wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
src/crl.c@17:a5f916481144, 2020-06-05 (annotated)
- Committer:
- wolfSSL
- Date:
- Fri Jun 05 00:11:07 2020 +0000
- Revision:
- 17:a5f916481144
- Parent:
- 16:8e0d178b1d1e
wolfSSL 4.4.0
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
wolfSSL | 15:117db924cf7c | 1 | /* crl.c |
wolfSSL | 15:117db924cf7c | 2 | * |
wolfSSL | 16:8e0d178b1d1e | 3 | * Copyright (C) 2006-2020 wolfSSL Inc. |
wolfSSL | 15:117db924cf7c | 4 | * |
wolfSSL | 15:117db924cf7c | 5 | * This file is part of wolfSSL. |
wolfSSL | 15:117db924cf7c | 6 | * |
wolfSSL | 15:117db924cf7c | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
wolfSSL | 15:117db924cf7c | 8 | * it under the terms of the GNU General Public License as published by |
wolfSSL | 15:117db924cf7c | 9 | * the Free Software Foundation; either version 2 of the License, or |
wolfSSL | 15:117db924cf7c | 10 | * (at your option) any later version. |
wolfSSL | 15:117db924cf7c | 11 | * |
wolfSSL | 15:117db924cf7c | 12 | * wolfSSL is distributed in the hope that it will be useful, |
wolfSSL | 15:117db924cf7c | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
wolfSSL | 15:117db924cf7c | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
wolfSSL | 15:117db924cf7c | 15 | * GNU General Public License for more details. |
wolfSSL | 15:117db924cf7c | 16 | * |
wolfSSL | 15:117db924cf7c | 17 | * You should have received a copy of the GNU General Public License |
wolfSSL | 15:117db924cf7c | 18 | * along with this program; if not, write to the Free Software |
wolfSSL | 15:117db924cf7c | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
wolfSSL | 15:117db924cf7c | 20 | */ |
wolfSSL | 15:117db924cf7c | 21 | |
wolfSSL | 15:117db924cf7c | 22 | |
wolfSSL | 15:117db924cf7c | 23 | /* Name change compatibility layer no longer needs included here */ |
wolfSSL | 15:117db924cf7c | 24 | |
wolfSSL | 15:117db924cf7c | 25 | #ifdef HAVE_CONFIG_H |
wolfSSL | 15:117db924cf7c | 26 | #include <config.h> |
wolfSSL | 15:117db924cf7c | 27 | #endif |
wolfSSL | 15:117db924cf7c | 28 | |
wolfSSL | 15:117db924cf7c | 29 | #include <wolfssl/wolfcrypt/settings.h> |
wolfSSL | 15:117db924cf7c | 30 | |
wolfSSL | 15:117db924cf7c | 31 | #ifndef WOLFCRYPT_ONLY |
wolfSSL | 15:117db924cf7c | 32 | #ifdef HAVE_CRL |
wolfSSL | 15:117db924cf7c | 33 | |
wolfSSL | 15:117db924cf7c | 34 | #include <wolfssl/internal.h> |
wolfSSL | 15:117db924cf7c | 35 | #include <wolfssl/error-ssl.h> |
wolfSSL | 15:117db924cf7c | 36 | |
wolfSSL | 15:117db924cf7c | 37 | #include <string.h> |
wolfSSL | 15:117db924cf7c | 38 | |
wolfSSL | 15:117db924cf7c | 39 | #ifdef HAVE_CRL_MONITOR |
wolfSSL | 15:117db924cf7c | 40 | #if (defined(__MACH__) || defined(__FreeBSD__) || defined(__linux__)) |
wolfSSL | 15:117db924cf7c | 41 | static int StopMonitor(int mfd); |
wolfSSL | 15:117db924cf7c | 42 | #else |
wolfSSL | 15:117db924cf7c | 43 | #error "CRL monitor only currently supported on linux or mach" |
wolfSSL | 15:117db924cf7c | 44 | #endif |
wolfSSL | 15:117db924cf7c | 45 | #endif /* HAVE_CRL_MONITOR */ |
wolfSSL | 15:117db924cf7c | 46 | |
wolfSSL | 15:117db924cf7c | 47 | |
wolfSSL | 15:117db924cf7c | 48 | /* Initialize CRL members */ |
wolfSSL | 15:117db924cf7c | 49 | int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm) |
wolfSSL | 15:117db924cf7c | 50 | { |
wolfSSL | 15:117db924cf7c | 51 | WOLFSSL_ENTER("InitCRL"); |
wolfSSL | 15:117db924cf7c | 52 | if(cm != NULL) |
wolfSSL | 15:117db924cf7c | 53 | crl->heap = cm->heap; |
wolfSSL | 15:117db924cf7c | 54 | else |
wolfSSL | 15:117db924cf7c | 55 | crl->heap = NULL; |
wolfSSL | 15:117db924cf7c | 56 | crl->cm = cm; |
wolfSSL | 15:117db924cf7c | 57 | crl->crlList = NULL; |
wolfSSL | 15:117db924cf7c | 58 | crl->monitors[0].path = NULL; |
wolfSSL | 15:117db924cf7c | 59 | crl->monitors[1].path = NULL; |
wolfSSL | 15:117db924cf7c | 60 | #ifdef HAVE_CRL_MONITOR |
wolfSSL | 15:117db924cf7c | 61 | crl->tid = 0; |
wolfSSL | 15:117db924cf7c | 62 | crl->mfd = -1; /* mfd for bsd is kqueue fd, eventfd for linux */ |
wolfSSL | 15:117db924cf7c | 63 | crl->setup = 0; /* thread setup done predicate */ |
wolfSSL | 15:117db924cf7c | 64 | if (pthread_cond_init(&crl->cond, 0) != 0) { |
wolfSSL | 15:117db924cf7c | 65 | WOLFSSL_MSG("Pthread condition init failed"); |
wolfSSL | 15:117db924cf7c | 66 | return BAD_COND_E; |
wolfSSL | 15:117db924cf7c | 67 | } |
wolfSSL | 15:117db924cf7c | 68 | #endif |
wolfSSL | 15:117db924cf7c | 69 | if (wc_InitMutex(&crl->crlLock) != 0) { |
wolfSSL | 15:117db924cf7c | 70 | WOLFSSL_MSG("Init Mutex failed"); |
wolfSSL | 15:117db924cf7c | 71 | return BAD_MUTEX_E; |
wolfSSL | 15:117db924cf7c | 72 | } |
wolfSSL | 15:117db924cf7c | 73 | |
wolfSSL | 15:117db924cf7c | 74 | return 0; |
wolfSSL | 15:117db924cf7c | 75 | } |
wolfSSL | 15:117db924cf7c | 76 | |
wolfSSL | 15:117db924cf7c | 77 | |
wolfSSL | 15:117db924cf7c | 78 | /* Initialize CRL Entry */ |
wolfSSL | 15:117db924cf7c | 79 | static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, |
wolfSSL | 15:117db924cf7c | 80 | int verified, void* heap) |
wolfSSL | 15:117db924cf7c | 81 | { |
wolfSSL | 15:117db924cf7c | 82 | WOLFSSL_ENTER("InitCRL_Entry"); |
wolfSSL | 15:117db924cf7c | 83 | |
wolfSSL | 15:117db924cf7c | 84 | XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE); |
wolfSSL | 15:117db924cf7c | 85 | /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE); |
wolfSSL | 16:8e0d178b1d1e | 86 | * copy the hash here if needed for optimized comparisons */ |
wolfSSL | 15:117db924cf7c | 87 | XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE); |
wolfSSL | 15:117db924cf7c | 88 | XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE); |
wolfSSL | 15:117db924cf7c | 89 | crle->lastDateFormat = dcrl->lastDateFormat; |
wolfSSL | 15:117db924cf7c | 90 | crle->nextDateFormat = dcrl->nextDateFormat; |
wolfSSL | 15:117db924cf7c | 91 | |
wolfSSL | 15:117db924cf7c | 92 | crle->certs = dcrl->certs; /* take ownsership */ |
wolfSSL | 15:117db924cf7c | 93 | dcrl->certs = NULL; |
wolfSSL | 15:117db924cf7c | 94 | crle->totalCerts = dcrl->totalCerts; |
wolfSSL | 15:117db924cf7c | 95 | crle->verified = verified; |
wolfSSL | 15:117db924cf7c | 96 | if (!verified) { |
wolfSSL | 15:117db924cf7c | 97 | crle->tbsSz = dcrl->sigIndex - dcrl->certBegin; |
wolfSSL | 15:117db924cf7c | 98 | crle->signatureSz = dcrl->sigLength; |
wolfSSL | 15:117db924cf7c | 99 | crle->signatureOID = dcrl->signatureOID; |
wolfSSL | 15:117db924cf7c | 100 | crle->toBeSigned = (byte*)XMALLOC(crle->tbsSz, heap, |
wolfSSL | 15:117db924cf7c | 101 | DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 102 | if (crle->toBeSigned == NULL) |
wolfSSL | 15:117db924cf7c | 103 | return -1; |
wolfSSL | 15:117db924cf7c | 104 | crle->signature = (byte*)XMALLOC(crle->signatureSz, heap, |
wolfSSL | 15:117db924cf7c | 105 | DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 106 | if (crle->signature == NULL) { |
wolfSSL | 15:117db924cf7c | 107 | XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 108 | return -1; |
wolfSSL | 15:117db924cf7c | 109 | } |
wolfSSL | 15:117db924cf7c | 110 | XMEMCPY(crle->toBeSigned, buff + dcrl->certBegin, crle->tbsSz); |
wolfSSL | 15:117db924cf7c | 111 | XMEMCPY(crle->signature, dcrl->signature, crle->signatureSz); |
wolfSSL | 16:8e0d178b1d1e | 112 | #ifndef NO_SKID |
wolfSSL | 15:117db924cf7c | 113 | crle->extAuthKeyIdSet = dcrl->extAuthKeyIdSet; |
wolfSSL | 15:117db924cf7c | 114 | if (crle->extAuthKeyIdSet) |
wolfSSL | 15:117db924cf7c | 115 | XMEMCPY(crle->extAuthKeyId, dcrl->extAuthKeyId, KEYID_SIZE); |
wolfSSL | 15:117db924cf7c | 116 | #endif |
wolfSSL | 15:117db924cf7c | 117 | } |
wolfSSL | 15:117db924cf7c | 118 | else { |
wolfSSL | 15:117db924cf7c | 119 | crle->toBeSigned = NULL; |
