EAP-MSCHAPv2 support finished

2016-11-04 09:16:43 +01:00
parent fa3e7c0e6d
commit 88651e4ffe
10 changed files with 508 additions and 213 deletions
--- a/lib/MSCHAPv2/include/MSCHAPv2.h
+++ b/lib/MSCHAPv2/include/MSCHAPv2.h
@@ -23,6 +23,8 @@

 namespace eap
 {
+    enum chap_packet_code_t;
+    struct WINSTD_NOVTABLE chap_header;
    struct WINSTD_NOVTABLE challenge_mschapv2;
    struct WINSTD_NOVTABLE challenge_hash;
    struct WINSTD_NOVTABLE nt_password_hash;
@@ -59,9 +61,34 @@ namespace eap
    /// \addtogroup MSCHAPv2
    /// @{

+    ///
+    /// CHAP packet codes
+    ///
+    #pragma warning(suppress: 4480)
+    enum chap_packet_code_t : unsigned char {
+        chap_packet_code_challenge            = 1, ///< Challenge
+        chap_packet_code_response             = 2, ///< Response
+        chap_packet_code_success              = 3, ///< Success
+        chap_packet_code_failure              = 4, ///< Failure
+
+        mschapv2_packet_code_change_password  = 7, ///< Change password
+    };
+
+
 #pragma pack(push)
 #pragma pack(1)

+    ///
+    /// CHAP packet header base class
+    ///
+    struct WINSTD_NOVTABLE chap_header
+    {
+        chap_packet_code_t code;    ///< CHAP packet code
+        unsigned char ident;        ///< CHAP identifier
+        unsigned char length[2];    ///< CHAP packet length
+    };
+
+
    ///
    /// MSCHAPv2 Challenge
    ///
@@ -98,7 +125,7 @@ namespace eap
        ///
        challenge_hash(
            _In_         HCRYPTPROV         cp,
-            _In_   const challenge_mschapv2 &challenge_server,
+            _In_   const sanitizing_blob    &challenge_server,
            _In_   const challenge_mschapv2 &challenge_client,
            _In_z_ const char               *username);

@@ -195,7 +222,7 @@ namespace eap
        ///
        nt_response(
            _In_         HCRYPTPROV         cp,
-            _In_   const challenge_mschapv2 &challenge_server,
+            _In_   const sanitizing_blob    &challenge_server,
            _In_   const challenge_mschapv2 &challenge_client,
            _In_z_ const char               *username,
            _In_z_ const wchar_t            *password);
@@ -242,7 +269,7 @@ namespace eap
        ///
        authenticator_response(
            _In_         HCRYPTPROV         cp,
-            _In_   const challenge_mschapv2 &challenge_server,
+            _In_   const sanitizing_blob    &challenge_server,
            _In_   const challenge_mschapv2 &challenge_client,
            _In_z_ const char               *username,
            _In_z_ const wchar_t            *password,
--- a/lib/MSCHAPv2/include/Method.h
+++ b/lib/MSCHAPv2/include/Method.h
@@ -20,7 +20,9 @@

 namespace eap
 {
+    class method_mschapv2_base;
    class method_mschapv2;
+    class method_mschapv2_diameter;
 }

 #pragma once
@@ -38,10 +40,111 @@ namespace eap
    /// \addtogroup EAPBaseMethod
    /// @{

