[164] | 1 | /* crl.c
|
---|
| 2 | *
|
---|
| 3 | * Copyright (C) 2006-2015 wolfSSL Inc.
|
---|
| 4 | *
|
---|
| 5 | * This file is part of wolfSSL. (formerly known as CyaSSL)
|
---|
| 6 | *
|
---|
| 7 | * wolfSSL is free software; you can redistribute it and/or modify
|
---|
| 8 | * it under the terms of the GNU General Public License as published by
|
---|
| 9 | * the Free Software Foundation; either version 2 of the License, or
|
---|
| 10 | * (at your option) any later version.
|
---|
| 11 | *
|
---|
| 12 | * wolfSSL is distributed in the hope that it will be useful,
|
---|
| 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
| 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
---|
| 15 | * GNU General Public License for more details.
|
---|
| 16 | *
|
---|
| 17 | * You should have received a copy of the GNU General Public License
|
---|
| 18 | * along with this program; if not, write to the Free Software
|
---|
| 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
|
---|
| 20 | */
|
---|
| 21 |
|
---|
| 22 | /* Name change compatibility layer no longer needs included here */
|
---|
| 23 |
|
---|
| 24 | #ifdef HAVE_CONFIG_H
|
---|
| 25 | #include <config.h>
|
---|
| 26 | #endif
|
---|
| 27 |
|
---|
| 28 | #include <wolfssl/wolfcrypt/settings.h>
|
---|
| 29 |
|
---|
| 30 | #ifndef WOLFCRYPT_ONLY
|
---|
| 31 | #ifdef HAVE_CRL
|
---|
| 32 |
|
---|
| 33 | #include <wolfssl/internal.h>
|
---|
| 34 | #include <wolfssl/error-ssl.h>
|
---|
| 35 |
|
---|
| 36 | #ifndef NO_FILESYSTEM
|
---|
| 37 | #include <dirent.h>
|
---|
| 38 | #include <sys/stat.h>
|
---|
| 39 | #endif
|
---|
| 40 |
|
---|
| 41 | #include <string.h>
|
---|
| 42 |
|
---|
| 43 | #ifdef HAVE_CRL_MONITOR
|
---|
| 44 | static int StopMonitor(int mfd);
|
---|
| 45 | #endif
|
---|
| 46 |
|
---|
| 47 |
|
---|
| 48 | /* Initialze CRL members */
|
---|
| 49 | int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
|
---|
| 50 | {
|
---|
| 51 | WOLFSSL_ENTER("InitCRL");
|
---|
| 52 |
|
---|
| 53 | crl->cm = cm;
|
---|
| 54 | crl->crlList = NULL;
|
---|
| 55 | crl->monitors[0].path = NULL;
|
---|
| 56 | crl->monitors[1].path = NULL;
|
---|
| 57 | #ifdef HAVE_CRL_MONITOR
|
---|
| 58 | crl->tid = 0;
|
---|
| 59 | crl->mfd = -1; /* mfd for bsd is kqueue fd, eventfd for linux */
|
---|
| 60 | #endif
|
---|
| 61 | if (InitMutex(&crl->crlLock) != 0)
|
---|
| 62 | return BAD_MUTEX_E;
|
---|
| 63 |
|
---|
| 64 | return 0;
|
---|
| 65 | }
|
---|
| 66 |
|
---|
| 67 |
|
---|
| 68 | /* Initialze CRL Entry */
|
---|
| 69 | static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl)
|
---|
| 70 | {
|
---|
| 71 | WOLFSSL_ENTER("InitCRL_Entry");
|
---|
| 72 |
|
---|
| 73 | XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE);
|
---|
| 74 | /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
|
---|
| 75 | * copy the hash here if needed for optimized comparisons */
|
---|
| 76 | XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
|
---|
| 77 | XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
|
---|
| 78 | crle->lastDateFormat = dcrl->lastDateFormat;
|
---|
| 79 | crle->nextDateFormat = dcrl->nextDateFormat;
|
---|
| 80 |
|
---|
| 81 | crle->certs = dcrl->certs; /* take ownsership */
|
---|
| 82 | dcrl->certs = NULL;
|
---|
| 83 | crle->totalCerts = dcrl->totalCerts;
|
---|
| 84 |
|
---|
| 85 | return 0;
|
---|
| 86 | }
|
---|
| 87 |
|
---|
| 88 |
|
---|
| 89 | /* Free all CRL Entry resources */
|
---|
| 90 | static void FreeCRL_Entry(CRL_Entry* crle)
|
---|
| 91 | {
|
---|
