1 | /* crl.c
|
---|
2 | *
|
---|
3 | * Copyright (C) 2006-2015 wolfSSL Inc.
|
---|
4 | *
|
---|
5 | * This file is part of wolfSSL. (formerly known as CyaSSL)
|
---|
6 | *
|
---|
7 | * wolfSSL is free software; you can redistribute it and/or modify
|
---|
8 | * it under the terms of the GNU General Public License as published by
|
---|
9 | * the Free Software Foundation; either version 2 of the License, or
|
---|
10 | * (at your option) any later version.
|
---|
11 | *
|
---|
12 | * wolfSSL is distributed in the hope that it will be useful,
|
---|
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
---|
15 | * GNU General Public License for more details.
|
---|
16 | *
|
---|
17 | * You should have received a copy of the GNU General Public License
|
---|
18 | * along with this program; if not, write to the Free Software
|
---|
19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
|
---|
20 | */
|
---|
21 |
|
---|
22 | /* Name change compatibility layer no longer needs included here */
|
---|
23 |
|
---|
24 | #ifdef HAVE_CONFIG_H
|
---|
25 | #include <config.h>
|
---|
26 | #endif
|
---|
27 |
|
---|
28 | #include <wolfssl/wolfcrypt/settings.h>
|
---|
29 |
|
---|
30 | #ifndef WOLFCRYPT_ONLY
|
---|
31 | #ifdef HAVE_CRL
|
---|
32 |
|
---|
33 | #include <wolfssl/internal.h>
|
---|
34 | #include <wolfssl/error-ssl.h>
|
---|
35 |
|
---|
36 | #ifndef NO_FILESYSTEM
|
---|
37 | #include <dirent.h>
|
---|
38 | #include <sys/stat.h>
|
---|
39 | #endif
|
---|
40 |
|
---|
41 | #include <string.h>
|
---|
42 |
|
---|
43 | #ifdef HAVE_CRL_MONITOR
|
---|
44 | static int StopMonitor(int mfd);
|
---|
45 | #endif
|
---|
46 |
|
---|
47 |
|
---|
48 | /* Initialze CRL members */
|
---|
49 | int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
|
---|
50 | {
|
---|
51 | WOLFSSL_ENTER("InitCRL");
|
---|
52 |
|
---|
53 | crl->cm = cm;
|
---|
54 | crl->crlList = NULL;
|
---|
55 | crl->monitors[0].path = NULL;
|
---|
56 | crl->monitors[1].path = NULL;
|
---|
57 | #ifdef HAVE_CRL_MONITOR
|
---|
58 | crl->tid = 0;
|
---|
59 | crl->mfd = -1; /* mfd for bsd is kqueue fd, eventfd for linux */
|
---|
60 | #endif
|
---|
61 | if (InitMutex(&crl->crlLock) != 0)
|
---|
62 | return BAD_MUTEX_E;
|
---|
63 |
|
---|
64 | return 0;
|
---|
65 | }
|
---|
66 |
|
---|
67 |
|
---|
68 | /* Initialze CRL Entry */
|
---|
69 | static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl)
|
---|
70 | {
|
---|
71 | WOLFSSL_ENTER("InitCRL_Entry");
|
---|
72 |
|
---|
73 | XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE);
|
---|
74 | /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
|
---|
75 | * copy the hash here if needed for optimized comparisons */
|
---|
76 | XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
|
---|
77 | XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
|
---|
78 | crle->lastDateFormat = dcrl->lastDateFormat;
|
---|
79 | crle->nextDateFormat = dcrl->nextDateFormat;
|
---|
80 |
|
---|
81 | crle->certs = dcrl->certs; /* take ownsership */
|
---|
82 | dcrl->certs = NULL;
|
---|
83 | crle->totalCerts = dcrl->totalCerts;
|
---|
84 |
|
---|
85 | return 0;
|
---|
86 | }
|
---|
87 |
|
---|
88 |
|
---|
89 | /* Free all CRL Entry resources */
|
---|
90 | static void FreeCRL_Entry(CRL_Entry* crle)
|
---|
91 | {
|
---|
