Amebis/GEANTLink
Amebis/GEANTLink
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 50 Wiki Activity

Work continues...

Browse Source 
- More event reporting added
- unsigned long and DWORD replaced with unsigned int for code readability and (possibly) portability
- Client hello message fixed
- SSL version reverted to TLS 1.0, will catch-up later if required
This commit is contained in:
Simon Rozman 2016-08-07 12:15:45 +02:00
parent e649a86b1f
commit d199cb68bb
9 changed files with 119 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lib/EAPBase/include/Method.h
View File

@ -146,6 +146,20 @@ namespace eap
_Inout_ DWORD *pdwSendPacketSize,
_Out_ EAP_ERROR **ppEapError) = 0;
///
/// Obtains the result of an authentication session from the EAP method.
///
/// \sa [EapPeerGetResult function](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363611.aspx)
///
/// \returns
/// - \c true if succeeded
/// - \c false otherwise. See \p ppEapError for details.
///
virtual bool get_result(
_In_ EapPeerMethodResultReason reason,
_Out_ EapPeerMethodResult *ppResult,
_Out_ EAP_ERROR **ppEapError) = 0;
/// @}
public:

4
lib/EAPBase/src/Module.cpp
View File

@ -33,7 +33,7 @@ eap::module::module(eap_type_t eap_method) :
m_instance(NULL)
{
m_ep.create(&EAPMETHOD_TRACE_EVENT_PROVIDER);
m_ep.write(&EAPMETHOD_TRACE_EVT_MODULE_LOAD, event_data((DWORD)m_eap_method), event_data::blank);
m_ep.write(&EAPMETHOD_TRACE_EVT_MODULE_LOAD, event_data((unsigned int)m_eap_method), event_data::blank);
m_heap.create(0, 0, 0);
}
@ -41,7 +41,7 @@ eap::module::module(eap_type_t eap_method) :
eap::module::~module()
{
m_ep.write(&EAPMETHOD_TRACE_EVT_MODULE_UNLOAD, event_data((DWORD)m_eap_method), event_data::blank);
m_ep.write(&EAPMETHOD_TRACE_EVT_MODULE_UNLOAD, event_data((unsigned int)m_eap_method), event_data::blank);
}

BIN
lib/Events/res/EventsETW.man
View File

Binary file not shown.

18
lib/TLS/include/Method.h
View File

@ -63,8 +63,8 @@ namespace eap
#pragma pack(push)
#pragma pack(1)
struct tls_random_t {
unsigned long time;
unsigned char data[28];
unsigned int time; ///< Unix time-stamp
unsigned char data[28]; ///< Randomness
};
#pragma pack(pop)
@ -176,6 +176,20 @@ namespace eap
_Inout_ DWORD *pdwSendPacketSize,
_Out_ EAP_ERROR **ppEapError);
///
/// Obtains the result of an authentication session from the EAP method.
///
/// \sa [EapPeerGetResult function](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363611.aspx)
///
/// \returns
/// - \c true if succeeded
/// - \c false otherwise. See \p ppEapError for details.
///
virtual bool get_result(
_In_ EapPeerMethodResultReason reason,
_Out_ EapPeerMethodResult *ppResult,
_Out_ EAP_ERROR **ppEapError);
/// @}
protected:

73
lib/TLS/src/Method.cpp
View File

@ -180,7 +180,7 @@ bool eap::method_tls::begin_session(
}
// Generate client randomness.
m_random_client.time = (unsigned long)time(NULL);
m_random_client.time = (unsigned int)time(NULL);
if (!CryptGenRandom(m_cp, sizeof(m_random_client.data), m_random_client.data)) {
*ppEapError = m_module.make_error(GetLastError(), _T(__FUNCTION__) _T(" Error creating client randomness."));
return false;
@ -225,6 +225,8 @@ bool eap::method_tls::process_request_packet(
return false;
}*/
size_t size_data = dwReceivedPacketSize - ((pReceivedPacket->Data[1] & tls_req_flags_length_incl) ? 10 : 6);
if (pReceivedPacket->Data[1] & tls_req_flags_more_frag) {
if (pReceivedPacket->Data[1] & tls_req_flags_length_incl) {
// First fragment received.
@ -237,11 +239,16 @@ bool eap::method_tls::process_request_packet(
m_packet_req.m_code = (EapCode)pReceivedPacket->Code;
m_packet_req.m_id = pReceivedPacket->Id;
m_packet_req.m_flags = pReceivedPacket->Data[1];
m_packet_req.m_data.reserve(*(unsigned long*)(pReceivedPacket->Data + 2));
size_t size_tot = *(unsigned int*)(pReceivedPacket->Data + 2);
m_packet_req.m_data.reserve(size_tot);
m_packet_req.m_data.assign(pReceivedPacket->Data + 6, pReceivedPacket->Data + dwReceivedPacketSize - 4);
m_module.log_event(&EAPMETHOD_PACKET_RECV_FRAG_FIRST, event_data((unsigned int)eap_type_tls), event_data(size_tot), event_data(size_data), event_data::blank);
} else {
// Mid fragment received. Append data.
m_packet_req.m_data.insert(m_packet_req.m_data.end(), pReceivedPacket->Data + 2, pReceivedPacket->Data + dwReceivedPacketSize - 4);
m_module.log_event(&EAPMETHOD_PACKET_RECV_FRAG_MID, event_data((unsigned int)eap_type_tls), event_data(size_data), event_data(m_packet_req.m_data.size()), event_data::blank);
}
// Reply with ACK packet.
@ -257,6 +264,8 @@ bool eap::method_tls::process_request_packet(
m_packet_req.m_data.insert(m_packet_req.m_data.end(),
pReceivedPacket->Data + (!(pReceivedPacket->Data[1] & tls_req_flags_length_incl) ? 2 : 6), // Should not include "Length" field (by RFC 5281: https://tools.ietf.org/html/rfc5281#section-9.2.2). Tolerate.
pReceivedPacket->Data + dwReceivedPacketSize - 4);
m_module.log_event(&EAPMETHOD_PACKET_RECV_FRAG_LAST, event_data((unsigned int)eap_type_tls), event_data(size_data), event_data(m_packet_req.m_data.size()), event_data::blank);
} else {
// This is a complete non-fragmented packet.
m_packet_req.m_code = (EapCode)pReceivedPacket->Code;
@ -265,6 +274,8 @@ bool eap::method_tls::process_request_packet(
m_packet_req.m_data.assign(
pReceivedPacket->Data + (!(pReceivedPacket->Data[1] & tls_req_flags_length_incl) ? 2 : 6),
pReceivedPacket->Data + dwReceivedPacketSize - 4);
m_module.log_event(&EAPMETHOD_PACKET_RECV, event_data((unsigned int)eap_type_tls), event_data(size_data), event_data::blank);
}
if ( m_packet_req.m_code == EapCodeRequest &&
@ -291,6 +302,8 @@ bool eap::method_tls::process_request_packet(
return false;
}
m_module.log_event(&EAPMETHOD_HANDSHAKE_START2, event_data((unsigned int)eap_type_tls), event_data::blank);
// Build response packet.
m_packet_res.m_code = EapCodeResponse;
m_packet_res.m_id = m_packet_req.m_id;
@ -302,7 +315,7 @@ bool eap::method_tls::process_request_packet(
pEapOutput->fAllowNotifications = FALSE;
pEapOutput->action = EapPeerMethodResponseActionSend;
// Save the client_hello message.
// Hash the client_hello message.
CryptHashData(m_hash_handshake_msgs_md5 , hello.data(), (DWORD)hello.size(), 0);
CryptHashData(m_hash_handshake_msgs_sha1, hello.data(), (DWORD)hello.size(), 0);
@ -330,10 +343,10 @@ bool eap::method_tls::get_response_packet(
assert(pSendPacket);
UNREFERENCED_PARAMETER(ppEapError);
unsigned long
size_data = (unsigned long)m_packet_res.m_data.size(),
unsigned int
size_data = (unsigned int)m_packet_res.m_data.size(),
size_packet = size_data + 6;
unsigned short size_packet_limit = (unsigned short)std::min<unsigned long>(*pdwSendPacketSize, USHRT_MAX);
unsigned short size_packet_limit = (unsigned short)std::min<unsigned int>(*pdwSendPacketSize, USHRT_MAX);
unsigned char *data_dst;
if (!(m_packet_res.m_flags & tls_res_flags_more_frag)) {
@ -342,24 +355,28 @@ bool eap::method_tls::get_response_packet(
