Version set to 1.0-alpha10-owntls

Event descriptors updated
Sub-module update
2016-08-23 14:52:26 +02:00 · 2016-08-23 14:48:47 +02:00 · 2016-08-23 14:46:06 +02:00 · 2016-08-23 14:43:07 +02:00 · 2016-08-23 14:42:43 +02:00 · 2016-08-23 14:42:11 +02:00
10 changed files with 4891 additions and 4855 deletions
--- a/include/Version.h
+++ b/include/Version.h
@ -29,7 +29,7 @@
 // Product version as a single DWORD
 // Note: Used for version comparison within C/C++ code.
 //
-#define PRODUCT_VERSION          0x00ff0900
+#define PRODUCT_VERSION          0x00ff0a00

 //
 // Product version by components
@ -39,26 +39,26 @@
 //
 #define PRODUCT_VERSION_MAJ      0
 #define PRODUCT_VERSION_MIN      255
-#define PRODUCT_VERSION_REV      9
+#define PRODUCT_VERSION_REV      10
 #define PRODUCT_VERSION_BUILD    0

 //
 // Human readable product version and build year for UI
 //
-#define PRODUCT_VERSION_STR      "1.0-alpha9"
+#define PRODUCT_VERSION_STR      "1.0-alpha10-owntls"
 #define PRODUCT_BUILD_YEAR_STR   "2016"

 //
 // Numerical version presentation for ProductVersion propery in
 // MSI packages (syntax: N.N[.N[.N]])
 //
-#define PRODUCT_VERSION_INST     "0.255.9"
+#define PRODUCT_VERSION_INST     "0.255.10"

 //
 // The product code for ProductCode property in MSI packages
 // Replace with new on every version change, regardless how minor it is.
 //
-#define PRODUCT_VERSION_GUID     "{E6169375-3FA7-443A-921A-44105A94201C}"
+#define PRODUCT_VERSION_GUID     "{C3675615-0D70-47C7-9BCB-B683A77C6ED6}"

 //
 // Since the product name is not finally confirmed at the time of
--- a/lib/Events/res/EventsETW.man
+++ b/lib/Events/res/EventsETW.man
--- a/lib/TLS/include/Config.h
+++ b/lib/TLS/include/Config.h
@ -167,7 +167,7 @@ namespace eap

    public:
        std::list<winstd::cert_context> m_trusted_root_ca;  ///< Trusted root CAs
-        std::list<std::string> m_server_names;              ///< Acceptable authenticating server names
+        std::list<std::wstring> m_server_names;             ///< Acceptable authenticating server names

        // Following members are used for session resumptions. They are not exported/imported to XML.
        sanitizing_blob m_session_id;                       ///< TLS session ID
--- a/lib/TLS/src/Config.cpp
+++ b/lib/TLS/src/Config.cpp
@ -161,10 +161,8 @@ void eap::config_method_tls::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNode *
    }

    // <ServerName>
-    for (list<string>::const_iterator i = m_server_names.begin(), i_end = m_server_names.end(); i != i_end; ++i) {
-        wstring str;
-        MultiByteToWideChar(CP_UTF8, 0, i->c_str(), (int)i->length(), str);
-        if (FAILED(hr = eapxml::put_element_value(pDoc, pXmlElServerSideCredential, bstr(L"ServerName"), bstrNamespace, bstr(str))))
+    for (list<wstring>::const_iterator i = m_server_names.begin(), i_end = m_server_names.end(); i != i_end; ++i) {
+        if (FAILED(hr = eapxml::put_element_value(pDoc, pXmlElServerSideCredential, bstr(L"ServerName"), bstrNamespace, bstr(*i))))
            throw com_runtime_error(hr, __FUNCTION__ " Error creating <ServerName> element.");
    }
 }
@ -231,12 +229,7 @@ void eap::config_method_tls::load(_In_ IXMLDOMNode *pConfigRoot)
                pXmlListServerIDs->get_item(j, &pXmlElServerID);
                bstr bstrServerID;
                pXmlElServerID->get_text(&bstrServerID);
-
-                // Server names (FQDNs) are always ASCII. Hopefully. Convert them to UTF-8 anyway for consistent comparison. CP_ANSI varies.
-                string str;
-                WideCharToMultiByte(CP_UTF8, 0, bstrServerID, bstrServerID.length(), str, NULL, NULL);
-
-                m_server_names.push_back(str);
+                m_server_names.push_back(wstring(bstrServerID));
            }