92 | RevokedCert* tmp = crle->certs;
|
---|
93 |
|
---|
94 | WOLFSSL_ENTER("FreeCRL_Entry");
|
---|
95 |
|
---|
96 | while(tmp) {
|
---|
97 | RevokedCert* next = tmp->next;
|
---|
98 | XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED);
|
---|
99 | tmp = next;
|
---|
100 | }
|
---|
101 | }
|
---|
102 |
|
---|
103 |
|
---|
104 |
|
---|
105 | /* Free all CRL resources */
|
---|
106 | void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
|
---|
107 | {
|
---|
108 | CRL_Entry* tmp = crl->crlList;
|
---|
109 |
|
---|
110 | WOLFSSL_ENTER("FreeCRL");
|
---|
111 |
|
---|
112 | if (crl->monitors[0].path)
|
---|
113 | XFREE(crl->monitors[0].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);
|
---|
114 |
|
---|
115 | if (crl->monitors[1].path)
|
---|
116 | XFREE(crl->monitors[1].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);
|
---|
117 |
|
---|
118 | while(tmp) {
|
---|
119 | CRL_Entry* next = tmp->next;
|
---|
120 | FreeCRL_Entry(tmp);
|
---|
121 | XFREE(tmp, NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
122 | tmp = next;
|
---|
123 | }
|
---|
124 |
|
---|
125 | #ifdef HAVE_CRL_MONITOR
|
---|
126 | if (crl->tid != 0) {
|
---|
127 | WOLFSSL_MSG("stopping monitor thread");
|
---|
128 | if (StopMonitor(crl->mfd) == 0)
|
---|
129 | pthread_join(crl->tid, NULL);
|
---|
130 | else {
|
---|
131 | WOLFSSL_MSG("stop monitor failed, cancel instead");
|
---|
132 | pthread_cancel(crl->tid);
|
---|
133 | }
|
---|
134 | }
|
---|
135 | #endif
|
---|
136 | FreeMutex(&crl->crlLock);
|
---|
137 | if (dynamic) /* free self */
|
---|
138 | XFREE(crl, NULL, DYNAMIC_TYPE_CRL);
|
---|
139 | }
|
---|
140 |
|
---|
141 |
|
---|
142 | /* Is the cert ok with CRL, return 0 on success */
|
---|
143 | int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
|
---|
144 | {
|
---|
145 | CRL_Entry* crle;
|
---|
146 | int foundEntry = 0;
|
---|
147 | int ret = 0;
|
---|
148 |
|
---|
149 | WOLFSSL_ENTER("CheckCertCRL");
|
---|
150 |
|
---|
151 | if (LockMutex(&crl->crlLock) != 0) {
|
---|
152 | WOLFSSL_MSG("LockMutex failed");
|
---|
153 | return BAD_MUTEX_E;
|
---|
154 | }
|
---|
155 |
|
---|
156 | crle = crl->crlList;
|
---|
157 |
|
---|
158 | while (crle) {
|
---|
159 | if (XMEMCMP(crle->issuerHash, cert->issuerHash, CRL_DIGEST_SIZE) == 0) {
|
---|
160 | int doNextDate = 1;
|
---|
161 |
|
---|
162 | WOLFSSL_MSG("Found CRL Entry on list");
|
---|
163 | WOLFSSL_MSG("Checking next date validity");
|
---|
164 |
|
---|
165 | #ifdef WOLFSSL_NO_CRL_NEXT_DATE
|
---|
166 | if (crle->nextDateFormat == ASN_OTHER_TYPE)
|
---|
167 | doNextDate = 0; /* skip */
|
---|
168 | #endif
|
---|
169 |
|
---|
170 | if (doNextDate && !ValidateDate(crle->nextDate,
|
---|
171 | crle->nextDateFormat, AFTER)) {
|
---|
172 | WOLFSSL_MSG("CRL next date is no longer valid");
|
---|
173 | ret = ASN_AFTER_DATE_E;
|
---|
174 | }
|
---|
175 | else
|
---|
176 | foundEntry = 1;
|
---|
177 | break;
|
---|
178 | }
|
---|
179 | crle = crle->next;
|
---|
180 | }
|
---|
181 |
|
---|
182 | if (foundEntry) {
|
---|
183 | RevokedCert* rc = crle->certs;
|
---|
184 |
|
---|
185 | while (rc) {
|
---|
186 | if (XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
|
---|
187 | WOLFSSL_MSG("Cert revoked");
|
---|
188 | ret = CRL_CERT_REVOKED;
|
---|
189 | break;
|
---|
190 | }
