Credentials are no longer stored using method name (TLS/PAP/MSCHAPv2) but with level/type identifier

CredWrite/Main.cpp

@@ -40,7 +40,7 @@ static int CredWrite()
         return -1;
     }
 
-    eap::credentials_pap cred_pap(g_module);
+    eap::credentials_pass cred_pass(g_module);
 
     // Prepare identity (user name).
     {
@@ -50,7 +50,7 @@ static int CredWrite()
         bool is_last;
         dec.decode(identity_utf8, is_last, pwcArglist[1], (size_t)-1);
 
-        MultiByteToWideChar(CP_UTF8, 0, identity_utf8.data(), (int)identity_utf8.size(), cred_pap.m_identity);
+        MultiByteToWideChar(CP_UTF8, 0, identity_utf8.data(), (int)identity_utf8.size(), cred_pass.m_identity);
     }
 
     // Prepare password.
@@ -61,7 +61,7 @@ static int CredWrite()
         bool is_last;
         dec.decode(password_utf8, is_last, pwcArglist[2], (size_t)-1);
 
-        MultiByteToWideChar(CP_UTF8, 0, password_utf8.data(), (int)password_utf8.size(), cred_pap.m_password);
+        MultiByteToWideChar(CP_UTF8, 0, password_utf8.data(), (int)password_utf8.size(), cred_pass.m_password);
     }
 
     // Generate target name (aka realm).
@@ -71,7 +71,7 @@ static int CredWrite()
         target_name = pwcArglist[3];
     } else {
         // Get the realm from user name.
-        LPCWSTR _identity = cred_pap.m_identity.c_str(), domain;
+        LPCWSTR _identity = cred_pass.m_identity.c_str(), domain;
         if ((domain = wcschr(_identity, L'@')) != NULL) {
             target_name  = L"urn:RFC4282:realm:";
             target_name += domain + 1;
@@ -79,12 +79,22 @@ static int CredWrite()
             target_name = L"*";
     }
 
+    // Determine credential level.
+    unsigned int level;
+    if (nArgs > 4) {
+        // User explicitly set the level.
+        level = wcstoul(pwcArglist[4], NULL, 10);
+    } else {
+        // Set default level.
+        level = 0;
+    }
+
     // Write credentials.
 #ifdef _DEBUG
     {
-        eap::credentials_pap cred_stored(g_module);
+        eap::credentials_pass cred_stored(g_module);
         try {
-            cred_stored.retrieve(target_name.c_str());
+            cred_stored.retrieve(target_name.c_str(), level);
         } catch(win_runtime_error &err) {
             OutputDebugStr(_T("%hs (error %u)\n"), err.what(), err.number());
         } catch(...) {
@@ -93,7 +103,7 @@ static int CredWrite()
     }
 #endif
     try {
-        cred_pap.store(target_name.c_str());
+        cred_pass.store(target_name.c_str(), level);
     } catch(win_runtime_error &err) {
         OutputDebugStr(_T("%hs (error %u)\n"), err.what(), err.number());
         return 2;
@@ -102,18 +112,6 @@ static int CredWrite()
         return 2;
     }
 
-    // Store empty TLS credentials.
-    eap::credentials_tls cred_tls(g_module);
-    try {
-        cred_tls.store(target_name.c_str());
-    } catch(win_runtime_error &err) {
-        OutputDebugStr(_T("%hs (error %u)\n"), err.what(), err.number());
-        return 3;
-    } catch(...) {
-        OutputDebugStr(_T("Writing credentials failed.\n"));
-        return 3;
-    }
-
     return 0;
 }
 

CredWrite/README.md

@@ -3,12 +3,13 @@ Imports given credentials to Windows Credential Manager for G
 
 ##Usage
 ```
-CredWrite <username> <password> [<realm>]
+CredWrite <username> <password> [<realm> [level]]
 ```
 
 - `username` - Base64 encoded UTF-8 user name (usually of the form user@domain or domain\user)
 - `password` - Base64 encoded UTF-8 user password
 - `realm`    - A realm ID to allow grouping of credentials over different WLAN profiles (optional, default is domain part of `username`)
+- `level`    - Credential level (0=outer, 1=inner, 2=inner-inner..., default is 0=outer)
 
 The credentials are stored to Windows Credential Manager in invoking user's roaming profile.
 

CredWrite/StdAfx.h

@@ -20,8 +20,7 @@
 
 #pragma once
 
-#include "../lib/PAP/include/Credentials.h"
+#include "../lib/EAPBase/include/Credentials.h"
-#include "../lib/TLS/include/Credentials.h"
 #include "../lib/EAPBase/include/Module.h"
 
 #include <WinStd/Common.h>

lib/EAPBase/include/Config.h

@@ -205,9 +205,10 @@ namespace eap
         ///
         /// Constructs configuration
         ///
-        /// \param[in] mod  EAP module to use for global services
+        /// \param[in] mod    EAP module to use for global services
+        /// \param[in] level  Config level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        config_method(_In_ module &mod);
+        config_method(_In_ module &mod, _In_ unsigned int level);
 
         ///
         /// Copies configuration
@@ -252,6 +253,9 @@ namespace eap
         /// Returns a string identifier of the EAP method type of this configuration
         ///
         virtual const wchar_t* get_method_str() const = 0;
+
+    public:
+        const unsigned int m_level; ///< Config level (0=outer, 1=inner, 2=inner-inner...)
     };
 
 
@@ -264,9 +268,10 @@ namespace eap
         ///
         /// Constructs configuration
         ///
-        /// \param[in] mod  EAP module to use for global services
+        /// \param[in] mod    EAP module to use for global services
+        /// \param[in] level  Config level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        config_method_with_cred(_In_ module &mod);
+        config_method_with_cred(_In_ module &mod, _In_ unsigned int level);
 
         ///
         /// Copies configuration

lib/EAPBase/include/Credentials.h

@@ -179,28 +179,40 @@ namespace eap
         /// Save credentials to Windows Credential Manager
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to store credentials as
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        virtual void store(_In_z_ LPCTSTR pszTargetName) const = 0;
+        virtual void store(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) const = 0;
 
         ///
         /// Retrieve credentials from Windows Credential Manager
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to retrieve credentials from
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        virtual void retrieve(_In_z_ LPCTSTR pszTargetName) = 0;
+        virtual void retrieve(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) = 0;
 
         ///
         /// Returns target name for Windows Credential Manager credential name
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to retrieve credentials from
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
         /// \returns Final target name to store/retrieve credentials in Windows Credential Manager
         ///
-        inline winstd::tstring target_name(_In_z_ LPCTSTR pszTargetName) const
+        inline winstd::tstring target_name(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) const
         {
+            // Start with product name and given target name (identity provider usually).
             winstd::tstring target_name(_T(PRODUCT_NAME_STR) _T("/"));
             target_name += pszTargetName;
             target_name += _T('/');
+
+            // Append level of credentials.
+            TCHAR buf[20];
+            _ultot_s(level, buf, _countof(buf), 10);
+            target_name += buf;
+            target_name += _T('/');
+
+            // Append credential type.
             target_name += target_suffix();
             assert(target_name.length() < CRED_MAX_GENERIC_TARGET_NAME_LENGTH);
             return target_name;
@@ -291,6 +303,13 @@ namespace eap
         ///
         credentials_pass& operator=(_Inout_ credentials_pass &&other);
 
