- PPP authentication EAP response packet is correctly formed now

- MS-MPPE-Send-Key/MS-MPPE-Recv-Key sorted out

lib/TLS/include/Method.h

@@ -492,8 +492,8 @@ namespace eap
         winstd::crypt_key m_key_client;                         ///< Key for encrypting messages
         winstd::crypt_key m_key_server;                         ///< Key for decrypting messages
 
-        tls_random m_key_mppe_send;                             ///< MS-MPPE-Send-Key
-        tls_random m_key_mppe_recv;                             ///< MS-MPPE-Recv-Key
+        tls_random m_key_mppe_client;                           ///< MS-MPPE-Recv-Key
+        tls_random m_key_mppe_server;                           ///< MS-MPPE-Send-Key
 
         sanitizing_blob m_session_id;                           ///< TLS session ID
 

lib/TLS/include/TLS.h

@@ -217,7 +217,7 @@ namespace eap
 
 #pragma pack(push)
 #pragma pack(1)
-    struct tls_random
+    struct __declspec(novtable) tls_random
     {
         unsigned char data[32]; ///< Randomness
 
@@ -264,7 +264,7 @@ namespace eap
 
 #pragma pack(push)
 #pragma pack(1)
-    struct tls_master_secret
+    struct __declspec(novtable) tls_master_secret
     {
         unsigned char data[48];
 

lib/TLS/src/Method.cpp

@@ -120,8 +120,8 @@ eap::method_tls::method_tls(_In_ const method_tls &other) :
     m_padding_hmac_server(other.m_padding_hmac_server),
     m_key_client(other.m_key_client),
     m_key_server(other.m_key_server),
-    m_key_mppe_send(other.m_key_mppe_send),
-    m_key_mppe_recv(other.m_key_mppe_recv),
+    m_key_mppe_client(other.m_key_mppe_client),
+    m_key_mppe_server(other.m_key_mppe_server),
     m_session_id(other.m_session_id),
     m_server_cert_chain(other.m_server_cert_chain),
     m_hash_handshake_msgs_md5(other.m_hash_handshake_msgs_md5),
@@ -148,8 +148,8 @@ eap::method_tls::method_tls(_Inout_ method_tls &&other) :
     m_padding_hmac_server(std::move(other.m_padding_hmac_server)),
     m_key_client(std::move(other.m_key_client)),
     m_key_server(std::move(other.m_key_server)),
-    m_key_mppe_send(std::move(other.m_key_mppe_send)),
-    m_key_mppe_recv(std::move(other.m_key_mppe_recv)),
+    m_key_mppe_client(std::move(other.m_key_mppe_client)),
+    m_key_mppe_server(std::move(other.m_key_mppe_server)),
     m_session_id(std::move(other.m_session_id)),
     m_server_cert_chain(std::move(other.m_server_cert_chain)),
     m_hash_handshake_msgs_md5(std::move(other.m_hash_handshake_msgs_md5)),
@@ -186,8 +186,8 @@ eap::method_tls& eap::method_tls::operator=(_In_ const method_tls &other)
         m_padding_hmac_server       = other.m_padding_hmac_server;
         m_key_client                = other.m_key_client;
         m_key_server                = other.m_key_server;
-        m_key_mppe_send             = other.m_key_mppe_send;
-        m_key_mppe_recv             = other.m_key_mppe_recv;
+        m_key_mppe_client           = other.m_key_mppe_client;
+        m_key_mppe_server           = other.m_key_mppe_server;
         m_session_id                = other.m_session_id;
         m_server_cert_chain         = other.m_server_cert_chain;
         m_hash_handshake_msgs_md5   = other.m_hash_handshake_msgs_md5;
@@ -218,8 +218,8 @@ eap::method_tls& eap::method_tls::operator=(_Inout_ method_tls &&other)
         m_padding_hmac_server       = std::move(other.m_padding_hmac_server);
         m_key_client                = std::move(other.m_key_client);
         m_key_server                = std::move(other.m_key_server);
-        m_key_mppe_send             = std::move(other.m_key_mppe_send);
-        m_key_mppe_recv             = std::move(other.m_key_mppe_recv);
+        m_key_mppe_client           = std::move(other.m_key_mppe_client);
+        m_key_mppe_server           = std::move(other.m_key_mppe_server);
         m_session_id                = std::move(other.m_session_id);
         m_server_cert_chain         = std::move(other.m_server_cert_chain);
         m_hash_handshake_msgs_md5   = std::move(other.m_hash_handshake_msgs_md5);
@@ -351,8 +351,8 @@ void eap::method_tls::process_request_packet(
         m_padding_hmac_server.clear();
         m_key_client.free();
         m_key_server.free();
-        m_key_mppe_send.clear();
-        m_key_mppe_recv.clear();
+        m_key_mppe_client.clear();
+        m_key_mppe_server.clear();
 
         m_server_cert_chain.clear();
 
@@ -565,12 +565,12 @@ void eap::method_tls::get_result(
         derive_msk();
 
         // Fill array with RADIUS attributes.
-        // Note: MS-MPPE-Send-Key/MS-MPPE-Recv-Key are sent in swapped to change between client and server point of view.
         eap_attr a;
         m_eap_attr.clear();
-        a.create_ms_mppe_key(16, (LPCBYTE)&m_key_mppe_recv, sizeof(tls_random));
+        m_eap_attr.reserve(3);
+        a.create_ms_mppe_key(16, (LPCBYTE)&m_key_mppe_client, sizeof(tls_random));
         m_eap_attr.push_back(std::move(a));
-        a.create_ms_mppe_key(17, (LPCBYTE)&m_key_mppe_send, sizeof(tls_random));
+        a.create_ms_mppe_key(17, (LPCBYTE)&m_key_mppe_server, sizeof(tls_random));
         m_eap_attr.push_back(std::move(a));
         m_eap_attr.push_back(eap_attr::blank);
 
