Version set to 1.0-alpha10-owntls

Event descriptors updated
Sub-module update
2016-08-23 14:52:26 +02:00 · 2016-08-23 14:48:47 +02:00 · 2016-08-23 14:46:06 +02:00 · 2016-08-23 14:43:07 +02:00 · 2016-08-23 14:42:43 +02:00 · 2016-08-23 14:42:11 +02:00
33 changed files with 7405 additions and 5062 deletions
--- a/include/Version.h
+++ b/include/Version.h
@@ -29,7 +29,7 @@
 // Product version as a single DWORD
 // Note: Used for version comparison within C/C++ code.
 //
-#define PRODUCT_VERSION          0x00ff0700
+#define PRODUCT_VERSION          0x00ff0a00
 //
 // Product version by components
@@ -39,26 +39,26 @@
 //
 #define PRODUCT_VERSION_MAJ      0
 #define PRODUCT_VERSION_MIN      255
-#define PRODUCT_VERSION_REV      7
+#define PRODUCT_VERSION_REV      10
 #define PRODUCT_VERSION_BUILD    0
 //
 // Human readable product version and build year for UI
 //
-#define PRODUCT_VERSION_STR      "1.0-alpha7"
+#define PRODUCT_VERSION_STR      "1.0-alpha10-owntls"
 #define PRODUCT_BUILD_YEAR_STR   "2016"
 //
 // Numerical version presentation for ProductVersion propery in
 // MSI packages (syntax: N.N[.N[.N]])
 //
-#define PRODUCT_VERSION_INST     "0.255.7"
+#define PRODUCT_VERSION_INST     "0.255.10"
 //
 // The product code for ProductCode property in MSI packages
 // Replace with new on every version change, regardless how minor it is.
 //
-#define PRODUCT_VERSION_GUID     "{54C2BA4B-EFC8-4F3E-A838-28744134A136}"
+#define PRODUCT_VERSION_GUID     "{C3675615-0D70-47C7-9BCB-B683A77C6ED6}"
 //
 // Since the product name is not finally confirmed at the time of
--- a/lib/EAPBase/include/Config.h
+++ b/lib/EAPBase/include/Config.h
@@ -89,7 +89,6 @@ inline void operator>>(_Inout_ eap::cursor_in &cursor, _Out_ eap::config &val);
 #include <eaptypes.h> // Must include after <Windows.h>
 #include <tchar.h>
 #include <list>
 #include <string>
 #include <memory>
@@ -342,7 +341,7 @@ namespace eap
        bool m_allow_save;                          ///< Are credentials allowed to be saved to Windows Credential Manager?
        bool m_use_preshared;                       ///< Use pre-shared credentials
        std::unique_ptr<credentials> m_preshared;   ///< Pre-shared credentials
-        bool m_cred_failed;                         ///< Did credential fail last time?
+        bool m_auth_failed;                         ///< Did credential fail last time?
    };
@@ -451,7 +450,7 @@ namespace eap
        winstd::tstring m_lbl_alt_credential;                   ///< Alternative label for credential prompt
        winstd::tstring m_lbl_alt_identity;                     ///< Alternative label for identity prompt
        winstd::tstring m_lbl_alt_password;                     ///< Alternative label for password prompt
-        std::list<std::unique_ptr<config_method> > m_methods;   ///< List of method configurations
+        std::vector<std::unique_ptr<config_method> > m_methods; ///< Array of method configurations
    };
@@ -551,7 +550,7 @@ namespace eap
        /// @}
    public:
-        std::list<eap::config_provider> m_providers;    ///< List of provider configurations
+        std::vector<eap::config_provider> m_providers;  ///< Array of provider configurations
    };
 }
--- a/lib/EAPBase/include/Credentials.h
+++ b/lib/EAPBase/include/Credentials.h
@@ -54,6 +54,18 @@ namespace eap
 {
    class credentials : public config
    {
    public:
        ///
        /// Credential source when combined
        ///
        enum  source_t {
            source_unknown = -1, ///< Unknown source
            source_cache = 0,    ///< Credentials were obtained from EAPHost cache
            source_preshared,    ///< Credentials were set by method configuration
            source_storage       ///< Credentials were loaded from Windows Credential Manager
        };
    public:
        ///
        /// Constructs credentials
@@ -158,26 +170,6 @@ namespace eap
        /// Returns credential name (for GUI display).
        ///
        virtual winstd::tstring get_name() const;
        ///
        /// Combine credentials in the following order:
        ///
        /// 1. Cached credentials
        /// 2. Pre-configured credentials
        /// 3. Stored credentials
        ///
        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL)
        /// \param[in] cfg            Method configuration
        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
        ///
        /// \returns
        /// - \c true  if credentials were set;
        /// - \c false otherwise
        ///
        virtual bool combine(
            _In_       const credentials       *cred_cached,
            _In_       config_method_with_cred &cfg,
            _In_opt_z_ LPCTSTR                 pszTargetName);
    };
--- a/lib/EAPBase/src/Config.cpp
+++ b/lib/EAPBase/src/Config.cpp
@@ -139,7 +139,7 @@ eap::config_method& eap::config_method::operator=(_Inout_ config_method &&other)
 eap::config_method_with_cred::config_method_with_cred(_In_ module &mod) :
    m_allow_save(true),
    m_use_preshared(false),
-    m_cred_failed(false),
+    m_auth_failed(false),
    config_method(mod)
 {
 }
@@ -149,7 +149,7 @@ eap::config_method_with_cred::config_method_with_cred(_In_ const config_method_w
    m_allow_save(other.m_allow_save),
    m_use_preshared(other.m_use_preshared),
    m_preshared(other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr),
-    m_cred_failed(other.m_cred_failed),
+    m_auth_failed(other.m_auth_failed),
    config_method(other)
 {
 }
@@ -159,7 +159,7 @@ eap::config_method_with_cred::config_method_with_cred(_Inout_ config_method_with
    m_allow_save(std::move(other.m_allow_save)),
    m_use_preshared(std::move(other.m_use_preshared)),
    m_preshared(std::move(other.m_preshared)),
-    m_cred_failed(std::move(other.m_cred_failed)),
+    m_auth_failed(std::move(other.m_auth_failed)),
    config_method(std::move(other))
 {
 }
@@ -172,7 +172,7 @@ eap::config_method_with_cred& eap::config_method_with_cred::operator=(_In_ const
        m_allow_save          = other.m_allow_save;
        m_use_preshared       = other.m_use_preshared;
        m_preshared.reset(other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr);
-        m_cred_failed         = other.m_cred_failed;
+        m_auth_failed         = other.m_auth_failed;
    }
    return *this;
@@ -186,7 +186,7 @@ eap::config_method_with_cred& eap::config_method_with_cred::operator=(_Inout_ co
        m_allow_save          = std::move(other.m_allow_save   );
        m_use_preshared       = std::move(other.m_use_preshared);
        m_preshared           = std::move(other.m_preshared    );
-        m_cred_failed         = std::move(other.m_cred_failed  );
+        m_auth_failed         = std::move(other.m_auth_failed  );
    }
    return *this;
@@ -248,7 +248,7 @@ void eap::config_method_with_cred::operator<<(_Inout_ cursor_out &cursor) const
    cursor << m_allow_save;
    cursor << m_use_preshared;
    cursor << *m_preshared;
-    cursor << m_cred_failed;
+    cursor << m_auth_failed;
 }
@@ -259,7 +259,7 @@ size_t eap::config_method_with_cred::get_pk_size() const
        pksizeof(m_allow_save   ) +
        pksizeof(m_use_preshared) +
        pksizeof(*m_preshared   ) +
-        pksizeof(m_cred_failed  );
+        pksizeof(m_auth_failed  );
 }
@@ -269,7 +269,7 @@ void eap::config_method_with_cred::operator>>(_Inout_ cursor_in &cursor)
    cursor >> m_allow_save;
    cursor >> m_use_preshared;
    cursor >> *m_preshared;
-    cursor >> m_cred_failed;
+    cursor >> m_auth_failed;
 }
@@ -296,7 +296,8 @@ eap::config_provider::config_provider(_In_ const config_provider &other) :
    m_lbl_alt_password(other.m_lbl_alt_password),
    config(other)
 {
-    for (list<unique_ptr<config_method> >::const_iterator method = other.m_methods.cbegin(), method_end = other.m_methods.cend(); method != method_end; ++method)
+    m_methods.reserve(other.m_methods.size());
    for (vector<unique_ptr<config_method> >::const_iterator method = other.m_methods.cbegin(), method_end = other.m_methods.cend(); method != method_end; ++method)
        m_methods.push_back(std::move(unique_ptr<config_method>(*method ? (config_method*)method->get()->clone() : nullptr)));
 }
@@ -332,7 +333,8 @@ eap::config_provider& eap::config_provider::operator=(_In_ const config_provider
        m_lbl_alt_password   = other.m_lbl_alt_password;
        m_methods.clear();
-        for (list<unique_ptr<config_method> >::const_iterator method = other.m_methods.cbegin(), method_end = other.m_methods.cend(); method != method_end; ++method)
+        m_methods.reserve(other.m_methods.size());
        for (vector<unique_ptr<config_method> >::const_iterator method = other.m_methods.cbegin(), method_end = other.m_methods.cend(); method != method_end; ++method)
            m_methods.push_back(std::move(unique_ptr<config_method>(*method ? (config_method*)method->get()->clone() : nullptr)));
    }
@@ -432,7 +434,7 @@ void eap::config_provider::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNode *pC
    if (FAILED(hr = eapxml::create_element(pDoc, pConfigRoot, bstr(L"eap-metadata:AuthenticationMethods"), bstr(L"AuthenticationMethods"), bstrNamespace, &pXmlElAuthenticationMethods)))
        throw com_runtime_error(hr, __FUNCTION__ " Error creating <AuthenticationMethods> element.");
-    for (list<unique_ptr<config_method> >::const_iterator method = m_methods.cbegin(), method_end = m_methods.cend(); method != method_end; ++method) {
+    for (vector<unique_ptr<config_method> >::const_iterator method = m_methods.cbegin(), method_end = m_methods.cend(); method != method_end; ++method) {
        // <AuthenticationMethod>
        com_obj<IXMLDOMElement> pXmlElAuthenticationMethod;
        if (FAILED(hr = eapxml::create_element(pDoc, bstr(L"AuthenticationMethod"), bstrNamespace, &pXmlElAuthenticationMethod)))
@@ -669,7 +671,7 @@ void eap::config_provider_list::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNod
    if (FAILED(hr = eapxml::select_node(pConfigRoot, bstr(L"eap-metadata:EAPIdentityProviderList"), &pXmlElIdentityProviderList)))
        throw com_runtime_error(hr, __FUNCTION__ " Error selecting <EAPIdentityProviderList> element.");
-    for (list<config_provider>::const_iterator provider = m_providers.cbegin(), provider_end = m_providers.cend(); provider != provider_end; ++provider) {
+    for (vector<config_provider>::const_iterator provider = m_providers.cbegin(), provider_end = m_providers.cend(); provider != provider_end; ++provider) {
        // <EAPIdentityProvider>
        com_obj<IXMLDOMElement> pXmlElIdentityProvider;
        if (FAILED(hr = eapxml::create_element(pDoc, bstr(L"EAPIdentityProvider"), bstrNamespace, &pXmlElIdentityProvider)))
--- a/lib/EAPBase/src/Credentials.cpp
+++ b/lib/EAPBase/src/Credentials.cpp
@@ -83,19 +83,6 @@ tstring eap::credentials::get_name() const
 }
 bool eap::credentials::combine(
    _In_       const credentials       *cred_cached,
    _In_       config_method_with_cred &cfg,
    _In_opt_z_ LPCTSTR                 pszTargetName)
 {
    UNREFERENCED_PARAMETER(cred_cached);
    UNREFERENCED_PARAMETER(cfg);
    UNREFERENCED_PARAMETER(pszTargetName);
    // When there's nothing to combine...
    return true;
 }
 //////////////////////////////////////////////////////////////////////
 // eap::credentials_pass
 //////////////////////////////////////////////////////////////////////
--- a/lib/EAPBase_UI/include/EAP_UI.h
+++ b/lib/EAPBase_UI/include/EAP_UI.h
@@ -20,6 +20,7 @@
 #include <wx/hyperlink.h>
 #include <wx/icon.h>
 #include <wx/scrolwin.h>
 #include <wx/statbmp.h>
 #include <Windows.h>
@@ -34,18 +35,21 @@ class wxEAPBannerPanel;
 ///
 template <class _wxT> class wxEAPConfigDialog;
 ///
 /// EAP general-use dialog
 ///
 class wxEAPGeneralDialog;
 ///
 /// EAP top-most credential dialog
 ///
 class wxEAPCredentialsDialog;
 ///
 /// EAP general note
 ///
 class wxEAPNotePanel;
 ///
 /// EAP provider-locked congifuration note
 ///
@@ -56,6 +60,21 @@ class wxEAPProviderLockedPanel;
 ///
 class wxEAPCredentialWarningPanel;
 ///
 /// EAP Configuration window
 ///
 class wxEAPConfigWindow;
 ///
 /// EAP provider identity config panel
 ///
 class wxEAPProviderIdentityPanel;
 ///
 /// EAP provider configuration dialog
 ///
 class wxEAPConfigProvider;
 ///
 /// Base template for credential configuration panel
 ///
@@ -76,6 +95,11 @@ template <class _Tcred, class _Tbase> class wxPasswordCredentialsPanel;
 ///
 inline bool wxSetIconFromResource(wxStaticBitmap *bmp, wxIcon &icon, HINSTANCE hinst, PCWSTR pszName);
 ///
 /// Returns GUI displayable provider name
 ///
 inline wxString wxEAPGetProviderName(const std::wstring &id);
 #pragma once
 #include <wx/msw/winundef.h> // Fixes `CreateDialog` name collision
@@ -128,10 +152,10 @@ public:
        // Set extra style here, as wxFormBuilder overrides all default flags.
        this->SetExtraStyle(this->GetExtraStyle() | wxWS_EX_VALIDATE_RECURSIVELY);
-        for (std::list<eap::config_provider>::iterator provider = m_cfg.m_providers.begin(), provider_end = m_cfg.m_providers.end(); provider != provider_end; ++provider) {
+        for (std::vector<eap::config_provider>::iterator provider = m_cfg.m_providers.begin(), provider_end = m_cfg.m_providers.end(); provider != provider_end; ++provider) {
            bool is_single = provider->m_methods.size() == 1;
-            std::list<std::unique_ptr<eap::config_method> >::size_type count = 0;
+            std::vector<std::unique_ptr<eap::config_method> >::size_type count = 0;
-            std::list<std::unique_ptr<eap::config_method> >::iterator method = provider->m_methods.begin(), method_end = provider->m_methods.end();
+            std::vector<std::unique_ptr<eap::config_method> >::iterator method = provider->m_methods.begin(), method_end = provider->m_methods.end();
            for (; method != method_end; ++method, count++)
                m_providers->AddPage(
                    new _wxT(
@@ -139,7 +163,9 @@ public:
                        *method->get(),
                        provider->m_id.c_str(),
                        m_providers),
-                    is_single ? provider->m_id : winstd::tstring_printf(_T("%s (%u)"), provider->m_id.c_str(), count));
+                    is_single ?
                        wxEAPGetProviderName(provider->m_id) :
                        winstd::tstring_printf(_T("%s (%u)"), wxEAPGetProviderName(provider->m_id), count));
        }
        this->Layout();
@@ -151,6 +177,7 @@ public:
 protected:
    /// \cond internal
    virtual void OnInitDialog(wxInitDialogEvent& event)
    {
        // Forward the event to child panels.