+        ///
+        /// Clones credentials
+        ///
+        /// \returns Pointer to cloned credentials
+        ///
+        virtual config* clone() const;
+
         ///
         /// Resets credentials
         ///
@@ -358,18 +377,46 @@ namespace eap
         /// Save credentials to Windows Credential Manager
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to store credentials as
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        virtual void store(_In_z_ LPCTSTR pszTargetName) const;
+        virtual void store(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) const;
 
         ///
         /// Retrieve credentials from Windows Credential Manager
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to retrieve credentials from
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        virtual void retrieve(_In_z_ LPCTSTR pszTargetName);
+        virtual void retrieve(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level);
+
+        ///
+        /// Return target suffix for Windows Credential Manager credential name
+        ///
+        virtual LPCTSTR target_suffix() const;
 
         /// @}
 
+        ///
+        /// Combine credentials in the following order:
+        ///
+        /// 1. Cached credentials
+        /// 2. Pre-configured credentials
+        /// 3. Stored credentials
+        ///
+        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL, must be credentials_pass* type)
+        /// \param[in] cfg            Method configuration (must be config_method_pap type)
+        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
+        ///
+        /// \returns
+        /// - \c source_cache      Credentials were obtained from EapHost cache
+        /// - \c source_preshared  Credentials were set by method configuration
+        /// - \c source_storage    Credentials were loaded from Windows Credential Manager
+        ///
+        virtual source_t combine(
+            _In_       const credentials             *cred_cached,
+            _In_       const config_method_with_cred &cfg,
+            _In_opt_z_       LPCTSTR                 pszTargetName);
+
     public:
         winstd::sanitizing_wstring m_password;  ///< Password
 

lib/EAPBase/src/Config.cpp

@@ -102,25 +102,33 @@ const bstr eap::config::namespace_eapmetadata(L"urn:ietf:params:xml:ns:yang:ietf
 // eap::config_method
 //////////////////////////////////////////////////////////////////////
 
-eap::config_method::config_method(_In_ module &mod) : config(mod)
+eap::config_method::config_method(_In_ module &mod, _In_ unsigned int level) :
+    m_level(level),
+    config(mod)
 {
 }
 
 
-eap::config_method::config_method(_In_ const config_method &other) : config(other)
+eap::config_method::config_method(_In_ const config_method &other) :
+    m_level(other.m_level),
+    config(other)
 {
 }
 
 
-eap::config_method::config_method(_Inout_ config_method &&other) : config(std::move(other))
+eap::config_method::config_method(_Inout_ config_method &&other) :
+    m_level(other.m_level),
+    config(std::move(other))
 {
 }
 
 
 eap::config_method& eap::config_method::operator=(_In_ const config_method &other)
 {
-    if (this != &other)
+    if (this != &other) {
+        assert(m_level == other.m_level); // Allow copy within same configuration level only.
         (config&)*this = other;
+    }
 
     return *this;
 }
@@ -128,8 +136,10 @@ eap::config_method& eap::config_method::operator=(_In_ const config_method &othe
 
 eap::config_method& eap::config_method::operator=(_Inout_ config_method &&other)
 {
-    if (this != &other)
+    if (this != &other) {
+        assert(m_level == other.m_level); // Allow move within same configuration level only.
         (config&&)*this = std::move(other);
+    }
 
     return *this;
 }
@@ -139,11 +149,11 @@ eap::config_method& eap::config_method::operator=(_Inout_ config_method &&other)
 // eap::config_method_with_cred
 //////////////////////////////////////////////////////////////////////
 
-eap::config_method_with_cred::config_method_with_cred(_In_ module &mod) :
+eap::config_method_with_cred::config_method_with_cred(_In_ module &mod, _In_ unsigned int level) :
     m_allow_save(true),
     m_use_preshared(false),
     m_last_status(status_success),
-    config_method(mod)
+    config_method(mod, level)
 {
 }
 

lib/EAPBase/src/Credentials.cpp

@@ -197,6 +197,12 @@ eap::credentials_pass& eap::credentials_pass::operator=(_Inout_ credentials_pass
 }
 
 
+eap::config* eap::credentials_pass::clone() const
+{
+    return new credentials_pass(*this);
+}
+
+
 void eap::credentials_pass::clear()
 {
     credentials::clear();
@@ -275,7 +281,7 @@ void eap::credentials_pass::operator>>(_Inout_ cursor_in &cursor)
 }
 
 
-void eap::credentials_pass::store(_In_z_ LPCTSTR pszTargetName) const
+void eap::credentials_pass::store(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) const
 {
     assert(pszTargetName);
 
@@ -290,7 +296,7 @@ void eap::credentials_pass::store(_In_z_ LPCTSTR pszTargetName) const
     if (!CryptProtectData(&cred_blob, NULL, &entropy_blob, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &cred_enc))
         throw win_runtime_error(__FUNCTION__ " CryptProtectData failed.");
 
-    tstring target(target_name(pszTargetName));
+    tstring target(target_name(pszTargetName, level));
 
     // Write credentials.
     assert(cred_enc.cbData     < CRED_MAX_CREDENTIAL_BLOB_SIZE);
@@ -314,13 +320,13 @@ void eap::credentials_pass::store(_In_z_ LPCTSTR pszTargetName) const
 }
 
 
-void eap::credentials_pass::retrieve(_In_z_ LPCTSTR pszTargetName)
+void eap::credentials_pass::retrieve(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level)
 {
     assert(pszTargetName);
 
     // Read credentials.
     unique_ptr<CREDENTIAL, CredFree_delete<CREDENTIAL> > cred;
-    if (!CredRead(target_name(pszTargetName).c_str(), CRED_TYPE_GENERIC, 0, (PCREDENTIAL*)&cred))
+    if (!CredRead(target_name(pszTargetName, level).c_str(), CRED_TYPE_GENERIC, 0, (PCREDENTIAL*)&cred))
         throw win_runtime_error(__FUNCTION__ " CredRead failed.");
 
     // Decrypt the password using user's key.
@@ -351,6 +357,49 @@ void eap::credentials_pass::retrieve(_In_z_ LPCTSTR pszTargetName)
 }
 
