Amebis/GEANTLink
Amebis/GEANTLink
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 50 Wiki Activity

"Last Authentication Failed" flag extended to support finer feedback, why last authentication failed

Browse Source
This commit is contained in:
Simon Rozman 2016-09-06 14:10:02 +02:00
parent b7ed9d076f
commit c765954c0f
15 changed files with 149 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
EAPMethods/locale/EAPMethods.pot
View File

@ -2,7 +2,7 @@
msgid "" msgid ""
msgstr "" msgstr ""
"Project-Id-Version: EAPMethods\n" "Project-Id-Version: EAPMethods\n"
"POT-Creation-Date: 2016-09-02 19:08+0200\n" "POT-Creation-Date: 2016-09-06 14:06+0200\n"
"PO-Revision-Date: 2016-06-02 12:27+0200\n" "PO-Revision-Date: 2016-06-02 12:27+0200\n"
"Last-Translator: Simon Rozman <simon.rozman@amebis.si>\n" "Last-Translator: Simon Rozman <simon.rozman@amebis.si>\n"
"Language-Team: Amebis, d. o. o., Kamnik <info@amebis.si>\n" "Language-Team: Amebis, d. o. o., Kamnik <info@amebis.si>\n"
@ -253,8 +253,24 @@ msgstr ""
msgid "Your provider" msgid "Your provider"
msgstr "" msgstr ""
#: lib/EAPBase_UI/src/EAP_UI.cpp:249 #: lib/EAPBase_UI/src/EAP_UI.cpp:250
msgid "Previous attempt to connect failed. Please, make sure your credentials are correct, or try again later." msgid "Previous attempt to connect reported invalid credentials."
msgstr ""
#: lib/EAPBase_UI/src/EAP_UI.cpp:251
msgid "Previous attempt to connect reported your credentials expired."
msgstr ""
#: lib/EAPBase_UI/src/EAP_UI.cpp:252
msgid "Previous attempt to connect reported your credentials are being changed."
msgstr ""
#: lib/EAPBase_UI/src/EAP_UI.cpp:253
msgid "Previous attempt to connect failed."
msgstr ""
#: lib/EAPBase_UI/src/EAP_UI.cpp:254
msgid "Please, make sure your credentials are correct, or try again later."
msgstr "" msgstr ""
#: lib/TLS_UI/res/wxTLS_UI.cpp:17 #: lib/TLS_UI/res/wxTLS_UI.cpp:17
@ -454,7 +470,7 @@ msgstr ""
msgid "MSCHAPv2" msgid "MSCHAPv2"
msgstr "" msgstr ""
#: lib/TTLS_UI/src/TTLS_UI.cpp:123 lib/TTLS_UI/src/TTLS_UI.cpp:256 #: lib/TTLS_UI/src/TTLS_UI.cpp:123 lib/TTLS_UI/src/TTLS_UI.cpp:262
msgid "Outer Authentication" msgid "Outer Authentication"
msgstr "" msgstr ""
@ -476,24 +492,24 @@ msgstr ""
msgid "Deleting credentials failed (error %u)." msgid "Deleting credentials failed (error %u)."
msgstr "" msgstr ""
#: lib/EAPBase_UI/include/EAP_UI.h:738 #: lib/EAPBase_UI/include/EAP_UI.h:739
#, c-format #, c-format
msgid "<error %u>" msgid "<error %u>"
msgstr "" msgstr ""
#: lib/EAPBase_UI/include/EAP_UI.h:742 #: lib/EAPBase_UI/include/EAP_UI.h:743
msgid "<error>" msgid "<error>"
msgstr "" msgstr ""
#: lib/EAPBase_UI/include/EAP_UI.h:753 lib/EAPBase_UI/include/EAP_UI.h:762 #: lib/EAPBase_UI/include/EAP_UI.h:754 lib/EAPBase_UI/include/EAP_UI.h:764
msgid "<empty>" msgid "<empty>"
msgstr "" msgstr ""
#: lib/EAPBase_UI/include/EAP_UI.h:753 lib/EAPBase_UI/include/EAP_UI.h:762 #: lib/EAPBase_UI/include/EAP_UI.h:754 lib/EAPBase_UI/include/EAP_UI.h:764
msgid "<blank ID>" msgid "<blank ID>"
msgstr "" msgstr ""
#: lib/EAPBase_UI/include/EAP_UI.h:962 #: lib/EAPBase_UI/include/EAP_UI.h:964
msgid "<Your Organization>" msgid "<Your Organization>"
msgstr "" msgstr ""