wolfSSL | 15:117db924cf7c | 120 | crle->signature = NULL; |
wolfSSL | 15:117db924cf7c | 121 | } |
wolfSSL | 15:117db924cf7c | 122 | |
wolfSSL | 15:117db924cf7c | 123 | (void)verified; |
wolfSSL | 16:8e0d178b1d1e | 124 | (void)heap; |
wolfSSL | 15:117db924cf7c | 125 | |
wolfSSL | 15:117db924cf7c | 126 | return 0; |
wolfSSL | 15:117db924cf7c | 127 | } |
wolfSSL | 15:117db924cf7c | 128 | |
wolfSSL | 15:117db924cf7c | 129 | |
wolfSSL | 15:117db924cf7c | 130 | /* Free all CRL Entry resources */ |
wolfSSL | 15:117db924cf7c | 131 | static void FreeCRL_Entry(CRL_Entry* crle, void* heap) |
wolfSSL | 15:117db924cf7c | 132 | { |
wolfSSL | 15:117db924cf7c | 133 | RevokedCert* tmp = crle->certs; |
wolfSSL | 15:117db924cf7c | 134 | RevokedCert* next; |
wolfSSL | 15:117db924cf7c | 135 | |
wolfSSL | 15:117db924cf7c | 136 | WOLFSSL_ENTER("FreeCRL_Entry"); |
wolfSSL | 15:117db924cf7c | 137 | |
wolfSSL | 15:117db924cf7c | 138 | while (tmp) { |
wolfSSL | 15:117db924cf7c | 139 | next = tmp->next; |
wolfSSL | 15:117db924cf7c | 140 | XFREE(tmp, heap, DYNAMIC_TYPE_REVOKED); |
wolfSSL | 15:117db924cf7c | 141 | tmp = next; |
wolfSSL | 15:117db924cf7c | 142 | } |
wolfSSL | 15:117db924cf7c | 143 | if (crle->signature != NULL) |
wolfSSL | 15:117db924cf7c | 144 | XFREE(crle->signature, heap, DYNAMIC_TYPE_REVOKED); |
wolfSSL | 15:117db924cf7c | 145 | if (crle->toBeSigned != NULL) |
wolfSSL | 15:117db924cf7c | 146 | XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_REVOKED); |
wolfSSL | 15:117db924cf7c | 147 | |
wolfSSL | 15:117db924cf7c | 148 | (void)heap; |
wolfSSL | 15:117db924cf7c | 149 | } |
wolfSSL | 15:117db924cf7c | 150 | |
wolfSSL | 15:117db924cf7c | 151 | |
wolfSSL | 15:117db924cf7c | 152 | |
wolfSSL | 15:117db924cf7c | 153 | /* Free all CRL resources */ |
wolfSSL | 15:117db924cf7c | 154 | void FreeCRL(WOLFSSL_CRL* crl, int dynamic) |
wolfSSL | 15:117db924cf7c | 155 | { |
wolfSSL | 15:117db924cf7c | 156 | CRL_Entry* tmp = crl->crlList; |
wolfSSL | 15:117db924cf7c | 157 | |
wolfSSL | 15:117db924cf7c | 158 | WOLFSSL_ENTER("FreeCRL"); |
wolfSSL | 15:117db924cf7c | 159 | if (crl->monitors[0].path) |
wolfSSL | 15:117db924cf7c | 160 | XFREE(crl->monitors[0].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR); |
wolfSSL | 15:117db924cf7c | 161 | |
wolfSSL | 15:117db924cf7c | 162 | if (crl->monitors[1].path) |
wolfSSL | 15:117db924cf7c | 163 | XFREE(crl->monitors[1].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR); |
wolfSSL | 15:117db924cf7c | 164 | |
wolfSSL | 15:117db924cf7c | 165 | while(tmp) { |
wolfSSL | 15:117db924cf7c | 166 | CRL_Entry* next = tmp->next; |
wolfSSL | 15:117db924cf7c | 167 | FreeCRL_Entry(tmp, crl->heap); |
wolfSSL | 15:117db924cf7c | 168 | XFREE(tmp, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 169 | tmp = next; |
wolfSSL | 15:117db924cf7c | 170 | } |
wolfSSL | 15:117db924cf7c | 171 | |
wolfSSL | 15:117db924cf7c | 172 | #ifdef HAVE_CRL_MONITOR |
wolfSSL | 15:117db924cf7c | 173 | if (crl->tid != 0) { |
wolfSSL | 15:117db924cf7c | 174 | WOLFSSL_MSG("stopping monitor thread"); |
wolfSSL | 15:117db924cf7c | 175 | if (StopMonitor(crl->mfd) == 0) |
wolfSSL | 15:117db924cf7c | 176 | pthread_join(crl->tid, NULL); |
wolfSSL | 15:117db924cf7c | 177 | else { |
wolfSSL | 15:117db924cf7c | 178 | WOLFSSL_MSG("stop monitor failed"); |
wolfSSL | 15:117db924cf7c | 179 | } |
wolfSSL | 15:117db924cf7c | 180 | } |
wolfSSL | 15:117db924cf7c | 181 | pthread_cond_destroy(&crl->cond); |
wolfSSL | 15:117db924cf7c | 182 | #endif |
wolfSSL | 15:117db924cf7c | 183 | wc_FreeMutex(&crl->crlLock); |
wolfSSL | 15:117db924cf7c | 184 | if (dynamic) /* free self */ |
wolfSSL | 15:117db924cf7c | 185 | XFREE(crl, crl->heap, DYNAMIC_TYPE_CRL); |
wolfSSL | 15:117db924cf7c | 186 | } |
wolfSSL | 15:117db924cf7c | 187 | |
wolfSSL | 15:117db924cf7c | 188 | |
wolfSSL | 15:117db924cf7c | 189 | static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntry) |
wolfSSL | 15:117db924cf7c | 190 | { |
wolfSSL | 15:117db924cf7c | 191 | CRL_Entry* crle; |
wolfSSL | 15:117db924cf7c | 192 | int foundEntry = 0; |
wolfSSL | 15:117db924cf7c | 193 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 194 | |
wolfSSL | 15:117db924cf7c | 195 | if (wc_LockMutex(&crl->crlLock) != 0) { |
wolfSSL | 15:117db924cf7c | 196 | WOLFSSL_MSG("wc_LockMutex failed"); |
wolfSSL | 15:117db924cf7c | 197 | return BAD_MUTEX_E; |
wolfSSL | 15:117db924cf7c | 198 | } |
wolfSSL | 15:117db924cf7c | 199 | |
wolfSSL | 15:117db924cf7c | 200 | crle = crl->crlList; |
wolfSSL | 15:117db924cf7c | 201 | |
wolfSSL | 15:117db924cf7c | 202 | while (crle) { |
wolfSSL | 15:117db924cf7c | 203 | if (XMEMCMP(crle->issuerHash, cert->issuerHash, CRL_DIGEST_SIZE) == 0) { |
wolfSSL | 15:117db924cf7c | 204 | WOLFSSL_MSG("Found CRL Entry on list"); |
wolfSSL | 15:117db924cf7c | 205 | |
wolfSSL | 15:117db924cf7c | 206 | if (crle->verified == 0) { |
wolfSSL | 16:8e0d178b1d1e | 207 | Signer* ca = NULL; |
wolfSSL | 16:8e0d178b1d1e | 208 | #ifndef NO_SKID |
wolfSSL | 16:8e0d178b1d1e | 209 | byte extAuthKeyId[KEYID_SIZE]; |
wolfSSL | 15:117db924cf7c | 210 | #endif |
wolfSSL | 15:117db924cf7c | 211 | byte issuerHash[CRL_DIGEST_SIZE]; |
wolfSSL | 16:8e0d178b1d1e | 212 | byte* tbs; |
wolfSSL | 15:117db924cf7c | 213 | word32 tbsSz = crle->tbsSz; |
wolfSSL | 15:117db924cf7c | 214 | byte* sig = NULL; |
wolfSSL | 15:117db924cf7c | 215 | word32 sigSz = crle->signatureSz; |
wolfSSL | 15:117db924cf7c | 216 | word32 sigOID = crle->signatureOID; |
wolfSSL | 15:117db924cf7c | 217 | SignatureCtx sigCtx; |
wolfSSL | 15:117db924cf7c | 218 | |
wolfSSL | 15:117db924cf7c | 219 | tbs = (byte*)XMALLOC(tbsSz, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 220 | if (tbs == NULL) { |
wolfSSL | 15:117db924cf7c | 221 | wc_UnLockMutex(&crl->crlLock); |
wolfSSL | 15:117db924cf7c | 222 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 223 | } |
wolfSSL | 15:117db924cf7c | 224 | sig = (byte*)XMALLOC(sigSz, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 225 | if (sig == NULL) { |
wolfSSL | 15:117db924cf7c | 226 | XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 227 | wc_UnLockMutex(&crl->crlLock); |
wolfSSL | 15:117db924cf7c | 228 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 229 | } |
wolfSSL | 15:117db924cf7c | 230 | |
wolfSSL | 15:117db924cf7c | 231 | XMEMCPY(tbs, crle->toBeSigned, tbsSz); |
wolfSSL | 15:117db924cf7c | 232 | XMEMCPY(sig, crle->signature, sigSz); |
wolfSSL | 16:8e0d178b1d1e | 233 | #ifndef NO_SKID |
wolfSSL | 16:8e0d178b1d1e | 234 | XMEMCPY(extAuthKeyId, crle->extAuthKeyId, |
wolfSSL | 15:117db924cf7c | 235 | sizeof(extAuthKeyId)); |
wolfSSL | 15:117db924cf7c | 236 | #endif |
wolfSSL | 15:117db924cf7c | 237 | XMEMCPY(issuerHash, crle->issuerHash, sizeof(issuerHash)); |
wolfSSL | 15:117db924cf7c | 238 | |
wolfSSL | 15:117db924cf7c | 239 | wc_UnLockMutex(&crl->crlLock); |
wolfSSL | 15:117db924cf7c | 240 | |
wolfSSL | 16:8e0d178b1d1e | 241 | #ifndef NO_SKID |
wolfSSL | 15:117db924cf7c | 242 | if (crle->extAuthKeyIdSet) |
wolfSSL | 15:117db924cf7c | 243 | ca = GetCA(crl->cm, extAuthKeyId); |
wolfSSL | 15:117db924cf7c | 244 | if (ca == NULL) |
wolfSSL | 15:117db924cf7c | 245 | ca = GetCAByName(crl->cm, issuerHash); |
wolfSSL | 15:117db924cf7c | 246 | #else /* NO_SKID */ |
wolfSSL | 15:117db924cf7c | 247 | ca = GetCA(crl->cm, issuerHash); |
wolfSSL | 15:117db924cf7c | 248 | #endif /* NO_SKID */ |
wolfSSL | 15:117db924cf7c | 249 | if (ca == NULL) { |
wolfSSL | 15:117db924cf7c | 250 | XFREE(sig, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 251 | XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 252 | WOLFSSL_MSG("Did NOT find CRL issuer CA"); |
wolfSSL | 15:117db924cf7c | 253 | return ASN_CRL_NO_SIGNER_E; |
wolfSSL | 15:117db924cf7c | 254 | } |