 
+LPCTSTR eap::credentials_pass::target_suffix() const
+{
+    return _T("pass");
+}
+
+
+eap::credentials::source_t eap::credentials_pass::combine(
+    _In_       const credentials             *cred_cached,
+    _In_       const config_method_with_cred &cfg,
+    _In_opt_z_       LPCTSTR                 pszTargetName)
+{
+    if (cred_cached) {
+        // Using EAP service cached credentials.
+        *this = *(credentials_pass*)cred_cached;
+        m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)cfg.get_method_id()), event_data(credentials_pass::get_name()), event_data::blank);
+        return source_cache;
+    }
+
+    if (cfg.m_use_preshared) {
+        // Using preshared credentials.
+        *this = *(credentials_pass*)cfg.m_preshared.get();
+        m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)cfg.get_method_id()), event_data(credentials_pass::get_name()), event_data::blank);
+        return source_preshared;
+    }
+
+    if (pszTargetName) {
+        try {
+            credentials_pass cred_loaded(m_module);
+            cred_loaded.retrieve(pszTargetName, cfg.m_level);
+
+            // Using stored credentials.
+            *this = std::move(cred_loaded);
+            m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)cfg.get_method_id()), event_data(credentials_pass::get_name()), event_data::blank);
+            return source_storage;
+        } catch (...) {
+            // Not actually an error.
+        }
+    }
+
+    return source_unknown;
+}
+
+
 const unsigned char eap::credentials_pass::s_entropy[1024] = {
     0x40, 0x88, 0xd3, 0x13, 0x81, 0x8a, 0xf6, 0x74, 0x55, 0x8e, 0xcc, 0x73, 0x2c, 0xf8, 0x93, 0x37,
     0x4f, 0xeb, 0x1d, 0x66, 0xb7, 0xfb, 0x47, 0x75, 0xb4, 0xfd, 0x07, 0xbb, 0xf6, 0xb3, 0x05, 0x30,

lib/EAPBase_UI/include/EAP_UI.h

@@ -199,7 +199,6 @@ public:
         this->SetIcon(wxIcon(wxICON(product.ico)));
 #endif
 
-        wstring target_name;
         for (eap::config_connection::provider_list::iterator provider = m_cfg.m_providers.begin(), provider_end = m_cfg.m_providers.end(); provider != provider_end; ++provider) {
             bool is_single = provider->m_methods.size() == 1;
             std::vector<std::unique_ptr<eap::config_method> >::size_type count = 0;
@@ -682,7 +681,7 @@ protected:
         if (dlg.ShowModal() == wxID_OK && panel->GetRemember()) {
             // Write credentials to credential manager.
             try {
-                m_cred_own.store(m_prov.get_id().c_str());
+                m_cred_own.store(m_prov.get_id().c_str(), m_cfg.m_level);
                 m_has_own = TRUE;
                 UpdateOwnIdentity();
             } catch (winstd::win_runtime_error &err) {
@@ -698,7 +697,7 @@ protected:
 
     virtual void OnClearOwn(wxCommandEvent& /*event*/)
     {
-        if (CredDelete(m_cred_own.target_name(m_prov.get_id().c_str()).c_str(), CRED_TYPE_GENERIC, 0)) {
+        if (CredDelete(m_cred_own.target_name(m_prov.get_id().c_str(), m_cfg.m_level).c_str(), CRED_TYPE_GENERIC, 0)) {
             m_own_identity->Clear();
             m_has_own = false;
         } else
@@ -728,7 +727,7 @@ protected:
     void RetrieveOwnCredentials()
     {
         try {
-            m_cred_own.retrieve(m_prov.get_id().c_str());
+            m_cred_own.retrieve(m_prov.get_id().c_str(), m_cfg.m_level);
             m_has_own = true;
             UpdateOwnIdentity();
         } catch (winstd::win_runtime_error &err) {

lib/MSCHAPv2/build/MSCHAPv2.vcxproj

@@ -80,14 +80,12 @@
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" />
   <ItemGroup>
     <ClInclude Include="..\include\Config.h" />
-    <ClInclude Include="..\include\Credentials.h" />
     <ClInclude Include="..\include\Method.h" />
     <ClInclude Include="..\include\MSCHAPv2.h" />
     <ClInclude Include="..\src\StdAfx.h" />
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\src\Config.cpp" />
-    <ClCompile Include="..\src\Credentials.cpp" />
     <ClCompile Include="..\src\Method.cpp" />
     <ClCompile Include="..\src\MSCHAPv2.cpp" />
     <ClCompile Include="..\src\StdAfx.cpp">

lib/MSCHAPv2/build/MSCHAPv2.vcxproj.filters

@@ -17,9 +17,6 @@
     <ClInclude Include="..\include\Config.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="..\include\Credentials.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
     <ClInclude Include="..\include\Method.h">
       <Filter>Header Files</Filter>
     </ClInclude>
@@ -34,9 +31,6 @@
     <ClCompile Include="..\src\Config.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
-    <ClCompile Include="..\src\Credentials.cpp">
-      <Filter>Source Files</Filter>
-    </ClCompile>
     <ClCompile Include="..\src\Method.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>

lib/MSCHAPv2/include/Config.h

@@ -30,7 +30,6 @@ namespace eap
 
 #pragma once
 
-#include "Credentials.h"
 #include "../../EAPBase/include/Config.h"
 
 #include <Windows.h>
@@ -46,9 +45,10 @@ namespace eap
         ///
         /// Constructs configuration
         ///
-        /// \param[in] mod  EAP module to use for global services
+        /// \param[in] mod    EAP module to use for global services
+        /// \param[in] level  Config level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        config_method_mschapv2(_In_ module &mod);
+        config_method_mschapv2(_In_ module &mod, _In_ unsigned int level);
 
         ///
         /// Copies configuration

lib/MSCHAPv2/include/Credentials.h

@@ -1,122 +0,0 @@
-/*
-    Copyright 2015-2016 Amebis
-    Copyright 2016 GÉANT
-
-    This file is part of GÉANTLink.
-
-    GÉANTLink is free software: you can redistribute it and/or modify it
-    under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    GÉANTLink is distributed in the hope that it will be useful, but
-    WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with GÉANTLink. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-namespace eap
-{
-    ///
-    /// MSCHAPv2 credentials
-    ///
-    class credentials_mschapv2;
-}
-
-#pragma once
-
-#include "Config.h"
-
-#include "../../EAPBase/include/Credentials.h"
-
-#include <Windows.h>
-#include <sal.h>
-#include <tchar.h>
-
-
-namespace eap
-{
-    class credentials_mschapv2 : public credentials_pass
-    {
-    public:
-        ///
-        /// Constructs credentials
-        ///
-        /// \param[in] mod  EAP module to use for global services
-        ///
-        credentials_mschapv2(_In_ module &mod);
-
-        ///
-        /// Copies credentials
-        ///
-        /// \param[in] other  Credentials to copy from
-        ///
-        credentials_mschapv2(_In_ const credentials_mschapv2 &other);
-
-        ///
-        /// Moves credentials
-        ///
-        /// \param[in] other  Credentials to move from
-        ///
-        credentials_mschapv2(_Inout_ credentials_mschapv2 &&other);
-
-        ///
-        /// Copies credentials
-        ///
-        /// \param[in] other  Credentials to copy from
-        ///
-        /// \returns Reference to this object
-        ///
-        credentials_mschapv2& operator=(_In_ const credentials_mschapv2 &other);
-
-        ///
-        /// Moves credentials
-        ///
-        /// \param[in] other  Credentials to move from
-        ///
-        /// \returns Reference to this object
-        ///
-        credentials_mschapv2& operator=(_Inout_ credentials_mschapv2 &&other);
-
-        ///
-        /// Clones credentials
-        ///
-        /// \returns Pointer to cloned credentials
-        ///
-        virtual config* clone() const;
-
-        /// \name Storage
-        /// @{
-
-        ///
-        /// Return target suffix for Windows Credential Manager credential name
-        ///
-        virtual LPCTSTR target_suffix() const;
-
-        /// @}
-
-        ///
-        /// Combine credentials in the following order:
-        ///
-        /// 1. Cached credentials
-        /// 2. Pre-configured credentials
-        /// 3. Stored credentials
-        ///
-        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL, must be credentials_mschapv2* type)
-        /// \param[in] cfg            Method configuration (must be config_method_mschapv2 type)
-        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
-        ///
-        /// \returns
-        /// - \c source_cache      Credentials were obtained from EapHost cache
-        /// - \c source_preshared  Credentials were set by method configuration
-        /// - \c source_storage    Credentials were loaded from Windows Credential Manager
-        ///
-        virtual source_t combine(
-            _In_       const credentials             *cred_cached,
-            _In_       const config_method_with_cred &cfg,
-            _In_opt_z_       LPCTSTR                 pszTargetName);
-    };
-}

lib/MSCHAPv2/include/Method.h

@@ -29,7 +29,6 @@ namespace eap
 #pragma once
 
 #include "Config.h"
-#include "Credentials.h"
 #include "MSCHAPv2.h"
 
