Version set to 1.0-alpha9

(closes #10)

include/Version.h

@@ -29,7 +29,7 @@
 // Product version as a single DWORD
 // Note: Used for version comparison within C/C++ code.
 //
-#define PRODUCT_VERSION          0x00ff0700
+#define PRODUCT_VERSION          0x00ff0900
 
 //
 // Product version by components
@@ -39,26 +39,26 @@
 //
 #define PRODUCT_VERSION_MAJ      0
 #define PRODUCT_VERSION_MIN      255
-#define PRODUCT_VERSION_REV      7
+#define PRODUCT_VERSION_REV      9
 #define PRODUCT_VERSION_BUILD    0
 
 //
 // Human readable product version and build year for UI
 //
-#define PRODUCT_VERSION_STR      "1.0-alpha7"
+#define PRODUCT_VERSION_STR      "1.0-alpha9"
 #define PRODUCT_BUILD_YEAR_STR   "2016"
 
 //
 // Numerical version presentation for ProductVersion propery in
 // MSI packages (syntax: N.N[.N[.N]])
 //
-#define PRODUCT_VERSION_INST     "0.255.7"
+#define PRODUCT_VERSION_INST     "0.255.9"
 
 //
 // The product code for ProductCode property in MSI packages
 // Replace with new on every version change, regardless how minor it is.
 //
-#define PRODUCT_VERSION_GUID     "{54C2BA4B-EFC8-4F3E-A838-28744134A136}"
+#define PRODUCT_VERSION_GUID     "{E6169375-3FA7-443A-921A-44105A94201C}"
 
 //
 // Since the product name is not finally confirmed at the time of

lib/EAPBase/include/Config.h

@@ -89,7 +89,6 @@ inline void operator>>(_Inout_ eap::cursor_in &cursor, _Out_ eap::config &val);
 #include <eaptypes.h> // Must include after <Windows.h>
 #include <tchar.h>
 
-#include <list>
 #include <string>
 #include <memory>
 
@@ -342,7 +341,7 @@ namespace eap
         bool m_allow_save;                          ///< Are credentials allowed to be saved to Windows Credential Manager?
         bool m_use_preshared;                       ///< Use pre-shared credentials
         std::unique_ptr<credentials> m_preshared;   ///< Pre-shared credentials
-        bool m_cred_failed;                         ///< Did credential fail last time?
+        bool m_auth_failed;                         ///< Did credential fail last time?
     };
 
 
@@ -451,7 +450,7 @@ namespace eap
         winstd::tstring m_lbl_alt_credential;                   ///< Alternative label for credential prompt
         winstd::tstring m_lbl_alt_identity;                     ///< Alternative label for identity prompt
         winstd::tstring m_lbl_alt_password;                     ///< Alternative label for password prompt
-        std::list<std::unique_ptr<config_method> > m_methods;   ///< List of method configurations
+        std::vector<std::unique_ptr<config_method> > m_methods; ///< Array of method configurations
     };
 
 
@@ -551,7 +550,7 @@ namespace eap
         /// @}
 
     public:
-        std::list<eap::config_provider> m_providers;    ///< List of provider configurations
+        std::vector<eap::config_provider> m_providers;  ///< Array of provider configurations
     };
 }
 

lib/EAPBase/include/Credentials.h

@@ -54,6 +54,18 @@ namespace eap
 {
     class credentials : public config
     {
+    public:
+        ///
+        /// Credential source when combined
+        ///
+        enum  source_t {
+            source_unknown = -1, ///< Unknown source
+            source_cache = 0,    ///< Credentials were obtained from EAPHost cache
+            source_preshared,    ///< Credentials were set by method configuration
+            source_storage       ///< Credentials were loaded from Windows Credential Manager
+        };
+
+
     public:
         ///
         /// Constructs credentials
@@ -158,26 +170,6 @@ namespace eap
         /// Returns credential name (for GUI display).
         ///
         virtual winstd::tstring get_name() const;
-
-        ///
-        /// Combine credentials in the following order:
-        ///
-        /// 1. Cached credentials
-        /// 2. Pre-configured credentials
-        /// 3. Stored credentials
-        ///
-        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL)
-        /// \param[in] cfg            Method configuration
-        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
-        ///
-        /// \returns
-        /// - \c true  if credentials were set;
-        /// - \c false otherwise
-        ///
-        virtual bool combine(
-            _In_       const credentials       *cred_cached,
-            _In_       config_method_with_cred &cfg,
-            _In_opt_z_ LPCTSTR                 pszTargetName);
     };
 
 

lib/EAPBase/src/Config.cpp

@@ -139,7 +139,7 @@ eap::config_method& eap::config_method::operator=(_Inout_ config_method &&other)
 eap::config_method_with_cred::config_method_with_cred(_In_ module &mod) :
     m_allow_save(true),
     m_use_preshared(false),
-    m_cred_failed(false),
+    m_auth_failed(false),
     config_method(mod)
 {
 }
@@ -149,7 +149,7 @@ eap::config_method_with_cred::config_method_with_cred(_In_ const config_method_w
     m_allow_save(other.m_allow_save),
     m_use_preshared(other.m_use_preshared),
     m_preshared(other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr),
-    m_cred_failed(other.m_cred_failed),
+    m_auth_failed(other.m_auth_failed),
     config_method(other)
 {
 }
@@ -159,7 +159,7 @@ eap::config_method_with_cred::config_method_with_cred(_Inout_ config_method_with
     m_allow_save(std::move(other.m_allow_save)),
     m_use_preshared(std::move(other.m_use_preshared)),
     m_preshared(std::move(other.m_preshared)),
-    m_cred_failed(std::move(other.m_cred_failed)),
+    m_auth_failed(std::move(other.m_auth_failed)),
     config_method(std::move(other))
 {
 }
@@ -172,7 +172,7 @@ eap::config_method_with_cred& eap::config_method_with_cred::operator=(_In_ const
         m_allow_save          = other.m_allow_save;
         m_use_preshared       = other.m_use_preshared;
         m_preshared.reset(other.m_preshared ? (credentials*)other.m_preshared->clone() : nullptr);
-        m_cred_failed         = other.m_cred_failed;
+        m_auth_failed         = other.m_auth_failed;
     }
 
     return *this;
@@ -186,7 +186,7 @@ eap::config_method_with_cred& eap::config_method_with_cred::operator=(_Inout_ co
         m_allow_save          = std::move(other.m_allow_save   );
         m_use_preshared       = std::move(other.m_use_preshared);
         m_preshared           = std::move(other.m_preshared    );
-        m_cred_failed         = std::move(other.m_cred_failed  );
+        m_auth_failed         = std::move(other.m_auth_failed  );
     }
 
     return *this;
@@ -248,7 +248,7 @@ void eap::config_method_with_cred::operator<<(_Inout_ cursor_out &cursor) const
     cursor << m_allow_save;
     cursor << m_use_preshared;
     cursor << *m_preshared;
-    cursor << m_cred_failed;
+    cursor << m_auth_failed;
 }
 
 
@@ -259,7 +259,7 @@ size_t eap::config_method_with_cred::get_pk_size() const
         pksizeof(m_allow_save   ) +
         pksizeof(m_use_preshared) +
         pksizeof(*m_preshared   ) +
-        pksizeof(m_cred_failed  );
+        pksizeof(m_auth_failed  );
 }
 
 
@@ -269,7 +269,7 @@ void eap::config_method_with_cred::operator>>(_Inout_ cursor_in &cursor)
     cursor >> m_allow_save;
     cursor >> m_use_preshared;
     cursor >> *m_preshared;
-    cursor >> m_cred_failed;
+    cursor >> m_auth_failed;
 }
 
 
@@ -296,7 +296,8 @@ eap::config_provider::config_provider(_In_ const config_provider &other) :
     m_lbl_alt_password(other.m_lbl_alt_password),
     config(other)
 {
-    for (list<unique_ptr<config_method> >::const_iterator method = other.m_methods.cbegin(), method_end = other.m_methods.cend(); method != method_end; ++method)
+    m_methods.reserve(other.m_methods.size());
+    for (vector<unique_ptr<config_method> >::const_iterator method = other.m_methods.cbegin(), method_end = other.m_methods.cend(); method != method_end; ++method)
         m_methods.push_back(std::move(unique_ptr<config_method>(*method ? (config_method*)method->get()->clone() : nullptr)));
 }
 
@@ -332,7 +333,8 @@ eap::config_provider& eap::config_provider::operator=(_In_ const config_provider
         m_lbl_alt_password   = other.m_lbl_alt_password;
 
         m_methods.clear();
-        for (list<unique_ptr<config_method> >::const_iterator method = other.m_methods.cbegin(), method_end = other.m_methods.cend(); method != method_end; ++method)
+        m_methods.reserve(other.m_methods.size());
+        for (vector<unique_ptr<config_method> >::const_iterator method = other.m_methods.cbegin(), method_end = other.m_methods.cend(); method != method_end; ++method)
             m_methods.push_back(std::move(unique_ptr<config_method>(*method ? (config_method*)method->get()->clone() : nullptr)));
     }
 
@@ -432,7 +434,7 @@ void eap::config_provider::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNode *pC
     if (FAILED(hr = eapxml::create_element(pDoc, pConfigRoot, bstr(L"eap-metadata:AuthenticationMethods"), bstr(L"AuthenticationMethods"), bstrNamespace, &pXmlElAuthenticationMethods)))
         throw com_runtime_error(hr, __FUNCTION__ " Error creating <AuthenticationMethods> element.");
 
-    for (list<unique_ptr<config_method> >::const_iterator method = m_methods.cbegin(), method_end = m_methods.cend(); method != method_end; ++method) {
+    for (vector<unique_ptr<config_method> >::const_iterator method = m_methods.cbegin(), method_end = m_methods.cend(); method != method_end; ++method) {
         // <AuthenticationMethod>
         com_obj<IXMLDOMElement> pXmlElAuthenticationMethod;
         if (FAILED(hr = eapxml::create_element(pDoc, bstr(L"AuthenticationMethod"), bstrNamespace, &pXmlElAuthenticationMethod)))
@@ -669,7 +671,7 @@ void eap::config_provider_list::save(_In_ IXMLDOMDocument *pDoc, _In_ IXMLDOMNod
     if (FAILED(hr = eapxml::select_node(pConfigRoot, bstr(L"eap-metadata:EAPIdentityProviderList"), &pXmlElIdentityProviderList)))
         throw com_runtime_error(hr, __FUNCTION__ " Error selecting <EAPIdentityProviderList> element.");
 
-    for (list<config_provider>::const_iterator provider = m_providers.cbegin(), provider_end = m_providers.cend(); provider != provider_end; ++provider) {
+    for (vector<config_provider>::const_iterator provider = m_providers.cbegin(), provider_end = m_providers.cend(); provider != provider_end; ++provider) {
         // <EAPIdentityProvider>
         com_obj<IXMLDOMElement> pXmlElIdentityProvider;
         if (FAILED(hr = eapxml::create_element(pDoc, bstr(L"EAPIdentityProvider"), bstrNamespace, &pXmlElIdentityProvider)))

lib/EAPBase/src/Credentials.cpp

@@ -83,19 +83,6 @@ tstring eap::credentials::get_name() const
 }
 
 
-bool eap::credentials::combine(
-    _In_       const credentials       *cred_cached,
-    _In_       config_method_with_cred &cfg,
-    _In_opt_z_ LPCTSTR                 pszTargetName)
-{
-    UNREFERENCED_PARAMETER(cred_cached);
-    UNREFERENCED_PARAMETER(cfg);
-    UNREFERENCED_PARAMETER(pszTargetName);
-
-    // When there's nothing to combine...
-    return true;
-}
-
 //////////////////////////////////////////////////////////////////////
 // eap::credentials_pass
 //////////////////////////////////////////////////////////////////////

lib/EAPBase_UI/include/EAP_UI.h

@@ -20,6 +20,7 @@
 
 #include <wx/hyperlink.h>
 #include <wx/icon.h>
+#include <wx/scrolwin.h>
 #include <wx/statbmp.h>
 #include <Windows.h>
 
@@ -34,18 +35,21 @@ class wxEAPBannerPanel;
 ///
 template <class _wxT> class wxEAPConfigDialog;
 
+///
+/// EAP general-use dialog
+///
+class wxEAPGeneralDialog;
+
 ///
 /// EAP top-most credential dialog
 ///
 class wxEAPCredentialsDialog;
 
-
 ///
 /// EAP general note
 ///
 class wxEAPNotePanel;
 
-
 ///
 /// EAP provider-locked congifuration note
 ///
@@ -56,6 +60,21 @@ class wxEAPProviderLockedPanel;
 ///
 class wxEAPCredentialWarningPanel;
 
+///
+/// EAP Configuration window
+///
+class wxEAPConfigWindow;
+
+///
+/// EAP provider identity config panel
+///
+class wxEAPProviderIdentityPanel;
+
+///
+/// EAP provider configuration dialog
+///
+class wxEAPConfigProvider;
+
 ///
 /// Base template for credential configuration panel
 ///
@@ -76,6 +95,11 @@ template <class _Tcred, class _Tbase> class wxPasswordCredentialsPanel;
 ///
 inline bool wxSetIconFromResource(wxStaticBitmap *bmp, wxIcon &icon, HINSTANCE hinst, PCWSTR pszName);
 
+///
+/// Returns GUI displayable provider name
+///
+inline wxString wxEAPGetProviderName(const std::wstring &id);
+
 #pragma once
 
 #include <wx/msw/winundef.h> // Fixes `CreateDialog` name collision
@@ -128,10 +152,10 @@ public:
         // Set extra style here, as wxFormBuilder overrides all default flags.
         this->SetExtraStyle(this->GetExtraStyle() | wxWS_EX_VALIDATE_RECURSIVELY);
 
-        for (std::list<eap::config_provider>::iterator provider = m_cfg.m_providers.begin(), provider_end = m_cfg.m_providers.end(); provider != provider_end; ++provider) {
+        for (std::vector<eap::config_provider>::iterator provider = m_cfg.m_providers.begin(), provider_end = m_cfg.m_providers.end(); provider != provider_end; ++provider) {
             bool is_single = provider->m_methods.size() == 1;
-            std::list<std::unique_ptr<eap::config_method> >::size_type count = 0;
+            std::vector<std::unique_ptr<eap::config_method> >::size_type count = 0;
-            std::list<std::unique_ptr<eap::config_method> >::iterator method = provider->m_methods.begin(), method_end = provider->m_methods.end();
+            std::vector<std::unique_ptr<eap::config_method> >::iterator method = provider->m_methods.begin(), method_end = provider->m_methods.end();
             for (; method != method_end; ++method, count++)
                 m_providers->AddPage(
                     new _wxT(
@@ -139,7 +163,9 @@ public:
                         *method->get(),
                         provider->m_id.c_str(),
                         m_providers),
-                    is_single ? provider->m_id : winstd::tstring_printf(_T("%s (%u)"), provider->m_id.c_str(), count));
+                    is_single ?
+                        wxEAPGetProviderName(provider->m_id) :
+                        winstd::tstring_printf(_T("%s (%u)"), wxEAPGetProviderName(provider->m_id), count));
         }
 
         this->Layout();
@@ -151,6 +177,7 @@ public:
 
 protected:
     /// \cond internal
+
     virtual void OnInitDialog(wxInitDialogEvent& event)
     {
         // Forward the event to child panels.
@@ -160,6 +187,22 @@ protected:
                 prov->GetEventHandler()->ProcessEvent(event);
         }
     }
+
+    virtual void OnUpdateUI(wxUpdateUIEvent& event)
+    {
+        UNREFERENCED_PARAMETER(event);
+
+        m_advanced->Enable(!m_cfg.m_providers.at(m_providers->GetSelection()).m_read_only);
+    }
+
+    virtual void OnAdvanced(wxCommandEvent& event)
+    {
+        UNREFERENCED_PARAMETER(event);
+
+        wxEAPConfigProvider dlg(m_cfg.m_providers.at(m_providers->GetSelection()), this);
+        dlg.ShowModal();
+    }
+
     /// \endcond
 
