From patchwork Wed Feb 12 04:06:06 2020
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 990
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 Feb 2020 10:06:06 -0500
Message-Id: <1581519967-16950-1-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1581359742-30511-1-git-send-email-selva.nair@gmail.com>
References: <1581359742-30511-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v4 1/2] Skip expired certificates in Windows certificate store
From: Selva Nair

Have the cryptoapicert option find the first matching certificate in store
that is valid at the present time. Currently the first found item, even if
expired, is returned. This makes it possible to update certificates in store
without having to delete old ones. As a side effect, if only expired
certificates are found, the connection fails.

Also remove some unnecessary casts.

Tested on Windows 10.

Trac #966

v4: Handle the case when an unknown certificate specification is passed to
find_certificate_in_store().

Note: Warnings printed from find_certificate_in_store() could show up
multiple times as it's called for each certificate store. This could be
improved in a future patch.

Signed-off-by: Selva Nair
Acked-by: Lev Stipakov
---
 src/openvpn/cryptoapi.c | 46 ++++++++++++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 2f2eee7..b9f1328 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -739,27 +739,30 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) * SUBJ: * THUMB:, e.g. * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28 + * The first matching certificate that has not expired is returned. */ const CERT_CONTEXT *rv = NULL; + DWORD find_type; + const void *find_param; + unsigned char hash[255]; + CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ - cert_prop += 5; - rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL); - + find_param = cert_prop + 5; + find_type = CERT_FIND_SUBJECT_STR_A; } else if (!strncmp(cert_prop, "THUMB:", 6)) { - unsigned char hash[255]; - char *p; + const char *p; int i, x = 0; - CRYPT_HASH_BLOB blob; + find_type = CERT_FIND_HASH; + find_param = &blob; /* skip the tag */ cert_prop += 6; - for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) + for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++) { if (*p >= '0' && *p <= '9') { @@ -775,7 +778,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } if (!*++p) /* unexpected end of string */ { - break; + msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop); + return NULL; } if (*p >= '0' && *p <= '9') { 
@@ -796,10 +800,28 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } } blob.cbData = i; - blob.pbData = (unsigned char *) &hash; - rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_HASH, &blob, NULL); + } + else { + msg(M_WARN, "WARNING: cryptoapicert: unsupported certificate specification <%s>", cert_prop); + return NULL; + } + while(true) + { + int validity = 1; + /* this frees previous rv, if not NULL */ + rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, + 0, find_type, find_param, rv); + if (rv) + { + validity = CertVerifyTimeValidity(NULL, rv->pCertInfo); + } + if (!rv || validity == 0) + { + break; + } + msg(M_WARN, "WARNING: cryptoapicert: ignoring certificate in store %s.", + validity < 0 ? "not yet valid" : "that has expired"); } return rv;
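Review bot: in the first hunk (@@ -739), `find_type` and `find_param` are declared without initializers and only assigned inside the `SUBJ:` and `THUMB:` branches; this is correct because the new `else` branch returns before the search loop, but compilers cannot always see that and will warn about possibly uninitialized use at the `CertFindCertificateInStore` call. Suggest `DWORD find_type = 0;` and `const void *find_param = NULL;` so the invariant is explicit and the warning goes away. Hoisting `hash` and `blob` to function scope and binding `blob.pbData = hash` at initialization is fine, since `blob` is only used when `find_type == CERT_FIND_HASH`.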
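Review bot: in the second hunk (@@ -775), the new warning `msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop);` passes `cert_prop` as an argument but the format string as shown contains no `%s` conversion for it (the third hunk's `<%s>` form is what was presumably intended, and may have been lost in rendering); please confirm the format matches the argument, since a mismatched `msg()` format is a printf-style bug. Also note that `cert_prop` was already advanced past the `THUMB:` tag (`cert_prop += 6;`) before this point, so the message prints only the hex remainder of the specification, not what the user configured; keeping a copy of the original pointer for the message would make the warning easier to act on.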
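Review bot: in the third hunk (@@ -796), `else {` puts the brace on the same line, unlike the `if`/`else if` branches above it which open the brace on its own line, and `while(true)` is missing the space after the keyword; both should follow the surrounding style. The loop logic itself is sound: passing the previous `rv` as the last argument of `CertFindCertificateInStore` makes it release that context, so skipped (expired or not-yet-valid) contexts do not leak, and `CertVerifyTimeValidity(NULL, ...)` with `validity < 0` mapped to "not yet valid" matches the sign convention of that API. One readability suggestion: test `if (!rv) break;` immediately after the search and drop the `validity = 1` sentinel, so the `validity == 0` check only runs when a certificate was actually found.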