// No need to fragment the packet.
m_packet_res.m_flags &= ~tls_res_flags_length_incl; // No need to explicitly include the Length field either.
data_dst = pSendPacket->Data + 2;
m_module.log_event(&EAPMETHOD_PACKET_SEND, event_data((unsigned int)eap_type_tls), event_data(size_data), event_data::blank);
} else {
// But it should be fragmented.
m_packet_res.m_flags |= tls_res_flags_length_incl | tls_res_flags_more_frag;
*(unsigned long*)(pSendPacket->Data + 2) = (unsigned long)size_packet;
*(unsigned int*)(pSendPacket->Data + 2) = (unsigned int)size_packet;
data_dst = pSendPacket->Data + 6;
size_data = size_packet_limit - 10;
size_packet = size_packet_limit;
m_module.log_event(&EAPMETHOD_PACKET_SEND_FRAG_FIRST, event_data((unsigned int)eap_type_tls), event_data(m_packet_res.m_data.size() - size_data), event_data(size_data), event_data::blank);
}
} else {
// Continuing the fragmented packet...
if (size_packet <= size_packet_limit) {
// This is the last fragment.
m_packet_res.m_flags &= ~(tls_res_flags_length_incl | tls_res_flags_more_frag);
} else {
if (size_packet > size_packet_limit) {
// This is a mid fragment.
m_packet_res.m_flags &= ~tls_res_flags_length_incl;
size_data = size_packet_limit - 6;
size_packet = size_packet_limit;
m_module.log_event(&EAPMETHOD_PACKET_SEND_FRAG_MID, event_data((unsigned int)eap_type_tls), event_data(m_packet_res.m_data.size() - size_data), event_data(size_data), event_data::blank);
} else {
// This is the last fragment.
m_packet_res.m_flags &= ~(tls_res_flags_length_incl | tls_res_flags_more_frag);
m_module.log_event(&EAPMETHOD_PACKET_SEND_FRAG_LAST, event_data((unsigned int)eap_type_tls), event_data(m_packet_res.m_data.size() - size_data), event_data(size_data), event_data::blank);
}
data_dst = pSendPacket->Data + 2;
}
@ -376,6 +393,20 @@ bool eap::method_tls::get_response_packet(
}
bool eap::method_tls::get_result(
_In_ EapPeerMethodResultReason reason,
_Out_ EapPeerMethodResult *ppResult,
_Out_ EAP_ERROR **ppEapError)
{
UNREFERENCED_PARAMETER(reason);
UNREFERENCED_PARAMETER(ppResult);
assert(ppEapError);
*ppEapError = m_module.make_error(ERROR_NOT_SUPPORTED, _T(__FUNCTION__) _T(" Not supported."));
return false;
}
eap::sanitizing_blob eap::method_tls::make_client_hello() const
{
size_t size_data;
@ -386,23 +417,23 @@ eap::sanitizing_blob eap::method_tls::make_client_hello() const
2 + // SSL version
sizeof(tls_random_t) + // Client random
1 + // Session ID size
m_session_id.size()) + // Session ID
m_session_id.size() + // Session ID
2 + // Length of cypher suite list
2 + // Cyper suite list
1 + // Length of compression suite
1); // Compression suite
1)); // Compression suite
// SSL header
assert(size_data <= 0xffffff);
unsigned long ssl_header = htonl(0x01000000 | (unsigned long)size_data); // client_hello (0x01)
unsigned int ssl_header = htonl(0x01000000 | (unsigned int)size_data); // client_hello (0x01)
msg.insert(msg.end(), (unsigned char*)&ssl_header, (unsigned char*)(&ssl_header + 1));
// SSL version
// SSL version: TLS 1.0
msg.push_back(3); // SSL major version
msg.push_back(3); // SSL minor version
msg.push_back(1); // SSL minor version
// Client random
unsigned long time = htonl(m_random_client.time);
unsigned int time = htonl(m_random_client.time);
msg.insert(msg.end(), (unsigned char*)&time, (unsigned char*)(&time + 1));
msg.insert(msg.end(), m_random_client.data, m_random_client.data + _countof(m_random_client.data)); // TODO: Check if byte order should be changed!
@ -439,11 +470,11 @@ bool eap::method_tls::make_handshake(_In_ const sanitizing_blob &msg, _In_ bool
// Encrypt it.
if (!encrypt_message(msg_h_unenc, msg_enc, ppEapError)) return false;
size_msg = msg_enc.size();
msg_ptr = msg_enc.data();
size_msg = msg_enc.size();
} else {
size_msg = msg.size();
msg_ptr = msg.data();
size_msg = msg.size();
}
// Create a handshake.
@ -457,9 +488,9 @@ bool eap::method_tls::make_handshake(_In_ const sanitizing_blob &msg, _In_ bool
// SSL record type
msg_h.push_back(22); // handshake (22)
// SSL version
// SSL version: TLS 1.0
msg_h.push_back(3); // SSL major version
msg_h.push_back(3); // SSL minor version
msg_h.push_back(1); // SSL minor version
// Message
assert(size_msg <= 0xffff);

