From patchwork Mon Apr 2 18:30:42 2018
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 287
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 3 Apr 2018 00:30:42 -0400
Message-Id: <1522729843-28878-1-git-send-email-selva.nair@gmail.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1520817479-17203-1-git-send-email-selva.nair@gmail.com>
References: <1520817479-17203-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v2 1/2] Skip expired certificates in Windows certificate store

From: Selva Nair

Have the cryptoapicert option find the first matching certificate in store that is valid at the present time. Currently the first found item, even if expired, is returned. This makes it possible to update certificates in store without having to delete old ones. As a side effect, if only expired certificates are found, the connection fails.

Also remove some unnecessary casts.

Tested on Windows 10.

Trac #966
Signed-off-by: Selva Nair --- v2: remove the break after return src/openvpn/cryptoapi.c | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 11b971f..ec7569a 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -601,27 +601,31 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) * SUBJ: * THUMB:, e.g. * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28 + * The first matching certificate that has not expired is returned. */ const CERT_CONTEXT *rv = NULL; + DWORD find_type; + const void *find_param; + unsigned char hash[255]; + CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ - cert_prop += 5; - rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL); - + find_param = cert_prop + 5; + find_type = CERT_FIND_SUBJECT_STR_A; } else if (!strncmp(cert_prop, "THUMB:", 6)) { - unsigned char hash[255]; - char *p; + const char *p; int i, x = 0; - CRYPT_HASH_BLOB blob; + find_type = CERT_FIND_HASH; + find_param = &blob; /* skip the tag */ cert_prop += 6; - for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) { + for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++) + { if (*p >= '0' && *p <= '9') { x = (*p - '0') << 4; @@ -636,7 +640,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } if (!*++p) /* unexpected end of string */ { - break; + msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop); + return NULL; } if (*p >= '0' && *p <= '9') { 
@@ -657,10 +662,23 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } } blob.cbData = i; - blob.pbData = (unsigned char *) &hash; + } + while(true) + { + int validity = 1; + /* this frees previous rv, if not NULL */ rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_HASH, &blob, NULL); - + 0, find_type, find_param, rv); + if (rv) + { + validity = CertVerifyTimeValidity(NULL, rv->pCertInfo); + } + if (!rv || validity == 0) + { + break; + } + msg(M_WARN, "WARNING: cryptoapicert: ignoring certificate in store %s.", + validity < 0 ? "not yet valid" : "that has expired"); } return rv;

From patchwork Mon Apr 2 18:30:43 2018
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 288
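Review bot: the comment added in the first hunk (@@ -601,27 +601,31 @@), "The first matching certificate that has not expired is returned", describes only half of what the new search does: the loop also skips certificates that are not yet valid, as the "not yet valid" branch of the warning text shows. "The first matching certificate that is valid at the present time is returned" would match both the behaviour and the commit message. The remaining changes in this hunk (hoisting hash and blob to function scope, initialising blob with a designated initializer, dropping the casts, making p const) are straightforward.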
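Review bot: in the second hunk (@@ -636,7 +640,8 @@) the new warning's format string, as it appears here, contains no conversion specifier yet cert_prop is passed as an argument, so either the argument is never printed or a placeholder was lost between the commit and this copy; please check the committed line. Note also that cert_prop has already been advanced past the "THUMB:" tag (cert_prop += 6 earlier in the function), so the message would show only the hex portion of the option; wording it as "error parsing thumbprint" or logging the string before the tag is skipped would be clearer to the user. Replacing the break with an immediate return NULL is the right change: a break would have searched the store for a partially parsed hash.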
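Review bot: in the third hunk (@@ -657,10 +662,23 @@), when cert_prop starts with neither "SUBJ:" nor "THUMB:", control falls from the closing brace of the else-if straight into while(true) with find_type and find_param never assigned, and CertFindCertificateInStore() is called with indeterminate values; before this change rv simply stayed NULL and the function returned it. Add an else branch after the THUMB block that warns about the unsupported specification and returns NULL before the loop is entered. The loop itself looks correct: passing the previous rv as the last argument lets the API release it (as the comment says), CertVerifyTimeValidity() returning 0 means valid and the -1/+1 results map onto the two warning texts, and a NULL rv ends the loop with NULL returned. Minor style point: "while (true)" with a space, matching the surrounding code.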
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 3 Apr 2018 00:30:43 -0400
Message-Id: <1522729843-28878-2-git-send-email-selva.nair@gmail.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1522729843-28878-1-git-send-email-selva.nair@gmail.com>
References: <1520817479-17203-1-git-send-email-selva.nair@gmail.com> <1522729843-28878-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v2 2/2] Allow unicode search string in --cryptoapicert option
From: Selva Nair Currently when the certificate is specified as "SUBJ:foo", the string foo is assumed to be ascii. Change that and interpret it as utf-8, convert to a wide string, and flag it as unicode in CertFindCertifcateInStore(). Signed-off-by: Selva Nair --- v2: rebased to v2 1/2 -- no code changes src/openvpn/cryptoapi.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index ec7569a..c78e608 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -50,6 +50,7 @@ #include "buffer.h" #include "openssl_compat.h" +#include "win32.h" /* MinGW w32api 3.17 is still incomplete when it comes to CryptoAPI while * MinGW32-w64 defines all macros used. This is a hack around that problem. @@ -608,12 +609,13 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) const void *find_param; unsigned char hash[255]; CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; + struct gc_arena gc = gc_new(); if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ - find_param = cert_prop + 5; - find_type = CERT_FIND_SUBJECT_STR_A; + find_param = wide_string(cert_prop + 5, &gc); + find_type = CERT_FIND_SUBJECT_STR_W; } else if (!strncmp(cert_prop, "THUMB:", 6)) { @@ -641,7 +643,7 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) if (!*++p) /* unexpected end of string */ { msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop); - return NULL; + goto out; } if (*p >= '0' && *p <= '9') { @@ -681,6 +683,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) validity < 0 ? "not yet valid" : "that has expired"); } +out: + gc_free(&gc); return rv; }
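Review bot: in the second hunk of this patch (@@ -608,12 +609,13 @@), once gc owns the buffer returned by wide_string(), every exit from the function has to pass through gc_free(); the goto out added later in the THUMB parse-error path handles the one early return visible here, but the fall-through case where cert_prop carries neither tag still reaches the search loop with find_type and find_param unassigned (there is no else branch between the THUMB block and the loop). An else branch of the form msg(M_WARN, ...); goto out; would close both gaps in one place now that the out label exists. Please also confirm that wide_string() is declared in win32.h, since that is the only reason the first hunk adds the include.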
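Review bot: in the last hunk (@@ -681,6 +683,8 @@) the out label is placed so that the parse-error path (rv still NULL from its initialisation) and the normal path both release gc and return rv, which is correct. A one-line comment at the label saying that on success rv is a live CERT_CONTEXT owned by the caller would help, because the loop's earlier "this frees previous rv" comment can read as if the function cleans up every context it obtains.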