windows-nt/Source/XPSP1/NT/net/rras/ras/ppp/eaptls/util.c
2020-09-26 16:20:57 +08:00

5316 lines
139 KiB
C

/*
Copyright (c) 1997, Microsoft Corporation, all rights reserved
Description:
History:
Nov 1997: Vijay Baliga created original version.
Sep 1998: Vijay Baliga moved functions from eaptls.c and dialog.c to util.c
*/
#include <nt.h> // Required by windows.h
#include <ntrtl.h> // Required by windows.h
#include <nturtl.h> // Required by windows.h
#include <windows.h> // Win32 base API's
#include <rasauth.h> // Required by raseapif.h
#include <rtutils.h> // For RTASSERT
#include <rasman.h> // For EAPLOGONINFO
#include <wintrust.h>
#include <softpub.h>
#include <mscat.h>
#define SECURITY_WIN32
#include <security.h> // For GetUserNameExA, CredHandle
#include <schannel.h>
#include <sspi.h> // For CredHandle
#include <wincrypt.h> // Required by sclogon.h
#include <winscard.h> // For SCardListReadersA
#include <sclogon.h> // For ScHelperGetCertFromLogonInfo
#include <cryptui.h>
#include <stdlib.h>
#include <raserror.h>
#include <commctrl.h>
#include <eaptypeid.h>
#include <eaptls.h>
#include <wincred.h>
#define STRSAFE_NO_DEPRECATE
#include <strsafe.h>
extern CRITICAL_SECTION g_csProtectCachedCredentials;
extern BOOL g_fCriticalSectionInitialized;
/*
Returns:
void
Notes:
Used for printing EAP TLS trace statements.
*/
VOID
EapTlsTrace(
IN CHAR* Format,
...
)
{
va_list arglist;
RTASSERT(NULL != Format);
va_start(arglist, Format);
TraceVprintfExA(g_dwEapTlsTraceId,
0x00010000 | TRACE_USE_MASK | TRACE_USE_MSEC,
Format,
arglist);
va_end(arglist);
}
HINSTANCE
GetResouceDLLHInstance(
VOID
)
{
static HINSTANCE hResourceModule = NULL;
EapTlsTrace("GetResouceDLLHInstance");
if ( !hResourceModule )
{
//
// Change the name of this DLL as required for each service pack
//
hResourceModule = LoadLibrary ( L"xpsp1res.dll");
if ( NULL == hResourceModule )
{
EapTlsTrace("LoadLibraryEx failed and returned %d",GetLastError());
}
}
return(hResourceModule);
}
#if WINVER > 0x0500
DWORD CheckCallerIdentity ( HANDLE hWVTStateData )
{
DWORD dwRetCode = ERROR_ACCESS_DENIED;
PCRYPT_PROVIDER_DATA pProvData = NULL;
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
PCRYPT_PROVIDER_SGNR pProvSigner = NULL;
CERT_CHAIN_POLICY_PARA chainpolicyparams;
CERT_CHAIN_POLICY_STATUS chainpolicystatus;
if (!(pProvData = WTHelperProvDataFromStateData(hWVTStateData)))
{
goto done;
}
if (!(pProvSigner = WTHelperGetProvSignerFromChain(pProvData, 0, FALSE, 0)))
{
goto done;
}
chainpolicyparams.cbSize = sizeof(CERT_CHAIN_POLICY_PARA);
//
//
// We do want to test for microsoft test root flags. and dont care
// for revocation flags...
//
chainpolicyparams.dwFlags = CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG |
CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG |
CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS;
pChainContext = pProvSigner->pChainContext;
if (!CertVerifyCertificateChainPolicy (
CERT_CHAIN_POLICY_MICROSOFT_ROOT,
pChainContext,
&chainpolicyparams,
&chainpolicystatus))
{
goto done;
}
else
{
if ( S_OK == chainpolicystatus.dwError )
{
dwRetCode = NO_ERROR;
}
else
{
//
// Check the base policy to see if this
// is a Microsoft test root
//
if (!CertVerifyCertificateChainPolicy (
CERT_CHAIN_POLICY_BASE,
pChainContext,
&chainpolicyparams,
&chainpolicystatus))
{
goto done;
}
else
{
if ( S_OK == chainpolicystatus.dwError )
{
dwRetCode = NO_ERROR;
}
}
}
}
done:
return dwRetCode;
}
/*
*/
DWORD VerifyCallerTrust ( void * callersAddress )
{
DWORD dwRetCode = NO_ERROR;
HRESULT hr = S_OK;
WINTRUST_DATA wtData;
WINTRUST_FILE_INFO wtFileInfo;
WINTRUST_CATALOG_INFO wtCatalogInfo;
BOOL fRet = FALSE;
HCATADMIN hCATAdmin = NULL;
static BOOL fOKToUseTLS = FALSE;
GUID guidPublishedSoftware = WINTRUST_ACTION_GENERIC_VERIFY_V2;
//
// Following GUID is Mirosoft's Catalog System Root
//
GUID guidCatSystemRoot = { 0xf750e6c3, 0x38ee, 0x11d1,{ 0x85, 0xe5, 0x0, 0xc0, 0x4f, 0xc2, 0x95, 0xee } };
HCATINFO hCATInfo = NULL;
CATALOG_INFO CatInfo;
HANDLE hFile = INVALID_HANDLE_VALUE;
BYTE bHash[40];
DWORD cbHash = 40;
MEMORY_BASIC_INFORMATION mbi;
SIZE_T nbyte;
DWORD nchar;
wchar_t callersModule[MAX_PATH + 1];
if ( fOKToUseTLS )
{
goto done;
}
EapTlsTrace("Verifying caller...");
nbyte = VirtualQuery(
callersAddress,
&mbi,
sizeof(mbi)
);
if (nbyte < sizeof(mbi))
{
dwRetCode = ERROR_ACCESS_DENIED;
EapTlsTrace("Unauthorized use of TLS attempted");
goto done;
}
nchar = GetModuleFileNameW(
(HMODULE)(mbi.AllocationBase),
callersModule,
MAX_PATH
);
if (nchar == 0)
{
dwRetCode = GetLastError();
EapTlsTrace("Unauthorized use of TLS attempted");
goto done;
}
//
//
// Try and see if WinVerifyTrust will verify
// the signature as a standalone file
//
//
ZeroMemory ( &wtData, sizeof(wtData) );
ZeroMemory ( &wtFileInfo, sizeof(wtFileInfo) );
wtData.cbStruct = sizeof(wtData);
wtData.dwUIChoice = WTD_UI_NONE;
wtData.fdwRevocationChecks = WTD_REVOKE_NONE;
wtData.dwStateAction = WTD_STATEACTION_VERIFY;
wtData.dwUnionChoice = WTD_CHOICE_FILE;
wtData.pFile = &wtFileInfo;
wtFileInfo.cbStruct = sizeof( wtFileInfo );
wtFileInfo.pcwszFilePath = callersModule;
hr = WinVerifyTrust ( NULL,
&guidPublishedSoftware,
&wtData
);
if ( ERROR_SUCCESS == hr )
{
//
// Check to see if this is indeed microsoft
// signed caller
//
dwRetCode = CheckCallerIdentity( wtData.hWVTStateData);
wtData.dwStateAction = WTD_STATEACTION_CLOSE;
WinVerifyTrust(NULL, &guidPublishedSoftware, &wtData);
goto done;
}
wtData.dwStateAction = WTD_STATEACTION_CLOSE;
WinVerifyTrust(NULL, &guidPublishedSoftware, &wtData);
//
// We did not find the file was signed.
// So check the system catalog to see if
// the file is in the catalog and the catalog
// is signed
//
//
// Open the file
//
hFile = CreateFile ( callersModule,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if ( INVALID_HANDLE_VALUE == hFile )
{
dwRetCode = GetLastError();
goto done;
}
fRet = CryptCATAdminAcquireContext( &hCATAdmin,
&guidCatSystemRoot,
0
);
if ( !fRet )
{
dwRetCode = GetLastError();
goto done;
}
//
// Get the hash of the file here
//
fRet = CryptCATAdminCalcHashFromFileHandle ( hFile,
&cbHash,
bHash,
0
);
if ( !fRet )
{
dwRetCode = GetLastError();
goto done;
}
ZeroMemory(&CatInfo, sizeof(CatInfo));
CatInfo.cbStruct = sizeof(CatInfo);
ZeroMemory( &wtCatalogInfo, sizeof(wtCatalogInfo) );
wtData.dwUnionChoice = WTD_CHOICE_CATALOG;
wtData.dwStateAction = WTD_STATEACTION_VERIFY;
wtData.pCatalog = &wtCatalogInfo;
wtCatalogInfo.cbStruct = sizeof(wtCatalogInfo);
wtCatalogInfo.hMemberFile = hFile;
wtCatalogInfo.pbCalculatedFileHash = bHash;
wtCatalogInfo.cbCalculatedFileHash = cbHash;
while ( ( hCATInfo = CryptCATAdminEnumCatalogFromHash ( hCATAdmin,
bHash,
cbHash,
0,
&hCATInfo
)
)
)
{
if (!(CryptCATCatalogInfoFromContext(hCATInfo, &CatInfo, 0)))
{
// should do something (??)
continue;
}
wtCatalogInfo.pcwszCatalogFilePath = CatInfo.wszCatalogFile;
hr = WinVerifyTrust ( NULL,
&guidPublishedSoftware,
&wtData
);
if ( ERROR_SUCCESS == hr )
{
//
// Verify that this file is trusted
//
dwRetCode = CheckCallerIdentity( wtData.hWVTStateData);
wtData.dwStateAction = WTD_STATEACTION_CLOSE;
WinVerifyTrust(NULL, &guidPublishedSoftware, &wtData);
goto done;
}
}
//
// File not found in any of the catalogs
//
dwRetCode = ERROR_ACCESS_DENIED;
done:
if ( hCATInfo )
{
CryptCATAdminReleaseCatalogContext( hCATAdmin, hCATInfo, 0 );
}
if ( hCATAdmin )
{
CryptCATAdminReleaseContext( hCATAdmin, 0 );
}
if ( hFile )
{
CloseHandle(hFile);
}
if ( NO_ERROR == dwRetCode )
fOKToUseTLS = TRUE;
return dwRetCode;
}
#endif
/*
Returns:
NO_ERROR: iff Success
Notes:
TraceRegister, RouterLogRegister, etc.
*/
extern g_CachedCreds[];
DWORD
EapTlsInitialize2(
IN BOOL fInitialize,
IN BOOL fUI
)
{
static DWORD dwRefCount = 0;
DWORD dwRetCode = NO_ERROR;
if (fInitialize)
{
if (0 == dwRefCount)
{
ZeroMemory ( &(g_CachedCreds[0]),
sizeof(g_CachedCreds[0]) );
ZeroMemory ( &(g_CachedCreds[1]),
sizeof(g_CachedCreds[0]) );
if (fUI)
{
g_dwEapTlsTraceId = TraceRegister(L"RASTLSUI");
//
// Initialize the common controls library for the controls we use.
//
{
INITCOMMONCONTROLSEX icc;
icc.dwSize = sizeof(icc);
icc.dwICC = ICC_LISTVIEW_CLASSES;
InitCommonControlsEx (&icc);
}
}
else
{
g_dwEapTlsTraceId = TraceRegister(L"RASTLS");
}
InitializeCriticalSection( &g_csProtectCachedCredentials );
g_fCriticalSectionInitialized = TRUE;
EapTlsTrace("EapTlsInitialize2");
}
dwRefCount++;
}
else
{
dwRefCount--;
if (0 == dwRefCount)
{
EapTlsTrace("EapTls[Un]Initialize2");
if (INVALID_TRACEID != g_dwEapTlsTraceId)
{
TraceDeregister(g_dwEapTlsTraceId);
g_dwEapTlsTraceId = INVALID_TRACEID;
}
if ( g_fCriticalSectionInitialized )
{
DeleteCriticalSection( &g_csProtectCachedCredentials );
g_fCriticalSectionInitialized = FALSE;
}
FreeScardDlgDll();
}
}
return(dwRetCode);
}
/*
Returns:
NO_ERROR: iff Success
Notes:
*/
DWORD
EapTlsInitialize(
IN BOOL fInitialize
)
{
return EapTlsInitialize2(fInitialize, FALSE /* fUI */);
}
/*
Returns:
Notes:
Obfuscate PIN in place to foil memory scans for PINs.
*/
VOID
EncodePin(
IN EAPTLS_USER_PROPERTIES* pUserProp
)
{
UNICODE_STRING UnicodeString;
UCHAR ucSeed = 0;
RtlInitUnicodeString(&UnicodeString, pUserProp->pwszPin);
RtlRunEncodeUnicodeString(&ucSeed, &UnicodeString);
pUserProp->usLength = UnicodeString.Length;
pUserProp->usMaximumLength = UnicodeString.MaximumLength;
pUserProp->ucSeed = ucSeed;
}
/*
Returns:
Notes:
*/
VOID
DecodePin(
IN EAPTLS_USER_PROPERTIES* pUserProp
)
{
UNICODE_STRING UnicodeString;
UnicodeString.Length = pUserProp->usLength;
UnicodeString.MaximumLength = pUserProp->usMaximumLength;
UnicodeString.Buffer = pUserProp->pwszPin;
RtlRunDecodeUnicodeString(pUserProp->ucSeed, &UnicodeString);
}
/*
Returns:
TRUE: Success
FALSE: Failure
Notes:
Converts FileTime to a printable form in *ppwszTime. If the function returns
TRUE, the caller must ultimately call LocalFree(*ppwszTime).
*/
BOOL
FFileTimeToStr(
IN FILETIME FileTime,
OUT WCHAR** ppwszTime
)
{
SYSTEMTIME SystemTime;
FILETIME LocalTime;
int nBytesDate;
int nBytesTime;
WCHAR* pwszTemp = NULL;
BOOL fRet = FALSE;
RTASSERT(NULL != ppwszTime);
if (!FileTimeToLocalFileTime(&FileTime, &LocalTime))
{
EapTlsTrace("FileTimeToLocalFileTime(%d %d) failed and returned %d",
FileTime.dwLowDateTime, FileTime.dwHighDateTime,
GetLastError());
goto LDone;
}
if (!FileTimeToSystemTime(&LocalTime, &SystemTime))
{
EapTlsTrace("FileTimeToSystemTime(%d %d) failed and returned %d",
LocalTime.dwLowDateTime, LocalTime.dwHighDateTime,
GetLastError());
goto LDone;
}
nBytesDate = GetDateFormat(LOCALE_USER_DEFAULT, 0, &SystemTime, NULL,
NULL, 0);
if (0 == nBytesDate)
{
EapTlsTrace("GetDateFormat(%d %d %d %d %d %d %d %d) failed and "
"returned %d",
SystemTime.wYear, SystemTime.wMonth, SystemTime.wDayOfWeek,
SystemTime.wDay, SystemTime.wHour, SystemTime.wMinute,
SystemTime.wSecond, SystemTime.wMilliseconds,
GetLastError());
goto LDone;
}
nBytesTime = GetTimeFormat(LOCALE_USER_DEFAULT, 0, &SystemTime, NULL,
NULL, 0);
if (0 == nBytesTime)
{
EapTlsTrace("GetTimeFormat(%d %d %d %d %d %d %d %d) failed and "
"returned %d",
SystemTime.wYear, SystemTime.wMonth, SystemTime.wDayOfWeek,
SystemTime.wDay, SystemTime.wHour, SystemTime.wMinute,
SystemTime.wSecond, SystemTime.wMilliseconds,
GetLastError());
goto LDone;
}
pwszTemp = LocalAlloc(LPTR, (nBytesDate + nBytesTime)*sizeof(WCHAR));
if (NULL == pwszTemp)
{
EapTlsTrace("LocalAlloc failed and returned %d", GetLastError());
goto LDone;
}
if (0 == GetDateFormat(LOCALE_USER_DEFAULT, 0, &SystemTime, NULL,
pwszTemp, nBytesDate))
{
EapTlsTrace("GetDateFormat(%d %d %d %d %d %d %d %d) failed and "
"returned %d",
SystemTime.wYear, SystemTime.wMonth, SystemTime.wDayOfWeek,
SystemTime.wDay, SystemTime.wHour, SystemTime.wMinute,
SystemTime.wSecond, SystemTime.wMilliseconds,
GetLastError());
goto LDone;
}
pwszTemp[nBytesDate - 1] = L' ';
if (0 == GetTimeFormat(LOCALE_USER_DEFAULT, 0, &SystemTime, NULL,
pwszTemp + nBytesDate, nBytesTime))
{
EapTlsTrace("GetTimeFormat(%d %d %d %d %d %d %d %d) failed and "
"returned %d",
SystemTime.wYear, SystemTime.wMonth, SystemTime.wDayOfWeek,
SystemTime.wDay, SystemTime.wHour, SystemTime.wMinute,
SystemTime.wSecond, SystemTime.wMilliseconds,
GetLastError());
goto LDone;
}
*ppwszTime = pwszTemp;
pwszTemp = NULL;
fRet = TRUE;
LDone:
LocalFree(pwszTemp);
return(fRet);
}
BOOL FFormatMachineIdentity1 ( LPWSTR lpszMachineNameRaw, LPWSTR * lppszMachineNameFormatted )
{
BOOL fRetVal = FALSE;
LPWSTR lpwszPrefix = L"host/";
RTASSERT(NULL != lpszMachineNameRaw );
RTASSERT(NULL != lppszMachineNameFormatted );
//
// Prepend host/ to the UPN name
//
*lppszMachineNameFormatted =
(LPWSTR)LocalAlloc ( LPTR, ( wcslen ( lpszMachineNameRaw ) + wcslen ( lpwszPrefix ) + 2 ) * sizeof(WCHAR) );
if ( NULL == *lppszMachineNameFormatted )
{
goto done;
}
wcscpy( *lppszMachineNameFormatted, lpwszPrefix );
wcscat ( *lppszMachineNameFormatted, lpszMachineNameRaw );
fRetVal = TRUE;
done:
return fRetVal;
}
/*
Returns:
TRUE: Success
FALSE: Failure
Notes:
Gets the machine name from the cert as a fully qualified path hostname/path
for example, hostname.redmond.microsoft.com and reformats it in the
domain\hostname format.
