From patchwork Sun Mar 11 14:17:58 2018
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 269
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 11 Mar 2018 21:17:58 -0400
Message-Id: <1520817479-17203-1-git-send-email-selva.nair@gmail.com>
X-Mailer: git-send-email 2.1.4
Subject: [Openvpn-devel] [PATCH 1/2] Skip expired certificates in Windows certificate store

From: Selva Nair

Have the cryptoapicert option find the first matching certificate in store that is valid at the present time. Currently the first found item, even if expired, is returned. This makes it possible to update certificates in store without having to delete old ones. As a side effect, if only expired certificates are found, the connection fails.

Also remove some unnecessary casts.

Tested on Windows 10.

Trac #966

Signed-off-by: Selva Nair
---
 src/openvpn/cryptoapi.c | 41 ++++++++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 11 deletions(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 11b971f..a579854 100644
--- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -601,27 +601,31 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) * SUBJ: * THUMB:, e.g. * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28 + * The first matching certificate that has not expired is returned. */ const CERT_CONTEXT *rv = NULL; + DWORD find_type; + const void *find_param; + unsigned char hash[255]; + CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ - cert_prop += 5; - rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL); - + find_param = cert_prop + 5; + find_type = CERT_FIND_SUBJECT_STR_A; } else if (!strncmp(cert_prop, "THUMB:", 6)) { - unsigned char hash[255]; - char *p; + const char *p; int i, x = 0; - CRYPT_HASH_BLOB blob; + find_type = CERT_FIND_HASH; + find_param = &blob; /* skip the tag */ cert_prop += 6; - for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) { + for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++) + { if (*p >= '0' && *p <= '9') { x = (*p - '0') << 4; @@ -636,6 +640,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } if (!*++p) /* unexpected end of string */ { + msg(M_WARN, "WARNING: cryptoapicert: error parsing <%s>.", cert_prop); + return NULL; break; } if (*p >= '0' && *p <= '9') 
@@ -657,10 +663,23 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } } blob.cbData = i; - blob.pbData = (unsigned char *) &hash; + } + while(true) + { + int validity = 1; + /* this frees previous rv, if not NULL */ rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_HASH, &blob, NULL); - + 0, find_type, find_param, rv); + if (rv) + { + validity = CertVerifyTimeValidity(NULL, rv->pCertInfo); + } + if (!rv || validity == 0) + { + break; + } + msg(M_WARN, "WARNING: cryptoapicert: ignoring certificate in store %s.", + validity < 0 ? "not yet valid" : "that has expired"); } return rv;
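Review bot: in the first hunk (@@ -601,27 +601,31 @@) `find_type` and `find_param` are declared without initialisers and are only assigned inside the `SUBJ:` and `THUMB:` branches, yet the `while(true)` search loop added at the end of the function now runs unconditionally, so a `cert_prop` that starts with neither tag reaches `CertFindCertificateInStore()` with both variables uninitialised (before this patch such input simply fell through to `return rv;` with `rv == NULL`). Add a final `else` that warns and returns NULL before the loop, for example `msg(M_WARN, "WARNING: cryptoapicert: unsupported certificate specification <%s>.", cert_prop); return NULL;`.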
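Review bot: in the second hunk (@@ -636,6 +640,8 @@) the `break;` left after the new `return NULL;` in the "unexpected end of string" branch is unreachable and should be dropped. Also note that `cert_prop` has already been advanced past the `THUMB:` tag (`cert_prop += 6;` in the first hunk), so the warning prints the thumbprint without its tag; harmless, but worth knowing when reading the log.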
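Review bot: in the third hunk (@@ -657,10 +663,23 @@), style: `while(true)` should be `while (true)` to match the spacing used in the same hunk (`if (rv)`, `if (!rv || validity == 0)`). The loop logic itself reads correctly: passing the previous `rv` as the last argument releases it, `validity == 0` is the "currently valid" case that ends the loop, and negative versus positive `validity` selects the "not yet valid" or "that has expired" wording, so the function returns either the first time-valid match or NULL once the store is exhausted, as the commit message describes.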
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 11 Mar 2018 21:17:59 -0400
Message-Id: <1520817479-17203-2-git-send-email-selva.nair@gmail.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1520817479-17203-1-git-send-email-selva.nair@gmail.com>
References: <1520817479-17203-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 2/2] Allow unicode search string in --cryptoapicert option

From: Selva Nair

Currently when the certificate is specified as "SUBJ:foo", the string foo is assumed to be ASCII. Change that and interpret it as UTF-8, convert to a wide string, and flag it as Unicode in CertFindCertificateInStore().
Signed-off-by: Selva Nair --- src/openvpn/cryptoapi.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index a579854..ae4a01b 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -50,6 +50,7 @@ #include "buffer.h" #include "openssl_compat.h" +#include "win32.h" /* MinGW w32api 3.17 is still incomplete when it comes to CryptoAPI while * MinGW32-w64 defines all macros used. This is a hack around that problem. @@ -608,12 +609,13 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) const void *find_param; unsigned char hash[255]; CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; + struct gc_arena gc = gc_new(); if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ - find_param = cert_prop + 5; - find_type = CERT_FIND_SUBJECT_STR_A; + find_param = wide_string(cert_prop + 5, &gc); + find_type = CERT_FIND_SUBJECT_STR_W; } else if (!strncmp(cert_prop, "THUMB:", 6)) { @@ -641,8 +643,7 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) if (!*++p) /* unexpected end of string */ { msg(M_WARN, "WARNING: cryptoapicert: error parsing <%s>.", cert_prop); - return NULL; - break; + goto out; } if (*p >= '0' && *p <= '9') { @@ -682,6 +683,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) validity < 0 ? "not yet valid" : "that has expired"); } +out: + gc_free(&gc); return rv; }
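Review bot: in the second hunk (@@ -608,12 +609,13 @@) `struct gc_arena gc = gc_new();` is created on every call but only used by the `SUBJ:` branch, and from now on every exit from the function has to pass through `gc_free()`; this hunk is fine, but a one-line comment next to the declaration saying that early exits must use `goto out` would stop a later edit from reintroducing a leak with a bare `return`. It would also help to state in the commit message that the UTF-8 interpretation comes from `wide_string()` (hence the new `#include "win32.h"` in the first hunk), since that is the property the change relies on.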
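Review bot: in the last hunk (@@ -682,6 +683,8 @@) the `out:` label is reached both from the parse-error `goto out` (with `rv == NULL`) and by fall-through from the search loop (with `rv` possibly non-NULL), and in the latter case the wide-string search parameter is freed while the returned context is still live. Please add a short comment at the label confirming that the context returned by `CertFindCertificateInStore()` does not keep a pointer to `find_param`, so a reader does not suspect a use-after-free here.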