| 92 | RevokedCert* tmp = crle->certs;
|
---|
| 93 |
|
---|
| 94 | WOLFSSL_ENTER("FreeCRL_Entry");
|
---|
| 95 |
|
---|
| 96 | while(tmp) {
|
---|
| 97 | RevokedCert* next = tmp->next;
|
---|
| 98 | XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED);
|
---|
| 99 | tmp = next;
|
---|
| 100 | }
|
---|
| 101 | }
|
---|
| 102 |
|
---|
| 103 |
|
---|
| 104 |
|
---|
| 105 | /* Free all CRL resources */
|
---|
| 106 | void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
|
---|
| 107 | {
|
---|
| 108 | CRL_Entry* tmp = crl->crlList;
|
---|
| 109 |
|
---|
| 110 | WOLFSSL_ENTER("FreeCRL");
|
---|
| 111 |
|
---|
| 112 | if (crl->monitors[0].path)
|
---|
| 113 | XFREE(crl->monitors[0].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);
|
---|
| 114 |
|
---|
| 115 | if (crl->monitors[1].path)
|
---|
| 116 | XFREE(crl->monitors[1].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);
|
---|
| 117 |
|
---|
| 118 | while(tmp) {
|
---|
| 119 | CRL_Entry* next = tmp->next;
|
---|
| 120 | FreeCRL_Entry(tmp);
|
---|
| 121 | XFREE(tmp, NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
| 122 | tmp = next;
|
---|
| 123 | }
|
---|
| 124 |
|
---|
| 125 | #ifdef HAVE_CRL_MONITOR
|
---|
| 126 | if (crl->tid != 0) {
|
---|
| 127 | WOLFSSL_MSG("stopping monitor thread");
|
---|
| 128 | if (StopMonitor(crl->mfd) == 0)
|
---|
| 129 | pthread_join(crl->tid, NULL);
|
---|
| 130 | else {
|
---|
| 131 | WOLFSSL_MSG("stop monitor failed, cancel instead");
|
---|
| 132 | pthread_cancel(crl->tid);
|
---|
| 133 | }
|
---|
| 134 | }
|
---|
| 135 | #endif
|
---|
| 136 | FreeMutex(&crl->crlLock);
|
---|
| 137 | if (dynamic) /* free self */
|
---|
| 138 | XFREE(crl, NULL, DYNAMIC_TYPE_CRL);
|
---|
| 139 | }
|
---|
| 140 |
|
---|
| 141 |
|
---|
| 142 | /* Is the cert ok with CRL, return 0 on success */
|
---|
| 143 | int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
|
---|
| 144 | {
|
---|
| 145 | CRL_Entry* crle;
|
---|
| 146 | int foundEntry = 0;
|
---|
| 147 | int ret = 0;
|
---|
| 148 |
|
---|
| 149 | WOLFSSL_ENTER("CheckCertCRL");
|
---|
| 150 |
|
---|
| 151 | if (LockMutex(&crl->crlLock) != 0) {
|
---|
| 152 | WOLFSSL_MSG("LockMutex failed");
|
---|
| 153 | return BAD_MUTEX_E;
|
---|
| 154 | }
|
---|
| 155 |
|
---|
| 156 | crle = crl->crlList;
|
---|
| 157 |
|
---|
| 158 | while (crle) {
|
---|
| 159 | if (XMEMCMP(crle->issuerHash, cert->issuerHash, CRL_DIGEST_SIZE) == 0) {
|
---|
| 160 | int doNextDate = 1;
|
---|
| 161 |
|
---|
| 162 | WOLFSSL_MSG("Found CRL Entry on list");
|
---|
| 163 | WOLFSSL_MSG("Checking next date validity");
|
---|
| 164 |
|
---|
| 165 | #ifdef WOLFSSL_NO_CRL_NEXT_DATE
|
---|
| 166 | if (crle->nextDateFormat == ASN_OTHER_TYPE)
|
---|
| 167 | doNextDate = 0; /* skip */
|
---|
| 168 | #endif
|
---|
| 169 |
|
---|
| 170 | if (doNextDate && !ValidateDate(crle->nextDate,
|
---|
| 171 | crle->nextDateFormat, AFTER)) {
|
---|
| 172 | WOLFSSL_MSG("CRL next date is no longer valid");
|
---|
| 173 | ret = ASN_AFTER_DATE_E;
|
---|
| 174 | }
|
---|
| 175 | else
|
---|
| 176 | foundEntry = 1;
|
---|
| 177 | break;
|
---|
| 178 | }
|
---|
| 179 | crle = crle->next;
|
---|
| 180 | }
|
---|
| 181 |
|
---|
| 182 | if (foundEntry) {
|
---|
| 183 | RevokedCert* rc = crle->certs;
|
---|
| 184 |
|
---|
| 185 | while (rc) {
|
---|
| 186 | if (XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
|
---|
| 187 | WOLFSSL_MSG("Cert revoked");
|
---|
| 188 | ret = CRL_CERT_REVOKED;
|
---|
| 189 | break;
|
---|
| 190 | }
|
---|
| 191 | rc = rc->next;
|
---|
