Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1474 lines
44 KiB

/*
Copyright (c) 1997, Microsoft Corporation, all rights reserved
File:
eaptls.h
Description:
PPP EAP TLS Authentication Protocol. Based on RFC xxxx.
History:
Oct 9, 1997: Vijay Baliga created original version.
*/
#ifndef _EAPTLS_H_
#define _EAPTLS_H_
#define EAPTLS_KEY_13 L"System\\CurrentControlSet\\Services\\Rasman\\PPP\\EAP\\13"
#define EAPTLS_VAL_SERVER_CONFIG_DATA L"ServerConfigData"
#define EAPTLS_VAL_MAX_TLS_MESSAGE_LENGTH L"MaxTLSMessageLength"
#define EAPTLS_VAL_IGNORE_NO_REVOCATION_CHECK L"IgnoreNoRevocationCheck"
#define EAPTLS_VAL_IGNORE_REVOCATION_OFFLINE L"IgnoreRevocationOffline"
#define EAPTLS_VAL_NO_ROOT_REVOCATION_CHECK L"NoRootRevocationCheck"
#define EAPTLS_VAL_NO_REVOCATION_CHECK L"NoRevocationCheck"
#define EAPTLS_8021x_PIN_DATA_DESCR L"starcehvionrsf"
#define MAX_HASH_SIZE 20 // Certificate hash size
// EAPTLS_PACKET flags
#define EAPTLS_PACKET_FLAG_LENGTH_INCL 0x80
#define EAPTLS_PACKET_FLAG_MORE_FRAGMENTS 0x40
#define EAPTLS_PACKET_FLAG_TLS_START 0x20
//
// Versioning for PEAP. This will include the highest and lowest
// supported versions
//
#define EAPTLS_PACKET_HIGHEST_SUPPORTED_VERSION 0x00
#define EAPTLS_PACKET_LOWEST_SUPPORTED_VERSION 0x00
#define EAPTLS_PACKET_CURRENT_VERSION 0x00
typedef struct _EAPTLS_PACKET
{
BYTE bCode; // See EAPCODE_*
BYTE bId; // Id of this packet
BYTE pbLength[2]; // Length of this packet
BYTE bType; // Should be PPP_EAP_TLS
// (only for Request, Response)
BYTE bFlags; // See EAPTLS_PACKET_FLAG_*
// (only for Request, Response)
BYTE pbData[1]; // Data
// (only for Request, Response)
} EAPTLS_PACKET;
#define EAPTLS_PACKET_HDR_LEN (sizeof(EAPTLS_PACKET) - 1)
// The largest EAP TLS header has 4 more octects for TLS blob size
#define EAPTLS_PACKET_HDR_LEN_MAX (EAPTLS_PACKET_HDR_LEN + 4)
// EAP TLS states
typedef enum EAPTLS_STATE
{
EAPTLS_STATE_INITIAL,
EAPTLS_STATE_SENT_START, // Server only
EAPTLS_STATE_SENT_HELLO,
EAPTLS_STATE_SENT_FINISHED,
EAPTLS_STATE_RECD_FINISHED, // Client only
EAPTLS_STATE_SENT_RESULT, // Server only
EAPTLS_STATE_RECD_RESULT, // Client only
EAPTLS_STATE_WAIT_FOR_USER_OK // Client only
} EAPTLS_STATE;
// Highest number we can handle
#define EAPTLS_STATE_LIMIT EAPTLS_STATE_RECD_RESULT
typedef struct _EAPTLS_HASH
{
DWORD cbHash; // Number of bytes in the hash
BYTE pbHash[MAX_HASH_SIZE]; // The hash of a certificate
} EAPTLS_HASH;
// Values of the EAPTLS_CONN_PROPERTIES->fFlags field
// Use a certificate on this machine
#define EAPTLS_CONN_FLAG_REGISTRY 0x00000001
// Do not validate server cert
#define EAPTLS_CONN_FLAG_NO_VALIDATE_CERT 0x00000002
// Do not Validate server name
#define EAPTLS_CONN_FLAG_NO_VALIDATE_NAME 0x00000004
// Send a different EAP Identity
#define EAPTLS_CONN_FLAG_DIFF_USER 0x00000008
// User simple cert selection logic
#define EAPTLS_CONN_FLAG_SIMPLE_CERT_SEL 0x00000010
#define EAPTLS_CONN_PROP_WATERMARK 0xBEEFFEEB
//
// EAPTLS_CONN_PROPERTIES + EAPTLS_CONN_PROPERTIES_V1_EXTRA
// are send back to the calling application. However, internally
// EAPTLS_CONN_PROPERTIES_V1 is used.
//
typedef struct _EAPTLS_CONN_PROPERTIES
{
DWORD dwVersion; //Version will be 1 for this release
DWORD dwSize; // Number of bytes in this structure
DWORD fFlags; // See EAPTLS_CONN_FLAG_*
EAPTLS_HASH Hash; // Hash of the first certificate
WCHAR awszServerName[1]; // server name of the first server
} EAPTLS_CONN_PROPERTIES;
//
// This is a very messy way of doing things
// but cannot help it because the verion
// checking on the data structure was not
// done to begin with. Hopefully some day
// we will be able to get away from this
// deal. Other part of the story is CM is
// unable to create targetted connectoids.
// So we have to carry this structure going
// ahead unless CM is smart about targetted
// connectoids.
