Amebis/GEANTLink
Amebis/GEANTLink
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 50 Wiki Activity

credentials::combine() methods updated with support for EAPMsg:

Browse Source 
- Additional parameters
- Additional result code
- User impersonation now mounted inside of credentials::combine() when required
This commit is contained in:
Simon Rozman 2016-10-10 14:29:54 +02:00
parent c660e2b3e6
commit e94e3bdd60
12 changed files with 113 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
lib/EAPBase/include/Credentials.h
View File

@ -68,7 +68,8 @@ namespace eap
source_unknown = -1, ///< Unknown source source_unknown = -1, ///< Unknown source
source_cache = 0, ///< Credentials were obtained from EapHost cache source_cache = 0, ///< Credentials were obtained from EapHost cache
source_config, ///< Credentials were set by method configuration source_config, ///< Credentials were set by method configuration
source_storage ///< Credentials were loaded from Windows Credential Manager source_storage, ///< Credentials were loaded from Windows Credential Manager
source_lower, ///< Credentials were set by lower EAP method
}; };
@ -242,9 +243,11 @@ namespace eap
/// 2. Configured credentials (if \p cfg is derived from config_method_with_cred) /// 2. Configured credentials (if \p cfg is derived from config_method_with_cred)
/// 3. Stored credentials /// 3. Stored credentials
/// ///
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be the same type of credentials as `this`) /// \param[in] dwFlags A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
/// \param[in] cfg Method configuration (must be the same type of configuration as `this` credentials belong to) /// \param[in] hTokenImpersonateUser Impersonation token for a logged-on user to collect user-related information
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL) /// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be the same type of credentials as `this`)
/// \param[in] cfg Method configuration (must be the same type of configuration as `this` credentials belong to)
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
/// ///
/// \returns /// \returns
/// - \c source_cache Credentials were obtained from EapHost cache /// - \c source_cache Credentials were obtained from EapHost cache
@ -252,6 +255,8 @@ namespace eap
/// - \c source_storage Credentials were loaded from Windows Credential Manager /// - \c source_storage Credentials were loaded from Windows Credential Manager
/// ///
virtual source_t combine( virtual source_t combine(
_In_ DWORD dwFlags,
_In_ HANDLE hTokenImpersonateUser,
_In_opt_ const credentials *cred_cached, _In_opt_ const credentials *cred_cached,
_In_ const config_method &cfg, _In_ const config_method &cfg,
_In_opt_z_ LPCTSTR pszTargetName) = 0; _In_opt_z_ LPCTSTR pszTargetName) = 0;
@ -414,9 +419,11 @@ namespace eap
/// 2. Configured credentials (if \p cfg is derived from config_method_with_cred) /// 2. Configured credentials (if \p cfg is derived from config_method_with_cred)
/// 3. Stored credentials /// 3. Stored credentials
/// ///
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be credentials_pass* type) /// \param[in] dwFlags A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
/// \param[in] cfg Method configuration (optional, can be \c NULL, must be config_method_pap type) /// \param[in] hTokenImpersonateUser Impersonation token for a logged-on user to collect user-related information
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL) /// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be credentials_eapmsg* type)
/// \param[in] cfg Method configuration (unused, as must be as config_method_eapmsg is not derived from config_method_with_cred)
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
/// ///
/// \returns /// \returns
/// - \c source_cache Credentials were obtained from EapHost cache /// - \c source_cache Credentials were obtained from EapHost cache
@ -424,6 +431,8 @@ namespace eap
/// - \c source_storage Credentials were loaded from Windows Credential Manager /// - \c source_storage Credentials were loaded from Windows Credential Manager
/// ///
virtual source_t combine( virtual source_t combine(
_In_ DWORD dwFlags,
_In_ HANDLE hTokenImpersonateUser,
_In_opt_ const credentials *cred_cached, _In_opt_ const credentials *cred_cached,
_In_ const config_method &cfg, _In_ const config_method &cfg,
_In_opt_z_ LPCTSTR pszTargetName); _In_opt_z_ LPCTSTR pszTargetName);