| 192 | }
|
---|
| 193 | }
|
---|
| 194 |
|
---|
| 195 | UnLockMutex(&crl->crlLock);
|
---|
| 196 |
|
---|
| 197 | if (foundEntry == 0) {
|
---|
| 198 | WOLFSSL_MSG("Couldn't find CRL for status check");
|
---|
| 199 | ret = CRL_MISSING;
|
---|
| 200 | if (crl->cm->cbMissingCRL) {
|
---|
| 201 | char url[256];
|
---|
| 202 |
|
---|
| 203 | WOLFSSL_MSG("Issuing missing CRL callback");
|
---|
| 204 | url[0] = '\0';
|
---|
| 205 | if (cert->extCrlInfoSz < (int)sizeof(url) -1 ) {
|
---|
| 206 | XMEMCPY(url, cert->extCrlInfo, cert->extCrlInfoSz);
|
---|
| 207 | url[cert->extCrlInfoSz] = '\0';
|
---|
| 208 | }
|
---|
| 209 | else {
|
---|
| 210 | WOLFSSL_MSG("CRL url too long");
|
---|
| 211 | }
|
---|
| 212 | crl->cm->cbMissingCRL(url);
|
---|
| 213 | }
|
---|
| 214 | }
|
---|
| 215 |
|
---|
| 216 |
|
---|
| 217 | return ret;
|
---|
| 218 | }
|
---|
| 219 |
|
---|
| 220 |
|
---|
| 221 | /* Add Decoded CRL, 0 on success */
|
---|
| 222 | static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl)
|
---|
| 223 | {
|
---|
| 224 | CRL_Entry* crle;
|
---|
| 225 |
|
---|
| 226 | WOLFSSL_ENTER("AddCRL");
|
---|
| 227 |
|
---|
| 228 | crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
| 229 | if (crle == NULL) {
|
---|
| 230 | WOLFSSL_MSG("alloc CRL Entry failed");
|
---|
| 231 | return -1;
|
---|
| 232 | }
|
---|
| 233 |
|
---|
| 234 | if (InitCRL_Entry(crle, dcrl) < 0) {
|
---|
| 235 | WOLFSSL_MSG("Init CRL Entry failed");
|
---|
| 236 | XFREE(crle, NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
| 237 | return -1;
|
---|
| 238 | }
|
---|
| 239 |
|
---|
| 240 | if (LockMutex(&crl->crlLock) != 0) {
|
---|
| 241 | WOLFSSL_MSG("LockMutex failed");
|
---|
| 242 | FreeCRL_Entry(crle);
|
---|
| 243 | XFREE(crle, NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
| 244 | return BAD_MUTEX_E;
|
---|
| 245 | }
|
---|
| 246 | crle->next = crl->crlList;
|
---|
| 247 | crl->crlList = crle;
|
---|
| 248 | UnLockMutex(&crl->crlLock);
|
---|
| 249 |
|
---|
| 250 | return 0;
|
---|
| 251 | }
|
---|
| 252 |
|
---|
| 253 |
|
---|
| 254 | /* Load CRL File of type, SSL_SUCCESS on ok */
|
---|
| 255 | int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
|
---|
| 256 | {
|
---|
| 257 | int ret = SSL_SUCCESS;
|
---|
| 258 | const byte* myBuffer = buff; /* if DER ok, otherwise switch */
|
---|
| 259 | buffer der;
|
---|
| 260 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 261 | DecodedCRL* dcrl;
|
---|
| 262 | #else
|
---|
| 263 | DecodedCRL dcrl[1];
|
---|
| 264 | #endif
|
---|
| 265 |
|
---|
| 266 | der.buffer = NULL;
|
---|
| 267 |
|
---|
| 268 | WOLFSSL_ENTER("BufferLoadCRL");
|
---|
| 269 |
|
---|
| 270 | if (crl == NULL || buff == NULL || sz == 0)
|
---|
| 271 | return BAD_FUNC_ARG;
|
---|
| 272 |
|
---|
| 273 | if (type == SSL_FILETYPE_PEM) {
|
---|
| 274 | int eccKey = 0; /* not used */
|
---|
| 275 | EncryptedInfo info;
|
---|
| 276 | info.ctx = NULL;
|
---|
| 277 |
|
---|
| 278 | ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey);
|
---|
| 279 | if (ret == 0) {
|
---|
| 280 | myBuffer = der.buffer;
|
---|
| 281 | sz = der.length;
|
---|
| 282 | }
|
---|
| 283 | else {
|
---|
| 284 | WOLFSSL_MSG("Pem to Der failed");
|
---|
| 285 | return -1;
|
---|
| 286 | }
|
---|
| 287 | }
|
---|
| 288 |
|
---|
| 289 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 290 | dcrl = (DecodedCRL*)XMALLOC(sizeof(DecodedCRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 291 | if (dcrl == NULL) {
|
---|
| 292 | if (der.buffer)
|
---|