//
// Additional stuff required in
// version 1 of data structure
//
typedef struct _EAPTLS_CONN_PROPERTIES_V1_EXTRA
{
DWORD dwNumHashes; // Number of Hashes in the
// structure including the one
// in v0 struct above
BYTE bData[1]; // Data - contains an array of
// EAPTLS_HASH structures followed by
// a string specifying server names
// minus the first server
}EAPTLS_CONN_PROPERTIES_V1_EXTRA;
//The new v1.0 structure used internally
typedef struct _EAPTLS_CONN_PROPERTIES_V1
{
DWORD dwVersion; // Version will be 1 for this release
DWORD dwSize; // Number of bytes in this structure
DWORD fFlags; // See EAPTLS_CONN_FLAG_*
DWORD dwNumHashes; // Number of hash structures in the list
BYTE bData[1]; // Data - contains an array of
// EAPTLS_HASH structures followed by
// a string specifying server name
}EAPTLS_CONN_PROPERTIES_V1;
// The old 'PIN must be saved' flag
#define EAPTLS_USER_FLAG_OLD_SAVE_PIN 0x00000001
// The PIN must be saved
#define EAPTLS_USER_FLAG_SAVE_PIN 0x00000002
typedef struct _EAPTLS_USER_PROPERTIES
{
DWORD reserved; // Must be 0 (compare with EAPLOGONINFO)
DWORD dwVersion;
DWORD dwSize; // Number of bytes in this structure
DWORD fFlags; // See EAPTLS_USER_FLAG_*
EAPTLS_HASH Hash; // Hash for the user certificate
WCHAR* pwszDiffUser; // The EAP Identity to send
DWORD dwPinOffset; // Offset in abData
WCHAR* pwszPin; // The smartcard PIN
USHORT usLength; // Part of UnicodeString
USHORT usMaximumLength; // Part of UnicodeString
UCHAR ucSeed; // To unlock the UnicodeString
WCHAR awszString[1]; // Storage for pwszDiffUser and pwszPin
} EAPTLS_USER_PROPERTIES;
typedef struct _EAPTLS_PIN
{
WCHAR *pwszPin;
USHORT usLength;
USHORT usMaximumLength;
UCHAR ucSeed;
} EAPTLS_PIN;
// Values of the EAPTLSCB->fFlags field
// We are the server
#define EAPTLSCB_FLAG_SERVER 0x00000001
// We are a router
#define EAPTLSCB_FLAG_ROUTER 0x00000002
// The call is happening during logon
#define EAPTLSCB_FLAG_LOGON 0x00000004
// Negotiation is complete, and so far appears successful. A server may get a
// TLS Alert message from the client at this point, in which case it will
// realize that the negotiation was unsuccessful. However, a client never
// changes its mind.
#define EAPTLSCB_FLAG_SUCCESS 0x00000008
// The peer has a large blob to send. So it has divided it into fragments
#define EAPTLSCB_FLAG_RECEIVING_FRAGMENTS 0x00000010
// Keeps track of whether we need to call FreeCredentialsHandle(hCredential)
#define EAPTLSCB_FLAG_HCRED_INVALID 0x00000020
// Keeps track of whether we need to call DeleteSecurityContext(hContext)
#define EAPTLSCB_FLAG_HCTXT_INVALID 0x00000040
// We are not allowed to display any UI
#define EAPTLSCB_FLAG_NON_INTERACTIVE 0x00000080
// This is the first link in a multilink bundle. This is not a callback.
#define EAPTLSCB_FLAG_FIRST_LINK 0x00000100
// The user data was obtained from Winlogon
#define EAPTLSCB_FLAG_WINLOGON_DATA 0x00000200
// We are doing Machine Authentication
#define EAPTLSCB_FLAG_MACHINE_AUTH 0x00000400
// We are providing guest access
#define EAPTLSCB_FLAG_GUEST_ACCESS 0x00000800
//We want to do something specific to 8021x auth
#define EAPTLSCB_FLAG_8021X_AUTH 0x00001000
//We are using cached credentials
#define EAPTLSCB_FLAG_USING_CACHED_CREDS 0x00002000
//We are running in PEAP context
#define EAPTLSCB_FLAG_EXECUTING_PEAP 0x00004000
// The EAP TLS work buffer
typedef struct _EAPTLS_CONTROL_BLOCK
{
EAPTLS_STATE EapTlsState;
DWORD fFlags; // See EAPTLSCB_FLAG_*
HANDLE hTokenImpersonateUser; // Client only
WCHAR awszIdentity[UNLEN + 1];// Server only
RAS_AUTH_ATTRIBUTE* pAttributes; // Username or MPPE key
EAPTLS_CONN_PROPERTIES_V1* pConnProp; // Client only
EAPTLS_CONN_PROPERTIES_V1 * pNewConnProp;// Client only
EAPTLS_USER_PROPERTIES* pUserProp;
// Client only, EAPTLSCB_FLAG_LOGON only
BYTE* pUserData;
DWORD dwSizeOfUserData;
PCCERT_CONTEXT pCertContext;
CredHandle hCredential; // The credentials handle
CtxtHandle hContext; // The context handle
ULONG fContextReq; // Required context attributes
BYTE* pbBlobIn; // TLS blob received from the peer
DWORD cbBlobIn; // Number of bytes in the TLS blob
// received from the peer
DWORD cbBlobInBuffer; // Number of bytes allocated for the
// pbBlobIn buffer
DWORD dwBlobInRemining; // We are receiving fragments from
// the peer and the peer has
// promised to send dwBlobInRemining
// more bytes
BYTE* pbBlobOut; // TLS blob created for the peer
DWORD cbBlobOut; // Number of bytes in the TLS blob
// created for the peer
DWORD cbBlobOutBuffer; // Number of bytes allocated for the
// pbBlobOut buffer
DWORD dwBlobOutOffset; // Pointer to the first byte in
// pbBlobOut that has to be sent
DWORD dwBlobOutOffsetNew; // Update dwBlobOutOffset to this
// value when the peer confirms
// receipt of the previous packet
BYTE bCode; // bCode of the last packet sent
BYTE bId; // bId of the last packet sent
DWORD dwAuthResultCode; // The error code that we get when
// the negotiation is complete
EAPTLS_PIN *pSavedPin; //
HANDLE hEventLog;
BYTE* pUIContextData;
BYTE bNextId; // Saved when we raise UI
EAPTLS_PACKET ReceivePacket; // Saved when we go off to get PIN
} EAPTLSCB;
typedef struct _EAPTLS_CERT_NODE EAPTLS_CERT_NODE;
struct _EAPTLS_CERT_NODE
{
EAPTLS_CERT_NODE* pNext;
EAPTLS_HASH Hash;
WCHAR* pwszDisplayName;
WCHAR* pwszFriendlyName;
WCHAR* pwszIssuer;
WCHAR* pwszExpiration;
//
// New fields added vivekk
//
FILETIME IssueDate;
#if 0
WCHAR* pwszIssuedTo;
WCHAR* pwszIssuedBy;
#endif
};
// Values of the EAPTLS_CONN_DIALOG->fFlags field
// We are a router
#define EAPTLS_CONN_DIALOG_FLAG_ROUTER 0x00000001
#define EAPTLS_CONN_DIALOG_FLAG_READONLY 0x00000002
typedef struct _EAPTLS_CONN_DIALOG
{
DWORD fFlags; // See
// EAPTLS_CONN_DIALOG_FLAG_*
EAPTLS_CERT_NODE* pCertList; //List of all the root certificates
//from internet trusted root store
EAPTLS_CERT_NODE** ppSelCertList; //List of pointers to selected certs.