 #include "../../EAPBase/include/Method.h"
@@ -49,7 +48,7 @@ namespace eap
         /// \param[in] cfg   Method configuration
         /// \param[in] cred  User credentials
         ///
-        method_mschapv2(_In_ module &module, _In_ config_method_mschapv2 &cfg, _In_ credentials_mschapv2 &cred);
+        method_mschapv2(_In_ module &module, _In_ config_method_mschapv2 &cfg, _In_ credentials_pass &cred);
 
         ///
         /// Moves an EAP method
@@ -133,7 +132,7 @@ namespace eap
         static std::list<std::string> parse_response(_In_count_(count) const char *resp, _In_ size_t count);
 
     protected:
-        credentials_mschapv2 &m_cred;           ///< EAP-TLS user credentials
+        credentials_pass &m_cred;           ///< EAP-TLS user credentials
         winstd::crypt_prov m_cp;                ///< Cryptography provider for general services
 
         challenge_mschapv2 m_challenge_server;  ///< MSCHAP server challenge

lib/MSCHAPv2/src/Config.cpp

@@ -28,9 +28,9 @@ using namespace winstd;
 // eap::config_method_mschapv2
 //////////////////////////////////////////////////////////////////////
 
-eap::config_method_mschapv2::config_method_mschapv2(_In_ module &mod) : config_method_with_cred(mod)
+eap::config_method_mschapv2::config_method_mschapv2(_In_ module &mod, _In_ unsigned int level) : config_method_with_cred(mod, level)
 {
-    m_preshared.reset(new credentials_mschapv2(mod));
+    m_preshared.reset(new credentials_pass(mod));
 }
 
 
@@ -84,5 +84,5 @@ const wchar_t* eap::config_method_mschapv2::get_method_str() const
 
 eap::credentials* eap::config_method_mschapv2::make_credentials() const
 {
-    return new credentials_mschapv2(m_module);
+    return new credentials_pass(m_module);
 }

lib/MSCHAPv2/src/Credentials.cpp

@@ -1,112 +0,0 @@
-/*
-    Copyright 2015-2016 Amebis
-    Copyright 2016 GÉANT
-
-    This file is part of GÉANTLink.
-
-    GÉANTLink is free software: you can redistribute it and/or modify it
-    under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    GÉANTLink is distributed in the hope that it will be useful, but
-    WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with GÉANTLink. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "StdAfx.h"
-
-using namespace std;
-using namespace winstd;
-
-
-//////////////////////////////////////////////////////////////////////
-// eap::credentials_mschapv2
-//////////////////////////////////////////////////////////////////////
-
-eap::credentials_mschapv2::credentials_mschapv2(_In_ module &mod) : credentials_pass(mod)
-{
-}
-
-
-eap::credentials_mschapv2::credentials_mschapv2(_In_ const credentials_mschapv2 &other) :
-    credentials_pass(other)
-{
-}
-
-
-eap::credentials_mschapv2::credentials_mschapv2(_Inout_ credentials_mschapv2 &&other) :
-    credentials_pass(std::move(other))
-{
-}
-
-
-eap::credentials_mschapv2& eap::credentials_mschapv2::operator=(_In_ const credentials_mschapv2 &other)
-{
-    if (this != &other)
-        (credentials_pass&)*this = other;
-
-    return *this;
-}
-
-
-eap::credentials_mschapv2& eap::credentials_mschapv2::operator=(_Inout_ credentials_mschapv2 &&other)
-{
-    if (this != &other)
-        (credentials_pass&&)*this = std::move(other);
-
-    return *this;
-}
-
-
-eap::config* eap::credentials_mschapv2::clone() const
-{
-    return new credentials_mschapv2(*this);
-}
-
-
-LPCTSTR eap::credentials_mschapv2::target_suffix() const
-{
-    return _T("MSCHAPv2");
-}
-
-
-eap::credentials::source_t eap::credentials_mschapv2::combine(
-    _In_       const credentials             *cred_cached,
-    _In_       const config_method_with_cred &cfg,
-    _In_opt_z_       LPCTSTR                 pszTargetName)
-{
-    if (cred_cached) {
-        // Using EAP service cached credentials.
-        *this = *(credentials_mschapv2*)cred_cached;
-        m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)eap_type_legacy_mschapv2), event_data(credentials_mschapv2::get_name()), event_data::blank);
-        return source_cache;
-    }
-
-    if (cfg.m_use_preshared) {
-        // Using preshared credentials.
-        *this = *(credentials_mschapv2*)cfg.m_preshared.get();
-        m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)eap_type_legacy_mschapv2), event_data(credentials_mschapv2::get_name()), event_data::blank);
-        return source_preshared;
-    }
-
-    if (pszTargetName) {
-        try {
-            credentials_mschapv2 cred_loaded(m_module);
-            cred_loaded.retrieve(pszTargetName);
-
-            // Using stored credentials.
-            *this = std::move(cred_loaded);
-            m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)eap_type_legacy_mschapv2), event_data(credentials_mschapv2::get_name()), event_data::blank);
-            return source_storage;
-        } catch (...) {
-            // Not actually an error.
-        }
-    }
-
-    return source_unknown;
-}

lib/MSCHAPv2/src/Method.cpp

@@ -28,7 +28,7 @@ using namespace winstd;
 // eap::method_mschapv2
 //////////////////////////////////////////////////////////////////////
 
-eap::method_mschapv2::method_mschapv2(_In_ module &module, _In_ config_method_mschapv2 &cfg, _In_ credentials_mschapv2 &cred) :
+eap::method_mschapv2::method_mschapv2(_In_ module &module, _In_ config_method_mschapv2 &cfg, _In_ credentials_pass &cred) :
     m_cred(cred),
     m_ident(0),
     m_success(false),

lib/MSCHAPv2/src/StdAfx.h

@@ -21,7 +21,6 @@
 #pragma once
 
 #include "../include/Config.h"
-#include "../include/Credentials.h"
 #include "../include/Method.h"
 #include "../include/MSCHAPv2.h"
 

lib/MSCHAPv2_UI/include/MSCHAPv2_UI.h

@@ -20,12 +20,11 @@
 
 #include "../../EAPBase_UI/include/EAP_UI.h"
 #include "../../MSCHAPv2/include/Config.h"
-#include "../../MSCHAPv2/include/Credentials.h"
 