wolfSSL | 15:117db924cf7c | 255 | |
wolfSSL | 15:117db924cf7c | 256 | ret = VerifyCRL_Signature(&sigCtx, tbs, tbsSz, sig, sigSz, |
wolfSSL | 15:117db924cf7c | 257 | sigOID, ca, crl->heap); |
wolfSSL | 15:117db924cf7c | 258 | |
wolfSSL | 15:117db924cf7c | 259 | XFREE(sig, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 260 | XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 261 | |
wolfSSL | 15:117db924cf7c | 262 | if (wc_LockMutex(&crl->crlLock) != 0) { |
wolfSSL | 15:117db924cf7c | 263 | WOLFSSL_MSG("wc_LockMutex failed"); |
wolfSSL | 15:117db924cf7c | 264 | return BAD_MUTEX_E; |
wolfSSL | 15:117db924cf7c | 265 | } |
wolfSSL | 15:117db924cf7c | 266 | |
wolfSSL | 15:117db924cf7c | 267 | crle = crl->crlList; |
wolfSSL | 15:117db924cf7c | 268 | while (crle) { |
wolfSSL | 15:117db924cf7c | 269 | if (XMEMCMP(crle->issuerHash, cert->issuerHash, |
wolfSSL | 15:117db924cf7c | 270 | CRL_DIGEST_SIZE) == 0) { |
wolfSSL | 15:117db924cf7c | 271 | |
wolfSSL | 15:117db924cf7c | 272 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 273 | crle->verified = 1; |
wolfSSL | 15:117db924cf7c | 274 | else |
wolfSSL | 15:117db924cf7c | 275 | crle->verified = ret; |
wolfSSL | 15:117db924cf7c | 276 | |
wolfSSL | 15:117db924cf7c | 277 | XFREE(crle->toBeSigned, crl->heap, |
wolfSSL | 15:117db924cf7c | 278 | DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 279 | crle->toBeSigned = NULL; |
wolfSSL | 15:117db924cf7c | 280 | XFREE(crle->signature, crl->heap, |
wolfSSL | 15:117db924cf7c | 281 | DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 282 | crle->signature = NULL; |
wolfSSL | 15:117db924cf7c | 283 | break; |
wolfSSL | 15:117db924cf7c | 284 | } |
wolfSSL | 15:117db924cf7c | 285 | crle = crle->next; |
wolfSSL | 15:117db924cf7c | 286 | } |
wolfSSL | 15:117db924cf7c | 287 | if (crle == NULL || crle->verified < 0) |
wolfSSL | 15:117db924cf7c | 288 | break; |
wolfSSL | 15:117db924cf7c | 289 | } |
wolfSSL | 15:117db924cf7c | 290 | else if (crle->verified < 0) { |
wolfSSL | 15:117db924cf7c | 291 | WOLFSSL_MSG("Cannot use CRL as it didn't verify"); |
wolfSSL | 15:117db924cf7c | 292 | ret = crle->verified; |
wolfSSL | 15:117db924cf7c | 293 | break; |
wolfSSL | 15:117db924cf7c | 294 | } |
wolfSSL | 15:117db924cf7c | 295 | |
wolfSSL | 15:117db924cf7c | 296 | WOLFSSL_MSG("Checking next date validity"); |
wolfSSL | 15:117db924cf7c | 297 | |
wolfSSL | 16:8e0d178b1d1e | 298 | #ifdef WOLFSSL_NO_CRL_NEXT_DATE |
wolfSSL | 16:8e0d178b1d1e | 299 | if (crle->nextDateFormat != ASN_OTHER_TYPE) |
wolfSSL | 16:8e0d178b1d1e | 300 | #endif |
wolfSSL | 16:8e0d178b1d1e | 301 | { |
wolfSSL | 15:117db924cf7c | 302 | #ifndef NO_ASN_TIME |
wolfSSL | 16:8e0d178b1d1e | 303 | if (!XVALIDATE_DATE(crle->nextDate,crle->nextDateFormat, AFTER)) { |
wolfSSL | 15:117db924cf7c | 304 | WOLFSSL_MSG("CRL next date is no longer valid"); |
wolfSSL | 15:117db924cf7c | 305 | ret = ASN_AFTER_DATE_E; |
wolfSSL | 15:117db924cf7c | 306 | } |
wolfSSL | 15:117db924cf7c | 307 | #endif |
wolfSSL | 15:117db924cf7c | 308 | } |
wolfSSL | 15:117db924cf7c | 309 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 310 | foundEntry = 1; |
wolfSSL | 15:117db924cf7c | 311 | } |
wolfSSL | 15:117db924cf7c | 312 | break; |
wolfSSL | 15:117db924cf7c | 313 | } |
wolfSSL | 15:117db924cf7c | 314 | crle = crle->next; |
wolfSSL | 15:117db924cf7c | 315 | } |
wolfSSL | 15:117db924cf7c | 316 | |
wolfSSL | 15:117db924cf7c | 317 | if (foundEntry) { |
wolfSSL | 15:117db924cf7c | 318 | RevokedCert* rc = crle->certs; |
wolfSSL | 15:117db924cf7c | 319 | |
wolfSSL | 15:117db924cf7c | 320 | while (rc) { |
wolfSSL | 15:117db924cf7c | 321 | if (rc->serialSz == cert->serialSz && |
wolfSSL | 15:117db924cf7c | 322 | XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) { |
wolfSSL | 15:117db924cf7c | 323 | WOLFSSL_MSG("Cert revoked"); |
wolfSSL | 15:117db924cf7c | 324 | ret = CRL_CERT_REVOKED; |
wolfSSL | 15:117db924cf7c | 325 | break; |
wolfSSL | 15:117db924cf7c | 326 | } |
wolfSSL | 15:117db924cf7c | 327 | rc = rc->next; |
wolfSSL | 15:117db924cf7c | 328 | } |
wolfSSL | 15:117db924cf7c | 329 | } |
wolfSSL | 15:117db924cf7c | 330 | |
wolfSSL | 15:117db924cf7c | 331 | wc_UnLockMutex(&crl->crlLock); |
wolfSSL | 15:117db924cf7c | 332 | |
wolfSSL | 15:117db924cf7c | 333 | *pFoundEntry = foundEntry; |
wolfSSL | 15:117db924cf7c | 334 | |
wolfSSL | 15:117db924cf7c | 335 | return ret; |
wolfSSL | 15:117db924cf7c | 336 | } |
wolfSSL | 15:117db924cf7c | 337 | |
wolfSSL | 15:117db924cf7c | 338 | /* Is the cert ok with CRL, return 0 on success */ |
wolfSSL | 15:117db924cf7c | 339 | int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 340 | { |
wolfSSL | 15:117db924cf7c | 341 | int foundEntry = 0; |
wolfSSL | 15:117db924cf7c | 342 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 343 | |
wolfSSL | 15:117db924cf7c | 344 | WOLFSSL_ENTER("CheckCertCRL"); |
wolfSSL | 15:117db924cf7c | 345 | |
wolfSSL | 15:117db924cf7c | 346 | ret = CheckCertCRLList(crl, cert, &foundEntry); |
wolfSSL | 15:117db924cf7c | 347 | |
wolfSSL | 15:117db924cf7c | 348 | #ifdef HAVE_CRL_IO |
wolfSSL | 15:117db924cf7c | 349 | if (foundEntry == 0) { |
wolfSSL | 15:117db924cf7c | 350 | /* perform embedded lookup */ |
wolfSSL | 15:117db924cf7c | 351 | if (crl->crlIOCb) { |
wolfSSL | 15:117db924cf7c | 352 | ret = crl->crlIOCb(crl, (const char*)cert->extCrlInfo, |
wolfSSL | 15:117db924cf7c | 353 | cert->extCrlInfoSz); |
wolfSSL | 15:117db924cf7c | 354 | if (ret == WOLFSSL_CBIO_ERR_WANT_READ) { |
wolfSSL | 15:117db924cf7c | 355 | ret = WANT_READ; |
wolfSSL | 15:117db924cf7c | 356 | } |
wolfSSL | 15:117db924cf7c | 357 | else if (ret >= 0) { |
wolfSSL | 15:117db924cf7c | 358 | /* try again */ |
wolfSSL | 15:117db924cf7c | 359 | ret = CheckCertCRLList(crl, cert, &foundEntry); |
wolfSSL | 15:117db924cf7c | 360 | } |
wolfSSL | 15:117db924cf7c | 361 | } |
wolfSSL | 15:117db924cf7c | 362 | } |
wolfSSL | 15:117db924cf7c | 363 | #endif |
wolfSSL | 15:117db924cf7c | 364 | |
wolfSSL | 15:117db924cf7c | 365 | if (foundEntry == 0) { |
wolfSSL | 15:117db924cf7c | 366 | WOLFSSL_MSG("Couldn't find CRL for status check"); |
wolfSSL | 15:117db924cf7c | 367 | ret = CRL_MISSING; |
wolfSSL | 15:117db924cf7c | 368 | |
wolfSSL | 15:117db924cf7c | 369 | if (crl->cm->cbMissingCRL) { |
wolfSSL | 15:117db924cf7c | 370 | char url[256]; |
wolfSSL | 15:117db924cf7c | 371 | |
wolfSSL | 15:117db924cf7c | 372 | WOLFSSL_MSG("Issuing missing CRL callback"); |
wolfSSL | 15:117db924cf7c | 373 | url[0] = '\0'; |
wolfSSL | 15:117db924cf7c | 374 | if (cert->extCrlInfo) { |
wolfSSL | 15:117db924cf7c | 375 | if (cert->extCrlInfoSz < (int)sizeof(url) -1 ) { |
wolfSSL | 15:117db924cf7c | 376 | XMEMCPY(url, cert->extCrlInfo, cert->extCrlInfoSz); |
wolfSSL | 15:117db924cf7c | 377 | url[cert->extCrlInfoSz] = '\0'; |
wolfSSL | 15:117db924cf7c | 378 | } |
wolfSSL | 15:117db924cf7c | 379 | else { |
wolfSSL | 15:117db924cf7c | 380 | WOLFSSL_MSG("CRL url too long"); |
wolfSSL | 15:117db924cf7c | 381 | } |
wolfSSL | 15:117db924cf7c | 382 | } |
wolfSSL | 15:117db924cf7c | 383 | |
wolfSSL | 15:117db924cf7c | 384 | crl->cm->cbMissingCRL(url); |
wolfSSL | 15:117db924cf7c | 385 | } |
wolfSSL | 15:117db924cf7c | 386 | } |
wolfSSL | 15:117db924cf7c | 387 | |
wolfSSL | 15:117db924cf7c | 388 | return ret; |
wolfSSL | 15:117db924cf7c | 389 | } |
wolfSSL | 15:117db924cf7c | 390 | |
wolfSSL | 15:117db924cf7c | 391 | |
wolfSSL | 15:117db924cf7c | 392 | /* Add Decoded CRL, 0 on success */ |
wolfSSL | 15:117db924cf7c | 393 | static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff, |
wolfSSL | 15:117db924cf7c | 394 | int verified) |
wolfSSL | 15:117db924cf7c | 395 | { |
wolfSSL | 15:117db924cf7c | 396 | CRL_Entry* crle; |
wolfSSL | 15:117db924cf7c | 397 | |
