Hi.

Author: Boris Lytochkin <lytbo...@yandex-team.ru>
Sponsored-by: Yandex LLC

Log serial number of revoked certificate

In most situations the admin of an OpenVPN server needs to know which particular
certificate a client is using.
When the certificate is OK, an environment variable can be used for that, but once it is revoked no user scripts are invoked, so there is no way to get the serial number: only the subject is printed in the logs. The attached patch addresses this issue by logging the certificate serial number directly on the line that carries the certificate subject.

Tested with OpenSSL but PolarSSL should be good too.

Signed-off-by Boris Lytochkin <lytbo...@yandex-team.ru>

--
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 81b2e38..0a3cbe6 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -585,6 +585,7 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, 
const char *subject)
   BIO *in=NULL;
   int n,i;
   result_t retval = FAILURE;
+  struct gc_arena gc = gc_new();
 
   in = BIO_new_file (crl_file, "r");
 
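Review bot: The arena declared here is only drawn on in the revoked branch (hunk at L34-L46), so every call, including the common CRL-OK path, now creates and frees an arena. As far as I recall gc_new() only zero-initialises the arena header and allocates nothing until gc_malloc() is called, so the cost is nil, but a short comment at the declaration, `/* arena for the serial string logged on revocation; stays empty otherwise */`, would make that explicit for the next reader. The PolarSSL counterpart at L61-L69 introduces the same declaration and would take the same comment. x509_verify_crl continues outside this hunk.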
@@ -609,7 +610,7 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, 
const char *subject)
   for (i = 0; i < n; i++) {
     revoked = (X509_REVOKED *)sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), 
i);
     if (ASN1_INTEGER_cmp(revoked->serialNumber, 
X509_get_serialNumber(peer_cert)) == 0) {
-      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED",subject);
+      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", 
subject, backend_x509_get_serial_hex(peer_cert, &gc));
       goto end;
     }
   }
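Review bot: The serial is formatted from peer_cert rather than from the matching CRL entry, which is correct because this line is only reached after ASN1_INTEGER_cmp() reported the two serials equal, but that equivalence deserves a one-line comment: `/* revoked->serialNumber == peer serial here; log the peer's copy in hex */`. Note also that the line format changes from `CRL CHECK FAILED: %s is REVOKED` to `CRL CHECK FAILED: %s (serial %s) is REVOKED`, so any monitoring that scrapes this message must be updated; the PolarSSL hunk at L70-L80 makes the same format change. The subject string already came from the peer certificate before this change, so the serial, being hex-encoded, adds no new untrusted characters to the log line.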
@@ -618,6 +619,7 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, 
const char *subject)
   msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
 
 end:
+  gc_free(&gc);
   BIO_free(in);
   if (crl)
     X509_CRL_free (crl);
diff --git a/src/openvpn/ssl_verify_polarssl.c 
b/src/openvpn/ssl_verify_polarssl.c
index 2edf21d..14730f2 100644
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -373,6 +373,7 @@ x509_verify_crl(const char *crl_file, x509_crt *cert, const 
char *subject)
 {
   result_t retval = FAILURE;
   x509_crl crl = {0};
+  struct gc_arena gc = gc_new();
 
   int polar_retval = x509_crl_parse_file(&crl, crl_file);
   if (polar_retval != 0)
@@ -394,7 +395,7 @@ x509_verify_crl(const char *crl_file, x509_crt *cert, const 
char *subject)
 
   if (0 != x509_crt_revoked(cert, &crl))
     {
-      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED", subject);
+      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", 
subject, backend_x509_get_serial_hex(cert, &gc));
       goto end;
     }
 
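Review bot: backend_x509_get_serial_hex() in the PolarSSL backend returns NULL when x509_serial_gets() fails, if I remember its implementation correctly, and the new msg() call here hands that pointer straight to a %s conversion, which is undefined behaviour in vsnprintf even where glibc happens to print "(null)". Take the result into a local and substitute a fixed string: `const char *serial = backend_x509_get_serial_hex(cert, &gc);` followed by `msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject, serial ? serial : "unknown");`. The OpenSSL variant (hunk at L34-L46) formats through format_hex_ex() and as far as I recall cannot return NULL, so it needs no guard. x509_verify_crl starts and ends outside this hunk.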
@@ -402,6 +403,7 @@ x509_verify_crl(const char *crl_file, x509_crt *cert, const 
char *subject)
   msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
 
 end:
+  gc_free(&gc);
   x509_crl_free(&crl);
   return retval;
 }
