From 9b174b7855142529a3416ee987d1fb6637fffabc Mon Sep 17 00:00:00 2001
From: Simon Rozman
Date: Wed, 1 Feb 2017 10:12:57 +0100
Subject: [PATCH] Simple BLOB encryption/decryption added & comment updates
---
 lib/EAPBase/include/Module.h | 76 ++++++++++++++++++++++++++++++++++--
 lib/TLS/src/Method.cpp | 2 +-
 2 files changed, 74 insertions(+), 4 deletions(-)
diff --git a/lib/EAPBase/include/Module.h b/lib/EAPBase/include/Module.h
index 5a95770..16d714a 100644
--- a/lib/EAPBase/include/Module.h
+++ b/lib/EAPBase/include/Module.h
@@ -514,9 +514,10 @@ namespace eap
 /// @{
 ///
- /// Unencrypts and unpacks the BLOB
+ /// Decrypts a BLOB
+ ///
+ /// \note When EAP_ENCRYPT_BLOBS is defined non-zero, the BLOB is decrypted; otherwise, it is copied only.
 ///
- /// \param[inout] record Object to unpack to
 /// \param[in ] pDataIn Pointer to encrypted BLOB
 /// \param[in ] dwDataInSize Size of \p pDataIn
 /// \param[out ] ppEapError Pointer to error descriptor in case of failure. Free using `module::free_error_memory()`.
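Review bot: The trailing context line `/// \param[out ] ppEapError ...` now sits in the comment block that, once the next hunk is applied, documents the new `sanitizing_blob unpack(pDataIn, dwDataInSize)` overload, which has no ppEapError parameter and signals failure by throwing `winstd::win_runtime_error`. The next hunk keeps the `\c true`/`\c false` return bullets as context and adds `/// \returns Encrypted BLOB`, so the block ends up describing two contradictory return conventions, and "Encrypted" should read "Decrypted" for a decrypting function. I would drop the ppEapError line and the true/false bullets and replace them with `/// \returns Decrypted BLOB` and `/// \throws winstd::win_runtime_error if the cryptographic provider cannot be acquired`. The `\returns` header line those bullets belong to presumably falls in the gap between this hunk and the next, so it is not visible here.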
@@ -525,9 +526,38 @@ namespace eap
 /// - \c true if succeeded
 /// - \c false otherwise. See \p ppEapError for details.
 ///
+ /// \returns Encrypted BLOB
+ ///
+ sanitizing_blob unpack(
+ _In_count_(dwDataInSize) const BYTE *pDataIn,
+ _In_ DWORD dwDataInSize)
+ {
+#if EAP_ENCRYPT_BLOBS
+ // Prepare cryptographics provider.
+ winstd::crypt_prov cp;
+ if (!cp.create(NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT))
+ throw winstd::win_runtime_error(__FUNCTION__ " CryptAcquireContext failed.");
+
+ // Decrypt data.
+ return std::move(decrypt_md5 >(cp, pDataIn, dwDataInSize));
+#else
+ return sanitizing_blob(pDataIn, pDataIn + dwDataInSize);
+#endif
+ }
+
+
+ ///
+ /// Decrypts and unpacks the BLOB
+ ///
+ /// \note When EAP_ENCRYPT_BLOBS is defined non-zero, the BLOB is decrypted and unpacked to the \p record; otherwise, it is unpacked to the \p record only.
+ ///
+ /// \param[out] record Object to unpack to
+ /// \param[in ] pDataIn Pointer to encrypted BLOB
+ /// \param[in ] dwDataInSize Size of \p pDataIn
+ ///
 template
 void unpack(
- _Inout_ T &record,
+ _Out_ T &record,
 _In_count_(dwDataInSize) const BYTE *pDataIn,
 _In_ DWORD dwDataInSize)
 {
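Review bot: The `return std::move(decrypt_md5...(cp, pDataIn, dwDataInSize));` line wraps a prvalue in `std::move`, which replaces the return-value elision the compiler would otherwise apply with an extra move of the decrypted blob; drop the `std::move` wrapper and return the call expression directly (the same pattern appears in the `data_enc` initializer of the next hunk). Separately, nothing in this hunk shows where `decrypt_md5` obtains its key: the provider is acquired with `CRYPT_VERIFYCONTEXT`, which gives no persistent key container, so the key must come from the helper itself. A one-line `\note` on the new `sanitizing_blob unpack` overload stating the key's origin and what the BLOB encryption is meant to protect against would let a reviewer judge the scheme; the "md5" in the helper's name suggests an MD5-based derivation, which is worth confirming and documenting rather than leaving implicit.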
@@ -549,9 +579,49 @@ namespace eap
 }
+ ///
+ /// Encrypts a BLOB
+ ///
+ /// \note When EAP_ENCRYPT_BLOBS is defined non-zero, the BLOB is encrypted; otherwise, it is copied only.
+ ///
+ /// \param[in ] data BLOB to encrypt
+ /// \param[out] ppDataOut Pointer to pointer to receive encrypted BLOB. Pointer must be freed using `module::free_memory()`.
+ /// \param[out] pdwDataOutSize Pointer to \p ppDataOut size
+ ///
+ void pack(
+ _In_ const sanitizing_blob &data,
+ _Out_ BYTE **ppDataOut,
+ _Out_ DWORD *pdwDataOutSize)
+ {
+ assert(ppDataOut);
+ assert(pdwDataOutSize);
+
+#if EAP_ENCRYPT_BLOBS
+ // Prepare cryptographics provider.
+ winstd::crypt_prov cp;
+ if (!cp.create(NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT))
+ throw winstd::win_runtime_error(__FUNCTION__ " CryptAcquireContext failed.");
+
+ // Encrypt BLOB.
+ std::vector data_enc(std::move(encrypt_md5(cp, data.data(), data.size())));
+
+ // Copy encrypted BLOB to output.
+ *pdwDataOutSize = (DWORD)data_enc.size();
+ *ppDataOut = alloc_memory(*pdwDataOutSize);
+ memcpy(*ppDataOut, data_enc.data(), *pdwDataOutSize);
+#else
+ // Allocate and copy BLOB.
+ *pdwDataOutSize = (DWORD)data.size();
+ memcpy(*ppDataOut = alloc_memory(*pdwDataOutSize), data.data(), *pdwDataOutSize);
+#endif
+ }
+
+
 ///
 /// Packs and encrypts to the BLOB
 ///
+ /// \note When EAP_ENCRYPT_BLOBS is defined non-zero, the \p record is packed and encrypted; otherwise, it is packed to an unencrypted BLOB only.
+ ///
 /// \param[in ] record Object to pack
 /// \param[out] ppDataOut Pointer to pointer to receive encrypted BLOB. Pointer must be freed using `module::free_memory()`.
 /// \param[out] pdwDataOutSize Pointer to \p ppDataOut size
diff --git a/lib/TLS/src/Method.cpp b/lib/TLS/src/Method.cpp
index ba4c498..9a1b1f5 100644
--- a/lib/TLS/src/Method.cpp
+++ b/lib/TLS/src/Method.cpp
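Review bot: In both branches of the new `pack()` the output size `*pdwDataOutSize` is written before `alloc_memory()` is called, so if the allocation fails — by throwing, or by returning NULL if that is its contract, which is not visible here — the caller is left with a nonzero size and an unset or null `*ppDataOut`; an `_Out_` pair should be published together, after the copy has succeeded. The `#else` branch also folds the allocation into the `memcpy` argument list, which reads differently from the `#if` branch doing the same thing in three statements, and both branches narrow `size_t` to `DWORD` with a C-style cast. I would compute into locals and assign both outputs last, as below, and if `alloc_memory` can return NULL rather than throw, add a check on `data_out` before the `memcpy`. The `std::move` around the `encrypt_md5` prvalue is unnecessary for the same reason as in the previous hunk.
```cpp
#if EAP_ENCRYPT_BLOBS
    // … unchanged: crypt provider setup …
    // Encrypt BLOB (prvalue needs no std::move).
    auto data_enc = encrypt_md5(cp, data.data(), data.size());
    const DWORD size_out = static_cast<DWORD>(data_enc.size());
    BYTE *data_out = alloc_memory(size_out);
    memcpy(data_out, data_enc.data(), size_out);
#else
    const DWORD size_out = static_cast<DWORD>(data.size());
    BYTE *data_out = alloc_memory(size_out);
    memcpy(data_out, data.data(), size_out);
#endif
    // Publish both outputs only once the copy has succeeded.
    *ppDataOut = data_out;
    *pdwDataOutSize = size_out;
```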
@@ -1216,7 +1216,7 @@ void eap::method_tls::process_handshake()
 void eap::method_tls::process_application_data()
 {
 if (m_sc_queue.empty()) {
- // An ACK packet received. Nothing to unencrypt.
+ // An ACK packet received. Nothing to decrypt.
 process_application_data(NULL, 0);
 return;
 }