            m_module.log_config((xpathServerSideCredential + L"/ServerName").c_str(), m_server_names);
--- a/lib/TLS/src/Method.cpp
+++ b/lib/TLS/src/Method.cpp
@ -653,7 +653,7 @@ eap::sanitizing_blob eap::method_tls::make_client_hello()
    msg.insert(msg.end(), m_session_id.begin(), m_session_id.end());

    // Cypher suite list
-    unsigned short size_cipher_suite2 = htons((unsigned short)sizeof(s_cipher_suite));
+    unsigned short size_cipher_suite2 = htons((unsigned short)sizeof(s_cipher_suite)/2);
    msg.insert(msg.end(), (unsigned char*)&size_cipher_suite2, (unsigned char*)(&size_cipher_suite2 + 1));
    msg.insert(msg.end(), s_cipher_suite, s_cipher_suite + _countof(s_cipher_suite));

@ -1166,39 +1166,82 @@ void eap::method_tls::verify_server_trust() const
    assert(!m_server_cert_chain.empty());
    const cert_context &cert = m_server_cert_chain.front();

-    string subj;
-    if (!CertGetNameStringA(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, subj))
-        throw win_runtime_error(__FUNCTION__ " Error retrieving server's certificate subject name.");
-
    const config_provider &cfg_prov(m_cfg.m_providers.front());
    const config_method_tls *cfg_method = dynamic_cast<const config_method_tls*>(cfg_prov.m_methods.front().get());
    assert(cfg_method);

+    // Check server name.
    if (!cfg_method->m_server_names.empty()) {
-        // Check server name.
-        for (list<string>::const_iterator s = cfg_method->m_server_names.cbegin(), s_end = cfg_method->m_server_names.cend();; ++s) {
-            if (s != s_end) {
-                const char
-                    *a = s->c_str(),
-                    *b = subj.c_str();
-                size_t
-                    len_a = s->length(),
-                    len_b = subj.length();
+        bool
+            has_san = false,
+            found   = false;

