Encryption enhanced and moved to module
This commit is contained in:
parent
2f0252a33f
commit
fed1e6052a
@ -209,78 +209,6 @@ namespace eap
|
||||
|
||||
/// @}
|
||||
|
||||
/// \name Encryption
|
||||
/// @{
|
||||
|
||||
///
|
||||
/// Encrypts data
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] data Pointer to data to encrypt
|
||||
/// \param[in ] size Size of \p data in bytes
|
||||
/// \param[out] enc Encrypted data
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
/// \param[out] hHash Handle of hashing object
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
DWORD encrypt(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::vector<unsigned char> &enc, _Out_ EAP_ERROR **ppEapError, _Out_opt_ HCRYPTHASH hHash = NULL) const;
|
||||
|
||||
///
|
||||
/// Decrypts data
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] data Pointer to data to decrypt
|
||||
/// \param[in ] size Size of \p data in bytes
|
||||
/// \param[out] enc Decrypted data
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
/// \param[out] hHash Handle of hashing object
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
template<class _Ty, class _Ax>
|
||||
DWORD decrypt(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::vector<_Ty, _Ax> &dec, _Out_ EAP_ERROR **ppEapError, _Out_opt_ HCRYPTHASH hHash = NULL) const
|
||||
{
|
||||
assert(ppEapError);
|
||||
DWORD dwResult;
|
||||
|
||||
// Import the private key.
|
||||
HRSRC res = FindResource(m_module.m_instance, MAKEINTRESOURCE(IDR_EAP_KEY_PRIVATE), RT_RCDATA);
|
||||
assert(res);
|
||||
HGLOBAL res_handle = LoadResource(m_module.m_instance, res);
|
||||
assert(res_handle);
|
||||
crypt_key key;
|
||||
unique_ptr<unsigned char[], LocalFree_delete<unsigned char[]> > keyinfo_data;
|
||||
DWORD keyinfo_size = 0;
|
||||
if (!CryptDecodeObjectEx(X509_ASN_ENCODING, PKCS_RSA_PRIVATE_KEY, (const BYTE*)::LockResource(res_handle), ::SizeofResource(m_module.m_instance, res), CRYPT_DECODE_ALLOC_FLAG, NULL, &keyinfo_data, &keyinfo_size)) {
|
||||
*ppEapError = m_module.make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" CryptDecodeObjectEx failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
if (!key.import(hProv, keyinfo_data.get(), keyinfo_size, NULL, 0)) {
|
||||
*ppEapError = m_module.make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Private key import failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
// Decrypt the data using our private key.
|
||||
vector<unsigned char, sanitizing_allocator<unsigned char> > buf(size);
|
||||
memcpy(buf.data(), data, size);
|
||||
if (!CryptDecrypt(key, hHash, TRUE, 0, buf)) {
|
||||
*ppEapError = m_module.make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Decrypting password failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
dec.assign(buf.begin(), buf.end());
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
/// @}
|
||||
|
||||
public:
|
||||
std::wstring m_identity; ///< Identity (username\@domain, certificate name etc.)
