From patchwork Sat Jan 28 22:34:19 2023
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 3020
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 28 Jan 2023 17:34:19 -0500
Message-Id: <20230128223421.2207802-3-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230128223421.2207802-1-selva.nair@gmail.com>
References: <20230128223421.2207802-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 2/4] cryptoapi.c: log the selected certificate's name

From: Selva Nair

With various ways of specifying the selector-string to the "--cryptoapicert" option, it's not immediately obvious which certificate gets selected from the store. Log it.

The "name" logged is a friendly name (if present), or a representative element of the subject (usually the common-name).
Signed-off-by: Selva Nair Acked-by: Gert Doering --- src/openvpn/cryptoapi.c | 29 +++++++++++++++++++++++++++++ src/openvpn/win32-util.c | 15 +++++++++++++++ src/openvpn/win32-util.h | 3 +++ 3 files changed, 47 insertions(+) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 39eeec1b..e3c0bc99 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -939,12 +939,31 @@ xkey_cng_sign(void *handle, unsigned char *sig, size_t *siglen, const unsigned c #endif /* HAVE_XKEY_PROVIDER */ +static char * +get_cert_name(const CERT_CONTEXT *cc, struct gc_arena *gc) +{ + DWORD len = CertGetNameStringW(cc, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL, NULL, 0); + char *name = NULL; + if (len) + { + wchar_t *wname = gc_malloc(len*sizeof(wchar_t), false, gc); + if (!wname + || CertGetNameStringW(cc, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL, wname, len) == 0) + { + return NULL; + } + name = utf16to8(wname, gc); + } + return name; +} + int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) { HCERTSTORE cs; X509 *cert = NULL; CAPI_DATA *cd = calloc(1, sizeof(*cd)); + struct gc_arena gc = gc_new(); if (cd == NULL) { @@ -979,6 +998,13 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) } } + /* try to log the "name" of the selected certificate */ + char *cert_name = get_cert_name(cd->cert_context, &gc); + if (cert_name) + { + msg(D_LOW, "cryptapicert: using certificate with name <%s>", cert_name); + } + /* cert_context->pbCertEncoded is the cert X509 DER encoded. */ cert = d2i_X509(NULL, (const unsigned char **) &cd->cert_context->pbCertEncoded, cd->cert_context->cbCertEncoded); 
@@ -1022,6 +1048,7 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) EVP_PKEY *privkey = xkey_load_generic_key(tls_libctx, cd, pkey, xkey_cng_sign, (XKEY_PRIVKEY_FREE_fn *) CAPI_DATA_free); SSL_CTX_use_PrivateKey(ssl_ctx, privkey); + gc_free(&gc); return 1; /* do not free cd -- its kept by xkey provider */ #else /* ifdef HAVE_XKEY_PROVIDER */ @@ -1047,12 +1074,14 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) goto err; } CAPI_DATA_free(cd); /* this will do a ref_count-- */ + gc_free(gc); return 1; #endif /* HAVE_XKEY_PROVIDER */ err: CAPI_DATA_free(cd); + gc_free(&gc); return 0; } #endif /* _WIN32 */ diff --git a/src/openvpn/win32-util.c b/src/openvpn/win32-util.c index 35f2a311..32f7a00b 100644 --- a/src/openvpn/win32-util.c +++ b/src/openvpn/win32-util.c @@ -48,6 +48,21 @@ wide_string(const char *utf8, struct gc_arena *gc) return ucs16; } +char * +utf16to8(const wchar_t *utf16, struct gc_arena *gc) +{ + char *utf8 = NULL; + int n = WideCharToMultiByte(CP_UTF8, 0, utf16, -1, NULL, 0, NULL, NULL); + if (n > 0) + { + utf8 = gc_malloc(n, true, gc); + if (utf8) + { + WideCharToMultiByte(CP_UTF8, 0, utf16, -1, utf8, n, NULL, NULL); + } + } + return utf8; +} /* * Return true if filename is safe to be used on Windows, diff --git a/src/openvpn/win32-util.h b/src/openvpn/win32-util.h index b24242c8..ac37979f 100644 --- a/src/openvpn/win32-util.h +++ b/src/openvpn/win32-util.h @@ -34,6 +34,9 @@ /* Convert a string from UTF-8 to UCS-2 */ WCHAR *wide_string(const char *utf8, struct gc_arena *gc); +/* Convert a string from UTF-16 to UTF-8 */ +char *utf16to8(const wchar_t *utf16, struct gc_arena *gc); + /* return true if filename is safe to be used on Windows */ bool win_safe_filename(const char *fn);
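Review bot: In the first cryptoapi.c hunk (@@ -939), the `if (len)` test in get_cert_name cannot detect the no-name case: CertGetNameStringW returns the required size including the terminating NUL, so a certificate with no usable friendly name or subject element yields 1 (an empty string), not 0, and the caller would then log `using certificate with name <>`. Returning NULL when `len <= 1` would make the `if (cert_name)` guard in the caller meaningful. The same hunk declares `struct gc_arena gc = gc_new();` ahead of the `if (cd == NULL)` early return that does not free it; gc_new() allocates nothing so this is not a leak, but moving the declaration below that check keeps every return path symmetric with the three `gc_free` calls added later.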
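Review bot: In the second cryptoapi.c hunk (@@ -979), the log prefix in `msg(D_LOW, "cryptapicert: using certificate with name <%s>", cert_name);` is spelled differently from the option it reports on (`--cryptoapicert`, as used in the commit message), so an operator grepping the log for the option name will miss it; suggest `"cryptoapicert: using certificate with name <%s>"`. Since the whole point of the patch is to let users confirm which store entry was picked, it would also help to state in the commit message the `--verb` level at which D_LOW output appears.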
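Review bot: In the cryptoapi.c hunk at @@ -1047, `gc_free(gc);` passes the arena by value: `gc` is declared as `struct gc_arena gc = gc_new();` and gc_free takes a pointer, as the other two added calls (`gc_free(&gc);`) do, so the non-HAVE_XKEY_PROVIDER build will fail to compile. Change it to `gc_free(&gc);`.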
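Review bot: In the win32-util.c hunk, the return value of the second `WideCharToMultiByte(CP_UTF8, 0, utf16, -1, utf8, n, NULL, NULL);` call is discarded; if that conversion fails, utf16to8 returns the zero-filled buffer from `gc_malloc(n, true, gc)`, i.e. an empty string rather than NULL, so callers such as get_cert_name cannot tell a failed conversion from an empty name. Check that the second call returns a non-zero count and return NULL otherwise; the size computation itself is fine, since the -1 source length makes `n` include the terminating NUL.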