*/
BOOL FFormatMachineIdentity ( LPWSTR lpszMachineNameRaw, LPWSTR * lppszMachineNameFormatted )
{
BOOL fRetVal = TRUE;
LPTSTR s1 = lpszMachineNameRaw;
LPTSTR s2 = NULL;
RTASSERT(NULL != lpszMachineNameRaw );
RTASSERT(NULL != lppszMachineNameFormatted );
//Need to add 2 more chars. One for NULL and other for $ sign
*lppszMachineNameFormatted = (LPTSTR )LocalAlloc ( LPTR, (wcslen(lpszMachineNameRaw) + 2)* sizeof(WCHAR) );
if ( NULL == *lppszMachineNameFormatted )
{
return FALSE;
}
//find the first "." and that is the identity of the machine.
//the second "." is the domain.
//check to see if there at least 2 dots. If not the raw string is
//the output string
while ( *s1 )
{
if ( *s1 == '.' )
{
if ( !s2 ) //First dot
s2 = s1;
else //second dot
break;
}
s1++;
}
//can perform several additional checks here
if ( *s1 != '.' ) //there are no 2 dots so raw = formatted
{
wcscpy ( *lppszMachineNameFormatted, lpszMachineNameRaw );
goto done;
}
if ( s1-s2 < 2 )
{
wcscpy ( *lppszMachineNameFormatted, lpszMachineNameRaw );
goto done;
}
memcpy ( *lppszMachineNameFormatted, s2+1, ( s1-s2-1) * sizeof(WCHAR));
memcpy ( (*lppszMachineNameFormatted) + (s1-s2-1) , L"\\", sizeof(WCHAR));
wcsncpy ( (*lppszMachineNameFormatted) + (s1-s2), lpszMachineNameRaw, s2-lpszMachineNameRaw );
done:
//Append the $ sign no matter what...
wcscat ( *lppszMachineNameFormatted, L"$" );
return fRetVal;
}
/*
Returns:
TRUE: Success
FALSE: Failure
Notes:
Gets the name in the cert pointed to by pCertContext, and converts it to a
printable form in *ppwszName. If the function returns TRUE, the caller must
ultimately call LocalFree(*ppwszName).
*/
BOOL
FUserCertToStr(
IN PCCERT_CONTEXT pCertContext,
OUT WCHAR** ppwszName
)
{
DWORD dwExtensionIndex;
DWORD dwAltEntryIndex;
CERT_EXTENSION* pCertExtension;
CERT_ALT_NAME_INFO* pCertAltNameInfo;
CERT_ALT_NAME_ENTRY* pCertAltNameEntry;
CERT_NAME_VALUE* pCertNameValue;
DWORD dwCertAltNameInfoSize;
DWORD dwCertNameValueSize;
WCHAR* pwszName = NULL;
BOOL fExitOuterFor;
BOOL fExitInnerFor;
BOOL fRet = FALSE;
// See if cert has UPN in AltSubjectName->otherName
fExitOuterFor = FALSE;
for (dwExtensionIndex = 0;
dwExtensionIndex < pCertContext->pCertInfo->cExtension;
dwExtensionIndex++)
{
pCertAltNameInfo = NULL;
pCertExtension = pCertContext->pCertInfo->rgExtension+dwExtensionIndex;
if (strcmp(pCertExtension->pszObjId, szOID_SUBJECT_ALT_NAME2) != 0)
{
goto LOuterForEnd;
}
dwCertAltNameInfoSize = 0;
if (!CryptDecodeObjectEx(
pCertContext->dwCertEncodingType,
X509_ALTERNATE_NAME,
pCertExtension->Value.pbData,
pCertExtension->Value.cbData,
CRYPT_DECODE_ALLOC_FLAG,
NULL,
(VOID*)&pCertAltNameInfo,
&dwCertAltNameInfoSize))
{
goto LOuterForEnd;
}
fExitInnerFor = FALSE;
for (dwAltEntryIndex = 0;
dwAltEntryIndex < pCertAltNameInfo->cAltEntry;
dwAltEntryIndex++)
{
pCertNameValue = NULL;
pCertAltNameEntry = pCertAltNameInfo->rgAltEntry + dwAltEntryIndex;
if ( (CERT_ALT_NAME_OTHER_NAME !=
pCertAltNameEntry->dwAltNameChoice)
|| (NULL == pCertAltNameEntry->pOtherName)
|| (0 != strcmp(szOID_NT_PRINCIPAL_NAME,
pCertAltNameEntry->pOtherName->pszObjId)))
{
goto LInnerForEnd;
}
// We found a UPN!
dwCertNameValueSize = 0;
if (!CryptDecodeObjectEx(
pCertContext->dwCertEncodingType,
X509_UNICODE_ANY_STRING,
pCertAltNameEntry->pOtherName->Value.pbData,
pCertAltNameEntry->pOtherName->Value.cbData,
CRYPT_DECODE_ALLOC_FLAG,
NULL,
(VOID*)&pCertNameValue,
&dwCertNameValueSize))
{
goto LInnerForEnd;
}
// One extra char for the terminating NULL.
pwszName = LocalAlloc(LPTR, pCertNameValue->Value.cbData +
sizeof(WCHAR));
if (NULL == pwszName)
{
EapTlsTrace("LocalAlloc failed and returned %d",
GetLastError());
fExitInnerFor = TRUE;
fExitOuterFor = TRUE;
goto LInnerForEnd;
}
CopyMemory(pwszName, pCertNameValue->Value.pbData,
pCertNameValue->Value.cbData);
*ppwszName = pwszName;
pwszName = NULL;
fRet = TRUE;
fExitInnerFor = TRUE;
fExitOuterFor = TRUE;
LInnerForEnd:
LocalFree(pCertNameValue);
if (fExitInnerFor)
{
break;
}
}
LOuterForEnd:
LocalFree(pCertAltNameInfo);
if (fExitOuterFor)
{
break;
}
}
LocalFree(pwszName);
return(fRet);
}
/*
Returns:
TRUE: Success
FALSE: Failure
Notes:
Gets the name in the cert pointed to by pCertContext, and converts it to a
printable form in *ppwszName. If the function returns TRUE, the caller must
ultimately call LocalFree(*ppwszName).
*/
BOOL
FOtherCertToStr(
IN PCCERT_CONTEXT pCertContext,
IN DWORD fFlags,
OUT WCHAR** ppwszName
)
{
WCHAR* pwszTemp = NULL;
DWORD dwSize;
BOOL fRet = FALSE;
DWORD dwType = 0;
RTASSERT(NULL != ppwszName);
dwType = CERT_NAME_SIMPLE_DISPLAY_TYPE;
dwSize = CertGetNameString(pCertContext,dwType ,
fFlags, NULL, NULL, 0);
// dwSize is the number of characters, including the terminating NULL.
if (dwSize <= 1)
{
EapTlsTrace("CertGetNameString for CERT_NAME_SIMPLE_DISPLAY_TYPE failed.");
goto LDone;
}
pwszTemp = LocalAlloc(LPTR, dwSize*sizeof(WCHAR));
if (NULL == pwszTemp)
{
EapTlsTrace("LocalAlloc failed and returned %d", GetLastError());
goto LDone;
}
dwSize = CertGetNameString(pCertContext, dwType,
fFlags, NULL, pwszTemp, dwSize);
if (dwSize <= 1)
{
EapTlsTrace("CertGetNameString failed.");
goto LDone;
}
*ppwszName = pwszTemp;
pwszTemp = NULL;
fRet = TRUE;
LDone:
LocalFree(pwszTemp);
return(fRet);
}
/*
Returns:
TRUE: Success
FALSE: Failure
Notes:
Special function for getting the DNS machine name
from the machine auth certificate
*/
BOOL
FMachineAuthCertToStr
(
IN PCCERT_CONTEXT pCertContext,
OUT WCHAR ** ppwszName
)
{
DWORD dwExtensionIndex;
DWORD dwAltEntryIndex;
CERT_EXTENSION* pCertExtension;
CERT_ALT_NAME_INFO* pCertAltNameInfo;
CERT_ALT_NAME_ENTRY* pCertAltNameEntry;
DWORD dwCertAltNameInfoSize;
WCHAR* pwszName = NULL;
BOOL fExitOuterFor;
BOOL fExitInnerFor;
BOOL fRet = FALSE;
// See if cert has UPN in AltSubjectName->otherName
fExitOuterFor = FALSE;
for (dwExtensionIndex = 0;
dwExtensionIndex < pCertContext->pCertInfo->cExtension;
dwExtensionIndex++)
{
pCertAltNameInfo = NULL;
pCertExtension = pCertContext->pCertInfo->rgExtension+dwExtensionIndex;
if (strcmp(pCertExtension->pszObjId, szOID_SUBJECT_ALT_NAME2) != 0)
{
goto LOuterForEnd;
}
dwCertAltNameInfoSize = 0;
if (!CryptDecodeObjectEx(
pCertContext->dwCertEncodingType,
X509_ALTERNATE_NAME,
pCertExtension->Value.pbData,
pCertExtension->Value.cbData,
CRYPT_DECODE_ALLOC_FLAG,
NULL,
(VOID*)&pCertAltNameInfo,
&dwCertAltNameInfoSize))
{
goto LOuterForEnd;
}
fExitInnerFor = FALSE;
for (dwAltEntryIndex = 0;
dwAltEntryIndex < pCertAltNameInfo->cAltEntry;
dwAltEntryIndex++)
{
pCertAltNameEntry = pCertAltNameInfo->rgAltEntry + dwAltEntryIndex;
if ( (CERT_ALT_NAME_DNS_NAME !=
pCertAltNameEntry->dwAltNameChoice)
|| (NULL == pCertAltNameEntry->pwszDNSName)
)
{
goto LInnerForEnd;
}
// We found the DNS Name!
// One extra char for the terminating NULL.
pwszName = LocalAlloc(LPTR, wcslen( pCertAltNameEntry->pwszDNSName ) * sizeof(WCHAR) +
sizeof(WCHAR));
if (NULL == pwszName)
{
EapTlsTrace("LocalAlloc failed and returned %d",
GetLastError());
fExitInnerFor = TRUE;
fExitOuterFor = TRUE;
goto LInnerForEnd;
}
wcscpy (pwszName, pCertAltNameEntry->pwszDNSName );
*ppwszName = pwszName;
pwszName = NULL;
fRet = TRUE;
fExitInnerFor = TRUE;
fExitOuterFor = TRUE;
LInnerForEnd:
if (fExitInnerFor)
{
break;
}
}
LOuterForEnd:
LocalFree(pCertAltNameInfo);
if (fExitOuterFor)
{
break;
}
}
LocalFree(pwszName);
return(fRet);
}
/*
Returns:
TRUE: Success
FALSE: Failure
Notes:
Gets the name in the cert pointed to by pCertContext, and converts it to a
printable form in *ppwszName. If the function returns TRUE, the caller must
ultimately call LocalFree(*ppwszName).
*/
BOOL
FCertToStr(
IN PCCERT_CONTEXT pCertContext,
IN DWORD fFlags,
IN BOOL fMachineCert,
OUT WCHAR** ppwszName
)
{
if (!fMachineCert)
{
if (FUserCertToStr(pCertContext, ppwszName))
{
return(TRUE);
}
}
return(FOtherCertToStr(pCertContext, fFlags, ppwszName));
}
#if 0
BOOL
FGetIssuerOrSubject ( IN PCCERT_CONTEXT pCertContext,
IN DWORD dwFlags,
OUT WCHAR ** ppszNameString
)
{
BOOL fRet = TRUE;
DWORD cbNameString =0;
LPWSTR lpwszNameString = NULL;
//
// Get the issued to field here
//
cbNameString = CertGetNameString(pCertContext,
CERT_NAME_SIMPLE_DISPLAY_TYPE,
dwFlags,
NULL,
lpwszNameString,
0
);
if ( 0 == cbNameString )
{
EapTlsTrace("Name String Item not found");
fRet = FALSE;
goto LDone;
}
lpwszNameString = (LPWSTR)LocalAlloc(LPTR, cbNameString );
if ( NULL == lpwszNameString )
{
EapTlsTrace("Error allocing memory for name string");
fRet = FALSE;
goto LDone;
}
cbNameString = CertGetNameString(pCertContext,
CERT_NAME_SIMPLE_DISPLAY_TYPE,
dwFlags,
NULL,
lpwszNameString,
cbNameString
);
*ppszNameString = lpwszNameString;
lpwszNameString = NULL;
LDone:
LocalFree(lpwszNameString);
return fRet;
}
#endif
/*
Returns:
TRUE: Success
FALSE: Failure
Notes:
Stores the friendly name of the cert pointed to by pCertContext in
*ppwszName. If the function returns TRUE, the caller must ultimately call
LocalFree(*ppwszName).
*/
BOOL
FGetFriendlyName(
IN PCCERT_CONTEXT pCertContext,
OUT WCHAR** ppwszName
)
{
WCHAR* pwszName = NULL;
DWORD dwBytes;
BOOL fRet = FALSE;
RTASSERT(NULL != ppwszName);
if (!CertGetCertificateContextProperty(pCertContext,
CERT_FRIENDLY_NAME_PROP_ID, NULL, &dwBytes))
{
// If there is no Friendly Name property, don't print an error stmt.
goto LDone;
}
pwszName = LocalAlloc(LPTR, dwBytes);
if (NULL == pwszName)
{
EapTlsTrace("LocalAlloc failed and returned %d", GetLastError());
goto LDone;
}
if (!CertGetCertificateContextProperty(pCertContext,
CERT_FRIENDLY_NAME_PROP_ID, pwszName, &dwBytes))
{
EapTlsTrace("CertGetCertificateContextProperty failed and "
"returned 0x%x", GetLastError());
goto LDone;
}
*ppwszName = pwszName;
pwszName = NULL;
fRet = TRUE;
LDone:
LocalFree(pwszName);
return(fRet);
}
/*
Returns:
TRUE iff there is a smart card reader installed.
Notes:
This function was provided by Doug Barlow.
If 0 is used as the SCARDCONTEXT parameter, it just looks in the registry
for defined readers. This will return a list of all readers ever installed
on the system. To actually detect the current state of the system, we have
to use a valid SCARDCONTEXT handle.
*/
BOOL
FSmartCardReaderInstalled(
VOID
)
{
LONG lErr;
DWORD dwLen = 0;
SCARDCONTEXT hCtx = 0;
BOOL fReturn = FALSE;
lErr = SCardListReadersA(0, NULL, NULL, &dwLen);
fReturn = ( (NO_ERROR == lErr)
&& (2 * sizeof(CHAR) < dwLen));
if (!fReturn)
{
goto LDone;
}
fReturn = FALSE;
lErr = SCardEstablishContext(SCARD_SCOPE_USER, 0, 0, &hCtx);
if (SCARD_S_SUCCESS != lErr)
{
goto LDone;
}
lErr = SCardListReadersA(hCtx, NULL, NULL, &dwLen);
fReturn = ( (NO_ERROR == lErr)
&& (2 * sizeof(CHAR) < dwLen));
LDone:
if (0 != hCtx)
{
SCardReleaseContext(hCtx);
}
return(fReturn);
}
//Get EKU Usage Blob out of the certificate Context
DWORD DwGetEKUUsage (
IN PCCERT_CONTEXT pCertContext,
OUT PCERT_ENHKEY_USAGE * ppUsage
)
{
DWORD dwBytes = 0;
DWORD dwErr = ERROR_SUCCESS;
PCERT_ENHKEY_USAGE pUsage = NULL;
EapTlsTrace("FGetEKUUsage");
if (!CertGetEnhancedKeyUsage(pCertContext, 0, NULL, &dwBytes))
{
dwErr = GetLastError();
if (CRYPT_E_NOT_FOUND == dwErr)
{
EapTlsTrace("No usage in cert");
goto LDone;
}
EapTlsTrace("FGetEKUUsage failed and returned 0x%x", dwErr);
goto LDone;
}
pUsage = LocalAlloc(LPTR, dwBytes);
if (NULL == pUsage)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
if (!CertGetEnhancedKeyUsage(pCertContext, 0, pUsage, &dwBytes))
{
dwErr = GetLastError();
EapTlsTrace("FGetEKUUsage failed and returned 0x%x", dwErr);
goto LDone;
}
*ppUsage = pUsage;
LDone:
return dwErr;
}
/*
* This functionw will check to see if the registry based cert is
* a smart card cert and if the context can be opened in silent
* mode.
*/
BOOL
FCheckSCardCertAndCanOpenSilentContext ( IN PCCERT_CONTEXT pCertContext )
{
PCERT_ENHKEY_USAGE pUsageInternal = NULL;
BOOL fRet = TRUE;
DWORD dwIndex = 0;
CRYPT_KEY_PROV_INFO * pCryptKeyProvInfo = NULL;
HCRYPTPROV hProv = 0;
DWORD dwParam = 0;
DWORD dwDataLen = 0;
#if 0
//
// This is not required anymore. We use CertFindChainInStore
// which will make sure if private key exists...
