Version set to 1.0-alpha10

include/Common.props

@@ -32,7 +32,7 @@
   <ItemDefinitionGroup>
     <ClCompile>
       <WarningLevel>Level4</WarningLevel>
-      <PreprocessorDefinitions>_WIN32_WINNT=0x0600;ISOLATION_AWARE_ENABLED=1;CERT_CHAIN_PARA_HAS_EXTRA_FIELDS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>_WIN32_WINNT=0x0600;ISOLATION_AWARE_ENABLED=1;SECURITY_WIN32;CERT_CHAIN_PARA_HAS_EXTRA_FIELDS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <PrecompiledHeader>Use</PrecompiledHeader>
       <PrecompiledHeaderFile>StdAfx.h</PrecompiledHeaderFile>
       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>

include/Version.h

@@ -45,7 +45,7 @@
 //
 // Human readable product version and build year for UI
 //
-#define PRODUCT_VERSION_STR      "1.0-alpha10-owntls"
+#define PRODUCT_VERSION_STR      "1.0-alpha10"
 #define PRODUCT_BUILD_YEAR_STR   "2016"
 
 //
@@ -58,7 +58,7 @@
 // The product code for ProductCode property in MSI packages
 // Replace with new on every version change, regardless how minor it is.
 //
-#define PRODUCT_VERSION_GUID     "{C3675615-0D70-47C7-9BCB-B683A77C6ED6}"
+#define PRODUCT_VERSION_GUID     "{2A743CF3-8AAE-416B-B779-2EC1F509121D}"
 
 //
 // Since the product name is not finally confirmed at the time of

lib/EAPBase/src/Module.cpp

@@ -102,6 +102,12 @@ EAP_ERROR* eap::module::make_error(_In_ std::exception &err) const
             return make_error(HRESULT_CODE(e.number()), what.c_str());
     }
 
+    {
+        sec_runtime_error &e(dynamic_cast<sec_runtime_error&>(err));
+        if (&e)
+            return make_error(HRESULT_CODE(e.number()), what.c_str());
+    }
+
     {
         invalid_argument &e(dynamic_cast<invalid_argument&>(err));
         if (&e)

lib/EAPBase/src/StdAfx.h

@@ -30,5 +30,6 @@
 
 #include <WinStd/Cred.h>
 #include <WinStd/ETW.h>
+#include <WinStd/Sec.h>
 
 #include <EventsETW.h>

lib/TLS/include/Config.h

@@ -168,9 +168,5 @@ namespace eap
     public:
         std::list<winstd::cert_context> m_trusted_root_ca;  ///< Trusted root CAs
         std::list<std::wstring> m_server_names;             ///< Acceptable authenticating server names
-
-        // Following members are used for session resumptions. They are not exported/imported to XML.
-        sanitizing_blob m_session_id;                       ///< TLS session ID
-        tls_master_secret m_master_secret;                  ///< TLS master secret
     };
 }

lib/TLS/include/Method.h

@@ -36,6 +36,7 @@ namespace eap
 #include "../../EAPBase/include/Method.h"
 
 #include <WinStd/Crypt.h>
+#include <WinStd/Sec.h>
 
 #include <list>
 #include <vector>
@@ -127,19 +128,6 @@ namespace eap
             std::vector<unsigned char> m_data;          ///< Packet data
         };
 
-#pragma pack(push)
-#pragma pack(1)
-        ///
-        /// TLS message
-        ///
-        struct message_header
-        {
-            tls_message_type_t type;    ///< Message type (one of `message_type_t` constants)
-            tls_version version;        ///< SSL/TLS version
-            unsigned char length[2];    ///< Message length (in network byte order)
-        };
-#pragma pack(pop)
-
     public:
         ///
         /// Constructs an EAP method
@@ -216,271 +204,30 @@ namespace eap
         /// @}
 
     protected:
-        /// \name Client handshake message generation
-        /// @{
+        ///
+        /// Process handshake
+        ///
+        void process_handshake();
 
         ///
-        /// Makes a TLS client hello message
+        /// Process application data
         ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.4.1.2. Client Hello)](https://tools.ietf.org/html/rfc5246#section-7.4.1.2)
-        ///
-        /// \returns Client hello message
-        ///
-        sanitizing_blob make_client_hello();
+        void process_application_data();
 
