Amebis/GEANTLink
Amebis/GEANTLink
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 50 Wiki Activity

config_method_with_cred: Move anonymous identity upstream

Browse Source 
This might break BLOB backward compatibility.

Signed-off-by: Simon Rozman <simon@rozman.si>
This commit is contained in:
Simon Rozman 2020-01-14 14:55:39 +01:00
parent a2a4d75745
commit c4fc8d184a
5 changed files with 70 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/EAPBase/include/Config.h
View File

@ -304,9 +304,15 @@ namespace eap
virtual void operator>>(_Inout_ cursor_in &cursor); virtual void operator>>(_Inout_ cursor_in &cursor);
/// @} /// @}
///
/// Generates public identity using current configuration and given credentials
///
std::wstring get_public_identity(const credentials &cred) const;
public: public:
bool m_use_cred; ///< Use configured credentials bool m_use_cred; ///< Use configured credentials
std::unique_ptr<credentials> m_cred; ///< Configured credentials std::unique_ptr<credentials> m_cred; ///< Configured credentials
std::wstring m_anonymous_identity; ///< Public identity override
}; };

74
lib/EAPBase/src/Config.cpp
View File

@ -151,12 +151,12 @@ void eap::config_method::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNode *pCon
HRESULT hr; HRESULT hr;
// <ClientSideCredential> // <ClientSideCredential>
winstd::com_obj<IXMLDOMElement> pXmlElClientSideCredential; com_obj<IXMLDOMElement> pXmlElClientSideCredential;
if (FAILED(hr = eapxml::create_element(pDoc, pConfigRoot, winstd::bstr(L"eap-metadata:ClientSideCredential"), winstd::bstr(L"ClientSideCredential"), namespace_eapmetadata, pXmlElClientSideCredential))) if (FAILED(hr = eapxml::create_element(pDoc, pConfigRoot, bstr(L"eap-metadata:ClientSideCredential"), bstr(L"ClientSideCredential"), namespace_eapmetadata, pXmlElClientSideCredential)))
throw com_runtime_error(hr, __FUNCTION__ " Error creating <ClientSideCredential> element."); throw com_runtime_error(hr, __FUNCTION__ " Error creating <ClientSideCredential> element.");
// <ClientSideCredential>/<allow-save> // <ClientSideCredential>/<allow-save>
if (FAILED(hr = eapxml::put_element_value(pDoc, pXmlElClientSideCredential, winstd::bstr(L"allow-save"), namespace_eapmetadata, m_allow_save))) if (FAILED(hr = eapxml::put_element_value(pDoc, pXmlElClientSideCredential, bstr(L"allow-save"), namespace_eapmetadata, m_allow_save)))
throw com_runtime_error(hr, __FUNCTION__ " Error creating <allow-save> element."); throw com_runtime_error(hr, __FUNCTION__ " Error creating <allow-save> element.");
} }
@ -170,12 +170,12 @@ void eap::config_method::load(_In_ IXMLDOMNode *pConfigRoot)
m_allow_save = true; m_allow_save = true;
// <ClientSideCredential> // <ClientSideCredential>
winstd::com_obj<IXMLDOMElement> pXmlElClientSideCredential; com_obj<IXMLDOMElement> pXmlElClientSideCredential;
if (SUCCEEDED(eapxml::select_element(pConfigRoot, winstd::bstr(L"eap-metadata:ClientSideCredential"), pXmlElClientSideCredential))) { if (SUCCEEDED(eapxml::select_element(pConfigRoot, bstr(L"eap-metadata:ClientSideCredential"), pXmlElClientSideCredential))) {
std::wstring xpath(eapxml::get_xpath(pXmlElClientSideCredential)); wstring xpath(eapxml::get_xpath(pXmlElClientSideCredential));
// <allow-save> // <allow-save>