@@ -160,6 +187,22 @@ protected:
                prov->GetEventHandler()->ProcessEvent(event);
        }
    }
    virtual void OnUpdateUI(wxUpdateUIEvent& event)
    {
        UNREFERENCED_PARAMETER(event);
        m_advanced->Enable(!m_cfg.m_providers.at(m_providers->GetSelection()).m_read_only);
    }
    virtual void OnAdvanced(wxCommandEvent& event)
    {
        UNREFERENCED_PARAMETER(event);
        wxEAPConfigProvider dlg(m_cfg.m_providers.at(m_providers->GetSelection()), this);
        dlg.ShowModal();
    }
    /// \endcond
@@ -168,23 +211,38 @@ protected:
 };
-class wxEAPCredentialsDialog : public wxEAPCredentialsDialogBase
+class wxEAPGeneralDialog : public wxEAPGeneralDialogBase
 {
 public:
    ///
    /// Constructs a dialog
    ///
    wxEAPGeneralDialog(wxWindow* parent, const wxString& title = wxEmptyString);
    ///
    /// Adds panels to the dialog
    ///
    void AddContent(wxPanel **contents, size_t content_count);
    ///
    /// Adds single panel to the dialog
    ///
    void AddContent(wxPanel *content);
 protected:
    /// \cond internal
    virtual void OnInitDialog(wxInitDialogEvent& event);
    /// \endcond
 };
 class wxEAPCredentialsDialog : public wxEAPGeneralDialog
 {
 public:
    ///
    /// Constructs a credential dialog
    ///
    wxEAPCredentialsDialog(const eap::config_provider &prov, wxWindow* parent);
    ///
    /// Adds panels to the dialog
    ///
    void AddContents(wxPanel **contents, size_t content_count);
 protected:
    /// \cond internal
    virtual void OnInitDialog(wxInitDialogEvent& event);
    /// \endcond
 };
@@ -265,6 +323,103 @@ protected:
 };
 class wxEAPConfigWindow : public wxScrolledWindow
 {
 public:
    ///
    /// Constructs a configuration window
    ///
    /// \param[in]    prov    Provider configuration data
    /// \param[inout] cfg     Configuration data
    /// \param[in]    parent  Parent window
    ///
    wxEAPConfigWindow(const eap::config_provider &prov, eap::config_method &cfg, wxWindow* parent);
    ///
    /// Destructs the configuration window
    ///
    virtual ~wxEAPConfigWindow();
 protected:
    /// \cond internal
    virtual void OnInitDialog(wxInitDialogEvent& event);
    virtual void OnUpdateUI(wxUpdateUIEvent& event);
    /// \endcond
 protected:
    const eap::config_provider &m_prov;     ///< EAP provider
    eap::config_method &m_cfg;              ///< Method configuration
 };
 class wxEAPProviderIdentityPanel : public wxEAPProviderIdentityPanelBase
 {
 public:
    ///
    /// Constructs a provider identity pannel
    ///
    /// \param[inout] prov    Provider configuration data
    /// \param[in]    parent  Parent window
    ///
    wxEAPProviderIdentityPanel(eap::config_provider &prov, wxWindow* parent);
    friend class wxEAPConfigProvider; // Allows direct setting of keyboard focus
 protected:
    /// \cond internal
    virtual bool TransferDataToWindow();
    virtual bool TransferDataFromWindow();
    /// \endcond
 protected:
    eap::config_provider &m_prov;   ///< EAP method configuration
    winstd::library m_shell32;      ///< shell32.dll resource library reference
    wxIcon m_icon;                  ///< Panel icon
 };
 class wxEAPProviderLockPanel : public wxEAPProviderLockPanelBase
 {
 public:
    ///
    /// Constructs a provider lock pannel
    ///
    /// \param[inout] prov    Provider configuration data
    /// \param[in]    parent  Parent window
    ///
    wxEAPProviderLockPanel(eap::config_provider &prov, wxWindow* parent);
 protected:
    /// \cond internal
    virtual bool TransferDataToWindow();
    virtual bool TransferDataFromWindow();
    /// \endcond
 protected:
    eap::config_provider &m_prov;   ///< EAP method configuration
    winstd::library m_shell32;      ///< shell32.dll resource library reference
    wxIcon m_icon;                  ///< Panel icon
 };
 class wxEAPConfigProvider : public wxEAPGeneralDialog
 {
 public:
    ///
    /// Constructs a provider config dialog
    ///
    /// \param[inout] prov    Provider configuration data
    /// \param[in]    parent  Parent window
    ///
    wxEAPConfigProvider(eap::config_provider &prov, wxWindow* parent);
 protected:
    eap::config_provider &m_prov;           ///< EAP method configuration
    wxEAPProviderIdentityPanel *m_identity; ///< Provider identity panel
    wxEAPProviderLockPanel *m_lock;         ///< Provider lock panel
 };
 template <class _Tcred, class _wxT>
 class wxEAPCredentialsConfigPanel : public wxEAPCredentialsConfigPanelBase
 {
@@ -289,6 +444,14 @@ public:
            wxSetIconFromResource(m_credentials_icon, m_icon, m_shell32, MAKEINTRESOURCE(/*16770*/269));
    }
    ///
    /// Sets keyboard focus to the first control that do not capture mouse wheel
    ///
    inline void SetFocusFromKbd()
    {
        m_own->SetFocusFromKbd();
    }
 protected:
    /// \cond internal
@@ -402,7 +565,7 @@ protected:
        // Display credential prompt.
        wxEAPCredentialsDialog dlg(m_prov, this);
        _wxT *panel = new _wxT(m_prov, m_cfg, cred, m_target.c_str(), &dlg, true);
-        dlg.AddContents((wxPanel**)&panel, 1);
+        dlg.AddContent(panel);
        if (dlg.ShowModal() == wxID_OK && panel->GetRememberValue()) {
            // Write credentials to credential manager.
            try {
@@ -433,7 +596,7 @@ protected:
        _wxT *panel = new _wxT(m_prov, m_cfg, m_cred, _T(""), &dlg, true);
-        dlg.AddContents((wxPanel**)&panel, 1);
+        dlg.AddContent(panel);
        dlg.ShowModal();
    }
@@ -486,6 +649,11 @@ public:
        this->Disconnect(wxEVT_UPDATE_UI, wxUpdateUIEventHandler(_Tthis::OnUpdateUI));
    }
    inline void SetRememberValue(bool val)
    {
        return m_remember->SetValue(val);
    }
    inline bool GetRememberValue() const
    {
        return m_remember->GetValue();
@@ -576,12 +744,12 @@ protected:
        m_identity->SetSelection(0, -1);
        m_password->SetValue(m_cred.m_password.empty() ? wxEmptyString : s_dummy_password);
-        return wxEAPCredentialsPanelBase<_Tcred, wxEAPCredentialsPanelPassBase>::TransferDataToWindow();
+        return wxEAPCredentialsPanelBase<_Tcred, wxEAPCredentialsPassPanelBase>::TransferDataToWindow();
    }
    virtual bool TransferDataFromWindow()
    {
-        if (!wxEAPCredentialsPanelBase<_Tcred, wxEAPCredentialsPanelPassBase>::TransferDataFromWindow())
+        if (!wxEAPCredentialsPanelBase<_Tcred, wxEAPCredentialsPassPanelBase>::TransferDataFromWindow())
            return false;
        m_cred.m_identity = m_identity->GetValue();
@@ -604,7 +772,7 @@ protected:
            m_password      ->Enable(false);
        }
-        wxEAPCredentialsPanelBase<_Tcred, wxEAPCredentialsPanelPassBase>::OnUpdateUI(event);
+        wxEAPCredentialsPanelBase<_Tcred, wxEAPCredentialsPassPanelBase>::OnUpdateUI(event);
    }
    /// \endcond
@@ -633,3 +801,10 @@ inline bool wxSetIconFromResource(wxStaticBitmap *bmp, wxIcon &icon, HINSTANCE h
    } else
        return false;
 }
 inline wxString wxEAPGetProviderName(const std::wstring &id)
 {
    return
        !id.empty() ? id : _("<Your Organization>");
 }
--- a/lib/EAPBase_UI/res/wxEAP_UI.cpp
+++ b/lib/EAPBase_UI/res/wxEAP_UI.cpp
@@ -28,6 +28,20 @@ wxEAPConfigDialogBase::wxEAPConfigDialogBase( wxWindow* parent, wxWindowID id, c
 	sb_content->Add( m_providers, 1, wxEXPAND|wxALL, 10 );
 	wxBoxSizer* sb_bottom_horiz;
 	sb_bottom_horiz = new wxBoxSizer( wxHORIZONTAL );
 	wxBoxSizer* sb_bottom_horiz_inner;
 	sb_bottom_horiz_inner = new wxBoxSizer( wxHORIZONTAL );
 	m_advanced = new wxButton( this, wxID_ANY, _("Advanced..."), wxDefaultPosition, wxDefaultSize, 0 );
 	m_advanced->SetToolTip( _("Opens dialog with provider settings") );
 	sb_bottom_horiz_inner->Add( m_advanced, 0, wxALL, 5 );
 	sb_bottom_horiz->Add( sb_bottom_horiz_inner, 1, wxEXPAND, 5 );
 	m_buttons = new wxStdDialogButtonSizer();
 	m_buttonsOK = new wxButton( this, wxID_OK );
 	m_buttons->AddButton( m_buttonsOK );
@@ -35,7 +49,10 @@ wxEAPConfigDialogBase::wxEAPConfigDialogBase( wxWindow* parent, wxWindowID id, c
 	m_buttons->AddButton( m_buttonsCancel );
 	m_buttons->Realize();
-	sb_content->Add( m_buttons, 0, wxEXPAND|wxALL, 5 );
+	sb_bottom_horiz->Add( m_buttons, 0, wxEXPAND|wxALL, 5 );
 	sb_content->Add( sb_bottom_horiz, 0, wxEXPAND, 5 );
 	this->SetSizer( sb_content );
@@ -44,16 +61,20 @@ wxEAPConfigDialogBase::wxEAPConfigDialogBase( wxWindow* parent, wxWindowID id, c
 	// Connect Events
 	this->Connect( wxEVT_INIT_DIALOG, wxInitDialogEventHandler( wxEAPConfigDialogBase::OnInitDialog ) );
 	this->Connect( wxEVT_UPDATE_UI, wxUpdateUIEventHandler( wxEAPConfigDialogBase::OnUpdateUI ) );
 	m_advanced->Connect( wxEVT_COMMAND_BUTTON_CLICKED, wxCommandEventHandler( wxEAPConfigDialogBase::OnAdvanced ), NULL, this );
 }
 wxEAPConfigDialogBase::~wxEAPConfigDialogBase()
 {
 	// Disconnect Events
 	this->Disconnect( wxEVT_INIT_DIALOG, wxInitDialogEventHandler( wxEAPConfigDialogBase::OnInitDialog ) );
 	this->Disconnect( wxEVT_UPDATE_UI, wxUpdateUIEventHandler( wxEAPConfigDialogBase::OnUpdateUI ) );
 	m_advanced->Disconnect( wxEVT_COMMAND_BUTTON_CLICKED, wxCommandEventHandler( wxEAPConfigDialogBase::OnAdvanced ), NULL, this );
 }
-wxEAPCredentialsDialogBase::wxEAPCredentialsDialogBase( wxWindow* parent, wxWindowID id, const wxString& title, const wxPoint& pos, const wxSize& size, long style ) : wxDialog( parent, id, title, pos, size, style )
+wxEAPGeneralDialogBase::wxEAPGeneralDialogBase( wxWindow* parent, wxWindowID id, const wxString& title, const wxPoint& pos, const wxSize& size, long style ) : wxDialog( parent, id, title, pos, size, style )
 {
 	this->SetSizeHints( wxDefaultSize, wxDefaultSize );
@@ -84,13 +105,13 @@ wxEAPCredentialsDialogBase::wxEAPCredentialsDialogBase( wxWindow* parent, wxWind
 	sb_content->Fit( this );
 	// Connect Events
-	this->Connect( wxEVT_INIT_DIALOG, wxInitDialogEventHandler( wxEAPCredentialsDialogBase::OnInitDialog ) );
+	this->Connect( wxEVT_INIT_DIALOG, wxInitDialogEventHandler( wxEAPGeneralDialogBase::OnInitDialog ) );
 }
-wxEAPCredentialsDialogBase::~wxEAPCredentialsDialogBase()
+wxEAPGeneralDialogBase::~wxEAPGeneralDialogBase()
 {
 	// Disconnect Events
-	this->Disconnect( wxEVT_INIT_DIALOG, wxInitDialogEventHandler( wxEAPCredentialsDialogBase::OnInitDialog ) );
+	this->Disconnect( wxEVT_INIT_DIALOG, wxInitDialogEventHandler( wxEAPGeneralDialogBase::OnInitDialog ) );
 }
@@ -99,20 +120,20 @@ wxEAPBannerPanelBase::wxEAPBannerPanelBase( wxWindow* parent, wxWindowID id, con
 	this->SetBackgroundColour( wxSystemSettings::GetColour( wxSYS_COLOUR_HIGHLIGHT ) );
 	this->SetMinSize( wxSize( -1,48 ) );
-	wxBoxSizer* sc_content;
+	wxBoxSizer* sb_content;
-	sc_content = new wxBoxSizer( wxVERTICAL );
+	sb_content = new wxBoxSizer( wxVERTICAL );
 	m_title = new wxStaticText( this, wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, wxALIGN_RIGHT );
 	m_title->Wrap( -1 );
 	m_title->SetFont( wxFont( 18, 70, 90, 90, false, wxEmptyString ) );
 	m_title->SetForegroundColour( wxSystemSettings::GetColour( wxSYS_COLOUR_HIGHLIGHTTEXT ) );
-	sc_content->Add( m_title, 0, wxALL|wxEXPAND, 5 );
+	sb_content->Add( m_title, 0, wxALL|wxEXPAND, 5 );
-	this->SetSizer( sc_content );
+	this->SetSizer( sb_content );
 	this->Layout();
-	sc_content->Fit( this );
+	sb_content->Fit( this );
 }
 wxEAPBannerPanelBase::~wxEAPBannerPanelBase()
@@ -269,7 +290,7 @@ wxEAPCredentialsConfigPanelBase::~wxEAPCredentialsConfigPanelBase()
 }
-wxEAPCredentialsPanelPassBase::wxEAPCredentialsPanelPassBase( wxWindow* parent, wxWindowID id, const wxPoint& pos, const wxSize& size, long style ) : wxPanel( parent, id, pos, size, style )
+wxEAPCredentialsPassPanelBase::wxEAPCredentialsPassPanelBase( wxWindow* parent, wxWindowID id, const wxPoint& pos, const wxSize& size, long style ) : wxPanel( parent, id, pos, size, style )
 {
 	wxStaticBoxSizer* sb_credentials;
 	sb_credentials = new wxStaticBoxSizer( new wxStaticBox( this, wxID_ANY, _("Client Credentials") ), wxVERTICAL );
@@ -330,6 +351,168 @@ wxEAPCredentialsPanelPassBase::wxEAPCredentialsPanelPassBase( wxWindow* parent,
 	this->Layout();
 }
-wxEAPCredentialsPanelPassBase::~wxEAPCredentialsPanelPassBase()
+wxEAPCredentialsPassPanelBase::~wxEAPCredentialsPassPanelBase()
 {
 }
 wxEAPProviderIdentityPanelBase::wxEAPProviderIdentityPanelBase( wxWindow* parent, wxWindowID id, const wxPoint& pos, const wxSize& size, long style ) : wxPanel( parent, id, pos, size, style )
 {
 	wxStaticBoxSizer* sb_provider_id;
 	sb_provider_id = new wxStaticBoxSizer( new wxStaticBox( this, wxID_ANY, _("Your Organization") ), wxVERTICAL );
 	wxBoxSizer* sb_provider_id_horiz;
 	sb_provider_id_horiz = new wxBoxSizer( wxHORIZONTAL );
 	m_provider_id_icon = new wxStaticBitmap( sb_provider_id->GetStaticBox(), wxID_ANY, wxNullBitmap, wxDefaultPosition, wxDefaultSize, 0 );
 	sb_provider_id_horiz->Add( m_provider_id_icon, 0, wxALL, 5 );
 	wxBoxSizer* sb_provider_id_vert;
 	sb_provider_id_vert = new wxBoxSizer( wxVERTICAL );
 	m_provider_id_label = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _("Describe your organization to customize user prompts.  When organization is introduced, end-users find program messages easier to understand and act."), wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_id_label->Wrap( 446 );
 	sb_provider_id_vert->Add( m_provider_id_label, 0, wxALL|wxEXPAND, 5 );
 	wxBoxSizer* sb_provider_name;
 	sb_provider_name = new wxBoxSizer( wxVERTICAL );
 	m_provider_name_label = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _("Your organization &name:"), wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_name_label->Wrap( -1 );
 	sb_provider_name->Add( m_provider_name_label, 0, wxBOTTOM, 5 );
 	m_provider_name = new wxTextCtrl( sb_provider_id->GetStaticBox(), wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_name->SetToolTip( _("Your organization name as it will appear on helpdesk contact notifications") );
 	sb_provider_name->Add( m_provider_name, 0, wxEXPAND|wxBOTTOM, 5 );
 	m_provider_name_note = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _("(Keep it short, please)"), wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_name_note->Wrap( -1 );
 	sb_provider_name->Add( m_provider_name_note, 0, wxALIGN_RIGHT, 5 );
 	sb_provider_id_vert->Add( sb_provider_name, 0, wxEXPAND|wxALL, 5 );
 	wxBoxSizer* sb_provider_helpdesk;
 	sb_provider_helpdesk = new wxBoxSizer( wxVERTICAL );
