Amebis/GEANTLink
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 50 Wiki Activity

method_defrag: Add support for version negotiation

Browse Source 
Signed-off-by: Simon Rozman <simon@rozman.si>
This commit is contained in:
Simon Rozman
2020-01-20 14:06:53 +01:00
parent 4af1bdc935
commit b908ff3aa9
5 changed files with 61 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
lib/Events/res/EventsETW.man
View File

Binary file not shown.

25
lib/TTLS/include/Method.h
View File

@@ -42,7 +42,7 @@ namespace eap
/// @{
///
/// EAP-(T)TLS class defragging method tunnel
/// EAP-(T)TLS/PEAP class defragging method tunnel
///
class method_defrag : public method_tunnel
{
@@ -51,7 +51,7 @@ namespace eap
#pragma warning(disable: 4480)
///
/// EAP-(T)TLS request packet flags
/// EAP-(T)TLS/PEAP request packet flags
///
/// \sa [The EAP-TLS Authentication Protocol (Chapter: 3.1 EAP-TLS Request Packet)](https://tools.ietf.org/html/rfc5216#section-3.1)
/// \sa [The EAP-TTLS Authentication Protocol Version 0 (Chapter: 9.1. Packet Format)](https://tools.ietf.org/html/rfc5281#section-9.1)
@@ -64,7 +64,7 @@ namespace eap
};
///
/// EAP-(T)TLS response packet flags
/// EAP-(T)TLS/PEAP response packet flags
///
/// \sa [The EAP-TLS Authentication Protocol (Chapter: 3.2 EAP-TLS Response Packet)](https://tools.ietf.org/html/rfc5216#section-3.2)
/// \sa [The EAP-TTLS Authentication Protocol Version 0 (Chapter: 9.1. Packet Format)](https://tools.ietf.org/html/rfc5281#section-9.1)
@@ -81,10 +81,11 @@ namespace eap
///
/// Constructs a method
///
/// \param[in] mod Module to use for global services
/// \param[in] inner Inner method
/// \param[in] mod Module to use for global services
/// \param[in] version_max Maximum protocol version supported by peer
/// \param[in] inner Inner method
///
method_defrag(_In_ module &mod, _In_ method *inner);
method_defrag(_In_ module &mod, _In_ unsigned char version_max, _In_ method *inner);
/// \name Session management
/// @{
@@ -110,10 +111,22 @@ namespace eap
/// @}
public:
unsigned char m_version; ///< Negotiated protocol version
protected:
sanitizing_blob m_data_req; ///< Data in request
sanitizing_blob m_data_res; ///< Data in response
bool m_send_res; ///< Are we sending a response?
///
/// Communication phase
///
enum class phase_t {
unknown = -1, ///< Unknown phase
init = 0, ///< Binding exchange
established, ///< Connection established
} m_phase; ///< What phase is our communication at?
};

32
lib/TTLS/src/Method.cpp
View File

@@ -1,21 +1,21 @@
/*
Copyright 2015-2020 Amebis
Copyright 2016 GÉANT
Copyright 2016 G<EFBFBD>ANT
This file is part of GÉANTLink.
This file is part of G<EFBFBD>ANTLink.
GÉANTLink is free software: you can redistribute it and/or modify it
G<EFBFBD>ANTLink is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
GÉANTLink is distributed in the hope that it will be useful, but
G<EFBFBD>ANTLink is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with GÉANTLink. If not, see <http://www.gnu.org/licenses/>.
along with G<EFBFBD>ANTLink. If not, see <http://www.gnu.org/licenses/>.
*/
#include "StdAfx.h"
@@ -30,7 +30,9 @@ using namespace winstd;
// eap::method_defrag
//////////////////////////////////////////////////////////////////////
eap::method_defrag::method_defrag(_In_ module &mod, _In_ method *inner) :
eap::method_defrag::method_defrag(_In_ module &mod, _In_ unsigned char version_max, _In_ method *inner) :
m_version(version_max),
m_phase(phase_t::unknown),
m_send_res(false),
method_tunnel(mod, inner)
{
@@ -49,6 +51,8 @@ void eap::method_defrag::begin_session(
// Inner method can generate packets of up to 4GB.
assert(m_inner);
m_inner->begin_session(dwFlags, pAttributeArray, hTokenImpersonateUser, MAXDWORD);
m_phase = phase_t::init;
}
@@ -59,6 +63,18 @@ EapPeerMethodResponseAction eap::method_defrag::process_request_packet(
assert(dwReceivedPacketSize >= 1); // Request packet should contain flags at least.
auto data_packet = reinterpret_cast<const unsigned char*>(pReceivedPacket);
// To prevent version downgrade attacks, negotiate protocol version on binding exchange only. Then stick to it!
unsigned char data_version = data_packet[0] & flags_req_ver_mask;
if (m_phase == phase_t::init) {
m_version = min<unsigned char>(data_version, m_version);
m_module.log_event(&EAPMETHOD_DEFRAG_VERSION,
event_data(m_version),
event_data(data_version),
event_data::blank);
m_phase = phase_t::established;
} else if (data_version != m_version)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Protocol version mismatch.");
// Get packet content pointers for more readable code later on.
auto
data_content = data_packet + (data_packet[0] & flags_req_length_incl ? 5 : 1),
@@ -124,7 +140,7 @@ void eap::method_defrag::get_response_packet(
packet.clear();
if (size_data + 1 > size_max) {
// Write one fragment.
packet.push_back(flags_res_length_incl | flags_res_more_frag);
packet.push_back(flags_res_length_incl | flags_res_more_frag | m_version);
unsigned int length = htonl((unsigned int)size_data);
packet.insert(packet.end(), reinterpret_cast<const unsigned char*>(&length), reinterpret_cast<const unsigned char*>(&length + 1));
auto data_begin = m_data_res.begin() + 0, data_end = data_begin + (size_max - 5);
@@ -133,7 +149,7 @@ void eap::method_defrag::get_response_packet(
m_send_res = true;
} else {
// Write single/last fragment.
packet.push_back(0);
packet.push_back(m_version);
packet.insert(packet.end(), m_data_res.begin(), m_data_res.end());
m_data_res.clear();
m_send_res = false;