//
HCRYPTPROV hProv1 = 0;
#endif
EapTlsTrace("FCheckSCardCertAndCanOpenSilentContext");
if ( DwGetEKUUsage ( pCertContext,
&pUsageInternal) != ERROR_SUCCESS
)
{
goto LDone;
}
for (dwIndex = 0; dwIndex < pUsageInternal->cUsageIdentifier; dwIndex++)
{
if ( !strcmp(pUsageInternal->rgpszUsageIdentifier[dwIndex],
szOID_KP_SMARTCARD_LOGON))
{
EapTlsTrace("Found SCard Cert in registey. Skipping...");
goto LDone;
}
}
//
//there is no scard logon oid in the cert
//So, now check to see if the csp is mixed mode
//
if (!CertGetCertificateContextProperty(
pCertContext,
CERT_KEY_PROV_INFO_PROP_ID,
NULL,
&dwDataLen))
{
EapTlsTrace("CertGetCertificateContextProperty failed: 0x%x", GetLastError());
goto LDone;
}
pCryptKeyProvInfo = LocalAlloc(LPTR, dwDataLen);
if (NULL == pCryptKeyProvInfo)
{
EapTlsTrace("Out of memory: 0x%x", GetLastError());
goto LDone;
}
if (!CertGetCertificateContextProperty(
pCertContext,
CERT_KEY_PROV_INFO_PROP_ID,
pCryptKeyProvInfo,
&dwDataLen))
{
EapTlsTrace("CertGetCertificateContextProperty failed: 0x%x", GetLastError());
goto LDone;
}
EapTlsTrace( "Acquiring Context for Container Name: %ws, ProvName: %ws, ProvType 0x%x",
pCryptKeyProvInfo->pwszContainerName,
pCryptKeyProvInfo->pwszProvName,
pCryptKeyProvInfo->dwProvType
);
if (!CryptAcquireContext(
&hProv,
pCryptKeyProvInfo->pwszContainerName,
pCryptKeyProvInfo->pwszProvName,
pCryptKeyProvInfo->dwProvType,
(pCryptKeyProvInfo->dwFlags &
~CERT_SET_KEY_PROV_HANDLE_PROP_ID) |
CRYPT_SILENT))
{
DWORD dwErr = GetLastError();
/*
if ( SCARD_E_NO_SMARTCARD == dwErr )
{
//This CSP requires a smart card do this is a smart
//card cert in registry
fRet = TRUE;
}
*/
EapTlsTrace("CryptAcquireContext failed. This CSP cannot be opened in silent mode. skipping cert.Err: 0x%x", dwErr);
goto LDone;
}
dwDataLen = sizeof(dwParam);
if ( !CryptGetProvParam ( hProv,
PP_IMPTYPE,
(BYTE *)&dwParam,
&dwDataLen,
0
))
{
EapTlsTrace("CryptGetProvParam failed: 0x%x", GetLastError());
goto LDone;
}
//now check to see if CSP is MIXED
if ( ( dwParam & (CRYPT_IMPL_MIXED | CRYPT_IMPL_REMOVABLE) ) ==
(CRYPT_IMPL_MIXED | CRYPT_IMPL_REMOVABLE)
)
{
EapTlsTrace("Found SCard Cert in registey. Skipping...");
goto LDone;
}
#if 0
//
// This is not required anymore. We use CertFindChainInStore
// which will make sure that private key exists...
//
//
// Check to see if we have the private
// key corresponding to this cert
// if not drop this cert.
if (!CryptAcquireCertificatePrivateKey(
pCertContext,
CRYPT_ACQUIRE_COMPARE_KEY_FLAG | CRYPT_SILENT,
NULL,
&hProv1,
NULL,
NULL
))
{
EapTlsTrace("Found a certificate without private key. Skipping. Error 0x%x",GetLastError());
goto LDone;
}
CryptReleaseContext(hProv1, 0);
#endif
fRet = FALSE;
LDone:
if ( pUsageInternal )
LocalFree(pUsageInternal);
if ( pCryptKeyProvInfo )
LocalFree(pCryptKeyProvInfo);
if (0 != hProv)
{
CryptReleaseContext(hProv, 0);
}
return fRet;
}
/*
Add selected certs to the
*/
VOID AddCertNodeToSelList ( EAPTLS_HASH * pHash,
DWORD dwNumHashes,
EAPTLS_CERT_NODE * pNode,
EAPTLS_CERT_NODE ** ppSelCertList, //This is an array of pointers
DWORD * pdwNextSelCert
)
{
DWORD dw = 0;
DWORD dw1 = 0;
RTASSERT(NULL != pNode);
EapTlsTrace("Add Selected Cert to List");
//No selected certificates
if ( 0 == dwNumHashes || !ppSelCertList )
goto done;
while ( dw < dwNumHashes )
{
if (!memcmp(&(pNode->Hash), (pHash+ dw), sizeof(EAPTLS_HASH)))
{
//
//check to see if the node's already in the list.
//iff not then add it. Looks like there is some
//problem with possible dup certs in the cert store
//
while ( dw1 < *pdwNextSelCert )
{
if ( ! memcmp( &(*(ppSelCertList+dw1))->Hash, &(pNode->Hash), sizeof(EAPTLS_HASH) ) )
{
//This is a dup node in mmc. So Skip it...
goto done;
}
dw1++;
}
*( ppSelCertList + *pdwNextSelCert ) = pNode;
*pdwNextSelCert = *pdwNextSelCert + 1;
break;
}
dw++;
}
done:
return;
}
/*
Returns:
TRUE if no enhanced key usages exist, or pCertContext has the
szOID_PKIX_KP_SERVER_AUTH or szOID_PKIX_KP_CLIENT_AUTH usage depending on
whether fMachine is TRUE or FALSE.
Notes:
*/
BOOL
FCheckUsage(
IN PCCERT_CONTEXT pCertContext,
IN PCERT_ENHKEY_USAGE pUsage,
IN BOOL fMachine
)
{
DWORD dwIndex;
DWORD dwErr;
BOOL fRet = FALSE;
PCERT_ENHKEY_USAGE pUsageInternal = pUsage;
EapTlsTrace("FCheckUsage");
if ( NULL == pUsageInternal )
{
dwErr = DwGetEKUUsage ( pCertContext,
&pUsageInternal);
if ( dwErr != ERROR_SUCCESS )
goto LDone;
}
for (dwIndex = 0; dwIndex < pUsageInternal->cUsageIdentifier; dwIndex++)
{
if ( ( fMachine
&& !strcmp(pUsageInternal->rgpszUsageIdentifier[dwIndex],
szOID_PKIX_KP_SERVER_AUTH))
|| ( !fMachine
&& !strcmp(pUsageInternal->rgpszUsageIdentifier[dwIndex],
szOID_PKIX_KP_CLIENT_AUTH)))
{
fRet = TRUE;
break;
}
}
LDone:
if ( NULL == pUsage )
{
if ( pUsageInternal )
LocalFree(pUsageInternal);
}
return(fRet);
}
DWORD DwCheckCertPolicy
(
IN PCCERT_CONTEXT pCertContext,
OUT PCCERT_CHAIN_CONTEXT * ppCertChainContext
)
{
DWORD dwRetCode = ERROR_SUCCESS;
LPSTR lpszEnhUsage = szOID_PKIX_KP_CLIENT_AUTH;
CERT_CHAIN_PARA ChainPara;
CERT_ENHKEY_USAGE EnhKeyUsage;
CERT_USAGE_MATCH CertUsage;
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
CERT_CHAIN_POLICY_PARA PolicyPara;
CERT_CHAIN_POLICY_STATUS PolicyStatus;
EapTlsTrace("FCheckPolicy");
*ppCertChainContext = NULL;
ZeroMemory ( &ChainPara, sizeof(ChainPara) );
ZeroMemory ( &EnhKeyUsage, sizeof(EnhKeyUsage) );
ZeroMemory ( &CertUsage, sizeof(CertUsage) );
EnhKeyUsage.rgpszUsageIdentifier = &lpszEnhUsage;
EnhKeyUsage.cUsageIdentifier = 1;
EnhKeyUsage.rgpszUsageIdentifier = &lpszEnhUsage;
CertUsage.dwType = USAGE_MATCH_TYPE_AND;
CertUsage.Usage = EnhKeyUsage;
ChainPara.cbSize = sizeof(CERT_CHAIN_PARA);
ChainPara.RequestedUsage = CertUsage;
if(!CertGetCertificateChain(
NULL,
pCertContext,
NULL,
pCertContext->hCertStore,
&ChainPara,
0,
NULL,
&pChainContext))
{
dwRetCode = GetLastError();
EapTlsTrace("CertGetCertificateChain failed and returned 0x%x", dwRetCode );
pChainContext = NULL;
goto LDone;
}
ZeroMemory( &PolicyPara, sizeof(PolicyPara) );
PolicyPara.cbSize = sizeof(PolicyPara);
PolicyPara.dwFlags = BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_END_ENTITY_FLAG;
ZeroMemory( &PolicyStatus, sizeof(PolicyStatus) );
//
// The chain already has verified the policy.
// Chain context will have several bits set.
// To get one error out of it, call CErtVerifyCertificateChainPolicy
//
if ( !CertVerifyCertificateChainPolicy( CERT_CHAIN_POLICY_NT_AUTH,
pChainContext,
&PolicyPara,
&PolicyStatus
)
)
{
dwRetCode = GetLastError();
EapTlsTrace( "CertVerifyCertificateChainPolicy failed. Continuing with root hash matching"
"GetLastError = 0x%x.", dwRetCode);
}
else
{
//
//Check to see if the policy status is good. If so,
//there is no need to check for connectoid hashes any more...
//
if ( PolicyStatus.dwError != 0 )
{
dwRetCode = PolicyStatus.dwError;
EapTlsTrace( "CertVerifyCertificateChainPolicy succeeded but policy check failed 0x%x."
, dwRetCode );
}
else
{
*ppCertChainContext = pChainContext;
}
}
LDone:
if ( dwRetCode != ERROR_SUCCESS && pChainContext )
{
CertFreeCertificateChain ( pChainContext );
}
EapTlsTrace("FCheckPolicy done.");
return dwRetCode;
}
/*
Returns:
TRUE iff the certificate is time valid.
Notes:
*/
BOOL FCheckTimeValidity (
IN PCCERT_CONTEXT pCertContext
)
{
BOOL fRet = FALSE;
SYSTEMTIME SysTime;
FILETIME FileTime;
EapTlsTrace("FCheckTimeValidity");
GetSystemTime(&SysTime);
if ( !SystemTimeToFileTime ( &SysTime, &FileTime ) )
{
EapTlsTrace ("Error converting from system time to file time %ld", GetLastError());
goto done;
}
if ( CertVerifyTimeValidity ( &FileTime, pCertContext->pCertInfo ) )
{
//should return a 0 if the certificate is time valid.
EapTlsTrace ( "Non Time Valid Certificate was encountered");
goto done;
}
fRet = TRUE;
done:
return fRet;
}
/*
Returns:
TRUE iff the CSP is Microsoft RSA SChannel Cryptographic Provider.
Notes:
*/
BOOL
FCheckCSP(
IN PCCERT_CONTEXT pCertContext
)
{
DWORD dwBytes;
CRYPT_KEY_PROV_INFO* pCryptKeyProvInfo = NULL;
BOOL fRet = FALSE;
EapTlsTrace("FCheckCSP");
if (!CertGetCertificateContextProperty(pCertContext,
CERT_KEY_PROV_INFO_PROP_ID, NULL, &dwBytes))
{
EapTlsTrace("CertGetCertificateContextProperty failed and "
"returned 0x%x", GetLastError());
goto LDone;
}
pCryptKeyProvInfo = LocalAlloc(LPTR, dwBytes);
if (NULL == pCryptKeyProvInfo)
{
EapTlsTrace("LocalAlloc failed and returned %d", GetLastError());
goto LDone;
}
if (!CertGetCertificateContextProperty(pCertContext,
CERT_KEY_PROV_INFO_PROP_ID, pCryptKeyProvInfo, &dwBytes))
{
EapTlsTrace("CertGetCertificateContextProperty failed and "
"returned 0x%x", GetLastError());
goto LDone;
}
fRet = (PROV_RSA_SCHANNEL == pCryptKeyProvInfo->dwProvType);
if ( !fRet )
{
EapTlsTrace("Did not find a cert with a provider RSA_SCHANNEL or RSA_FULL");
}
LDone:
LocalFree(pCryptKeyProvInfo);
return(fRet);
}
/*
Returns:
NO_ERROR: iff Success
Notes:
Gets the root cert hash of the cert represented by pCertContextServer.
*/
DWORD
GetRootCertHashAndNameVerifyChain(
IN PCERT_CONTEXT pCertContextServer,
OUT EAPTLS_HASH* pHash,
OUT WCHAR** ppwszName,
IN BOOL fVerifyGP,
OUT BOOL * pfRootCheckRequired
)
{
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
CERT_CHAIN_PARA ChainPara;
PCERT_SIMPLE_CHAIN pSimpleChain;
PCCERT_CONTEXT pCurrentCert;
DWORD dwIndex;
BOOL fRootCertFound = FALSE;
WCHAR* pwszName = NULL;
DWORD dwErr = NO_ERROR;
CERT_CHAIN_POLICY_PARA PolicyPara;
CERT_CHAIN_POLICY_STATUS PolicyStatus;
ZeroMemory(&ChainPara, sizeof(ChainPara));
ChainPara.cbSize = sizeof(ChainPara);
*pfRootCheckRequired = TRUE;
if(!CertGetCertificateChain(
NULL,
pCertContextServer,
NULL,
pCertContextServer->hCertStore,
&ChainPara,
0,
NULL,
&pChainContext))
{
dwErr = GetLastError();
EapTlsTrace("CertGetCertificateChain failed and returned 0x%x", dwErr);
pChainContext = NULL;
goto LDone;
}
//Get the hash and root cert name etc anyways...
pSimpleChain = pChainContext->rgpChain[0];
for (dwIndex = 0; dwIndex < pSimpleChain->cElement; dwIndex++)
{
pCurrentCert = pSimpleChain->rgpElement[dwIndex]->pCertContext;
if (CertCompareCertificateName(pCurrentCert->dwCertEncodingType,
&pCurrentCert->pCertInfo->Issuer,
&pCurrentCert->pCertInfo->Subject))
{
fRootCertFound = TRUE;
break;
}
}
if (!fRootCertFound)
{
dwErr = ERROR_NOT_FOUND;
goto LDone;
}
pHash->cbHash = MAX_HASH_SIZE;
if (!CertGetCertificateContextProperty(pCurrentCert, CERT_HASH_PROP_ID,
pHash->pbHash, &(pHash->cbHash)))
{
dwErr = GetLastError();
EapTlsTrace("CertGetCertificateContextProperty failed and "
"returned 0x%x", dwErr);
goto LDone;
}
if (!FCertToStr(pCurrentCert, 0, TRUE, &pwszName))
{
dwErr = E_FAIL;
goto LDone;
}
*ppwszName = pwszName;
pwszName = NULL;
if ( fVerifyGP )
{
EapTlsTrace( "Checking against the NTAuth store to verify the certificate chain.");
ZeroMemory( &PolicyPara, sizeof(PolicyPara) );
PolicyPara.cbSize = sizeof(PolicyPara);
PolicyPara.dwFlags = BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_END_ENTITY_FLAG;
ZeroMemory( &PolicyStatus, sizeof(PolicyStatus) );
//Authnticate against the NTAuth store and see if all's cool.
if ( !CertVerifyCertificateChainPolicy( CERT_CHAIN_POLICY_NT_AUTH,
pChainContext,
&PolicyPara,
&PolicyStatus
)
)
{
EapTlsTrace( "CertVerifyCertificateChainPolicy failed. Continuing with root hash matching"
"GetLastError = 0x%x.", GetLastError());
}
else
{
//
//Check to see if the policy status is good. If so,
//there is no need to check for connectoid hashes any more...
//
if ( PolicyStatus.dwError != 0 )
{
EapTlsTrace( "CertVerifyCertificateChainPolicy succeeded but returned 0x%x."
"Continuing with root hash matching.", PolicyStatus.dwError);
}
else
{
*pfRootCheckRequired = FALSE;
}
}
}
LDone:
if (pChainContext)
{
CertFreeCertificateChain(pChainContext);
}
LocalFree(pwszName);
return(dwErr);
}
/*
Returns:
NO_ERROR: iff Success
Notes:
Opens the EAP-TLS registry key, and returns the result in *phKeyEapTls. If
the function returns NO_ERROR, the caller must ultimately call
RegCloseKey(*phKeyEapTls).
*/
DWORD
OpenEapTlsRegistryKey(
IN WCHAR* pwszMachineName,
IN REGSAM samDesired,
OUT HKEY* phKeyEapTls
)
{
HKEY hKeyLocalMachine = NULL;
BOOL fHKeyLocalMachineOpened = FALSE;
BOOL fHKeyEapTlsOpened = FALSE;
LONG lRet;
DWORD dwErr = NO_ERROR;
RTASSERT(NULL != phKeyEapTls);
lRet = RegConnectRegistry(pwszMachineName, HKEY_LOCAL_MACHINE,
&hKeyLocalMachine);
if (ERROR_SUCCESS != lRet)
{
dwErr = lRet;
EapTlsTrace("RegConnectRegistry(%ws) failed and returned %d",
pwszMachineName ? pwszMachineName : L"NULL", dwErr);
goto LDone;
}
fHKeyLocalMachineOpened = TRUE;
lRet = RegOpenKeyEx(hKeyLocalMachine, EAPTLS_KEY_13, 0, samDesired,
phKeyEapTls);
if (ERROR_SUCCESS != lRet)
{
dwErr = lRet;
EapTlsTrace("RegOpenKeyEx(%ws) failed and returned %d",
EAPTLS_KEY_13, dwErr);
goto LDone;
}
fHKeyEapTlsOpened = TRUE;
LDone:
if ( fHKeyEapTlsOpened
&& (ERROR_SUCCESS != dwErr))
{
RegCloseKey(*phKeyEapTls);
}
if (fHKeyLocalMachineOpened)
{
RegCloseKey(hKeyLocalMachine);
}
return(dwErr);
}
/*
Returns:
NO_ERROR: iff Success
Notes:
Reads/writes the server's config data.