|
||||
};
|
||||
|
||||
@ -60,6 +60,7 @@ namespace eap
|
||||
#include <Windows.h>
|
||||
#include <eaptypes.h> // Must include after <Windows.h>
|
||||
#include <sal.h>
|
||||
#include <tchar.h>
|
||||
|
||||
#include <EventsETW.h> // Must include after <Windows.h>
|
||||
|
||||
@ -79,6 +80,9 @@ namespace eap
|
||||
///
|
||||
virtual ~module();
|
||||
|
||||
/// \name Memory management
|
||||
/// @{
|
||||
|
||||
///
|
||||
/// Allocate a EAP_ERROR and fill it according to dwErrorCode
|
||||
///
|
||||
@ -99,6 +103,341 @@ namespace eap
|
||||
///
|
||||
void free_error_memory(_In_ EAP_ERROR *err);
|
||||
|
||||
/// @}
|
||||
|
||||
|
||||
/// \name Encryption
|
||||
/// @{
|
||||
|
||||
///
|
||||
/// Encrypts data
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] data Pointer to data to encrypt
|
||||
/// \param[in ] size Size of \p data in bytes
|
||||
/// \param[out] enc Encrypted data
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
/// \param[out] hHash Handle of hashing object
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
DWORD encrypt(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::vector<unsigned char> &enc, _Out_ EAP_ERROR **ppEapError, _Out_opt_ HCRYPTHASH hHash = NULL) const;
|
||||
|
||||
|
||||
///
|
||||
/// Encrypts a string
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] val String to encrypt
|
||||
/// \param[out] enc Encrypted data
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
/// \param[out] hHash Handle of hashing object
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
template<class _Elem, class _Traits, class _Ax>
|
||||
DWORD encrypt(_In_ HCRYPTPROV hProv, _In_ const std::basic_string<_Elem, _Traits, _Ax> &val, _Out_ std::vector<unsigned char> &enc, _Out_ EAP_ERROR **ppEapError, _Out_opt_ HCRYPTHASH hHash = NULL) const
|
||||
{
|
||||
return encrypt(hProv, val.c_str(), val.length*sizeof(_Elem), enc, ppEapError, hHash);
|
||||
}
|
||||
|
||||
|
||||
///
|
||||
/// Encrypts a wide string
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] val String to encrypt
|
||||
/// \param[out] enc Encrypted data
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
/// \param[out] hHash Handle of hashing object
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
template<class _Traits, class _Ax>
|
||||
DWORD encrypt(_In_ HCRYPTPROV hProv, _In_ const std::basic_string<wchar_t, _Traits, _Ax> &val, _Out_ std::vector<unsigned char> &enc, _Out_ EAP_ERROR **ppEapError, _Out_opt_ HCRYPTHASH hHash = NULL) const
|
||||
{
|
||||
winstd::sanitizing_string val_utf8;
|
||||
WideCharToMultiByte(CP_UTF8, 0, val.c_str(), (int)val.length(), val_utf8, NULL, NULL);
|
||||
return encrypt(hProv, val_utf8, enc, ppEapError, hHash);
|
||||
}
|
||||
|
||||
|
||||
///
|
||||
/// Encrypts data and add MD5 hash for integrity check
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] data Pointer to data to encrypt
|
||||
/// \param[in ] size Size of \p data in bytes
|
||||
/// \param[out] enc Encrypted data with 16B MD5 hash appended
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
DWORD encrypt_md5(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::vector<unsigned char> &enc, _Out_ EAP_ERROR **ppEapError) const;
|
||||
|
||||
|
||||
///
|
||||
/// Encrypts a string and add MD5 hash for integrity check
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] val String to encrypt
|
||||
/// \param[out] enc Encrypted data with 16B MD5 hash appended
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
template<class _Elem, class _Traits, class _Ax>
|
||||
DWORD encrypt_md5(_In_ HCRYPTPROV hProv, _In_ const std::basic_string<_Elem, _Traits, _Ax> &val, _Out_ std::vector<unsigned char> &enc, _Out_ EAP_ERROR **ppEapError) const
|
||||
{
|
||||
return encrypt_md5(hProv, val.c_str(), val.length()*sizeof(_Elem), enc, ppEapError);
|
||||
}
|
||||
|
||||
|
||||
///
|
||||
/// Encrypts a wide string and add MD5 hash for integrity check
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] val String to encrypt
|
||||
/// \param[out] enc Encrypted data with 16B MD5 hash appended
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
template<class _Traits, class _Ax>
|
||||
DWORD encrypt_md5(_In_ HCRYPTPROV hProv, _In_ const std::basic_string<wchar_t, _Traits, _Ax> &val, _Out_ std::vector<unsigned char> &enc, _Out_ EAP_ERROR **ppEapError) const
|
||||
{
|
||||
winstd::sanitizing_string val_utf8;
|
||||
WideCharToMultiByte(CP_UTF8, 0, val.c_str(), (int)val.length(), val_utf8, NULL, NULL);
|
||||
return encrypt_md5(hProv, val_utf8, enc, ppEapError);
|
||||
}
|
||||
|
||||
|
||||
///
|
||||
/// Decrypts data
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] data Pointer to data to decrypt
|
||||
/// \param[in ] size Size of \p data in bytes
|
||||
/// \param[out] dec Decrypted data
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
/// \param[out] hHash Handle of hashing object
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
template<class _Ty, class _Ax>
|
||||
DWORD decrypt(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::vector<_Ty, _Ax> &dec, _Out_ EAP_ERROR **ppEapError, _Out_opt_ HCRYPTHASH hHash = NULL) const
|
||||
{
|
||||
assert(ppEapError);
|
||||
DWORD dwResult;
|
||||
|
||||
// Import the private key.