7
lib/EAPBase/src/Credentials.cpp
View File

@ -437,10 +437,14 @@ LPCTSTR eap::credentials_pass::target_suffix() const
eap::credentials::source_t eap::credentials_pass::combine( eap::credentials::source_t eap::credentials_pass::combine(
_In_ DWORD dwFlags,
_In_ HANDLE hTokenImpersonateUser,
_In_opt_ const credentials *cred_cached, _In_opt_ const credentials *cred_cached,
_In_ const config_method &cfg, _In_ const config_method &cfg,
_In_opt_z_ LPCTSTR pszTargetName) _In_opt_z_ LPCTSTR pszTargetName)
{ {
UNREFERENCED_PARAMETER(dwFlags);
if (cred_cached) { if (cred_cached) {
// Using EAP service cached credentials. // Using EAP service cached credentials.
*this = *dynamic_cast<const credentials_pass*>(cred_cached); *this = *dynamic_cast<const credentials_pass*>(cred_cached);
@ -457,6 +461,9 @@ eap::credentials::source_t eap::credentials_pass::combine(
} }
if (pszTargetName) { if (pszTargetName) {
// Switch user context.
user_impersonator impersonating(hTokenImpersonateUser);
try { try {
credentials_pass cred_loaded(m_module); credentials_pass cred_loaded(m_module);
cred_loaded.retrieve(pszTargetName, cfg.m_level); cred_loaded.retrieve(pszTargetName, cfg.m_level);

10
lib/EAPMsg/include/Credentials.h
View File

@ -189,9 +189,11 @@ namespace eap
/// 2. Configured credentials (if \p cfg is derived from config_method_with_cred) /// 2. Configured credentials (if \p cfg is derived from config_method_with_cred)
/// 3. Stored credentials /// 3. Stored credentials
/// ///
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be credentials_eapmsg* type) /// \param[in] dwFlags A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
/// \param[in] cfg Method configuration (unused, as must be as config_method_eapmsg is not derived from config_method_with_cred) /// \param[in] hTokenImpersonateUser Impersonation token for a logged-on user to collect user-related information
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL) /// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be credentials_eapmsg* type)
/// \param[in] cfg Method configuration (unused, as must be as config_method_eapmsg is not derived from config_method_with_cred)
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
/// ///
/// \returns /// \returns
/// - \c source_cache Credentials were obtained from EapHost cache /// - \c source_cache Credentials were obtained from EapHost cache
@ -199,6 +201,8 @@ namespace eap
/// - \c source_storage Credentials were loaded from Windows Credential Manager /// - \c source_storage Credentials were loaded from Windows Credential Manager
/// ///
virtual source_t combine( virtual source_t combine(
_In_ DWORD dwFlags,
_In_ HANDLE hTokenImpersonateUser,
_In_opt_ const credentials *cred_cached, _In_opt_ const credentials *cred_cached,
_In_ const config_method &cfg, _In_ const config_method &cfg,
_In_opt_z_ LPCTSTR pszTargetName); _In_opt_z_ LPCTSTR pszTargetName);

