TLS start packet processing logic made more robust
This commit is contained in:
parent
8f4c177d49
commit
ce9e636840
@ -211,8 +211,9 @@ namespace eap
|
|||||||
|
|
||||||
public:
|
public:
|
||||||
enum phase_t {
|
enum phase_t {
|
||||||
phase_client_hello = 0,
|
phase_unknown = -1,
|
||||||
phase_server_hello = 1,
|
phase_client_hello = 0,
|
||||||
|
phase_server_hello = 1,
|
||||||
} m_phase; ///< Session phase
|
} m_phase; ///< Session phase
|
||||||
|
|
||||||
struct packet
|
struct packet
|
||||||
@ -258,6 +259,11 @@ namespace eap
|
|||||||
/// \returns Reference to this object
|
/// \returns Reference to this object
|
||||||
///
|
///
|
||||||
packet& operator=(_Inout_ packet &&other);
|
packet& operator=(_Inout_ packet &&other);
|
||||||
|
|
||||||
|
///
|
||||||
|
/// Empty the packet
|
||||||
|
///
|
||||||
|
void clear();
|
||||||
}
|
}
|
||||||
m_packet_req, ///< Request packet
|
m_packet_req, ///< Request packet
|
||||||
m_packet_res; ///< Response packet
|
m_packet_res; ///< Response packet
|
||||||
|
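Review bot: The new `phase_unknown` enumerator and `clear()` carry none of the `///<` documentation the neighbouring members (`m_phase`, `m_packet_req`, `m_packet_res`) have, so the meaning of the -1 sentinel can only be recovered from the .cpp, where the constructor starts in it and only an EAP-TLS Start packet moves the session to `phase_client_hello`. Suggest `phase_unknown = -1, ///< Session not started (no EAP-TLS Start received yet)` and `phase_client_hello = 0, ///< EAP-TLS Start received, ClientHello to be sent`. The `clear()` comment could also say what it does, since the definition resets code, identifier and flags to zero and empties the data buffer: `/// Resets code, identifier and flags to zero and empties the data`. The `method_tls` class begins before and ends after this hunk.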
@ -29,7 +29,7 @@ using namespace winstd;
|
|||||||
//////////////////////////////////////////////////////////////////////
|
//////////////////////////////////////////////////////////////////////
|
||||||
|
|
||||||
eap::method_tls::method_tls(_In_ module &module, _In_ config_method_tls &cfg, _In_ credentials_tls &cred) :
|
eap::method_tls::method_tls(_In_ module &module, _In_ config_method_tls &cfg, _In_ credentials_tls &cred) :
|
||||||
m_phase(phase_client_hello),
|
m_phase(phase_unknown),
|
||||||
m_seq_num(0),
|
m_seq_num(0),
|
||||||
method(module, cfg, cred)
|
method(module, cfg, cred)
|
||||||
{
|
{
|
||||||
@ -120,23 +120,6 @@ bool eap::method_tls::begin_session(
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate client randomness.
|
|
||||||
m_random_client.time = (unsigned int)time(NULL);
|
|
||||||
if (!CryptGenRandom(m_cp, sizeof(m_random_client.data), m_random_client.data)) {
|
|
||||||
*ppEapError = m_module.make_error(GetLastError(), _T(__FUNCTION__) _T(" Error creating client randomness."));
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!m_hash_handshake_msgs_md5.create(m_cp, CALG_MD5, NULL, 0)) {
|
|
||||||
*ppEapError = m_module.make_error(GetLastError(), _T(__FUNCTION__) _T(" Error creating MD5 hashing object."));
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!m_hash_handshake_msgs_sha1.create(m_cp, CALG_SHA1, NULL, 0)) {
|
|
||||||
*ppEapError = m_module.make_error(GetLastError(), _T(__FUNCTION__) _T(" Error creating SHA-1 hashing object."));
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
// HMAC symmetric key generation sample. To be used later...
|
// HMAC symmetric key generation sample. To be used later...
|
||||||
//crypt_hash hash_key;
|
//crypt_hash hash_key;
|
||||||
//hash_key.create(m_cp, CALG_SHA1, 0, 0);
|
//hash_key.create(m_cp, CALG_SHA1, 0, 0);
|
||||||
@ -215,6 +198,34 @@ bool eap::method_tls::process_request_packet(
|
|||||||
m_packet_req.m_data.assign(packet_data_ptr, packet_data_ptr + packet_data_size);
|
m_packet_req.m_data.assign(packet_data_ptr, packet_data_ptr + packet_data_size);
|
||||||
m_module.log_event(&EAPMETHOD_PACKET_RECV, event_data((unsigned int)eap_type_tls), event_data((unsigned int)packet_data_size), event_data::blank);
|
m_module.log_event(&EAPMETHOD_PACKET_RECV, event_data((unsigned int)eap_type_tls), event_data((unsigned int)packet_data_size), event_data::blank);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (pReceivedPacket->Code == EapCodeRequest && pReceivedPacket->Data[1] & flags_req_start) {
|
||||||
|
// This is the TLS start message: initialize method.
|
||||||
|
m_phase = phase_client_hello;
|
||||||
|
m_packet_res.clear();
|
||||||
|
|
||||||
|
// Generate client randomness.
|
||||||
|
m_random_client.time = (unsigned int)time(NULL);
|
||||||
|
if (!CryptGenRandom(m_cp, sizeof(m_random_client.data), m_random_client.data)) {
|
||||||
|
*ppEapError = m_module.make_error(GetLastError(), _T(__FUNCTION__) _T(" Error creating client randomness."));
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create MD5 hash object.
|
||||||
|
if (!m_hash_handshake_msgs_md5.create(m_cp, CALG_MD5, NULL, 0)) {
|
||||||
|
*ppEapError = m_module.make_error(GetLastError(), _T(__FUNCTION__) _T(" Error creating MD5 hashing object."));
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create SHA-1 hash object.
|
||||||
|
if (!m_hash_handshake_msgs_sha1.create(m_cp, CALG_SHA1, NULL, 0)) {
|
||||||
|
*ppEapError = m_module.make_error(GetLastError(), _T(__FUNCTION__) _T(" Error creating SHA-1 hashing object."));
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
m_seq_num = 0;
|
||||||
|
}
|
||||||
|
|
||||||
m_packet_req.m_code = (EapCode)pReceivedPacket->Code;
|
m_packet_req.m_code = (EapCode)pReceivedPacket->Code;
|
||||||
m_packet_req.m_id = pReceivedPacket->Id;
|
m_packet_req.m_id = pReceivedPacket->Id;
|
||||||
m_packet_req.m_flags = pReceivedPacket->Data[1];
|
m_packet_req.m_flags = pReceivedPacket->Data[1];
|
||||||
@ -239,15 +250,6 @@ bool eap::method_tls::process_request_packet(
|
|||||||
|
|
||||||
switch (m_phase) {
|
switch (m_phase) {
|
||||||
case phase_client_hello: {
|
case phase_client_hello: {
|
||||||
// Is this an EAP-TLS Start packet?
|
|
||||||
if (m_packet_req.m_code != EapCodeRequest) {
|
|
||||||
*ppEapError = m_module.make_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, wstring_printf(_T(__FUNCTION__) _T(" Packet is not a request (expected: %x, received: %x)."), EapCodeRequest, m_packet_req.m_code).c_str());
|
|
||||||
return false;
|
|
||||||
} else if (!(m_packet_req.m_flags & flags_req_start)) {
|
|
||||||
*ppEapError = m_module.make_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, wstring_printf(_T(__FUNCTION__) _T(" Packet is not EAP-TLS Start (expected: %x, received: %x)."), flags_req_start, m_packet_req.m_flags).c_str());
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
m_module.log_event(&EAPMETHOD_HANDSHAKE_START2, event_data((unsigned int)eap_type_tls), event_data::blank);
|
m_module.log_event(&EAPMETHOD_HANDSHAKE_START2, event_data((unsigned int)eap_type_tls), event_data::blank);
|
||||||
|
|
||||||
// Build response packet.
|
// Build response packet.
|
||||||
@ -581,6 +583,15 @@ eap::method_tls::packet& eap::method_tls::packet::operator=(_Inout_ packet &&oth
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void eap::method_tls::packet::clear()
|
||||||
|
{
|
||||||
|
m_code = (EapCode)0;
|
||||||
|
m_id = 0;
|
||||||
|
m_flags = 0;
|
||||||
|
m_data.clear();
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
//////////////////////////////////////////////////////////////////////
|
//////////////////////////////////////////////////////////////////////
|
||||||
// eap::method_tls::random
|
// eap::method_tls::random
|
||||||
//////////////////////////////////////////////////////////////////////
|
//////////////////////////////////////////////////////////////////////
|
||||||
|
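Review bot: Removing the code/flags validation from `case phase_client_hello` leaves no visible rejection of a request that arrives before any EAP-TLS Start: the constructor now starts in `phase_unknown`, only a Start packet moves the session to `phase_client_hello`, and the `switch (m_phase)` shown has no `case phase_unknown:`, so unless a `default:` outside the hunk returns an error such a packet is presumably handled without client random or handshake hash objects ever having been created. Add `case phase_unknown: *ppEapError = m_module.make_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, _T(__FUNCTION__) _T(" Packet received before EAP-TLS Start.")); return false;` at the top of the switch, which restores the check the old `phase_client_hello` branch performed. The Start test at `if (pReceivedPacket->Code == EapCodeRequest && pReceivedPacket->Data[1] & flags_req_start)` reads `Data[1]` with no length check visible in the hunk; if `packet_data_size` is not already validated to be at least 2 before this point, that check belongs here, and parenthesising `(pReceivedPacket->Data[1] & flags_req_start)` would make the intended precedence explicit. `process_request_packet()` starts before and ends after these hunks.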