         ///
-        /// Makes a TLS client certificate message
+        /// Processes an application message
         ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.4.6. Client Certificate)](https://tools.ietf.org/html/rfc5246#section-7.4.6)
+        /// \param[in] msg       Application message data
+        /// \param[in] size_msg  Application message data size
         ///
-        /// \returns Client certificate message
-        ///
-        sanitizing_blob make_client_cert() const;
-
-        ///
-        /// Makes a TLS client key exchange message
-        ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.4.7. Client Key Exchange Message )](https://tools.ietf.org/html/rfc5246#section-7.4.7)
-        ///
-        /// \param[in] pms  Pre-master secret
-        ///
-        /// \returns Client key exchange message
-        ///
-        sanitizing_blob make_client_key_exchange(_In_ const tls_master_secret &pms) const;
-
-        ///
-        /// Makes a TLS finished message
-        ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter A.1. Record Layer)](https://tools.ietf.org/html/rfc5246#appendix-A.1)
-        ///
-        /// \returns Change cipher spec
-        ///
-        eap::sanitizing_blob make_finished() const;
-
-        /// @}
-
-        /// \name Client/Server handshake hashing
-        /// @{
-
-        ///
-        /// Hashes handshake message for "finished" message validation.
-        ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.4.9. Finished)](https://tools.ietf.org/html/rfc5246#section-7.4.9)
-        ///
-        /// \param[in] data  Data to hash
-        /// \param[in] size  \p data size in bytes
-        ///
-        inline void hash_handshake(_In_count_(size) const void *data, _In_ size_t size)
-        {
-            CryptHashData(m_hash_handshake_msgs_md5   , (const BYTE*)data, (DWORD)size, 0);
-            CryptHashData(m_hash_handshake_msgs_sha1  , (const BYTE*)data, (DWORD)size, 0);
-            CryptHashData(m_hash_handshake_msgs_sha256, (const BYTE*)data, (DWORD)size, 0);
-        }
-
-        ///
-        /// Hashes handshake message for "finished" message validation.
-        ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.4.9. Finished)](https://tools.ietf.org/html/rfc5246#section-7.4.9)
-        ///
-        /// \param[in] data  Data to hash
-        /// \param[in] size  \p data size in bytes
-        ///
-        template<class _Ty, class _Ax>
-        inline void hash_handshake(_In_ const std::vector<_Ty, _Ax> &data)
-        {
-            hash_handshake(data.data(), data.size() * sizeof(_Ty));
-        }
-
-        /// @}
-
-        ///
-        /// Makes a TLS message
-        ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter A.1. Record Layer)](https://tools.ietf.org/html/rfc5246#appendix-A.1)
-        ///
-        /// \param[in]    type  Message type
-        /// \param[inout] data  Message data contents
-        ///
-        /// \returns TLS message message
-        ///
-        eap::sanitizing_blob make_message(_In_ tls_message_type_t type, _Inout_ sanitizing_blob &&data);
-
-        /// @}
-
-        /// \name Key derivation
-        /// @{
-
-        ///
-        /// Generates master session key
-        ///
-        /// \sa [The EAP-TLS Authentication Protocol (Chapter 2.3. Key Hierarchy)](https://tools.ietf.org/html/rfc5216#section-2.3)
-        ///
-        virtual void derive_msk();
-
-        /// @}
-
-        /// \name Server message processing
-        /// @{
-
-        ///
-        /// Processes messages in a TLS packet
-        ///
-        /// \param[in] pck       Packet data
-        /// \param[in] size_pck  \p pck size in bytes
-        ///
-        void process_packet(_In_bytecount_(size_pck) const void *pck, _In_ size_t size_pck);
-
-        ///
-        /// Processes a TLS change_cipher_spec message
-        ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.1. Change Cipher Spec Protocol)](https://tools.ietf.org/html/rfc5246#section-7.1)
-        ///
-        /// \param[in] msg       TLS change_cipher_spec message data
-        /// \param[in] msg_size  TLS change_cipher_spec message data size
-        ///
-        virtual void process_change_cipher_spec(_In_bytecount_(msg_size) const void *msg, _In_ size_t msg_size);
-
-        ///
-        /// Processes a TLS alert message
-        ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.2. Alert Protocol)](https://tools.ietf.org/html/rfc5246#section-7.2)
-        ///
-        /// \param[in] msg       TLS alert message data
-        /// \param[in] msg_size  TLS alert message data size
-        ///
-        virtual void process_alert(_In_bytecount_(msg_size) const void *msg, _In_ size_t msg_size);
-
-        ///
-        /// Processes a TLS handshake message
-        ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.4. Handshake Protocol)](https://tools.ietf.org/html/rfc5246#section-7.4)
-        ///
-        /// \param[in] msg       TLS handshake message data
-        /// \param[in] msg_size  TLS handshake message data size
-        ///
-        virtual void process_handshake(_In_bytecount_(msg_size) const void *msg, _In_ size_t msg_size);
-
-        ///
-        /// Processes a TLS application_data message
-        ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 10. Application Data Protocol)](https://tools.ietf.org/html/rfc5246#section-10)
-        ///
-        /// \param[in] msg       TLS application_data message data
-        /// \param[in] msg_size  TLS application_data message data size
-        ///
-        virtual void process_application_data(_In_bytecount_(msg_size) const void *msg, _In_ size_t msg_size);
-
-        /////
-        ///// Processes a vendor-specific TLS message
-        /////
-        ///// \note Please see `m_cipher_spec` member if the message data came encrypted.
-        /////
-        ///// \param[in] type      TLS message type
-        ///// \param[in] msg       TLS message data
-        ///// \param[in] msg_size  TLS message data size
-        /////
-        //virtual void process_vendor_data(_In_ tls_message_type_t type, _In_bytecount_(msg_size) const void *msg, _In_ size_t msg_size);
-
-        /// @}
+        virtual void process_application_data(_In_bytecount_(size_msg) const void *msg, _In_ size_t size_msg);
 