 ///
 /// MSCHAPv2 credential configuration panel
 ///
-typedef wxEAPCredentialsConfigPanel<eap::credentials_mschapv2, wxPasswordCredentialsPanel<eap::credentials_mschapv2, wxEAPCredentialsPassPanelBase> > wxMSCHAPv2CredentialsConfigPanel;
+typedef wxEAPCredentialsConfigPanel<eap::credentials_pass, wxPasswordCredentialsPanel<eap::credentials_pass, wxEAPCredentialsPassPanelBase> > wxMSCHAPv2CredentialsConfigPanel;
 
 ///
 /// MSCHAPv2 configuration panel
@@ -35,7 +34,7 @@ class wxMSCHAPv2ConfigPanel;
 ///
 /// MSCHAPv2 credential entry panel
 ///
-typedef wxPasswordCredentialsPanel<eap::credentials_mschapv2, wxEAPCredentialsPassPanelBase> wxMSCHAPv2CredentialsPanel;
+typedef wxPasswordCredentialsPanel<eap::credentials_pass, wxEAPCredentialsPassPanelBase> wxMSCHAPv2CredentialsPanel;
 
 #pragma once
 

lib/PAP/build/PAP.vcxproj

@@ -80,13 +80,11 @@
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" />
   <ItemGroup>
     <ClInclude Include="..\include\Config.h" />
-    <ClInclude Include="..\include\Credentials.h" />
     <ClInclude Include="..\include\Method.h" />
     <ClInclude Include="..\src\StdAfx.h" />
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\src\Config.cpp" />
-    <ClCompile Include="..\src\Credentials.cpp" />
     <ClCompile Include="..\src\Method.cpp" />
     <ClCompile Include="..\src\StdAfx.cpp">
       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>

lib/PAP/build/PAP.vcxproj.filters

@@ -17,9 +17,6 @@
     <ClInclude Include="..\include\Config.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="..\include\Credentials.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
     <ClInclude Include="..\include\Method.h">
       <Filter>Header Files</Filter>
     </ClInclude>
@@ -31,9 +28,6 @@
     <ClCompile Include="..\src\Config.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
-    <ClCompile Include="..\src\Credentials.cpp">
-      <Filter>Source Files</Filter>
-    </ClCompile>
     <ClCompile Include="..\src\Method.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>

lib/PAP/include/Config.h

@@ -30,7 +30,6 @@ namespace eap
 
 #pragma once
 
-#include "Credentials.h"
 #include "../../EAPBase/include/Config.h"
 
 #include <Windows.h>
@@ -46,9 +45,10 @@ namespace eap
         ///
         /// Constructs configuration
         ///
-        /// \param[in] mod  EAP module to use for global services
+        /// \param[in] mod    EAP module to use for global services
+        /// \param[in] level  Config level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        config_method_pap(_In_ module &mod);
+        config_method_pap(_In_ module &mod, _In_ unsigned int level);
 
         ///
         /// Copies configuration

lib/PAP/include/Credentials.h

@@ -1,122 +0,0 @@
-/*
-    Copyright 2015-2016 Amebis
-    Copyright 2016 GÉANT
-
-    This file is part of GÉANTLink.
-
-    GÉANTLink is free software: you can redistribute it and/or modify it
-    under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    GÉANTLink is distributed in the hope that it will be useful, but
-    WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with GÉANTLink. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-namespace eap
-{
-    ///
-    /// PAP credentials
-    ///
-    class credentials_pap;
-}
-
-#pragma once
-
-#include "Config.h"
-
-#include "../../EAPBase/include/Credentials.h"
-
-#include <Windows.h>
-#include <sal.h>
-#include <tchar.h>
-
-
-namespace eap
-{
-    class credentials_pap : public credentials_pass
-    {
-    public:
-        ///
-        /// Constructs credentials
-        ///
-        /// \param[in] mod  EAP module to use for global services
-        ///
-        credentials_pap(_In_ module &mod);
-
-        ///
-        /// Copies credentials
-        ///
-        /// \param[in] other  Credentials to copy from
-        ///
-        credentials_pap(_In_ const credentials_pap &other);
-
-        ///
-        /// Moves credentials
-        ///
-        /// \param[in] other  Credentials to move from
-        ///
-        credentials_pap(_Inout_ credentials_pap &&other);
-
-        ///
-        /// Copies credentials
-        ///
-        /// \param[in] other  Credentials to copy from
-        ///
-        /// \returns Reference to this object
-        ///
-        credentials_pap& operator=(_In_ const credentials_pap &other);
-
-        ///
-        /// Moves credentials
-        ///
-        /// \param[in] other  Credentials to move from
-        ///
-        /// \returns Reference to this object
-        ///
-        credentials_pap& operator=(_Inout_ credentials_pap &&other);
-
-        ///
-        /// Clones credentials
-        ///
-        /// \returns Pointer to cloned credentials
-        ///
-        virtual config* clone() const;
-
-        /// \name Storage
-        /// @{
-
-        ///
-        /// Return target suffix for Windows Credential Manager credential name
-        ///
-        virtual LPCTSTR target_suffix() const;
-
-        /// @}
-
-        ///
-        /// Combine credentials in the following order:
-        ///
-        /// 1. Cached credentials
-        /// 2. Pre-configured credentials
-        /// 3. Stored credentials
-        ///
-        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL, must be credentials_pap* type)
-        /// \param[in] cfg            Method configuration (must be config_method_pap type)
-        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
-        ///
-        /// \returns
-        /// - \c source_cache      Credentials were obtained from EapHost cache
-        /// - \c source_preshared  Credentials were set by method configuration
-        /// - \c source_storage    Credentials were loaded from Windows Credential Manager
-        ///
-        virtual source_t combine(
-            _In_       const credentials             *cred_cached,
-            _In_       const config_method_with_cred &cfg,
-            _In_opt_z_       LPCTSTR                 pszTargetName);
-    };
-}

lib/PAP/include/Method.h

@@ -30,7 +30,6 @@ namespace eap
 #pragma once
 
 #include "Config.h"
-#include "Credentials.h"
 
 #include "../../EAPBase/include/Method.h"
 
@@ -47,7 +46,7 @@ namespace eap
         /// \param[in] cfg   Method configuration
         /// \param[in] cred  User credentials
         ///
-        method_pap(_In_ module &module, _In_ config_method_pap &cfg, _In_ credentials_pap &cred);
+        method_pap(_In_ module &module, _In_ config_method_pap &cfg, _In_ credentials_pass &cred);
 
         ///
         /// Moves an EAP method
@@ -92,7 +91,7 @@ namespace eap
         /// @}
 
     protected:
-        credentials_pap &m_cred;    ///< EAP-TLS user credentials
+        credentials_pass &m_cred;    ///< EAP-TLS user credentials
 
         enum {
             phase_unknown = -1,     ///< Unknown phase

lib/PAP/src/Config.cpp

@@ -28,9 +28,9 @@ using namespace winstd;
 // eap::config_method_pap
 //////////////////////////////////////////////////////////////////////
 
-eap::config_method_pap::config_method_pap(_In_ module &mod) : config_method_with_cred(mod)
+eap::config_method_pap::config_method_pap(_In_ module &mod, _In_ unsigned int level) : config_method_with_cred(mod, level)
 {
-    m_preshared.reset(new credentials_pap(mod));
+    m_preshared.reset(new credentials_pass(mod));
 }
 
