From patchwork Wed Aug 5 00:23:33 2020
X-Patchwork-Submitter: Vladislav Grishenko
X-Patchwork-Id: 1349
From: Vladislav Grishenko
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 5 Aug 2020 15:23:33 +0500
Message-Id: <20200805102333.3109-1-themiron@yandex-team.ru>
X-Mailer: git-send-email 2.17.1
Subject: [Openvpn-devel] [PATCH v2] Log serial number of revoked certificate

As it appears, commit 767e4c56becbfeea525e4695a810593f373883cd "Log serial number of revoked certificate" hasn't survived the refactoring of CRL handling.

In most situations the admin of an OpenVPN server needs to know which particular certificate is used by a client. In the case when the certificate is valid, an environment variable can be used for that, but once it is revoked, no user scripts are invoked, so there is no way to get the serial number; only the subject is logged.

Let's log the certificate serial in case it is revoked and additionally log certificate depth & subject in crl-verify "dir" mode for better consistency with crl file (non-dir) mode.

v2: log if serial is not available, require it in crl-verify dir mode
Signed-off-by: Vladislav Grishenko Acked-by: Lev Stipakov --- src/openvpn/ssl_verify.c | 14 +++++++++++--- src/openvpn/ssl_verify_mbedtls.c | 5 +++-- src/openvpn/ssl_verify_openssl.c | 5 +++-- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 844bc57d..97ccb93b 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -599,7 +599,8 @@ cleanup: * check peer cert against CRL directory */ static result_t -verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert) +verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert, + const char *subject, int cert_depth) { result_t ret = FAILURE; char fn[256]; @@ -607,6 +608,12 @@ verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert) struct gc_arena gc = gc_new(); char *serial = backend_x509_get_serial(cert, &gc); + if (!serial) + { + msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial number is not available", + cert_depth, subject); + goto cleanup; + } if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial)) { @@ -616,7 +623,8 @@ verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert) fd = platform_open(fn, O_RDONLY, 0); if (fd >= 0) { - msg(D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial); + msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial=%s is revoked", + cert_depth, subject, serial); goto cleanup; } @@ -758,7 +766,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep { if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR) { - if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert)) + if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert, subject, cert_depth)) { goto cleanup; } diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index fd31bbbd..93891038 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c 
@@ -68,6 +68,7 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, int ret = 0; char errstr[512] = { 0 }; char *subject = x509_get_subject(cert, &gc); + char *serial = backend_x509_get_serial(cert, &gc); ret = mbedtls_x509_crt_verify_info(errstr, sizeof(errstr)-1, "", *flags); if (ret <= 0 && !openvpn_snprintf(errstr, sizeof(errstr), @@ -82,8 +83,8 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, if (subject) { - msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s: %s", - cert_depth, subject, errstr); + msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s, serial=%s: %s", + cert_depth, subject, serial ? serial : "", errstr); } else { diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index ff14db23..454efeec 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -71,6 +71,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) { /* get the X509 name */ char *subject = x509_get_subject(current_cert, &gc); + char *serial = backend_x509_get_serial(current_cert, &gc); if (!subject) { @@ -89,10 +90,10 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) } /* Remote site specified a certificate, but it's not correct */ - msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s", + msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s, serial=%s", X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), - subject); + subject, serial ? serial : ""); ERR_clear_error();
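Review bot: the new `subject` and `cert_depth` parameters of `verify_check_crl_dir()` (hunk @@ -599,7 +599,8 @@ in ssl_verify.c) are used only for log output, and the comment above the function ("check peer cert against CRL directory") does not say so; a one-line note that they are purely diagnostic would stop the next reader from assuming `subject` takes part in the revocation decision.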
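Review bot: the new `if (!serial)` branch (hunk @@ -607,6 +608,12 @@ in ssl_verify.c) rejects the certificate, since `ret` is still FAILURE when it jumps to `cleanup`, but the message "VERIFY CRL: depth=%d, %s, serial number is not available" reads like an informational line; word it as a rejection (for example "... serial number not available, rejecting") so an admin can tell from the log why the handshake failed. As v2 now requires a serial in crl-verify dir mode, that behaviour change also deserves a sentence in the documentation, not only in the "v2:" line of the cover text.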
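Review bot: the revoked message (hunk @@ -616,7 +623,8 @@ in ssl_verify.c) prints the subject without a key, "VERIFY CRL: depth=%d, %s, serial=%s is revoked", while the backend messages in the same patch use "subject=%s"; admins and log parsers key on these strings, so use the same `subject=%s` form here (and in the "serial number is not available" message) so that the crl-verify dir and file modes produce lines of the same shape.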
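Review bot: `subject` is now passed through to `verify_check_crl_dir()` and printed with `%s` (hunk @@ -758,7 +766,7 @@ in ssl_verify.c); please confirm it cannot be NULL at this point in `verify_cert()`, as the hunk does not show where it is obtained or checked, otherwise the new messages would hand a NULL pointer to `%s`.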
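Review bot: in ssl_verify_mbedtls.c (hunk @@ -68,6 +68,7 @@) `serial` is fetched unconditionally at the top of `verify_callback()` next to `subject`, but in the visible hunks it is consumed only by the VERIFY ERROR message; moving the `backend_x509_get_serial(cert, &gc)` call next to that `msg()` avoids an extra allocation in the gc arena on every callback invocation that logs nothing.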
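Review bot: with `serial ? serial : ""` (hunk @@ -82,8 +83,8 @@ in ssl_verify_mbedtls.c) a missing serial degrades the line to "serial=:", which is easy to misread as an empty serial number; print an explicit marker such as "serial=<unavailable>" (or omit the field) so the two cases can be told apart, in line with the explicit "serial number is not available" wording used in ssl_verify.c.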
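Review bot: in ssl_verify_openssl.c (hunk @@ -71,6 +71,7 @@) `serial` is obtained before the `if (!subject)` check that follows it, and that check returns before `serial` is ever used; fetching the serial after the subject check, in the path that actually logs it, keeps the early-return path unchanged.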
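Review bot: the OpenSSL message (hunk @@ -89,10 +90,10 @@ in ssl_verify_openssl.c) appends the serial after the subject, "depth=%d, error=%s: %s, serial=%s", while the mbedTLS message in this same patch places it before the error text, "depth=%d, subject=%s, serial=%s: %s"; the two backends should emit the same field order and keys so that one log pattern matches both, and the `serial ? serial : ""` fallback has the same "serial=" ambiguity noted for the mbedTLS side.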
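An added example of consuming the lines this patch emits; it is not part of the patch or of the OpenVPN project. The regular expressions are derived from the four format strings visible in the hunks (the crl-verify dir messages in ssl_verify.c and the VERIFY ERROR messages of the OpenSSL and mbedTLS backends). The sample log below is constructed: the timestamps, depths, subjects, serials and error strings are made up for illustration, and the backend error texts are not taken from the page. It shows the practical consequence of the differing field orders between the two backends, since each needs its own pattern, and it treats an empty `serial=` field as "unknown" rather than as a serial.

```python
"""Extract certificate serials from the verification lines added by the patch."""
import re
from typing import Dict, List, Optional

# Patterns built from the format strings visible in the patch hunks:
#   ssl_verify.c (crl-verify dir mode):
#     "VERIFY CRL: depth=%d, %s, serial=%s is revoked"
#     "VERIFY CRL: depth=%d, %s, serial number is not available"
#   ssl_verify_openssl.c:
#     "VERIFY ERROR: depth=%d, error=%s: %s, serial=%s"
#   ssl_verify_mbedtls.c:
#     "VERIFY ERROR: depth=%d, subject=%s, serial=%s: %s"
_CRL_REVOKED = re.compile(r"VERIFY CRL: depth=(\d+), (.*), serial=(\S+) is revoked$")
_CRL_NOSERIAL = re.compile(r"VERIFY CRL: depth=(\d+), (.*), serial number is not available$")
_OPENSSL_ERR = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.*?): (.*), serial=(\d*)$")
_MBEDTLS_ERR = re.compile(r"VERIFY ERROR: depth=(\d+), subject=(.*), serial=(\d*): (.*)$")

# Constructed sample log (assumed values, not real OpenVPN output).
SAMPLE_LOG = """\
Wed Aug  5 10:23:33 2020 VERIFY CRL: depth=0, CN=client1, serial=42 is revoked
Wed Aug  5 10:23:34 2020 VERIFY CRL: depth=0, CN=client2, serial number is not available
Wed Aug  5 10:23:35 2020 VERIFY ERROR: depth=0, error=certificate revoked: CN=client3, serial=1234567
Wed Aug  5 10:23:36 2020 VERIFY ERROR: depth=0, error=certificate revoked: CN=client5, serial=
Wed Aug  5 10:23:37 2020 VERIFY ERROR: depth=1, subject=CN=Sub CA, serial=7: The certificate is signed with an unacceptable hash.
Wed Aug  5 10:23:38 2020 VERIFY ERROR: depth=0, subject=CN=client6, serial=99: The certificate has been revoked (is on a CRL)
Wed Aug  5 10:23:39 2020 VERIFY OK: depth=0, CN=client4
"""


def parse_verify_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict describing one verification failure, or None for other lines.

    "serial" is None when the line carried no serial (the "not available"
    message, or an empty "serial=" field from a backend); it is never "".
    """
    line = line.rstrip()
    m = _CRL_REVOKED.search(line)
    if m:
        return {"source": "crl-dir", "depth": int(m.group(1)), "subject": m.group(2),
                "serial": m.group(3), "reason": "revoked"}
    m = _CRL_NOSERIAL.search(line)
    if m:
        return {"source": "crl-dir", "depth": int(m.group(1)), "subject": m.group(2),
                "serial": None, "reason": "serial number is not available"}
    # The OpenSSL form carries "error=" and must be tried before the mbedTLS
    # form, whose trailing "(.*)" would otherwise swallow the OpenSSL fields.
    m = _OPENSSL_ERR.search(line)
    if m:
        return {"source": "openssl", "depth": int(m.group(1)), "subject": m.group(3),
                "serial": m.group(4) or None, "reason": m.group(2)}
    m = _MBEDTLS_ERR.search(line)
    if m:
        return {"source": "mbedtls", "depth": int(m.group(1)), "subject": m.group(2),
                "serial": m.group(3) or None, "reason": m.group(4)}
    return None


def revoked_serials(log: str) -> List[str]:
    """Serials of certificates rejected as revoked, in log order, without duplicates.

    Lines whose serial is unknown are skipped on purpose: an empty field must
    not be reported as a serial number.
    """
    found: List[str] = []
    for raw in log.splitlines():
        ev = parse_verify_line(raw)
        if ev is None or ev["serial"] is None:
            continue
        if "revoked" in str(ev["reason"]).lower() and ev["serial"] not in found:
            found.append(str(ev["serial"]))
    return found


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        print(parse_verify_line(raw))
    print("revoked serials:", revoked_serials(SAMPLE_LOG))
```

Lines with an unknown serial (the crl-dir "not available" message and a backend line with an empty `serial=` field) are parsed but excluded from `revoked_serials()`, so a log consumer never mistakes the empty field for a real serial.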