58
lib/EAPMsg/src/Credentials.cpp
View File

@ -20,6 +20,8 @@
#include "StdAfx.h" #include "StdAfx.h"
#pragma comment(lib, "Eappprxy.lib")
using namespace std; using namespace std;
using namespace winstd; using namespace winstd;
@ -242,36 +244,74 @@ std::wstring eap::credentials_eapmsg::get_identity() const
eap::credentials::source_t eap::credentials_eapmsg::combine( eap::credentials::source_t eap::credentials_eapmsg::combine(
_In_ DWORD dwFlags,
_In_ HANDLE hTokenImpersonateUser,
_In_opt_ const credentials *cred_cached, _In_opt_ const credentials *cred_cached,
_In_ const config_method &cfg, _In_ const config_method &cfg,
_In_opt_z_ LPCTSTR pszTargetName) _In_opt_z_ LPCTSTR pszTargetName)
{ {
UNREFERENCED_PARAMETER(cfg); // When cached credentials are available, EapHost calls EapPeerGetIdentity() anyway.
// This allows each peer to decide to reuse or drop cached credentials itself.
// To mimic that behaviour, we do the same:
// 1. Retrieve credentials from cache (or store)
// 2. Call EapHostPeerGetIdentity()
source_t src = source_unknown;
if (cred_cached) { if (cred_cached) {
// Using EAP service cached credentials. // Using EAP service cached credentials.
*this = *(credentials_eapmsg*)cred_cached; *this = *(credentials_eapmsg*)cred_cached;
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED2, event_data((unsigned int)eap_type_tls), event_data(credentials_eapmsg::get_name()), event_data(pszTargetName), event_data::blank); m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED2, event_data((unsigned int)cfg.get_method_id()), event_data(get_name()), event_data(pszTargetName), event_data::blank);
return source_cache; src = source_cache;
} }
// We do not store inner EAP method credentials inside configuration. if (src == source_unknown && pszTargetName) {
// Therefore, we skip configured credentials.
if (pszTargetName) {
try { try {
credentials_eapmsg cred_loaded(m_module); credentials_eapmsg cred_loaded(m_module);
cred_loaded.retrieve(pszTargetName, cfg.m_level); cred_loaded.retrieve(pszTargetName, cfg.m_level);
// Using stored credentials. // Using stored credentials.
*this = std::move(cred_loaded); *this = std::move(cred_loaded);
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED2, event_data((unsigned int)eap_type_tls), event_data(credentials_eapmsg::get_name()), event_data(pszTargetName), event_data::blank); m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED2, event_data((unsigned int)cfg.get_method_id()), event_data(get_name()), event_data(pszTargetName), event_data::blank);
return source_storage; src = source_storage;
} catch (...) { } catch (...) {
// Not actually an error. // Not actually an error.
} }
} }
auto const *cfg_eapmsg = dynamic_cast<const config_method_eapmsg*>(&cfg);
BOOL fInvokeUI = FALSE;
DWORD cred_data_size = 0;
eap_blob_runtime cred_data;
unique_ptr<WCHAR[], EapHostPeerFreeRuntimeMemory_delete> identity;
eap_error error;
DWORD dwResult = EapHostPeerGetIdentity(
0,
dwFlags,
cfg_eapmsg->m_type,
(DWORD)cfg_eapmsg->m_cfg_blob.size(), cfg_eapmsg->m_cfg_blob.data(),
src != source_unknown ? (DWORD)m_cred_blob.size() : 0, src != source_unknown ? m_cred_blob.data() : NULL,
hTokenImpersonateUser,
&fInvokeUI,
&cred_data_size, &cred_data._Myptr,
&identity._Myptr,
&error._Myptr,
NULL);
if (dwResult == ERROR_SUCCESS) {
if (identity && !fInvokeUI) {
// Inner EAP method provided identity and does not require additional UI prompt.
m_identity = identity.get();
m_cred_blob.assign(cred_data.get(), cred_data.get() + cred_data_size);
m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_EAPMSG, event_data((unsigned int)cfg.get_method_id()), event_data(get_name()), event_data(pszTargetName), event_data::blank);
return source_lower;
}
} else if (error) {
// An EAP error in inner EAP method occurred.
m_module.log_error(error.get());
} else {
// A runtime error in inner EAP method occurred.
m_module.log_event(&EAPMETHOD_TRACE_EVT_WIN_ERROR, event_data((unsigned int)dwResult), event_data(__FUNCTION__ " EapHostPeerGetIdentity failed."), event_data::blank);
}
return source_unknown; return source_unknown;
} }

2
lib/EAPMsg/src/StdAfx.h
View File

@ -26,3 +26,5 @@
#include <Windows.h> #include <Windows.h>
#include <EapHostError.h> // include after Windows.h #include <EapHostError.h> // include after Windows.h
#include <EapHostPeerTypes.h>
#include <eappapis.h>

BIN
lib/Events/res/EventsETW.man
View File

Binary file not shown.