| 293 | XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL);
|
---|
| 294 |
|
---|
| 295 | return MEMORY_E;
|
---|
| 296 | }
|
---|
| 297 | #endif
|
---|
| 298 |
|
---|
| 299 | InitDecodedCRL(dcrl);
|
---|
| 300 | ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
|
---|
| 301 | if (ret != 0) {
|
---|
| 302 | WOLFSSL_MSG("ParseCRL error");
|
---|
| 303 | }
|
---|
| 304 | else {
|
---|
| 305 | ret = AddCRL(crl, dcrl);
|
---|
| 306 | if (ret != 0) {
|
---|
| 307 | WOLFSSL_MSG("AddCRL error");
|
---|
| 308 | }
|
---|
| 309 | }
|
---|
| 310 |
|
---|
| 311 | FreeDecodedCRL(dcrl);
|
---|
| 312 |
|
---|
| 313 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 314 | XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 315 | #endif
|
---|
| 316 |
|
---|
| 317 | if (der.buffer)
|
---|
| 318 | XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL);
|
---|
| 319 |
|
---|
| 320 | return ret ? ret : SSL_SUCCESS; /* convert 0 to SSL_SUCCESS */
|
---|
| 321 | }
|
---|
| 322 |
|
---|
| 323 |
|
---|
| 324 | #ifdef HAVE_CRL_MONITOR
|
---|
| 325 |
|
---|
| 326 |
|
---|
| 327 | /* read in new CRL entries and save new list */
|
---|
| 328 | static int SwapLists(WOLFSSL_CRL* crl)
|
---|
| 329 | {
|
---|
| 330 | int ret;
|
---|
| 331 | CRL_Entry* newList;
|
---|
| 332 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 333 | WOLFSSL_CRL* tmp;
|
---|
| 334 | #else
|
---|
| 335 | WOLFSSL_CRL tmp[1];
|
---|
| 336 | #endif
|
---|
| 337 |
|
---|
| 338 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 339 | tmp = (WOLFSSL_CRL*)XMALLOC(sizeof(WOLFSSL_CRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 340 | if (tmp == NULL)
|
---|
| 341 | return MEMORY_E;
|
---|
| 342 | #endif
|
---|
| 343 |
|
---|
| 344 | if (InitCRL(tmp, crl->cm) < 0) {
|
---|
| 345 | WOLFSSL_MSG("Init tmp CRL failed");
|
---|
| 346 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 347 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 348 | #endif
|
---|
| 349 | return -1;
|
---|
| 350 | }
|
---|
| 351 |
|
---|
| 352 | if (crl->monitors[0].path) {
|
---|
| 353 | ret = LoadCRL(tmp, crl->monitors[0].path, SSL_FILETYPE_PEM, 0);
|
---|
| 354 | if (ret != SSL_SUCCESS) {
|
---|
| 355 | WOLFSSL_MSG("PEM LoadCRL on dir change failed");
|
---|
| 356 | FreeCRL(tmp, 0);
|
---|
| 357 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 358 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 359 | #endif
|
---|
| 360 | return -1;
|
---|
| 361 | }
|
---|
| 362 | }
|
---|
| 363 |
|
---|
| 364 | if (crl->monitors[1].path) {
|
---|
| 365 | ret = LoadCRL(tmp, crl->monitors[1].path, SSL_FILETYPE_ASN1, 0);
|
---|
| 366 | if (ret != SSL_SUCCESS) {
|
---|
| 367 | WOLFSSL_MSG("DER LoadCRL on dir change failed");
|
---|
| 368 | FreeCRL(tmp, 0);
|
---|
| 369 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 370 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 371 | #endif
|
---|
| 372 | return -1;
|
---|
| 373 | }
|
---|
| 374 | }
|
---|
| 375 |
|
---|
| 376 | if (LockMutex(&crl->crlLock) != 0) {
|
---|
| 377 | WOLFSSL_MSG("LockMutex failed");
|
---|
| 378 | FreeCRL(tmp, 0);
|
---|
| 379 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 380 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 381 | #endif
|
---|
| 382 | return -1;
|
---|
| 383 | }
|
---|
| 384 |
|
---|
| 385 | newList = tmp->crlList;
|
---|
| 386 |
|
---|
| 387 | /* swap lists */
|
---|
| 388 | tmp->crlList = crl->crlList;
|
---|
| 389 | crl->crlList = newList;
|
---|
| 390 |
|
---|
| 391 | UnLockMutex(&crl->crlLock);
|
---|