wolfSSL | 15:117db924cf7c | 398 | WOLFSSL_ENTER("AddCRL"); |
wolfSSL | 15:117db924cf7c | 399 | |
wolfSSL | 15:117db924cf7c | 400 | crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), crl->heap, DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 401 | if (crle == NULL) { |
wolfSSL | 15:117db924cf7c | 402 | WOLFSSL_MSG("alloc CRL Entry failed"); |
wolfSSL | 15:117db924cf7c | 403 | return -1; |
wolfSSL | 15:117db924cf7c | 404 | } |
wolfSSL | 15:117db924cf7c | 405 | |
wolfSSL | 15:117db924cf7c | 406 | if (InitCRL_Entry(crle, dcrl, buff, verified, crl->heap) < 0) { |
wolfSSL | 15:117db924cf7c | 407 | WOLFSSL_MSG("Init CRL Entry failed"); |
wolfSSL | 15:117db924cf7c | 408 | XFREE(crle, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 409 | return -1; |
wolfSSL | 15:117db924cf7c | 410 | } |
wolfSSL | 15:117db924cf7c | 411 | |
wolfSSL | 15:117db924cf7c | 412 | if (wc_LockMutex(&crl->crlLock) != 0) { |
wolfSSL | 15:117db924cf7c | 413 | WOLFSSL_MSG("wc_LockMutex failed"); |
wolfSSL | 15:117db924cf7c | 414 | FreeCRL_Entry(crle, crl->heap); |
wolfSSL | 15:117db924cf7c | 415 | XFREE(crle, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); |
wolfSSL | 15:117db924cf7c | 416 | return BAD_MUTEX_E; |
wolfSSL | 15:117db924cf7c | 417 | } |
wolfSSL | 15:117db924cf7c | 418 | crle->next = crl->crlList; |
wolfSSL | 15:117db924cf7c | 419 | crl->crlList = crle; |
wolfSSL | 15:117db924cf7c | 420 | wc_UnLockMutex(&crl->crlLock); |
wolfSSL | 15:117db924cf7c | 421 | |
wolfSSL | 15:117db924cf7c | 422 | return 0; |
wolfSSL | 15:117db924cf7c | 423 | } |
wolfSSL | 15:117db924cf7c | 424 | |
wolfSSL | 15:117db924cf7c | 425 | |
wolfSSL | 15:117db924cf7c | 426 | /* Load CRL File of type, WOLFSSL_SUCCESS on ok */ |
wolfSSL | 15:117db924cf7c | 427 | int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type, |
wolfSSL | 16:8e0d178b1d1e | 428 | int verify) |
wolfSSL | 15:117db924cf7c | 429 | { |
wolfSSL | 15:117db924cf7c | 430 | int ret = WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 431 | const byte* myBuffer = buff; /* if DER ok, otherwise switch */ |
wolfSSL | 15:117db924cf7c | 432 | DerBuffer* der = NULL; |
wolfSSL | 15:117db924cf7c | 433 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 434 | DecodedCRL* dcrl; |
wolfSSL | 15:117db924cf7c | 435 | #else |
wolfSSL | 15:117db924cf7c | 436 | DecodedCRL dcrl[1]; |
wolfSSL | 15:117db924cf7c | 437 | #endif |
wolfSSL | 15:117db924cf7c | 438 | |
wolfSSL | 15:117db924cf7c | 439 | WOLFSSL_ENTER("BufferLoadCRL"); |
wolfSSL | 15:117db924cf7c | 440 | |
wolfSSL | 15:117db924cf7c | 441 | if (crl == NULL || buff == NULL || sz == 0) |
wolfSSL | 15:117db924cf7c | 442 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 443 | |
wolfSSL | 15:117db924cf7c | 444 | if (type == WOLFSSL_FILETYPE_PEM) { |
wolfSSL | 15:117db924cf7c | 445 | #ifdef WOLFSSL_PEM_TO_DER |
wolfSSL | 15:117db924cf7c | 446 | ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, NULL, NULL); |
wolfSSL | 15:117db924cf7c | 447 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 448 | myBuffer = der->buffer; |
wolfSSL | 15:117db924cf7c | 449 | sz = der->length; |
wolfSSL | 15:117db924cf7c | 450 | } |
wolfSSL | 15:117db924cf7c | 451 | else { |
wolfSSL | 15:117db924cf7c | 452 | WOLFSSL_MSG("Pem to Der failed"); |
wolfSSL | 15:117db924cf7c | 453 | FreeDer(&der); |
wolfSSL | 15:117db924cf7c | 454 | return -1; |
wolfSSL | 15:117db924cf7c | 455 | } |
wolfSSL | 15:117db924cf7c | 456 | #else |
wolfSSL | 15:117db924cf7c | 457 | ret = NOT_COMPILED_IN; |
wolfSSL | 15:117db924cf7c | 458 | #endif |
wolfSSL | 15:117db924cf7c | 459 | } |
wolfSSL | 15:117db924cf7c | 460 | |
wolfSSL | 15:117db924cf7c | 461 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 462 | dcrl = (DecodedCRL*)XMALLOC(sizeof(DecodedCRL), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 463 | if (dcrl == NULL) { |
wolfSSL | 15:117db924cf7c | 464 | FreeDer(&der); |
wolfSSL | 15:117db924cf7c | 465 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 466 | } |
wolfSSL | 15:117db924cf7c | 467 | #endif |
wolfSSL | 15:117db924cf7c | 468 | |
wolfSSL | 15:117db924cf7c | 469 | InitDecodedCRL(dcrl, crl->heap); |
wolfSSL | 15:117db924cf7c | 470 | ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm); |
wolfSSL | 16:8e0d178b1d1e | 471 | if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && verify == NO_VERIFY)) { |
wolfSSL | 15:117db924cf7c | 472 | WOLFSSL_MSG("ParseCRL error"); |
wolfSSL | 15:117db924cf7c | 473 | } |
wolfSSL | 15:117db924cf7c | 474 | else { |
wolfSSL | 15:117db924cf7c | 475 | ret = AddCRL(crl, dcrl, myBuffer, ret != ASN_CRL_NO_SIGNER_E); |
wolfSSL | 15:117db924cf7c | 476 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 477 | WOLFSSL_MSG("AddCRL error"); |
wolfSSL | 15:117db924cf7c | 478 | } |
wolfSSL | 15:117db924cf7c | 479 | } |
wolfSSL | 15:117db924cf7c | 480 | |
wolfSSL | 15:117db924cf7c | 481 | FreeDecodedCRL(dcrl); |
wolfSSL | 15:117db924cf7c | 482 | |
wolfSSL | 15:117db924cf7c | 483 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 484 | XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 485 | #endif |
wolfSSL | 15:117db924cf7c | 486 | |
wolfSSL | 15:117db924cf7c | 487 | FreeDer(&der); |
wolfSSL | 15:117db924cf7c | 488 | |
wolfSSL | 15:117db924cf7c | 489 | return ret ? ret : WOLFSSL_SUCCESS; /* convert 0 to WOLFSSL_SUCCESS */ |
wolfSSL | 15:117db924cf7c | 490 | } |
wolfSSL | 15:117db924cf7c | 491 | |
wolfSSL | 15:117db924cf7c | 492 | #if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) |
wolfSSL | 15:117db924cf7c | 493 | int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newcrl) |
wolfSSL | 15:117db924cf7c | 494 | { |
wolfSSL | 15:117db924cf7c | 495 | CRL_Entry *crle; |
wolfSSL | 15:117db924cf7c | 496 | WOLFSSL_CRL *crl; |
wolfSSL | 15:117db924cf7c | 497 | |
wolfSSL | 15:117db924cf7c | 498 | WOLFSSL_ENTER("wolfSSL_X509_STORE_add_crl"); |
wolfSSL | 15:117db924cf7c | 499 | if (store == NULL || newcrl == NULL) |
wolfSSL | 15:117db924cf7c | 500 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 501 | |
wolfSSL | 15:117db924cf7c | 502 | crl = store->crl; |
wolfSSL | 15:117db924cf7c | 503 | crle = newcrl->crlList; |
wolfSSL | 15:117db924cf7c | 504 | |
wolfSSL | 15:117db924cf7c | 505 | if (wc_LockMutex(&crl->crlLock) != 0) |
wolfSSL | 15:117db924cf7c | 506 | { |
wolfSSL | 15:117db924cf7c | 507 | WOLFSSL_MSG("wc_LockMutex failed"); |
wolfSSL | 15:117db924cf7c | 508 | return BAD_MUTEX_E; |
wolfSSL | 15:117db924cf7c | 509 | } |
wolfSSL | 15:117db924cf7c | 510 | crle->next = crl->crlList; |
wolfSSL | 15:117db924cf7c | 511 | crl->crlList = crle; |
wolfSSL | 15:117db924cf7c | 512 | newcrl->crlList = NULL; |
wolfSSL | 15:117db924cf7c | 513 | wc_UnLockMutex(&crl->crlLock); |
wolfSSL | 15:117db924cf7c | 514 | |
wolfSSL | 15:117db924cf7c | 515 | WOLFSSL_LEAVE("wolfSSL_X509_STORE_add_crl", WOLFSSL_SUCCESS); |
wolfSSL | 16:8e0d178b1d1e | 516 | |
wolfSSL | 15:117db924cf7c | 517 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 518 | } |
wolfSSL | 15:117db924cf7c | 519 | #endif |
wolfSSL | 15:117db924cf7c | 520 | |
wolfSSL | 15:117db924cf7c | 521 | #ifdef HAVE_CRL_MONITOR |
wolfSSL | 15:117db924cf7c | 522 | |
wolfSSL | 15:117db924cf7c | 523 | |
wolfSSL | 15:117db924cf7c | 524 | /* Signal Monitor thread is setup, save status to setup flag, 0 on success */ |
wolfSSL | 15:117db924cf7c | 525 | static int SignalSetup(WOLFSSL_CRL* crl, int status) |
wolfSSL | 15:117db924cf7c | 526 | { |
wolfSSL | 15:117db924cf7c | 527 | int ret; |
wolfSSL | 15:117db924cf7c | 528 | |
wolfSSL | 15:117db924cf7c | 529 | /* signal to calling thread we're setup */ |
wolfSSL | 15:117db924cf7c | 530 | if (wc_LockMutex(&crl->crlLock) != 0) { |
wolfSSL | 15:117db924cf7c | 531 | WOLFSSL_MSG("wc_LockMutex crlLock failed"); |