|
||||
HRSRC res = FindResource(m_instance, MAKEINTRESOURCE(IDR_EAP_KEY_PRIVATE), RT_RCDATA);
|
||||
assert(res);
|
||||
HGLOBAL res_handle = LoadResource(m_instance, res);
|
||||
assert(res_handle);
|
||||
crypt_key key;
|
||||
unique_ptr<unsigned char[], LocalFree_delete<unsigned char[]> > keyinfo_data;
|
||||
DWORD keyinfo_size = 0;
|
||||
if (!CryptDecodeObjectEx(X509_ASN_ENCODING, PKCS_RSA_PRIVATE_KEY, (const BYTE*)::LockResource(res_handle), ::SizeofResource(m_instance, res), CRYPT_DECODE_ALLOC_FLAG, NULL, &keyinfo_data, &keyinfo_size)) {
|
||||
*ppEapError = make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" CryptDecodeObjectEx failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
if (!key.import(hProv, keyinfo_data.get(), keyinfo_size, NULL, 0)) {
|
||||
*ppEapError = make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Private key import failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
// Decrypt the data using our private key.
|
||||
vector<unsigned char, sanitizing_allocator<unsigned char> > buf(size);
|
||||
memcpy(buf.data(), data, size);
|
||||
if (!CryptDecrypt(key, hHash, TRUE, 0, buf)) {
|
||||
*ppEapError = make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Decrypting password failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
dec.assign(buf.begin(), buf.end());
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
///
|
||||
/// Decrypts a string
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] data Pointer to data to decrypt
|
||||
/// \param[in ] size Size of \p data in bytes
|
||||
/// \param[out] dec Decrypted string
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
/// \param[out] hHash Handle of hashing object
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
template<class _Elem, class _Traits, class _Ax>
|
||||
DWORD decrypt(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::basic_string<_Elem, _Traits, _Ax> &dec, _Out_ EAP_ERROR **ppEapError, _Out_opt_ HCRYPTHASH hHash = NULL) const
|
||||
{
|
||||
DWORD dwResult;
|
||||
|
||||
std::vector<_Elem, sanitizing_allocator<_Elem> > buf;
|
||||
if ((dwResult = decrypt(hProv, data, size, buf, ppEapError, hHash)) != ERROR_SUCCESS)
|
||||
return dwResult;
|
||||
dec.assign((const _Elem*)buf.begin(), (const _Elem*)buf.end());
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
///
|
||||
/// Decrypts a wide string
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] data Pointer to data to decrypt
|
||||
/// \param[in ] size Size of \p data in bytes
|
||||
/// \param[out] dec Decrypted string
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
/// \param[out] hHash Handle of hashing object
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
template<class _Traits, class _Ax>
|
||||
DWORD decrypt(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::basic_string<wchar_t, _Traits, _Ax> &dec, _Out_ EAP_ERROR **ppEapError, _Out_opt_ HCRYPTHASH hHash = NULL) const
|
||||
{
|
||||
DWORD dwResult;
|
||||
|
||||
winstd::sanitizing_string buf;
|
||||
if ((dwResult = decrypt(hProv, data, size, buf, ppEapError, hHash)) != ERROR_SUCCESS)
|
||||
return dwResult;
|
||||
MultiByteToWideChar(CP_UTF8, 0, buf.data(), (int)buf.size(), dec);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
///
|
||||
/// Decrypts data with MD5 integrity check
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] data Pointer to data with 16B MD5 hash appended to decrypt
|
||||
/// \param[in ] size Size of \p data in bytes
|
||||
/// \param[out] dec Decrypted data
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
template<class _Ty, class _Ax>
|
||||
DWORD decrypt_md5(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::vector<_Ty, _Ax> &dec, _Out_ EAP_ERROR **ppEapError) const
|
||||
{
|
||||
DWORD dwResult;
|
||||
|
||||
// Create hash.
|
||||
crypt_hash hash;
|
||||
if (!hash.create(hProv, CALG_MD5)) {
|
||||
*ppEapError = make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Creating MD5 hash failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
DWORD dwHashSize, dwHashSizeSize = sizeof(dwHashSize);
|
||||
CryptGetHashParam(hash, HP_HASHSIZE, (LPBYTE)&dwHashSize, &dwHashSizeSize, 0);
|
||||
if (size < dwHashSize) {
|
||||
*ppEapError = make_error(dwResult = ERROR_INVALID_DATA, 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Encrypted data too short."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
size_t enc_size = size - dwHashSize;
|
||||
|
||||
// Decrypt data.