//will be as many as num hashes
//in conn prop.
EAPTLS_CONN_PROPERTIES* pConnProp; // ConfigData in phonebook
EAPTLS_CONN_PROPERTIES_V1 * pConnPropv1; // Version 1.0 config data
HWND hWndRadioUseCard;
HWND hWndRadioUseRegistry;
HWND hWndCheckValidateCert;
HWND hWndCheckValidateName;
HWND hWndEditServerName;
HWND hWndStaticRootCaName;
//HWND hWndComboRootCaName; //This will go away
HWND hWndListRootCaName; //This is the new list
HWND hWndCheckDiffUser;
HWND hWndCheckUseSimpleSel;
HWND hWndViewCertDetails;
} EAPTLS_CONN_DIALOG;
// Values of the EAPTLS_USER_DIALOG->fFlags field
// We need to send a different EAP Identity
#define EAPTLS_USER_DIALOG_FLAG_DIFF_USER 0x00000001
// We need to change the title
#define EAPTLS_USER_DIALOG_FLAG_DIFF_TITLE 0x00000002
//USe simple cert selection
#define EAPTLS_USER_DIALOG_FLAG_USE_SIMPLE_CERTSEL 0x00000004
//
// Nodes are grouped by displayname
//
typedef struct _EAPTLS_GROUPED_CERT_NODES EAPTLS_GROUPED_CERT_NODES;
typedef struct _EAPTLS_GROUPED_CERT_NODES* PEAPTLS_GROUPED_CERT_NODES;
struct _EAPTLS_GROUPED_CERT_NODES
{
PEAPTLS_GROUPED_CERT_NODES pNext;
WCHAR* pwszDisplayName;
//Most current one in the colation...
EAPTLS_CERT_NODE* pMostRecentCert;
};
typedef struct _EAPTLS_USER_DIALOG
{
DWORD fFlags; // See
// EAPTLS_USER_DIALOG_FLAG_*
EAPTLS_CERT_NODE* pCertList;
EAPTLS_CERT_NODE* pCert;
PEAPTLS_GROUPED_CERT_NODES pGroupedList;
EAPTLS_USER_PROPERTIES* pUserProp; // UserData in registry
const WCHAR* pwszEntry;
const WCHAR* pwszStoreName;
BOOL fIdentity; //Identity UI is being shown here
HWND hWndComboUserName;
HWND hWndBtnViewCert;
// These are required for the server's certificate selection
HWND hWndEditFriendlyName;
HWND hWndEditIssuer;
HWND hWndEditExpiration;
HWND hWndStaticDiffUser;
HWND hWndEditDiffUser;
} EAPTLS_USER_DIALOG;
// Values of the EAPTLS_PIN_DIALOG->fFlags field
// We need to send a different EAP Identity
#define EAPTLS_PIN_DIALOG_FLAG_DIFF_USER 0x00000001
// The UI is coming up before Logon
#define EAPTLS_PIN_DIALOG_FLAG_LOGON 0x00000002
#define EAPTLS_PIN_DIALOG_FLAG_ROUTER 0x00000004
typedef struct _EAPTLS_PIN_DIALOG
{
DWORD fFlags; // See
// EAPTLS_PIN_DIALOG_FLAG_*
EAPTLS_USER_PROPERTIES* pUserProp; // UserData in registry
const WCHAR* pwszEntry;
PCCERT_CONTEXT pCertContext; //Certificate Context for selected certificate.
DWORD dwRetCode; //Return Code of Validate PIN operation.
HWND hWndStaticDiffUser;
HWND hWndEditDiffUser;
HWND hWndStaticPin;
HWND hWndEditPin;
} EAPTLS_PIN_DIALOG;
#define NUM_CHARS_TITLE 100
typedef struct _EAPTLS_VALIDATE_SERVER
{
DWORD dwSize;
DWORD fShowCertDetails;
EAPTLS_HASH Hash; //Hash of the root certificate to show details
WCHAR awszTitle[NUM_CHARS_TITLE];
WCHAR awszWarning[1];
} EAPTLS_VALIDATE_SERVER;
#ifdef ALLOC_EAPTLS_GLOBALS
DWORD g_dwEapTlsTraceId = INVALID_TRACEID;
int g_nEapTlsClientNextState[] =
{
EAPTLS_STATE_SENT_HELLO,
EAPTLS_STATE_INITIAL, // Impossible
EAPTLS_STATE_SENT_FINISHED,
EAPTLS_STATE_RECD_FINISHED,
EAPTLS_STATE_RECD_RESULT,
EAPTLS_STATE_INITIAL, // Impossible
EAPTLS_STATE_RECD_RESULT,
EAPTLS_STATE_RECD_FINISHED
};
int g_nEapTlsServerNextState[] =
{
EAPTLS_STATE_SENT_START,
EAPTLS_STATE_SENT_HELLO,
EAPTLS_STATE_SENT_FINISHED,
EAPTLS_STATE_SENT_RESULT,
EAPTLS_STATE_INITIAL, // Impossible
EAPTLS_STATE_SENT_RESULT,
EAPTLS_STATE_INITIAL, // Impossible
EAPTLS_STATE_INITIAL, // Impossible
};
CHAR *g_szEapTlsState[] =
{
"Initial",
"SentStart",
"SentHello",
"SentFinished",
"RecdFinished",
"SentResult",
"RecdResult",
"WaitForUserOK",
};
#else // !ALLOC_EAPTLS_GLOBALS
extern DWORD g_dwEapTlsTraceId;
#endif // ALLOC_EAPTLS_GLOBALS
// Prototypes for functions in util.c
VOID
EapTlsTrace(
IN CHAR* Format,
...
