/*
Copyright 2015-2020 Amebis
Copyright 2016 GÉANT
This file is part of GÉANTLink.
GÉANTLink is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
GÉANTLink is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with GÉANTLink. If not, see .
*/
namespace eap
{
class peer_tls_base;
}
#pragma once
#include "Config.h"
#include "Credentials.h"
#include "Method.h"
namespace eap
{
/// \addtogroup EAPBaseModule
/// @{
///
/// TLS tunnel peer
///
class peer_tls_base : public peer
{
public:
///
/// Constructs a TLS tunnel peer module
///
/// \param[in] eap_method EAP method type ID
///
peer_tls_base(_In_ winstd::eap_type_t eap_method = winstd::eap_type_t::tls);
virtual void shutdown();
virtual void get_identity(
_In_ DWORD dwFlags,
_In_count_(dwConnectionDataSize) const BYTE *pConnectionData,
_In_ DWORD dwConnectionDataSize,
_In_count_(dwUserDataSize) const BYTE *pUserData,
_In_ DWORD dwUserDataSize,
_Out_ BYTE **ppUserDataOut,
_Out_ DWORD *pdwUserDataOutSize,
_In_ HANDLE hTokenImpersonateUser,
_Out_ BOOL *pfInvokeUI,
_Out_ WCHAR **ppwszIdentity);
virtual void get_method_properties(
_In_ DWORD dwVersion,
_In_ DWORD dwFlags,
_In_ HANDLE hUserImpersonationToken,
_In_count_(dwConnectionDataSize) const BYTE *pConnectionData,
_In_ DWORD dwConnectionDataSize,
_In_count_(dwUserDataSize) const BYTE *pUserData,
_In_ DWORD dwUserDataSize,
_Out_ EAP_METHOD_PROPERTY_ARRAY *pMethodPropertyArray);
virtual void credentials_xml2blob(
_In_ DWORD dwFlags,
_In_ IXMLDOMNode *pConfigRoot,
_In_count_(dwConnectionDataSize) const BYTE *pConnectionData,
_In_ DWORD dwConnectionDataSize,
_Out_ BYTE **ppCredentialsOut,
_Out_ DWORD *pdwCredentialsOutSize);
/// \name Session management
/// @{
virtual EAP_SESSION_HANDLE begin_session(
_In_ DWORD dwFlags,
_In_ const EapAttributes *pAttributeArray,
_In_ HANDLE hTokenImpersonateUser,
_In_count_(dwConnectionDataSize) const BYTE *pConnectionData,
_In_ DWORD dwConnectionDataSize,
_In_count_(dwUserDataSize) const BYTE *pUserData,
_In_ DWORD dwUserDataSize,
_In_ DWORD dwMaxSendPacketSize);
virtual void end_session(_In_ EAP_SESSION_HANDLE hSession);
/// @}
/// \name Packet processing
/// @{
virtual void process_request_packet(
_In_ EAP_SESSION_HANDLE hSession,
_In_bytecount_(dwReceivedPacketSize) const EapPacket *pReceivedPacket,
_In_ DWORD dwReceivedPacketSize,
_Out_ EapPeerMethodOutput *pEapOutput);
virtual void get_response_packet(
_In_ EAP_SESSION_HANDLE hSession,
_Out_bytecapcount_(*pdwSendPacketSize) EapPacket *pSendPacket,
_Inout_ DWORD *pdwSendPacketSize);
/// @}
virtual void get_result(
_In_ EAP_SESSION_HANDLE hSession,
_In_ EapPeerMethodResultReason reason,
_Inout_ EapPeerMethodResult *pResult);
/// \name User Interaction
/// @{
virtual void get_ui_context(
_In_ EAP_SESSION_HANDLE hSession,
_Out_ BYTE **ppUIContextData,
_Out_ DWORD *pdwUIContextDataSize);
virtual void set_ui_context(
_In_ EAP_SESSION_HANDLE hSession,
_In_count_(dwUIContextDataSize) const BYTE *pUIContextData,
_In_ DWORD dwUIContextDataSize,
_Out_ EapPeerMethodOutput *pEapOutput);
/// @}
/// \name EAP Response Attributes
/// @{
virtual void get_response_attributes(
_In_ EAP_SESSION_HANDLE hSession,
_Out_ EapAttributes *pAttribs);
virtual void set_response_attributes(
_In_ EAP_SESSION_HANDLE hSession,
_In_ const EapAttributes *pAttribs,
_Out_ EapPeerMethodOutput *pEapOutput);
/// @}
///
/// Spawns a new certificate revocation check thread
///
/// \param[inout] cert Certificate context to check for revocation. `hCertStore` member should contain all certificates in chain up to and including root CA to test them for revocation too.
///
void spawn_crl_check(_Inout_ winstd::cert_context &&cert);
protected:
///
/// Makes a new inner method
///
/// \param[in] cfg Method configuration
/// \param[in] cred Credentials
///
/// \returns A new inner method of given type
///
virtual method* make_method(_In_ config_method_tls &cfg, _In_ credentials_tls &cred) = 0;
///
/// Checks all configured providers and tries to combine credentials.
///
_Success_(return != 0) virtual const config_method_with_cred* combine_credentials(
_In_ DWORD dwFlags,
_In_ const config_connection &cfg,
_In_count_(dwUserDataSize) const BYTE *pUserData,
_In_ DWORD dwUserDataSize,
_Inout_ credentials_connection& cred_out,
_In_ HANDLE hTokenImpersonateUser) = 0;
protected:
///
/// TTL tunnel session
///
class session {
public:
///
/// Constructs a session
///
session(_In_ module &mod);
///
/// Destructs the session
///
virtual ~session();
public:
module &m_module; ///< Module
config_connection m_cfg; ///< Connection configuration
credentials_connection m_cred; ///< Connection credentials
std::unique_ptr m_method; ///< EAP method
// The following members are required to avoid memory leakage in get_result() and get_ui_context().
BYTE *m_blob_cfg; ///< Configuration BLOB
#if EAP_USE_NATIVE_CREDENTIAL_CACHE
BYTE *m_blob_cred; ///< Credentials BLOB
#endif
BYTE *m_blob_ui_ctx; ///< User Interface context data
};
///
///< Post-festum server certificate revocation verify thread
///
class crl_checker {
public:
///
/// Constructs a thread
///
/// \param[in ] mod EAP module to use for global services
/// \param[inout] cert Certificate context to check for revocation. `hCertStore` member should contain all certificates in chain up to and including root CA to test them for revocation too.
///
crl_checker(_In_ module &mod, _Inout_ winstd::cert_context &&cert);
///
/// Moves a thread
///
/// \param[in] other Thread to move from
///
crl_checker(_Inout_ crl_checker &&other) noexcept;
///
/// Moves a thread
///
/// \param[in] other Thread to move from
///
/// \returns Reference to this object
///
crl_checker& operator=(_Inout_ crl_checker &&other) noexcept;
///
/// Verifies server's certificate if it has been revoked
///
/// \param[in] obj Pointer to the instance of this object
///
/// \returns Thread exit code
///
static DWORD WINAPI verify(_In_ crl_checker *obj);
public:
module &m_module; ///< Module
winstd::win_handle m_thread; ///< Thread
winstd::win_handle m_abort; ///< Thread abort event
winstd::cert_context m_cert; ///< Server certificate
};
std::list m_crl_checkers; ///< List of certificate revocation check threads
};
/// @}
}