54 Commits

Author SHA1 Message Date
4dad574377 Rename StdAfx.h to PCH.h
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:58 +01:00
6e97a04bfe credentials_tls: Keep thumbprint rather than client certificate
By storing the client certificate the certificate became detached from
its private key stored in user certificate store. This rendered client
certificates useless for client TLS authentication.

Now, the client certificate thumbprint is stored instead. The client
certificate is looked up in the user certificate store as required.

This breaks profile XML and BLOB backward compatibility. Since the
client certificate support was broken, nobody probably used those in
the settings before.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:57 +01:00
75488ba870 credentials: Move user impersonation to peer::get_identity()
To retrieve user credentials, EapHost provides us the interactive user's
token we can use to impersonate.

By doing the impersonation early in peer::get_identity(), we don't need
to pass the token down the lower methods. This is rather a
simplification than a performance optimization.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:57 +01:00
e2eb41e811 credentials_tls: Use WinCrypt to get client certificate name
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-07 13:10:57 +01:00
5a7827e85e Make enums scoped
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-06 11:53:38 +01:00
059710d83c Update Copyright year
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-05 11:45:51 +01:00
fac33ee0b1 Remove UTF-8 BOM
Signed-off-by: Simon Rozman <simon@rozman.si>
2019-11-28 17:04:16 +01:00
6fb5cb88d2 Address code analysis warnings
Signed-off-by: Simon Rozman <simon@rozman.si>
2019-09-04 13:11:48 +02:00
4ae048fd9f Auditing of CryptProtectData() enabled 2016-11-07 11:06:20 +01:00
b87e30bc9d Some final adjustments to EapHost inner method code before I put it to rest because of RasMan MSCHAPv2 heap corruption :( 2016-11-03 10:11:31 +01:00
d234e55ae4 - Doxygen documentation updated
- Some minor issues stumbled upon fixed
- WIN1250 >> UTF-8
2016-11-02 01:25:38 +01:00
d87b3d37e5 Discrete output of credentials to event log centralized 2016-10-25 13:37:39 +02:00
7a26128c7b "auto" simplified 2016-10-10 15:00:10 +02:00
e94e3bdd60 credentials::combine() methods updated with support for EAPMsg:
- Additional parameters
- Additional result code
- User impersonation now mounted inside of credentials::combine() when required
2016-10-10 14:31:23 +02:00
e8eec11618 EAP-TTLS inner method no longer needs to have support for configured credentials 2016-10-04 10:13:45 +02:00
559ffc5ead ID 3. C style pointer casting from security audit fixed 2016-10-03 14:53:50 +02:00
79cc1af86f Clean-up and XML handling enhancement:
- XML helper functions always return objects by winstd::com_obj or winstd::bstr reference now to ensure proper release by caller
- get_element_value()/put_element_value() can optionally return reference to the XML object if required
- WinStd macros to simplify dplhandle<> and handle<> inherited classes reused by non-copyable classes
2016-09-23 14:43:31 +02:00
0ab18017cd Pre-shared >> Configured credentials, Own >> Stored credentials 2016-09-21 09:43:02 +02:00
641c9b6932 Credentials are no longer stored using method name (TLS/PAP/MSCHAPv2) but with level/type identifier 2016-09-06 15:39:41 +02:00
c9be6f4f7b Support for multiple identity providers of draft-winter-opsawg-eap-metadata XML configuration added 2016-08-31 14:39:27 +02:00
452fa4b9dc Inserting single-occurrence XML elements with children simplified 2016-08-31 09:48:11 +02:00
68aec5dfb4 Namespace name is static member now 2016-08-31 08:43:03 +02:00
b6ae394eaf User identity derived from certificate is using sAN2 and sAN extensions only now 2016-08-29 13:51:19 +02:00
df680e74f6 TLS credentials are considered empty regardless the state of custom identity setting now 2016-08-28 20:05:41 +02:00
fc5e54db05 Inner configuration/credential management virtualized to reduce cluttering code 2016-08-28 17:20:24 +02:00
6835f5279c Certificate (TLS) credentials support custom identity now 2016-08-24 11:03:18 +02:00
df1d431bd0 - TLS revised (again)
- TLS Session resumption issues resolved
- Credential prompt has "Remember" checkbox initially selected when credentials originate from Windows Credential Manager
- Last authentication attempt failure notice is more general and no longer insinuate user credentials are the likely cause of the failure
- Additional log messages added
2016-08-17 11:50:34 +02:00
d8ccf7cbc0 Credential management revised 2016-08-15 17:33:10 +02:00
e34d2ba275 Prefast declaration update 2016-08-15 15:10:42 +02:00
1bf51fda25 win_runtime_error moved to WinStd; eapxml functions return HRESULT now 2016-08-09 01:05:00 +02:00
b71e30f642 EAP_ERROR replaced with C++ exceptions for increased code readability 2016-08-08 22:59:17 +02:00
2aa4bce8cc eap::config::m_module reference again 2016-08-06 07:01:12 +02:00
460adb9858 m_module is now a pointer instead of reference 2016-08-05 11:23:59 +02:00
35034789d2 String typing fixed 2016-07-21 12:34:49 +02:00
ee8410bdb9 credentials::target_suffix() is public now, as it can be reused to provide GUI method identifier 2016-07-21 12:33:32 +02:00
627b20aabc pack() => operator <<, unpack() => operator >>, get_pk_size() => pksizeof() 2016-07-21 09:20:09 +02:00
51428d290f Memory overflow detection when packing/unpacking BLOB added 2016-07-20 19:29:21 +02:00
ce0bbc5b45 config_method::m_preshared moved to heap, which in turn required shift to virtual methods for packing/unpacking BLOBs 2016-07-20 14:59:12 +02:00
3e82e988d4 Identity of digital certificates is correctly resolved now 2016-07-20 12:59:58 +02:00
512f46f014 pack/unpack & load/save nesting arranged all the way up to eap::config 2016-07-20 10:31:34 +02:00
a92cafea36 eap::credentials::get_name() method introduced to allow more detailed display of certificate names 2016-07-20 10:05:36 +02:00
4f6943044f eap::credentials::m_identity replaced with virtual method get_identity() 2016-07-20 09:54:26 +02:00
4630b32f77 target_suffix() method is private now 2016-07-19 13:39:41 +02:00
4acabbca4e Configuration and credentials logging introduced 2016-07-19 12:53:54 +02:00
922d0ac3d0 Additional RSA credential encryption replaced with product-specific entropy in user-specific encryption pass, to circumvent RSA data length limitation 2016-06-22 23:32:28 +02:00
a2ca2fd850 Logging and error reporting simplified 2016-06-21 13:15:50 +02:00
0c8492ccd1 CredProtect() replaced with CryptProtectData() << the former didn't work between normal and UAC-elevated processes: stored credentials are no longer valid and should be reentered 2016-06-20 16:37:48 +02:00
d430b63829 (Pre-shared) client certificates are no longer maintained by hash only 2016-06-16 00:29:56 +02:00
ec0b283540 Functions using EAP_ERROR descriptor return bool now for code simplicity 2016-06-15 22:59:52 +02:00
a9fdd1d71d Support for pre-shared credentials introduced 2016-06-15 20:00:04 +02:00