From patchwork Sat Jan 28 22:34:18 2023
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 3018
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 28 Jan 2023 17:34:18 -0500
Message-Id: <20230128223421.2207802-2-selva.nair@gmail.com>
In-Reply-To: <20230128223421.2207802-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 1/4] Option --cryptoapicert: support issuer name as a selector

From: Selva Nair

- Certificate selection string can now specify a partial issuer name string as "--cryptoapicert ISSUER:<string>" where <string> is matched as a substring of the issuer (CA) name in the certificate.

Partial case-insensitive matching against the "issuer name" is used. Here "issuer name" is a text representation of the RDN's separated by commas. E.g., "CA, Ontario, Toronto, Acme Inc., IT, Acme Root CA". See MSDN docs on CertFindCertificateInStore() with CERT_FIND_ISSUER_STR as "FindType" for more details.

As the order of RDN's is not well-defined[*] and type names like "OU" or "CN" are not included, it's best to match against a single attribute like the CN of the issuer. E.g., --cryptoapicert "ISSUER:Acme Root"

[*] Windows appears to order RDN's in the reverse order to that in which they are written in the certificate, but do not rely on this.

Signed-off-by: Selva Nair
Acked-by: Gert Doering
---
doc/man-sections/windows-options.rst | 13 +++++++++++--
src/openvpn/cryptoapi.c | 5 +++++
2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/doc/man-sections/windows-options.rst b/doc/man-sections/windows-options.rst index 368f7b19..e87291f4 100644 --- a/doc/man-sections/windows-options.rst +++ b/doc/man-sections/windows-options.rst
@@ -41,13 +41,22 @@ Windows-Specific Options cryptoapicert "SUBJ:Peter Runestig" - To select a certificate, based on certificate's thumbprint: + To select a certificate, based on certificate's thumbprint (SHA1 hash): :: cryptoapicert "THUMB:f6 49 24 41 01 b4 ..." The thumbprint hex string can easily be copy-and-pasted from the Windows - Certificate Store GUI. + Certificate Store GUI. The embedded spaces in the hex string are optional. + + To select a certificate based on a substring in certificate's + issuer name: + :: + + cryptoapicert "ISSUER:Sample CA" + + The first non-expired certificate found in the user's store or the + machine store that matches the select-string is used. --dhcp-release Ask Windows to release the TAP adapter lease on shutdown. This option diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 661a9a6d..39eeec1b 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c 
@@ -459,6 +459,11 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) find_param = wide_string(cert_prop + 5, &gc); find_type = CERT_FIND_SUBJECT_STR_W; } + else if (!strncmp(cert_prop, "ISSUER:", 7)) + { + find_param = wide_string(cert_prop + 7, &gc); + find_type = CERT_FIND_ISSUER_STR_W; + } else if (!strncmp(cert_prop, "THUMB:", 6)) { const char *p;
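Review bot: the windows-options.rst hunk should say how `ISSUER:` matches, because `cryptoapicert "ISSUER:Sample CA"` is a case-insensitive substring match over the issuer's RDN values (as the commit message explains) and therefore also selects certificates issued by `Sample CA 2` or `Old Sample CA`; together with the new sentence `The first non-expired certificate found in the user's store or the machine store that matches the select-string is used`, a loosely chosen string leaves the choice to store enumeration order. Suggest adding that the string should be distinctive (the commit message's advice to match the issuer CN belongs in the man page, not only in the commit), and that `THUMB:` is the only selector that identifies exactly one certificate.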
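Review bot: in the new `else if (!strncmp(cert_prop, "ISSUER:", 7))` branch nothing rejects an empty remainder, so `--cryptoapicert ISSUER:` passes an empty string as the find parameter and, since an empty substring matches any issuer name, selects whatever certificate the store enumerates first. Consider failing with an explicit error when `cert_prop[7] == '\0'`; the existing `SUBJ:` branch just above has the same gap, so one check after the prefix parsing would cover both.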
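A check an administrator can run before committing to a selector, added here as an example that is not part of this patch series or of OpenVPN's own code: it lists the certificates in the user and machine personal stores that a `SUBJ:`, `ISSUER:` or `THUMB:` selector would match, skips expired ones as the option does, and warns when more than one matches (the situation the commit message's advice about matching on the issuer CN is meant to avoid). The substring comparison over the RDN values only approximates the CERT_FIND_*_STR matching done by CertFindCertificateInStore, since it is built from the Subject/Issuer text PowerShell renders; the function names `Find-OpenVpnCapiCert` and `Get-RdnValues` are this example's own. The `Name` column is the friendly name falling back to a subject element, which is what patch 2/4 of this series logs.

```powershell
# Added example, not OpenVPN code: preview which certificate(s) a
# --cryptoapicert selector would pick from the Windows "My" stores.
# Matching approximates CryptoAPI's CERT_FIND_*_STR search: case-insensitive
# substring over the RDN values with the attribute type names dropped.

function Get-RdnValues {
    param([string] $DistinguishedName)
    # "CN=Acme Root CA, O=Acme Inc., C=CA" -> "Acme Root CA, Acme Inc., CA"
    # Naive split: a comma quoted inside a value is not handled.
    $values = ($DistinguishedName -split ',\s*') | ForEach-Object { $_ -replace '^\s*[^=]+=', '' }
    return ($values -join ', ')
}

function Find-OpenVpnCapiCert {
    param(
        [Parameter(Mandatory)] [string] $Selector,   # 'SUBJ:...', 'ISSUER:...' or 'THUMB:...'
        [switch] $IncludeExpired
    )

    if ($Selector -match '^(SUBJ|ISSUER|THUMB):(.*)$') {
        $kind  = $Matches[1]
        $value = $Matches[2]
    } else {
        throw "selector must be SUBJ:<string>, ISSUER:<string> or THUMB:<hex>"
    }
    if ([string]::IsNullOrWhiteSpace($value)) {
        # An empty substring matches every certificate; refuse it up front.
        throw "empty $kind selector would match any certificate"
    }
    # Thumbprint: embedded spaces are optional, hex compared case-insensitively.
    $wantedThumb = ($value -replace '\s', '').ToUpperInvariant()

    # Same order the man page describes: user store first, then machine store.
    $stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
    $now = Get-Date

    $hits = foreach ($store in $stores) {
        foreach ($cert in (Get-ChildItem -Path $store -ErrorAction SilentlyContinue)) {
            if (-not $IncludeExpired -and $cert.NotAfter -lt $now) { continue }

            $match = switch ($kind) {
                'SUBJ'   { (Get-RdnValues $cert.Subject).IndexOf($value, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
                'ISSUER' { (Get-RdnValues $cert.Issuer).IndexOf($value, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
                'THUMB'  { $cert.Thumbprint.ToUpperInvariant() -eq $wantedThumb }
            }
            if (-not $match) { continue }

            # Friendly name if set, otherwise a representative subject element.
            $name = $cert.FriendlyName
            if (-not $name) { $name = $cert.GetNameInfo('SimpleName', $false) }

            [pscustomobject]@{
                Store         = $store
                Thumbprint    = $cert.Thumbprint
                Name          = $name
                Issuer        = $cert.GetNameInfo('SimpleName', $true)
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
    }

    $hits = @($hits)
    if ($hits.Count -eq 0) {
        Write-Warning "no matching certificate for '$Selector' (expired ones are skipped unless -IncludeExpired)"
    } elseif ($hits.Count -gt 1) {
        Write-Warning "$($hits.Count) certificates match '$Selector'; OpenVPN takes whichever the store enumerates first. Use THUMB:<thumbprint> for a deterministic choice."
    }
    return $hits
}

# Usage:
#   Find-OpenVpnCapiCert 'ISSUER:Acme Root' | Format-Table -AutoSize
#   Find-OpenVpnCapiCert 'THUMB:f6 49 24 41 01 b4 ...'
```

Run it in the same account OpenVPN will run as, since the user store differs per account; a result with `HasPrivateKey` false will match the selector but cannot be used for the TLS handshake.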
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 28 Jan 2023 17:34:19 -0500
Message-Id: <20230128223421.2207802-3-selva.nair@gmail.com>
In-Reply-To: <20230128223421.2207802-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 2/4] cryptoapi.c: log the selected certificate's name

From: Selva Nair

- With various ways of specifying the selector-string to the "--cryptoapicert" option, it's not immediately obvious which certificate gets selected from the store. Log it.

The "name" logged is a friendly name (if present), or a representative element of the subject (usually the common-name).
Signed-off-by: Selva Nair Acked-by: Gert Doering --- src/openvpn/cryptoapi.c | 29 +++++++++++++++++++++++++++++ src/openvpn/win32-util.c | 15 +++++++++++++++ src/openvpn/win32-util.h | 3 +++ 3 files changed, 47 insertions(+) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 39eeec1b..e3c0bc99 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -939,12 +939,31 @@ xkey_cng_sign(void *handle, unsigned char *sig, size_t *siglen, const unsigned c #endif /* HAVE_XKEY_PROVIDER */ +static char * +get_cert_name(const CERT_CONTEXT *cc, struct gc_arena *gc) +{ + DWORD len = CertGetNameStringW(cc, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL, NULL, 0); + char *name = NULL; + if (len) + { + wchar_t *wname = gc_malloc(len*sizeof(wchar_t), false, gc); + if (!wname + || CertGetNameStringW(cc, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL, wname, len) == 0) + { + return NULL; + } + name = utf16to8(wname, gc); + } + return name; +} + int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) { HCERTSTORE cs; X509 *cert = NULL; CAPI_DATA *cd = calloc(1, sizeof(*cd)); + struct gc_arena gc = gc_new(); if (cd == NULL) { @@ -979,6 +998,13 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) } } + /* try to log the "name" of the selected certificate */ + char *cert_name = get_cert_name(cd->cert_context, &gc); + if (cert_name) + { + msg(D_LOW, "cryptapicert: using certificate with name <%s>", cert_name); + } + /* cert_context->pbCertEncoded is the cert X509 DER encoded. */ cert = d2i_X509(NULL, (const unsigned char **) &cd->cert_context->pbCertEncoded, cd->cert_context->cbCertEncoded); 
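Review bot: in get_cert_name() the length CertGetNameStringW() returns counts the terminating NUL (that is why `len*sizeof(wchar_t)` suffices for the buffer), so `if (len)` cannot tell "no name available" from a real name: a certificate with no usable display name gives len == 1, an empty `wname`, and the caller then logs `<>`. Test `len > 1` and return NULL otherwise, so that the caller's `if (cert_name)` skips the message.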
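Review bot: the new message `cryptapicert: using certificate with name <%s>` misspells the option; it is `--cryptoapicert` (and the file is cryptoapi.c), so use `cryptoapicert:` so that a grep for the option name finds the log line. The angle brackets are worth keeping, since the name is arbitrary text taken from the certificate store.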
@@ -1022,6 +1048,7 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) EVP_PKEY *privkey = xkey_load_generic_key(tls_libctx, cd, pkey, xkey_cng_sign, (XKEY_PRIVKEY_FREE_fn *) CAPI_DATA_free); SSL_CTX_use_PrivateKey(ssl_ctx, privkey); + gc_free(&gc); return 1; /* do not free cd -- its kept by xkey provider */ #else /* ifdef HAVE_XKEY_PROVIDER */ @@ -1047,12 +1074,14 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) goto err; } CAPI_DATA_free(cd); /* this will do a ref_count-- */ + gc_free(gc); return 1; #endif /* HAVE_XKEY_PROVIDER */ err: CAPI_DATA_free(cd); + gc_free(&gc); return 0; } #endif /* _WIN32 */ diff --git a/src/openvpn/win32-util.c b/src/openvpn/win32-util.c index 35f2a311..32f7a00b 100644 --- a/src/openvpn/win32-util.c +++ b/src/openvpn/win32-util.c @@ -48,6 +48,21 @@ wide_string(const char *utf8, struct gc_arena *gc) return ucs16; } +char * +utf16to8(const wchar_t *utf16, struct gc_arena *gc) +{ + char *utf8 = NULL; + int n = WideCharToMultiByte(CP_UTF8, 0, utf16, -1, NULL, 0, NULL, NULL); + if (n > 0) + { + utf8 = gc_malloc(n, true, gc); + if (utf8) + { + WideCharToMultiByte(CP_UTF8, 0, utf16, -1, utf8, n, NULL, NULL); + } + } + return utf8; +} /* * Return true if filename is safe to be used on Windows, diff --git a/src/openvpn/win32-util.h b/src/openvpn/win32-util.h index b24242c8..ac37979f 100644 --- a/src/openvpn/win32-util.h +++ b/src/openvpn/win32-util.h 
@@ -34,6 +34,9 @@ /* Convert a string from UTF-8 to UCS-2 */ WCHAR *wide_string(const char *utf8, struct gc_arena *gc); +/* Convert a string from UTF-16 to UTF-8 */ +char *utf16to8(const wchar_t *utf16, struct gc_arena *gc); + /* return true if filename is safe to be used on Windows */ bool win_safe_filename(const char *fn);
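Review bot: in the `@@ -1047,12 +1074,14 @@` hunk the added line is `gc_free(gc);` while the other two new calls use `gc_free(&gc);`; `gc` is a `struct gc_arena` created with `gc_new()`, not a pointer, so this does not compile in the `#else /* ifdef HAVE_XKEY_PROVIDER */` path. Change it to `gc_free(&gc);` and build once with HAVE_XKEY_PROVIDER undefined, which would have caught it; even though patch 3/4 removes that path, the tree should build at every step of the series.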
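Review bot: in utf16to8() the result of the second WideCharToMultiByte() call is ignored; because the buffer comes from `gc_malloc(n, true, gc)` (zero-filled) a failure yields an empty string rather than garbage, but the caller cannot distinguish that from a genuinely empty name. Check that the second call returns n and return NULL otherwise, and consider passing `WC_ERR_INVALID_CHARS` so an unpaired surrogate fails the size query instead of being replaced silently. Style: wide_string() above is followed by a blank line before the next comment block; the new function is not.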
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 28 Jan 2023 17:34:20 -0500
Message-Id: <20230128223421.2207802-4-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230128223421.2207802-1-selva.nair@gmail.com>
References: <20230128223421.2207802-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 3/4] cryptoapi.c: remove pre OpenSSL-3.01 support

From: Selva Nair

- Require xkey-provider (thus OpenSSL 3.01+) for --cryptoapicert

Note: Ideally we should also make ENABLE_CRYPTOAPI conditional on
HAVE_XKEY_PROVIDER but that looks hard unless we can agree to move
HAVE_XKEY_PROVIDER to configure/config.h. Or move ENABLE_CRYPTOAPI
out of syshead.h ?
Signed-off-by: Selva Nair --- src/openvpn/cryptoapi.c | 555 +--------------------------------------- src/openvpn/options.c | 2 +- 2 files changed, 11 insertions(+), 546 deletions(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index e3c0bc99..6ff4fcb5 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -55,17 +55,17 @@ #include "xkey_common.h" #ifndef HAVE_XKEY_PROVIDER -/* index for storing external data in EC_KEY: < 0 means uninitialized */ -static int ec_data_idx = -1; -/* Global EVP_PKEY_METHOD used to override the sign operation */ -static EVP_PKEY_METHOD *pmethod; -static int (*default_pkey_sign_init) (EVP_PKEY_CTX *ctx); -static int (*default_pkey_sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, - size_t *siglen, const unsigned char *tbs, size_t tbslen); -#else /* ifndef HAVE_XKEY_PROVIDER */ +int +SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) +{ + msg(M_NONFATAL, "ERROR: cryptoapicert not supported in this version"); + return 0; +} + +#else /* HAVE_XKEY_PROVIDER */ + static XKEY_EXTERNAL_SIGN_fn xkey_cng_sign; -#endif /* HAVE_XKEY_PROVIDER */ typedef struct _CAPI_DATA { const CERT_CONTEXT *cert_context; 
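Review bot: the message in the new stub SSL_CTX_use_CryptoAPI_certificate() ("cryptoapicert not supported in this version") does not tell the user what is actually missing; the commit message ties the option to the xkey provider, so wording it as a build/OpenSSL limitation would save a support round-trip, e.g. `msg(M_NONFATAL, "ERROR: cryptoapicert requires OpenSSL 3.01+ (xkey provider) in this build");`. A one-line comment above the stub saying it exists only so that callers compiled under ENABLE_CRYPTOAPI still link would also help, because the options.c hunk in this same patch stops `cryptoapicert` from being parsed at all without HAVE_XKEY_PROVIDER, so the stub is not reachable from the config parser. Finally, `ssl_ctx` and `cert_prop` are unused in the stub and will warn under -Wunused-parameter.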
@@ -146,127 +146,6 @@ CAPI_DATA_free(CAPI_DATA *cd) free(cd); } -#ifndef HAVE_XKEY_PROVIDER - -/* Translate OpenSSL padding type to CNG padding type - * Returns 0 for unknown/unsupported padding. - */ -static DWORD -cng_padding_type(int padding) -{ - DWORD pad = 0; - - switch (padding) - { - case RSA_NO_PADDING: - break; - - case RSA_PKCS1_PADDING: - pad = BCRYPT_PAD_PKCS1; - break; - - case RSA_PKCS1_PSS_PADDING: - pad = BCRYPT_PAD_PSS; - break; - - default: - msg(M_WARN|M_INFO, "cryptoapicert: unknown OpenSSL padding type %d.", - padding); - } - - return pad; -} - -/** - * Sign the hash in 'from' using NCryptSignHash(). This requires an NCRYPT - * key handle in cd->crypt_prov. On return the signature is in 'to'. Returns - * the length of the signature or 0 on error. - * This is used only for RSA and padding should be BCRYPT_PAD_PKCS1 or - * BCRYPT_PAD_PSS. - * If the hash_algo is not NULL, PKCS #1 DigestInfo header gets added - * to |from|, else it is signed as is. Use NULL for MD5 + SHA1 hash used - * in TLS 1.1 and earlier. - * In case of PSS padding, |saltlen| should specify the size of salt to use. - * If |to| is NULL returns the required buffer size. 
- */ -static int -priv_enc_CNG(const CAPI_DATA *cd, const wchar_t *hash_algo, const unsigned char *from, - int flen, unsigned char *to, int tlen, DWORD padding, DWORD saltlen) -{ - NCRYPT_KEY_HANDLE hkey = cd->crypt_prov; - DWORD len = 0; - ASSERT(cd->key_spec == CERT_NCRYPT_KEY_SPEC); - - DWORD status; - - msg(D_LOW, "Signing hash using CNG: data size = %d padding = %lu", flen, padding); - - if (padding == BCRYPT_PAD_PKCS1) - { - BCRYPT_PKCS1_PADDING_INFO padinfo = {hash_algo}; - status = NCryptSignHash(hkey, &padinfo, (BYTE *)from, flen, - to, tlen, &len, padding); - } - else if (padding == BCRYPT_PAD_PSS) - { - BCRYPT_PSS_PADDING_INFO padinfo = {hash_algo, saltlen}; - status = NCryptSignHash(hkey, &padinfo, (BYTE *)from, flen, - to, tlen, &len, padding); - } - else - { - msg(M_NONFATAL, "Error in cryptoapicert: Unknown padding type"); - return 0; - } - - if (status != ERROR_SUCCESS) - { - SetLastError(status); - msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: NCryptSignHash failed"); - len = 0; - } - - /* Unlike CAPI, CNG signature is in big endian order. No reversing needed. 
*/ - return len; -} - -/* called at RSA_free */ -static int -rsa_finish(RSA *rsa) -{ - const RSA_METHOD *rsa_meth = RSA_get_method(rsa); - CAPI_DATA *cd = (CAPI_DATA *) RSA_meth_get0_app_data(rsa_meth); - - if (cd == NULL) - { - return 0; - } - CAPI_DATA_free(cd); - RSA_meth_free((RSA_METHOD *) rsa_meth); - return 1; -} - -static EC_KEY_METHOD *ec_method = NULL; - -/** EC_KEY_METHOD callback: called when the key is freed */ -static void -ec_finish(EC_KEY *ec) -{ - EC_KEY_METHOD_free(ec_method); - ec_method = NULL; - CAPI_DATA *cd = EC_KEY_get_ex_data(ec, ec_data_idx); - CAPI_DATA_free(cd); - EC_KEY_set_ex_data(ec, ec_data_idx, NULL); -} - -/** EC_KEY_METHOD callback sign_setup(): we do nothing here */ -static int -ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) -{ - return 1; -} -#endif /* HAVE_XKEY_PROVIDER */ - /** * Helper to convert ECDSA signature returned by NCryptSignHash * to an ECDSA_SIG structure. 
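Review bot: with cng_padding_type(), priv_enc_CNG(), rsa_finish(), ec_finish() and ecdsa_sign_setup() deleted in this hunk, please check that static helpers which only the removed code called have not been left behind without a caller: ecdsa_bin2sig() (the comment block that survives at the end of the hunk) should still be used by xkey_cng_ec_sign(), but cng_hash_algo(), which the deleted pkey_rsa_sign() later in this patch relies on, is not visible here, and a static function with no remaining caller will warn under -Wunused-function on a HAVE_XKEY_PROVIDER build.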
@@ -301,141 +180,6 @@ err: return NULL; } -#ifndef HAVE_XKEY_PROVIDER - -/** EC_KEY_METHOD callback sign_sig(): sign and return an ECDSA_SIG pointer. */ -static ECDSA_SIG * -ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, - const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *ec) -{ - ECDSA_SIG *ecsig = NULL; - CAPI_DATA *cd = (CAPI_DATA *)EC_KEY_get_ex_data(ec, ec_data_idx); - - ASSERT(cd->key_spec == CERT_NCRYPT_KEY_SPEC); - - NCRYPT_KEY_HANDLE hkey = cd->crypt_prov; - BYTE buf[512]; /* large enough buffer for signature to avoid malloc */ - DWORD len = _countof(buf); - - msg(D_LOW, "Cryptoapi: signing hash using EC key: data size = %d", dgstlen); - - DWORD status = NCryptSignHash(hkey, NULL, (BYTE *)dgst, dgstlen, (BYTE *)buf, len, &len, 0); - if (status != ERROR_SUCCESS) - { - SetLastError(status); - msg(M_NONFATAL|M_ERRNO, "Error in cryptoapticert: NCryptSignHash failed"); - } - else - { - /* NCryptSignHash returns r, s concatenated in buf[] */ - ecsig = ecdsa_bin2sig(buf, len); - } - return ecsig; -} - -/** EC_KEY_METHOD callback sign(): sign and return a DER encoded signature */ -static int -ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, - unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec) -{ - ECDSA_SIG *s; - - *siglen = 0; - s = ecdsa_sign_sig(dgst, dgstlen, NULL, NULL, ec); - if (s == NULL) - { - return 0; - } - - /* convert internal signature structure 's' to DER encoded byte array in sig */ - int len = i2d_ECDSA_SIG(s, NULL); - if (len > ECDSA_size(ec)) - { - ECDSA_SIG_free(s); - msg(M_NONFATAL, "Error in cryptoapicert: DER encoded ECDSA signature is too long (%d bytes)", len); - return 0; - } - *siglen = i2d_ECDSA_SIG(s, &sig); - ECDSA_SIG_free(s); - - return 1; -} - -static int -ssl_ctx_set_eckey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey) -{ - EC_KEY *ec = NULL; - EVP_PKEY *privkey = NULL; - - /* create a method struct with default callbacks filled in */ - ec_method = 
EC_KEY_METHOD_new(EC_KEY_OpenSSL()); - if (!ec_method) - { - goto err; - } - - /* We only need to set finish among init methods, and sign methods */ - EC_KEY_METHOD_set_init(ec_method, NULL, ec_finish, NULL, NULL, NULL, NULL); - EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig); - - ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey)); - if (!ec) - { - goto err; - } - if (!EC_KEY_set_method(ec, ec_method)) - { - goto err; - } - - /* get an index to store cd as external data */ - if (ec_data_idx < 0) - { - ec_data_idx = EC_KEY_get_ex_new_index(0, "cryptapicert ec key", NULL, NULL, NULL); - if (ec_data_idx < 0) - { - goto err; - } - } - EC_KEY_set_ex_data(ec, ec_data_idx, cd); - - /* cd assigned to ec as ex_data, increase its refcount */ - cd->ref_count++; - - privkey = EVP_PKEY_new(); - if (!EVP_PKEY_assign_EC_KEY(privkey, ec)) - { - EC_KEY_free(ec); - goto err; - } - /* from here on ec will get freed with privkey */ - - if (!SSL_CTX_use_PrivateKey(ssl_ctx, privkey)) - { - goto err; - } - EVP_PKEY_free(privkey); /* this will dn_ref or free ec as well */ - return 1; - -err: - if (privkey) - { - EVP_PKEY_free(privkey); - } - else if (ec) - { - EC_KEY_free(ec); - } - if (ec_method) /* do always set ec_method = NULL after freeing it */ - { - EC_KEY_METHOD_free(ec_method); - ec_method = NULL; - } - return 0; -} - -#endif /* !HAVE_XKEY_PROVIDER */ - static const CERT_CONTEXT * find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) { 
@@ -541,254 +285,6 @@ out: return rv; } -#ifndef HAVE_XKEY_PROVIDER - -static const CAPI_DATA * -retrieve_capi_data(EVP_PKEY *pkey) -{ - const CAPI_DATA *cd = NULL; - - if (pkey && EVP_PKEY_id(pkey) == EVP_PKEY_RSA) - { - RSA *rsa = EVP_PKEY_get0_RSA(pkey); - if (rsa) - { - cd = (CAPI_DATA *)RSA_meth_get0_app_data(RSA_get_method(rsa)); - } - } - return cd; -} - -static int -pkey_rsa_sign_init(EVP_PKEY_CTX *ctx) -{ - msg(D_LOW, "cryptoapicert: enter pkey_rsa_sign_init"); - - EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx); - - if (pkey && retrieve_capi_data(pkey)) - { - return 1; /* Return success */ - } - else if (default_pkey_sign_init) /* Not our key. Call the default method */ - { - return default_pkey_sign_init(ctx); - } - return 1; -} - -/** - * Implementation of EVP_PKEY_sign() using CNG: sign the digest in |tbs| - * and save the the signature in |sig| and its size in |*siglen|. - * If |sig| is NULL the required buffer size is returned in |*siglen|. - * Returns value is 1 on success, 0 or a negative integer on error. - */ -static int -pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, - const unsigned char *tbs, size_t tbslen) -{ - EVP_PKEY *pkey = NULL; - const CAPI_DATA *cd = NULL; - EVP_MD *md = NULL; - const wchar_t *alg = NULL; - - int padding = 0; - int hashlen = 0; - int saltlen = 0; - - pkey = EVP_PKEY_CTX_get0_pkey(ctx); - if (pkey) - { - cd = retrieve_capi_data(pkey); - } - - /* - * We intercept all sign requests, not just the one's for our key. - * Check the key and call the saved OpenSSL method for unknown keys. 
- */ - if (!pkey || !cd) - { - if (default_pkey_sign) - { - return default_pkey_sign(ctx, sig, siglen, tbs, tbslen); - } - else /* This should not happen */ - { - msg(M_FATAL, "Error in cryptoapicert: Unknown key and no default sign operation to fallback on"); - return -1; - } - } - - if (!EVP_PKEY_CTX_get_rsa_padding(ctx, &padding)) - { - padding = RSA_PKCS1_PADDING; /* Default padding for RSA */ - } - - if (EVP_PKEY_CTX_get_signature_md(ctx, &md)) - { - hashlen = EVP_MD_size(md); - alg = cng_hash_algo(EVP_MD_type(md)); - - /* - * alg == NULL indicates legacy MD5+SHA1 hash, else alg should be a valid - * digest algorithm. - */ - if (alg && wcscmp(alg, L"UNKNOWN") == 0) - { - msg(M_NONFATAL, "Error in cryptoapicert: Unknown hash algorithm <%d>", EVP_MD_type(md)); - return -1; - } - } - else - { - msg(M_NONFATAL, "Error in cryptoapicert: could not determine the signature digest algorithm"); - return -1; - } - - if (tbslen != (size_t)hashlen) - { - msg(M_NONFATAL, "Error in cryptoapicert: data size does not match hash"); - return -1; - } - - /* If padding is PSS, determine parameters to pass to CNG */ - if (padding == RSA_PKCS1_PSS_PADDING) - { - /* - * Ensure the digest type for signature and mask generation match. - * In CNG there is no option to specify separate hash functions for - * the two, but OpenSSL supports it. However, I have not seen the - * two being different in practice. Also the recommended practice is - * to use the same for both (rfc 8017 sec 8.1). - */ - EVP_MD *mgf1md; - if (!EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, &mgf1md) - || EVP_MD_type(mgf1md) != EVP_MD_type(md)) - { - msg(M_NONFATAL, "Error in cryptoapicert: Unknown MGF1 digest type or does" - " not match the signature digest type."); - return -1; - } - - if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, &saltlen)) - { - msg(M_WARN|M_INFO, "cryptoapicert: unable to get the salt length from context." 
- " Using the default value."); - saltlen = -1; - } - - /* - * In OpenSSL saltlen = -1 indicates to use the size of the digest as - * size of the salt. A value of -2 or -3 indicates maximum salt length - * that will fit. See RSA_padding_add_PKCS1_PSS_mgf1() of OpenSSL. - */ - if (saltlen == -1) - { - saltlen = hashlen; - } - else if (saltlen < 0) - { - const RSA *rsa = EVP_PKEY_get0_RSA(pkey); - saltlen = RSA_size(rsa) - hashlen - 2; /* max salt length for RSASSA-PSS */ - if (RSA_bits(rsa) &0x7) /* number of bits in the key not a multiple of 8 */ - { - saltlen--; - } - } - - if (saltlen < 0) - { - msg(M_NONFATAL, "Error in cryptoapicert: invalid salt length (%d). Digest too large for keysize?", saltlen); - return -1; - } - msg(D_LOW, "cryptoapicert: PSS padding using saltlen = %d", saltlen); - } - - msg(D_LOW, "cryptoapicert: calling priv_enc_CNG with alg = %ls", alg); - *siglen = priv_enc_CNG(cd, alg, tbs, (int)tbslen, sig, (int)*siglen, - cng_padding_type(padding), (DWORD)saltlen); - - return (*siglen == 0) ? 
0 : 1; -} - -static int -ssl_ctx_set_rsakey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey) -{ - RSA *rsa = NULL; - RSA_METHOD *my_rsa_method = NULL; - EVP_PKEY *privkey = NULL; - int ret = 0; - - my_rsa_method = RSA_meth_new("Microsoft Cryptography API RSA Method", - RSA_METHOD_FLAG_NO_CHECK); - check_malloc_return(my_rsa_method); - RSA_meth_set_finish(my_rsa_method, rsa_finish); /* we use this callback to cleanup CAPI_DATA */ - RSA_meth_set0_app_data(my_rsa_method, cd); - - /* pmethod is global -- initialize only if NULL */ - if (!pmethod) - { - pmethod = EVP_PKEY_meth_new(EVP_PKEY_RSA, 0); - if (!pmethod) - { - msg(M_NONFATAL, "Error in cryptoapicert: failed to create EVP_PKEY_METHOD"); - return 0; - } - const EVP_PKEY_METHOD *default_pmethod = EVP_PKEY_meth_find(EVP_PKEY_RSA); - EVP_PKEY_meth_copy(pmethod, default_pmethod); - - /* We want to override only sign_init() and sign() */ - EVP_PKEY_meth_set_sign(pmethod, pkey_rsa_sign_init, pkey_rsa_sign); - EVP_PKEY_meth_add0(pmethod); - - /* Keep a copy of the default sign and sign_init methods */ - - EVP_PKEY_meth_get_sign(default_pmethod, &default_pkey_sign_init, - &default_pkey_sign); - } - - rsa = EVP_PKEY_get1_RSA(pkey); - - RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY); - if (!RSA_set_method(rsa, my_rsa_method)) - { - goto cleanup; - } - my_rsa_method = NULL; /* we do not want to free it in cleanup */ - cd->ref_count++; /* with method, cd gets assigned to the key as well */ - - privkey = EVP_PKEY_new(); - if (!EVP_PKEY_assign_RSA(privkey, rsa)) - { - goto cleanup; - } - rsa = NULL; /* privkey has taken ownership */ - - if (!SSL_CTX_use_PrivateKey(ssl_ctx, privkey)) - { - goto cleanup; - } - ret = 1; - -cleanup: - if (rsa) - { - RSA_free(rsa); - } - if (my_rsa_method) - { - RSA_meth_free(my_rsa_method); - } - if (privkey) - { - EVP_PKEY_free(privkey); - } - - return ret; -} - -#else /* HAVE_XKEY_PROVIDER */ - /** Sign hash in tbs using EC key in cd and NCryptSignHash */ static int 
xkey_cng_ec_sign(CAPI_DATA *cd, unsigned char *sig, size_t *siglen, const unsigned char *tbs, @@ -937,8 +433,6 @@ xkey_cng_sign(void *handle, unsigned char *sig, size_t *siglen, const unsigned c } } -#endif /* HAVE_XKEY_PROVIDER */ - static char * get_cert_name(const CERT_CONTEXT *cc, struct gc_arena *gc) { @@ -1043,45 +537,16 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) X509_free(cert); cert = NULL; -#ifdef HAVE_XKEY_PROVIDER - EVP_PKEY *privkey = xkey_load_generic_key(tls_libctx, cd, pkey, xkey_cng_sign, (XKEY_PRIVKEY_FREE_fn *) CAPI_DATA_free); SSL_CTX_use_PrivateKey(ssl_ctx, privkey); gc_free(&gc); return 1; /* do not free cd -- its kept by xkey provider */ -#else /* ifdef HAVE_XKEY_PROVIDER */ - - if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) - { - if (!ssl_ctx_set_rsakey(ssl_ctx, cd, pkey)) - { - goto err; - } - } - else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) - { - if (!ssl_ctx_set_eckey(ssl_ctx, cd, pkey)) - { - goto err; - } - } - else - { - msg(M_WARN|M_INFO, "WARNING: cryptoapicert: key type <%d> not supported", - EVP_PKEY_id(pkey)); - goto err; - } - CAPI_DATA_free(cd); /* this will do a ref_count-- */ - gc_free(gc); - return 1; - -#endif /* HAVE_XKEY_PROVIDER */ - err: CAPI_DATA_free(cd); gc_free(&gc); return 0; } +#endif /* HAVE_XKEY_PROVIDER */ #endif /* _WIN32 */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f24af3d7..e18b3b39 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
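Review bot: the `-#endif /* HAVE_XKEY_PROVIDER */` removed in the @@ -937 hunk, together with the `-#else` removed at the end of the preceding hunk and the `+#endif` added just before `#endif /* _WIN32 */`, changes the file-level conditional so that the `#ifndef HAVE_XKEY_PROVIDER` opened in the first hunk now covers only the stub, and everything from the CAPI_DATA typedef down to SSL_CTX_use_CryptoAPI_certificate() sits in its `#else` arm. That nesting is easy to get wrong across six hunks; a compile of cryptoapi.c both with and without HAVE_XKEY_PROVIDER defined would confirm it before merging.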
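Review bot: in the @@ -1043 hunk of SSL_CTX_use_CryptoAPI_certificate(), now that the former `#ifdef HAVE_XKEY_PROVIDER` branch is the only code path, its unchecked calls are the whole function: `privkey` returned by xkey_load_generic_key() is never tested for NULL and the result of `SSL_CTX_use_PrivateKey(ssl_ctx, privkey)` is ignored, so a key that fails to load still makes the function return 1 as if the certificate and key had been installed. Suggest failing the call when either is false, and, because SSL_CTX_use_PrivateKey() takes its own reference to the key, releasing the local one with EVP_PKEY_free(privkey) after a successful call. Incidentally, the deleted fallback branch called `gc_free(gc)` without the `&` that every other call in the function uses, which suggests that branch had not been compiled for some time and supports removing it.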
@@ -8864,7 +8864,7 @@ add_option(struct options *options, listend->next = newlist; } } -#ifdef ENABLE_CRYPTOAPI +#if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER) else if (streq(p[0], "cryptoapicert") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL);
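Review bot: HAVE_XKEY_PROVIDER comes from xkey_common.h rather than config.h (the commit message says as much), so `#if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)` only does what is intended if options.c already includes that header; this hunk adds no include, and if the macro is not visible at this point the preprocessor silently treats it as undefined and `cryptoapicert` is compiled out even on a build that has the provider. Please confirm the include, or move the check to a symbol that config.h provides as the commit message proposes. Note also that with this change the stub SSL_CTX_use_CryptoAPI_certificate() added in the first cryptoapi.c hunk can no longer be reached from the parser: a user with an existing `cryptoapicert` line gets whatever add_option() reports for an unknown option instead of the stub's message. That may be the intended behaviour, but it deserves a sentence in the commit message.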
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 28 Jan 2023 17:34:21 -0500
Message-Id: <20230128223421.2207802-5-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230128223421.2207802-1-selva.nair@gmail.com>
References: <20230128223421.2207802-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 4/4] cryptoapi.c: simplify parsing of thumbprint hex string

From: Selva Nair

Signed-off-by: Selva Nair
---
 src/openvpn/cryptoapi.c | 44 +++++++++++------------------------------
 1 file changed, 12 insertions(+), 32 deletions(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 6ff4fcb5..9fd5aea9 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -210,49 +210,29 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } else if (!strncmp(cert_prop, "THUMB:", 6)) { - const char *p; - int i, x = 0; find_type = CERT_FIND_HASH; find_param = &blob; - /* skip the tag */ - cert_prop += 6; - for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++) + int i = 0; + + for (const char *p = cert_prop + 6; *p && i < sizeof(hash); p += 2) { - if (*p >= '0' && *p <= '9') - { - x = (*p - '0') << 4; - } - else if (*p >= 'A' && *p <= 'F') + /* skip spaces */ + while (*p == ' ') { - x = (*p - 'A' + 10) << 4; + p++; } - else if (*p >= 'a' && *p <= 'f') + if (!*p) /* ending with spaces is not an error */ { - x = (*p - 'a' + 10) << 4; + break; } - if (!*++p) /* unexpected end of string */ + + if (!isxdigit(p[0]) || !isxdigit(p[1]) + || sscanf(p, "%2hhx", &hash[i++]) != 1) { - msg(M_WARN|M_INFO, "WARNING: cryptoapicert: error parsing .", cert_prop); + msg(M_WARN|M_INFO, "WARNING: cryptoapicert: error parsing <%s>.", cert_prop); goto out; } - if (*p >= '0' && *p <= '9') - { - x += *p - '0'; - } - else if (*p >= 'A' && *p <= 'F') - { - x += *p - 'A' + 10; - } - else if (*p >= 'a' && *p <= 'f') - { - x += *p - 'a' + 10; - } - hash[i] = x; - /* skip any space(s) between hex numbers */ - for (p++; *p && *p == ' '; p++) - { - } } blob.cbData = i; }
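Review bot: `isxdigit(p[0])` and `isxdigit(p[1])` are applied to plain `char` values taken from a user-supplied config string; the ctype functions require an argument representable as unsigned char or EOF, so a byte with the high bit set (any non-ASCII character in the thumbprint) is undefined behaviour. Cast both to `(unsigned char)` and make sure <ctype.h> is included in cryptoapi.c, which this hunk does not show. The `sscanf(p, "%2hhx", &hash[i++])` is fine once the two isxdigit checks have passed; on its own "%x" would also accept leading whitespace and a sign, so keep the checks in front of it. Two points the (empty) commit message should state: the new loop rejects a thumbprint containing non-hex characters, whereas the old code had no error branch for them and carried the previous value of `x` into `hash[i]`, so this is a behaviour change and not only a cleanup; and separators other than spaces (colons, as some tools print thumbprints) are still rejected, since `p += 2` assumes the hex pair begins immediately after any spaces.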