+    ///
+    /// MSCHAPv2 method base class
+    ///
+    class method_mschapv2_base : public method
+    {
+        WINSTD_NONCOPYABLE(method_mschapv2_base)
+
+    public:
+        ///
+        /// Constructs a MSCHAPv2 method
+        ///
+        /// \param[in] mod   MSCHAPv2 module to use for global services
+        /// \param[in] cfg   Method configuration
+        /// \param[in] cred  User credentials
+        ///
+        method_mschapv2_base(_In_ module &mod, _In_ config_method_mschapv2 &cfg, _In_ credentials_pass &cred);
+
+        ///
+        /// Moves a MSCHAPv2 method
+        ///
+        /// \param[in] other  MSCHAPv2 method to move from
+        ///
+        method_mschapv2_base(_Inout_ method_mschapv2_base &&other);
+
+        ///
+        /// Moves a MSCHAPv2 method
+        ///
+        /// \param[in] other  MSCHAPv2 method to move from
+        ///
+        /// \returns Reference to this object
+        ///
+        method_mschapv2_base& operator=(_Inout_ method_mschapv2_base &&other);
+
+        /// \name Session management
+        /// @{
+
+        virtual void begin_session(
+            _In_        DWORD         dwFlags,
+            _In_  const EapAttributes *pAttributeArray,
+            _In_        HANDLE        hTokenImpersonateUser,
+            _In_opt_    DWORD         dwMaxSendPacketSize = MAXDWORD);
+
+        /// @}
+
+        /// \name Packet processing
+        /// @{
+
+        virtual void get_response_packet(
+            _Out_    sanitizing_blob &packet,
+            _In_opt_ DWORD           size_max = MAXDWORD);
+
+        /// @}
+
+        virtual void get_result(
+            _In_  EapPeerMethodResultReason reason,
+            _Out_ EapPeerMethodResult       *pResult);
+
+    protected:
+        ///
+        /// Processes MSCHAPv2 success message
+        ///
+        /// \sa [Microsoft PPP CHAP Extensions, Version 2 (Chapter 5. Success Packet)](https://tools.ietf.org/html/rfc2759#section-5)
+        ///
+        /// \param[in] argv  List of message values
+        ///
+        void process_success(_In_ const std::list<std::string> &argv);
+
+        ///
+        /// Processes MSCHAPv2 error message
+        ///
+        /// \sa [Microsoft PPP CHAP Extensions, Version 2 (Chapter 6. Failure Packet)](https://tools.ietf.org/html/rfc2759#section-6)
+        ///
+        /// \param[in] argv  List of message values
+        ///
+        void process_error(_In_ const std::list<std::string> &argv);
+
+        ///
+        /// Splits MSCHAPv2 success or error messages
+        ///
+        /// \param[in] resp   MSCHAPv2 success or error message (i.e. "E=648 R=1 C=d86e0aa6cb5539e5fb31dd5dc5f6898c V=3 M=Password Expired")
+        /// \param[in] count  Number of characters in \p resp
+        ///
+        /// \returns A list of individual parts of \p resp message (i.e. ("E=648", "R=1", "C=d86e0aa6cb5539e5fb31dd5dc5f6898c", "V=3", "M=Password Expired"))
+        ///
+        static std::list<std::string> parse_response(_In_count_(count) const char *resp, _In_ size_t count);
+
+    protected:
+        config_method_mschapv2 &m_cfg;          ///< Method configuration
+        credentials_pass &m_cred;               ///< Method user credentials
+        winstd::crypt_prov m_cp;                ///< Cryptography provider for general services
+
+        sanitizing_blob m_challenge_server;     ///< MSCHAP server challenge
+        challenge_mschapv2 m_challenge_client;  ///< MSCHAP client challenge
+        unsigned char m_ident;                  ///< Ident
+        nt_response m_nt_resp;                  ///< NT-Response
+        bool m_success;                         ///< Did we receive MS-CHAP2-Success?
+
+        sanitizing_blob m_packet_res;           ///< Response packet
+    };
+
+
    ///
    /// MSCHAPv2 method
    ///
-    class method_mschapv2 : public method
+    class method_mschapv2 : public method_mschapv2_base
    {
        WINSTD_NONCOPYABLE(method_mschapv2)

@@ -71,6 +174,52 @@ namespace eap
        ///
        method_mschapv2& operator=(_Inout_ method_mschapv2 &&other);