| 392 |
|
---|
| 393 | FreeCRL(tmp, 0);
|
---|
| 394 |
|
---|
| 395 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 396 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 397 | #endif
|
---|
| 398 |
|
---|
| 399 | return 0;
|
---|
| 400 | }
|
---|
| 401 |
|
---|
| 402 |
|
---|
| 403 | #if (defined(__MACH__) || defined(__FreeBSD__))
|
---|
| 404 |
|
---|
| 405 | #include <sys/types.h>
|
---|
| 406 | #include <sys/event.h>
|
---|
| 407 | #include <sys/time.h>
|
---|
| 408 | #include <fcntl.h>
|
---|
| 409 | #include <unistd.h>
|
---|
| 410 |
|
---|
| 411 | #ifdef __MACH__
|
---|
| 412 | #define XEVENT_MODE O_EVTONLY
|
---|
| 413 | #elif defined(__FreeBSD__)
|
---|
| 414 | #define XEVENT_MODE EVFILT_VNODE
|
---|
| 415 | #endif
|
---|
| 416 |
|
---|
| 417 |
|
---|
| 418 | /* we need a unique kqueue user filter fd for crl in case user is doing custom
|
---|
| 419 | * events too */
|
---|
| 420 | #ifndef CRL_CUSTOM_FD
|
---|
| 421 | #define CRL_CUSTOM_FD 123456
|
---|
| 422 | #endif
|
---|
| 423 |
|
---|
| 424 |
|
---|
| 425 | /* shutdown monitor thread, 0 on success */
|
---|
| 426 | static int StopMonitor(int mfd)
|
---|
| 427 | {
|
---|
| 428 | struct kevent change;
|
---|
| 429 |
|
---|
| 430 | /* trigger custom shutdown */
|
---|
| 431 | EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, 0, NOTE_TRIGGER, 0, NULL);
|
---|
| 432 | if (kevent(mfd, &change, 1, NULL, 0, NULL) < 0) {
|
---|
| 433 | WOLFSSL_MSG("kevent trigger customer event failed");
|
---|
| 434 | return -1;
|
---|
| 435 | }
|
---|
| 436 |
|
---|
| 437 | return 0;
|
---|
| 438 | }
|
---|
| 439 |
|
---|
| 440 |
|
---|
| 441 | /* OS X monitoring */
|
---|
| 442 | static void* DoMonitor(void* arg)
|
---|
| 443 | {
|
---|
| 444 | int fPEM, fDER;
|
---|
| 445 | struct kevent change;
|
---|
| 446 |
|
---|
| 447 | WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;
|
---|
| 448 |
|
---|
| 449 | WOLFSSL_ENTER("DoMonitor");
|
---|
| 450 |
|
---|
| 451 | crl->mfd = kqueue();
|
---|
| 452 | if (crl->mfd == -1) {
|
---|
| 453 | WOLFSSL_MSG("kqueue failed");
|
---|
| 454 | return NULL;
|
---|
| 455 | }
|
---|
| 456 |
|
---|
| 457 | /* listen for custom shutdown event */
|
---|
| 458 | EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, EV_ADD, 0, 0, NULL);
|
---|
| 459 | if (kevent(crl->mfd, &change, 1, NULL, 0, NULL) < 0) {
|
---|
| 460 | WOLFSSL_MSG("kevent monitor customer event failed");
|
---|
| 461 | close(crl->mfd);
|
---|
| 462 | return NULL;
|
---|
| 463 | }
|
---|
| 464 |
|
---|
| 465 | fPEM = -1;
|
---|
| 466 | fDER = -1;
|
---|
| 467 |
|
---|
| 468 | if (crl->monitors[0].path) {
|
---|
| 469 | fPEM = open(crl->monitors[0].path, XEVENT_MODE);
|
---|
| 470 | if (fPEM == -1) {
|
---|
| 471 | WOLFSSL_MSG("PEM event dir open failed");
|
---|
| 472 | close(crl->mfd);
|
---|
| 473 | return NULL;
|
---|
| 474 | }
|
---|
| 475 | }
|
---|
| 476 |
|
---|
| 477 | if (crl->monitors[1].path) {
|
---|
| 478 | fDER = open(crl->monitors[1].path, XEVENT_MODE);
|
---|
| 479 | if (fDER == -1) {
|
---|
| 480 | WOLFSSL_MSG("DER event dir open failed");
|
---|
| 481 | close(crl->mfd);
|
---|
| 482 | return NULL;
|
---|
| 483 | }
|
---|
| 484 | }
|
---|
| 485 |
|
---|
| 486 | if (fPEM != -1)
|
---|
| 487 | EV_SET(&change, fPEM, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
|
---|
| 488 | NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
|
---|
| 489 |
|
---|
| 490 | if (fDER != -1)
|
---|
| 491 | EV_SET(&change, fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
|
---|