If fRead is TRUE, and the function returns NO_ERROR, LocalFree(*ppUserProp)
must be called.
*/
DWORD
ServerConfigDataIO(
IN BOOL fRead,
IN WCHAR* pwszMachineName,
IN OUT BYTE** ppData,
IN DWORD dwNumBytes
)
{
HKEY hKeyEapTls;
EAPTLS_USER_PROPERTIES* pUserProp;
BOOL fHKeyEapTlsOpened = FALSE;
BYTE* pData = NULL;
DWORD dwSize = 0;
LONG lRet;
DWORD dwType;
DWORD dwErr = NO_ERROR;
RTASSERT(NULL != ppData);
dwErr = OpenEapTlsRegistryKey(pwszMachineName,
fRead ? KEY_READ : KEY_WRITE, &hKeyEapTls);
if (ERROR_SUCCESS != dwErr)
{
goto LDone;
}
fHKeyEapTlsOpened = TRUE;
if (fRead)
{
lRet = RegQueryValueEx(hKeyEapTls, EAPTLS_VAL_SERVER_CONFIG_DATA, NULL,
&dwType, NULL, &dwSize);
if ( (ERROR_SUCCESS != lRet)
|| (REG_BINARY != dwType)
|| (sizeof(EAPTLS_USER_PROPERTIES) != dwSize))
{
pData = LocalAlloc(LPTR, sizeof(EAPTLS_USER_PROPERTIES));
if (NULL == pData)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
pUserProp = (EAPTLS_USER_PROPERTIES*)pData;
pUserProp->dwVersion = 0;
}
else
{
pData = LocalAlloc(LPTR, dwSize);
if (NULL == pData)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
lRet = RegQueryValueEx(hKeyEapTls, EAPTLS_VAL_SERVER_CONFIG_DATA,
NULL, &dwType, pData, &dwSize);
if (ERROR_SUCCESS != lRet)
{
dwErr = lRet;
EapTlsTrace("RegQueryValueEx(%ws) failed and returned %d",
EAPTLS_VAL_SERVER_CONFIG_DATA, dwErr);
goto LDone;
}
}
pUserProp = (EAPTLS_USER_PROPERTIES*)pData;
pUserProp->dwSize = sizeof(EAPTLS_USER_PROPERTIES);
pUserProp->awszString[0] = 0;
*ppData = pData;
pData = NULL;
}
else
{
lRet = RegSetValueEx(hKeyEapTls, EAPTLS_VAL_SERVER_CONFIG_DATA, 0,
REG_BINARY, *ppData, dwNumBytes);
if (ERROR_SUCCESS != lRet)
{
dwErr = lRet;
EapTlsTrace("RegSetValueEx(%ws) failed and returned %d",
EAPTLS_VAL_SERVER_CONFIG_DATA, dwErr);
goto LDone;
}
}
LDone:
if (fHKeyEapTlsOpened)
{
RegCloseKey(hKeyEapTls);
}
LocalFree(pData);
return(dwErr);
}
/*
Returns:
VOID
Notes:
*/
VOID
FreeCertList(
IN EAPTLS_CERT_NODE* pNode
)
{
while (NULL != pNode)
{
LocalFree(pNode->pwszDisplayName);
LocalFree(pNode->pwszFriendlyName);
LocalFree(pNode->pwszIssuer);
LocalFree(pNode->pwszExpiration);
pNode = pNode->pNext;
}
}
/*
Returns:
VOID
Notes:
Creates a linked list of certs from the pwszStoreName store. This list is
created in *ppCertList. *ppCert is made to point to the cert whose hash is
the same as the hash in *pHash. The linked list must eventually be freed by
calling FreeCertList.
*/
VOID
CreateCertList(
IN BOOL fServer,
IN BOOL fRouter,
IN BOOL fRoot,
OUT EAPTLS_CERT_NODE** ppCertList,
OUT EAPTLS_CERT_NODE** ppCert, //This is an array of pointers...
IN DWORD dwNumHashes,
IN EAPTLS_HASH* pHash, //This is an array of hashes...
IN WCHAR* pwszStoreName
)
{
HCERTSTORE hCertStore = NULL;
EAPTLS_CERT_NODE* pCertList = NULL;
EAPTLS_CERT_NODE* pCert = NULL;
EAPTLS_CERT_NODE* pLastNode = NULL;
PCCERT_CONTEXT pCertContext;
BOOL fExitWhile;
EAPTLS_CERT_NODE* pNode;
DWORD dwErr = NO_ERROR;
DWORD dwNextSelCert = 0;
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
CERT_CHAIN_FIND_BY_ISSUER_PARA FindPara;
RTASSERT(NULL != ppCertList);
hCertStore = CertOpenStore(
CERT_STORE_PROV_SYSTEM,
0,
0,
CERT_STORE_READONLY_FLAG |
((fServer || fRouter) ?
CERT_SYSTEM_STORE_LOCAL_MACHINE :
CERT_SYSTEM_STORE_CURRENT_USER),
pwszStoreName);
if (NULL == hCertStore)
{
dwErr = GetLastError();
EapTlsTrace("CertOpenSystemStore failed and returned 0x%x", dwErr);
goto LDone;
}
//Changed from fRoot||fServer to fRoot only.
if (fRoot)
{
pCertList = LocalAlloc(LPTR, sizeof(EAPTLS_CERT_NODE));
if (NULL == pCertList)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
pLastNode = pCertList;
}
fExitWhile = FALSE;
pCertContext = NULL;
ZeroMemory ( &FindPara, sizeof(FindPara) );
FindPara.cbSize = sizeof(FindPara);
FindPara.pszUsageIdentifier = szOID_PKIX_KP_CLIENT_AUTH;
while (!fExitWhile)
{
dwErr = NO_ERROR;
pNode = NULL;
/*
The returned pointer is freed when passed as the pPrevCertContext on a
subsequent call. Otherwise, the pointer must be freed by calling
CertFreeCertificateContext. A pPrevCertContext that is not NULL is
always freed by this function (through a call to
CertFreeCertificateContext), even for an error.
*/
if ( fRoot || fRouter || fServer )
{
pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext);
if (NULL == pCertContext)
{
fExitWhile = TRUE;
goto LWhileEnd;
}
if ( !fRoot
&& !FCheckUsage(pCertContext, NULL, fServer))
{
goto LWhileEnd;
}
}
else
{
//
// Use CertFindChainInStore to get to the certificate
//
pChainContext = CertFindChainInStore ( hCertStore,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_CHAIN_FIND_BY_ISSUER,
&FindPara,
pChainContext
);
if ( NULL == pChainContext )
{
fExitWhile = TRUE;
goto LWhileEnd;
}
//Set the cert context to appropriate value
pCertContext = pChainContext->rgpChain[0]->rgpElement[0]->pCertContext;
}
//
//Skip if it is smart card cached certificate
//or we cannot open this csp in silent mode
//This is done iff it is not root certs and server
//
if ( !fRoot
&& !fServer
&& FCheckSCardCertAndCanOpenSilentContext ( pCertContext ) )
{
goto LWhileEnd;
}
if ( !FCheckTimeValidity(pCertContext ) )
{
goto LWhileEnd;
}
if ( fServer
&& !FCheckCSP(pCertContext))
{
goto LWhileEnd;
}
pNode = LocalAlloc(LPTR, sizeof(EAPTLS_CERT_NODE));
if (NULL == pNode)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
fExitWhile = TRUE;
goto LWhileEnd;
}
FGetFriendlyName(pCertContext, &(pNode->pwszFriendlyName));
//
// If there is no UPN name, this cert will be skipped here
//
if ( !FCertToStr(pCertContext, 0, fServer || fRouter,
&(pNode->pwszDisplayName))
|| !FCertToStr(pCertContext, CERT_NAME_ISSUER_FLAG, TRUE,
&(pNode->pwszIssuer))
|| !FFileTimeToStr(pCertContext->pCertInfo->NotAfter,
&(pNode->pwszExpiration)))
{
goto LWhileEnd;
}
pNode->Hash.cbHash = MAX_HASH_SIZE;
if (!CertGetCertificateContextProperty(
pCertContext, CERT_HASH_PROP_ID, pNode->Hash.pbHash,
&(pNode->Hash.cbHash)))
{
dwErr = GetLastError();
EapTlsTrace("CertGetCertificateContextProperty failed and "
"returned 0x%x", dwErr);
fExitWhile = TRUE;
goto LWhileEnd;
}
#if 0
// This is not being used anywhere. So dont worry about it.
//
// Get Issuer and subject information
//
FGetIssuerOrSubject ( pCertContext,
0,
&(pNode->pwszIssuedTo)
);
FGetIssuerOrSubject ( pCertContext,
CERT_NAME_ISSUER_FLAG,
&(pNode->pwszIssuedBy)
);
#endif
//
// Finally copy the issued date into the structure
//
CopyMemory( &pNode->IssueDate,
&pCertContext->pCertInfo->NotBefore,
sizeof(FILETIME)
);
if (NULL == pLastNode)
{
pCertList = pLastNode = pNode;
}
else
{
pLastNode->pNext = pNode;
pLastNode = pNode;
}
//Check if the hash for current node is in the list
//that has been passed to us
AddCertNodeToSelList ( pHash,
dwNumHashes,
pNode,
ppCert, //This is an array of pointers
&dwNextSelCert
);
pNode = NULL;
LWhileEnd:
if (NULL != pNode)
{
LocalFree(pNode->pwszDisplayName);
LocalFree(pNode->pwszFriendlyName);
LocalFree(pNode->pwszIssuer);
LocalFree(pNode->pwszExpiration);
LocalFree(pNode);
pNode = NULL;
}
if ( fRoot || fRouter )
{
if ( fExitWhile
&& (NULL != pCertContext))
{
CertFreeCertificateContext(pCertContext);
// Always returns TRUE;
}
}
else
{
if ( fExitWhile
&& ( NULL != pChainContext )
)
{
CertFreeCertificateChain(pChainContext);
}
}
}
// If we couldn't find an appropriate default cert, make the first
// cert (if there is one) the default
if (NULL == pCert)
{
pCert = pCertList;
}
LDone:
if (NO_ERROR != dwErr)
{
FreeCertList(pCertList);
}
else
{
*ppCertList = pCertList;
}
if (NULL != hCertStore)
{
if (!CertCloseStore(hCertStore, 0))
{
EapTlsTrace("CertCloseStore failed and returned 0x%x",
GetLastError());
}
}
}
DWORD
GetLocalMachineName (
OUT WCHAR ** ppLocalMachineName
)
{
DWORD dwRetCode = NO_ERROR;
WCHAR * pLocalMachineName = NULL;
DWORD dwLocalMachineNameLen = 0;
if ( !GetComputerNameEx ( ComputerNameDnsFullyQualified,
pLocalMachineName,
&dwLocalMachineNameLen
)
)
{
dwRetCode = GetLastError();
if ( ERROR_MORE_DATA != dwRetCode )
goto LDone;
dwRetCode = NO_ERROR;
}
pLocalMachineName = (WCHAR *)LocalAlloc( LPTR, (dwLocalMachineNameLen * sizeof(WCHAR)) + sizeof(WCHAR) );
if ( NULL == pLocalMachineName )
{
dwRetCode = GetLastError();
goto LDone;
}
if ( !GetComputerNameEx ( ComputerNameDnsFullyQualified,
pLocalMachineName,
&dwLocalMachineNameLen
)
)
{
dwRetCode = GetLastError();
goto LDone;
}
*ppLocalMachineName = pLocalMachineName;
pLocalMachineName = NULL;
LDone:
LocalFree(pLocalMachineName);
return dwRetCode;
}
/*
Returns:
NO_ERROR: iff Success
Notes:
If this function returns NO_ERROR,
CertFreeCertificateContext(*ppCertContext) must be called.
*/
DWORD
GetDefaultClientMachineCert(
IN HCERTSTORE hCertStore,
OUT PCCERT_CONTEXT* ppCertContext
)
{
CTL_USAGE CtlUsage;
CHAR* szUsageIdentifier;
PCCERT_CONTEXT pCertContext = NULL;
EAPTLS_HASH FirstCertHash; //This is the hash of first cert
//with client auth found in the store
PCCERT_CONTEXT pCertContextPrev = NULL; //Previous context in the search
EAPTLS_HASH SelectedCertHash; //Hash of the certificate last selected
FILETIME SelectedCertNotBefore; //Not Before date of last selected
EAPTLS_HASH TempHash; //Scratch variable
WCHAR * pwszIdentity = NULL; //Machine Name in the cert
WCHAR * pLocalMachineName = NULL; //Local Machine Name
DWORD dwErr = NO_ERROR;
BOOL fGotIdentity;
CRYPT_HASH_BLOB HashBlob;
EapTlsTrace("GetDefaultClientMachineCert");
RTASSERT(NULL != ppCertContext);
ZeroMemory( &SelectedCertHash, sizeof(SelectedCertHash) );
ZeroMemory( &SelectedCertNotBefore, sizeof(SelectedCertNotBefore) );
*ppCertContext = NULL;
dwErr = GetLocalMachineName ( &pLocalMachineName );
if ( NO_ERROR != dwErr )
{
EapTlsTrace("Error getting LocalMachine Name 0x%x",
dwErr);
goto LDone;
}
szUsageIdentifier = szOID_PKIX_KP_CLIENT_AUTH;
CtlUsage.cUsageIdentifier = 1;
CtlUsage.rgpszUsageIdentifier = &szUsageIdentifier;
pCertContext = CertFindCertificateInStore(hCertStore,
X509_ASN_ENCODING,
0,
CERT_FIND_ENHKEY_USAGE,
&CtlUsage,
NULL);
if ( NULL == pCertContext )
{
dwErr = GetLastError();
EapTlsTrace("CertFindCertificateInStore failed and returned 0x%x",
dwErr);
if ( CRYPT_E_NOT_FOUND == dwErr )
{
dwErr = ERROR_NO_EAPTLS_CERTIFICATE;
}
goto LDone;
}
FirstCertHash.cbHash = MAX_HASH_SIZE;
//
//Store the hash of first cert. In case we dont find any cert that exactly matches
//the filtering, we need to use this.
if (!CertGetCertificateContextProperty( pCertContext,
CERT_HASH_PROP_ID,
FirstCertHash.pbHash,
&(FirstCertHash.cbHash)
)
)
{
dwErr = GetLastError();
EapTlsTrace("CertGetCertificateContextProperty failed and "
"returned 0x%x", dwErr);
goto LDone;
}
do
{
//Check time validity of the cert.
if ( !FCheckTimeValidity( pCertContext) )
{
//cert expired. So skip it
EapTlsTrace("Found expired Cert. Skipping this cert.");
goto LWhileEnd;
}
fGotIdentity = FALSE;
//
//Get the subject Alt Name
//
if ( FMachineAuthCertToStr(pCertContext, &pwszIdentity) )
{
fGotIdentity = TRUE;
}
else
{
EapTlsTrace("Could not get identity from subject alt name.");
if ( FCertToStr(pCertContext, 0, TRUE, &pwszIdentity))
{
fGotIdentity = TRUE;
}
}
if ( fGotIdentity )
{
//
//Check to see if this is the same identity as this machine
//
if ( !_wcsicmp ( pwszIdentity, pLocalMachineName ) )
{
//
//Store the hash of cert.
TempHash.cbHash = MAX_HASH_SIZE;
if (!CertGetCertificateContextProperty( pCertContext,
CERT_HASH_PROP_ID,
TempHash.pbHash,
&(TempHash.cbHash)
)
)
{
EapTlsTrace("CertGetCertificateContextProperty failed and "
"returned 0x%x. Skipping this certificate", GetLastError());
goto LWhileEnd;
}
//
//Got a cert so if there is already a cert selected,
//compare the file time of this cert with the one
//already selected. If this is more recent, use this
//one.
//
if ( SelectedCertHash.cbHash )
{
if ( CompareFileTime( &SelectedCertNotBefore,
&(pCertContext->pCertInfo->NotBefore)
) < 0
)
{
//Got a newer cert so replace the old cert with new one
CopyMemory ( &SelectedCertHash,
&TempHash,
sizeof(SelectedCertHash)
);
CopyMemory ( &SelectedCertNotBefore,
&(pCertContext->pCertInfo->NotBefore),
sizeof( SelectedCertNotBefore )
);
}
}
else
{
//
//This is the first cert. So copy over the hash and
//file time.
CopyMemory ( &SelectedCertHash,
&TempHash,
sizeof(SelectedCertHash)
);
CopyMemory ( &SelectedCertNotBefore,
&(pCertContext->pCertInfo->NotBefore),
sizeof( SelectedCertNotBefore )
);
}
}
else
{
EapTlsTrace("Could not get identity from the cert. skipping this cert.");
}
}
else
{
EapTlsTrace("Could not get identity from the cert. skipping this cert.");
}
LWhileEnd:
pCertContextPrev = pCertContext;
if ( pwszIdentity )
{
LocalFree ( pwszIdentity );
pwszIdentity = NULL;
}
//Get the next certificate.
pCertContext = CertFindCertificateInStore(hCertStore,
X509_ASN_ENCODING,
0,
CERT_FIND_ENHKEY_USAGE,
&CtlUsage,
pCertContextPrev );
}while ( pCertContext );
//
//Now that we have enumerated all the certs,
//check to see if we have a selected cert. If no selected
//cert is present, send back the first cert.