+        /// \name Packet processing
+        /// @{
+
+        virtual EapPeerMethodResponseAction process_request_packet(
+            _In_bytecount_(dwReceivedPacketSize) const void  *pReceivedPacket,
+            _In_                                       DWORD dwReceivedPacketSize);
+
+        /// @}
+    };
+
+    /// @}
+
+
+    ///
+    /// MSCHAPv2 method over Diameter AVP (for use as inner EAP-TTLS)
+    ///
+    class method_mschapv2_diameter : public method_mschapv2_base
+    {
+        WINSTD_NONCOPYABLE(method_mschapv2_diameter)
+
+    public:
+        ///
+        /// Constructs a MSCHAPv2 method
+        ///
+        /// \param[in] mod   MSCHAPv2 module to use for global services
+        /// \param[in] cfg   Method configuration
+        /// \param[in] cred  User credentials
+        ///
+        method_mschapv2_diameter(_In_ module &mod, _In_ config_method_mschapv2 &cfg, _In_ credentials_pass &cred);
+
+        ///
+        /// Moves a MSCHAPv2 method
+        ///
+        /// \param[in] other  MSCHAPv2 method to move from
+        ///
+        method_mschapv2_diameter(_Inout_ method_mschapv2_diameter &&other);
+
+        ///
+        /// Moves a MSCHAPv2 method
+        ///
+        /// \param[in] other  MSCHAPv2 method to move from
+        ///
+        /// \returns Reference to this object
+        ///
+        method_mschapv2_diameter& operator=(_Inout_ method_mschapv2_diameter &&other);
+
        /// \name Session management
        /// @{

@@ -89,16 +238,8 @@ namespace eap
            _In_bytecount_(dwReceivedPacketSize) const void  *pReceivedPacket,
            _In_                                       DWORD dwReceivedPacketSize);

-        virtual void get_response_packet(
-            _Out_    sanitizing_blob &packet,
-            _In_opt_ DWORD           size_max = MAXDWORD);
-
        /// @}

-        virtual void get_result(
-            _In_  EapPeerMethodResultReason reason,
-            _Out_ EapPeerMethodResult       *pResult);
-
        friend class method_ttls;               // Setting of initial challenge derived from TLS PRF

    protected:
@@ -110,45 +251,7 @@ namespace eap
        ///
        void process_packet(_In_bytecount_(size_pck) const void *pck, _In_ size_t size_pck);

-        ///
-        /// Processes MS-CHAP2-Success AVP
-        ///
-        /// \sa [Microsoft PPP CHAP Extensions, Version 2 (Chapter 5. Success Packet)](https://tools.ietf.org/html/rfc2759#section-5)
-        ///
-        /// \param[in] argv  List of message values
-        ///
-        void process_success(_In_ const std::list<std::string> &argv);
-
-        ///
-        /// Processes MS-CHAP-Error AVP
-        ///
-        /// \sa [Microsoft PPP CHAP Extensions, Version 2 (Chapter 6. Failure Packet)](https://tools.ietf.org/html/rfc2759#section-6)
-        ///
-        /// \param[in] argv  List of message values
-        ///
-        void process_error(_In_ const std::list<std::string> &argv);
-
-        ///
-        /// Splits MS-CHAP2-Success or MS-CHAP-Error messages
-        ///
-        /// \param[in] resp   MS-CHAP2-Success or MS-CHAP-Error message (i.e. "E=648 R=1 C=d86e0aa6cb5539e5fb31dd5dc5f6898c V=3 M=Password Expired")
-        /// \param[in] count  Number of characters in \p resp
-        ///
-        /// \returns A list of individual parts of \p resp message (i.e. ("E=648", "R=1", "C=d86e0aa6cb5539e5fb31dd5dc5f6898c", "V=3", "M=Password Expired"))
-        ///
-        static std::list<std::string> parse_response(_In_count_(count) const char *resp, _In_ size_t count);
-
    protected:
-        config_method_mschapv2 &m_cfg;          ///< Method configuration
-        credentials_pass &m_cred;               ///< Method user credentials
-        winstd::crypt_prov m_cp;                ///< Cryptography provider for general services
-
-        challenge_mschapv2 m_challenge_server;  ///< MSCHAP server challenge
-        challenge_mschapv2 m_challenge_client;  ///< MSCHAP client challenge
-        unsigned char m_ident;                  ///< Ident
-        nt_response m_nt_resp;                  ///< NT-Response
-        bool m_success;                         ///< Did we receive MS-CHAP2-Success?
-
        ///
        /// Communication phase
        ///
@@ -158,8 +261,6 @@ namespace eap
            phase_challenge_server,             ///< Verify server challenge
            phase_finished,                     ///< Connection shut down
        } m_phase;                              ///< What phase is our communication at?
-
-        sanitizing_blob m_packet_res;           ///< Response packet
    };

    /// @}