Peter 'Luna' Runestig has put together a Crypto API patch which tries to access user-based certificate/key pairs even when OpenVPN is running as a service.
Given that Peter can't test this patch himself, it would be great if someone who uses this feature would volunteer to do some testing and report back to the list. I've built a drop-in replacement for openvpn.exe (2.0-rc8) with the patch applied: http://openvpn.net/beta/ca3/ openvpn.exe -- this file is usually in \\Program Files\OpenVPN\bin openvpn.exe.asc -- GnuPG signature of above file Thanks, James On Sun, 16 Jan 2005, Peter 'Luna' Runestig wrote: > On 2005-01-16 03:12, James Yonan wrote: > > Looks like CERT_SYSTEM_STORE_USERS is undefined in the MinGW environment. > > > > gcc -g -O2 -Wall -Wno-unused-function -Wno-unused-variable -mno-cygwin > > -I/c/src/ > > openssl-0.9.7e/include -I/c/src/lzo-1.08/include -c cryptoapi.c -o > > cryptoapi.o > > cryptoapi.c: In function `SSL_CTX_use_CryptoAPI_certificate': > > cryptoapi.c:366: `CERT_SYSTEM_STORE_USERS' undeclared (first use in this > > function) > > cryptoapi.c:366: (Each undeclared identifier is reported only once > > cryptoapi.c:366: for each function it appears in.) > > make: *** [cryptoapi.o] Error 1 > > > > James > > Maybe this is better? > > --- cryptoapi-2.0_rc7.c 2004-12-02 00:16:36.000000000 +0100 > +++ cryptoapi.c 2005-01-16 10:24:03.942438400 +0100 > @@ -1,5 +1,5 @@ > /* > - * Copyright (c) 2004 Peter 'Luna' Runestig <pe...@runestig.com> > + * Copyright (c) 2004, 05 Peter 'Luna' Runestig <pe...@runestig.com> > * All rights reserved. > * > * Redistribution and use in source and binary forms, with or without modifi- > @@ -41,7 +41,9 @@ > #define CALG_SSL3_SHAMD5 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SSL3SHAMD5) > #define CERT_SYSTEM_STORE_LOCATION_SHIFT 16 > #define CERT_SYSTEM_STORE_CURRENT_USER_ID 1 > +#define CERT_SYSTEM_STORE_USERS_ID 6 > #define CERT_SYSTEM_STORE_CURRENT_USER (CERT_SYSTEM_STORE_CURRENT_USER_ID << > CERT_SYSTEM_STORE_LOCATION_SHIFT) > +#define CERT_SYSTEM_STORE_USERS (CERT_SYSTEM_STORE_USERS_ID << > CERT_SYSTEM_STORE_LOCATION_SHIFT) > #define CERT_STORE_READONLY_FLAG 0x00008000 > #define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000 > #define CRYPT_ACQUIRE_COMPARE_KEY_FLAG 0x00000004 > @@ -339,7 +341,8 @@ > SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_MALLOC_FAILURE); > goto err; > } > - /* search CURRENT_USER first, then LOCAL_MACHINE */ > + /* search for the wanted certificate in different parts of the system > store: > + * search HKEY_CURRENT_USER first... */ > cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, > CERT_SYSTEM_STORE_CURRENT_USER | > CERT_STORE_OPEN_EXISTING_FLAG | > CERT_STORE_READONLY_FLAG, L"MY"); > if (cs == NULL) { > @@ -349,6 +352,7 @@ > cd->cert_context = find_certificate_in_store(cert_prop, cs); > CertCloseStore(cs, 0); > if (!cd->cert_context) { > + /* ...then HKEY_LOCAL_MACHINE... */ > cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, > CERT_SYSTEM_STORE_LOCAL_MACHINE | > CERT_STORE_OPEN_EXISTING_FLAG | > CERT_STORE_READONLY_FLAG, L"MY"); > if (cs == NULL) { > @@ -357,6 +361,18 @@ > } > cd->cert_context = find_certificate_in_store(cert_prop, cs); > CertCloseStore(cs, 0); > + } > + if (!cd->cert_context) { > + /* ...then HKEY_USERS... */ > + /* TODO: Maybe only try this if we're running as SYSTEM? */ > + cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, > CERT_SYSTEM_STORE_USERS | > + CERT_STORE_OPEN_EXISTING_FLAG | > CERT_STORE_READONLY_FLAG, L"MY"); > + if (cs == NULL) { > + CRYPTOAPIerr(CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE); > + goto err; > + } > + cd->cert_context = find_certificate_in_store(cert_prop, cs); > + CertCloseStore(cs, 0); > if (cd->cert_context == NULL) { > CRYPTOAPIerr(CRYPTOAPI_F_CERT_FIND_CERTIFICATE_IN_STORE); > goto err; > > > -- > Peter 'Luna' Runestig (fd. Altberg), Sweden <pe...@runestig.com> > PGP Key ID: 0xD07BBE13 > Fingerprint: 7B5C 1F48 2997 C061 DE4B 42EA CB99 A35C D07B BE13 > AOL Instant Messenger Screen name: PRunestig > Yahoo! Messenger profile name: altberg >