-                if (_stricmp(a, b) == 0 || // Direct match
-                    a[0] == '*' && len_b + 1 >= len_a && _stricmp(a + 1, b + len_b - (len_a - 1)) == 0) // "*..." wildchar match
-                {
-                    m_module.log_event(&EAPMETHOD_TLS_SERVER_NAME_TRUSTED, event_data(subj), event_data::blank);
-                    break;
+        // Search subjectAltName2 and subjectAltName.
+        for (DWORD i = 0; !found && i < cert->pCertInfo->cExtension; i++) {
+            unique_ptr<CERT_ALT_NAME_INFO, LocalFree_delete<CERT_ALT_NAME_INFO> > san_info;
+            if (strcmp(cert->pCertInfo->rgExtension[i].pszObjId, szOID_SUBJECT_ALT_NAME2) == 0) {
+                unsigned char *output = NULL;
+                DWORD size_output;
+                if (!CryptDecodeObjectEx(
+                        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+                        szOID_SUBJECT_ALT_NAME2,
+                        cert->pCertInfo->rgExtension[i].Value.pbData, cert->pCertInfo->rgExtension[i].Value.cbData,
+                        CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_ENABLE_PUNYCODE_FLAG,
+                        NULL,
+                        &output, &size_output))
+                    throw win_runtime_error(__FUNCTION__ " Error decoding certificate extension.");
+                san_info.reset((CERT_ALT_NAME_INFO*)output);
+            } else if (strcmp(cert->pCertInfo->rgExtension[i].pszObjId, szOID_SUBJECT_ALT_NAME) == 0) {
+                unsigned char *output = NULL;
+                DWORD size_output;
+                if (!CryptDecodeObjectEx(
+                        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+                        szOID_SUBJECT_ALT_NAME,
+                        cert->pCertInfo->rgExtension[i].Value.pbData, cert->pCertInfo->rgExtension[i].Value.cbData,
+                        CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_ENABLE_PUNYCODE_FLAG,
+                        NULL,
+                        &output, &size_output))
+                    throw win_runtime_error(__FUNCTION__ " Error decoding certificate extension.");
+                san_info.reset((CERT_ALT_NAME_INFO*)output);
+            } else {
+                // Skip this extension.
+                continue;
+            }
+            has_san = true;
+
+            for (list<wstring>::const_iterator s = cfg_method->m_server_names.cbegin(), s_end = cfg_method->m_server_names.cend(); !found && s != s_end; ++s) {
+                for (DWORD i = 0; !found && i < san_info->cAltEntry; i++) {
+                    if (san_info->rgAltEntry[i].dwAltNameChoice == CERT_ALT_NAME_DNS_NAME &&
+                        _wcsicmp(s->c_str(), san_info->rgAltEntry[i].pwszDNSName) == 0)
+                    {
+                        m_module.log_event(&EAPMETHOD_TLS_SERVER_NAME_TRUSTED1, event_data(san_info->rgAltEntry[i].pwszDNSName), event_data::blank);
+                        found = true;
+                    }
                }
-            } else
-                throw win_runtime_error(ERROR_INVALID_DOMAINNAME, string_printf(__FUNCTION__ " Server name %s is not on the list of trusted server names.", subj.c_str()).c_str());
+            }
        }
+
+        if (!has_san) {
+            // Certificate has no subjectAltName. Compare against Common Name.
+            wstring subj;
+            if (!CertGetNameStringW(cert, CERT_NAME_DNS_TYPE, CERT_NAME_STR_ENABLE_PUNYCODE_FLAG, NULL, subj))
+                throw win_runtime_error(__FUNCTION__ " Error retrieving server's certificate subject name.");
+
+            for (list<wstring>::const_iterator s = cfg_method->m_server_names.cbegin(), s_end = cfg_method->m_server_names.cend(); !found && s != s_end; ++s) {
+                if (_wcsicmp(s->c_str(), subj.c_str()) == 0) {
+                    m_module.log_event(&EAPMETHOD_TLS_SERVER_NAME_TRUSTED1, event_data(subj), event_data::blank);
+                    found = true;
+                }
+            }
+        }
+
+        if (!found)
+            throw win_runtime_error(ERROR_INVALID_DOMAINNAME, __FUNCTION__ " Server name is not on the list of trusted server names.");
    }

    if (cert->pCertInfo->Issuer.cbData == cert->pCertInfo->Subject.cbData &&
        memcmp(cert->pCertInfo->Issuer.pbData, cert->pCertInfo->Subject.pbData, cert->pCertInfo->Issuer.cbData) == 0)
-        throw com_runtime_error(CRYPT_E_SELF_SIGNED, string_printf(__FUNCTION__ " Server is using a self-signed certificate %s. Cannot trust it.", subj.c_str()).c_str());
+        throw com_runtime_error(CRYPT_E_SELF_SIGNED, __FUNCTION__ " Server is using a self-signed certificate. Cannot trust it.");

    // Create temporary certificate store of our trusted root CAs.
    cert_store store;
@ -1207,7 +1250,7 @@ void eap::method_tls::verify_server_trust() const
    for (list<cert_context>::const_iterator c = cfg_method->m_trusted_root_ca.cbegin(), c_end = cfg_method->m_trusted_root_ca.cend(); c != c_end; ++c)
        CertAddCertificateContextToStore(store, *c, CERT_STORE_ADD_REPLACE_EXISTING, NULL);

