summaryrefslogtreecommitdiff
path: root/src/openvpn/cryptoapi.c
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2016-12-27 18:25:47 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2016-12-27 18:25:47 +0100
commit3a2bbdb05ca6a6996e424c9fb225cb0d53804125 (patch)
treef29063da5bec4caf3853d49a22a09c8619eebd21 /src/openvpn/cryptoapi.c
parentd53dba59e78da865c4fe820386ff2f4f76925f3b (diff)
New upstream version 2.4.0upstream/2.4.0
Diffstat (limited to 'src/openvpn/cryptoapi.c')
-rw-r--r--src/openvpn/cryptoapi.c479
1 files changed, 282 insertions, 197 deletions
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index e107bd3..69a5a32 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -68,32 +68,32 @@
#endif
/* Size of an SSL signature: MD5+SHA1 */
-#define SSL_SIG_LENGTH 36
+#define SSL_SIG_LENGTH 36
/* try to funnel any Windows/CryptoAPI error messages to OpenSSL ERR_... */
-#define ERR_LIB_CRYPTOAPI (ERR_LIB_USER + 69) /* 69 is just a number... */
+#define ERR_LIB_CRYPTOAPI (ERR_LIB_USER + 69) /* 69 is just a number... */
#define CRYPTOAPIerr(f) err_put_ms_error(GetLastError(), (f), __FILE__, __LINE__)
-#define CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE 100
-#define CRYPTOAPI_F_CERT_FIND_CERTIFICATE_IN_STORE 101
+#define CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE 100
+#define CRYPTOAPI_F_CERT_FIND_CERTIFICATE_IN_STORE 101
#define CRYPTOAPI_F_CRYPT_ACQUIRE_CERTIFICATE_PRIVATE_KEY 102
-#define CRYPTOAPI_F_CRYPT_CREATE_HASH 103
-#define CRYPTOAPI_F_CRYPT_GET_HASH_PARAM 104
-#define CRYPTOAPI_F_CRYPT_SET_HASH_PARAM 105
-#define CRYPTOAPI_F_CRYPT_SIGN_HASH 106
-#define CRYPTOAPI_F_LOAD_LIBRARY 107
-#define CRYPTOAPI_F_GET_PROC_ADDRESS 108
-
-static ERR_STRING_DATA CRYPTOAPI_str_functs[] = {
- { ERR_PACK(ERR_LIB_CRYPTOAPI, 0, 0), "microsoft cryptoapi"},
- { ERR_PACK(0, CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE, 0), "CertOpenSystemStore" },
- { ERR_PACK(0, CRYPTOAPI_F_CERT_FIND_CERTIFICATE_IN_STORE, 0), "CertFindCertificateInStore" },
+#define CRYPTOAPI_F_CRYPT_CREATE_HASH 103
+#define CRYPTOAPI_F_CRYPT_GET_HASH_PARAM 104
+#define CRYPTOAPI_F_CRYPT_SET_HASH_PARAM 105
+#define CRYPTOAPI_F_CRYPT_SIGN_HASH 106
+#define CRYPTOAPI_F_LOAD_LIBRARY 107
+#define CRYPTOAPI_F_GET_PROC_ADDRESS 108
+
+static ERR_STRING_DATA CRYPTOAPI_str_functs[] = {
+ { ERR_PACK(ERR_LIB_CRYPTOAPI, 0, 0), "microsoft cryptoapi"},
+ { ERR_PACK(0, CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE, 0), "CertOpenSystemStore" },
+ { ERR_PACK(0, CRYPTOAPI_F_CERT_FIND_CERTIFICATE_IN_STORE, 0), "CertFindCertificateInStore" },
{ ERR_PACK(0, CRYPTOAPI_F_CRYPT_ACQUIRE_CERTIFICATE_PRIVATE_KEY, 0), "CryptAcquireCertificatePrivateKey" },
- { ERR_PACK(0, CRYPTOAPI_F_CRYPT_CREATE_HASH, 0), "CryptCreateHash" },
- { ERR_PACK(0, CRYPTOAPI_F_CRYPT_GET_HASH_PARAM, 0), "CryptGetHashParam" },
- { ERR_PACK(0, CRYPTOAPI_F_CRYPT_SET_HASH_PARAM, 0), "CryptSetHashParam" },
- { ERR_PACK(0, CRYPTOAPI_F_CRYPT_SIGN_HASH, 0), "CryptSignHash" },
- { ERR_PACK(0, CRYPTOAPI_F_LOAD_LIBRARY, 0), "LoadLibrary" },
- { ERR_PACK(0, CRYPTOAPI_F_GET_PROC_ADDRESS, 0), "GetProcAddress" },
+ { ERR_PACK(0, CRYPTOAPI_F_CRYPT_CREATE_HASH, 0), "CryptCreateHash" },
+ { ERR_PACK(0, CRYPTOAPI_F_CRYPT_GET_HASH_PARAM, 0), "CryptGetHashParam" },
+ { ERR_PACK(0, CRYPTOAPI_F_CRYPT_SET_HASH_PARAM, 0), "CryptSetHashParam" },
+ { ERR_PACK(0, CRYPTOAPI_F_CRYPT_SIGN_HASH, 0), "CryptSignHash" },