|
---|
191 | rc = rc->next;
|
---|
192 | }
|
---|
193 | }
|
---|
194 |
|
---|
195 | UnLockMutex(&crl->crlLock);
|
---|
196 |
|
---|
197 | if (foundEntry == 0) {
|
---|
198 | WOLFSSL_MSG("Couldn't find CRL for status check");
|
---|
199 | ret = CRL_MISSING;
|
---|
200 | if (crl->cm->cbMissingCRL) {
|
---|
201 | char url[256];
|
---|
202 |
|
---|
203 | WOLFSSL_MSG("Issuing missing CRL callback");
|
---|
204 | url[0] = '\0';
|
---|
205 | if (cert->extCrlInfoSz < (int)sizeof(url) -1 ) {
|
---|
206 | XMEMCPY(url, cert->extCrlInfo, cert->extCrlInfoSz);
|
---|
207 | url[cert->extCrlInfoSz] = '\0';
|
---|
208 | }
|
---|
209 | else {
|
---|
210 | WOLFSSL_MSG("CRL url too long");
|
---|
211 | }
|
---|
212 | crl->cm->cbMissingCRL(url);
|
---|
213 | }
|
---|
214 | }
|
---|
215 |
|
---|
216 |
|
---|
217 | return ret;
|
---|
218 | }
|
---|
219 |
|
---|
220 |
|
---|
221 | /* Add Decoded CRL, 0 on success */
|
---|
222 | static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl)
|
---|
223 | {
|
---|
224 | CRL_Entry* crle;
|
---|
225 |
|
---|
226 | WOLFSSL_ENTER("AddCRL");
|
---|
227 |
|
---|
228 | crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
229 | if (crle == NULL) {
|
---|
230 | WOLFSSL_MSG("alloc CRL Entry failed");
|
---|
231 | return -1;
|
---|
232 | }
|
---|
233 |
|
---|
234 | if (InitCRL_Entry(crle, dcrl) < 0) {
|
---|
235 | WOLFSSL_MSG("Init CRL Entry failed");
|
---|
236 | XFREE(crle, NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
237 | return -1;
|
---|
238 | }
|
---|
239 |
|
---|
240 | if (LockMutex(&crl->crlLock) != 0) {
|
---|
241 | WOLFSSL_MSG("LockMutex failed");
|
---|
242 | FreeCRL_Entry(crle);
|
---|
243 | XFREE(crle, NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
244 | return BAD_MUTEX_E;
|
---|
245 | }
|
---|
246 | crle->next = crl->crlList;
|
---|
247 | crl->crlList = crle;
|
---|
248 | UnLockMutex(&crl->crlLock);
|
---|
249 |
|
---|
250 | return 0;
|
---|
251 | }
|
---|
252 |
|
---|
253 |
|
---|
254 | /* Load CRL File of type, SSL_SUCCESS on ok */
|
---|
255 | int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
|
---|
256 | {
|
---|
257 | int ret = SSL_SUCCESS;
|
---|
258 | const byte* myBuffer = buff; /* if DER ok, otherwise switch */
|
---|
259 | buffer der;
|
---|
260 | #ifdef WOLFSSL_SMALL_STACK
|
---|
261 | DecodedCRL* dcrl;
|
---|
262 | #else
|
---|
263 | DecodedCRL dcrl[1];
|
---|
264 | #endif
|
---|
265 |
|
---|
266 | der.buffer = NULL;
|
---|
267 |
|
---|
268 | WOLFSSL_ENTER("BufferLoadCRL");
|
---|
269 |
|
---|
270 | if (crl == NULL || buff == NULL || sz == 0)
|
---|
271 | return BAD_FUNC_ARG;
|
---|
272 |
|
---|
273 | if (type == SSL_FILETYPE_PEM) {
|
---|
274 | int eccKey = 0; /* not used */
|
---|
275 | EncryptedInfo info;
|
---|
276 | info.ctx = NULL;
|
---|
277 |
|
---|
278 | ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey);
|
---|
279 | if (ret == 0) {
|
---|
280 | myBuffer = der.buffer;
|
---|
281 | sz = der.length;
|
---|
282 | }
|
---|
283 | else {
|
---|
284 | WOLFSSL_MSG("Pem to Der failed");
|
---|
285 | return -1;
|
---|
286 | }
|
---|
287 | }
|
---|
288 |
|
---|
289 | #ifdef WOLFSSL_SMALL_STACK
|
---|
290 | dcrl = (DecodedCRL*)XMALLOC(sizeof(DecodedCRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
291 | if (dcrl == NULL) {
|
---|