 
@@ -168,23 +211,38 @@ protected:
 };
 
 
-class wxEAPCredentialsDialog : public wxEAPCredentialsDialogBase
+class wxEAPGeneralDialog : public wxEAPGeneralDialogBase
+{
+public:
+    ///
+    /// Constructs a dialog
+    ///
+    wxEAPGeneralDialog(wxWindow* parent, const wxString& title = wxEmptyString);
+
+    ///
+    /// Adds panels to the dialog
+    ///
+    void AddContent(wxPanel **contents, size_t content_count);
+
+    ///
+    /// Adds single panel to the dialog
+    ///
+    void AddContent(wxPanel *content);
+
+protected:
+    /// \cond internal
+    virtual void OnInitDialog(wxInitDialogEvent& event);
+    /// \endcond
+};
+
+
+class wxEAPCredentialsDialog : public wxEAPGeneralDialog
 {
 public:
     ///
     /// Constructs a credential dialog
     ///
     wxEAPCredentialsDialog(const eap::config_provider &prov, wxWindow* parent);
-
-    ///
-    /// Adds panels to the dialog
-    ///
-    void AddContents(wxPanel **contents, size_t content_count);
-
-protected:
-    /// \cond internal
-    virtual void OnInitDialog(wxInitDialogEvent& event);
-    /// \endcond
 };
 
 
@@ -265,6 +323,103 @@ protected:
 };
 
 
+class wxEAPConfigWindow : public wxScrolledWindow
+{
+public:
+    ///
+    /// Constructs a configuration window
+    ///
+    /// \param[in]    prov    Provider configuration data
+    /// \param[inout] cfg     Configuration data
+    /// \param[in]    parent  Parent window
+    ///
+    wxEAPConfigWindow(const eap::config_provider &prov, eap::config_method &cfg, wxWindow* parent);
+
+    ///
+    /// Destructs the configuration window
+    ///
+    virtual ~wxEAPConfigWindow();
+
+protected:
+    /// \cond internal
+    virtual void OnInitDialog(wxInitDialogEvent& event);
+    virtual void OnUpdateUI(wxUpdateUIEvent& event);
+    /// \endcond
+
+protected:
+    const eap::config_provider &m_prov;     ///< EAP provider
+    eap::config_method &m_cfg;              ///< Method configuration
+};
+
+
+class wxEAPProviderIdentityPanel : public wxEAPProviderIdentityPanelBase
+{
+public:
+    ///
+    /// Constructs a provider identity pannel
+    ///
+    /// \param[inout] prov    Provider configuration data
+    /// \param[in]    parent  Parent window
+    ///
+    wxEAPProviderIdentityPanel(eap::config_provider &prov, wxWindow* parent);
+
+    friend class wxEAPConfigProvider; // Allows direct setting of keyboard focus
+
+protected:
+    /// \cond internal
+    virtual bool TransferDataToWindow();
+    virtual bool TransferDataFromWindow();
+    /// \endcond
+
+protected:
+    eap::config_provider &m_prov;   ///< EAP method configuration
+    winstd::library m_shell32;      ///< shell32.dll resource library reference
+    wxIcon m_icon;                  ///< Panel icon
+};
+
+
+class wxEAPProviderLockPanel : public wxEAPProviderLockPanelBase
+{
+public:
+    ///
+    /// Constructs a provider lock pannel
+    ///
+    /// \param[inout] prov    Provider configuration data
+    /// \param[in]    parent  Parent window
+    ///
+    wxEAPProviderLockPanel(eap::config_provider &prov, wxWindow* parent);
+
+protected:
+    /// \cond internal
+    virtual bool TransferDataToWindow();
+    virtual bool TransferDataFromWindow();
+    /// \endcond
+
+protected:
+    eap::config_provider &m_prov;   ///< EAP method configuration
+    winstd::library m_shell32;      ///< shell32.dll resource library reference
+    wxIcon m_icon;                  ///< Panel icon
+};
+
+
+class wxEAPConfigProvider : public wxEAPGeneralDialog
+{
+public:
+    ///
+    /// Constructs a provider config dialog
+    ///
+    /// \param[inout] prov    Provider configuration data
+    /// \param[in]    parent  Parent window
+    ///
+    wxEAPConfigProvider(eap::config_provider &prov, wxWindow* parent);
+
+protected:
+    eap::config_provider &m_prov;           ///< EAP method configuration
+    wxEAPProviderIdentityPanel *m_identity; ///< Provider identity panel
+    wxEAPProviderLockPanel *m_lock;         ///< Provider lock panel
+};
+
+
 template <class _Tcred, class _wxT>
 class wxEAPCredentialsConfigPanel : public wxEAPCredentialsConfigPanelBase
 {
@@ -289,6 +444,14 @@ public:
             wxSetIconFromResource(m_credentials_icon, m_icon, m_shell32, MAKEINTRESOURCE(/*16770*/269));
     }
 
+    ///
+    /// Sets keyboard focus to the first control that do not capture mouse wheel
+    ///
+    inline void SetFocusFromKbd()
+    {
+        m_own->SetFocusFromKbd();
+    }
+
 protected:
     /// \cond internal
 
@@ -402,7 +565,7 @@ protected:
         // Display credential prompt.
         wxEAPCredentialsDialog dlg(m_prov, this);
         _wxT *panel = new _wxT(m_prov, m_cfg, cred, m_target.c_str(), &dlg, true);
-        dlg.AddContents((wxPanel**)&panel, 1);
+        dlg.AddContent(panel);
         if (dlg.ShowModal() == wxID_OK && panel->GetRememberValue()) {
             // Write credentials to credential manager.
             try {
@@ -433,7 +596,7 @@ protected:
 
         _wxT *panel = new _wxT(m_prov, m_cfg, m_cred, _T(""), &dlg, true);
 
-        dlg.AddContents((wxPanel**)&panel, 1);
+        dlg.AddContent(panel);
         dlg.ShowModal();
     }
 
@@ -486,6 +649,11 @@ public:
         this->Disconnect(wxEVT_UPDATE_UI, wxUpdateUIEventHandler(_Tthis::OnUpdateUI));
     }
 
+    inline void SetRememberValue(bool val)
+    {
+        return m_remember->SetValue(val);
+    }
+
     inline bool GetRememberValue() const
     {
         return m_remember->GetValue();
@@ -576,12 +744,12 @@ protected:
         m_identity->SetSelection(0, -1);
         m_password->SetValue(m_cred.m_password.empty() ? wxEmptyString : s_dummy_password);
 
-        return wxEAPCredentialsPanelBase<_Tcred, wxEAPCredentialsPanelPassBase>::TransferDataToWindow();
+        return wxEAPCredentialsPanelBase<_Tcred, wxEAPCredentialsPassPanelBase>::TransferDataToWindow();
     }
 
     virtual bool TransferDataFromWindow()
     {
-        if (!wxEAPCredentialsPanelBase<_Tcred, wxEAPCredentialsPanelPassBase>::TransferDataFromWindow())
+        if (!wxEAPCredentialsPanelBase<_Tcred, wxEAPCredentialsPassPanelBase>::TransferDataFromWindow())
             return false;
 
         m_cred.m_identity = m_identity->GetValue();
@@ -604,7 +772,7 @@ protected:
             m_password      ->Enable(false);
         }
 
-        wxEAPCredentialsPanelBase<_Tcred, wxEAPCredentialsPanelPassBase>::OnUpdateUI(event);
+        wxEAPCredentialsPanelBase<_Tcred, wxEAPCredentialsPassPanelBase>::OnUpdateUI(event);
     }
 
     /// \endcond
@@ -633,3 +801,10 @@ inline bool wxSetIconFromResource(wxStaticBitmap *bmp, wxIcon &icon, HINSTANCE h
     } else
         return false;
 }
+
+
+inline wxString wxEAPGetProviderName(const std::wstring &id)
+{
+    return
+        !id.empty() ? id : _("<Your Organization>");
+}

lib/EAPBase_UI/res/wxEAP_UI.cpp

@@ -28,6 +28,20 @@ wxEAPConfigDialogBase::wxEAPConfigDialogBase( wxWindow* parent, wxWindowID id, c
 	
 	sb_content->Add( m_providers, 1, wxEXPAND|wxALL, 10 );
 	
+	wxBoxSizer* sb_bottom_horiz;
+	sb_bottom_horiz = new wxBoxSizer( wxHORIZONTAL );
+	
+	wxBoxSizer* sb_bottom_horiz_inner;
+	sb_bottom_horiz_inner = new wxBoxSizer( wxHORIZONTAL );
+	
+	m_advanced = new wxButton( this, wxID_ANY, _("Advanced..."), wxDefaultPosition, wxDefaultSize, 0 );
+	m_advanced->SetToolTip( _("Opens dialog with provider settings") );
+	
+	sb_bottom_horiz_inner->Add( m_advanced, 0, wxALL, 5 );
+	
+	
+	sb_bottom_horiz->Add( sb_bottom_horiz_inner, 1, wxEXPAND, 5 );
+	
 	m_buttons = new wxStdDialogButtonSizer();
 	m_buttonsOK = new wxButton( this, wxID_OK );
 	m_buttons->AddButton( m_buttonsOK );
@@ -35,7 +49,10 @@ wxEAPConfigDialogBase::wxEAPConfigDialogBase( wxWindow* parent, wxWindowID id, c
 	m_buttons->AddButton( m_buttonsCancel );
 	m_buttons->Realize();
 	
-	sb_content->Add( m_buttons, 0, wxEXPAND|wxALL, 5 );
+	sb_bottom_horiz->Add( m_buttons, 0, wxEXPAND|wxALL, 5 );
+	
+	
+	sb_content->Add( sb_bottom_horiz, 0, wxEXPAND, 5 );
 	
 	
 	this->SetSizer( sb_content );
@@ -44,16 +61,20 @@ wxEAPConfigDialogBase::wxEAPConfigDialogBase( wxWindow* parent, wxWindowID id, c
 	
 	// Connect Events
 	this->Connect( wxEVT_INIT_DIALOG, wxInitDialogEventHandler( wxEAPConfigDialogBase::OnInitDialog ) );
+	this->Connect( wxEVT_UPDATE_UI, wxUpdateUIEventHandler( wxEAPConfigDialogBase::OnUpdateUI ) );
+	m_advanced->Connect( wxEVT_COMMAND_BUTTON_CLICKED, wxCommandEventHandler( wxEAPConfigDialogBase::OnAdvanced ), NULL, this );
 }
 
 wxEAPConfigDialogBase::~wxEAPConfigDialogBase()
 {
 	// Disconnect Events
 	this->Disconnect( wxEVT_INIT_DIALOG, wxInitDialogEventHandler( wxEAPConfigDialogBase::OnInitDialog ) );
+	this->Disconnect( wxEVT_UPDATE_UI, wxUpdateUIEventHandler( wxEAPConfigDialogBase::OnUpdateUI ) );
+	m_advanced->Disconnect( wxEVT_COMMAND_BUTTON_CLICKED, wxCommandEventHandler( wxEAPConfigDialogBase::OnAdvanced ), NULL, this );
 	
 }
 
-wxEAPCredentialsDialogBase::wxEAPCredentialsDialogBase( wxWindow* parent, wxWindowID id, const wxString& title, const wxPoint& pos, const wxSize& size, long style ) : wxDialog( parent, id, title, pos, size, style )
+wxEAPGeneralDialogBase::wxEAPGeneralDialogBase( wxWindow* parent, wxWindowID id, const wxString& title, const wxPoint& pos, const wxSize& size, long style ) : wxDialog( parent, id, title, pos, size, style )
 {
 	this->SetSizeHints( wxDefaultSize, wxDefaultSize );
 	
@@ -84,13 +105,13 @@ wxEAPCredentialsDialogBase::wxEAPCredentialsDialogBase( wxWindow* parent, wxWind
 	sb_content->Fit( this );
 	
 	// Connect Events
-	this->Connect( wxEVT_INIT_DIALOG, wxInitDialogEventHandler( wxEAPCredentialsDialogBase::OnInitDialog ) );
+	this->Connect( wxEVT_INIT_DIALOG, wxInitDialogEventHandler( wxEAPGeneralDialogBase::OnInitDialog ) );
 }
 
-wxEAPCredentialsDialogBase::~wxEAPCredentialsDialogBase()
+wxEAPGeneralDialogBase::~wxEAPGeneralDialogBase()
 {
 	// Disconnect Events
-	this->Disconnect( wxEVT_INIT_DIALOG, wxInitDialogEventHandler( wxEAPCredentialsDialogBase::OnInitDialog ) );
+	this->Disconnect( wxEVT_INIT_DIALOG, wxInitDialogEventHandler( wxEAPGeneralDialogBase::OnInitDialog ) );
 	
 }
 
@@ -99,20 +120,20 @@ wxEAPBannerPanelBase::wxEAPBannerPanelBase( wxWindow* parent, wxWindowID id, con
 	this->SetBackgroundColour( wxSystemSettings::GetColour( wxSYS_COLOUR_HIGHLIGHT ) );
 	this->SetMinSize( wxSize( -1,48 ) );
 	
-	wxBoxSizer* sc_content;
+	wxBoxSizer* sb_content;
-	sc_content = new wxBoxSizer( wxVERTICAL );
+	sb_content = new wxBoxSizer( wxVERTICAL );
 	
 	m_title = new wxStaticText( this, wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, wxALIGN_RIGHT );
 	m_title->Wrap( -1 );
 	m_title->SetFont( wxFont( 18, 70, 90, 90, false, wxEmptyString ) );
 	m_title->SetForegroundColour( wxSystemSettings::GetColour( wxSYS_COLOUR_HIGHLIGHTTEXT ) );
 	
-	sc_content->Add( m_title, 0, wxALL|wxEXPAND, 5 );
+	sb_content->Add( m_title, 0, wxALL|wxEXPAND, 5 );
 	
 	
-	this->SetSizer( sc_content );
+	this->SetSizer( sb_content );
 	this->Layout();
-	sc_content->Fit( this );
+	sb_content->Fit( this );
 }
 
 wxEAPBannerPanelBase::~wxEAPBannerPanelBase()
@@ -269,7 +290,7 @@ wxEAPCredentialsConfigPanelBase::~wxEAPCredentialsConfigPanelBase()
 	
 }
 
-wxEAPCredentialsPanelPassBase::wxEAPCredentialsPanelPassBase( wxWindow* parent, wxWindowID id, const wxPoint& pos, const wxSize& size, long style ) : wxPanel( parent, id, pos, size, style )
+wxEAPCredentialsPassPanelBase::wxEAPCredentialsPassPanelBase( wxWindow* parent, wxWindowID id, const wxPoint& pos, const wxSize& size, long style ) : wxPanel( parent, id, pos, size, style )
 {
 	wxStaticBoxSizer* sb_credentials;
 	sb_credentials = new wxStaticBoxSizer( new wxStaticBox( this, wxID_ANY, _("Client Credentials") ), wxVERTICAL );
@@ -330,6 +351,168 @@ wxEAPCredentialsPanelPassBase::wxEAPCredentialsPanelPassBase( wxWindow* parent,
 	this->Layout();
 }
 
