Credentials are no longer stored using method name (TLS/PAP/MSCHAPv2) but with level/type identifier

Author: rozmansi

CredWrite/Main.cpp

@@ -40,7 +40,7 @@ static int CredWrite()
         return -1;
     }
 
-    eap::credentials_pap cred_pap(g_module);
+    eap::credentials_pass cred_pass(g_module);
 
     // Prepare identity (user name).
     {
@@ -50,7 +50,7 @@ static int CredWrite()
         bool is_last;
         dec.decode(identity_utf8, is_last, pwcArglist[1], (size_t)-1);
 
-        MultiByteToWideChar(CP_UTF8, 0, identity_utf8.data(), (int)identity_utf8.size(), cred_pap.m_identity);
+        MultiByteToWideChar(CP_UTF8, 0, identity_utf8.data(), (int)identity_utf8.size(), cred_pass.m_identity);
     }
 
     // Prepare password.
@@ -61,7 +61,7 @@ static int CredWrite()
         bool is_last;
         dec.decode(password_utf8, is_last, pwcArglist[2], (size_t)-1);
 
-        MultiByteToWideChar(CP_UTF8, 0, password_utf8.data(), (int)password_utf8.size(), cred_pap.m_password);
+        MultiByteToWideChar(CP_UTF8, 0, password_utf8.data(), (int)password_utf8.size(), cred_pass.m_password);
     }
 
     // Generate target name (aka realm).
@@ -71,20 +71,30 @@ static int CredWrite()
         target_name = pwcArglist[3];
     } else {
         // Get the realm from user name.
-        LPCWSTR _identity = cred_pap.m_identity.c_str(), domain;
+        LPCWSTR _identity = cred_pass.m_identity.c_str(), domain;
         if ((domain = wcschr(_identity, L'@')) != NULL) {
             target_name  = L"urn:RFC4282:realm:";
             target_name += domain + 1;
         } else
             target_name = L"*";
     }
 
+    // Determine credential level.
+    unsigned int level;
+    if (nArgs > 4) {
+        // User explicitly set the level.
+        level = wcstoul(pwcArglist[4], NULL, 10);
+    } else {
+        // Set default level.
+        level = 0;
+    }
+
     // Write credentials.
 #ifdef _DEBUG
     {
-        eap::credentials_pap cred_stored(g_module);
+        eap::credentials_pass cred_stored(g_module);
         try {
-            cred_stored.retrieve(target_name.c_str());
+            cred_stored.retrieve(target_name.c_str(), level);
         } catch(win_runtime_error &err) {
             OutputDebugStr(_T("%hs (error %u)\n"), err.what(), err.number());
         } catch(...) {
@@ -93,7 +103,7 @@ static int CredWrite()
     }
 #endif
     try {
-        cred_pap.store(target_name.c_str());
+        cred_pass.store(target_name.c_str(), level);
     } catch(win_runtime_error &err) {
         OutputDebugStr(_T("%hs (error %u)\n"), err.what(), err.number());
         return 2;
@@ -102,18 +112,6 @@ static int CredWrite()
         return 2;
     }
 
-    // Store empty TLS credentials.
-    eap::credentials_tls cred_tls(g_module);
-    try {
-        cred_tls.store(target_name.c_str());
-    } catch(win_runtime_error &err) {
-        OutputDebugStr(_T("%hs (error %u)\n"), err.what(), err.number());
-        return 3;
-    } catch(...) {
-        OutputDebugStr(_T("Writing credentials failed.\n"));
-        return 3;
-    }
-
     return 0;
 }
 

CredWrite/README.md

@@ -3,12 +3,13 @@ Imports given credentials to Windows Credential Manager for G
 
 ##Usage
 ```
-CredWrite <username> <password> [<realm>]
+CredWrite <username> <password> [<realm> [level]]
 ```
 
 - `username` - Base64 encoded UTF-8 user name (usually of the form user@domain or domain\user)
 - `password` - Base64 encoded UTF-8 user password
 - `realm`    - A realm ID to allow grouping of credentials over different WLAN profiles (optional, default is domain part of `username`)
+- `level`    - Credential level (0=outer, 1=inner, 2=inner-inner..., default is 0=outer)
 
 The credentials are stored to Windows Credential Manager in invoking user's roaming profile.
 

CredWrite/StdAfx.h

@@ -20,8 +20,7 @@
 
 #pragma once
 
-#include "../lib/PAP/include/Credentials.h"
-#include "../lib/TLS/include/Credentials.h"
+#include "../lib/EAPBase/include/Credentials.h"
 #include "../lib/EAPBase/include/Module.h"
 
 #include <WinStd/Common.h>

lib/EAPBase/include/Config.h

@@ -205,9 +205,10 @@ namespace eap
         ///
         /// Constructs configuration
         ///
-        /// \param[in] mod  EAP module to use for global services
+        /// \param[in] mod    EAP module to use for global services
+        /// \param[in] level  Config level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        config_method(_In_ module &mod);
+        config_method(_In_ module &mod, _In_ unsigned int level);
 
         ///
         /// Copies configuration
@@ -252,6 +253,9 @@ namespace eap
         /// Returns a string identifier of the EAP method type of this configuration
         ///
         virtual const wchar_t* get_method_str() const = 0;
+
+    public:
+        const unsigned int m_level; ///< Config level (0=outer, 1=inner, 2=inner-inner...)
     };
 
