|
|
/*
Copyright (c) 1997, Microsoft Corporation, all rights reserved
File: eaptls.h
Description: PPP EAP TLS Authentication Protocol. Based on RFC xxxx.
History: Oct 9, 1997: Vijay Baliga created original version.
*/
#ifndef _EAPTLS_H_
#define _EAPTLS_H_
#define EAPTLS_KEY_13 L"System\\CurrentControlSet\\Services\\Rasman\\PPP\\EAP\\13"
#define EAPTLS_VAL_SERVER_CONFIG_DATA L"ServerConfigData"
#define EAPTLS_VAL_MAX_TLS_MESSAGE_LENGTH L"MaxTLSMessageLength"
#define EAPTLS_VAL_IGNORE_NO_REVOCATION_CHECK L"IgnoreNoRevocationCheck"
#define EAPTLS_VAL_IGNORE_REVOCATION_OFFLINE L"IgnoreRevocationOffline"
#define EAPTLS_VAL_NO_ROOT_REVOCATION_CHECK L"NoRootRevocationCheck"
#define EAPTLS_VAL_NO_REVOCATION_CHECK L"NoRevocationCheck"
#define EAPTLS_8021x_PIN_DATA_DESCR L"starcehvionrsf"
#define MAX_HASH_SIZE 20 // Certificate hash size
// EAPTLS_PACKET flags
#define EAPTLS_PACKET_FLAG_LENGTH_INCL 0x80
#define EAPTLS_PACKET_FLAG_MORE_FRAGMENTS 0x40
#define EAPTLS_PACKET_FLAG_TLS_START 0x20
//
// Versioning for PEAP. This will include the highest and lowest
// supported versions
//
#define EAPTLS_PACKET_HIGHEST_SUPPORTED_VERSION 0x00
#define EAPTLS_PACKET_LOWEST_SUPPORTED_VERSION 0x00
#define EAPTLS_PACKET_CURRENT_VERSION 0x00
typedef struct _EAPTLS_PACKET{ BYTE bCode; // See EAPCODE_*
BYTE bId; // Id of this packet
BYTE pbLength[2]; // Length of this packet
BYTE bType; // Should be PPP_EAP_TLS
// (only for Request, Response)
BYTE bFlags; // See EAPTLS_PACKET_FLAG_*
// (only for Request, Response)
BYTE pbData[1]; // Data
// (only for Request, Response)
} EAPTLS_PACKET;
#define EAPTLS_PACKET_HDR_LEN (sizeof(EAPTLS_PACKET) - 1)
// The largest EAP TLS header has 4 more octects for TLS blob size
#define EAPTLS_PACKET_HDR_LEN_MAX (EAPTLS_PACKET_HDR_LEN + 4)
// EAP TLS states
typedef enum EAPTLS_STATE{ EAPTLS_STATE_INITIAL, EAPTLS_STATE_SENT_START, // Server only
EAPTLS_STATE_SENT_HELLO, EAPTLS_STATE_SENT_FINISHED, EAPTLS_STATE_RECD_FINISHED, // Client only
EAPTLS_STATE_SENT_RESULT, // Server only
EAPTLS_STATE_RECD_RESULT, // Client only
EAPTLS_STATE_WAIT_FOR_USER_OK // Client only
} EAPTLS_STATE;
// Highest number we can handle
#define EAPTLS_STATE_LIMIT EAPTLS_STATE_RECD_RESULT
typedef struct _EAPTLS_HASH{ DWORD cbHash; // Number of bytes in the hash
BYTE pbHash[MAX_HASH_SIZE]; // The hash of a certificate
} EAPTLS_HASH;
// Values of the EAPTLS_CONN_PROPERTIES->fFlags field
// Use a certificate on this machine
#define EAPTLS_CONN_FLAG_REGISTRY 0x00000001
// Do not validate server cert
#define EAPTLS_CONN_FLAG_NO_VALIDATE_CERT 0x00000002
// Do not Validate server name
#define EAPTLS_CONN_FLAG_NO_VALIDATE_NAME 0x00000004
// Send a different EAP Identity
#define EAPTLS_CONN_FLAG_DIFF_USER 0x00000008
// User simple cert selection logic
#define EAPTLS_CONN_FLAG_SIMPLE_CERT_SEL 0x00000010
#define EAPTLS_CONN_PROP_WATERMARK 0xBEEFFEEB
//
// EAPTLS_CONN_PROPERTIES + EAPTLS_CONN_PROPERTIES_V1_EXTRA
// are send back to the calling application. However, internally
// EAPTLS_CONN_PROPERTIES_V1 is used.
//
typedef struct _EAPTLS_CONN_PROPERTIES{ DWORD dwVersion; //Version will be 1 for this release
DWORD dwSize; // Number of bytes in this structure
DWORD fFlags; // See EAPTLS_CONN_FLAG_*
EAPTLS_HASH Hash; // Hash of the first certificate
WCHAR awszServerName[1]; // server name of the first server
} EAPTLS_CONN_PROPERTIES;
//
// This is a very messy way of doing things
// but cannot help it because the verion
// checking on the data structure was not
// done to begin with. Hopefully some day
// we will be able to get away from this
// deal. Other part of the story is CM is
// unable to create targetted connectoids.
// So we have to carry this structure going
// ahead unless CM is smart about targetted
// connectoids.