//
if ( SelectedCertHash.cbHash )
{
EapTlsTrace("Found Machine Cert based on machinename, client auth, time validity.");
HashBlob.cbData = SelectedCertHash.cbHash;
HashBlob.pbData = SelectedCertHash.pbHash;
}
else
{
EapTlsTrace("Did not find Machine Cert based on the given machinename, client auth, time validity. Using the first cert with Client Auth OID.");
HashBlob.cbData = FirstCertHash.cbHash;
HashBlob.pbData = FirstCertHash.pbHash;
}
*ppCertContext = CertFindCertificateInStore(hCertStore, X509_ASN_ENCODING,
0, CERT_FIND_HASH, &HashBlob, NULL);
if (NULL == *ppCertContext)
{
dwErr = GetLastError();
EapTlsTrace("CertFindCertificateInStore failed with 0x%x.", dwErr);
if ( CRYPT_E_NOT_FOUND == dwErr )
{
dwErr = ERROR_NO_EAPTLS_CERTIFICATE;
}
}
LDone:
LocalFree (pLocalMachineName);
LocalFree (pwszIdentity);
if ( NO_ERROR != dwErr )
{
if ( pCertContext )
{
CertFreeCertificateContext( pCertContext );
}
}
EapTlsTrace("GetDefaultClientMachineCert done.");
return(dwErr);
}
/*
Returns:
NO_ERROR: iff Success
Notes:
If this function returns NO_ERROR,
CertFreeCertificateContext(*ppCertContext) must be called.
*/
DWORD
GetDefaultMachineCert(
IN HCERTSTORE hCertStore,
OUT PCCERT_CONTEXT* ppCertContext
)
{
CTL_USAGE CtlUsage;
CHAR* szUsageIdentifier;
PCCERT_CONTEXT pCertContext;
DWORD dwErr = NO_ERROR;
EapTlsTrace("GetDefaultMachineCert");
RTASSERT(NULL != ppCertContext);
*ppCertContext = NULL;
szUsageIdentifier = szOID_PKIX_KP_SERVER_AUTH;
CtlUsage.cUsageIdentifier = 1;
CtlUsage.rgpszUsageIdentifier = &szUsageIdentifier;
pCertContext = CertFindCertificateInStore(hCertStore,
X509_ASN_ENCODING, 0, CERT_FIND_ENHKEY_USAGE,
&CtlUsage, NULL);
if (NULL == pCertContext)
{
dwErr = GetLastError();
EapTlsTrace("CertFindCertificateInStore failed and returned 0x%x",
dwErr);
goto LDone;
}
*ppCertContext = pCertContext;
LDone:
return(dwErr);
}
/*
Returns:
Notes:
Stolen from \private\windows\gina\msgina\wlsec.c
*/
VOID
RevealPassword(
IN UNICODE_STRING* pHiddenPassword
)
{
SECURITY_SEED_AND_LENGTH* SeedAndLength;
UCHAR Seed;
SeedAndLength = (SECURITY_SEED_AND_LENGTH*)&pHiddenPassword->Length;
Seed = SeedAndLength->Seed;
SeedAndLength->Seed = 0;
RtlRunDecodeUnicodeString(Seed, pHiddenPassword);
}
DWORD GetMBytePIN ( WCHAR * pwszPIN, CHAR ** ppszPIN )
{
DWORD count = 0;
CHAR * pszPin = NULL;
DWORD dwErr = NO_ERROR;
count = WideCharToMultiByte(
CP_UTF8,
0,
pwszPIN,
-1,
NULL,
0,
NULL,
NULL);
if (0 == count)
{
dwErr = GetLastError();
EapTlsTrace("WideCharToMultiByte failed: %d", dwErr);
goto LDone;
}
pszPin = LocalAlloc(LPTR, count);
if (NULL == pszPin)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed: 0x%x", dwErr);
goto LDone;
}
count = WideCharToMultiByte(
CP_UTF8,
0,
pwszPIN,
-1,
pszPin,
count,
NULL,
NULL);
if (0 == count)
{
dwErr = GetLastError();
EapTlsTrace("WideCharToMultiByte failed: %d", dwErr);
goto LDone;
}
*ppszPIN = pszPin;
LDone:
if ( NO_ERROR != dwErr )
{
if ( pszPin )
LocalFree(pszPin);
}
return dwErr;
}
/*
Returns:
NO_ERROR: iff Success
Notes:
*/
DWORD
GetCertFromLogonInfo(
IN BYTE* pUserDataIn,
IN DWORD dwSizeOfUserDataIn,
OUT PCCERT_CONTEXT* ppCertContext
)
{
EAPLOGONINFO* pEapLogonInfo = (EAPLOGONINFO*)pUserDataIn;
BYTE* pbLogonInfo = NULL;
BYTE* pbPinInfo;
WCHAR* wszPassword = NULL;
CHAR* pszPIN = NULL; //Multibyte Version of the PIN
UNICODE_STRING UnicodeString;
PCCERT_CONTEXT pCertContext = NULL;
BOOL fInitialized = FALSE;
NTSTATUS Status;
DWORD dwErr = NO_ERROR;
CERT_KEY_CONTEXT stckContext;
DWORD cbstckContext= sizeof(CERT_KEY_CONTEXT);
EapTlsTrace("GetCertFromLogonInfo");
RTASSERT(NULL != ppCertContext);
*ppCertContext = NULL;
if ( 0 == pEapLogonInfo->dwLogonInfoSize
|| 0 == pEapLogonInfo->dwPINInfoSize
|| 0 == dwSizeOfUserDataIn)
{
dwErr = E_FAIL;
goto LDone;
}
pbLogonInfo = LocalAlloc(LPTR, pEapLogonInfo->dwLogonInfoSize);
if (NULL == pbLogonInfo)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
CopyMemory(pbLogonInfo,
(BYTE*)pEapLogonInfo + pEapLogonInfo->dwOffsetLogonInfo,
pEapLogonInfo->dwLogonInfoSize);
pbPinInfo = (BYTE*)pEapLogonInfo + pEapLogonInfo->dwOffsetPINInfo;
wszPassword = LocalAlloc(LPTR, pEapLogonInfo->dwPINInfoSize);
if (NULL == wszPassword)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
CopyMemory(wszPassword, pbPinInfo + 2 * sizeof(USHORT),
pEapLogonInfo->dwPINInfoSize - 2 * sizeof(USHORT));
UnicodeString.Length = *((USHORT*)pbPinInfo);
UnicodeString.MaximumLength = *((USHORT*)pbPinInfo + 1);
UnicodeString.Buffer = wszPassword;
Status = ScHelperInitializeContext(pbLogonInfo,
pEapLogonInfo->dwLogonInfoSize);
if (STATUS_SUCCESS != Status)
{
dwErr = Status;
EapTlsTrace("ScHelperInitializeContext failed and returned 0x%x",
dwErr);
goto LDone;
}
fInitialized = TRUE;
RevealPassword(&UnicodeString);
Status = ScHelperGetCertFromLogonInfo(pbLogonInfo, &UnicodeString,
&pCertContext);
if (STATUS_SUCCESS != Status)
{
dwErr = Status;
EapTlsTrace("ScHelperGetCertFromLogonInfo failed and returned 0x%x",
dwErr);
goto LDone;
}
//BUGID: 260728 - ScHelperGetCertFromLogonInfo does not associate the PIN
// with certificate context. Hence the following lines of code are needed
// to do the needful.
if ( ! CertGetCertificateContextProperty ( pCertContext,
CERT_KEY_CONTEXT_PROP_ID,
&stckContext,
&cbstckContext
)
)
{
dwErr = Status = GetLastError();
EapTlsTrace ("CertGetCertificateContextProperty failed and returned 0x%x",
dwErr
);
goto LDone;
}
dwErr = GetMBytePIN ( wszPassword, &pszPIN );
if ( dwErr != NO_ERROR )
{
goto LDone;
}
if (!CryptSetProvParam(
stckContext.hCryptProv,
PP_KEYEXCHANGE_PIN,
pszPIN,
0))
{
dwErr = GetLastError();
EapTlsTrace("CryptSetProvParam failed: 0x%x", dwErr);
ZeroMemory(pszPIN, strlen(pszPIN));
goto LDone;
}
// Zero the entire allocated buffer.
ZeroMemory(wszPassword, pEapLogonInfo->dwPINInfoSize);
ZeroMemory(pszPIN, strlen(pszPIN));
*ppCertContext = pCertContext;
pCertContext = NULL;
LDone:
if (fInitialized)
{
ScHelperRelease(pbLogonInfo);
}
if (NULL != pCertContext)
{
CertFreeCertificateContext(pCertContext);
// Always returns TRUE;
}
LocalFree(wszPassword);
LocalFree(pbLogonInfo);
if ( pszPIN )
LocalFree ( pszPIN );
return(dwErr);
}
/*
Returns:
NO_ERROR: iff Success
Notes:
If this function returns TRUE, LocalFree(*ppwszIdentity) must be called.
*/
DWORD
GetIdentityFromLogonInfo(
IN BYTE* pUserDataIn,
IN DWORD dwSizeOfUserDataIn,
OUT WCHAR** ppwszIdentity
)
{
WCHAR* pwszIdentity = NULL;
PCCERT_CONTEXT pCertContext = NULL;
DWORD dwErr = NO_ERROR;
RTASSERT(NULL != pUserDataIn);
RTASSERT(NULL != ppwszIdentity);
*ppwszIdentity = NULL;
dwErr = GetCertFromLogonInfo(pUserDataIn, dwSizeOfUserDataIn,
&pCertContext);
if (NO_ERROR != dwErr)
{
goto LDone;
}
if (FCertToStr(pCertContext, 0, FALSE, &pwszIdentity))
{
EapTlsTrace("(logon info) The name in the certificate is: %ws",
pwszIdentity);
*ppwszIdentity = pwszIdentity;
pwszIdentity = NULL;
}
LDone:
LocalFree(pwszIdentity);
if (NULL != pCertContext)
{
CertFreeCertificateContext(pCertContext);
// Always returns TRUE;
}
return(dwErr);
}
/*
Returns:
NO_ERROR: iff Success
Notes:
There are two types of structures that can come in:
1. Version 0 structure which comes in as a a part of
CM profile created on w2k or as a part of a
connectoid that gor upgraded from w2k
We change the data structure to new v1
data structure here
2. Get a version 1 structure and it is all cool.
Note that the first x bytes of version 1 data structure
are exactly the same as version 0.
*/
DWORD
ReadConnectionData(
IN BOOL fWireless,
IN BYTE* pConnectionDataIn,
IN DWORD dwSizeOfConnectionDataIn,
OUT EAPTLS_CONN_PROPERTIES** ppConnProp
)
{
DWORD dwErr = NO_ERROR;
EAPTLS_CONN_PROPERTIES* pConnProp = NULL;
EAPTLS_CONN_PROPERTIES* pConnPropv1 = NULL;
RTASSERT(NULL != ppConnProp);
if ( dwSizeOfConnectionDataIn < sizeof(EAPTLS_CONN_PROPERTIES) )
{
pConnProp = LocalAlloc(LPTR, sizeof(EAPTLS_CONN_PROPERTIES) + sizeof(EAPTLS_CONN_PROPERTIES_V1_EXTRA));
if (NULL == pConnProp)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
//This is a new structure
pConnProp->dwVersion = 2;
pConnProp->dwSize = sizeof(EAPTLS_CONN_PROPERTIES);
if ( fWireless )
{
//
// Set the defaults appropriately
//
pConnProp->fFlags |= EAPTLS_CONN_FLAG_REGISTRY;
pConnProp->fFlags |= EAPTLS_CONN_FLAG_SIMPLE_CERT_SEL;
pConnProp->fFlags |= EAPTLS_CONN_FLAG_NO_VALIDATE_NAME;
}
}
else
{
RTASSERT(NULL != pConnectionDataIn);
//
//Check to see if this is a version 0 structure
//If it is a version 0 structure then we migrate it to version1
//
pConnProp = LocalAlloc(LPTR, dwSizeOfConnectionDataIn);
if (NULL == pConnProp)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
// If the user has mucked with the phonebook, we mustn't be affected.
// The size must be correct.
CopyMemory(pConnProp, pConnectionDataIn, dwSizeOfConnectionDataIn);
pConnProp->dwSize = dwSizeOfConnectionDataIn;
//
// The Unicode string must be NULL terminated.
//
/*
((BYTE*)pConnProp)[dwSizeOfConnectionDataIn - 2] = 0;
((BYTE*)pConnProp)[dwSizeOfConnectionDataIn - 1] = 0;
*/
pConnPropv1 = LocalAlloc(LPTR,
dwSizeOfConnectionDataIn +
sizeof(EAPTLS_CONN_PROPERTIES_V1_EXTRA)
);
if ( NULL == pConnPropv1 )
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed while allocating v1 structure and returned %d", dwErr );
goto LDone;
}
CopyMemory ( pConnPropv1, pConnProp, dwSizeOfConnectionDataIn);
//
//Check to see if the original struct has hash set
//
/*
if ( pConnProp->Hash.cbHash )
{
ConnPropSetNumHashes( pConnPropv1, 1 );
}
*/
if ( 2 != pConnPropv1->dwVersion )
{
if ( pConnPropv1->fFlags & EAPTLS_CONN_FLAG_REGISTRY )
{
pConnPropv1->fFlags |= EAPTLS_CONN_FLAG_SIMPLE_CERT_SEL;
}
pConnPropv1->dwVersion = 2;
}
LocalFree ( pConnProp );
pConnProp = pConnPropv1;
pConnPropv1 = NULL;
}
*ppConnProp = pConnProp;
pConnProp = NULL;
LDone:
LocalFree(pConnProp);
LocalFree(pConnPropv1);
return(dwErr);
}
/*
Returns:
NO_ERROR: iff Success
Notes:
*/
DWORD
ReadUserData(
IN BYTE* pUserDataIn,
IN DWORD dwSizeOfUserDataIn,
OUT EAPTLS_USER_PROPERTIES** ppUserProp
)
{
DWORD dwErr = NO_ERROR;
EAPTLS_USER_PROPERTIES* pUserProp = NULL;
RTASSERT(NULL != ppUserProp);
if (dwSizeOfUserDataIn < sizeof(EAPTLS_USER_PROPERTIES))
{
pUserProp = LocalAlloc(LPTR, sizeof(EAPTLS_USER_PROPERTIES));
if (NULL == pUserProp)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
pUserProp->dwVersion = 0;
pUserProp->dwSize = sizeof(EAPTLS_USER_PROPERTIES);
pUserProp->pwszDiffUser = pUserProp->awszString;
pUserProp->dwPinOffset = 0;
pUserProp->pwszPin = pUserProp->awszString + pUserProp->dwPinOffset;
}
else
{
RTASSERT(NULL != pUserDataIn);
pUserProp = LocalAlloc(LPTR, dwSizeOfUserDataIn);
if (NULL == pUserProp)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
CopyMemory(pUserProp, pUserDataIn, dwSizeOfUserDataIn);
// If someone has mucked with the registry, we mustn't
// be affected.
pUserProp->dwSize = dwSizeOfUserDataIn;
pUserProp->pwszDiffUser = pUserProp->awszString;
pUserProp->pwszPin = pUserProp->awszString + pUserProp->dwPinOffset;
}
*ppUserProp = pUserProp;
pUserProp = NULL;
LDone:
LocalFree(pUserProp);
return(dwErr);
}
/*
Returns:
NO_ERROR: iff Success
Notes:
*/
DWORD
AllocUserDataWithNewIdentity(
IN EAPTLS_USER_PROPERTIES* pUserProp,
IN WCHAR* pwszIdentity,
OUT EAPTLS_USER_PROPERTIES** ppUserProp
)
{
DWORD dwNumChars;
EAPTLS_USER_PROPERTIES* pUserPropTemp = NULL;
DWORD dwSize;
DWORD dwErr = NO_ERROR;
*ppUserProp = NULL;
dwNumChars = wcslen(pwszIdentity);
dwSize = sizeof(EAPTLS_USER_PROPERTIES) +
(dwNumChars + wcslen(pUserProp->pwszPin) + 1) * sizeof(WCHAR);
pUserPropTemp = LocalAlloc(LPTR, dwSize);
if (NULL == pUserPropTemp)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
CopyMemory(pUserPropTemp, pUserProp, sizeof(EAPTLS_USER_PROPERTIES));
pUserPropTemp->dwSize = dwSize;
pUserPropTemp->pwszDiffUser = pUserPropTemp->awszString;
wcscpy(pUserPropTemp->pwszDiffUser, pwszIdentity);
pUserPropTemp->dwPinOffset = dwNumChars + 1;
pUserPropTemp->pwszPin = pUserPropTemp->awszString +
pUserPropTemp->dwPinOffset;
wcscpy(pUserPropTemp->pwszPin, pUserProp->pwszPin);
*ppUserProp = pUserPropTemp;
pUserPropTemp = NULL;
ZeroMemory(pUserProp, pUserProp->dwSize);
LDone:
LocalFree(pUserPropTemp);
return(dwErr);
}
/*
Returns:
NO_ERROR: iff Success
Notes:
*/
DWORD
AllocUserDataWithNewPin(
IN EAPTLS_USER_PROPERTIES* pUserProp,
IN PBYTE pbPin,
IN DWORD cbPin,
OUT EAPTLS_USER_PROPERTIES** ppUserProp
)
{
DWORD dwNumChars;
EAPTLS_USER_PROPERTIES* pUserPropTemp = NULL;
DWORD dwSize;
DWORD dwErr = NO_ERROR;
*ppUserProp = NULL;
dwNumChars = wcslen(pUserProp->pwszDiffUser);
dwSize = sizeof(EAPTLS_USER_PROPERTIES) +
(dwNumChars + 1 ) * sizeof(WCHAR) + cbPin;
pUserPropTemp = LocalAlloc(LPTR, dwSize);
if (NULL == pUserPropTemp)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
CopyMemory(pUserPropTemp, pUserProp, sizeof(EAPTLS_USER_PROPERTIES));
pUserPropTemp->dwSize = dwSize;
pUserPropTemp->pwszDiffUser = pUserPropTemp->awszString;
wcscpy(pUserPropTemp->pwszDiffUser, pUserProp->pwszDiffUser);
pUserPropTemp->dwPinOffset = dwNumChars + 1;
pUserPropTemp->pwszPin = pUserPropTemp->awszString +
pUserPropTemp->dwPinOffset;
CopyMemory(pUserPropTemp->pwszPin, pbPin, cbPin);
*ppUserProp = pUserPropTemp;
pUserPropTemp = NULL;
ZeroMemory(pUserProp, pUserProp->dwSize);
LDone:
LocalFree(pUserPropTemp);
return(dwErr);
}
/*
Returns:
Notes:
String resource message loader routine. Returns the address of a string
corresponding to string resource dwStringId or NULL if error. It is caller's
responsibility to LocalFree the returned string.
