
Re: [Openvpn-devel] Re: Openvpn future: probably certificate problems...


  • Subject: Re: [Openvpn-devel] Re: Openvpn future: probably certificate problems...
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Mon, 17 Jan 2005 15:41:50 -0700 (MST)

Peter 'Luna' Runestig has put together a Crypto API patch which tries to 
access user-based certificate/key pairs even when OpenVPN is running as a 
service.

Given that Peter can't test this patch himself, it would be great if
someone who uses this feature would volunteer to do some testing and
report back to the list.

I've built a drop-in replacement for openvpn.exe (2.0-rc8) with the patch
applied:

http://openvpn.net/beta/ca3/

  openvpn.exe -- this file is usually in \\Program Files\OpenVPN\bin
  openvpn.exe.asc -- GnuPG signature of above file

Thanks,
James 

On Sun, 16 Jan 2005, Peter 'Luna' Runestig wrote:

> On 2005-01-16 03:12, James Yonan wrote:
> > Looks like CERT_SYSTEM_STORE_USERS is undefined in the MinGW environment.
> > 
> > gcc -g -O2 -Wall -Wno-unused-function -Wno-unused-variable -mno-cygwin -I/c/src/
> > openssl-0.9.7e/include -I/c/src/lzo-1.08/include -c cryptoapi.c -o cryptoapi.o
> > cryptoapi.c: In function `SSL_CTX_use_CryptoAPI_certificate':
> > cryptoapi.c:366: `CERT_SYSTEM_STORE_USERS' undeclared (first use in this function)
> > cryptoapi.c:366: (Each undeclared identifier is reported only once
> > cryptoapi.c:366: for each function it appears in.)
> > make: *** [cryptoapi.o] Error 1
> > 
> > James
> 
> Maybe this is better?
> 
> --- cryptoapi-2.0_rc7.c	2004-12-02 00:16:36.000000000 +0100
> +++ cryptoapi.c	2005-01-16 10:24:03.942438400 +0100
> @@ -1,5 +1,5 @@
>  /*
> - * Copyright (c) 2004 Peter 'Luna' Runestig <peter@xxxxxxxxxxxx>
> + * Copyright (c) 2004, 05 Peter 'Luna' Runestig <peter@xxxxxxxxxxxx>
>   * All rights reserved.
>   *
>   * Redistribution and use in source and binary forms, with or without modifi-
> @@ -41,7 +41,9 @@
>  #define CALG_SSL3_SHAMD5 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SSL3SHAMD5)
>  #define CERT_SYSTEM_STORE_LOCATION_SHIFT 16
>  #define CERT_SYSTEM_STORE_CURRENT_USER_ID 1
> +#define CERT_SYSTEM_STORE_USERS_ID 6
>  #define CERT_SYSTEM_STORE_CURRENT_USER (CERT_SYSTEM_STORE_CURRENT_USER_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
> +#define CERT_SYSTEM_STORE_USERS (CERT_SYSTEM_STORE_USERS_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
>  #define CERT_STORE_READONLY_FLAG 0x00008000
>  #define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000
>  #define CRYPT_ACQUIRE_COMPARE_KEY_FLAG 0x00000004
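Review bot: the two new defines, `CERT_SYSTEM_STORE_USERS_ID` and `CERT_SYSTEM_STORE_USERS`, are added unconditionally next to the other hand-declared CERT_SYSTEM_STORE_* constants, so they will collide with a toolchain whose wincrypt.h already declares them (the MinGW build in the quoted error is missing them, but a newer SDK will not be); consider guarding the pair with `#ifndef CERT_SYSTEM_STORE_USERS_ID` ... `#endif` so the file builds in both environments.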
> @@ -339,7 +341,8 @@
>  	SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_MALLOC_FAILURE);
>  	goto err;
>      }
> -    /* search CURRENT_USER first, then LOCAL_MACHINE */
> +    /* search for the wanted certificate in different parts of the system store:
> +     * search HKEY_CURRENT_USER first... */
>      cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER |
>  		       CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY");
>      if (cs == NULL) {
> @@ -349,6 +352,7 @@
>      cd->cert_context = find_certificate_in_store(cert_prop, cs);
>      CertCloseStore(cs, 0);
>      if (!cd->cert_context) {
> +	/* ...then HKEY_LOCAL_MACHINE... */
>  	cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_LOCAL_MACHINE |
>  			   CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY");
>  	if (cs == NULL) {
> @@ -357,6 +361,18 @@
>  	}
>  	cd->cert_context = find_certificate_in_store(cert_prop, cs);
>  	CertCloseStore(cs, 0);
> +    }
> +    if (!cd->cert_context) {
> +	/* ...then HKEY_USERS... */
> +	/* TODO: Maybe only try this if we're running as SYSTEM? */
> +	cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_USERS |
> +			   CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY");
> +	if (cs == NULL) {
> +	    CRYPTOAPIerr(CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE);
> +	    goto err;
> +	}
> +	cd->cert_context = find_certificate_in_store(cert_prop, cs);
> +	CertCloseStore(cs, 0);
>  	if (cd->cert_context == NULL) {
>  	    CRYPTOAPIerr(CRYPTOAPI_F_CERT_FIND_CERTIFICATE_IN_STORE);
>  	    goto err;
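Review bot: the new fallback at `cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_USERS | ...` runs for every caller whose certificate was not found under CURRENT_USER or LOCAL_MACHINE, not only for the service case the patch is meant to fix, so a matching certificate from another user's store can be selected silently; resolve the `/* TODO: Maybe only try this if we're running as SYSTEM? */` before merging, either by checking the process identity or by gating the HKEY_USERS lookup behind a configuration option, and log which of the three stores supplied `cd->cert_context` so a tester can see where the certificate came from. The open/find/close sequence is now repeated three times; a small loop over the three CERT_SYSTEM_STORE_* location flags would remove the duplication and make the search order explicit.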
> 
> 
> -- 
> Peter 'Luna' Runestig (fd. Altberg), Sweden <peter@xxxxxxxxxxxx>
> PGP Key ID: 0xD07BBE13
> Fingerprint: 7B5C 1F48 2997 C061 DE4B  42EA CB99 A35C D07B BE13
> AOL Instant Messenger Screen name: PRunestig
> Yahoo! Messenger profile name: altberg
> 


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-devel