292 | if (der.buffer)
|
---|
293 | XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL);
|
---|
294 |
|
---|
295 | return MEMORY_E;
|
---|
296 | }
|
---|
297 | #endif
|
---|
298 |
|
---|
299 | InitDecodedCRL(dcrl);
|
---|
300 | ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
|
---|
301 | if (ret != 0) {
|
---|
302 | WOLFSSL_MSG("ParseCRL error");
|
---|
303 | }
|
---|
304 | else {
|
---|
305 | ret = AddCRL(crl, dcrl);
|
---|
306 | if (ret != 0) {
|
---|
307 | WOLFSSL_MSG("AddCRL error");
|
---|
308 | }
|
---|
309 | }
|
---|
310 |
|
---|
311 | FreeDecodedCRL(dcrl);
|
---|
312 |
|
---|
313 | #ifdef WOLFSSL_SMALL_STACK
|
---|
314 | XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
315 | #endif
|
---|
316 |
|
---|
317 | if (der.buffer)
|
---|
318 | XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL);
|
---|
319 |
|
---|
320 | return ret ? ret : SSL_SUCCESS; /* convert 0 to SSL_SUCCESS */
|
---|
321 | }
|
---|
322 |
|
---|
323 |
|
---|
324 | #ifdef HAVE_CRL_MONITOR
|
---|
325 |
|
---|
326 |
|
---|
327 | /* read in new CRL entries and save new list */
|
---|
328 | static int SwapLists(WOLFSSL_CRL* crl)
|
---|
329 | {
|
---|
330 | int ret;
|
---|
331 | CRL_Entry* newList;
|
---|
332 | #ifdef WOLFSSL_SMALL_STACK
|
---|
333 | WOLFSSL_CRL* tmp;
|
---|
334 | #else
|
---|
335 | WOLFSSL_CRL tmp[1];
|
---|
336 | #endif
|
---|
337 |
|
---|
338 | #ifdef WOLFSSL_SMALL_STACK
|
---|
339 | tmp = (WOLFSSL_CRL*)XMALLOC(sizeof(WOLFSSL_CRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
340 | if (tmp == NULL)
|
---|
341 | return MEMORY_E;
|
---|
342 | #endif
|
---|
343 |
|
---|
344 | if (InitCRL(tmp, crl->cm) < 0) {
|
---|
345 | WOLFSSL_MSG("Init tmp CRL failed");
|
---|
346 | #ifdef WOLFSSL_SMALL_STACK
|
---|
347 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
348 | #endif
|
---|
349 | return -1;
|
---|
350 | }
|
---|
351 |
|
---|
352 | if (crl->monitors[0].path) {
|
---|
353 | ret = LoadCRL(tmp, crl->monitors[0].path, SSL_FILETYPE_PEM, 0);
|
---|
354 | if (ret != SSL_SUCCESS) {
|
---|
355 | WOLFSSL_MSG("PEM LoadCRL on dir change failed");
|
---|
356 | FreeCRL(tmp, 0);
|
---|
357 | #ifdef WOLFSSL_SMALL_STACK
|
---|
358 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
359 | #endif
|
---|
360 | return -1;
|
---|
361 | }
|
---|
362 | }
|
---|
363 |
|
---|
364 | if (crl->monitors[1].path) {
|
---|
365 | ret = LoadCRL(tmp, crl->monitors[1].path, SSL_FILETYPE_ASN1, 0);
|
---|
366 | if (ret != SSL_SUCCESS) {
|
---|
367 | WOLFSSL_MSG("DER LoadCRL on dir change failed");
|
---|
368 | FreeCRL(tmp, 0);
|
---|
369 | #ifdef WOLFSSL_SMALL_STACK
|
---|
370 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
371 | #endif
|
---|
372 | return -1;
|
---|
373 | }
|
---|
374 | }
|
---|
375 |
|
---|
376 | if (LockMutex(&crl->crlLock) != 0) {
|
---|
377 | WOLFSSL_MSG("LockMutex failed");
|
---|
378 | FreeCRL(tmp, 0);
|
---|
379 | #ifdef WOLFSSL_SMALL_STACK
|
---|
380 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
381 | #endif
|
---|
382 | return -1;
|
---|
383 | }
|
---|
384 |
|
---|
385 | newList = tmp->crlList;
|
---|
386 |
|
---|
387 | /* swap lists */
|
---|
388 | tmp->crlList = crl->crlList;
|
---|
389 | crl->crlList = newList;
|
---|
390 |
|
---|
391 | UnLockMutex(&crl->crlLock);
|
---|
392 |
|
---|