 	m_provider_helpdesk_label = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _("Helpdesk contact &information:"), wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_helpdesk_label->Wrap( -1 );
 	sb_provider_helpdesk->Add( m_provider_helpdesk_label, 0, wxBOTTOM, 5 );
 	wxFlexGridSizer* sb_provider_helpdesk_inner;
 	sb_provider_helpdesk_inner = new wxFlexGridSizer( 0, 2, 0, 0 );
 	sb_provider_helpdesk_inner->AddGrowableCol( 1 );
 	sb_provider_helpdesk_inner->SetFlexibleDirection( wxBOTH );
 	sb_provider_helpdesk_inner->SetNonFlexibleGrowMode( wxFLEX_GROWMODE_SPECIFIED );
 	m_provider_web_icon = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _("¶"), wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_web_icon->Wrap( -1 );
 	m_provider_web_icon->SetFont( wxFont( wxNORMAL_FONT->GetPointSize(), 70, 90, 90, false, wxT("Wingdings") ) );
 	sb_provider_helpdesk_inner->Add( m_provider_web_icon, 0, wxALIGN_CENTER_VERTICAL|wxBOTTOM|wxRIGHT, 5 );
 	m_provider_web = new wxTextCtrl( sb_provider_id->GetStaticBox(), wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_web->SetToolTip( _("Your helpdesk website") );
 	sb_provider_helpdesk_inner->Add( m_provider_web, 1, wxEXPAND|wxALIGN_CENTER_VERTICAL|wxBOTTOM, 5 );
 	m_provider_email_icon = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _("*"), wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_email_icon->Wrap( -1 );
 	m_provider_email_icon->SetFont( wxFont( wxNORMAL_FONT->GetPointSize(), 70, 90, 90, false, wxT("Wingdings") ) );
 	sb_provider_helpdesk_inner->Add( m_provider_email_icon, 0, wxALIGN_CENTER_VERTICAL|wxBOTTOM|wxRIGHT, 5 );
 	m_provider_email = new wxTextCtrl( sb_provider_id->GetStaticBox(), wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_email->SetToolTip( _("Your helpdesk e-mail address") );
 	sb_provider_helpdesk_inner->Add( m_provider_email, 1, wxEXPAND|wxALIGN_CENTER_VERTICAL|wxBOTTOM, 5 );
 	m_provider_phone_icon = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _(")"), wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_phone_icon->Wrap( -1 );
 	m_provider_phone_icon->SetFont( wxFont( wxNORMAL_FONT->GetPointSize(), 70, 90, 90, false, wxT("Wingdings") ) );
 	sb_provider_helpdesk_inner->Add( m_provider_phone_icon, 0, wxALIGN_CENTER_VERTICAL|wxRIGHT, 5 );
 	m_provider_phone = new wxTextCtrl( sb_provider_id->GetStaticBox(), wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_phone->SetToolTip( _("Your helpdesk phone number") );
 	sb_provider_helpdesk_inner->Add( m_provider_phone, 1, wxEXPAND|wxALIGN_CENTER_VERTICAL, 5 );
 	sb_provider_helpdesk->Add( sb_provider_helpdesk_inner, 1, wxEXPAND, 5 );
 	sb_provider_id_vert->Add( sb_provider_helpdesk, 1, wxEXPAND, 5 );
 	sb_provider_id_horiz->Add( sb_provider_id_vert, 1, wxEXPAND, 5 );
 	sb_provider_id->Add( sb_provider_id_horiz, 1, wxEXPAND, 5 );
 	this->SetSizer( sb_provider_id );
 	this->Layout();
 	// Connect Events
 	this->Connect( wxEVT_UPDATE_UI, wxUpdateUIEventHandler( wxEAPProviderIdentityPanelBase::OnUpdateUI ) );
 }
 wxEAPProviderIdentityPanelBase::~wxEAPProviderIdentityPanelBase()
 {
 	// Disconnect Events
 	this->Disconnect( wxEVT_UPDATE_UI, wxUpdateUIEventHandler( wxEAPProviderIdentityPanelBase::OnUpdateUI ) );
 }
 wxEAPProviderLockPanelBase::wxEAPProviderLockPanelBase( wxWindow* parent, wxWindowID id, const wxPoint& pos, const wxSize& size, long style ) : wxPanel( parent, id, pos, size, style )
 {
 	wxStaticBoxSizer* sb_provider_lock;
 	sb_provider_lock = new wxStaticBoxSizer( new wxStaticBox( this, wxID_ANY, _("Configuration Lock") ), wxVERTICAL );
 	wxBoxSizer* sb_provider_lock_horiz;
 	sb_provider_lock_horiz = new wxBoxSizer( wxHORIZONTAL );
 	m_provider_lock_icon = new wxStaticBitmap( sb_provider_lock->GetStaticBox(), wxID_ANY, wxNullBitmap, wxDefaultPosition, wxDefaultSize, 0 );
 	sb_provider_lock_horiz->Add( m_provider_lock_icon, 0, wxALL, 5 );
 	wxBoxSizer* sb_provider_lock_vert;
 	sb_provider_lock_vert = new wxBoxSizer( wxVERTICAL );
 	m_provider_lock_label = new wxStaticText( sb_provider_lock->GetStaticBox(), wxID_ANY, _("Your configuration can be locked to prevent accidental modification by end-users. Users will only be allowed to enter credentials."), wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_lock_label->Wrap( 446 );
 	sb_provider_lock_vert->Add( m_provider_lock_label, 0, wxALL|wxEXPAND, 5 );
 	wxBoxSizer* sb_provider_name;
 	sb_provider_name = new wxBoxSizer( wxVERTICAL );
 	m_provider_lock = new wxCheckBox( sb_provider_lock->GetStaticBox(), wxID_ANY, _("&Lock this configuration and prevent any further modification via user interface."), wxDefaultPosition, wxDefaultSize, 0 );
 	sb_provider_name->Add( m_provider_lock, 0, wxEXPAND|wxBOTTOM, 5 );
 	m_provider_lock_note = new wxStaticText( sb_provider_lock->GetStaticBox(), wxID_ANY, _("(Warning: Once locked, you can not revert using this dialog!)"), wxDefaultPosition, wxDefaultSize, 0 );
 	m_provider_lock_note->Wrap( -1 );
 	sb_provider_name->Add( m_provider_lock_note, 0, wxALIGN_RIGHT, 5 );
 	sb_provider_lock_vert->Add( sb_provider_name, 0, wxEXPAND|wxALL, 5 );
 	sb_provider_lock_horiz->Add( sb_provider_lock_vert, 1, wxEXPAND, 5 );
 	sb_provider_lock->Add( sb_provider_lock_horiz, 1, wxEXPAND, 5 );
 	this->SetSizer( sb_provider_lock );
 	this->Layout();
 	// Connect Events
 	this->Connect( wxEVT_UPDATE_UI, wxUpdateUIEventHandler( wxEAPProviderLockPanelBase::OnUpdateUI ) );
 }
 wxEAPProviderLockPanelBase::~wxEAPProviderLockPanelBase()
 {
 	// Disconnect Events
 	this->Disconnect( wxEVT_UPDATE_UI, wxUpdateUIEventHandler( wxEAPProviderLockPanelBase::OnUpdateUI ) );
 }
--- a/lib/EAPBase_UI/res/wxEAP_UI.fbp
+++ b/lib/EAPBase_UI/res/wxEAP_UI.fbp
--- a/lib/EAPBase_UI/res/wxEAP_UI.h
+++ b/lib/EAPBase_UI/res/wxEAP_UI.h
@@ -18,8 +18,8 @@ class wxEAPBannerPanel;
 #include <wx/settings.h>
 #include <wx/string.h>
 #include <wx/notebook.h>
 #include <wx/sizer.h>
 #include <wx/button.h>
 #include <wx/sizer.h>
 #include <wx/dialog.h>
 #include <wx/stattext.h>
 #include <wx/panel.h>
@@ -44,12 +44,15 @@ class wxEAPConfigDialogBase : public wxDialog
 	protected:
 		wxEAPBannerPanel *m_banner;
 		wxNotebook* m_providers;
 		wxButton* m_advanced;
 		wxStdDialogButtonSizer* m_buttons;
 		wxButton* m_buttonsOK;
 		wxButton* m_buttonsCancel;
 		// Virtual event handlers, overide them in your derived class
 		virtual void OnInitDialog( wxInitDialogEvent& event ) { event.Skip(); }
 		virtual void OnUpdateUI( wxUpdateUIEvent& event ) { event.Skip(); }
 		virtual void OnAdvanced( wxCommandEvent& event ) { event.Skip(); }
 	public:
@@ -60,9 +63,9 @@ class wxEAPConfigDialogBase : public wxDialog
 };
 ///////////////////////////////////////////////////////////////////////////////
-/// Class wxEAPCredentialsDialogBase
+/// Class wxEAPGeneralDialogBase
 ///////////////////////////////////////////////////////////////////////////////
-class wxEAPCredentialsDialogBase : public wxDialog 
+class wxEAPGeneralDialogBase : public wxDialog 
 {
 	private:
@@ -79,8 +82,8 @@ class wxEAPCredentialsDialogBase : public wxDialog
 	public:
-		wxEAPCredentialsDialogBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxString& title = _("EAP Credentials"), const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxDefaultSize, long style = wxDEFAULT_DIALOG_STYLE ); 
+		wxEAPGeneralDialogBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxString& title = wxEmptyString, const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxDefaultSize, long style = wxDEFAULT_DIALOG_STYLE ); 
-		~wxEAPCredentialsDialogBase();
+		~wxEAPGeneralDialogBase();
 };
@@ -153,9 +156,9 @@ class wxEAPCredentialsConfigPanelBase : public wxPanel
 };
 ///////////////////////////////////////////////////////////////////////////////
-/// Class wxEAPCredentialsPanelPassBase
+/// Class wxEAPCredentialsPassPanelBase
 ///////////////////////////////////////////////////////////////////////////////
-class wxEAPCredentialsPanelPassBase : public wxPanel 
+class wxEAPCredentialsPassPanelBase : public wxPanel 
 {
 	private:
@@ -170,8 +173,64 @@ class wxEAPCredentialsPanelPassBase : public wxPanel
 	public:
-		wxEAPCredentialsPanelPassBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxSize( 500,-1 ), long style = wxTAB_TRAVERSAL ); 
+		wxEAPCredentialsPassPanelBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxSize( 500,-1 ), long style = wxTAB_TRAVERSAL ); 
-		~wxEAPCredentialsPanelPassBase();
+		~wxEAPCredentialsPassPanelBase();
 };
 ///////////////////////////////////////////////////////////////////////////////
 /// Class wxEAPProviderIdentityPanelBase
 ///////////////////////////////////////////////////////////////////////////////
 class wxEAPProviderIdentityPanelBase : public wxPanel 
 {
 	private:
 	protected:
 		wxStaticBitmap* m_provider_id_icon;
 		wxStaticText* m_provider_id_label;
 		wxStaticText* m_provider_name_label;
 		wxTextCtrl* m_provider_name;
 		wxStaticText* m_provider_name_note;
 		wxStaticText* m_provider_helpdesk_label;
 		wxStaticText* m_provider_web_icon;
 		wxTextCtrl* m_provider_web;
 		wxStaticText* m_provider_email_icon;
 		wxTextCtrl* m_provider_email;
 		wxStaticText* m_provider_phone_icon;
 		wxTextCtrl* m_provider_phone;
 		// Virtual event handlers, overide them in your derived class
 		virtual void OnUpdateUI( wxUpdateUIEvent& event ) { event.Skip(); }
 	public:
 		wxEAPProviderIdentityPanelBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxSize( 500,-1 ), long style = wxTAB_TRAVERSAL ); 
 		~wxEAPProviderIdentityPanelBase();
 };
 ///////////////////////////////////////////////////////////////////////////////
 /// Class wxEAPProviderLockPanelBase
 ///////////////////////////////////////////////////////////////////////////////
 class wxEAPProviderLockPanelBase : public wxPanel 
 {
 	private:
 	protected:
 		wxStaticBitmap* m_provider_lock_icon;
 		wxStaticText* m_provider_lock_label;
 		wxCheckBox* m_provider_lock;
 		wxStaticText* m_provider_lock_note;
 		// Virtual event handlers, overide them in your derived class
 		virtual void OnUpdateUI( wxUpdateUIEvent& event ) { event.Skip(); }
 	public:
 		wxEAPProviderLockPanelBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxSize( 500,-1 ), long style = wxTAB_TRAVERSAL ); 
 		~wxEAPProviderLockPanelBase();
 };
--- a/lib/EAPBase_UI/src/EAP_UI.cpp
+++ b/lib/EAPBase_UI/src/EAP_UI.cpp
@@ -38,22 +38,19 @@ bool wxEAPBannerPanel::AcceptsFocusFromKeyboard() const
 //////////////////////////////////////////////////////////////////////
-// wxEAPCredentialsDialog
+// wxEAPGeneralDialog
 //////////////////////////////////////////////////////////////////////
-wxEAPCredentialsDialog::wxEAPCredentialsDialog(const eap::config_provider &prov, wxWindow* parent) : wxEAPCredentialsDialogBase(parent)
+wxEAPGeneralDialog::wxEAPGeneralDialog(wxWindow* parent, const wxString& title) : wxEAPGeneralDialogBase(parent, wxID_ANY, title)
 {
    // Set extra style here, as wxFormBuilder overrides all default flags.
    this->SetExtraStyle(this->GetExtraStyle() | wxWS_EX_VALIDATE_RECURSIVELY);
    // Set banner title.
    m_banner->m_title->SetLabel(wxString::Format(_("%s Credentials"), prov.m_id.c_str()));
    m_buttonsOK->SetDefault();
 }
-void wxEAPCredentialsDialog::AddContents(wxPanel **contents, size_t content_count)
+void wxEAPGeneralDialog::AddContent(wxPanel **contents, size_t content_count)
 {
    if (content_count) {
        for (size_t i = 0; i < content_count; i++)
@@ -66,13 +63,30 @@ void wxEAPCredentialsDialog::AddContents(wxPanel **contents, size_t content_coun
 }
-void wxEAPCredentialsDialog::OnInitDialog(wxInitDialogEvent& event)
+void wxEAPGeneralDialog::AddContent(wxPanel *content)
 {
    AddContent(&content, 1);
 }
 void wxEAPGeneralDialog::OnInitDialog(wxInitDialogEvent& event)
 {
    for (wxSizerItemList::compatibility_iterator panel = m_panels->GetChildren().GetFirst(); panel; panel = panel->GetNext())
        panel->GetData()->GetWindow()->GetEventHandler()->ProcessEvent(event);
 }
 //////////////////////////////////////////////////////////////////////
 // wxEAPCredentialsDialog
 //////////////////////////////////////////////////////////////////////
 wxEAPCredentialsDialog::wxEAPCredentialsDialog(const eap::config_provider &prov, wxWindow* parent) : wxEAPGeneralDialog(parent, _("EAP Credentials"))
 {
    // Set banner title.
    m_banner->m_title->SetLabel(wxString::Format(_("%s Credentials"), wxEAPGetProviderName(prov.m_id).c_str()));
 }
 //////////////////////////////////////////////////////////////////////
 // wxEAPNotePanel
 //////////////////////////////////////////////////////////////////////
@@ -182,10 +196,150 @@ wxEAPCredentialWarningPanel::wxEAPCredentialWarningPanel(const eap::config_provi
    if (m_shell32.load(_T("shell32.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
        wxSetIconFromResource(m_note_icon, m_icon, m_shell32, MAKEINTRESOURCE(161));
-    m_note_label->SetLabel(_("Previous attempt to connect using provided credentials failed. Please, make sure your credentials are correct, or try again later."));
+    m_note_label->SetLabel(_("Previous attempt to connect failed. Please, make sure your credentials are correct, or try again later."));
    m_note_label->Wrap(449);
    CreateContactFields(prov);
    this->Layout();
 }
 //////////////////////////////////////////////////////////////////////
 // wxEAPConfigWindow
 //////////////////////////////////////////////////////////////////////
 wxEAPConfigWindow::wxEAPConfigWindow(const eap::config_provider &prov, eap::config_method &cfg, wxWindow* parent) :
    m_prov(prov),
    m_cfg(cfg),
    wxScrolledWindow(parent, wxID_ANY, wxDefaultPosition, wxDefaultSize, wxVSCROLL)
 {
    this->SetScrollRate(5, 5);
    // Connect Events
    this->Connect(wxEVT_INIT_DIALOG, wxInitDialogEventHandler(wxEAPConfigWindow::OnInitDialog));
    this->Connect(wxEVT_UPDATE_UI, wxUpdateUIEventHandler(wxEAPConfigWindow::OnUpdateUI));
 }
 wxEAPConfigWindow::~wxEAPConfigWindow()
 {
    // Disconnect Events
    this->Disconnect(wxEVT_UPDATE_UI, wxUpdateUIEventHandler(wxEAPConfigWindow::OnUpdateUI));
    this->Disconnect(wxEVT_INIT_DIALOG, wxInitDialogEventHandler(wxEAPConfigWindow::OnInitDialog));
 }
 void wxEAPConfigWindow::OnInitDialog(wxInitDialogEvent& event)
 {
    UNREFERENCED_PARAMETER(event);
    // Call TransferDataToWindow() manually, as wxScrolledWindow somehow skips that.
