Re: [Openvpn-devel] [PATCH v2] Use CryptoAPI to verify certificates

2007-01-04 Thread Faidon Liambotis 
Hi,
Thank you for your comments.

Alon Bar-Lev wrote:
> On 1/3/07, Faidon Liambotis  wrote:
>> Ok, here's another try, even though I didn't get any comments on the
>> first one :-)
>>
>> This is a totally different approach; the previous one was flawed in at
>> least two aspects:
> 
> This is better.
> But you should use CertVerifyCertificateChainPolicy in order to verify
> chain, you should have two policies, one for server and one for
> client...
I've thought about it but didn't implement it because the only policy I
could think of was the nsCertType checking which is already being done
by OpenSSL if the user requested it.

> I think you can remove the global variable you added to ssl.c and put
> it in the session.
True, I will fix this.

Regards,
Faidon

Re: [Openvpn-devel] [PATCH v2] Use CryptoAPI to verify certificates

2007-01-03 Thread Alon Bar-Lev 

On 1/3/07, Faidon Liambotis  wrote:

Ok, here's another try, even though I didn't get any comments on the
first one :-)

This is a totally different approach; the previous one was flawed in at
least two aspects:


This is better.
But you should use CertVerifyCertificateChainPolicy in order to verify
chain, you should have two policies, one for server and one for
client...

I think you can remove the global variable you added to ssl.c and put
it in the session.

Another thing... I think the MinGW specific code should be dropped, I
know it was in the previous source... But there should be no problem
in creating one code which runs on both.

Best Regards,
Alon Bar-Lev.

[Openvpn-devel] [PATCH v2] Use CryptoAPI to verify certificates

2007-01-02 Thread Faidon Liambotis 
Ok, here's another try, even though I didn't get any comments on the
first one :-)

This is a totally different approach; the previous one was flawed in at
least two aspects:
- A certificate signed by an CA stored in the "Intermediate CA store"
but not trusted would be considered acceptable by OpenVPN.
- There wasn't any CRL checking.

This time, instead of importing CryptoAPI stores into OpenSSL, I'm using
CryptoAPI functions to actually check for the trust status of the
certificate in OpenSSL's verify callback. This way, we are submitting
the server's certificate to the same criteria as any other native
Windows (i.e. non-OpenSSL) application would.

As always, the patch has been compile and runtime tested. No manpage
documentation yet -even though it's fairly obvious-, I'm still waiting for
comments.

Best regards,
Faidon

diff -Nurp openvpn-2.1_rc1/cryptoapi.c openvpn-2.1_rc1-void/cryptoapi.c
--- openvpn-2.1_rc1/cryptoapi.c Mon Oct 16 01:30:21 2006
+++ openvpn-2.1_rc1-void/cryptoapi.cWed Jan  3 09:09:52 2007
@@ -48,6 +48,8 @@
 static HINSTANCE crypt32dll = NULL;
 static BOOL WINAPI (*CryptAcquireCertificatePrivateKey) (PCCERT_CONTEXT pCert, 
DWORD dwFlags,
 void *pvReserved, HCRYPTPROV *phCryptProv, DWORD *pdwKeySpec, BOOL 
*pfCallerFreeProv) = NULL;
+static PCCERT_CONTEXT WINAPI (*CertCreateCertificateContext) (DWORD 
dwCertEncodingType,
+ const BYTE *pbCertEncoded, DWORD cbCertEncoded) = NULL;
 #endif

 /* Size of an SSL signature: MD5+SHA1 */
@@ -65,6 +67,8 @@ static BOOL WINAPI (*CryptAcquireCertifi
 #define CRYPTOAPI_F_CRYPT_SIGN_HASH106
 #define CRYPTOAPI_F_LOAD_LIBRARY   107
 #define CRYPTOAPI_F_GET_PROC_ADDRESS   108
+#define CRYPTOAPI_F_CERT_CREATE_CERT_CONTEXT   109
+#define CRYPTOAPI_F_CERT_GET_CERT_CHAIN110

