diff --git a/lib/EAPBase/include/Module.h b/lib/EAPBase/include/Module.h index 9ac6a92..43d45e2 100644 --- a/lib/EAPBase/include/Module.h +++ b/lib/EAPBase/include/Module.h @@ -530,15 +530,45 @@ namespace eap /// @{ /// - /// Unencrypts and unpacks the BLOB + /// Decrypts a BLOB + /// + /// \note When EAP_ENCRYPT_BLOBS is defined non-zero, the BLOB is decrypted; otherwise, it is copied only. /// - /// \param[inout] record Object to unpack to /// \param[in ] pDataIn Pointer to encrypted BLOB /// \param[in ] dwDataInSize Size of \p pDataIn /// + /// \returns Encrypted BLOB + /// + sanitizing_blob unpack( + _In_count_(dwDataInSize) const BYTE *pDataIn, + _In_ DWORD dwDataInSize) + { +#if EAP_ENCRYPT_BLOBS + // Prepare cryptographics provider. + winstd::crypt_prov cp; + if (!cp.create(NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) + throw winstd::win_runtime_error(__FUNCTION__ " CryptAcquireContext failed."); + + // Decrypt data. + return std::move(decrypt_md5 >(cp, pDataIn, dwDataInSize)); +#else + return sanitizing_blob(pDataIn, pDataIn + dwDataInSize); +#endif + } + + + /// + /// Decrypts and unpacks the BLOB + /// + /// \note When EAP_ENCRYPT_BLOBS is defined non-zero, the BLOB is decrypted and unpacked to the \p record; otherwise, it is unpacked to the \p record only. + /// + /// \param[out] record Object to unpack to + /// \param[in ] pDataIn Pointer to encrypted BLOB + /// \param[in ] dwDataInSize Size of \p pDataIn + /// template void unpack( - _Inout_ T &record, + _Out_ T &record, _In_count_(dwDataInSize) const BYTE *pDataIn, _In_ DWORD dwDataInSize) { @@ -560,9 +590,49 @@ namespace eap } + /// + /// Encrypts a BLOB + /// + /// \note When EAP_ENCRYPT_BLOBS is defined non-zero, the BLOB is encrypted; otherwise, it is copied only. + /// + /// \param[in ] data BLOB to encrypt + /// \param[out] ppDataOut Pointer to pointer to receive encrypted BLOB. Pointer must be freed using `module::free_memory()`. + /// \param[out] pdwDataOutSize Pointer to \p ppDataOut size + /// + void pack( + _In_ const sanitizing_blob &data, + _Out_ BYTE **ppDataOut, + _Out_ DWORD *pdwDataOutSize) + { + assert(ppDataOut); + assert(pdwDataOutSize); + +#if EAP_ENCRYPT_BLOBS + // Prepare cryptographics provider. + winstd::crypt_prov cp; + if (!cp.create(NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) + throw winstd::win_runtime_error(__FUNCTION__ " CryptAcquireContext failed."); + + // Encrypt BLOB. + std::vector data_enc(std::move(encrypt_md5(cp, data.data(), data.size()))); + + // Copy encrypted BLOB to output. + *pdwDataOutSize = (DWORD)data_enc.size(); + *ppDataOut = alloc_memory(*pdwDataOutSize); + memcpy(*ppDataOut, data_enc.data(), *pdwDataOutSize); +#else + // Allocate and copy BLOB. + *pdwDataOutSize = (DWORD)data.size(); + memcpy(*ppDataOut = alloc_memory(*pdwDataOutSize), data.data(), *pdwDataOutSize); +#endif + } + + /// /// Packs and encrypts to the BLOB /// + /// \note When EAP_ENCRYPT_BLOBS is defined non-zero, the \p record is packed and encrypted; otherwise, it is packed to an unencrypted BLOB only. + /// /// \param[in ] record Object to pack /// \param[out] ppDataOut Pointer to pointer to receive encrypted BLOB. Pointer must be freed using `module::free_memory()`. /// \param[out] pdwDataOutSize Pointer to \p ppDataOut size diff --git a/lib/TTLS/src/Method.cpp b/lib/TTLS/src/Method.cpp index 99bd356..42bafb7 100644 --- a/lib/TTLS/src/Method.cpp +++ b/lib/TTLS/src/Method.cpp @@ -661,7 +661,7 @@ EapPeerMethodResponseAction eap::method_ttls::process_request_packet( // No extra initial data for inner authentication avaliable. action = method_tunnel::process_request_packet(NULL, 0); } else { - // Authenticator sent some data for inner authentication. Unencrypt it. + // Authenticator sent some data for inner authentication. Decrypt it. // Decrypt the message. SecBuffer buf[] = { @@ -722,7 +722,7 @@ EapPeerMethodResponseAction eap::method_ttls::process_request_packet( // No extra data for inner authentication. return method_tunnel::process_request_packet(NULL, 0); } else { - // Authenticator sent data for inner authentication. Unencrypt it. + // Authenticator sent data for inner authentication. Decrypt it. // Decrypt the message. SecBuffer buf[] = {