Credential management revised

2016-08-15 17:33:10 +02:00
parent 4dc7083028
commit d8ccf7cbc0
23 changed files with 496 additions and 218 deletions
--- a/lib/TLS/include/Credentials.h
+++ b/lib/TLS/include/Credentials.h
@@ -30,6 +30,8 @@ namespace eap

 #pragma once

+#include "Config.h"
+
 #include "../../EAPBase/include/Credentials.h"

 #include <WinStd/Crypt.h>
@@ -183,7 +185,25 @@ namespace eap
        ///
        virtual winstd::tstring get_name() const;

-        /// @}
+        ///
+        /// Combine credentials in the following order:
+        ///
+        /// 1. Cached credentials
+        /// 2. Pre-configured credentials
+        /// 3. Stored credentials
+        ///
+        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL)
+        /// \param[in] cfg            Method configuration
+        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
+        ///
+        /// \returns
+        /// - \c true  if credentials were set;
+        /// - \c false otherwise
+        ///
+        bool combine(
+            _In_       const credentials_tls   *cred_cached,
+            _In_       const config_method_tls &cfg,
+            _In_opt_z_       LPCTSTR           pszTargetName);

    public:
        winstd::cert_context m_cert;    ///< Client certificate
--- a/lib/TLS/include/Method.h
+++ b/lib/TLS/include/Method.h
@@ -539,5 +539,8 @@ namespace eap
        EAP_ATTRIBUTES m_eap_attr_desc;                         ///< EAP Radius attributes descriptor
        std::vector<winstd::eap_attr> m_eap_attr;               ///< EAP Radius attributes
        BYTE *m_blob_cfg;                                       ///< Configuration BLOB
+#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
+        BYTE *m_blob_cred;                                      ///< Credentials BLOB
+#endif
    };
 }
--- a/lib/TLS/src/Credentials.cpp
+++ b/lib/TLS/src/Credentials.cpp
@@ -254,6 +254,43 @@ tstring eap::credentials_tls::get_name() const
 }


+bool eap::credentials_tls::combine(
+    _In_       const credentials_tls   *cred_cached,
+    _In_       const config_method_tls &cfg,
+    _In_opt_z_       LPCTSTR           pszTargetName)
+{
+    if (cred_cached) {
+        // Using EAP service cached credentials.
+        *this = *cred_cached;
+        m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)eap_type_tls), event_data(credentials_tls::get_name()), event_data::blank);
+        return true;
+    }
+
+    if (cfg.m_use_preshared) {
+        // Using preshared credentials.
+        *this = *(credentials_tls*)cfg.m_preshared.get();
+        m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)eap_type_tls), event_data(credentials_tls::get_name()), event_data::blank);
+        return true;
+    }
+
+    if (pszTargetName) {
+        try {
+            credentials_tls cred_loaded(m_module);
+            cred_loaded.retrieve(pszTargetName);
+
+            // Using stored credentials.
+            *this = std::move(cred_loaded);
+            m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)eap_type_tls), event_data(credentials_tls::get_name()), event_data::blank);
+            return true;
+        } catch (...) {
+            // Not actually an error.
+        }
+    }
+
+    return false;
+}
+
+
 const unsigned char eap::credentials_tls::s_entropy[1024] = {
    0xb9, 0xd1, 0x62, 0xd4, 0x1c, 0xe6, 0x8c, 0x25, 0x98, 0x9b, 0x1d, 0xbc, 0x40, 0x46, 0x9e, 0x6d,
    0x63, 0xba, 0xda, 0x78, 0x65, 0x56, 0x97, 0x4f, 0xa0, 0x89, 0xf4, 0xc5, 0x1b, 0xf5, 0x8d, 0x69,
--- a/lib/TLS/src/Method.cpp
+++ b/lib/TLS/src/Method.cpp
@@ -102,6 +102,9 @@ eap::method_tls::method_tls(_In_ module &module, _In_ config_provider_list &cfg,
    m_seq_num_client(0),
    m_seq_num_server(0),
    m_blob_cfg(NULL),
+#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
+    m_blob_cred(NULL),
+#endif
    method(module, cfg, cred)
 {
 }
@@ -163,6 +166,11 @@ eap::method_tls::~method_tls()
 {
    if (m_blob_cfg)
        m_module.free_memory(m_blob_cfg);
+
+#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
+    if (m_blob_cred)
+        m_module.free_memory(m_blob_cred);
+#endif
 }


@@ -538,7 +546,11 @@ void eap::method_tls::get_result(
        m_eap_attr_desc.pAttribs = m_eap_attr.data();
        ppResult->pAttribArray = &m_eap_attr_desc;

+        // Clear credentials as failed.
+        cfg_method->m_cred_failed = false;
+
        ppResult->fIsSuccess = TRUE;
+        ppResult->dwFailureReasonCode = ERROR_SUCCESS;

        // Update configuration with session resumption data and prepare BLOB.
        cfg_method->m_session_id    = m_session_id;
@@ -552,6 +564,9 @@ void eap::method_tls::get_result(
        cfg_method->m_session_id.clear();
        cfg_method->m_master_secret.clear();

+        // Mark credentials as failed, so GUI can re-prompt user.
+        cfg_method->m_cred_failed = true;
+
        ppResult->fIsSuccess = FALSE;
        ppResult->dwFailureReasonCode = EAP_E_AUTHENTICATION_FAILED;

@@ -567,6 +582,14 @@ void eap::method_tls::get_result(
    if (m_blob_cfg)
        m_module.free_memory(m_blob_cfg);
    m_blob_cfg = ppResult->pConnectionData;
+
+#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
+    ppResult->fSaveUserData = TRUE;
+    m_module.pack(m_cred, &ppResult->pUserData, &ppResult->dwSizeofUserData);
+    if (m_blob_cred)
+        m_module.free_memory(m_blob_cred);
+    m_blob_cred = ppResult->pUserData;
+#endif
 }