"Last Authentication Failed" flag extended to support finer feedback, why last authentication failed

lib/EAPBase/src/Config.cpp

@@ -142,18 +142,19 @@ eap::config_method& eap::config_method::operator=(_Inout_ config_method &&other)
 eap::config_method_with_cred::config_method_with_cred(_In_ module &mod) :
     m_allow_save(true),
     m_use_preshared(false),
-    m_auth_failed(false),
+    m_last_status(status_success),
     config_method(mod)
 {
 }
 
 
 eap::config_method_with_cred::config_method_with_cred(_In_ const config_method_with_cred &other) :
-    m_allow_save(other.m_allow_save),
-    m_use_preshared(other.m_use_preshared),
-    m_preshared(other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr),
-    m_auth_failed(other.m_auth_failed),
-    config_method(other)
+    m_allow_save   (other.m_allow_save                                                    ),
+    m_use_preshared(other.m_use_preshared                                                 ),
+    m_preshared    (other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr),
+    m_last_status  (other.m_last_status                                                   ),
+    m_last_msg     (other.m_last_msg                                                      ),
+    config_method  (other                                                                 )
 {
 }
 
@@ -162,7 +163,8 @@ eap::config_method_with_cred::config_method_with_cred(_Inout_ config_method_with
     m_allow_save   (std::move(other.m_allow_save   )),
     m_use_preshared(std::move(other.m_use_preshared)),
     m_preshared    (std::move(other.m_preshared    )),
-    m_auth_failed  (std::move(other.m_auth_failed  )),
+    m_last_status  (std::move(other.m_last_status  )),
+    m_last_msg     (std::move(other.m_last_msg     )),
     config_method  (std::move(other                ))
 {
 }
@@ -175,7 +177,8 @@ eap::config_method_with_cred& eap::config_method_with_cred::operator=(_In_ const
         m_allow_save          = other.m_allow_save;
         m_use_preshared       = other.m_use_preshared;
         m_preshared.reset(other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr);
-        m_auth_failed         = other.m_auth_failed;
+        m_last_status         = other.m_last_status;
+        m_last_msg            = other.m_last_msg;
     }
 
     return *this;
@@ -189,7 +192,8 @@ eap::config_method_with_cred& eap::config_method_with_cred::operator=(_Inout_ co
         m_allow_save          = std::move(other.m_allow_save   );
         m_use_preshared       = std::move(other.m_use_preshared);
         m_preshared           = std::move(other.m_preshared    );
-        m_auth_failed         = std::move(other.m_auth_failed  );
+        m_last_status         = std::move(other.m_last_status  );
+        m_last_msg            = std::move(other.m_last_msg     );
     }
 
     return *this;
@@ -241,6 +245,9 @@ void eap::config_method_with_cred::load(_In_ IXMLDOMNode *pConfigRoot)
             // This is not really an error - merely an indication pre-shared credentials are unavailable.
         }
     }
+
+    m_last_status = status_success;
+    m_last_msg.clear();
 }
 
 
@@ -250,7 +257,8 @@ void eap::config_method_with_cred::operator<<(_Inout_ cursor_out &cursor) const
     cursor << m_allow_save;
     cursor << m_use_preshared;
     cursor << *m_preshared;
-    cursor << m_auth_failed;
+    cursor << m_last_status;
+    cursor << m_last_msg;
 }
 
 
@@ -261,7 +269,8 @@ size_t eap::config_method_with_cred::get_pk_size() const
         pksizeof(m_allow_save   ) +
         pksizeof(m_use_preshared) +
         pksizeof(*m_preshared   ) +
-        pksizeof(m_auth_failed  );
+        pksizeof(m_last_status  ) +
+        pksizeof(m_last_msg     );
 }
 
 
@@ -271,7 +280,8 @@ void eap::config_method_with_cred::operator>>(_Inout_ cursor_in &cursor)
     cursor >> m_allow_save;
     cursor >> m_use_preshared;
     cursor >> *m_preshared;
-    cursor >> m_auth_failed;
+    cursor >> m_last_status;
+    cursor >> m_last_msg;
 }
 
 

lib/EAPBase/src/Method.cpp

@@ -68,6 +68,11 @@ void eap::method::begin_session(
     UNREFERENCED_PARAMETER(pAttributeArray);
     UNREFERENCED_PARAMETER(hTokenImpersonateUser);
     UNREFERENCED_PARAMETER(dwMaxSendPacketSize);
+
+    // Presume authentication will fail with generic protocol failure. (Pesimist!!!)
+    // We will reset once we get get_result(Success) call.
+    m_cfg.m_last_status = config_method_with_cred::status_auth_failed;
+    m_cfg.m_last_msg.clear();
 }
 
 
@@ -76,6 +81,34 @@ void eap::method::end_session()
 }
 
 
+void eap::method::get_result(
+    _In_    EapPeerMethodResultReason reason,
+    _Inout_ EapPeerMethodResult       *ppResult)
+{
+    assert(ppResult);
+
+    switch (reason) {
+    case EapPeerMethodResultSuccess: {
+        m_module.log_event(&EAPMETHOD_METHOD_SUCCESS, event_data((unsigned int)m_cfg.get_method_id()), event_data::blank);
+        m_cfg.m_last_status  = config_method_with_cred::status_success;
+        break;
+    }
+
+    case EapPeerMethodResultFailure:
+        m_module.log_event(&EAPMETHOD_METHOD_FAILURE_ERROR2, event_data((unsigned int)m_cfg.get_method_id()), event_data((unsigned int)m_cfg.m_last_status), event_data::blank);
+        break;
+
+    default:
+        throw win_runtime_error(ERROR_NOT_SUPPORTED, __FUNCTION__ " Not supported.");
+    }
+
+    // Always ask EAP host to save the connection data. And it will save it *only* when we report "success".
+    // Don't worry. EapHost is well aware of failed authentication condition.
+    ppResult->fSaveConnectionData = TRUE;
+    ppResult->fIsSuccess          = TRUE;
+}
+
+
 //////////////////////////////////////////////////////////////////////
 // eap::method_noneap
 //////////////////////////////////////////////////////////////////////