*/
WCHAR*
WszFromId(
IN HINSTANCE hInstance,
IN DWORD dwStringId
)
{
WCHAR* wszBuf = NULL;
int cchBuf = 256;
int cchGot;
for (;;)
{
wszBuf = LocalAlloc(LPTR, cchBuf * sizeof(WCHAR));
if (NULL == wszBuf)
{
break;
}
/*
LoadString wants to deal with character-counts rather than
byte-counts...weird. Oh, and if you're thinking I could FindResource
then SizeofResource to figure out the string size, be advised it
doesn't work. From perusing the LoadString source, it appears the
RT_STRING resource type requests a segment of 16 strings not an
individual string.
*/
cchGot = LoadStringW(hInstance, (UINT)dwStringId, wszBuf, cchBuf);
if (cchGot < cchBuf - 1)
{
// Good, got the whole string.
break;
}
// Uh oh, LoadStringW filled the buffer entirely which could mean the
// string was truncated. Try again with a larger buffer to be sure it
// wasn't.
LocalFree(wszBuf);
cchBuf += 256;
}
return(wszBuf);
}
/*
Following functions are required around the
messy CONN_PROP structure to support v1/v0 etc.
This is really bad.
All the functions assume that version 1.0 format
is passed in.
*/
EAPTLS_CONN_PROPERTIES_V1_EXTRA UNALIGNED * ConnPropGetExtraPointer (EAPTLS_CONN_PROPERTIES * pConnProp)
{
return (EAPTLS_CONN_PROPERTIES_V1_EXTRA UNALIGNED *)
( pConnProp->awszServerName + wcslen(pConnProp->awszServerName) + 1);
}
DWORD ConnPropGetNumHashes(EAPTLS_CONN_PROPERTIES * pConnProp )
{
EAPTLS_CONN_PROPERTIES_V1_EXTRA UNALIGNED * pExtra = ConnPropGetExtraPointer(pConnProp);
return pExtra->dwNumHashes;
}
void ConnPropSetNumHashes(EAPTLS_CONN_PROPERTIES * pConnProp, DWORD dwNumHashes )
{
EAPTLS_CONN_PROPERTIES_V1_EXTRA UNALIGNED * pExtra = ConnPropGetExtraPointer(pConnProp);
pExtra->dwNumHashes = dwNumHashes;
return;
}
DWORD ConnPropGetV1Struct ( EAPTLS_CONN_PROPERTIES * pConnProp, EAPTLS_CONN_PROPERTIES_V1 ** ppConnPropv1 )
{
DWORD dwRetCode = NO_ERROR;
EAPTLS_CONN_PROPERTIES_V1 * pConnPropv1 = NULL;
EAPTLS_CONN_PROPERTIES_V1_EXTRA UNALIGNED * pExtra = ConnPropGetExtraPointer(pConnProp);
//
//This function assumes that the struct that comes in is at
//version 1. Which means at least sizeof(EAPTLS_CONN_PROPERTIES) +
//EAPTLS_CONN_PROPERTIES_V1_EXTRA in size.
//
//
//First get the amount of memory required to be allocated
//
pConnPropv1 = LocalAlloc ( LPTR,
sizeof( EAPTLS_CONN_PROPERTIES_V1 ) + //sizeof the basic struct
pExtra->dwNumHashes * sizeof( EAPTLS_HASH ) + //num hashes
wcslen( pConnProp->awszServerName ) * sizeof(WCHAR) + sizeof(WCHAR)//sizeof the string
);
if ( NULL == pConnPropv1 )
{
dwRetCode = GetLastError();
goto LDone;
}
//
//Convert the structure
//
if ( pConnProp->dwVersion <= 1 )
pConnPropv1->dwVersion = 1;
else
pConnPropv1->dwVersion = 2;
pConnPropv1->dwSize = sizeof( EAPTLS_CONN_PROPERTIES_V1 ) +
pExtra->dwNumHashes * sizeof( EAPTLS_HASH ) +
wcslen( pConnProp->awszServerName ) * sizeof(WCHAR) + sizeof(WCHAR);
pConnPropv1->fFlags = pConnProp->fFlags;
pConnPropv1->dwNumHashes = pExtra->dwNumHashes;
if ( pExtra->dwNumHashes )
{
CopyMemory( pConnPropv1->bData, &(pConnProp->Hash), sizeof(EAPTLS_HASH) );
if ( pExtra->dwNumHashes >1 )
{
CopyMemory ( pConnPropv1->bData + sizeof(EAPTLS_HASH),
pExtra->bData,
(pExtra->dwNumHashes -1 ) * sizeof(EAPTLS_HASH)
);
}
}
//Copy the server name
wcscpy( (WCHAR *)( pConnPropv1->bData + (pExtra->dwNumHashes * sizeof(EAPTLS_HASH) ) ),
pConnProp->awszServerName
);
*ppConnPropv1 = pConnPropv1;
pConnPropv1 = NULL;
LDone:
LocalFree(pConnPropv1);
return dwRetCode;
}
DWORD ConnPropGetV0Struct ( EAPTLS_CONN_PROPERTIES_V1 * pConnPropv1, EAPTLS_CONN_PROPERTIES ** ppConnProp )
{
DWORD dwRetCode = NO_ERROR;
EAPTLS_CONN_PROPERTIES * pConnProp = NULL;
DWORD dwSize = 0;
EAPTLS_CONN_PROPERTIES_V1_EXTRA UNALIGNED * pExtrav1 = NULL;
//
//First calulate the amount of memory to allocate
//
dwSize = sizeof(EAPTLS_CONN_PROPERTIES) +
(pConnPropv1->dwNumHashes?( pConnPropv1->dwNumHashes - 1 ) * sizeof(EAPTLS_HASH):0) +
( wcslen( (LPWSTR) (pConnPropv1->bData + (pConnPropv1->dwNumHashes * sizeof(EAPTLS_HASH)) ) ) * sizeof(WCHAR) ) + sizeof(WCHAR);
pConnProp = LocalAlloc ( LPTR, dwSize );
if ( NULL == pConnProp )
{
dwRetCode = GetLastError();
goto LDone;
}
if ( pConnPropv1->dwVersion <= 1 )
pConnProp->dwVersion = 1;
else
pConnProp->dwVersion = 2;
pConnProp->dwSize = dwSize;
pConnProp->fFlags = pConnPropv1->fFlags;
if ( pConnPropv1->dwNumHashes > 0 )
{
CopyMemory( &(pConnProp->Hash), pConnPropv1->bData, sizeof(EAPTLS_HASH));
}
if ( pConnPropv1->bData )
{
wcscpy ( pConnProp->awszServerName,
(LPWSTR )(pConnPropv1->bData + sizeof( EAPTLS_HASH ) * pConnPropv1->dwNumHashes)
);
}
pExtrav1 = (EAPTLS_CONN_PROPERTIES_V1_EXTRA UNALIGNED *)(pConnProp->awszServerName +
wcslen( pConnProp->awszServerName) + 1);
pExtrav1->dwNumHashes = pConnPropv1->dwNumHashes;
if ( pExtrav1->dwNumHashes > 1 )
{
CopyMemory( pExtrav1->bData,
pConnPropv1->bData + sizeof(EAPTLS_HASH),
( pConnPropv1->dwNumHashes - 1 ) * sizeof(EAPTLS_HASH)
);
}
*ppConnProp = pConnProp;
pConnProp = NULL;
LDone:
LocalFree(pConnProp);
return dwRetCode;
}
void ShowCertDetails ( HWND hWnd, HCERTSTORE hStore, PCCERT_CONTEXT pCertContext)
{
CRYPTUI_VIEWCERTIFICATE_STRUCT vcs;
BOOL fPropertiesChanged = FALSE;
ZeroMemory (&vcs, sizeof (vcs));
vcs.dwSize = sizeof (vcs);
vcs.hwndParent = hWnd;
vcs.pCertContext = pCertContext;
vcs.cStores = 1;
vcs.rghStores = &hStore;
vcs.dwFlags |= (CRYPTUI_DISABLE_EDITPROPERTIES|CRYPTUI_DISABLE_ADDTOSTORE);
CryptUIDlgViewCertificate (&vcs, &fPropertiesChanged);
return;
}
#if 0
// Location of policy parameters
#define cwszEAPOLPolicyParams L"Software\\Policies\\Microsoft\\Windows\\Network Connections\\8021X"
#define cszCARootHash "8021XCARootHash"
#define SIZE_OF_CA_CONV_STR 3
#define SIZE_OF_HASH 20
//
// ReadGPCARootHashes
//
// Description:
//
// Function to read parameters created by policy downloads
// Currently, 8021XCARootHash will be downloaded to the HKLM
//
// Arguments:
// pdwSizeOfRootHashBlob - Size of hash blob in bytes. Each root CA hash
// will be of SIZE_OF_HASH bytes
// ppbRootHashBlob - Pointer to hash blob. Caller should free it using
// LocalFree
//
// Return values:
// ERROR_SUCCESS - success
// !ERROR_SUCCESS - error
//
DWORD
ReadGPCARootHashes(
DWORD *pdwSizeOfRootHashBlob,
PBYTE *ppbRootHashBlob
)
{
HKEY hKey = NULL;
DWORD dwType = 0;
DWORD dwSize = 0;
CHAR *pszCARootHash = NULL;
DWORD i = 0;
CHAR cszCharConv[SIZE_OF_CA_CONV_STR];
BYTE *pbRootHashBlob = NULL;
DWORD dwSizeOfHashBlob = 0;
LONG lError = ERROR_SUCCESS;
lError = RegOpenKeyEx(
HKEY_LOCAL_MACHINE,
cwszEAPOLPolicyParams,
0,
KEY_READ,
&hKey
);
if (lError != ERROR_SUCCESS)
{
EapTlsTrace("ReadCARootHashes: RegOpenKeyEx failed with error %ld",
lError);
goto LDone;
}
lError = RegQueryValueExA(
hKey,
cszCARootHash,
0,
&dwType,
NULL,
&dwSize
);
if (lError == ERROR_SUCCESS)
{
// Each SHA1 hash will be 2*SIZE_OF_HASH chars
// Each BYTE in the hash will be represented by 2 CHARs,
// 1 for each nibble
// The hashblob should contain an integral number of hashes
if ((dwSize-1*sizeof(CHAR))%(2*SIZE_OF_HASH*sizeof(CHAR)))
{
EapTlsTrace("ReadCARootHashes: Invalid hash length (%ld)",
dwSize);
goto LDone;
}
pszCARootHash = (CHAR *)LocalAlloc(LPTR, dwSize);
if (pszCARootHash == NULL)
{
lError = GetLastError();
EapTlsTrace("ReadCARootHashes: LocalAlloc failed for pwszCARootHash");
goto LDone;
}
lError = RegQueryValueExA(
hKey,
cszCARootHash,
0,
&dwType,
(BYTE *)pszCARootHash,
&dwSize
);
if (lError != ERROR_SUCCESS)
{
EapTlsTrace("ReadCARootHashes: RegQueryValueEx 2 failed with error (%ld)",
lError);
goto LDone;
}
dwSizeOfHashBlob = (dwSize-1*sizeof(CHAR))/(2*sizeof(CHAR));
if ((pbRootHashBlob = LocalAlloc ( LPTR, dwSizeOfHashBlob*sizeof(BYTE))) == NULL)
{
lError = GetLastError();
EapTlsTrace("ReadCARootHashes: LocalAlloc failed for pbRootHashBlob");
goto LDone;
}
for (i=0; i<dwSizeOfHashBlob; i++)
{
ZeroMemory(cszCharConv, SIZE_OF_CA_CONV_STR);
cszCharConv[0]=pszCARootHash[2*i];
cszCharConv[1]=pszCARootHash[2*i+1];
pbRootHashBlob[i] = (BYTE)strtol(cszCharConv, NULL, 16);
}
}
else
{
EapTlsTrace("ReadCARootHashes: 802.1X Policy Parameters RegQueryValueEx 1 failed with error (%ld)",
lError);
goto LDone;
}
LDone:
if (lError != ERROR_SUCCESS)
{
if (pbRootHashBlob != NULL)
{
LocalFree(pbRootHashBlob);
}
}
else
{
*ppbRootHashBlob = pbRootHashBlob;
*pdwSizeOfRootHashBlob = dwSizeOfHashBlob;
}
if (hKey != NULL)
{
RegCloseKey(hKey);
}
if (pszCARootHash != NULL)
{
LocalFree(pszCARootHash);
}
return lError;
}
#endif
/////////////////////// ALL PEAP related utils go here ///////////////////////////
DWORD
PeapGetFirstEntryUserProp ( PPEAP_USER_PROP pUserProp,
PEAP_ENTRY_USER_PROPERTIES UNALIGNED ** ppEntryProp
)
{
* ppEntryProp = &( pUserProp->UserProperties );
return NO_ERROR;
}
DWORD
PeapGetFirstEntryConnProp ( PPEAP_CONN_PROP pConnProp,
PEAP_ENTRY_CONN_PROPERTIES UNALIGNED ** ppEntryProp
)
{
DWORD dwRetCode = NO_ERROR;
PEAP_ENTRY_CONN_PROPERTIES UNALIGNED *pFirstEntryConnProp = NULL;
LPWSTR lpwszServerName;
RTASSERT ( NULL != pConnProp );
RTASSERT ( NULL != ppEntryProp );
lpwszServerName =
(LPWSTR )(pConnProp->EapTlsConnProp.bData +
sizeof( EAPTLS_HASH ) * pConnProp->EapTlsConnProp.dwNumHashes);
//Get the first entry in connprop
pFirstEntryConnProp = ( PEAP_ENTRY_CONN_PROPERTIES UNALIGNED *)
( pConnProp->EapTlsConnProp.bData
+ pConnProp->EapTlsConnProp.dwNumHashes * sizeof(EAPTLS_HASH) +
(lpwszServerName? wcslen(lpwszServerName) * sizeof(WCHAR):0) +
sizeof(WCHAR)
);
if (NULL == pFirstEntryConnProp )
{
dwRetCode = ERROR_NOT_FOUND;
goto LDone;
}
*ppEntryProp = pFirstEntryConnProp;
LDone:
return dwRetCode;
}
DWORD
PeapReadConnectionData(
IN BOOL fWireless,
IN BYTE* pConnectionDataIn,
IN DWORD dwSizeOfConnectionDataIn,
OUT PPEAP_CONN_PROP* ppConnProp
)
{
DWORD dwRetCode = NO_ERROR;
PPEAP_CONN_PROP pConnProp = NULL;
PEAP_ENTRY_CONN_PROPERTIES UNALIGNED * pEntryProp = NULL;
EapTlsTrace("PeapReadConnectionData");
RTASSERT(NULL != ppConnProp);
if ( dwSizeOfConnectionDataIn < sizeof(PEAP_CONN_PROP) )
{
pConnProp = LocalAlloc(LPTR, sizeof(PEAP_CONN_PROP) + sizeof(PEAP_ENTRY_CONN_PROPERTIES)+ sizeof(WCHAR));
if (NULL == pConnProp)
{
dwRetCode = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwRetCode);
goto LDone;
}
//This is a new structure
pConnProp->dwVersion = 1;
pConnProp->dwSize = sizeof(PEAP_CONN_PROP) + sizeof(PEAP_ENTRY_CONN_PROPERTIES);
pConnProp->EapTlsConnProp.dwVersion = 1;
pConnProp->EapTlsConnProp.dwSize = sizeof(EAPTLS_CONN_PROPERTIES_V1);
pConnProp->EapTlsConnProp.fFlags |= EAPTLS_CONN_FLAG_REGISTRY;
pConnProp->EapTlsConnProp.fFlags |= EAPTLS_CONN_FLAG_SIMPLE_CERT_SEL;
pConnProp->dwNumPeapTypes = 1;
//pEntryProp = (PPEAP_ENTRY_CONN_PROPERTIES)(((PBYTE)(pConnProp)) + sizeof(PEAP_CONN_PROP) + sizeof(WCHAR));
pEntryProp = ( PEAP_ENTRY_CONN_PROPERTIES UNALIGNED *)
( pConnProp->EapTlsConnProp.bData
+ pConnProp->EapTlsConnProp.dwNumHashes * sizeof(EAPTLS_HASH) +
sizeof(WCHAR)
);
//
// Also setup the first peap entry conn prop and set it to
// eapmschapv2
//
if ( fWireless )
{
pConnProp->EapTlsConnProp.fFlags |= EAPTLS_CONN_FLAG_NO_VALIDATE_NAME;
}
pEntryProp->dwVersion = 1;
pEntryProp->dwSize = sizeof(PEAP_ENTRY_CONN_PROPERTIES);
pEntryProp->dwEapTypeId = PPP_EAP_MSCHAPv2;
}
else
{
RTASSERT(NULL != pConnectionDataIn);
//
//Check to see if this is a version 0 structure
//If it is a version 0 structure then we migrate it to version1
//
pConnProp = LocalAlloc(LPTR, dwSizeOfConnectionDataIn);
if (NULL == pConnProp)
{
dwRetCode = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwRetCode);
goto LDone;
}
// If the user has mucked with the phonebook, we mustn't be affected.
// The size must be correct.