+#ifndef SCHANNEL_SRV_CERT_CHECK
         ///
         /// Verifies server's certificate if trusted by configuration
         ///
         void verify_server_trust() const;
-
-        /// \name Encryption
-        /// @{
-
-        ///
-        /// Encrypt TLS message
-        ///
-        /// \param[in]    type  Message type
-        /// \param[inout] data  TLS message to encrypt
-        ///
-        void encrypt_message(_In_ tls_message_type_t type, _Inout_ sanitizing_blob &data);
-
-        ///
-        /// Decrypt TLS message
-        ///
-        /// \param[in]    type  Original message type for HMAC verification
-        /// \param[inout] data  TLS message to decrypt
-        ///
-        void decrypt_message(_In_ tls_message_type_t type, _Inout_ sanitizing_blob &data);
-
-        /// @}
-
-        /// \name Pseudo-random generation
-        /// @{
-
-        ///
-        /// Calculates pseudo-random P_hash data defined in RFC 5246
-        ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.1 (Chapter 5. HMAC and the Pseudorandom Function)](https://tools.ietf.org/html/rfc4346#section-5)
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 5. HMAC and the Pseudorandom Function)](https://tools.ietf.org/html/rfc5246#section-5)
-        ///
-        /// \param[in] cp         Handle of the cryptographics provider
-        /// \param[in] alg        Hashing Algorithm to use (CALG_TLS1PRF = combination of MD5 and SHA-1, CALG_SHA_256...)
-        /// \param[in] secret     Hashing secret key
-        /// \param[in] seed       Random seed
-        /// \param[in] size_seed  \p seed size
-        /// \param[in] size       Number of bytes of pseudo-random data required
-        ///
-        /// \returns Generated pseudo-random data (\p size bytes)
-        ///
-        static sanitizing_blob prf(
-            _In_                            HCRYPTPROV        cp,
-            _In_                            ALG_ID            alg,
-            _In_                      const tls_master_secret &secret,
-            _In_bytecount_(size_seed) const void              *seed,
-            _In_                            size_t            size_seed,
-            _In_                            size_t            size);
-
-        ///
-        /// Calculates pseudo-random P_hash data defined in RFC 5246
-        ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.1 (Chapter 5. HMAC and the Pseudorandom Function)](https://tools.ietf.org/html/rfc4346#section-5)
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 5. HMAC and the Pseudorandom Function)](https://tools.ietf.org/html/rfc5246#section-5)
-        ///
-        /// \param[in] cp      Handle of the cryptographics provider
-        /// \param[in] alg     Hashing Algorithm to use (CALG_TLS1PRF = combination of MD5 and SHA-1, CALG_SHA_256...)
-        /// \param[in] secret  Hashing secret key
-        /// \param[in] seed    Random seed
-        /// \param[in] size    Number of bytes of pseudo-random data required
-        ///
-        /// \returns Generated pseudo-random data (\p size bytes)
-        ///
-        template<class _Ty, class _Ax>
-        inline static sanitizing_blob prf(
-            _In_       HCRYPTPROV            cp,
-            _In_       ALG_ID                alg,
-            _In_ const tls_master_secret     &secret,
-            _In_ const std::vector<_Ty, _Ax> &seed,
-            _In_       size_t                size)
-        {
-            return prf(cp, alg, secret, seed.data(), seed.size() * sizeof(_Ty), size);
-        }
-
-        /// @}
-
-        ///
-        /// Creates a key
-        ///
-        /// \sa [How to export and import plain text session keys by using CryptoAPI](https://support.microsoft.com/en-us/kb/228786)
-        ///
-        /// \param[in] cp           Handle of the cryptographics provider
-        /// \param[in] alg          Key algorithm
-        /// \param[in] key          Key that decrypts \p secret
-        /// \param[in] secret       Key data
-        /// \param[in] size_secret  \p secret size
-        ///
-        /// \returns Key
-        ///
-        HCRYPTKEY create_key(
-            _In_                              HCRYPTPROV cp,
-            _In_                              ALG_ID     alg,
-            _In_                              HCRYPTKEY  key,
-            _In_bytecount_(size_secret) const void       *secret,
-            _In_                              size_t     size_secret);
+#endif
 