41
lib/EAPBase/include/Config.h
View File

@ -352,10 +352,25 @@ namespace eap
virtual credentials* make_credentials() const = 0; virtual credentials* make_credentials() const = 0;
public: public:
bool m_allow_save; ///< Are credentials allowed to be saved to Windows Credential Manager? bool m_allow_save; ///< Are credentials allowed to be saved to Windows Credential Manager?
bool m_use_preshared; ///< Use pre-shared credentials bool m_use_preshared; ///< Use pre-shared credentials
std::unique_ptr<credentials> m_preshared; ///< Pre-shared credentials std::unique_ptr<credentials> m_preshared; ///< Pre-shared credentials
bool m_auth_failed; ///< Did credential fail last time?
enum status {
status_success = 0, ///< Authentication succeeded
status_auth_failed, ///< Authentication failed
status_cred_invalid, ///< Invalid credentials
status_cred_expired, ///< Credentials expired
status_cred_changing, ///< Credentials are being changed
status_account_disabled, ///< Account is disabled
status_account_logon_hours, ///< Restricted account logon hours
status_account_denied, ///< Account access is denied
// Meta statuses
status_cred_begin = status_cred_invalid, ///< First credential related problem
status_cred_end = status_cred_changing + 1, ///< First problem, that is not credential related any more
} m_last_status; ///< Status of authentication the last time
std::wstring m_last_msg; ///< Server message at the last authentication
}; };
@ -604,3 +619,21 @@ inline void operator>>(_Inout_ eap::cursor_in &cursor, _Out_ eap::config &val)
{ {
val.operator>>(cursor); val.operator>>(cursor);
} }
inline void operator<<(_Inout_ eap::cursor_out &cursor, _In_ const eap::config_method_with_cred::status &val)
{
cursor << (unsigned char)val;
}
inline size_t pksizeof(_In_ const eap::config_method_with_cred::status &val)
{
return pksizeof((unsigned char)val);
}
inline void operator>>(_Inout_ eap::cursor_in &cursor, _Out_ eap::config_method_with_cred::status &val)
{
cursor >> (unsigned char&)val;
}

2
lib/EAPBase/include/Method.h
View File

@ -124,7 +124,7 @@ namespace eap
/// ///
virtual void get_result( virtual void get_result(
_In_ EapPeerMethodResultReason reason, _In_ EapPeerMethodResultReason reason,
_Inout_ EapPeerMethodResult *ppResult) = 0; _Inout_ EapPeerMethodResult *ppResult);
/// @} /// @}