393 | FreeCRL(tmp, 0);
|
---|
394 |
|
---|
395 | #ifdef WOLFSSL_SMALL_STACK
|
---|
396 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
397 | #endif
|
---|
398 |
|
---|
399 | return 0;
|
---|
400 | }
|
---|
401 |
|
---|
402 |
|
---|
403 | #if (defined(__MACH__) || defined(__FreeBSD__))
|
---|
404 |
|
---|
405 | #include <sys/types.h>
|
---|
406 | #include <sys/event.h>
|
---|
407 | #include <sys/time.h>
|
---|
408 | #include <fcntl.h>
|
---|
409 | #include <unistd.h>
|
---|
410 |
|
---|
411 | #ifdef __MACH__
|
---|
412 | #define XEVENT_MODE O_EVTONLY
|
---|
413 | #elif defined(__FreeBSD__)
|
---|
414 | #define XEVENT_MODE EVFILT_VNODE
|
---|
415 | #endif
|
---|
416 |
|
---|
417 |
|
---|
418 | /* we need a unique kqueue user filter fd for crl in case user is doing custom
|
---|
419 | * events too */
|
---|
420 | #ifndef CRL_CUSTOM_FD
|
---|
421 | #define CRL_CUSTOM_FD 123456
|
---|
422 | #endif
|
---|
423 |
|
---|
424 |
|
---|
425 | /* shutdown monitor thread, 0 on success */
|
---|
426 | static int StopMonitor(int mfd)
|
---|
427 | {
|
---|
428 | struct kevent change;
|
---|
429 |
|
---|
430 | /* trigger custom shutdown */
|
---|
431 | EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, 0, NOTE_TRIGGER, 0, NULL);
|
---|
432 | if (kevent(mfd, &change, 1, NULL, 0, NULL) < 0) {
|
---|
433 | WOLFSSL_MSG("kevent trigger customer event failed");
|
---|
434 | return -1;
|
---|
435 | }
|
---|
436 |
|
---|
437 | return 0;
|
---|
438 | }
|
---|
439 |
|
---|
440 |
|
---|
441 | /* OS X monitoring */
|
---|
442 | static void* DoMonitor(void* arg)
|
---|
443 | {
|
---|
444 | int fPEM, fDER;
|
---|
445 | struct kevent change;
|
---|
446 |
|
---|
447 | WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;
|
---|
448 |
|
---|
449 | WOLFSSL_ENTER("DoMonitor");
|
---|
450 |
|
---|
451 | crl->mfd = kqueue();
|
---|
452 | if (crl->mfd == -1) {
|
---|
453 | WOLFSSL_MSG("kqueue failed");
|
---|
454 | return NULL;
|
---|
455 | }
|
---|
456 |
|
---|
457 | /* listen for custom shutdown event */
|
---|
458 | EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, EV_ADD, 0, 0, NULL);
|
---|
459 | if (kevent(crl->mfd, &change, 1, NULL, 0, NULL) < 0) {
|
---|
460 | WOLFSSL_MSG("kevent monitor customer event failed");
|
---|
461 | close(crl->mfd);
|
---|
462 | return NULL;
|
---|
463 | }
|
---|
464 |
|
---|
465 | fPEM = -1;
|
---|
466 | fDER = -1;
|
---|
467 |
|
---|
468 | if (crl->monitors[0].path) {
|
---|
469 | fPEM = open(crl->monitors[0].path, XEVENT_MODE);
|
---|
470 | if (fPEM == -1) {
|
---|
471 | WOLFSSL_MSG("PEM event dir open failed");
|
---|
472 | close(crl->mfd);
|
---|
473 | return NULL;
|
---|
474 | }
|
---|
475 | }
|
---|
476 |
|
---|
477 | if (crl->monitors[1].path) {
|
---|
478 | fDER = open(crl->monitors[1].path, XEVENT_MODE);
|
---|
479 | if (fDER == -1) {
|
---|
480 | WOLFSSL_MSG("DER event dir open failed");
|
---|
481 | close(crl->mfd);
|
---|
482 | return NULL;
|
---|
483 | }
|
---|
484 | }
|
---|
485 |
|
---|
486 | if (fPEM != -1)
|
---|
487 | EV_SET(&change, fPEM, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
|
---|
488 | NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
|
---|
489 |
|
---|
490 | if (fDER != -1)
|
---|
491 | EV_SET(&change, fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