+ { ERR_PACK(0, CRYPTOAPI_F_LOAD_LIBRARY, 0), "LoadLibrary" },
+ { ERR_PACK(0, CRYPTOAPI_F_GET_PROC_ADDRESS, 0), "GetProcAddress" },
{ 0, NULL }
};
@@ -104,76 +104,94 @@ typedef struct _CAPI_DATA {
BOOL free_crypt_prov;
} CAPI_DATA;
-static char *ms_error_text(DWORD ms_err)
+static char *
+ms_error_text(DWORD ms_err)
{
LPVOID lpMsgBuf = NULL;
char *rv = NULL;
FormatMessage(
- FORMAT_MESSAGE_ALLOCATE_BUFFER |
- FORMAT_MESSAGE_FROM_SYSTEM |
- FORMAT_MESSAGE_IGNORE_INSERTS,
- NULL, ms_err,
- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), /* Default language */
- (LPTSTR) &lpMsgBuf, 0, NULL);
- if (lpMsgBuf) {
- char *p;
- rv = string_alloc(lpMsgBuf, NULL);
- LocalFree(lpMsgBuf);
- /* trim to the left */
- if (rv)
- for (p = rv + strlen(rv) - 1; p >= rv; p--) {
- if (isspace(*p))
- *p = '\0';
- else
- break;
- }
+ FORMAT_MESSAGE_ALLOCATE_BUFFER
+ |FORMAT_MESSAGE_FROM_SYSTEM
+ |FORMAT_MESSAGE_IGNORE_INSERTS,
+ NULL, ms_err,
+ MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), /* Default language */
+ (LPTSTR) &lpMsgBuf, 0, NULL);
+ if (lpMsgBuf)
+ {
+ char *p;
+ rv = string_alloc(lpMsgBuf, NULL);
+ LocalFree(lpMsgBuf);
+ /* trim to the left */
+ if (rv)
+ {
+ for (p = rv + strlen(rv) - 1; p >= rv; p--) {
+ if (isspace(*p))
+ {
+ *p = '\0';
+ }
+ else
+ {
+ break;
+ }
+ }
+ }
}
return rv;
}
-static void err_put_ms_error(DWORD ms_err, int func, const char *file, int line)
+static void
+err_put_ms_error(DWORD ms_err, int func, const char *file, int line)
{
static int init = 0;
-# define ERR_MAP_SZ 16
+#define ERR_MAP_SZ 16
static struct {
- int err;
- DWORD ms_err; /* I don't think we get more than 16 *different* errors */
+ int err;
+ DWORD ms_err; /* I don't think we get more than 16 *different* errors */
} err_map[ERR_MAP_SZ]; /* in here, before we give up the whole thing... */
int i;
if (ms_err == 0)
- /* 0 is not an error */
- return;
- if (!init) {
- ERR_load_strings(ERR_LIB_CRYPTOAPI, CRYPTOAPI_str_functs);
- memset(&err_map, 0, sizeof(err_map));
- init++;
+ {
+ /* 0 is not an error */
+ return;
+ }
+ if (!init)
+ {
+ ERR_load_strings(ERR_LIB_CRYPTOAPI, CRYPTOAPI_str_functs);
+ memset(&err_map, 0, sizeof(err_map));
+ init++;
}
/* since MS error codes are 32 bit, and the ones in the ERR_... system is
* only 12, we must have a mapping table between them. */
for (i = 0; i < ERR_MAP_SZ; i++) {
- if (err_map[i].ms_err == ms_err) {
- ERR_PUT_error(ERR_LIB_CRYPTOAPI, func, err_map[i].err, file, line);
- break;
- } else if (err_map[i].ms_err == 0 ) {
- /* end of table, add new entry */
- ERR_STRING_DATA *esd = calloc(2, sizeof(*esd));
- if (esd == NULL)
- break;
- err_map[i].ms_err = ms_err;
- err_map[i].err = esd->error = i + 100;
- esd->string = ms_error_text(ms_err);
- check_malloc_return(esd->string);
- ERR_load_strings(ERR_LIB_CRYPTOAPI, esd);
- ERR_PUT_error(ERR_LIB_CRYPTOAPI, func, err_map[i].err, file, line);
- break;
- }
+ if (err_map[i].ms_err == ms_err)
+ {
+ ERR_PUT_error(ERR_LIB_CRYPTOAPI, func, err_map[i].err, file, line);
+ break;
+ }
+ else if (err_map[i].ms_err == 0)
+ {
+ /* end of table, add new entry */
+ ERR_STRING_DATA *esd = calloc(2, sizeof(*esd));
+ if (esd == NULL)
+ {
+ break;
+ }
+ err_map[i].ms_err = ms_err;
+ err_map[i].err = esd->error = i + 100;
+ esd->string = ms_error_text(ms_err);
+ check_malloc_return(esd->string);
+ ERR_load_strings(ERR_LIB_CRYPTOAPI, esd);
