From patchwork Wed Feb 12 04:06:06 2020
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 990
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 Feb 2020 10:06:06 -0500
Message-Id: <1581519967-16950-1-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1581359742-30511-1-git-send-email-selva.nair@gmail.com>
References: <1581359742-30511-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v4 1/2] Skip expired certificates in Windows certificate store
From: Selva Nair

Have the cryptoapicert option find the first matching certificate in store that is valid at the present time. Currently the first found item, even if expired, is returned.

This makes it possible to update certificates in store without having to delete old ones. As a side effect, if only expired certificates are found, the connection fails.

Also remove some unnecessary casts.

Tested on Windows 10.

Trac #966

v4: Handle the case when an unknown certificate specification is passed to find_certificate_in_store().

Note: Warnings printed from find_certificate_in_store() could show up multiple times as it's called for each certificate store. This could be improved in a future patch.

Signed-off-by: Selva Nair
Acked-by: Lev Stipakov
---
 src/openvpn/cryptoapi.c | 46 ++++++++++++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 2f2eee7..b9f1328 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -739,27 +739,30 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) * SUBJ: * THUMB:, e.g. * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28 + * The first matching certificate that has not expired is returned. */ const CERT_CONTEXT *rv = NULL; + DWORD find_type; + const void *find_param; + unsigned char hash[255]; + CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ - cert_prop += 5; - rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL); - + find_param = cert_prop + 5; + find_type = CERT_FIND_SUBJECT_STR_A; } else if (!strncmp(cert_prop, "THUMB:", 6)) { - unsigned char hash[255]; - char *p; + const char *p; int i, x = 0; - CRYPT_HASH_BLOB blob; + find_type = CERT_FIND_HASH; + find_param = &blob; /* skip the tag */ cert_prop += 6; - for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) + for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++) { if (*p >= '0' && *p <= '9') { @@ -775,7 +778,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } if (!*++p) /* unexpected end of string */ { - break; + msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop); + return NULL; } if (*p >= '0' && *p <= '9') { 
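Review bot: in the first hunk (@@ -739), `find_type` and `find_param` are declared without initializers and only the `SUBJ:` and `THUMB:` branches assign them; the code is correct solely because the new `else` branch returns before the search loop runs. Initialise them at declaration (`DWORD find_type = 0;` and `const void *find_param = NULL;`) so that a later edit to the branch structure cannot reach `CertFindCertificateInStore` with indeterminate values. Separately, `unsigned char hash[255]` is far larger than the 20-byte SHA-1 hash that `CERT_FIND_HASH` compares against; that size is pre-existing, but since the declaration is being moved anyway it is a good moment to bound the parse loop by the actual hash length and warn when the user supplies more hex than that.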
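Review bot: in the second hunk (@@ -775), `msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop);` passes `cert_prop` as an argument but the format string, as it reads here, carries no `%s` conversion for it, unlike the `<%s>` used by the sibling warning in the following hunk; if the `<%s>` was lost when the mail was rendered this is fine, otherwise the argument is silently dropped and the message is useless. Two more points deserve a sentence in the commit message: `cert_prop` has already been advanced past the `THUMB:` tag at this point, so the warning prints the bare hex rather than the option value the user typed, and replacing `break` with `return NULL` turns an odd-length or truncated thumbprint from a lenient search on the partial hash into a hard failure. The stricter behaviour is the right one for a credential selector, but it is a behaviour change and should be called out.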
@@ -796,10 +800,28 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } } blob.cbData = i; - blob.pbData = (unsigned char *) &hash; - rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_HASH, &blob, NULL); + } + else { + msg(M_WARN, "WARNING: cryptoapicert: unsupported certificate specification <%s>", cert_prop); + return NULL; + } + while(true) + { + int validity = 1; + /* this frees previous rv, if not NULL */ + rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, + 0, find_type, find_param, rv); + if (rv) + { + validity = CertVerifyTimeValidity(NULL, rv->pCertInfo); + } + if (!rv || validity == 0) + { + break; + } + msg(M_WARN, "WARNING: cryptoapicert: ignoring certificate in store %s.", + validity < 0 ? "not yet valid" : "that has expired"); } return rv;
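Review bot: in the search loop (@@ -796), `CertVerifyTimeValidity` is the only gate on the result, so the first certificate whose NotBefore/NotAfter window contains the local clock time wins even if it has no associated private key or is otherwise unusable, and a usable certificate further along the enumeration is never reached; that matches the commit message, but the `--cryptoapicert` documentation should state the rule as "first match that is within its validity period", not "first usable match", and users with several certificates sharing a subject should be steered to `THUMB:`. Note also that a skewed system clock now changes which certificate is chosen, where before it only affected the handshake. With several expired certificates in several stores the `ignoring certificate in store` warning is emitted once per skipped certificate per store, as the commit message already acknowledges. Style: `else {` should put the brace on its own line and `while(true)` wants a space before the parenthesis, to match the surrounding code.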
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 Feb 2020 10:06:07 -0500
Message-Id: <1581519967-16950-2-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1581519967-16950-1-git-send-email-selva.nair@gmail.com>
References: <1581359742-30511-1-git-send-email-selva.nair@gmail.com> <1581519967-16950-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v4 2/2] Allow unicode search string in --cryptoapicert option

From: Selva Nair

Currently when the certificate is specified as "SUBJ:foo", the string foo is assumed to be ASCII. Change that and interpret it as UTF-8, convert to a wide string, and flag it as unicode in CertFindCertificateInStore().

Signed-off-by: Selva Nair
Acked-by: Lev Stipakov
---
v4: matched to v4 of 1/2

 src/openvpn/cryptoapi.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index b9f1328..1bf74fc 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -51,6 +51,7 @@ #include "buffer.h" #include "openssl_compat.h" +#include "win32.h" /* MinGW w32api 3.17 is still incomplete when it comes to CryptoAPI while * MinGW32-w64 defines all macros used. This is a hack around that problem. @@ -746,12 +747,13 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) const void *find_param; unsigned char hash[255]; CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash}; + struct gc_arena gc = gc_new(); if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ - find_param = cert_prop + 5; - find_type = CERT_FIND_SUBJECT_STR_A; + find_param = wide_string(cert_prop + 5, &gc); + find_type = CERT_FIND_SUBJECT_STR_W; } else if (!strncmp(cert_prop, "THUMB:", 6)) { @@ -779,7 +781,7 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) if (!*++p) /* unexpected end of string */ { msg(M_WARN, "WARNING: cryptoapicert: error parsing .", cert_prop); - return NULL; + goto out; } if (*p >= '0' && *p <= '9') { @@ -803,7 +805,7 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } else { msg(M_WARN, "WARNING: cryptoapicert: unsupported certificate specification <%s>", cert_prop); - return NULL; + goto out; } while(true) @@ -824,6 +826,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) validity < 0 ? "not yet valid" : "that has expired"); } +out: + gc_free(&gc); return rv; }
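Review bot: in the `SUBJ:` branch (@@ -746), the result of `wide_string(cert_prop + 5, &gc)` is stored straight into `find_param` with no check; if the UTF-8 to UTF-16 conversion can fail on a malformed option string, the search runs with a NULL or partial parameter. Either check the result and `goto out` with a parsing warning, mirroring what the `THUMB:` path does, or state in the commit message that `wide_string()` is relied on never to fail. The rest of the hunk, moving the arena to function scope and routing every early return through `out:`, looks right: `rv` is still its initial NULL on both `goto out` paths, so callers cannot see a freed context.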
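Both patches change which certificate `--cryptoapicert` picks: 1/2 skips matches that are outside their validity period, and 2/2 makes `SUBJ:` matching Unicode-aware. The following PowerShell helper is an added example, not OpenVPN code and not part of either patch, for previewing what the patched selector would return on a given machine. It assumes the certificate lives in a `My` store, that `SUBJ:` behaves as the case-insensitive substring match `CertFindCertificateInStore` performs for `CERT_FIND_SUBJECT_STR`, and that the `THUMB:` normalisation (strip everything that is not a hex digit) is a loose stand-in for OpenVPN's parser rather than a byte-for-byte copy. The function name, parameter names and the two sample specifications at the bottom are constructed for the example. Enumeration order through `Cert:\` can differ from CryptoAPI's, so treat "first" as indicative.

```powershell
# Added example (not OpenVPN's code): preview which certificate a
# --cryptoapicert specification would select under the "first match that is
# time-valid now" rule, and flag the cases the selector does not check.
function Find-OpenVpnCert {
    param(
        [Parameter(Mandatory)] [string] $Spec,   # e.g. 'SUBJ:Alice' or 'THUMB:f6 49 ...'
        [string[]] $Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    $now = Get-Date

    # Build the match predicate the same way find_certificate_in_store() does:
    # SUBJ: -> substring of the subject name, THUMB: -> exact SHA-1 thumbprint,
    # anything else -> unsupported specification.
    $filter = if ($Spec.StartsWith('SUBJ:')) {
        # Unicode subjects are fine here, which is what patch 2/2 enables in OpenVPN.
        # Escape so that '*', '?' or '[' in the subject are matched literally;
        # -like itself is case-insensitive by default.
        $needle = [System.Management.Automation.WildcardPattern]::Escape($Spec.Substring(5))
        { $_.Subject -like "*$needle*" }.GetNewClosure()
    } elseif ($Spec.StartsWith('THUMB:')) {
        # Assumption: accept 'f6 49 24 ...' with or without spaces by dropping
        # every non-hex character; .Thumbprint is upper-case hex without spaces.
        $thumb = ($Spec.Substring(6) -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        { $_.Thumbprint -eq $thumb }.GetNewClosure()
    } else {
        throw "cryptoapicert: unsupported certificate specification <$Spec>"
    }

    # Walk the stores in the order OpenVPN tries them and classify every match
    # by validity period, the only property the patched loop looks at.
    $candidates = foreach ($store in $Stores) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store | Where-Object -FilterScript $filter | ForEach-Object {
            $state = if ($now -lt $_.NotBefore) { 'not yet valid' } elseif ($now -gt $_.NotAfter) { 'expired' } else { 'valid' }
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey   # not consulted by the selector
                State         = $state
            }
        }
    }
    $candidates | Format-Table -AutoSize | Out-Host

    # What the patched selector returns: the first time-valid match in the first
    # store that has one. Everything before it in the table is skipped with a warning.
    $selected = $candidates | Where-Object State -eq 'valid' | Select-Object -First 1
    if (-not $selected) {
        Write-Warning "no time-valid certificate matches <$Spec>; the connection would fail"
    } elseif (-not $selected.HasPrivateKey) {
        Write-Warning "selected certificate $($selected.Thumbprint) has no private key; the TLS handshake would fail"
    } elseif (($candidates | Where-Object State -eq 'valid').Count -gt 1) {
        Write-Warning "more than one time-valid match for <$Spec>; use THUMB: to pin the intended certificate"
    }
    return $selected
}

# Constructed sample specifications; no particular certificate is assumed to exist.
Find-OpenVpnCert -Spec 'SUBJ:Alice Example'
Find-OpenVpnCert -Spec 'THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28'
```

Run it in the same account OpenVPN runs as (a service sees `LocalMachine`, an interactive GUI session sees `CurrentUser`), since the store contents differ. The two extra warnings cover what the selector deliberately does not look at: a time-valid match without a private key still gets picked, and a `SUBJ:` that is a substring of several subjects returns whichever valid one is enumerated first.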