wolfSSL | 15:117db924cf7c | 532 | return BAD_MUTEX_E; |
wolfSSL | 15:117db924cf7c | 533 | } |
wolfSSL | 15:117db924cf7c | 534 | |
wolfSSL | 15:117db924cf7c | 535 | crl->setup = status; |
wolfSSL | 15:117db924cf7c | 536 | ret = pthread_cond_signal(&crl->cond); |
wolfSSL | 15:117db924cf7c | 537 | |
wolfSSL | 15:117db924cf7c | 538 | wc_UnLockMutex(&crl->crlLock); |
wolfSSL | 15:117db924cf7c | 539 | |
wolfSSL | 15:117db924cf7c | 540 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 541 | return BAD_COND_E; |
wolfSSL | 15:117db924cf7c | 542 | |
wolfSSL | 15:117db924cf7c | 543 | return 0; |
wolfSSL | 15:117db924cf7c | 544 | } |
wolfSSL | 15:117db924cf7c | 545 | |
wolfSSL | 15:117db924cf7c | 546 | |
wolfSSL | 15:117db924cf7c | 547 | /* read in new CRL entries and save new list */ |
wolfSSL | 15:117db924cf7c | 548 | static int SwapLists(WOLFSSL_CRL* crl) |
wolfSSL | 15:117db924cf7c | 549 | { |
wolfSSL | 15:117db924cf7c | 550 | int ret; |
wolfSSL | 15:117db924cf7c | 551 | CRL_Entry* newList; |
wolfSSL | 15:117db924cf7c | 552 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 553 | WOLFSSL_CRL* tmp; |
wolfSSL | 15:117db924cf7c | 554 | #else |
wolfSSL | 15:117db924cf7c | 555 | WOLFSSL_CRL tmp[1]; |
wolfSSL | 15:117db924cf7c | 556 | #endif |
wolfSSL | 15:117db924cf7c | 557 | |
wolfSSL | 15:117db924cf7c | 558 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 559 | tmp = (WOLFSSL_CRL*)XMALLOC(sizeof(WOLFSSL_CRL), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 560 | if (tmp == NULL) |
wolfSSL | 15:117db924cf7c | 561 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 562 | #endif |
wolfSSL | 15:117db924cf7c | 563 | |
wolfSSL | 15:117db924cf7c | 564 | if (InitCRL(tmp, crl->cm) < 0) { |
wolfSSL | 15:117db924cf7c | 565 | WOLFSSL_MSG("Init tmp CRL failed"); |
wolfSSL | 15:117db924cf7c | 566 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 567 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 568 | #endif |
wolfSSL | 15:117db924cf7c | 569 | return -1; |
wolfSSL | 15:117db924cf7c | 570 | } |
wolfSSL | 15:117db924cf7c | 571 | |
wolfSSL | 15:117db924cf7c | 572 | if (crl->monitors[0].path) { |
wolfSSL | 15:117db924cf7c | 573 | ret = LoadCRL(tmp, crl->monitors[0].path, WOLFSSL_FILETYPE_PEM, 0); |
wolfSSL | 15:117db924cf7c | 574 | if (ret != WOLFSSL_SUCCESS) { |
wolfSSL | 15:117db924cf7c | 575 | WOLFSSL_MSG("PEM LoadCRL on dir change failed"); |
wolfSSL | 15:117db924cf7c | 576 | FreeCRL(tmp, 0); |
wolfSSL | 15:117db924cf7c | 577 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 578 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 579 | #endif |
wolfSSL | 15:117db924cf7c | 580 | return -1; |
wolfSSL | 15:117db924cf7c | 581 | } |
wolfSSL | 15:117db924cf7c | 582 | } |
wolfSSL | 15:117db924cf7c | 583 | |
wolfSSL | 15:117db924cf7c | 584 | if (crl->monitors[1].path) { |
wolfSSL | 15:117db924cf7c | 585 | ret = LoadCRL(tmp, crl->monitors[1].path, WOLFSSL_FILETYPE_ASN1, 0); |
wolfSSL | 15:117db924cf7c | 586 | if (ret != WOLFSSL_SUCCESS) { |
wolfSSL | 15:117db924cf7c | 587 | WOLFSSL_MSG("DER LoadCRL on dir change failed"); |
wolfSSL | 15:117db924cf7c | 588 | FreeCRL(tmp, 0); |
wolfSSL | 15:117db924cf7c | 589 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 590 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 591 | #endif |
wolfSSL | 15:117db924cf7c | 592 | return -1; |
wolfSSL | 15:117db924cf7c | 593 | } |
wolfSSL | 15:117db924cf7c | 594 | } |
wolfSSL | 15:117db924cf7c | 595 | |
wolfSSL | 15:117db924cf7c | 596 | if (wc_LockMutex(&crl->crlLock) != 0) { |
wolfSSL | 15:117db924cf7c | 597 | WOLFSSL_MSG("wc_LockMutex failed"); |
wolfSSL | 15:117db924cf7c | 598 | FreeCRL(tmp, 0); |
wolfSSL | 15:117db924cf7c | 599 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 600 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 601 | #endif |
wolfSSL | 15:117db924cf7c | 602 | return -1; |
wolfSSL | 15:117db924cf7c | 603 | } |
wolfSSL | 15:117db924cf7c | 604 | |
wolfSSL | 15:117db924cf7c | 605 | newList = tmp->crlList; |
wolfSSL | 15:117db924cf7c | 606 | |
wolfSSL | 15:117db924cf7c | 607 | /* swap lists */ |
wolfSSL | 15:117db924cf7c | 608 | tmp->crlList = crl->crlList; |
wolfSSL | 15:117db924cf7c | 609 | crl->crlList = newList; |
wolfSSL | 15:117db924cf7c | 610 | |
wolfSSL | 15:117db924cf7c | 611 | wc_UnLockMutex(&crl->crlLock); |
wolfSSL | 15:117db924cf7c | 612 | |
wolfSSL | 15:117db924cf7c | 613 | FreeCRL(tmp, 0); |
wolfSSL | 15:117db924cf7c | 614 | |
wolfSSL | 15:117db924cf7c | 615 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 616 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 617 | #endif |
wolfSSL | 15:117db924cf7c | 618 | |
wolfSSL | 15:117db924cf7c | 619 | return 0; |
wolfSSL | 15:117db924cf7c | 620 | } |
wolfSSL | 15:117db924cf7c | 621 | |
wolfSSL | 15:117db924cf7c | 622 | |
wolfSSL | 15:117db924cf7c | 623 | #if (defined(__MACH__) || defined(__FreeBSD__)) |
wolfSSL | 15:117db924cf7c | 624 | |
wolfSSL | 15:117db924cf7c | 625 | #include <sys/types.h> |
wolfSSL | 15:117db924cf7c | 626 | #include <sys/event.h> |
wolfSSL | 15:117db924cf7c | 627 | #include <sys/time.h> |
wolfSSL | 15:117db924cf7c | 628 | #include <fcntl.h> |
wolfSSL | 15:117db924cf7c | 629 | #include <unistd.h> |
wolfSSL | 15:117db924cf7c | 630 | |
wolfSSL | 15:117db924cf7c | 631 | #ifdef __MACH__ |
wolfSSL | 15:117db924cf7c | 632 | #define XEVENT_MODE O_EVTONLY |
wolfSSL | 15:117db924cf7c | 633 | #elif defined(__FreeBSD__) |
wolfSSL | 15:117db924cf7c | 634 | #define XEVENT_MODE EVFILT_VNODE |
wolfSSL | 15:117db924cf7c | 635 | #endif |
wolfSSL | 15:117db924cf7c | 636 | |
wolfSSL | 15:117db924cf7c | 637 | |
wolfSSL | 15:117db924cf7c | 638 | /* we need a unique kqueue user filter fd for crl in case user is doing custom |
wolfSSL | 15:117db924cf7c | 639 | * events too */ |
wolfSSL | 15:117db924cf7c | 640 | #ifndef CRL_CUSTOM_FD |
wolfSSL | 15:117db924cf7c | 641 | #define CRL_CUSTOM_FD 123456 |
wolfSSL | 15:117db924cf7c | 642 | #endif |
wolfSSL | 15:117db924cf7c | 643 | |
wolfSSL | 15:117db924cf7c | 644 | |
wolfSSL | 15:117db924cf7c | 645 | /* shutdown monitor thread, 0 on success */ |
wolfSSL | 15:117db924cf7c | 646 | static int StopMonitor(int mfd) |
wolfSSL | 15:117db924cf7c | 647 | { |
wolfSSL | 15:117db924cf7c | 648 | struct kevent change; |
wolfSSL | 15:117db924cf7c | 649 | |
wolfSSL | 15:117db924cf7c | 650 | /* trigger custom shutdown */ |
wolfSSL | 15:117db924cf7c | 651 | EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, 0, NOTE_TRIGGER, 0, NULL); |
wolfSSL | 15:117db924cf7c | 652 | if (kevent(mfd, &change, 1, NULL, 0, NULL) < 0) { |
wolfSSL | 15:117db924cf7c | 653 | WOLFSSL_MSG("kevent trigger customer event failed"); |
wolfSSL | 15:117db924cf7c | 654 | return -1; |
wolfSSL | 15:117db924cf7c | 655 | } |
wolfSSL | 15:117db924cf7c | 656 | |
wolfSSL | 15:117db924cf7c | 657 | return 0; |
wolfSSL | 15:117db924cf7c | 658 | } |
wolfSSL | 15:117db924cf7c | 659 | |
wolfSSL | 15:117db924cf7c | 660 | |
wolfSSL | 15:117db924cf7c | 661 | /* OS X monitoring */ |
wolfSSL | 15:117db924cf7c | 662 | static void* DoMonitor(void* arg) |
wolfSSL | 15:117db924cf7c | 663 | { |
wolfSSL | 15:117db924cf7c | 664 | int fPEM, fDER; |
wolfSSL | 15:117db924cf7c | 665 | struct kevent change; |
wolfSSL | 15:117db924cf7c | 666 | |
wolfSSL | 15:117db924cf7c | 667 | WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg; |
wolfSSL | 15:117db924cf7c | 668 | |
wolfSSL | 15:117db924cf7c | 669 | WOLFSSL_ENTER("DoMonitor"); |
wolfSSL | 15:117db924cf7c | 670 | |
wolfSSL | 15:117db924cf7c | 671 | crl->mfd = kqueue(); |
wolfSSL | 15:117db924cf7c | 672 | if (crl->mfd == -1) { |
wolfSSL | 15:117db924cf7c | 673 | WOLFSSL_MSG("kqueue failed"); |
wolfSSL | 15:117db924cf7c | 674 | SignalSetup(crl, MONITOR_SETUP_E); |
wolfSSL | 15:117db924cf7c | 675 | return NULL; |
