From patchwork Mon Feb 10 07:35:41 2020
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 988
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Feb 2020 13:35:41 -0500
Message-Id: <1581359742-30511-1-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1522729843-28878-1-git-send-email-selva.nair@gmail.com>
References: <1522729843-28878-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 1/2 v3] Skip expired certificates in Windows certificate store

From: Selva Nair

Have the cryptoapicert option find the first matching certificate in
store that is valid at the present time. Currently the first found
item, even if expired, is returned. This makes it possible to update
certificates in store without having to delete old ones.

As a side effect, if only expired certificates are found, the
connection fails.

Also remove some unnecessary casts.

Tested on Windows 10.

Trac #966
Signed-off-by: Selva Nair --- v3: nudging again with a rebase to master src/openvpn/cryptoapi.c | 41 +++++++++++++++++++++++++++++------------ 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 2f2eee7..3b70c33 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -739,27 +739,30 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) * SUBJ: * THUMB:, e.g. * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28 + * The first matching certificate that has not expired is returned. */ const CERT_CONTEXT *rv = NULL; + DWORD find_type; + const void *find_param; + unsigned char hash[255]; + CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ - cert_prop += 5; - rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL); - + find_param = cert_prop + 5; + find_type = CERT_FIND_SUBJECT_STR_A; } else if (!strncmp(cert_prop, "THUMB:", 6)) { - unsigned char hash[255]; - char *p; + const char *p; int i, x = 0; - CRYPT_HASH_BLOB blob; + find_type = CERT_FIND_HASH; + find_param = &blob; /* skip the tag */ cert_prop += 6; - for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) + for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++) { if (*p >= '0' && *p <= '9') { @@ -775,7 +778,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } if (!*++p) /* unexpected end of string */ { - break; + msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop); + return NULL; } if (*p >= '0' && *p <= '9') { 
@@ -796,10 +800,23 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } } blob.cbData = i; - blob.pbData = (unsigned char *) &hash; + } + while(true) + { + int validity = 1; + /* this frees previous rv, if not NULL */ rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_HASH, &blob, NULL); - + 0, find_type, find_param, rv); + if (rv) + { + validity = CertVerifyTimeValidity(NULL, rv->pCertInfo); + } + if (!rv || validity == 0) + { + break; + } + msg(M_WARN, "WARNING: cryptoapicert: ignoring certificate in store %s.", + validity < 0 ? "not yet valid" : "that has expired"); } return rv;
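Review bot: in the first hunk `find_type` and `find_param` are declared without initializers and are assigned only inside the `SUBJ:` and `THUMB:` branches, yet the `while(true)` search loop that consumes them now sits after the if/else-if chain and runs for every `cert_prop`; a selector with neither prefix used to fall through with `rv == NULL`, whereas now the loop calls `CertFindCertificateInStore` with an uninitialized `find_type` and `find_param`. Suggest an `else` branch before the loop that logs the unsupported selector and returns NULL, e.g. `msg(M_WARN, "cryptoapicert: unsupported certificate specification");` followed by `return NULL;`, or at minimum initialize both variables so the failure mode is deterministic.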
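Review bot: in the second hunk the new `msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop);` passes `cert_prop` as a format argument, but the format string as it appears here has no `%s` conversion for it; if the string was `"... error parsing <%s>."` and the angle brackets were lost in rendering this is fine, otherwise the argument is silently unused and the log line never names the offending selector, so please double-check before merge. Replacing `break` with `return NULL` on a truncated hex string is the right call: with `break` the code went on to set `blob.cbData = i` and search the store with a partial thumbprint.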
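Review bot: in the third hunk the skip warning `"WARNING: cryptoapicert: ignoring certificate in store %s."` says only whether the match was expired or not yet valid, not which certificate was skipped; when several store entries match the same `SUBJ:` string the operator cannot tell from the log which ones were passed over, so consider including the selector or the certificate's validity dates in the message. The loop itself looks correct: passing the previous `rv` as `pPrevCertContext` frees it, so nothing leaks whether the search continues or ends with NULL, and `CertVerifyTimeValidity` returning 0 is exactly the valid-now case the commit message describes. Minor style point: `while(true)` should be `while (true)` to match the spacing used on the surrounding lines (`if (rv)`, `for (p = cert_prop, ...`).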