34
lib/EAPBase/src/Config.cpp
View File

@ -142,18 +142,19 @@ eap::config_method& eap::config_method::operator=(_Inout_ config_method &&other)
eap::config_method_with_cred::config_method_with_cred(_In_ module &mod) : eap::config_method_with_cred::config_method_with_cred(_In_ module &mod) :
m_allow_save(true), m_allow_save(true),
m_use_preshared(false), m_use_preshared(false),
m_auth_failed(false), m_last_status(status_success),
config_method(mod) config_method(mod)
{ {
} }
eap::config_method_with_cred::config_method_with_cred(_In_ const config_method_with_cred &other) : eap::config_method_with_cred::config_method_with_cred(_In_ const config_method_with_cred &other) :
m_allow_save(other.m_allow_save), m_allow_save (other.m_allow_save ),
m_use_preshared(other.m_use_preshared), m_use_preshared(other.m_use_preshared ),
m_preshared(other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr), m_preshared (other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr),
m_auth_failed(other.m_auth_failed), m_last_status (other.m_last_status ),
config_method(other) m_last_msg (other.m_last_msg ),
config_method (other )
{ {
} }
@ -162,7 +163,8 @@ eap::config_method_with_cred::config_method_with_cred(_Inout_ config_method_with
m_allow_save (std::move(other.m_allow_save )), m_allow_save (std::move(other.m_allow_save )),
m_use_preshared(std::move(other.m_use_preshared)), m_use_preshared(std::move(other.m_use_preshared)),
m_preshared (std::move(other.m_preshared )), m_preshared (std::move(other.m_preshared )),
m_auth_failed (std::move(other.m_auth_failed )), m_last_status (std::move(other.m_last_status )),
m_last_msg (std::move(other.m_last_msg )),
config_method (std::move(other )) config_method (std::move(other ))
{ {
} }
@ -175,7 +177,8 @@ eap::config_method_with_cred& eap::config_method_with_cred::operator=(_In_ const
m_allow_save = other.m_allow_save; m_allow_save = other.m_allow_save;
m_use_preshared = other.m_use_preshared; m_use_preshared = other.m_use_preshared;
m_preshared.reset(other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr); m_preshared.reset(other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr);
m_auth_failed = other.m_auth_failed; m_last_status = other.m_last_status;
m_last_msg = other.m_last_msg;
} }
return *this; return *this;
@ -189,7 +192,8 @@ eap::config_method_with_cred& eap::config_method_with_cred::operator=(_Inout_ co
m_allow_save = std::move(other.m_allow_save ); m_allow_save = std::move(other.m_allow_save );
m_use_preshared = std::move(other.m_use_preshared); m_use_preshared = std::move(other.m_use_preshared);
m_preshared = std::move(other.m_preshared ); m_preshared = std::move(other.m_preshared );
m_auth_failed = std::move(other.m_auth_failed ); m_last_status = std::move(other.m_last_status );
m_last_msg = std::move(other.m_last_msg );
} }
return *this; return *this;
@ -241,6 +245,9 @@ void eap::config_method_with_cred::load(_In_ IXMLDOMNode *pConfigRoot)
// This is not really an error - merely an indication pre-shared credentials are unavailable. // This is not really an error - merely an indication pre-shared credentials are unavailable.
} }
} }
m_last_status = status_success;
m_last_msg.clear();
} }
@ -250,7 +257,8 @@ void eap::config_method_with_cred::operator<<(_Inout_ cursor_out &cursor) const
cursor << m_allow_save; cursor << m_allow_save;
cursor << m_use_preshared; cursor << m_use_preshared;
cursor << *m_preshared; cursor << *m_preshared;
cursor << m_auth_failed; cursor << m_last_status;
cursor << m_last_msg;
} }
@ -261,7 +269,8 @@ size_t eap::config_method_with_cred::get_pk_size() const
pksizeof(m_allow_save ) + pksizeof(m_allow_save ) +
pksizeof(m_use_preshared) + pksizeof(m_use_preshared) +
pksizeof(*m_preshared ) + pksizeof(*m_preshared ) +
pksizeof(m_auth_failed ); pksizeof(m_last_status ) +
pksizeof(m_last_msg );
} }
@ -271,7 +280,8 @@ void eap::config_method_with_cred::operator>>(_Inout_ cursor_in &cursor)
cursor >> m_allow_save; cursor >> m_allow_save;
cursor >> m_use_preshared; cursor >> m_use_preshared;
cursor >> *m_preshared; cursor >> *m_preshared;
cursor >> m_auth_failed; cursor >> m_last_status;
cursor >> m_last_msg;
} }

33
lib/EAPBase/src/Method.cpp
View File

@ -68,6 +68,11 @@ void eap::method::begin_session(
UNREFERENCED_PARAMETER(pAttributeArray); UNREFERENCED_PARAMETER(pAttributeArray);
UNREFERENCED_PARAMETER(hTokenImpersonateUser); UNREFERENCED_PARAMETER(hTokenImpersonateUser);
UNREFERENCED_PARAMETER(dwMaxSendPacketSize); UNREFERENCED_PARAMETER(dwMaxSendPacketSize);
// Presume authentication will fail with generic protocol failure. (Pesimist!!!)
// We will reset once we get get_result(Success) call.
m_cfg.m_last_status = config_method_with_cred::status_auth_failed;
m_cfg.m_last_msg.clear();
} }
@ -76,6 +81,34 @@ void eap::method::end_session()
} }
void eap::method::get_result(
_In_ EapPeerMethodResultReason reason,
_Inout_ EapPeerMethodResult *ppResult)
{
assert(ppResult);
switch (reason) {
case EapPeerMethodResultSuccess: {
m_module.log_event(&EAPMETHOD_METHOD_SUCCESS, event_data((unsigned int)m_cfg.get_method_id()), event_data::blank);
m_cfg.m_last_status = config_method_with_cred::status_success;
break;
}
case EapPeerMethodResultFailure:
m_module.log_event(&EAPMETHOD_METHOD_FAILURE_ERROR2, event_data((unsigned int)m_cfg.get_method_id()), event_data((unsigned int)m_cfg.m_last_status), event_data::blank);
break;
default:
throw win_runtime_error(ERROR_NOT_SUPPORTED, __FUNCTION__ " Not supported.");
}
// Always ask EAP host to save the connection data. And it will save it *only* when we report "success".
// Don't worry. EapHost is well aware of failed authentication condition.
ppResult->fSaveConnectionData = TRUE;
ppResult->fIsSuccess = TRUE;
}
////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////
// eap::method_noneap // eap::method_noneap
////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////