|
---|
492 | NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
|
---|
493 |
|
---|
494 | for (;;) {
|
---|
495 | struct kevent event;
|
---|
496 | int numEvents = kevent(crl->mfd, &change, 1, &event, 1, NULL);
|
---|
497 |
|
---|
498 | WOLFSSL_MSG("Got kevent");
|
---|
499 |
|
---|
500 | if (numEvents == -1) {
|
---|
501 | WOLFSSL_MSG("kevent problem, continue");
|
---|
502 | continue;
|
---|
503 | }
|
---|
504 |
|
---|
505 | if (event.filter == EVFILT_USER) {
|
---|
506 | WOLFSSL_MSG("Got user shutdown event, breaking out");
|
---|
507 | break;
|
---|
508 | }
|
---|
509 |
|
---|
510 | if (SwapLists(crl) < 0) {
|
---|
511 | WOLFSSL_MSG("SwapLists problem, continue");
|
---|
512 | }
|
---|
513 | }
|
---|
514 |
|
---|
515 | if (fPEM != -1)
|
---|
516 | close(fPEM);
|
---|
517 | if (fDER != -1)
|
---|
518 | close(fDER);
|
---|
519 |
|
---|
520 | close(crl->mfd);
|
---|
521 |
|
---|
522 | return NULL;
|
---|
523 | }
|
---|
524 |
|
---|
525 |
|
---|
526 | #elif defined(__linux__)
|
---|
527 |
|
---|
528 | #include <sys/types.h>
|
---|
529 | #include <sys/inotify.h>
|
---|
530 | #include <sys/eventfd.h>
|
---|
531 | #include <unistd.h>
|
---|
532 |
|
---|
533 |
|
---|
534 | #ifndef max
|
---|
535 | static INLINE int max(int a, int b)
|
---|
536 | {
|
---|
537 | return a > b ? a : b;
|
---|
538 | }
|
---|
539 | #endif /* max */
|
---|
540 |
|
---|
541 |
|
---|
542 | /* shutdown monitor thread, 0 on success */
|
---|
543 | static int StopMonitor(int mfd)
|
---|
544 | {
|
---|
545 | word64 w64 = 1;
|
---|
546 |
|
---|
547 | /* write to our custom event */
|
---|
548 | if (write(mfd, &w64, sizeof(w64)) < 0) {
|
---|
549 | WOLFSSL_MSG("StopMonitor write failed");
|
---|
550 | return -1;
|
---|
551 | }
|
---|
552 |
|
---|
553 | return 0;
|
---|
554 | }
|
---|
555 |
|
---|
556 |
|
---|
557 | /* linux monitoring */
|
---|
558 | static void* DoMonitor(void* arg)
|
---|
559 | {
|
---|
560 | int notifyFd;
|
---|
561 | int wd = -1;
|
---|
562 | WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;
|
---|
563 | #ifdef WOLFSSL_SMALL_STACK
|
---|
564 | char* buff;
|
---|
565 | #else
|
---|
566 | char buff[8192];
|
---|
567 | #endif
|
---|
568 |
|
---|
569 | WOLFSSL_ENTER("DoMonitor");
|
---|
570 |
|
---|
571 | crl->mfd = eventfd(0, 0); /* our custom shutdown event */
|
---|
572 | if (crl->mfd < 0) {
|
---|
573 | WOLFSSL_MSG("eventfd failed");
|
---|
574 | return NULL;
|
---|
575 | }
|
---|
576 |
|
---|
577 | notifyFd = inotify_init();
|
---|
578 | if (notifyFd < 0) {
|
---|
579 | WOLFSSL_MSG("inotify failed");
|
---|
580 | close(crl->mfd);
|
---|
581 | return NULL;
|
---|
582 | }
|
---|
583 |
|
---|
584 | if (crl->monitors[0].path) {
|
---|
585 | wd = inotify_add_watch(notifyFd, crl->monitors[0].path, IN_CLOSE_WRITE |
|
---|
586 | IN_DELETE);
|
---|
587 | if (wd < 0) {
|
---|
588 | WOLFSSL_MSG("PEM notify add watch failed");
|
---|
589 | close(crl->mfd);
|
---|
590 | close(notifyFd);
|
---|
591 | return NULL;
|
---|
592 | }
|
---|
593 | }
|
---|
594 |
|
---|
595 | if (crl->monitors[1].path) {
|
---|
596 | wd = inotify_add_watch(notifyFd, crl->monitors[1].path, IN_CLOSE_WRITE |
|
---|
597 | IN_DELETE);
|
---|
598 | if (wd < 0) {
|
---|
599 | WOLFSSL_MSG("DER notify add watch failed");
|
---|
600 | close(crl->mfd);
|
---|