//
// Additional stuff required in
// version 1 of data structure
//
typedef struct _EAPTLS_CONN_PROPERTIES_V1_EXTRA { DWORD dwNumHashes; // Number of Hashes in the
// structure including the one
// in v0 struct above
BYTE bData[1]; // Data - contains an array of
// EAPTLS_HASH structures followed by
// a string specifying server names
// minus the first server
}EAPTLS_CONN_PROPERTIES_V1_EXTRA;
//The new v1.0 structure used internally
typedef struct _EAPTLS_CONN_PROPERTIES_V1{ DWORD dwVersion; // Version will be 1 for this release
DWORD dwSize; // Number of bytes in this structure
DWORD fFlags; // See EAPTLS_CONN_FLAG_*
DWORD dwNumHashes; // Number of hash structures in the list
BYTE bData[1]; // Data - contains an array of
// EAPTLS_HASH structures followed by
// a string specifying server name
}EAPTLS_CONN_PROPERTIES_V1;
// The old 'PIN must be saved' flag
#define EAPTLS_USER_FLAG_OLD_SAVE_PIN 0x00000001
// The PIN must be saved
#define EAPTLS_USER_FLAG_SAVE_PIN 0x00000002
typedef struct _EAPTLS_USER_PROPERTIES{ DWORD reserved; // Must be 0 (compare with EAPLOGONINFO)
DWORD dwVersion; DWORD dwSize; // Number of bytes in this structure
DWORD fFlags; // See EAPTLS_USER_FLAG_*
EAPTLS_HASH Hash; // Hash for the user certificate
WCHAR* pwszDiffUser; // The EAP Identity to send
DWORD dwPinOffset; // Offset in abData
WCHAR* pwszPin; // The smartcard PIN
USHORT usLength; // Part of UnicodeString
USHORT usMaximumLength; // Part of UnicodeString
UCHAR ucSeed; // To unlock the UnicodeString
WCHAR awszString[1]; // Storage for pwszDiffUser and pwszPin
} EAPTLS_USER_PROPERTIES;
typedef struct _EAPTLS_PIN{ WCHAR *pwszPin; USHORT usLength; USHORT usMaximumLength; UCHAR ucSeed;} EAPTLS_PIN;
// Values of the EAPTLSCB->fFlags field
// We are the server
#define EAPTLSCB_FLAG_SERVER 0x00000001
// We are a router
#define EAPTLSCB_FLAG_ROUTER 0x00000002
// The call is happening during logon
#define EAPTLSCB_FLAG_LOGON 0x00000004
// Negotiation is complete, and so far appears successful. A server may get a
// TLS Alert message from the client at this point, in which case it will
// realize that the negotiation was unsuccessful. However, a client never
// changes its mind.
#define EAPTLSCB_FLAG_SUCCESS 0x00000008
// The peer has a large blob to send. So it has divided it into fragments
#define EAPTLSCB_FLAG_RECEIVING_FRAGMENTS 0x00000010
// Keeps track of whether we need to call FreeCredentialsHandle(hCredential)
#define EAPTLSCB_FLAG_HCRED_INVALID 0x00000020
// Keeps track of whether we need to call DeleteSecurityContext(hContext)
#define EAPTLSCB_FLAG_HCTXT_INVALID 0x00000040
// We are not allowed to display any UI
#define EAPTLSCB_FLAG_NON_INTERACTIVE 0x00000080
// This is the first link in a multilink bundle. This is not a callback.
#define EAPTLSCB_FLAG_FIRST_LINK 0x00000100
// The user data was obtained from Winlogon
#define EAPTLSCB_FLAG_WINLOGON_DATA 0x00000200
// We are doing Machine Authentication
#define EAPTLSCB_FLAG_MACHINE_AUTH 0x00000400
// We are providing guest access
#define EAPTLSCB_FLAG_GUEST_ACCESS 0x00000800
//We want to do something specific to 8021x auth
#define EAPTLSCB_FLAG_8021X_AUTH 0x00001000
//We are using cached credentials
#define EAPTLSCB_FLAG_USING_CACHED_CREDS 0x00002000
//We are running in PEAP context
#define EAPTLSCB_FLAG_EXECUTING_PEAP 0x00004000
// The EAP TLS work buffer
typedef struct _EAPTLS_CONTROL_BLOCK{ EAPTLS_STATE EapTlsState; DWORD fFlags; // See EAPTLSCB_FLAG_*
HANDLE hTokenImpersonateUser; // Client only
WCHAR awszIdentity[UNLEN + 1];// Server only
RAS_AUTH_ATTRIBUTE* pAttributes; // Username or MPPE key
EAPTLS_CONN_PROPERTIES_V1* pConnProp; // Client only
EAPTLS_CONN_PROPERTIES_V1 * pNewConnProp;// Client only
EAPTLS_USER_PROPERTIES* pUserProp;
// Client only, EAPTLSCB_FLAG_LOGON only
BYTE* pUserData; DWORD dwSizeOfUserData;
PCCERT_CONTEXT pCertContext; CredHandle hCredential; // The credentials handle
CtxtHandle hContext; // The context handle
ULONG fContextReq; // Required context attributes
BYTE* pbBlobIn; // TLS blob received from the peer
DWORD cbBlobIn; // Number of bytes in the TLS blob
// received from the peer
DWORD cbBlobInBuffer; // Number of bytes allocated for the
// pbBlobIn buffer
DWORD dwBlobInRemining; // We are receiving fragments from
// the peer and the peer has
// promised to send dwBlobInRemining
// more bytes
BYTE* pbBlobOut; // TLS blob created for the peer
DWORD cbBlobOut; // Number of bytes in the TLS blob
// created for the peer
DWORD cbBlobOutBuffer; // Number of bytes allocated for the
// pbBlobOut buffer
DWORD dwBlobOutOffset; // Pointer to the first byte in
// pbBlobOut that has to be sent
DWORD dwBlobOutOffsetNew; // Update dwBlobOutOffset to this
// value when the peer confirms
// receipt of the previous packet
BYTE bCode; // bCode of the last packet sent
BYTE bId; // bId of the last packet sent
DWORD dwAuthResultCode; // The error code that we get when
// the negotiation is complete
EAPTLS_PIN *pSavedPin; //
HANDLE hEventLog; BYTE* pUIContextData; BYTE bNextId; // Saved when we raise UI
EAPTLS_PACKET ReceivePacket; // Saved when we go off to get PIN
} EAPTLSCB;
typedef struct _EAPTLS_CERT_NODE EAPTLS_CERT_NODE;
struct _EAPTLS_CERT_NODE{ EAPTLS_CERT_NODE* pNext; EAPTLS_HASH Hash; WCHAR* pwszDisplayName; WCHAR* pwszFriendlyName; WCHAR* pwszIssuer; WCHAR* pwszExpiration; //
// New fields added vivekk
//
FILETIME IssueDate;#if 0
WCHAR* pwszIssuedTo; WCHAR* pwszIssuedBy;#endif
};
// Values of the EAPTLS_CONN_DIALOG->fFlags field
// We are a router
#define EAPTLS_CONN_DIALOG_FLAG_ROUTER 0x00000001
#define EAPTLS_CONN_DIALOG_FLAG_READONLY 0x00000002
typedef struct _EAPTLS_CONN_DIALOG{ DWORD fFlags; // See
// EAPTLS_CONN_DIALOG_FLAG_*
EAPTLS_CERT_NODE* pCertList; //List of all the root certificates
//from internet trusted root store
EAPTLS_CERT_NODE** ppSelCertList; //List of pointers to selected certs.