+ ERR_PUT_error(ERR_LIB_CRYPTOAPI, func, err_map[i].err, file, line);
+ break;
+ }
}
}
/* encrypt */
-static int rsa_pub_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
+static int
+rsa_pub_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
{
/* I haven't been able to trigger this one, but I want to know if it happens... */
assert(0);
@@ -182,7 +200,8 @@ static int rsa_pub_enc(int flen, const unsigned char *from, unsigned char *to, R
}
/* verify arbitrary data */
-static int rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
+static int
+rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
{
/* I haven't been able to trigger this one, but I want to know if it happens... */
assert(0);
@@ -191,68 +210,78 @@ static int rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, R
}
/* sign arbitrary data */
-static int rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
+static int
+rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
{
CAPI_DATA *cd = (CAPI_DATA *) rsa->meth->app_data;
HCRYPTHASH hash;
DWORD hash_size, len, i;
unsigned char *buf;
- if (cd == NULL) {
- RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_PASSED_NULL_PARAMETER);
- return 0;
+ if (cd == NULL)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
}
- if (padding != RSA_PKCS1_PADDING) {
- /* AFAICS, CryptSignHash() *always* uses PKCS1 padding. */
- RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
- return 0;
+ if (padding != RSA_PKCS1_PADDING)
+ {
+ /* AFAICS, CryptSignHash() *always* uses PKCS1 padding. */
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
+ return 0;
}
/* Unfortunately, there is no "CryptSign()" function in CryptoAPI, that would
* be way to straightforward for M$, I guess... So we have to do it this
* tricky way instead, by creating a "Hash", and load the already-made hash
* from 'from' into it. */
/* For now, we only support NID_md5_sha1 */
- if (flen != SSL_SIG_LENGTH) {
- RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_INVALID_MESSAGE_LENGTH);
- return 0;
+ if (flen != SSL_SIG_LENGTH)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_INVALID_MESSAGE_LENGTH);
+ return 0;
}
- if (!CryptCreateHash(cd->crypt_prov, CALG_SSL3_SHAMD5, 0, 0, &hash)) {
- CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_CREATE_HASH);
- return 0;
+ if (!CryptCreateHash(cd->crypt_prov, CALG_SSL3_SHAMD5, 0, 0, &hash))
+ {
+ CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_CREATE_HASH);
+ return 0;
}
len = sizeof(hash_size);
- if (!CryptGetHashParam(hash, HP_HASHSIZE, (BYTE *) &hash_size, &len, 0)) {
- CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_GET_HASH_PARAM);
+ if (!CryptGetHashParam(hash, HP_HASHSIZE, (BYTE *) &hash_size, &len, 0))
+ {
+ CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_GET_HASH_PARAM);
CryptDestroyHash(hash);
- return 0;
+ return 0;
}
- if ((int) hash_size != flen) {
- RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_INVALID_MESSAGE_LENGTH);
+ if ((int) hash_size != flen)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_INVALID_MESSAGE_LENGTH);
CryptDestroyHash(hash);
- return 0;
+ return 0;
}
- if (!CryptSetHashParam(hash, HP_HASHVAL, (BYTE * ) from, 0)) {
- CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_SET_HASH_PARAM);
+ if (!CryptSetHashParam(hash, HP_HASHVAL, (BYTE * ) from, 0))
+ {
+ CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_SET_HASH_PARAM);
