Fork of wolfSSL by
src/crl.c@0:d92f9d21154c, 2015-06-26 (annotated)
- Committer:
- wolfSSL
- Date:
- Fri Jun 26 00:39:20 2015 +0000
- Revision:
- 0:d92f9d21154c
wolfSSL 3.6.0
| wolfSSL | 0:d92f9d21154c | 1 | /* crl.c |
| wolfSSL | 0:d92f9d21154c | 2 | * |
| wolfSSL | 0:d92f9d21154c | 3 | * Copyright (C) 2006-2015 wolfSSL Inc. |
| wolfSSL | 0:d92f9d21154c | 4 | * |
| wolfSSL | 0:d92f9d21154c | 5 | * This file is part of wolfSSL. (formerly known as CyaSSL) |
| wolfSSL | 0:d92f9d21154c | 6 | * |
| wolfSSL | 0:d92f9d21154c | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
| wolfSSL | 0:d92f9d21154c | 8 | * it under the terms of the GNU General Public License as published by |
| wolfSSL | 0:d92f9d21154c | 9 | * the Free Software Foundation; either version 2 of the License, or |
| wolfSSL | 0:d92f9d21154c | 10 | * (at your option) any later version. |
| wolfSSL | 0:d92f9d21154c | 11 | * |
| wolfSSL | 0:d92f9d21154c | 12 | * wolfSSL is distributed in the hope that it will be useful, |
| wolfSSL | 0:d92f9d21154c | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| wolfSSL | 0:d92f9d21154c | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| wolfSSL | 0:d92f9d21154c | 15 | * GNU General Public License for more details. |
| wolfSSL | 0:d92f9d21154c | 16 | * |
| wolfSSL | 0:d92f9d21154c | 17 | * You should have received a copy of the GNU General Public License |
| wolfSSL | 0:d92f9d21154c | 18 | * along with this program; if not, write to the Free Software |
| wolfSSL | 0:d92f9d21154c | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
| wolfSSL | 0:d92f9d21154c | 20 | */ |
| wolfSSL | 0:d92f9d21154c | 21 | |
| wolfSSL | 0:d92f9d21154c | 22 | /* Name change compatibility layer no longer needs included here */ |
| wolfSSL | 0:d92f9d21154c | 23 | |
| wolfSSL | 0:d92f9d21154c | 24 | #ifdef HAVE_CONFIG_H |
| wolfSSL | 0:d92f9d21154c | 25 | #include <config.h> |
| wolfSSL | 0:d92f9d21154c | 26 | #endif |
| wolfSSL | 0:d92f9d21154c | 27 | |
| wolfSSL | 0:d92f9d21154c | 28 | #include <wolfssl/wolfcrypt/settings.h> |
| wolfSSL | 0:d92f9d21154c | 29 | |
| wolfSSL | 0:d92f9d21154c | 30 | #ifdef HAVE_CRL |
| wolfSSL | 0:d92f9d21154c | 31 | |
| wolfSSL | 0:d92f9d21154c | 32 | #include <wolfssl/internal.h> |
| wolfSSL | 0:d92f9d21154c | 33 | #include <wolfssl/error-ssl.h> |
| wolfSSL | 0:d92f9d21154c | 34 | |
| wolfSSL | 0:d92f9d21154c | 35 | #include <dirent.h> |
| wolfSSL | 0:d92f9d21154c | 36 | #include <sys/stat.h> |
| wolfSSL | 0:d92f9d21154c | 37 | #include <string.h> |
| wolfSSL | 0:d92f9d21154c | 38 | |
| wolfSSL | 0:d92f9d21154c | 39 | #ifdef HAVE_CRL_MONITOR |
| wolfSSL | 0:d92f9d21154c | 40 | static int StopMonitor(int mfd); |
| wolfSSL | 0:d92f9d21154c | 41 | #endif |
| wolfSSL | 0:d92f9d21154c | 42 | |
| wolfSSL | 0:d92f9d21154c | 43 | |
/* Initialize the members of a WOLFSSL_CRL.
 *
 * crl  CRL context to initialize (must not be NULL).
 * cm   owning certificate manager; stored so CheckCertCRL can reach the
 *      missing-CRL callback later.
 *
 * Returns 0 on success, BAD_MUTEX_E if the list lock cannot be created.
 * Nothing is allocated here: the entry list and both monitor paths start
 * empty, and (with HAVE_CRL_MONITOR) no monitor thread or event fd exists.
 */
int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
{
    int i;

    WOLFSSL_ENTER("InitCRL");

    crl->cm      = cm;
    crl->crlList = NULL;

    /* one monitor slot per file type (index 0 PEM, index 1 DER); neither
     * directory is watched yet */
    for (i = 0; i < 2; i++)
        crl->monitors[i].path = NULL;

#ifdef HAVE_CRL_MONITOR
    crl->tid = 0;   /* no monitor thread running */
    crl->mfd = -1;  /* kqueue fd on BSD/macOS, eventfd on Linux */
#endif

    return (InitMutex(&crl->crlLock) == 0) ? 0 : BAD_MUTEX_E;
}
| wolfSSL | 0:d92f9d21154c | 62 | |
| wolfSSL | 0:d92f9d21154c | 63 | |
/* Populate a freshly allocated CRL_Entry from a decoded CRL.
 *
 * Copies the issuer hash, the this/next update dates with their formats, and
 * the revoked-certificate count, then steals the revoked list from dcrl
 * (dcrl->certs is set to NULL, presumably so FreeDecodedCRL will not release
 * it). crle->next is left for the caller to set.
 *
 * Always returns 0.
 */
static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl)
{
    WOLFSSL_ENTER("InitCRL_Entry");

    /* the issuer hash is the lookup key used by CheckCertCRL */
    XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE);
    /* the CRL's own hash is not cached; copy dcrl->crlHash here if a faster
     * duplicate check is ever needed */

    XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
    crle->lastDateFormat = dcrl->lastDateFormat;
    XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
    crle->nextDateFormat = dcrl->nextDateFormat;

    /* ownership of the revoked list moves to the entry */
    crle->totalCerts = dcrl->totalCerts;
    crle->certs      = dcrl->certs;
    dcrl->certs      = NULL;

    return 0;
}
| wolfSSL | 0:d92f9d21154c | 83 | |
| wolfSSL | 0:d92f9d21154c | 84 | |
/* Release the revoked-certificate list owned by a CRL_Entry.
 *
 * Frees every RevokedCert node reachable from crle->certs. The entry itself
 * is not freed and crle->certs is not reset; callers free the entry right
 * after this call.
 */
static void FreeCRL_Entry(CRL_Entry* crle)
{
    RevokedCert* node;

    WOLFSSL_ENTER("FreeCRL_Entry");

    for (node = crle->certs; node != NULL; ) {
        RevokedCert* following = node->next;
        XFREE(node, NULL, DYNAMIC_TYPE_REVOKED);
        node = following;
    }
}
| wolfSSL | 0:d92f9d21154c | 98 | |
| wolfSSL | 0:d92f9d21154c | 99 | |
| wolfSSL | 0:d92f9d21154c | 100 | |
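/* Release everything owned by a WOLFSSL_CRL.
 *
 * crl      CRL context to tear down.
 * dynamic  non-zero if crl itself was heap allocated and must be freed too.
 *
 * Order matters: with HAVE_CRL_MONITOR the monitor thread reads
 * crl->monitors[].path and swaps crl->crlList (see SwapLists), so it is
 * stopped and joined *before* those resources are freed. Freeing them first
 * would let a still-running monitor touch freed memory.
 */
void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
{
    CRL_Entry* tmp;

    WOLFSSL_ENTER("FreeCRL");

#ifdef HAVE_CRL_MONITOR
    if (crl->tid != 0) {
        WOLFSSL_MSG("stopping monitor thread");
        if (StopMonitor(crl->mfd) == 0)
            pthread_join(crl->tid, NULL);
        else {
            /* could not signal the thread (e.g. crl->mfd never got set up);
             * cancel as a last resort. A cancelled thread may still hold
             * crlLock or open descriptors, so this path is best effort. */
            WOLFSSL_MSG("stop monitor failed, cancel instead");
            pthread_cancel(crl->tid);
        }
    }
#endif

    /* safe to free now: no other thread reads the paths or the list */
    if (crl->monitors[0].path)
        XFREE(crl->monitors[0].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);
    if (crl->monitors[1].path)
        XFREE(crl->monitors[1].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);

    tmp = crl->crlList;
    while (tmp) {
        CRL_Entry* next = tmp->next;
        FreeCRL_Entry(tmp);
        XFREE(tmp, NULL, DYNAMIC_TYPE_CRL_ENTRY);
        tmp = next;
    }

    FreeMutex(&crl->crlLock);

    if (dynamic) /* free self */
        XFREE(crl, NULL, DYNAMIC_TYPE_CRL);
}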
| wolfSSL | 0:d92f9d21154c | 136 | |
| wolfSSL | 0:d92f9d21154c | 137 | |
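/* Check a certificate against the loaded CRLs, return 0 if it is not revoked.
 *
 * crl   CRL context holding the entry list and its lock.
 * cert  decoded certificate to check; its issuerHash, serial/serialSz and
 *       CRL distribution point extension (extCrlInfo/extCrlInfoSz) are read.
 *
 * Returns 0 when a current CRL from the cert's issuer is loaded and does not
 * list the cert's serial. Otherwise:
 *   CRL_CERT_REVOKED  the serial appears on the issuer's CRL
 *   CRL_MISSING       no CRL for the issuer is loaded, or the loaded one is
 *                     past its nextUpdate (the ASN_AFTER_DATE_E set on that
 *                     path is overwritten with CRL_MISSING so the missing-CRL
 *                     callback gets a chance to fetch a fresh copy)
 *   BAD_MUTEX_E       the list lock could not be taken
 *
 * When no usable CRL is found and the cert manager has a cbMissingCRL
 * callback, it is invoked (outside the lock) with the distribution point URL
 * copied from the certificate, or "" if there is none or it does not fit the
 * local buffer. That URL comes from the peer's certificate and is untrusted:
 * the callback must validate it before fetching anything from it.
 */
int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
{
    CRL_Entry* crle;
    int foundEntry = 0;
    int ret = 0;

    WOLFSSL_ENTER("CheckCertCRL");

    if (LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("LockMutex failed");
        return BAD_MUTEX_E;
    }

    /* AddCRL prepends, so the most recently loaded CRL for an issuer is the
     * one found here; the search stops at the first issuer match */
    for (crle = crl->crlList; crle != NULL; crle = crle->next) {
        if (XMEMCMP(crle->issuerHash, cert->issuerHash, CRL_DIGEST_SIZE) != 0)
            continue;

        WOLFSSL_MSG("Found CRL Entry on list");
        WOLFSSL_MSG("Checking next date validity");

        if (!ValidateDate(crle->nextDate, crle->nextDateFormat, AFTER)) {
            WOLFSSL_MSG("CRL next date is no longer valid");
            ret = ASN_AFTER_DATE_E;
        }
        else
            foundEntry = 1;
        break;
    }

    if (foundEntry) {
        RevokedCert* rc;

        for (rc = crle->certs; rc != NULL; rc = rc->next) {
            /* serials must match in length as well as content: comparing only
             * rc->serialSz bytes would let a revoked serial that is a prefix
             * of the cert's serial (or longer than it) give the wrong answer */
            if (rc->serialSz == cert->serialSz &&
                XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
                WOLFSSL_MSG("Cert revoked");
                ret = CRL_CERT_REVOKED;
                break;
            }
        }
    }

    UnLockMutex(&crl->crlLock);

    if (foundEntry == 0) {
        WOLFSSL_MSG("Couldn't find CRL for status check");
        ret = CRL_MISSING;
        if (crl->cm->cbMissingCRL) {
            char url[256];
            int  urlSz = cert->extCrlInfoSz;

            WOLFSSL_MSG("Issuing missing CRL callback");
            url[0] = '\0';
            /* guard the pointer and sign explicitly: a negative size would
             * wrap to a huge memcpy length, and no extension means "" */
            if (urlSz > 0 && cert->extCrlInfo != NULL) {
                if (urlSz < (int)sizeof(url) - 1) {
                    XMEMCPY(url, cert->extCrlInfo, urlSz);
                    url[urlSz] = '\0';
                }
                else {
                    WOLFSSL_MSG("CRL url too long");
                }
            }
            /* called with the lock released so the callback may load a CRL */
            crl->cm->cbMissingCRL(url);
        }
    }

    return ret;
}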
| wolfSSL | 0:d92f9d21154c | 207 | |
| wolfSSL | 0:d92f9d21154c | 208 | |
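/* Add a decoded CRL to the front of the context's entry list, 0 on success.
 *
 * crl   CRL context (list + lock).
 * dcrl  decoded CRL; its revoked list is taken over by the new entry.
 *
 * Returns MEMORY_E if the entry cannot be allocated (the same code
 * BufferLoadCRL uses for its own allocation failure; callers test for
 * non-zero), -1 if the entry cannot be initialized, BAD_MUTEX_E if the list
 * lock cannot be taken. On the lock failure the revoked list already taken
 * from dcrl is released with the entry.
 */
static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl)
{
    CRL_Entry* crle;

    WOLFSSL_ENTER("AddCRL");

    crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), NULL, DYNAMIC_TYPE_CRL_ENTRY);
    if (crle == NULL) {
        WOLFSSL_MSG("alloc CRL Entry failed");
        return MEMORY_E;
    }

    /* after this call crle owns dcrl->certs and must be released with
     * FreeCRL_Entry; before it the entry's fields are uninitialized */
    if (InitCRL_Entry(crle, dcrl) < 0) {
        WOLFSSL_MSG("Init CRL Entry failed");
        XFREE(crle, NULL, DYNAMIC_TYPE_CRL_ENTRY);
        return -1;
    }

    if (LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("LockMutex failed");
        FreeCRL_Entry(crle);
        XFREE(crle, NULL, DYNAMIC_TYPE_CRL_ENTRY);
        return BAD_MUTEX_E;
    }

    /* prepend: CheckCertCRL stops at the first issuer match, so the newest
     * CRL loaded for an issuer is the one consulted */
    crle->next = crl->crlList;
    crl->crlList = crle;

    UnLockMutex(&crl->crlLock);

    return 0;
}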
| wolfSSL | 0:d92f9d21154c | 240 | |
| wolfSSL | 0:d92f9d21154c | 241 | |
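/* Load one CRL from memory, SSL_SUCCESS on ok.
 *
 * crl   CRL context to add to.
 * buff  CRL bytes, PEM or DER according to type.
 * sz    length of buff in bytes; must be positive.
 * type  SSL_FILETYPE_PEM for PEM input; anything else is passed to ParseCRL
 *       as DER.
 *
 * Returns SSL_SUCCESS, BAD_FUNC_ARG for a NULL/zero/negative argument, -1 if
 * the PEM cannot be converted, MEMORY_E (WOLFSSL_SMALL_STACK), or the error
 * code from ParseCRL/AddCRL.
 */
int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
{
    int ret = SSL_SUCCESS;
    const byte* myBuffer = buff; /* buff itself for DER, der.buffer for PEM */
    buffer der;
#ifdef WOLFSSL_SMALL_STACK
    DecodedCRL* dcrl;
#else
    DecodedCRL dcrl[1];
#endif

    WOLFSSL_ENTER("BufferLoadCRL");

    der.buffer = NULL;

    /* sz is signed: a negative length would wrap when cast to word32 for
     * ParseCRL, so reject it along with zero */
    if (crl == NULL || buff == NULL || sz <= 0)
        return BAD_FUNC_ARG;

    if (type == SSL_FILETYPE_PEM) {
        int eccKey = 0; /* required by PemToDer, not meaningful for a CRL */
        EncryptedInfo info;
        info.ctx = NULL;

        ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey);
        if (ret != 0) {
            WOLFSSL_MSG("Pem to Der failed");
            /* PemToDer may have allocated der.buffer before failing (e.g. on
             * a base64 error); release it so malformed PEM cannot leak */
            if (der.buffer)
                XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL);
            return -1;
        }
        myBuffer = der.buffer;
        sz = der.length;
    }

#ifdef WOLFSSL_SMALL_STACK
    dcrl = (DecodedCRL*)XMALLOC(sizeof(DecodedCRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (dcrl == NULL) {
        ret = MEMORY_E;
        goto cleanup;
    }
#endif

    InitDecodedCRL(dcrl);
    ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
    if (ret != 0) {
        WOLFSSL_MSG("ParseCRL error");
    }
    else {
        /* AddCRL takes dcrl->certs, so FreeDecodedCRL below only releases
         * what ParseCRL left behind */
        ret = AddCRL(crl, dcrl);
        if (ret != 0) {
            WOLFSSL_MSG("AddCRL error");
        }
    }

    FreeDecodedCRL(dcrl);

#ifdef WOLFSSL_SMALL_STACK
    XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER);
cleanup:
#endif
    if (der.buffer)
        XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL);

    return ret ? ret : SSL_SUCCESS; /* convert 0 to SSL_SUCCESS */
}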
| wolfSSL | 0:d92f9d21154c | 310 | |
| wolfSSL | 0:d92f9d21154c | 311 | |
| wolfSSL | 0:d92f9d21154c | 312 | #ifdef HAVE_CRL_MONITOR |
| wolfSSL | 0:d92f9d21154c | 313 | |
| wolfSSL | 0:d92f9d21154c | 314 | |
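/* Rebuild the CRL list from the monitored directories and swap it in.
 *
 * Called from the monitor thread when a watched directory changes. The new
 * list is built into a temporary WOLFSSL_CRL (own mutex, same cert manager)
 * without holding crl->crlLock, then exchanged under the lock so CheckCertCRL
 * never sees a half-built list. The old entries end up in the temporary
 * context and are released with it; tmp->tid stays 0, so FreeCRL on it never
 * tries to stop a monitor thread.
 *
 * Returns 0 on success, MEMORY_E if the temporary context cannot be allocated
 * (WOLFSSL_SMALL_STACK), -1 on any other failure. On failure the live list is
 * left untouched: a bad reload keeps serving the previous (possibly stale)
 * CRLs rather than none, which callers relying on CRL_MISSING should know.
 */
static int SwapLists(WOLFSSL_CRL* crl)
{
    int ret = -1;
    int initialized = 0;   /* tmp holds a mutex that must be freed */
    CRL_Entry* newList;
#ifdef WOLFSSL_SMALL_STACK
    WOLFSSL_CRL* tmp;
#else
    WOLFSSL_CRL tmp[1];
#endif

#ifdef WOLFSSL_SMALL_STACK
    tmp = (WOLFSSL_CRL*)XMALLOC(sizeof(WOLFSSL_CRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (tmp == NULL)
        return MEMORY_E;
#endif

    if (InitCRL(tmp, crl->cm) < 0) {
        WOLFSSL_MSG("Init tmp CRL failed");
        goto cleanup;
    }
    initialized = 1;

    /* monitors[0] is the PEM directory, monitors[1] the DER directory;
     * LoadCRL (defined later in this file) presumably loads every CRL it
     * finds there into tmp */
    if (crl->monitors[0].path) {
        if (LoadCRL(tmp, crl->monitors[0].path, SSL_FILETYPE_PEM, 0)
                                                              != SSL_SUCCESS) {
            WOLFSSL_MSG("PEM LoadCRL on dir change failed");
            goto cleanup;
        }
    }

    if (crl->monitors[1].path) {
        if (LoadCRL(tmp, crl->monitors[1].path, SSL_FILETYPE_ASN1, 0)
                                                              != SSL_SUCCESS) {
            WOLFSSL_MSG("DER LoadCRL on dir change failed");
            goto cleanup;
        }
    }

    if (LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("LockMutex failed");
        goto cleanup;
    }

    /* exchange lists under the lock; tmp now owns the old entries */
    newList = tmp->crlList;
    tmp->crlList = crl->crlList;
    crl->crlList = newList;

    UnLockMutex(&crl->crlLock);
    ret = 0;

cleanup:
    if (initialized)
        FreeCRL(tmp, 0);   /* frees whichever list tmp holds plus its mutex */
#ifdef WOLFSSL_SMALL_STACK
    XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
    return ret;
}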
| wolfSSL | 0:d92f9d21154c | 389 | |
| wolfSSL | 0:d92f9d21154c | 390 | |
| wolfSSL | 0:d92f9d21154c | 391 | #if (defined(__MACH__) || defined(__FreeBSD__)) |
| wolfSSL | 0:d92f9d21154c | 392 | |
| wolfSSL | 0:d92f9d21154c | 393 | #include <sys/types.h> |
| wolfSSL | 0:d92f9d21154c | 394 | #include <sys/event.h> |
| wolfSSL | 0:d92f9d21154c | 395 | #include <sys/time.h> |
| wolfSSL | 0:d92f9d21154c | 396 | #include <fcntl.h> |
| wolfSSL | 0:d92f9d21154c | 397 | #include <unistd.h> |
| wolfSSL | 0:d92f9d21154c | 398 | |
| wolfSSL | 0:d92f9d21154c | 399 | #ifdef __MACH__ |
| wolfSSL | 0:d92f9d21154c | 400 | #define XEVENT_MODE O_EVTONLY |
| wolfSSL | 0:d92f9d21154c | 401 | #elif defined(__FreeBSD__) |
| wolfSSL | 0:d92f9d21154c | 402 | #define XEVENT_MODE EVFILT_VNODE |
| wolfSSL | 0:d92f9d21154c | 403 | #endif |
| wolfSSL | 0:d92f9d21154c | 404 | |
| wolfSSL | 0:d92f9d21154c | 405 | |
| wolfSSL | 0:d92f9d21154c | 406 | /* we need a unique kqueue user filter fd for crl in case user is doing custom |
| wolfSSL | 0:d92f9d21154c | 407 | * events too */ |
| wolfSSL | 0:d92f9d21154c | 408 | #ifndef CRL_CUSTOM_FD |
| wolfSSL | 0:d92f9d21154c | 409 | #define CRL_CUSTOM_FD 123456 |
| wolfSSL | 0:d92f9d21154c | 410 | #endif |
| wolfSSL | 0:d92f9d21154c | 411 | |
| wolfSSL | 0:d92f9d21154c | 412 | |
/* Ask the kqueue-based monitor thread to exit, 0 on success.
 *
 * mfd is the monitor's kqueue descriptor (crl->mfd). DoMonitor registers a
 * user-filter event identified by CRL_CUSTOM_FD; triggering it here makes the
 * thread's loop break out. Returns -1 if kevent() rejects the trigger (for
 * instance mfd is still -1 because the thread never finished its setup);
 * FreeCRL then falls back to cancelling the thread.
 */
static int StopMonitor(int mfd)
{
    struct kevent shutdownEv;
    int rc;

    EV_SET(&shutdownEv, CRL_CUSTOM_FD, EVFILT_USER, 0, NOTE_TRIGGER, 0, NULL);
    rc = kevent(mfd, &shutdownEv, 1, NULL, 0, NULL);
    if (rc < 0) {
        WOLFSSL_MSG("kevent trigger customer event failed");
        return -1;
    }

    return 0;
}
| wolfSSL | 0:d92f9d21154c | 427 | |
| wolfSSL | 0:d92f9d21154c | 428 | |
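/* Monitor thread body for macOS/FreeBSD (kqueue).
 *
 * arg is the WOLFSSL_CRL* whose monitors[0] (PEM dir) and monitors[1]
 * (DER dir) paths are watched. Sets crl->mfd to the kqueue descriptor so
 * StopMonitor can post the shutdown event, then loops: a change in a watched
 * directory triggers SwapLists(crl); the EVFILT_USER event ends the loop.
 * Always returns NULL.
 *
 * The directory watches live in a two-element array. With a single
 * struct kevent the DER EV_SET overwrote the PEM one, so when both
 * directories were configured only the DER directory was ever watched. The
 * watches are EV_ONESHOT and are re-armed by passing the array to kevent()
 * on every iteration. A failed DER open now also closes the PEM descriptor.
 *
 * NOTE(review): crl->mfd is written here and read by FreeCRL from another
 * thread without synchronisation, and a persistently failing kevent() spins
 * in the loop; both are left as they were. On FreeBSD XEVENT_MODE expands to
 * EVFILT_VNODE, a kqueue filter constant rather than an open(2) flag --
 * confirm the intended open flags.
 */
static void* DoMonitor(void* arg)
{
    int fPEM = -1, fDER = -1;
    struct kevent change[2];    /* directory watches, re-armed each loop */
    int nChanges = 0;
    struct kevent shutdownEv;

    WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;

    WOLFSSL_ENTER("DoMonitor");

    crl->mfd = kqueue();
    if (crl->mfd == -1) {
        WOLFSSL_MSG("kqueue failed");
        return NULL;
    }

    /* register the user event that StopMonitor triggers */
    EV_SET(&shutdownEv, CRL_CUSTOM_FD, EVFILT_USER, EV_ADD, 0, 0, NULL);
    if (kevent(crl->mfd, &shutdownEv, 1, NULL, 0, NULL) < 0) {
        WOLFSSL_MSG("kevent monitor customer event failed");
        close(crl->mfd);
        return NULL;
    }

    if (crl->monitors[0].path) {
        fPEM = open(crl->monitors[0].path, XEVENT_MODE);
        if (fPEM == -1) {
            WOLFSSL_MSG("PEM event dir open failed");
            close(crl->mfd);
            return NULL;
        }
    }

    if (crl->monitors[1].path) {
        fDER = open(crl->monitors[1].path, XEVENT_MODE);
        if (fDER == -1) {
            WOLFSSL_MSG("DER event dir open failed");
            if (fPEM != -1)
                close(fPEM);    /* do not leak the PEM descriptor */
            close(crl->mfd);
            return NULL;
        }
    }

    if (fPEM != -1) {
        EV_SET(&change[nChanges], fPEM, EVFILT_VNODE,
               EV_ADD | EV_ENABLE | EV_ONESHOT,
               NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
        nChanges++;
    }

    if (fDER != -1) {
        EV_SET(&change[nChanges], fDER, EVFILT_VNODE,
               EV_ADD | EV_ENABLE | EV_ONESHOT,
               NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
        nChanges++;
    }

    for (;;) {
        struct kevent event;
        /* re-arm the one-shot watches and block for a single event */
        int numEvents = kevent(crl->mfd, change, nChanges, &event, 1, NULL);

        WOLFSSL_MSG("Got kevent");

        if (numEvents == -1) {
            WOLFSSL_MSG("kevent problem, continue");
            continue;
        }

        if (event.filter == EVFILT_USER) {
            WOLFSSL_MSG("Got user shutdown event, breaking out");
            break;
        }

        if (SwapLists(crl) < 0) {
            WOLFSSL_MSG("SwapLists problem, continue");
        }
    }

    if (fPEM != -1)
        close(fPEM);
    if (fDER != -1)
        close(fDER);

    close(crl->mfd);

    return NULL;
}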
| wolfSSL | 0:d92f9d21154c | 512 | |
| wolfSSL | 0:d92f9d21154c | 513 | |
| wolfSSL | 0:d92f9d21154c | 514 | #elif defined(__linux__) |
| wolfSSL | 0:d92f9d21154c | 515 | |
| wolfSSL | 0:d92f9d21154c | 516 | #include <sys/types.h> |
| wolfSSL | 0:d92f9d21154c | 517 | #include <sys/inotify.h> |
| wolfSSL | 0:d92f9d21154c | 518 | #include <sys/eventfd.h> |
| wolfSSL | 0:d92f9d21154c | 519 | #include <unistd.h> |
| wolfSSL | 0:d92f9d21154c | 520 | |
| wolfSSL | 0:d92f9d21154c | 521 | |
| wolfSSL | 0:d92f9d21154c | 522 | #ifndef max |
/* Larger of two ints; only compiled when the platform provides no max(). */
static INLINE int max(int a, int b)
{
    if (a > b)
        return a;
    return b;
}
| wolfSSL | 0:d92f9d21154c | 527 | #endif /* max */ |
| wolfSSL | 0:d92f9d21154c | 528 | |
| wolfSSL | 0:d92f9d21154c | 529 | |
/* Ask the inotify-based monitor thread to exit, 0 on success.
 *
 * mfd is the eventfd created by the Linux DoMonitor (crl->mfd). Writing a
 * count of 1 makes it readable, which the monitor loop (outside this view)
 * presumably treats as the shutdown signal. Returns -1 if the write fails
 * (for instance mfd is still -1 because the thread never got that far);
 * FreeCRL then cancels the thread instead.
 */
static int StopMonitor(int mfd)
{
    const word64 wakeup = 1;
    ssize_t written = write(mfd, &wakeup, sizeof(wakeup));

    if (written < 0) {
        WOLFSSL_MSG("StopMonitor write failed");
        return -1;
    }

    return 0;
}
| wolfSSL | 0:d92f9d21154c | 543 | |
| wolfSSL | 0:d92f9d21154c | 544 | |
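/* Linux CRL directory monitor: thread body started by StartMonitorCRL.
 *
 * Creates an eventfd (stored in crl->mfd, written by StopMonitor), an
 * inotify instance watching the PEM (monitors[0]) and/or DER (monitors[1])
 * directories, then blocks in select() until either a directory event
 * arrives (the CRL list is reloaded via SwapLists) or the shutdown event
 * fires.
 *
 * arg: the WOLFSSL_CRL* whose monitors[] paths describe what to watch.
 * Returns NULL on every path (pthread start routine); failures are logged.
 * Every descriptor and buffer created here is released before returning.
 */
static void* DoMonitor(void* arg)
{
    int notifyFd = -1;
    int wdPem = -1;   /* watch descriptor for monitors[0], -1 if none */
    int wdDer = -1;   /* watch descriptor for monitors[1], -1 if none */
    WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;
#ifdef WOLFSSL_SMALL_STACK
    char* buff = NULL;
#else
    char buff[8192];
#endif

    WOLFSSL_ENTER("DoMonitor");

    crl->mfd = eventfd(0, 0); /* our custom shutdown event */
    if (crl->mfd < 0) {
        WOLFSSL_MSG("eventfd failed");
        return NULL;
    }

    notifyFd = inotify_init();
    if (notifyFd < 0) {
        WOLFSSL_MSG("inotify failed");
        goto cleanup;
    }

    /* IN_MOVED_TO is watched as well so a CRL that is replaced atomically
     * (written to a temporary file and rename()d into the directory) also
     * triggers a reload; that update pattern never produces IN_CLOSE_WRITE
     * on the watched directory, so revocations would otherwise be missed. */
    if (crl->monitors[0].path) {
        wdPem = inotify_add_watch(notifyFd, crl->monitors[0].path,
                                  IN_CLOSE_WRITE | IN_MOVED_TO | IN_DELETE);
        if (wdPem < 0) {
            WOLFSSL_MSG("PEM notify add watch failed");
            goto cleanup;
        }
    }

    if (crl->monitors[1].path) {
        wdDer = inotify_add_watch(notifyFd, crl->monitors[1].path,
                                  IN_CLOSE_WRITE | IN_MOVED_TO | IN_DELETE);
        if (wdDer < 0) {
            WOLFSSL_MSG("DER notify add watch failed");
            goto cleanup;
        }
    }

#ifdef WOLFSSL_SMALL_STACK
    buff = (char*)XMALLOC(8192, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (buff == NULL) {
        WOLFSSL_MSG("notify buffer alloc failed");
        goto cleanup;   /* release mfd and notifyFd instead of leaking them */
    }
#endif

    for (;;) {
        fd_set readfds;
        int result;
        int length;

        FD_ZERO(&readfds);
        FD_SET(notifyFd, &readfds);
        FD_SET(crl->mfd, &readfds);

        result = select(max(notifyFd, crl->mfd) + 1, &readfds, NULL, NULL,
                        NULL);
        if (result < 0) {
            /* EINTR is expected here; NOTE(review): a persistent error
             * (e.g. a descriptor closed underneath us) would spin in this
             * loop -- behaviour kept as in the original */
            WOLFSSL_MSG("select problem, continue");
            continue;
        }

        WOLFSSL_MSG("Got notify event");

        if (FD_ISSET(crl->mfd, &readfds)) {
            WOLFSSL_MSG("got custom shutdown event, breaking out");
            break;
        }

        /* the inotify payload is drained but not parsed: any event on a
         * watched directory is treated as "reload the CRL list" */
        length = (int)read(notifyFd, buff, 8192);
        if (length < 0) {
            WOLFSSL_MSG("notify read problem, continue");
            continue;
        }

        if (SwapLists(crl) < 0) {
            WOLFSSL_MSG("SwapLists problem, continue");
        }
    }

cleanup:
#ifdef WOLFSSL_SMALL_STACK
    if (buff != NULL) {
        XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif
    if (notifyFd >= 0) {
        /* both watches are removed; the original tracked only the last one */
        if (wdPem >= 0)
            inotify_rm_watch(notifyFd, wdPem);
        if (wdDer >= 0)
            inotify_rm_watch(notifyFd, wdDer);
        close(notifyFd);
    }
    close(crl->mfd);

    return NULL;
}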
| wolfSSL | 0:d92f9d21154c | 645 | |
| wolfSSL | 0:d92f9d21154c | 646 | |
| wolfSSL | 0:d92f9d21154c | 647 | #else |
| wolfSSL | 0:d92f9d21154c | 648 | |
| wolfSSL | 0:d92f9d21154c | 649 | #error "CRL monitor only currently supported on linux or mach" |
| wolfSSL | 0:d92f9d21154c | 650 | |
| wolfSSL | 0:d92f9d21154c | 651 | #endif /* MACH or linux */ |
| wolfSSL | 0:d92f9d21154c | 652 | |
| wolfSSL | 0:d92f9d21154c | 653 | |
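/* Start the CRL monitor thread (DoMonitor) for crl.
 *
 * Returns SSL_SUCCESS on success, BAD_FUNC_ARG for a NULL crl,
 * MONITOR_RUNNING_E if crl->tid already records a thread, and
 * THREAD_CREATE_E if the thread attributes or the thread cannot be created.
 */
static int StartMonitorCRL(WOLFSSL_CRL* crl)
{
    pthread_attr_t attr;
    int ret = SSL_SUCCESS;

    WOLFSSL_ENTER("StartMonitorCRL");

    if (crl == NULL)
        return BAD_FUNC_ARG;

    /* crl->tid == 0 means "no monitor thread"; one thread per context */
    if (crl->tid != 0) {
        WOLFSSL_MSG("Monitor thread already running");
        return MONITOR_RUNNING_E;
    }

    if (pthread_attr_init(&attr) != 0) {
        WOLFSSL_MSG("Thread attribute init error");
        return THREAD_CREATE_E;
    }

    if (pthread_create(&crl->tid, &attr, DoMonitor, crl) != 0) {
        WOLFSSL_MSG("Thread creation error");
        /* POSIX leaves the thread id unspecified on failure; clear it so the
         * "already running" check above stays meaningful on a retry */
        crl->tid = 0;
        ret = THREAD_CREATE_E;
    }

    /* attr is only needed for creation; release it on every path */
    pthread_attr_destroy(&attr);

    return ret;
}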
| wolfSSL | 0:d92f9d21154c | 678 | |
| wolfSSL | 0:d92f9d21154c | 679 | |
| wolfSSL | 0:d92f9d21154c | 680 | #else /* HAVE_CRL_MONITOR */ |
| wolfSSL | 0:d92f9d21154c | 681 | |
/* Stub used when HAVE_CRL_MONITOR is not defined: monitoring is never
 * started. crl is unused. Always returns NOT_COMPILED_IN. */
static int StartMonitorCRL(WOLFSSL_CRL* crl)
{
    WOLFSSL_ENTER("StartMonitorCRL");
    WOLFSSL_MSG("Not compiled in");

    (void)crl;   /* silence unused-parameter warnings */
    return NOT_COMPILED_IN;
}
| wolfSSL | 0:d92f9d21154c | 691 | |
| wolfSSL | 0:d92f9d21154c | 692 | #endif /* HAVE_CRL_MONITOR */ |
| wolfSSL | 0:d92f9d21154c | 693 | |
| wolfSSL | 0:d92f9d21154c | 694 | |
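/* Load every CRL file of the given type found in the directory at path.
 *
 * crl:     CRL context that receives the parsed entries (must not be NULL).
 * path:    directory to scan (must not be NULL).
 * type:    SSL_FILETYPE_PEM selects entries containing ".pem"; any other
 *          value selects entries containing ".der" or ".crl" and loads them
 *          as DER (monitor type SSL_FILETYPE_ASN1).
 * monitor: bitmask; WOLFSSL_CRL_MONITOR records path in crl->monitors[] and
 *          WOLFSSL_CRL_START_MON additionally starts the monitor thread.
 *
 * Returns SSL_SUCCESS on success, BAD_FUNC_ARG for NULL arguments,
 * BAD_PATH_ERROR if the directory cannot be opened, MEMORY_E on allocation
 * failure, or the StartMonitorCRL() result when a thread start was
 * requested. Files that fail to load are logged and skipped.
 */
int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
{
    struct dirent* entry;
    DIR* dir;
    int ret = SSL_SUCCESS;
    size_t pathLen;
#ifdef WOLFSSL_SMALL_STACK
    char* name;
#else
    char name[MAX_FILENAME_SZ];
#endif

    WOLFSSL_ENTER("LoadCRL");
    if (crl == NULL || path == NULL)
        return BAD_FUNC_ARG;

    dir = opendir(path);
    if (dir == NULL) {
        WOLFSSL_MSG("opendir path crl load failed");
        return BAD_PATH_ERROR;
    }

#ifdef WOLFSSL_SMALL_STACK
    name = (char*)XMALLOC(MAX_FILENAME_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (name == NULL) {
        closedir(dir);   /* do not leak the directory handle on OOM */
        return MEMORY_E;
    }
#endif

    pathLen = strlen(path);

    while ( (entry = readdir(dir)) != NULL) {
        struct stat s;
        size_t entryLen = strlen(entry->d_name);

        /* build "<path>/<d_name>" only when it fits with its terminator;
         * the previous fixed-split truncation could silently stat (and
         * load) a different file than the one listed, so oversize entries
         * are skipped instead */
        if (pathLen + 1 + entryLen >= (size_t)MAX_FILENAME_SZ) {
            WOLFSSL_MSG("CRL file name too long, skipping");
            continue;
        }
        XMEMCPY(name, path, pathLen);
        name[pathLen] = '/';
        XMEMCPY(name + pathLen + 1, entry->d_name, entryLen);
        name[pathLen + 1 + entryLen] = '\0';

        if (stat(name, &s) != 0) {
            WOLFSSL_MSG("stat on name failed");
            continue;
        }
        /* S_ISREG tests the whole file-type field; "st_mode & S_IFREG" also
         * accepted sockets, whose type bits overlap S_IFREG */
        if (!S_ISREG(s.st_mode))
            continue;

        /* extension filter is a substring match, as before: a name with
         * ".pem" (or ".der"/".crl") anywhere in it passes */
        if (type == SSL_FILETYPE_PEM) {
            if (strstr(entry->d_name, ".pem") == NULL) {
                WOLFSSL_MSG("not .pem file, skipping");
                continue;
            }
        }
        else {
            if (strstr(entry->d_name, ".der") == NULL &&
                strstr(entry->d_name, ".crl") == NULL) {
                WOLFSSL_MSG("not .der or .crl file, skipping");
                continue;
            }
        }

        if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl)
                                                        != SSL_SUCCESS) {
            WOLFSSL_MSG("CRL file load failed, continuing");
        }
    }

#ifdef WOLFSSL_SMALL_STACK
    XFREE(name, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    if (monitor & WOLFSSL_CRL_MONITOR) {
        WOLFSSL_MSG("monitor path requested");

        if (type == SSL_FILETYPE_PEM) {
            crl->monitors[0].path = strdup(path);
            crl->monitors[0].type = SSL_FILETYPE_PEM;
            if (crl->monitors[0].path == NULL)
                ret = MEMORY_E;
        } else {
            crl->monitors[1].path = strdup(path);
            crl->monitors[1].type = SSL_FILETYPE_ASN1;
            if (crl->monitors[1].path == NULL)
                ret = MEMORY_E;
        }

        /* only start the thread when the path was recorded; otherwise the
         * StartMonitorCRL() result would overwrite the MEMORY_E above and
         * the caller would believe monitoring is in place */
        if (ret == SSL_SUCCESS && (monitor & WOLFSSL_CRL_START_MON)) {
            WOLFSSL_MSG("start monitoring requested");

            ret = StartMonitorCRL(crl);
        }
    }

    closedir(dir);

    return ret;
}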
| wolfSSL | 0:d92f9d21154c | 789 | |
| wolfSSL | 0:d92f9d21154c | 790 | #endif /* HAVE_CRL */ |
| wolfSSL | 0:d92f9d21154c | 791 |
