On 9/27/07, Faidon Liambotis <parav...@debian.org> wrote:
> Alon, ping?

Oh... missed your post.
Please don't keep changing the subject line.
And reply all to every correction.

> I'd really like to have this patch merged this time.
> If you don't, just say so, so it can get merged.

Only James can merge patches...
I only review this so that I can help you improve it.

> If you have any more comments or objections, just say so so I can fix them.

Some more notes:
1. For CertGetCertificateChain() you should use the following flag:
CERT_CHAIN_REVOCATION_CHECK_CHAIN
so that a CA may suicide.

2. CertVerifyCertificateChainPolicy()

PolicyPara extra should be set:
fdwChecks should be SECURITY_FLAG_IGNORE_CERT_CN_INVALID
as we check subject name within OpenVPN.

dwAuthType should be AUTHTYPE_CLIENT or AUTHTYPE_SERVER depending on
the configuration. I think that peer-to-peer should be
AUTHTYPE_SERVER.

3. I am not sure you require:
ChainPara.RequestedUsage = <something>
Have you tried to leave it zero?

4. I guess cleaner code would load crypt32.dll once in the module,
moving the LoadLibrary and GetProcAddress to a single function,
calling it from initialization code.
Also, if you already mess with this module, I guess cleanup code
should be added to free the library during termination... :)

Best Regards,
Alon Bar-Lev.