2
lib/EAPBase_UI/include/EAP_UI.h
View File

@ -433,7 +433,7 @@ public:
/// ///
/// Constructs a notice pannel and set the title text /// Constructs a notice pannel and set the title text
/// ///
wxEAPCredentialWarningPanel(const eap::config_provider &prov, wxWindow* parent); wxEAPCredentialWarningPanel(const eap::config_provider &prov, eap::config_method_with_cred::status status, wxWindow* parent);
}; };

9
lib/EAPBase_UI/src/EAP_UI.cpp
View File

@ -239,14 +239,19 @@ wxEAPProviderLockedPanel::wxEAPProviderLockedPanel(const eap::config_provider &p
// wxEAPCredentialWarningPanel // wxEAPCredentialWarningPanel
////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////
wxEAPCredentialWarningPanel::wxEAPCredentialWarningPanel(const eap::config_provider &prov, wxWindow* parent) : wxEAPNotePanel(parent) wxEAPCredentialWarningPanel::wxEAPCredentialWarningPanel(const eap::config_provider &prov, eap::config_method_with_cred::status status, wxWindow* parent) : wxEAPNotePanel(parent)
{ {
// Load and set icon. // Load and set icon.
winstd::library lib_shell32; winstd::library lib_shell32;
if (lib_shell32.load(_T("shell32.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)) if (lib_shell32.load(_T("shell32.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
m_note_icon->SetIcon(wxLoadIconFromResource(lib_shell32, MAKEINTRESOURCE(161))); m_note_icon->SetIcon(wxLoadIconFromResource(lib_shell32, MAKEINTRESOURCE(161)));
m_note_label->SetLabel(_("Previous attempt to connect failed. Please, make sure your credentials are correct, or try again later.")); m_note_label->SetLabel((
status == eap::config_method_with_cred::status_cred_invalid ? _("Previous attempt to connect reported invalid credentials.") :
status == eap::config_method_with_cred::status_cred_expired ? _("Previous attempt to connect reported your credentials expired.") :
status == eap::config_method_with_cred::status_cred_changing ? _("Previous attempt to connect reported your credentials are being changed.") :
_("Previous attempt to connect failed.")) + " " +
_("Please, make sure your credentials are correct, or try again later."));
m_note_label->Wrap(449); m_note_label->Wrap(449);
CreateContactFields(prov); CreateContactFields(prov);

BIN
lib/Events/res/EventsETW.man
View File

Binary file not shown.

19
lib/PAP/include/Method.h
View File

@ -89,24 +89,15 @@ namespace eap
_In_ DWORD dwReceivedPacketSize, _In_ DWORD dwReceivedPacketSize,
_Inout_ EapPeerMethodOutput *pEapOutput); _Inout_ EapPeerMethodOutput *pEapOutput);
///
/// Obtains the result of an authentication session from the EAP method.
///
/// \sa [EapPeerGetResult function](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363611.aspx)
///
virtual void get_result(
_In_ EapPeerMethodResultReason reason,
_Inout_ EapPeerMethodResult *ppResult);
/// @} /// @}
protected: protected:
credentials_pap &m_cred; ///< EAP-TLS user credentials credentials_pap &m_cred; ///< EAP-TLS user credentials
enum { enum {
phase_unknown = -1, ///< Unknown phase phase_unknown = -1, ///< Unknown phase
phase_init = 0, ///< Handshake initialize phase_init = 0, ///< Handshake initialize
phase_finished, ///< Connection shut down phase_finished, ///< Connection shut down
} m_phase, m_phase_prev; ///< What phase is our communication at? } m_phase; ///< What phase is our communication at?
}; };
} }

