Wpa supplicant as a class. Certificate problems.
Douglas Diniz
dgdiniz
Wed Jun 25 12:45:08 PDT 2008
Hi.
I was using wpa supplicant normally in my work, authenticating with
TTLS/Mschapv2.
I changed the wpa supplicant code to work as a class, creating a function
interface where I send an EAP packet as a parameter and the class returns
another EAP packet as the response.
To do this I used the GIT code:
http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=tree , changing some parts of
the code based on my needs.
All is working fine, but something is very strange about the certificates.
In eap_example_peer.c the certificates are loaded as follows:
eap_ctx.eap_config.identity = (u8 *) os_strdup("user");
eap_ctx.eap_config.identity_len = 4;
eap_ctx.eap_config.password = (u8 *) os_strdup("password");
eap_ctx.eap_config.password_len = 8;
eap_ctx.eap_config.ca_cert = (u8 *) os_strdup("ca.pem");
In eap_example_server.c they are loaded as:
tparams.ca_cert = "ca.pem";
tparams.client_cert = "server.pem";
tparams.private_key = "server.key";
tparams.private_key_passwd = "whatever";
This works somehow. Then I changed the code to point to my certs:
peer:
eap_ctx.eap_config.identity = (u8 *) os_strdup("user");
eap_ctx.eap_config.identity_len = 4;
eap_ctx.eap_config.password = (u8 *) os_strdup("password");
eap_ctx.eap_config.password_len = 8;
eap_ctx.eap_config.ca_cert = (u8 *)
os_strdup("/home/douglas/DougTesteWPA/certificates/cacert.pem");
server:
tparams.ca_cert = "/home/douglas/DougTesteWPA/certificates/cacert.pem";
tparams.client_cert =
"/home/douglas/DougTesteWPA/certificates/server_keycert.pem";
tparams.private_key =
"/home/douglas/DougTesteWPA/certificates/server_keycert.pem";
tparams.private_key_passwd = "doug";
This also works, but the strange thing is:
1-) I can change private_key_passwd to any password and the authentication
still works!!! This password must be the same as the one used to create the cacert,
right?
2-) I can change the server cacert to any other cacert and the
authentication still works!!! In TLS/TTLS all CAs must be the same, right?
If I change the server cert/key or the client CA, the authentication fails. It
seems that I only need the client cacert and the server cert/key
(derived from the client cacert) for authentication to work. Then it seems
that the server cacert and private_key_passwd are not necessary.
The strange thing is that authentication works. Phase 2 is working normally.
If I change the mschapv2 user/password on the server or client, authentication
fails. So all is OK.
Does someone know what is happening?
Thanks....
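An added check, not part of Douglas's message or of the hostap code: the PEM inspector below (the sample PEM bodies are constructed, and the script name is hypothetical) reports what a combined file like server_keycert.pem contains and whether its key block is actually encrypted. OpenSSL's PEM decoder only asks for a passphrase when the key is encrypted, so an unencrypted key is the first thing to rule out when private_key_passwd appears to be ignored.

```python
import re
import sys

# One PEM block: "-----BEGIN <label>-----", body, "-----END <label>-----".
_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def inspect_pem(pem_text):
    """Report which blocks a PEM file holds and whether its private key is
    encrypted. An unencrypted key never triggers the passphrase callback,
    so a configured passphrase is simply never consulted for it."""
    blocks = []
    key_encrypted = None  # None = no private key block seen
    for match in _BLOCK_RE.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        blocks.append(label)
        if label in KEY_LABELS:
            # PKCS#8 encrypted keys use their own label; legacy OpenSSL keys
            # carry a "Proc-Type: 4,ENCRYPTED" header line before the base64.
            key_encrypted = (label == "ENCRYPTED PRIVATE KEY"
                             or "Proc-Type: 4,ENCRYPTED" in body)
    return {"blocks": blocks,
            "certificates": blocks.count("CERTIFICATE"),
            "has_private_key": key_encrypted is not None,
            "key_encrypted": bool(key_encrypted)}


# Constructed samples (not real key material), laid out like a combined
# key+certificate file: one unencrypted, one encrypted with a legacy header.
SAMPLE_UNENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAconstructed
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIconstructed
-----END CERTIFICATE-----
"""
SAMPLE_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Y29uc3RydWN0ZWQgY2lwaGVydGV4dA==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Usage: python pem_inspect.py /path/to/server_keycert.pem
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UNENCRYPTED
    info = inspect_pem(text)
    print(info)
    if info["has_private_key"] and not info["key_encrypted"]:
        print("private key is unencrypted: private_key_passwd is never used")
```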