);
DWORD
EapTlsInitialize2(
IN BOOL fInitialize,
IN BOOL fUI
);
DWORD
EapTlsInitialize(
IN BOOL fInitialize
);
VOID
EncodePin(
IN EAPTLS_USER_PROPERTIES* pUserProp
);
VOID
DecodePin(
IN EAPTLS_USER_PROPERTIES* pUserProp
);
BOOL
FFormatMachineIdentity1 (
LPWSTR lpszMachineNameRaw,
LPWSTR * lppszMachineNameFormatted );
BOOL
FFormatMachineIdentity (
IN LPWSTR lpszMachineNameRaw,
OUT LPWSTR * lppszMachineNameFormatted );
BOOL
FCertToStr(
IN PCCERT_CONTEXT pCertContext,
IN DWORD fFlags,
IN BOOL fMachineCert,
OUT WCHAR** ppwszName
);
BOOL
FMachineAuthCertToStr (
IN PCCERT_CONTEXT pCertContext,
OUT WCHAR ** ppwszName
);
BOOL
FGetFriendlyName(
IN PCCERT_CONTEXT pCertContext,
OUT WCHAR** ppwszName
);
BOOL
FSmartCardReaderInstalled(
VOID
);
DWORD DwGetEKUUsage (
IN PCCERT_CONTEXT pCertContext,
OUT PCERT_ENHKEY_USAGE * ppUsage
);
BOOL
FCheckUsage(
IN PCCERT_CONTEXT pCertContext,
IN PCERT_ENHKEY_USAGE pUsage,
IN BOOL fMachine
);
BOOL
FCheckSCardCertAndCanOpenSilentContext (
IN PCCERT_CONTEXT pCertContext
);
BOOL
FCheckCSP(
IN PCCERT_CONTEXT pCertContext
);
BOOL
FCheckTimeValidity(
IN PCCERT_CONTEXT pCertContext
);
DWORD DwCheckCertPolicy (
IN PCCERT_CONTEXT pCertContextUser,
OUT PCCERT_CHAIN_CONTEXT * ppCertChainContext
);
DWORD
GetRootCertHashAndNameVerifyChain(
IN PCERT_CONTEXT pCertContextServer,
OUT EAPTLS_HASH* pHash,
OUT WCHAR** ppwszName,
IN BOOL fVerifyGP,
OUT BOOL * pfRootCheckRequired
);
DWORD
ServerConfigDataIO(
IN BOOL fRead,
IN WCHAR* pwszMachineName,
IN OUT BYTE** ppData,
IN DWORD dwNumBytes
);
VOID
FreeCertList(
IN EAPTLS_CERT_NODE* pNode
);
VOID
CreateCertList(
IN BOOL fServer,
IN BOOL fRouter,
IN BOOL fRoot,
OUT EAPTLS_CERT_NODE** ppCertList,
OUT EAPTLS_CERT_NODE** ppCert,
IN DWORD dwNumHashStructs,
IN EAPTLS_HASH* pHash,
IN WCHAR* pwszStoreName
);
DWORD
GetDefaultClientMachineCert(
IN HCERTSTORE hCertStore,
OUT PCCERT_CONTEXT* ppCertContext
);
DWORD
GetDefaultMachineCert(
IN HCERTSTORE hCertStore,
OUT PCCERT_CONTEXT* ppCertContext
);
DWORD
GetCertFromLogonInfo(
IN BYTE* pUserDataIn,
IN DWORD dwSizeOfUserDataIn,
OUT PCCERT_CONTEXT* ppCertContext
);
DWORD
GetIdentityFromLogonInfo(
IN BYTE* pUserDataIn,
IN DWORD dwSizeOfUserDataIn,
OUT WCHAR** ppwszIdentity
);
DWORD
ReadConnectionData(
IN BOOL fWireless,
IN BYTE* pConnectionDataIn,
IN DWORD dwSizeOfConnectionDataIn,
OUT EAPTLS_CONN_PROPERTIES** ppConnProp
);
DWORD
ReadUserData(
IN BYTE* pUserDataIn,
IN DWORD dwSizeOfUserDataIn,
OUT EAPTLS_USER_PROPERTIES** ppUserProp
);
DWORD
AllocUserDataWithNewIdentity(
IN EAPTLS_USER_PROPERTIES* pUserProp,
IN WCHAR* pwszIdentity,
OUT EAPTLS_USER_PROPERTIES** ppUserProp
);
DWORD
AllocUserDataWithNewPin(
IN EAPTLS_USER_PROPERTIES* pUserProp,
IN PBYTE pbzPin,
IN DWORD cbPin,
OUT EAPTLS_USER_PROPERTIES** ppUserProp
);
WCHAR*
WszFromId(
IN HINSTANCE hInstance,
IN DWORD dwStringId
);
// Prototypes for functions in eaptls.c
DWORD
EapTlsBegin(
OUT VOID** ppWorkBuffer,
IN PPP_EAP_INPUT* pPppEapInput
);
DWORD
EapTlsEnd(
IN EAPTLSCB* pEapTlsCb
);
DWORD
EapTlsMakeMessage(
IN EAPTLSCB* pEapTlsCb,
IN PPP_EAP_PACKET* pInput,
OUT PPP_EAP_PACKET* pOutput,
IN DWORD cbSendPacket,
OUT PPP_EAP_OUTPUT* pEapOutput,
IN PPP_EAP_INPUT* pEapInput
);
DWORD
GetCredentials(
IN EAPTLSCB* pEapTlsCb
);
DWORD
EapTlsCMakeMessage(
IN EAPTLSCB* pEapTlsCb,
IN EAPTLS_PACKET* pReceivePacket,
OUT EAPTLS_PACKET* pSendPacket,
IN DWORD cbSendPacket,
OUT PPP_EAP_OUTPUT* pEapOutput,
IN PPP_EAP_INPUT* pEapInput
);
DWORD
EapTlsSMakeMessage(
IN EAPTLSCB* pEapTlsCb,
IN EAPTLS_PACKET* pReceivePacket,
OUT EAPTLS_PACKET* pSendPacket,
IN DWORD cbSendPacket,
OUT PPP_EAP_OUTPUT* pEapOutput,
IN PPP_EAP_INPUT* pEapInput
);
// Prototypes for functions in scard.c
DWORD
GetCertFromCard(
OUT PCCERT_CONTEXT* ppCertContext
);
VOID
FreeScardDlgDll(
VOID
);
// Prototypes for functions in eapui.cpp
HINSTANCE
GetHInstance(
VOID
);
// Prototypes for functions in dialog.c
VOID
GetString(
IN HWND hwndParent,
IN UINT ID,
IN OUT WCHAR** ppwszString
);
//
//Prototypes in eaptls.c
//
DWORD
AssociatePinWithCertificate(
IN PCCERT_CONTEXT pCertContext,
IN EAPTLS_USER_PROPERTIES* pUserProp,
IN BOOL fErarePIN,
IN BOOL fCheckNullPin
);
DWORD EncryptData
(
IN PBYTE pbPlainData,
IN DWORD cbPlainData,
OUT PBYTE * ppEncData,
OUT DWORD * pcbEncData
);
//
// Prototypes of functions in util.c
//
DWORD GetMBytePIN ( WCHAR * pwszPIN, CHAR ** ppszPIN );
DWORD VerifyCallerTrust ( void * callersaddress );
#if 0
//
//This function get's the hash blob
//deposited by Group Policy in the registry
//
DWORD
ReadGPCARootHashes(
DWORD *pdwSizeOfRootHashBlob,
PBYTE *ppbRootHashBlob
);
#endif
//
// These functions are around the cludgy
// CONN PROP structure.
