From patchwork Thu Aug 15 22:27:30 2019
X-Patchwork-Submitter: Kristof Provost via Openvpn-devel
X-Patchwork-Id: 812
To: "openvpn-devel@lists.sourceforge.net"
Date: Fri, 16 Aug 2019 08:27:30 +0000
Message-ID: <65530ded0938659345877e870f49d2ad4b9768ae.camel@target-holding.nl>
Subject: [Openvpn-devel] Patch: Export NotBefore and NotAfter items to the environment in client-connect
X-Patchwork-Original-From: Rolf Fokkens via Openvpn-devel
From: Kristof Provost via Openvpn-devel
Reply-To: Rolf Fokkens
Cc: Valentin Bajrami, Jasper Siero

We're considering using shorter-lived client certificates for our VPN users. In an effort to prevent negative impact for our staff due to expired certificates, we'd like to keep track of imminent expiration of certificates in the client-connect script (which we're using anyway to check if the certificate matches the user id). Many certificate attributes are passed to the script, but not the "NotAfter" and "NotBefore" attributes. The attached patch adds these to the mix.

Rolf

diff -ruN openvpn-2.4.7.orig/src/openvpn/ssl_verify.c openvpn-2.4.7/src/openvpn/ssl_verify.c
--- openvpn-2.4.7.orig/src/openvpn/ssl_verify.c	2019-02-20 13:28:23.000000000 +0100
+++ openvpn-2.4.7/src/openvpn/ssl_verify.c	2019-08-15 20:57:29.803381111 +0200
@@ -448,6 +448,25 @@
 }
 
 /*
+ * Export ASN1_TIME items to the environment
+ */
+static void
+setenv_ASN1_TIME(struct env_set *es, char *envname, int envnamesize,
+                 char *envprefix, int depth, const ASN1_TIME *asn1_time)
+{
+    char timestamp[32];
+    BIO *mem;
+
+    mem = BIO_new(BIO_s_mem());
+    if (ASN1_TIME_print (mem, asn1_time)) {
+        timestamp[BIO_read(mem, timestamp, sizeof(timestamp)-1)] = '\0';
+        openvpn_snprintf(envname, envnamesize, "%s_%d", envprefix, depth);
+        setenv_str(es, envname, timestamp);
+    }
+    BIO_free(mem);
+}
+
+/*
  * Export the subject, common_name, and raw certificate fields to the
  * environment for later verification by scripts and plugins.
  */
@@ -505,6 +524,12 @@
     openvpn_snprintf(envname, sizeof(envname), "tls_serial_hex_%d", cert_depth);
     setenv_str(es, envname, serial);
 
+    setenv_ASN1_TIME(es, envname, sizeof(envname), "tls_notbefore", cert_depth,
+                     X509_get_notBefore(peer_cert));
+
+    setenv_ASN1_TIME(es, envname, sizeof(envname), "tls_notafter", cert_depth,
+                     X509_get_notAfter(peer_cert));
+
     gc_free(&gc);
 }
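Review bot: in the new setenv_ASN1_TIME() the results of BIO_new() and BIO_read() are used without being checked. BIO_new() can return NULL, which would then be handed straight to ASN1_TIME_print(), and BIO_read() returns a negative value when it fails or has nothing buffered, so `timestamp[BIO_read(mem, timestamp, sizeof(timestamp)-1)] = '\0';` can index before the start of the stack array. Suggest bailing out if `mem` is NULL, reading into an `int len` and only terminating and exporting the string when `len >= 0`, otherwise leaving the variable unset rather than exporting garbage. Minor style points: `envprefix` is never modified and can be `const char *`, and `if (ASN1_TIME_print (mem, asn1_time)) {` has a space before the parenthesis and the brace on the same line, which differs from the brace-on-its-own-line style used in the surrounding code.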
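Review bot: the call site in verify_cert_set_env() uses X509_get_notBefore()/X509_get_notAfter() directly on peer_cert, and the helper it calls relies on BIO and ASN1_TIME, all of which are OpenSSL API; ssl_verify.c is shared by both TLS backends, so a build against mbed TLS would no longer compile with this hunk applied. Suggest moving the time export into the backend-specific files (ssl_verify_openssl.c and ssl_verify_mbedtls.c) behind a backend_x509_get_* style accessor (name hypothetical) and calling that here. The new tls_notbefore_{n} and tls_notafter_{n} variables also need to be documented in the environment-variables section of the man page, including the exact string format ASN1_TIME_print() emits, since client-connect scripts will have to parse it to compare against the current time.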