34
lib/TTLS/src/Module.cpp
View File

@@ -1,21 +1,21 @@
/*
Copyright 2015-2020 Amebis
Copyright 2016 GÉANT
Copyright 2016 G<EFBFBD>ANT
This file is part of GÉANTLink.
This file is part of G<EFBFBD>ANTLink.
GÉANTLink is free software: you can redistribute it and/or modify it
G<EFBFBD>ANTLink is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
GÉANTLink is distributed in the hope that it will be useful, but
G<EFBFBD>ANTLink is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with GÉANTLink. If not, see <http://www.gnu.org/licenses/>.
along with G<EFBFBD>ANTLink. If not, see <http://www.gnu.org/licenses/>.
*/
#include "StdAfx.h"
@@ -121,7 +121,7 @@ void eap::peer_ttls::get_identity(
} else {
// Per-machine authentication, cannot use UI.
throw win_runtime_error(ERROR_NO_SUCH_USER, __FUNCTION__ " Credentials for per-machine authentication not available.");
}
}
}
// Build our identity. ;)
@@ -138,7 +138,7 @@ void eap::peer_ttls::get_identity(
void eap::peer_ttls::get_method_properties(
_In_ DWORD dwVersion,
_In_ DWORD dwFlags,
_In_ DWORD dwFlags,
_In_ HANDLE hUserImpersonationToken,
_In_count_(dwConnectionDataSize) const BYTE *pConnectionData,
_In_ DWORD dwConnectionDataSize,
@@ -278,7 +278,7 @@ EAP_SESSION_HANDLE eap::peer_ttls::begin_session(
#endif
s->m_method.reset(
new method_eap (*this, eap_type_t::ttls,
new method_defrag(*this,
new method_defrag(*this, 0, /* Schannel supports retrieving keying material for EAP-TTLSv0 only. */
new method_ttls (*this, *cfg_method, *dynamic_cast<credentials_ttls*>(s->m_cred.m_cred.get()), meth_inner.release()))));
// Initialize method.
@@ -596,7 +596,7 @@ DWORD WINAPI eap::peer_ttls::crl_checker::verify(_In_ crl_checker *obj)
if (WaitForSingleObject(obj->m_abort, 5000) == WAIT_OBJECT_0) {
// Aborted.
return 1;
}
}
// Prepare a list of certificates forming certificate chain.
list<cert_context> context_data;
@@ -605,7 +605,7 @@ DWORD WINAPI eap::peer_ttls::crl_checker::verify(_In_ crl_checker *obj)
DWORD flags = 0;
c = CertGetIssuerCertificateFromStore(obj->m_cert->hCertStore, context_data.back(), NULL, &flags);
if (!c) break;
}
}
// Create an array of pointers to CERT_CONTEXT required by CertVerifyRevocation().
vector<PCERT_CONTEXT> context;
@@ -623,7 +623,7 @@ DWORD WINAPI eap::peer_ttls::crl_checker::verify(_In_ crl_checker *obj)
if (!CertVerifyRevocation(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE,
(DWORD)(c_end - c), reinterpret_cast<PVOID*>(&*c),
CERT_VERIFY_REV_CHAIN_FLAG, NULL, &status_rev))
{
{
PCCERT_CONTEXT cert = *(c + status_rev.dwIndex);
wstring subj;
if (!CertGetNameStringW(cert, CERT_NAME_DNS_TYPE, CERT_NAME_STR_ENABLE_PUNYCODE_FLAG, NULL, subj))
@@ -639,7 +639,7 @@ DWORD WINAPI eap::peer_ttls::crl_checker::verify(_In_ crl_checker *obj)
// This really was an error, as it appeared before the root CA cerficate in the chain.
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKE_SKIPPED, event_data((unsigned int)eap_type_t::ttls), event_data(subj), event_data::blank);
}
break;
break;
case CRYPT_E_REVOKED:
// One of the certificates in the chain was revoked.
@@ -650,7 +650,7 @@ DWORD WINAPI eap::peer_ttls::crl_checker::verify(_In_ crl_checker *obj)
case CRL_REASON_CERTIFICATE_HOLD:
// The revocation was of administrative nature. No need to black-list.
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKED1, event_data((unsigned int)eap_type_t::ttls), event_data(subj), event_data(status_rev.dwReason), event_data::blank);
break;
break;
default: {
// One of the certificates in the chain was revoked as compromised. Black-list it.
@@ -669,18 +669,18 @@ DWORD WINAPI eap::peer_ttls::crl_checker::verify(_In_ crl_checker *obj)
// Resume checking the rest of the chain.
c += (size_t)status_rev.dwIndex + 1;
break;
break;
case ERROR_SUCCESS:
// Odd. CertVerifyRevocation() should return TRUE then. Nevertheless, we take this as a "yes".
c = c_end;
break;
break;
default:
default:
// Checking one of the certificates in the chain for revocation failed. Resume checking the rest.
obj->m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_REVOKE_FAILED, event_data((unsigned int)eap_type_t::ttls), event_data(subj), event_data(status_rev.dwError), event_data::blank);
c += (size_t)status_rev.dwIndex + 1;
}
}
} else {
// Revocation check finished.
break;

2
lib/WinStd

Submodule lib/WinStd updated: e776e5a473...973890b11b