    TransferDataToWindow();
 }
 void wxEAPConfigWindow::OnUpdateUI(wxUpdateUIEvent& event)
 {
    UNREFERENCED_PARAMETER(event);
    if (m_parent && m_parent->IsKindOf(wxCLASSINFO(wxNotebook))) {
        // We're a notebook page. Set the ID of our provider as our page label.
        wxNotebook *notebook = (wxNotebook*)m_parent;
        int idx = notebook->FindPage(this);
        if (idx != wxNOT_FOUND)
            notebook->SetPageText(idx, wxEAPGetProviderName(m_prov.m_id));
    } else
        this->SetLabel(wxEAPGetProviderName(m_prov.m_id));
 }
 //////////////////////////////////////////////////////////////////////
 // wxEAPProviderIdentityPanel
 //////////////////////////////////////////////////////////////////////
 wxEAPProviderIdentityPanel::wxEAPProviderIdentityPanel(eap::config_provider &prov, wxWindow* parent) :
    m_prov(prov),
    wxEAPProviderIdentityPanelBase(parent)
 {
    // Load and set icon.
    if (m_shell32.load(_T("shell32.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
        wxSetIconFromResource(m_provider_id_icon, m_icon, m_shell32, MAKEINTRESOURCE(259));
 }
 bool wxEAPProviderIdentityPanel::TransferDataToWindow()
 {
    m_provider_name ->SetValue(m_prov.m_id        );
    m_provider_web  ->SetValue(m_prov.m_help_web  );
    m_provider_email->SetValue(m_prov.m_help_email);
    m_provider_phone->SetValue(m_prov.m_help_phone);
    return wxEAPProviderIdentityPanelBase::TransferDataToWindow();
 }
 bool wxEAPProviderIdentityPanel::TransferDataFromWindow()
 {
    wxCHECK(wxEAPProviderIdentityPanelBase::TransferDataFromWindow(), false);
    m_prov.m_id         = m_provider_name ->GetValue();
    m_prov.m_help_web   = m_provider_web  ->GetValue();
    m_prov.m_help_email = m_provider_email->GetValue();
    m_prov.m_help_phone = m_provider_phone->GetValue();
    return true;
 }
 //////////////////////////////////////////////////////////////////////
 // wxEAPProviderLockPanel
 //////////////////////////////////////////////////////////////////////
 wxEAPProviderLockPanel::wxEAPProviderLockPanel(eap::config_provider &prov, wxWindow* parent) :
    m_prov(prov),
    wxEAPProviderLockPanelBase(parent)
 {
    // Load and set icon.
    if (m_shell32.load(_T("shell32.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
        wxSetIconFromResource(m_provider_lock_icon, m_icon, m_shell32, MAKEINTRESOURCE(1003));
 }
 bool wxEAPProviderLockPanel::TransferDataToWindow()
 {
    m_provider_lock->SetValue(m_prov.m_read_only);
    return wxEAPProviderLockPanelBase::TransferDataToWindow();
 }
 bool wxEAPProviderLockPanel::TransferDataFromWindow()
 {
    wxCHECK(wxEAPProviderLockPanelBase::TransferDataFromWindow(), false);
    m_prov.m_read_only = m_provider_lock->GetValue();
    return true;
 }
 //////////////////////////////////////////////////////////////////////
 // wxEAPConfigProvider
 //////////////////////////////////////////////////////////////////////
 wxEAPConfigProvider::wxEAPConfigProvider(eap::config_provider &prov, wxWindow* parent) :
    m_prov(prov),
    wxEAPGeneralDialog(parent, _("Provider Settings"))
 {
    // Set banner title.
    m_banner->m_title->SetLabel(_("Provider Settings"));
    m_identity = new wxEAPProviderIdentityPanel(prov, this);
    AddContent(m_identity);
    m_lock = new wxEAPProviderLockPanel(prov, this);
    AddContent(m_lock);
    m_identity->m_provider_name->SetFocusFromKbd();
 }
--- a/lib/Events/res/EventsETW.man
+++ b/lib/Events/res/EventsETW.man
--- a/lib/PAP/include/Credentials.h
+++ b/lib/PAP/include/Credentials.h
@@ -113,7 +113,7 @@ namespace eap
        /// - \c true  if credentials were set;
        /// - \c false otherwise
        ///
-        bool combine(
+        source_t combine(
            _In_       const credentials_pap   *cred_cached,
            _In_       const config_method_pap &cfg,
            _In_opt_z_       LPCTSTR           pszTargetName);
--- a/lib/PAP/src/Credentials.cpp
+++ b/lib/PAP/src/Credentials.cpp
@@ -75,7 +75,7 @@ LPCTSTR eap::credentials_pap::target_suffix() const
 }
-bool eap::credentials_pap::combine(
+eap::credentials::source_t eap::credentials_pap::combine(
    _In_       const credentials_pap   *cred_cached,
    _In_       const config_method_pap &cfg,
    _In_opt_z_       LPCTSTR           pszTargetName)
@@ -84,14 +84,14 @@ bool eap::credentials_pap::combine(
        // Using EAP service cached credentials.
        *this = *cred_cached;
        m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)eap_type_pap), event_data(credentials_pap::get_name()), event_data::blank);
-        return true;
+        return source_cache;
    }
    if (cfg.m_use_preshared) {
        // Using preshared credentials.
        *this = *(credentials_pap*)cfg.m_preshared.get();
        m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)eap_type_pap), event_data(credentials_pap::get_name()), event_data::blank);
-        return true;
+        return source_preshared;
    }
    if (pszTargetName) {
@@ -102,11 +102,11 @@ bool eap::credentials_pap::combine(
            // Using stored credentials.
            *this = std::move(cred_loaded);
            m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)eap_type_pap), event_data(credentials_pap::get_name()), event_data::blank);
-            return true;
+            return source_storage;
        } catch (...) {
            // Not actually an error.
        }
    }
-    return false;
+    return source_unknown;
 }
--- a/lib/PAP_UI/include/PAP_UI.h
+++ b/lib/PAP_UI/include/PAP_UI.h
@@ -25,7 +25,7 @@
 ///
 /// PAP credential configuration panel
 ///
-typedef wxEAPCredentialsConfigPanel<eap::credentials_pap, wxPasswordCredentialsPanel<eap::credentials_pap, wxEAPCredentialsPanelPassBase> > wxPAPCredentialsConfigPanel;
+typedef wxEAPCredentialsConfigPanel<eap::credentials_pap, wxPasswordCredentialsPanel<eap::credentials_pap, wxEAPCredentialsPassPanelBase> > wxPAPCredentialsConfigPanel;
 ///
 /// PAP configuration panel
@@ -35,7 +35,7 @@ class wxPAPConfigPanel;
 ///
 /// PAP credential entry panel
 ///
-typedef wxPasswordCredentialsPanel<eap::credentials_pap, wxEAPCredentialsPanelPassBase> wxPAPCredentialsPanel;
+typedef wxPasswordCredentialsPanel<eap::credentials_pap, wxEAPCredentialsPassPanelBase> wxPAPCredentialsPanel;
 #pragma once
--- a/lib/TLS/include/Config.h
+++ b/lib/TLS/include/Config.h
@@ -167,7 +167,7 @@ namespace eap
    public:
        std::list<winstd::cert_context> m_trusted_root_ca;  ///< Trusted root CAs
-        std::list<std::string> m_server_names;              ///< Acceptable authenticating server names
+        std::list<std::wstring> m_server_names;             ///< Acceptable authenticating server names
        // Following members are used for session resumptions. They are not exported/imported to XML.
        sanitizing_blob m_session_id;                       ///< TLS session ID
--- a/lib/TLS/include/Credentials.h
+++ b/lib/TLS/include/Credentials.h
@@ -200,7 +200,7 @@ namespace eap
        /// - \c true  if credentials were set;
        /// - \c false otherwise
        ///
-        bool combine(
+        source_t combine(
            _In_       const credentials_tls   *cred_cached,
            _In_       const config_method_tls &cfg,
            _In_opt_z_       LPCTSTR           pszTargetName);
--- a/lib/TLS/include/Method.h
+++ b/lib/TLS/include/Method.h
@@ -248,15 +248,6 @@ namespace eap
        ///
        sanitizing_blob make_client_key_exchange(_In_ const tls_master_secret &pms) const;
        ///
        /// Makes a TLS change cipher spec message
        ///
        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter A.1. Record Layer)](https://tools.ietf.org/html/rfc5246#appendix-A.1)
        ///
        /// \returns Change cipher spec
        ///
        eap::sanitizing_blob make_change_chiper_spec() const;
        ///
        /// Makes a TLS finished message
        ///
@@ -476,6 +467,7 @@ namespace eap
        ///
        /// \sa [How to export and import plain text session keys by using CryptoAPI](https://support.microsoft.com/en-us/kb/228786)
        ///
        /// \param[in] cp           Handle of the cryptographics provider
        /// \param[in] alg          Key algorithm
        /// \param[in] key          Key that decrypts \p secret
        /// \param[in] secret       Key data
@@ -484,6 +476,7 @@ namespace eap
        /// \returns Key
        ///
        HCRYPTKEY create_key(
            _In_                              HCRYPTPROV cp,
            _In_                              ALG_ID     alg,
            _In_                              HCRYPTKEY  key,
            _In_bytecount_(size_secret) const void       *secret,
@@ -496,7 +489,8 @@ namespace eap
        packet m_packet_res;                                    ///< Response packet
        winstd::crypt_prov m_cp;                                ///< Cryptography provider for general services
-        winstd::crypt_prov m_cp_enc;                            ///< Cryptography provider for encryption
+        winstd::crypt_prov m_cp_enc_client;                     ///< Cryptography provider for encryption
        winstd::crypt_prov m_cp_enc_server;                     ///< Cryptography provider for encryption
        winstd::crypt_key m_key_exp1;                           ///< Key for importing derived keys
        tls_version m_tls_version;                              ///< TLS version in use
@@ -522,9 +516,15 @@ namespace eap
        winstd::crypt_hash m_hash_handshake_msgs_sha1;          ///< Running SHA-1 hash of handshake messages
        winstd::crypt_hash m_hash_handshake_msgs_sha256;        ///< Running SHA-256 hash of handshake messages
-        bool m_certificate_req;                                 ///< Did server request client certificate?
+        bool m_handshake[tls_handshake_type_max];               ///< Handshake flags (map od handshake messages received)
-        bool m_server_hello_done;                               ///< Is server hello done?
+
-        bool m_server_finished;                                 ///< Did server send a valid finish message?
+        enum {
            phase_unknown = -1,                                 ///< Unknown phase
            phase_client_hello = 0,                             ///< Send client hello
            phase_server_hello,                                 ///< Wait for server hello
            phase_change_cipher_spec,                           ///< Wait for change cipher spec
            phase_application_data                              ///< Exchange application data
        } m_phase;                                              ///< What phase is our communication at?
        unsigned __int64 m_seq_num_client;                      ///< Sequence number for encrypting
        unsigned __int64 m_seq_num_server;                      ///< Sequence number for decrypting
--- a/lib/TLS/include/TLS.h
+++ b/lib/TLS/include/TLS.h
@@ -148,7 +148,10 @@ namespace eap
        tls_handshake_type_server_hello_done   = 14,
        tls_handshake_type_certificate_verify  = 15,
        tls_handshake_type_client_key_exchange = 16,
-        tls_handshake_type_finished            = 20
+        tls_handshake_type_finished            = 20,
        tls_handshake_type_min                 =  0,    ///< First existing handshake message
        tls_handshake_type_max                 = 21     ///< First non-existing (officially) handshake message
    };
@@ -512,28 +515,3 @@ namespace eap
        hmac_padding m_padding_hmac;    ///< Padding (key) for HMAC calculation
    };
 }
 //inline void operator<<(_Inout_ eap::cursor_out &cursor, _In_ const eap::tls_conn_state &val)
 //{
 //    cursor << val.m_master_secret;
 //    cursor << val.m_random_client;
 //    cursor << val.m_random_server;
 //}
 //
 //
 //inline size_t pksizeof(_In_ const eap::tls_conn_state &val)
 //{
 //    return
 //        pksizeof(val.m_master_secret) +
 //        pksizeof(val.m_random_client) +
 //        pksizeof(val.m_random_server);
 //}
 //
 //
 //inline void operator>>(_Inout_ eap::cursor_in &cursor, _Out_ eap::tls_conn_state &val)
 //{
 //    cursor >> val.m_master_secret;
 //    cursor >> val.m_random_client;
 //    cursor >> val.m_random_server;
 //}
--- a/lib/TLS/src/Config.cpp
+++ b/lib/TLS/src/Config.cpp
@@ -161,10 +161,8 @@ void eap::config_method_tls::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNode *
    }
    // <ServerName>
-    for (list<string>::const_iterator i = m_server_names.begin(), i_end = m_server_names.end(); i != i_end; ++i) {
+    for (list<wstring>::const_iterator i = m_server_names.begin(), i_end = m_server_names.end(); i != i_end; ++i) {
-        wstring str;
+        if (FAILED(hr = eapxml::put_element_value(pDoc, pXmlElServerSideCredential, bstr(L"ServerName"), bstrNamespace, bstr(*i))))
        MultiByteToWideChar(CP_UTF8, 0, i->c_str(), (int)i->length(), str);
        if (FAILED(hr = eapxml::put_element_value(pDoc, pXmlElServerSideCredential, bstr(L"ServerName"), bstrNamespace, bstr(str))))
            throw com_runtime_error(hr, __FUNCTION__ " Error creating <ServerName> element.");
    }
 }
@@ -231,12 +229,7 @@ void eap::config_method_tls::load(_In_ IXMLDOMNode *pConfigRoot)
                pXmlListServerIDs->get_item(j, &pXmlElServerID);
                bstr bstrServerID;
                pXmlElServerID->get_text(&bstrServerID);
-
+                m_server_names.push_back(wstring(bstrServerID));
                // Server names (FQDNs) are always ASCII. Hopefully. Convert them to UTF-8 anyway for consistent comparison. CP_ANSI varies.
                string str;
                WideCharToMultiByte(CP_UTF8, 0, bstrServerID, bstrServerID.length(), str, NULL, NULL);
                m_server_names.push_back(str);
            }
            m_module.log_config((xpathServerSideCredential + L"/ServerName").c_str(), m_server_names);
--- a/lib/TLS/src/Credentials.cpp
+++ b/lib/TLS/src/Credentials.cpp
@@ -254,7 +254,7 @@ tstring eap::credentials_tls::get_name() const
 }
-bool eap::credentials_tls::combine(
+eap::credentials::source_t eap::credentials_tls::combine(
    _In_       const credentials_tls   *cred_cached,
    _In_       const config_method_tls &cfg,
    _In_opt_z_       LPCTSTR           pszTargetName)
@@ -263,14 +263,14 @@ bool eap::credentials_tls::combine(
        // Using EAP service cached credentials.
        *this = *cred_cached;
        m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)eap_type_tls), event_data(credentials_tls::get_name()), event_data::blank);
-        return true;
+        return source_cache;
    }
    if (cfg.m_use_preshared) {
        // Using preshared credentials.
        *this = *(credentials_tls*)cfg.m_preshared.get();
        m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)eap_type_tls), event_data(credentials_tls::get_name()), event_data::blank);
-        return true;
+        return source_preshared;
    }
    if (pszTargetName) {
@@ -281,13 +281,13 @@ bool eap::credentials_tls::combine(
            // Using stored credentials.
            *this = std::move(cred_loaded);
            m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)eap_type_tls), event_data(credentials_tls::get_name()), event_data::blank);
-            return true;
+            return source_storage;
        } catch (...) {
            // Not actually an error.
        }
    }
-    return false;
+    return source_unknown;
 }
--- a/lib/TLS/src/Method.cpp
+++ b/lib/TLS/src/Method.cpp
@@ -95,9 +95,7 @@ void eap::method_tls::packet::clear()
 eap::method_tls::method_tls(_In_ module &module, _In_ config_provider_list &cfg, _In_ credentials_tls &cred) :
    m_cred(cred),
-    m_certificate_req(false),
+    m_phase(phase_unknown),
    m_server_hello_done(false),
    m_server_finished(false),
    m_seq_num_client(0),
    m_seq_num_server(0),
    m_blob_cfg(NULL),
@@ -107,6 +105,7 @@ eap::method_tls::method_tls(_In_ module &module, _In_ config_provider_list &cfg,
    method(module, cfg, cred)
 {
    m_tls_version = tls_version_1_2;
    memset(m_handshake, 0, sizeof(m_handshake));
 }
@@ -115,7 +114,8 @@ eap::method_tls::method_tls(_Inout_ method_tls &&other) :
    m_packet_req                (std::move(other.m_packet_req                )),
    m_packet_res                (std::move(other.m_packet_res                )),
    m_cp                        (std::move(other.m_cp                        )),
-    m_cp_enc                    (std::move(other.m_cp_enc                    )),
+    m_cp_enc_client             (std::move(other.m_cp_enc_client             )),
    m_cp_enc_server             (std::move(other.m_cp_enc_server             )),
    m_key_exp1                  (std::move(other.m_key_exp1                  )),
    m_tls_version               (std::move(other.m_tls_version               )),
    m_alg_prf                   (std::move(other.m_alg_prf                   )),
@@ -133,13 +133,15 @@ eap::method_tls::method_tls(_Inout_ method_tls &&other) :
    m_hash_handshake_msgs_md5   (std::move(other.m_hash_handshake_msgs_md5   )),
    m_hash_handshake_msgs_sha1  (std::move(other.m_hash_handshake_msgs_sha1  )),
    m_hash_handshake_msgs_sha256(std::move(other.m_hash_handshake_msgs_sha256)),
-    m_certificate_req           (std::move(other.m_certificate_req           )),
+    m_phase                     (std::move(other.m_phase                     )),
    m_server_hello_done         (std::move(other.m_server_hello_done         )),
    m_server_finished           (std::move(other.m_server_finished           )),
    m_seq_num_client            (std::move(other.m_seq_num_client            )),
    m_seq_num_server            (std::move(other.m_seq_num_server            )),
    method                      (std::move(other                             ))
 {
    memcpy(m_handshake, other.m_handshake, sizeof(m_handshake));
 #ifdef _DEBUG
    memset(other.m_handshake, 0, sizeof(m_handshake));
 #endif
 }
@@ -163,7 +165,8 @@ eap::method_tls& eap::method_tls::operator=(_Inout_ method_tls &&other)
        m_packet_req                 = std::move(other.m_packet_req                );
        m_packet_res                 = std::move(other.m_packet_res                );
        m_cp                         = std::move(other.m_cp                        );
-        m_cp_enc                     = std::move(other.m_cp_enc                    );
+        m_cp_enc_client              = std::move(other.m_cp_enc_client             );
        m_cp_enc_server              = std::move(other.m_cp_enc_server             );
        m_key_exp1                   = std::move(other.m_key_exp1                  );
        m_tls_version                = std::move(other.m_tls_version               );
        m_alg_prf                    = std::move(other.m_alg_prf                   );
@@ -181,11 +184,14 @@ eap::method_tls& eap::method_tls::operator=(_Inout_ method_tls &&other)
        m_hash_handshake_msgs_md5    = std::move(other.m_hash_handshake_msgs_md5   );
        m_hash_handshake_msgs_sha1   = std::move(other.m_hash_handshake_msgs_sha1  );
        m_hash_handshake_msgs_sha256 = std::move(other.m_hash_handshake_msgs_sha256);
-        m_certificate_req            = std::move(other.m_certificate_req           );
+        m_phase                      = std::move(other.m_phase                     );
        m_server_hello_done          = std::move(other.m_server_hello_done         );
        m_server_finished            = std::move(other.m_server_finished           );
        m_seq_num_client             = std::move(other.m_seq_num_client            );
        m_seq_num_server             = std::move(other.m_seq_num_server            );
        memcpy(m_handshake, other.m_handshake, sizeof(m_handshake));
 #ifdef _DEBUG
        memset(other.m_handshake, 0, sizeof(m_handshake));
 #endif
    }
    return *this;
@@ -200,7 +206,7 @@ void eap::method_tls::begin_session(
 {
    method::begin_session(dwFlags, pAttributeArray, hTokenImpersonateUser, dwMaxSendPacketSize);
-    // Create cryptographics provider.