-    // Add all certificates from the server's certificate chain, except the first one.
+    // Add all intermediate certificates from the server's certificate chain.
    for (list<cert_context>::const_iterator c = m_server_cert_chain.cbegin(), c_end = m_server_cert_chain.cend(); ++c != c_end;) {
        const cert_context &_c = *c;
        if (_c->pCertInfo->Issuer.cbData == _c->pCertInfo->Subject.cbData &&
@ -1240,7 +1283,7 @@ void eap::method_tls::verify_server_trust() const
    if (!context.create(NULL, cert, NULL, store, &chain_params, 0))
        throw win_runtime_error(__FUNCTION__ " Error creating certificate chain context.");

-    // Check chain validation error flags. Ignore CERT_TRUST_IS_UNTRUSTED_ROOT flag when we check root CA explicitly.
+    // Check chain validation error flags. Ignore CERT_TRUST_IS_UNTRUSTED_ROOT flag since we check root CA explicitly.
    if (context->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR &&
        (cfg_method->m_trusted_root_ca.empty() || (context->TrustStatus.dwErrorStatus & ~CERT_TRUST_IS_UNTRUSTED_ROOT) != CERT_TRUST_NO_ERROR))
        throw win_runtime_error(context->TrustStatus.dwErrorStatus, "Error validating certificate chain.");
--- a/lib/TLS_UI/include/TLS_UI.h
+++ b/lib/TLS_UI/include/TLS_UI.h
@ -119,7 +119,7 @@ public:
    ///
    /// Construct the validator with a value to store data
    ///
-    wxHostNameValidator(std::string *val = NULL);
+    wxHostNameValidator(std::wstring *val = NULL);

    ///
    /// Copy constructor
@ -149,10 +149,10 @@ public:
    ///
    /// Parses FQDN value
    ///
-    static bool Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::string *val_out = NULL);
+    static bool Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::wstring *val_out = NULL);

 protected:
-    std::string *m_val; ///< Pointer to variable to receive control's parsed value
+    std::wstring *m_val; ///< Pointer to variable to receive control's parsed value
 };


@ -165,7 +165,7 @@ public:
    ///
    /// Construct the validator with a value to store data
    ///
-    wxFQDNValidator(std::string *val = NULL);
+    wxFQDNValidator(std::wstring *val = NULL);

    ///
    /// Copy constructor
@ -195,10 +195,10 @@ public:
    ///
    /// Parses FQDN value
    ///
-    static bool Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::string *val_out = NULL);
+    static bool Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::wstring *val_out = NULL);

 protected:
-    std::string *m_val; ///< Pointer to variable to receive control's parsed value
+    std::wstring *m_val; ///< Pointer to variable to receive control's parsed value
 };


@ -211,7 +211,7 @@ public:
    ///
    /// Construct the validator with a value to store data
    ///
-    wxFQDNListValidator(std::list<std::string> *val = NULL);
+    wxFQDNListValidator(std::list<std::wstring> *val = NULL);

    ///
    /// Copy constructor
@ -241,10 +241,10 @@ public:
    ///
    /// Parses FQDN list value
    ///
-    static bool Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::list<std::string> *val_out = NULL);
+    static bool Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::list<std::wstring> *val_out = NULL);

 protected:
-    std::list<std::string> *m_val;  ///< Pointer to variable to receive control's parsed value
+    std::list<std::wstring> *m_val;  ///< Pointer to variable to receive control's parsed value
 };


@ -311,7 +311,7 @@ protected:
    eap::config_method_tls &m_cfg;              ///< TLS configuration
    winstd::library m_certmgr;                  ///< certmgr.dll resource library reference
    wxIcon m_icon;                              ///< Panel icon
-    std::list<std::string> m_server_names_val;  ///< Acceptable authenticating server names
+    std::list<std::wstring> m_server_names_val; ///< Acceptable authenticating server names
 };