 static ERR_STRING_DATA CRYPTOAPI_str_functs[] ={
 { ERR_PACK(ERR_LIB_CRYPTOAPI, 0, 0),   
"microsoft cryptoapi"},
@@ -77,6 +81,8 @@ static ERR_STRING_DATA CRYPTOAPI_str_fun
 { ERR_PACK(0, CRYPTOAPI_F_CRYPT_SIGN_HASH, 0), 
"CryptSignHash" },
 { ERR_PACK(0, CRYPTOAPI_F_LOAD_LIBRARY, 0),
"LoadLibrary" },
 { ERR_PACK(0, CRYPTOAPI_F_GET_PROC_ADDRESS, 0),
"GetProcAddress" },
+{ ERR_PACK(0, CRYPTOAPI_F_CERT_CREATE_CERT_CONTEXT, 0),
"CertCreateCertificateContext" },
+{ ERR_PACK(0, CRYPTOAPI_F_CERT_GET_CERT_CHAIN, 0), 
"CertGetCertificateChain" },
 { 0, NULL }
 };

@@ -364,7 +370,7 @@ int SSL_CTX_use_CryptoAPI_certificate(SS
 }

 /* cert_context->pbCertEncoded is the cert X509 DER encoded. */
-cert = d2i_X509(NULL, (unsigned char **) >cert_context->pbCertEncoded,
+cert = d2i_X509(NULL, (const unsigned char **) 
>cert_context->pbCertEncoded,
cd->cert_context->cbCertEncoded);
 if (cert == NULL) {
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_ASN1_LIB);
@@ -460,4 +466,82 @@ int SSL_CTX_use_CryptoAPI_certificate(SS
}
 }
 return 0;
+}
+
+int CryptoAPI_verify_certificate(X509 *x509)
+{
+  int ret = -1;
+  int len;
+  unsigned char *buf = NULL;
+
+  PCCERT_CONTEXT pCertContext = NULL;
+  PCCERT_CHAIN_CONTEXT pChainContext = NULL;
+  CERT_ENHKEY_USAGE EnhkeyUsage;
+  CERT_USAGE_MATCH CertUsage;  
+  CERT_CHAIN_PARA ChainPara;
+
+  /* Convert from internal X509 format to DER */
+  len = i2d_X509(x509, );
+  if (len < 0) {
+   SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_ASN1_LIB);
+   goto err;
+  }
+
+#ifdef __MINGW32_VERSION
+/* MinGW w32api is incomplete when it comes to CryptoAPI, as per version 
3.1
+ * anyway. This is a hack around that problem. */
+if (crypt32dll == NULL) {
+   crypt32dll = LoadLibrary("crypt32");
+   if (crypt32dll == NULL) {
+   CRYPTOAPIerr(CRYPTOAPI_F_LOAD_LIBRARY);
+   goto err;
+   }
+}
+if (CertCreateCertificateContext == NULL) {
+   CertCreateCertificateContext = GetProcAddress(crypt32dll,
+   "CertCreateCertificateContext");
+   if (CertCreateCertificateContext == NULL) {
+   CRYPTOAPIerr(CRYPTOAPI_F_GET_PROC_ADDRESS);
+   goto err;
+   }
+}
+#endif
+
+  /* Create a certificate context based on the above certificate */
+  pCertContext = CertCreateCertificateContext(X509_ASN_ENCODING | 
PKCS_7_ASN_ENCODING,
+   buf, len);
+  if (pCertContext == NULL) {
+   CRYPTOAPIerr(CRYPTOAPI_F_CERT_CREATE_CERT_CONTEXT);
+   goto err;
+  }
+
+  /* Create an empty issuer list */
+  EnhkeyUsage.cUsageIdentifier = 0;
+  EnhkeyUsage.rgpszUsageIdentifier = NULL;
+  CertUsage.dwType = USAGE_MATCH_TYPE_AND;
+  CertUsage.Usage  = EnhkeyUsage;
+
+  /* Searching and matching criteria to be used when building the chain */
+  ChainPara.cbSize = sizeof(CERT_CHAIN_PARA);
+  ChainPara.RequestedUsage = CertUsage;
+
+