+    // Create cryptographics provider for support needs (handshake hashing, client random, temporary keys...).
    if (!m_cp.create(NULL, NULL, PROV_RSA_AES))
        throw win_runtime_error(__FUNCTION__ " Error creating cryptographics provider.");
@@ -216,6 +222,7 @@ void eap::method_tls::begin_session(
    const config_method_tls *cfg_method = dynamic_cast<const config_method_tls*>(cfg_prov.m_methods.front().get());
    assert(cfg_method);
    // Restore previous session ID and master secret. We might get lucky.
    m_session_id = cfg_method->m_session_id;
    m_master_secret = cfg_method->m_master_secret;
 }
@@ -248,7 +255,7 @@ void eap::method_tls::process_request_packet(
        packet_data_size = dwReceivedPacketSize - 6;
    }
-    // Do the TLS defragmentation.
+    // Do the EAP-TLS defragmentation.
    if (pReceivedPacket->Data[1] & flags_req_more_frag) {
        if (m_packet_req.m_data.empty()) {
            // Start a new packet.
@@ -310,8 +317,19 @@ void eap::method_tls::process_request_packet(
    m_packet_res.m_flags = 0;
    if (pReceivedPacket->Code == EapCodeRequest && (m_packet_req.m_flags & flags_req_start)) {
-        // This is the TLS start message: (re)initialize method.
+        // This is the EAP-TLS start message: (re)initialize method.
        m_module.log_event(&EAPMETHOD_TLS_HANDSHAKE_START2, event_data((unsigned int)eap_type_tls), event_data::blank);
        m_phase = phase_client_hello;
    } else {
        // Process the packet.
        memset(m_handshake, 0, sizeof(m_handshake));
        m_packet_res.m_data.clear();
        process_packet(m_packet_req.m_data.data(), m_packet_req.m_data.size());
    }
    switch (m_phase) {
    case phase_client_hello: {
        m_tls_version = tls_version_1_2;
        m_key_mppe_client.clear();
        m_key_mppe_server.clear();
@@ -326,91 +344,90 @@ void eap::method_tls::process_request_packet(
        if (!m_hash_handshake_msgs_sha256.create(m_cp, CALG_SHA_256))
            throw win_runtime_error(__FUNCTION__ " Error creating SHA-256 hashing object.");
        m_certificate_req   = false;
        m_server_hello_done = false;
        m_server_finished   = false;
        m_seq_num_client = 0;
        m_seq_num_server = 0;
        // Build client hello packet.
        sanitizing_blob msg_client_hello(make_message(tls_message_type_handshake, make_client_hello()));
-        m_packet_res.m_data.assign(msg_client_hello.begin(), msg_client_hello.end());
+        m_packet_res.m_data.insert(m_packet_res.m_data.end(), msg_client_hello.begin(), msg_client_hello.end());
    } else {
        // Process the packet.
        m_packet_res.m_data.clear();
        process_packet(m_packet_req.m_data.data(), m_packet_req.m_data.size());
-        if (m_server_finished) {
+        m_phase = phase_server_hello;
-            // Server finished.
+        break;
-        } else if (m_state_server.m_alg_encrypt) {
+    }
-            // Cipher specified (server).
+
-        } else if (m_server_hello_done) {
+    case phase_server_hello: {
-            // Server hello specified.
+        if (!m_handshake[tls_handshake_type_server_hello])
            throw win_runtime_error(__FUNCTION__ " Server did not hello back. No server random! What cipher to use?");
        // Create cryptographics provider (based on server selected cipher?).
-            if (!m_cp_enc.create(NULL, NULL, PROV_RSA_AES))
+        if (!m_cp_enc_client.create(NULL, NULL, PROV_RSA_AES))
            throw win_runtime_error(__FUNCTION__ " Error creating cryptographics provider.");
        if (m_handshake[tls_handshake_type_certificate]) {
            // Do we trust this server?
            if (m_server_cert_chain.empty())
-                throw win_runtime_error(ERROR_ENCRYPTION_FAILED, __FUNCTION__ " Can not continue without server's certificate.");
+                throw win_runtime_error(ERROR_ENCRYPTION_FAILED, __FUNCTION__ " Server sent an empty certificate (chain).");
            verify_server_trust();
        }
-            if (m_certificate_req) {
+        if (m_handshake[tls_handshake_type_certificate_request]) {
            // Client certificate requested.
            sanitizing_blob msg_client_cert(make_message(tls_message_type_handshake, make_client_cert()));
            m_packet_res.m_data.insert(m_packet_res.m_data.end(), msg_client_cert.begin(), msg_client_cert.end());
        }
-            {
+        if (m_handshake[tls_handshake_type_server_hello_done]) {
            if (m_server_cert_chain.empty())
                throw win_runtime_error(ERROR_ENCRYPTION_FAILED, __FUNCTION__ " Can not do a client key exchange without a server public key (missing server certificate).");
            // Generate pre-master secret. PMS will get sanitized in its destructor when going out-of-scope.
-                tls_master_secret pms(m_cp_enc, m_tls_version);
+            // Always use latest supported version by client (not negotiated one, to detect version rollback attacks).
            tls_master_secret pms(m_cp_enc_client, tls_version_1_2);
            // Derive master secret.
            static const unsigned char s_label[] = "master secret";
            sanitizing_blob seed(s_label, s_label + _countof(s_label) - 1);
            seed.insert(seed.end(), (const unsigned char*)&m_random_client, (const unsigned char*)(&m_random_client + 1));
            seed.insert(seed.end(), (const unsigned char*)&m_random_server, (const unsigned char*)(&m_random_server + 1));
-                memcpy(&m_master_secret, prf(m_cp_enc, m_alg_prf, pms, seed, sizeof(tls_master_secret)).data(), sizeof(tls_master_secret));
+            memcpy(&m_master_secret, prf(m_cp_enc_client, m_alg_prf, pms, seed, sizeof(tls_master_secret)).data(), sizeof(tls_master_secret));
            // Create client key exchange message, and append to packet.
            sanitizing_blob msg_client_key_exchange(make_message(tls_message_type_handshake, make_client_key_exchange(pms)));
            m_packet_res.m_data.insert(m_packet_res.m_data.end(), msg_client_key_exchange.begin(), msg_client_key_exchange.end());
        }
-            if (m_certificate_req) {
+        if (m_handshake[tls_handshake_type_certificate_request]) {
-                // TODO: Create and append certificate_verify message!
+            // TODO: Create and append client certificate verify message!
        }
        // Append change cipher spec to packet.
-            sanitizing_blob ccs(make_change_chiper_spec());
+        sanitizing_blob ccs(make_message(tls_message_type_change_cipher_spec, sanitizing_blob(1, 1)));
        m_packet_res.m_data.insert(m_packet_res.m_data.end(), ccs.begin(), ccs.end());
-            {
+        // Adopt server state as client pending.
-                // Adopt server provided pending state as client pending.
+        // If server already send the change cipher spec, use active server state. Otherwise pending.
-                m_state_client_pending = m_state_server_pending;
+        m_state_client_pending = m_state_server.m_alg_encrypt ? m_state_server : m_state_server_pending;
-                // Derive client side keys
+        // Derive client side keys.
        static const unsigned char s_label[] = "key expansion";
        sanitizing_blob seed(s_label, s_label + _countof(s_label) - 1);
        seed.insert(seed.end(), (const unsigned char*)&m_random_server, (const unsigned char*)(&m_random_server + 1));
        seed.insert(seed.end(), (const unsigned char*)&m_random_client, (const unsigned char*)(&m_random_client + 1));
-                sanitizing_blob key_block(prf(m_cp_enc, m_alg_prf, m_master_secret, seed,
+        sanitizing_blob key_block(prf(m_cp_enc_client, m_alg_prf, m_master_secret, seed,
            2*m_state_client_pending.m_size_mac_key +  // client_write_MAC_secret & server_write_MAC_secret (SHA1)
            2*m_state_client_pending.m_size_enc_key +  // client_write_key        & server_write_key
            2*m_state_client_pending.m_size_enc_iv )); // client_write_IV         & server_write_IV
        const unsigned char *_key_block = key_block.data();
        // client_write_MAC_secret
-                m_state_client_pending.m_padding_hmac = hmac_padding(m_cp_enc, m_state_client_pending.m_alg_mac, _key_block, m_state_client_pending.m_size_mac_key);
+        m_state_client_pending.m_padding_hmac = hmac_padding(m_cp_enc_client, m_state_client_pending.m_alg_mac, _key_block, m_state_client_pending.m_size_mac_key);
        _key_block += m_state_client_pending.m_size_mac_key;
        // server_write_MAC_secret
        _key_block += m_state_client_pending.m_size_mac_key;
        // client_write_key
-                m_state_client_pending.m_key = create_key(m_state_client_pending.m_alg_encrypt, m_key_exp1, _key_block, m_state_client_pending.m_size_enc_key);
+        m_state_client_pending.m_key = create_key(m_cp_enc_client, m_state_client_pending.m_alg_encrypt, m_key_exp1, _key_block, m_state_client_pending.m_size_enc_key);
        _key_block += m_state_client_pending.m_size_enc_key;
        // server_write_key
@@ -425,15 +442,27 @@ void eap::method_tls::process_request_packet(
        // Accept client pending state as current client state.
        m_state_client = std::move(m_state_client_pending);
            }
        // Create finished message, and append to packet.
        sanitizing_blob msg_finished(make_message(tls_message_type_handshake, make_finished()));
        m_packet_res.m_data.insert(m_packet_res.m_data.end(), msg_finished.begin(), msg_finished.end());
-        }
+
        m_phase = m_handshake[tls_handshake_type_finished] ? phase_application_data : phase_change_cipher_spec;
        break;
    }
-    // Request packet was processed. Clear its data since we use the absence of data to detect first of fragmented message packages.
+    case phase_change_cipher_spec:
        // Wait in this phase until server sends change cipher spec and finish.
        if (m_state_server.m_alg_encrypt && m_handshake[tls_handshake_type_finished])
            m_phase = phase_application_data;
        break;
    case phase_application_data:
        if (m_handshake[tls_handshake_type_hello_request])
            m_phase = phase_client_hello;
    }
    // EAP-Request packet was processed. Clear its data since we use the absence of data to detect first of fragmented message packages.
    m_packet_req.m_data.clear();
    pEapOutput->fAllowNotifications = FALSE;
@@ -509,10 +538,12 @@ void eap::method_tls::get_result(
    switch (reason) {
    case EapPeerMethodResultSuccess: {
-        if (!m_server_finished)
+        if (!m_handshake[tls_handshake_type_finished])
            throw invalid_argument(__FUNCTION__ " Premature success.");
-        // Derive MSK.
+        m_module.log_event(&EAPMETHOD_TLS_SUCCESS, event_data((unsigned int)eap_type_tls), event_data::blank);
        // Derive MSK/EMSK for line encryption.
        derive_msk();
        // Fill array with RADIUS attributes.
@@ -530,7 +561,7 @@ void eap::method_tls::get_result(
        ppResult->pAttribArray = &m_eap_attr_desc;
        // Clear credentials as failed.
-        cfg_method->m_cred_failed = false;
+        cfg_method->m_auth_failed = false;
        ppResult->fIsSuccess = TRUE;
        ppResult->dwFailureReasonCode = ERROR_SUCCESS;
@@ -543,15 +574,19 @@ void eap::method_tls::get_result(
    }
    case EapPeerMethodResultFailure:
        m_module.log_event(&EAPMETHOD_TLS_FAILURE, event_data((unsigned int)eap_type_tls), event_data::blank);
        // Clear session resumption data.
        cfg_method->m_session_id.clear();
        cfg_method->m_master_secret.clear();
        // Mark credentials as failed, so GUI can re-prompt user.
-        cfg_method->m_cred_failed = true;
+        cfg_method->m_auth_failed = true;
-        ppResult->fIsSuccess = FALSE;
+        // Do not report failure to EAPHost, as it will not save updated configuration then. But we need it to save it, to alert user on next connection attempt.
-        ppResult->dwFailureReasonCode = EAP_E_AUTHENTICATION_FAILED;
+        // EAPHost is well aware of the failed condition.
        //ppResult->fIsSuccess = FALSE;
        //ppResult->dwFailureReasonCode = EAP_E_AUTHENTICATION_FAILED;
        break;
@@ -582,6 +617,10 @@ eap::sanitizing_blob eap::method_tls::make_client_hello()
        0x00, 0x2f, // TLS_RSA_WITH_AES_128_CBC_SHA (required by TLS 1.2)
        0x00, 0x0a, // TLS_RSA_WITH_3DES_EDE_CBC_SHA (required by EAP-TLS)
    };
    static const unsigned char s_compression_suite[] = {
        0x00, // No compression
    };
    size_t size_data;
    sanitizing_blob msg;
    msg.reserve(
@@ -594,7 +633,7 @@ eap::sanitizing_blob eap::method_tls::make_client_hello()
        2                            + // Length of cypher suite list
        sizeof(s_cipher_suite)       + // Cipher suite list
        1                            + // Length of compression suite
-        1));                     // Compression suite
+        sizeof(s_compression_suite))); // Compression suite
    // SSL header
    assert(size_data <= 0xffffff);
@@ -614,13 +653,13 @@ eap::sanitizing_blob eap::method_tls::make_client_hello()
    msg.insert(msg.end(), m_session_id.begin(), m_session_id.end());
    // Cypher suite list
-    unsigned short size_cipher_suite2 = htons((unsigned short)sizeof(s_cipher_suite));
+    unsigned short size_cipher_suite2 = htons((unsigned short)sizeof(s_cipher_suite)/2);
    msg.insert(msg.end(), (unsigned char*)&size_cipher_suite2, (unsigned char*)(&size_cipher_suite2 + 1));
    msg.insert(msg.end(), s_cipher_suite, s_cipher_suite + _countof(s_cipher_suite));
    // Compression
-    msg.push_back(0x01); // Length of compression section
+    msg.push_back((unsigned char)sizeof(s_compression_suite));
-    msg.push_back(0x00); // No compression (0)
+    msg.insert(msg.end(), s_compression_suite, s_compression_suite + _countof(s_compression_suite));
    return msg;
 }
@@ -667,10 +706,10 @@ eap::sanitizing_blob eap::method_tls::make_client_cert() const
 eap::sanitizing_blob eap::method_tls::make_client_key_exchange(_In_ const tls_master_secret &pms) const
 {
-    // Encrypt pre-master key first.
+    // Encrypt pre-master key with server public key first.
    sanitizing_blob pms_enc((const unsigned char*)&pms, (const unsigned char*)(&pms + 1));
    crypt_key key;
-    if (!key.import_public(m_cp_enc, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(m_server_cert_chain.front()->pCertInfo->SubjectPublicKeyInfo)))
+    if (!key.import_public(m_cp_enc_client, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(m_server_cert_chain.front()->pCertInfo->SubjectPublicKeyInfo)))
        throw win_runtime_error(__FUNCTION__ " Error importing server's public key.");
    if (!CryptEncrypt(key,  NULL, TRUE, 0, pms_enc))
        throw win_runtime_error(__FUNCTION__ " Error encrypting PMS.");
@@ -703,20 +742,6 @@ eap::sanitizing_blob eap::method_tls::make_client_key_exchange(_In_ const tls_ma
 }
 eap::sanitizing_blob eap::method_tls::make_change_chiper_spec() const
 {
    const unsigned char msg_css[] = {
        tls_message_type_change_cipher_spec,    // SSL record type
        m_tls_version.major,                    // SSL major version
        m_tls_version.minor,                    // SSL minor version
        0,                                      // Message size (high-order byte)
        1,                                      // Message size (low-order byte)
        1,                                      // Message: change_cipher_spec is always "1"
    };
    return sanitizing_blob(msg_css, msg_css + _countof(msg_css));
 }
 eap::sanitizing_blob eap::method_tls::make_finished() const
 {
    sanitizing_blob msg;
@@ -747,7 +772,7 @@ eap::sanitizing_blob eap::method_tls::make_finished() const
            throw win_runtime_error(__FUNCTION__ " Error finishing SHA-256 hash calculation.");
        seed.insert(seed.end(), hash_data.begin(), hash_data.end());
    }
-    sanitizing_blob verify(prf(m_cp_enc, m_alg_prf, m_master_secret, seed, 12));
+    sanitizing_blob verify(prf(m_cp_enc_client, m_alg_prf, m_master_secret, seed, 12));
    msg.insert(msg.end(), verify.begin(), verify.end());
    return msg;
@@ -791,7 +816,7 @@ void eap::method_tls::derive_msk()
    sanitizing_blob seed(s_label, s_label + _countof(s_label) - 1);
    seed.insert(seed.end(), (const unsigned char*)&m_random_client, (const unsigned char*)(&m_random_client + 1));
    seed.insert(seed.end(), (const unsigned char*)&m_random_server, (const unsigned char*)(&m_random_server + 1));
-    sanitizing_blob key_block(prf(m_cp_enc, m_alg_prf, m_master_secret, seed, 2*sizeof(tls_random)));
+    sanitizing_blob key_block(prf(m_cp_enc_client, m_alg_prf, m_master_secret, seed, 2*sizeof(tls_random)));
    const unsigned char *_key_block = key_block.data();
    // MS-MPPE-Recv-Key
@@ -819,9 +844,14 @@ void eap::method_tls::process_packet(_In_bytecount_(size_pck) const void *_pck,
            throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Incomplete message data.");
        if (hdr->version >= tls_version_1_0) {
-            // Process TLS 1.0 message.