wolfSSL | 15:117db924cf7c | 676 | } |
wolfSSL | 15:117db924cf7c | 677 | |
wolfSSL | 15:117db924cf7c | 678 | /* listen for custom shutdown event */ |
wolfSSL | 15:117db924cf7c | 679 | EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, EV_ADD, 0, 0, NULL); |
wolfSSL | 15:117db924cf7c | 680 | if (kevent(crl->mfd, &change, 1, NULL, 0, NULL) < 0) { |
wolfSSL | 15:117db924cf7c | 681 | WOLFSSL_MSG("kevent monitor customer event failed"); |
wolfSSL | 15:117db924cf7c | 682 | SignalSetup(crl, MONITOR_SETUP_E); |
wolfSSL | 15:117db924cf7c | 683 | close(crl->mfd); |
wolfSSL | 15:117db924cf7c | 684 | return NULL; |
wolfSSL | 15:117db924cf7c | 685 | } |
wolfSSL | 15:117db924cf7c | 686 | |
wolfSSL | 15:117db924cf7c | 687 | fPEM = -1; |
wolfSSL | 15:117db924cf7c | 688 | fDER = -1; |
wolfSSL | 15:117db924cf7c | 689 | |
wolfSSL | 15:117db924cf7c | 690 | if (crl->monitors[0].path) { |
wolfSSL | 15:117db924cf7c | 691 | fPEM = open(crl->monitors[0].path, XEVENT_MODE); |
wolfSSL | 15:117db924cf7c | 692 | if (fPEM == -1) { |
wolfSSL | 15:117db924cf7c | 693 | WOLFSSL_MSG("PEM event dir open failed"); |
wolfSSL | 15:117db924cf7c | 694 | SignalSetup(crl, MONITOR_SETUP_E); |
wolfSSL | 15:117db924cf7c | 695 | close(crl->mfd); |
wolfSSL | 15:117db924cf7c | 696 | return NULL; |
wolfSSL | 15:117db924cf7c | 697 | } |
wolfSSL | 15:117db924cf7c | 698 | } |
wolfSSL | 15:117db924cf7c | 699 | |
wolfSSL | 15:117db924cf7c | 700 | if (crl->monitors[1].path) { |
wolfSSL | 15:117db924cf7c | 701 | fDER = open(crl->monitors[1].path, XEVENT_MODE); |
wolfSSL | 15:117db924cf7c | 702 | if (fDER == -1) { |
wolfSSL | 15:117db924cf7c | 703 | WOLFSSL_MSG("DER event dir open failed"); |
wolfSSL | 15:117db924cf7c | 704 | if (fPEM != -1) |
wolfSSL | 15:117db924cf7c | 705 | close(fPEM); |
wolfSSL | 15:117db924cf7c | 706 | close(crl->mfd); |
wolfSSL | 15:117db924cf7c | 707 | SignalSetup(crl, MONITOR_SETUP_E); |
wolfSSL | 15:117db924cf7c | 708 | return NULL; |
wolfSSL | 15:117db924cf7c | 709 | } |
wolfSSL | 15:117db924cf7c | 710 | } |
wolfSSL | 15:117db924cf7c | 711 | |
wolfSSL | 15:117db924cf7c | 712 | if (fPEM != -1) |
wolfSSL | 15:117db924cf7c | 713 | EV_SET(&change, fPEM, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, |
wolfSSL | 15:117db924cf7c | 714 | NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0); |
wolfSSL | 15:117db924cf7c | 715 | |
wolfSSL | 15:117db924cf7c | 716 | if (fDER != -1) |
wolfSSL | 15:117db924cf7c | 717 | EV_SET(&change, fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, |
wolfSSL | 15:117db924cf7c | 718 | NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0); |
wolfSSL | 15:117db924cf7c | 719 | |
wolfSSL | 15:117db924cf7c | 720 | /* signal to calling thread we're setup */ |
wolfSSL | 15:117db924cf7c | 721 | if (SignalSetup(crl, 1) != 0) { |
wolfSSL | 15:117db924cf7c | 722 | if (fPEM != -1) |
wolfSSL | 15:117db924cf7c | 723 | close(fPEM); |
wolfSSL | 15:117db924cf7c | 724 | if (fDER != -1) |
wolfSSL | 15:117db924cf7c | 725 | close(fDER); |
wolfSSL | 15:117db924cf7c | 726 | close(crl->mfd); |
wolfSSL | 15:117db924cf7c | 727 | return NULL; |
wolfSSL | 15:117db924cf7c | 728 | } |
wolfSSL | 15:117db924cf7c | 729 | |
wolfSSL | 15:117db924cf7c | 730 | for (;;) { |
wolfSSL | 15:117db924cf7c | 731 | struct kevent event; |
wolfSSL | 15:117db924cf7c | 732 | int numEvents = kevent(crl->mfd, &change, 1, &event, 1, NULL); |
wolfSSL | 15:117db924cf7c | 733 | |
wolfSSL | 15:117db924cf7c | 734 | WOLFSSL_MSG("Got kevent"); |
wolfSSL | 15:117db924cf7c | 735 | |
wolfSSL | 15:117db924cf7c | 736 | if (numEvents == -1) { |
wolfSSL | 15:117db924cf7c | 737 | WOLFSSL_MSG("kevent problem, continue"); |
wolfSSL | 15:117db924cf7c | 738 | continue; |
wolfSSL | 15:117db924cf7c | 739 | } |
wolfSSL | 15:117db924cf7c | 740 | |
wolfSSL | 15:117db924cf7c | 741 | if (event.filter == EVFILT_USER) { |
wolfSSL | 15:117db924cf7c | 742 | WOLFSSL_MSG("Got user shutdown event, breaking out"); |
wolfSSL | 15:117db924cf7c | 743 | break; |
wolfSSL | 15:117db924cf7c | 744 | } |
wolfSSL | 15:117db924cf7c | 745 | |
wolfSSL | 15:117db924cf7c | 746 | if (SwapLists(crl) < 0) { |
wolfSSL | 15:117db924cf7c | 747 | WOLFSSL_MSG("SwapLists problem, continue"); |
wolfSSL | 15:117db924cf7c | 748 | } |
wolfSSL | 15:117db924cf7c | 749 | } |
wolfSSL | 15:117db924cf7c | 750 | |
wolfSSL | 15:117db924cf7c | 751 | if (fPEM != -1) |
wolfSSL | 15:117db924cf7c | 752 | close(fPEM); |
wolfSSL | 15:117db924cf7c | 753 | if (fDER != -1) |
wolfSSL | 15:117db924cf7c | 754 | close(fDER); |
wolfSSL | 15:117db924cf7c | 755 | |
wolfSSL | 15:117db924cf7c | 756 | close(crl->mfd); |
wolfSSL | 15:117db924cf7c | 757 | |
wolfSSL | 15:117db924cf7c | 758 | return NULL; |
wolfSSL | 15:117db924cf7c | 759 | } |
wolfSSL | 15:117db924cf7c | 760 | |
wolfSSL | 15:117db924cf7c | 761 | |
wolfSSL | 15:117db924cf7c | 762 | #elif defined(__linux__) |
wolfSSL | 15:117db924cf7c | 763 | |
wolfSSL | 15:117db924cf7c | 764 | #include <sys/types.h> |
wolfSSL | 15:117db924cf7c | 765 | #include <sys/inotify.h> |
wolfSSL | 15:117db924cf7c | 766 | #include <sys/eventfd.h> |
wolfSSL | 15:117db924cf7c | 767 | #include <unistd.h> |
wolfSSL | 15:117db924cf7c | 768 | |
wolfSSL | 15:117db924cf7c | 769 | |
wolfSSL | 15:117db924cf7c | 770 | #ifndef max |
wolfSSL | 15:117db924cf7c | 771 | static WC_INLINE int max(int a, int b) |
wolfSSL | 15:117db924cf7c | 772 | { |
wolfSSL | 15:117db924cf7c | 773 | return a > b ? a : b; |
wolfSSL | 15:117db924cf7c | 774 | } |
wolfSSL | 15:117db924cf7c | 775 | #endif /* max */ |
wolfSSL | 15:117db924cf7c | 776 | |
wolfSSL | 15:117db924cf7c | 777 | |
wolfSSL | 15:117db924cf7c | 778 | /* shutdown monitor thread, 0 on success */ |
wolfSSL | 15:117db924cf7c | 779 | static int StopMonitor(int mfd) |
wolfSSL | 15:117db924cf7c | 780 | { |
wolfSSL | 15:117db924cf7c | 781 | word64 w64 = 1; |
wolfSSL | 15:117db924cf7c | 782 | |
wolfSSL | 15:117db924cf7c | 783 | /* write to our custom event */ |
wolfSSL | 15:117db924cf7c | 784 | if (write(mfd, &w64, sizeof(w64)) < 0) { |
wolfSSL | 15:117db924cf7c | 785 | WOLFSSL_MSG("StopMonitor write failed"); |
wolfSSL | 15:117db924cf7c | 786 | return -1; |
wolfSSL | 15:117db924cf7c | 787 | } |
wolfSSL | 15:117db924cf7c | 788 | |
wolfSSL | 15:117db924cf7c | 789 | return 0; |
wolfSSL | 15:117db924cf7c | 790 | } |
wolfSSL | 15:117db924cf7c | 791 | |
wolfSSL | 15:117db924cf7c | 792 | |
wolfSSL | 15:117db924cf7c | 793 | /* linux monitoring */ |
wolfSSL | 15:117db924cf7c | 794 | static void* DoMonitor(void* arg) |
wolfSSL | 15:117db924cf7c | 795 | { |
wolfSSL | 15:117db924cf7c | 796 | int notifyFd; |
wolfSSL | 15:117db924cf7c | 797 | int wd = -1; |
wolfSSL | 15:117db924cf7c | 798 | WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg; |
wolfSSL | 15:117db924cf7c | 799 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 800 | char* buff; |
wolfSSL | 15:117db924cf7c | 801 | #else |
wolfSSL | 15:117db924cf7c | 802 | char buff[8192]; |
wolfSSL | 15:117db924cf7c | 803 | #endif |
wolfSSL | 15:117db924cf7c | 804 | |
wolfSSL | 15:117db924cf7c | 805 | WOLFSSL_ENTER("DoMonitor"); |
wolfSSL | 15:117db924cf7c | 806 | |
wolfSSL | 15:117db924cf7c | 807 | crl->mfd = eventfd(0, 0); /* our custom shutdown event */ |
wolfSSL | 15:117db924cf7c | 808 | if (crl->mfd < 0) { |
wolfSSL | 15:117db924cf7c | 809 | WOLFSSL_MSG("eventfd failed"); |
wolfSSL | 15:117db924cf7c | 810 | SignalSetup(crl, MONITOR_SETUP_E); |
wolfSSL | 15:117db924cf7c | 811 | return NULL; |
wolfSSL | 15:117db924cf7c | 812 | } |
wolfSSL | 15:117db924cf7c | 813 | |
wolfSSL | 15:117db924cf7c | 814 | notifyFd = inotify_init(); |
wolfSSL | 15:117db924cf7c | 815 | if (notifyFd < 0) { |
wolfSSL | 15:117db924cf7c | 816 | WOLFSSL_MSG("inotify failed"); |
wolfSSL | 15:117db924cf7c | 817 | close(crl->mfd); |
