls`
+        ///
+        virtual eap::type_t get_method_id() { return eap::type_tls; }
+
+        ///
+        /// Adds CA to the list of trusted root CA's
+        ///
+        /// \sa [CertCreateCertificateContext function](https://msdn.microsoft.com/en-us/library/windows/desktop/aa376033.aspx)
+        ///
+        bool add_trusted_ca(_In_ DWORD dwCertEncodingType, _In_ const BYTE *pbCertEncoded, _In_ DWORD cbCertEncoded);
+
+    public:
+        std::list<winstd::cert_context> m_trusted_root_ca;    ///< Trusted root CAs
+        std::list<std::string> m_server_names;                ///< Acceptable authenticating server names
+    };
+}
+
+
+namespace eapserial
+{
+    ///
+    /// Packs a TLS method configuration
+    ///
+    /// \param[inout] cursor  Memory cursor
+    /// \param[in]    val     Configuration to pack
+    ///
+    inline void pack(_Inout_ unsigned char *&cursor, _In_ const eap::config_tls &val)
+    {
+        pack(cursor, (const eap::config_method&)val);
+        pack(cursor, val.m_trusted_root_ca  );
+        pack(cursor, val.m_server_names     );
+    }
+
+
+    ///
+    /// Returns packed size of a TLS method configuration
+    ///
+    /// \param[in] val  Configuration to pack
+    ///
+    /// \returns Size of data when packed (in bytes)
+    ///
+    inline size_t get_pk_size(const eap::config_tls &val)
+    {
+        return
+            get_pk_size((const eap::config_method&)val) +
+            get_pk_size(val.m_trusted_root_ca  ) +
+            get_pk_size(val.m_server_names     );
+    }
+
+
+    ///
+    /// Unpacks a TLS method configuration
+    ///
+    /// \param[inout] cursor  Memory cursor
+    /// \param[out]   val     Configuration to unpack to
+    ///
+    inline void unpack(_Inout_ const unsigned char *&cursor, _Out_ eap::config_tls &val)
+    {
+        unpack(cursor, (eap::config_method&)val    );
+        unpack(cursor, val.m_trusted_root_ca);
+        unpack(cursor, val.m_server_names   );
+    }
+}
--- a/EAPMethods/include/EAPTTLS.h
+++ b/EAPMethods/include/EAPTTLS.h
--- a/EAPMethods/include/StdAfx.h
+++ b/EAPMethods/include/StdAfx.h
--- a/EAPMethods/src/EAPMethods.cpp
+++ b/EAPMethods/src/EAPMethods.cpp
--- a/EAPMethods/src/EAPTLS.cpp
+++ b/EAPMethods/src/EAPTLS.cpp
@ -0,0 +1,201 @@
+/*
+    Copyright 2015-2016 Amebis
+    Copyright 2016 GÉANT
+
+    This file is part of GÉANTLink.