     protected:
         credentials_tls &m_cred;                                ///< EAP-TLS user credentials
@@ -488,47 +235,20 @@ namespace eap
         packet m_packet_req;                                    ///< Request packet
         packet m_packet_res;                                    ///< Response packet
 
-        winstd::crypt_prov m_cp;                                ///< Cryptography provider for general services
-        winstd::crypt_prov m_cp_enc_client;                     ///< Cryptography provider for encryption
-        winstd::crypt_prov m_cp_enc_server;                     ///< Cryptography provider for encryption
-        winstd::crypt_key m_key_exp1;                           ///< Key for importing derived keys
-
-        tls_version m_tls_version;                              ///< TLS version in use
-        ALG_ID m_alg_prf;                                       ///< Pseudo-random function algorithm in use
-
-        tls_conn_state m_state_client;                          ///< Client TLS connection state
-        tls_conn_state m_state_client_pending;                  ///< Client TLS connection state (pending)
-        tls_conn_state m_state_server;                          ///< Server TLS connection state
-        tls_conn_state m_state_server_pending;                  ///< Server TLS connection state (pending)
-
-        tls_master_secret m_master_secret;                      ///< TLS master secret
-        tls_random m_random_client;                             ///< Client random
-        tls_random m_random_server;                             ///< Server random
-
-        tls_random m_key_mppe_client;                           ///< MS-MPPE-Recv-Key
-        tls_random m_key_mppe_server;                           ///< MS-MPPE-Send-Key
-
-        sanitizing_blob m_session_id;                           ///< TLS session ID
-
-        std::list<winstd::cert_context> m_server_cert_chain;    ///< Server certificate chain
-
-        winstd::crypt_hash m_hash_handshake_msgs_md5;           ///< Running MD5 hash of handshake messages
-        winstd::crypt_hash m_hash_handshake_msgs_sha1;          ///< Running SHA-1 hash of handshake messages
-        winstd::crypt_hash m_hash_handshake_msgs_sha256;        ///< Running SHA-256 hash of handshake messages
-
-        bool m_handshake[tls_handshake_type_max];               ///< Handshake flags (map od handshake messages received)
+        HANDLE m_user_ctx;                                      ///< Handle to user context
+        winstd::tstring m_sc_target_name;                       ///< Schannel target name
+        winstd::sec_credentials m_sc_cred;                      ///< Schannel client credentials
+        std::vector<unsigned char> m_sc_queue;                  ///< TLS data queue
+        winstd::sec_context m_sc_ctx;                           ///< Schannel context
 
         enum {
             phase_unknown = -1,                                 ///< Unknown phase
-            phase_client_hello = 0,                             ///< Send client hello
-            phase_server_hello,                                 ///< Wait for server hello
-            phase_change_cipher_spec,                           ///< Wait for change cipher spec
-            phase_application_data                              ///< Exchange application data
+            phase_handshake_init = 0,                           ///< Handshake initialize
+            phase_handshake_cont,                               ///< Handshake continue
+            phase_application_data,                             ///< Exchange application data
+            phase_shutdown,                                     ///< Connection shut down
         } m_phase;                                              ///< What phase is our communication at?
 
