From patchwork Mon Jul 27 07:17:50 2020
X-Patchwork-Submitter: Vladislav Grishenko
X-Patchwork-Id: 1340
From: Vladislav Grishenko
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 27 Jul 2020 22:17:50 +0500
Message-Id: <20200727171750.26657-1-themiron@yandex-team.ru>
X-Mailer: git-send-email 2.17.1
Subject: [Openvpn-devel] [PATCH] Log serial number of revoked certificate

As it appears, commit 767e4c56becbfeea525e4695a810593f373883cd "Log serial number of revoked certificate" hasn't survived the refactoring of CRL handling. In most situations the admin of an OpenVPN server needs to know which particular certificate is used by a client. In the case when the certificate is valid, an environment variable can be used for that, but once it is revoked, no user scripts are invoked, so there is no way to get the serial number; only the subject is logged. Let's log the certificate serial in case it is revoked and additionally log certificate depth & subject in crl-verify "dir" mode for better consistency with crl file (non-dir) mode.

Signed-off-by: Vladislav Grishenko
---
 src/openvpn/ssl_verify.c         | 7 ++++---
 src/openvpn/ssl_verify_mbedtls.c | 5 +++--
 src/openvpn/ssl_verify_openssl.c | 5 +++--
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 844bc57d..07745514 100644
--- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -599,7 +599,7 @@ cleanup: * check peer cert against CRL directory */ static result_t -verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert) +verify_check_crl_dir(const char *crl_dir, int cert_depth, openvpn_x509_cert_t *cert, char *subject) { result_t ret = FAILURE; char fn[256]; @@ -616,7 +616,8 @@ verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert) fd = platform_open(fn, O_RDONLY, 0); if (fd >= 0) { - msg(D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial); + msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial=%s is revoked", + cert_depth, subject, serial); goto cleanup; } @@ -758,7 +759,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep { if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR) { - if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert)) + if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert_depth, cert, subject)) { goto cleanup; } diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index fd31bbbd..e9982e41 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -68,6 +68,7 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, int ret = 0; char errstr[512] = { 0 }; char *subject = x509_get_subject(cert, &gc); + char *serial = backend_x509_get_serial(cert, &gc); ret = mbedtls_x509_crt_verify_info(errstr, sizeof(errstr)-1, "", *flags); if (ret <= 0 && !openvpn_snprintf(errstr, sizeof(errstr), @@ -82,8 +83,8 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, if (subject) { - msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s: %s", - cert_depth, subject, errstr); + msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s, serial=%s: %s", + cert_depth, subject, serial ? serial : "", errstr); } else { 
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index ff14db23..20095cf7 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -71,6 +71,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) { /* get the X509 name */ char *subject = x509_get_subject(current_cert, &gc); + char *serial = backend_x509_get_serial(current_cert, &gc); if (!subject) { @@ -89,10 +90,10 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) } /* Remote site specified a certificate, but it's not correct */ - msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s", + msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s, serial=%s", X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), - subject); + subject, serial ? serial : ""); ERR_clear_error();
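Review bot: in the verify_check_crl_dir prototype hunk (ssl_verify.c @@ -599) the new `subject` parameter is only read for the log message, so it should be `const char *subject`; the rewritten one-line signature also runs well past the 80-column width the surrounding code keeps, so wrap it after `int cert_depth,`. The comment above the function (`check peer cert against CRL directory`) does not describe the two new parameters and should.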
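Review bot: the new crl-dir message in ssl_verify.c @@ -616, `"VERIFY CRL: depth=%d, %s, serial=%s is revoked"`, prints the subject with no `subject=` label, while the VERIFY ERROR message added in ssl_verify_mbedtls.c uses `subject=%s`; since X.509 subjects themselves contain commas, an unlabeled field between two labeled ones is hard to split, so use `"VERIFY CRL: depth=%d, subject=%s, serial=%s is revoked"`. Also, `serial` in this message is the existing local computed for the file lookup, whose encoding is not visible in the hunk; if it is not the same representation that backend_x509_get_serial() produces for the two backend messages, the commit message should say so, because admins will compare the two numbers.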
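Review bot: the call-site hunk (ssl_verify.c @@ -758) passes `subject` straight into a `%s` conversion with no NULL guard, whereas the backend hunks guard the serial with `serial ? serial : ""`; confirm that verify_cert() has already rejected a NULL `subject` before this point (that check is outside the hunk), or guard it the same way here.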
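Review bot: in ssl_verify_mbedtls.c @@ -68, `char *serial = backend_x509_get_serial(cert, &gc);` now runs on every callback invocation, including the successful path where `*flags` is zero and nothing is logged. That mirrors how `subject` is already computed unconditionally, so it is consistent, but if the extra allocation per handshake matters it can move into the `if (subject)` error branch that is the only consumer.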
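Review bot: the `else` branch of `if (subject)` in ssl_verify_mbedtls.c @@ -82 is outside the hunk but presumably still logs without the serial; the serial is most valuable exactly when the subject could not be extracted, so consider logging `serial ? serial : ""` there as well. Note also that the commit message says the serial is logged "in case it is revoked", while this message is emitted for every verification failure reported in `*flags` (expired, untrusted, and so on), and the new field is spliced in before the trailing `: %s` error text; both facts belong in the commit message for anyone with log parsers keyed on the old format.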
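Review bot: in ssl_verify_openssl.c @@ -71 the new `backend_x509_get_serial(current_cert, &gc)` line lands inside the block introduced by the comment `/* get the X509 name */`, which now under-describes it; update the comment to cover the serial, and, as with the mbedTLS side, the lookup runs on successful verifications too although only the error path below uses it.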
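Review bot: the OpenSSL format in ssl_verify_openssl.c @@ -89 becomes `"VERIFY ERROR: depth=%d, error=%s: %s, serial=%s"`, i.e. serial after an unlabeled subject, while the mbedTLS hunk produces `"VERIFY ERROR: depth=%d, subject=%s, serial=%s: %s"`; the two backends now report the same event with different field order and labeling, and a trailing `, serial=` after a comma-bearing subject is the harder of the two to parse. Align the OpenSSL format with the mbedTLS one (or at least label the subject) so a single parser covers both builds.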
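As an added example that is not part of the patch or of OpenVPN's own code: a Python parser for the three message formats the patch introduces, run over constructed log lines. The regular expressions are built only from the msg() format strings visible in the hunks; the sample lines, the "host:port" client prefix, the backend error texts and the hex/decimal serial pair are assumptions made for illustration and are not real OpenVPN output.

```python
"""Parse the certificate-verification failure messages introduced by the
patch above, over hypothetical log lines constructed for this example.

Message formats, taken from the patch's msg() calls:
  crl-verify dir : "VERIFY CRL: depth=%d, %s, serial=%s is revoked"
  mbedTLS backend: "VERIFY ERROR: depth=%d, subject=%s, serial=%s: %s"
  OpenSSL backend: "VERIFY ERROR: depth=%d, error=%s: %s, serial=%s"
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# X.509 subjects contain commas ("CN=client1, O=Example"), so the subject
# group is greedy and each pattern is anchored on the literal ", serial="
# that follows it and on the end of the line.
_CRL_DIR = re.compile(
    r"VERIFY CRL: depth=(?P<depth>\d+), (?P<subject>.*), "
    r"serial=(?P<serial>\S+) is revoked$")
_MBEDTLS = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), subject=(?P<subject>.*), "
    r"serial=(?P<serial>[0-9A-Fa-f]*): (?P<error>.*)$")
_OPENSSL = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>.*?): "
    r"(?P<subject>.*), serial=(?P<serial>[0-9A-Fa-f]*)$")


@dataclass
class VerifyEvent:
    depth: int            # 0 = the peer's own certificate, >0 = an issuer
    subject: str
    serial: str           # copied verbatim; not normalised between backends
    error: Optional[str]  # None for the crl-dir message (revocation implied)
    revoked: bool


def parse_verify_line(line: str) -> Optional[VerifyEvent]:
    """Return a VerifyEvent for a verification-failure line, else None.

    re.search is used because OpenVPN prefixes each line with a timestamp
    and, on a server, a "host:port" tag identifying the client."""
    m = _CRL_DIR.search(line)
    if m:
        return VerifyEvent(int(m["depth"]), m["subject"], m["serial"], None, True)
    for pattern in (_MBEDTLS, _OPENSSL):
        m = pattern.search(line)
        if m:
            error = m["error"]
            # Assumption: both backends word a CRL hit as "... revoked ..."
            return VerifyEvent(int(m["depth"]), m["subject"], m["serial"],
                               error, "revoked" in error.lower())
    return None


def revoked_serials(lines: List[str]) -> Dict[str, int]:
    """Count rejected handshakes per revoked serial. Repeated attempts with a
    revoked certificate are worth an alert, and the serial is the only stable
    identifier once --crl-verify refuses the client before any script runs."""
    counts: Dict[str, int] = {}
    for line in lines:
        event = parse_verify_line(line)
        if event is not None and event.revoked:
            counts[event.serial] = counts.get(event.serial, 0) + 1
    return counts


# Constructed sample lines (not real OpenVPN output). The pair 0A1B2C / 662316
# is one serial written in hex and in decimal, to show that the parser keeps
# whatever encoding each message family uses rather than unifying them.
SAMPLE_LOG = [
    "Mon Jul 27 17:33:24 2020 203.0.113.7:51000 VERIFY CRL: depth=0, "
    "CN=client1, O=Example, serial=0A1B2C is revoked",
    "Mon Jul 27 17:33:30 2020 203.0.113.7:51002 VERIFY ERROR: depth=0, "
    "subject=CN=client1, O=Example, serial=662316: "
    "The certificate has been revoked (is on a CRL)",
    "Mon Jul 27 17:33:41 2020 203.0.113.9:51010 VERIFY ERROR: depth=0, "
    "error=certificate revoked: CN=client2, O=Example, serial=662317",
    "Mon Jul 27 17:33:50 2020 203.0.113.9:51011 VERIFY ERROR: depth=1, "
    "error=unable to get local issuer certificate: CN=Rogue CA, serial=1",
    "Mon Jul 27 17:34:00 2020 203.0.113.7:51020 TLS: Initial packet from "
    "[AF_INET]203.0.113.7:51020",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(parse_verify_line(entry))
    print(revoked_serials(SAMPLE_LOG))
```

The three patterns differ only because the three format strings differ; the OpenSSL one is the fragile case, since its subject is unlabeled and followed by a trailing `, serial=`, so the parser relies on the end-of-line anchor to find the split. The counter deliberately keys on the raw serial string, so a revoked certificate seen through the crl-dir path and through the backend path will show up as two entries unless you normalise the encoding for your build.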