Clean-up

lib/TLS/include/Method.h

@@ -314,6 +314,9 @@ namespace eap
         ///
         class hash_hmac
         {
+        public:
+            typedef unsigned char padding_t[64];
+
         public:
             ///
             /// Construct new HMAC hashing object
@@ -337,9 +340,9 @@ namespace eap
             /// \param[in] padding      HMAC secret XOR inner padding
             ///
             hash_hmac(
-                _In_       HCRYPTPROV    hProv,
-                _In_       ALG_ID        alg,
-                _In_ const unsigned char padding[64]);
+                _In_       HCRYPTPROV hProv,
+                _In_       ALG_ID     alg,
+                _In_ const padding_t  padding);
 
             ///
             /// Provides access to inner hash object to hash data at will.
@@ -382,11 +385,11 @@ namespace eap
             /// \param[out] padding      HMAC secret XOR inner padding
             ///
             static void inner_padding(
-                _In_                               HCRYPTPROV    hProv,
-                _In_                               ALG_ID        alg,
-                _In_bytecount_(size_secret ) const void          *secret,
-                _In_                               size_t        size_secret,
-                _Out_                              unsigned char padding[64]);
+                _In_                               HCRYPTPROV hProv,
+                _In_                               ALG_ID     alg,
+                _In_bytecount_(size_secret ) const void       *secret,
+                _In_                               size_t     size_secret,
+                _Out_                              padding_t  padding);
 
         protected:
             winstd::crypt_hash m_hash_inner; ///< Inner hashing object
@@ -671,7 +674,7 @@ namespace eap
             return key.detach();
         }
 
-    public:
+    protected:
         config_method_tls &m_cfg;                               ///< EAP-TLS method configuration
         credentials_tls &m_cred;                                ///< EAP-TLS user credentials
 
@@ -686,7 +689,8 @@ namespace eap
         packet m_packet_res;                                    ///< Response packet
 
         winstd::crypt_prov m_cp;                                ///< Cryptography provider
-        sanitizing_blob m_padding_hmac_client;                  ///< Padding (key) for HMAC calculation
+        sanitizing_blob m_padding_hmac_client;                  ///< Padding (key) for client side HMAC calculation
+        //sanitizing_blob m_padding_hmac_server;                  ///< Padding (key) for server side HMAC calculation
         winstd::crypt_key m_key_client;                         ///< Key for encrypting messages
         winstd::crypt_key m_key_server;                         ///< Key for decrypting messages
 
@@ -707,7 +711,6 @@ namespace eap
         bool m_server_finished;                                 ///< Did server send a valid finish message?
         bool m_cipher_spec;                                     ///< Did server specify cipher?
 
-    protected:
         unsigned __int64 m_seq_num;                             ///< Sequence number for encryption
     };
 }

lib/TLS/src/Method.cpp

@@ -189,7 +189,7 @@ eap::method_tls::hash_hmac::hash_hmac(
     _In_                               size_t     size_secret)
 {
     // Prepare padding.
-    sanitizing_blob padding(64);
+    sanitizing_blob padding(sizeof(padding_t));
     inner_padding(hProv, alg, secret, size_secret, padding.data());
 
     // Continue with the other constructor.
@@ -198,21 +198,21 @@ eap::method_tls::hash_hmac::hash_hmac(
 
 
 eap::method_tls::hash_hmac::hash_hmac(
-    _In_       HCRYPTPROV    hProv,
-    _In_       ALG_ID        alg,
-    _In_ const unsigned char padding[64])
+    _In_       HCRYPTPROV hProv,
+    _In_       ALG_ID     alg,
+    _In_ const padding_t  padding)
 {
     // Create inner hash.
     if (!m_hash_inner.create(hProv, alg))
         throw win_runtime_error(__FUNCTION__ " Error creating inner hash.");
 
     // Initialize it with the inner padding.
-    if (!CryptHashData(m_hash_inner, padding, 64, 0))
+    if (!CryptHashData(m_hash_inner, padding, sizeof(padding_t), 0))
         throw win_runtime_error(__FUNCTION__ " Error hashing secret XOR inner padding.");
 