-wxEAPCredentialsPanelPassBase::~wxEAPCredentialsPanelPassBase()
+wxEAPCredentialsPassPanelBase::~wxEAPCredentialsPassPanelBase()
 {
 }
+
+wxEAPProviderIdentityPanelBase::wxEAPProviderIdentityPanelBase( wxWindow* parent, wxWindowID id, const wxPoint& pos, const wxSize& size, long style ) : wxPanel( parent, id, pos, size, style )
+{
+	wxStaticBoxSizer* sb_provider_id;
+	sb_provider_id = new wxStaticBoxSizer( new wxStaticBox( this, wxID_ANY, _("Your Organization") ), wxVERTICAL );
+	
+	wxBoxSizer* sb_provider_id_horiz;
+	sb_provider_id_horiz = new wxBoxSizer( wxHORIZONTAL );
+	
+	m_provider_id_icon = new wxStaticBitmap( sb_provider_id->GetStaticBox(), wxID_ANY, wxNullBitmap, wxDefaultPosition, wxDefaultSize, 0 );
+	sb_provider_id_horiz->Add( m_provider_id_icon, 0, wxALL, 5 );
+	
+	wxBoxSizer* sb_provider_id_vert;
+	sb_provider_id_vert = new wxBoxSizer( wxVERTICAL );
+	
+	m_provider_id_label = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _("Describe your organization to customize user prompts.  When organization is introduced, end-users find program messages easier to understand and act."), wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_id_label->Wrap( 446 );
+	sb_provider_id_vert->Add( m_provider_id_label, 0, wxALL|wxEXPAND, 5 );
+	
+	wxBoxSizer* sb_provider_name;
+	sb_provider_name = new wxBoxSizer( wxVERTICAL );
+	
+	m_provider_name_label = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _("Your organization &name:"), wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_name_label->Wrap( -1 );
+	sb_provider_name->Add( m_provider_name_label, 0, wxBOTTOM, 5 );
+	
+	m_provider_name = new wxTextCtrl( sb_provider_id->GetStaticBox(), wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_name->SetToolTip( _("Your organization name as it will appear on helpdesk contact notifications") );
+	
+	sb_provider_name->Add( m_provider_name, 0, wxEXPAND|wxBOTTOM, 5 );
+	
+	m_provider_name_note = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _("(Keep it short, please)"), wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_name_note->Wrap( -1 );
+	sb_provider_name->Add( m_provider_name_note, 0, wxALIGN_RIGHT, 5 );
+	
+	
+	sb_provider_id_vert->Add( sb_provider_name, 0, wxEXPAND|wxALL, 5 );
+	
+	wxBoxSizer* sb_provider_helpdesk;
+	sb_provider_helpdesk = new wxBoxSizer( wxVERTICAL );
+	
+	m_provider_helpdesk_label = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _("Helpdesk contact &information:"), wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_helpdesk_label->Wrap( -1 );
+	sb_provider_helpdesk->Add( m_provider_helpdesk_label, 0, wxBOTTOM, 5 );
+	
+	wxFlexGridSizer* sb_provider_helpdesk_inner;
+	sb_provider_helpdesk_inner = new wxFlexGridSizer( 0, 2, 0, 0 );
+	sb_provider_helpdesk_inner->AddGrowableCol( 1 );
+	sb_provider_helpdesk_inner->SetFlexibleDirection( wxBOTH );
+	sb_provider_helpdesk_inner->SetNonFlexibleGrowMode( wxFLEX_GROWMODE_SPECIFIED );
+	
+	m_provider_web_icon = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _("¶"), wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_web_icon->Wrap( -1 );
+	m_provider_web_icon->SetFont( wxFont( wxNORMAL_FONT->GetPointSize(), 70, 90, 90, false, wxT("Wingdings") ) );
+	
+	sb_provider_helpdesk_inner->Add( m_provider_web_icon, 0, wxALIGN_CENTER_VERTICAL|wxBOTTOM|wxRIGHT, 5 );
+	
+	m_provider_web = new wxTextCtrl( sb_provider_id->GetStaticBox(), wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_web->SetToolTip( _("Your helpdesk website") );
+	
+	sb_provider_helpdesk_inner->Add( m_provider_web, 1, wxEXPAND|wxALIGN_CENTER_VERTICAL|wxBOTTOM, 5 );
+	
+	m_provider_email_icon = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _("*"), wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_email_icon->Wrap( -1 );
+	m_provider_email_icon->SetFont( wxFont( wxNORMAL_FONT->GetPointSize(), 70, 90, 90, false, wxT("Wingdings") ) );
+	
+	sb_provider_helpdesk_inner->Add( m_provider_email_icon, 0, wxALIGN_CENTER_VERTICAL|wxBOTTOM|wxRIGHT, 5 );
+	
+	m_provider_email = new wxTextCtrl( sb_provider_id->GetStaticBox(), wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_email->SetToolTip( _("Your helpdesk e-mail address") );
+	
+	sb_provider_helpdesk_inner->Add( m_provider_email, 1, wxEXPAND|wxALIGN_CENTER_VERTICAL|wxBOTTOM, 5 );
+	
+	m_provider_phone_icon = new wxStaticText( sb_provider_id->GetStaticBox(), wxID_ANY, _(")"), wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_phone_icon->Wrap( -1 );
+	m_provider_phone_icon->SetFont( wxFont( wxNORMAL_FONT->GetPointSize(), 70, 90, 90, false, wxT("Wingdings") ) );
+	
+	sb_provider_helpdesk_inner->Add( m_provider_phone_icon, 0, wxALIGN_CENTER_VERTICAL|wxRIGHT, 5 );
+	
+	m_provider_phone = new wxTextCtrl( sb_provider_id->GetStaticBox(), wxID_ANY, wxEmptyString, wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_phone->SetToolTip( _("Your helpdesk phone number") );
+	
+	sb_provider_helpdesk_inner->Add( m_provider_phone, 1, wxEXPAND|wxALIGN_CENTER_VERTICAL, 5 );
+	
+	
+	sb_provider_helpdesk->Add( sb_provider_helpdesk_inner, 1, wxEXPAND, 5 );
+	
+	
+	sb_provider_id_vert->Add( sb_provider_helpdesk, 1, wxEXPAND, 5 );
+	
+	
+	sb_provider_id_horiz->Add( sb_provider_id_vert, 1, wxEXPAND, 5 );
+	
+	
+	sb_provider_id->Add( sb_provider_id_horiz, 1, wxEXPAND, 5 );
+	
+	
+	this->SetSizer( sb_provider_id );
+	this->Layout();
+	
+	// Connect Events
+	this->Connect( wxEVT_UPDATE_UI, wxUpdateUIEventHandler( wxEAPProviderIdentityPanelBase::OnUpdateUI ) );
+}
+
+wxEAPProviderIdentityPanelBase::~wxEAPProviderIdentityPanelBase()
+{
+	// Disconnect Events
+	this->Disconnect( wxEVT_UPDATE_UI, wxUpdateUIEventHandler( wxEAPProviderIdentityPanelBase::OnUpdateUI ) );
+	
+}
+
+wxEAPProviderLockPanelBase::wxEAPProviderLockPanelBase( wxWindow* parent, wxWindowID id, const wxPoint& pos, const wxSize& size, long style ) : wxPanel( parent, id, pos, size, style )
+{
+	wxStaticBoxSizer* sb_provider_lock;
+	sb_provider_lock = new wxStaticBoxSizer( new wxStaticBox( this, wxID_ANY, _("Configuration Lock") ), wxVERTICAL );
+	
+	wxBoxSizer* sb_provider_lock_horiz;
+	sb_provider_lock_horiz = new wxBoxSizer( wxHORIZONTAL );
+	
+	m_provider_lock_icon = new wxStaticBitmap( sb_provider_lock->GetStaticBox(), wxID_ANY, wxNullBitmap, wxDefaultPosition, wxDefaultSize, 0 );
+	sb_provider_lock_horiz->Add( m_provider_lock_icon, 0, wxALL, 5 );
+	
+	wxBoxSizer* sb_provider_lock_vert;
+	sb_provider_lock_vert = new wxBoxSizer( wxVERTICAL );
+	
+	m_provider_lock_label = new wxStaticText( sb_provider_lock->GetStaticBox(), wxID_ANY, _("Your configuration can be locked to prevent accidental modification by end-users. Users will only be allowed to enter credentials."), wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_lock_label->Wrap( 446 );
+	sb_provider_lock_vert->Add( m_provider_lock_label, 0, wxALL|wxEXPAND, 5 );
+	
+	wxBoxSizer* sb_provider_name;
+	sb_provider_name = new wxBoxSizer( wxVERTICAL );
+	
+	m_provider_lock = new wxCheckBox( sb_provider_lock->GetStaticBox(), wxID_ANY, _("&Lock this configuration and prevent any further modification via user interface."), wxDefaultPosition, wxDefaultSize, 0 );
+	sb_provider_name->Add( m_provider_lock, 0, wxEXPAND|wxBOTTOM, 5 );
+	
+	m_provider_lock_note = new wxStaticText( sb_provider_lock->GetStaticBox(), wxID_ANY, _("(Warning: Once locked, you can not revert using this dialog!)"), wxDefaultPosition, wxDefaultSize, 0 );
+	m_provider_lock_note->Wrap( -1 );
+	sb_provider_name->Add( m_provider_lock_note, 0, wxALIGN_RIGHT, 5 );
+	
+	
+	sb_provider_lock_vert->Add( sb_provider_name, 0, wxEXPAND|wxALL, 5 );
+	
+	
+	sb_provider_lock_horiz->Add( sb_provider_lock_vert, 1, wxEXPAND, 5 );
+	
+	
+	sb_provider_lock->Add( sb_provider_lock_horiz, 1, wxEXPAND, 5 );
+	
+	
+	this->SetSizer( sb_provider_lock );
+	this->Layout();
+	
+	// Connect Events
+	this->Connect( wxEVT_UPDATE_UI, wxUpdateUIEventHandler( wxEAPProviderLockPanelBase::OnUpdateUI ) );
+}
+
+wxEAPProviderLockPanelBase::~wxEAPProviderLockPanelBase()
+{
+	// Disconnect Events
+	this->Disconnect( wxEVT_UPDATE_UI, wxUpdateUIEventHandler( wxEAPProviderLockPanelBase::OnUpdateUI ) );
+	
+}

lib/EAPBase_UI/res/wxEAP_UI.h

@@ -18,8 +18,8 @@ class wxEAPBannerPanel;
 #include <wx/settings.h>
 #include <wx/string.h>
 #include <wx/notebook.h>
-#include <wx/sizer.h>
 #include <wx/button.h>
+#include <wx/sizer.h>
 #include <wx/dialog.h>
 #include <wx/stattext.h>
 #include <wx/panel.h>
@@ -44,12 +44,15 @@ class wxEAPConfigDialogBase : public wxDialog
 	protected:
 		wxEAPBannerPanel *m_banner;
 		wxNotebook* m_providers;
+		wxButton* m_advanced;
 		wxStdDialogButtonSizer* m_buttons;
 		wxButton* m_buttonsOK;
 		wxButton* m_buttonsCancel;
 		
 		// Virtual event handlers, overide them in your derived class
 		virtual void OnInitDialog( wxInitDialogEvent& event ) { event.Skip(); }
+		virtual void OnUpdateUI( wxUpdateUIEvent& event ) { event.Skip(); }
+		virtual void OnAdvanced( wxCommandEvent& event ) { event.Skip(); }
 		
 	
 	public:
@@ -60,9 +63,9 @@ class wxEAPConfigDialogBase : public wxDialog
 };
 
 ///////////////////////////////////////////////////////////////////////////////
-/// Class wxEAPCredentialsDialogBase
+/// Class wxEAPGeneralDialogBase
 ///////////////////////////////////////////////////////////////////////////////
-class wxEAPCredentialsDialogBase : public wxDialog 
+class wxEAPGeneralDialogBase : public wxDialog 
 {
 	private:
 	
@@ -79,8 +82,8 @@ class wxEAPCredentialsDialogBase : public wxDialog
 	
 	public:
 		
-		wxEAPCredentialsDialogBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxString& title = _("EAP Credentials"), const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxDefaultSize, long style = wxDEFAULT_DIALOG_STYLE ); 
+		wxEAPGeneralDialogBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxString& title = wxEmptyString, const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxDefaultSize, long style = wxDEFAULT_DIALOG_STYLE ); 
-		~wxEAPCredentialsDialogBase();
+		~wxEAPGeneralDialogBase();
 	
 };
 
@@ -153,9 +156,9 @@ class wxEAPCredentialsConfigPanelBase : public wxPanel
 };
 
 ///////////////////////////////////////////////////////////////////////////////
-/// Class wxEAPCredentialsPanelPassBase
+/// Class wxEAPCredentialsPassPanelBase
 ///////////////////////////////////////////////////////////////////////////////
-class wxEAPCredentialsPanelPassBase : public wxPanel 
+class wxEAPCredentialsPassPanelBase : public wxPanel 
 {
 	private:
 	
@@ -170,8 +173,64 @@ class wxEAPCredentialsPanelPassBase : public wxPanel
 	
 	public:
 		
-		wxEAPCredentialsPanelPassBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxSize( 500,-1 ), long style = wxTAB_TRAVERSAL ); 
+		wxEAPCredentialsPassPanelBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxSize( 500,-1 ), long style = wxTAB_TRAVERSAL ); 
-		~wxEAPCredentialsPanelPassBase();
+		~wxEAPCredentialsPassPanelBase();
+	
+};
+
+///////////////////////////////////////////////////////////////////////////////
+/// Class wxEAPProviderIdentityPanelBase
+///////////////////////////////////////////////////////////////////////////////
+class wxEAPProviderIdentityPanelBase : public wxPanel 
+{
+	private:
+	
+	protected:
+		wxStaticBitmap* m_provider_id_icon;
+		wxStaticText* m_provider_id_label;
+		wxStaticText* m_provider_name_label;
+		wxTextCtrl* m_provider_name;
+		wxStaticText* m_provider_name_note;
+		wxStaticText* m_provider_helpdesk_label;
+		wxStaticText* m_provider_web_icon;
+		wxTextCtrl* m_provider_web;
+		wxStaticText* m_provider_email_icon;
+		wxTextCtrl* m_provider_email;
+		wxStaticText* m_provider_phone_icon;
+		wxTextCtrl* m_provider_phone;
+		
+		// Virtual event handlers, overide them in your derived class
+		virtual void OnUpdateUI( wxUpdateUIEvent& event ) { event.Skip(); }
+		
+	
+	public:
+		
+		wxEAPProviderIdentityPanelBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxSize( 500,-1 ), long style = wxTAB_TRAVERSAL ); 
+		~wxEAPProviderIdentityPanelBase();
+	
+};
+
+///////////////////////////////////////////////////////////////////////////////
+/// Class wxEAPProviderLockPanelBase
+///////////////////////////////////////////////////////////////////////////////
+class wxEAPProviderLockPanelBase : public wxPanel 
+{
+	private:
+	
+	protected:
+		wxStaticBitmap* m_provider_lock_icon;
+		wxStaticText* m_provider_lock_label;
+		wxCheckBox* m_provider_lock;
+		wxStaticText* m_provider_lock_note;
+		
+		// Virtual event handlers, overide them in your derived class
+		virtual void OnUpdateUI( wxUpdateUIEvent& event ) { event.Skip(); }
+		
+	
+	public:
+		
+		wxEAPProviderLockPanelBase( wxWindow* parent, wxWindowID id = wxID_ANY, const wxPoint& pos = wxDefaultPosition, const wxSize& size = wxSize( 500,-1 ), long style = wxTAB_TRAVERSAL ); 
+		~wxEAPProviderLockPanelBase();
 	