601 | close(notifyFd);
|
---|
602 | return NULL;
|
---|
603 | }
|
---|
604 | }
|
---|
605 |
|
---|
606 | #ifdef WOLFSSL_SMALL_STACK
|
---|
607 | buff = (char*)XMALLOC(8192, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
608 | if (buff == NULL)
|
---|
609 | return NULL;
|
---|
610 | #endif
|
---|
611 |
|
---|
612 | for (;;) {
|
---|
613 | fd_set readfds;
|
---|
614 | int result;
|
---|
615 | int length;
|
---|
616 |
|
---|
617 | FD_ZERO(&readfds);
|
---|
618 | FD_SET(notifyFd, &readfds);
|
---|
619 | FD_SET(crl->mfd, &readfds);
|
---|
620 |
|
---|
621 | result = select(max(notifyFd, crl->mfd) + 1, &readfds, NULL, NULL,NULL);
|
---|
622 |
|
---|
623 | WOLFSSL_MSG("Got notify event");
|
---|
624 |
|
---|
625 | if (result < 0) {
|
---|
626 | WOLFSSL_MSG("select problem, continue");
|
---|
627 | continue;
|
---|
628 | }
|
---|
629 |
|
---|
630 | if (FD_ISSET(crl->mfd, &readfds)) {
|
---|
631 | WOLFSSL_MSG("got custom shutdown event, breaking out");
|
---|
632 | break;
|
---|
633 | }
|
---|
634 |
|
---|
635 | length = read(notifyFd, buff, 8192);
|
---|
636 | if (length < 0) {
|
---|
637 | WOLFSSL_MSG("notify read problem, continue");
|
---|
638 | continue;
|
---|
639 | }
|
---|
640 |
|
---|
641 | if (SwapLists(crl) < 0) {
|
---|
642 | WOLFSSL_MSG("SwapLists problem, continue");
|
---|
643 | }
|
---|
644 | }
|
---|
645 |
|
---|
646 | #ifdef WOLFSSL_SMALL_STACK
|
---|
647 | XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
648 | #endif
|
---|
649 |
|
---|
650 | if (wd > 0)
|
---|
651 | inotify_rm_watch(notifyFd, wd);
|
---|
652 | close(crl->mfd);
|
---|
653 | close(notifyFd);
|
---|
654 |
|
---|
655 | return NULL;
|
---|
656 | }
|
---|
657 |
|
---|
658 |
|
---|
659 | #else
|
---|
660 |
|
---|
661 | #error "CRL monitor only currently supported on linux or mach"
|
---|
662 |
|
---|
663 | #endif /* MACH or linux */
|
---|
664 |
|
---|
665 |
|
---|
666 | /* Start Monitoring the CRL path(s) in a thread */
|
---|
667 | static int StartMonitorCRL(WOLFSSL_CRL* crl)
|
---|
668 | {
|
---|
669 | pthread_attr_t attr;
|
---|
670 |
|
---|
671 | WOLFSSL_ENTER("StartMonitorCRL");
|
---|
672 |
|
---|
673 | if (crl == NULL)
|
---|
674 | return BAD_FUNC_ARG;
|
---|
675 |
|
---|
676 | if (crl->tid != 0) {
|
---|
677 | WOLFSSL_MSG("Monitor thread already running");
|
---|
678 | return MONITOR_RUNNING_E;
|
---|
679 | }
|
---|
680 |
|
---|
681 | pthread_attr_init(&attr);
|
---|
682 |
|
---|
683 | if (pthread_create(&crl->tid, &attr, DoMonitor, crl) != 0) {
|
---|
684 | WOLFSSL_MSG("Thread creation error");
|
---|
685 | return THREAD_CREATE_E;
|
---|
686 | }
|
---|
687 |
|
---|
688 | return SSL_SUCCESS;
|
---|
689 | }
|
---|
690 |
|
---|
691 |
|
---|
692 | #else /* HAVE_CRL_MONITOR */
|
---|
693 |
|
---|
694 | #ifndef NO_FILESYSTEM
|
---|
695 |
|
---|
696 | static int StartMonitorCRL(WOLFSSL_CRL* crl)
|
---|
697 | {
|
---|
698 | (void)crl;
|
---|
699 |
|
---|
700 | WOLFSSL_ENTER("StartMonitorCRL");
|
---|
701 | WOLFSSL_MSG("Not compiled in");
|
---|
702 |
|
---|
703 | return NOT_COMPILED_IN;
|
---|
704 | }
|
---|
705 |
|
---|
706 | #endif /* NO_FILESYSTEM */
|
---|
707 |
|
---|
708 | #endif /* HAVE_CRL_MONITOR */
|
---|
709 |
|
---|
710 | #ifndef NO_FILESYSTEM
|
---|
711 |
|
---|
712 | /* Load CRL path files of type, SSL_SUCCESS on ok */
