- TLS revised (again)

- TLS Session resumption issues resolved
- Credential prompt has "Remember" checkbox initially selected when credentials originate from Windows Credential Manager
- Last authentication attempt failure notice is more general and no longer insinuate user credentials are the likely cause of the failure
- Additional log messages added

lib/TTLS/src/Credentials.cpp

@@ -226,15 +226,12 @@ std::wstring eap::credentials_ttls::get_identity() const
 }
 
 
-bool eap::credentials_ttls::combine(
+pair<eap::credentials::source_t, eap::credentials::source_t> eap::credentials_ttls::combine(
     _In_       const credentials_ttls   *cred_cached,
     _In_       const config_method_ttls &cfg,
     _In_opt_z_       LPCTSTR            pszTargetName)
 {
-    bool
-        is_outer_set = credentials_tls::combine(cred_cached, cfg, pszTargetName),
-        is_inner_set =
-            dynamic_cast<const credentials_pap*>(m_inner.get()) ? ((credentials_pap*)m_inner.get())->combine(cred_cached ? (credentials_pap*)cred_cached->m_inner.get() : NULL, (const config_method_pap&)*cfg.m_inner, pszTargetName) : false;
-
-    return is_outer_set && is_inner_set;
+    return pair<source_t, source_t>(
+        credentials_tls::combine(cred_cached, cfg, pszTargetName),
+        dynamic_cast<const credentials_pap*>(m_inner.get()) ? ((credentials_pap*)m_inner.get())->combine(cred_cached ? (credentials_pap*)cred_cached->m_inner.get() : NULL, (const config_method_pap&)*cfg.m_inner, pszTargetName) : source_unknown);
 }

lib/TTLS/src/Method.cpp

@@ -69,27 +69,24 @@ void eap::method_ttls::process_request_packet(
         m_module.log_event(&EAPMETHOD_TTLS_HANDSHAKE_START, event_data((unsigned int)eap_type_ttls), event_data((unsigned char)m_version), event_data((unsigned char)ver_remote), event_data::blank);
     }
 
-    if (!m_handshake[tls_handshake_type_finished]) {
-        // Do the TLS.
-        method_tls::process_request_packet(pReceivedPacket, dwReceivedPacketSize, pEapOutput);
+    // Do the TLS.
+    method_tls::process_request_packet(pReceivedPacket, dwReceivedPacketSize, pEapOutput);
 
-        if (m_handshake[tls_handshake_type_finished]) {
-            // Piggyback inner authentication.
-            if (!m_state_client.m_alg_encrypt)
-                throw runtime_error(__FUNCTION__ " Refusing to send credentials unencrypted.");
+    if (m_phase == phase_application_data) {
+        // Send inner authentication.
+        if (!m_state_client.m_alg_encrypt)
+            throw runtime_error(__FUNCTION__ " Refusing to send credentials unencrypted.");
 
-            m_packet_res.m_code  = EapCodeResponse;
-            m_packet_res.m_id    = m_packet_req.m_id;
-            m_packet_res.m_flags = 0;
-            sanitizing_blob msg_application(make_message(tls_message_type_application_data, make_pap_client()));
-            m_packet_res.m_data.assign(msg_application.begin(), msg_application.end());
+        m_module.log_event(&EAPMETHOD_TTLS_INNER_CRED, event_data((unsigned int)eap_type_ttls), event_data(m_cred.m_inner->get_name()), event_data::blank);
 
-            pEapOutput->fAllowNotifications = FALSE;
-            pEapOutput->action = EapPeerMethodResponseActionSend;
-        }
-    } else {
-        // Do the TLS. Again.
-        method_tls::process_request_packet(pReceivedPacket, dwReceivedPacketSize, pEapOutput);
+        m_packet_res.m_code  = EapCodeResponse;
+        m_packet_res.m_id    = m_packet_req.m_id;
+        m_packet_res.m_flags = 0;
+        sanitizing_blob msg_application(make_message(tls_message_type_application_data, make_pap_client()));
+        m_packet_res.m_data.insert(m_packet_res.m_data.end(), msg_application.begin(), msg_application.end());
+
+        pEapOutput->fAllowNotifications = FALSE;
+        pEapOutput->action = EapPeerMethodResponseActionSend;
     }
 }
 