+            // Process TLS message.
            switch (hdr->type) {
            case tls_message_type_change_cipher_spec:
                if (m_state_server.m_alg_encrypt) {
                    sanitizing_blob msg_dec(msg, msg_end);
                    decrypt_message(hdr->type, msg_dec);
                    process_change_cipher_spec(msg_dec.data(), msg_dec.size());
                } else
                    process_change_cipher_spec(msg, msg_end - msg);
                break;
@@ -879,11 +909,18 @@ void eap::method_tls::process_change_cipher_spec(_In_bytecount_(msg_size) const
    m_module.log_event(&EAPMETHOD_TLS_CHANGE_CIPHER_SPEC, event_data((unsigned int)eap_type_tls), event_data::blank);
    if (!m_state_server_pending.m_alg_encrypt)
        throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Change cipher spec received without cipher being negotiated first.");
    // Create cryptographics provider (based on server selected cipher?).
    if (!m_cp_enc_server.create(NULL, NULL, PROV_RSA_AES))
        throw win_runtime_error(__FUNCTION__ " Error creating cryptographics provider.");
    static const unsigned char s_label[] = "key expansion";
    sanitizing_blob seed(s_label, s_label + _countof(s_label) - 1);
    seed.insert(seed.end(), (const unsigned char*)&m_random_server, (const unsigned char*)(&m_random_server + 1));
    seed.insert(seed.end(), (const unsigned char*)&m_random_client, (const unsigned char*)(&m_random_client + 1));
-    sanitizing_blob key_block(prf(m_cp_enc, m_alg_prf, m_master_secret, seed,
+    sanitizing_blob key_block(prf(m_cp_enc_server, m_alg_prf, m_master_secret, seed,
        2*m_state_server_pending.m_size_mac_key +  // client_write_MAC_secret & server_write_MAC_secret (SHA1)
        2*m_state_server_pending.m_size_enc_key +  // client_write_key        & server_write_key
        2*m_state_server_pending.m_size_enc_iv )); // client_write_IV         & server_write_IV
@@ -893,14 +930,14 @@ void eap::method_tls::process_change_cipher_spec(_In_bytecount_(msg_size) const
    _key_block += m_state_server_pending.m_size_mac_key;
    // server_write_MAC_secret
-    m_state_server_pending.m_padding_hmac = hmac_padding(m_cp_enc, m_state_server_pending.m_alg_mac, _key_block, m_state_server_pending.m_size_mac_key);
+    m_state_server_pending.m_padding_hmac = hmac_padding(m_cp_enc_server, m_state_server_pending.m_alg_mac, _key_block, m_state_server_pending.m_size_mac_key);
    _key_block += m_state_server_pending.m_size_mac_key;
    // client_write_key
    _key_block += m_state_server_pending.m_size_enc_key;
    // server_write_key
-    m_state_server_pending.m_key = create_key(m_state_server_pending.m_alg_encrypt, m_key_exp1, _key_block, m_state_server_pending.m_size_enc_key);
+    m_state_server_pending.m_key = create_key(m_cp_enc_server, m_state_server_pending.m_alg_encrypt, m_key_exp1, _key_block, m_state_server_pending.m_size_enc_key);
    _key_block += m_state_server_pending.m_size_enc_key;
    if (m_state_server_pending.m_size_enc_iv && m_tls_version < tls_version_1_1) {
@@ -915,6 +952,7 @@ void eap::method_tls::process_change_cipher_spec(_In_bytecount_(msg_size) const
    // Accept server pending state as current server state.
    m_state_server = std::move(m_state_server_pending);
    m_state_server_pending.m_alg_encrypt = 0; // Explicitly invalidate server pending state. (To mark that server must re-negotiate cipher.)
 }
@@ -970,7 +1008,11 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
                if (rec + 1 > rec_end || rec + 1 + rec[0] > rec_end)
                    throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Session ID missing or incomplete.");
                assert(rec[0] <= 32); // According to RFC 5246 session IDs should not be longer than 32B.
                if (m_session_id.size() != rec[0] || memcmp(m_session_id.data(), rec + 1, rec[0]) != 0) {
                    m_module.log_event(&EAPMETHOD_TLS_SESSION_NEW, event_data((unsigned int)eap_type_tls), event_data::blank);
                    m_session_id.assign(rec + 1, rec + 1 + rec[0]);
                } else
                    m_module.log_event(&EAPMETHOD_TLS_SESSION_RESUME, event_data((unsigned int)eap_type_tls), event_data::blank);
                rec += rec[0] + 1;
                // Cipher
@@ -1041,12 +1083,10 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
            }
            case tls_handshake_type_certificate_request:
                m_certificate_req = true;
                m_module.log_event(&EAPMETHOD_TLS_CERTIFICATE_REQUEST, event_data((unsigned int)eap_type_tls), event_data::blank);
                break;
            case tls_handshake_type_server_hello_done:
                m_server_hello_done = true;
                m_module.log_event(&EAPMETHOD_TLS_SERVER_HELLO_DONE, event_data((unsigned int)eap_type_tls), event_data::blank);
                break;
@@ -1078,10 +1118,9 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
                    seed.insert(seed.end(), hash_data.begin(), hash_data.end());
                }
-                if (memcmp(prf(m_cp_enc, m_alg_prf, m_master_secret, seed, 12).data(), rec, 12))
+                if (memcmp(prf(m_cp_enc_server, m_alg_prf, m_master_secret, seed, 12).data(), rec, 12))
                    throw win_runtime_error(ERROR_ENCRYPTION_FAILED, __FUNCTION__ " Integrity check failed.");
                m_server_finished = true;
                m_module.log_event(&EAPMETHOD_TLS_FINISHED, event_data((unsigned int)eap_type_tls), event_data::blank);
                break;
            }
@@ -1090,10 +1129,18 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
                m_module.log_event(&EAPMETHOD_TLS_HANDSHAKE_IGNORE, event_data((unsigned int)eap_type_tls), event_data((unsigned char)type), event_data::blank);
        }
-        msg = rec_end;
+        if (type < tls_handshake_type_max) {
            // Set the flag this handshake message was received.
            m_handshake[type] = true;
        }
-    hash_handshake(_msg, msg_size);
+        if (type != tls_handshake_type_hello_request) {
            // Hash all but hello requests (https://tools.ietf.org/html/rfc5246#section-7.4.1.1).
            hash_handshake(msg, rec_end - msg);
        }
        msg = rec_end;
    }
 }
@@ -1123,33 +1170,79 @@ void eap::method_tls::verify_server_trust() const
    const config_method_tls *cfg_method = dynamic_cast<const config_method_tls*>(cfg_prov.m_methods.front().get());
    assert(cfg_method);
    if (!cfg_method->m_server_names.empty()) {
    // Check server name.
    if (!cfg_method->m_server_names.empty()) {
        bool
            has_san = false,
            found   = false;
-        string subj;
+        // Search subjectAltName2 and subjectAltName.
-        if (!CertGetNameStringA(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, subj))
+        for (DWORD i = 0; !found && i < cert->pCertInfo->cExtension; i++) {
            unique_ptr<CERT_ALT_NAME_INFO, LocalFree_delete<CERT_ALT_NAME_INFO> > san_info;
            if (strcmp(cert->pCertInfo->rgExtension[i].pszObjId, szOID_SUBJECT_ALT_NAME2) == 0) {
                unsigned char *output = NULL;
                DWORD size_output;
                if (!CryptDecodeObjectEx(
                        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                        szOID_SUBJECT_ALT_NAME2,
                        cert->pCertInfo->rgExtension[i].Value.pbData, cert->pCertInfo->rgExtension[i].Value.cbData,
                        CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_ENABLE_PUNYCODE_FLAG,
                        NULL,
                        &output, &size_output))
                    throw win_runtime_error(__FUNCTION__ " Error decoding certificate extension.");
                san_info.reset((CERT_ALT_NAME_INFO*)output);
            } else if (strcmp(cert->pCertInfo->rgExtension[i].pszObjId, szOID_SUBJECT_ALT_NAME) == 0) {
                unsigned char *output = NULL;
                DWORD size_output;
                if (!CryptDecodeObjectEx(
                        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                        szOID_SUBJECT_ALT_NAME,
                        cert->pCertInfo->rgExtension[i].Value.pbData, cert->pCertInfo->rgExtension[i].Value.cbData,
                        CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_ENABLE_PUNYCODE_FLAG,
                        NULL,
                        &output, &size_output))
                    throw win_runtime_error(__FUNCTION__ " Error decoding certificate extension.");
                san_info.reset((CERT_ALT_NAME_INFO*)output);
            } else {
                // Skip this extension.
                continue;
            }
            has_san = true;
            for (list<wstring>::const_iterator s = cfg_method->m_server_names.cbegin(), s_end = cfg_method->m_server_names.cend(); !found && s != s_end; ++s) {
                for (DWORD i = 0; !found && i < san_info->cAltEntry; i++) {
                    if (san_info->rgAltEntry[i].dwAltNameChoice == CERT_ALT_NAME_DNS_NAME &&
                        _wcsicmp(s->c_str(), san_info->rgAltEntry[i].pwszDNSName) == 0)
                    {
                        m_module.log_event(&EAPMETHOD_TLS_SERVER_NAME_TRUSTED1, event_data(san_info->rgAltEntry[i].pwszDNSName), event_data::blank);
                        found = true;
                    }
                }
            }
        }
        if (!has_san) {
            // Certificate has no subjectAltName. Compare against Common Name.
            wstring subj;
            if (!CertGetNameStringW(cert, CERT_NAME_DNS_TYPE, CERT_NAME_STR_ENABLE_PUNYCODE_FLAG, NULL, subj))
                throw win_runtime_error(__FUNCTION__ " Error retrieving server's certificate subject name.");
-        for (list<string>::const_iterator s = cfg_method->m_server_names.cbegin(), s_end = cfg_method->m_server_names.cend();; ++s) {
+            for (list<wstring>::const_iterator s = cfg_method->m_server_names.cbegin(), s_end = cfg_method->m_server_names.cend(); !found && s != s_end; ++s) {
-            if (s != s_end) {
+                if (_wcsicmp(s->c_str(), subj.c_str()) == 0) {
-                const char
+                    m_module.log_event(&EAPMETHOD_TLS_SERVER_NAME_TRUSTED1, event_data(subj), event_data::blank);
-                    *a = s->c_str(),
+                    found = true;
-                    *b = subj.c_str();
+                }
-                size_t
+            }
-                    len_a = s->length(),
+        }
                    len_b = subj.length();
-                if (_stricmp(a, b) == 0 || // Direct match
+        if (!found)
-                    a[0] == '*' && len_b + 1 >= len_a && _stricmp(a + 1, b + len_b - (len_a - 1)) == 0) // "*..." wildchar match
+            throw win_runtime_error(ERROR_INVALID_DOMAINNAME, __FUNCTION__ " Server name is not on the list of trusted server names.");
                {
                    m_module.log_event(&EAPMETHOD_TLS_SERVER_NAME_TRUSTED, event_data(subj), event_data::blank);
                    break;
                }
            } else
                throw win_runtime_error(ERROR_INVALID_DOMAINNAME, string_printf(__FUNCTION__ " Server name %s is not on the list of trusted server names.", subj.c_str()).c_str());
        }
    }
    if (cert->pCertInfo->Issuer.cbData == cert->pCertInfo->Subject.cbData &&
        memcmp(cert->pCertInfo->Issuer.pbData, cert->pCertInfo->Subject.pbData, cert->pCertInfo->Issuer.cbData) == 0)
        throw com_runtime_error(CRYPT_E_SELF_SIGNED, __FUNCTION__ " Server is using a self-signed certificate. Cannot trust it.");
    // Create temporary certificate store of our trusted root CAs.
    cert_store store;
    if (!store.create(CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, 0, NULL))
@@ -1157,9 +1250,18 @@ void eap::method_tls::verify_server_trust() const
    for (list<cert_context>::const_iterator c = cfg_method->m_trusted_root_ca.cbegin(), c_end = cfg_method->m_trusted_root_ca.cend(); c != c_end; ++c)
        CertAddCertificateContextToStore(store, *c, CERT_STORE_ADD_REPLACE_EXISTING, NULL);
-    // Add all certificates from the server's certificate chain, except the first one.
+    // Add all intermediate certificates from the server's certificate chain.
-    for (list<cert_context>::const_iterator c = m_server_cert_chain.cbegin(), c_end = m_server_cert_chain.cend(); ++c != c_end;)
+    for (list<cert_context>::const_iterator c = m_server_cert_chain.cbegin(), c_end = m_server_cert_chain.cend(); ++c != c_end;) {
        const cert_context &_c = *c;
        if (_c->pCertInfo->Issuer.cbData == _c->pCertInfo->Subject.cbData &&
            memcmp(_c->pCertInfo->Issuer.pbData, _c->pCertInfo->Subject.pbData, _c->pCertInfo->Issuer.cbData) == 0)
        {
            // Skip the root CA certificates (self-signed). We define in whom we trust!
            continue;
        }
        CertAddCertificateContextToStore(store, *c, CERT_STORE_ADD_REPLACE_EXISTING, NULL);
    }
    // Prepare the certificate chain validation, and check.
    CERT_CHAIN_PARA chain_params = {
@@ -1179,9 +1281,9 @@ void eap::method_tls::verify_server_trust() const
    };
    cert_chain_context context;
    if (!context.create(NULL, cert, NULL, store, &chain_params, 0))
-        throw win_runtime_error(ERROR_INVALID_DOMAINNAME, __FUNCTION__ " Error creating certificate chain context.");
+        throw win_runtime_error(__FUNCTION__ " Error creating certificate chain context.");
-    // Check chain validation error flags. Ignore CERT_TRUST_IS_UNTRUSTED_ROOT flag when we check root CA explicitly.
+    // Check chain validation error flags. Ignore CERT_TRUST_IS_UNTRUSTED_ROOT flag since we check root CA explicitly.
    if (context->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR &&
        (cfg_method->m_trusted_root_ca.empty() || (context->TrustStatus.dwErrorStatus & ~CERT_TRUST_IS_UNTRUSTED_ROOT) != CERT_TRUST_NO_ERROR))
        throw win_runtime_error(context->TrustStatus.dwErrorStatus, "Error validating certificate chain.");
@@ -1217,7 +1319,7 @@ void eap::method_tls::encrypt_message(_In_ tls_message_type_t type, _Inout_ sani
 {
    // Hash sequence number, TLS header, and message.
    size_t size_data = data.size();
-    hmac_hash hash(m_cp_enc, m_state_client.m_alg_mac, m_state_client.m_padding_hmac);
+    hmac_hash hash(m_cp_enc_client, m_state_client.m_alg_mac, m_state_client.m_padding_hmac);
    unsigned __int64 seq_num2 = htonll(m_seq_num_client);
    unsigned short size_data2 = htons((unsigned short)size_data);
    if (!CryptHashData(hash, (const BYTE*)&seq_num2     , sizeof(seq_num2     ), 0) ||
@@ -1239,7 +1341,7 @@ void eap::method_tls::encrypt_message(_In_ tls_message_type_t type, _Inout_ sani
        if (m_tls_version >= tls_version_1_1) {
            // TLS 1.1+: Set random IV.
            data.insert(data.begin(), m_state_client.m_size_enc_iv, 0);
-            if (!CryptGenRandom(m_cp_enc, (DWORD)m_state_client.m_size_enc_iv, data.data()))
+            if (!CryptGenRandom(m_cp_enc_client, (DWORD)m_state_client.m_size_enc_iv, data.data()))
                throw win_runtime_error(__FUNCTION__ " Error generating IV.");
            size_data_enc += m_state_client.m_size_enc_iv;
        }
@@ -1304,7 +1406,7 @@ void eap::method_tls::decrypt_message(_In_ tls_message_type_t type, _Inout_ sani
        size_data -= m_state_server.m_size_mac_hash;
        // Hash sequence number, TLS header (without length), original message length, and message.