38
lib/PAP/src/Method.cpp
View File

@ -31,7 +31,6 @@ using namespace winstd;
eap::method_pap::method_pap(_In_ module &module, _In_ config_method_pap &cfg, _In_ credentials_pap &cred) : eap::method_pap::method_pap(_In_ module &module, _In_ config_method_pap &cfg, _In_ credentials_pap &cred) :
m_cred(cred), m_cred(cred),
m_phase(phase_unknown), m_phase(phase_unknown),
m_phase_prev(phase_unknown),
method_noneap(module, cfg, cred) method_noneap(module, cfg, cred)
{ {
} }
@ -40,7 +39,6 @@ eap::method_pap::method_pap(_In_ module &module, _In_ config_method_pap &cfg, _I
eap::method_pap::method_pap(_Inout_ method_pap &&other) : eap::method_pap::method_pap(_Inout_ method_pap &&other) :
m_cred ( other.m_cred ), m_cred ( other.m_cred ),
m_phase (std::move(other.m_phase )), m_phase (std::move(other.m_phase )),
m_phase_prev (std::move(other.m_phase_prev)),
method_noneap(std::move(other )) method_noneap(std::move(other ))
{ {
} }
@ -52,7 +50,6 @@ eap::method_pap& eap::method_pap::operator=(_Inout_ method_pap &&other)
assert(std::addressof(m_cred) == std::addressof(other.m_cred)); // Move method with same credentials only! assert(std::addressof(m_cred) == std::addressof(other.m_cred)); // Move method with same credentials only!
(method_noneap&)*this = std::move(other ); (method_noneap&)*this = std::move(other );
m_phase = std::move(other.m_phase ); m_phase = std::move(other.m_phase );
m_phase_prev = std::move(other.m_phase_prev);
} }
return *this; return *this;
@ -82,7 +79,6 @@ void eap::method_pap::process_request_packet(
m_module.log_event(&EAPMETHOD_PACKET_RECV, event_data((unsigned int)eap_type_legacy_pap), event_data((unsigned int)dwReceivedPacketSize), event_data::blank); m_module.log_event(&EAPMETHOD_PACKET_RECV, event_data((unsigned int)eap_type_legacy_pap), event_data((unsigned int)dwReceivedPacketSize), event_data::blank);
m_phase_prev = m_phase;
switch (m_phase) { switch (m_phase) {
case phase_init: { case phase_init: {
// Convert username and password to UTF-8. // Convert username and password to UTF-8.
@ -101,6 +97,7 @@ void eap::method_pap::process_request_packet(
append_avp(2, diameter_avp_flag_mandatory, password_utf8.data(), (unsigned int)password_utf8.size()); append_avp(2, diameter_avp_flag_mandatory, password_utf8.data(), (unsigned int)password_utf8.size());
m_phase = phase_finished; m_phase = phase_finished;
m_cfg.m_last_status = config_method_with_cred::status_cred_invalid; // Blame credentials if we fail beyond this point.
break; break;
} }
@ -111,36 +108,3 @@ void eap::method_pap::process_request_packet(
pEapOutput->fAllowNotifications = TRUE; pEapOutput->fAllowNotifications = TRUE;
pEapOutput->action = EapPeerMethodResponseActionSend; pEapOutput->action = EapPeerMethodResponseActionSend;
} }
void eap::method_pap::get_result(
_In_ EapPeerMethodResultReason reason,
_Inout_ EapPeerMethodResult *ppResult)
{
assert(ppResult);
switch (reason) {
case EapPeerMethodResultSuccess: {
m_module.log_event(&EAPMETHOD_METHOD_SUCCESS, event_data((unsigned int)eap_type_legacy_pap), event_data::blank);
m_cfg.m_auth_failed = false;
break;
}
case EapPeerMethodResultFailure:
m_module.log_event(
m_phase_prev < phase_finished ? &EAPMETHOD_METHOD_FAILURE_INIT : &EAPMETHOD_METHOD_FAILURE,
event_data((unsigned int)eap_type_legacy_pap), event_data::blank);
// Mark credentials as failed, so GUI can re-prompt user.
// But be careful: do so only after credentials were actually tried.
m_cfg.m_auth_failed = m_phase_prev < phase_finished && m_phase >= phase_finished;
break;
default:
throw win_runtime_error(ERROR_NOT_SUPPORTED, __FUNCTION__ " Not supported.");
}
// Always ask EAP host to save the connection data.
ppResult->fSaveConnectionData = TRUE;
}