 
@@ -84,5 +84,5 @@ const wchar_t* eap::config_method_pap::get_method_str() const
 
 eap::credentials* eap::config_method_pap::make_credentials() const
 {
-    return new credentials_pap(m_module);
+    return new credentials_pass(m_module);
 }

lib/PAP/src/Credentials.cpp

@@ -1,112 +0,0 @@
-/*
-    Copyright 2015-2016 Amebis
-    Copyright 2016 GÉANT
-
-    This file is part of GÉANTLink.
-
-    GÉANTLink is free software: you can redistribute it and/or modify it
-    under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    GÉANTLink is distributed in the hope that it will be useful, but
-    WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with GÉANTLink. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "StdAfx.h"
-
-using namespace std;
-using namespace winstd;
-
-
-//////////////////////////////////////////////////////////////////////
-// eap::credentials_pap
-//////////////////////////////////////////////////////////////////////
-
-eap::credentials_pap::credentials_pap(_In_ module &mod) : credentials_pass(mod)
-{
-}
-
-
-eap::credentials_pap::credentials_pap(_In_ const credentials_pap &other) :
-    credentials_pass(other)
-{
-}
-
-
-eap::credentials_pap::credentials_pap(_Inout_ credentials_pap &&other) :
-    credentials_pass(std::move(other))
-{
-}
-
-
-eap::credentials_pap& eap::credentials_pap::operator=(_In_ const credentials_pap &other)
-{
-    if (this != &other)
-        (credentials_pass&)*this = other;
-
-    return *this;
-}
-
-
-eap::credentials_pap& eap::credentials_pap::operator=(_Inout_ credentials_pap &&other)
-{
-    if (this != &other)
-        (credentials_pass&&)*this = std::move(other);
-
-    return *this;
-}
-
-
-eap::config* eap::credentials_pap::clone() const
-{
-    return new credentials_pap(*this);
-}
-
-
-LPCTSTR eap::credentials_pap::target_suffix() const
-{
-    return _T("PAP");
-}
-
-
-eap::credentials::source_t eap::credentials_pap::combine(
-    _In_       const credentials             *cred_cached,
-    _In_       const config_method_with_cred &cfg,
-    _In_opt_z_       LPCTSTR                 pszTargetName)
-{
-    if (cred_cached) {
-        // Using EAP service cached credentials.
-        *this = *(credentials_pap*)cred_cached;
-        m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)eap_type_legacy_pap), event_data(credentials_pap::get_name()), event_data::blank);
-        return source_cache;
-    }
-
-    if (cfg.m_use_preshared) {
-        // Using preshared credentials.
-        *this = *(credentials_pap*)cfg.m_preshared.get();
-        m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)eap_type_legacy_pap), event_data(credentials_pap::get_name()), event_data::blank);
-        return source_preshared;
-    }
-
-    if (pszTargetName) {
-        try {
-            credentials_pap cred_loaded(m_module);
-            cred_loaded.retrieve(pszTargetName);
-
-            // Using stored credentials.
-            *this = std::move(cred_loaded);
-            m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)eap_type_legacy_pap), event_data(credentials_pap::get_name()), event_data::blank);
-            return source_storage;
-        } catch (...) {
-            // Not actually an error.
-        }
-    }
-
-    return source_unknown;
-}

lib/PAP/src/Method.cpp

@@ -28,7 +28,7 @@ using namespace winstd;
 // eap::method_pap
 //////////////////////////////////////////////////////////////////////
 
-eap::method_pap::method_pap(_In_ module &module, _In_ config_method_pap &cfg, _In_ credentials_pap &cred) :
+eap::method_pap::method_pap(_In_ module &module, _In_ config_method_pap &cfg, _In_ credentials_pass &cred) :
     m_cred(cred),
     m_phase(phase_unknown),
     method_noneap(module, cfg, cred)

lib/PAP/src/StdAfx.h

@@ -21,7 +21,6 @@
 #pragma once
 
 #include "../include/Config.h"
-#include "../include/Credentials.h"
 #include "../include/Method.h"
 
 #include <Windows.h>

lib/PAP_UI/include/PAP_UI.h

@@ -20,12 +20,11 @@
 
 #include "../../EAPBase_UI/include/EAP_UI.h"
 #include "../../PAP/include/Config.h"
-#include "../../PAP/include/Credentials.h"
 
 ///
 /// PAP credential configuration panel
 ///
-typedef wxEAPCredentialsConfigPanel<eap::credentials_pap, wxPasswordCredentialsPanel<eap::credentials_pap, wxEAPCredentialsPassPanelBase> > wxPAPCredentialsConfigPanel;
+typedef wxEAPCredentialsConfigPanel<eap::credentials_pass, wxPasswordCredentialsPanel<eap::credentials_pass, wxEAPCredentialsPassPanelBase> > wxPAPCredentialsConfigPanel;
 
 ///
 /// PAP configuration panel
@@ -35,7 +34,7 @@ class wxPAPConfigPanel;
 ///
 /// PAP credential entry panel
 ///
-typedef wxPasswordCredentialsPanel<eap::credentials_pap, wxEAPCredentialsPassPanelBase> wxPAPCredentialsPanel;
+typedef wxPasswordCredentialsPanel<eap::credentials_pass, wxEAPCredentialsPassPanelBase> wxPAPCredentialsPanel;
 
 #pragma once
 

lib/TLS/include/Config.h

@@ -66,9 +66,10 @@ namespace eap
         ///
         /// Constructs configuration
         ///
-        /// \param[in] mod  EAP module to use for global services
+        /// \param[in] mod    EAP module to use for global services
+        /// \param[in] level  Config level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        config_method_tls(_In_ module &mod);
+        config_method_tls(_In_ module &mod, _In_ unsigned int level);
 
         ///
         /// Copies configuration

lib/TLS/include/Credentials.h

@@ -158,15 +158,17 @@ namespace eap
         /// Save credentials to Windows Credential Manager
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to store credentials as
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        virtual void store(_In_z_ LPCTSTR pszTargetName) const;
+        virtual void store(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) const;
 
         ///
         /// Retrieve credentials from Windows Credential Manager
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to retrieve credentials from
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        virtual void retrieve(_In_z_ LPCTSTR pszTargetName);
+        virtual void retrieve(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level);
 
         ///
         /// Return target suffix for Windows Credential Manager credential name

lib/TLS/src/Config.cpp

@@ -66,7 +66,7 @@ tstring eap::get_cert_title(PCCERT_CONTEXT cert)
 // eap::config_method_tls
 //////////////////////////////////////////////////////////////////////
 
-eap::config_method_tls::config_method_tls(_In_ module &mod) : config_method_with_cred(mod)
+eap::config_method_tls::config_method_tls(_In_ module &mod, _In_ unsigned int level) : config_method_with_cred(mod, level)
 {
     m_preshared.reset(new credentials_tls(mod));
 }

lib/TLS/src/Credentials.cpp

@@ -166,7 +166,7 @@ void eap::credentials_tls::operator>>(_Inout_ cursor_in &cursor)
 }
 