-        unsigned __int64 m_seq_num_client;                      ///< Sequence number for encrypting
-        unsigned __int64 m_seq_num_server;                      ///< Sequence number for decrypting
-
         // The following members are required to avoid memory leakage in get_result()
         EAP_ATTRIBUTES m_eap_attr_desc;                         ///< EAP Radius attributes descriptor
         std::vector<winstd::eap_attr> m_eap_attr;               ///< EAP Radius attributes

lib/TLS/src/Config.cpp

@@ -75,8 +75,6 @@ eap::config_method_tls::config_method_tls(_In_ module &mod) : config_method_with
 eap::config_method_tls::config_method_tls(_In_ const config_method_tls &other) :
     m_trusted_root_ca(other.m_trusted_root_ca),
     m_server_names(other.m_server_names),
-    m_session_id(other.m_session_id),
-    m_master_secret(other.m_master_secret),
     config_method_with_cred(other)
 {
 }
@@ -85,8 +83,6 @@ eap::config_method_tls::config_method_tls(_In_ const config_method_tls &other) :
 eap::config_method_tls::config_method_tls(_Inout_ config_method_tls &&other) :
     m_trusted_root_ca(std::move(other.m_trusted_root_ca)),
     m_server_names(std::move(other.m_server_names)),
-    m_session_id(std::move(other.m_session_id)),
-    m_master_secret(std::move(other.m_master_secret)),
     config_method_with_cred(std::move(other))
 {
 }
@@ -98,8 +94,6 @@ eap::config_method_tls& eap::config_method_tls::operator=(_In_ const config_meth
         (config_method_with_cred&)*this = other;
         m_trusted_root_ca = other.m_trusted_root_ca;
         m_server_names    = other.m_server_names;
-        m_session_id      = other.m_session_id;
-        m_master_secret   = other.m_master_secret;
     }
 
     return *this;
@@ -112,8 +106,6 @@ eap::config_method_tls& eap::config_method_tls::operator=(_Inout_ config_method_
         (config_method_with_cred&&)*this = std::move(other);
         m_trusted_root_ca = std::move(other.m_trusted_root_ca);
         m_server_names    = std::move(other.m_server_names);
-        m_session_id      = std::move(other.m_session_id);
-        m_master_secret   = std::move(other.m_master_secret);
     }
 
     return *this;
@@ -243,8 +235,6 @@ void eap::config_method_tls::operator<<(_Inout_ cursor_out &cursor) const
     config_method_with_cred::operator<<(cursor);
     cursor << m_trusted_root_ca;
     cursor << m_server_names   ;
-    cursor << m_session_id     ;
-    cursor << m_master_secret  ;
 }
 
 
@@ -253,9 +243,7 @@ size_t eap::config_method_tls::get_pk_size() const
     return
         config_method_with_cred::get_pk_size() +
         pksizeof(m_trusted_root_ca) +
-        pksizeof(m_server_names   ) +
-        pksizeof(m_session_id     ) +
-        pksizeof(m_master_secret  );
+        pksizeof(m_server_names   );
 }
 
 
@@ -264,8 +252,6 @@ void eap::config_method_tls::operator>>(_Inout_ cursor_in &cursor)
     config_method_with_cred::operator>>(cursor);
     cursor >> m_trusted_root_ca;
     cursor >> m_server_names   ;
-    cursor >> m_session_id     ;
-    cursor >> m_master_secret  ;
 }
 