| 492 | NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
|
---|
| 493 |
|
---|
| 494 | for (;;) {
|
---|
| 495 | struct kevent event;
|
---|
| 496 | int numEvents = kevent(crl->mfd, &change, 1, &event, 1, NULL);
|
---|
| 497 |
|
---|
| 498 | WOLFSSL_MSG("Got kevent");
|
---|
| 499 |
|
---|
| 500 | if (numEvents == -1) {
|
---|
| 501 | WOLFSSL_MSG("kevent problem, continue");
|
---|
| 502 | continue;
|
---|
| 503 | }
|
---|
| 504 |
|
---|
| 505 | if (event.filter == EVFILT_USER) {
|
---|
| 506 | WOLFSSL_MSG("Got user shutdown event, breaking out");
|
---|
| 507 | break;
|
---|
| 508 | }
|
---|
| 509 |
|
---|
| 510 | if (SwapLists(crl) < 0) {
|
---|
| 511 | WOLFSSL_MSG("SwapLists problem, continue");
|
---|
| 512 | }
|
---|
| 513 | }
|
---|
| 514 |
|
---|
| 515 | if (fPEM != -1)
|
---|
| 516 | close(fPEM);
|
---|
| 517 | if (fDER != -1)
|
---|
| 518 | close(fDER);
|
---|
| 519 |
|
---|
| 520 | close(crl->mfd);
|
---|
| 521 |
|
---|
| 522 | return NULL;
|
---|
| 523 | }
|
---|
| 524 |
|
---|
| 525 |
|
---|
| 526 | #elif defined(__linux__)
|
---|
| 527 |
|
---|
| 528 | #include <sys/types.h>
|
---|
| 529 | #include <sys/inotify.h>
|
---|
| 530 | #include <sys/eventfd.h>
|
---|
| 531 | #include <unistd.h>
|
---|
| 532 |
|
---|
| 533 |
|
---|
| 534 | #ifndef max
|
---|
| 535 | static INLINE int max(int a, int b)
|
---|
| 536 | {
|
---|
| 537 | return a > b ? a : b;
|
---|
| 538 | }
|
---|
| 539 | #endif /* max */
|
---|
| 540 |
|
---|
| 541 |
|
---|
| 542 | /* shutdown monitor thread, 0 on success */
|
---|
| 543 | static int StopMonitor(int mfd)
|
---|
| 544 | {
|
---|
| 545 | word64 w64 = 1;
|
---|
| 546 |
|
---|
| 547 | /* write to our custom event */
|
---|
| 548 | if (write(mfd, &w64, sizeof(w64)) < 0) {
|
---|
| 549 | WOLFSSL_MSG("StopMonitor write failed");
|
---|
| 550 | return -1;
|
---|
| 551 | }
|
---|
| 552 |
|
---|
| 553 | return 0;
|
---|
| 554 | }
|
---|
| 555 |
|
---|
| 556 |
|
---|
| 557 | /* linux monitoring */
|
---|
| 558 | static void* DoMonitor(void* arg)
|
---|
| 559 | {
|
---|
| 560 | int notifyFd;
|
---|
| 561 | int wd = -1;
|
---|
| 562 | WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;
|
---|
| 563 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 564 | char* buff;
|
---|
| 565 | #else
|
---|
| 566 | char buff[8192];
|
---|
| 567 | #endif
|
---|
| 568 |
|
---|
| 569 | WOLFSSL_ENTER("DoMonitor");
|
---|
| 570 |
|
---|
| 571 | crl->mfd = eventfd(0, 0); /* our custom shutdown event */
|
---|
| 572 | if (crl->mfd < 0) {
|
---|
| 573 | WOLFSSL_MSG("eventfd failed");
|
---|
| 574 | return NULL;
|
---|
| 575 | }
|
---|
| 576 |
|
---|
| 577 | notifyFd = inotify_init();
|
---|
| 578 | if (notifyFd < 0) {
|
---|
| 579 | WOLFSSL_MSG("inotify failed");
|
---|
| 580 | close(crl->mfd);
|
---|
| 581 | return NULL;
|
---|
| 582 | }
|
---|
| 583 |
|
---|
| 584 | if (crl->monitors[0].path) {
|
---|
| 585 | wd = inotify_add_watch(notifyFd, crl->monitors[0].path, IN_CLOSE_WRITE |
|
---|
| 586 | IN_DELETE);
|
---|
| 587 | if (wd < 0) {
|
---|
| 588 | WOLFSSL_MSG("PEM notify add watch failed");
|
---|
| 589 | close(crl->mfd);
|
---|
| 590 | close(notifyFd);
|
---|
| 591 | return NULL;
|
---|
| 592 | }
|
---|
| 593 | }
|
---|
| 594 |
|
---|
| 595 | if (crl->monitors[1].path) {
|
---|
| 596 | wd = inotify_add_watch(notifyFd, crl->monitors[1].path, IN_CLOSE_WRITE |
|
---|
| 597 | IN_DELETE);
|
---|
| 598 | if (wd < 0) {
|
---|
| 599 | WOLFSSL_MSG("DER notify add watch failed");
|
---|
| 600 | close(crl->mfd);
|
---|
| 601 | close(notifyFd);