     // Convert inner padding to outer padding for final calculation.
-    unsigned char padding_out[64];
-    for (size_t i = 0; i < 64; i++)
+    padding_t padding_out;
+    for (size_t i = 0; i < sizeof(padding_t); i++)
         padding_out[i] = padding[i] ^ (0x36 ^ 0x5c);
 
     // Create outer hash.
@@ -220,26 +220,26 @@ eap::method_tls::hash_hmac::hash_hmac(
         throw win_runtime_error(__FUNCTION__ " Error creating outer hash.");
 
     // Initialize it with the outer padding.
-    if (!CryptHashData(m_hash_outer, padding_out, 64, 0))
+    if (!CryptHashData(m_hash_outer, padding_out, sizeof(padding_t), 0))
         throw win_runtime_error(__FUNCTION__ " Error hashing secret XOR inner padding.");
 }
 
 
 void eap::method_tls::hash_hmac::inner_padding(
-    _In_                               HCRYPTPROV    hProv,
-    _In_                               ALG_ID        alg,
-    _In_bytecount_(size_secret ) const void          *secret,
-    _In_                               size_t        size_secret,
-    _Out_                              unsigned char padding[64])
+    _In_                               HCRYPTPROV hProv,
+    _In_                               ALG_ID     alg,
+    _In_bytecount_(size_secret ) const void       *secret,
+    _In_                               size_t     size_secret,
+    _Out_                              padding_t  padding)
 {
-    if (size_secret > 64) {
+    if (size_secret > sizeof(padding_t)) {
         // If the secret is longer than padding, use secret's hash instead.
         crypt_hash hash;
         if (!hash.create(hProv, alg))
             throw win_runtime_error(__FUNCTION__ " Error creating hash.");
         if (!CryptHashData(hash, (const BYTE*)secret, (DWORD)size_secret, 0))
             throw win_runtime_error(__FUNCTION__ " Error hashing.");
-        DWORD size_hash = 64;
+        DWORD size_hash = sizeof(padding_t);
         if (!CryptGetHashParam(hash, HP_HASHVAL, padding, &size_hash, 0))
             throw win_runtime_error(__FUNCTION__ " Error finishing hash.");
         size_secret = size_hash;
@@ -247,7 +247,7 @@ void eap::method_tls::hash_hmac::inner_padding(
         memcpy(padding, secret, size_secret);
     for (size_t i = 0; i < size_secret; i++)
         padding[i] ^= 0x36;
-    memset(padding + size_secret, 0x36, 64 - size_secret);
+    memset(padding + size_secret, 0x36, sizeof(padding_t) - size_secret);
 }
 
 
@@ -452,6 +452,7 @@ void eap::method_tls::process_request_packet(
         m_phase = phase_client_hello;
         m_packet_res.clear();
         m_padding_hmac_client.clear();
+        //m_padding_hmac_server.clear();
         m_key_client.free();
         m_key_server.free();
 
@@ -874,12 +875,13 @@ void eap::method_tls::derive_keys()
     const unsigned char *_key_block = key_block.data();
 
     // client_write_MAC_secret
-    m_padding_hmac_client.resize(64);
+    m_padding_hmac_client.resize(sizeof(hash_hmac::padding_t));
     hash_hmac::inner_padding(m_cp, CALG_SHA1, _key_block, 20, m_padding_hmac_client.data());
     _key_block += 20;
 
     // server_write_MAC_secret
-    // Skip!
+    //m_padding_hmac_server.resize(sizeof(hash_hmac::padding_t));
+    //hash_hmac::inner_padding(m_cp, CALG_SHA1, _key_block, 20, m_padding_hmac_server.data());
     _key_block += 20;
 
     // client_write_key
@@ -1252,8 +1254,8 @@ eap::sanitizing_blob eap::method_tls::prf(
 
     // Precalculate HMAC padding for speed.
     sanitizing_blob
-        hmac_padding1(64),
-        hmac_padding2(64);
+        hmac_padding1(sizeof(hash_hmac::padding_t)),
+        hmac_padding2(sizeof(hash_hmac::padding_t));
     hash_hmac::inner_padding(m_cp, CALG_MD5 , S1, size_S1, hmac_padding1.data());
     hash_hmac::inner_padding(m_cp, CALG_SHA1, S2, size_S2, hmac_padding2.data());