CopyMemory(pConnProp, pConnectionDataIn, dwSizeOfConnectionDataIn);
pConnProp->dwSize = dwSizeOfConnectionDataIn;
pConnProp->EapTlsConnProp.fFlags |= EAPTLS_CONN_FLAG_REGISTRY;
}
*ppConnProp = pConnProp;
pConnProp = NULL;
LDone:
LocalFree(pConnProp);
return dwRetCode;
}
DWORD
PeapReDoUserData (
IN DWORD dwNewTypeId,
OUT PPEAP_USER_PROP* ppNewUserProp
)
{
DWORD dwRetCode = NO_ERROR;
PPEAP_USER_PROP pUserProp = NULL;
EapTlsTrace("PeapReDoUserData");
pUserProp = LocalAlloc(LPTR, sizeof(PEAP_USER_PROP));
if (NULL == pUserProp)
{
dwRetCode = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwRetCode);
goto LDone;
}
pUserProp->dwVersion = 1;
pUserProp->dwSize = sizeof(PEAP_USER_PROP);
//
// Setup the default user prop...
//
pUserProp->UserProperties.dwVersion = 1;
pUserProp->UserProperties.dwSize = sizeof(PEAP_ENTRY_USER_PROPERTIES);
pUserProp->UserProperties.dwEapTypeId = dwNewTypeId;
*ppNewUserProp = pUserProp;
LDone:
return dwRetCode;
}
DWORD
PeapReadUserData(
IN BYTE* pUserDataIn,
IN DWORD dwSizeOfUserDataIn,
OUT PPEAP_USER_PROP* ppUserProp
)
{
DWORD dwErr = NO_ERROR;
PPEAP_USER_PROP pUserProp;
EapTlsTrace("PeapReadUserData");
if (dwSizeOfUserDataIn < sizeof(PEAP_USER_PROP))
{
pUserProp = LocalAlloc(LPTR, sizeof(PEAP_USER_PROP));
if (NULL == pUserProp)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
pUserProp->dwVersion = 1;
pUserProp->dwSize = sizeof(PEAP_USER_PROP);
//
// Setup the default user prop...
//
pUserProp->UserProperties.dwVersion = 1;
pUserProp->UserProperties.dwSize = sizeof(PEAP_ENTRY_USER_PROPERTIES);
pUserProp->UserProperties.dwEapTypeId = PPP_EAP_MSCHAPv2;
}
else
{
RTASSERT(NULL != pUserDataIn);
pUserProp = LocalAlloc(LPTR, dwSizeOfUserDataIn);
if (NULL == pUserProp)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
CopyMemory(pUserProp, pUserDataIn, dwSizeOfUserDataIn);
pUserProp->dwVersion = 1;
pUserProp->dwSize = dwSizeOfUserDataIn;
}
*ppUserProp = pUserProp;
pUserProp = NULL;
LDone:
LocalFree(pUserProp);
return dwErr;
}
//
// Add node at the head
//
DWORD
PeapEapInfoAddListNode (PPEAP_EAP_INFO * ppEapInfo)
{
PPEAP_EAP_INFO pEapInfo = NULL;
DWORD dwRetCode = NO_ERROR;
pEapInfo = (PPEAP_EAP_INFO)LocalAlloc(LPTR, sizeof(PEAP_EAP_INFO));
if ( NULL == pEapInfo )
{
dwRetCode = ERROR_OUTOFMEMORY;
goto LDone;
}
if ( NULL == *ppEapInfo )
{
*ppEapInfo = pEapInfo;
}
else
{
pEapInfo->pNext = *ppEapInfo;
*ppEapInfo = pEapInfo;
}
LDone:
return dwRetCode;
}
DWORD
PeapEapInfoCopyListNode ( DWORD dwTypeId,
PPEAP_EAP_INFO pEapInfoList,
PPEAP_EAP_INFO * ppEapInfo )
{
DWORD dwRetCode = ERROR_NOT_FOUND;
PPEAP_EAP_INFO pEapInfoListInternal = pEapInfoList;
while ( pEapInfoListInternal )
{
if ( pEapInfoListInternal->dwTypeId == dwTypeId )
{
*ppEapInfo = LocalAlloc( LPTR, sizeof(PEAP_EAP_INFO) );
if ( NULL == *ppEapInfo )
{
dwRetCode = ERROR_OUTOFMEMORY;
goto LDone;
}
CopyMemory ( *ppEapInfo, pEapInfoListInternal, sizeof(PEAP_EAP_INFO) );
dwRetCode = NO_ERROR;
goto LDone;
}
pEapInfoListInternal = pEapInfoListInternal->pNext;
}
LDone:
return dwRetCode;
}
DWORD
PeapEapInfoFindListNode ( DWORD dwTypeId,
PPEAP_EAP_INFO pEapInfoList,
PPEAP_EAP_INFO * ppEapInfo )
{
DWORD dwRetCode = ERROR_NOT_FOUND;
PPEAP_EAP_INFO pEapInfoListInternal = pEapInfoList;
while ( pEapInfoListInternal )
{
if ( pEapInfoListInternal->dwTypeId == dwTypeId )
{
*ppEapInfo = pEapInfoListInternal;
dwRetCode = NO_ERROR;
goto LDone;
}
pEapInfoListInternal = pEapInfoListInternal->pNext;
}
LDone:
return dwRetCode;
}
VOID
PeapEapInfoFreeNodeData ( PPEAP_EAP_INFO pEapInfo )
{
LocalFree ( pEapInfo->lpwszFriendlyName );
LocalFree ( pEapInfo->lpwszConfigUIPath );
LocalFree ( pEapInfo->lpwszIdentityUIPath );
LocalFree ( pEapInfo->lpwszConfigClsId );
LocalFree ( pEapInfo->pbNewClientConfig );
LocalFree ( pEapInfo->lpwszInteractiveUIPath );
LocalFree ( pEapInfo->lpwszPath);
if ( pEapInfo->hEAPModule )
{
FreeLibrary(pEapInfo->hEAPModule);
}
}
VOID
PeapEapInfoRemoveHeadNode(PPEAP_EAP_INFO * ppEapInfo)
{
PPEAP_EAP_INFO pEapInfo = *ppEapInfo;
if ( pEapInfo )
{
*ppEapInfo = pEapInfo->pNext;
PeapEapInfoFreeNodeData(pEapInfo);
LocalFree ( pEapInfo );
}
}
VOID
PeapEapInfoFreeList ( PPEAP_EAP_INFO pEapInfo )
{
PPEAP_EAP_INFO pNext;
while ( pEapInfo )
{
pNext = pEapInfo->pNext;
PeapEapInfoFreeNodeData(pEapInfo);
LocalFree ( pEapInfo );
pEapInfo = pNext;
}
}
DWORD
PeapEapInfoReadSZ (HKEY hkeyPeapType,
LPWSTR pwszValue,
LPWSTR * ppValueData )
{
DWORD dwRetCode = NO_ERROR;
DWORD dwType = 0;
DWORD cbValueDataSize =0;
PBYTE pbValue = NULL;
dwRetCode = RegQueryValueEx(
hkeyPeapType,
pwszValue,
NULL,
&dwType,
pbValue,
&cbValueDataSize );
if ( dwRetCode != NO_ERROR )
{
goto LDone;
}
pbValue = (PBYTE)LocalAlloc ( LPTR, cbValueDataSize );
if ( NULL == pbValue )
{
dwRetCode = ERROR_OUTOFMEMORY;
goto LDone;
}
dwRetCode = RegQueryValueEx(
hkeyPeapType,
pwszValue,
NULL,
&dwType,
pbValue,
&cbValueDataSize );
if ( dwRetCode != NO_ERROR )
{
goto LDone;
}
*ppValueData = (LPWSTR)pbValue;
pbValue = NULL;
LDone:
LocalFree ( pbValue );
return dwRetCode;
}
DWORD
PeapEapInfoExpandSZ (HKEY hkeyPeapType,
LPWSTR pwszValue,
LPWSTR * ppValueData )
{
DWORD dwRetCode = NO_ERROR;
DWORD dwType = 0;
DWORD cbValueDataSize =0;
PBYTE pbValue = NULL;
PBYTE pbExpandedValue = NULL;
dwRetCode = RegQueryValueEx(
hkeyPeapType,
pwszValue,
NULL,
&dwType,
pbValue,
&cbValueDataSize );
if ( dwRetCode != NO_ERROR )
{
goto LDone;
}
pbValue = (PBYTE)LocalAlloc ( LPTR, cbValueDataSize );
if ( NULL == pbValue )
{
dwRetCode = ERROR_OUTOFMEMORY;
goto LDone;
}
dwRetCode = RegQueryValueEx(
hkeyPeapType,
pwszValue,
NULL,
&dwType,
pbValue,
&cbValueDataSize );
if ( dwRetCode != NO_ERROR )
{
goto LDone;
}
//now Expand the exvironment string
cbValueDataSize = ExpandEnvironmentStrings( (LPWSTR)pbValue, NULL, 0 );
pbExpandedValue = (PBYTE)LocalAlloc ( LPTR, cbValueDataSize * sizeof(WCHAR) );
if ( NULL == pbExpandedValue )
{
dwRetCode = ERROR_OUTOFMEMORY;
goto LDone;
}
cbValueDataSize = ExpandEnvironmentStrings( (LPWSTR)pbValue,
(LPWSTR)pbExpandedValue, sizeof(WCHAR) * cbValueDataSize );
if ( cbValueDataSize == 0 )
{
dwRetCode = GetLastError();
goto LDone;
}
*ppValueData = (LPWSTR)pbExpandedValue;
pbExpandedValue = NULL;
LDone:
LocalFree ( pbValue );
LocalFree ( pbExpandedValue );
return dwRetCode;
}
BOOL
IsPeapCrippled(HKEY hKeyLM)
{
BOOL fRetCode = FALSE;
DWORD dwRetCode = NO_ERROR;
HKEY hCripple = 0;
DWORD dwValue = 0;
DWORD dwType = 0;
DWORD cbValueDataSize = sizeof(DWORD);
dwRetCode = RegOpenKeyEx( hKeyLM,
PEAP_KEY_PEAP,
0,
KEY_READ,
&hCripple
);
if (NO_ERROR != dwRetCode)
{
goto LDone;
}
dwRetCode = RegQueryValueEx(
hCripple,
PEAP_CRIPPLE_VALUE,
NULL,
&dwType,
(PBYTE)&dwValue,
&cbValueDataSize );
if ( dwRetCode != NO_ERROR )
{
goto LDone;
}
if ( dwValue != 0 )
{
fRetCode = TRUE;
}
LDone:
if ( hCripple )
RegCloseKey ( hCripple );
return fRetCode;
}
//
// Get a list of all EAP types configured for PEAP.
//
DWORD
PeapEapInfoGetList ( LPWSTR lpwszMachineName, PPEAP_EAP_INFO * ppEapInfo)
{
DWORD dwRetCode = NO_ERROR;
HKEY hKeyLM =0;
HKEY hKeyPeap = 0;
HKEY hkeyPeapType = 0;
DWORD dwIndex;
DWORD cb;
WCHAR wszPeapType[200];
DWORD dwEapTypeId = 0;
FARPROC pRasEapGetInfo;
dwRetCode = RegConnectRegistry ( lpwszMachineName,
HKEY_LOCAL_MACHINE,
&hKeyLM
);
if ( NO_ERROR != dwRetCode )
{
goto LDone;
}
dwRetCode = RegOpenKeyEx( hKeyLM,
PEAP_KEY_EAP,
0,
KEY_READ,
&hKeyPeap
);
if (NO_ERROR != dwRetCode)
{
goto LDone;
}
for (dwIndex = 0; TRUE; ++dwIndex)
{
cb = sizeof(wszPeapType) / sizeof(WCHAR);
dwRetCode = RegEnumKeyEx( hKeyPeap,
dwIndex,
wszPeapType,
&cb,
NULL,
NULL,
NULL,
NULL
);
if (dwRetCode != NO_ERROR)
{
// Includes "out of items", the normal loop termination.
//
dwRetCode = NO_ERROR;
break;
}
dwRetCode = RegOpenKeyEx( hKeyPeap,
wszPeapType,
0,
KEY_READ,
&hkeyPeapType
);
if (dwRetCode != NO_ERROR)
{
dwRetCode = NO_ERROR;
continue;
}
dwEapTypeId = _wtol(wszPeapType);
if ( dwEapTypeId == PPP_EAP_PEAP )
{
dwRetCode = NO_ERROR;
continue;
}
{
//
// Check to see if we support this in peap
// By default we do.
DWORD dwRolesSupported = 0;
DWORD cbValueSize = sizeof(dwRolesSupported);
DWORD dwType = 0;
dwRetCode = RegQueryValueEx(
hkeyPeapType,
PEAP_REGVAL_ROLESSUPPORTED,
NULL,
&dwType,
(PBYTE)&dwRolesSupported,
&cbValueSize );
if ( dwRetCode == NO_ERROR )
{
//
// We dont allow this method in PEAP.
//
if ( RAS_EAP_ROLE_EXCLUDE_IN_PEAP & dwRolesSupported )
{
continue;
}
}
}
//
// Read the required information and setup the node here
//
dwRetCode = PeapEapInfoAddListNode (ppEapInfo);
if ( NO_ERROR != dwRetCode )
{
goto LDone;
}
//
// Setup the list node - if any of these entries are not
// found skip the entry
//
(*ppEapInfo)->dwTypeId = dwEapTypeId;
dwRetCode = PeapEapInfoReadSZ ( hkeyPeapType,
PEAP_REGVAL_FRIENDLYNAME,
&((*ppEapInfo)->lpwszFriendlyName )
);
if ( NO_ERROR != dwRetCode )
{
if ( ERROR_FILE_NOT_FOUND == dwRetCode )
{
PeapEapInfoRemoveHeadNode(ppEapInfo);
dwRetCode = NO_ERROR;
continue;
}
goto LDone;
}
dwRetCode = PeapEapInfoExpandSZ ( hkeyPeapType,
PEAP_REGVAL_CONFIGDLL,
&((*ppEapInfo)->lpwszConfigUIPath )
);
if ( NO_ERROR != dwRetCode )
{
if ( ERROR_FILE_NOT_FOUND == dwRetCode )
{
// it is fine to have no config stuff any more.
// We show the default identity
dwRetCode = NO_ERROR;
}
else
{
goto LDone;
}
}
dwRetCode = PeapEapInfoExpandSZ ( hkeyPeapType,
PEAP_REGVAL_IDENTITYDLL,
&((*ppEapInfo)->lpwszIdentityUIPath )
);
if ( NO_ERROR != dwRetCode )
{
if ( ERROR_FILE_NOT_FOUND == dwRetCode )
{
//
// It is fine if we dont have any identity UI. Peap
// will provide a default identity UI
//
dwRetCode = NO_ERROR;
}
else
{
goto LDone;
}
}
dwRetCode = PeapEapInfoExpandSZ ( hkeyPeapType,
PEAP_REGVAL_INTERACTIVEUIDLL,
&((*ppEapInfo)->lpwszInteractiveUIPath )
);
if ( NO_ERROR != dwRetCode )
{
if ( ERROR_FILE_NOT_FOUND == dwRetCode )
{
//It is fine if we dont have interactive UI
//
dwRetCode = NO_ERROR;
}
else
{
goto LDone;
}
}
dwRetCode = PeapEapInfoReadSZ ( hkeyPeapType,
PEAP_REGVAL_CONFIGCLSID,
&((*ppEapInfo)->lpwszConfigClsId )
);
if ( NO_ERROR != dwRetCode )
{
if ( ERROR_FILE_NOT_FOUND == dwRetCode )
{
//
// Missing config clsid is also fine
dwRetCode = NO_ERROR;
}
else
{
goto LDone;
}
}
dwRetCode = PeapEapInfoExpandSZ ( hkeyPeapType,
PEAP_REGVAL_PATH,
&((*ppEapInfo)->lpwszPath )
);
if ( NO_ERROR != dwRetCode )
{
//
// This is not acceptable. So this is a problem.
//
if ( ERROR_FILE_NOT_FOUND == dwRetCode )
{
PeapEapInfoRemoveHeadNode(ppEapInfo);
dwRetCode = NO_ERROR;
continue;
}
goto LDone;
}
//
// Now get the EAP INFO from the DLL.