 
-void eap::credentials_tls::store(_In_z_ LPCTSTR pszTargetName) const
+void eap::credentials_tls::store(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) const
 {
     assert(pszTargetName);
 
@@ -179,7 +179,7 @@ void eap::credentials_tls::store(_In_z_ LPCTSTR pszTargetName) const
             throw win_runtime_error(__FUNCTION__ " CryptProtectData failed.");
     }
 
-    tstring target(target_name(pszTargetName));
+    tstring target(target_name(pszTargetName, level));
 
     // Write credentials.
     assert(cred_enc.cbData     < CRED_MAX_CREDENTIAL_BLOB_SIZE);
@@ -203,13 +203,13 @@ void eap::credentials_tls::store(_In_z_ LPCTSTR pszTargetName) const
 }
 
 
-void eap::credentials_tls::retrieve(_In_z_ LPCTSTR pszTargetName)
+void eap::credentials_tls::retrieve(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level)
 {
     assert(pszTargetName);
 
     // Read credentials.
     unique_ptr<CREDENTIAL, CredFree_delete<CREDENTIAL> > cred;
-    if (!CredRead(target_name(pszTargetName).c_str(), CRED_TYPE_GENERIC, 0, (PCREDENTIAL*)&cred))
+    if (!CredRead(target_name(pszTargetName, level).c_str(), CRED_TYPE_GENERIC, 0, (PCREDENTIAL*)&cred))
         throw win_runtime_error(__FUNCTION__ " CredRead failed.");
 
     if (cred->CredentialBlobSize) {
@@ -240,7 +240,7 @@ void eap::credentials_tls::retrieve(_In_z_ LPCTSTR pszTargetName)
 
 LPCTSTR eap::credentials_tls::target_suffix() const
 {
-    return _T("TLS");
+    return _T("Cert");
 }
 
 
@@ -313,7 +313,7 @@ eap::credentials::source_t eap::credentials_tls::combine(
     if (pszTargetName) {
         try {
             credentials_tls cred_loaded(m_module);
-            cred_loaded.retrieve(pszTargetName);
+            cred_loaded.retrieve(pszTargetName, cfg.m_level);
 
             // Using stored credentials.
             *this = std::move(cred_loaded);

lib/TTLS/include/Config.h

@@ -47,9 +47,10 @@ namespace eap {
         ///
         /// Constructs configuration
         ///
-        /// \param[in] mod  EAP module to use for global services
+        /// \param[in] mod    EAP module to use for global services
+        /// \param[in] level  Config level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        config_method_ttls(_In_ module &mod);
+        config_method_ttls(_In_ module &mod, _In_ unsigned int level);
 
         ///
         /// Copies configuration

lib/TTLS/include/Credentials.h

@@ -149,15 +149,17 @@ namespace eap
         /// Save credentials to Windows Credential Manager
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to store credentials as
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        virtual void store(_In_z_ LPCTSTR pszTargetName) const;
+        virtual void store(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) const;
 
         ///
         /// Retrieve credentials from Windows Credential Manager
         ///
         /// \param[in]  pszTargetName  The name in Windows Credential Manager to retrieve credentials from
+        /// \param[in]  level          Credential level (0=outer, 1=inner, 2=inner-inner...)
         ///
-        virtual void retrieve(_In_z_ LPCTSTR pszTargetName);
+        virtual void retrieve(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level);
 
         ///
         /// Returns credential identity.

lib/TTLS/src/Config.cpp

@@ -28,9 +28,9 @@ using namespace winstd;
 // eap::config_method_ttls
 //////////////////////////////////////////////////////////////////////
 
-eap::config_method_ttls::config_method_ttls(_In_ module &mod) :
+eap::config_method_ttls::config_method_ttls(_In_ module &mod, _In_ unsigned int level) :
-    m_inner(new config_method_pap(mod)),
+    m_inner(new config_method_pap(mod, level + 1)),
-    config_method_tls(mod)
+    config_method_tls(mod, level)
 {
     // TTLS is using blank pre-shared credentials per default.
     m_use_preshared = true;
@@ -265,10 +265,10 @@ eap::credentials* eap::config_method_ttls::make_credentials() const
 eap::config_method_with_cred* eap::config_method_ttls::make_config_method(_In_ winstd::eap_type_t eap_type) const
 {
     switch (eap_type) {
-    case eap_type_tls            : return new config_method_tls     (m_module);
+    case eap_type_tls            : return new config_method_tls     (m_module, m_level + 1);
-    case eap_type_ttls           : return new config_method_ttls    (m_module);
+    case eap_type_ttls           : return new config_method_ttls    (m_module, m_level + 1);
-    case eap_type_legacy_pap     : return new config_method_pap     (m_module);
+    case eap_type_legacy_pap     : return new config_method_pap     (m_module, m_level + 1);
-    case eap_type_legacy_mschapv2: return new config_method_mschapv2(m_module);
+    case eap_type_legacy_mschapv2: return new config_method_mschapv2(m_module, m_level + 1);
     default                      : throw invalid_argument(__FUNCTION__ " Unsupported inner authentication method.");
     }
 }
@@ -276,10 +276,10 @@ eap::config_method_with_cred* eap::config_method_ttls::make_config_method(_In_ w
 
 eap::config_method_with_cred* eap::config_method_ttls::make_config_method(_In_ const wchar_t *eap_type) const
 {
-         if (_wcsicmp(eap_type, L"EAP-TLS" ) == 0) return new config_method_tls     (m_module);
+         if (_wcsicmp(eap_type, L"EAP-TLS" ) == 0) return new config_method_tls     (m_module, m_level + 1);
-    else if (_wcsicmp(eap_type, L"EAP-TTLS") == 0) return new config_method_ttls    (m_module);
+    else if (_wcsicmp(eap_type, L"EAP-TTLS") == 0) return new config_method_ttls    (m_module, m_level + 1);
-    else if (_wcsicmp(eap_type, L"PAP"     ) == 0) return new config_method_pap     (m_module);
+    else if (_wcsicmp(eap_type, L"PAP"     ) == 0) return new config_method_pap     (m_module, m_level + 1);
-    else if (_wcsicmp(eap_type, L"MSCHAPv2") == 0) return new config_method_mschapv2(m_module);
+    else if (_wcsicmp(eap_type, L"MSCHAPv2") == 0) return new config_method_mschapv2(m_module, m_level + 1);
     else                                           throw invalid_argument(__FUNCTION__ " Unsupported inner authentication method.");
 }
 

lib/TTLS/src/Credentials.cpp

@@ -146,23 +146,23 @@ void eap::credentials_ttls::operator>>(_Inout_ cursor_in &cursor)
 }
 
 
-void eap::credentials_ttls::store(_In_z_ LPCTSTR pszTargetName) const
+void eap::credentials_ttls::store(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level) const
 {
     assert(0); // Not that we would ever store inner&outer credentials to Windows Credential Manager joined, but for completness sake... Here we go:
 
-    credentials_tls::store(pszTargetName);
+    credentials_tls::store(pszTargetName, level);
 
-    m_inner->store(pszTargetName);
+    m_inner->store(pszTargetName, level + 1);
 }
 