10
lib/TLS/include/Credentials.h
View File

@ -189,9 +189,11 @@ namespace eap
/// 2. Configured credentials (if \p cfg is derived from config_method_with_cred) /// 2. Configured credentials (if \p cfg is derived from config_method_with_cred)
/// 3. Stored credentials /// 3. Stored credentials
/// ///
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be credentials_tls* type) /// \param[in] dwFlags A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
/// \param[in] cfg Method configuration (must be config_method_tls type) /// \param[in] hTokenImpersonateUser Impersonation token for a logged-on user to collect user-related information
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL) /// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be credentials_eapmsg* type)
/// \param[in] cfg Method configuration (unused, as must be as config_method_eapmsg is not derived from config_method_with_cred)
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
/// ///
/// \returns /// \returns
/// - \c source_cache Credentials were obtained from EapHost cache /// - \c source_cache Credentials were obtained from EapHost cache
@ -199,6 +201,8 @@ namespace eap
/// - \c source_storage Credentials were loaded from Windows Credential Manager /// - \c source_storage Credentials were loaded from Windows Credential Manager
/// ///
virtual source_t combine( virtual source_t combine(
_In_ DWORD dwFlags,
_In_ HANDLE hTokenImpersonateUser,
_In_opt_ const credentials *cred_cached, _In_opt_ const credentials *cred_cached,
_In_ const config_method &cfg, _In_ const config_method &cfg,
_In_opt_z_ LPCTSTR pszTargetName); _In_opt_z_ LPCTSTR pszTargetName);

7
lib/TLS/src/Credentials.cpp
View File

@ -292,10 +292,14 @@ std::wstring eap::credentials_tls::get_identity() const
eap::credentials::source_t eap::credentials_tls::combine( eap::credentials::source_t eap::credentials_tls::combine(
_In_ DWORD dwFlags,
_In_ HANDLE hTokenImpersonateUser,
_In_opt_ const credentials *cred_cached, _In_opt_ const credentials *cred_cached,
_In_ const config_method &cfg, _In_ const config_method &cfg,
_In_opt_z_ LPCTSTR pszTargetName) _In_opt_z_ LPCTSTR pszTargetName)
{ {
UNREFERENCED_PARAMETER(dwFlags);
if (cred_cached) { if (cred_cached) {
// Using EAP service cached credentials. // Using EAP service cached credentials.
*this = *dynamic_cast<const credentials_tls*>(cred_cached); *this = *dynamic_cast<const credentials_tls*>(cred_cached);
@ -312,6 +316,9 @@ eap::credentials::source_t eap::credentials_tls::combine(
} }
if (pszTargetName) { if (pszTargetName) {
// Switch user context.
user_impersonator impersonating(hTokenImpersonateUser);
try { try {
credentials_tls cred_loaded(m_module); credentials_tls cred_loaded(m_module);
cred_loaded.retrieve(pszTargetName, cfg.m_level); cred_loaded.retrieve(pszTargetName, cfg.m_level);