//
(*ppEapInfo)->hEAPModule = LoadLibrary( ( (*ppEapInfo)->lpwszPath ) );
if ( NULL == (*ppEapInfo)->hEAPModule )
{
dwRetCode = GetLastError();
goto LDone;
}
pRasEapGetInfo = GetProcAddress( (*ppEapInfo)->hEAPModule ,
"RasEapGetInfo"
);
if ( pRasEapGetInfo == (FARPROC)NULL )
{
dwRetCode = GetLastError();
goto LDone;
}
(*ppEapInfo)->RasEapGetCredentials = (DWORD (*) (
DWORD,VOID *, VOID **))
GetProcAddress((*ppEapInfo)->hEAPModule,
"RasEapGetCredentials");
(*ppEapInfo)->PppEapInfo.dwSizeInBytes = sizeof( PPP_EAP_INFO );
dwRetCode = (DWORD) (*pRasEapGetInfo)( dwEapTypeId,
&((*ppEapInfo)->PppEapInfo) );
if ( dwRetCode != NO_ERROR )
{
goto LDone;
}
//
// Call initialize function here
//
if ( (*ppEapInfo)->PppEapInfo.RasEapInitialize )
{
(*ppEapInfo)->PppEapInfo.RasEapInitialize(TRUE);
}
RegCloseKey(hkeyPeapType);
hkeyPeapType = 0;
}
LDone:
if ( hkeyPeapType )
RegCloseKey(hkeyPeapType);
if ( hKeyPeap )
RegCloseKey(hKeyPeap);
if ( hKeyLM )
RegCloseKey(hKeyLM);
if ( NO_ERROR != dwRetCode )
{
PeapEapInfoFreeList( *ppEapInfo );
}
return dwRetCode;
}
DWORD
PeapEapInfoSetConnData ( PPEAP_EAP_INFO pEapInfo, PPEAP_CONN_PROP pPeapConnProp )
{
DWORD dwRetCode = NO_ERROR;
PEAP_ENTRY_CONN_PROPERTIES UNALIGNED *pEntryProp = NULL;
PPEAP_EAP_INFO pEapInfoLocal;
DWORD dwCount;
RTASSERT(NULL != pPeapConnProp);
RTASSERT(NULL != pEapInfo);
if ( !pPeapConnProp->dwNumPeapTypes )
{
goto LDone;
}
//
// Right now there is only one EAP Type in the list
// So it should not be a problem with this stuff now
pEntryProp = ( PEAP_ENTRY_CONN_PROPERTIES*)
( pPeapConnProp->EapTlsConnProp.bData
+ pPeapConnProp->EapTlsConnProp.dwNumHashes * sizeof(EAPTLS_HASH) +
sizeof(WCHAR)
);
pEapInfoLocal = pEapInfo;
while( pEapInfoLocal )
{
if ( pEapInfoLocal->dwTypeId == pEntryProp->dwEapTypeId )
{
if ( pEntryProp->dwSize > sizeof(PEAP_ENTRY_CONN_PROPERTIES))
{
pEapInfoLocal->pbClientConfigOrig = pEntryProp->bData;
pEapInfoLocal->dwClientConfigOrigSize = pEntryProp->dwSize -
sizeof(PEAP_ENTRY_CONN_PROPERTIES) + 1;
}
else
{
pEapInfoLocal->pbClientConfigOrig = NULL;
pEapInfoLocal->dwClientConfigOrigSize = 0;
}
break;
}
pEapInfoLocal = pEapInfoLocal->pNext;
}
#if 0
for ( dwCount = 0; dwCount < pPeapConnProp->dwNumPeapTypes; dwCount ++ )
{
pEntryProp = (PEAP_ENTRY_CONN_PROPERTIES UNALIGNED * )(((BYTE UNALIGNED *)&(pPeapConnProp->EapTlsConnProp)) +
pPeapConnProp->EapTlsConnProp.dwSize +
sizeof(PEAP_ENTRY_CONN_PROPERTIES) * dwCount);
pEapInfoLocal = pEapInfo;
while( pEapInfoLocal )
{
if ( pEapInfoLocal->dwTypeId == pEntryProp->dwEapTypeId )
{
if ( pEntryProp->dwSize > sizeof(PEAP_ENTRY_CONN_PROPERTIES))
{
pEapInfoLocal->pbClientConfigOrig = pEntryProp->bData;
pEapInfoLocal->dwClientConfigOrigSize = pEntryProp->dwSize -
sizeof(PEAP_ENTRY_CONN_PROPERTIES) + 1;
}
else
{
pEapInfoLocal->pbClientConfigOrig = NULL;
pEapInfoLocal->dwClientConfigOrigSize = 0;
}
break;
}
pEapInfoLocal = pEapInfoLocal->pNext;
}
}
#endif
LDone:
return dwRetCode;
}
DWORD PeapEapInfoInvokeIdentityUI ( HWND hWndParent,
PPEAP_EAP_INFO pEapInfo,
const WCHAR * pwszPhoneBook,
const WCHAR * pwszEntry,
PBYTE pbUserDataIn, // Got when using Winlogon
DWORD cbUserDataIn, // Got when using Winlogon
WCHAR** ppwszIdentityOut,
DWORD fFlags)
{
DWORD dwRetCode = NO_ERROR;
PBYTE pbUserDataNew = NULL;
DWORD dwSizeOfUserDataNew = 0;
RASEAPGETIDENTITY pIdenFunc = NULL;
RASEAPFREE pFreeFunc = NULL;
RTASSERT ( NULL != pEapInfo );
RTASSERT ( NULL != pEapInfo->lpwszIdentityUIPath );
pIdenFunc = (RASEAPGETIDENTITY)
GetProcAddress(pEapInfo->hEAPModule, "RasEapGetIdentity");
if ( pIdenFunc == NULL)
{
dwRetCode = GetLastError();
goto LDone;
}
pFreeFunc = (RASEAPFREE) GetProcAddress(pEapInfo->hEAPModule, "RasEapFreeMemory");
if ( pFreeFunc == NULL )
{
dwRetCode = GetLastError();
goto LDone;
}
dwRetCode = pIdenFunc ( pEapInfo->dwTypeId,
hWndParent,
fFlags,
pwszPhoneBook,
pwszEntry,
pEapInfo->pbClientConfigOrig,
pEapInfo->dwClientConfigOrigSize,
( fFlags & RAS_EAP_FLAG_LOGON ?
pbUserDataIn:
pEapInfo->pbUserConfigOrig
),
( fFlags & RAS_EAP_FLAG_LOGON ?
cbUserDataIn:
pEapInfo->dwUserConfigOrigSize
),
&pbUserDataNew,
&dwSizeOfUserDataNew,
ppwszIdentityOut
);
if ( NO_ERROR != dwRetCode )
{
goto LDone;
}
if ( pbUserDataNew &&
dwSizeOfUserDataNew
)
{
//
// we have new user data
//
pEapInfo->pbUserConfigNew = (PBYTE)LocalAlloc (LPTR, dwSizeOfUserDataNew );
if ( NULL == pEapInfo->pbUserConfigNew )
{
dwRetCode = ERROR_OUTOFMEMORY;
goto LDone;
}
CopyMemory ( pEapInfo->pbUserConfigNew,
pbUserDataNew,
dwSizeOfUserDataNew
);
pEapInfo->dwNewUserConfigSize = dwSizeOfUserDataNew;
}
LDone:
pFreeFunc( pbUserDataNew );
return dwRetCode;
}
DWORD PeapEapInfoInvokeClientConfigUI ( HWND hWndParent,
PPEAP_EAP_INFO pEapInfo,
DWORD fFlags)
{
DWORD dwRetCode = NO_ERROR;
RASEAPINVOKECONFIGUI pInvokeConfigUI;
RASEAPFREE pFreeConfigUIData;
PBYTE pConnDataOut = NULL;
DWORD dwConnDataOut = 0;
RTASSERT ( NULL != pEapInfo );
RTASSERT ( NULL != pEapInfo->lpwszConfigUIPath );
if ( !(pInvokeConfigUI =
(RASEAPINVOKECONFIGUI )GetProcAddress(
pEapInfo->hEAPModule, "RasEapInvokeConfigUI" ))
|| !(pFreeConfigUIData =
(RASEAPFREE) GetProcAddress(
pEapInfo->hEAPModule, "RasEapFreeMemory" ))
)
{
dwRetCode = GetLastError();
goto LDone;
}
dwRetCode = pInvokeConfigUI ( pEapInfo->dwTypeId,
hWndParent,
fFlags,
(pEapInfo->pbNewClientConfig?
pEapInfo->pbNewClientConfig:
pEapInfo->pbClientConfigOrig
),
(pEapInfo->pbNewClientConfig?
pEapInfo->dwNewClientConfigSize:
pEapInfo->dwClientConfigOrigSize
),
&pConnDataOut,
&dwConnDataOut
);
if ( NO_ERROR != dwRetCode )
{
goto LDone;
}
if ( pConnDataOut && dwConnDataOut )
{
if ( pEapInfo->pbNewClientConfig )
{
LocalFree(pEapInfo->pbNewClientConfig );
pEapInfo->pbNewClientConfig = NULL;
pEapInfo->dwNewClientConfigSize = 0;
}
pEapInfo->pbNewClientConfig = (PBYTE)LocalAlloc ( LPTR, dwConnDataOut );
if ( NULL == pEapInfo->pbNewClientConfig )
{
dwRetCode = ERROR_OUTOFMEMORY;
goto LDone;
}
CopyMemory( pEapInfo->pbNewClientConfig,
pConnDataOut,
dwConnDataOut
);
pEapInfo->dwNewClientConfigSize = dwConnDataOut;
}
LDone:
if ( pConnDataOut )
pFreeConfigUIData(pConnDataOut);
return dwRetCode;
}
DWORD
OpenPeapRegistryKey(
IN WCHAR* pwszMachineName,
IN REGSAM samDesired,
OUT HKEY* phKeyPeap
)
{
HKEY hKeyLocalMachine = NULL;
BOOL fHKeyLocalMachineOpened = FALSE;
BOOL fHKeyPeapOpened = FALSE;
LONG lRet;
DWORD dwErr = NO_ERROR;
RTASSERT(NULL != phKeyPeap);
lRet = RegConnectRegistry(pwszMachineName, HKEY_LOCAL_MACHINE,
&hKeyLocalMachine);
if (ERROR_SUCCESS != lRet)
{
dwErr = lRet;
EapTlsTrace("RegConnectRegistry(%ws) failed and returned %d",
pwszMachineName ? pwszMachineName : L"NULL", dwErr);
goto LDone;
}
fHKeyLocalMachineOpened = TRUE;
lRet = RegOpenKeyEx(hKeyLocalMachine, PEAP_KEY_25, 0, samDesired,
phKeyPeap);
if (ERROR_SUCCESS != lRet)
{
dwErr = lRet;
EapTlsTrace("RegOpenKeyEx(%ws) failed and returned %d",
PEAP_KEY_25, dwErr);
goto LDone;
}
fHKeyPeapOpened = TRUE;
LDone:
if ( fHKeyPeapOpened
&& (ERROR_SUCCESS != dwErr))
{
RegCloseKey(*phKeyPeap);
}
if (fHKeyLocalMachineOpened)
{
RegCloseKey(hKeyLocalMachine);
}
return(dwErr);
}
DWORD
PeapServerConfigDataIO(
IN BOOL fRead,
IN WCHAR* pwszMachineName,
IN OUT BYTE** ppData,
IN DWORD dwNumBytes
)
{
HKEY hKeyPeap;
PEAP_USER_PROP* pUserProp;
BOOL fHKeyPeapOpened = FALSE;
BYTE* pData = NULL;
DWORD dwSize = 0;
LONG lRet;
DWORD dwType;
DWORD dwErr = NO_ERROR;
RTASSERT(NULL != ppData);
dwErr = OpenPeapRegistryKey(pwszMachineName,
fRead ? KEY_READ : KEY_WRITE, &hKeyPeap);
if (ERROR_SUCCESS != dwErr)
{
goto LDone;
}
fHKeyPeapOpened = TRUE;
if (fRead)
{
lRet = RegQueryValueEx(hKeyPeap, PEAP_VAL_SERVER_CONFIG_DATA, NULL,
&dwType, NULL, &dwSize);
if ( (ERROR_SUCCESS != lRet)
|| (REG_BINARY != dwType)
|| (sizeof(PEAP_USER_PROP) != dwSize))
{
pData = LocalAlloc(LPTR, sizeof(PEAP_USER_PROP));
if (NULL == pData)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
pUserProp = (PEAP_USER_PROP*)pData;
pUserProp->dwVersion = 0;
}
else
{
pData = LocalAlloc(LPTR, dwSize);
if (NULL == pData)
{
dwErr = GetLastError();
EapTlsTrace("LocalAlloc failed and returned %d", dwErr);
goto LDone;
}
lRet = RegQueryValueEx(hKeyPeap, PEAP_VAL_SERVER_CONFIG_DATA,
NULL, &dwType, pData, &dwSize);
if (ERROR_SUCCESS != lRet)
{
dwErr = lRet;
EapTlsTrace("RegQueryValueEx(%ws) failed and returned %d",
EAPTLS_VAL_SERVER_CONFIG_DATA, dwErr);
goto LDone;
}
}
pUserProp = (PEAP_USER_PROP*)pData;
pUserProp->dwSize = sizeof(PEAP_USER_PROP);
*ppData = pData;
pData = NULL;
}
else
{
lRet = RegSetValueEx(hKeyPeap, PEAP_VAL_SERVER_CONFIG_DATA, 0,
REG_BINARY, *ppData, dwNumBytes);
if (ERROR_SUCCESS != lRet)
{
dwErr = lRet;
EapTlsTrace("RegSetValueEx(%ws) failed and returned %d",
PEAP_VAL_SERVER_CONFIG_DATA, dwErr);
goto LDone;
}
}
LDone:
if (fHKeyPeapOpened)
{
RegCloseKey(hKeyPeap);
}
LocalFree(pData);
return(dwErr);
}
DWORD
GetIdentityFromUserName (
LPWSTR lpszUserName,
LPWSTR lpszDomain,
LPWSTR * ppwszIdentity
)
{
DWORD dwRetCode = NO_ERROR;
DWORD dwNumBytes;
//domain+ user + '\' + null
dwNumBytes = (wcslen(lpszUserName) + wcslen(lpszDomain) + 1 + 1) * sizeof(WCHAR);
*ppwszIdentity = LocalAlloc ( LPTR, dwNumBytes);
if ( NULL == *ppwszIdentity )
{
dwRetCode = ERROR_OUTOFMEMORY;
goto LDone;
}
if ( *lpszDomain )
{
wcsncpy ( *ppwszIdentity, lpszDomain, DNLEN );
wcscat( *ppwszIdentity, L"\\");
}
wcscat ( *ppwszIdentity, lpszUserName );
LDone:
return dwRetCode;
}
//
// Format identity as domain\user. this is ok because our identity inside has not been
// tampered with
//
BOOL FFormatUserIdentity ( LPWSTR lpszUserNameRaw, LPWSTR * lppszUserNameFormatted )
{
BOOL fRetVal = TRUE;
LPTSTR s1 = NULL;
LPTSTR s2 = NULL;
RTASSERT(NULL != lpszUserNameRaw );
RTASSERT(NULL != lppszUserNameFormatted );
//Need to add 2 more chars. One for NULL and other for $ sign
*lppszUserNameFormatted = (LPTSTR )LocalAlloc ( LPTR, (wcslen(lpszUserNameRaw ) + 2)* sizeof(WCHAR) );
if ( NULL == *lppszUserNameFormatted )
{
return FALSE;
}
//find the first "@" and that is the identity of the machine.
//the second "." is the domain.
//check to see if there at least 2 dots. If not the raw string is
//the output string
s1 = wcschr ( lpszUserNameRaw, '@' );
if ( s1 )
{
//
// get the first .
//
s2 = wcschr ( s1, '.');
}
if ( s1 && s2 )
{
memcpy ( *lppszUserNameFormatted, s1+1, (s2-s1-1) * sizeof(WCHAR)) ;
memcpy ( (*lppszUserNameFormatted) + (s2-s1-1), L"\\", sizeof(WCHAR));
memcpy ( (*lppszUserNameFormatted)+ (s2-s1), lpszUserNameRaw, (s1-lpszUserNameRaw) * sizeof(WCHAR) );
}
else
{
wcscpy ( *lppszUserNameFormatted, lpszUserNameRaw );
}
return fRetVal;
}
VOID
GetMarshalledCredFromHash(
PBYTE pbHash,
DWORD cbHash,
CHAR *pszMarshalledCred,
DWORD cchCredSize)
{
CERT_CREDENTIAL_INFO CertCredInfo;
CHAR *pszMarshalledCredLocal = NULL;
CertCredInfo.cbSize = sizeof(CertCredInfo);
memcpy (CertCredInfo.rgbHashOfCert,
pbHash,
cbHash
);
if (CredMarshalCredentialA(CertCredential,
(PVOID) &CertCredInfo,
&pszMarshalledCredLocal
))
{
//
// Got Marshalled Credential from the cert
// Set it in the username field
//
ASSERT( NULL != pszMarshalledCredLocal );
(VOID) StringCchCopyA (pszMarshalledCred,
cchCredSize,
pszMarshalledCredLocal );
CredFree ( pszMarshalledCredLocal );
}
else
{
EapTlsTrace("CredMarshalCredential Failed with Error:0x%x",
GetLastError());
}
}
DWORD
GetCredentialsFromUserProperties(
EAPTLSCB *pEapTlsCb,
VOID **ppCredentials)
{
DWORD dwRetCode = ERROR_SUCCESS;
RASMAN_CREDENTIALS *pCreds = NULL;
//
// Note: Its important that this allocation is made from
// the process heap. Ppp engine needs to change otherwise.
//
pCreds = LocalAlloc(LPTR, sizeof(RASMAN_CREDENTIALS));
if(NULL == pCreds)
{
dwRetCode = GetLastError();
goto done;
}
if( (NULL != pEapTlsCb->pSavedPin)
&& (NULL != pEapTlsCb->pSavedPin->pwszPin))
{
UNICODE_STRING UnicodeString;
//
// Decode the saved pin
//
UnicodeString.Length = pEapTlsCb->pSavedPin->usLength;
UnicodeString.MaximumLength = pEapTlsCb->pSavedPin->usMaximumLength;
UnicodeString.Buffer = pEapTlsCb->pSavedPin->pwszPin;
RtlRunDecodeUnicodeString(pEapTlsCb->pSavedPin->ucSeed,
&UnicodeString);
(VOID)StringCchCopyW(pCreds->wszPassword,
PWLEN,
pEapTlsCb->pSavedPin->pwszPin);
ZeroMemory(pEapTlsCb->pSavedPin->pwszPin,
wcslen(pEapTlsCb->pSavedPin->pwszPin) * sizeof(WCHAR));
LocalFree(pEapTlsCb->pSavedPin->pwszPin);
LocalFree(pEapTlsCb->pSavedPin);
pEapTlsCb->pSavedPin = NULL;
}
if(NULL != pEapTlsCb->pUserProp)
{
GetMarshalledCredFromHash(
pEapTlsCb->pUserProp->Hash.pbHash,
pEapTlsCb->pUserProp->Hash.cbHash,
pCreds->szUserName,
UNLEN);
}
pCreds->dwFlags = RASCRED_EAP;
done:
*ppCredentials = (VOID *) pCreds;
return dwRetCode;
}