[Openvpn-devel,v4,2/2] Allow unicode search string in --cryptoapicert option

Message ID 1581519967-16950-2-git-send-email-selva.nair@gmail.com
State New
Series
  • [Openvpn-devel,v4,1/2] Skip expired certificates in Windows certificate store

Commit Message

Selva Nair Feb. 12, 2020, 3:06 p.m.
From: Selva Nair <selva.nair@gmail.com>

Currently when the certificate is specified as "SUBJ:foo", the
string foo is assumed to be ascii. Change that and interpret
it as utf-8, convert to a wide string, and flag it as unicode
in CertFindCertificateInStore().

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
v4: matched to v4 of 1/2 

 src/openvpn/cryptoapi.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

Comments

Lev Stipakov Feb. 13, 2020, 6:44 p.m. | #1
Built and tested on Windows 10 - a cert with non-ASCII chars (äää) got
picked.

Acked-by: Lev Stipakov <lstipakov@gmail.com>
Gert Doering Feb. 13, 2020, 7:54 p.m. | #2
Your patch has been applied to the master branch.

Same as for the other patch, no review, just MinGW test build (passes).

commit aa6affe6df811db11577847366a569def0a3e314
Author: Selva Nair
Date:   Wed Feb 12 10:06:07 2020 -0500

     Allow unicode search string in --cryptoapicert option

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Lev Stipakov <lstipakov@gmail.com>
     Message-Id: <1581519967-16950-2-git-send-email-selva.nair@gmail.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19405.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index b9f1328..1bf74fc 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -51,6 +51,7 @@ 
 
 #include "buffer.h"
 #include "openssl_compat.h"
+#include "win32.h"
 
 /* MinGW w32api 3.17 is still incomplete when it comes to CryptoAPI while
  * MinGW32-w64 defines all macros used. This is a hack around that problem.
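Review bot: the new `#include "win32.h"` is what brings in `wide_string()` and `struct gc_arena` used further down; a one-line comment next to the include saying so would save the next reader a grep, since nothing else in this file's include block hints at the dependency.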
@@ -746,12 +747,13 @@  find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
     const void *find_param;
     unsigned char hash[255];
     CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash};
+    struct gc_arena gc = gc_new();
 
     if (!strncmp(cert_prop, "SUBJ:", 5))
     {
         /* skip the tag */
-        find_param = cert_prop + 5;
-        find_type = CERT_FIND_SUBJECT_STR_A;
+        find_param = wide_string(cert_prop + 5, &gc);
+        find_type = CERT_FIND_SUBJECT_STR_W;
     }
     else if (!strncmp(cert_prop, "THUMB:", 6))
     {
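Review bot: the SUBJ: branch now passes `cert_prop + 5` through `wide_string()` and switches to `CERT_FIND_SUBJECT_STR_W`, which silently changes the accepted encoding of the `--cryptoapicert SUBJ:` argument from ASCII to UTF-8; that should be stated in the option's documentation (man page / Changes.rst), not only in the commit message. Also worth confirming what `wide_string()` does on a conversion failure (not visible in this hunk): if it can return NULL, `find_param` would be NULL for a `_W` search and the failure should be reported before the store lookup rather than relying on the API to reject it.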
@@ -779,7 +781,7 @@  find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
             if (!*++p)  /* unexpected end of string */
             {
                 msg(M_WARN, "WARNING: cryptoapicert: error parsing <THUMB:%s>.", cert_prop);
-                return NULL;
+                goto out;
             }
             if (*p >= '0' && *p <= '9')
             {
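Review bot: replacing `return NULL` with `goto out` means this error path now returns `rv` from the `out:` label, so `rv` must be initialised to NULL at its declaration (outside the visible context); if it is only assigned inside the search loop, the parse-error path would return an indeterminate pointer. Please double-check the declaration, and consider `rv = NULL;` right before the `goto` if it is not already initialised.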
@@ -803,7 +805,7 @@  find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
     }
     else {
         msg(M_WARN, "WARNING: cryptoapicert: unsupported certificate specification <%s>", cert_prop);
-        return NULL;
+        goto out;
     }
 
     while(true)
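Review bot: same `rv` initialisation concern as in the previous hunk applies to this `goto out` for the unsupported-specification case. Unrelated to the change itself, the surrounding `else {` and `while(true)` context lines do not follow the project's brace-on-its-own-line and `while (` spacing style; since the function is being touched anyway, a follow-up reformat would be welcome, but it should not be folded into this patch.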
@@ -824,6 +826,8 @@  find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
             validity < 0 ? "not yet valid" : "that has expired");
     }
 
+out:
+    gc_free(&gc);
     return rv;
 }
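Review bot: placing `gc_free(&gc)` under the `out:` label after the search loop is correct, because the wide string allocated from `gc` must stay alive across every `CertFindCertificateInStore()` call in the loop. The hunks convert the two early returns shown, but any other `return` inside the loop body (not visible in this diff) would now leak the arena; a quick grep of the full function for remaining `return` statements would close that gap.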