-        hmac_hash hash(m_cp_enc, m_state_server.m_alg_mac, m_state_server.m_padding_hmac);
+        hmac_hash hash(m_cp_enc_server, m_state_server.m_alg_mac, m_state_server.m_padding_hmac);
        unsigned __int64 seq_num2 = htonll(m_seq_num_server);
        unsigned short size_data2 = htons((unsigned short)size_data);
        if (!CryptHashData(hash, (const BYTE*)&seq_num2     , sizeof(seq_num2     ), 0) ||
@@ -1438,6 +1540,7 @@ eap::sanitizing_blob eap::method_tls::prf(
 HCRYPTKEY eap::method_tls::create_key(
    _In_                              HCRYPTPROV cp,
    _In_                              ALG_ID     alg,
    _In_                              HCRYPTKEY  key,
    _In_bytecount_(size_secret) const void       *secret,
@@ -1467,7 +1570,7 @@ HCRYPTKEY eap::method_tls::create_key(
    // Import the key.
    winstd::crypt_key key_out;
-    if (!key_out.import(m_cp_enc, key_blob.data(), (DWORD)key_blob.size(), NULL, 0))
+    if (!key_out.import(cp, key_blob.data(), (DWORD)key_blob.size(), NULL, 0))
        throw winstd::win_runtime_error(__FUNCTION__ " Error importing key.");
    return key_out.detach();
 #else
@@ -1513,7 +1616,7 @@ HCRYPTKEY eap::method_tls::create_key(
    // Is random PS required at all? We are importing a clear-text session key with the exponent-of-one key. How low on security can we get?
    key_blob.insert(key_blob.end(), size_ps, 0);
    unsigned char *ps = &*(key_blob.end() - size_ps);
-    CryptGenRandom(m_cp_enc, (DWORD)size_ps, ps);
+    CryptGenRandom(cp, (DWORD)size_ps, ps);
    for (size_t i = 0; i < size_ps; i++)
        if (ps[i] == 0) ps[i] = 1;
 #endif
@@ -1529,7 +1632,7 @@ HCRYPTKEY eap::method_tls::create_key(
    // Import the key.
    winstd::crypt_key key_out;
-    if (!key_out.import(m_cp_enc, key_blob.data(), (DWORD)key_blob.size(), key, 0))
+    if (!key_out.import(cp, key_blob.data(), (DWORD)key_blob.size(), key, 0))
        throw winstd::win_runtime_error(__FUNCTION__ " Error importing key.");
    return key_out.detach();
 #endif
--- a/lib/TLS_UI/include/TLS_UI.h
+++ b/lib/TLS_UI/include/TLS_UI.h
@@ -119,7 +119,7 @@ public:
    ///
    /// Construct the validator with a value to store data
    ///
-    wxHostNameValidator(std::string *val = NULL);
+    wxHostNameValidator(std::wstring *val = NULL);
    ///
    /// Copy constructor
@@ -149,10 +149,10 @@ public:
    ///
    /// Parses FQDN value
    ///
-    static bool Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::string *val_out = NULL);
+    static bool Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::wstring *val_out = NULL);
 protected:
-    std::string *m_val; ///< Pointer to variable to receive control's parsed value
+    std::wstring *m_val; ///< Pointer to variable to receive control's parsed value
 };
@@ -165,7 +165,7 @@ public:
    ///
    /// Construct the validator with a value to store data
    ///
-    wxFQDNValidator(std::string *val = NULL);
+    wxFQDNValidator(std::wstring *val = NULL);
    ///
    /// Copy constructor
@@ -195,10 +195,10 @@ public:
    ///
    /// Parses FQDN value
    ///
-    static bool Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::string *val_out = NULL);
+    static bool Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::wstring *val_out = NULL);
 protected:
-    std::string *m_val; ///< Pointer to variable to receive control's parsed value
+    std::wstring *m_val; ///< Pointer to variable to receive control's parsed value
 };
@@ -211,7 +211,7 @@ public:
    ///
    /// Construct the validator with a value to store data
    ///
-    wxFQDNListValidator(std::list<std::string> *val = NULL);
+    wxFQDNListValidator(std::list<std::wstring> *val = NULL);
    ///
    /// Copy constructor
@@ -241,10 +241,10 @@ public:
    ///
    /// Parses FQDN list value
    ///
-    static bool Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::list<std::string> *val_out = NULL);
+    static bool Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::list<std::wstring> *val_out = NULL);
 protected:
-    std::list<std::string> *m_val;  ///< Pointer to variable to receive control's parsed value
+    std::list<std::wstring> *m_val;  ///< Pointer to variable to receive control's parsed value
 };
@@ -311,7 +311,7 @@ protected:
    eap::config_method_tls &m_cfg;              ///< TLS configuration
    winstd::library m_certmgr;                  ///< certmgr.dll resource library reference
    wxIcon m_icon;                              ///< Panel icon
-    std::list<std::string> m_server_names_val;  ///< Acceptable authenticating server names
+    std::list<std::wstring> m_server_names_val; ///< Acceptable authenticating server names
 };
--- a/lib/TLS_UI/res/wxTLS_UI.cpp
+++ b/lib/TLS_UI/res/wxTLS_UI.cpp
@@ -74,11 +74,11 @@ wxEAPTLSServerTrustConfigPanelBase::wxEAPTLSServerTrustConfigPanelBase( wxWindow
 	sb_server_names->Add( m_server_names_label, 0, wxBOTTOM, 5 );
 	m_server_names = new wxTextCtrl( sb_server_trust->GetStaticBox(), wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, 0 );
-	m_server_names->SetToolTip( _("A semicolon delimited list of acceptable server FQDN names; blank to skip name check; \"*\" wildchar allowed") );
+	m_server_names->SetToolTip( _("A semicolon delimited list of acceptable server FQDN names; blank to skip name check; Unicode characters allowed") );
 	sb_server_names->Add( m_server_names, 0, wxEXPAND|wxBOTTOM, 5 );
-	m_server_names_note = new wxStaticText( sb_server_trust->GetStaticBox(), wxID_ANY, _("(Example: foo.bar.com;*.domain.org)"), wxDefaultPosition, wxDefaultSize, 0 );
+	m_server_names_note = new wxStaticText( sb_server_trust->GetStaticBox(), wxID_ANY, _("(Example: foo.bar.com;server2.bar.com)"), wxDefaultPosition, wxDefaultSize, 0 );
 	m_server_names_note->Wrap( -1 );
 	sb_server_names->Add( m_server_names_note, 0, wxALIGN_RIGHT, 5 );
--- a/lib/TLS_UI/res/wxTLS_UI.fbp
+++ b/lib/TLS_UI/res/wxTLS_UI.fbp
@@ -870,7 +870,7 @@
                                                <property name="style"></property>
                                                <property name="subclass"></property>
                                                <property name="toolbar_pane">0</property>
-                                                <property name="tooltip">A semicolon delimited list of acceptable server FQDN names; blank to skip name check; &quot;*&quot; wildchar allowed</property>
+                                                <property name="tooltip">A semicolon delimited list of acceptable server FQDN names; blank to skip name check; Unicode characters allowed</property>
                                                <property name="validator_data_type"></property>
                                                <property name="validator_style">wxFILTER_NONE</property>
                                                <property name="validator_type">wxDefaultValidator</property>
@@ -940,7 +940,7 @@
                                                <property name="gripper">0</property>
                                                <property name="hidden">0</property>
                                                <property name="id">wxID_ANY</property>
-                                                <property name="label">(Example: foo.bar.com;*.domain.org)</property>
+                                                <property name="label">(Example: foo.bar.com;server2.bar.com)</property>
                                                <property name="max_size"></property>
                                                <property name="maximize_button">0</property>
                                                <property name="maximum_size"></property>
--- a/lib/TLS_UI/src/TLS_UI.cpp
+++ b/lib/TLS_UI/src/TLS_UI.cpp
@@ -46,7 +46,7 @@ wxCertificateClientData::~wxCertificateClientData()
 wxIMPLEMENT_DYNAMIC_CLASS(wxHostNameValidator, wxValidator);
-wxHostNameValidator::wxHostNameValidator(std::string *val) :
+wxHostNameValidator::wxHostNameValidator(std::wstring *val) :
    m_val(val),
    wxValidator()
 {
@@ -98,7 +98,7 @@ bool wxHostNameValidator::TransferFromWindow()
 }
-bool wxHostNameValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::string *val_out)
+bool wxHostNameValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::wstring *val_out)
 {
    const wxStringCharType *buf = val_in;
@@ -108,7 +108,7 @@ bool wxHostNameValidator::Parse(const wxString &val_in, size_t i_start, size_t i
            // End of host name found.
            if (val_out) val_out->assign(val_in.c_str() + i_start, i - i_start);
            return true;
-        } else if (_tcschr(wxT("abcdefghijklmnopqrstuvwxyz0123456789-*"), buf[i])) {
+        } else if (buf[i] == _T('-') || buf[i] == _T('_') || _istalnum(buf[i])) {
            // Valid character found.
            i++;
        } else {
@@ -129,7 +129,7 @@ bool wxHostNameValidator::Parse(const wxString &val_in, size_t i_start, size_t i
 wxIMPLEMENT_DYNAMIC_CLASS(wxFQDNValidator, wxValidator);
-wxFQDNValidator::wxFQDNValidator(std::string *val) :
+wxFQDNValidator::wxFQDNValidator(std::wstring *val) :
    m_val(val),
    wxValidator()
 {
@@ -181,7 +181,7 @@ bool wxFQDNValidator::TransferFromWindow()
 }
-bool wxFQDNValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::string *val_out)
+bool wxFQDNValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::wstring *val_out)
 {
    const wxStringCharType *buf = val_in;
@@ -210,7 +210,7 @@ bool wxFQDNValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end
 wxIMPLEMENT_DYNAMIC_CLASS(wxFQDNListValidator, wxValidator);
-wxFQDNListValidator::wxFQDNListValidator(std::list<std::string> *val) :
+wxFQDNListValidator::wxFQDNListValidator(std::list<std::wstring> *val) :
    m_val(val),
    wxValidator()
 {
@@ -246,7 +246,7 @@ bool wxFQDNListValidator::TransferToWindow()
    if (m_val) {
        wxString str;
-        for (std::list<std::string>::const_iterator name = m_val->cbegin(), name_end = m_val->cend(); name != name_end; ++name) {
+        for (std::list<std::wstring>::const_iterator name = m_val->cbegin(), name_end = m_val->cend(); name != name_end; ++name) {
            if (!str.IsEmpty()) str += wxT("; ");
            str += *name;
        }
@@ -267,11 +267,11 @@ bool wxFQDNListValidator::TransferFromWindow()
 }
-bool wxFQDNListValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::list<std::string> *val_out)
+bool wxFQDNListValidator::Parse(const wxString &val_in, size_t i_start, size_t i_end, wxTextCtrl *ctrl, wxWindow *parent, std::list<std::wstring> *val_out)
 {
    const wxStringCharType *buf = val_in;
-    std::string _fqdn, *fqdn = val_out ? &_fqdn : NULL;
+    std::wstring _fqdn, *fqdn = val_out ? &_fqdn : NULL;
-    std::list<std::string> _val_out;
+    std::list<std::wstring> _val_out;
    size_t i = i_start;
    for (;;) {
@@ -423,14 +423,6 @@ wxTLSServerTrustPanel::wxTLSServerTrustPanel(const eap::config_provider &prov, e
 bool wxTLSServerTrustPanel::TransferDataToWindow()
 {
    if (m_prov.m_read_only) {
        // This is provider-locked configuration. Disable controls.
        m_root_ca_add_store->Enable(false);
        m_root_ca_add_file ->Enable(false);
        m_root_ca_remove   ->Enable(false);
        m_server_names     ->Enable(false);
    }
    // Populate trusted CA list.
    for (std::list<winstd::cert_context>::const_iterator cert = m_cfg.m_trusted_root_ca.cbegin(), cert_end = m_cfg.m_trusted_root_ca.cend(); cert != cert_end; ++cert)
        m_root_ca->Append(wxString(eap::get_cert_title(*cert)), new wxCertificateClientData(cert->duplicate()));
@@ -469,10 +461,19 @@ void wxTLSServerTrustPanel::OnUpdateUI(wxUpdateUIEvent& event)
 {
    UNREFERENCED_PARAMETER(event);
-    if (!m_prov.m_read_only) {
+    if (m_prov.m_read_only) {
        // This is provider-locked configuration. Disable controls.
        m_root_ca_add_store->Enable(false);
        m_root_ca_add_file ->Enable(false);
        m_root_ca_remove   ->Enable(false);
        m_server_names     ->Enable(false);
    } else {
        // This is not a provider-locked configuration. Selectively enable/disable controls.
        m_root_ca_add_store->Enable(true);
        m_root_ca_add_file ->Enable(true);
        wxArrayInt selections;
        m_root_ca_remove->Enable(m_root_ca->GetSelections(selections) ? true : false);
        m_server_names     ->Enable(true);
    }
 }
--- a/lib/TTLS/include/Credentials.h
+++ b/lib/TTLS/include/Credentials.h
@@ -32,6 +32,7 @@ namespace eap
 #include "../../PAP/include/Credentials.h"
 #include <memory>
 #include <utility>
 namespace eap
@@ -187,7 +188,7 @@ namespace eap
        /// - \c true  if credentials were set;
        /// - \c false otherwise
        ///
-        bool combine(
+        std::pair<source_t, source_t> combine(
            _In_       const credentials_ttls   *cred_cached,
            _In_       const config_method_ttls &cfg,
            _In_opt_z_       LPCTSTR            pszTargetName);
--- a/lib/TTLS/src/Credentials.cpp
+++ b/lib/TTLS/src/Credentials.cpp
@@ -226,15 +226,12 @@ std::wstring eap::credentials_ttls::get_identity() const
 }
-bool eap::credentials_ttls::combine(
+pair<eap::credentials::source_t, eap::credentials::source_t> eap::credentials_ttls::combine(
    _In_       const credentials_ttls   *cred_cached,
    _In_       const config_method_ttls &cfg,
    _In_opt_z_       LPCTSTR            pszTargetName)
 {
-    bool
+    return pair<source_t, source_t>(
-        is_outer_set = credentials_tls::combine(cred_cached, cfg, pszTargetName),
+        credentials_tls::combine(cred_cached, cfg, pszTargetName),
-        is_inner_set =
+        dynamic_cast<const credentials_pap*>(m_inner.get()) ? ((credentials_pap*)m_inner.get())->combine(cred_cached ? (credentials_pap*)cred_cached->m_inner.get() : NULL, (const config_method_pap&)*cfg.m_inner, pszTargetName) : source_unknown);
            dynamic_cast<const credentials_pap*>(m_inner.get()) ? ((credentials_pap*)m_inner.get())->combine(cred_cached ? (credentials_pap*)cred_cached->m_inner.get() : NULL, (const config_method_pap&)*cfg.m_inner, pszTargetName) : false;
    return is_outer_set && is_inner_set;
 }
--- a/lib/TTLS/src/Method.cpp
+++ b/lib/TTLS/src/Method.cpp
@@ -69,28 +69,25 @@ void eap::method_ttls::process_request_packet(
        m_module.log_event(&EAPMETHOD_TTLS_HANDSHAKE_START, event_data((unsigned int)eap_type_ttls), event_data((unsigned char)m_version), event_data((unsigned char)ver_remote), event_data::blank);
    }
    if (!m_server_finished) {
    // Do the TLS.
    method_tls::process_request_packet(pReceivedPacket, dwReceivedPacketSize, pEapOutput);
-        if (m_server_finished) {
+    if (m_phase == phase_application_data) {
-            // Piggyback inner authentication.
+        // Send inner authentication.
        if (!m_state_client.m_alg_encrypt)
            throw runtime_error(__FUNCTION__ " Refusing to send credentials unencrypted.");
        m_module.log_event(&EAPMETHOD_TTLS_INNER_CRED, event_data((unsigned int)eap_type_ttls), event_data(m_cred.m_inner->get_name()), event_data::blank);
        m_packet_res.m_code  = EapCodeResponse;
        m_packet_res.m_id    = m_packet_req.m_id;
        m_packet_res.m_flags = 0;
        sanitizing_blob msg_application(make_message(tls_message_type_application_data, make_pap_client()));
-            m_packet_res.m_data.assign(msg_application.begin(), msg_application.end());
+        m_packet_res.m_data.insert(m_packet_res.m_data.end(), msg_application.begin(), msg_application.end());
        pEapOutput->fAllowNotifications = FALSE;
        pEapOutput->action = EapPeerMethodResponseActionSend;
    }
    } else {
        // Do the TLS. Again.
        method_tls::process_request_packet(pReceivedPacket, dwReceivedPacketSize, pEapOutput);
    }
 }
@@ -111,20 +108,36 @@ void eap::method_ttls::get_result(
    _In_    EapPeerMethodResultReason reason,
    _Inout_ EapPeerMethodResult       *ppResult)
 {
-    if (!m_server_finished) {
+    if (m_phase != phase_application_data) {
        // Do the TLS.
        method_tls::get_result(reason, ppResult);
    } else {
        // The TLS finished, this is inner authentication's bussines.
        config_provider &cfg_prov(m_cfg.m_providers.front());
        config_method_ttls *cfg_method = dynamic_cast<config_method_ttls*>(cfg_prov.m_methods.front().get());
        assert(cfg_method);
-        // Mark credentials appropriately, so GUI can re-prompt user.
+        switch (reason) {
-        cfg_method->m_inner->m_cred_failed = reason == EapPeerMethodResultFailure;
+        case EapPeerMethodResultSuccess: {
            m_module.log_event(&EAPMETHOD_TTLS_INNER_SUCCESS, event_data((unsigned int)eap_type_ttls), event_data::blank);
            cfg_method->m_inner->m_auth_failed = false;
            break;
        }
        case EapPeerMethodResultFailure:
            m_module.log_event(&EAPMETHOD_TTLS_INNER_FAILURE, event_data((unsigned int)eap_type_ttls), event_data::blank);
            cfg_method->m_inner->m_auth_failed = true;
            break;
        default:
            throw win_runtime_error(ERROR_NOT_SUPPORTED, __FUNCTION__ " Not supported.");
        }
        // The TLS was OK.
        method_tls::get_result(EapPeerMethodResultSuccess, ppResult);
        // Do not report failure to EAPHost, as it will not save updated configuration then. But we need it to save it, to alert user on next connection attempt.
        // EAPHost is well aware of the failed condition.
