Log serial number of revoked certificate

In most of situations admin of OpenVPN server needs to know which
particular certificate is used by client.
In the case when certificate is OK, environment variable can be used for
that but once it is revoked, no user scripts are invoked so there is
no way to get serial number: only subject is printed in logs.

So we log certificate serial in case it is revoked.

Sponsored-by: Yandex LLC
Signed-off-by: Boris Lytochkin <lytboris@yandex-team.ru>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <55FEBF7E.3010209@yandex-team.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10154

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 767e4c56becbfeea525e4695a810593f373883cd)

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index e1118d6236a5ac767e95ac91b4540b4b42a8dfea..309e8323ba74e08ed90090137f0641aab06efde6 100644 (file)
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -585,6 +585,8 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
   BIO *in=NULL;
   int n,i;
   result_t retval = FAILURE;
+  struct gc_arena gc = gc_new();
+  char *serial;
 
   in = BIO_new_file (crl_file, "r");
 
@@ -609,7 +611,8 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
   for (i = 0; i < n; i++) {
     revoked = (X509_REVOKED *)sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
     if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(peer_cert)) == 0) {
-      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED",subject);
+      serial = backend_x509_get_serial_hex(peer_cert, &gc);
+      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject, (serial ? serial : "NOT AVAILABLE"));
       goto end;
     }
   }
@@ -618,6 +621,7 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
   msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
 
 end:
+  gc_free(&gc);
   BIO_free(in);
   if (crl)
     X509_CRL_free (crl);

diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c
index f8f9ab598ef3b5a6b22f1bf00571b55eb1466392..3a1ef48818ada6578fd37256e24c0fb108cebdc3 100644 (file)
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -413,6 +413,8 @@ x509_verify_crl(const char *crl_file, x509_cert *cert, const char *subject)
 {
   result_t retval = FAILURE;
   x509_crl crl = {0};
+  struct gc_arena gc = gc_new();
+  char *serial;
 
   int polar_retval = x509parse_crlfile(&crl, crl_file);
   if (polar_retval != 0)
@@ -434,7 +436,8 @@ x509_verify_crl(const char *crl_file, x509_cert *cert, const char *subject)
 
   if (0 != x509parse_revoked(cert, &crl))
     {
-      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED", subject);
+      serial = backend_x509_get_serial_hex(cert, &gc);
+      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject, (serial ? serial : "NOT AVAILABLE"));
       goto end;
     }
 
@@ -442,6 +445,7 @@ x509_verify_crl(const char *crl_file, x509_cert *cert, const char *subject)
   msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
 
 end:
+  gc_free(&gc);
   x509_crl_free(&crl);
   return retval;
 }