eapxml::get_element_value(pXmlElClientSideCredential, winstd::bstr(L"eap-metadata:allow-save"), m_allow_save); eapxml::get_element_value(pXmlElClientSideCredential, bstr(L"eap-metadata:allow-save"), m_allow_save);
m_module.log_config((xpath + L"/allow-save").c_str(), m_allow_save); m_module.log_config((xpath + L"/allow-save").c_str(), m_allow_save);
} }
@ -226,15 +226,17 @@ eap::config_method_with_cred::config_method_with_cred(_In_ module &mod, _In_ uns
eap::config_method_with_cred::config_method_with_cred(_In_ const config_method_with_cred &other) : eap::config_method_with_cred::config_method_with_cred(_In_ const config_method_with_cred &other) :
m_use_cred (other.m_use_cred ), m_use_cred (other.m_use_cred ),
m_cred (other.m_cred ? dynamic_cast<credentials*>(other.m_cred->clone()) : nullptr), m_cred (other.m_cred ? dynamic_cast<credentials*>(other.m_cred->clone()) : nullptr),
config_method(other ) m_anonymous_identity(other.m_anonymous_identity ),
config_method (other )
{ {
} }
eap::config_method_with_cred::config_method_with_cred(_Inout_ config_method_with_cred &&other) noexcept : eap::config_method_with_cred::config_method_with_cred(_Inout_ config_method_with_cred &&other) noexcept :
m_use_cred (std::move(other.m_use_cred)), m_use_cred (std::move(other.m_use_cred )),
m_cred (std::move(other.m_cred )), m_cred (std::move(other.m_cred )),
config_method(std::move(other )) m_anonymous_identity(std::move(other.m_anonymous_identity)),
config_method (std::move(other ))
{ {
} }
@ -245,6 +247,7 @@ eap::config_method_with_cred& eap::config_method_with_cred::operator=(_In_ const
(config_method&)*this = other; (config_method&)*this = other;
m_use_cred = other.m_use_cred; m_use_cred = other.m_use_cred;
m_cred.reset(other.m_cred ? dynamic_cast<credentials*>(other.m_cred->clone()) : nullptr); m_cred.reset(other.m_cred ? dynamic_cast<credentials*>(other.m_cred->clone()) : nullptr);
m_anonymous_identity = other.m_anonymous_identity;
} }
return *this; return *this;
@ -255,8 +258,9 @@ eap::config_method_with_cred& eap::config_method_with_cred::operator=(_Inout_ co
{ {
if (this != &other) { if (this != &other) {
(config_method&)*this = std::move(other ); (config_method&)*this = std::move(other );
m_use_cred = std::move(other.m_use_cred); m_use_cred = std::move(other.m_use_cred );
m_cred = std::move(other.m_cred ); m_cred = std::move(other.m_cred );
m_anonymous_identity = std::move(other.m_anonymous_identity);
} }
return *this; return *this;
@ -272,14 +276,18 @@ void eap::config_method_with_cred::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOM
HRESULT hr; HRESULT hr;
if (m_use_cred) {
// <ClientSideCredential> // <ClientSideCredential>
winstd::com_obj<IXMLDOMElement> pXmlElClientSideCredential; com_obj<IXMLDOMElement> pXmlElClientSideCredential;
if (FAILED(hr = eapxml::create_element(pDoc, pConfigRoot, winstd::bstr(L"eap-metadata:ClientSideCredential"), winstd::bstr(L"ClientSideCredential"), namespace_eapmetadata, pXmlElClientSideCredential))) if (FAILED(hr = eapxml::create_element(pDoc, pConfigRoot, bstr(L"eap-metadata:ClientSideCredential"), bstr(L"ClientSideCredential"), namespace_eapmetadata, pXmlElClientSideCredential)))
throw com_runtime_error(hr, __FUNCTION__ " Error creating <ClientSideCredential> element."); throw com_runtime_error(hr, __FUNCTION__ " Error creating <ClientSideCredential> element.");
