Amebis/GEANTLink
Amebis/GEANTLink
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 50 Wiki Activity

Credential management revised

Browse Source
This commit is contained in:
Simon Rozman 2016-08-15 17:33:10 +02:00
parent 4dc7083028
commit d8ccf7cbc0
23 changed files with 496 additions and 218 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/EAPBase/include/Config.h
View File

@ -342,6 +342,7 @@ namespace eap
bool m_allow_save; ///< Are credentials allowed to be saved to Windows Credential Manager?
bool m_use_preshared; ///< Use pre-shared credentials
std::unique_ptr<credentials> m_preshared; ///< Pre-shared credentials
bool m_cred_failed; ///< Did credential fail last time?
};

20
lib/EAPBase/include/Credentials.h
View File

@ -158,6 +158,26 @@ namespace eap
/// Returns credential name (for GUI display).
///
virtual winstd::tstring get_name() const;
///
/// Combine credentials in the following order:
///
/// 1. Cached credentials
/// 2. Pre-configured credentials
/// 3. Stored credentials
///
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL)
/// \param[in] cfg Method configuration
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
///
/// \returns
/// - \c true if credentials were set;
/// - \c false otherwise
///
virtual bool combine(
_In_ const credentials *cred_cached,
_In_ config_method_with_cred &cfg,
_In_opt_z_ LPCTSTR pszTargetName);
};

10
lib/EAPBase/src/Config.cpp
View File

@ -139,6 +139,7 @@ eap::config_method& eap::config_method::operator=(_Inout_ config_method &&other)
eap::config_method_with_cred::config_method_with_cred(_In_ module &mod) :
m_allow_save(true),
m_use_preshared(false),
m_cred_failed(false),
config_method(mod)
{
}
@ -148,6 +149,7 @@ eap::config_method_with_cred::config_method_with_cred(_In_ const config_method_w
m_allow_save(other.m_allow_save),
m_use_preshared(other.m_use_preshared),
m_preshared(other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr),
m_cred_failed(other.m_cred_failed),
config_method(other)
{
}
@ -157,6 +159,7 @@ eap::config_method_with_cred::config_method_with_cred(_Inout_ config_method_with
m_allow_save(std::move(other.m_allow_save)),
m_use_preshared(std::move(other.m_use_preshared)),
m_preshared(std::move(other.m_preshared)),
m_cred_failed(std::move(other.m_cred_failed)),
config_method(std::move(other))
{
}
@ -169,6 +172,7 @@ eap::config_method_with_cred& eap::config_method_with_cred::operator=(_In_ const
m_allow_save = other.m_allow_save;
m_use_preshared = other.m_use_preshared;
m_preshared.reset(other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr);
m_cred_failed = other.m_cred_failed;
}
return *this;
@ -182,6 +186,7 @@ eap::config_method_with_cred& eap::config_method_with_cred::operator=(_Inout_ co
m_allow_save = std::move(other.m_allow_save );
m_use_preshared = std::move(other.m_use_preshared);
m_preshared = std::move(other.m_preshared );
m_cred_failed = std::move(other.m_cred_failed );
}
return *this;
@ -243,6 +248,7 @@ void eap::config_method_with_cred::operator<<(_Inout_ cursor_out &cursor) const
cursor << m_allow_save;
cursor << m_use_preshared;
cursor << *m_preshared;
cursor << m_cred_failed;
}
@ -252,7 +258,8 @@ size_t eap::config_method_with_cred::get_pk_size() const
config_method::get_pk_size() +
pksizeof(m_allow_save ) +
pksizeof(m_use_preshared) +
pksizeof(*m_preshared );
pksizeof(*m_preshared ) +
pksizeof(m_cred_failed );
}
@ -262,6 +269,7 @@ void eap::config_method_with_cred::operator>>(_Inout_ cursor_in &cursor)
cursor >> m_allow_save;
cursor >> m_use_preshared;
cursor >> *m_preshared;
cursor >> m_cred_failed;
}

13
lib/EAPBase/src/Credentials.cpp
View File

@ -83,6 +83,19 @@ tstring eap::credentials::get_name() const
}
bool eap::credentials::combine(
_In_ const credentials *cred_cached,
_In_ config_method_with_cred &cfg,
_In_opt_z_ LPCTSTR pszTargetName)
{
UNREFERENCED_PARAMETER(cred_cached);
UNREFERENCED_PARAMETER(cfg);
UNREFERENCED_PARAMETER(pszTargetName);
// When there's nothing to combine...
return true;
}
//////////////////////////////////////////////////////////////////////
// eap::credentials_pass
//////////////////////////////////////////////////////////////////////