//will be as many as num hashes
//in conn prop.
EAPTLS_CONN_PROPERTIES* pConnProp; // ConfigData in phonebook
EAPTLS_CONN_PROPERTIES_V1 * pConnPropv1; // Version 1.0 config data
HWND hWndRadioUseCard; HWND hWndRadioUseRegistry; HWND hWndCheckValidateCert; HWND hWndCheckValidateName; HWND hWndEditServerName; HWND hWndStaticRootCaName; //HWND hWndComboRootCaName; //This will go away
HWND hWndListRootCaName; //This is the new list
HWND hWndCheckDiffUser; HWND hWndCheckUseSimpleSel; HWND hWndViewCertDetails;
} EAPTLS_CONN_DIALOG;
// Values of the EAPTLS_USER_DIALOG->fFlags field
// We need to send a different EAP Identity
#define EAPTLS_USER_DIALOG_FLAG_DIFF_USER 0x00000001
// We need to change the title
#define EAPTLS_USER_DIALOG_FLAG_DIFF_TITLE 0x00000002
//USe simple cert selection
#define EAPTLS_USER_DIALOG_FLAG_USE_SIMPLE_CERTSEL 0x00000004
//
// Nodes are grouped by displayname
//
typedef struct _EAPTLS_GROUPED_CERT_NODES EAPTLS_GROUPED_CERT_NODES;typedef struct _EAPTLS_GROUPED_CERT_NODES* PEAPTLS_GROUPED_CERT_NODES;
struct _EAPTLS_GROUPED_CERT_NODES{ PEAPTLS_GROUPED_CERT_NODES pNext; WCHAR* pwszDisplayName;
//Most current one in the colation...
EAPTLS_CERT_NODE* pMostRecentCert; };
typedef struct _EAPTLS_USER_DIALOG{ DWORD fFlags; // See
// EAPTLS_USER_DIALOG_FLAG_*
EAPTLS_CERT_NODE* pCertList; EAPTLS_CERT_NODE* pCert; PEAPTLS_GROUPED_CERT_NODES pGroupedList; EAPTLS_USER_PROPERTIES* pUserProp; // UserData in registry
const WCHAR* pwszEntry; const WCHAR* pwszStoreName; BOOL fIdentity; //Identity UI is being shown here
HWND hWndComboUserName; HWND hWndBtnViewCert; // These are required for the server's certificate selection
HWND hWndEditFriendlyName; HWND hWndEditIssuer; HWND hWndEditExpiration; HWND hWndStaticDiffUser; HWND hWndEditDiffUser;
} EAPTLS_USER_DIALOG;
// Values of the EAPTLS_PIN_DIALOG->fFlags field
// We need to send a different EAP Identity
#define EAPTLS_PIN_DIALOG_FLAG_DIFF_USER 0x00000001
// The UI is coming up before Logon
#define EAPTLS_PIN_DIALOG_FLAG_LOGON 0x00000002
#define EAPTLS_PIN_DIALOG_FLAG_ROUTER 0x00000004
typedef struct _EAPTLS_PIN_DIALOG{ DWORD fFlags; // See
// EAPTLS_PIN_DIALOG_FLAG_*
EAPTLS_USER_PROPERTIES* pUserProp; // UserData in registry
const WCHAR* pwszEntry; PCCERT_CONTEXT pCertContext; //Certificate Context for selected certificate.
DWORD dwRetCode; //Return Code of Validate PIN operation.