--- a/lib/TLS_UI/res/wxTLS_UI.cpp
+++ b/lib/TLS_UI/res/wxTLS_UI.cpp
@ -74,11 +74,11 @@ wxEAPTLSServerTrustConfigPanelBase::wxEAPTLSServerTrustConfigPanelBase( wxWindow
 	sb_server_names->Add( m_server_names_label, 0, wxBOTTOM, 5 );
 	
 	m_server_names = new wxTextCtrl( sb_server_trust->GetStaticBox(), wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, 0 );
-	m_server_names->SetToolTip( _("A semicolon delimited list of acceptable server FQDN names; blank to skip name check; \"*\" wildchar allowed") );
+	m_server_names->SetToolTip( _("A semicolon delimited list of acceptable server FQDN names; blank to skip name check; Unicode characters allowed") );
 	
 	sb_server_names->Add( m_server_names, 0, wxEXPAND|wxBOTTOM, 5 );
 	
-	m_server_names_note = new wxStaticText( sb_server_trust->GetStaticBox(), wxID_ANY, _("(Example: foo.bar.com;*.domain.org)"), wxDefaultPosition, wxDefaultSize, 0 );
+	m_server_names_note = new wxStaticText( sb_server_trust->GetStaticBox(), wxID_ANY, _("(Example: foo.bar.com;server2.bar.com)"), wxDefaultPosition, wxDefaultSize, 0 );
 	m_server_names_note->Wrap( -1 );
 	sb_server_names->Add( m_server_names_note, 0, wxALIGN_RIGHT, 5 );
 	
--- a/lib/TLS_UI/res/wxTLS_UI.fbp
+++ b/lib/TLS_UI/res/wxTLS_UI.fbp
@ -870,7 +870,7 @@
                                                <property name="style"></property>
                                                <property name="subclass"></property>
                                                <property name="toolbar_pane">0</property>
-                                                <property name="tooltip">A semicolon delimited list of acceptable server FQDN names; blank to skip name check; &quot;*&quot; wildchar allowed</property>
+                                                <property name="tooltip">A semicolon delimited list of acceptable server FQDN names; blank to skip name check; Unicode characters allowed</property>
                                                <property name="validator_data_type"></property>
                                                <property name="validator_style">wxFILTER_NONE</property>
                                                <property name="validator_type">wxDefaultValidator</property>
@ -940,7 +940,7 @@
                                                <property name="gripper">0</property>
                                                <property name="hidden">0</property>
                                                <property name="id">wxID_ANY</property>
-                                                <property name="label">(Example: foo.bar.com;*.domain.org)</property>
+                                                <property name="label">(Example: foo.bar.com;server2.bar.com)</property>
                                                <property name="max_size"></property>
                                                <property name="maximize_button">0</property>
                                                <property name="maximum_size"></property>
--- a/lib/TLS_UI/src/TLS_UI.cpp
+++ b/lib/TLS_UI/src/TLS_UI.cpp
@ -46,7 +46,7 @@ wxCertificateClientData::~wxCertificateClientData()
 wxIMPLEMENT_DYNAMIC_CLASS(wxHostNameValidator, wxValidator);


-wxHostNameValidator::wxHostNameValidator(std::string *val) :
+wxHostNameValidator::wxHostNameValidator(std::wstring *val) :
    m_val(val),
    wxValidator()
 {
@ -98,7 +98,7 @@ bool wxHostNameValidator::TransferFromWindow()
 }


-bool wxHostNameValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::string *val_out)
+bool wxHostNameValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::wstring *val_out)
 {
    const wxStringCharType *buf = val_in;