129
lib/EAPBase_UI/include/EAP_UI.h
View File

@ -39,11 +39,23 @@ template <class _wxT> class wxEAPConfigDialog;
///
class wxEAPCredentialsDialog;
///
/// EAP Provider-locked congifuration note
/// EAP general note
///
class wxEAPNotePanel;
///
/// EAP provider-locked congifuration note
///
class wxEAPProviderLockedPanel;
///
/// EAP credential warning note
///
class wxEAPCredentialWarningPanel;
///
/// Base template for credential configuration panel
///
@ -176,13 +188,13 @@ protected:
};
class wxEAPProviderLockedPanel : public wxEAPGeneralNotePanel
class wxEAPNotePanel : public wxEAPNotePanelBase
{
public:
///
/// Constructs a notice pannel and set the title text
/// Constructs an empty notice pannel
///
wxEAPProviderLockedPanel(const eap::config_provider &prov, wxWindow* parent);
wxEAPNotePanel(wxWindow* parent);
protected:
/// \cond internal
@ -210,12 +222,46 @@ protected:
return GetPhoneNumber<_Elem, std::char_traits<_Elem>, std::allocator<_Elem> >(num);
}
void CreateContactFields(const eap::config_provider &prov);
/// \endcond
protected:
const eap::config_provider &m_prov; ///< EAP provider
winstd::library m_shell32; ///< shell32.dll resource library reference
wxIcon m_icon; ///< Panel icon
wxStaticText *m_provider_notice;
wxStaticText *m_help_web_label;
wxHyperlinkCtrl *m_help_web_value;
wxStaticText *m_help_email_label;
wxHyperlinkCtrl *m_help_email_value;
wxStaticText *m_help_phone_label;
wxHyperlinkCtrl *m_help_phone_value;
};
class wxEAPProviderLockedPanel : public wxEAPNotePanel
{
public:
///
/// Constructs a notice pannel and set the title text
///
wxEAPProviderLockedPanel(const eap::config_provider &prov, wxWindow* parent);
protected:
winstd::library m_shell32; ///< shell32.dll resource library reference
wxIcon m_icon; ///< Panel icon
};
class wxEAPCredentialWarningPanel : public wxEAPNotePanel
{
public:
///
/// Constructs a notice pannel and set the title text
///
wxEAPCredentialWarningPanel(const eap::config_provider &prov, wxWindow* parent);
protected:
winstd::library m_shell32; ///< shell32.dll resource library reference
wxIcon m_icon; ///< Panel icon
};
@ -342,13 +388,31 @@ protected:
{
UNREFERENCED_PARAMETER(event);
wxEAPCredentialsDialog dlg(m_prov, this);
// Read credentials from Credential Manager
_Tcred cred(m_cfg.m_module);
_wxT *panel = new _wxT(m_prov, m_cfg, cred, m_target.c_str(), &dlg, true);
try {
cred.retrieve(m_target.c_str());
} catch (winstd::win_runtime_error &err) {
if (err.number() != ERROR_NOT_FOUND)
wxLogError(winstd::tstring_printf(_("Error reading credentials from Credential Manager: %hs (error %u)"), err.what(), err.number()).c_str());
} catch (...) {
wxLogError(_("Reading credentials failed."));
}
// Display credential prompt.
wxEAPCredentialsDialog dlg(m_prov, this);
_wxT *panel = new _wxT(m_prov, m_cfg, cred, m_target.c_str(), &dlg, true);
dlg.AddContents((wxPanel**)&panel, 1);
dlg.ShowModal();
if (dlg.ShowModal() == wxID_OK && panel->GetRememberValue()) {
// Write credentials to credential manager.
try {
cred.store(m_target.c_str());
} catch (winstd::win_runtime_error &err) {
wxLogError(winstd::tstring_printf(_("Error writing credentials to Credential Manager: %hs (error %u)"), err.what(), err.number()).c_str());
} catch (...) {
wxLogError(_("Writing credentials failed."));
}
}
}
@ -422,47 +486,14 @@ public:
this->Disconnect(wxEVT_UPDATE_UI, wxUpdateUIEventHandler(_Tthis::OnUpdateUI));
}
inline bool GetRememberValue() const
{
return m_remember->GetValue();
}
protected:
/// \cond internal
virtual bool TransferDataToWindow()
{
if (!m_target.empty() && m_is_config) {
// Read credentials from Credential Manager
try {
m_cred.retrieve(m_target.c_str());
} catch (winstd::win_runtime_error &err) {
if (err.number() != ERROR_NOT_FOUND)
wxLogError(winstd::tstring_printf(_("Error reading credentials from Credential Manager: %hs (error %u)"), err.what(), err.number()).c_str());
} catch (...) {
wxLogError(_("Reading credentials failed."));
}
}
return _Tbase::TransferDataToWindow();
}
virtual bool TransferDataFromWindow()
{
wxCHECK(_Tbase::TransferDataFromWindow(), false);
if (!m_target.empty()) {
if (m_remember->GetValue()) {
// Write credentials to credential manager.
try {
m_cred.store(m_target.c_str());
} catch (winstd::win_runtime_error &err) {
wxLogError(winstd::tstring_printf(_("Error writing credentials to Credential Manager: %hs (error %u)"), err.what(), err.number()).c_str());
} catch (...) {
wxLogError(_("Writing credentials failed."));
}
}
}
return true;
}
virtual void OnUpdateUI(wxUpdateUIEvent& event)
{
UNREFERENCED_PARAMETER(event);

6
lib/EAPBase_UI/res/wxEAP_UI.cpp
View File

@ -119,7 +119,7 @@ wxEAPBannerPanelBase::~wxEAPBannerPanelBase()
{
}
wxEAPGeneralNotePanel::wxEAPGeneralNotePanel( wxWindow* parent, wxWindowID id, const wxPoint& pos, const wxSize& size, long style ) : wxPanel( parent, id, pos, size, style )
wxEAPNotePanelBase::wxEAPNotePanelBase( wxWindow* parent, wxWindowID id, const wxPoint& pos, const wxSize& size, long style ) : wxPanel( parent, id, pos, size, style )
{
this->SetBackgroundColour( wxSystemSettings::GetColour( wxSYS_COLOUR_INFOBK ) );
@ -132,7 +132,7 @@ wxEAPGeneralNotePanel::wxEAPGeneralNotePanel( wxWindow* parent, wxWindowID id, c
m_note_vert = new wxBoxSizer( wxVERTICAL );
m_note_label = new wxStaticText( this, wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, 0 );
m_note_label->Wrap( 452 );
m_note_label->Wrap( 449 );
m_note_vert->Add( m_note_label, 0, wxALL|wxEXPAND, 5 );
@ -143,7 +143,7 @@ wxEAPGeneralNotePanel::wxEAPGeneralNotePanel( wxWindow* parent, wxWindowID id, c
this->Layout();
}
wxEAPGeneralNotePanel::~wxEAPGeneralNotePanel()
wxEAPNotePanelBase::~wxEAPNotePanelBase()
{
}