|
---|
| 602 | return NULL;
|
---|
| 603 | }
|
---|
| 604 | }
|
---|
| 605 |
|
---|
| 606 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 607 | buff = (char*)XMALLOC(8192, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 608 | if (buff == NULL)
|
---|
| 609 | return NULL;
|
---|
| 610 | #endif
|
---|
| 611 |
|
---|
| 612 | for (;;) {
|
---|
| 613 | fd_set readfds;
|
---|
| 614 | int result;
|
---|
| 615 | int length;
|
---|
| 616 |
|
---|
| 617 | FD_ZERO(&readfds);
|
---|
| 618 | FD_SET(notifyFd, &readfds);
|
---|
| 619 | FD_SET(crl->mfd, &readfds);
|
---|
| 620 |
|
---|
| 621 | result = select(max(notifyFd, crl->mfd) + 1, &readfds, NULL, NULL,NULL);
|
---|
| 622 |
|
---|
| 623 | WOLFSSL_MSG("Got notify event");
|
---|
| 624 |
|
---|
| 625 | if (result < 0) {
|
---|
| 626 | WOLFSSL_MSG("select problem, continue");
|
---|
| 627 | continue;
|
---|
| 628 | }
|
---|
| 629 |
|
---|
| 630 | if (FD_ISSET(crl->mfd, &readfds)) {
|
---|
| 631 | WOLFSSL_MSG("got custom shutdown event, breaking out");
|
---|
| 632 | break;
|
---|
| 633 | }
|
---|
| 634 |
|
---|
| 635 | length = read(notifyFd, buff, 8192);
|
---|
| 636 | if (length < 0) {
|
---|
| 637 | WOLFSSL_MSG("notify read problem, continue");
|
---|
| 638 | continue;
|
---|
| 639 | }
|
---|
| 640 |
|
---|
| 641 | if (SwapLists(crl) < 0) {
|
---|
| 642 | WOLFSSL_MSG("SwapLists problem, continue");
|
---|
| 643 | }
|
---|
| 644 | }
|
---|
| 645 |
|
---|
| 646 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 647 | XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 648 | #endif
|
---|
| 649 |
|
---|
| 650 | if (wd > 0)
|
---|
| 651 | inotify_rm_watch(notifyFd, wd);
|
---|
| 652 | close(crl->mfd);
|
---|
| 653 | close(notifyFd);
|
---|
| 654 |
|
---|
| 655 | return NULL;
|
---|
| 656 | }
|
---|
| 657 |
|
---|
| 658 |
|
---|
| 659 | #else
|
---|
| 660 |
|
---|
| 661 | #error "CRL monitor only currently supported on linux or mach"
|
---|
| 662 |
|
---|
| 663 | #endif /* MACH or linux */
|
---|
| 664 |
|
---|
| 665 |
|
---|
| 666 | /* Start Monitoring the CRL path(s) in a thread */
|
---|
| 667 | static int StartMonitorCRL(WOLFSSL_CRL* crl)
|
---|
| 668 | {
|
---|
| 669 | pthread_attr_t attr;
|
---|
| 670 |
|
---|
| 671 | WOLFSSL_ENTER("StartMonitorCRL");
|
---|
| 672 |
|
---|
| 673 | if (crl == NULL)
|
---|
| 674 | return BAD_FUNC_ARG;
|
---|
| 675 |
|
---|
| 676 | if (crl->tid != 0) {
|
---|
| 677 | WOLFSSL_MSG("Monitor thread already running");
|
---|
| 678 | return MONITOR_RUNNING_E;
|
---|
| 679 | }
|
---|
| 680 |
|
---|
| 681 | pthread_attr_init(&attr);
|
---|
| 682 |
|
---|
| 683 | if (pthread_create(&crl->tid, &attr, DoMonitor, crl) != 0) {
|
---|
| 684 | WOLFSSL_MSG("Thread creation error");
|
---|
| 685 | return THREAD_CREATE_E;
|
---|
| 686 | }
|
---|
| 687 |
|
---|
| 688 | return SSL_SUCCESS;
|
---|
| 689 | }
|
---|
| 690 |
|
---|
| 691 |
|
---|
| 692 | #else /* HAVE_CRL_MONITOR */
|
---|
| 693 |
|
---|
| 694 | #ifndef NO_FILESYSTEM
|
---|
| 695 |
|
---|
| 696 | static int StartMonitorCRL(WOLFSSL_CRL* crl)
|
---|
| 697 | {
|
---|
| 698 | (void)crl;
|
---|
| 699 |
|
---|
| 700 | WOLFSSL_ENTER("StartMonitorCRL");
|
---|
| 701 | WOLFSSL_MSG("Not compiled in");
|
---|
| 702 |
|
---|
| 703 | return NOT_COMPILED_IN;
|
---|
| 704 | }
|
---|
| 705 |
|
---|
| 706 | #endif /* NO_FILESYSTEM */
|
---|
| 707 |
|
---|
| 708 | #endif /* HAVE_CRL_MONITOR */
|
---|
| 709 |
|
---|
| 710 | #ifndef NO_FILESYSTEM
|
---|
| 711 |
|
---|
| 712 | /* Load CRL path files of type, SSL_SUCCESS on ok */
