But I don’t understand how I can use it.
For example, the “Remarks” section of the BCryptOpenAlgorithmProvider page mentions “How to use BCrypt API in the kernel”. However, I couldn’t find similar information about the SSL API (e.g., SslOpenProvider).
If I try to include the “sslprovider.h” file (from the CNG SDK) in my driver project, I can’t build the project,
because the header “sslprovider.h” includes "wincrypt.h", which is only used in user-mode…
I can’t remember that we installed a dedicated CNG dev kit; it should already be part of the Visual Studio setup.
Include bcrypt.h (C:\Program Files (x86)\Windows Kits\10\Include\10.0.26100.0\shared\bcrypt.h) in your source and cng.lib (C:\Program Files (x86)\Windows Kits\10\lib\10.0.26100.0\km\x64\cng.lib) for your linker.
CNG and SSPI are not the same. They aren’t even really related, and neither has anything directly to do with SSL (TLS).
SSPI is an interface for authentication. Usually Kerberos or NTLM, but it can use other authentication methods. The authentication payload may be carried by any protocol, including HTTPS.
CNG is a set of APIs for ‘next generation’ encryption protocols. It is a refactored version of the crypto API broken into two parts - a ‘long term’ part that deals with certificates and keys that get stored and reused over long periods of time, and an ephemeral part where the keys are generated but not stored and then used immediately.
TLS is a transport protocol for HTTP and similar requests that can use either, both or neither of these API sets.
You probably have a larger goal. More specific advice could likely be elicited by enunciating more about it.
But SSPI uses an SSL-provider (via SChannel) (e.g. article “Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn”)
And CNG includes SSL-provider (e.g. article “CNG SSL Provider Functions - Win32 apps | Microsoft Learn”).
The CNG SDK provides development tools (headers/libs) for “BCrypt/NCrypt/SSL providers.” (in user-mode and kernel-mode).
Using Ghidra, I saw that SSL functions are in cng.sys
I would like to develop an SSL-provider in kernel-mode.
But I don't understand how I can implement SSL functions, because "sslprovider.h" (from CNG SDK) includes "wincrypt.h" (which is only used in user-mode).
The SSPI documentation is some of the most confusing on all of MSDN. That’s partly because of the design of the API where BLOB input parameters must contain data in formats that are specific to the provider.
Callers are expected to have some means to communicate the BLOBs from client to server, and are supposed to choose a provider that is consistent with the way that they are able to provide the input, and the sequence in which they can make the calls.
That means could be SSL / TLS. Another proprietary network protocol. Maybe a serial port or a pipe. It could even be anything.
The basic call sequence is the same for every type of provider and every way of sending the data. The client and server loop and ping-pong blobs of data until InitializeSecurityContext and AcceptSecurityContext either report completion or an error.
One of the possible credential providers is SCHANNEL. That’s the only relationship this API has to SCHANNEL.
CNG is a suite of crypto functions for key management, data encryption / decryption, and data hashing. It is divided into the B functions and N functions for ephemeral and long term operations. It also contains a section with ‘SSL’ functions that group sequences of common actions together.
It is unclear what type of program you are trying to develop. A program that uses SSL / TLS like a browser or webserver? A credential provider that could be used by one of those programs? A cryptographic algorithm provider that could be used by either of those kinds? Something else?
I implemented CNG providers (BCrypt API and NCrypt API) in both user-mode and kernel-mode.
I implemented SSL functions in user-mode, and I implemented the SSPI API (I talk about InitSecurityInterface).
I have registered this in the OS. I can use it from WinAPI (I see how WinAPI calls my module).
My main goal now is to create a VPN service.
In my ideas I have to:
create a service in user-mode, that connects to the server and performs a handshake (TLS)
create a ndis-driver in kernel-mode, that encrypts/decrypts packets
I think I should implement the SSL functions in kernel mode.
This way the ndis-driver can call SSL to encrypt/decrypt packets.
Am I right?
Maybe I don't quite understand the architecture...
Can you recommend anything to me?
Okay, you are trying to create a new VPN provider.
Presumably, SSTP isn’t sufficient for your needs, and you want to create yet another TLS based VPN?
I’m not sure why you would want to do that, but assuming you do, this doesn’t have anything directly to do with either the CNG API or SSPI. Though you will probably want to consume both APIs. You don’t have to of course. You don’t need to rely on the system to supply encryption or authentication support from Microsoft or 3rd party supplied modules. But most system administrators would expect you to.
Th have only a cursory knowledge of this part of NDIS