4
lib/EAPBase_UI/res/wxEAP_UI.fbp
View File

@ -637,7 +637,7 @@
<property name="id">wxID_ANY</property>
<property name="maximum_size"></property>
<property name="minimum_size"></property>
<property name="name">wxEAPGeneralNotePanel</property>
<property name="name">wxEAPNotePanelBase</property>
<property name="pos"></property>
<property name="size">500,-1</property>
<property name="subclass"></property>
@ -827,7 +827,7 @@
<property name="window_extra_style"></property>
<property name="window_name"></property>
<property name="window_style"></property>
<property name="wrap">452</property>
<property name="wrap">449</property>
<event name="OnChar"></event>
<event name="OnEnterWindow"></event>
<event name="OnEraseBackground"></event>

8
lib/EAPBase_UI/res/wxEAP_UI.h
View File

@ -102,9 +102,9 @@ class wxEAPBannerPanelBase : public wxPanel
};
///////////////////////////////////////////////////////////////////////////////
/// Class wxEAPGeneralNotePanel
/// Class wxEAPNotePanelBase
///////////////////////////////////////////////////////////////////////////////
class wxEAPGeneralNotePanel : public wxPanel
class wxEAPNotePanelBase : public wxPanel
{
private:
@ -115,8 +115,8 @@ class wxEAPGeneralNotePanel : public wxPanel
public:
wxEAPGeneralNotePanel( wxWindow* parent, wxWindowID id = wxID_ANY, const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxSize( 500,-1 ), long style = wxSIMPLE_BORDER|wxTAB_TRAVERSAL );
~wxEAPGeneralNotePanel();
wxEAPNotePanelBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxSize( 500,-1 ), long style = wxSIMPLE_BORDER|wxTAB_TRAVERSAL );
~wxEAPNotePanelBase();
};