 };
 

lib/EAPBase_UI/src/EAP_UI.cpp

@@ -38,22 +38,19 @@ bool wxEAPBannerPanel::AcceptsFocusFromKeyboard() const
 
 
 //////////////////////////////////////////////////////////////////////
-// wxEAPCredentialsDialog
+// wxEAPGeneralDialog
 //////////////////////////////////////////////////////////////////////
 
-wxEAPCredentialsDialog::wxEAPCredentialsDialog(const eap::config_provider &prov, wxWindow* parent) : wxEAPCredentialsDialogBase(parent)
+wxEAPGeneralDialog::wxEAPGeneralDialog(wxWindow* parent, const wxString& title) : wxEAPGeneralDialogBase(parent, wxID_ANY, title)
 {
     // Set extra style here, as wxFormBuilder overrides all default flags.
     this->SetExtraStyle(this->GetExtraStyle() | wxWS_EX_VALIDATE_RECURSIVELY);
 
-    // Set banner title.
-    m_banner->m_title->SetLabel(wxString::Format(_("%s Credentials"), prov.m_id.c_str()));
-
     m_buttonsOK->SetDefault();
 }
 
 
-void wxEAPCredentialsDialog::AddContents(wxPanel **contents, size_t content_count)
+void wxEAPGeneralDialog::AddContent(wxPanel **contents, size_t content_count)
 {
     if (content_count) {
         for (size_t i = 0; i < content_count; i++)
@@ -66,13 +63,30 @@ void wxEAPCredentialsDialog::AddContents(wxPanel **contents, size_t content_coun
 }
 
 
-void wxEAPCredentialsDialog::OnInitDialog(wxInitDialogEvent& event)
+void wxEAPGeneralDialog::AddContent(wxPanel *content)
+{
+    AddContent(&content, 1);
+}
+
+
+void wxEAPGeneralDialog::OnInitDialog(wxInitDialogEvent& event)
 {
     for (wxSizerItemList::compatibility_iterator panel = m_panels->GetChildren().GetFirst(); panel; panel = panel->GetNext())
         panel->GetData()->GetWindow()->GetEventHandler()->ProcessEvent(event);
 }
 
 
+//////////////////////////////////////////////////////////////////////
+// wxEAPCredentialsDialog
+//////////////////////////////////////////////////////////////////////
+
+wxEAPCredentialsDialog::wxEAPCredentialsDialog(const eap::config_provider &prov, wxWindow* parent) : wxEAPGeneralDialog(parent, _("EAP Credentials"))
+{
+    // Set banner title.
+    m_banner->m_title->SetLabel(wxString::Format(_("%s Credentials"), wxEAPGetProviderName(prov.m_id).c_str()));
+}
+
+
 //////////////////////////////////////////////////////////////////////
 // wxEAPNotePanel
 //////////////////////////////////////////////////////////////////////
@@ -182,10 +196,150 @@ wxEAPCredentialWarningPanel::wxEAPCredentialWarningPanel(const eap::config_provi
     if (m_shell32.load(_T("shell32.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
         wxSetIconFromResource(m_note_icon, m_icon, m_shell32, MAKEINTRESOURCE(161));
 
-    m_note_label->SetLabel(_("Previous attempt to connect using provided credentials failed. Please, make sure your credentials are correct, or try again later."));
+    m_note_label->SetLabel(_("Previous attempt to connect failed. Please, make sure your credentials are correct, or try again later."));
     m_note_label->Wrap(449);
 
     CreateContactFields(prov);
 
     this->Layout();
 }
+
+
+//////////////////////////////////////////////////////////////////////
+// wxEAPConfigWindow
+//////////////////////////////////////////////////////////////////////
+
+wxEAPConfigWindow::wxEAPConfigWindow(const eap::config_provider &prov, eap::config_method &cfg, wxWindow* parent) :
+    m_prov(prov),
+    m_cfg(cfg),
+    wxScrolledWindow(parent, wxID_ANY, wxDefaultPosition, wxDefaultSize, wxVSCROLL)
+{
+    this->SetScrollRate(5, 5);
+
+    // Connect Events
+    this->Connect(wxEVT_INIT_DIALOG, wxInitDialogEventHandler(wxEAPConfigWindow::OnInitDialog));
+    this->Connect(wxEVT_UPDATE_UI, wxUpdateUIEventHandler(wxEAPConfigWindow::OnUpdateUI));
+}
+
+
+wxEAPConfigWindow::~wxEAPConfigWindow()
+{
+    // Disconnect Events
+    this->Disconnect(wxEVT_UPDATE_UI, wxUpdateUIEventHandler(wxEAPConfigWindow::OnUpdateUI));
+    this->Disconnect(wxEVT_INIT_DIALOG, wxInitDialogEventHandler(wxEAPConfigWindow::OnInitDialog));
+}
+
+
+void wxEAPConfigWindow::OnInitDialog(wxInitDialogEvent& event)
+{
+    UNREFERENCED_PARAMETER(event);
+
+    // Call TransferDataToWindow() manually, as wxScrolledWindow somehow skips that.
+    TransferDataToWindow();
+}
+
+
+void wxEAPConfigWindow::OnUpdateUI(wxUpdateUIEvent& event)
+{
+    UNREFERENCED_PARAMETER(event);
+
+    if (m_parent && m_parent->IsKindOf(wxCLASSINFO(wxNotebook))) {
+        // We're a notebook page. Set the ID of our provider as our page label.
+        wxNotebook *notebook = (wxNotebook*)m_parent;
+        int idx = notebook->FindPage(this);
+        if (idx != wxNOT_FOUND)
+            notebook->SetPageText(idx, wxEAPGetProviderName(m_prov.m_id));
+    } else
+        this->SetLabel(wxEAPGetProviderName(m_prov.m_id));
+}
+
+
+//////////////////////////////////////////////////////////////////////
+// wxEAPProviderIdentityPanel
+//////////////////////////////////////////////////////////////////////
+
+wxEAPProviderIdentityPanel::wxEAPProviderIdentityPanel(eap::config_provider &prov, wxWindow* parent) :
+    m_prov(prov),
+    wxEAPProviderIdentityPanelBase(parent)
+{
+    // Load and set icon.
+    if (m_shell32.load(_T("shell32.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
+        wxSetIconFromResource(m_provider_id_icon, m_icon, m_shell32, MAKEINTRESOURCE(259));
+}
+
+
+bool wxEAPProviderIdentityPanel::TransferDataToWindow()
+{
+    m_provider_name ->SetValue(m_prov.m_id        );
+    m_provider_web  ->SetValue(m_prov.m_help_web  );
+    m_provider_email->SetValue(m_prov.m_help_email);
+    m_provider_phone->SetValue(m_prov.m_help_phone);
+
+    return wxEAPProviderIdentityPanelBase::TransferDataToWindow();
+}
+
+
+bool wxEAPProviderIdentityPanel::TransferDataFromWindow()
+{
+    wxCHECK(wxEAPProviderIdentityPanelBase::TransferDataFromWindow(), false);
+
+    m_prov.m_id         = m_provider_name ->GetValue();
+    m_prov.m_help_web   = m_provider_web  ->GetValue();
+    m_prov.m_help_email = m_provider_email->GetValue();
+    m_prov.m_help_phone = m_provider_phone->GetValue();
+
+    return true;
+}
+
+
+//////////////////////////////////////////////////////////////////////
+// wxEAPProviderLockPanel
+//////////////////////////////////////////////////////////////////////
+
+wxEAPProviderLockPanel::wxEAPProviderLockPanel(eap::config_provider &prov, wxWindow* parent) :
+    m_prov(prov),
+    wxEAPProviderLockPanelBase(parent)
+{
+    // Load and set icon.
+    if (m_shell32.load(_T("shell32.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
+        wxSetIconFromResource(m_provider_lock_icon, m_icon, m_shell32, MAKEINTRESOURCE(1003));
+}
+
+
+bool wxEAPProviderLockPanel::TransferDataToWindow()
+{
+    m_provider_lock->SetValue(m_prov.m_read_only);
+
+    return wxEAPProviderLockPanelBase::TransferDataToWindow();
+}
+
+
+bool wxEAPProviderLockPanel::TransferDataFromWindow()
+{
+    wxCHECK(wxEAPProviderLockPanelBase::TransferDataFromWindow(), false);
+
+    m_prov.m_read_only = m_provider_lock->GetValue();
+
+    return true;
+}
+
+
+//////////////////////////////////////////////////////////////////////
+// wxEAPConfigProvider
+//////////////////////////////////////////////////////////////////////
+
+wxEAPConfigProvider::wxEAPConfigProvider(eap::config_provider &prov, wxWindow* parent) :
+    m_prov(prov),
+    wxEAPGeneralDialog(parent, _("Provider Settings"))
+{
+    // Set banner title.
+    m_banner->m_title->SetLabel(_("Provider Settings"));
+
+    m_identity = new wxEAPProviderIdentityPanel(prov, this);
+    AddContent(m_identity);
+
+    m_lock = new wxEAPProviderLockPanel(prov, this);
+    AddContent(m_lock);
+
+    m_identity->m_provider_name->SetFocusFromKbd();
+}

lib/PAP/include/Credentials.h

@@ -113,7 +113,7 @@ namespace eap
         /// - \c true  if credentials were set;
         /// - \c false otherwise
         ///
-        bool combine(
+        source_t combine(
             _In_       const credentials_pap   *cred_cached,
             _In_       const config_method_pap &cfg,
             _In_opt_z_       LPCTSTR           pszTargetName);

lib/PAP/src/Credentials.cpp

@@ -75,7 +75,7 @@ LPCTSTR eap::credentials_pap::target_suffix() const
 }
 
 
-bool eap::credentials_pap::combine(
+eap::credentials::source_t eap::credentials_pap::combine(
     _In_       const credentials_pap   *cred_cached,
     _In_       const config_method_pap &cfg,
     _In_opt_z_       LPCTSTR           pszTargetName)
@@ -84,14 +84,14 @@ bool eap::credentials_pap::combine(
         // Using EAP service cached credentials.
         *this = *cred_cached;
         m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)eap_type_pap), event_data(credentials_pap::get_name()), event_data::blank);
-        return true;
+        return source_cache;
     }
 
     if (cfg.m_use_preshared) {
         // Using preshared credentials.
         *this = *(credentials_pap*)cfg.m_preshared.get();
         m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)eap_type_pap), event_data(credentials_pap::get_name()), event_data::blank);
-        return true;
+        return source_preshared;
     }
 
     if (pszTargetName) {
@@ -102,11 +102,11 @@ bool eap::credentials_pap::combine(
             // Using stored credentials.
             *this = std::move(cred_loaded);
             m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)eap_type_pap), event_data(credentials_pap::get_name()), event_data::blank);
-            return true;
+            return source_storage;
         } catch (...) {
             // Not actually an error.
         }
     }
 
-    return false;
+    return source_unknown;
 }

lib/PAP_UI/include/PAP_UI.h

@@ -25,7 +25,7 @@
 ///
 /// PAP credential configuration panel
 ///
-typedef wxEAPCredentialsConfigPanel<eap::credentials_pap, wxPasswordCredentialsPanel<eap::credentials_pap, wxEAPCredentialsPanelPassBase> > wxPAPCredentialsConfigPanel;
+typedef wxEAPCredentialsConfigPanel<eap::credentials_pap, wxPasswordCredentialsPanel<eap::credentials_pap, wxEAPCredentialsPassPanelBase> > wxPAPCredentialsConfigPanel;
 
 ///
 /// PAP configuration panel
@@ -35,7 +35,7 @@ class wxPAPConfigPanel;
 ///
 /// PAP credential entry panel
 ///
-typedef wxPasswordCredentialsPanel<eap::credentials_pap, wxEAPCredentialsPanelPassBase> wxPAPCredentialsPanel;
+typedef wxPasswordCredentialsPanel<eap::credentials_pap, wxEAPCredentialsPassPanelBase> wxPAPCredentialsPanel;
 
 #pragma once
 

lib/TLS/include/Credentials.h

@@ -200,7 +200,7 @@ namespace eap
         /// - \c true  if credentials were set;
         /// - \c false otherwise
         ///
-        bool combine(
+        source_t combine(
             _In_       const credentials_tls   *cred_cached,
             _In_       const config_method_tls &cfg,
             _In_opt_z_       LPCTSTR           pszTargetName);

lib/TLS/include/Method.h

@@ -248,15 +248,6 @@ namespace eap
         ///
         sanitizing_blob make_client_key_exchange(_In_ const tls_master_secret &pms) const;
 
-        ///
-        /// Makes a TLS change cipher spec message
-        ///
-        /// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter A.1. Record Layer)](https://tools.ietf.org/html/rfc5246#appendix-A.1)
-        ///
-        /// \returns Change cipher spec
-        ///
-        eap::sanitizing_blob make_change_chiper_spec() const;
-
         ///
         /// Makes a TLS finished message
         ///
@@ -476,6 +467,7 @@ namespace eap
         ///
         /// \sa [How to export and import plain text session keys by using CryptoAPI](https://support.microsoft.com/en-us/kb/228786)
         ///
+        /// \param[in] cp           Handle of the cryptographics provider
         /// \param[in] alg          Key algorithm
         /// \param[in] key          Key that decrypts \p secret
         /// \param[in] secret       Key data
@@ -484,6 +476,7 @@ namespace eap
         /// \returns Key
         ///
         HCRYPTKEY create_key(
+            _In_                              HCRYPTPROV cp,
             _In_                              ALG_ID     alg,
             _In_                              HCRYPTKEY  key,
             _In_bytecount_(size_secret) const void       *secret,
@@ -496,7 +489,8 @@ namespace eap
         packet m_packet_res;                                    ///< Response packet
 
         winstd::crypt_prov m_cp;                                ///< Cryptography provider for general services
-        winstd::crypt_prov m_cp_enc;                            ///< Cryptography provider for encryption
+        winstd::crypt_prov m_cp_enc_client;                     ///< Cryptography provider for encryption
+        winstd::crypt_prov m_cp_enc_server;                     ///< Cryptography provider for encryption
         winstd::crypt_key m_key_exp1;                           ///< Key for importing derived keys
 
         tls_version m_tls_version;                              ///< TLS version in use
@@ -522,9 +516,15 @@ namespace eap
         winstd::crypt_hash m_hash_handshake_msgs_sha1;          ///< Running SHA-1 hash of handshake messages
         winstd::crypt_hash m_hash_handshake_msgs_sha256;        ///< Running SHA-256 hash of handshake messages
 
