wolfSSL SSL/TLS library, support up to TLS1.3


Committer:
wolfSSL
Date:
Tue Aug 22 10:48:22 2017 +0000
Revision:
13:f67a6c6013ca
wolfSSL3.12.0 with TLS1.3


wolfSSL 13:f67a6c6013ca 1 /* crl.c
wolfSSL 13:f67a6c6013ca 2 *
wolfSSL 13:f67a6c6013ca 3 * Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL 13:f67a6c6013ca 4 *
wolfSSL 13:f67a6c6013ca 5 * This file is part of wolfSSL.
wolfSSL 13:f67a6c6013ca 6 *
wolfSSL 13:f67a6c6013ca 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 13:f67a6c6013ca 8 * it under the terms of the GNU General Public License as published by
wolfSSL 13:f67a6c6013ca 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 13:f67a6c6013ca 10 * (at your option) any later version.
wolfSSL 13:f67a6c6013ca 11 *
wolfSSL 13:f67a6c6013ca 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 13:f67a6c6013ca 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 13:f67a6c6013ca 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 13:f67a6c6013ca 15 * GNU General Public License for more details.
wolfSSL 13:f67a6c6013ca 16 *
wolfSSL 13:f67a6c6013ca 17 * You should have received a copy of the GNU General Public License
wolfSSL 13:f67a6c6013ca 18 * along with this program; if not, write to the Free Software
wolfSSL 13:f67a6c6013ca 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 13:f67a6c6013ca 20 */
wolfSSL 13:f67a6c6013ca 21
wolfSSL 13:f67a6c6013ca 22
wolfSSL 13:f67a6c6013ca 23 /* Name change compatibility layer no longer needs included here */
wolfSSL 13:f67a6c6013ca 24
wolfSSL 13:f67a6c6013ca 25 #ifdef HAVE_CONFIG_H
wolfSSL 13:f67a6c6013ca 26 #include <config.h>
wolfSSL 13:f67a6c6013ca 27 #endif
wolfSSL 13:f67a6c6013ca 28
wolfSSL 13:f67a6c6013ca 29 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 13:f67a6c6013ca 30
wolfSSL 13:f67a6c6013ca 31 #ifndef WOLFCRYPT_ONLY
wolfSSL 13:f67a6c6013ca 32 #ifdef HAVE_CRL
wolfSSL 13:f67a6c6013ca 33
wolfSSL 13:f67a6c6013ca 34 #include <wolfssl/internal.h>
wolfSSL 13:f67a6c6013ca 35 #include <wolfssl/error-ssl.h>
wolfSSL 13:f67a6c6013ca 36
wolfSSL 13:f67a6c6013ca 37 #include <string.h>
wolfSSL 13:f67a6c6013ca 38
wolfSSL 13:f67a6c6013ca 39 #ifdef HAVE_CRL_MONITOR
wolfSSL 13:f67a6c6013ca 40 #if (defined(__MACH__) || defined(__FreeBSD__) || defined(__linux__))
wolfSSL 13:f67a6c6013ca 41 static int StopMonitor(int mfd);
wolfSSL 13:f67a6c6013ca 42 #else
wolfSSL 13:f67a6c6013ca 43 #error "CRL monitor only currently supported on linux or mach"
wolfSSL 13:f67a6c6013ca 44 #endif
wolfSSL 13:f67a6c6013ca 45 #endif /* HAVE_CRL_MONITOR */
wolfSSL 13:f67a6c6013ca 46
wolfSSL 13:f67a6c6013ca 47
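/* Initialize the members of a caller-allocated WOLFSSL_CRL.
 *
 * crl : CRL object to initialize (storage owned by the caller).
 * cm  : owning certificate manager; its heap hint is reused for every
 *       allocation made on behalf of this CRL.
 *
 * Returns 0 on success, BAD_COND_E if the monitor condition variable could
 * not be created, BAD_MUTEX_E if the list lock could not be created.  On
 * failure nothing created by this call is left allocated, so the caller may
 * discard (or XFREE) the object without calling FreeCRL.
 */
int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
{
    WOLFSSL_ENTER("InitCRL");

    crl->heap = cm->heap;
    crl->cm = cm;
    crl->crlList = NULL;
    crl->monitors[0].path = NULL;
    crl->monitors[1].path = NULL;
#ifdef HAVE_CRL_IO
    /* CheckCertCRL tests this pointer before calling it; start it out NULL so
     * an unset callback is a clean "no callback" instead of an indeterminate
     * read when the caller did not zero the struct. */
    crl->crlIOCb = NULL;
#endif
#ifdef HAVE_CRL_MONITOR
    crl->tid = 0;
    crl->mfd = -1;      /* mfd for bsd is kqueue fd, eventfd for linux */
    crl->setup = 0;     /* thread setup done predicate */
    if (pthread_cond_init(&crl->cond, 0) != 0) {
        WOLFSSL_MSG("Pthread condition init failed");
        return BAD_COND_E;
    }
#endif
    if (wc_InitMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("Init Mutex failed");
#ifdef HAVE_CRL_MONITOR
        /* do not leak the condition variable created just above */
        pthread_cond_destroy(&crl->cond);
#endif
        return BAD_MUTEX_E;
    }

    return 0;
}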
wolfSSL 13:f67a6c6013ca 74
wolfSSL 13:f67a6c6013ca 75
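/* Initialize a CRL entry from a decoded CRL.
 *
 * crle     : entry to fill (storage owned by the caller).
 * dcrl     : decoded CRL.  On success its revoked-cert list is moved into
 *            crle (dcrl->certs becomes NULL); on failure dcrl keeps it, so
 *            FreeDecodedCRL still releases it.
 * buff     : DER buffer dcrl was parsed from; the TBS bytes are copied from
 *            it at dcrl->certBegin.
 * verified : non-zero if the CRL signature was already verified while
 *            parsing.  When zero, the TBS data and signature are copied so
 *            CheckCertCRLList can verify lazily once the issuer CA is known.
 * heap     : heap hint for the copies.
 *
 * Returns 0 on success, -1 on allocation failure.  On failure nothing is
 * left allocated inside crle: certs, toBeSigned and signature are NULL, so
 * the caller may release crle with a bare XFREE.
 */
static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
                         int verified, void* heap)
{
    WOLFSSL_ENTER("InitCRL_Entry");

    XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE);
    /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
     * copy the hash here if needed for optimized comparisons */
    XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
    XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
    crle->lastDateFormat = dcrl->lastDateFormat;
    crle->nextDateFormat = dcrl->nextDateFormat;

    crle->certs = NULL;
    crle->totalCerts = dcrl->totalCerts;
    crle->verified = verified;
    crle->toBeSigned = NULL;
    crle->signature = NULL;

    if (!verified) {
        crle->tbsSz = dcrl->sigIndex - dcrl->certBegin;
        crle->signatureSz = dcrl->sigLength;
        crle->signatureOID = dcrl->signatureOID;
        crle->toBeSigned = (byte*)XMALLOC(crle->tbsSz, heap,
                                          DYNAMIC_TYPE_CRL_ENTRY);
        if (crle->toBeSigned == NULL)
            return -1;
        crle->signature = (byte*)XMALLOC(crle->signatureSz, heap,
                                         DYNAMIC_TYPE_CRL_ENTRY);
        if (crle->signature == NULL) {
            XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY);
            crle->toBeSigned = NULL;
            return -1;
        }
        XMEMCPY(crle->toBeSigned, buff + dcrl->certBegin, crle->tbsSz);
        XMEMCPY(crle->signature, dcrl->signature, crle->signatureSz);
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
        crle->extAuthKeyIdSet = dcrl->extAuthKeyIdSet;
        if (crle->extAuthKeyIdSet)
            XMEMCPY(crle->extAuthKeyId, dcrl->extAuthKeyId, KEYID_SIZE);
#endif
    }

    /* Take ownership of the revoked-cert list only once nothing else can
     * fail: AddCRL releases a failed entry with a bare XFREE, so a list moved
     * here before an allocation failure would be leaked. */
    crle->certs = dcrl->certs;
    dcrl->certs = NULL;

    return 0;
}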
wolfSSL 13:f67a6c6013ca 125
wolfSSL 13:f67a6c6013ca 126
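/* Free everything owned by a CRL entry (but not the entry itself).
 *
 * crle : entry whose revoked-cert list and lazily-verified signature
 *        material are released; the freed pointers are reset to NULL.
 * heap : heap hint the members were allocated with.
 */
static void FreeCRL_Entry(CRL_Entry* crle, void* heap)
{
    RevokedCert* rc = crle->certs;

    WOLFSSL_ENTER("FreeCRL_Entry");

    while (rc != NULL) {
        RevokedCert* next = rc->next;
        XFREE(rc, heap, DYNAMIC_TYPE_REVOKED);
        rc = next;
    }
    crle->certs = NULL;

    /* toBeSigned and signature are allocated by InitCRL_Entry and freed by
     * CheckCertCRLList with DYNAMIC_TYPE_CRL_ENTRY; use the same tag here so
     * per-type memory accounting stays balanced. */
    if (crle->signature != NULL)
        XFREE(crle->signature, heap, DYNAMIC_TYPE_CRL_ENTRY);
    crle->signature = NULL;
    if (crle->toBeSigned != NULL)
        XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY);
    crle->toBeSigned = NULL;

    (void)heap;
}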
wolfSSL 13:f67a6c6013ca 147
wolfSSL 13:f67a6c6013ca 148
wolfSSL 13:f67a6c6013ca 149
/* Release all resources held by a CRL object.
 *
 * crl     : CRL whose monitor paths, entry list, monitor thread, condition
 *           variable and lock are torn down.
 * dynamic : non-zero if crl itself was allocated with XMALLOC and must be
 *           freed as well.
 */
void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
{
    CRL_Entry* entry;
    int i;

    WOLFSSL_ENTER("FreeCRL");

    for (i = 0; i < 2; i++) {
        if (crl->monitors[i].path != NULL)
            XFREE(crl->monitors[i].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);
    }

    for (entry = crl->crlList; entry != NULL; ) {
        CRL_Entry* following = entry->next;
        FreeCRL_Entry(entry, crl->heap);
        XFREE(entry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
        entry = following;
    }

#ifdef HAVE_CRL_MONITOR
    if (crl->tid != 0) {
        WOLFSSL_MSG("stopping monitor thread");
        /* only join when the shutdown event was delivered; otherwise the
         * thread is left running rather than blocking here forever */
        if (StopMonitor(crl->mfd) != 0) {
            WOLFSSL_MSG("stop monitor failed");
        }
        else {
            pthread_join(crl->tid, NULL);
        }
    }
    pthread_cond_destroy(&crl->cond);
#endif
    wc_FreeMutex(&crl->crlLock);
    if (dynamic) /* free self */
        XFREE(crl, crl->heap, DYNAMIC_TYPE_CRL);
}
wolfSSL 13:f67a6c6013ca 185
wolfSSL 13:f67a6c6013ca 186
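/* Look up cert's issuer in the CRL list and check the cert's serial number
 * against that CRL's revoked-cert list.
 *
 * crl         : CRL container; crl->crlLock is held while the list is read.
 * cert        : decoded certificate; its issuerHash selects the CRL entry and
 *               its serial number is matched against the revocation list.
 * pFoundEntry : set to 1 if a usable (verified, not expired) CRL entry for
 *               the issuer was found, 0 otherwise.
 *
 * Returns 0 if the cert is not revoked by a found CRL, CRL_CERT_REVOKED if
 * it is, ASN_AFTER_DATE_E if the matching CRL's nextUpdate has passed,
 * ASN_CRL_NO_SIGNER_E if lazy verification could not locate the issuer CA,
 * the negative error from VerifyCRL_Signature if the CRL signature is bad,
 * BAD_MUTEX_E or MEMORY_E on lock/allocation failure.  When no entry is
 * found, 0 is returned with *pFoundEntry == 0; the caller decides how a
 * missing CRL is treated.
 *
 * Entries added with verified == 0 are verified here on first use.  The
 * signature check runs outside the lock on private copies of the TBS and
 * signature bytes, so a slow public-key operation does not block other
 * callers; the entry is then looked up again because the list may have been
 * swapped meanwhile.
 */
static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntry)
{
    CRL_Entry* crle;
    int foundEntry = 0;
    int ret = 0;

    if (wc_LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("wc_LockMutex failed");
        return BAD_MUTEX_E;
    }

    crle = crl->crlList;

    while (crle) {
        if (XMEMCMP(crle->issuerHash, cert->issuerHash, CRL_DIGEST_SIZE) == 0) {
            int doNextDate = 1;

            WOLFSSL_MSG("Found CRL Entry on list");

            if (crle->verified == 0) {
                Signer* ca = NULL;
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
                byte extAuthKeyId[KEYID_SIZE];
                int extAuthKeyIdSet;
#endif
                byte issuerHash[CRL_DIGEST_SIZE];
                byte* tbs = NULL;
                word32 tbsSz = crle->tbsSz;
                byte* sig = NULL;
                word32 sigSz = crle->signatureSz;
                word32 sigOID = crle->signatureOID;
                SignatureCtx sigCtx;

                tbs = (byte*)XMALLOC(tbsSz, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
                if (tbs == NULL) {
                    wc_UnLockMutex(&crl->crlLock);
                    return MEMORY_E;
                }
                sig = (byte*)XMALLOC(sigSz, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
                if (sig == NULL) {
                    XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
                    wc_UnLockMutex(&crl->crlLock);
                    return MEMORY_E;
                }

                /* Snapshot everything verification needs while still locked;
                 * crle must not be dereferenced after the unlock below. */
                XMEMCPY(tbs, crle->toBeSigned, tbsSz);
                XMEMCPY(sig, crle->signature, sigSz);
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
                extAuthKeyIdSet = crle->extAuthKeyIdSet;
                if (extAuthKeyIdSet)
                    XMEMCPY(extAuthKeyId, crle->extAuthKeyId,
                            sizeof(extAuthKeyId));
#endif
                XMEMCPY(issuerHash, crle->issuerHash, sizeof(issuerHash));

                wc_UnLockMutex(&crl->crlLock);

#if !defined(NO_SKID) && defined(CRL_SKID_READY)
                if (extAuthKeyIdSet)
                    ca = GetCA(crl->cm, extAuthKeyId);
                if (ca == NULL)
                    ca = GetCAByName(crl->cm, issuerHash);
#else /* NO_SKID */
                ca = GetCA(crl->cm, issuerHash);
#endif /* NO_SKID */
                if (ca == NULL) {
                    WOLFSSL_MSG("Did NOT find CRL issuer CA");
                    /* the private copies are owned here; release them on
                     * this exit path too */
                    XFREE(sig, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
                    XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
                    return ASN_CRL_NO_SIGNER_E;
                }

                ret = VerifyCRL_Signature(&sigCtx, tbs, tbsSz, sig, sigSz,
                                          sigOID, ca, crl->heap);

                XFREE(sig, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
                XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);

                if (wc_LockMutex(&crl->crlLock) != 0) {
                    WOLFSSL_MSG("wc_LockMutex failed");
                    return BAD_MUTEX_E;
                }

                /* Re-find the entry: the list may have been replaced while
                 * unlocked, so the old crle pointer is not trusted. */
                crle = crl->crlList;
                while (crle) {
                    if (XMEMCMP(crle->issuerHash, cert->issuerHash,
                                CRL_DIGEST_SIZE) == 0) {

                        /* record the outcome; a failure is stored as the
                         * negative error code so later lookups reject the
                         * entry without re-verifying */
                        if (ret == 0)
                            crle->verified = 1;
                        else
                            crle->verified = ret;

                        XFREE(crle->toBeSigned, crl->heap,
                              DYNAMIC_TYPE_CRL_ENTRY);
                        crle->toBeSigned = NULL;
                        XFREE(crle->signature, crl->heap,
                              DYNAMIC_TYPE_CRL_ENTRY);
                        crle->signature = NULL;
                        break;
                    }
                    crle = crle->next;
                }
                if (crle == NULL || crle->verified < 0)
                    break;
            }
            else if (crle->verified < 0) {
                WOLFSSL_MSG("Cannot use CRL as it didn't verify");
                ret = crle->verified;
                break;
            }

            WOLFSSL_MSG("Checking next date validity");

#ifdef WOLFSSL_NO_CRL_NEXT_DATE
            if (crle->nextDateFormat == ASN_OTHER_TYPE)
                doNextDate = 0;  /* skip */
#endif

            if (doNextDate) {
#ifndef NO_ASN_TIME
                if (!ValidateDate(crle->nextDate,crle->nextDateFormat, AFTER)) {
                    WOLFSSL_MSG("CRL next date is no longer valid");
                    ret = ASN_AFTER_DATE_E;
                }
#endif
            }
            if (ret == 0) {
                foundEntry = 1;
            }
            break;
        }
        crle = crle->next;
    }

    if (foundEntry) {
        RevokedCert* rc = crle->certs;

        /* serial numbers are compared length-first so that a shorter serial
         * that is a prefix of a longer one does not match */
        while (rc) {
            if (rc->serialSz == cert->serialSz &&
                   XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
                WOLFSSL_MSG("Cert revoked");
                ret = CRL_CERT_REVOKED;
                break;
            }
            rc = rc->next;
        }
    }

    wc_UnLockMutex(&crl->crlLock);

    *pFoundEntry = foundEntry;

    return ret;
}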
wolfSSL 13:f67a6c6013ca 337
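/* Check a certificate's revocation status against the loaded CRLs,
 * return 0 on success.
 *
 * crl  : CRL container (set up with InitCRL).
 * cert : decoded certificate to check.
 *
 * Returns 0 if the cert is not revoked, CRL_CERT_REVOKED if it is,
 * CRL_MISSING if no CRL for the cert's issuer is available (after the
 * optional HAVE_CRL_IO fetch), WANT_READ if that fetch is still in
 * progress, or an error from CheckCertCRLList.
 *
 * When the CRL is missing and the cert manager has a cbMissingCRL callback,
 * the callback receives the cert's CRL distribution point URL as a
 * NUL-terminated string (empty if the cert has none or it does not fit in
 * 255 bytes).
 */
int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
{
    int foundEntry = 0;
    int ret = 0;

    WOLFSSL_ENTER("CheckCertCRL");

    ret = CheckCertCRLList(crl, cert, &foundEntry);

#ifdef HAVE_CRL_IO
    if (foundEntry == 0) {
        /* perform embedded lookup */
        if (crl->crlIOCb) {
            ret = crl->crlIOCb(crl, (const char*)cert->extCrlInfo,
                               cert->extCrlInfoSz);
            if (ret == WOLFSSL_CBIO_ERR_WANT_READ) {
                ret = WANT_READ;
            }
            else if (ret >= 0) {
                /* the callback loaded something: try the list again */
                ret = CheckCertCRLList(crl, cert, &foundEntry);
            }
            /* NOTE: any other negative callback result is replaced by
             * CRL_MISSING below, because foundEntry is still 0 */
        }
    }
#endif

    if (foundEntry == 0) {
#ifdef HAVE_CRL_IO
        /* a non-blocking fetch still in progress must be reported as
         * WANT_READ so the caller retries, not as a missing CRL */
        if (ret == WANT_READ)
            return ret;
#endif
        WOLFSSL_MSG("Couldn't find CRL for status check");
        ret = CRL_MISSING;

        if (crl->cm->cbMissingCRL) {
            char url[256];

            WOLFSSL_MSG("Issuing missing CRL callback");
            url[0] = '\0';
            if (cert->extCrlInfo == NULL || cert->extCrlInfoSz <= 0) {
                /* no CRL distribution point in the cert: pass an empty URL
                 * rather than copying from a NULL/indeterminate source */
                WOLFSSL_MSG("No CRL url in cert");
            }
            else if (cert->extCrlInfoSz < (int)sizeof(url) - 1) {
                XMEMCPY(url, cert->extCrlInfo, cert->extCrlInfoSz);
                url[cert->extCrlInfoSz] = '\0';
            }
            else {
                WOLFSSL_MSG("CRL url too long");
            }

            crl->cm->cbMissingCRL(url);
        }
    }

    return ret;
}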
wolfSSL 13:f67a6c6013ca 388
wolfSSL 13:f67a6c6013ca 389
/* Build a CRL entry from a decoded CRL and push it onto the CRL list,
 * 0 on success.
 *
 * crl      : list owner; crl->crlLock is taken for the insertion.
 * dcrl     : decoded CRL; its revoked-cert list is moved into the new entry.
 * buff     : DER buffer dcrl was parsed from.
 * verified : whether the CRL signature was already verified.
 *
 * Returns 0 on success, -1 on allocation/init failure, BAD_MUTEX_E if the
 * list lock could not be taken.
 */
static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
                  int verified)
{
    CRL_Entry* entry;

    WOLFSSL_ENTER("AddCRL");

    entry = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), crl->heap,
                                DYNAMIC_TYPE_CRL_ENTRY);
    if (entry == NULL) {
        WOLFSSL_MSG("alloc CRL Entry failed");
        return -1;
    }

    if (InitCRL_Entry(entry, dcrl, buff, verified, crl->heap) < 0) {
        WOLFSSL_MSG("Init CRL Entry failed");
        XFREE(entry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
        return -1;
    }

    if (wc_LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("wc_LockMutex failed");
        FreeCRL_Entry(entry, crl->heap);
        XFREE(entry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
        return BAD_MUTEX_E;
    }

    /* push onto the head: the newest CRL is reached first by the list walk
     * in CheckCertCRLList */
    entry->next = crl->crlList;
    crl->crlList = entry;
    wc_UnLockMutex(&crl->crlLock);

    return 0;
}
wolfSSL 13:f67a6c6013ca 422
wolfSSL 13:f67a6c6013ca 423
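/* Load a CRL from a memory buffer of the given type, SSL_SUCCESS on ok.
 *
 * crl      : CRL container to add to.
 * buff     : PEM or DER encoded CRL.
 * sz       : size of buff in bytes; must be positive.
 * type     : SSL_FILETYPE_PEM or SSL_FILETYPE_ASN1 (anything but PEM is
 *            treated as DER).
 * noVerify : if non-zero, a CRL whose issuer CA is not (yet) known is still
 *            added; its signature is then verified lazily on first use.
 *
 * Returns SSL_SUCCESS on success, BAD_FUNC_ARG on bad arguments, -1 if PEM
 * decoding fails, MEMORY_E, or the ParseCRL/AddCRL error code.
 */
int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
                  int noVerify)
{
    int ret = SSL_SUCCESS;
    const byte* myBuffer = buff;   /* if DER ok, otherwise switch */
    DerBuffer* der = NULL;
#ifdef WOLFSSL_SMALL_STACK
    DecodedCRL* dcrl;
#else
    DecodedCRL dcrl[1];
#endif

    WOLFSSL_ENTER("BufferLoadCRL");

    /* sz is cast to word32 below; a negative length would wrap to a huge
     * value, so reject it along with zero */
    if (crl == NULL || buff == NULL || sz <= 0)
        return BAD_FUNC_ARG;

    if (type == SSL_FILETYPE_PEM) {
        int eccKey = 0;   /* not used */
        EncryptedInfo info;
        /* zero the whole struct, not just ctx, so PemToDer never reads
         * indeterminate fields */
        XMEMSET(&info, 0, sizeof(info));

        ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey);
        if (ret == 0) {
            myBuffer = der->buffer;
            sz = der->length;
        }
        else {
            WOLFSSL_MSG("Pem to Der failed");
            FreeDer(&der);
            return -1;
        }
    }

#ifdef WOLFSSL_SMALL_STACK
    dcrl = (DecodedCRL*)XMALLOC(sizeof(DecodedCRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (dcrl == NULL) {
        FreeDer(&der);
        return MEMORY_E;
    }
#endif

    InitDecodedCRL(dcrl, crl->heap);
    ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
    /* ASN_CRL_NO_SIGNER_E is tolerated only with noVerify: the entry is then
     * added unverified and checked on first use by CheckCertCRLList */
    if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && noVerify)) {
        WOLFSSL_MSG("ParseCRL error");
    }
    else {
        ret = AddCRL(crl, dcrl, myBuffer, ret != ASN_CRL_NO_SIGNER_E);
        if (ret != 0) {
            WOLFSSL_MSG("AddCRL error");
        }
    }

    FreeDecodedCRL(dcrl);

#ifdef WOLFSSL_SMALL_STACK
    XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    FreeDer(&der);

    return ret ? ret : SSL_SUCCESS;   /* convert 0 to SSL_SUCCESS */
}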
wolfSSL 13:f67a6c6013ca 489
wolfSSL 13:f67a6c6013ca 490
wolfSSL 13:f67a6c6013ca 491 #ifdef HAVE_CRL_MONITOR
wolfSSL 13:f67a6c6013ca 492
wolfSSL 13:f67a6c6013ca 493
/* Publish the monitor thread's setup status to the thread waiting on
 * crl->cond: status is stored in crl->setup under crlLock and the condition
 * is signalled.  Returns 0 on success, BAD_MUTEX_E if the lock failed,
 * BAD_COND_E if the signal failed. */
static int SignalSetup(WOLFSSL_CRL* crl, int status)
{
    int signalRc;

    /* signal to calling thread we're setup */
    if (wc_LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("wc_LockMutex crlLock failed");
        return BAD_MUTEX_E;
    }

    crl->setup = status;
    signalRc = pthread_cond_signal(&crl->cond);

    wc_UnLockMutex(&crl->crlLock);

    return (signalRc == 0) ? 0 : BAD_COND_E;
}
wolfSSL 13:f67a6c6013ca 515
wolfSSL 13:f67a6c6013ca 516
/* Re-read the monitored CRL directories into a scratch CRL and swap its
 * entry list into crl under crlLock; the old list is released together with
 * the scratch object.  Returns 0 on success, MEMORY_E if the scratch object
 * could not be allocated, -1 on any other failure (crl is left unchanged). */
static int SwapLists(WOLFSSL_CRL* crl)
{
    int rc = -1;
    CRL_Entry* loaded;
#ifdef WOLFSSL_SMALL_STACK
    WOLFSSL_CRL* scratch;
#else
    WOLFSSL_CRL scratch[1];
#endif

#ifdef WOLFSSL_SMALL_STACK
    scratch = (WOLFSSL_CRL*)XMALLOC(sizeof(WOLFSSL_CRL), NULL,
                                    DYNAMIC_TYPE_TMP_BUFFER);
    if (scratch == NULL)
        return MEMORY_E;
#endif

    if (InitCRL(scratch, crl->cm) < 0) {
        WOLFSSL_MSG("Init tmp CRL failed");
        goto out_buffer;
    }

    if (crl->monitors[0].path != NULL &&
        LoadCRL(scratch, crl->monitors[0].path, SSL_FILETYPE_PEM, 0)
            != SSL_SUCCESS) {
        WOLFSSL_MSG("PEM LoadCRL on dir change failed");
        goto out_crl;
    }

    if (crl->monitors[1].path != NULL &&
        LoadCRL(scratch, crl->monitors[1].path, SSL_FILETYPE_ASN1, 0)
            != SSL_SUCCESS) {
        WOLFSSL_MSG("DER LoadCRL on dir change failed");
        goto out_crl;
    }

    if (wc_LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("wc_LockMutex failed");
        goto out_crl;
    }

    /* swap lists: crl takes the freshly loaded entries, scratch takes the
     * old ones so that FreeCRL below releases them */
    loaded = scratch->crlList;
    scratch->crlList = crl->crlList;
    crl->crlList = loaded;

    wc_UnLockMutex(&crl->crlLock);
    rc = 0;

out_crl:
    FreeCRL(scratch, 0);
out_buffer:
#ifdef WOLFSSL_SMALL_STACK
    XFREE(scratch, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
    return rc;
}
wolfSSL 13:f67a6c6013ca 591
wolfSSL 13:f67a6c6013ca 592
wolfSSL 13:f67a6c6013ca 593 #if (defined(__MACH__) || defined(__FreeBSD__))
wolfSSL 13:f67a6c6013ca 594
wolfSSL 13:f67a6c6013ca 595 #include <sys/types.h>
wolfSSL 13:f67a6c6013ca 596 #include <sys/event.h>
wolfSSL 13:f67a6c6013ca 597 #include <sys/time.h>
wolfSSL 13:f67a6c6013ca 598 #include <fcntl.h>
wolfSSL 13:f67a6c6013ca 599 #include <unistd.h>
wolfSSL 13:f67a6c6013ca 600
wolfSSL 13:f67a6c6013ca 601 #ifdef __MACH__
wolfSSL 13:f67a6c6013ca 602 #define XEVENT_MODE O_EVTONLY
wolfSSL 13:f67a6c6013ca 603 #elif defined(__FreeBSD__)
wolfSSL 13:f67a6c6013ca 604 #define XEVENT_MODE EVFILT_VNODE
wolfSSL 13:f67a6c6013ca 605 #endif
wolfSSL 13:f67a6c6013ca 606
wolfSSL 13:f67a6c6013ca 607
wolfSSL 13:f67a6c6013ca 608 /* we need a unique kqueue user filter fd for crl in case user is doing custom
wolfSSL 13:f67a6c6013ca 609 * events too */
wolfSSL 13:f67a6c6013ca 610 #ifndef CRL_CUSTOM_FD
wolfSSL 13:f67a6c6013ca 611 #define CRL_CUSTOM_FD 123456
wolfSSL 13:f67a6c6013ca 612 #endif
wolfSSL 13:f67a6c6013ca 613
wolfSSL 13:f67a6c6013ca 614
/* Ask the monitor thread to shut down by firing the private EVFILT_USER
 * event it waits on.  mfd is the thread's kqueue descriptor.  Returns 0 on
 * success, -1 if the trigger could not be posted. */
static int StopMonitor(int mfd)
{
    struct kevent trigger;

    /* trigger custom shutdown */
    EV_SET(&trigger, CRL_CUSTOM_FD, EVFILT_USER, 0, NOTE_TRIGGER, 0, NULL);
    if (kevent(mfd, &trigger, 1, NULL, 0, NULL) >= 0)
        return 0;

    WOLFSSL_MSG("kevent trigger customer event failed");
    return -1;
}
wolfSSL 13:f67a6c6013ca 629
wolfSSL 13:f67a6c6013ca 630
wolfSSL 13:f67a6c6013ca 631 /* OS X monitoring */
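/* OS X / FreeBSD monitoring thread body: watches the CRL directories through
 * kqueue EVFILT_VNODE events and reloads the revocation lists (SwapLists)
 * whenever one of them changes.
 *
 * arg is the WOLFSSL_CRL* that owns the monitor. Setup status is reported to
 * the starting thread through SignalSetup(): MONITOR_SETUP_E on failure, 1
 * once the watches are registered. crl->mfd holds the kqueue that
 * StopMonitor() signals through the CRL_CUSTOM_FD user event.
 * Always returns NULL (pthread start routine). */
static void* DoMonitor(void* arg)
{
    int fPEM = -1;              /* directory fd for the PEM path, if any */
    int fDER = -1;              /* directory fd for the DER path, if any */
    struct kevent change;       /* scratch entry for the user-event setup */
    struct kevent watches[2];   /* one EVFILT_VNODE entry per monitored dir */
    int nWatches = 0;
    WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;

    WOLFSSL_ENTER("DoMonitor");

    crl->mfd = kqueue();
    if (crl->mfd == -1) {
        WOLFSSL_MSG("kqueue failed");
        SignalSetup(crl, MONITOR_SETUP_E);
        return NULL;
    }

    /* listen for custom shutdown event */
    EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, EV_ADD, 0, 0, NULL);
    if (kevent(crl->mfd, &change, 1, NULL, 0, NULL) < 0) {
        WOLFSSL_MSG("kevent monitor customer event failed");
        SignalSetup(crl, MONITOR_SETUP_E);
        close(crl->mfd);
        return NULL;
    }

    if (crl->monitors[0].path) {
        fPEM = open(crl->monitors[0].path, XEVENT_MODE);
        if (fPEM == -1) {
            WOLFSSL_MSG("PEM event dir open failed");
            SignalSetup(crl, MONITOR_SETUP_E);
            close(crl->mfd);
            return NULL;
        }
    }

    if (crl->monitors[1].path) {
        fDER = open(crl->monitors[1].path, XEVENT_MODE);
        if (fDER == -1) {
            WOLFSSL_MSG("DER event dir open failed");
            if (fPEM != -1)
                close(fPEM);
            close(crl->mfd);
            SignalSetup(crl, MONITOR_SETUP_E);
            return NULL;
        }
    }

    /* Each directory gets its own changelist entry. Previously a single
     * struct kevent was reused for both, so when PEM and DER paths were both
     * configured only the DER directory was ever watched and updates to the
     * PEM CRLs went unnoticed. EV_ONESHOT removes a watch once it fires, so
     * the whole list is handed back to kevent() on every loop iteration to
     * re-arm it. */
    if (fPEM != -1) {
        EV_SET(&watches[nWatches], fPEM, EVFILT_VNODE,
               EV_ADD | EV_ENABLE | EV_ONESHOT,
               NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
        nWatches++;
    }
    if (fDER != -1) {
        EV_SET(&watches[nWatches], fDER, EVFILT_VNODE,
               EV_ADD | EV_ENABLE | EV_ONESHOT,
               NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
        nWatches++;
    }

    /* signal to calling thread we're setup */
    if (SignalSetup(crl, 1) != 0) {
        if (fPEM != -1)
            close(fPEM);
        if (fDER != -1)
            close(fDER);
        close(crl->mfd);
        return NULL;
    }

    for (;;) {
        struct kevent event;
        /* re-register the (one-shot) directory watches and wait for either a
         * directory change or the shutdown user event */
        int numEvents = kevent(crl->mfd, watches, nWatches, &event, 1, NULL);

        WOLFSSL_MSG("Got kevent");

        if (numEvents == -1) {
            WOLFSSL_MSG("kevent problem, continue");
            continue;
        }

        if (event.filter == EVFILT_USER) {
            WOLFSSL_MSG("Got user shutdown event, breaking out");
            break;
        }

        if (SwapLists(crl) < 0) {
            WOLFSSL_MSG("SwapLists problem, continue");
        }
    }

    if (fPEM != -1)
        close(fPEM);
    if (fDER != -1)
        close(fDER);

    close(crl->mfd);

    return NULL;
}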
wolfSSL 13:f67a6c6013ca 730
wolfSSL 13:f67a6c6013ca 731
wolfSSL 13:f67a6c6013ca 732 #elif defined(__linux__)
wolfSSL 13:f67a6c6013ca 733
wolfSSL 13:f67a6c6013ca 734 #include <sys/types.h>
wolfSSL 13:f67a6c6013ca 735 #include <sys/inotify.h>
wolfSSL 13:f67a6c6013ca 736 #include <sys/eventfd.h>
wolfSSL 13:f67a6c6013ca 737 #include <unistd.h>
wolfSSL 13:f67a6c6013ca 738
wolfSSL 13:f67a6c6013ca 739
wolfSSL 13:f67a6c6013ca 740 #ifndef max
/* Larger of two ints; only compiled when the platform does not already
 * provide a max macro. */
static INLINE int max(int a, int b)
{
    if (a > b)
        return a;
    return b;
}
wolfSSL 13:f67a6c6013ca 745 #endif /* max */
wolfSSL 13:f67a6c6013ca 746
wolfSSL 13:f67a6c6013ca 747
wolfSSL 13:f67a6c6013ca 748 /* shutdown monitor thread, 0 on success */
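/* Ask the Linux monitor thread to stop by bumping the eventfd counter in
 * mfd (crl->mfd); the thread's select() wakes and it leaves its loop.
 * Returns 0 on success, -1 if the full 8-byte counter was not written. */
static int StopMonitor(int mfd)
{
    word64 w64 = 1;
    ssize_t written;

    /* write to our custom event */
    written = write(mfd, &w64, sizeof(w64));
    /* eventfd writes are all-or-nothing, but write(2) may in general return
     * a short count; anything but a complete write means the monitor was not
     * signalled, so report it instead of only checking for -1 */
    if (written != (ssize_t)sizeof(w64)) {
        WOLFSSL_MSG("StopMonitor write failed");
        return -1;
    }

    return 0;
}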
wolfSSL 13:f67a6c6013ca 761
wolfSSL 13:f67a6c6013ca 762
wolfSSL 13:f67a6c6013ca 763 /* linux monitoring */
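/* Linux monitoring thread body: watches the CRL directories with inotify and
 * reloads the revocation lists (SwapLists) whenever one of them changes.
 *
 * arg is the WOLFSSL_CRL* that owns the monitor. Setup status is reported to
 * the starting thread through SignalSetup(): a negative error code on
 * failure, 1 once the watches are in place. crl->mfd holds the eventfd that
 * StopMonitor() writes to request shutdown. Always returns NULL (pthread
 * start routine).
 *
 * All exits funnel through the cleanup label so that every descriptor and
 * the inotify watches are released and, on a setup failure, the starting
 * thread is always woken; an early return without SignalSetup() would leave
 * StartMonitorCRL() blocked on its condition variable forever. */
static void* DoMonitor(void* arg)
{
    enum { NOTIFY_BUF_SZ = 8192 };
    int notifyFd = -1;
    int wdPEM = -1;      /* inotify watch descriptor for the PEM directory */
    int wdDER = -1;      /* inotify watch descriptor for the DER directory */
    int setupErr = 0;    /* error to report to the starting thread, if any */
    WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;
#ifdef WOLFSSL_SMALL_STACK
    char* buff = NULL;
#else
    char buff[NOTIFY_BUF_SZ];
#endif

    WOLFSSL_ENTER("DoMonitor");

    crl->mfd = eventfd(0, 0); /* our custom shutdown event */
    if (crl->mfd < 0) {
        WOLFSSL_MSG("eventfd failed");
        SignalSetup(crl, MONITOR_SETUP_E);
        return NULL;
    }

    notifyFd = inotify_init();
    if (notifyFd < 0) {
        WOLFSSL_MSG("inotify failed");
        setupErr = MONITOR_SETUP_E;
        goto cleanup;
    }

    /* each directory keeps its own watch descriptor so both can be removed
     * again on shutdown (a single shared variable only remembered the last) */
    if (crl->monitors[0].path) {
        wdPEM = inotify_add_watch(notifyFd, crl->monitors[0].path,
                                  IN_CLOSE_WRITE | IN_DELETE);
        if (wdPEM < 0) {
            WOLFSSL_MSG("PEM notify add watch failed");
            setupErr = MONITOR_SETUP_E;
            goto cleanup;
        }
    }

    if (crl->monitors[1].path) {
        wdDER = inotify_add_watch(notifyFd, crl->monitors[1].path,
                                  IN_CLOSE_WRITE | IN_DELETE);
        if (wdDER < 0) {
            WOLFSSL_MSG("DER notify add watch failed");
            setupErr = MONITOR_SETUP_E;
            goto cleanup;
        }
    }

#ifdef WOLFSSL_SMALL_STACK
    buff = (char*)XMALLOC(NOTIFY_BUF_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (buff == NULL) {
        /* previously returned without closing anything or signalling the
         * starter, leaking both descriptors and deadlocking StartMonitorCRL */
        WOLFSSL_MSG("notify buffer allocation failed");
        setupErr = MEMORY_E;
        goto cleanup;
    }
#endif

    /* signal to calling thread we're setup */
    if (SignalSetup(crl, 1) != 0) {
        /* the starter was already notified (or the lock is broken); nothing
         * further to report, just release what we hold */
        goto cleanup;
    }

    for (;;) {
        fd_set readfds;
        int result;
        int length;

        FD_ZERO(&readfds);
        FD_SET(notifyFd, &readfds);
        FD_SET(crl->mfd, &readfds);

        result = select(max(notifyFd, crl->mfd) + 1, &readfds, NULL, NULL, NULL);

        WOLFSSL_MSG("Got notify event");

        if (result < 0) {
            WOLFSSL_MSG("select problem, continue");
            continue;
        }

        if (FD_ISSET(crl->mfd, &readfds)) {
            WOLFSSL_MSG("got custom shutdown event, breaking out");
            break;
        }

        /* drain the pending inotify records; their contents are not
         * inspected, any change to a watched directory triggers a reload */
        length = (int) read(notifyFd, buff, NOTIFY_BUF_SZ);
        if (length < 0) {
            WOLFSSL_MSG("notify read problem, continue");
            continue;
        }

        if (SwapLists(crl) < 0) {
            WOLFSSL_MSG("SwapLists problem, continue");
        }
    }

cleanup:
#ifdef WOLFSSL_SMALL_STACK
    XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
    if (wdPEM >= 0)
        inotify_rm_watch(notifyFd, wdPEM);
    if (wdDER >= 0)
        inotify_rm_watch(notifyFd, wdDER);
    if (notifyFd >= 0)
        close(notifyFd);
    close(crl->mfd);

    if (setupErr != 0)
        SignalSetup(crl, setupErr);

    return NULL;
}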
wolfSSL 13:f67a6c6013ca 880
wolfSSL 13:f67a6c6013ca 881 #endif /* MACH or linux */
wolfSSL 13:f67a6c6013ca 882
wolfSSL 13:f67a6c6013ca 883
wolfSSL 13:f67a6c6013ca 884 /* Start Monitoring the CRL path(s) in a thread */
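/* Start Monitoring the CRL path(s) in a thread.
 *
 * Spawns DoMonitor() on crl and blocks, under crl->crlLock, until the thread
 * reports its setup result in crl->setup (1 = ready, negative = failure).
 * Returns SSL_SUCCESS when the monitor is running (or was already running),
 * BAD_FUNC_ARG for a NULL crl, THREAD_CREATE_E if the thread could not be
 * created, BAD_MUTEX_E / BAD_COND_E on synchronisation failures, or the
 * negative setup error reported by the monitor thread. */
static int StartMonitorCRL(WOLFSSL_CRL* crl)
{
    int ret = SSL_SUCCESS;
    int setup;

    WOLFSSL_ENTER("StartMonitorCRL");

    if (crl == NULL)
        return BAD_FUNC_ARG;

    if (crl->tid != 0) {
        WOLFSSL_MSG("Monitor thread already running");
        return ret; /* that's ok, someone already started */
    }

    if (pthread_create(&crl->tid, NULL, DoMonitor, crl) != 0) {
        WOLFSSL_MSG("Thread creation error");
        /* on failure the contents of the pthread_t are unspecified; reset it
         * so the "already running" check above stays meaningful */
        crl->tid = 0;
        return THREAD_CREATE_E;
    }

    /* wait for setup to complete */
    if (wc_LockMutex(&crl->crlLock) != 0) {
        WOLFSSL_MSG("wc_LockMutex crlLock error");
        return BAD_MUTEX_E;
    }

    while (crl->setup == 0) {
        if (pthread_cond_wait(&crl->cond, &crl->crlLock) != 0) {
            ret = BAD_COND_E;
            break;
        }
    }
    setup = crl->setup; /* snapshot while still holding the lock */

    wc_UnLockMutex(&crl->crlLock);

    if (setup < 0) {
        WOLFSSL_MSG("DoMonitor setup failure");
        ret = setup;  /* store setup error */
        crl->tid = 0; /* thread already done; a later start may retry */
    }
    /* On BAD_COND_E with no setup result the thread may well still be alive,
     * so tid is deliberately left set: clearing it would let a second
     * monitor be started on top of the first. */

    return ret;
}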
wolfSSL 13:f67a6c6013ca 929
wolfSSL 13:f67a6c6013ca 930
wolfSSL 13:f67a6c6013ca 931 #else /* HAVE_CRL_MONITOR */
wolfSSL 13:f67a6c6013ca 932
wolfSSL 13:f67a6c6013ca 933 #ifndef NO_FILESYSTEM
wolfSSL 13:f67a6c6013ca 934
/* Monitoring stub used when HAVE_CRL_MONITOR is not defined: the file system
 * is available but no directory watcher was compiled in.
 * Always returns NOT_COMPILED_IN. */
static int StartMonitorCRL(WOLFSSL_CRL* crl)
{
    WOLFSSL_ENTER("StartMonitorCRL");
    WOLFSSL_MSG("Not compiled in");

    (void)crl; /* nothing to watch without monitor support */
    return NOT_COMPILED_IN;
}
wolfSSL 13:f67a6c6013ca 944
wolfSSL 13:f67a6c6013ca 945 #endif /* NO_FILESYSTEM */
wolfSSL 13:f67a6c6013ca 946
wolfSSL 13:f67a6c6013ca 947 #endif /* HAVE_CRL_MONITOR */
wolfSSL 13:f67a6c6013ca 948
wolfSSL 13:f67a6c6013ca 949 #if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
wolfSSL 13:f67a6c6013ca 950
wolfSSL 13:f67a6c6013ca 951 /* Load CRL path files of type, SSL_SUCCESS on ok */
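/* Does a directory entry name look like a CRL of the requested type?
 * PEM: name contains ".pem"; anything else: name contains ".der" or ".crl".
 * This is a substring test rather than a suffix test, kept as-is for
 * backwards compatibility with existing deployments.
 * Returns 1 when the file should be loaded, 0 when it should be skipped. */
static int CrlNameMatchesType(const char* name, int type)
{
    if (type == SSL_FILETYPE_PEM) {
        if (XSTRSTR(name, ".pem") == NULL) {
            WOLFSSL_MSG("not .pem file, skipping");
            return 0;
        }
        return 1;
    }

    if (XSTRSTR(name, ".der") == NULL && XSTRSTR(name, ".crl") == NULL) {
        WOLFSSL_MSG("not .der or .crl file, skipping");
        return 0;
    }
    return 1;
}

/* Record path as the directory to monitor for CRLs of the given type
 * (slot 0 = PEM, slot 1 = DER/ASN.1), replacing and freeing any previously
 * recorded path of that type.
 * Returns SSL_SUCCESS, or MEMORY_E if the copy of path cannot be allocated. */
static int SetMonitorPath(WOLFSSL_CRL* crl, const char* path, int type)
{
    int idx = (type == SSL_FILETYPE_PEM) ? 0 : 1;
    word32 pathLen = (word32)XSTRLEN(path);
    char* pathBuf = (char*)XMALLOC(pathLen + 1, crl->heap,
                                   DYNAMIC_TYPE_CRL_MONITOR);
    if (pathBuf == NULL)
        return MEMORY_E;

    XSTRNCPY(pathBuf, path, pathLen);
    pathBuf[pathLen] = '\0'; /* Null Terminate */

    /* free old path before setting a new one */
    if (crl->monitors[idx].path) {
        XFREE(crl->monitors[idx].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);
    }
    crl->monitors[idx].path = pathBuf;
    crl->monitors[idx].type = (idx == 0) ? SSL_FILETYPE_PEM : SSL_FILETYPE_ASN1;

    return SSL_SUCCESS;
}

/* Load CRL path files of type, SSL_SUCCESS on ok.
 *
 * Every entry in directory path whose name matches the type (see
 * CrlNameMatchesType) is handed to ProcessFile() as a CRL. Individual load
 * failures are only logged and never change the return value, so a
 * malformed or stray file does not prevent the remaining CRLs from loading;
 * callers that need a hard guarantee must verify the directory contents
 * themselves.
 *
 * monitor is a bit mask: WOLFSSL_CRL_MONITOR records path as the directory to
 * watch for this type, and WOLFSSL_CRL_START_MON additionally starts the
 * monitor thread (StartMonitorCRL).
 *
 * Returns SSL_SUCCESS, BAD_FUNC_ARG for a NULL crl or path, MEMORY_E if a
 * needed allocation fails, or the StartMonitorCRL() error code. */
int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
{
    int ret = SSL_SUCCESS;
    char* name = NULL;
#ifdef WOLFSSL_SMALL_STACK
    ReadDirCtx* readCtx = NULL;
#else
    ReadDirCtx readCtx[1];
#endif

    WOLFSSL_ENTER("LoadCRL");
    /* path is dereferenced by the directory walk and by XSTRLEN below */
    if (crl == NULL || path == NULL)
        return BAD_FUNC_ARG;

#ifdef WOLFSSL_SMALL_STACK
    readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), crl->heap,
                                   DYNAMIC_TYPE_TMP_BUFFER);
    if (readCtx == NULL)
        return MEMORY_E;
#endif

    /* try to load each regular file in path */
    ret = wc_ReadDirFirst(readCtx, path, &name);
    while (ret == 0 && name) {
        if (CrlNameMatchesType(name, type) &&
            ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl)
                != SSL_SUCCESS) {
            WOLFSSL_MSG("CRL file load failed, continuing");
        }

        ret = wc_ReadDirNext(readCtx, path, &name);
    }
    wc_ReadDirClose(readCtx);
    ret = SSL_SUCCESS; /* load failures not reported, for backwards compat */

#ifdef WOLFSSL_SMALL_STACK
    XFREE(readCtx, crl->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    if (monitor & WOLFSSL_CRL_MONITOR) {
        WOLFSSL_MSG("monitor path requested");

        ret = SetMonitorPath(crl, path, type);
        if (ret == SSL_SUCCESS && (monitor & WOLFSSL_CRL_START_MON)) {
            WOLFSSL_MSG("start monitoring requested");

            ret = StartMonitorCRL(crl);
        }
    }

    return ret;
}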
wolfSSL 13:f67a6c6013ca 1049
wolfSSL 13:f67a6c6013ca 1050 #else
/* LoadCRL stub for builds without a file system (NO_FILESYSTEM) or without
 * directory support (NO_WOLFSSL_DIR). Every argument is ignored and
 * NOT_COMPILED_IN is returned. */
int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
{
    /* stub for scenario where file system is not supported */
    (void)crl;
    (void)path;
    (void)type;
    (void)monitor;

    return NOT_COMPILED_IN;
}
wolfSSL 13:f67a6c6013ca 1061 #endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */
wolfSSL 13:f67a6c6013ca 1062
wolfSSL 13:f67a6c6013ca 1063 #endif /* HAVE_CRL */
wolfSSL 13:f67a6c6013ca 1064 #endif /* !WOLFCRYPT_ONLY */
wolfSSL 13:f67a6c6013ca 1065