Simon Rozman
8c2225992e
TLS: Revise Schannel flags
- SCH_USE_STRONG_CRYPTO is now declared in the Windows SDK included with
Visual Studio 2019. No need to enter this flag numerically any more.
- m_sc_ctx.initialize() and m_sc_ctx.process() should use the same flags.
They actually do. Rather than copy and paste them, declare them in a
single place.
- Add the ISC_REQ_USE_SUPPLIED_CREDS flag. Use the client certificate we
supply or none at all.
- Add the ISC_REQ_MANUAL_CRED_VALIDATION flag. We validate the server
certificate.
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:59 +01:00
Simon Rozman
8d42db2f56
TLS: Use protocol version enabled on the system by default
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:58 +01:00
Simon Rozman
4dad574377
Rename StdAfx.h to PCH.h
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:58 +01:00
Simon Rozman
3bd2d1fd09
credentials_tls: Update documentation
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:57 +01:00
Simon Rozman
d4c01a5345
config_method_tls: Cleanup
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:57 +01:00
Simon Rozman
6e97a04bfe
credentials_tls: Keep thumbprint rather than client certificate
By storing the client certificate, the certificate became detached from
its private key stored in the user certificate store. This rendered client
certificates useless for client TLS authentication.
Now, the client certificate thumbprint is stored instead. The client
certificate is looked up in the user certificate store as required.
This breaks profile XML and BLOB backward compatibility. Since the
client certificate support was broken, nobody probably used those in
the settings before.
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:57 +01:00
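The detachment described in this commit, shown as an added PowerShell example (not the project's own code): a certificate object rebuilt from its encoded bytes, which is effectively what a serialized certificate in a profile BLOB amounts to, carries no private key, whereas the same certificate fetched from Cert:\CurrentUser\My by its thumbprint still references the key. The self-signed test certificate, its subject name and its one-day validity are assumptions made for the demonstration; it needs Windows PowerShell 5.1 or later with the PKI module and writes only to the current user's personal store.

```powershell
# Added example, not part of the project. Demonstrates why storing a
# certificate detaches it from its private key, while a thumbprint lookup
# in the user store does not. The certificate created here is a throw-away
# test artefact (assumed subject name and validity) and is removed at the end.

$cert = New-SelfSignedCertificate `
    -Subject 'CN=eap-thumbprint-demo' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddDays(1)

try {
    # What a profile that stores the certificate itself can carry: the
    # DER-encoded certificate (RawData). Rebuilding an X509Certificate2 from
    # those bytes yields an object with no link to the key in the store.
    $detached = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert.RawData)

    # What the revised code stores: only the thumbprint. Looking the
    # certificate up in the store by thumbprint returns the store's own
    # object, which still references the private key.
    $byThumbprint = Get-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"

    [pscustomobject]@{
        Thumbprint            = $cert.Thumbprint
        DetachedHasPrivateKey = $detached.HasPrivateKey
        StoreHasPrivateKey    = $byThumbprint.HasPrivateKey
    }
}
finally {
    # Remove the throw-away certificate together with its private key.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}
```

Running this prints DetachedHasPrivateKey as False and StoreHasPrivateKey as True for the same thumbprint, which is exactly the difference that made the previously stored client certificate unusable for TLS client authentication. The same lookup by thumbprint is what the Win32 API performs with CertFindCertificateInStore and CERT_FIND_SHA1_HASH.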
Simon Rozman
75488ba870
credentials: Move user impersonation to peer::get_identity()
To retrieve user credentials, EapHost provides us the interactive user's
token, which we can use to impersonate.
By doing the impersonation early in peer::get_identity(), we don't need
to pass the token down to the lower methods. This is a simplification
rather than a performance optimization.
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:57 +01:00
Simon Rozman
e2eb41e811
credentials_tls: Use WinCrypt to get client certificate name
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:57 +01:00
Simon Rozman
6511d826a0
peer: Move all generic methods upstream from peer_tls_base
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:57 +01:00
Simon Rozman
5b02352f1a
Resolve the make_...() methods
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:56 +01:00
Simon Rozman
5195b79eed
method_ttls: Reintroduce
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:56 +01:00
Simon Rozman
d400901c52
Rename peer_tls to peer_tls_base
peer_tls is actually not a complete EAP-TLS implementation.
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:38 +01:00
Simon Rozman
570eb83558
peer_tls: Move all applicable methods upstream to make reusable
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:38 +01:00
Simon Rozman
1d558c939e
Rename method_tls_tunnel to method_tls and move upstream
CRL checking was also moved upstream as method_tls triggers it.
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:37 +01:00
Simon Rozman
5c0299197b
method_defrag: Move upstream to make reusable
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:09:43 +01:00
Simon Rozman
b3291ff8b1
Remove excessive UTF-8 BOM marker
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-06 11:53:41 +01:00
Simon Rozman
1cc7b1a3a0
Simplify .vcxproj and .props
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-06 11:53:39 +01:00
Simon Rozman
5a7827e85e
Make enums scoped
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-06 11:53:38 +01:00
Simon Rozman
059710d83c
Update Copyright year
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-05 11:45:51 +01:00
Simon Rozman
fac33ee0b1
Remove UTF-8 BOM
Signed-off-by: Simon Rozman <simon@rozman.si>
2019-11-28 17:04:16 +01:00
Simon Rozman
6fb5cb88d2
Address code analysis warnings
Signed-off-by: Simon Rozman <simon@rozman.si>
2019-09-04 13:11:48 +02:00
Simon Rozman
0e69fb175c
Upgrade to Visual Studio 2019
Signed-off-by: Simon Rozman <simon@rozman.si>
2019-06-14 10:54:41 +02:00
Simon Rozman
5a82dc2a25
Unify LPCBYTE
Signed-off-by: Simon Rozman <simon@rozman.si>
2019-06-14 09:57:48 +02:00
Simon Rozman
1879d00bf9
Add support for ARM64 platform
2018-09-07 10:39:20 +02:00
Simon Rozman
0602285220
Switch to Visual Studio 2017
2018-09-05 14:56:08 +02:00
Simon Rozman
4ae048fd9f
Auditing of CryptProtectData() enabled
2016-11-07 11:06:20 +01:00
Simon Rozman
48ba0b3664
Typo in documentation fixed
2016-11-03 11:11:54 +01:00
Simon Rozman
b87e30bc9d
Some final adjustments to EapHost inner method code before I put it to rest because of RasMan MSCHAPv2 heap corruption :(
2016-11-03 10:11:31 +01:00
Simon Rozman
d234e55ae4
- Doxygen documentation updated
- Some minor issues stumbled upon fixed
- WIN1250 >> UTF-8
2016-11-02 01:25:38 +01:00
Simon Rozman
52a428bb5e
Various ownTLS leftover clean-up
2016-11-01 05:33:55 +01:00
Simon Rozman
c31e019cef
eap::method thorough redesign:
- Support for method stacking introduced
- EAP-TLS method has been discontinued
- ownTLS has been discontinued
2016-10-31 16:58:53 +01:00
Simon Rozman
af56825d39
Code clean-up
2016-10-28 13:50:30 +02:00
Simon Rozman
f5a40f7ca8
Doxygen update
2016-10-28 13:47:59 +02:00
Simon Rozman
654c965851
Support for various peer action requests extended
2016-10-27 10:00:18 +02:00
Simon Rozman
d87b3d37e5
Discrete output of credentials to event log centralized
2016-10-25 13:37:39 +02:00
Simon Rozman
abf54ad342
Doxygen documentation update
2016-10-25 08:51:04 +02:00
Simon Rozman
e7e1a6735d
pEapOutput Prefast specifier for process_request_packet() methods changed
2016-10-24 14:55:31 +02:00
Simon Rozman
a1f9a7bab9
ppResult >> pResult
2016-10-24 13:33:01 +02:00
Simon Rozman
7a26128c7b
"auto" simplified
2016-10-10 15:00:10 +02:00
Simon Rozman
e94e3bdd60
credentials::combine() methods updated with support for EAPMsg:
- Additional parameters
- Additional result code
- User impersonation now mounted inside of credentials::combine() when required
2016-10-10 14:31:23 +02:00
Simon Rozman
e8eec11618
EAP-TTLS inner method no longer needs to have support for configured credentials
2016-10-04 10:13:45 +02:00
Simon Rozman
c53ed21d55
Code clean-up
2016-10-03 14:54:02 +02:00
Simon Rozman
01245d15d9
ID 8. A typo in the comment from security audit resolved
2016-10-03 14:54:02 +02:00
Simon Rozman
ff4e8c6885
ID 7. Commented out parts of the code from security audit partially resolved
2016-10-03 14:54:02 +02:00
Simon Rozman
f0af016efe
ID 4. Possibility of method_tls class initialization list optimization from security audit fixed
2016-10-03 14:54:01 +02:00
Simon Rozman
559ffc5ead
ID 3. C style pointer casting from security audit fixed
2016-10-03 14:53:50 +02:00
Simon Rozman
28408fcea7
ID 2. Missing functionality from security audit report partially fixed
2016-10-03 14:52:57 +02:00
Simon Rozman
a1455078e9
Explicit server certificate check introduced
2016-10-03 14:51:45 +02:00
Simon Rozman
b6adb2a850
Common members from config_method_with_cred moved to parent config_method
2016-09-29 11:23:22 +02:00
Simon Rozman
79cc1af86f
Clean-up and XML handling enhancement:
- XML helper functions always return objects by winstd::com_obj or winstd::bstr reference now to ensure proper release by caller
- get_element_value()/put_element_value() can optionally return reference to the XML object if required
- WinStd macros to simplify dplhandle<> and handle<> inherited classes reused by non-copyable classes
2016-09-23 14:43:31 +02:00