-        bool m_certificate_req;                                 ///< Did server request client certificate?
+        bool m_handshake[tls_handshake_type_max];               ///< Handshake flags (map od handshake messages received)
-        bool m_server_hello_done;                               ///< Is server hello done?
+
-        bool m_server_finished;                                 ///< Did server send a valid finish message?
+        enum {
+            phase_unknown = -1,                                 ///< Unknown phase
+            phase_client_hello = 0,                             ///< Send client hello
+            phase_server_hello,                                 ///< Wait for server hello
+            phase_change_cipher_spec,                           ///< Wait for change cipher spec
+            phase_application_data                              ///< Exchange application data
+        } m_phase;                                              ///< What phase is our communication at?
 
         unsigned __int64 m_seq_num_client;                      ///< Sequence number for encrypting
         unsigned __int64 m_seq_num_server;                      ///< Sequence number for decrypting

lib/TLS/include/TLS.h

@@ -148,7 +148,10 @@ namespace eap
         tls_handshake_type_server_hello_done   = 14,
         tls_handshake_type_certificate_verify  = 15,
         tls_handshake_type_client_key_exchange = 16,
-        tls_handshake_type_finished            = 20
+        tls_handshake_type_finished            = 20,
+
+        tls_handshake_type_min                 =  0,    ///< First existing handshake message
+        tls_handshake_type_max                 = 21     ///< First non-existing (officially) handshake message
     };
 
 
@@ -512,28 +515,3 @@ namespace eap
         hmac_padding m_padding_hmac;    ///< Padding (key) for HMAC calculation
     };
 }
-
-
-//inline void operator<<(_Inout_ eap::cursor_out &cursor, _In_ const eap::tls_conn_state &val)
-//{
-//    cursor << val.m_master_secret;
-//    cursor << val.m_random_client;
-//    cursor << val.m_random_server;
-//}
-//
-//
-//inline size_t pksizeof(_In_ const eap::tls_conn_state &val)
-//{
-//    return
-//        pksizeof(val.m_master_secret) +
-//        pksizeof(val.m_random_client) +
-//        pksizeof(val.m_random_server);
-//}
-//
-//
-//inline void operator>>(_Inout_ eap::cursor_in &cursor, _Out_ eap::tls_conn_state &val)
-//{
-//    cursor >> val.m_master_secret;
-//    cursor >> val.m_random_client;
-//    cursor >> val.m_random_server;
-//}

lib/TLS/src/Credentials.cpp

@@ -254,7 +254,7 @@ tstring eap::credentials_tls::get_name() const
 }
 
 
-bool eap::credentials_tls::combine(
+eap::credentials::source_t eap::credentials_tls::combine(
     _In_       const credentials_tls   *cred_cached,
     _In_       const config_method_tls &cfg,
     _In_opt_z_       LPCTSTR           pszTargetName)
@@ -263,14 +263,14 @@ bool eap::credentials_tls::combine(
         // Using EAP service cached credentials.
         *this = *cred_cached;
         m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_CACHED1, event_data((unsigned int)eap_type_tls), event_data(credentials_tls::get_name()), event_data::blank);
-        return true;
+        return source_cache;
     }
 
     if (cfg.m_use_preshared) {
         // Using preshared credentials.
         *this = *(credentials_tls*)cfg.m_preshared.get();
         m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_PRESHARED1, event_data((unsigned int)eap_type_tls), event_data(credentials_tls::get_name()), event_data::blank);
-        return true;
+        return source_preshared;
     }
 
     if (pszTargetName) {
@@ -281,13 +281,13 @@ bool eap::credentials_tls::combine(
             // Using stored credentials.
             *this = std::move(cred_loaded);
             m_module.log_event(&EAPMETHOD_TRACE_EVT_CRED_STORED1, event_data((unsigned int)eap_type_tls), event_data(credentials_tls::get_name()), event_data::blank);
-            return true;
+            return source_storage;
         } catch (...) {
             // Not actually an error.
         }
     }
 
-    return false;
+    return source_unknown;
 }
 
 

lib/TLS/src/Method.cpp

@@ -95,9 +95,7 @@ void eap::method_tls::packet::clear()
 
 eap::method_tls::method_tls(_In_ module &module, _In_ config_provider_list &cfg, _In_ credentials_tls &cred) :
     m_cred(cred),
-    m_certificate_req(false),
+    m_phase(phase_unknown),
-    m_server_hello_done(false),
-    m_server_finished(false),
     m_seq_num_client(0),
     m_seq_num_server(0),
     m_blob_cfg(NULL),
@@ -107,6 +105,7 @@ eap::method_tls::method_tls(_In_ module &module, _In_ config_provider_list &cfg,
     method(module, cfg, cred)
 {
     m_tls_version = tls_version_1_2;
+    memset(m_handshake, 0, sizeof(m_handshake));
 }
 
 
@@ -115,7 +114,8 @@ eap::method_tls::method_tls(_Inout_ method_tls &&other) :
     m_packet_req                (std::move(other.m_packet_req                )),
     m_packet_res                (std::move(other.m_packet_res                )),
     m_cp                        (std::move(other.m_cp                        )),
-    m_cp_enc                    (std::move(other.m_cp_enc                    )),
+    m_cp_enc_client             (std::move(other.m_cp_enc_client             )),
+    m_cp_enc_server             (std::move(other.m_cp_enc_server             )),
     m_key_exp1                  (std::move(other.m_key_exp1                  )),
     m_tls_version               (std::move(other.m_tls_version               )),
     m_alg_prf                   (std::move(other.m_alg_prf                   )),
@@ -133,13 +133,15 @@ eap::method_tls::method_tls(_Inout_ method_tls &&other) :
     m_hash_handshake_msgs_md5   (std::move(other.m_hash_handshake_msgs_md5   )),
     m_hash_handshake_msgs_sha1  (std::move(other.m_hash_handshake_msgs_sha1  )),
     m_hash_handshake_msgs_sha256(std::move(other.m_hash_handshake_msgs_sha256)),
-    m_certificate_req           (std::move(other.m_certificate_req           )),
+    m_phase                     (std::move(other.m_phase                     )),
-    m_server_hello_done         (std::move(other.m_server_hello_done         )),
-    m_server_finished           (std::move(other.m_server_finished           )),
     m_seq_num_client            (std::move(other.m_seq_num_client            )),
     m_seq_num_server            (std::move(other.m_seq_num_server            )),
     method                      (std::move(other                             ))
 {
+    memcpy(m_handshake, other.m_handshake, sizeof(m_handshake));
+#ifdef _DEBUG
+    memset(other.m_handshake, 0, sizeof(m_handshake));
+#endif
 }
 
 
@@ -163,7 +165,8 @@ eap::method_tls& eap::method_tls::operator=(_Inout_ method_tls &&other)
         m_packet_req                 = std::move(other.m_packet_req                );
         m_packet_res                 = std::move(other.m_packet_res                );
         m_cp                         = std::move(other.m_cp                        );
-        m_cp_enc                     = std::move(other.m_cp_enc                    );
+        m_cp_enc_client              = std::move(other.m_cp_enc_client             );
+        m_cp_enc_server              = std::move(other.m_cp_enc_server             );
         m_key_exp1                   = std::move(other.m_key_exp1                  );
         m_tls_version                = std::move(other.m_tls_version               );
         m_alg_prf                    = std::move(other.m_alg_prf                   );
@@ -181,11 +184,14 @@ eap::method_tls& eap::method_tls::operator=(_Inout_ method_tls &&other)
         m_hash_handshake_msgs_md5    = std::move(other.m_hash_handshake_msgs_md5   );
         m_hash_handshake_msgs_sha1   = std::move(other.m_hash_handshake_msgs_sha1  );
         m_hash_handshake_msgs_sha256 = std::move(other.m_hash_handshake_msgs_sha256);
-        m_certificate_req            = std::move(other.m_certificate_req           );
+        m_phase                      = std::move(other.m_phase                     );
-        m_server_hello_done          = std::move(other.m_server_hello_done         );
-        m_server_finished            = std::move(other.m_server_finished           );
         m_seq_num_client             = std::move(other.m_seq_num_client            );
         m_seq_num_server             = std::move(other.m_seq_num_server            );
+
+        memcpy(m_handshake, other.m_handshake, sizeof(m_handshake));
+#ifdef _DEBUG
+        memset(other.m_handshake, 0, sizeof(m_handshake));
+#endif
     }
 
     return *this;
@@ -200,7 +206,7 @@ void eap::method_tls::begin_session(
 {
     method::begin_session(dwFlags, pAttributeArray, hTokenImpersonateUser, dwMaxSendPacketSize);
 
-    // Create cryptographics provider.
+    // Create cryptographics provider for support needs (handshake hashing, client random, temporary keys...).
     if (!m_cp.create(NULL, NULL, PROV_RSA_AES))
         throw win_runtime_error(__FUNCTION__ " Error creating cryptographics provider.");
 
@@ -216,6 +222,7 @@ void eap::method_tls::begin_session(
     const config_method_tls *cfg_method = dynamic_cast<const config_method_tls*>(cfg_prov.m_methods.front().get());
     assert(cfg_method);
 
+    // Restore previous session ID and master secret. We might get lucky.
     m_session_id = cfg_method->m_session_id;
     m_master_secret = cfg_method->m_master_secret;
 }
@@ -248,7 +255,7 @@ void eap::method_tls::process_request_packet(
         packet_data_size = dwReceivedPacketSize - 6;
     }
 
-    // Do the TLS defragmentation.
+    // Do the EAP-TLS defragmentation.
     if (pReceivedPacket->Data[1] & flags_req_more_frag) {
         if (m_packet_req.m_data.empty()) {
             // Start a new packet.
@@ -310,8 +317,19 @@ void eap::method_tls::process_request_packet(
     m_packet_res.m_flags = 0;
 
     if (pReceivedPacket->Code == EapCodeRequest && (m_packet_req.m_flags & flags_req_start)) {
-        // This is the TLS start message: (re)initialize method.
+        // This is the EAP-TLS start message: (re)initialize method.
         m_module.log_event(&EAPMETHOD_TLS_HANDSHAKE_START2, event_data((unsigned int)eap_type_tls), event_data::blank);
+        m_phase = phase_client_hello;
+    } else {
+        // Process the packet.
+        memset(m_handshake, 0, sizeof(m_handshake));
+        m_packet_res.m_data.clear();
+        process_packet(m_packet_req.m_data.data(), m_packet_req.m_data.size());
+    }
+
+    switch (m_phase) {
+    case phase_client_hello: {
+        m_tls_version = tls_version_1_2;
 
         m_key_mppe_client.clear();
         m_key_mppe_server.clear();
@@ -326,91 +344,90 @@ void eap::method_tls::process_request_packet(
         if (!m_hash_handshake_msgs_sha256.create(m_cp, CALG_SHA_256))
             throw win_runtime_error(__FUNCTION__ " Error creating SHA-256 hashing object.");
 
-        m_certificate_req   = false;
-        m_server_hello_done = false;
-        m_server_finished   = false;
-
         m_seq_num_client = 0;
         m_seq_num_server = 0;
 
         // Build client hello packet.
         sanitizing_blob msg_client_hello(make_message(tls_message_type_handshake, make_client_hello()));
-        m_packet_res.m_data.assign(msg_client_hello.begin(), msg_client_hello.end());
+        m_packet_res.m_data.insert(m_packet_res.m_data.end(), msg_client_hello.begin(), msg_client_hello.end());
-    } else {
-        // Process the packet.
-        m_packet_res.m_data.clear();
-        process_packet(m_packet_req.m_data.data(), m_packet_req.m_data.size());
 
-        if (m_server_finished) {
+        m_phase = phase_server_hello;
-            // Server finished.
+        break;
-        } else if (m_state_server.m_alg_encrypt) {
+    }
-            // Cipher specified (server).
+
-        } else if (m_server_hello_done) {
+    case phase_server_hello: {
-            // Server hello specified.
+        if (!m_handshake[tls_handshake_type_server_hello])
+            throw win_runtime_error(__FUNCTION__ " Server did not hello back. No server random! What cipher to use?");
 
         // Create cryptographics provider (based on server selected cipher?).
-            if (!m_cp_enc.create(NULL, NULL, PROV_RSA_AES))
+        if (!m_cp_enc_client.create(NULL, NULL, PROV_RSA_AES))
             throw win_runtime_error(__FUNCTION__ " Error creating cryptographics provider.");
 
+        if (m_handshake[tls_handshake_type_certificate]) {
             // Do we trust this server?
             if (m_server_cert_chain.empty())
-                throw win_runtime_error(ERROR_ENCRYPTION_FAILED, __FUNCTION__ " Can not continue without server's certificate.");
+                throw win_runtime_error(ERROR_ENCRYPTION_FAILED, __FUNCTION__ " Server sent an empty certificate (chain).");
             verify_server_trust();
+        }
 
-            if (m_certificate_req) {
+        if (m_handshake[tls_handshake_type_certificate_request]) {
             // Client certificate requested.
             sanitizing_blob msg_client_cert(make_message(tls_message_type_handshake, make_client_cert()));
             m_packet_res.m_data.insert(m_packet_res.m_data.end(), msg_client_cert.begin(), msg_client_cert.end());
         }
 
-            {
+        if (m_handshake[tls_handshake_type_server_hello_done]) {
+            if (m_server_cert_chain.empty())
+                throw win_runtime_error(ERROR_ENCRYPTION_FAILED, __FUNCTION__ " Can not do a client key exchange without a server public key (missing server certificate).");
+
             // Generate pre-master secret. PMS will get sanitized in its destructor when going out-of-scope.
-                tls_master_secret pms(m_cp_enc, m_tls_version);
+            // Always use latest supported version by client (not negotiated one, to detect version rollback attacks).
+            tls_master_secret pms(m_cp_enc_client, tls_version_1_2);
 
             // Derive master secret.
             static const unsigned char s_label[] = "master secret";
             sanitizing_blob seed(s_label, s_label + _countof(s_label) - 1);
             seed.insert(seed.end(), (const unsigned char*)&m_random_client, (const unsigned char*)(&m_random_client + 1));
             seed.insert(seed.end(), (const unsigned char*)&m_random_server, (const unsigned char*)(&m_random_server + 1));
-                memcpy(&m_master_secret, prf(m_cp_enc, m_alg_prf, pms, seed, sizeof(tls_master_secret)).data(), sizeof(tls_master_secret));
+            memcpy(&m_master_secret, prf(m_cp_enc_client, m_alg_prf, pms, seed, sizeof(tls_master_secret)).data(), sizeof(tls_master_secret));
 
             // Create client key exchange message, and append to packet.
             sanitizing_blob msg_client_key_exchange(make_message(tls_message_type_handshake, make_client_key_exchange(pms)));
             m_packet_res.m_data.insert(m_packet_res.m_data.end(), msg_client_key_exchange.begin(), msg_client_key_exchange.end());
         }
 
-            if (m_certificate_req) {
+        if (m_handshake[tls_handshake_type_certificate_request]) {
-                // TODO: Create and append certificate_verify message!
+            // TODO: Create and append client certificate verify message!
         }
 
         // Append change cipher spec to packet.
-            sanitizing_blob ccs(make_change_chiper_spec());
+        sanitizing_blob ccs(make_message(tls_message_type_change_cipher_spec, sanitizing_blob(1, 1)));
         m_packet_res.m_data.insert(m_packet_res.m_data.end(), ccs.begin(), ccs.end());
 
-            {
+        // Adopt server state as client pending.
-                // Adopt server provided pending state as client pending.
+        // If server already send the change cipher spec, use active server state. Otherwise pending.
-                m_state_client_pending = m_state_server_pending;
+        m_state_client_pending = m_state_server.m_alg_encrypt ? m_state_server : m_state_server_pending;
 