 

lib/TLS/src/StdAfx.h

@@ -31,6 +31,7 @@
 #include <WinStd/EAP.h>
 
 #include <EapHostError.h>
+#include <schnlsp.h>
 #include <time.h>
 
 #include <algorithm>

lib/TLS_UI/include/TLS_UI.h

@@ -331,7 +331,6 @@ public:
 protected:
     /// \cond internal
     virtual void OnInitDialog(wxInitDialogEvent& event);
-    virtual bool TransferDataFromWindow();
     /// \endcond
 
 protected:

lib/TLS_UI/src/TLS_UI.cpp

@@ -603,21 +603,3 @@ void wxTLSConfigPanel::OnInitDialog(wxInitDialogEvent& event)
     if (m_credentials)
         m_credentials->GetEventHandler()->ProcessEvent(event);
 }
-
-
-bool wxTLSConfigPanel::TransferDataFromWindow()
-{
-    wxCHECK(wxPanel::TransferDataFromWindow(), false);
-
-    if (!m_prov.m_read_only) {
-        // This is not a provider-locked configuration. The data will get saved.
-
-        // Reset session ID and master secret to force clean connect next time.
-        m_cfg.m_session_id.clear();
-        m_cfg.m_master_secret.clear();
-    }
-
-    return true;
-}
-
-

lib/TTLS/include/Method.h

@@ -112,14 +112,15 @@ namespace eap
 
         /// @}
 
-        ///
-        /// Generates master session key
-        ///
-        /// \sa [The EAP-TLS Authentication Protocol (Chapter 2.3. Key Hierarchy)](https://tools.ietf.org/html/rfc5216#section-2.3)
-        ///
-        virtual void derive_msk();
-
     protected:
+        ///
+        /// Processes an application message
+        ///
+        /// \param[in] msg       Application message data
+        /// \param[in] size_msg  Application message data size
+        ///
+        virtual void process_application_data(_In_bytecount_(size_msg) const void *msg, _In_ size_t size_msg);
+
         ///
         /// Makes a PAP client message
         ///

lib/TTLS/src/Method.cpp

@@ -71,23 +71,6 @@ void eap::method_ttls::process_request_packet(
 
     // Do the TLS.
     method_tls::process_request_packet(pReceivedPacket, dwReceivedPacketSize, pEapOutput);
-
-    if (m_phase == phase_application_data) {
-        // Send inner authentication.
-        if (!m_state_client.m_alg_encrypt)
-            throw runtime_error(__FUNCTION__ " Refusing to send credentials unencrypted.");
-
-        m_module.log_event(&EAPMETHOD_TTLS_INNER_CRED, event_data((unsigned int)eap_type_ttls), event_data(m_cred.m_inner->get_name()), event_data::blank);
-
-        m_packet_res.m_code  = EapCodeResponse;
-        m_packet_res.m_id    = m_packet_req.m_id;
-        m_packet_res.m_flags = 0;
-        sanitizing_blob msg_application(make_message(tls_message_type_application_data, make_pap_client()));
-        m_packet_res.m_data.insert(m_packet_res.m_data.end(), msg_application.begin(), msg_application.end());
-
-        pEapOutput->fAllowNotifications = FALSE;
-        pEapOutput->action = EapPeerMethodResponseActionSend;
-    }
 }
 
 
@@ -133,6 +116,13 @@ void eap::method_ttls::get_result(
             throw win_runtime_error(ERROR_NOT_SUPPORTED, __FUNCTION__ " Not supported.");
         }
 
+        // EAP-TTLS uses different label in PRF for MSK derivation than EAP-TLS.
+        static const DWORD s_key_id = 0x01; // EAP-TTLSv0 Keying Material
+        static const SecPkgContext_EapPrfInfo s_prf_info = { 0, sizeof(s_key_id), (PBYTE)&s_key_id };
+        SECURITY_STATUS status = SetContextAttributes(m_sc_ctx, SECPKG_ATTR_EAP_PRF_INFO, (void*)&s_prf_info, sizeof(s_prf_info));
+        if (FAILED(status))
+            throw sec_runtime_error(status, __FUNCTION__ "Error setting EAP-TTLS PRF in Schannel.");
+
         // The TLS was OK.
         method_tls::get_result(EapPeerMethodResultSuccess, ppResult);
 
