credentials_tls: Keep thumbprint rather than client certificate

By storing the client certificate, the certificate became detached from
its private key stored in the user certificate store. This rendered client
certificates useless for client TLS authentication.

Now, the client certificate thumbprint is stored instead. The client
certificate is looked up in the user certificate store as required.

This breaks profile XML and BLOB backward compatibility. Since the
client certificate support was broken, nobody probably used those in
the settings before.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-06 11:15:34 +01:00
parent 75488ba870
commit 6e97a04bfe
6 changed files with 107 additions and 175 deletions


@@ -142,12 +142,7 @@ namespace eap
_In_opt_z_ LPCTSTR pszTargetName);
public:
winstd::cert_context m_cert; ///< Client certificate
private:
/// \cond internal
static const unsigned char s_entropy[1024];
/// \endcond
std::vector<unsigned char> m_cert_hash; ///< Client certificate SHA-1 thumbprint
};
/// @}
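Review bot: the new `m_cert_hash` member is documented only as a "SHA-1 thumbprint"; since the `std::vector<unsigned char>` can hold any length, the comment should state the expected size (20 bytes for SHA-1) and that an empty vector means "no client certificate selected", so that the lookup code and the profile/BLOB (de)serializer can reject malformed values instead of silently matching nothing. The commit message says this change breaks profile XML and BLOB compatibility, yet nothing in this hunk records a format version bump or documents the new field layout; at minimum add a note on `m_cert_hash` that the serialized representation changed and how an old BLOB is treated on load.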


@@ -143,6 +143,8 @@ namespace eap
_In_ HANDLE hTokenImpersonateUser,
_In_opt_ DWORD dwMaxSendPacketSize = MAXDWORD);
virtual void end_session();
/// @}
/// \name Packet processing
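Review bot: `virtual void end_session();` is added without a Doxygen comment, while the surrounding declarations in this header carry `///`/`///<` documentation; document what the method releases (the per-session state acquired by the method whose `hTokenImpersonateUser` parameter precedes it) and whether calling it without a preceding session start is allowed. If `end_session()` overrides a base-class method, mark it `override` so the compiler catches a signature mismatch with the base.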
@@ -192,6 +194,7 @@ namespace eap
config_method_tls &m_cfg; ///< Method configuration
credentials_tls &m_cred; ///< Method user credentials
HANDLE m_user_ctx; ///< Handle to user context
winstd::cert_store m_store; ///< User certificate store
winstd::tstring m_sc_target_name; ///< Schannel target name
winstd::sec_credentials m_sc_cred; ///< Schannel client credentials
std::vector<unsigned char> m_sc_queue; ///< TLS data queue
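Review bot: the new `winstd::cert_store m_store; ///< User certificate store` member holds a store handle whose lifetime is now tied to the method object, but the hunk does not say when it is opened or closed; document that it is opened under the impersonated user's context and released in `end_session()`, otherwise a handle to the user's store can outlive the session. Since the whole point of the change is to keep the private key reachable, also document on `m_store` (or on the lookup that uses it) that a thumbprint match is only accepted when the found certificate has an associated private key, so a thumbprint that resolves to a key-less certificate in the user store fails early with a clear error rather than at the Schannel credential acquisition in `m_sc_cred`.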