 
@@ -264,9 +268,10 @@ namespace eap
         ///
         /// Constructs configuration
         ///
-        /// \param[in] mod  EAP module to use for global services
+        /// \param[in] mod    EAP module to use for global services
+        /// \param[in] level  Config level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        config_method_with_cred(_In_ module &mod);
+        config_method_with_cred(_In_ module &mod, _In_ unsigned int level);
 
         ///
         /// Copies configuration

lib/EAPBase/include/Credentials.h

@@ -179,28 +179,40 @@ namespace eap
         /// Save credentials to Windows Credential Manager
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to store credentials as
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        virtual void store(_In_z_ LPCTSTR pszTargetName) const = 0;
+        virtual void store(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) const = 0;
 
         ///
         /// Retrieve credentials from Windows Credential Manager
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to retrieve credentials from
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        virtual void retrieve(_In_z_ LPCTSTR pszTargetName) = 0;
+        virtual void retrieve(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) = 0;
 
         ///
         /// Returns target name for Windows Credential Manager credential name
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to retrieve credentials from
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
         /// \returns Final target name to store/retrieve credentials in Windows Credential Manager
         ///
-        inline winstd::tstring target_name(_In_z_ LPCTSTR pszTargetName) const
+        inline winstd::tstring target_name(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) const
         {
+            // Start with product name and given target name (identity provider usually).
             winstd::tstring target_name(_T(PRODUCT_NAME_STR) _T("/"));
             target_name += pszTargetName;
             target_name += _T('/');
+
+            // Append level of credentials.
+            TCHAR buf[20];
+            _ultot_s(level, buf, _countof(buf), 10);
+            target_name += buf;
+            target_name += _T('/');
+
+            // Append credential type.
             target_name += target_suffix();
             assert(target_name.length() < CRED_MAX_GENERIC_TARGET_NAME_LENGTH);
             return target_name;
@@ -291,6 +303,13 @@ namespace eap
         ///
         credentials_pass& operator=(_Inout_ credentials_pass &&other);
 
+        ///
+        /// Clones credentials
+        ///
+        /// \returns Pointer to cloned credentials
+        ///
+        virtual config* clone() const;
+
         ///
         /// Resets credentials
         ///
@@ -358,18 +377,46 @@ namespace eap
         /// Save credentials to Windows Credential Manager
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to store credentials as
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        virtual void store(_In_z_ LPCTSTR pszTargetName) const;
+        virtual void store(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) const;
 
         ///
         /// Retrieve credentials from Windows Credential Manager
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to retrieve credentials from
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        virtual void retrieve(_In_z_ LPCTSTR pszTargetName);
+        virtual void retrieve(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level);
+
+        ///
+        /// Return target suffix for Windows Credential Manager credential name
+        ///
+        virtual LPCTSTR target_suffix() const;
 
         /// @}
 
+        ///
+        /// Combine credentials in the following order:
+        ///
+        /// 1. Cached credentials
+        /// 2. Pre-configured credentials
+        /// 3. Stored credentials
+        ///
+        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL, must be credentials_pass* type)
+        /// \param[in] cfg            Method configuration (must be config_method_pap type)
+        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
+        ///
+        /// \returns
+        /// - \c source_cache      Credentials were obtained from EapHost cache
+        /// - \c source_preshared  Credentials were set by method configuration
+        /// - \c source_storage    Credentials were loaded from Windows Credential Manager
+        ///
+        virtual source_t combine(
+            _In_       const credentials             *cred_cached,
+            _In_       const config_method_with_cred &cfg,
+            _In_opt_z_       LPCTSTR                 pszTargetName);
+
     public:
         winstd::sanitizing_wstring m_password;  ///< Password
 

lib/EAPBase/src/Config.cpp

@@ -102,34 +102,44 @@ const bstr eap::config::namespace_eapmetadata(L"urn:ietf:params:xml:ns:yang:ietf
 // eap::config_method
 //////////////////////////////////////////////////////////////////////
 
-eap::config_method::config_method(_In_ module &mod) : config(mod)
+eap::config_method::config_method(_In_ module &mod, _In_ unsigned int level) :
+    m_level(level),
+    config(mod)
 {
 }
 
 
-eap::config_method::config_method(_In_ const config_method &other) : config(other)
+eap::config_method::config_method(_In_ const config_method &other) :
+    m_level(other.m_level),
+    config(other)
 {
 }
 
 
-eap::config_method::config_method(_Inout_ config_method &&other) : config(std::move(other))
+eap::config_method::config_method(_Inout_ config_method &&other) :
+    m_level(other.m_level),
+    config(std::move(other))
 {
 }
 
 
 eap::config_method& eap::config_method::operator=(_In_ const config_method &other)
 {
-    if (this != &other)
+    if (this != &other) {
+        assert(m_level == other.m_level); // Allow copy within same configuration level only.
         (config&)*this = other;
+    }
 
     return *this;
 }
 
 
 eap::config_method& eap::config_method::operator=(_Inout_ config_method &&other)
 {
-    if (this != &other)
+    if (this != &other) {
+        assert(m_level == other.m_level); // Allow move within same configuration level only.
         (config&&)*this = std::move(other);
+    }
 
     return *this;
 }
@@ -139,11 +149,11 @@ eap::config_method& eap::config_method::operator=(_Inout_ config_method &&other)
 // eap::config_method_with_cred
 //////////////////////////////////////////////////////////////////////
 
-eap::config_method_with_cred::config_method_with_cred(_In_ module &mod) :
+eap::config_method_with_cred::config_method_with_cred(_In_ module &mod, _In_ unsigned int level) :
     m_allow_save(true),
     m_use_preshared(false),
     m_last_status(status_success),
-    config_method(mod)
+    config_method(mod, level)
 {
 }