2
lib/TLS/include/Method.h
View File

@ -483,7 +483,7 @@ namespace eap
phase_handshake_cont, ///< Handshake continue phase_handshake_cont, ///< Handshake continue
phase_application_data, ///< Exchange application data phase_application_data, ///< Exchange application data
phase_shutdown, ///< Connection shut down phase_shutdown, ///< Connection shut down
} m_phase, m_phase_prev; ///< What phase is our communication at? } m_phase; ///< What phase is our communication at?
#endif #endif
}; };
} }

40
lib/TLS/src/Method.cpp
View File

@ -71,7 +71,6 @@ eap::method_tls::method_tls(_In_ module &module, _In_ config_method_tls &cfg, _I
m_seq_num_server(0), m_seq_num_server(0),
#else #else
m_phase(phase_unknown), m_phase(phase_unknown),
m_phase_prev(phase_unknown),
#endif #endif
method(module, cfg, cred) method(module, cfg, cred)
{ {
@ -121,7 +120,6 @@ eap::method_tls::method_tls(_Inout_ method_tls &&other) :
m_sc_queue (std::move(other.m_sc_queue )), m_sc_queue (std::move(other.m_sc_queue )),
m_sc_ctx (std::move(other.m_sc_ctx )), m_sc_ctx (std::move(other.m_sc_ctx )),
m_phase (std::move(other.m_phase )), m_phase (std::move(other.m_phase )),
m_phase_prev (std::move(other.m_phase_prev )),
#endif #endif
method (std::move(other )) method (std::move(other ))
{ {
@ -178,7 +176,6 @@ eap::method_tls& eap::method_tls::operator=(_Inout_ method_tls &&other)
m_sc_queue = std::move(other.m_sc_queue ); m_sc_queue = std::move(other.m_sc_queue );
m_sc_ctx = std::move(other.m_sc_ctx ); m_sc_ctx = std::move(other.m_sc_ctx );
m_phase = std::move(other.m_phase ); m_phase = std::move(other.m_phase );
m_phase_prev = std::move(other.m_phase_prev );
#endif #endif
} }
@ -446,6 +443,7 @@ void eap::method_tls::process_request_packet(
} else { } else {
m_session_resumed = false; m_session_resumed = false;
m_phase = phase_change_cipher_spec; m_phase = phase_change_cipher_spec;
m_cfg.m_last_status = config_method_with_cred::status_cred_invalid; // Blame credentials if we fail beyond this point.
} }
break; break;
} }
@ -473,7 +471,6 @@ void eap::method_tls::process_request_packet(
} else } else
m_sc_queue.insert(m_sc_queue.end(), m_packet_req.m_data.begin(), m_packet_req.m_data.end()); m_sc_queue.insert(m_sc_queue.end(), m_packet_req.m_data.begin(), m_packet_req.m_data.end());
m_phase_prev = m_phase;
switch (m_phase) { switch (m_phase) {
case phase_handshake_init: case phase_handshake_init:
case phase_handshake_cont: case phase_handshake_cont:
@ -511,10 +508,10 @@ void eap::method_tls::get_result(
{ {
assert(ppResult); assert(ppResult);
method::get_result(reason, ppResult);
switch (reason) { switch (reason) {
case EapPeerMethodResultSuccess: { case EapPeerMethodResultSuccess: {
m_module.log_event(&EAPMETHOD_METHOD_SUCCESS, event_data((unsigned int)eap_type_tls), event_data::blank);
// Derive MSK/EMSK for line encryption. // Derive MSK/EMSK for line encryption.
derive_msk(); derive_msk();
@ -527,9 +524,6 @@ void eap::method_tls::get_result(
m_eap_attr.push_back(std::move(a)); m_eap_attr.push_back(std::move(a));
m_eap_attr.push_back(eap_attr::blank); m_eap_attr.push_back(eap_attr::blank);
// Clear credentials as failed.
m_cfg.m_auth_failed = false;
#if EAP_TLS < EAP_TLS_SCHANNEL #if EAP_TLS < EAP_TLS_SCHANNEL
// Update configuration with session resumption data. // Update configuration with session resumption data.
