From patchwork Mon Feb 10 07:35:41 2020
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 988
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Feb 2020 13:35:41 -0500
Message-Id: <1581359742-30511-1-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1522729843-28878-1-git-send-email-selva.nair@gmail.com>
References: <1522729843-28878-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 1/2 v3] Skip expired certificates in Windows certificate store

From: Selva Nair

Have the cryptoapicert option find the first matching certificate in store that is valid at the present time. Currently the first found item, even if expired, is returned. This makes it possible to update certificates in store without having to delete old ones. As a side effect, if only expired certificates are found, the connection fails.

Also remove some unnecessary casts.

Tested on Windows 10.

Trac #966
Signed-off-by: Selva Nair
---
v3: nudging again with a rebase to master

 src/openvpn/cryptoapi.c | 41 +++++++++++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 12 deletions(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 2f2eee7..3b70c33 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -739,27 +739,30 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) * SUBJ: * THUMB:, e.g. * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28 + * The first matching certificate that has not expired is returned. */ const CERT_CONTEXT *rv = NULL; + DWORD find_type; + const void *find_param; + unsigned char hash[255]; + CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ - cert_prop += 5; - rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL); - + find_param = cert_prop + 5; + find_type = CERT_FIND_SUBJECT_STR_A; } else if (!strncmp(cert_prop, "THUMB:", 6)) { - unsigned char hash[255]; - char *p; + const char *p; int i, x = 0; - CRYPT_HASH_BLOB blob; + find_type = CERT_FIND_HASH; + find_param = &blob; /* skip the tag */ cert_prop += 6; - for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) + for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++) { if (*p >= '0' && *p <= '9') { @@ -775,7 +778,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } if (!*++p) /* unexpected end of string */ { - break; + msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop); + return NULL; } if (*p >= '0' && *p <= '9') {
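Review bot: the new doc comment in the first hunk, "+ * The first matching certificate that has not expired is returned.", understates what the lookup now does: the find loop that consumes find_type/find_param also skips certificates that are not yet valid (it logs "not yet valid" when validity < 0). Suggest "+ * The first matching certificate that is valid at the current time is returned." so the comment covers both skip cases. Minor: hash[255] and blob are now declared for the SUBJ: path too, which is harmless; the loop bound i < sizeof(hash) still keeps an overlong THUMB: string from overrunning the buffer, and the example in the comment (20 bytes) shows how much smaller the real thumbprint is.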
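Review bot: in the second hunk the new parse-error message passes cert_prop as an argument, but as shown the format string "WARNING: cryptoapicert: error parsing ." has no conversion specifier for it (if the original carried a %s inside angle brackets that this rendering stripped, disregard that part). Either way cert_prop was advanced past the tag by "cert_prop += 6" in the first hunk, so the message would print the bare hex digits rather than the THUMB:... value the user configured; keep a pointer to the untouched option string for the message. Replacing the old silent "break" with "return NULL" is right: an odd number of hex digits used to hand a truncated hash to the lookup without any diagnostic.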
@@ -796,10 +800,23 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } } blob.cbData = i; - blob.pbData = (unsigned char *) &hash; + } + while(true) + { + int validity = 1; + /* this frees previous rv, if not NULL */ rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_HASH, &blob, NULL); - + 0, find_type, find_param, rv); + if (rv) + { + validity = CertVerifyTimeValidity(NULL, rv->pCertInfo); + } + if (!rv || validity == 0) + { + break; + } + msg(M_WARN, "WARNING: cryptoapicert: ignoring certificate in store %s.", + validity < 0 ? "not yet valid" : "that has expired"); } return rv;
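Review bot: the skip warning in the third hunk does not identify the certificate it skipped; with several stale entries under the same subject the log shows N identical "ignoring certificate in store that has expired" lines and nothing to act on. Suggest adding the search string (or the subject/thumbprint reachable through rv->pCertInfo) to the message, e.g. "WARNING: cryptoapicert: ignoring certificate matching %s in store %s." with cert_prop as the first argument. Style: "while(true)" should be "while (true)" to match the "if (rv)" spacing in the same hunk. The loop itself reads correctly: passing the previous rv as the last argument lets CertFindCertificateInStore free it, and validity keeps its initial 1 only when rv is NULL, in which case the !rv test breaks first and the function returns NULL.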
From patchwork Mon Feb 10 07:35:42 2020
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 989
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Feb 2020 13:35:42 -0500
Message-Id: <1581359742-30511-2-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1581359742-30511-1-git-send-email-selva.nair@gmail.com>
References: <1522729843-28878-1-git-send-email-selva.nair@gmail.com> <1581359742-30511-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 2/2 v3] Allow unicode search string in --cryptoapicert option
From: Selva Nair

Currently when the certificate is specified as "SUBJ:foo", the string foo is assumed to be ascii. Change that and interpret it as utf-8, convert to a wide string, and flag it as unicode in CertFindCertificateInStore().

Signed-off-by: Selva Nair
---
v3: nudging again, with a rebase to master

 src/openvpn/cryptoapi.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 3b70c33..acae96f 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -51,6 +51,7 @@ #include "buffer.h" #include "openssl_compat.h" +#include "win32.h" /* MinGW w32api 3.17 is still incomplete when it comes to CryptoAPI while * MinGW32-w64 defines all macros used. This is a hack around that problem. @@ -746,12 +747,13 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) const void *find_param; unsigned char hash[255]; CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; + struct gc_arena gc = gc_new(); if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ - find_param = cert_prop + 5; - find_type = CERT_FIND_SUBJECT_STR_A; + find_param = wide_string(cert_prop + 5, &gc); + find_type = CERT_FIND_SUBJECT_STR_W; } else if (!strncmp(cert_prop, "THUMB:", 6)) { @@ -779,7 +781,7 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) if (!*++p) /* unexpected end of string */ { msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop); - return NULL; + goto out; } if (*p >= '0' && *p <= '9') { @@ -819,6 +821,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) validity < 0 ? "not yet valid" : "that has expired"); } +out: + gc_free(&gc); return rv; }
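Review bot: the SUBJ: hunk (@@ -746,12) relies on wide_string() to deliver the UTF-8 interpretation the commit message promises, but the hunk only shows the call "find_param = wide_string(cert_prop + 5, &gc);"; please confirm the helper in win32.h converts with CP_UTF8 rather than the ANSI code page, otherwise a non-ASCII subject still depends on the system locale and the stated goal is not met. The gc_arena is created for both the SUBJ: and THUMB: paths; that is the right scope, since the wide string has to outlive the whole CertFindCertificateInStore loop, which is why the arena is released at the "out:" label after the loop. Switching CERT_FIND_SUBJECT_STR_A to CERT_FIND_SUBJECT_STR_W changes only the string encoding, so existing ASCII SUBJ: configurations match as before.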
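Review bot: in the error-path hunk (@@ -779,7) "return NULL" becomes "goto out", and rv is still NULL at that point, so callers see the same failure while the arena is now freed; with "out:" placed after the while loop in the last hunk every exit path releases gc. One nit carried over from patch 1 and still visible in the context line here: the parse-error message prints cert_prop after it has been advanced past the "THUMB:" tag, so the value logged is not the option string the user typed.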
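As an added operational check, not code from the patches or from OpenVPN: the PowerShell script below applies the same SUBJ:/THUMB: selection rules as --cryptoapicert to a Windows certificate store and reports which entries the patched lookup would skip as expired or not yet valid and which one it would hand to OpenVPN. It assumes the certificates live in Cert:\CurrentUser\My (use Cert:\LocalMachine\My when OpenVPN runs as a service), approximates the case-insensitive substring match of CERT_FIND_SUBJECT_STR with -like, and walks the store in Get-ChildItem order, which need not be the order CertFindCertificateInStore uses, so the "would pick" line is a best effort rather than a guarantee.

```powershell
# Added example, not part of OpenVPN: preview what the patched --cryptoapicert
# lookup would select from a Windows certificate store.
# Assumptions: certificates are in Cert:\CurrentUser\My unless -StorePath says
# otherwise; subject matching is approximated with -like.
param(
    # Same syntax as --cryptoapicert: "SUBJ:<string>" or "THUMB:<hex, spaces allowed>"
    [Parameter(Mandatory = $true)][string] $CertProp,
    [string] $StorePath = 'Cert:\CurrentUser\My'
)

$now = Get-Date

if ($CertProp.StartsWith('SUBJ:')) {
    $needle = $CertProp.Substring(5)
    # CERT_FIND_SUBJECT_STR is a case-insensitive substring match on the subject;
    # -like is case-insensitive by default, so "*$needle*" approximates it.
    $candidates = Get-ChildItem $StorePath | Where-Object { $_.Subject -like "*$needle*" }
}
elseif ($CertProp.StartsWith('THUMB:')) {
    # The option accepts "f6 49 24 ..." with spaces; the store indexes thumbprints
    # as upper-case hex without separators, so normalise before comparing.
    $thumb = ($CertProp.Substring(6) -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $candidates = Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $thumb }
}
else {
    throw "expected SUBJ:<string> or THUMB:<hex>, got '$CertProp'"
}

# Mirror the patched loop: report every match the time check would skip, keep the rest.
$valid = @()
foreach ($c in $candidates) {
    if ($c.NotBefore -gt $now) {
        Write-Warning "not yet valid (from $($c.NotBefore)): $($c.Thumbprint) $($c.Subject)"
    }
    elseif ($c.NotAfter -lt $now) {
        Write-Warning "expired (on $($c.NotAfter)): $($c.Thumbprint) $($c.Subject)"
    }
    else {
        $valid += $c
    }
}

if ($valid.Count -eq 0) {
    # This is the case the commit message describes: only stale matches, so the
    # patched lookup returns nothing and the connection fails.
    Write-Error "no time-valid certificate matches '$CertProp' in $StorePath"
    exit 1
}

# The first time-valid hit is what the patched find_certificate_in_store() would return.
Write-Host "would pick:"
$valid[0] | Format-List Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey
```

Run it as `.\Check-CryptoApiCert.ps1 -CertProp 'SUBJ:OpenVPN Client'` or with a `THUMB:` string copied from the config before rolling out the new build; a store that yields only warnings and the error line is one where the post-patch client will refuse to connect, and the warnings name the entries to renew or remove.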