From patchwork Sun Mar 11 14:17:58 2018
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 269
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 11 Mar 2018 21:17:58 -0400
Message-Id: <1520817479-17203-1-git-send-email-selva.nair@gmail.com>
X-Mailer: git-send-email 2.1.4
Subject: [Openvpn-devel] [PATCH 1/2] Skip expired certificates in Windows certificate store

From: Selva Nair

Have the cryptoapicert option find the first matching certificate in
store that is valid at the present time. Currently the first found
item, even if expired, is returned.

This makes it possible to update certificates in store without having
to delete old ones. As a side effect, if only expired certificates are
found, the connection fails.

Also remove some unnecessary casts.

Tested on Windows 10.

Trac #966

Signed-off-by: Selva Nair
---
 src/openvpn/cryptoapi.c | 41 ++++++++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 11 deletions(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 11b971f..a579854 100644
--- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -601,27 +601,31 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) * SUBJ: * THUMB:, e.g. * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28 + * The first matching certificate that has not expired is returned. */ const CERT_CONTEXT *rv = NULL; + DWORD find_type; + const void *find_param; + unsigned char hash[255]; + CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ - cert_prop += 5; - rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL); - + find_param = cert_prop + 5; + find_type = CERT_FIND_SUBJECT_STR_A; } else if (!strncmp(cert_prop, "THUMB:", 6)) { - unsigned char hash[255]; - char *p; + const char *p; int i, x = 0; - CRYPT_HASH_BLOB blob; + find_type = CERT_FIND_HASH; + find_param = &blob; /* skip the tag */ cert_prop += 6; - for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) { + for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++) + { if (*p >= '0' && *p <= '9') { x = (*p - '0') << 4; @@ -636,6 +640,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } if (!*++p) /* unexpected end of string */ { + msg(M_WARN, "WARNING: cryptoapicert: error parsing <%s>.", cert_prop); + return NULL; break; } if (*p >= '0' && *p <= '9') 
@@ -657,10 +663,23 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } } blob.cbData = i; - blob.pbData = (unsigned char *) &hash; + } + while(true) + { + int validity = 1; + /* this frees previous rv, if not NULL */ rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_HASH, &blob, NULL); - + 0, find_type, find_param, rv); + if (rv) + { + validity = CertVerifyTimeValidity(NULL, rv->pCertInfo); + } + if (!rv || validity == 0) + { + break; + } + msg(M_WARN, "WARNING: cryptoapicert: ignoring certificate in store %s.", + validity < 0 ? "not yet valid" : "that has expired"); } return rv;
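Review bot: in the first hunk (@@ -601,27 +601,31 @@), find_type and find_param are declared without initialisers and are only assigned inside the "SUBJ:" and "THUMB:" branches, while the new search loop in the last hunk follows the closing `+ }` of the else-if unconditionally, so a cert_prop that starts with neither tag now reaches CertFindCertificateInStore with both values indeterminate (the old code simply returned NULL there). Add an else branch that reports the problem and returns NULL, for example `msg(M_WARN, "WARNING: cryptoapicert: unsupported certificate specification <%s>.", cert_prop); return NULL;`, or at minimum initialise find_param to NULL. The added comment "The first matching certificate that has not expired is returned" also undersells the loop, which skips not-yet-valid certificates too; "that is valid at the present time" would match the code.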
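Review bot: in the @@ -636,6 +640,8 @@ hunk the `break;` left after the new `return NULL;` is unreachable and should be removed. Two smaller points: cert_prop has already been advanced past the "THUMB:" tag when this warning fires, so the message prints the thumbprint without its prefix; and this is a behaviour change, since a truncated thumbprint used to be searched with however many bytes had been parsed and now fails outright, which is the safer choice but deserves a sentence in the commit message.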
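Review bot: in the @@ -657,10 +663,23 @@ hunk, `while(true)` should be `while (true)` to match the spacing used on the surrounding lines (`if (rv)`, `for (p = cert_prop, i = 0; ...`). The loop itself reads correctly: handing the previous rv back as the last argument lets CertFindCertificateInStore release it and continue from that position, and CertVerifyTimeValidity is 0 only inside the validity period, negative before NotBefore and positive after NotAfter, so `validity == 0` as the exit condition and the `validity < 0 ? "not yet valid" : "that has expired"` ternary are consistent. Consider naming the skipped certificate in the warning (subject or thumbprint): for a THUMB: search the single match is the one being skipped, so the lookup then fails with only this generic message to explain why.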