m_cfg.m_session_id = m_session_id; m_cfg.m_session_id = m_session_id;
@ -567,39 +561,15 @@ void eap::method_tls::get_result(
case EapPeerMethodResultFailure: case EapPeerMethodResultFailure:
#if EAP_TLS < EAP_TLS_SCHANNEL #if EAP_TLS < EAP_TLS_SCHANNEL
m_module.log_event(
m_phase < phase_change_cipher_spec ? &EAPMETHOD_METHOD_FAILURE_INIT :
m_phase < phase_application_data ? &EAPMETHOD_METHOD_FAILURE_HANDSHAKE : &EAPMETHOD_METHOD_FAILURE,
event_data((unsigned int)eap_type_tls), event_data::blank);
// Mark credentials as failed, so GUI can re-prompt user.
// But be careful: do so only if this happened after transition from handshake to application data phase.
m_cfg.m_auth_failed = m_phase_prev < phase_application_data && m_phase >= phase_application_data;
// Clear session resumption data. // Clear session resumption data.
m_cfg.m_session_id.clear(); m_cfg.m_session_id.clear();
m_cfg.m_master_secret.clear(); m_cfg.m_master_secret.clear();
#else #else
m_module.log_event(
m_phase_prev < phase_handshake_cont ? &EAPMETHOD_METHOD_FAILURE_INIT :
m_phase_prev < phase_application_data ? &EAPMETHOD_METHOD_FAILURE_HANDSHAKE : &EAPMETHOD_METHOD_FAILURE,
event_data((unsigned int)eap_type_tls), event_data::blank);
// Mark credentials as failed, so GUI can re-prompt user.
// But be careful: do so only if this happened after transition from handshake to application data phase.
m_cfg.m_auth_failed = m_phase_prev < phase_application_data && m_phase >= phase_application_data;
// TODO: Research how a Schannel session context can be cleared not to resume. // TODO: Research how a Schannel session context can be cleared not to resume.
#endif #endif
break; break;
default:
throw win_runtime_error(ERROR_NOT_SUPPORTED, __FUNCTION__ " Not supported.");
} }
// Always ask EAP host to save the connection data.
ppResult->fSaveConnectionData = TRUE;
} }
@ -1236,8 +1206,10 @@ void eap::method_tls::process_handshake()
m_phase = phase_application_data; m_phase = phase_application_data;
process_application_data(m_sc_queue.data(), m_sc_queue.size()); process_application_data(m_sc_queue.data(), m_sc_queue.size());
} else } else {
m_phase = phase_handshake_cont; m_phase = phase_handshake_cont;
m_cfg.m_last_status = config_method_with_cred::status_cred_invalid; // Blame credentials if we fail beyond this point.
}
} else if (status == SEC_E_INCOMPLETE_MESSAGE) { } else if (status == SEC_E_INCOMPLETE_MESSAGE) {
// Schannel neeeds more data. Send ACK packet to server to send more. // Schannel neeeds more data. Send ACK packet to server to send more.
} else if (FAILED(status)) { } else if (FAILED(status)) {

8
lib/TTLS/src/Method.cpp
View File

@ -130,10 +130,10 @@ void eap::method_ttls::get_result(
if (result.fSaveConnectionData) if (result.fSaveConnectionData)
ppResult->fSaveConnectionData = TRUE; ppResult->fSaveConnectionData = TRUE;
if (m_inner->m_cfg.m_auth_failed) { if (m_inner->m_cfg.m_last_status != config_method_with_cred::status_success) {
// Inner method admitted its credentials failed, so autentication must have proceeded to inner authentication already. // Inner method admitted problems, so autentication must have proceeded to inner authentication already.
// Therefore, outer credentials must have been OK. // Therefore, outer authentication must have been OK.
m_cfg.m_auth_failed = false; m_cfg.m_last_status = config_method_with_cred::status_success;
} }
} }
} }