126
lib/EAPBase_UI/src/EAP_UI.cpp
View File

@ -74,28 +74,36 @@ void wxEAPCredentialsDialog::OnInitDialog(wxInitDialogEvent& event)
//////////////////////////////////////////////////////////////////////
// wxEAPProviderLockedPanel
// wxEAPNotePanel
//////////////////////////////////////////////////////////////////////
wxEAPProviderLockedPanel::wxEAPProviderLockedPanel(const eap::config_provider &prov, wxWindow* parent) :
m_prov(prov),
wxEAPGeneralNotePanel(parent)
wxEAPNotePanel::wxEAPNotePanel(wxWindow* parent) :
m_provider_notice(NULL),
m_help_web_label(NULL),
m_help_web_value(NULL),
m_help_email_label(NULL),
m_help_email_value(NULL),
m_help_phone_label(NULL),
m_help_phone_value(NULL),
wxEAPNotePanelBase(parent)
{
// Load and set icon.
if (m_shell32.load(_T("shell32.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
wxSetIconFromResource(m_note_icon, m_icon, m_shell32, MAKEINTRESOURCE(48));
}
m_note_label->SetLabel(wxString::Format(_("%s has pre-set parts of this configuration. Those parts are locked to prevent accidental modification."),
!m_prov.m_name.empty() ? m_prov.m_name.c_str() :
!m_prov.m_id .empty() ? winstd::tstring_printf(_("Your %ls provider"), m_prov.m_id.c_str()).c_str() : _("Your provider")));
m_note_label->Wrap(452);
if (!m_prov.m_help_email.empty() || !m_prov.m_help_web.empty() || !m_prov.m_help_phone.empty()) {
wxStaticText *provider_notice = new wxStaticText(this, wxID_ANY, wxString::Format(_("For additional help and instructions, please contact %s at:"),
!m_prov.m_name.empty() ? m_prov.m_name.c_str() :
!m_prov.m_id .empty() ? winstd::tstring_printf(_("your %ls provider"), m_prov.m_id.c_str()).c_str() : _("your provider")), wxDefaultPosition, wxDefaultSize, 0);
provider_notice->Wrap(452);
m_note_vert->Add(provider_notice, 0, wxUP|wxLEFT|wxRIGHT|wxEXPAND, 5);
bool wxEAPNotePanel::AcceptsFocusFromKeyboard() const
{
return m_help_web_value || m_help_email_value || m_help_phone_label;
}
void wxEAPNotePanel::CreateContactFields(const eap::config_provider &prov)
{
if (!prov.m_help_email.empty() || !prov.m_help_web.empty() || !prov.m_help_phone.empty()) {
m_provider_notice = new wxStaticText(this, wxID_ANY, wxString::Format(_("For additional help and instructions, please contact %s at:"),
!prov.m_name.empty() ? prov.m_name.c_str() :
!prov.m_id .empty() ? winstd::tstring_printf(_("your %ls provider"), prov.m_id.c_str()).c_str() : _("your provider")), wxDefaultPosition, wxDefaultSize, 0);
m_provider_notice->Wrap(449);
m_note_vert->Add(m_provider_notice, 0, wxUP|wxLEFT|wxRIGHT|wxEXPAND, 5);
wxFlexGridSizer* sb_contact_tbl;
sb_contact_tbl = new wxFlexGridSizer(0, 2, 5, 5);
@ -105,47 +113,79 @@ wxEAPProviderLockedPanel::wxEAPProviderLockedPanel(const eap::config_provider &p
wxFont font_wingdings(-1, wxFONTFAMILY_DEFAULT, wxFONTSTYLE_NORMAL, wxFONTWEIGHT_NORMAL, false, wxT("Wingdings"));
if (!m_prov.m_help_web.empty()) {
wxStaticText *label = new wxStaticText(this, wxID_ANY, wxT("\xb6"), wxDefaultPosition, wxDefaultSize, 0);
label->Wrap(-1);
label->SetFont(font_wingdings);
sb_contact_tbl->Add(label, 0, wxEXPAND|wxALIGN_TOP, 5);
if (!prov.m_help_web.empty()) {
m_help_web_label = new wxStaticText(this, wxID_ANY, wxT("\xb6"), wxDefaultPosition, wxDefaultSize, 0);
m_help_web_label->Wrap(-1);
m_help_web_label->SetFont(font_wingdings);
sb_contact_tbl->Add(m_help_web_label, 0, wxEXPAND|wxALIGN_TOP, 5);
wxHyperlinkCtrl *value = new wxHyperlinkCtrl(this, wxID_ANY, m_prov.m_help_web, m_prov.m_help_web, wxDefaultPosition, wxDefaultSize, wxHL_DEFAULT_STYLE);
value->SetToolTip(_("Open the default web browser"));
sb_contact_tbl->Add(value, 0, wxEXPAND|wxALIGN_TOP, 5);
m_help_web_value = new wxHyperlinkCtrl(this, wxID_ANY, prov.m_help_web, prov.m_help_web, wxDefaultPosition, wxDefaultSize, wxHL_DEFAULT_STYLE);
m_help_web_value->SetToolTip(_("Open the default web browser"));
sb_contact_tbl->Add(m_help_web_value, 0, wxEXPAND|wxALIGN_TOP, 5);
}
if (!m_prov.m_help_email.empty()) {
wxStaticText *label = new wxStaticText(this, wxID_ANY, wxT("\x2a"), wxDefaultPosition, wxDefaultSize, 0);
label->Wrap(-1);
label->SetFont(font_wingdings);
sb_contact_tbl->Add(label, 0, wxEXPAND|wxALIGN_TOP, 5);
if (!prov.m_help_email.empty()) {
m_help_email_label = new wxStaticText(this, wxID_ANY, wxT("\x2a"), wxDefaultPosition, wxDefaultSize, 0);
m_help_email_label->Wrap(-1);
m_help_email_label->SetFont(font_wingdings);
sb_contact_tbl->Add(m_help_email_label, 0, wxEXPAND|wxALIGN_TOP, 5);
wxHyperlinkCtrl *value = new wxHyperlinkCtrl(this, wxID_ANY, m_prov.m_help_email, wxString(wxT("mailto:")) + m_prov.m_help_email, wxDefaultPosition, wxDefaultSize, wxHL_DEFAULT_STYLE);
value->SetToolTip(_("Open your e-mail program"));
sb_contact_tbl->Add(value, 0, wxEXPAND|wxALIGN_TOP, 5);
m_help_email_value = new wxHyperlinkCtrl(this, wxID_ANY, prov.m_help_email, wxString(wxT("mailto:")) + prov.m_help_email, wxDefaultPosition, wxDefaultSize, wxHL_DEFAULT_STYLE);
m_help_email_value->SetToolTip(_("Open your e-mail program"));
sb_contact_tbl->Add(m_help_email_value, 0, wxEXPAND|wxALIGN_TOP, 5);
}
if (!m_prov.m_help_phone.empty()) {
wxStaticText *label = new wxStaticText(this, wxID_ANY, wxT("\x29"), wxDefaultPosition, wxDefaultSize, 0);
label->Wrap(-1);
label->SetFont(font_wingdings);
sb_contact_tbl->Add(label, 0, wxEXPAND|wxALIGN_TOP, 5);
if (!prov.m_help_phone.empty()) {
m_help_phone_label = new wxStaticText(this, wxID_ANY, wxT("\x29"), wxDefaultPosition, wxDefaultSize, 0);
m_help_phone_label->Wrap(-1);
m_help_phone_label->SetFont(font_wingdings);
sb_contact_tbl->Add(m_help_phone_label, 0, wxEXPAND|wxALIGN_TOP, 5);
wxHyperlinkCtrl *value = new wxHyperlinkCtrl(this, wxID_ANY, m_prov.m_help_phone, wxString(wxT("tel:")) + GetPhoneNumber(m_prov.m_help_phone.c_str()), wxDefaultPosition, wxDefaultSize, wxHL_DEFAULT_STYLE);
value->SetToolTip(_("Dial the phone number"));
sb_contact_tbl->Add(value, 0, wxEXPAND|wxALIGN_TOP, 5);
m_help_phone_value = new wxHyperlinkCtrl(this, wxID_ANY, prov.m_help_phone, wxString(wxT("tel:")) + GetPhoneNumber(prov.m_help_phone.c_str()), wxDefaultPosition, wxDefaultSize, wxHL_DEFAULT_STYLE);
m_help_phone_value->SetToolTip(_("Dial the phone number"));
sb_contact_tbl->Add(m_help_phone_value, 0, wxEXPAND|wxALIGN_TOP, 5);
}
m_note_vert->Add(sb_contact_tbl, 0, wxLEFT|wxRIGHT|wxDOWN|wxEXPAND, 5);
}
}
//////////////////////////////////////////////////////////////////////
// wxEAPProviderLockedPanel
//////////////////////////////////////////////////////////////////////
wxEAPProviderLockedPanel::wxEAPProviderLockedPanel(const eap::config_provider &prov, wxWindow* parent) : wxEAPNotePanel(parent)
{
// Load and set icon.
if (m_shell32.load(_T("shell32.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
wxSetIconFromResource(m_note_icon, m_icon, m_shell32, MAKEINTRESOURCE(48));
m_note_label->SetLabel(wxString::Format(_("%s has pre-set parts of this configuration. Those parts are locked to prevent accidental modification."),
!prov.m_name.empty() ? prov.m_name.c_str() :
!prov.m_id .empty() ? winstd::tstring_printf(_("Your %ls provider"), prov.m_id.c_str()).c_str() : _("Your provider")));
m_note_label->Wrap(449);
CreateContactFields(prov);
this->Layout();
}
bool wxEAPProviderLockedPanel::AcceptsFocusFromKeyboard() const
//////////////////////////////////////////////////////////////////////
// wxEAPCredentialWarningPanel
//////////////////////////////////////////////////////////////////////
wxEAPCredentialWarningPanel::wxEAPCredentialWarningPanel(const eap::config_provider &prov, wxWindow* parent) : wxEAPNotePanel(parent)
{
return !m_prov.m_help_email.empty() || !m_prov.m_help_web.empty() || !m_prov.m_help_phone.empty();
// Load and set icon.
if (m_shell32.load(_T("shell32.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
wxSetIconFromResource(m_note_icon, m_icon, m_shell32, MAKEINTRESOURCE(161));
m_note_label->SetLabel(_("Previous attempt to connect using provided credentials failed. Please, make sure your credentials are correct, or try again later."));
m_note_label->Wrap(449);
CreateContactFields(prov);
this->Layout();
}