14
lib/TTLS/include/Method.h
View File

@ -143,6 +143,20 @@ namespace eap
_Inout_ DWORD *pdwSendPacketSize,
_Out_ EAP_ERROR **ppEapError);
///
/// Obtains the result of an authentication session from the EAP method.
///
/// \sa [EapPeerGetResult function](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363611.aspx)
///
/// \returns
/// - \c true if succeeded
/// - \c false otherwise. See \p ppEapError for details.
///
virtual bool get_result(
_In_ EapPeerMethodResultReason reason,
_Out_ EapPeerMethodResult *ppResult,
_Out_ EAP_ERROR **ppEapError);
/// @}
public:

11
lib/TTLS/src/Method.cpp
View File

@ -106,7 +106,7 @@ bool eap::method_ttls::process_request_packet(
// Determine minimum EAP-TTLS version supported by server and us.
version_t ver_remote = (version_t)(pReceivedPacket->Data[1] & ttls_flags_ver_mask);
m_version = std::min<version_t>(ver_remote, version_0);
m_module.log_event(&EAPMETHOD_HANDSHAKE_START1, event_data((DWORD)eap_type_ttls), event_data((unsigned char)m_version), event_data((unsigned char)ver_remote), event_data::blank);
m_module.log_event(&EAPMETHOD_HANDSHAKE_START1, event_data((unsigned int)eap_type_ttls), event_data((unsigned char)m_version), event_data((unsigned char)ver_remote), event_data::blank);
}
return m_outer.process_request_packet(pReceivedPacket, dwReceivedPacketSize, pEapOutput, ppEapError);
@ -128,3 +128,12 @@ bool eap::method_ttls::get_response_packet(
return true;
}
bool eap::method_ttls::get_result(
_In_ EapPeerMethodResultReason reason,
_Out_ EapPeerMethodResult *ppResult,
_Out_ EAP_ERROR **ppEapError)
{
return m_outer.get_result(reason, ppResult, ppEapError);
}