-                // Derive client side keys
+        // Derive client side keys.
         static const unsigned char s_label[] = "key expansion";
         sanitizing_blob seed(s_label, s_label + _countof(s_label) - 1);
         seed.insert(seed.end(), (const unsigned char*)&m_random_server, (const unsigned char*)(&m_random_server + 1));
         seed.insert(seed.end(), (const unsigned char*)&m_random_client, (const unsigned char*)(&m_random_client + 1));
-                sanitizing_blob key_block(prf(m_cp_enc, m_alg_prf, m_master_secret, seed,
+        sanitizing_blob key_block(prf(m_cp_enc_client, m_alg_prf, m_master_secret, seed,
             2*m_state_client_pending.m_size_mac_key +  // client_write_MAC_secret & server_write_MAC_secret (SHA1)
             2*m_state_client_pending.m_size_enc_key +  // client_write_key        & server_write_key
             2*m_state_client_pending.m_size_enc_iv )); // client_write_IV         & server_write_IV
         const unsigned char *_key_block = key_block.data();
 
         // client_write_MAC_secret
-                m_state_client_pending.m_padding_hmac = hmac_padding(m_cp_enc, m_state_client_pending.m_alg_mac, _key_block, m_state_client_pending.m_size_mac_key);
+        m_state_client_pending.m_padding_hmac = hmac_padding(m_cp_enc_client, m_state_client_pending.m_alg_mac, _key_block, m_state_client_pending.m_size_mac_key);
         _key_block += m_state_client_pending.m_size_mac_key;
 
         // server_write_MAC_secret
         _key_block += m_state_client_pending.m_size_mac_key;
 
         // client_write_key
-                m_state_client_pending.m_key = create_key(m_state_client_pending.m_alg_encrypt, m_key_exp1, _key_block, m_state_client_pending.m_size_enc_key);
+        m_state_client_pending.m_key = create_key(m_cp_enc_client, m_state_client_pending.m_alg_encrypt, m_key_exp1, _key_block, m_state_client_pending.m_size_enc_key);
         _key_block += m_state_client_pending.m_size_enc_key;
 
         // server_write_key
@@ -425,15 +442,27 @@ void eap::method_tls::process_request_packet(
 
         // Accept client pending state as current client state.
         m_state_client = std::move(m_state_client_pending);
-            }
 
         // Create finished message, and append to packet.
         sanitizing_blob msg_finished(make_message(tls_message_type_handshake, make_finished()));
         m_packet_res.m_data.insert(m_packet_res.m_data.end(), msg_finished.begin(), msg_finished.end());
-        }
+
+        m_phase = m_handshake[tls_handshake_type_finished] ? phase_application_data : phase_change_cipher_spec;
+        break;
     }
 
-    // Request packet was processed. Clear its data since we use the absence of data to detect first of fragmented message packages.
+    case phase_change_cipher_spec:
+        // Wait in this phase until server sends change cipher spec and finish.
+        if (m_state_server.m_alg_encrypt && m_handshake[tls_handshake_type_finished])
+            m_phase = phase_application_data;
+        break;
+
+    case phase_application_data:
+        if (m_handshake[tls_handshake_type_hello_request])
+            m_phase = phase_client_hello;
+    }
+
+    // EAP-Request packet was processed. Clear its data since we use the absence of data to detect first of fragmented message packages.
     m_packet_req.m_data.clear();
 
     pEapOutput->fAllowNotifications = FALSE;
@@ -509,10 +538,12 @@ void eap::method_tls::get_result(
 
     switch (reason) {
     case EapPeerMethodResultSuccess: {
-        if (!m_server_finished)
+        if (!m_handshake[tls_handshake_type_finished])
             throw invalid_argument(__FUNCTION__ " Premature success.");
 
-        // Derive MSK.
+        m_module.log_event(&EAPMETHOD_TLS_SUCCESS, event_data((unsigned int)eap_type_tls), event_data::blank);
+
+        // Derive MSK/EMSK for line encryption.
         derive_msk();
 
         // Fill array with RADIUS attributes.
@@ -530,7 +561,7 @@ void eap::method_tls::get_result(
         ppResult->pAttribArray = &m_eap_attr_desc;
 
         // Clear credentials as failed.
-        cfg_method->m_cred_failed = false;
+        cfg_method->m_auth_failed = false;
 
         ppResult->fIsSuccess = TRUE;
         ppResult->dwFailureReasonCode = ERROR_SUCCESS;
@@ -543,15 +574,19 @@ void eap::method_tls::get_result(
     }
 
     case EapPeerMethodResultFailure:
+        m_module.log_event(&EAPMETHOD_TLS_FAILURE, event_data((unsigned int)eap_type_tls), event_data::blank);
+
         // Clear session resumption data.
         cfg_method->m_session_id.clear();
         cfg_method->m_master_secret.clear();
 
         // Mark credentials as failed, so GUI can re-prompt user.
-        cfg_method->m_cred_failed = true;
+        cfg_method->m_auth_failed = true;
 
-        ppResult->fIsSuccess = FALSE;
+        // Do not report failure to EAPHost, as it will not save updated configuration then. But we need it to save it, to alert user on next connection attempt.
-        ppResult->dwFailureReasonCode = EAP_E_AUTHENTICATION_FAILED;
+        // EAPHost is well aware of the failed condition.
+        //ppResult->fIsSuccess = FALSE;
+        //ppResult->dwFailureReasonCode = EAP_E_AUTHENTICATION_FAILED;
 
         break;
 
@@ -582,6 +617,10 @@ eap::sanitizing_blob eap::method_tls::make_client_hello()
         0x00, 0x2f, // TLS_RSA_WITH_AES_128_CBC_SHA (required by TLS 1.2)
         0x00, 0x0a, // TLS_RSA_WITH_3DES_EDE_CBC_SHA (required by EAP-TLS)
     };
+    static const unsigned char s_compression_suite[] = {
+        0x00, // No compression
+    };
+
     size_t size_data;
     sanitizing_blob msg;
     msg.reserve(
@@ -594,7 +633,7 @@ eap::sanitizing_blob eap::method_tls::make_client_hello()
         2                            + // Length of cypher suite list
         sizeof(s_cipher_suite)       + // Cipher suite list
         1                            + // Length of compression suite
-        1));                     // Compression suite
+        sizeof(s_compression_suite))); // Compression suite
 
     // SSL header
     assert(size_data <= 0xffffff);
@@ -619,8 +658,8 @@ eap::sanitizing_blob eap::method_tls::make_client_hello()
     msg.insert(msg.end(), s_cipher_suite, s_cipher_suite + _countof(s_cipher_suite));
 
     // Compression
-    msg.push_back(0x01); // Length of compression section
+    msg.push_back((unsigned char)sizeof(s_compression_suite));
-    msg.push_back(0x00); // No compression (0)
+    msg.insert(msg.end(), s_compression_suite, s_compression_suite + _countof(s_compression_suite));
 
     return msg;
 }
@@ -667,10 +706,10 @@ eap::sanitizing_blob eap::method_tls::make_client_cert() const
 
 eap::sanitizing_blob eap::method_tls::make_client_key_exchange(_In_ const tls_master_secret &pms) const
 {
-    // Encrypt pre-master key first.
+    // Encrypt pre-master key with server public key first.
     sanitizing_blob pms_enc((const unsigned char*)&pms, (const unsigned char*)(&pms + 1));
     crypt_key key;
-    if (!key.import_public(m_cp_enc, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(m_server_cert_chain.front()->pCertInfo->SubjectPublicKeyInfo)))
+    if (!key.import_public(m_cp_enc_client, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(m_server_cert_chain.front()->pCertInfo->SubjectPublicKeyInfo)))
         throw win_runtime_error(__FUNCTION__ " Error importing server's public key.");
     if (!CryptEncrypt(key,  NULL, TRUE, 0, pms_enc))
         throw win_runtime_error(__FUNCTION__ " Error encrypting PMS.");
@@ -703,20 +742,6 @@ eap::sanitizing_blob eap::method_tls::make_client_key_exchange(_In_ const tls_ma
 }
 
 
-eap::sanitizing_blob eap::method_tls::make_change_chiper_spec() const
-{
-    const unsigned char msg_css[] = {
-        tls_message_type_change_cipher_spec,    // SSL record type
-        m_tls_version.major,                    // SSL major version
-        m_tls_version.minor,                    // SSL minor version
-        0,                                      // Message size (high-order byte)
-        1,                                      // Message size (low-order byte)
-        1,                                      // Message: change_cipher_spec is always "1"
-    };
-    return sanitizing_blob(msg_css, msg_css + _countof(msg_css));
-}
-
-
 eap::sanitizing_blob eap::method_tls::make_finished() const
 {
     sanitizing_blob msg;
@@ -747,7 +772,7 @@ eap::sanitizing_blob eap::method_tls::make_finished() const
             throw win_runtime_error(__FUNCTION__ " Error finishing SHA-256 hash calculation.");
         seed.insert(seed.end(), hash_data.begin(), hash_data.end());
     }
-    sanitizing_blob verify(prf(m_cp_enc, m_alg_prf, m_master_secret, seed, 12));
+    sanitizing_blob verify(prf(m_cp_enc_client, m_alg_prf, m_master_secret, seed, 12));
     msg.insert(msg.end(), verify.begin(), verify.end());
 
     return msg;
@@ -791,7 +816,7 @@ void eap::method_tls::derive_msk()
     sanitizing_blob seed(s_label, s_label + _countof(s_label) - 1);
     seed.insert(seed.end(), (const unsigned char*)&m_random_client, (const unsigned char*)(&m_random_client + 1));
     seed.insert(seed.end(), (const unsigned char*)&m_random_server, (const unsigned char*)(&m_random_server + 1));
-    sanitizing_blob key_block(prf(m_cp_enc, m_alg_prf, m_master_secret, seed, 2*sizeof(tls_random)));
+    sanitizing_blob key_block(prf(m_cp_enc_client, m_alg_prf, m_master_secret, seed, 2*sizeof(tls_random)));
     const unsigned char *_key_block = key_block.data();
 
     // MS-MPPE-Recv-Key
@@ -819,9 +844,14 @@ void eap::method_tls::process_packet(_In_bytecount_(size_pck) const void *_pck,
             throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Incomplete message data.");
 
         if (hdr->version >= tls_version_1_0) {
-            // Process TLS 1.0 message.
+            // Process TLS message.
             switch (hdr->type) {
             case tls_message_type_change_cipher_spec:
+                if (m_state_server.m_alg_encrypt) {
+                    sanitizing_blob msg_dec(msg, msg_end);
+                    decrypt_message(hdr->type, msg_dec);
+                    process_change_cipher_spec(msg_dec.data(), msg_dec.size());
+                } else
                     process_change_cipher_spec(msg, msg_end - msg);
                 break;
 
@@ -879,11 +909,18 @@ void eap::method_tls::process_change_cipher_spec(_In_bytecount_(msg_size) const
 
     m_module.log_event(&EAPMETHOD_TLS_CHANGE_CIPHER_SPEC, event_data((unsigned int)eap_type_tls), event_data::blank);
 
+    if (!m_state_server_pending.m_alg_encrypt)
+        throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Change cipher spec received without cipher being negotiated first.");
+
+    // Create cryptographics provider (based on server selected cipher?).
+    if (!m_cp_enc_server.create(NULL, NULL, PROV_RSA_AES))
+        throw win_runtime_error(__FUNCTION__ " Error creating cryptographics provider.");
+
     static const unsigned char s_label[] = "key expansion";
     sanitizing_blob seed(s_label, s_label + _countof(s_label) - 1);
     seed.insert(seed.end(), (const unsigned char*)&m_random_server, (const unsigned char*)(&m_random_server + 1));
     seed.insert(seed.end(), (const unsigned char*)&m_random_client, (const unsigned char*)(&m_random_client + 1));
-    sanitizing_blob key_block(prf(m_cp_enc, m_alg_prf, m_master_secret, seed,
+    sanitizing_blob key_block(prf(m_cp_enc_server, m_alg_prf, m_master_secret, seed,
         2*m_state_server_pending.m_size_mac_key +  // client_write_MAC_secret & server_write_MAC_secret (SHA1)
         2*m_state_server_pending.m_size_enc_key +  // client_write_key        & server_write_key
         2*m_state_server_pending.m_size_enc_iv )); // client_write_IV         & server_write_IV
@@ -893,14 +930,14 @@ void eap::method_tls::process_change_cipher_spec(_In_bytecount_(msg_size) const
     _key_block += m_state_server_pending.m_size_mac_key;
 
     // server_write_MAC_secret
-    m_state_server_pending.m_padding_hmac = hmac_padding(m_cp_enc, m_state_server_pending.m_alg_mac, _key_block, m_state_server_pending.m_size_mac_key);
+    m_state_server_pending.m_padding_hmac = hmac_padding(m_cp_enc_server, m_state_server_pending.m_alg_mac, _key_block, m_state_server_pending.m_size_mac_key);
     _key_block += m_state_server_pending.m_size_mac_key;
 
     // client_write_key
     _key_block += m_state_server_pending.m_size_enc_key;
 
     // server_write_key
-    m_state_server_pending.m_key = create_key(m_state_server_pending.m_alg_encrypt, m_key_exp1, _key_block, m_state_server_pending.m_size_enc_key);
+    m_state_server_pending.m_key = create_key(m_cp_enc_server, m_state_server_pending.m_alg_encrypt, m_key_exp1, _key_block, m_state_server_pending.m_size_enc_key);
     _key_block += m_state_server_pending.m_size_enc_key;
 
     if (m_state_server_pending.m_size_enc_iv && m_tls_version < tls_version_1_1) {
@@ -915,6 +952,7 @@ void eap::method_tls::process_change_cipher_spec(_In_bytecount_(msg_size) const
 
     // Accept server pending state as current server state.
     m_state_server = std::move(m_state_server_pending);
+    m_state_server_pending.m_alg_encrypt = 0; // Explicitly invalidate server pending state. (To mark that server must re-negotiate cipher.)
 }
 
 
@@ -970,7 +1008,11 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
                 if (rec + 1 > rec_end || rec + 1 + rec[0] > rec_end)
                     throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Session ID missing or incomplete.");
                 assert(rec[0] <= 32); // According to RFC 5246 session IDs should not be longer than 32B.
+                if (m_session_id.size() != rec[0] || memcmp(m_session_id.data(), rec + 1, rec[0]) != 0) {
+                    m_module.log_event(&EAPMETHOD_TLS_SESSION_NEW, event_data((unsigned int)eap_type_tls), event_data::blank);
                     m_session_id.assign(rec + 1, rec + 1 + rec[0]);
+                } else
+                    m_module.log_event(&EAPMETHOD_TLS_SESSION_RESUME, event_data((unsigned int)eap_type_tls), event_data::blank);
                 rec += rec[0] + 1;
 
                 // Cipher
@@ -1041,12 +1083,10 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
             }
 
             case tls_handshake_type_certificate_request:
-                m_certificate_req = true;
                 m_module.log_event(&EAPMETHOD_TLS_CERTIFICATE_REQUEST, event_data((unsigned int)eap_type_tls), event_data::blank);
                 break;
 
             case tls_handshake_type_server_hello_done:
-                m_server_hello_done = true;
                 m_module.log_event(&EAPMETHOD_TLS_SERVER_HELLO_DONE, event_data((unsigned int)eap_type_tls), event_data::blank);
                 break;
 