if (m_use_cred)
m_cred->save(pDoc, pXmlElClientSideCredential); m_cred->save(pDoc, pXmlElClientSideCredential);
}
// <ClientSideCredential>/<AnonymousIdentity>
if (!m_anonymous_identity.empty())
if (FAILED(hr = eapxml::put_element_value(pDoc, pXmlElClientSideCredential, bstr(L"AnonymousIdentity"), namespace_eapmetadata, bstr(m_anonymous_identity))))
throw com_runtime_error(hr, __FUNCTION__ " Error creating <AnonymousIdentity> element.");
} }
@ -291,11 +299,12 @@ void eap::config_method_with_cred::load(_In_ IXMLDOMNode *pConfigRoot)
m_use_cred = false; m_use_cred = false;
m_cred->clear(); m_cred->clear();
m_anonymous_identity.clear();
// <ClientSideCredential> // <ClientSideCredential>
winstd::com_obj<IXMLDOMElement> pXmlElClientSideCredential; com_obj<IXMLDOMElement> pXmlElClientSideCredential;
if (SUCCEEDED(eapxml::select_element(pConfigRoot, winstd::bstr(L"eap-metadata:ClientSideCredential"), pXmlElClientSideCredential))) { if (SUCCEEDED(eapxml::select_element(pConfigRoot, bstr(L"eap-metadata:ClientSideCredential"), pXmlElClientSideCredential))) {
std::wstring xpath(eapxml::get_xpath(pXmlElClientSideCredential)); wstring xpath(eapxml::get_xpath(pXmlElClientSideCredential));
try { try {
m_cred->load(pXmlElClientSideCredential); m_cred->load(pXmlElClientSideCredential);
@ -303,6 +312,10 @@ void eap::config_method_with_cred::load(_In_ IXMLDOMNode *pConfigRoot)
} catch (...) { } catch (...) {
// This is not really an error - merely an indication configured credentials are unavailable. // This is not really an error - merely an indication configured credentials are unavailable.
} }
// <AnonymousIdentity>
eapxml::get_element_value(pXmlElClientSideCredential, bstr(L"eap-metadata:AnonymousIdentity"), m_anonymous_identity);
m_module.log_config((xpath + L"/AnonymousIdentity").c_str(), m_anonymous_identity.c_str());
} }
} }
@ -312,6 +325,7 @@ void eap::config_method_with_cred::operator<<(_Inout_ cursor_out &cursor) const
config_method::operator<<(cursor); config_method::operator<<(cursor);
cursor << m_use_cred; cursor << m_use_cred;
cursor << *m_cred; cursor << *m_cred;
cursor << m_anonymous_identity;
} }
@ -319,8 +333,9 @@ size_t eap::config_method_with_cred::get_pk_size() const
{ {
return return
config_method::get_pk_size() + config_method::get_pk_size() +
pksizeof(m_use_cred) + pksizeof(m_use_cred ) +
pksizeof(*m_cred ); pksizeof(*m_cred ) +
pksizeof(m_anonymous_identity);
} }
@ -329,6 +344,25 @@ void eap::config_method_with_cred::operator>>(_Inout_ cursor_in &cursor)
config_method::operator>>(cursor); config_method::operator>>(cursor);
cursor >> m_use_cred; cursor >> m_use_cred;
cursor >> *m_cred; cursor >> *m_cred;
cursor >> m_anonymous_identity;
}
wstring eap::config_method_with_cred::get_public_identity(const credentials &cred) const
{
if (m_anonymous_identity.empty()) {
// Use the true identity.
return cred.get_identity();
} else if (m_anonymous_identity.compare(L"@") == 0) {
// Strip username part from identity.
wstring identity(std::move(cred.get_identity()));
auto offset = identity.find(L'@');
if (offset != wstring::npos) identity.erase(0, offset);
return identity;
} else {
// Use configured identity.
return m_anonymous_identity;
}
} }