@ -108,7 +108,7 @@ bool wxHostNameValidator::Parse(const wxString &val_in, size_t i_start, size_t i
            // End of host name found.
            if (val_out) val_out->assign(val_in.c_str() + i_start, i - i_start);
            return true;
-        } else if (_tcschr(wxT("abcdefghijklmnopqrstuvwxyz0123456789-*"), buf[i])) {
+        } else if (buf[i] == _T('-') || buf[i] == _T('_') || _istalnum(buf[i])) {
            // Valid character found.
            i++;
        } else {
@ -129,7 +129,7 @@ bool wxHostNameValidator::Parse(const wxString &val_in, size_t i_start, size_t i
 wxIMPLEMENT_DYNAMIC_CLASS(wxFQDNValidator, wxValidator);


-wxFQDNValidator::wxFQDNValidator(std::string *val) :
+wxFQDNValidator::wxFQDNValidator(std::wstring *val) :
    m_val(val),
    wxValidator()
 {
@ -181,7 +181,7 @@ bool wxFQDNValidator::TransferFromWindow()
 }


-bool wxFQDNValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::string *val_out)
+bool wxFQDNValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::wstring *val_out)
 {
    const wxStringCharType *buf = val_in;

@ -210,7 +210,7 @@ bool wxFQDNValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end
 wxIMPLEMENT_DYNAMIC_CLASS(wxFQDNListValidator, wxValidator);


-wxFQDNListValidator::wxFQDNListValidator(std::list<std::string> *val) :
+wxFQDNListValidator::wxFQDNListValidator(std::list<std::wstring> *val) :
    m_val(val),
    wxValidator()
 {
@ -246,7 +246,7 @@ bool wxFQDNListValidator::TransferToWindow()

    if (m_val) {
        wxString str;
-        for (std::list<std::string>::const_iterator name = m_val->cbegin(), name_end = m_val->cend(); name != name_end; ++name) {
+        for (std::list<std::wstring>::const_iterator name = m_val->cbegin(), name_end = m_val->cend(); name != name_end; ++name) {
            if (!str.IsEmpty()) str += wxT("; ");
            str += *name;
        }
@ -267,11 +267,11 @@ bool wxFQDNListValidator::TransferFromWindow()
 }


-bool wxFQDNListValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::list<std::string> *val_out)
+bool wxFQDNListValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::list<std::wstring> *val_out)
 {
    const wxStringCharType *buf = val_in;
-    std::string _fqdn, *fqdn = val_out ? &_fqdn : NULL;
-    std::list<std::string> _val_out;
+    std::wstring _fqdn, *fqdn = val_out ? &_fqdn : NULL;
+    std::list<std::wstring> _val_out;

    size_t i = i_start;
    for (;;) {
--- a/lib/WinStd
+++ b/lib/WinStd
@ -1 +1 @@
-Subproject commit 8a0799c2b75ebb783a6b777121e1e9ddc89a5549
+Subproject commit f94b72379ec67fad89a99336048890c4e7ddda34
Author	SHA1	Message	Date
Simon Rozman	e4c3f5cbd8	Version set to 1.0-alpha10-owntls	2016-08-23 14:52:26 +02:00
Simon Rozman	1df98af5a1	Event descriptors updated	2016-08-23 14:48:47 +02:00
Simon Rozman	3cbd749966	Sub-module update	2016-08-23 14:46:06 +02:00
Simon Rozman	2125679385	Server certificate name check extended to search for the name in the subjectAltName(2) extension first; only when none present, compares against Common Name	2016-08-23 14:43:07 +02:00
Simon Rozman	fb5d969c2b	Support for the wild-char certificate names dropped	2016-08-23 14:42:43 +02:00
Simon Rozman	f39cb94ee5	Server names can be Unicode now	2016-08-23 14:42:11 +02:00
Simon Rozman	59768e8097	Cipher suite list size is now in number of elements, not bytes	2016-08-23 14:41:25 +02:00