6e97a04bfe
credentials_tls: Keep thumbprint rather than client certificate
...
By storing the client certificate the certificate became detached from
its private key stored in user certificate store. This rendered client
certificates useless for client TLS authentication.
Now, the client certificate thumbprint is stored instead. The client
certificate is looked up in the user certificate store as required.
This breaks profile XML and BLOB backward compatibility. Since the
client certificate support was broken, nobody probably used those in
the settings before.
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:57 +01:00
5195b79eed
method_ttls: Reintroduce
...
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:56 +01:00
1d558c939e
Rename method_tls_tunnel to method_tls and move upstream
...
CRL checking was also moved upstream as method_tls triggers it.
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:37 +01:00
5c0299197b
method_defrag: Move upstream to make reusable
...
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:09:43 +01:00
c31e019cef
eap::metod thorough redesign:
...
- Support for method stacking introduced
- EAP-TLS method has been discontinued
- ownTLS has been discontinued
2016-10-31 16:58:53 +01:00
f5a40f7ca8
Doxygen update
2016-10-28 13:47:59 +02:00
654c965851
Support for various peer action request extended
2016-10-27 10:00:18 +02:00
e7e1a6735d
pEapOutput Prefast specifier for process_request_packet() methods changed
2016-10-24 14:55:31 +02:00
a1f9a7bab9
ppResult >> pResult
2016-10-24 13:33:01 +02:00
01245d15d9
ID 8. A typo in the comment from security audit resolved
2016-10-03 14:54:02 +02:00
f0af016efe
ID 4. Possibility of method_tls class initialization list optimization from security audit fixed
2016-10-03 14:54:01 +02:00
79cc1af86f
Clean-up and XML handling enhancement:
...
- XML helper functions always return objects by winstd::com_obj or winstd::bstr reference now to ensure proper release by caller
- get_element_value()/put_element_value() can optionally return reference to the XML object if required
- WinStd macros to simplify dplhandle<> and handle<> inherited classes reused by non-copyable classes
2016-09-23 14:43:31 +02:00
c765954c0f
"Last Authentication Failed" flag extended to support finer feedback, why last authentication failed
2016-09-06 14:10:02 +02:00
d83f5422d7
MSCHAPv2 almost finished...
2016-09-05 16:44:18 +02:00
c33c8b551b
Clean-up
2016-09-04 17:57:04 +02:00
621669828b
Schannel and ownTLS MSK derivation unified
2016-09-02 14:03:34 +02:00
00aee5bb78
ownTLS updated
2016-09-02 11:38:28 +02:00
198b9a576e
Maximum packet size parameter is now optional
2016-09-02 10:19:39 +02:00
566785192a
Requirement that eap::method processes EAP packets only dropped, work with non-EAP methods simplified
2016-09-02 09:50:21 +02:00
1e60d21860
On session reconnect skip inner re-authentication now
2016-09-01 12:49:20 +02:00
844b185887
EAP packet classes organized in hierarchy now
2016-09-01 10:25:33 +02:00
cafd786e19
Own TLS updated to keep it alive (now that the fuss around outer/inner methods settled)
2016-08-29 20:40:37 +02:00
a7c8052ee2
eap::method revised to support nesting, so the PAP method was made a stand-alone method
2016-08-29 20:05:58 +02:00
9daa5b52a4
Incorrect letter case referencing EapHost service fixed
2016-08-27 06:58:57 +02:00
6077063599
The credentials are marked "invalid" at transition from handshake to application data phase only to prevent initial handshake problems from popping-up credential prompt when credentials have nothing to do with the connection failure.
2016-08-25 13:08:11 +02:00
d1c24efcf0
config_method_with_cred renamed to config_connection to describe it better
2016-08-24 11:39:37 +02:00
5332b538aa
Our own TLS merged back to master and compiles conditionally
2016-08-23 22:46:00 +02:00
9b997408a1
Switched to Schannel to do the TLS
2016-08-23 13:53:23 +02:00
df1d431bd0
- TLS revised (again)
...
- TLS Session resumption issues resolved
- Credential prompt has "Remember" checkbox initially selected when credentials originate from Windows Credential Manager
- Last authentication attempt failure notice is more general and no longer insinuate user credentials are the likely cause of the failure
- Additional log messages added
2016-08-17 11:50:34 +02:00
078636eb14
make_change_chiper_spec() removed as this message can simply be created using make_message()
2016-08-17 09:09:42 +02:00
cabae26e0b
Flags describing handshake messages received assembled in a boolean table of flags
2016-08-17 09:01:11 +02:00
e9839706b6
TLS clean-up
2016-08-16 16:44:19 +02:00
f5b03bc0bf
Annotation update
2016-08-16 10:39:42 +02:00
85d7c3d4ec
Support for TLS 1.2 added
2016-08-16 00:47:47 +02:00
de802b7a28
Byte-enums redefined & code clean-up
2016-08-15 21:01:38 +02:00
c8cfe4da42
TLS version no longer static, thou still fixed to TLS 1.0
2016-08-15 19:04:21 +02:00
d8ccf7cbc0
Credential management revised
2016-08-15 17:33:10 +02:00
3d6849a523
Peer correctly returns providers configuration instead of method configuration in method_tls::get_result()
2016-08-15 14:13:14 +02:00
e807336e7b
The TLS phase can be determined from flags alone, therefore m_phase member eliminated
2016-08-15 10:40:27 +02:00
95426cde7c
Clean-up
2016-08-15 10:09:01 +02:00
99aa53726d
- PPP authentication EAP response packet is correctly formed now
...
- MS-MPPE-Send-Key/MS-MPPE-Recv-Key sorted out
2016-08-14 21:04:19 +02:00
95e2f7e01b
Encryption/decryption revised
...
- Number of memory copying reduced
- HMAC verification of server packets added
- Handshake hashing simplified
2016-08-14 18:51:18 +02:00
47653492a2
Session key importing honours MSDN recommendation about exponent-one key usage
2016-08-14 12:44:49 +02:00
d1925a0704
method_tls::prf() simplified
2016-08-14 12:41:19 +02:00
ae37c9aa6c
TLS and TTLS distinction
2016-08-13 18:55:33 +02:00
eb918f3141
Processing of vendor specific TLS messages introduced
2016-08-13 18:48:02 +02:00
c749753c68
State constants renamed more systematically
2016-08-13 18:45:40 +02:00
9f92a73aa1
make_handshake() renamed to make_message() and made more general
2016-08-13 18:42:52 +02:00
6d54d45512
Pre-master secret encryption moved to make_client_key_exchange()
2016-08-13 18:39:22 +02:00
c7a41d891a
TLS work continues...
2016-08-12 21:09:50 +02:00