//
EAPTLS_CONN_PROPERTIES_V1_EXTRA UNALIGNED * ConnPropGetExtraPointer (EAPTLS_CONN_PROPERTIES * pConnProp);
DWORD ConnPropGetNumHashes(EAPTLS_CONN_PROPERTIES * pConnProp );
void ConnPropSetNumHashes(EAPTLS_CONN_PROPERTIES * pConnProp, DWORD dwNumHashes );
DWORD ConnPropGetV1Struct ( EAPTLS_CONN_PROPERTIES * pConnProp, EAPTLS_CONN_PROPERTIES_V1 ** ppConnPropv1 );
DWORD ConnPropGetV0Struct ( EAPTLS_CONN_PROPERTIES_V1 * pConnPropv1, EAPTLS_CONN_PROPERTIES ** ppConnProp );
void ShowCertDetails ( HWND hWnd, HCERTSTORE hStore, PCCERT_CONTEXT pCertContext);
//////////////////////////All Peap Related Declarations /////////////////////
//
// PEAP Message Types
//
//
//TBD: Check with IANA ( ashwinp ) what the type will be.
#define PEAP_TYPE_AVP 0x21
//
// TLV Format is:
// Flags - 2bits
// Type - 14 bits
// Length - 2 octets
// Value - Variable
//
// TLV Flags
//
#define PEAP_AVP_FLAG_MANDATORY 0x80
//
// TLV types are of following types
//
// Status TLV. Tell's if the outcome of the EAP is success
// or failure.
//
#define MS_PEAP_AVP_LANGUAGE_NEGOTIATE 0x01
#define MS_PEAP_AVP_CIPHERSUITE_NEGOTIATE 0x02
#define MS_PEAP_AVP_TYPE_STATUS 0x03
//
// Values possible in Status AVP
//
#define MS_PEAP_AVP_VALUE_SUCCESS 0x1
#define MS_PEAP_AVP_VALUE_FAILURE 0x2
// PEAP Reg Keys
#define PEAP_KEY_25 L"System\\CurrentControlSet\\Services\\Rasman\\PPP\\EAP\\25"
#define PEAP_VAL_SERVER_CONFIG_DATA L"ServerConfigData"
//
// This key is required for include only MSCHAPv2. IF this is missing all protocols will be included in PEAP
// except PEAP itself
//
#define PEAP_KEY_PEAP L"System\\CurrentControlSet\\Services\\Rasman\\PPP\\EAP\\25"
#define PEAP_CRIPPLE_VALUE L"EAPMschapv2Only"
#define PEAP_KEY_EAP L"System\\CurrentControlSet\\Services\\Rasman\\PPP\\EAP"
#define PEAP_REGVAL_PATH L"Path"
#define PEAP_REGVAL_FRIENDLYNAME L"FriendlyName"
#define PEAP_REGVAL_CONFIGDLL L"ConfigUIPath"
#define PEAP_REGVAL_IDENTITYDLL L"IdentityPath"
#define PEAP_REGVAL_INTERACTIVEUIDLL L"InteractiveUIPath"
#define PEAP_REGVAL_CONFIGCLSID L"ConfigCLSID"
#define PEAP_REGVAL_ROLESSUPPORTED L"RolesSupported"
#define PEAP_EAPTYPE_IDENTITY 1
#define PEAP_EAPTYPE_NAK 3
typedef DWORD (APIENTRY * RASEAPFREE)( PBYTE );
typedef DWORD (APIENTRY * RASEAPINVOKECONFIGUI)( DWORD, HWND, DWORD, PBYTE, DWORD, PBYTE*, DWORD*);
typedef DWORD (APIENTRY * RASEAPGETIDENTITY)( DWORD, HWND, DWORD, const WCHAR*, const WCHAR*, PBYTE, DWORD, PBYTE, DWORD, PBYTE*, DWORD*, WCHAR** );
typedef DWORD (APIENTRY * RASEAPINVOKEINTERACTIVEUI)(
DWORD,
HWND,
PBYTE,
DWORD,
PBYTE *,
DWORD *);
//List of all EAP types allowed in PEAP
typedef struct _PEAP_EAP_INFO PEAP_EAP_INFO;
typedef struct _PEAP_EAP_INFO* PPEAP_EAP_INFO;
struct _PEAP_EAP_INFO
{
//Next one in the list
PPEAP_EAP_INFO pNext;
//Type
DWORD dwTypeId;
// Path of the protocol DLL
LPWSTR lpwszPath;
//Friendly Name
LPWSTR lpwszFriendlyName;
//Configuration UI path for client
LPWSTR lpwszConfigUIPath;
//Identity UI path
LPWSTR lpwszIdentityUIPath;
//Interactive UI path
LPWSTR lpwszInteractiveUIPath;
//Configuration GUID
LPWSTR lpwszConfigClsId;
//Library HAndle
HMODULE hEAPModule;
//Eap Info for each EAP Type
PPP_EAP_INFO PppEapInfo;
//Work buffer for each eap type
PBYTE pWorkBuf;
// Original Client Config from PEAP blob
PBYTE pbClientConfigOrig;
// Client Config Length
DWORD dwClientConfigOrigSize;
// New client config
PBYTE pbNewClientConfig;
// New client config length
DWORD dwNewClientConfigSize;
// Original User Config information
PBYTE pbUserConfigOrig;
// Original size of user configuration
DWORD dwUserConfigOrigSize;
// New user config
PBYTE pbUserConfigNew;
// New user config size
DWORD dwNewUserConfigSize;
//
DWORD (APIENTRY *RasEapGetCredentials)(
IN DWORD dwTypeId,
IN VOID * pWorkBuf,
OUT VOID ** pInfo);
//There will be more items in this node...