BIN
lib/Events/res/EventsETW.man
View File

Binary file not shown.

22
lib/PAP/include/Credentials.h
View File

@ -28,6 +28,8 @@ namespace eap
#pragma once
#include "Config.h"
#include "../../EAPBase/include/Credentials.h"
#include <Windows.h>
@ -95,5 +97,25 @@ namespace eap
virtual LPCTSTR target_suffix() const;
/// @}
///
/// Combine credentials in the following order:
///
/// 1. Cached credentials
/// 2. Pre-configured credentials
/// 3. Stored credentials
///
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL)
/// \param[in] cfg Method configuration
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
///
/// \returns
/// - \c true if credentials were set;
/// - \c false otherwise
///
bool combine(
_In_ const credentials_pap *cred_cached,
_In_ const config_method_pap &cfg,
_In_opt_z_ LPCTSTR pszTargetName);
};
}

40
lib/PAP/src/Credentials.cpp
View File

@ -20,6 +20,9 @@
#include "StdAfx.h"
using namespace std;
using namespace winstd;
//////////////////////////////////////////////////////////////////////
// eap::credentials_pap
@ -70,3 +73,40 @@ LPCTSTR eap::credentials_pap::target_suffix() const
{
return _T("PAP");
}
bool eap::credentials_pap::combine(
_In_ const credentials_pap *cred_cached,
_In_ const config_method_pap &cfg,
_In_opt_z_ LPCTSTR pszTargetName)
{
if (cred_cached) {
// Using EAP service cached credentials.
*this = *cred_cached;
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)eap_type_pap), event_data(credentials_pap::get_name()), event_data::blank);
return true;
}
if (cfg.m_use_preshared) {
// Using preshared credentials.
*this = *(credentials_pap*)cfg.m_preshared.get();
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)eap_type_pap), event_data(credentials_pap::get_name()), event_data::blank);
return true;
}
if (pszTargetName) {
try {
credentials_pap cred_loaded(m_module);
cred_loaded.retrieve(pszTargetName);
// Using stored credentials.
*this = std::move(cred_loaded);
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)eap_type_pap), event_data(credentials_pap::get_name()), event_data::blank);
return true;
} catch (...) {
// Not actually an error.
}
}
return false;
}

22
lib/TLS/include/Credentials.h
View File

@ -30,6 +30,8 @@ namespace eap
#pragma once
#include "Config.h"
#include "../../EAPBase/include/Credentials.h"
#include <WinStd/Crypt.h>
@ -183,7 +185,25 @@ namespace eap
///
virtual winstd::tstring get_name() const;
/// @}
///
/// Combine credentials in the following order:
///
/// 1. Cached credentials
/// 2. Pre-configured credentials
/// 3. Stored credentials
///
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL)
/// \param[in] cfg Method configuration
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
///
/// \returns
/// - \c true if credentials were set;
/// - \c false otherwise
///
bool combine(
_In_ const credentials_tls *cred_cached,
_In_ const config_method_tls &cfg,
_In_opt_z_ LPCTSTR pszTargetName);
public:
winstd::cert_context m_cert; ///< Client certificate

3
lib/TLS/include/Method.h
View File

@ -539,5 +539,8 @@ namespace eap
EAP_ATTRIBUTES m_eap_attr_desc; ///< EAP Radius attributes descriptor
std::vector<winstd::eap_attr> m_eap_attr; ///< EAP Radius attributes
BYTE *m_blob_cfg; ///< Configuration BLOB
#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
BYTE *m_blob_cred; ///< Credentials BLOB
#endif
};
}