@@ -146,37 +136,51 @@ void eap::method_ttls::get_result(
 }
 
 
-void eap::method_ttls::derive_msk()
+void eap::method_ttls::process_application_data(_In_bytecount_(size_msg) const void *msg, _In_ size_t size_msg)
 {
-    //
-    //   TLS versions 1.0 [RFC2246] and 1.1 [RFC4346] define the same PRF
-    //   function, and any EAP-TTLSv0 implementation based on these versions
-    //   of TLS must use the PRF defined therein.  It is expected that future
-    //   versions of or extensions to the TLS protocol will permit alternative
-    //   PRF functions to be negotiated.  If an alternative PRF function is
-    //   specified for the underlying TLS version or has been negotiated
-    //   during the TLS handshake negotiation, then that alternative PRF
-    //   function must be used in EAP-TTLSv0 computations instead of the TLS
-    //   1.0/1.1 PRF.
-    //
-    // [Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0) (Chapter 7.8. Use of TLS PRF)](https://tools.ietf.org/html/rfc5281#section-7.8)
-    //
-    // If we use PRF_SHA256() the key exchange fails. Therefore we use PRF of TLS 1.0/1.1.
-    //
-    static const unsigned char s_label[] = "ttls keying material";
-    sanitizing_blob seed(s_label, s_label + _countof(s_label) - 1);
-    seed.insert(seed.end(), (const unsigned char*)&m_random_client, (const unsigned char*)(&m_random_client + 1));
-    seed.insert(seed.end(), (const unsigned char*)&m_random_server, (const unsigned char*)(&m_random_server + 1));
-    sanitizing_blob key_block(prf(m_cp, CALG_TLS1PRF, m_master_secret, seed, 2*sizeof(tls_random)));
-    const unsigned char *_key_block = key_block.data();
+    UNREFERENCED_PARAMETER(msg);
+    UNREFERENCED_PARAMETER(size_msg);
 
-    // MSK: MPPE-Recv-Key
-    memcpy(&m_key_mppe_client, _key_block, sizeof(tls_random));
-    _key_block += sizeof(tls_random);
+    // Prepare inner authentication.
+    if (!(m_sc_ctx.m_attrib & ISC_RET_CONFIDENTIALITY))
+        throw runtime_error(__FUNCTION__ " Refusing to send credentials unencrypted.");
 
-    // MSK: MPPE-Send-Key
-    memcpy(&m_key_mppe_server, _key_block, sizeof(tls_random));
-    _key_block += sizeof(tls_random);
+    m_module.log_event(&EAPMETHOD_TTLS_INNER_CRED, event_data((unsigned int)eap_type_ttls), event_data(m_cred.m_inner->get_name()), event_data::blank);
+
+    SECURITY_STATUS status;
+
+    // Get maximum message sizes.
+    SecPkgContext_StreamSizes sizes;
+    status = QueryContextAttributes(m_sc_ctx, SECPKG_ATTR_STREAM_SIZES, &sizes);
+    if (FAILED(status))
+        throw sec_runtime_error(status, __FUNCTION__ " Error getting Schannel required encryption sizes.");
+
+    // Make PAP message.
+    sanitizing_blob msg_pap(make_pap_client());
+    assert(msg_pap.size() < sizes.cbMaximumMessage);
+    unsigned long size_data = std::min<unsigned long>(sizes.cbMaximumMessage, (unsigned long)msg_pap.size()); // Truncate
+
+    sanitizing_blob data(sizes.cbHeader + size_data + sizes.cbTrailer, 0);
+    memcpy(data.data() + sizes.cbHeader, msg_pap.data(), size_data);
+
+    // Prepare input/output buffer(s).
+    SecBuffer buf[] = {
+        {  sizes.cbHeader, SECBUFFER_STREAM_HEADER , data.data()                              },
+        {       size_data, SECBUFFER_DATA          , data.data() + sizes.cbHeader             },
+        { sizes.cbTrailer, SECBUFFER_STREAM_TRAILER, data.data() + sizes.cbHeader + size_data },
+        {               0, SECBUFFER_EMPTY         , NULL                                     },
+    };
+    SecBufferDesc buf_desc = {
+        SECBUFFER_VERSION,
+        _countof(buf),
+        buf
+    };
+
+    // Encrypt the message.
+    status = EncryptMessage(m_sc_ctx, 0, &buf_desc, 0);
+    if (FAILED(status))
+        throw sec_runtime_error(status, __FUNCTION__ " Error encrypting message.");
+    m_packet_res.m_data.insert(m_packet_res.m_data.end(), (const unsigned char*)buf[0].pvBuffer, (const unsigned char*)buf[0].pvBuffer + buf[0].cbBuffer + buf[1].cbBuffer + buf[2].cbBuffer);
 }
 
 

lib/TTLS/src/StdAfx.h

@@ -30,3 +30,4 @@
 #include <WinStd/EAP.h>
 
 #include <EapHostError.h>
+#include <schannel.h>