HWND hWndStaticDiffUser; HWND hWndEditDiffUser; HWND hWndStaticPin; HWND hWndEditPin;
} EAPTLS_PIN_DIALOG;
#define NUM_CHARS_TITLE 100
typedef struct _EAPTLS_VALIDATE_SERVER{ DWORD dwSize; DWORD fShowCertDetails; EAPTLS_HASH Hash; //Hash of the root certificate to show details
WCHAR awszTitle[NUM_CHARS_TITLE]; WCHAR awszWarning[1];
} EAPTLS_VALIDATE_SERVER;
#ifdef ALLOC_EAPTLS_GLOBALS
DWORD g_dwEapTlsTraceId = INVALID_TRACEID;
int g_nEapTlsClientNextState[] ={ EAPTLS_STATE_SENT_HELLO, EAPTLS_STATE_INITIAL, // Impossible
EAPTLS_STATE_SENT_FINISHED, EAPTLS_STATE_RECD_FINISHED, EAPTLS_STATE_RECD_RESULT, EAPTLS_STATE_INITIAL, // Impossible
EAPTLS_STATE_RECD_RESULT, EAPTLS_STATE_RECD_FINISHED};
int g_nEapTlsServerNextState[] ={ EAPTLS_STATE_SENT_START, EAPTLS_STATE_SENT_HELLO, EAPTLS_STATE_SENT_FINISHED, EAPTLS_STATE_SENT_RESULT, EAPTLS_STATE_INITIAL, // Impossible
EAPTLS_STATE_SENT_RESULT, EAPTLS_STATE_INITIAL, // Impossible
EAPTLS_STATE_INITIAL, // Impossible
};
CHAR *g_szEapTlsState[] ={ "Initial", "SentStart", "SentHello", "SentFinished", "RecdFinished", "SentResult", "RecdResult", "WaitForUserOK",};
#else // !ALLOC_EAPTLS_GLOBALS
extern DWORD g_dwEapTlsTraceId;
#endif // ALLOC_EAPTLS_GLOBALS
// Prototypes for functions in util.c
VOID EapTlsTrace( IN CHAR* Format, ... );
DWORDEapTlsInitialize2( IN BOOL fInitialize, IN BOOL fUI);
DWORDEapTlsInitialize( IN BOOL fInitialize);
VOIDEncodePin( IN EAPTLS_USER_PROPERTIES* pUserProp);
VOIDDecodePin( IN EAPTLS_USER_PROPERTIES* pUserProp);
BOOL FFormatMachineIdentity1 ( LPWSTR lpszMachineNameRaw, LPWSTR * lppszMachineNameFormatted );
BOOL FFormatMachineIdentity ( IN LPWSTR lpszMachineNameRaw, OUT LPWSTR * lppszMachineNameFormatted );
BOOLFCertToStr( IN PCCERT_CONTEXT pCertContext, IN DWORD fFlags, IN BOOL fMachineCert, OUT WCHAR** ppwszName);
BOOLFMachineAuthCertToStr ( IN PCCERT_CONTEXT pCertContext, OUT WCHAR ** ppwszName);
BOOLFGetFriendlyName( IN PCCERT_CONTEXT pCertContext, OUT WCHAR** ppwszName);
BOOLFSmartCardReaderInstalled( VOID);
DWORD DwGetEKUUsage ( IN PCCERT_CONTEXT pCertContext, OUT PCERT_ENHKEY_USAGE * ppUsage );
BOOLFCheckUsage( IN PCCERT_CONTEXT pCertContext, IN PCERT_ENHKEY_USAGE pUsage, IN BOOL fMachine);
BOOLFCheckSCardCertAndCanOpenSilentContext ( IN PCCERT_CONTEXT pCertContext );
BOOLFCheckCSP( IN PCCERT_CONTEXT pCertContext);
BOOLFCheckTimeValidity( IN PCCERT_CONTEXT pCertContext);
DWORD DwCheckCertPolicy ( IN PCCERT_CONTEXT pCertContextUser, OUT PCCERT_CHAIN_CONTEXT * ppCertChainContext);
DWORDGetRootCertHashAndNameVerifyChain( IN PCERT_CONTEXT pCertContextServer, OUT EAPTLS_HASH* pHash, OUT WCHAR** ppwszName, IN BOOL fVerifyGP, OUT BOOL * pfRootCheckRequired);
DWORDServerConfigDataIO( IN BOOL fRead, IN WCHAR* pwszMachineName, IN OUT BYTE** ppData, IN DWORD dwNumBytes);
VOIDFreeCertList( IN EAPTLS_CERT_NODE* pNode);
VOIDCreateCertList( IN BOOL fServer, IN BOOL fRouter, IN BOOL fRoot, OUT EAPTLS_CERT_NODE** ppCertList, OUT EAPTLS_CERT_NODE** ppCert, IN DWORD dwNumHashStructs, IN EAPTLS_HASH* pHash, IN WCHAR* pwszStoreName);
DWORDGetDefaultClientMachineCert( IN HCERTSTORE hCertStore, OUT PCCERT_CONTEXT* ppCertContext);
DWORDGetDefaultMachineCert( IN HCERTSTORE hCertStore, OUT PCCERT_CONTEXT* ppCertContext);
DWORDGetCertFromLogonInfo( IN BYTE* pUserDataIn, IN DWORD dwSizeOfUserDataIn, OUT PCCERT_CONTEXT* ppCertContext);
DWORDGetIdentityFromLogonInfo( IN BYTE* pUserDataIn, IN DWORD dwSizeOfUserDataIn, OUT WCHAR** ppwszIdentity);
DWORDReadConnectionData( IN BOOL fWireless, IN BYTE* pConnectionDataIn, IN DWORD dwSizeOfConnectionDataIn, OUT EAPTLS_CONN_PROPERTIES** ppConnProp);
DWORDReadUserData( IN BYTE* pUserDataIn, IN DWORD dwSizeOfUserDataIn, OUT EAPTLS_USER_PROPERTIES** ppUserProp);
DWORDAllocUserDataWithNewIdentity( IN EAPTLS_USER_PROPERTIES* pUserProp, IN WCHAR* pwszIdentity, OUT EAPTLS_USER_PROPERTIES** ppUserProp);
DWORDAllocUserDataWithNewPin( IN EAPTLS_USER_PROPERTIES* pUserProp, IN PBYTE pbzPin, IN DWORD cbPin, OUT EAPTLS_USER_PROPERTIES** ppUserProp);
WCHAR*WszFromId( IN HINSTANCE hInstance, IN DWORD dwStringId);
// Prototypes for functions in eaptls.c
DWORDEapTlsBegin( OUT VOID** ppWorkBuffer, IN PPP_EAP_INPUT* pPppEapInput);
DWORDEapTlsEnd( IN EAPTLSCB* pEapTlsCb);
DWORDEapTlsMakeMessage( IN EAPTLSCB* pEapTlsCb, IN PPP_EAP_PACKET* pInput, OUT PPP_EAP_PACKET* pOutput, IN DWORD cbSendPacket, OUT PPP_EAP_OUTPUT* pEapOutput, IN PPP_EAP_INPUT* pEapInput);
DWORDGetCredentials( IN EAPTLSCB* pEapTlsCb);
DWORDEapTlsCMakeMessage( IN EAPTLSCB* pEapTlsCb, IN EAPTLS_PACKET* pReceivePacket, OUT EAPTLS_PACKET* pSendPacket, IN DWORD cbSendPacket, OUT PPP_EAP_OUTPUT* pEapOutput, IN PPP_EAP_INPUT* pEapInput);
DWORDEapTlsSMakeMessage( IN EAPTLSCB* pEapTlsCb, IN EAPTLS_PACKET* pReceivePacket, OUT EAPTLS_PACKET* pSendPacket, IN DWORD cbSendPacket, OUT PPP_EAP_OUTPUT* pEapOutput, IN PPP_EAP_INPUT* pEapInput);
// Prototypes for functions in scard.c
DWORDGetCertFromCard( OUT PCCERT_CONTEXT* ppCertContext);
VOIDFreeScardDlgDll( VOID);
// Prototypes for functions in eapui.cpp
HINSTANCEGetHInstance( VOID);
// Prototypes for functions in dialog.c
VOIDGetString( IN HWND hwndParent, IN UINT ID, IN OUT WCHAR** ppwszString);
//
//Prototypes in eaptls.c
//
DWORDAssociatePinWithCertificate( IN PCCERT_CONTEXT pCertContext, IN EAPTLS_USER_PROPERTIES* pUserProp, IN BOOL fErarePIN, IN BOOL fCheckNullPin);
DWORD EncryptData( IN PBYTE pbPlainData, IN DWORD cbPlainData, OUT PBYTE * ppEncData, OUT DWORD * pcbEncData);
//
// Prototypes of functions in util.c
//
DWORD GetMBytePIN ( WCHAR * pwszPIN, CHAR ** ppszPIN );
DWORD VerifyCallerTrust ( void * callersaddress );
#if 0
//
//This function get's the hash blob
//deposited by Group Policy in the registry
//
DWORDReadGPCARootHashes( DWORD *pdwSizeOfRootHashBlob, PBYTE *ppbRootHashBlob);
#endif
//
// These functions are around the cludgy
// CONN PROP structure.