+
+    GÉANTLink is free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    GÉANTLink is distributed in the hope that it will be useful, but
+    WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with GÉANTLink. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <StdAfx.h>
+
+using namespace std;
+using namespace winstd;
+
+
+//////////////////////////////////////////////////////////////////////
+// eap::config_tls
+//////////////////////////////////////////////////////////////////////
+
+eap::config_tls::config_tls(_In_ module &mod) : config_method(mod)
+{
+}
+
+
+eap::config_tls::config_tls(_In_ const config_tls &other) :
+    m_trusted_root_ca(other.m_trusted_root_ca),
+    m_server_names(other.m_server_names),
+    config_method(other)
+{
+}
+
+
+eap::config_tls::config_tls(_Inout_ config_tls &&other) :
+    m_trusted_root_ca(std::move(other.m_trusted_root_ca)),
+    m_server_names(std::move(other.m_server_names)),
+    config_method(std::move(other))
+{
+}
+
+
+eap::config_tls& eap::config_tls::operator=(_In_ const eap::config_tls &other)
+{
+    if (this != &other) {
+        (config_method&)*this = other;
+        m_trusted_root_ca     = other.m_trusted_root_ca;
+        m_server_names        = other.m_server_names;
+    }
+
+    return *this;
+}
+
+
+eap::config_tls& eap::config_tls::operator=(_Inout_ eap::config_tls &&other)
+{
+    if (this != &other) {
+        (config_method&&)*this = std::move(other);
+        m_trusted_root_ca      = std::move(other.m_trusted_root_ca);
+        m_server_names         = std::move(other.m_server_names);
+    }
+
+    return *this;
+}
+
+
+DWORD eap::config_tls::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNode *pConfigRoot, _Out_ EAP_ERROR **ppEapError) const
+{
+    const bstr bstrNamespace(L"urn:ietf:params:xml:ns:yang:ietf-eap-metadata");
+    DWORD dwResult;
+    HRESULT hr;
+
+    // <ServerSideCredential>
+    com_obj<IXMLDOMElement> pXmlElServerSideCredential;
+    if ((dwResult = eapxml::create_element(pDoc, pConfigRoot, bstr(L"eap-metadata:ServerSideCredential"), bstr(L"ServerSideCredential"), bstrNamespace, &pXmlElServerSideCredential)) != ERROR_SUCCESS) {
+        *ppEapError = m_module.make_error(dwResult, 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Error creating <ServerSideCredential> element."), NULL);
+        return dwResult;
+    }
+
+    for (list<cert_context>::const_iterator i = m_trusted_root_ca.begin(), i_end = m_trusted_root_ca.end(); i != i_end; ++i) {
+        // <CA>
+        com_obj<IXMLDOMElement> pXmlElCA;
+        if ((dwResult = eapxml::create_element(pDoc, bstr(L"CA"), bstrNamespace, &pXmlElCA))) {
+            *ppEapError = m_module.make_error(dwResult, 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Error creating <CA> element."), NULL);
+            return dwResult;
+        }
+
+        // <CA>/<format>
+        if ((dwResult = eapxml::put_element_value(pDoc, pXmlElCA, bstr(L"format"), bstrNamespace, bstr(L"PEM"))) != ERROR_SUCCESS) {
+            *ppEapError = m_module.make_error(dwResult, 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Error creating <format> element."), NULL);
+            return dwResult;
+        }
+
+        // <CA>/<cert-data>
+        const cert_context &cc = *i;
+        if ((dwResult = eapxml::put_element_base64(pDoc, pXmlElCA, bstr(L"cert-data"), bstrNamespace, cc->pbCertEncoded, cc->cbCertEncoded)) != ERROR_SUCCESS) {
+            *ppEapError = m_module.make_error(dwResult, 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Error creating <cert-data> element."), NULL);
+            return dwResult;
+        }
+
+        if (FAILED(hr = pXmlElServerSideCredential->appendChild(pXmlElCA, NULL))) {
+            *ppEapError = m_module.make_error(dwResult = HRESULT_CODE(hr), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Error appending <CA> element."), NULL);
+            return dwResult;
+        }
+    }
+
+    // <ServerName>
+    for (list<string>::const_iterator i = m_server_names.begin(), i_end = m_server_names.end(); i != i_end; ++i) {
+        wstring str;
+        MultiByteToWideChar(CP_UTF8, 0, i->c_str(), (int)i->length(), str);
+        if ((dwResult = eapxml::put_element_value(pDoc, pXmlElServerSideCredential, bstr(L"ServerName"), bstrNamespace, bstr(str))) != ERROR_SUCCESS) {
+            *ppEapError = m_module.make_error(dwResult, 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Error creating <ServerName> element."), NULL);
+            return dwResult;
+        }
+    }
+
+    return config_method::save(pDoc, pConfigRoot, ppEapError);
+}
+
+
+DWORD eap::config_tls::load(_In_ IXMLDOMNode *pConfigRoot, _Out_ EAP_ERROR **ppEapError)
+{
+    m_trusted_root_ca.clear();
+    m_server_names.clear();
+
+    // <ServerSideCredential>
+    com_obj<IXMLDOMElement> pXmlElServerSideCredential;
+    if (eapxml::select_element(pConfigRoot, bstr(L"eap-metadata:ServerSideCredential"), &pXmlElServerSideCredential) == ERROR_SUCCESS) {
+        // <CA>
+        com_obj<IXMLDOMNodeList> pXmlListCAs;
+        long lCACount = 0;
+        if (eapxml::select_nodes(pXmlElServerSideCredential, bstr(L"eap-metadata:CA"), &pXmlListCAs) == ERROR_SUCCESS && SUCCEEDED(pXmlListCAs->get_length(&lCACount))) {
+            for (long j = 0; j < lCACount; j++) {
+                // Load CA certificate.