|
---|
713 | int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
|
---|
714 | {
|
---|
715 | struct dirent* entry;
|
---|
716 | DIR dir;
|
---|
717 | int ret = SSL_SUCCESS;
|
---|
718 | #ifdef WOLFSSL_SMALL_STACK
|
---|
719 | char* name;
|
---|
720 | #else
|
---|
721 | char name[MAX_FILENAME_SZ];
|
---|
722 | #endif
|
---|
723 |
|
---|
724 | WOLFSSL_ENTER("LoadCRL");
|
---|
725 | if (crl == NULL)
|
---|
726 | return BAD_FUNC_ARG;
|
---|
727 |
|
---|
728 | ret = f_opendir(&dir, path);
|
---|
729 | if (ret != FR_OK) {
|
---|
730 | WOLFSSL_MSG("opendir path crl load failed");
|
---|
731 | return BAD_PATH_ERROR;
|
---|
732 | }
|
---|
733 |
|
---|
734 | #ifdef WOLFSSL_SMALL_STACK
|
---|
735 | name = (char*)XMALLOC(MAX_FILENAME_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
736 | if (name == NULL)
|
---|
737 | return MEMORY_E;
|
---|
738 | #endif
|
---|
739 |
|
---|
740 | while ( (entry = f_readdir(&dir)) != NULL) {
|
---|
741 | struct stat s;
|
---|
742 |
|
---|
743 | XMEMSET(name, 0, MAX_FILENAME_SZ);
|
---|
744 | XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2);
|
---|
745 | XSTRNCAT(name, "/", 1);
|
---|
746 | XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2);
|
---|
747 |
|
---|
748 | if (stat(name, &s) != 0) {
|
---|
749 | WOLFSSL_MSG("stat on name failed");
|
---|
750 | continue;
|
---|
751 | }
|
---|
752 | if (s.st_mode & S_IFREG) {
|
---|
753 |
|
---|
754 | if (type == SSL_FILETYPE_PEM) {
|
---|
755 | if (strstr(entry->d_name, ".pem") == NULL) {
|
---|
756 | WOLFSSL_MSG("not .pem file, skipping");
|
---|
757 | continue;
|
---|
758 | }
|
---|
759 | }
|
---|
760 | else {
|
---|
761 | if (strstr(entry->d_name, ".der") == NULL &&
|
---|
762 | strstr(entry->d_name, ".crl") == NULL) {
|
---|
763 |
|
---|
764 | WOLFSSL_MSG("not .der or .crl file, skipping");
|
---|
765 | continue;
|
---|
766 | }
|
---|
767 | }
|
---|
768 |
|
---|
769 | if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl)
|
---|
770 | != SSL_SUCCESS) {
|
---|
771 | WOLFSSL_MSG("CRL file load failed, continuing");
|
---|
772 | }
|
---|
773 | }
|
---|
774 | }
|
---|
775 |
|
---|
776 | #ifdef WOLFSSL_SMALL_STACK
|
---|
777 | XFREE(name, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
778 | #endif
|
---|
779 |
|
---|
780 | if (monitor & WOLFSSL_CRL_MONITOR) {
|
---|
781 | WOLFSSL_MSG("monitor path requested");
|
---|
782 |
|
---|
783 | if (type == SSL_FILETYPE_PEM) {
|
---|
784 | crl->monitors[0].path = strdup(path);
|
---|
785 | crl->monitors[0].type = SSL_FILETYPE_PEM;
|
---|
786 | if (crl->monitors[0].path == NULL)
|
---|
787 | ret = MEMORY_E;
|
---|
788 | } else {
|
---|
789 | crl->monitors[1].path = strdup(path);
|
---|
790 | crl->monitors[1].type = SSL_FILETYPE_ASN1;
|
---|
791 | if (crl->monitors[1].path == NULL)
|
---|
792 | ret = MEMORY_E;
|
---|
793 | }
|
---|
794 |
|
---|
795 | if (monitor & WOLFSSL_CRL_START_MON) {
|
---|
796 | WOLFSSL_MSG("start monitoring requested");
|
---|
797 |
|
---|
798 | ret = StartMonitorCRL(crl);
|
---|
799 | }
|
---|
800 | }
|
---|
801 |
|
---|
802 | f_closedir(&dir);
|
---|
803 |
|
---|
804 | return ret;
|
---|
805 | }
|
---|
806 |
|
---|
807 | #endif /* NO_FILESYSTEM */
|
---|
808 |
|
---|
809 | #endif /* HAVE_CRL */
|
---|
810 | #endif /* !WOLFCRYPT_ONLY */
|
---|