WPA Supplicant and SChannel with EAP-TLS

Newpol, Rich rnewpol
Wed May 26 07:23:17 PDT 2010


All,

I am trying to get the tls_schannel.c module to work with a DeviceScape
supplicant build. The network requires a client certificate, which I
have in PFX form. The first thing I noticed about the code is that there
doesn't seem to be any support for client certificates (I found the
header comment "TODO: add support for EAP-TLS (client cert/key conf" as
well!)

Anyway, I added some code to use PFXImportCertStore to get the
certificate credential handle, but when I try to use the credential with
InitializeSecurityContext, I actually get an ARM processor exception
(Misaligned Datatype). Other CryptoAPI calls I make on this credential
handle seem to work OK.

Now the exception might be a side effect of something else I am doing
wrong, but my real question is, does anybody on here have any experience
with CryptoAPI and using client certificates on WinCE that might be able
to help?

Here is a code fragment of the steps I am taking (var types and error
handling omitted for clarity):

    // first open the PFX file
    hPemFile = CreateFile(pfxFilename, ...);
    pfxBufLength = GetFileSize(hPemFile, NULL);

    // allocate a buffer to hold the file content
    pfxBuf = (unsigned char *)malloc(pfxBufLength);

    // read the content to the buffer
    ReadFile(hPemFile, pfxBuf, pfxBufLength, &bytesRead, NULL);

    // now proceed to import PFX content
    certBlob.pbData = pfxBuf;
    certBlob.cbData = pfxBufLength;

    // Create temporary store
    hCertStore1 = PFXImportCertStore(&certBlob, passwordW, CRYPT_EXPORTABLE);

    // Get the certificate context. The enumeration must start from NULL:
    // CertEnumCertificatesInStore frees the previous context it is handed,
    // so an uninitialised pointer here corrupts memory.
    pCertContext = NULL;
    pCertContext = CertEnumCertificatesInStore(hCertStore1, pCertContext);

    // try to use this certificate
    memset(&conn->schannel_cred, 0, sizeof(conn->schannel_cred));
    conn->schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
    conn->schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1;
    algs[0] = CALG_RSA_KEYX;
    conn->schannel_cred.cSupportedAlgs = 1;
    conn->schannel_cred.palgSupportedAlgs = algs;
    conn->schannel_cred.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS;
    conn->schannel_cred.cCreds = 1;
    conn->schannel_cred.paCred = &pCertContext;

    status = global->sspi->AcquireCredentialsHandle(
                 NULL, UNISP_NAME, SECPKG_CRED_OUTBOUND, NULL,
                 &conn->schannel_cred, NULL, NULL, &conn->creds, &ts_expiry);

    sspi_flags = ISC_REQ_REPLAY_DETECT |
                 ISC_REQ_CONFIDENTIALITY |
                 ISC_RET_EXTENDED_ERROR |
                 ISC_REQ_ALLOCATE_MEMORY |
                 ISC_REQ_MANUAL_CRED_VALIDATION;

    outbufs[0].pvBuffer = NULL;
    outbufs[0].BufferType = SECBUFFER_TOKEN;
    outbufs[0].cbBuffer = 0;

    outbuf.cBuffers = 1;
    outbuf.pBuffers = outbufs;
    outbuf.ulVersion = SECBUFFER_VERSION;

    /**** THIS CALL GOES BOOM ****/
    status = global->sspi->InitializeSecurityContext(
                 &conn->creds, NULL, NULL, sspi_flags, 0,
                 SECURITY_NATIVE_DREP, NULL, 0, &conn->context,
                 &outbuf, &sspi_flags_out, &ts_expiry);

Thanks in advance,

Rich
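The credential the post is wiring into SCHANNEL_CRED.paCred exists so that the authenticator can demand and verify a client certificate during the TLS handshake that EAP-TLS carries inside EAP frames. The following is an added example, not code from the post, from hostap or from tls_schannel.c; it is written in Go as a portable stand-in because the Win32 CryptoAPI and SSPI calls above cannot be exercised outside Windows. It builds a constructed test PKI (the CA, "radius.example" and "supplicantNN.example" names are made up), then runs three mutual-TLS 1.2 handshakes over loopback: a supplicant presenting a CA-issued certificate with the clientAuth extended key usage, a supplicant with no client credential configured at all (the state of a build with no client-certificate support), and a supplicant presenting a CA-issued certificate that only carries serverAuth. TLS 1.2 is used rather than the TLS 1.0 the post enables via SP_PROT_TLS1, since current Go will not negotiate TLS 1.0.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a certificate for dnsName signed by parent (self-signed when parent is nil).
// Every name and key in this file belongs to a constructed test PKI, not to a real network.
func issue(dnsName string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, // nil EKU on the CA permits any usage
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// handshake runs one mutual-TLS 1.2 handshake over loopback, the exchange an EAP-TLS
// authenticator (server) and supplicant (client) carry inside EAP frames. A nil client
// credential models a supplicant with no client certificate wired in at all.
func handshake(ca *x509.Certificate, server tls.Certificate, client *tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, // demand a client cert; verify its chain and clientAuth EKU
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "radius.example", MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	if client != nil {
		cliCfg.Certificates = []tls.Certificate{*client} // the supplicant's credential (paCred on Windows)
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		srvErr <- tls.Server(conn, srvCfg).Handshake()
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	cliErr := tls.Client(conn, cliCfg).Handshake()
	if err := <-srvErr; err != nil {
		return fmt.Errorf("authenticator rejected supplicant: %w", err)
	}
	return cliErr
}

// Outcome holds the handshake result for three supplicant configurations.
type Outcome struct {
	GoodCert error // CA-issued cert with the clientAuth EKU: expected nil
	NoCert   error // no client credential configured: expected non-nil
	WrongEKU error // CA-issued cert carrying only the serverAuth EKU: expected non-nil
}

// Run builds the constructed PKI and exercises the three configurations.
func Run() (o Outcome, err error) {
	ca, caKey, err := issue("eap-test-ca.example", true, nil, nil, nil)
	if err != nil {
		return o, err
	}
	leaf := func(name string, eku x509.ExtKeyUsage) (cred tls.Certificate) {
		c, k, e := issue(name, false, []x509.ExtKeyUsage{eku}, ca, caKey)
		if e != nil {
			err = e
			return cred
		}
		return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k, Leaf: c}
	}
	server := leaf("radius.example", x509.ExtKeyUsageServerAuth)
	good := leaf("supplicant01.example", x509.ExtKeyUsageClientAuth)
	bad := leaf("supplicant02.example", x509.ExtKeyUsageServerAuth)
	if err != nil {
		return o, err
	}
	o.GoodCert = handshake(ca, server, &good)
	o.NoCert = handshake(ca, server, nil)
	o.WrongEKU = handshake(ca, server, &bad)
	return o, nil
}

func main() {
	o, err := Run()
	fmt.Println("good cert:", o.GoodCert, "| no cert:", o.NoCert, "| wrong EKU:", o.WrongEKU, "| setup:", err)
}
```

Only the first handshake completes; the other two are refused by the authenticator with a bad_certificate alert, which is the same outcome a RADIUS server gives a supplicant whose credential is missing or was issued for the wrong purpose. That is the reason the client-certificate plumbing the post is adding has to end up in paCred: with SCH_CRED_NO_DEFAULT_CREDS set and no credential supplied, SChannel would be in the second case.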