CryptDestroyHash(hash);
- return 0;
+ return 0;
}
len = RSA_size(rsa);
buf = malloc(len);
- if (buf == NULL) {
- RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
+ if (buf == NULL)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
CryptDestroyHash(hash);
- return 0;
+ return 0;
}
- if (!CryptSignHash(hash, cd->key_spec, NULL, 0, buf, &len)) {
- CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_SIGN_HASH);
+ if (!CryptSignHash(hash, cd->key_spec, NULL, 0, buf, &len))
+ {
+ CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_SIGN_HASH);
CryptDestroyHash(hash);
free(buf);
- return 0;
+ return 0;
}
/* and now, we have to reverse the byte-order in the result from CryptSignHash()... */
for (i = 0; i < len; i++)
- to[i] = buf[len - i - 1];
+ to[i] = buf[len - i - 1];
free(buf);
CryptDestroyHash(hash);
@@ -260,7 +289,8 @@ static int rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to,
}
/* decrypt */
-static int rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
+static int
+rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
{
/* I haven't been able to trigger this one, but I want to know if it happens... */
assert(0);
@@ -269,30 +299,39 @@ static int rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to,
}
/* called at RSA_new */
-static int init(RSA *rsa)
+static int
+init(RSA *rsa)
{
return 0;
}
/* called at RSA_free */
-static int finish(RSA *rsa)
+static int
+finish(RSA *rsa)
{
CAPI_DATA *cd = (CAPI_DATA *) rsa->meth->app_data;
if (cd == NULL)
- return 0;
+ {
+ return 0;
+ }
if (cd->crypt_prov && cd->free_crypt_prov)
- CryptReleaseContext(cd->crypt_prov, 0);
+ {
+ CryptReleaseContext(cd->crypt_prov, 0);
+ }
if (cd->cert_context)
- CertFreeCertificateContext(cd->cert_context);
+ {
+ CertFreeCertificateContext(cd->cert_context);
+ }
free(rsa->meth->app_data);
free((char *) rsa->meth);
rsa->meth = NULL;
return 1;
}
-static const CERT_CONTEXT *find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
+static const CERT_CONTEXT *
+find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
{
/* Find, and use, the desired certificate from the store. The
* 'cert_prop' certificate search string can look like this:
@@ -302,50 +341,68 @@ static const CERT_CONTEXT *find_certificate_in_store(const char *cert_prop, HCER
*/
const CERT_CONTEXT *rv = NULL;
- if (!strncmp(cert_prop, "SUBJ:", 5)) {
- /* skip the tag */
- cert_prop += 5;
- rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
- 0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL);
-
- } else if (!strncmp(cert_prop, "THUMB:", 6)) {
- unsigned char hash[255];
- char *p;
- int i, x = 0;
- CRYPT_HASH_BLOB blob;
-
- /* skip the tag */
- cert_prop += 6;
- for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) {
- if (*p >= '0' && *p <= '9')
- x = (*p - '0') << 4;
- else if (*p >= 'A' && *p <= 'F')
- x = (*p - 'A' + 10) << 4;
- else if (*p >= 'a' && *p <= 'f')
- x = (*p - 'a' + 10) << 4;
- if (!*++p) /* unexpected end of string */
- break;
- if (*p >= '0' && *p <= '9')
- x += *p - '0';
- else if (*p >= 'A' && *p <= 'F')
- x += *p - 'A' + 10;
- else if (*p >= 'a' && *p <= 'f')
- x += *p - 'a' + 10;
- hash[i] = x;
- /* skip any space(s) between hex numbers */
- for (p++; *p && *p == ' '; p++);
- }
- blob.cbData = i;
- blob.pbData = (unsigned char *) &hash;
- rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