};
typedef enum _PEAP_STATE
{
PEAP_STATE_INITIAL,
PEAP_STATE_TLS_INPROGRESS, // PEAP-Part 1 (TLS) is being executed
PEAP_WAITING_FOR_IDENTITY, // Client should expect and identity request
// server should send identity request
PEAP_STATE_IDENTITY_REQUEST_SENT, // identity request send by server
PEAP_STATE_IDENTITY_RESPONSE_SENT, // identity response send to server
PEAP_STATE_EAP_TYPE_INPROGRESS, // PEAP-Part 2 (Embedded EAP) is being
// executed
PEAP_STATE_EAP_TYPE_FINISHED, // sever should send identity request
PEAP_STATE_PEAP_SUCCESS_SEND, // server send PEAP success request
PEAP_STATE_PEAP_FAIL_SEND, // server send PEAP fail request
PEAP_STATE_FAST_ROAMING_IDENTITY_REQUEST// client is not setup to do fast roaming
// and the server send a roaming success
// we replied with fail and are now expecting
// an identity request from server.
} PEAP_STATE;
//
// connection properties for
// each of the peap entries
//
typedef struct _PEAP_ENTRY_CONN_PROPERTIES
{
DWORD dwVersion; //Version will be 1 for this release
DWORD dwSize; //Number of bytes in this structure
DWORD dwEapTypeId; //TypeId for this Entry Properties
BYTE bData[1]; //Actual conn properties for the given
//Type Id
}PEAP_ENTRY_CONN_PROPERTIES, *PPEAP_ENTRY_CONN_PROPERTIES;
//
// This structure holds EapTlsConn Prop along with
// each configured eap type.
//
// Allow fast roaming
#define PEAP_CONN_FLAG_FAST_ROAMING 0x00000001
typedef struct _PEAP_CONN_PROPERTIES
{
//Version will be 1 for this release
DWORD dwVersion;
//
//Number of bytes in this structure
//
DWORD dwSize;
//Number of types configured in this PEAP
//For now there is only one.
DWORD dwNumPeapTypes;
//Flags
DWORD dwFlags;
//Tls Connection Properties to start with - This is a variable length structure
EAPTLS_CONN_PROPERTIES_V1 EapTlsConnProp;
//Array of PPEAP_ENTRY_CONN_PROPERTIES follows here
}PEAP_CONN_PROP, *PPEAP_CONN_PROP;
//
// Default credentials for eaptypes that dont expose
// identity UI
//
typedef struct _PEAP_DEFAULT_CREDENTIALS
{
WCHAR wszUserName[UNLEN+1];
WCHAR wszPassword[PWLEN+1];
WCHAR wszDomain[DNLEN+1];
}PEAP_DEFAULT_CREDENTIALS, *PPEAP_DEFAULT_CREDENTIALS;
//
// user properties for
// each of the peap entries
//
typedef struct _PEAP_ENTRY_USER_PROPERTIES
{
DWORD dwVersion; //Version will be 1 for this release
DWORD dwSize; //Number of bytes in this structure
DWORD dwEapTypeId; //TypeId for this Entry Properties
BOOL fUsingPeapDefault; //Default Identity provided by PEAP is being used.
BYTE bData[1]; //Actual User properties for the given
//Type Id
}PEAP_ENTRY_USER_PROPERTIES, *PPEAP_ENTRY_USER_PROPERTIES;
// Allow fast roaming
#define PEAP_USER_FLAG_FAST_ROAMING 0x00000001
typedef struct _PEAP_USER_PROPERTIES
{
//Version will be 1 for this release
DWORD dwVersion;
//Number of bytes in this structure
DWORD dwSize;
//Flags
DWORD dwFlags;
//Hash for user certificate
EAPTLS_HASH CertHash;
// User properties for an entry
PEAP_ENTRY_USER_PROPERTIES UserProperties;
//
// Array of PEAP_ENTRY_USER_PROPERTIES for each eap type.
// should be as many as dwNumPeapTypes in PEAP_CONN_PROP
// structure
// For now there is only one element...
}PEAP_USER_PROP, *PPEAP_USER_PROP;
// We are a router
#define PEAP_CONN_DIALOG_FLAG_ROUTER 0x00000001
#define PEAP_CONN_DIALOG_FLAG_8021x 0x00000002
typedef struct _PEAP_CONN_DIALOG
{
DWORD fFlags; // See
// PEAP_CONN_DIALOG_FLAG_*
EAPTLS_CERT_NODE* pCertList; //List of all the root certificates
//from internet trusted root store
EAPTLS_CERT_NODE** ppSelCertList; //List of pointers to selected certs.
//will be as many as num hashes
//in conn prop.
