wolfSSL SSL/TLS library, support up to TLS1.3


Committer:
wolfSSL
Date:
Fri Jun 05 00:11:07 2020 +0000
Revision:
17:a5f916481144
Parent:
16:8e0d178b1d1e
wolfSSL 4.4.0

wolfSSL 15:117db924cf7c 1 /* crl.c
wolfSSL 15:117db924cf7c 2 *
wolfSSL 16:8e0d178b1d1e 3 * Copyright (C) 2006-2020 wolfSSL Inc.
wolfSSL 15:117db924cf7c 4 *
wolfSSL 15:117db924cf7c 5 * This file is part of wolfSSL.
wolfSSL 15:117db924cf7c 6 *
wolfSSL 15:117db924cf7c 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 15:117db924cf7c 8 * it under the terms of the GNU General Public License as published by
wolfSSL 15:117db924cf7c 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 15:117db924cf7c 10 * (at your option) any later version.
wolfSSL 15:117db924cf7c 11 *
wolfSSL 15:117db924cf7c 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 15:117db924cf7c 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 15:117db924cf7c 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 15:117db924cf7c 15 * GNU General Public License for more details.
wolfSSL 15:117db924cf7c 16 *
wolfSSL 15:117db924cf7c 17 * You should have received a copy of the GNU General Public License
wolfSSL 15:117db924cf7c 18 * along with this program; if not, write to the Free Software
wolfSSL 15:117db924cf7c 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 15:117db924cf7c 20 */
wolfSSL 15:117db924cf7c 21
wolfSSL 15:117db924cf7c 22
wolfSSL 15:117db924cf7c 23 /* Name change compatibility layer no longer needs included here */
wolfSSL 15:117db924cf7c 24
wolfSSL 15:117db924cf7c 25 #ifdef HAVE_CONFIG_H
wolfSSL 15:117db924cf7c 26 #include <config.h>
wolfSSL 15:117db924cf7c 27 #endif
wolfSSL 15:117db924cf7c 28
wolfSSL 15:117db924cf7c 29 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 15:117db924cf7c 30
wolfSSL 15:117db924cf7c 31 #ifndef WOLFCRYPT_ONLY
wolfSSL 15:117db924cf7c 32 #ifdef HAVE_CRL
wolfSSL 15:117db924cf7c 33
wolfSSL 15:117db924cf7c 34 #include <wolfssl/internal.h>
wolfSSL 15:117db924cf7c 35 #include <wolfssl/error-ssl.h>
wolfSSL 15:117db924cf7c 36
wolfSSL 15:117db924cf7c 37 #include <string.h>
wolfSSL 15:117db924cf7c 38
wolfSSL 15:117db924cf7c 39 #ifdef HAVE_CRL_MONITOR
wolfSSL 15:117db924cf7c 40 #if (defined(__MACH__) || defined(__FreeBSD__) || defined(__linux__))
wolfSSL 15:117db924cf7c 41 static int StopMonitor(int mfd);
wolfSSL 15:117db924cf7c 42 #else
wolfSSL 15:117db924cf7c 43 #error "CRL monitor only currently supported on linux or mach"
wolfSSL 15:117db924cf7c 44 #endif
wolfSSL 15:117db924cf7c 45 #endif /* HAVE_CRL_MONITOR */
wolfSSL 15:117db924cf7c 46
wolfSSL 15:117db924cf7c 47
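/* Initialize CRL members.
 *
 * crl : CRL object to initialize (storage is owned by the caller).
 * cm  : owning certificate manager; may be NULL, in which case the heap
 *       hint is NULL. NOTE(review): CheckCertCRL dereferences crl->cm, so a
 *       NULL cm is only safe while the CRL is never consulted.
 *
 * Returns 0 on success, BAD_COND_E if the monitor condition variable cannot
 * be created, BAD_MUTEX_E if the list mutex cannot be created. No resource
 * is left allocated on failure.
 */
int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
{
    WOLFSSL_ENTER("InitCRL");
    if (cm != NULL)
        crl->heap = cm->heap;
    else
        crl->heap = NULL;
    crl->cm = cm;
    crl->crlList = NULL;
    crl->monitors[0].path = NULL;
    crl->monitors[1].path = NULL;
    /* NOTE(review): under HAVE_CRL_IO the crlIOCb member read by CheckCertCRL
     * is not initialized here; presumably the caller sets it — confirm. */
#ifdef HAVE_CRL_MONITOR
    crl->tid = 0;
    crl->mfd = -1;      /* mfd for bsd is kqueue fd, eventfd for linux */
    crl->setup = 0;     /* thread setup done predicate */
    if (pthread_cond_init(&crl->cond, 0) != 0) {
        WOLFSSL_MSG("Pthread condition init failed");
        return BAD_COND_E;
    }
#endif
    if (wc_InitMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("Init Mutex failed");
#ifdef HAVE_CRL_MONITOR
        /* don't leak the condition variable created above */
        pthread_cond_destroy(&crl->cond);
#endif
        return BAD_MUTEX_E;
    }

    return 0;
}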
wolfSSL 15:117db924cf7c 76
wolfSSL 15:117db924cf7c 77
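/* Initialize a CRL Entry from a decoded CRL.
 *
 * crle     : entry to fill in (crle->next is left to the caller).
 * dcrl     : decoded CRL; on success its revoked-cert list is moved into crle.
 * buff     : DER buffer dcrl was parsed from (source of the TBS bytes).
 * verified : non-zero when the CRL signature was already checked at load
 *            time. When zero, the TBS and signature are copied so that
 *            CheckCertCRLList can verify lazily once the issuer CA is known.
 * heap     : heap hint for allocations.
 *
 * Returns 0 on success, -1 on allocation failure. On failure nothing has
 * been moved out of dcrl, so FreeDecodedCRL still releases the revoked list
 * (previously the list was taken first and then leaked when the caller just
 * freed the entry struct).
 */
static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
                         int verified, void* heap)
{
    WOLFSSL_ENTER("InitCRL_Entry");

    XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE);
    /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
     *   copy the hash here if needed for optimized comparisons */
    XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
    XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
    crle->lastDateFormat = dcrl->lastDateFormat;
    crle->nextDateFormat = dcrl->nextDateFormat;

    crle->toBeSigned = NULL;
    crle->signature = NULL;
    crle->verified = verified;
    if (!verified) {
        /* assumes ParseCRL guarantees sigIndex >= certBegin — TODO confirm */
        crle->tbsSz = dcrl->sigIndex - dcrl->certBegin;
        crle->signatureSz = dcrl->sigLength;
        crle->signatureOID = dcrl->signatureOID;
        crle->toBeSigned = (byte*)XMALLOC(crle->tbsSz, heap,
                                          DYNAMIC_TYPE_CRL_ENTRY);
        if (crle->toBeSigned == NULL)
            return -1;
        crle->signature = (byte*)XMALLOC(crle->signatureSz, heap,
                                         DYNAMIC_TYPE_CRL_ENTRY);
        if (crle->signature == NULL) {
            XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY);
            crle->toBeSigned = NULL;
            return -1;
        }
        XMEMCPY(crle->toBeSigned, buff + dcrl->certBegin, crle->tbsSz);
        XMEMCPY(crle->signature, dcrl->signature, crle->signatureSz);
#ifndef NO_SKID
        crle->extAuthKeyIdSet = dcrl->extAuthKeyIdSet;
        if (crle->extAuthKeyIdSet)
            XMEMCPY(crle->extAuthKeyId, dcrl->extAuthKeyId, KEYID_SIZE);
#endif
    }
    else {
#ifndef NO_SKID
        /* not needed for an already-verified entry; keep it deterministic */
        crle->extAuthKeyIdSet = 0;
#endif
    }

    /* take ownership of the revoked list only once nothing else can fail */
    crle->certs = dcrl->certs;
    dcrl->certs = NULL;
    crle->totalCerts = dcrl->totalCerts;

    (void)verified;
    (void)heap;

    return 0;
}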
wolfSSL 15:117db924cf7c 128
wolfSSL 15:117db924cf7c 129
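/* Free all CRL Entry resources (the entry struct itself is the caller's).
 *
 * crle : entry whose revoked-cert list, signature copy and TBS copy are
 *        released; the pointers are reset to NULL afterwards.
 * heap : heap hint the buffers were allocated with.
 *
 * signature and toBeSigned are allocated with DYNAMIC_TYPE_CRL_ENTRY in
 * InitCRL_Entry, so they are released with the same type tag here (the
 * memory-tracking / static-memory builds key on it); only the RevokedCert
 * nodes are DYNAMIC_TYPE_REVOKED.
 */
static void FreeCRL_Entry(CRL_Entry* crle, void* heap)
{
    RevokedCert* rc = crle->certs;

    WOLFSSL_ENTER("FreeCRL_Entry");

    while (rc != NULL) {
        RevokedCert* next = rc->next;
        XFREE(rc, heap, DYNAMIC_TYPE_REVOKED);
        rc = next;
    }
    crle->certs = NULL;

    if (crle->signature != NULL) {
        XFREE(crle->signature, heap, DYNAMIC_TYPE_CRL_ENTRY);
        crle->signature = NULL;
    }
    if (crle->toBeSigned != NULL) {
        XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY);
        crle->toBeSigned = NULL;
    }

    (void)heap;
}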
wolfSSL 15:117db924cf7c 150
wolfSSL 15:117db924cf7c 151
wolfSSL 15:117db924cf7c 152
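/* Free all CRL resources.
 *
 * crl     : CRL object to tear down.
 * dynamic : non-zero to also free the WOLFSSL_CRL struct itself.
 *
 * With HAVE_CRL_MONITOR the monitor thread is stopped and joined FIRST:
 * SwapLists (run by that thread) reads monitors[].path and swaps crlList,
 * so freeing those before the join would race with a live thread.
 */
void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
{
    CRL_Entry* tmp;

    WOLFSSL_ENTER("FreeCRL");

#ifdef HAVE_CRL_MONITOR
    if (crl->tid != 0) {
        WOLFSSL_MSG("stopping monitor thread");
        if (StopMonitor(crl->mfd) == 0)
            pthread_join(crl->tid, NULL);
        else {
            /* NOTE(review): the thread keeps running with a pointer to crl;
             * everything freed below is then dangling for it */
            WOLFSSL_MSG("stop monitor failed");
        }
    }
#endif

    if (crl->monitors[0].path)
        XFREE(crl->monitors[0].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);

    if (crl->monitors[1].path)
        XFREE(crl->monitors[1].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);

    tmp = crl->crlList;
    while (tmp) {
        CRL_Entry* next = tmp->next;
        FreeCRL_Entry(tmp, crl->heap);
        XFREE(tmp, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
        tmp = next;
    }

#ifdef HAVE_CRL_MONITOR
    pthread_cond_destroy(&crl->cond);
#endif
    wc_FreeMutex(&crl->crlLock);
    if (dynamic) /* free self */
        XFREE(crl, crl->heap, DYNAMIC_TYPE_CRL);
}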
wolfSSL 15:117db924cf7c 187
wolfSSL 15:117db924cf7c 188
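/* Look the cert up in the loaded CRL list, lazily verifying the CRL
 * signature on first use.
 *
 * crl         : CRL store; crlLock is taken here and released before return.
 * cert        : decoded cert, matched by issuerHash then by serial number.
 * pFoundEntry : set to 1 when a usable (verified, date-valid) CRL for the
 *               cert's issuer was found, 0 otherwise. Not written on the
 *               early MEMORY_E / BAD_MUTEX_E / ASN_CRL_NO_SIGNER_E returns.
 *
 * Returns 0 when the cert is not listed, CRL_CERT_REVOKED when it is,
 * ASN_CRL_NO_SIGNER_E when the CRL issuer CA is not loaded, the signature
 * error when the CRL fails to verify, ASN_AFTER_DATE_E when the CRL's
 * nextUpdate has passed, BAD_MUTEX_E / MEMORY_E on resource failures.
 *
 * Only the FIRST entry whose issuerHash matches is consulted; if that one is
 * expired or fails verification, later entries for the same issuer are not
 * tried.
 */
static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntry)
{
    CRL_Entry* crle;
    int        foundEntry = 0;
    int        ret = 0;

    if (wc_LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("wc_LockMutex failed");
        return BAD_MUTEX_E;
    }

    crle = crl->crlList;

    while (crle) {
        if (XMEMCMP(crle->issuerHash, cert->issuerHash, CRL_DIGEST_SIZE) == 0) {
            WOLFSSL_MSG("Found CRL Entry on list");

            if (crle->verified == 0) {
                Signer* ca = NULL;
#ifndef NO_SKID
                byte extAuthKeyId[KEYID_SIZE];
                int  extAuthKeyIdSet;
#endif
                byte issuerHash[CRL_DIGEST_SIZE];
                byte* tbs;
                word32 tbsSz = crle->tbsSz;
                byte* sig = NULL;
                word32 sigSz = crle->signatureSz;
                word32 sigOID = crle->signatureOID;
                SignatureCtx sigCtx;

                tbs = (byte*)XMALLOC(tbsSz, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
                if (tbs == NULL) {
                    wc_UnLockMutex(&crl->crlLock);
                    return MEMORY_E;
                }
                sig = (byte*)XMALLOC(sigSz, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
                if (sig == NULL) {
                    XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
                    wc_UnLockMutex(&crl->crlLock);
                    return MEMORY_E;
                }

                /* Copy everything the verification needs out of the entry
                 * while the lock is still held. The lock is dropped for the
                 * (slow) signature check and SwapLists / FreeCRL may replace
                 * or free the list meanwhile, so crle must not be touched
                 * again until it has been re-found below. The previous code
                 * read crle->extAuthKeyIdSet after unlocking. */
                XMEMCPY(tbs, crle->toBeSigned, tbsSz);
                XMEMCPY(sig, crle->signature, sigSz);
#ifndef NO_SKID
                extAuthKeyIdSet = crle->extAuthKeyIdSet;
                XMEMCPY(extAuthKeyId, crle->extAuthKeyId,
                                                          sizeof(extAuthKeyId));
#endif
                XMEMCPY(issuerHash, crle->issuerHash, sizeof(issuerHash));

                wc_UnLockMutex(&crl->crlLock);

#ifndef NO_SKID
                if (extAuthKeyIdSet)
                    ca = GetCA(crl->cm, extAuthKeyId);
                if (ca == NULL)
                    ca = GetCAByName(crl->cm, issuerHash);
#else /* NO_SKID */
                ca = GetCA(crl->cm, issuerHash);
#endif /* NO_SKID */
                if (ca == NULL) {
                    XFREE(sig, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
                    XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
                    WOLFSSL_MSG("Did NOT find CRL issuer CA");
                    return ASN_CRL_NO_SIGNER_E;
                }

                ret = VerifyCRL_Signature(&sigCtx, tbs, tbsSz, sig, sigSz,
                                          sigOID, ca, crl->heap);

                XFREE(sig, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
                XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);

                if (wc_LockMutex(&crl->crlLock) != 0) {
                    WOLFSSL_MSG("wc_LockMutex failed");
                    return BAD_MUTEX_E;
                }

                /* Re-find the entry: the list may have changed while unlocked.
                 * NOTE(review): this re-matches by issuerHash only, so if an
                 * entry for the same issuer was added or swapped in meanwhile
                 * the result is recorded on that entry instead. */
                crle = crl->crlList;
                while (crle) {
                    if (XMEMCMP(crle->issuerHash, cert->issuerHash,
                                CRL_DIGEST_SIZE) == 0) {

                        /* verified: 1 on success, the negative error otherwise */
                        if (ret == 0)
                            crle->verified = 1;
                        else
                            crle->verified = ret;

                        /* the copies are not needed once a result is recorded */
                        XFREE(crle->toBeSigned, crl->heap,
                              DYNAMIC_TYPE_CRL_ENTRY);
                        crle->toBeSigned = NULL;
                        XFREE(crle->signature, crl->heap,
                              DYNAMIC_TYPE_CRL_ENTRY);
                        crle->signature = NULL;
                        break;
                    }
                    crle = crle->next;
                }
                if (crle == NULL || crle->verified < 0)
                    break;
            }
            else if (crle->verified < 0) {
                WOLFSSL_MSG("Cannot use CRL as it didn't verify");
                ret = crle->verified;
                break;
            }

            WOLFSSL_MSG("Checking next date validity");

#ifdef WOLFSSL_NO_CRL_NEXT_DATE
            /* a CRL without nextUpdate is allowed; only check a real date */
            if (crle->nextDateFormat != ASN_OTHER_TYPE)
#endif
            {
#ifndef NO_ASN_TIME
                if (!XVALIDATE_DATE(crle->nextDate,crle->nextDateFormat, AFTER)) {
                    WOLFSSL_MSG("CRL next date is no longer valid");
                    ret = ASN_AFTER_DATE_E;
                }
#endif
            }
            if (ret == 0) {
                foundEntry = 1;
            }
            break;
        }
        crle = crle->next;
    }

    if (foundEntry) {
        RevokedCert* rc = crle->certs;

        while (rc) {
            if (rc->serialSz == cert->serialSz &&
                   XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
                WOLFSSL_MSG("Cert revoked");
                ret = CRL_CERT_REVOKED;
                break;
            }
            rc = rc->next;
        }
    }

    wc_UnLockMutex(&crl->crlLock);

    *pFoundEntry = foundEntry;

    return ret;
}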
wolfSSL 15:117db924cf7c 337
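/* Is the cert ok with CRL, return 0 on success.
 *
 * crl  : CRL store; crl->cm (which InitCRL allows to be NULL) is only used
 *        for the missing-CRL callback and is guarded.
 * cert : decoded cert to check.
 *
 * Returns 0 when a usable CRL was found and the cert is not on it,
 * CRL_CERT_REVOKED when it is, CRL_MISSING when no usable CRL for the
 * issuer exists, or another error from CheckCertCRLList.
 *
 * When no CRL is found, the cert's CRL distribution point (untrusted data
 * taken straight from the certificate, if present and under 255 bytes) is
 * handed to the cert manager's cbMissingCRL callback as a NUL-terminated
 * string; otherwise the callback receives "".
 */
int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
{
    int foundEntry = 0;
    int ret = 0;

    WOLFSSL_ENTER("CheckCertCRL");

    ret = CheckCertCRLList(crl, cert, &foundEntry);

#ifdef HAVE_CRL_IO
    if (foundEntry == 0) {
        /* perform embedded lookup */
        if (crl->crlIOCb) {
            ret = crl->crlIOCb(crl, (const char*)cert->extCrlInfo,
                                                        cert->extCrlInfoSz);
            if (ret == WOLFSSL_CBIO_ERR_WANT_READ) {
                ret = WANT_READ;
            }
            else if (ret >= 0) {
                /* try again */
                ret = CheckCertCRLList(crl, cert, &foundEntry);
            }
        }
    }
#endif

    if (foundEntry == 0) {
        WOLFSSL_MSG("Couldn't find CRL for status check");
        /* NOTE(review): this also overwrites a WANT_READ (or any other error)
         * produced above with CRL_MISSING, so a non-blocking crlIOCb cannot
         * signal "retry later" to the caller through this function. */
        ret = CRL_MISSING;

        if (crl->cm != NULL && crl->cm->cbMissingCRL) {
            char url[256];

            WOLFSSL_MSG("Issuing missing CRL callback");
            url[0] = '\0';
            if (cert->extCrlInfo) {
                /* extCrlInfoSz is a signed int: reject a negative length as
                 * well as one that would not leave room for the terminator */
                if (cert->extCrlInfoSz >= 0 &&
                        cert->extCrlInfoSz < (int)sizeof(url) - 1) {
                    XMEMCPY(url, cert->extCrlInfo, cert->extCrlInfoSz);
                    url[cert->extCrlInfoSz] = '\0';
                }
                else {
                    WOLFSSL_MSG("CRL url too long");
                }
            }

            crl->cm->cbMissingCRL(url);
        }
    }

    return ret;
}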
wolfSSL 15:117db924cf7c 390
wolfSSL 15:117db924cf7c 391
/* Add a decoded CRL to the head of crl's list, 0 on success.
 *
 * crl      : CRL store to add to.
 * dcrl     : decoded CRL; its revoked list is moved into the new entry.
 * buff     : DER the CRL was parsed from.
 * verified : non-zero if the signature was already checked at load time.
 *
 * Returns 0 on success, -1 on allocation / entry-init failure, BAD_MUTEX_E
 * if the list lock cannot be taken.
 */
static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
                  int verified)
{
    CRL_Entry* entry;

    WOLFSSL_ENTER("AddCRL");

    entry = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), crl->heap,
                                DYNAMIC_TYPE_CRL_ENTRY);
    if (entry == NULL) {
        WOLFSSL_MSG("alloc CRL Entry failed");
        return -1;
    }

    if (InitCRL_Entry(entry, dcrl, buff, verified, crl->heap) < 0) {
        WOLFSSL_MSG("Init CRL Entry failed");
        XFREE(entry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
        return -1;
    }

    if (wc_LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("wc_LockMutex failed");
        FreeCRL_Entry(entry, crl->heap);
        XFREE(entry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
        return BAD_MUTEX_E;
    }

    /* newest entry goes to the head, so it is the first one CheckCertCRLList
     * sees for its issuer */
    entry->next = crl->crlList;
    crl->crlList = entry;
    wc_UnLockMutex(&crl->crlLock);

    return 0;
}
wolfSSL 15:117db924cf7c 424
wolfSSL 15:117db924cf7c 425
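/* Load a CRL from a buffer of the given type, WOLFSSL_SUCCESS on ok.
 *
 * crl    : CRL store to add to.
 * buff   : PEM or DER encoded CRL.
 * sz     : length of buff; must be positive.
 * type   : WOLFSSL_FILETYPE_PEM or DER (anything else is parsed as DER).
 * verify : when NO_VERIFY, a CRL whose issuer CA is not (yet) loaded is
 *          still added — unverified — and its signature is checked lazily by
 *          CheckCertCRLList on first use. Any other ParseCRL error is
 *          rejected regardless of verify.
 *
 * Returns WOLFSSL_SUCCESS; BAD_FUNC_ARG; NOT_COMPILED_IN for a PEM buffer
 * without WOLFSSL_PEM_TO_DER; MEMORY_E; -1 on PEM decode or add failure; or
 * the ParseCRL error code.
 */
int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
                  int verify)
{
    int          ret = WOLFSSL_SUCCESS;
    const byte*  myBuffer = buff;    /* if DER ok, otherwise switch */
    DerBuffer*   der = NULL;
#ifdef WOLFSSL_SMALL_STACK
    DecodedCRL*  dcrl;
#else
    DecodedCRL   dcrl[1];
#endif

    WOLFSSL_ENTER("BufferLoadCRL");

    /* sz is cast to word32 below, so a negative length must not get through */
    if (crl == NULL || buff == NULL || sz <= 0)
        return BAD_FUNC_ARG;

    if (type == WOLFSSL_FILETYPE_PEM) {
#ifdef WOLFSSL_PEM_TO_DER
        ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, NULL, NULL);
        if (ret == 0) {
            myBuffer = der->buffer;
            sz = der->length;
        }
        else {
            WOLFSSL_MSG("Pem to Der failed");
            FreeDer(&der);
            return -1;
        }
#else
        /* without PEM support there is nothing sensible to parse: previously
         * the NOT_COMPILED_IN result was discarded and the PEM text was fed
         * to the DER parser */
        WOLFSSL_MSG("PEM CRL given but PEM to DER not compiled in");
        return NOT_COMPILED_IN;
#endif
    }

#ifdef WOLFSSL_SMALL_STACK
    dcrl = (DecodedCRL*)XMALLOC(sizeof(DecodedCRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (dcrl == NULL) {
        FreeDer(&der);
        return MEMORY_E;
    }
#endif

    InitDecodedCRL(dcrl, crl->heap);
    ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
    if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && verify == NO_VERIFY)) {
        WOLFSSL_MSG("ParseCRL error");
    }
    else {
        /* the entry is marked unverified only in the NO_VERIFY / unknown
         * signer case */
        ret = AddCRL(crl, dcrl, myBuffer, ret != ASN_CRL_NO_SIGNER_E);
        if (ret != 0) {
            WOLFSSL_MSG("AddCRL error");
        }
    }

    FreeDecodedCRL(dcrl);

#ifdef WOLFSSL_SMALL_STACK
    XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    FreeDer(&der);

    return ret ? ret : WOLFSSL_SUCCESS; /* convert 0 to WOLFSSL_SUCCESS */
}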
wolfSSL 15:117db924cf7c 491
wolfSSL 15:117db924cf7c 492 #if defined(OPENSSL_EXTRA) && defined(HAVE_CRL)
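/* Move the CRL entries held by newcrl into store's CRL list.
 *
 * store  : X509 store whose CRL list receives the entries.
 * newcrl : CRL object whose entries are transferred; it is left with an
 *          empty list (ownership moves to the store) and must still be
 *          freed by the caller.
 *
 * Returns WOLFSSL_SUCCESS; BAD_FUNC_ARG if either argument is NULL, the
 * store has no CRL object, or newcrl holds no entries; BAD_MUTEX_E if the
 * store's CRL lock cannot be taken.
 *
 * ALL of newcrl's entries are spliced in, ahead of the existing ones and in
 * their original order. Linking only the first entry (as before) orphaned
 * the rest, which were then never freed.
 *
 * NOTE(review): entries were allocated with newcrl's heap hint and will be
 * freed with store->crl's; presumably the two are the same — confirm.
 */
int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newcrl)
{
    CRL_Entry   *head;
    CRL_Entry   *tail;
    WOLFSSL_CRL *crl;

    WOLFSSL_ENTER("wolfSSL_X509_STORE_add_crl");
    if (store == NULL || newcrl == NULL)
        return BAD_FUNC_ARG;

    crl = store->crl;
    head = newcrl->crlList;
    /* nothing to splice into, or nothing to splice */
    if (crl == NULL || head == NULL)
        return BAD_FUNC_ARG;

    tail = head;
    while (tail->next != NULL)
        tail = tail->next;

    if (wc_LockMutex(&crl->crlLock) != 0)
    {
        WOLFSSL_MSG("wc_LockMutex failed");
        return BAD_MUTEX_E;
    }
    tail->next = crl->crlList;
    crl->crlList = head;
    newcrl->crlList = NULL;
    wc_UnLockMutex(&crl->crlLock);

    WOLFSSL_LEAVE("wolfSSL_X509_STORE_add_crl", WOLFSSL_SUCCESS);

    return WOLFSSL_SUCCESS;
}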
wolfSSL 15:117db924cf7c 519 #endif
wolfSSL 15:117db924cf7c 520
wolfSSL 15:117db924cf7c 521 #ifdef HAVE_CRL_MONITOR
wolfSSL 15:117db924cf7c 522
wolfSSL 15:117db924cf7c 523
/* Record the monitor thread's setup result and wake the thread that is
 * waiting for it (the original comment calls it the "calling thread").
 *
 * crl    : CRL whose setup flag and condition variable are used.
 * status : value stored in crl->setup (0 on success, an error code
 *          otherwise, e.g. MONITOR_SETUP_E from DoMonitor).
 *
 * Returns 0 on success, BAD_MUTEX_E if crlLock cannot be taken,
 * BAD_COND_E if the condition variable cannot be signalled.
 */
static int SignalSetup(WOLFSSL_CRL* crl, int status)
{
    int sigRet;

    /* the setup flag and the condition are both guarded by crlLock */
    if (wc_LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("wc_LockMutex crlLock failed");
        return BAD_MUTEX_E;
    }

    crl->setup = status;
    sigRet = pthread_cond_signal(&crl->cond);

    wc_UnLockMutex(&crl->crlLock);

    return (sigRet != 0) ? BAD_COND_E : 0;
}
wolfSSL 15:117db924cf7c 545
wolfSSL 15:117db924cf7c 546
/* Re-read the monitored CRL directories into a fresh list and install it in
 * place of the current one (the old list is freed). Run by the monitor
 * thread on a directory change.
 *
 * crl : CRL whose monitors[].path directories are reloaded.
 *
 * Returns 0 on success, MEMORY_E or -1 on failure; on failure the current
 * list is left untouched.
 *
 * The reload passes a verify argument of 0 to LoadCRL (presumably NO_VERIFY
 * — confirm), i.e. CRLs whose issuer CA is not loaded are admitted
 * unverified and checked lazily; see BufferLoadCRL.
 */
static int SwapLists(WOLFSSL_CRL* crl)
{
    int          ret = -1;
    CRL_Entry*   oldList;
#ifdef WOLFSSL_SMALL_STACK
    WOLFSSL_CRL* fresh;
#else
    WOLFSSL_CRL  fresh[1];
#endif

#ifdef WOLFSSL_SMALL_STACK
    fresh = (WOLFSSL_CRL*)XMALLOC(sizeof(WOLFSSL_CRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (fresh == NULL)
        return MEMORY_E;
#endif

    if (InitCRL(fresh, crl->cm) < 0) {
        WOLFSSL_MSG("Init tmp CRL failed");
        goto out;
    }

    if (crl->monitors[0].path) {
        if (LoadCRL(fresh, crl->monitors[0].path, WOLFSSL_FILETYPE_PEM, 0)
                != WOLFSSL_SUCCESS) {
            WOLFSSL_MSG("PEM LoadCRL on dir change failed");
            goto out_free;
        }
    }

    if (crl->monitors[1].path) {
        if (LoadCRL(fresh, crl->monitors[1].path, WOLFSSL_FILETYPE_ASN1, 0)
                != WOLFSSL_SUCCESS) {
            WOLFSSL_MSG("DER LoadCRL on dir change failed");
            goto out_free;
        }
    }

    if (wc_LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("wc_LockMutex failed");
        goto out_free;
    }

    /* swap lists: the old one leaves in `fresh` and is freed with it */
    oldList = crl->crlList;
    crl->crlList = fresh->crlList;
    fresh->crlList = oldList;

    wc_UnLockMutex(&crl->crlLock);
    ret = 0;

out_free:
    FreeCRL(fresh, 0);
out:
#ifdef WOLFSSL_SMALL_STACK
    XFREE(fresh, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
    return ret;
}
wolfSSL 15:117db924cf7c 621
wolfSSL 15:117db924cf7c 622
wolfSSL 15:117db924cf7c 623 #if (defined(__MACH__) || defined(__FreeBSD__))
wolfSSL 15:117db924cf7c 624
wolfSSL 15:117db924cf7c 625 #include <sys/types.h>
wolfSSL 15:117db924cf7c 626 #include <sys/event.h>
wolfSSL 15:117db924cf7c 627 #include <sys/time.h>
wolfSSL 15:117db924cf7c 628 #include <fcntl.h>
wolfSSL 15:117db924cf7c 629 #include <unistd.h>
wolfSSL 15:117db924cf7c 630
wolfSSL 15:117db924cf7c 631 #ifdef __MACH__
wolfSSL 15:117db924cf7c 632 #define XEVENT_MODE O_EVTONLY
wolfSSL 15:117db924cf7c 633 #elif defined(__FreeBSD__)
wolfSSL 15:117db924cf7c 634 #define XEVENT_MODE EVFILT_VNODE
wolfSSL 15:117db924cf7c 635 #endif
wolfSSL 15:117db924cf7c 636
wolfSSL 15:117db924cf7c 637
wolfSSL 15:117db924cf7c 638 /* we need a unique kqueue user filter fd for crl in case user is doing custom
wolfSSL 15:117db924cf7c 639 * events too */
wolfSSL 15:117db924cf7c 640 #ifndef CRL_CUSTOM_FD
wolfSSL 15:117db924cf7c 641 #define CRL_CUSTOM_FD 123456
wolfSSL 15:117db924cf7c 642 #endif
wolfSSL 15:117db924cf7c 643
wolfSSL 15:117db924cf7c 644
/* Ask the monitor thread to exit by firing the EVFILT_USER event that
 * DoMonitor registered under CRL_CUSTOM_FD on kqueue descriptor mfd.
 * Returns 0 on success, -1 if kevent() refused the trigger. */
static int StopMonitor(int mfd)
{
    struct kevent trigger;
    int rc = 0;

    /* trigger custom shutdown */
    EV_SET(&trigger, CRL_CUSTOM_FD, EVFILT_USER, 0, NOTE_TRIGGER, 0, NULL);
    if (kevent(mfd, &trigger, 1, NULL, 0, NULL) < 0) {
        WOLFSSL_MSG("kevent trigger customer event failed");
        rc = -1;
    }

    return rc;
}
wolfSSL 15:117db924cf7c 659
wolfSSL 15:117db924cf7c 660
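/* OS X / FreeBSD monitoring thread body.
 * arg is the WOLFSSL_CRL to watch. Creates a kqueue (kept in crl->mfd),
 * registers a user event so StopMonitor() can wake us, opens the PEM and/or
 * DER directories recorded in crl->monitors[] and then blocks in kevent()
 * until a watched directory changes (-> SwapLists() reloads the CRLs) or the
 * shutdown event fires. The setup result is reported to the starting thread
 * through SignalSetup(); on a setup failure every descriptor is released
 * before the failure is signalled, since the starter may tear crl down as
 * soon as it wakes. Always returns NULL.
 *
 * Fix: the original built both vnode registrations in a single struct, so
 * when PEM and DER paths were both configured the DER EV_SET overwrote the
 * PEM one and the PEM directory was never watched. One entry per directory
 * is now submitted. */
static void* DoMonitor(void* arg)
{
    int fPEM = -1;
    int fDER = -1;
    int setupFailed = 0;
    /* one registration per watched directory; re-submitted on every
     * kevent() call because EV_ONESHOT drops the filter once it fires */
    struct kevent changes[2];
    int nChanges = 0;
    struct kevent change;
    WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;

    WOLFSSL_ENTER("DoMonitor");

    crl->mfd = kqueue();
    if (crl->mfd == -1) {
        WOLFSSL_MSG("kqueue failed");
        SignalSetup(crl, MONITOR_SETUP_E);
        return NULL;
    }

    /* listen for custom shutdown event */
    EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, EV_ADD, 0, 0, NULL);
    if (kevent(crl->mfd, &change, 1, NULL, 0, NULL) < 0) {
        WOLFSSL_MSG("kevent monitor customer event failed");
        setupFailed = 1;
        goto cleanup;
    }

    if (crl->monitors[0].path) {
        fPEM = open(crl->monitors[0].path, XEVENT_MODE);
        if (fPEM == -1) {
            WOLFSSL_MSG("PEM event dir open failed");
            setupFailed = 1;
            goto cleanup;
        }
    }

    if (crl->monitors[1].path) {
        fDER = open(crl->monitors[1].path, XEVENT_MODE);
        if (fDER == -1) {
            WOLFSSL_MSG("DER event dir open failed");
            setupFailed = 1;
            goto cleanup;
        }
    }

    if (fPEM != -1) {
        EV_SET(&changes[nChanges++], fPEM, EVFILT_VNODE,
               EV_ADD | EV_ENABLE | EV_ONESHOT,
               NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
    }

    if (fDER != -1) {
        EV_SET(&changes[nChanges++], fDER, EVFILT_VNODE,
               EV_ADD | EV_ENABLE | EV_ONESHOT,
               NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
    }

    /* signal to calling thread we're setup */
    if (SignalSetup(crl, 1) != 0)
        goto cleanup;

    for (;;) {
        struct kevent event;
        int numEvents = kevent(crl->mfd, changes, nChanges, &event, 1, NULL);

        WOLFSSL_MSG("Got kevent");

        if (numEvents == -1) {
            /* NOTE(review): retrying unconditionally spins if the error is
             * persistent (e.g. the kqueue was closed); kept as before */
            WOLFSSL_MSG("kevent problem, continue");
            continue;
        }

        if (event.filter == EVFILT_USER) {
            WOLFSSL_MSG("Got user shutdown event, breaking out");
            break;
        }

        /* any change in a watched directory triggers a full reload */
        if (SwapLists(crl) < 0) {
            WOLFSSL_MSG("SwapLists problem, continue");
        }
    }

cleanup:
    if (fPEM != -1)
        close(fPEM);
    if (fDER != -1)
        close(fDER);
    close(crl->mfd);
    /* signal last: after this the starter may free crl */
    if (setupFailed)
        SignalSetup(crl, MONITOR_SETUP_E);

    return NULL;
}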
wolfSSL 15:117db924cf7c 760
wolfSSL 15:117db924cf7c 761
wolfSSL 15:117db924cf7c 762 #elif defined(__linux__)
wolfSSL 15:117db924cf7c 763
wolfSSL 15:117db924cf7c 764 #include <sys/types.h>
wolfSSL 15:117db924cf7c 765 #include <sys/inotify.h>
wolfSSL 15:117db924cf7c 766 #include <sys/eventfd.h>
wolfSSL 15:117db924cf7c 767 #include <unistd.h>
wolfSSL 15:117db924cf7c 768
wolfSSL 15:117db924cf7c 769
#ifndef max
/* Larger of two ints; only provided when no max macro is already in scope. */
static WC_INLINE int max(int a, int b)
{
    if (a > b)
        return a;
    return b;
}
#endif /* max */
wolfSSL 15:117db924cf7c 776
wolfSSL 15:117db924cf7c 777
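/* Ask the monitor thread to exit by writing to the eventfd mfd that
 * DoMonitor select()s on. Returns 0 on success, -1 on failure.
 *
 * Fix: the original only rejected a negative return; a short write is now
 * treated as failure too, so the caller never assumes a wake-up that was
 * not delivered. */
static int StopMonitor(int mfd)
{
    word64 w64 = 1;
    ssize_t written;

    /* write to our custom event; the full 8-byte counter must be written */
    written = write(mfd, &w64, sizeof(w64));
    if (written != (ssize_t)sizeof(w64)) {
        WOLFSSL_MSG("StopMonitor write failed");
        return -1;
    }

    return 0;
}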
wolfSSL 15:117db924cf7c 791
wolfSSL 15:117db924cf7c 792
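/* Linux monitoring thread body.
 * arg is the WOLFSSL_CRL to watch. Creates an eventfd (kept in crl->mfd)
 * that StopMonitor() writes to for shutdown and an inotify instance watching
 * the PEM and/or DER directories in crl->monitors[] for IN_CLOSE_WRITE and
 * IN_DELETE, then select()s on both until a directory event arrives
 * (-> SwapLists() reloads the CRLs) or shutdown is requested. The setup
 * result is reported to the starting thread through SignalSetup(); on a
 * setup failure every resource is released before the failure is signalled,
 * since the starter may tear crl down as soon as it wakes. Always returns
 * NULL.
 *
 * Fixes: (1) on WOLFSSL_SMALL_STACK the buffer-allocation failure returned
 * without calling SignalSetup(), leaving StartMonitorCRL() waiting on
 * crl->cond forever, and without closing the descriptors; (2) a single
 * watch descriptor was reused for both directories, so only the last one
 * was ever removed; (3) descriptors >= FD_SETSIZE are now rejected instead
 * of being passed to FD_SET(), which writes past the fd_set. */
static void* DoMonitor(void* arg)
{
    enum { NOTIFY_BUF_SZ = 8192 };
    int notifyFd = -1;
    int wdPEM = -1;        /* inotify watch descriptors, -1 = none */
    int wdDER = -1;
    int setupFailed = 0;
    WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;
#ifdef WOLFSSL_SMALL_STACK
    char* buff = NULL;
#else
    char buff[NOTIFY_BUF_SZ];
#endif

    WOLFSSL_ENTER("DoMonitor");

    crl->mfd = eventfd(0, 0); /* our custom shutdown event */
    if (crl->mfd < 0) {
        WOLFSSL_MSG("eventfd failed");
        SignalSetup(crl, MONITOR_SETUP_E);
        return NULL;
    }

    notifyFd = inotify_init();
    if (notifyFd < 0) {
        WOLFSSL_MSG("inotify failed");
        setupFailed = 1;
        goto cleanup;
    }

    /* select() only addresses descriptors below FD_SETSIZE; FD_SET() on a
     * larger one is an out-of-bounds write, so refuse rather than corrupt */
    if (crl->mfd >= FD_SETSIZE || notifyFd >= FD_SETSIZE) {
        WOLFSSL_MSG("descriptor too large for select");
        setupFailed = 1;
        goto cleanup;
    }

    if (crl->monitors[0].path) {
        wdPEM = inotify_add_watch(notifyFd, crl->monitors[0].path,
                                  IN_CLOSE_WRITE | IN_DELETE);
        if (wdPEM < 0) {
            WOLFSSL_MSG("PEM notify add watch failed");
            setupFailed = 1;
            goto cleanup;
        }
    }

    if (crl->monitors[1].path) {
        wdDER = inotify_add_watch(notifyFd, crl->monitors[1].path,
                                  IN_CLOSE_WRITE | IN_DELETE);
        if (wdDER < 0) {
            WOLFSSL_MSG("DER notify add watch failed");
            setupFailed = 1;
            goto cleanup;
        }
    }

#ifdef WOLFSSL_SMALL_STACK
    buff = (char*)XMALLOC(NOTIFY_BUF_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (buff == NULL) {
        /* must still signal, or the starter waits on crl->cond forever */
        WOLFSSL_MSG("notify buffer alloc failed");
        setupFailed = 1;
        goto cleanup;
    }
#endif

    /* signal to calling thread we're setup */
    if (SignalSetup(crl, 1) != 0)
        goto cleanup;

    for (;;) {
        fd_set readfds;
        int result;
        int length;

        FD_ZERO(&readfds);
        FD_SET(notifyFd, &readfds);
        FD_SET(crl->mfd, &readfds);

        result = select(max(notifyFd, crl->mfd) + 1, &readfds, NULL, NULL,
                        NULL);

        WOLFSSL_MSG("Got notify event");

        if (result < 0) {
            /* NOTE(review): retrying unconditionally spins if the error is
             * persistent (e.g. a closed descriptor); kept as before */
            WOLFSSL_MSG("select problem, continue");
            continue;
        }

        if (FD_ISSET(crl->mfd, &readfds)) {
            WOLFSSL_MSG("got custom shutdown event, breaking out");
            break;
        }

        /* drain the inotify queue; the event payload is not inspected, any
         * change in a watched directory triggers a full reload */
        length = (int)read(notifyFd, buff, NOTIFY_BUF_SZ);
        if (length < 0) {
            WOLFSSL_MSG("notify read problem, continue");
            continue;
        }

        if (SwapLists(crl) < 0) {
            WOLFSSL_MSG("SwapLists problem, continue");
        }
    }

cleanup:
#ifdef WOLFSSL_SMALL_STACK
    if (buff != NULL) {
        XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif
    if (wdDER >= 0)
        inotify_rm_watch(notifyFd, wdDER);
    if (wdPEM >= 0)
        inotify_rm_watch(notifyFd, wdPEM);
    if (notifyFd >= 0)
        close(notifyFd);
    close(crl->mfd);
    /* signal last: after this the starter may free crl */
    if (setupFailed)
        SignalSetup(crl, MONITOR_SETUP_E);

    return NULL;
}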
wolfSSL 15:117db924cf7c 910
wolfSSL 15:117db924cf7c 911 #endif /* MACH or linux */
wolfSSL 15:117db924cf7c 912
wolfSSL 15:117db924cf7c 913
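/* Start the CRL directory monitor thread for crl and wait until it reports
 * its setup result.
 * Returns WOLFSSL_SUCCESS (also when a monitor is already running),
 * BAD_FUNC_ARG for a NULL crl, THREAD_CREATE_E / BAD_MUTEX_E / BAD_COND_E on
 * threading failures, or the negative setup error the monitor signalled.
 *
 * Fix: a monitor thread that reported a setup error was never joined even
 * though it is created joinable, leaking the thread; it is now reaped before
 * crl->tid is cleared. */
static int StartMonitorCRL(WOLFSSL_CRL* crl)
{
    int ret = WOLFSSL_SUCCESS;
    int setupResult;

    WOLFSSL_ENTER("StartMonitorCRL");

    if (crl == NULL)
        return BAD_FUNC_ARG;

    if (crl->tid != 0) {
        WOLFSSL_MSG("Monitor thread already running");
        return ret; /* that's ok, someone already started */
    }

    if (pthread_create(&crl->tid, NULL, DoMonitor, crl) != 0) {
        WOLFSSL_MSG("Thread creation error");
        return THREAD_CREATE_E;
    }

    /* wait for setup to complete: DoMonitor is expected to publish its
     * result in crl->setup (> 0 ok, < 0 error) via SignalSetup() and wake
     * crl->cond */
    if (wc_LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("wc_LockMutex crlLock error");
        return BAD_MUTEX_E;
    }

    while (crl->setup == 0) {
        if (pthread_cond_wait(&crl->cond, &crl->crlLock) != 0) {
            ret = BAD_COND_E;
            break;
        }
    }
    setupResult = crl->setup; /* read while still holding the lock */

    if (setupResult < 0)
        ret = setupResult; /* store setup error */

    wc_UnLockMutex(&crl->crlLock);

    if (ret < 0) {
        WOLFSSL_MSG("DoMonitor setup failure");
        if (setupResult < 0) {
            /* the thread returns right after signalling failure; reap it
             * rather than leaving a joinable thread behind */
            pthread_join(crl->tid, NULL);
        }
        crl->tid = 0; /* thread already done */
    }

    return ret;
}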
wolfSSL 15:117db924cf7c 959
wolfSSL 15:117db924cf7c 960
wolfSSL 15:117db924cf7c 961 #else /* HAVE_CRL_MONITOR */
wolfSSL 15:117db924cf7c 962
wolfSSL 15:117db924cf7c 963 #ifndef NO_FILESYSTEM
wolfSSL 15:117db924cf7c 964
/* Monitor support is not compiled in (no HAVE_CRL_MONITOR): always reports
 * NOT_COMPILED_IN and leaves crl untouched. */
static int StartMonitorCRL(WOLFSSL_CRL* crl)
{
    WOLFSSL_ENTER("StartMonitorCRL");
    WOLFSSL_MSG("Not compiled in");

    (void)crl;
    return NOT_COMPILED_IN;
}
wolfSSL 15:117db924cf7c 974
wolfSSL 15:117db924cf7c 975 #endif /* NO_FILESYSTEM */
wolfSSL 15:117db924cf7c 976
wolfSSL 15:117db924cf7c 977 #endif /* HAVE_CRL_MONITOR */
wolfSSL 15:117db924cf7c 978
wolfSSL 15:117db924cf7c 979 #if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
wolfSSL 15:117db924cf7c 980
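/* Does name look like a CRL file of the requested encoding?
 * PEM expects ".pem"; anything else (ASN.1/DER) expects ".der" or ".crl".
 * Substring match, as before, so a name such as "x.pem.bak" also qualifies.
 * Logs and returns 0 for a non-matching name, 1 for a match. */
static int CrlFileNameMatchesType(const char* name, int type)
{
    if (type == WOLFSSL_FILETYPE_PEM) {
        if (XSTRSTR(name, ".pem") == NULL) {
            WOLFSSL_MSG("not .pem file, skipping");
            return 0;
        }
        return 1;
    }

    if (XSTRSTR(name, ".der") == NULL && XSTRSTR(name, ".crl") == NULL) {
        WOLFSSL_MSG("not .der or .crl file, skipping");
        return 0;
    }
    return 1;
}

/* Record path as the directory to monitor for CRLs of the given type
 * (slot 0 = PEM, slot 1 = ASN.1/DER), replacing and freeing any earlier
 * path in that slot. Returns WOLFSSL_SUCCESS or MEMORY_E. */
static int SetCRLMonitorPath(WOLFSSL_CRL* crl, const char* path, int type)
{
    int    idx     = (type == WOLFSSL_FILETYPE_PEM) ? 0 : 1;
    word32 pathLen = (word32)XSTRLEN(path);
    char*  pathBuf = (char*)XMALLOC(pathLen + 1, crl->heap,
                                   DYNAMIC_TYPE_CRL_MONITOR);

    if (pathBuf == NULL)
        return MEMORY_E;
    XSTRNCPY(pathBuf, path, pathLen + 1); /* buffer is pathLen+1: terminated */

    /* free old path before setting a new one */
    if (crl->monitors[idx].path) {
        XFREE(crl->monitors[idx].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);
    }
    crl->monitors[idx].path = pathBuf;
    crl->monitors[idx].type = (idx == 0) ? WOLFSSL_FILETYPE_PEM
                                         : WOLFSSL_FILETYPE_ASN1;
    return WOLFSSL_SUCCESS;
}

/* Load every CRL file of the given type found in directory path into crl.
 * type is WOLFSSL_FILETYPE_PEM or an ASN.1/DER type; monitor is a bit mask:
 * WOLFSSL_CRL_MONITOR records path for the directory monitor and
 * WOLFSSL_CRL_START_MON additionally starts the monitor thread.
 * Each matching file goes through ProcessFile(..., VERIFY) — presumably
 * the CRL signature is checked there against the CA store, confirm — and
 * individual file failures are logged but not reported (backwards compat).
 * Because anything matching the extension in path is presented for
 * loading, the directory should only be writable by the operator.
 * Returns WOLFSSL_SUCCESS, BAD_FUNC_ARG (NULL crl or path), MEMORY_E, or
 * the StartMonitorCRL() error when starting the monitor was requested.
 *
 * Fix: a NULL path is now rejected up front; previously it reached
 * XSTRLEN() when monitoring was requested. */
int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
{
    int ret = WOLFSSL_SUCCESS;
    char* name = NULL;
#ifdef WOLFSSL_SMALL_STACK
    ReadDirCtx* readCtx = NULL;
#else
    ReadDirCtx readCtx[1];
#endif

    WOLFSSL_ENTER("LoadCRL");
    if (crl == NULL || path == NULL)
        return BAD_FUNC_ARG;

#ifdef WOLFSSL_SMALL_STACK
    readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), crl->heap,
                                   DYNAMIC_TYPE_TMP_BUFFER);
    if (readCtx == NULL)
        return MEMORY_E;
#endif

    /* try to load each regular file in path */
    ret = wc_ReadDirFirst(readCtx, path, &name);
    while (ret == 0 && name) {
        if (CrlFileNameMatchesType(name, type) &&
            ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl,
                        VERIFY) != WOLFSSL_SUCCESS) {
            WOLFSSL_MSG("CRL file load failed, continuing");
        }

        ret = wc_ReadDirNext(readCtx, path, &name);
    }
    wc_ReadDirClose(readCtx);
    ret = WOLFSSL_SUCCESS; /* load failures not reported, for backwards compat */

#ifdef WOLFSSL_SMALL_STACK
    XFREE(readCtx, crl->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    if (monitor & WOLFSSL_CRL_MONITOR) {
        WOLFSSL_MSG("monitor path requested");

        ret = SetCRLMonitorPath(crl, path, type);

        if (ret == WOLFSSL_SUCCESS && (monitor & WOLFSSL_CRL_START_MON)) {
            WOLFSSL_MSG("start monitoring requested");

            ret = StartMonitorCRL(crl);
        }
    }

    return ret;
}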
wolfSSL 15:117db924cf7c 1078
wolfSSL 15:117db924cf7c 1079 #else
/* No file system / directory support in this build: nothing can be loaded,
 * so every call reports NOT_COMPILED_IN. All arguments are ignored. */
int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
{
    /* stub for scenario where file system is not supported */
    (void)crl;
    (void)path;
    (void)type;
    (void)monitor;

    return NOT_COMPILED_IN;
}
wolfSSL 15:117db924cf7c 1090 #endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */
wolfSSL 15:117db924cf7c 1091
wolfSSL 15:117db924cf7c 1092 #endif /* HAVE_CRL */
wolfSSL 15:117db924cf7c 1093 #endif /* !WOLFCRYPT_ONLY */
wolfSSL 15:117db924cf7c 1094