From patchwork Mon Apr 2 18:30:42 2018
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 287
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 3 Apr 2018 00:30:42 -0400
Message-Id: <1522729843-28878-1-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1520817479-17203-1-git-send-email-selva.nair@gmail.com>
References: <1520817479-17203-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v2 1/2] Skip expired certificates in Windows certificate store

From: Selva Nair

Have the cryptoapicert option find the first matching certificate in store
that is valid at the present time. Currently the first found item, even if
expired, is returned. This makes it possible to update certificates in
store without having to delete old ones. As a side effect, if only expired
certificates are found, the connection fails.

Also remove some unnecessary casts.

Tested on Windows 10.

Trac #966
Signed-off-by: Selva Nair --- v2: remove the break after return src/openvpn/cryptoapi.c | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 11b971f..ec7569a 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -601,27 +601,31 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) * SUBJ: * THUMB:, e.g. * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28 + * The first matching certificate that has not expired is returned. */ const CERT_CONTEXT *rv = NULL; + DWORD find_type; + const void *find_param; + unsigned char hash[255]; + CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ - cert_prop += 5; - rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL); - + find_param = cert_prop + 5; + find_type = CERT_FIND_SUBJECT_STR_A; } else if (!strncmp(cert_prop, "THUMB:", 6)) { - unsigned char hash[255]; - char *p; + const char *p; int i, x = 0; - CRYPT_HASH_BLOB blob; + find_type = CERT_FIND_HASH; + find_param = &blob; /* skip the tag */ cert_prop += 6; - for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) { + for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++) + { if (*p >= '0' && *p <= '9') { x = (*p - '0') << 4; @@ -636,7 +640,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } if (!*++p) /* unexpected end of string */ { - break; + msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop); + return NULL; } if (*p >= '0' && *p <= '9') { 
@@ -657,10 +662,23 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } } blob.cbData = i; - blob.pbData = (unsigned char *) &hash; + } + while(true) + { + int validity = 1; + /* this frees previous rv, if not NULL */ rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_HASH, &blob, NULL); - + 0, find_type, find_param, rv); + if (rv) + { + validity = CertVerifyTimeValidity(NULL, rv->pCertInfo); + } + if (!rv || validity == 0) + { + break; + } + msg(M_WARN, "WARNING: cryptoapicert: ignoring certificate in store %s.", + validity < 0 ? "not yet valid" : "that has expired"); } return rv;
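Review bot: in the first hunk (@@ -601,27 +601,31 @@) `find_type` and `find_param` are declared without initializers and are only assigned inside the `SUBJ:` and `THUMB:` branches, but the search loop added in the third hunk runs unconditionally after the if/else-if, so a cert_prop that matches neither tag now reaches `CertFindCertificateInStore` with both variables uninitialized. Before the patch that case simply returned the `rv = NULL` initializer. Add an else branch that warns and returns NULL, e.g. `else { msg(M_WARN, "WARNING: cryptoapicert: unsupported certificate specification"); return NULL; }`, or give the two variables a safe default.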
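Review bot: in the second hunk (@@ -636,7 +640,8 @@) the new `msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop);` passes `cert_prop` as a format argument, but the format string as it appears here has no conversion specifier for it; it needs a `%s` (`"error parsing <%s>."`) or the argument should be dropped. Note also that `cert_prop` was advanced past the `THUMB:` tag a few lines earlier (`cert_prop += 6;`), so the warning will print only the hash portion of the option value; keep a pointer to the original string if the full option is wanted in the message. Turning the silent `break` into a warning plus NULL return is the right change, since a truncated thumbprint would otherwise have been searched for as a shorter hash.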
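Review bot: in the third hunk (@@ -657,10 +662,23 @@) the loop passes the previous `rv` back as the last argument of `CertFindCertificateInStore`, which continues the search and, as the added comment says, frees that context, so skipped certificates do not leak and no explicit `CertFreeCertificateContext` call is needed; that is worth a sentence in the commit message so a later reader does not add one and cause a double free. Two smaller points: `CertVerifyTimeValidity(NULL, rv->pCertInfo)` checks only the validity period against the current system time, so the first time-valid match is returned whether or not it is otherwise usable, which is what the commit message promises but should be kept in mind when reading the "ignoring certificate in store" warnings; and `while(true)` should be written `while (true)` for consistency with the `if (rv)` and `if (!rv || validity == 0)` lines in the same hunk.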