@@ -1078,10 +1118,9 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
                     seed.insert(seed.end(), hash_data.begin(), hash_data.end());
                 }
 
-                if (memcmp(prf(m_cp_enc, m_alg_prf, m_master_secret, seed, 12).data(), rec, 12))
+                if (memcmp(prf(m_cp_enc_server, m_alg_prf, m_master_secret, seed, 12).data(), rec, 12))
                     throw win_runtime_error(ERROR_ENCRYPTION_FAILED, __FUNCTION__ " Integrity check failed.");
 
-                m_server_finished = true;
                 m_module.log_event(&EAPMETHOD_TLS_FINISHED, event_data((unsigned int)eap_type_tls), event_data::blank);
                 break;
             }
@@ -1090,10 +1129,18 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
                 m_module.log_event(&EAPMETHOD_TLS_HANDSHAKE_IGNORE, event_data((unsigned int)eap_type_tls), event_data((unsigned char)type), event_data::blank);
         }
 
-        msg = rec_end;
+        if (type < tls_handshake_type_max) {
+            // Set the flag this handshake message was received.
+            m_handshake[type] = true;
         }
 
-    hash_handshake(_msg, msg_size);
+        if (type != tls_handshake_type_hello_request) {
+            // Hash all but hello requests (https://tools.ietf.org/html/rfc5246#section-7.4.1.1).
+            hash_handshake(msg, rec_end - msg);
+        }
+
+        msg = rec_end;
+    }
 }
 
 
@@ -1119,17 +1166,16 @@ void eap::method_tls::verify_server_trust() const
     assert(!m_server_cert_chain.empty());
     const cert_context &cert = m_server_cert_chain.front();
 
+    string subj;
+    if (!CertGetNameStringA(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, subj))
+        throw win_runtime_error(__FUNCTION__ " Error retrieving server's certificate subject name.");
+
     const config_provider &cfg_prov(m_cfg.m_providers.front());
     const config_method_tls *cfg_method = dynamic_cast<const config_method_tls*>(cfg_prov.m_methods.front().get());
     assert(cfg_method);
 
     if (!cfg_method->m_server_names.empty()) {
         // Check server name.
-
-        string subj;
-        if (!CertGetNameStringA(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, subj))
-            throw win_runtime_error(__FUNCTION__ " Error retrieving server's certificate subject name.");
-
         for (list<string>::const_iterator s = cfg_method->m_server_names.cbegin(), s_end = cfg_method->m_server_names.cend();; ++s) {
             if (s != s_end) {
                 const char
@@ -1150,6 +1196,10 @@ void eap::method_tls::verify_server_trust() const
         }
     }
 
+    if (cert->pCertInfo->Issuer.cbData == cert->pCertInfo->Subject.cbData &&
+        memcmp(cert->pCertInfo->Issuer.pbData, cert->pCertInfo->Subject.pbData, cert->pCertInfo->Issuer.cbData) == 0)
+        throw com_runtime_error(CRYPT_E_SELF_SIGNED, string_printf(__FUNCTION__ " Server is using a self-signed certificate %s. Cannot trust it.", subj.c_str()).c_str());
+
     // Create temporary certificate store of our trusted root CAs.
     cert_store store;
     if (!store.create(CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, 0, NULL))
@@ -1158,8 +1208,17 @@ void eap::method_tls::verify_server_trust() const
         CertAddCertificateContextToStore(store, *c, CERT_STORE_ADD_REPLACE_EXISTING, NULL);
 
     // Add all certificates from the server's certificate chain, except the first one.
-    for (list<cert_context>::const_iterator c = m_server_cert_chain.cbegin(), c_end = m_server_cert_chain.cend(); ++c != c_end;)
+    for (list<cert_context>::const_iterator c = m_server_cert_chain.cbegin(), c_end = m_server_cert_chain.cend(); ++c != c_end;) {
+        const cert_context &_c = *c;
+        if (_c->pCertInfo->Issuer.cbData == _c->pCertInfo->Subject.cbData &&
+            memcmp(_c->pCertInfo->Issuer.pbData, _c->pCertInfo->Subject.pbData, _c->pCertInfo->Issuer.cbData) == 0)
+        {
+            // Skip the root CA certificates (self-signed). We define in whom we trust!
+            continue;
+        }
+
         CertAddCertificateContextToStore(store, *c, CERT_STORE_ADD_REPLACE_EXISTING, NULL);
+    }
 
     // Prepare the certificate chain validation, and check.
     CERT_CHAIN_PARA chain_params = {
@@ -1179,7 +1238,7 @@ void eap::method_tls::verify_server_trust() const
     };
     cert_chain_context context;
     if (!context.create(NULL, cert, NULL, store, &chain_params, 0))
-        throw win_runtime_error(ERROR_INVALID_DOMAINNAME, __FUNCTION__ " Error creating certificate chain context.");
+        throw win_runtime_error(__FUNCTION__ " Error creating certificate chain context.");
 
     // Check chain validation error flags. Ignore CERT_TRUST_IS_UNTRUSTED_ROOT flag when we check root CA explicitly.
     if (context->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR &&
@@ -1217,7 +1276,7 @@ void eap::method_tls::encrypt_message(_In_ tls_message_type_t type, _Inout_ sani
 {
     // Hash sequence number, TLS header, and message.
     size_t size_data = data.size();
-    hmac_hash hash(m_cp_enc, m_state_client.m_alg_mac, m_state_client.m_padding_hmac);
+    hmac_hash hash(m_cp_enc_client, m_state_client.m_alg_mac, m_state_client.m_padding_hmac);
     unsigned __int64 seq_num2 = htonll(m_seq_num_client);
     unsigned short size_data2 = htons((unsigned short)size_data);
     if (!CryptHashData(hash, (const BYTE*)&seq_num2     , sizeof(seq_num2     ), 0) ||
@@ -1239,7 +1298,7 @@ void eap::method_tls::encrypt_message(_In_ tls_message_type_t type, _Inout_ sani
         if (m_tls_version >= tls_version_1_1) {
             // TLS 1.1+: Set random IV.
             data.insert(data.begin(), m_state_client.m_size_enc_iv, 0);
-            if (!CryptGenRandom(m_cp_enc, (DWORD)m_state_client.m_size_enc_iv, data.data()))
+            if (!CryptGenRandom(m_cp_enc_client, (DWORD)m_state_client.m_size_enc_iv, data.data()))
                 throw win_runtime_error(__FUNCTION__ " Error generating IV.");
             size_data_enc += m_state_client.m_size_enc_iv;
         }
@@ -1304,7 +1363,7 @@ void eap::method_tls::decrypt_message(_In_ tls_message_type_t type, _Inout_ sani
         size_data -= m_state_server.m_size_mac_hash;
 
         // Hash sequence number, TLS header (without length), original message length, and message.
-        hmac_hash hash(m_cp_enc, m_state_server.m_alg_mac, m_state_server.m_padding_hmac);
+        hmac_hash hash(m_cp_enc_server, m_state_server.m_alg_mac, m_state_server.m_padding_hmac);
         unsigned __int64 seq_num2 = htonll(m_seq_num_server);
         unsigned short size_data2 = htons((unsigned short)size_data);
         if (!CryptHashData(hash, (const BYTE*)&seq_num2     , sizeof(seq_num2     ), 0) ||
@@ -1438,6 +1497,7 @@ eap::sanitizing_blob eap::method_tls::prf(
 
 
 HCRYPTKEY eap::method_tls::create_key(
+    _In_                              HCRYPTPROV cp,
     _In_                              ALG_ID     alg,
     _In_                              HCRYPTKEY  key,
     _In_bytecount_(size_secret) const void       *secret,
@@ -1467,7 +1527,7 @@ HCRYPTKEY eap::method_tls::create_key(
 
     // Import the key.
     winstd::crypt_key key_out;
-    if (!key_out.import(m_cp_enc, key_blob.data(), (DWORD)key_blob.size(), NULL, 0))
+    if (!key_out.import(cp, key_blob.data(), (DWORD)key_blob.size(), NULL, 0))
         throw winstd::win_runtime_error(__FUNCTION__ " Error importing key.");
     return key_out.detach();
 #else
@@ -1513,7 +1573,7 @@ HCRYPTKEY eap::method_tls::create_key(
     // Is random PS required at all? We are importing a clear-text session key with the exponent-of-one key. How low on security can we get?
     key_blob.insert(key_blob.end(), size_ps, 0);
     unsigned char *ps = &*(key_blob.end() - size_ps);
-    CryptGenRandom(m_cp_enc, (DWORD)size_ps, ps);
+    CryptGenRandom(cp, (DWORD)size_ps, ps);
     for (size_t i = 0; i < size_ps; i++)
         if (ps[i] == 0) ps[i] = 1;
 #endif
@@ -1529,7 +1589,7 @@ HCRYPTKEY eap::method_tls::create_key(
 
     // Import the key.
     winstd::crypt_key key_out;
-    if (!key_out.import(m_cp_enc, key_blob.data(), (DWORD)key_blob.size(), key, 0))
+    if (!key_out.import(cp, key_blob.data(), (DWORD)key_blob.size(), key, 0))
         throw winstd::win_runtime_error(__FUNCTION__ " Error importing key.");
     return key_out.detach();
 #endif

lib/TLS_UI/src/TLS_UI.cpp

@@ -423,14 +423,6 @@ wxTLSServerTrustPanel::wxTLSServerTrustPanel(const eap::config_provider &prov, e
 
 bool wxTLSServerTrustPanel::TransferDataToWindow()
 {
-    if (m_prov.m_read_only) {
-        // This is provider-locked configuration. Disable controls.
-        m_root_ca_add_store->Enable(false);
-        m_root_ca_add_file ->Enable(false);
-        m_root_ca_remove   ->Enable(false);
-        m_server_names     ->Enable(false);
-    }
-
     // Populate trusted CA list.
     for (std::list<winstd::cert_context>::const_iterator cert = m_cfg.m_trusted_root_ca.cbegin(), cert_end = m_cfg.m_trusted_root_ca.cend(); cert != cert_end; ++cert)
         m_root_ca->Append(wxString(eap::get_cert_title(*cert)), new wxCertificateClientData(cert->duplicate()));
@@ -469,10 +461,19 @@ void wxTLSServerTrustPanel::OnUpdateUI(wxUpdateUIEvent& event)
 {
     UNREFERENCED_PARAMETER(event);
 
-    if (!m_prov.m_read_only) {
+    if (m_prov.m_read_only) {
+        // This is provider-locked configuration. Disable controls.
+        m_root_ca_add_store->Enable(false);
+        m_root_ca_add_file ->Enable(false);
+        m_root_ca_remove   ->Enable(false);
+        m_server_names     ->Enable(false);
+    } else {
         // This is not a provider-locked configuration. Selectively enable/disable controls.
+        m_root_ca_add_store->Enable(true);
+        m_root_ca_add_file ->Enable(true);
         wxArrayInt selections;
         m_root_ca_remove->Enable(m_root_ca->GetSelections(selections) ? true : false);
+        m_server_names     ->Enable(true);
     }
 }
 

lib/TTLS/include/Credentials.h

@@ -32,6 +32,7 @@ namespace eap
 #include "../../PAP/include/Credentials.h"
 
 #include <memory>
+#include <utility>
 
 
 namespace eap
@@ -187,7 +188,7 @@ namespace eap
         /// - \c true  if credentials were set;
         /// - \c false otherwise
         ///
-        bool combine(
+        std::pair<source_t, source_t> combine(
             _In_       const credentials_ttls   *cred_cached,
             _In_       const config_method_ttls &cfg,
             _In_opt_z_       LPCTSTR            pszTargetName);

lib/TTLS/src/Credentials.cpp

@@ -226,15 +226,12 @@ std::wstring eap::credentials_ttls::get_identity() const
 }
 
 
-bool eap::credentials_ttls::combine(
+pair<eap::credentials::source_t, eap::credentials::source_t> eap::credentials_ttls::combine(
     _In_       const credentials_ttls   *cred_cached,
     _In_       const config_method_ttls &cfg,
     _In_opt_z_       LPCTSTR            pszTargetName)
 {
-    bool
+    return pair<source_t, source_t>(
-        is_outer_set = credentials_tls::combine(cred_cached, cfg, pszTargetName),
+        credentials_tls::combine(cred_cached, cfg, pszTargetName),
-        is_inner_set =
+        dynamic_cast<const credentials_pap*>(m_inner.get()) ? ((credentials_pap*)m_inner.get())->combine(cred_cached ? (credentials_pap*)cred_cached->m_inner.get() : NULL, (const config_method_pap&)*cfg.m_inner, pszTargetName) : source_unknown);
-            dynamic_cast<const credentials_pap*>(m_inner.get()) ? ((credentials_pap*)m_inner.get())->combine(cred_cached ? (credentials_pap*)cred_cached->m_inner.get() : NULL, (const config_method_pap&)*cfg.m_inner, pszTargetName) : false;
-
-    return is_outer_set && is_inner_set;
 }

lib/TTLS/src/Method.cpp

@@ -69,28 +69,25 @@ void eap::method_ttls::process_request_packet(
         m_module.log_event(&EAPMETHOD_TTLS_HANDSHAKE_START, event_data((unsigned int)eap_type_ttls), event_data((unsigned char)m_version), event_data((unsigned char)ver_remote), event_data::blank);
     }
 
-    if (!m_server_finished) {
     // Do the TLS.
     method_tls::process_request_packet(pReceivedPacket, dwReceivedPacketSize, pEapOutput);
 
-        if (m_server_finished) {
+    if (m_phase == phase_application_data) {
-            // Piggyback inner authentication.
+        // Send inner authentication.
         if (!m_state_client.m_alg_encrypt)
             throw runtime_error(__FUNCTION__ " Refusing to send credentials unencrypted.");
 
+        m_module.log_event(&EAPMETHOD_TTLS_INNER_CRED, event_data((unsigned int)eap_type_ttls), event_data(m_cred.m_inner->get_name()), event_data::blank);
+
         m_packet_res.m_code  = EapCodeResponse;
         m_packet_res.m_id    = m_packet_req.m_id;
         m_packet_res.m_flags = 0;
         sanitizing_blob msg_application(make_message(tls_message_type_application_data, make_pap_client()));
-            m_packet_res.m_data.assign(msg_application.begin(), msg_application.end());
+        m_packet_res.m_data.insert(m_packet_res.m_data.end(), msg_application.begin(), msg_application.end());
 
         pEapOutput->fAllowNotifications = FALSE;
         pEapOutput->action = EapPeerMethodResponseActionSend;
     }
-    } else {
-        // Do the TLS. Again.
-        method_tls::process_request_packet(pReceivedPacket, dwReceivedPacketSize, pEapOutput);
-    }
 }
 
 
@@ -111,20 +108,36 @@ void eap::method_ttls::get_result(
     _In_    EapPeerMethodResultReason reason,
     _Inout_ EapPeerMethodResult       *ppResult)
 {
-    if (!m_server_finished) {
+    if (m_phase != phase_application_data) {
         // Do the TLS.
         method_tls::get_result(reason, ppResult);
     } else {
+        // The TLS finished, this is inner authentication's bussines.
         config_provider &cfg_prov(m_cfg.m_providers.front());
         config_method_ttls *cfg_method = dynamic_cast<config_method_ttls*>(cfg_prov.m_methods.front().get());
         assert(cfg_method);
 
