By storing the client certificate the certificate became detached from
its private key stored in user certificate store. This rendered client
certificates useless for client TLS authentication.
Now, the client certificate thumbprint is stored instead. The client
certificate is looked up in the user certificate store as required.
This breaks profile XML and BLOB backward compatibility. Since the
client certificate support was broken, nobody probably used those in
the settings before.
Signed-off-by: Simon Rozman <simon@rozman.si>
To retrieve user credentials, EapHost provides us the interactive user's
token we can use to impersonate.
By doing the impersonation early in peer::get_identity(), we don't need
to pass the token down the lower methods. This is rather a
simplification than a performance optimization.
Signed-off-by: Simon Rozman <simon@rozman.si>
It is important to implement this method in derived classes. When we
provided default implementation returning NULL, introducing new methods
might leave this method not implemented without a compiler error.
Signed-off-by: Simon Rozman <simon@rozman.si>
wxTTLSConfigPanel is about anonymizing inner identity and was renamed to
wxEAPIdentityConfigPanel and moved upstream to make reusable.
Signed-off-by: Simon Rozman <simon@rozman.si>
When eap::config_method_eaphost::get_method_id() returns EAP-MSCHAPv2,
XML-to-BLOB gets confused and picks native EAP-MSCHAPv2 implementation.
Therefore, it was updated to always return unknown EAP type. Outer
method does not need to know the exact method implemented by EapHost
inner method.
Signed-off-by: Simon Rozman <simon@rozman.si>
Instead of delayed response packet generation, the
method_eap::process_request_packet() prepares the response packet. This
eliminates the state machine.
Signed-off-by: Simon Rozman <simon@rozman.si>
TLS methods call process_request_packet(NULL, 0) to check on the inner
method for the payload to piggyback on the final handshake response.
Signed-off-by: Simon Rozman <simon@rozman.si>
Although, EapHost takes care for EAP Success and Failure packets for us,
it does so for the outer-most method only. When using EAP inside a TLS
tunnel, we are responsible for EAP Success and Failure packets ourselves.
Signed-off-by: Simon Rozman <simon@rozman.si>
Although, EapHost takes care for EAP identity exchange for us, it does
so for the outer-most method only. When using EAP inside a TLS tunnel,
we are responsible for EAP identity exchange ourselves.
Signed-off-by: Simon Rozman <simon@rozman.si>
There should be a space between the number and a unit. Since everything
is always reported in bytes, there is no need to have a unit.
Signed-off-by: Simon Rozman <simon@rozman.si>
Modules and methods are never duplicated or moved in a memory. Moving
constructors and operators are dead code.
Signed-off-by: Simon Rozman <simon@rozman.si>