37
lib/TLS/src/Credentials.cpp
View File

@ -254,6 +254,43 @@ tstring eap::credentials_tls::get_name() const
}
bool eap::credentials_tls::combine(
_In_ const credentials_tls *cred_cached,
_In_ const config_method_tls &cfg,
_In_opt_z_ LPCTSTR pszTargetName)
{
if (cred_cached) {
// Using EAP service cached credentials.
*this = *cred_cached;
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)eap_type_tls), event_data(credentials_tls::get_name()), event_data::blank);
return true;
}
if (cfg.m_use_preshared) {
// Using preshared credentials.
*this = *(credentials_tls*)cfg.m_preshared.get();
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)eap_type_tls), event_data(credentials_tls::get_name()), event_data::blank);
return true;
}
if (pszTargetName) {
try {
credentials_tls cred_loaded(m_module);
cred_loaded.retrieve(pszTargetName);
// Using stored credentials.
*this = std::move(cred_loaded);
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)eap_type_tls), event_data(credentials_tls::get_name()), event_data::blank);
return true;
} catch (...) {
// Not actually an error.
}
}
return false;
}
const unsigned char eap::credentials_tls::s_entropy[1024] = {
0xb9, 0xd1, 0x62, 0xd4, 0x1c, 0xe6, 0x8c, 0x25, 0x98, 0x9b, 0x1d, 0xbc, 0x40, 0x46, 0x9e, 0x6d,
0x63, 0xba, 0xda, 0x78, 0x65, 0x56, 0x97, 0x4f, 0xa0, 0x89, 0xf4, 0xc5, 0x1b, 0xf5, 0x8d, 0x69,

23
lib/TLS/src/Method.cpp
View File

@ -102,6 +102,9 @@ eap::method_tls::method_tls(_In_ module &module, _In_ config_provider_list &cfg,
m_seq_num_client(0),
m_seq_num_server(0),
m_blob_cfg(NULL),
#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
m_blob_cred(NULL),
#endif
method(module, cfg, cred)
{
}
@ -163,6 +166,11 @@ eap::method_tls::~method_tls()
{
if (m_blob_cfg)
m_module.free_memory(m_blob_cfg);
#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
if (m_blob_cred)
m_module.free_memory(m_blob_cred);
#endif
}
@ -538,7 +546,11 @@ void eap::method_tls::get_result(
m_eap_attr_desc.pAttribs = m_eap_attr.data();
ppResult->pAttribArray = &m_eap_attr_desc;
// Clear credentials as failed.
cfg_method->m_cred_failed = false;
ppResult->fIsSuccess = TRUE;
ppResult->dwFailureReasonCode = ERROR_SUCCESS;
// Update configuration with session resumption data and prepare BLOB.
cfg_method->m_session_id = m_session_id;
@ -552,6 +564,9 @@ void eap::method_tls::get_result(
cfg_method->m_session_id.clear();
cfg_method->m_master_secret.clear();
// Mark credentials as failed, so GUI can re-prompt user.
cfg_method->m_cred_failed = true;
ppResult->fIsSuccess = FALSE;
ppResult->dwFailureReasonCode = EAP_E_AUTHENTICATION_FAILED;
@ -567,6 +582,14 @@ void eap::method_tls::get_result(
if (m_blob_cfg)
m_module.free_memory(m_blob_cfg);
m_blob_cfg = ppResult->pConnectionData;
#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
ppResult->fSaveUserData = TRUE;
m_module.pack(m_cred, &ppResult->pUserData, &ppResult->dwSizeofUserData);
if (m_blob_cred)
m_module.free_memory(m_blob_cred);
m_blob_cred = ppResult->pUserData;
#endif
}

20
lib/TTLS/include/Credentials.h
View File

@ -172,6 +172,26 @@ namespace eap
/// @}
///
/// Combine credentials in the following order:
///
/// 1. Cached credentials
/// 2. Pre-configured credentials
/// 3. Stored credentials
///
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL)
/// \param[in] cfg Method configuration
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
///
/// \returns
/// - \c true if credentials were set;
/// - \c false otherwise
///
bool combine(
_In_ const credentials_ttls *cred_cached,
_In_ const config_method_ttls &cfg,
_In_opt_z_ LPCTSTR pszTargetName);
public:
std::unique_ptr<credentials> m_inner; ///< Inner credentials
};

14
lib/TTLS/src/Credentials.cpp
View File

@ -224,3 +224,17 @@ std::wstring eap::credentials_ttls::get_identity() const
return L"";
}
bool eap::credentials_ttls::combine(
_In_ const credentials_ttls *cred_cached,
_In_ const config_method_ttls &cfg,
_In_opt_z_ LPCTSTR pszTargetName)
{
bool
is_outer_set = credentials_tls::combine(cred_cached, cfg, pszTargetName),
is_inner_set =
dynamic_cast<const credentials_pap*>(m_inner.get()) ? ((credentials_pap*)m_inner.get())->combine(cred_cached ? (credentials_pap*)cred_cached->m_inner.get() : NULL, (const config_method_pap&)*cfg.m_inner, pszTargetName) : false;
return is_outer_set && is_inner_set;
}

15
lib/TTLS/src/Method.cpp
View File

@ -135,13 +135,20 @@ void eap::method_ttls::get_result(
// Do the TLS.
method_tls::get_result(reason, ppResult);
} else {
config_provider &cfg_prov(m_cfg.m_providers.front());
config_method_ttls *cfg_method = dynamic_cast<config_method_ttls*>(cfg_prov.m_methods.front().get());
assert(cfg_method);
// Mark credentials appropriately, so GUI can re-prompt user.
cfg_method->m_inner->m_cred_failed = reason == EapPeerMethodResultFailure;
// The TLS was OK.
method_tls::get_result(EapPeerMethodResultSuccess, ppResult);
if (reason == EapPeerMethodResultFailure) {
ppResult->fIsSuccess = FALSE;
ppResult->dwFailureReasonCode = EAP_E_AUTHENTICATION_FAILED;
}
//if (reason == EapPeerMethodResultFailure) {
// ppResult->fIsSuccess = FALSE;
// ppResult->dwFailureReasonCode = EAP_E_AUTHENTICATION_FAILED;
//}
}
}