 
-void eap::credentials_ttls::retrieve(_In_z_ LPCTSTR pszTargetName)
+void eap::credentials_ttls::retrieve(_In_z_ LPCTSTR pszTargetName, _In_ unsigned int level)
 {
     assert(0); // Not that we would ever retrieve inner&outer credentials to Windows Credential Manager joined, but for completness sake... Here we go:
 
-    credentials_tls::retrieve(pszTargetName);
+    credentials_tls::retrieve(pszTargetName, level);
 
-    m_inner->retrieve(pszTargetName);
+    m_inner->retrieve(pszTargetName, level + 1);
 }
 
 

lib/TTLS/src/Method.cpp

@@ -69,8 +69,8 @@ void eap::method_ttls::begin_session(
 
     // Initialize inner method.
     switch (m_cfg.m_inner->get_method_id()) {
-    case eap_type_legacy_pap     : m_inner.reset(new method_pap     (m_module, (config_method_pap     &)*m_cfg.m_inner, (credentials_pap     &)*m_cred.m_inner.get())); break;
+    case eap_type_legacy_pap     : m_inner.reset(new method_pap     (m_module, (config_method_pap     &)*m_cfg.m_inner, (credentials_pass     &)*m_cred.m_inner.get())); break;
-    case eap_type_legacy_mschapv2: m_inner.reset(new method_mschapv2(m_module, (config_method_mschapv2&)*m_cfg.m_inner, (credentials_mschapv2&)*m_cred.m_inner.get())); break;
+    case eap_type_legacy_mschapv2: m_inner.reset(new method_mschapv2(m_module, (config_method_mschapv2&)*m_cfg.m_inner, (credentials_pass&)*m_cred.m_inner.get())); break;
     default: throw invalid_argument(__FUNCTION__ " Unsupported inner authentication method.");
     }
     m_inner->begin_session(dwFlags, pAttributeArray, hTokenImpersonateUser, MAXDWORD);

lib/TTLS/src/Module.cpp

@@ -35,7 +35,7 @@ eap::peer_ttls::peer_ttls() : peer(eap_type_ttls)
 
 eap::config_method* eap::peer_ttls::make_config_method()
 {
-    return new config_method_ttls(*this);
+    return new config_method_ttls(*this, 0);
 }
 
 

lib/TTLS/src/StdAfx.h

@@ -27,11 +27,9 @@
 #include "../include/TTLS.h"
 
 #include "../../PAP/include/Config.h"
-#include "../../PAP/include/Credentials.h"
 #include "../../PAP/include/Method.h"
 
 #include "../../MSCHAPv2/include/Config.h"
-#include "../../MSCHAPv2/include/Credentials.h"
 #include "../../MSCHAPv2/include/Method.h"
 #include "../../MSCHAPv2/include/MSCHAPv2.h"
 

lib/TTLS_UI/src/Module.cpp

@@ -52,7 +52,7 @@ eap::peer_ttls_ui::peer_ttls_ui() : peer_ui(eap_type_ttls)
 
 eap::config_method* eap::peer_ttls_ui::make_config_method()
 {
-    return new config_method_ttls(*this);
+    return new config_method_ttls(*this, 0);
 }
 
 
@@ -270,7 +270,7 @@ void eap::peer_ttls_ui::invoke_identity_ui(
                     // Write credentials to credential manager.
                     if (panel->m_outer_cred->GetRemember()) {
                         try {
-                            _cred_out->credentials_tls::store(target_name.c_str());
+                            _cred_out->credentials_tls::store(target_name.c_str(), 0);
                         } catch (winstd::win_runtime_error &err) {
                             wxLogError(winstd::tstring_printf(_("Error writing credentials to Credential Manager: %hs (error %u)"), err.what(), err.number()).c_str());
                         } catch (...) {
@@ -280,7 +280,7 @@ void eap::peer_ttls_ui::invoke_identity_ui(
 
                     if (panel->m_inner_cred->GetRemember()) {
                         try {
-                            _cred_out->m_inner->store(target_name.c_str());
+                            _cred_out->m_inner->store(target_name.c_str(), 1);
                         } catch (winstd::win_runtime_error &err) {
                             wxLogError(winstd::tstring_printf(_("Error writing credentials to Credential Manager: %hs (error %u)"), err.what(), err.number()).c_str());
                         } catch (...) {

lib/TTLS_UI/src/TTLS_UI.cpp

@@ -95,8 +95,8 @@ void wxTTLSConfigPanel::OnUpdateUI(wxUpdateUIEvent& /*event*/)
 
 wxTTLSConfigWindow::wxTTLSConfigWindow(eap::config_provider &prov, eap::config_method &cfg, wxWindow* parent) :
     m_cfg((eap::config_method_ttls&)cfg),
-    m_cfg_pap(cfg.m_module),
+    m_cfg_pap(cfg.m_module, cfg.m_level + 1),
-    m_cfg_mschapv2(cfg.m_module),
+    m_cfg_mschapv2(cfg.m_module, cfg.m_level + 1),
     wxEAPConfigWindow(prov, cfg, parent)
 {
     wxBoxSizer* sb_content;
@@ -246,13 +246,13 @@ wxTTLSCredentialsPanel::wxTTLSCredentialsPanel(const eap::config_provider &prov,
     const eap::config_method_mschapv2 *cfg_inner_mschapv2;
     if ((cfg_inner_pap = dynamic_cast<const eap::config_method_pap*>(m_cfg.m_inner.get())) != NULL) {
         eap::credentials_ttls &cred_ttls = (eap::credentials_ttls&)cred;
-        if (!cred_ttls.m_inner) cred_ttls.m_inner.reset(new eap::credentials_pap(cred.m_module));
+        if (!cred_ttls.m_inner) cred_ttls.m_inner.reset(new eap::credentials_pass(cred.m_module));
-        m_inner_cred = new wxPAPCredentialsPanel(m_prov, *cfg_inner_pap, *(eap::credentials_pap*)cred_ttls.m_inner.get(), this, is_config);
+        m_inner_cred = new wxPAPCredentialsPanel(m_prov, *cfg_inner_pap, *(eap::credentials_pass*)cred_ttls.m_inner.get(), this, is_config);
         sb_content->Add(m_inner_cred, 0, wxALL|wxEXPAND, 5);
     } else if ((cfg_inner_mschapv2 = dynamic_cast<const eap::config_method_mschapv2*>(m_cfg.m_inner.get())) != NULL) {
         eap::credentials_ttls &cred_ttls = (eap::credentials_ttls&)cred;
-        if (!cred_ttls.m_inner) cred_ttls.m_inner.reset(new eap::credentials_mschapv2(cred.m_module));
+        if (!cred_ttls.m_inner) cred_ttls.m_inner.reset(new eap::credentials_pass(cred.m_module));
-        m_inner_cred = new wxMSCHAPv2CredentialsPanel(m_prov, *cfg_inner_mschapv2, *(eap::credentials_mschapv2*)cred_ttls.m_inner.get(), this, is_config);
+        m_inner_cred = new wxMSCHAPv2CredentialsPanel(m_prov, *cfg_inner_mschapv2, *(eap::credentials_pass*)cred_ttls.m_inner.get(), this, is_config);
         sb_content->Add(m_inner_cred, 0, wxALL|wxEXPAND, 5);
     } else
         assert(0); // Unsupported inner authentication method type.