|
||||
if ((dwResult = decrypt(hProv, data, enc_size, dec, ppEapError, hash)) != ERROR_SUCCESS)
|
||||
return dwResult;
|
||||
|
||||
// Calculate MD5 hash and verify it.
|
||||
vector<unsigned char> hash_bin;
|
||||
if (!CryptGetHashParam(hash, HP_HASHVAL, hash_bin, 0)) {
|
||||
*ppEapError = make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Calculating MD5 hash failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
if (memcmp((unsigned char*)data + enc_size, hash_bin.data(), dwHashSize) != 0) {
|
||||
*ppEapError = make_error(dwResult = ERROR_INVALID_DATA, 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Invalid encrypted data."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
///
|
||||
/// Decrypts a string with MD5 integrity check
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] data Pointer to data with 16B MD5 hash appended to decrypt
|
||||
/// \param[in ] size Size of \p data in bytes
|
||||
/// \param[out] dec Decrypted string
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
template<class _Elem, class _Traits, class _Ax>
|
||||
DWORD decrypt_md5(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::basic_string<_Elem, _Traits, _Ax> &dec, _Out_ EAP_ERROR **ppEapError) const
|
||||
{
|
||||
DWORD dwResult;
|
||||
|
||||
std::vector<_Elem, sanitizing_allocator<_Elem> > buf;
|
||||
if ((dwResult = decrypt_md5(hProv, data, size, buf, ppEapError)) != ERROR_SUCCESS)
|
||||
return dwResult;
|
||||
dec.assign(buf.data(), buf.size());
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
///
|
||||
/// Decrypts a wide string with MD5 integrity check
|
||||
///
|
||||
/// \param[in ] hProv Handle of cryptographics provider
|
||||
/// \param[in ] data Pointer to data with 16B MD5 hash appended to decrypt
|
||||
/// \param[in ] size Size of \p data in bytes
|
||||
/// \param[out] dec Decrypted string
|
||||
/// \param[out] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
|
||||
///
|
||||
/// \returns
|
||||
/// - \c ERROR_SUCCESS if succeeded
|
||||
/// - error code otherwise
|
||||
///
|
||||
template<class _Traits, class _Ax>
|
||||
DWORD decrypt_md5(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::basic_string<wchar_t, _Traits, _Ax> &dec, _Out_ EAP_ERROR **ppEapError) const
|
||||
{
|
||||
DWORD dwResult;
|
||||
|
||||
winstd::sanitizing_string buf;
|
||||
if ((dwResult = decrypt_md5(hProv, data, size, buf, ppEapError)) != ERROR_SUCCESS)
|
||||
return dwResult;
|
||||
MultiByteToWideChar(CP_UTF8, 0, buf.data(), (int)buf.size(), dec);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
/// @}
|
||||
|
||||
public:
|
||||
HINSTANCE m_instance; ///< Windows module instance
|
||||
const type_t m_eap_method; ///< EAP method type
|
||||
|
||||
@ -83,49 +83,6 @@ bool eap::credentials::empty() const
|
||||
}
|
||||
|
||||
|
||||
DWORD eap::credentials::encrypt(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::vector<unsigned char> &enc, _Out_ EAP_ERROR **ppEapError, _Out_opt_ HCRYPTHASH hHash) const
|
||||
{
|
||||
assert(ppEapError);
|
||||
DWORD dwResult;
|
||||
|
||||
// Import the public key.
|
||||
HRSRC res = FindResource(m_module.m_instance, MAKEINTRESOURCE(IDR_EAP_KEY_PUBLIC), RT_RCDATA);
|
||||
assert(res);
|
||||
HGLOBAL res_handle = LoadResource(m_module.m_instance, res);
|
||||
assert(res_handle);
|
||||
crypt_key key;
|
||||
unique_ptr<CERT_PUBLIC_KEY_INFO, LocalFree_delete<CERT_PUBLIC_KEY_INFO> > keyinfo_data;
|
||||
DWORD keyinfo_size = 0;
|
||||
if (!CryptDecodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, (const BYTE*)::LockResource(res_handle), ::SizeofResource(m_module.m_instance, res), CRYPT_DECODE_ALLOC_FLAG, NULL, &keyinfo_data, &keyinfo_size)) {
|
||||
*ppEapError = m_module.make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" CryptDecodeObjectEx failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
if (!key.import_public(hProv, X509_ASN_ENCODING, keyinfo_data.get())) {
|
||||
*ppEapError = m_module.make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Public key import failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
// Pre-allocate memory to allow space, as encryption will grow the data.