wolfSSL | 15:117db924cf7c | 818 | SignalSetup(crl, MONITOR_SETUP_E); |
wolfSSL | 15:117db924cf7c | 819 | return NULL; |
wolfSSL | 15:117db924cf7c | 820 | } |
wolfSSL | 15:117db924cf7c | 821 | |
wolfSSL | 15:117db924cf7c | 822 | if (crl->monitors[0].path) { |
wolfSSL | 15:117db924cf7c | 823 | wd = inotify_add_watch(notifyFd, crl->monitors[0].path, IN_CLOSE_WRITE | |
wolfSSL | 15:117db924cf7c | 824 | IN_DELETE); |
wolfSSL | 15:117db924cf7c | 825 | if (wd < 0) { |
wolfSSL | 15:117db924cf7c | 826 | WOLFSSL_MSG("PEM notify add watch failed"); |
wolfSSL | 15:117db924cf7c | 827 | close(crl->mfd); |
wolfSSL | 15:117db924cf7c | 828 | close(notifyFd); |
wolfSSL | 15:117db924cf7c | 829 | SignalSetup(crl, MONITOR_SETUP_E); |
wolfSSL | 15:117db924cf7c | 830 | return NULL; |
wolfSSL | 15:117db924cf7c | 831 | } |
wolfSSL | 15:117db924cf7c | 832 | } |
wolfSSL | 15:117db924cf7c | 833 | |
wolfSSL | 15:117db924cf7c | 834 | if (crl->monitors[1].path) { |
wolfSSL | 15:117db924cf7c | 835 | wd = inotify_add_watch(notifyFd, crl->monitors[1].path, IN_CLOSE_WRITE | |
wolfSSL | 15:117db924cf7c | 836 | IN_DELETE); |
wolfSSL | 15:117db924cf7c | 837 | if (wd < 0) { |
wolfSSL | 15:117db924cf7c | 838 | WOLFSSL_MSG("DER notify add watch failed"); |
wolfSSL | 15:117db924cf7c | 839 | close(crl->mfd); |
wolfSSL | 15:117db924cf7c | 840 | close(notifyFd); |
wolfSSL | 15:117db924cf7c | 841 | SignalSetup(crl, MONITOR_SETUP_E); |
wolfSSL | 15:117db924cf7c | 842 | return NULL; |
wolfSSL | 15:117db924cf7c | 843 | } |
wolfSSL | 15:117db924cf7c | 844 | } |
wolfSSL | 15:117db924cf7c | 845 | |
wolfSSL | 15:117db924cf7c | 846 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 847 | buff = (char*)XMALLOC(8192, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 848 | if (buff == NULL) |
wolfSSL | 15:117db924cf7c | 849 | return NULL; |
wolfSSL | 15:117db924cf7c | 850 | #endif |
wolfSSL | 15:117db924cf7c | 851 | |
wolfSSL | 15:117db924cf7c | 852 | /* signal to calling thread we're setup */ |
wolfSSL | 15:117db924cf7c | 853 | if (SignalSetup(crl, 1) != 0) { |
wolfSSL | 15:117db924cf7c | 854 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 855 | XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 856 | #endif |
wolfSSL | 15:117db924cf7c | 857 | |
wolfSSL | 15:117db924cf7c | 858 | if (wd > 0) |
wolfSSL | 15:117db924cf7c | 859 | inotify_rm_watch(notifyFd, wd); |
wolfSSL | 15:117db924cf7c | 860 | close(crl->mfd); |
wolfSSL | 15:117db924cf7c | 861 | close(notifyFd); |
wolfSSL | 15:117db924cf7c | 862 | return NULL; |
wolfSSL | 15:117db924cf7c | 863 | } |
wolfSSL | 15:117db924cf7c | 864 | |
wolfSSL | 15:117db924cf7c | 865 | for (;;) { |
wolfSSL | 15:117db924cf7c | 866 | fd_set readfds; |
wolfSSL | 15:117db924cf7c | 867 | int result; |
wolfSSL | 15:117db924cf7c | 868 | int length; |
wolfSSL | 15:117db924cf7c | 869 | |
wolfSSL | 15:117db924cf7c | 870 | FD_ZERO(&readfds); |
wolfSSL | 15:117db924cf7c | 871 | FD_SET(notifyFd, &readfds); |
wolfSSL | 15:117db924cf7c | 872 | FD_SET(crl->mfd, &readfds); |
wolfSSL | 15:117db924cf7c | 873 | |
wolfSSL | 15:117db924cf7c | 874 | result = select(max(notifyFd, crl->mfd) + 1, &readfds, NULL, NULL,NULL); |
wolfSSL | 15:117db924cf7c | 875 | |
wolfSSL | 15:117db924cf7c | 876 | WOLFSSL_MSG("Got notify event"); |
wolfSSL | 15:117db924cf7c | 877 | |
wolfSSL | 15:117db924cf7c | 878 | if (result < 0) { |
wolfSSL | 15:117db924cf7c | 879 | WOLFSSL_MSG("select problem, continue"); |
wolfSSL | 15:117db924cf7c | 880 | continue; |
wolfSSL | 15:117db924cf7c | 881 | } |
wolfSSL | 15:117db924cf7c | 882 | |
wolfSSL | 15:117db924cf7c | 883 | if (FD_ISSET(crl->mfd, &readfds)) { |
wolfSSL | 15:117db924cf7c | 884 | WOLFSSL_MSG("got custom shutdown event, breaking out"); |
wolfSSL | 15:117db924cf7c | 885 | break; |
wolfSSL | 15:117db924cf7c | 886 | } |
wolfSSL | 15:117db924cf7c | 887 | |
wolfSSL | 15:117db924cf7c | 888 | length = (int) read(notifyFd, buff, 8192); |
wolfSSL | 15:117db924cf7c | 889 | if (length < 0) { |
wolfSSL | 15:117db924cf7c | 890 | WOLFSSL_MSG("notify read problem, continue"); |
wolfSSL | 15:117db924cf7c | 891 | continue; |
wolfSSL | 15:117db924cf7c | 892 | } |
wolfSSL | 15:117db924cf7c | 893 | |
wolfSSL | 15:117db924cf7c | 894 | if (SwapLists(crl) < 0) { |
wolfSSL | 15:117db924cf7c | 895 | WOLFSSL_MSG("SwapLists problem, continue"); |
wolfSSL | 15:117db924cf7c | 896 | } |
wolfSSL | 15:117db924cf7c | 897 | } |
wolfSSL | 15:117db924cf7c | 898 | |
wolfSSL | 15:117db924cf7c | 899 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 900 | XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 901 | #endif |
wolfSSL | 15:117db924cf7c | 902 | |
wolfSSL | 15:117db924cf7c | 903 | if (wd > 0) |
wolfSSL | 15:117db924cf7c | 904 | inotify_rm_watch(notifyFd, wd); |
wolfSSL | 15:117db924cf7c | 905 | close(crl->mfd); |
wolfSSL | 15:117db924cf7c | 906 | close(notifyFd); |
wolfSSL | 15:117db924cf7c | 907 | |
wolfSSL | 15:117db924cf7c | 908 | return NULL; |
wolfSSL | 15:117db924cf7c | 909 | } |
wolfSSL | 15:117db924cf7c | 910 | |
wolfSSL | 15:117db924cf7c | 911 | #endif /* MACH or linux */ |
wolfSSL | 15:117db924cf7c | 912 | |
wolfSSL | 15:117db924cf7c | 913 | |
wolfSSL | 15:117db924cf7c | 914 | /* Start Monitoring the CRL path(s) in a thread */ |
wolfSSL | 15:117db924cf7c | 915 | static int StartMonitorCRL(WOLFSSL_CRL* crl) |
wolfSSL | 15:117db924cf7c | 916 | { |
wolfSSL | 15:117db924cf7c | 917 | int ret = WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 918 | |
wolfSSL | 15:117db924cf7c | 919 | WOLFSSL_ENTER("StartMonitorCRL"); |
wolfSSL | 15:117db924cf7c | 920 | |
wolfSSL | 15:117db924cf7c | 921 | if (crl == NULL) |
wolfSSL | 15:117db924cf7c | 922 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 923 | |
wolfSSL | 15:117db924cf7c | 924 | if (crl->tid != 0) { |
wolfSSL | 15:117db924cf7c | 925 | WOLFSSL_MSG("Monitor thread already running"); |
wolfSSL | 15:117db924cf7c | 926 | return ret; /* that's ok, someone already started */ |
wolfSSL | 15:117db924cf7c | 927 | } |
wolfSSL | 15:117db924cf7c | 928 | |
wolfSSL | 15:117db924cf7c | 929 | if (pthread_create(&crl->tid, NULL, DoMonitor, crl) != 0) { |
wolfSSL | 15:117db924cf7c | 930 | WOLFSSL_MSG("Thread creation error"); |
wolfSSL | 15:117db924cf7c | 931 | return THREAD_CREATE_E; |
wolfSSL | 15:117db924cf7c | 932 | } |
wolfSSL | 15:117db924cf7c | 933 | |
wolfSSL | 15:117db924cf7c | 934 | /* wait for setup to complete */ |
wolfSSL | 15:117db924cf7c | 935 | if (wc_LockMutex(&crl->crlLock) != 0) { |
wolfSSL | 15:117db924cf7c | 936 | WOLFSSL_MSG("wc_LockMutex crlLock error"); |
wolfSSL | 15:117db924cf7c | 937 | return BAD_MUTEX_E; |
wolfSSL | 15:117db924cf7c | 938 | } |
wolfSSL | 15:117db924cf7c | 939 | |
wolfSSL | 15:117db924cf7c | 940 | while (crl->setup == 0) { |
wolfSSL | 15:117db924cf7c | 941 | if (pthread_cond_wait(&crl->cond, &crl->crlLock) != 0) { |
wolfSSL | 15:117db924cf7c | 942 | ret = BAD_COND_E; |
wolfSSL | 15:117db924cf7c | 943 | break; |
wolfSSL | 15:117db924cf7c | 944 | } |
wolfSSL | 15:117db924cf7c | 945 | } |
wolfSSL | 15:117db924cf7c | 946 | |
wolfSSL | 15:117db924cf7c | 947 | if (crl->setup < 0) |
wolfSSL | 15:117db924cf7c | 948 | ret = crl->setup; /* store setup error */ |
wolfSSL | 15:117db924cf7c | 949 | |
wolfSSL | 15:117db924cf7c | 950 | wc_UnLockMutex(&crl->crlLock); |
wolfSSL | 15:117db924cf7c | 951 | |
wolfSSL | 15:117db924cf7c | 952 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 953 | WOLFSSL_MSG("DoMonitor setup failure"); |
wolfSSL | 15:117db924cf7c | 954 | crl->tid = 0; /* thread already done */ |
wolfSSL | 15:117db924cf7c | 955 | } |
wolfSSL | 15:117db924cf7c | 956 | |
wolfSSL | 15:117db924cf7c | 957 | return ret; |
wolfSSL | 15:117db924cf7c | 958 | } |
wolfSSL | 15:117db924cf7c | 959 | |
wolfSSL | 15:117db924cf7c | 960 | |