@@ -111,7 +108,7 @@ void eap::method_ttls::get_result(
     _In_    EapPeerMethodResultReason reason,
     _Inout_ EapPeerMethodResult       *ppResult)
 {
-    if (!m_handshake[tls_handshake_type_finished]) {
+    if (m_phase != phase_application_data) {
         // Do the TLS.
         method_tls::get_result(reason, ppResult);
     } else {
@@ -120,12 +117,27 @@ void eap::method_ttls::get_result(
         config_method_ttls *cfg_method = dynamic_cast<config_method_ttls*>(cfg_prov.m_methods.front().get());
         assert(cfg_method);
 
-        // Mark credentials appropriately, so GUI can re-prompt user.
-        cfg_method->m_inner->m_cred_failed = reason == EapPeerMethodResultFailure;
+        switch (reason) {
+        case EapPeerMethodResultSuccess: {
+            m_module.log_event(&EAPMETHOD_TTLS_INNER_SUCCESS, event_data((unsigned int)eap_type_ttls), event_data::blank);
+            cfg_method->m_inner->m_auth_failed = false;
+            break;
+        }
+
+        case EapPeerMethodResultFailure:
+            m_module.log_event(&EAPMETHOD_TTLS_INNER_FAILURE, event_data((unsigned int)eap_type_ttls), event_data::blank);
+            cfg_method->m_inner->m_auth_failed = true;
+            break;
+
+        default:
+            throw win_runtime_error(ERROR_NOT_SUPPORTED, __FUNCTION__ " Not supported.");
+        }
 
         // The TLS was OK.
         method_tls::get_result(EapPeerMethodResultSuccess, ppResult);
 
+        // Do not report failure to EAPHost, as it will not save updated configuration then. But we need it to save it, to alert user on next connection attempt.
+        // EAPHost is well aware of the failed condition.
         //if (reason == EapPeerMethodResultFailure) {
         //    ppResult->fIsSuccess = FALSE;
         //    ppResult->dwFailureReasonCode = EAP_E_AUTHENTICATION_FAILED;

lib/TTLS/src/Module.cpp

@@ -109,14 +109,17 @@ void eap::peer_ttls::get_identity(
     {
         // Combine credentials.
         user_impersonator impersonating(hTokenImpersonateUser);
-        *pfInvokeUI = cred_out.combine(
+        pair<eap::credentials::source_t, eap::credentials::source_t> cred_source(cred_out.combine(
 #ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
             &cred_in,
 #else
             NULL,
 #endif
             *cfg_method,
-            (dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? cfg_prov.m_id.c_str() : NULL) ? FALSE : TRUE;
+            (dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? cfg_prov.m_id.c_str() : NULL));
+
+        // If either of credentials is unknown, request UI.
+        *pfInvokeUI = cred_source.first == eap::credentials::source_unknown || cred_source.second == eap::credentials::source_unknown ? TRUE : FALSE;
     }
 
     if (*pfInvokeUI) {
@@ -132,14 +135,14 @@ void eap::peer_ttls::get_identity(
 
     // If we got here, we have all credentials we need. But, wait!
 
-    if (cfg_method->m_cred_failed) {
+    if (cfg_method->m_auth_failed) {
         // Outer TLS: Credentials failed on last connection attempt.
         log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM, event_data((unsigned int)eap_type_tls), event_data::blank);
         *pfInvokeUI = TRUE;
         return;
     }
 
-    if (cfg_method->m_inner->m_cred_failed) {
+    if (cfg_method->m_inner->m_auth_failed) {
         // Inner: Credentials failed on last connection attempt.
         log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM, event_data((unsigned int)type_inner), event_data::blank);
         *pfInvokeUI = TRUE;