-        // Mark credentials appropriately, so GUI can re-prompt user.
+        switch (reason) {
-        cfg_method->m_inner->m_cred_failed = reason == EapPeerMethodResultFailure;
+        case EapPeerMethodResultSuccess: {
+            m_module.log_event(&EAPMETHOD_TTLS_INNER_SUCCESS, event_data((unsigned int)eap_type_ttls), event_data::blank);
+            cfg_method->m_inner->m_auth_failed = false;
+            break;
+        }
+
+        case EapPeerMethodResultFailure:
+            m_module.log_event(&EAPMETHOD_TTLS_INNER_FAILURE, event_data((unsigned int)eap_type_ttls), event_data::blank);
+            cfg_method->m_inner->m_auth_failed = true;
+            break;
+
+        default:
+            throw win_runtime_error(ERROR_NOT_SUPPORTED, __FUNCTION__ " Not supported.");
+        }
 
         // The TLS was OK.
         method_tls::get_result(EapPeerMethodResultSuccess, ppResult);
 
+        // Do not report failure to EAPHost, as it will not save updated configuration then. But we need it to save it, to alert user on next connection attempt.
+        // EAPHost is well aware of the failed condition.
         //if (reason == EapPeerMethodResultFailure) {
         //    ppResult->fIsSuccess = FALSE;
         //    ppResult->dwFailureReasonCode = EAP_E_AUTHENTICATION_FAILED;

lib/TTLS/src/Module.cpp

@@ -109,14 +109,17 @@ void eap::peer_ttls::get_identity(
     {
         // Combine credentials.
         user_impersonator impersonating(hTokenImpersonateUser);
-        *pfInvokeUI = cred_out.combine(
+        pair<eap::credentials::source_t, eap::credentials::source_t> cred_source(cred_out.combine(
 #ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
             &cred_in,
 #else
             NULL,
 #endif
             *cfg_method,
-            (dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? cfg_prov.m_id.c_str() : NULL) ? FALSE : TRUE;
+            (dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? cfg_prov.m_id.c_str() : NULL));
+
+        // If either of credentials is unknown, request UI.
+        *pfInvokeUI = cred_source.first == eap::credentials::source_unknown || cred_source.second == eap::credentials::source_unknown ? TRUE : FALSE;
     }
 
     if (*pfInvokeUI) {
@@ -132,14 +135,14 @@ void eap::peer_ttls::get_identity(
 
     // If we got here, we have all credentials we need. But, wait!
 
-    if (cfg_method->m_cred_failed) {
+    if (cfg_method->m_auth_failed) {
         // Outer TLS: Credentials failed on last connection attempt.
         log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM, event_data((unsigned int)eap_type_tls), event_data::blank);
         *pfInvokeUI = TRUE;
         return;
     }
 
-    if (cfg_method->m_inner->m_cred_failed) {
+    if (cfg_method->m_inner->m_auth_failed) {
         // Inner: Credentials failed on last connection attempt.
         log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM, event_data((unsigned int)type_inner), event_data::blank);
         *pfInvokeUI = TRUE;

lib/TTLS_UI/include/TTLS_UI.h

@@ -45,7 +45,6 @@ class wxTTLSCredentialsPanel;
 
 #include <wx/choicebk.h>
 #include <wx/icon.h>
-#include <wx/scrolwin.h>
 #include <wx/stattext.h>
 
 #include <Windows.h>
@@ -74,32 +73,28 @@ protected:
 };
 
 
-class wxTTLSConfigWindow : public wxScrolledWindow
+class wxTTLSConfigWindow : public wxEAPConfigWindow
 {
 public:
     ///
     /// Constructs a configuration panel
     ///
+    /// \param[in]    prov           Provider configuration data
     /// \param[inout] cfg            Configuration data
     /// \param[in]    pszCredTarget  Target name of credentials in Windows Credential Manager. Can be further decorated to create final target name.
     /// \param[in]    parent         Parent window
     ///
     wxTTLSConfigWindow(const eap::config_provider &prov, eap::config_method &cfg, LPCTSTR pszCredTarget, wxWindow* parent);
 
-    ///
-    /// Destructs the configuration panel
-    ///
-    virtual ~wxTTLSConfigWindow();
-
 protected:
     /// \cond internal
     virtual bool TransferDataToWindow();
     virtual bool TransferDataFromWindow();
     virtual void OnInitDialog(wxInitDialogEvent& event);
+    virtual void OnUpdateUI(wxUpdateUIEvent& event);
     /// \endcond
 
 protected:
-    const eap::config_provider &m_prov;     ///< EAP provider
     eap::config_method_ttls &m_cfg;         ///< TTLS configuration
     wxStaticText *m_outer_title;            ///< Outer authentication title
     wxTTLSConfigPanel *m_outer_identity;    ///< Outer identity configuration panel

lib/TTLS_UI/src/Module.cpp

@@ -83,8 +83,26 @@ void eap::peer_ttls_ui::invoke_config_ui(
 {
     // Unpack configuration.
     config_provider_list cfg(*this);
-    if (dwConnectionDataInSize)
+    if (dwConnectionDataInSize) {
+        // Load existing configuration.
         unpack(cfg, pConnectionDataIn, dwConnectionDataInSize);
+    } else {
+        // This is a blank network profile. Create default configuraton.
+
+        // Start with PAP inner configuration.
+        unique_ptr<config_method_ttls> cfg_method(new config_method_ttls(*this));
+        cfg_method->m_inner.reset(new config_method_pap(*this));
+        cfg_method->m_anonymous_identity = L"@";
+        cfg_method->m_use_preshared = true;
+        cfg_method->m_preshared.reset(new credentials_tls(*this));
+
+        // Start with one method.
+        config_provider cfg_provider(*this);
+        cfg_provider.m_methods.push_back(std::move(cfg_method));
+
+        // Start with one provider.
+        cfg.m_providers.push_back(std::move(cfg_provider));
+    }
 
     // Initialize application.
     new wxApp();
@@ -163,14 +181,14 @@ void eap::peer_ttls_ui::invoke_identity_ui(
     }
 
     // Combine credentials.
-    cred_out.combine(
+    pair<eap::credentials::source_t, eap::credentials::source_t> cred_source(cred_out.combine(
 #ifdef EAP_USE_NATIVE_CREDENTIAL_CACHE
         &cred_in,
 #else
         NULL,
 #endif
         *cfg_method,
-        (dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? cfg_prov.m_id.c_str() : NULL);
+        (dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? cfg_prov.m_id.c_str() : NULL));
 
     if (dwFlags & EAP_FLAG_GUEST_ACCESS) {
         // Disable credential saving for guests.
@@ -190,10 +208,18 @@ void eap::peer_ttls_ui::invoke_identity_ui(
         parent.AdoptAttributesFromHWND();
         wxTopLevelWindows.Append(&parent);
 
-        // Create and launch credentials dialog.
+        // Create credentials dialog.
         wxEAPCredentialsDialog dlg(cfg_prov, &parent);
         wxTTLSCredentialsPanel *panel = new wxTTLSCredentialsPanel(cfg_prov, *cfg_method, cred_out, cfg_prov.m_id.c_str(), &dlg);
-        dlg.AddContents((wxPanel**)&panel, 1);
+        dlg.AddContent(panel);
+
+        // Set "Remember" checkboxes according to credential source,
+        panel->m_outer_cred->SetRememberValue(cred_source.first == eap::credentials::source_storage);
+        wxPAPCredentialsPanel *panel_inner_cred_pap = dynamic_cast<wxPAPCredentialsPanel*>(panel->m_inner_cred);
+        if (panel_inner_cred_pap)
+            panel_inner_cred_pap->SetRememberValue(cred_source.second == eap::credentials::source_storage);
+
+        // Centre and display dialog.
         dlg.Centre(wxBOTH);
         result = dlg.ShowModal();
         if (result == wxID_OK) {
@@ -208,7 +234,6 @@ void eap::peer_ttls_ui::invoke_identity_ui(
                 }
             }
 
-            wxPAPCredentialsPanel *panel_inner_cred_pap = dynamic_cast<wxPAPCredentialsPanel*>(panel->m_inner_cred);
             if (panel_inner_cred_pap && panel_inner_cred_pap->GetRememberValue()) {
                 try {
                     cred_out.m_inner->store(cfg_prov.m_id.c_str());

lib/TTLS_UI/src/TTLS_UI.cpp

@@ -38,14 +38,6 @@ wxTTLSConfigPanel::wxTTLSConfigPanel(const eap::config_provider &prov, eap::conf
 
 bool wxTTLSConfigPanel::TransferDataToWindow()
 {
-    if (m_prov.m_read_only) {
-        // This is provider-locked configuration. Disable controls.
-        m_outer_identity_same      ->Enable(false);
-        m_outer_identity_empty     ->Enable(false);
-        m_outer_identity_custom    ->Enable(false);
-        m_outer_identity_custom_val->Enable(false);
-    }
-
     // Populate identity controls.
     if (m_cfg.m_anonymous_identity.empty()) {
         m_outer_identity_same->SetValue(true);
@@ -82,8 +74,17 @@ void wxTTLSConfigPanel::OnUpdateUI(wxUpdateUIEvent& event)
 {
     UNREFERENCED_PARAMETER(event);
 
-    if (!m_prov.m_read_only) {
+    if (m_prov.m_read_only) {
+        // This is provider-locked configuration. Disable controls.
+        m_outer_identity_same      ->Enable(false);
+        m_outer_identity_empty     ->Enable(false);
+        m_outer_identity_custom    ->Enable(false);
+        m_outer_identity_custom_val->Enable(false);
+    } else {
         // This is not a provider-locked configuration. Selectively enable/disable controls.
+        m_outer_identity_same      ->Enable(true);
+        m_outer_identity_empty     ->Enable(true);
+        m_outer_identity_custom    ->Enable(true);
         m_outer_identity_custom_val->Enable(m_outer_identity_custom->GetValue());
     }
 }
@@ -94,10 +95,9 @@ void wxTTLSConfigPanel::OnUpdateUI(wxUpdateUIEvent& event)
 //////////////////////////////////////////////////////////////////////
 
 wxTTLSConfigWindow::wxTTLSConfigWindow(const eap::config_provider &prov, eap::config_method &cfg, LPCTSTR pszCredTarget, wxWindow* parent) :
-    m_prov(prov),
     m_cfg((eap::config_method_ttls&)cfg),
     m_cfg_pap(cfg.m_module),
-    wxScrolledWindow(parent, wxID_ANY, wxDefaultPosition, wxDefaultSize, wxVSCROLL)
+    wxEAPConfigWindow(prov, cfg, parent)
 {
     wxBoxSizer* sb_content;
     sb_content = new wxBoxSizer( wxVERTICAL );
@@ -112,7 +112,8 @@ wxTTLSConfigWindow::wxTTLSConfigWindow(const eap::config_provider &prov, eap::co
 
     m_inner_type = new wxChoicebook(this, wxID_ANY, wxDefaultPosition, wxDefaultSize, wxCHB_DEFAULT);
     m_inner_type->SetToolTip( _("Select inner authentication method from the list") );
-    m_inner_type->AddPage(new wxPAPConfigPanel(m_prov, m_cfg_pap, pszCredTarget, m_inner_type), _("PAP"));
+    wxPAPConfigPanel *panel_pap = new wxPAPConfigPanel(m_prov, m_cfg_pap, pszCredTarget, m_inner_type);
+    m_inner_type->AddPage(panel_pap, _("PAP"));
     sb_content->Add(m_inner_type, 0, wxALL|wxEXPAND, 5);
 
     sb_content->Add(20, 20, 1, wxALL|wxEXPAND, 5);
@@ -135,32 +136,17 @@ wxTTLSConfigWindow::wxTTLSConfigWindow(const eap::config_provider &prov, eap::co
         size.y  = 500;
     }
     this->SetMinSize(size);
-    this->SetScrollRate(5, 5);
 
     this->SetSizer(sb_content);
     this->Layout();
 
-    m_inner_type->SetFocusFromKbd();
+    // m_inner_type->SetFocusFromKbd(); // This control steals mouse-wheel scrolling for itself
-
+    panel_pap->SetFocusFromKbd();
-    // Connect Events
-    this->Connect(wxEVT_INIT_DIALOG, wxInitDialogEventHandler(wxTTLSConfigWindow::OnInitDialog));
-}
-
-
-wxTTLSConfigWindow::~wxTTLSConfigWindow()
-{
-    // Disconnect Events
-    this->Disconnect(wxEVT_INIT_DIALOG, wxInitDialogEventHandler(wxTTLSConfigWindow::OnInitDialog));
 }
 
 
 bool wxTTLSConfigWindow::TransferDataToWindow()
 {
-    if (m_prov.m_read_only) {
-        // This is provider-locked configuration. Disable controls.
-        m_inner_type->GetChoiceCtrl()->Enable(false);
-    }
-
     eap::config_method_pap *cfg_pap = dynamic_cast<eap::config_method_pap*>(m_cfg.m_inner.get());
     if (cfg_pap) {
         m_cfg_pap = *cfg_pap;
@@ -196,8 +182,7 @@ bool wxTTLSConfigWindow::TransferDataFromWindow()
 
 void wxTTLSConfigWindow::OnInitDialog(wxInitDialogEvent& event)
 {
-    // Call TransferDataToWindow() manually, as wxScrolledWindow somehow skips that.
+    wxEAPConfigWindow::OnInitDialog(event);
-    TransferDataToWindow();
 
     // Forward the event to child panels.
     m_outer_identity->GetEventHandler()->ProcessEvent(event);
@@ -207,6 +192,14 @@ void wxTTLSConfigWindow::OnInitDialog(wxInitDialogEvent& event)
 }
 
 
+void wxTTLSConfigWindow::OnUpdateUI(wxUpdateUIEvent& event)
+{
+    wxEAPConfigWindow::OnUpdateUI(event);
+
+    m_inner_type->GetChoiceCtrl()->Enable(!m_prov.m_read_only);
+}
+
+
 //////////////////////////////////////////////////////////////////////
 // wxTTLSCredentialsPanel
 //////////////////////////////////////////////////////////////////////
@@ -226,7 +219,7 @@ wxTTLSCredentialsPanel::wxTTLSCredentialsPanel(const eap::config_provider &prov,
 
     assert(m_cfg.m_inner);
 
-    if (m_cfg.m_inner->m_cred_failed)
+    if (m_cfg.m_inner->m_auth_failed)
         sb_content->Add(new wxEAPCredentialWarningPanel(m_prov, this), 0, wxALL|wxEXPAND, 5);
 
     const eap::config_method_pap *cfg_inner_pap = dynamic_cast<const eap::config_method_pap*>(m_cfg.m_inner.get());
@@ -245,7 +238,7 @@ wxTTLSCredentialsPanel::wxTTLSCredentialsPanel(const eap::config_provider &prov,
     m_outer_title->SetForegroundColour( wxSystemSettings::GetColour( wxSYS_COLOUR_INACTIVECAPTION ) );
     sb_content->Add(m_outer_title, 0, wxALL|wxALIGN_RIGHT, 5);
 
-    if (m_cfg.m_cred_failed)
+    if (m_cfg.m_auth_failed)
         sb_content->Add(new wxEAPCredentialWarningPanel(m_prov, this), 0, wxALL|wxEXPAND, 5);
 
     m_outer_cred = new wxTLSCredentialsPanel(m_prov, (const eap::config_method_tls&)m_cfg, (eap::credentials_tls&)cred, pszCredTarget, this, is_config);