4
lib/TTLS/src/Module.cpp
View File

@ -416,13 +416,13 @@ const eap::config_method_ttls* eap::peer_ttls::combine_credentials(
// If we got here, we have all credentials we need. But, wait! // If we got here, we have all credentials we need. But, wait!
if ((dwFlags & EAP_FLAG_MACHINE_AUTH) == 0) { if ((dwFlags & EAP_FLAG_MACHINE_AUTH) == 0) {
if (cfg_method->m_auth_failed) { if (config_method_with_cred::status_cred_begin <= cfg_method->m_last_status && cfg_method->m_last_status < config_method_with_cred::status_cred_end) {
// Outer: Credentials failed on last connection attempt. // Outer: Credentials failed on last connection attempt.
log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM1, event_data(target_name), event_data((unsigned int)eap_type_tls), event_data::blank); log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM1, event_data(target_name), event_data((unsigned int)eap_type_tls), event_data::blank);
continue; continue;
} }
if (cfg_method->m_inner->m_auth_failed) { if (config_method_with_cred::status_cred_begin <= cfg_method->m_inner->m_last_status && cfg_method->m_inner->m_last_status < config_method_with_cred::status_cred_end) {
// Inner: Credentials failed on last connection attempt. // Inner: Credentials failed on last connection attempt.
log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM1, event_data(target_name), event_data((unsigned int)cfg_method->m_inner->get_method_id()), event_data::blank); log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM1, event_data(target_name), event_data((unsigned int)cfg_method->m_inner->get_method_id()), event_data::blank);
continue; continue;

8
lib/TTLS_UI/src/TTLS_UI.cpp
View File

@ -239,8 +239,8 @@ wxTTLSCredentialsPanel::wxTTLSCredentialsPanel(const eap::config_provider &prov,
assert(m_cfg.m_inner); assert(m_cfg.m_inner);
if (m_cfg.m_inner->m_auth_failed) if (eap::config_method_with_cred::status_cred_begin <= m_cfg.m_inner->m_last_status && m_cfg.m_inner->m_last_status < eap::config_method_with_cred::status_cred_end)
sb_content->Add(new wxEAPCredentialWarningPanel(m_prov, this), 0, wxALL|wxEXPAND, 5); sb_content->Add(new wxEAPCredentialWarningPanel(m_prov, m_cfg.m_inner->m_last_status, this), 0, wxALL|wxEXPAND, 5);
const eap::config_method_pap *cfg_inner_pap = dynamic_cast<const eap::config_method_pap*>(m_cfg.m_inner.get()); const eap::config_method_pap *cfg_inner_pap = dynamic_cast<const eap::config_method_pap*>(m_cfg.m_inner.get());
if (cfg_inner_pap) { if (cfg_inner_pap) {
@ -258,8 +258,8 @@ wxTTLSCredentialsPanel::wxTTLSCredentialsPanel(const eap::config_provider &prov,
m_outer_title->SetForegroundColour( wxSystemSettings::GetColour( wxSYS_COLOUR_INACTIVECAPTION ) ); m_outer_title->SetForegroundColour( wxSystemSettings::GetColour( wxSYS_COLOUR_INACTIVECAPTION ) );
sb_content->Add(m_outer_title, 0, wxALL|wxALIGN_RIGHT, 5); sb_content->Add(m_outer_title, 0, wxALL|wxALIGN_RIGHT, 5);
if (m_cfg.m_auth_failed) if (eap::config_method_with_cred::status_cred_begin <= m_cfg.m_last_status && m_cfg.m_last_status < eap::config_method_with_cred::status_cred_end)
sb_content->Add(new wxEAPCredentialWarningPanel(m_prov, this), 0, wxALL|wxEXPAND, 5); sb_content->Add(new wxEAPCredentialWarningPanel(m_prov, m_cfg.m_last_status, this), 0, wxALL|wxEXPAND, 5);
m_outer_cred = new wxTLSCredentialsPanel(m_prov, (const eap::config_method_tls&)m_cfg, (eap::credentials_tls&)cred, this, is_config); m_outer_cred = new wxTLSCredentialsPanel(m_prov, (const eap::config_method_tls&)m_cfg, (eap::credentials_tls&)cred, this, is_config);
sb_content->Add(m_outer_cred, 0, wxALL|wxEXPAND, 5); sb_content->Add(m_outer_cred, 0, wxALL|wxEXPAND, 5);