        //if (reason == EapPeerMethodResultFailure) {
        //    ppResult->fIsSuccess = FALSE;
        //    ppResult->dwFailureReasonCode = EAP_E_AUTHENTICATION_FAILED;
--- a/lib/TTLS/src/Module.cpp
+++ b/lib/TTLS/src/Module.cpp
@@ -109,14 +109,17 @@ void eap::peer_ttls::get_identity(
    {
        // Combine credentials.
        user_impersonator impersonating(hTokenImpersonateUser);
-        *pfInvokeUI = cred_out.combine(
+        pair<eap::credentials::source_t, eap::credentials::source_t> cred_source(cred_out.combine(
 #ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
            &cred_in,
 #else
            NULL,
 #endif
            *cfg_method,
-            (dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? cfg_prov.m_id.c_str() : NULL) ? FALSE : TRUE;
+            (dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? cfg_prov.m_id.c_str() : NULL));
        // If either of credentials is unknown, request UI.
        *pfInvokeUI = cred_source.first == eap::credentials::source_unknown || cred_source.second == eap::credentials::source_unknown ? TRUE : FALSE;
    }
    if (*pfInvokeUI) {
@@ -132,14 +135,14 @@ void eap::peer_ttls::get_identity(
    // If we got here, we have all credentials we need. But, wait!
-    if (cfg_method->m_cred_failed) {
+    if (cfg_method->m_auth_failed) {
        // Outer TLS: Credentials failed on last connection attempt.
        log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM, event_data((unsigned int)eap_type_tls), event_data::blank);
        *pfInvokeUI = TRUE;
        return;
    }
-    if (cfg_method->m_inner->m_cred_failed) {
+    if (cfg_method->m_inner->m_auth_failed) {
        // Inner: Credentials failed on last connection attempt.
        log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM, event_data((unsigned int)type_inner), event_data::blank);
        *pfInvokeUI = TRUE;
--- a/lib/TTLS_UI/include/TTLS_UI.h
+++ b/lib/TTLS_UI/include/TTLS_UI.h
@@ -45,7 +45,6 @@ class wxTTLSCredentialsPanel;
 #include <wx/choicebk.h>
 #include <wx/icon.h>
 #include <wx/scrolwin.h>
 #include <wx/stattext.h>
 #include <Windows.h>
@@ -74,32 +73,28 @@ protected:
 };
-class wxTTLSConfigWindow : public wxScrolledWindow
+class wxTTLSConfigWindow : public wxEAPConfigWindow
 {
 public:
    ///
    /// Constructs a configuration panel
    ///
    /// \param[in]    prov           Provider configuration data
    /// \param[inout] cfg            Configuration data
    /// \param[in]    pszCredTarget  Target name of credentials in Windows Credential Manager. Can be further decorated to create final target name.
    /// \param[in]    parent         Parent window
    ///
    wxTTLSConfigWindow(const eap::config_provider &prov, eap::config_method &cfg, LPCTSTR pszCredTarget, wxWindow* parent);
    ///
    /// Destructs the configuration panel
    ///
    virtual ~wxTTLSConfigWindow();
 protected:
    /// \cond internal
    virtual bool TransferDataToWindow();
    virtual bool TransferDataFromWindow();
    virtual void OnInitDialog(wxInitDialogEvent& event);
    virtual void OnUpdateUI(wxUpdateUIEvent& event);
    /// \endcond
 protected:
    const eap::config_provider &m_prov;     ///< EAP provider
    eap::config_method_ttls &m_cfg;         ///< TTLS configuration
    wxStaticText *m_outer_title;            ///< Outer authentication title
    wxTTLSConfigPanel *m_outer_identity;    ///< Outer identity configuration panel
--- a/lib/TTLS_UI/src/Module.cpp
+++ b/lib/TTLS_UI/src/Module.cpp
@@ -83,8 +83,26 @@ void eap::peer_ttls_ui::invoke_config_ui(
 {
    // Unpack configuration.
    config_provider_list cfg(*this);
-    if (dwConnectionDataInSize)
+    if (dwConnectionDataInSize) {
        // Load existing configuration.
        unpack(cfg, pConnectionDataIn, dwConnectionDataInSize);
    } else {
        // This is a blank network profile. Create default configuraton.
        // Start with PAP inner configuration.
        unique_ptr<config_method_ttls> cfg_method(new config_method_ttls(*this));
        cfg_method->m_inner.reset(new config_method_pap(*this));
        cfg_method->m_anonymous_identity = L"@";
        cfg_method->m_use_preshared = true;
        cfg_method->m_preshared.reset(new credentials_tls(*this));
        // Start with one method.
        config_provider cfg_provider(*this);
        cfg_provider.m_methods.push_back(std::move(cfg_method));
        // Start with one provider.
        cfg.m_providers.push_back(std::move(cfg_provider));
    }
    // Initialize application.
    new wxApp();
@@ -163,14 +181,14 @@ void eap::peer_ttls_ui::invoke_identity_ui(
    }
    // Combine credentials.
-    cred_out.combine(
+    pair<eap::credentials::source_t, eap::credentials::source_t> cred_source(cred_out.combine(
 #ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
        &cred_in,
 #else
        NULL,
 #endif
        *cfg_method,
-        (dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? cfg_prov.m_id.c_str() : NULL);
+        (dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? cfg_prov.m_id.c_str() : NULL));
    if (dwFlags & EAP_FLAG_GUEST_ACCESS) {
        // Disable credential saving for guests.
@@ -190,10 +208,18 @@ void eap::peer_ttls_ui::invoke_identity_ui(
        parent.AdoptAttributesFromHWND();
        wxTopLevelWindows.Append(&parent);
-        // Create and launch credentials dialog.
+        // Create credentials dialog.
        wxEAPCredentialsDialog dlg(cfg_prov, &parent);
        wxTTLSCredentialsPanel *panel = new wxTTLSCredentialsPanel(cfg_prov, *cfg_method, cred_out, cfg_prov.m_id.c_str(), &dlg);
-        dlg.AddContents((wxPanel**)&panel, 1);
+        dlg.AddContent(panel);
        // Set "Remember" checkboxes according to credential source,
        panel->m_outer_cred->SetRememberValue(cred_source.first == eap::credentials::source_storage);
        wxPAPCredentialsPanel *panel_inner_cred_pap = dynamic_cast<wxPAPCredentialsPanel*>(panel->m_inner_cred);
        if (panel_inner_cred_pap)
            panel_inner_cred_pap->SetRememberValue(cred_source.second == eap::credentials::source_storage);
        // Centre and display dialog.
        dlg.Centre(wxBOTH);
        result = dlg.ShowModal();
        if (result == wxID_OK) {
@@ -208,7 +234,6 @@ void eap::peer_ttls_ui::invoke_identity_ui(
                }
            }
            wxPAPCredentialsPanel *panel_inner_cred_pap = dynamic_cast<wxPAPCredentialsPanel*>(panel->m_inner_cred);
            if (panel_inner_cred_pap && panel_inner_cred_pap->GetRememberValue()) {
                try {
                    cred_out.m_inner->store(cfg_prov.m_id.c_str());
--- a/lib/TTLS_UI/src/TTLS_UI.cpp
+++ b/lib/TTLS_UI/src/TTLS_UI.cpp
@@ -38,14 +38,6 @@ wxTTLSConfigPanel::wxTTLSConfigPanel(const eap::config_provider &prov, eap::conf
 bool wxTTLSConfigPanel::TransferDataToWindow()
 {
    if (m_prov.m_read_only) {
        // This is provider-locked configuration. Disable controls.
        m_outer_identity_same      ->Enable(false);
        m_outer_identity_empty     ->Enable(false);
        m_outer_identity_custom    ->Enable(false);
        m_outer_identity_custom_val->Enable(false);
    }
    // Populate identity controls.
    if (m_cfg.m_anonymous_identity.empty()) {
        m_outer_identity_same->SetValue(true);
@@ -82,8 +74,17 @@ void wxTTLSConfigPanel::OnUpdateUI(wxUpdateUIEvent& event)
 {
    UNREFERENCED_PARAMETER(event);
-    if (!m_prov.m_read_only) {
+    if (m_prov.m_read_only) {
        // This is provider-locked configuration. Disable controls.
        m_outer_identity_same      ->Enable(false);
        m_outer_identity_empty     ->Enable(false);
        m_outer_identity_custom    ->Enable(false);
        m_outer_identity_custom_val->Enable(false);
    } else {
        // This is not a provider-locked configuration. Selectively enable/disable controls.
        m_outer_identity_same      ->Enable(true);
        m_outer_identity_empty     ->Enable(true);
        m_outer_identity_custom    ->Enable(true);
        m_outer_identity_custom_val->Enable(m_outer_identity_custom->GetValue());
    }
 }
@@ -94,10 +95,9 @@ void wxTTLSConfigPanel::OnUpdateUI(wxUpdateUIEvent& event)
 //////////////////////////////////////////////////////////////////////
 wxTTLSConfigWindow::wxTTLSConfigWindow(const eap::config_provider &prov, eap::config_method &cfg, LPCTSTR pszCredTarget, wxWindow* parent) :
    m_prov(prov),
    m_cfg((eap::config_method_ttls&)cfg),
    m_cfg_pap(cfg.m_module),
-    wxScrolledWindow(parent, wxID_ANY, wxDefaultPosition, wxDefaultSize, wxVSCROLL)
+    wxEAPConfigWindow(prov, cfg, parent)
 {
    wxBoxSizer* sb_content;
    sb_content = new wxBoxSizer( wxVERTICAL );
@@ -112,7 +112,8 @@ wxTTLSConfigWindow::wxTTLSConfigWindow(const eap::config_provider &prov, eap::co
    m_inner_type = new wxChoicebook(this, wxID_ANY, wxDefaultPosition, wxDefaultSize, wxCHB_DEFAULT);
    m_inner_type->SetToolTip( _("Select inner authentication method from the list") );
-    m_inner_type->AddPage(new wxPAPConfigPanel(m_prov, m_cfg_pap, pszCredTarget, m_inner_type), _("PAP"));
+    wxPAPConfigPanel *panel_pap = new wxPAPConfigPanel(m_prov, m_cfg_pap, pszCredTarget, m_inner_type);
    m_inner_type->AddPage(panel_pap, _("PAP"));
    sb_content->Add(m_inner_type, 0, wxALL|wxEXPAND, 5);
    sb_content->Add(20, 20, 1, wxALL|wxEXPAND, 5);
@@ -135,32 +136,17 @@ wxTTLSConfigWindow::wxTTLSConfigWindow(const eap::config_provider &prov, eap::co
        size.y  = 500;
    }
    this->SetMinSize(size);
    this->SetScrollRate(5, 5);
    this->SetSizer(sb_content);
    this->Layout();
-    m_inner_type->SetFocusFromKbd();
+    // m_inner_type->SetFocusFromKbd(); // This control steals mouse-wheel scrolling for itself
-
+    panel_pap->SetFocusFromKbd();
    // Connect Events
    this->Connect(wxEVT_INIT_DIALOG, wxInitDialogEventHandler(wxTTLSConfigWindow::OnInitDialog));
 }
 wxTTLSConfigWindow::~wxTTLSConfigWindow()
 {
    // Disconnect Events
    this->Disconnect(wxEVT_INIT_DIALOG, wxInitDialogEventHandler(wxTTLSConfigWindow::OnInitDialog));
 }
 bool wxTTLSConfigWindow::TransferDataToWindow()
 {
    if (m_prov.m_read_only) {
        // This is provider-locked configuration. Disable controls.
        m_inner_type->GetChoiceCtrl()->Enable(false);
    }
    eap::config_method_pap *cfg_pap = dynamic_cast<eap::config_method_pap*>(m_cfg.m_inner.get());
    if (cfg_pap) {
        m_cfg_pap = *cfg_pap;
@@ -196,8 +182,7 @@ bool wxTTLSConfigWindow::TransferDataFromWindow()
 void wxTTLSConfigWindow::OnInitDialog(wxInitDialogEvent& event)
 {
-    // Call TransferDataToWindow() manually, as wxScrolledWindow somehow skips that.
+    wxEAPConfigWindow::OnInitDialog(event);
    TransferDataToWindow();
    // Forward the event to child panels.
    m_outer_identity->GetEventHandler()->ProcessEvent(event);
@@ -207,6 +192,14 @@ void wxTTLSConfigWindow::OnInitDialog(wxInitDialogEvent& event)
 }
 void wxTTLSConfigWindow::OnUpdateUI(wxUpdateUIEvent& event)
 {
    wxEAPConfigWindow::OnUpdateUI(event);
    m_inner_type->GetChoiceCtrl()->Enable(!m_prov.m_read_only);
 }
 //////////////////////////////////////////////////////////////////////
 // wxTTLSCredentialsPanel
 //////////////////////////////////////////////////////////////////////
@@ -226,7 +219,7 @@ wxTTLSCredentialsPanel::wxTTLSCredentialsPanel(const eap::config_provider &prov,
    assert(m_cfg.m_inner);
-    if (m_cfg.m_inner->m_cred_failed)
+    if (m_cfg.m_inner->m_auth_failed)
        sb_content->Add(new wxEAPCredentialWarningPanel(m_prov, this), 0, wxALL|wxEXPAND, 5);
    const eap::config_method_pap *cfg_inner_pap = dynamic_cast<const eap::config_method_pap*>(m_cfg.m_inner.get());
@@ -245,7 +238,7 @@ wxTTLSCredentialsPanel::wxTTLSCredentialsPanel(const eap::config_provider &prov,
    m_outer_title->SetForegroundColour( wxSystemSettings::GetColour( wxSYS_COLOUR_INACTIVECAPTION ) );
    sb_content->Add(m_outer_title, 0, wxALL|wxALIGN_RIGHT, 5);
-    if (m_cfg.m_cred_failed)
+    if (m_cfg.m_auth_failed)
        sb_content->Add(new wxEAPCredentialWarningPanel(m_prov, this), 0, wxALL|wxEXPAND, 5);
    m_outer_cred = new wxTLSCredentialsPanel(m_prov, (const eap::config_method_tls&)m_cfg, (eap::credentials_tls&)cred, pszCredTarget, this, is_config);
--- a/lib/WinStd
+++ b/lib/WinStd
Author	SHA1	Message	Date
Simon Rozman	e4c3f5cbd8	Version set to 1.0-alpha10-owntls	2016-08-23 14:52:26 +02:00
Simon Rozman	1df98af5a1	Event descriptors updated	2016-08-23 14:48:47 +02:00
Simon Rozman	3cbd749966	Sub-module update	2016-08-23 14:46:06 +02:00
Simon Rozman	2125679385	Server certificate name check extended to search for the name in the subjectAltName(2) extension first; only when none present, compares against Common Name	2016-08-23 14:43:07 +02:00
Simon Rozman	fb5d969c2b	Support for the wild-char certificate names dropped	2016-08-23 14:42:43 +02:00
Simon Rozman	f39cb94ee5	Server names can be Unicode now	2016-08-23 14:42:11 +02:00
Simon Rozman	59768e8097	Cipher suite list size is now in number of elements, not bytes	2016-08-23 14:41:25 +02:00
Simon Rozman	5720524abe	Version set to 1.0-alpha9	2016-08-18 06:33:02 +02:00
Simon Rozman	1f1b9b1084	GUI boots with a predefined configuration on new profiles now (closes #10)	2016-08-18 06:31:16 +02:00
Simon Rozman	076c6b77d7	GUI updated to show "<Your Provider>" when provider ID is blank	2016-08-18 06:30:02 +02:00
Simon Rozman	92460c571f	Initial focus changed to the first non-mouse-wheel-capturing control to allow initial scrolling of the configuration dialog using mouse wheel	2016-08-17 16:42:19 +02:00
Simon Rozman	b79a2f26f6	Support for read-only lock added to GUI	2016-08-17 16:27:43 +02:00
Simon Rozman	373c83dbbe	Provider identity and help-desk is configurable via GUI now	2016-08-17 15:56:11 +02:00
Simon Rozman	543dada025	Provider and method lists are arrays now, to allow random access for configuration dialog coming-up	2016-08-17 14:47:15 +02:00
Simon Rozman	ce22ec3bfa	wxEAPCredentialsPanelPassBase >> wxEAPCredentialsPassPanelBase	2016-08-17 13:48:14 +02:00
Simon Rozman	a04647b7b5	Version set to 1.0-alpha8	2016-08-17 11:51:36 +02:00
Simon Rozman	df1d431bd0	- TLS revised (again) - TLS Session resumption issues resolved - Credential prompt has "Remember" checkbox initially selected when credentials originate from Windows Credential Manager - Last authentication attempt failure notice is more general and no longer insinuate user credentials are the likely cause of the failure - Additional log messages added	2016-08-17 11:50:34 +02:00
Simon Rozman	16527c8124	Client explicitly refuses to accept change cipher spec if no or NULL cipher was proposed now	2016-08-17 09:32:43 +02:00
Simon Rozman	69e6b775f8	Hello requests are no longer included in the handshake hashing (as per RFC)	2016-08-17 09:29:55 +02:00
Simon Rozman	c69316071f	Support for encrypted change cipher spec messages added	2016-08-17 09:26:46 +02:00
Simon Rozman	a02d1e7094	Explicit checks on server certificate chain added: - Certificate can not be self-signed: Cannot check trust against configured root CAs when server certificate is self-signed - Server can provide full certificate chain up-to and including root CA. Importing root CA to the store for certificate chain validation would implicitly trust this certificate chain. Thus, we skip all self-signed certificates on import.	2016-08-17 09:22:38 +02:00
Simon Rozman	078636eb14	make_change_chiper_spec() removed as this message can simply be created using make_message()	2016-08-17 09:09:42 +02:00
Simon Rozman	cabae26e0b	Flags describing handshake messages received assembled in a boolean table of flags	2016-08-17 09:01:11 +02:00
Simon Rozman	7376693838	Additional constants	2016-08-17 08:34:25 +02:00
Simon Rozman	a5b3914a09	Comments and some minor clean-up	2016-08-16 22:27:30 +02:00