|
||||
DWORD dwBlockLen;
|
||||
vector<unsigned char, sanitizing_allocator<unsigned char> > buf(size);
|
||||
memcpy(buf.data(), data, size);
|
||||
if (!CryptGetKeyParam(key, KP_BLOCKLEN, dwBlockLen, 0)) dwBlockLen = 0;
|
||||
buf.reserve((size + dwBlockLen - 1) / dwBlockLen * dwBlockLen);
|
||||
|
||||
// Encrypt the data using our public key.
|
||||
if (!CryptEncrypt(key, hHash, TRUE, 0, buf)) {
|
||||
*ppEapError = m_module.make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Encrypting data failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
// Copy encrypted data.
|
||||
enc.assign(buf.begin(), buf.end());
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
//////////////////////////////////////////////////////////////////////
|
||||
// eap::credentials_pass
|
||||
//////////////////////////////////////////////////////////////////////
|
||||
@ -241,27 +198,11 @@ DWORD eap::credentials_pass::store(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR *
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
// Convert password to UTF-8.
|
||||
sanitizing_string password_utf8;
|
||||
WideCharToMultiByte(CP_UTF8, 0, m_password.c_str(), (int)m_password.length(), password_utf8, NULL, NULL);
|
||||
|
||||
// Create hash.
|
||||
crypt_hash hash;
|
||||
if (!hash.create(cp, CALG_MD5)) {
|
||||
*ppEapError = m_module.make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Creating MD5 hash failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
// Encrypt password.
|
||||
vector<unsigned char> password;
|
||||
if ((dwResult = encrypt(cp, password_utf8.c_str(), password_utf8.length(), password, ppEapError, hash)) != ERROR_SUCCESS)
|
||||
if ((dwResult = m_module.encrypt_md5(cp, m_password, password, ppEapError)) != ERROR_SUCCESS)
|
||||
return dwResult;
|
||||
|
||||
// Calculate MD5 hash and append it.
|
||||
vector<char> hash_bin;
|
||||
CryptGetHashParam(hash, HP_HASHVAL, hash_bin, 0);
|
||||
password.insert(password.end(), hash_bin.begin(), hash_bin.end());
|
||||
|
||||
// Convert encrypted password to Base64, since CredProtectA() fail for binary strings.
|
||||
string password_base64;
|
||||
base64_enc enc;
|
||||
@ -336,38 +277,9 @@ DWORD eap::credentials_pass::retrieve(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERRO
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
// Create hash.
|
||||
crypt_hash hash;
|
||||
if (!hash.create(cp, CALG_MD5)) {
|
||||
*ppEapError = m_module.make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Creating MD5 hash failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
DWORD dwHashSize, dwHashSizeSize = sizeof(dwHashSize);
|
||||
CryptGetHashParam(hash, HP_HASHSIZE, (LPBYTE)&dwHashSize, &dwHashSizeSize, 0);
|
||||
if (password.size() < dwHashSize) {
|
||||
*ppEapError = m_module.make_error(dwResult = ERROR_INVALID_DATA, 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Encrypted password too short."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
// Extract hash from encrypted password.
|
||||
vector<char> hash_bin;
|
||||
size_t enc_size = password.size() - dwHashSize;
|
||||
hash_bin.assign(password.begin() + enc_size, password.end());
|
||||
|
||||
// Decrypt password.
|
||||
if ((dwResult = decrypt(cp, password.data(), enc_size, password, ppEapError, hash)) != ERROR_SUCCESS)
|
||||
if ((dwResult = m_module.decrypt_md5(cp, password.data(), password.size(), m_password, ppEapError)) != ERROR_SUCCESS)
|
||||
return dwResult;
|
||||
|
||||
// Calculate MD5 hash and verify it.