//
EAPTLS_CONN_PROPERTIES_V1_EXTRA UNALIGNED * ConnPropGetExtraPointer (EAPTLS_CONN_PROPERTIES * pConnProp);
DWORD ConnPropGetNumHashes(EAPTLS_CONN_PROPERTIES * pConnProp );
void ConnPropSetNumHashes(EAPTLS_CONN_PROPERTIES * pConnProp, DWORD dwNumHashes );
DWORD ConnPropGetV1Struct ( EAPTLS_CONN_PROPERTIES * pConnProp, EAPTLS_CONN_PROPERTIES_V1 ** ppConnPropv1 );
DWORD ConnPropGetV0Struct ( EAPTLS_CONN_PROPERTIES_V1 * pConnPropv1, EAPTLS_CONN_PROPERTIES ** ppConnProp );
void ShowCertDetails ( HWND hWnd, HCERTSTORE hStore, PCCERT_CONTEXT pCertContext);
//////////////////////////All Peap Related Declarations /////////////////////
//
// PEAP Message Types
//
//
//TBD: Check with IANA ( ashwinp ) what the type will be.
#define PEAP_TYPE_AVP 0x21
//
// TLV Format is:
// Flags - 2bits
// Type - 14 bits
// Length - 2 octets
// Value - Variable
//
// TLV Flags
//
#define PEAP_AVP_FLAG_MANDATORY 0x80
//
// TLV types are of following types
//
// Status TLV. Tell's if the outcome of the EAP is success
// or failure.
//
#define MS_PEAP_AVP_LANGUAGE_NEGOTIATE 0x01
#define MS_PEAP_AVP_CIPHERSUITE_NEGOTIATE 0x02
#define MS_PEAP_AVP_TYPE_STATUS 0x03
//
// Values possible in Status AVP
//
#define MS_PEAP_AVP_VALUE_SUCCESS 0x1
#define MS_PEAP_AVP_VALUE_FAILURE 0x2
// PEAP Reg Keys
#define PEAP_KEY_25 L"System\\CurrentControlSet\\Services\\Rasman\\PPP\\EAP\\25"
#define PEAP_VAL_SERVER_CONFIG_DATA L"ServerConfigData"
//
// This key is required for include only MSCHAPv2. IF this is missing all protocols will be included in PEAP
// except PEAP itself
//
#define PEAP_KEY_PEAP L"System\\CurrentControlSet\\Services\\Rasman\\PPP\\EAP\\25"
#define PEAP_CRIPPLE_VALUE L"EAPMschapv2Only"
#define PEAP_KEY_EAP L"System\\CurrentControlSet\\Services\\Rasman\\PPP\\EAP"
#define PEAP_REGVAL_PATH L"Path"
#define PEAP_REGVAL_FRIENDLYNAME L"FriendlyName"
#define PEAP_REGVAL_CONFIGDLL L"ConfigUIPath"
#define PEAP_REGVAL_IDENTITYDLL L"IdentityPath"
#define PEAP_REGVAL_INTERACTIVEUIDLL L"InteractiveUIPath"
#define PEAP_REGVAL_CONFIGCLSID L"ConfigCLSID"
#define PEAP_REGVAL_ROLESSUPPORTED L"RolesSupported"
#define PEAP_EAPTYPE_IDENTITY 1
#define PEAP_EAPTYPE_NAK 3
typedef DWORD (APIENTRY * RASEAPFREE)( PBYTE );typedef DWORD (APIENTRY * RASEAPINVOKECONFIGUI)( DWORD, HWND, DWORD, PBYTE, DWORD, PBYTE*, DWORD*);typedef DWORD (APIENTRY * RASEAPGETIDENTITY)( DWORD, HWND, DWORD, const WCHAR*, const WCHAR*, PBYTE, DWORD, PBYTE, DWORD, PBYTE*, DWORD*, WCHAR** );typedef DWORD (APIENTRY * RASEAPINVOKEINTERACTIVEUI)( DWORD, HWND, PBYTE, DWORD, PBYTE *, DWORD *);
//List of all EAP types allowed in PEAP
typedef struct _PEAP_EAP_INFO PEAP_EAP_INFO;typedef struct _PEAP_EAP_INFO* PPEAP_EAP_INFO;
struct _PEAP_EAP_INFO{ //Next one in the list
PPEAP_EAP_INFO pNext; //Type
DWORD dwTypeId; // Path of the protocol DLL
LPWSTR lpwszPath; //Friendly Name
LPWSTR lpwszFriendlyName; //Configuration UI path for client
LPWSTR lpwszConfigUIPath; //Identity UI path
LPWSTR lpwszIdentityUIPath; //Interactive UI path
LPWSTR lpwszInteractiveUIPath; //Configuration GUID
LPWSTR lpwszConfigClsId; //Library HAndle
HMODULE hEAPModule; //Eap Info for each EAP Type
PPP_EAP_INFO PppEapInfo; //Work buffer for each eap type
PBYTE pWorkBuf; // Original Client Config from PEAP blob
PBYTE pbClientConfigOrig; // Client Config Length
DWORD dwClientConfigOrigSize; // New client config
PBYTE pbNewClientConfig; // New client config length
DWORD dwNewClientConfigSize; // Original User Config information
PBYTE pbUserConfigOrig; // Original size of user configuration
DWORD dwUserConfigOrigSize; // New user config
PBYTE pbUserConfigNew; // New user config size
DWORD dwNewUserConfigSize; //
DWORD (APIENTRY *RasEapGetCredentials)( IN DWORD dwTypeId, IN VOID * pWorkBuf, OUT VOID ** pInfo);
//There will be more items in this node...