140
lib/TTLS/src/Module.cpp
View File

@ -84,123 +84,67 @@ void eap::peer_ttls::get_identity(
const config_method_ttls *cfg_method = dynamic_cast<const config_method_ttls*>(cfg_prov.m_methods.front().get());
assert(cfg_method);
#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
// Unpack cached credentials.
credentials_ttls cred_in(*this);
if (dwUserDataSize)
unpack(cred_in, pUserData, dwUserDataSize);
#else
UNREFERENCED_PARAMETER(pUserData);
UNREFERENCED_PARAMETER(dwUserDataSize);
#endif
credentials_ttls cred_out(*this);
// Determine credential storage target(s).
// Determine inner credential type.
eap_type_t type_inner;
if (dynamic_cast<const config_method_pap*>(cfg_method->m_inner.get()))
if (dynamic_cast<const config_method_pap*>(cfg_method->m_inner.get())) {
cred_out.m_inner.reset(new credentials_pap(*this));
type_inner = eap_type_pap;
else {
} else {
assert(0); // Unsupported inner authentication method type.
type_inner = eap_type_undefined;
}
bool
is_outer_set = false,
is_inner_set = false;
if (dwUserDataSize) {
// Try cached credentials.
if (!is_outer_set) {
// Outer TLS: Using EAP service cached credentials.
(credentials_tls&)cred_out = (const credentials_tls&)cred_in;
log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)eap_type_tls), event_data(((credentials_tls&)cred_out).get_name()), event_data::blank);
is_outer_set = true;
}
if (!is_inner_set && cred_in.m_inner) {
// Inner: Using EAP service cached credentials.
cred_out.m_inner.reset((credentials*)cred_in.m_inner->clone());
log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)type_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
is_inner_set = true;
}
{
// Combine credentials.
user_impersonator impersonating(hTokenImpersonateUser);
*pfInvokeUI = cred_out.combine(
#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
&cred_in,
#else
NULL,
#endif
*cfg_method,
(dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? cfg_prov.m_id.c_str() : NULL) ? FALSE : TRUE;
}
if (!is_outer_set && cfg_method->m_use_preshared) {
// Outer TLS: Using preshared credentials.
(credentials_tls&)cred_out = *(credentials_tls*)cfg_method->m_preshared.get();
log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)eap_type_tls), event_data(((credentials_tls&)cred_out).get_name()), event_data::blank);
is_outer_set = true;
}
if (!is_inner_set) {
if (cfg_method->m_inner->m_use_preshared) {
// Inner: Using preshared credentials.
cred_out.m_inner.reset((credentials*)cfg_method->m_inner->m_preshared->clone());
log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)type_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
is_inner_set = true;
}
}
if ((dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 && (!is_outer_set || !is_inner_set)) {
// Not a guest & some credentials may be missing: Try to load credentials from Windows Credential Manager.
// Change user context. When applicable.
bool user_ctx_changed = hTokenImpersonateUser && ImpersonateLoggedOnUser(hTokenImpersonateUser);
if (!is_outer_set) {
try {
credentials_tls cred_loaded(*this);
cred_loaded.retrieve(cfg_prov.m_id.c_str());
// Outer TLS: Using stored credentials.
(credentials_tls&)cred_out = std::move(cred_loaded);
log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)eap_type_tls), event_data(((credentials_tls&)cred_out).get_name()), event_data::blank);
is_outer_set = true;
} catch (...) {
// Not actually an error.
}
}
if (!is_inner_set) {
unique_ptr<credentials> cred_loaded;
switch (type_inner) {
case eap_type_pap: cred_loaded.reset(new credentials_pap(*this)); break;
default : assert(0); // Unsupported inner authentication method type.
}
try {
cred_loaded->retrieve(cfg_prov.m_id.c_str());
// Inner: Using stored credentials.
cred_out.m_inner = std::move(cred_loaded);
log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)type_inner), event_data(cred_out.m_inner->get_name()), event_data::blank);
is_inner_set = true;
} catch(...) {
// Not actually an error.
}
}
// Restore user context.
if (user_ctx_changed) RevertToSelf();
}
*pfInvokeUI = FALSE;
if ((dwFlags & EAP_FLAG_MACHINE_AUTH) == 0) {
// Per-user authentication
if (!is_outer_set) {
log_event(&EAPMETHOD_TRACE_EVT_CRED_INVOKE_UI1, event_data((unsigned int)eap_type_tls), event_data::blank);
*pfInvokeUI = TRUE;
if (*pfInvokeUI) {
if ((dwFlags & EAP_FLAG_MACHINE_AUTH) == 0) {
// Per-user authentication
log_event(&EAPMETHOD_TRACE_EVT_CRED_INVOKE_UI2);
return;
}
if (!is_inner_set) {
log_event(&EAPMETHOD_TRACE_EVT_CRED_INVOKE_UI1, event_data((unsigned int)type_inner), event_data::blank);
*pfInvokeUI = TRUE;
return;
}
} else {
// Per-machine authentication
if (!is_outer_set || !is_inner_set)
} else {
// Per-machine authentication
throw win_runtime_error(ERROR_NO_SUCH_USER, __FUNCTION__ " Credentials for per-machine authentication not available.");
}
}
// If we got here, we have all credentials we need.
// If we got here, we have all credentials we need. But, wait!
if (cfg_method->m_cred_failed) {
// Outer TLS: Credentials failed on last connection attempt.
log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM, event_data((unsigned int)eap_type_tls), event_data::blank);
*pfInvokeUI = TRUE;
return;
}
if (cfg_method->m_inner->m_cred_failed) {
// Inner: Credentials failed on last connection attempt.
log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM, event_data((unsigned int)type_inner), event_data::blank);
*pfInvokeUI = TRUE;
return;
}
// Build our identity. ;)
wstring identity(std::move(cfg_method->get_public_identity(cred_out)));