- 0, CERT_FIND_HASH, &blob, NULL);
+ if (!strncmp(cert_prop, "SUBJ:", 5))
+ {
+ /* skip the tag */
+ cert_prop += 5;
+ rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+ 0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL);
+
+ }
+ else if (!strncmp(cert_prop, "THUMB:", 6))
+ {
+ unsigned char hash[255];
+ char *p;
+ int i, x = 0;
+ CRYPT_HASH_BLOB blob;
+
+ /* skip the tag */
+ cert_prop += 6;
+ for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) {
+ if (*p >= '0' && *p <= '9')
+ {
+ x = (*p - '0') << 4;
+ }
+ else if (*p >= 'A' && *p <= 'F')
+ {
+ x = (*p - 'A' + 10) << 4;
+ }
+ else if (*p >= 'a' && *p <= 'f')
+ {
+ x = (*p - 'a' + 10) << 4;
+ }
+ if (!*++p) /* unexpected end of string */
+ {
+ break;
+ }
+ if (*p >= '0' && *p <= '9')
+ {
+ x += *p - '0';
+ }
+ else if (*p >= 'A' && *p <= 'F')
+ {
+ x += *p - 'A' + 10;
+ }
+ else if (*p >= 'a' && *p <= 'f')
+ {
+ x += *p - 'a' + 10;
+ }
+ hash[i] = x;
+ /* skip any space(s) between hex numbers */
+ for (p++; *p && *p == ' '; p++) ;
+ }
+ blob.cbData = i;
+ blob.pbData = (unsigned char *) &hash;
+ rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+ 0, CERT_FIND_HASH, &blob, NULL);
}
return rv;
}
-int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
+int
+SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
{
HCERTSTORE cs;
X509 *cert = NULL;
@@ -353,50 +410,57 @@ int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
CAPI_DATA *cd = calloc(1, sizeof(*cd));
RSA_METHOD *my_rsa_method = calloc(1, sizeof(*my_rsa_method));
- if (cd == NULL || my_rsa_method == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_MALLOC_FAILURE);
- goto err;
+ if (cd == NULL || my_rsa_method == NULL)
+ {
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_MALLOC_FAILURE);
+ goto err;
}
/* search CURRENT_USER first, then LOCAL_MACHINE */
- cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER |
- CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY");
- if (cs == NULL) {
- CRYPTOAPIerr(CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE);
- goto err;
+ cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER
+ |CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY");
+ if (cs == NULL)
+ {
+ CRYPTOAPIerr(CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE);
+ goto err;
}
cd->cert_context = find_certificate_in_store(cert_prop, cs);
CertCloseStore(cs, 0);
- if (!cd->cert_context) {
- cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_LOCAL_MACHINE |
- CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY");
- if (cs == NULL) {
- CRYPTOAPIerr(CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE);
- goto err;
- }
- cd->cert_context = find_certificate_in_store(cert_prop, cs);
- CertCloseStore(cs, 0);
- if (cd->cert_context == NULL) {
- CRYPTOAPIerr(CRYPTOAPI_F_CERT_FIND_CERTIFICATE_IN_STORE);
- goto err;
- }
+ if (!cd->cert_context)
+ {
+ cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_LOCAL_MACHINE
+ |CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY");
+ if (cs == NULL)
+ {
+ CRYPTOAPIerr(CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE);
+ goto err;
+ }
+ cd->cert_context = find_certificate_in_store(cert_prop, cs);
+ CertCloseStore(cs, 0);
+ if (cd->cert_context == NULL)
+ {
+ CRYPTOAPIerr(CRYPTOAPI_F_CERT_FIND_CERTIFICATE_IN_STORE);
+ goto err;
+ }
}
/* cert_context->pbCertEncoded is the cert X509 DER encoded. */