6
lib/TTLS/include/Config.h
View File

@ -140,14 +140,8 @@ namespace eap
/// ///
config_method* make_config_method(_In_ const wchar_t *eap_type) const; config_method* make_config_method(_In_ const wchar_t *eap_type) const;
///
/// Generates public identity using current configuration and given credentials
///
std::wstring get_public_identity(const credentials_ttls &cred) const;
public: public:
std::unique_ptr<config_method> m_inner; ///< Inner authentication configuration std::unique_ptr<config_method> m_inner; ///< Inner authentication configuration
std::wstring m_anonymous_identity; ///< Anonymous identity
}; };
/// @} /// @}

53
lib/TTLS/src/Config.cpp
View File

@ -39,7 +39,6 @@ eap::config_method_ttls::config_method_ttls(_In_ module &mod, _In_ unsigned int
eap::config_method_ttls::config_method_ttls(const _In_ config_method_ttls &other) : eap::config_method_ttls::config_method_ttls(const _In_ config_method_ttls &other) :
m_inner(other.m_inner ? dynamic_cast<config_method*>(other.m_inner->clone()) : nullptr), m_inner(other.m_inner ? dynamic_cast<config_method*>(other.m_inner->clone()) : nullptr),
m_anonymous_identity(other.m_anonymous_identity),
config_method_tls(other) config_method_tls(other)
{ {
} }
@ -47,7 +46,6 @@ eap::config_method_ttls::config_method_ttls(const _In_ config_method_ttls &other
eap::config_method_ttls::config_method_ttls(_Inout_ config_method_ttls &&other) noexcept : eap::config_method_ttls::config_method_ttls(_Inout_ config_method_ttls &&other) noexcept :
m_inner(std::move(other.m_inner)), m_inner(std::move(other.m_inner)),
m_anonymous_identity(std::move(other.m_anonymous_identity)),
config_method_tls(std::move(other)) config_method_tls(std::move(other))
{ {
} }
@ -58,7 +56,6 @@ eap::config_method_ttls& eap::config_method_ttls::operator=(const _In_ config_me
if (this != &other) { if (this != &other) {
(config_method_tls&)*this = other; (config_method_tls&)*this = other;
m_inner.reset(other.m_inner ? dynamic_cast<config_method*>(other.m_inner->clone()) : nullptr); m_inner.reset(other.m_inner ? dynamic_cast<config_method*>(other.m_inner->clone()) : nullptr);
m_anonymous_identity = other.m_anonymous_identity;
} }
return *this; return *this;
@ -70,7 +67,6 @@ eap::config_method_ttls& eap::config_method_ttls::operator=(_Inout_ config_metho
if (this != &other) { if (this != &other) {
(config_method_tls&&)*this = std::move(other); (config_method_tls&&)*this = std::move(other);
m_inner = std::move(other.m_inner); m_inner = std::move(other.m_inner);
m_anonymous_identity = std::move(other.m_anonymous_identity);
} }
return *this; return *this;
@ -92,18 +88,6 @@ void eap::config_method_ttls::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNode
HRESULT hr; HRESULT hr;
{
// <ClientSideCredential>
com_obj<IXMLDOMElement> pXmlElClientSideCredential;
if (FAILED(hr = eapxml::create_element(pDoc, pConfigRoot, bstr(L"eap-metadata:ClientSideCredential"), bstr(L"ClientSideCredential"), namespace_eapmetadata, pXmlElClientSideCredential)))
throw com_runtime_error(hr, __FUNCTION__ " Error creating <ClientSideCredential> element.");
// <ClientSideCredential>/<AnonymousIdentity>
if (!m_anonymous_identity.empty())
if (FAILED(hr = eapxml::put_element_value(pDoc, pXmlElClientSideCredential, bstr(L"AnonymousIdentity"), namespace_eapmetadata, bstr(m_anonymous_identity))))
throw com_runtime_error(hr, __FUNCTION__ " Error creating <AnonymousIdentity> element.");
}
// <InnerAuthenticationMethod> // <InnerAuthenticationMethod>
com_obj<IXMLDOMElement> pXmlElInnerAuthenticationMethod; com_obj<IXMLDOMElement> pXmlElInnerAuthenticationMethod;
if (FAILED(hr = eapxml::create_element(pDoc, pConfigRoot, bstr(L"eap-metadata:InnerAuthenticationMethod"), bstr(L"InnerAuthenticationMethod"), namespace_eapmetadata, pXmlElInnerAuthenticationMethod))) if (FAILED(hr = eapxml::create_element(pDoc, pConfigRoot, bstr(L"eap-metadata:InnerAuthenticationMethod"), bstr(L"InnerAuthenticationMethod"), namespace_eapmetadata, pXmlElInnerAuthenticationMethod)))