52
lib/TTLS_UI/src/Module.cpp
View File

@ -127,27 +127,55 @@ void eap::peer_ttls_ui::invoke_identity_ui(
_Inout_ DWORD *pdwUserDataOutSize,
_Inout_ LPWSTR *ppwszIdentity)
{
assert(ppwszIdentity);
// Unpack configuration.
config_provider_list cfg(*this);
unpack(cfg, pConnectionData, dwConnectionDataSize);
if (cfg.m_providers.empty() || cfg.m_providers.front().m_methods.empty())
throw invalid_argument(__FUNCTION__ " Configuration has no providers and/or methods.");
credentials_ttls cred(*this);
if (dwUserDataSize)
unpack(cred, pUserData, dwUserDataSize);
// Get method configuration.
const config_provider &cfg_prov(cfg.m_providers.front());
config_method_ttls *cfg_method = dynamic_cast<config_method_ttls*>(cfg_prov.m_methods.front().get());
assert(cfg_method);
config_method_with_cred *cfg_inner = dynamic_cast<config_method_with_cred*>(cfg_method->m_inner.get());
#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
// Unpack cached credentials.
credentials_ttls cred_in(*this);
if (dwUserDataSize)
unpack(cred_in, pUserData, dwUserDataSize);
#else
UNREFERENCED_PARAMETER(pUserData);
UNREFERENCED_PARAMETER(dwUserDataSize);
#endif
credentials_ttls cred_out(*this);
// Determine inner credential type.
eap_type_t type_inner;
if (dynamic_cast<const config_method_pap*>(cfg_method->m_inner.get())) {
cred_out.m_inner.reset(new credentials_pap(*this));
type_inner = eap_type_pap;
} else {
assert(0); // Unsupported inner authentication method type.
type_inner = eap_type_undefined;
}
// Combine credentials.
cred_out.combine(
#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
&cred_in,
#else
NULL,
#endif
*cfg_method,
(dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? cfg_prov.m_id.c_str() : NULL);
if (dwFlags & EAP_FLAG_GUEST_ACCESS) {
// Disable credential saving for guests.
cfg_method->m_allow_save = false;
if (cfg_inner)
cfg_inner->m_allow_save = false;
else
assert(0); // Missing inner configuration.
cfg_method->m_inner->m_allow_save = false;
}
// Initialize application.
@ -164,7 +192,7 @@ void eap::peer_ttls_ui::invoke_identity_ui(
// Create and launch credentials dialog.
wxEAPCredentialsDialog dlg(cfg_prov, &parent);
wxTTLSCredentialsPanel *panel = new wxTTLSCredentialsPanel(cfg_prov, *cfg_method, cred, cfg_prov.m_id.c_str(), &dlg);
wxTTLSCredentialsPanel *panel = new wxTTLSCredentialsPanel(cfg_prov, *cfg_method, cred_out, cfg_prov.m_id.c_str(), &dlg);
dlg.AddContents((wxPanel**)&panel, 1);
dlg.Centre(wxBOTH);
result = dlg.ShowModal();
@ -179,14 +207,14 @@ void eap::peer_ttls_ui::invoke_identity_ui(
throw win_runtime_error(ERROR_CANCELLED, __FUNCTION__ " Cancelled.");
// Build our identity. ;)
wstring identity(move(cfg_method->get_public_identity(cred)));
wstring identity(move(cfg_method->get_public_identity(cred_out)));
log_event(&EAPMETHOD_TRACE_EVT_CRED_OUTER_ID1, event_data((unsigned int)eap_type_ttls), event_data(identity), event_data::blank);
size_t size = sizeof(WCHAR)*(identity.length() + 1);
*ppwszIdentity = (WCHAR*)alloc_memory(size);
memcpy(*ppwszIdentity, identity.c_str(), size);
// Pack credentials.
pack(cred, ppUserDataOut, pdwUserDataOutSize);
pack(cred_out, ppUserDataOut, pdwUserDataOutSize);
}

7
lib/TTLS_UI/src/TTLS_UI.cpp
View File

@ -225,6 +225,10 @@ wxTTLSCredentialsPanel::wxTTLSCredentialsPanel(const eap::config_provider &prov,
sb_content->Add(m_inner_title, 0, wxALL|wxALIGN_RIGHT, 5);
assert(m_cfg.m_inner);
if (m_cfg.m_inner->m_cred_failed)
sb_content->Add(new wxEAPCredentialWarningPanel(m_prov, this), 0, wxALL|wxEXPAND, 5);
const eap::config_method_pap *cfg_inner_pap = dynamic_cast<const eap::config_method_pap*>(m_cfg.m_inner.get());
if (cfg_inner_pap) {
eap::credentials_ttls &cred_ttls = (eap::credentials_ttls&)cred;
@ -241,6 +245,9 @@ wxTTLSCredentialsPanel::wxTTLSCredentialsPanel(const eap::config_provider &prov,
m_outer_title->SetForegroundColour( wxSystemSettings::GetColour( wxSYS_COLOUR_INACTIVECAPTION ) );
sb_content->Add(m_outer_title, 0, wxALL|wxALIGN_RIGHT, 5);
if (m_cfg.m_cred_failed)
sb_content->Add(new wxEAPCredentialWarningPanel(m_prov, this), 0, wxALL|wxEXPAND, 5);
m_outer_cred = new wxTLSCredentialsPanel(m_prov, (const eap::config_method_tls&)m_cfg, (eap::credentials_tls&)cred, pszCredTarget, this, is_config);
sb_content->Add(m_outer_cred, 0, wxALL|wxEXPAND, 5);

2
lib/WinStd

@ -1 +1 @@
Subproject commit 028979524a6c944549b4adda490e48c91d998361
Subproject commit 37d768dabfc09557c316d2a64ccfecc336054ff4