+                com_obj<IXMLDOMNode> pXmlElCA;
+                pXmlListCAs->get_item(j, &pXmlElCA);
+                bstr bstrFormat;
+                if (eapxml::get_element_value(pXmlElCA, bstr(L"eap-metadata:format"), &bstrFormat) == ERROR_SUCCESS) {
+                    if (CompareStringEx(LOCALE_NAME_INVARIANT, NORM_IGNORECASE, bstrFormat, bstrFormat.length(), L"PEM", -1, NULL, NULL, 0) == CSTR_EQUAL) {
+                        vector<unsigned char> aData;
+                        if (eapxml::get_element_base64(pXmlElCA, bstr(L"eap-metadata:cert-data"), aData) == ERROR_SUCCESS)
+                            add_trusted_ca(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, aData.data(), (DWORD)aData.size());
+                    }
+                }
+            }
+        }
+
+        // <ServerName>
+        com_obj<IXMLDOMNodeList> pXmlListServerIDs;
+        long lServerIDCount = 0;
+        if (eapxml::select_nodes(pXmlElServerSideCredential, bstr(L"eap-metadata:ServerName"), &pXmlListServerIDs) == ERROR_SUCCESS && SUCCEEDED(pXmlListServerIDs->get_length(&lServerIDCount))) {
+            for (long j = 0; j < lServerIDCount; j++) {
+                // Load server name (<ServerName>).
+                com_obj<IXMLDOMNode> pXmlElServerID;
+                pXmlListServerIDs->get_item(j, &pXmlElServerID);
+                bstr bstrServerID;
+                pXmlElServerID->get_text(&bstrServerID);
+
+                // Server names (FQDNs) are always ASCII. Hopefully. Convert them to UTF-8 anyway for consistent comparison. CP_ANSI varies.
+                string str;
+                WideCharToMultiByte(CP_UTF8, 0, bstrServerID, bstrServerID.length(), str, NULL, NULL);
+
+                m_server_names.push_back(str);
+            }
+        }
+    }
+
+    return config_method::load(pConfigRoot, ppEapError);
+}
+
+
+bool eap::config_tls::add_trusted_ca(_In_  DWORD dwCertEncodingType, _In_  const BYTE *pbCertEncoded, _In_  DWORD cbCertEncoded)
+{
+    cert_context cert;
+    if (!cert.create(dwCertEncodingType, pbCertEncoded, cbCertEncoded)) {
+        // Invalid or unsupported certificate.
+        return false;
+    }
+
+    for (list<cert_context>::const_iterator i = m_trusted_root_ca.cbegin(), i_end = m_trusted_root_ca.cend();; ++i) {
+        if (i != i_end) {
+            if (*i == cert) {
+                // This certificate is already on the list.
+                return false;
+            }
+        } else {
+            // End of list reached. Append certificate.
+            m_trusted_root_ca.push_back(std::move(cert));
+            return true;
+        }
+    }
+}