};
typedef enum _PEAP_STATE{ PEAP_STATE_INITIAL, PEAP_STATE_TLS_INPROGRESS, // PEAP-Part 1 (TLS) is being executed
PEAP_WAITING_FOR_IDENTITY, // Client should expect and identity request
// server should send identity request
PEAP_STATE_IDENTITY_REQUEST_SENT, // identity request send by server
PEAP_STATE_IDENTITY_RESPONSE_SENT, // identity response send to server
PEAP_STATE_EAP_TYPE_INPROGRESS, // PEAP-Part 2 (Embedded EAP) is being
// executed
PEAP_STATE_EAP_TYPE_FINISHED, // sever should send identity request
PEAP_STATE_PEAP_SUCCESS_SEND, // server send PEAP success request
PEAP_STATE_PEAP_FAIL_SEND, // server send PEAP fail request
PEAP_STATE_FAST_ROAMING_IDENTITY_REQUEST// client is not setup to do fast roaming
// and the server send a roaming success
// we replied with fail and are now expecting
// an identity request from server.
} PEAP_STATE;
//
// connection properties for
// each of the peap entries
//
typedef struct _PEAP_ENTRY_CONN_PROPERTIES{ DWORD dwVersion; //Version will be 1 for this release
DWORD dwSize; //Number of bytes in this structure
DWORD dwEapTypeId; //TypeId for this Entry Properties
BYTE bData[1]; //Actual conn properties for the given
//Type Id
}PEAP_ENTRY_CONN_PROPERTIES, *PPEAP_ENTRY_CONN_PROPERTIES;
//
// This structure holds EapTlsConn Prop along with
// each configured eap type.
//
// Allow fast roaming
#define PEAP_CONN_FLAG_FAST_ROAMING 0x00000001
typedef struct _PEAP_CONN_PROPERTIES{ //Version will be 1 for this release
DWORD dwVersion;
//
//Number of bytes in this structure
//
DWORD dwSize;
//Number of types configured in this PEAP
//For now there is only one.
DWORD dwNumPeapTypes;
//Flags
DWORD dwFlags; //Tls Connection Properties to start with - This is a variable length structure
EAPTLS_CONN_PROPERTIES_V1 EapTlsConnProp;
//Array of PPEAP_ENTRY_CONN_PROPERTIES follows here
}PEAP_CONN_PROP, *PPEAP_CONN_PROP;
//
// Default credentials for eaptypes that dont expose
// identity UI
//
typedef struct _PEAP_DEFAULT_CREDENTIALS{ WCHAR wszUserName[UNLEN+1]; WCHAR wszPassword[PWLEN+1]; WCHAR wszDomain[DNLEN+1];}PEAP_DEFAULT_CREDENTIALS, *PPEAP_DEFAULT_CREDENTIALS;//
// user properties for
// each of the peap entries
//
typedef struct _PEAP_ENTRY_USER_PROPERTIES{ DWORD dwVersion; //Version will be 1 for this release
DWORD dwSize; //Number of bytes in this structure
DWORD dwEapTypeId; //TypeId for this Entry Properties
BOOL fUsingPeapDefault; //Default Identity provided by PEAP is being used.
BYTE bData[1]; //Actual User properties for the given
//Type Id
}PEAP_ENTRY_USER_PROPERTIES, *PPEAP_ENTRY_USER_PROPERTIES;
// Allow fast roaming
#define PEAP_USER_FLAG_FAST_ROAMING 0x00000001
typedef struct _PEAP_USER_PROPERTIES{ //Version will be 1 for this release
DWORD dwVersion;
//Number of bytes in this structure
DWORD dwSize; //Flags
DWORD dwFlags;
//Hash for user certificate
EAPTLS_HASH CertHash;
// User properties for an entry
PEAP_ENTRY_USER_PROPERTIES UserProperties; //
// Array of PEAP_ENTRY_USER_PROPERTIES for each eap type.
// should be as many as dwNumPeapTypes in PEAP_CONN_PROP
// structure
// For now there is only one element...
}PEAP_USER_PROP, *PPEAP_USER_PROP;
// We are a router
#define PEAP_CONN_DIALOG_FLAG_ROUTER 0x00000001
#define PEAP_CONN_DIALOG_FLAG_8021x 0x00000002
typedef struct _PEAP_CONN_DIALOG{ DWORD fFlags; // See
// PEAP_CONN_DIALOG_FLAG_*
EAPTLS_CERT_NODE* pCertList; //List of all the root certificates
//from internet trusted root store
EAPTLS_CERT_NODE** ppSelCertList; //List of pointers to selected certs.
//will be as many as num hashes
//in conn prop.