@ -178,20 +162,6 @@ void eap::config_method_ttls::load(_In_ IXMLDOMNode *pConfigRoot)
std::wstring xpath(eapxml::get_xpath(pConfigRoot)); std::wstring xpath(eapxml::get_xpath(pConfigRoot));
m_anonymous_identity.clear();
{
// <ClientSideCredential>
com_obj<IXMLDOMElement> pXmlElClientSideCredential;
if (SUCCEEDED(eapxml::select_element(pConfigRoot, bstr(L"eap-metadata:ClientSideCredential"), pXmlElClientSideCredential))) {
wstring xpathClientSideCredential(xpath + L"/ClientSideCredential");
// <AnonymousIdentity>
eapxml::get_element_value(pXmlElClientSideCredential, bstr(L"eap-metadata:AnonymousIdentity"), m_anonymous_identity);
m_module.log_config((xpathClientSideCredential + L"/AnonymousIdentity").c_str(), m_anonymous_identity.c_str());
}
}
// <InnerAuthenticationMethod> // <InnerAuthenticationMethod>
com_obj<IXMLDOMElement> pXmlElInnerAuthenticationMethod; com_obj<IXMLDOMElement> pXmlElInnerAuthenticationMethod;
if (FAILED(hr = eapxml::select_element(pConfigRoot, bstr(L"eap-metadata:InnerAuthenticationMethod"), pXmlElInnerAuthenticationMethod))) if (FAILED(hr = eapxml::select_element(pConfigRoot, bstr(L"eap-metadata:InnerAuthenticationMethod"), pXmlElInnerAuthenticationMethod)))
@ -220,7 +190,6 @@ void eap::config_method_ttls::operator<<(_Inout_ cursor_out &cursor) const
config_method_tls::operator<<(cursor); config_method_tls::operator<<(cursor);
cursor << m_inner->get_method_id(); cursor << m_inner->get_method_id();
cursor << *m_inner; cursor << *m_inner;
cursor << m_anonymous_identity;
} }
@ -229,8 +198,7 @@ size_t eap::config_method_ttls::get_pk_size() const
return return
config_method_tls::get_pk_size() + config_method_tls::get_pk_size() +
pksizeof(m_inner->get_method_id()) + pksizeof(m_inner->get_method_id()) +
pksizeof(*m_inner) + pksizeof(*m_inner);
pksizeof(m_anonymous_identity);
} }
@ -242,7 +210,6 @@ void eap::config_method_ttls::operator>>(_Inout_ cursor_in &cursor)
cursor >> eap_type; cursor >> eap_type;
m_inner.reset(make_config_method(eap_type)); m_inner.reset(make_config_method(eap_type));
cursor >> *m_inner; cursor >> *m_inner;
cursor >> m_anonymous_identity;
} }
@ -293,21 +260,3 @@ eap::config_method* eap::config_method_ttls::make_config_method(_In_ const wchar
#endif #endif
else throw invalid_argument(string_printf(__FUNCTION__ " Unsupported inner authentication method (%ls).", eap_type)); else throw invalid_argument(string_printf(__FUNCTION__ " Unsupported inner authentication method (%ls).", eap_type));
} }
wstring eap::config_method_ttls::get_public_identity(const credentials_ttls &cred) const
{
if (m_anonymous_identity.empty()) {
// Use the true identity.
return cred.get_identity();
} else if (m_anonymous_identity.compare(L"@") == 0) {
// Strip username part from identity.
wstring identity(std::move(cred.get_identity()));
auto offset = identity.find(L'@');
if (offset != wstring::npos) identity.erase(0, offset);
return identity;
} else {
// Use configured identity.
return m_anonymous_identity;
}
}

2
lib/TTLS_UI/src/Module.cpp
View File

@ -396,7 +396,7 @@ void eap::peer_ttls_ui::invoke_identity_ui(
} }
// Build our identity. ;) // Build our identity. ;)
wstring identity(std::move(cfg_method->get_public_identity(*dynamic_cast<const credentials_ttls*>(cred_out.m_cred.get())))); wstring identity(std::move(cfg_method->get_public_identity(*cred_out.m_cred.get())));
log_event(&EAPMETHOD_TRACE_EVT_CRED_OUTER_ID1, event_data((unsigned int)eap_type_t::ttls), event_data(identity), event_data::blank); log_event(&EAPMETHOD_TRACE_EVT_CRED_OUTER_ID1, event_data((unsigned int)eap_type_t::ttls), event_data(identity), event_data::blank);
size_t size = sizeof(WCHAR)*(identity.length() + 1); size_t size = sizeof(WCHAR)*(identity.length() + 1);
*ppwszIdentity = (WCHAR*)alloc_memory(size); *ppwszIdentity = (WCHAR*)alloc_memory(size);