PPEAP_CONN_PROP pConnProp;
PPEAP_EAP_INFO pEapInfo; //List of all the PEAP Eap Types
PPEAP_EAP_INFO pSelEapInfo; //Selected Peap Type
HWND hWndCheckValidateCert;
HWND hWndCheckValidateName;
HWND hWndEditServerName;
HWND hWndStaticRootCaName;
HWND hWndListRootCaName;
HWND hWndComboPeapType;
HWND hWndButtonConfigure;
HWND hWndCheckEnableFastReconnect;
} PEAP_CONN_DIALOG, *PPEAP_CONN_DIALOG;
typedef struct _PEAP_SERVER_CONFIG_DIALOG
{
EAPTLS_CERT_NODE* pCertList; //List of all certificates in MY machine
//store
EAPTLS_CERT_NODE* pSelCertList; //List of selected cert.
PPEAP_USER_PROP pUserProp; //User properties
PPEAP_USER_PROP pNewUserProp; //New USer Properties
PPEAP_EAP_INFO pEapInfo; //List of all the PEAP Eap Types
PPEAP_EAP_INFO pSelEapInfo; //Selected Peap Type
LPWSTR pwszMachineName;
HWND hWndComboServerName;
HWND hWndEditFriendlyName;
HWND hWndEditIssuer;
HWND hWndEditExpiration;
HWND hWndComboPeapType;
HWND hWndBtnConfigure;
HWND hEndEnableFastReconnect;
}PEAP_SERVER_CONFIG_DIALOG, *PPEAP_SERVER_CONFIG_DIALOG;
typedef struct _PEAP_DEFAULT_CRED_DIALOG
{
PEAP_DEFAULT_CREDENTIALS PeapDefaultCredentials;
HWND hWndUserName;
HWND hWndPassword;
HWND hWndDomain;
}PEAP_DEFAULT_CRED_DIALOG, *PPEAP_DEFAULT_CRED_DIALOG;
typedef struct _PEAP_INTERACTIVE_UI
{
DWORD dwEapTypeId; // Embedded Eap Type Id requesting
// interactive UI
DWORD dwSizeofUIContextData;
BYTE bUIContextData[1];
}PEAP_INTERACTIVE_UI, *PPEAP_INTERACTIVE_UI;
typedef struct _PEAP_COOKIE_ATTRIBUTE
{
RAS_AUTH_ATTRIBUTE_TYPE raaType;
DWORD dwLength;
BYTE Data[1];
}PEAP_COOKIE_ATTRIBUTE, *PPEAP_COOKIE_ATTRIBUTE;
typedef struct _PEAP_COOKIE
{
WCHAR awszIdentity[DNLEN+UNLEN+1]; // Outer Identity that was used for
// authentication.
DWORD dwNumAuthAttribs; // Number of Ras Auth Attributes
// other than MPPE keys
// returned when auth succeeded
// with full handshake
BYTE Data[1]; // Data Conn Props + RAS Auth Attribs
}PEAP_COOKIE, *PPEAP_COOKIE;
//PEAP Flags
#define PEAPCB_FLAG_SERVER 0x00000001 // This is a server
#define PEAPCB_FLAG_ROUTER 0x00000002 // This is a router
#define PEAPCB_FLAG_NON_INTERACTIVE 0x00000004 // No UI should be displayed
#define PEAPCB_FLAG_LOGON 0x00000008 // The user data was
// obtained from Winlogon
#define PEAPCB_FLAG_PREVIEW 0x00000010 // User has checked
// "Prompt for information
// before dialing"
#define PEAPCB_FLAG_FIRST_LINK 0x00000020 // This is the first link
#define PEAPCB_FLAG_MACHINE_AUTH 0x00000040 // Use the default machine cert
// or user cert based on the
// application logon context
#define PEAPCB_FLAG_GUEST_ACCESS 0x00000080 // Request to provide guest
// access.
#define PEAPCB_FLAG_8021X_AUTH 0x00000100 // Anything specific to 8021x
// to be done in TLS
#define PEAPCB_VERSION_OK 0x00000200 // version negotiation took place
// and all's ok.
#define PEAPCB_FAST_ROAMING 0x00000400 // Allow fast roaming
typedef struct _PEAP_CONTROL_BLOCK
{
PEAP_STATE PeapState; //Current Peap State
DWORD dwFlags; //Peap Flags
HANDLE hTokenImpersonateUser; //Impersonation token.
BYTE bId; //Peap Packet Id
WCHAR awszIdentity[DNLEN+ UNLEN + 1];
WCHAR awszTypeIdentity[DNLEN+ UNLEN + 1];
WCHAR awszPassword[PWLEN+1]; //Type's password if
//send in.
BOOL fTlsConnPropDirty; //Need to save the TLS Conn prop
EAPTLS_CONN_PROPERTIES_V1 * pNewTlsConnProp;
BOOL fEntryConnPropDirty;
PPEAP_CONN_PROP pConnProp; //Peap Connection Prop
BOOL fTlsUserPropDirty; //Need to saveTLS user prop
BOOL fEntryUserPropDirty;
DWORD dwAuthResultCode; //Result of authentication
BOOL fReceivedTLVSuccessFail; //Received a TLV instead of
//a real success or failure
BOOL fSendTLVSuccessforFastRoaming;
PPP_EAP_PACKET * pPrevReceivePacket; //Previously received packet
WORD cbPrevReceivePacket; //Number of bytes in previously
//received packet
PBYTE pPrevDecData; //Previously Decrypted packet data
WORD cbPrevDecData; //Data size
//
// Encryption related entries in the control block
//
HCRYPTPROV hProv; //CryptoProvider
//
// following info is used if we use TLS to do encryption
// This is the desired way of doing things since the cipher suite
// is negotiated within TLS
SecPkgContext_StreamSizes PkgStreamSizes;
SecPkgContext_ConnectionInfo PkgConnInfo;
PBYTE pbIoBuffer;
DWORD dwIoBufferLen; //Enc or Dec Data Length
PPEAP_USER_PROP pUserProp; //Peap User Prop
RAS_AUTH_ATTRIBUTE * pTlsUserAttributes; //User Attributes send
//back by EAPTLS
PPEAP_INTERACTIVE_UI pUIContextData; //UI context Data for an eap type
BOOL fInvokedInteractiveUI; //PEAP has invoked interactive UI
BOOL fExecutingInteractiveUI;
EAPTLSCB * pEapTlsCB; //Tls Control Block
PPEAP_EAP_INFO pEapInfo; //Eap info - contains all data reqd for
//eap type to function well.