10
lib/TTLS/include/Credentials.h
View File

@ -175,9 +175,11 @@ namespace eap
/// 2. Configured credentials (if \p cfg is derived from config_method_with_cred) /// 2. Configured credentials (if \p cfg is derived from config_method_with_cred)
/// 3. Stored credentials /// 3. Stored credentials
/// ///
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be credentials_ttls* type) /// \param[in] dwFlags A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
/// \param[in] cfg Method configuration (must be config_method_ttls type) /// \param[in] hTokenImpersonateUser Impersonation token for a logged-on user to collect user-related information
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL) /// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be credentials_eapmsg* type)
/// \param[in] cfg Method configuration (unused, as must be as config_method_eapmsg is not derived from config_method_with_cred)
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
/// ///
/// \returns /// \returns
/// - \c source_cache Credentials were obtained from EapHost cache /// - \c source_cache Credentials were obtained from EapHost cache
@ -185,6 +187,8 @@ namespace eap
/// - \c source_storage Credentials were loaded from Windows Credential Manager /// - \c source_storage Credentials were loaded from Windows Credential Manager
/// ///
virtual source_t combine( virtual source_t combine(
_In_ DWORD dwFlags,
_In_ HANDLE hTokenImpersonateUser,
_In_opt_ const credentials *cred_cached, _In_opt_ const credentials *cred_cached,
_In_ const config_method &cfg, _In_ const config_method &cfg,
_In_opt_z_ LPCTSTR pszTargetName); _In_opt_z_ LPCTSTR pszTargetName);

6
lib/TTLS/src/Credentials.cpp
View File

@ -179,18 +179,24 @@ wstring eap::credentials_ttls::get_identity() const
eap::credentials::source_t eap::credentials_ttls::combine( eap::credentials::source_t eap::credentials_ttls::combine(
_In_ DWORD dwFlags,
_In_ HANDLE hTokenImpersonateUser,
_In_opt_ const credentials *cred_cached, _In_opt_ const credentials *cred_cached,
_In_ const config_method &cfg, _In_ const config_method &cfg,
_In_opt_z_ LPCTSTR pszTargetName) _In_opt_z_ LPCTSTR pszTargetName)
{ {
// Combine outer credentials. // Combine outer credentials.
source_t src_outer = credentials_tls::combine( source_t src_outer = credentials_tls::combine(
dwFlags,
hTokenImpersonateUser,
cred_cached, cred_cached,
cfg, cfg,
pszTargetName); pszTargetName);
// Combine inner credentials. // Combine inner credentials.
source_t src_inner = m_inner->combine( source_t src_inner = m_inner->combine(
dwFlags,
hTokenImpersonateUser,
cred_cached ? dynamic_cast<const credentials_ttls*>(cred_cached)->m_inner.get() : NULL, cred_cached ? dynamic_cast<const credentials_ttls*>(cred_cached)->m_inner.get() : NULL,
*dynamic_cast<const config_method_ttls&>(cfg).m_inner, *dynamic_cast<const config_method_ttls&>(cfg).m_inner,
pszTargetName); pszTargetName);

4
lib/TTLS_UI/src/Module.cpp
View File

@ -213,6 +213,8 @@ void eap::peer_ttls_ui::invoke_identity_ui(
// Combine outer credentials. // Combine outer credentials.
eap::credentials::source_t src_outer = _cred_method->credentials_tls::combine( eap::credentials::source_t src_outer = _cred_method->credentials_tls::combine(
dwFlags,
NULL,
#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE #ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
has_cached ? cred_in.m_cred.get() : NULL, has_cached ? cred_in.m_cred.get() : NULL,
#else #else
@ -223,6 +225,8 @@ void eap::peer_ttls_ui::invoke_identity_ui(
// Combine inner credentials. // Combine inner credentials.
eap::credentials::source_t src_inner = _cred_method->m_inner->combine( eap::credentials::source_t src_inner = _cred_method->m_inner->combine(
dwFlags,
NULL,
#ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE #ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
has_cached ? dynamic_cast<credentials_ttls*>(cred_in.m_cred.get())->m_inner.get() : NULL, has_cached ? dynamic_cast<credentials_ttls*>(cred_in.m_cred.get())->m_inner.get() : NULL,
#else #else

2
lib/WinStd

@ -1 +1 @@
Subproject commit 7b1863d8b2734e77796b0526f1cc6f58a8ad0b54 Subproject commit 1c7092347c1306d55cfc2b800c669dcfeb5c449b