|
||||
vector<char> hash2_bin;
|
||||
CryptGetHashParam(hash, HP_HASHVAL, hash2_bin, 0);
|
||||
if (hash_bin != hash2_bin) {
|
||||
*ppEapError = m_module.make_error(dwResult = ERROR_INVALID_DATA, 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Invalid password data."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
// Convert password from UTF-8.
|
||||
MultiByteToWideChar(CP_UTF8, 0, password.data(), (int)password.size(), m_password);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
@ -121,3 +121,73 @@ void eap::module::free_error_memory(_In_ EAP_ERROR *err)
|
||||
// pRootCauseString and pRepairString always trail the ppEapError to reduce number of (de)allocations.
|
||||
HeapFree(m_heap, 0, err);
|
||||
}
|
||||
|
||||
|
||||
DWORD eap::module::encrypt(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::vector<unsigned char> &enc, _Out_ EAP_ERROR **ppEapError, _Out_opt_ HCRYPTHASH hHash) const
|
||||
{
|
||||
assert(ppEapError);
|
||||
DWORD dwResult;
|
||||
|
||||
// Import the public key.
|
||||
HRSRC res = FindResource(m_instance, MAKEINTRESOURCE(IDR_EAP_KEY_PUBLIC), RT_RCDATA);
|
||||
assert(res);
|
||||
HGLOBAL res_handle = LoadResource(m_instance, res);
|
||||
assert(res_handle);
|
||||
crypt_key key;
|
||||
unique_ptr<CERT_PUBLIC_KEY_INFO, LocalFree_delete<CERT_PUBLIC_KEY_INFO> > keyinfo_data;
|
||||
DWORD keyinfo_size = 0;
|
||||
if (!CryptDecodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, (const BYTE*)::LockResource(res_handle), ::SizeofResource(m_instance, res), CRYPT_DECODE_ALLOC_FLAG, NULL, &keyinfo_data, &keyinfo_size)) {
|
||||
*ppEapError = make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" CryptDecodeObjectEx failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
if (!key.import_public(hProv, X509_ASN_ENCODING, keyinfo_data.get())) {
|
||||
*ppEapError = make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Public key import failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
// Pre-allocate memory to allow space, as encryption will grow the data.
|
||||
DWORD dwBlockLen;
|
||||
vector<unsigned char, sanitizing_allocator<unsigned char> > buf(size);
|
||||
memcpy(buf.data(), data, size);
|
||||
if (!CryptGetKeyParam(key, KP_BLOCKLEN, dwBlockLen, 0)) dwBlockLen = 0;
|
||||
buf.reserve((size + dwBlockLen - 1) / dwBlockLen * dwBlockLen);
|
||||
|
||||
// Encrypt the data using our public key.
|
||||
if (!CryptEncrypt(key, hHash, TRUE, 0, buf)) {
|
||||
*ppEapError = make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Encrypting data failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
// Copy encrypted data.
|
||||
enc.assign(buf.begin(), buf.end());
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
DWORD eap::module::encrypt_md5(_In_ HCRYPTPROV hProv, _In_bytecount_(size) const void *data, _In_ size_t size, _Out_ std::vector<unsigned char> &enc, _Out_ EAP_ERROR **ppEapError) const
|
||||
{
|
||||
DWORD dwResult;
|
||||
|
||||
// Create hash.
|
||||
crypt_hash hash;
|
||||
if (!hash.create(hProv, CALG_MD5)) {
|
||||
*ppEapError = make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Creating MD5 hash failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
// Encrypt data.
|
||||
if ((dwResult = encrypt(hProv, data, size, enc, ppEapError, hash)) != ERROR_SUCCESS)
|
||||
return dwResult;
|
||||
|
||||
// Calculate MD5 hash and append it.
|
||||
vector<unsigned char> hash_bin;
|
||||
if (!CryptGetHashParam(hash, HP_HASHVAL, hash_bin, 0)) {
|
||||
*ppEapError = make_error(dwResult = GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" Calculating MD5 hash failed."), NULL);
|
||||
return dwResult;
|
||||
}
|
||||
enc.insert(enc.end(), hash_bin.begin(), hash_bin.end());
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
@ -1 +1 @@
|
||||
Subproject commit e4f5b63a85bba6364327b2b7161f934b0f80287a
|
||||
Subproject commit 385986f704e96025cc7111b74094579ceb0b7380
|
||||
Loading…
x
Reference in New Issue
Block a user