cert = d2i_X509(NULL, (const unsigned char **) &cd->cert_context->pbCertEncoded,
- cd->cert_context->cbCertEncoded);
- if (cert == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_ASN1_LIB);
- goto err;
+ cd->cert_context->cbCertEncoded);
+ if (cert == NULL)
+ {
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_ASN1_LIB);
+ goto err;
}
/* set up stuff to use the private key */
if (!CryptAcquireCertificatePrivateKey(cd->cert_context, CRYPT_ACQUIRE_COMPARE_KEY_FLAG,
- NULL, &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov)) {
- /* if we don't have a smart card reader here, and we try to access a
- * smart card certificate, we get:
- * "Error 1223: The operation was canceled by the user." */
- CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_ACQUIRE_CERTIFICATE_PRIVATE_KEY);
- goto err;
+ NULL, &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov))
+ {
+ /* if we don't have a smart card reader here, and we try to access a
+ * smart card certificate, we get:
+ * "Error 1223: The operation was canceled by the user." */
+ CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_ACQUIRE_CERTIFICATE_PRIVATE_KEY);
+ goto err;
}
/* here we don't need to do CryptGetUserKey() or anything; all necessary key
* info is in cd->cert_context, and then, in cd->crypt_prov. */
@@ -412,15 +476,18 @@ int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
my_rsa_method->app_data = (char *) cd;
rsa = RSA_new();
- if (rsa == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_MALLOC_FAILURE);
- goto err;
+ if (rsa == NULL)
+ {
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_MALLOC_FAILURE);
+ goto err;
}
/* cert->cert_info->key->pkey is NULL until we call SSL_CTX_use_certificate(),
* so we do it here then... */
if (!SSL_CTX_use_certificate(ssl_ctx, cert))
- goto err;
+ {
+ goto err;
+ }
/* the public key */
pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
/* SSL_CTX_use_certificate() increased the reference count in 'cert', so
@@ -433,36 +500,54 @@ int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
rsa->n = BN_dup(pub_rsa->n);
rsa->flags |= RSA_FLAG_EXT_PKEY;
if (!RSA_set_method(rsa, my_rsa_method))
- goto err;
+ {
+ goto err;
+ }
if (!SSL_CTX_use_RSAPrivateKey(ssl_ctx, rsa))
- goto err;
+ {
+ goto err;
+ }
/* SSL_CTX_use_RSAPrivateKey() increased the reference count in 'rsa', so
- * we decrease it here with RSA_free(), or it will never be cleaned up. */
+ * we decrease it here with RSA_free(), or it will never be cleaned up. */
RSA_free(rsa);
return 1;
- err:
+err:
if (cert)
- X509_free(cert);
+ {
+ X509_free(cert);
+ }
if (rsa)
- RSA_free(rsa);
- else {
- if (my_rsa_method)
- free(my_rsa_method);
- if (cd) {
- if (cd->free_crypt_prov && cd->crypt_prov)
- CryptReleaseContext(cd->crypt_prov, 0);
- if (cd->cert_context)
- CertFreeCertificateContext(cd->cert_context);
- free(cd);
- }
+ {
+ RSA_free(rsa);
+ }
+ else
+ {
+ if (my_rsa_method)
+ {
+ free(my_rsa_method);
+ }
+ if (cd)
+ {
+ if (cd->free_crypt_prov && cd->crypt_prov)
+ {
+ CryptReleaseContext(cd->crypt_prov, 0);
+ }
+ if (cd->cert_context)
+ {
+ CertFreeCertificateContext(cd->cert_context);
+ }
+ free(cd);
+ }
}
return 0;
}
-#else
+#else /* ifdef ENABLE_CRYPTOAPI */
#ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */
-static void dummy (void) {}
+static void
+dummy(void) {
+}
#endif
-#endif /* _WIN32 */
+#endif /* _WIN32 */