26
lib/TTLS/src/Module.cpp
View File

@ -122,14 +122,14 @@ bool eap::peer_ttls::get_identity(
if (!is_outer_set) {
// Outer TLS: Using EAP service cached credentials.
cred_out.m_outer = cred_in.m_outer;
log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((DWORD)eap_type_tls), event_data(cred_out.m_outer.get_name()), event_data::blank);
log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)eap_type_tls), event_data(cred_out.m_outer.get_name()), event_data::blank);
is_outer_set = true;
}
if (!is_inner_set && cred_in.m_inner) {
// Inner PAP: Using EAP service cached credentials.
cred_out.m_inner.reset((credentials*)cred_in.m_inner->clone());
log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((DWORD)type_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)type_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
is_inner_set = true;
}
}
@ -137,7 +137,7 @@ bool eap::peer_ttls::get_identity(
if (!is_outer_set && cfg_method->m_outer.m_use_preshared) {
// Outer TLS: Using preshared credentials.
cred_out.m_outer = *(credentials_tls*)cfg_method->m_outer.m_preshared.get();
log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((DWORD)eap_type_tls), event_data(cred_out.m_outer.get_name()), event_data::blank);
log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)eap_type_tls), event_data(cred_out.m_outer.get_name()), event_data::blank);
is_outer_set = true;
}
@ -146,7 +146,7 @@ bool eap::peer_ttls::get_identity(
if (cfg_inner_pap->m_use_preshared) {
// Inner PAP: Using preshared credentials.
cred_out.m_inner.reset((credentials*)cfg_inner_pap->m_preshared->clone());
log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((DWORD)type_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)type_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
is_inner_set = true;
}
} else
@ -164,7 +164,7 @@ bool eap::peer_ttls::get_identity(
if (cred_loaded.retrieve(cfg_prov.m_id.c_str(), ppEapError)) {
// Outer TLS: Using stored credentials.
cred_out.m_outer = std::move(cred_loaded);
log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((DWORD)eap_type_tls), event_data(cred_out.m_outer.get_name()), event_data::blank);
log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)eap_type_tls), event_data(cred_out.m_outer.get_name()), event_data::blank);
is_outer_set = true;
} else {
// Not actually an error.
@ -179,7 +179,7 @@ bool eap::peer_ttls::get_identity(
if (cred_loaded->retrieve(cfg_prov.m_id.c_str(), ppEapError)) {
// Inner PAP: Using stored credentials.
cred_out.m_inner = std::move(cred_loaded);
log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((DWORD)type_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)type_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
is_inner_set = true;
} else {
// Not actually an error.
@ -195,13 +195,13 @@ bool eap::peer_ttls::get_identity(
if ((dwFlags & EAP_FLAG_MACHINE_AUTH) == 0) {
// Per-user authentication
if (!is_outer_set) {
log_event(&EAPMETHOD_TRACE_EVT_CRED_INVOKE_UI1, event_data((DWORD)eap_type_tls), event_data::blank);
log_event(&EAPMETHOD_TRACE_EVT_CRED_INVOKE_UI1, event_data((unsigned int)eap_type_tls), event_data::blank);
*pfInvokeUI = TRUE;
return true;
}
if (!is_inner_set) {
log_event(&EAPMETHOD_TRACE_EVT_CRED_INVOKE_UI1, event_data((DWORD)type_inner), event_data::blank);
log_event(&EAPMETHOD_TRACE_EVT_CRED_INVOKE_UI1, event_data((unsigned int)type_inner), event_data::blank);
*pfInvokeUI = TRUE;
return true;
}
@ -217,7 +217,7 @@ bool eap::peer_ttls::get_identity(
// Build our identity. ;)
wstring identity(std::move(cfg_method->get_public_identity(cred_out)));
log_event(&EAPMETHOD_TRACE_EVT_CRED_OUTER_ID1, event_data((DWORD)eap_type_ttls), event_data(identity), event_data::blank);
log_event(&EAPMETHOD_TRACE_EVT_CRED_OUTER_ID1, event_data((unsigned int)eap_type_ttls), event_data(identity), event_data::blank);
size_t size = sizeof(WCHAR)*(identity.length() + 1);
*ppwszIdentity = (WCHAR*)alloc_memory(size);
memcpy(*ppwszIdentity, identity.c_str(), size);
@ -400,13 +400,7 @@ bool eap::peer_ttls::get_result(
_Out_ EapPeerMethodResult *ppResult,
_Out_ EAP_ERROR **ppEapError)
{
UNREFERENCED_PARAMETER(hSession);
UNREFERENCED_PARAMETER(reason);
UNREFERENCED_PARAMETER(ppResult);
assert(ppEapError);
*ppEapError = make_error(ERROR_NOT_SUPPORTED, _T(__FUNCTION__) _T(" Not supported."));
return false;
return static_cast<session*>(hSession)->m_method.get_result(reason, ppResult, ppEapError);
}

2
lib/TTLS_UI/src/Module.cpp
View File

@ -193,7 +193,7 @@ bool eap::peer_ttls_ui::invoke_identity_ui(
// Build our identity. ;)
wstring identity(move(cfg_method->get_public_identity(cred)));
log_event(&EAPMETHOD_TRACE_EVT_CRED_OUTER_ID1, event_data((DWORD)eap_type_ttls), event_data(identity), event_data::blank);
log_event(&EAPMETHOD_TRACE_EVT_CRED_OUTER_ID1, event_data((unsigned int)eap_type_ttls), event_data(identity), event_data::blank);
size_t size = sizeof(WCHAR)*(identity.length() + 1);
*ppwszIdentity = (WCHAR*)alloc_memory(size);
memcpy(*ppwszIdentity, identity.c_str(), size);