@@ -882,11 +882,11 @@ void eap::method_tls::derive_msk()
     const unsigned char *_key_block = key_block.data();
 
     // MS-MPPE-Recv-Key
-    memcpy(&m_key_mppe_recv, _key_block, sizeof(tls_random));
+    memcpy(&m_key_mppe_client, _key_block, sizeof(tls_random));
     _key_block += sizeof(tls_random);
 
     // MS-MPPE-Send-Key
-    memcpy(&m_key_mppe_send, _key_block, sizeof(tls_random));
+    memcpy(&m_key_mppe_server, _key_block, sizeof(tls_random));
     _key_block += sizeof(tls_random);
 }
 

lib/TTLS/src/Method.cpp

@@ -99,9 +99,14 @@ void eap::method_ttls::process_request_packet(
             if (!m_cipher_spec)
                 throw runtime_error(__FUNCTION__ " Refusing to send credentials unencrypted.");
 
+            m_packet_res.m_code  = EapCodeResponse;
+            m_packet_res.m_id    = m_packet_req.m_id;
+            m_packet_res.m_flags = 0;
             sanitizing_blob client(make_pap_client());
             sanitizing_blob application(make_message(tls_message_type_application_data, client, m_cipher_spec));
-            m_packet_res.m_data.insert(m_packet_res.m_data.end(), application.begin(), application.end());
+            m_packet_res.m_data.assign(application.begin(), application.end());
+
+            pEapOutput->fAllowNotifications = FALSE;
             pEapOutput->action = EapPeerMethodResponseActionSend;
         }
     } else {
@@ -133,12 +138,12 @@ void eap::method_ttls::derive_msk()
     sanitizing_blob key_block(prf(m_state.m_master_secret, seed, 2*sizeof(tls_random)));
     const unsigned char *_key_block = key_block.data();
 
-    // MS-MPPE-Recv-Key
-    memcpy(&m_key_mppe_recv, _key_block, sizeof(tls_random));
+    // MSK: MPPE-Recv-Key
+    memcpy(&m_key_mppe_client, _key_block, sizeof(tls_random));
     _key_block += sizeof(tls_random);
 
-    // MS-MPPE-Send-Key
-    memcpy(&m_key_mppe_send, _key_block, sizeof(tls_random));
+    // MSK: MPPE-Send-Key
+    memcpy(&m_key_mppe_server, _key_block, sizeof(tls_random));
     _key_block += sizeof(tls_random);
 }
 
@@ -154,25 +159,25 @@ eap::sanitizing_blob eap::method_ttls::make_pap_client() const
     WideCharToMultiByte(CP_UTF8, 0, cred->m_identity.c_str(), (int)cred->m_identity.length(), identity_utf8, NULL, NULL);
     WideCharToMultiByte(CP_UTF8, 0, cred->m_password.c_str(), (int)cred->m_password.length(), password_utf8, NULL, NULL);
 
-    unsigned char rnd;
-    if (!CryptGenRandom(m_cp, sizeof(rnd), &rnd))
-        rnd = 0;
-
     size_t
         size_identity    = identity_utf8.length(),
         size_password    = password_utf8.length(),
         padding_identity = (4 - size_identity         ) % 4,
-        padding_password = (16 - (password_utf8.length() + rnd)) % 16; // According to RFC 5281 passwords must be padded to 16B boundary with random padding blocks to make password length guessing harder.
+        padding_password = (4 - password_utf8.length()) % 4,
+        size_identity_outer,
+        size_password_outer;
 
     sanitizing_blob msg;
     msg.reserve(
+        (size_identity_outer = 
         4                + // Diameter AVP Code
         4                + // Diameter AVP Flags & Length
-        size_identity    + // Identity
+        size_identity)   + // Identity
         padding_identity + // Identity padding
+        (size_password_outer = 
         4                + // Diameter AVP Code
         4                + // Diameter AVP Flags & Length
-        size_password    + // Password
+        size_password)   + // Password
         padding_password); // Password padding
 
     // Diameter AVP Code User-Name (0x00000001)
@@ -182,7 +187,7 @@ eap::sanitizing_blob eap::method_ttls::make_pap_client() const
     msg.push_back(0x01);
 
     // Diameter AVP Flags & Length
-    unsigned int identity_hdr = htonl((diameter_avp_flag_mandatory << 24) | (unsigned int)size_identity);
+    unsigned int identity_hdr = htonl((diameter_avp_flag_mandatory << 24) | (unsigned int)size_identity_outer);
     msg.insert(msg.end(), (unsigned char*)&identity_hdr, (unsigned char*)(&identity_hdr + 1));
 
     // Identity
@@ -196,7 +201,7 @@ eap::sanitizing_blob eap::method_ttls::make_pap_client() const
     msg.push_back(0x02);
 
     // Diameter AVP Flags & Length
-    unsigned int password_hdr = htonl((diameter_avp_flag_mandatory << 24) | (unsigned int)size_password);
+    unsigned int password_hdr = htonl((diameter_avp_flag_mandatory << 24) | (unsigned int)size_password_outer);
     msg.insert(msg.end(), (unsigned char*)&password_hdr, (unsigned char*)(&password_hdr + 1));
 
     // Password

lib/WinStd

@@ -1 +1 @@
-Subproject commit 25c886754dafdf0d7fef2dc9d28f5328d2bf7ddd
+Subproject commit 028979524a6c944549b4adda490e48c91d998361