PPEAP_CONN_PROP pConnProp;
PPEAP_EAP_INFO pEapInfo; //List of all the PEAP Eap Types
PPEAP_EAP_INFO pSelEapInfo; //Selected Peap Type
HWND hWndCheckValidateCert; HWND hWndCheckValidateName; HWND hWndEditServerName; HWND hWndStaticRootCaName; HWND hWndListRootCaName; HWND hWndComboPeapType; HWND hWndButtonConfigure; HWND hWndCheckEnableFastReconnect;
} PEAP_CONN_DIALOG, *PPEAP_CONN_DIALOG;
typedef struct _PEAP_SERVER_CONFIG_DIALOG{ EAPTLS_CERT_NODE* pCertList; //List of all certificates in MY machine
//store
EAPTLS_CERT_NODE* pSelCertList; //List of selected cert.
PPEAP_USER_PROP pUserProp; //User properties
PPEAP_USER_PROP pNewUserProp; //New USer Properties
PPEAP_EAP_INFO pEapInfo; //List of all the PEAP Eap Types
PPEAP_EAP_INFO pSelEapInfo; //Selected Peap Type
LPWSTR pwszMachineName;
HWND hWndComboServerName; HWND hWndEditFriendlyName; HWND hWndEditIssuer; HWND hWndEditExpiration; HWND hWndComboPeapType; HWND hWndBtnConfigure; HWND hEndEnableFastReconnect;}PEAP_SERVER_CONFIG_DIALOG, *PPEAP_SERVER_CONFIG_DIALOG;
typedef struct _PEAP_DEFAULT_CRED_DIALOG{ PEAP_DEFAULT_CREDENTIALS PeapDefaultCredentials;
HWND hWndUserName; HWND hWndPassword; HWND hWndDomain;}PEAP_DEFAULT_CRED_DIALOG, *PPEAP_DEFAULT_CRED_DIALOG;
typedef struct _PEAP_INTERACTIVE_UI{ DWORD dwEapTypeId; // Embedded Eap Type Id requesting
// interactive UI
DWORD dwSizeofUIContextData; BYTE bUIContextData[1];}PEAP_INTERACTIVE_UI, *PPEAP_INTERACTIVE_UI;
typedef struct _PEAP_COOKIE_ATTRIBUTE{ RAS_AUTH_ATTRIBUTE_TYPE raaType; DWORD dwLength; BYTE Data[1];}PEAP_COOKIE_ATTRIBUTE, *PPEAP_COOKIE_ATTRIBUTE;
typedef struct _PEAP_COOKIE{ WCHAR awszIdentity[DNLEN+UNLEN+1]; // Outer Identity that was used for
// authentication.
DWORD dwNumAuthAttribs; // Number of Ras Auth Attributes
// other than MPPE keys
// returned when auth succeeded
// with full handshake
BYTE Data[1]; // Data Conn Props + RAS Auth Attribs
}PEAP_COOKIE, *PPEAP_COOKIE;
//PEAP Flags
#define PEAPCB_FLAG_SERVER 0x00000001 // This is a server
#define PEAPCB_FLAG_ROUTER 0x00000002 // This is a router
#define PEAPCB_FLAG_NON_INTERACTIVE 0x00000004 // No UI should be displayed
#define PEAPCB_FLAG_LOGON 0x00000008 // The user data was
// obtained from Winlogon
#define PEAPCB_FLAG_PREVIEW 0x00000010 // User has checked
// "Prompt for information
// before dialing"
#define PEAPCB_FLAG_FIRST_LINK 0x00000020 // This is the first link
#define PEAPCB_FLAG_MACHINE_AUTH 0x00000040 // Use the default machine cert
// or user cert based on the
// application logon context
#define PEAPCB_FLAG_GUEST_ACCESS 0x00000080 // Request to provide guest
// access.
#define PEAPCB_FLAG_8021X_AUTH 0x00000100 // Anything specific to 8021x
// to be done in TLS
#define PEAPCB_VERSION_OK 0x00000200 // version negotiation took place
// and all's ok.
#define PEAPCB_FAST_ROAMING 0x00000400 // Allow fast roaming
typedef struct _PEAP_CONTROL_BLOCK{ PEAP_STATE PeapState; //Current Peap State
DWORD dwFlags; //Peap Flags
HANDLE hTokenImpersonateUser; //Impersonation token.
BYTE bId; //Peap Packet Id
WCHAR awszIdentity[DNLEN+ UNLEN + 1]; WCHAR awszTypeIdentity[DNLEN+ UNLEN + 1]; WCHAR awszPassword[PWLEN+1]; //Type's password if
//send in.
BOOL fTlsConnPropDirty; //Need to save the TLS Conn prop
EAPTLS_CONN_PROPERTIES_V1 * pNewTlsConnProp; BOOL fEntryConnPropDirty; PPEAP_CONN_PROP pConnProp; //Peap Connection Prop
BOOL fTlsUserPropDirty; //Need to saveTLS user prop
BOOL fEntryUserPropDirty; DWORD dwAuthResultCode; //Result of authentication
BOOL fReceivedTLVSuccessFail; //Received a TLV instead of
//a real success or failure
BOOL fSendTLVSuccessforFastRoaming; PPP_EAP_PACKET * pPrevReceivePacket; //Previously received packet
WORD cbPrevReceivePacket; //Number of bytes in previously
//received packet
PBYTE pPrevDecData; //Previously Decrypted packet data
WORD cbPrevDecData; //Data size
//
// Encryption related entries in the control block
//
HCRYPTPROV hProv; //CryptoProvider
//
// following info is used if we use TLS to do encryption
// This is the desired way of doing things since the cipher suite
// is negotiated within TLS
SecPkgContext_StreamSizes PkgStreamSizes; SecPkgContext_ConnectionInfo PkgConnInfo; PBYTE pbIoBuffer; DWORD dwIoBufferLen; //Enc or Dec Data Length
PPEAP_USER_PROP pUserProp; //Peap User Prop
RAS_AUTH_ATTRIBUTE * pTlsUserAttributes; //User Attributes send
//back by EAPTLS
PPEAP_INTERACTIVE_UI pUIContextData; //UI context Data for an eap type
BOOL fInvokedInteractiveUI; //PEAP has invoked interactive UI
BOOL fExecutingInteractiveUI; EAPTLSCB * pEapTlsCB; //Tls Control Block
PPEAP_EAP_INFO pEapInfo; //Eap info - contains all data reqd for
//eap type to function well.