|
---|
| 713 | int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
|
---|
| 714 | {
|
---|
| 715 | struct dirent* entry;
|
---|
| 716 | DIR dir;
|
---|
| 717 | int ret = SSL_SUCCESS;
|
---|
| 718 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 719 | char* name;
|
---|
| 720 | #else
|
---|
| 721 | char name[MAX_FILENAME_SZ];
|
---|
| 722 | #endif
|
---|
| 723 |
|
---|
| 724 | WOLFSSL_ENTER("LoadCRL");
|
---|
| 725 | if (crl == NULL)
|
---|
| 726 | return BAD_FUNC_ARG;
|
---|
| 727 |
|
---|
| 728 | ret = f_opendir(&dir, path);
|
---|
| 729 | if (ret != FR_OK) {
|
---|
| 730 | WOLFSSL_MSG("opendir path crl load failed");
|
---|
| 731 | return BAD_PATH_ERROR;
|
---|
| 732 | }
|
---|
| 733 |
|
---|
| 734 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 735 | name = (char*)XMALLOC(MAX_FILENAME_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 736 | if (name == NULL)
|
---|
| 737 | return MEMORY_E;
|
---|
| 738 | #endif
|
---|
| 739 |
|
---|
| 740 | while ( (entry = f_readdir(&dir)) != NULL) {
|
---|
| 741 | struct stat s;
|
---|
| 742 |
|
---|
| 743 | XMEMSET(name, 0, MAX_FILENAME_SZ);
|
---|
| 744 | XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2);
|
---|
| 745 | XSTRNCAT(name, "/", 1);
|
---|
| 746 | XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2);
|
---|
| 747 |
|
---|
| 748 | if (stat(name, &s) != 0) {
|
---|
| 749 | WOLFSSL_MSG("stat on name failed");
|
---|
| 750 | continue;
|
---|
| 751 | }
|
---|
| 752 | if (s.st_mode & S_IFREG) {
|
---|
| 753 |
|
---|
| 754 | if (type == SSL_FILETYPE_PEM) {
|
---|
| 755 | if (strstr(entry->d_name, ".pem") == NULL) {
|
---|
| 756 | WOLFSSL_MSG("not .pem file, skipping");
|
---|
| 757 | continue;
|
---|
| 758 | }
|
---|
| 759 | }
|
---|
| 760 | else {
|
---|
| 761 | if (strstr(entry->d_name, ".der") == NULL &&
|
---|
| 762 | strstr(entry->d_name, ".crl") == NULL) {
|
---|
| 763 |
|
---|
| 764 | WOLFSSL_MSG("not .der or .crl file, skipping");
|
---|
| 765 | continue;
|
---|
| 766 | }
|
---|
| 767 | }
|
---|
| 768 |
|
---|
| 769 | if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl)
|
---|
| 770 | != SSL_SUCCESS) {
|
---|
| 771 | WOLFSSL_MSG("CRL file load failed, continuing");
|
---|
| 772 | }
|
---|
| 773 | }
|
---|
| 774 | }
|
---|
| 775 |
|
---|
| 776 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 777 | XFREE(name, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 778 | #endif
|
---|
| 779 |
|
---|
| 780 | if (monitor & WOLFSSL_CRL_MONITOR) {
|
---|
| 781 | WOLFSSL_MSG("monitor path requested");
|
---|
| 782 |
|
---|
| 783 | if (type == SSL_FILETYPE_PEM) {
|
---|
| 784 | crl->monitors[0].path = strdup(path);
|
---|
| 785 | crl->monitors[0].type = SSL_FILETYPE_PEM;
|
---|
| 786 | if (crl->monitors[0].path == NULL)
|
---|
| 787 | ret = MEMORY_E;
|
---|
| 788 | } else {
|
---|
| 789 | crl->monitors[1].path = strdup(path);
|
---|
| 790 | crl->monitors[1].type = SSL_FILETYPE_ASN1;
|
---|
| 791 | if (crl->monitors[1].path == NULL)
|
---|
| 792 | ret = MEMORY_E;
|
---|
| 793 | }
|
---|
| 794 |
|
---|
| 795 | if (monitor & WOLFSSL_CRL_START_MON) {
|
---|
| 796 | WOLFSSL_MSG("start monitoring requested");
|
---|
| 797 |
|
---|
| 798 | ret = StartMonitorCRL(crl);
|
---|
| 799 | }
|
---|
| 800 | }
|
---|
| 801 |
|
---|
| 802 | f_closedir(&dir);
|
---|
| 803 |
|
---|
| 804 | return ret;
|
---|
| 805 | }
|
---|
| 806 |
|
---|
| 807 | #endif /* NO_FILESYSTEM */
|
---|
| 808 |
|
---|
| 809 | #endif /* HAVE_CRL */
|
---|
| 810 | #endif /* !WOLFCRYPT_ONLY */
|
---|