}PEAPCB, * PPEAPCB;
DWORD
EapPeapInitialize(
IN BOOL fInitialize
);
DWORD
EapPeapBegin(
OUT VOID** ppWorkBuffer,
IN PPP_EAP_INPUT* pPppEapInput
);
DWORD
EapPeapEnd(
IN PPEAPCB pPeapCb
);
DWORD
EapPeapMakeMessage(
IN PPEAPCB pPeapCb,
IN PPP_EAP_PACKET* pInput,
OUT PPP_EAP_PACKET* pOutput,
IN DWORD cbSendPacket,
OUT PPP_EAP_OUTPUT* pEapOutput,
IN PPP_EAP_INPUT* pEapInput
);
DWORD
EapPeapCMakeMessage(
IN PPEAPCB pPeapCb,
IN PPP_EAP_PACKET* pReceivePacket,
OUT PPP_EAP_PACKET* pSendPacket,
IN DWORD cbSendPacket,
OUT PPP_EAP_OUTPUT* pEapOutput,
IN PPP_EAP_INPUT* pEapInput
);
DWORD
EapPeapSMakeMessage(
IN PPEAPCB pPeapCb,
IN PPP_EAP_PACKET* pReceivePacket,
OUT PPP_EAP_PACKET* pSendPacket,
IN DWORD cbSendPacket,
OUT PPP_EAP_OUTPUT* pEapOutput,
IN PPP_EAP_INPUT* pEapInput
);
//Peap functions from util.c
DWORD
PeapReadConnectionData(
IN BOOL fWireless,
IN BYTE* pConnectionDataIn,
IN DWORD dwSizeOfConnectionDataIn,
OUT PPEAP_CONN_PROP* ppConnProp
);
DWORD
PeapReadUserData(
IN BYTE* pUserDataIn,
IN DWORD dwSizeOfUserDataIn,
OUT PPEAP_USER_PROP* ppUserProp
);
DWORD
PeapReDoUserData (
IN DWORD dwNewTypeId,
OUT PPEAP_USER_PROP* ppNewUserProp
);
DWORD
PeapEapInfoAddListNode (PPEAP_EAP_INFO * ppEapInfo);
VOID
PeapEapInfoFreeList ( PPEAP_EAP_INFO pEapInfo );
DWORD
PeapEapInfoExpandSZ (HKEY hkeyPeapType,
LPWSTR pwszValue,
LPWSTR * ppValueData );
DWORD
PeapEapInfoGetList ( LPWSTR lpwszMachineName, PPEAP_EAP_INFO * ppEapInfo);
DWORD
PeapEapInfoSetConnData ( PPEAP_EAP_INFO pEapInfo, PPEAP_CONN_PROP pPeapConnProp );
DWORD PeapEapInfoInvokeClientConfigUI ( HWND hWndParent,
PPEAP_EAP_INFO pEapInfo,
DWORD fFlags);
DWORD
PeapGetFirstEntryConnProp ( PPEAP_CONN_PROP pConnProp,
PEAP_ENTRY_CONN_PROPERTIES UNALIGNED ** ppEntryProp
);
DWORD
PeapGetFirstEntryUserProp ( PPEAP_USER_PROP pUserProp,
PEAP_ENTRY_USER_PROPERTIES UNALIGNED ** ppEntryProp
);
DWORD
PeapEapInfoCopyListNode ( DWORD dwTypeId,
PPEAP_EAP_INFO pEapInfoList,
PPEAP_EAP_INFO * ppEapInfo );
DWORD
PeapEapInfoFindListNode ( DWORD dwTypeId,
PPEAP_EAP_INFO pEapInfoList,
PPEAP_EAP_INFO * ppEapInfo );
DWORD PeapEapInfoInvokeIdentityUI ( HWND hWndParent,
PPEAP_EAP_INFO pEapInfo,
const WCHAR * pwszPhoneBook,
const WCHAR * pwszEntry,
PBYTE pbUserDataIn,
DWORD cbUserDataIn,
WCHAR** ppwszIdentityOut,
DWORD fFlags);
#ifdef __cplusplus
extern "C"
#endif
DWORD PeapEapInfoInvokeServerConfigUI ( HWND hWndParent,
LPWSTR lpwszMachineName,
PPEAP_EAP_INFO pEapInfo
);
DWORD
OpenPeapRegistryKey(
IN WCHAR* pwszMachineName,
IN REGSAM samDesired,
OUT HKEY* phKeyPeap
);
DWORD
PeapServerConfigDataIO(
IN BOOL fRead,
IN WCHAR* pwszMachineName,
IN OUT BYTE** ppData,
IN DWORD dwNumBytes
);
INT_PTR CALLBACK
PeapConnDialogProc(
IN HWND hWnd,
IN UINT unMsg,
IN WPARAM wParam,
IN LPARAM lParam
);
INT_PTR CALLBACK
PeapServerDialogProc(
IN HWND hWnd,
IN UINT unMsg,
IN WPARAM wParam,
IN LPARAM lParam
);
INT_PTR CALLBACK
DefaultCredDialogProc(
IN HWND hWnd,
IN UINT unMsg,
IN WPARAM wParam,
IN LPARAM lParam
);
DWORD
GetIdentityFromUserName (
LPWSTR lpszUserName,
LPWSTR lpszDomain,
LPWSTR * ppwszIdentity
);
BOOL FFormatUserIdentity (
LPWSTR lpszUserNameRaw,
LPWSTR * lppszUserNameFormatted
);
DWORD
GetLocalMachineName (
OUT WCHAR ** ppLocalMachineName
);
BOOL
IsPeapCrippled(HKEY hKeyLM);
/////////////////////////////////////////////////////////
// XPSP1 related stuff
/////////////////////////////////////////////////////////
HINSTANCE
GetResouceDLLHInstance(
VOID
);
#endif // #ifndef _EAPTLS_H_