}PEAPCB, * PPEAPCB;
DWORDEapPeapInitialize( IN BOOL fInitialize);
DWORDEapPeapBegin( OUT VOID** ppWorkBuffer, IN PPP_EAP_INPUT* pPppEapInput);
DWORDEapPeapEnd( IN PPEAPCB pPeapCb);
DWORDEapPeapMakeMessage( IN PPEAPCB pPeapCb, IN PPP_EAP_PACKET* pInput, OUT PPP_EAP_PACKET* pOutput, IN DWORD cbSendPacket, OUT PPP_EAP_OUTPUT* pEapOutput, IN PPP_EAP_INPUT* pEapInput);
DWORDEapPeapCMakeMessage( IN PPEAPCB pPeapCb, IN PPP_EAP_PACKET* pReceivePacket, OUT PPP_EAP_PACKET* pSendPacket, IN DWORD cbSendPacket, OUT PPP_EAP_OUTPUT* pEapOutput, IN PPP_EAP_INPUT* pEapInput);
DWORDEapPeapSMakeMessage( IN PPEAPCB pPeapCb, IN PPP_EAP_PACKET* pReceivePacket, OUT PPP_EAP_PACKET* pSendPacket, IN DWORD cbSendPacket, OUT PPP_EAP_OUTPUT* pEapOutput, IN PPP_EAP_INPUT* pEapInput);
//Peap functions from util.c
DWORDPeapReadConnectionData( IN BOOL fWireless, IN BYTE* pConnectionDataIn, IN DWORD dwSizeOfConnectionDataIn, OUT PPEAP_CONN_PROP* ppConnProp);
DWORDPeapReadUserData( IN BYTE* pUserDataIn, IN DWORD dwSizeOfUserDataIn, OUT PPEAP_USER_PROP* ppUserProp);
DWORDPeapReDoUserData ( IN DWORD dwNewTypeId, OUT PPEAP_USER_PROP* ppNewUserProp);
DWORD PeapEapInfoAddListNode (PPEAP_EAP_INFO * ppEapInfo);
VOIDPeapEapInfoFreeList ( PPEAP_EAP_INFO pEapInfo );
DWORDPeapEapInfoExpandSZ (HKEY hkeyPeapType, LPWSTR pwszValue, LPWSTR * ppValueData );
DWORDPeapEapInfoGetList ( LPWSTR lpwszMachineName, PPEAP_EAP_INFO * ppEapInfo);
DWORDPeapEapInfoSetConnData ( PPEAP_EAP_INFO pEapInfo, PPEAP_CONN_PROP pPeapConnProp );
DWORD PeapEapInfoInvokeClientConfigUI ( HWND hWndParent, PPEAP_EAP_INFO pEapInfo, DWORD fFlags);
DWORDPeapGetFirstEntryConnProp ( PPEAP_CONN_PROP pConnProp, PEAP_ENTRY_CONN_PROPERTIES UNALIGNED ** ppEntryProp );
DWORDPeapGetFirstEntryUserProp ( PPEAP_USER_PROP pUserProp, PEAP_ENTRY_USER_PROPERTIES UNALIGNED ** ppEntryProp );
DWORD PeapEapInfoCopyListNode ( DWORD dwTypeId, PPEAP_EAP_INFO pEapInfoList, PPEAP_EAP_INFO * ppEapInfo );
DWORDPeapEapInfoFindListNode ( DWORD dwTypeId, PPEAP_EAP_INFO pEapInfoList, PPEAP_EAP_INFO * ppEapInfo );
DWORD PeapEapInfoInvokeIdentityUI ( HWND hWndParent, PPEAP_EAP_INFO pEapInfo, const WCHAR * pwszPhoneBook, const WCHAR * pwszEntry, PBYTE pbUserDataIn, DWORD cbUserDataIn, WCHAR** ppwszIdentityOut, DWORD fFlags);
#ifdef __cplusplus
extern "C"#endif
DWORD PeapEapInfoInvokeServerConfigUI ( HWND hWndParent, LPWSTR lpwszMachineName, PPEAP_EAP_INFO pEapInfo );
DWORDOpenPeapRegistryKey( IN WCHAR* pwszMachineName, IN REGSAM samDesired, OUT HKEY* phKeyPeap);
DWORDPeapServerConfigDataIO( IN BOOL fRead, IN WCHAR* pwszMachineName, IN OUT BYTE** ppData, IN DWORD dwNumBytes);
INT_PTR CALLBACKPeapConnDialogProc( IN HWND hWnd, IN UINT unMsg, IN WPARAM wParam, IN LPARAM lParam);
INT_PTR CALLBACKPeapServerDialogProc( IN HWND hWnd, IN UINT unMsg, IN WPARAM wParam, IN LPARAM lParam);
INT_PTR CALLBACKDefaultCredDialogProc( IN HWND hWnd, IN UINT unMsg, IN WPARAM wParam, IN LPARAM lParam);
DWORDGetIdentityFromUserName ( LPWSTR lpszUserName,LPWSTR lpszDomain,LPWSTR * ppwszIdentity);
BOOL FFormatUserIdentity ( LPWSTR lpszUserNameRaw, LPWSTR * lppszUserNameFormatted );
DWORDGetLocalMachineName ( OUT WCHAR ** ppLocalMachineName);BOOLIsPeapCrippled(HKEY hKeyLM);
/////////////////////////////////////////////////////////
// XPSP1 related stuff
/////////////////////////////////////////////////////////
HINSTANCEGetResouceDLLHInstance( VOID);
#endif // #ifndef _EAPTLS_H_
|