wolfSSL | 15:117db924cf7c | 961 | #else /* HAVE_CRL_MONITOR */ |
wolfSSL | 15:117db924cf7c | 962 | |
wolfSSL | 15:117db924cf7c | 963 | #ifndef NO_FILESYSTEM |
wolfSSL | 15:117db924cf7c | 964 | |
wolfSSL | 15:117db924cf7c | 965 | static int StartMonitorCRL(WOLFSSL_CRL* crl) |
wolfSSL | 15:117db924cf7c | 966 | { |
wolfSSL | 15:117db924cf7c | 967 | (void)crl; |
wolfSSL | 15:117db924cf7c | 968 | |
wolfSSL | 15:117db924cf7c | 969 | WOLFSSL_ENTER("StartMonitorCRL"); |
wolfSSL | 15:117db924cf7c | 970 | WOLFSSL_MSG("Not compiled in"); |
wolfSSL | 15:117db924cf7c | 971 | |
wolfSSL | 15:117db924cf7c | 972 | return NOT_COMPILED_IN; |
wolfSSL | 15:117db924cf7c | 973 | } |
wolfSSL | 15:117db924cf7c | 974 | |
wolfSSL | 15:117db924cf7c | 975 | #endif /* NO_FILESYSTEM */ |
wolfSSL | 15:117db924cf7c | 976 | |
wolfSSL | 15:117db924cf7c | 977 | #endif /* HAVE_CRL_MONITOR */ |
wolfSSL | 15:117db924cf7c | 978 | |
wolfSSL | 15:117db924cf7c | 979 | #if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) |
wolfSSL | 15:117db924cf7c | 980 | |
wolfSSL | 15:117db924cf7c | 981 | /* Load CRL path files of type, WOLFSSL_SUCCESS on ok */ |
wolfSSL | 15:117db924cf7c | 982 | int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor) |
wolfSSL | 15:117db924cf7c | 983 | { |
wolfSSL | 15:117db924cf7c | 984 | int ret = WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 985 | char* name = NULL; |
wolfSSL | 15:117db924cf7c | 986 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 987 | ReadDirCtx* readCtx = NULL; |
wolfSSL | 15:117db924cf7c | 988 | #else |
wolfSSL | 15:117db924cf7c | 989 | ReadDirCtx readCtx[1]; |
wolfSSL | 15:117db924cf7c | 990 | #endif |
wolfSSL | 15:117db924cf7c | 991 | |
wolfSSL | 15:117db924cf7c | 992 | WOLFSSL_ENTER("LoadCRL"); |
wolfSSL | 15:117db924cf7c | 993 | if (crl == NULL) |
wolfSSL | 15:117db924cf7c | 994 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 995 | |
wolfSSL | 15:117db924cf7c | 996 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 997 | readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), crl->heap, |
wolfSSL | 15:117db924cf7c | 998 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 999 | if (readCtx == NULL) |
wolfSSL | 15:117db924cf7c | 1000 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 1001 | #endif |
wolfSSL | 15:117db924cf7c | 1002 | |
wolfSSL | 15:117db924cf7c | 1003 | /* try to load each regular file in path */ |
wolfSSL | 15:117db924cf7c | 1004 | ret = wc_ReadDirFirst(readCtx, path, &name); |
wolfSSL | 15:117db924cf7c | 1005 | while (ret == 0 && name) { |
wolfSSL | 15:117db924cf7c | 1006 | int skip = 0; |
wolfSSL | 15:117db924cf7c | 1007 | if (type == WOLFSSL_FILETYPE_PEM) { |
wolfSSL | 15:117db924cf7c | 1008 | if (XSTRSTR(name, ".pem") == NULL) { |
wolfSSL | 15:117db924cf7c | 1009 | WOLFSSL_MSG("not .pem file, skipping"); |
wolfSSL | 15:117db924cf7c | 1010 | skip = 1; |
wolfSSL | 15:117db924cf7c | 1011 | } |
wolfSSL | 15:117db924cf7c | 1012 | } |
wolfSSL | 15:117db924cf7c | 1013 | else { |
wolfSSL | 15:117db924cf7c | 1014 | if (XSTRSTR(name, ".der") == NULL && |
wolfSSL | 15:117db924cf7c | 1015 | XSTRSTR(name, ".crl") == NULL) |
wolfSSL | 15:117db924cf7c | 1016 | { |
wolfSSL | 15:117db924cf7c | 1017 | WOLFSSL_MSG("not .der or .crl file, skipping"); |
wolfSSL | 15:117db924cf7c | 1018 | skip = 1; |
wolfSSL | 15:117db924cf7c | 1019 | } |
wolfSSL | 15:117db924cf7c | 1020 | } |
wolfSSL | 15:117db924cf7c | 1021 | |
wolfSSL | 16:8e0d178b1d1e | 1022 | if (!skip && ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl, |
wolfSSL | 16:8e0d178b1d1e | 1023 | VERIFY) != WOLFSSL_SUCCESS) { |
wolfSSL | 15:117db924cf7c | 1024 | WOLFSSL_MSG("CRL file load failed, continuing"); |
wolfSSL | 15:117db924cf7c | 1025 | } |
wolfSSL | 15:117db924cf7c | 1026 | |
wolfSSL | 15:117db924cf7c | 1027 | ret = wc_ReadDirNext(readCtx, path, &name); |
wolfSSL | 15:117db924cf7c | 1028 | } |
wolfSSL | 15:117db924cf7c | 1029 | wc_ReadDirClose(readCtx); |
wolfSSL | 15:117db924cf7c | 1030 | ret = WOLFSSL_SUCCESS; /* load failures not reported, for backwards compat */ |
wolfSSL | 15:117db924cf7c | 1031 | |
wolfSSL | 15:117db924cf7c | 1032 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 1033 | XFREE(readCtx, crl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 1034 | #endif |
wolfSSL | 15:117db924cf7c | 1035 | |
wolfSSL | 15:117db924cf7c | 1036 | if (monitor & WOLFSSL_CRL_MONITOR) { |
wolfSSL | 15:117db924cf7c | 1037 | word32 pathLen; |
wolfSSL | 15:117db924cf7c | 1038 | char* pathBuf; |
wolfSSL | 15:117db924cf7c | 1039 | |
wolfSSL | 15:117db924cf7c | 1040 | WOLFSSL_MSG("monitor path requested"); |
wolfSSL | 15:117db924cf7c | 1041 | |
wolfSSL | 15:117db924cf7c | 1042 | pathLen = (word32)XSTRLEN(path); |
wolfSSL | 15:117db924cf7c | 1043 | pathBuf = (char*)XMALLOC(pathLen+1, crl->heap,DYNAMIC_TYPE_CRL_MONITOR); |
wolfSSL | 15:117db924cf7c | 1044 | if (pathBuf) { |
wolfSSL | 16:8e0d178b1d1e | 1045 | XSTRNCPY(pathBuf, path, pathLen+1); |
wolfSSL | 15:117db924cf7c | 1046 | |
wolfSSL | 15:117db924cf7c | 1047 | if (type == WOLFSSL_FILETYPE_PEM) { |
wolfSSL | 15:117db924cf7c | 1048 | /* free old path before setting a new one */ |
wolfSSL | 15:117db924cf7c | 1049 | if (crl->monitors[0].path) { |
wolfSSL | 15:117db924cf7c | 1050 | XFREE(crl->monitors[0].path, crl->heap, |
wolfSSL | 15:117db924cf7c | 1051 | DYNAMIC_TYPE_CRL_MONITOR); |
wolfSSL | 15:117db924cf7c | 1052 | } |
wolfSSL | 15:117db924cf7c | 1053 | crl->monitors[0].path = pathBuf; |
wolfSSL | 15:117db924cf7c | 1054 | crl->monitors[0].type = WOLFSSL_FILETYPE_PEM; |
wolfSSL | 15:117db924cf7c | 1055 | } else { |
wolfSSL | 15:117db924cf7c | 1056 | /* free old path before setting a new one */ |
wolfSSL | 15:117db924cf7c | 1057 | if (crl->monitors[1].path) { |
wolfSSL | 15:117db924cf7c | 1058 | XFREE(crl->monitors[1].path, crl->heap, |
wolfSSL | 15:117db924cf7c | 1059 | DYNAMIC_TYPE_CRL_MONITOR); |
wolfSSL | 15:117db924cf7c | 1060 | } |
wolfSSL | 15:117db924cf7c | 1061 | crl->monitors[1].path = pathBuf; |
wolfSSL | 15:117db924cf7c | 1062 | crl->monitors[1].type = WOLFSSL_FILETYPE_ASN1; |
wolfSSL | 15:117db924cf7c | 1063 | } |
wolfSSL | 15:117db924cf7c | 1064 | |
wolfSSL | 15:117db924cf7c | 1065 | if (monitor & WOLFSSL_CRL_START_MON) { |
wolfSSL | 15:117db924cf7c | 1066 | WOLFSSL_MSG("start monitoring requested"); |
wolfSSL | 15:117db924cf7c | 1067 | |
wolfSSL | 15:117db924cf7c | 1068 | ret = StartMonitorCRL(crl); |
wolfSSL | 15:117db924cf7c | 1069 | } |
wolfSSL | 15:117db924cf7c | 1070 | } |
wolfSSL | 15:117db924cf7c | 1071 | else { |
wolfSSL | 15:117db924cf7c | 1072 | ret = MEMORY_E; |
wolfSSL | 15:117db924cf7c | 1073 | } |
wolfSSL | 15:117db924cf7c | 1074 | } |
wolfSSL | 15:117db924cf7c | 1075 | |
wolfSSL | 15:117db924cf7c | 1076 | return ret; |
wolfSSL | 15:117db924cf7c | 1077 | } |
wolfSSL | 15:117db924cf7c | 1078 | |
wolfSSL | 15:117db924cf7c | 1079 | #else |
wolfSSL | 15:117db924cf7c | 1080 | int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor) |
wolfSSL | 15:117db924cf7c | 1081 | { |
wolfSSL | 15:117db924cf7c | 1082 | (void)crl; |
wolfSSL | 15:117db924cf7c | 1083 | (void)path; |
wolfSSL | 15:117db924cf7c | 1084 | (void)type; |
wolfSSL | 15:117db924cf7c | 1085 | (void)monitor; |
wolfSSL | 15:117db924cf7c | 1086 | |
wolfSSL | 15:117db924cf7c | 1087 | /* stub for scenario where file system is not supported */ |
wolfSSL | 15:117db924cf7c | 1088 | return NOT_COMPILED_IN; |
wolfSSL | 15:117db924cf7c | 1089 | } |
wolfSSL | 15:117db924cf7c | 1090 | #endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */ |
wolfSSL | 15:117db924cf7c | 1091 | |
wolfSSL | 15:117db924cf7c | 1092 | #endif /* HAVE_CRL */ |
wolfSSL | 15:117db924cf7c | 1093 | #endif /* !WOLFCRYPT_ONLY */ |
wolfSSL | 15:117db924cf7c | 1094 |