1 | /* crl.c
|
---|
2 | *
|
---|
3 | * Copyright (C) 2006-2020 wolfSSL Inc.
|
---|
4 | *
|
---|
5 | * This file is part of wolfSSL.
|
---|
6 | *
|
---|
7 | * wolfSSL is free software; you can redistribute it and/or modify
|
---|
8 | * it under the terms of the GNU General Public License as published by
|
---|
9 | * the Free Software Foundation; either version 2 of the License, or
|
---|
10 | * (at your option) any later version.
|
---|
11 | *
|
---|
12 | * wolfSSL is distributed in the hope that it will be useful,
|
---|
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
---|
15 | * GNU General Public License for more details.
|
---|
16 | *
|
---|
17 | * You should have received a copy of the GNU General Public License
|
---|
18 | * along with this program; if not, write to the Free Software
|
---|
19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
---|
20 | */
|
---|
21 |
|
---|
22 |
|
---|
23 | /* Name change compatibility layer no longer needs included here */
|
---|
24 |
|
---|
25 | #ifdef HAVE_CONFIG_H
|
---|
26 | #include <config.h>
|
---|
27 | #endif
|
---|
28 |
|
---|
29 | #include <wolfssl/wolfcrypt/settings.h>
|
---|
30 |
|
---|
31 | #ifndef WOLFCRYPT_ONLY
|
---|
32 | #ifdef HAVE_CRL
|
---|
33 |
|
---|
34 | #include <wolfssl/internal.h>
|
---|
35 | #include <wolfssl/error-ssl.h>
|
---|
36 |
|
---|
37 | #ifndef WOLFSSL_LINUXKM
|
---|
38 | #include <string.h>
|
---|
39 | #endif
|
---|
40 |
|
---|
41 | #ifdef HAVE_CRL_MONITOR
|
---|
42 | #if (defined(__MACH__) || defined(__FreeBSD__) || defined(__linux__))
|
---|
43 | static int StopMonitor(int mfd);
|
---|
44 | #else
|
---|
45 | #error "CRL monitor only currently supported on linux or mach"
|
---|
46 | #endif
|
---|
47 | #endif /* HAVE_CRL_MONITOR */
|
---|
48 |
|
---|
49 |
|
---|
50 | /* Initialize CRL members */
|
---|
51 | int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
|
---|
52 | {
|
---|
53 | WOLFSSL_ENTER("InitCRL");
|
---|
54 | if(cm != NULL)
|
---|
55 | crl->heap = cm->heap;
|
---|
56 | else
|
---|
57 | crl->heap = NULL;
|
---|
58 | crl->cm = cm;
|
---|
59 | crl->crlList = NULL;
|
---|
60 | crl->monitors[0].path = NULL;
|
---|
61 | crl->monitors[1].path = NULL;
|
---|
62 | #ifdef HAVE_CRL_MONITOR
|
---|
63 | crl->tid = 0;
|
---|
64 | crl->mfd = -1; /* mfd for bsd is kqueue fd, eventfd for linux */
|
---|
65 | crl->setup = 0; /* thread setup done predicate */
|
---|
66 | if (pthread_cond_init(&crl->cond, 0) != 0) {
|
---|
67 | WOLFSSL_MSG("Pthread condition init failed");
|
---|
68 | return BAD_COND_E;
|
---|
69 | }
|
---|
70 | #endif
|
---|
71 | if (wc_InitMutex(&crl->crlLock) != 0) {
|
---|
72 | WOLFSSL_MSG("Init Mutex failed");
|
---|
73 | return BAD_MUTEX_E;
|
---|
74 | }
|
---|
75 |
|
---|
76 | return 0;
|
---|
77 | }
|
---|
78 |
|
---|
79 |
|
---|
80 | /* Initialize CRL Entry */
|
---|
81 | static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
|
---|
82 | int verified, void* heap)
|
---|
83 | {
|
---|
84 | WOLFSSL_ENTER("InitCRL_Entry");
|
---|
85 |
|
---|
86 | XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE);
|
---|
87 | /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
|
---|
88 | * copy the hash here if needed for optimized comparisons */
|
---|
89 | XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
|
---|
90 | XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
|
---|
91 | crle->lastDateFormat = dcrl->lastDateFormat;
|
---|
92 | crle->nextDateFormat = dcrl->nextDateFormat;
|
---|
93 |
|
---|
94 | crle->certs = dcrl->certs; /* take ownsership */
|
---|
95 | dcrl->certs = NULL;
|
---|
96 | crle->totalCerts = dcrl->totalCerts;
|
---|
97 | crle->verified = verified;
|
---|
98 | if (!verified) {
|
---|
99 | crle->tbsSz = dcrl->sigIndex - dcrl->certBegin;
|
---|
100 | crle->signatureSz = dcrl->sigLength;
|
---|
101 | crle->signatureOID = dcrl->signatureOID;
|
---|
102 | crle->toBeSigned = (byte*)XMALLOC(crle->tbsSz, heap,
|
---|
103 | DYNAMIC_TYPE_CRL_ENTRY);
|
---|
104 | if (crle->toBeSigned == NULL)
|
---|
105 | return -1;
|
---|
106 | crle->signature = (byte*)XMALLOC(crle->signatureSz, heap,
|
---|
107 | DYNAMIC_TYPE_CRL_ENTRY);
|
---|
108 | if (crle->signature == NULL) {
|
---|
109 | XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
110 | return -1;
|
---|
111 | }
|
---|
112 | XMEMCPY(crle->toBeSigned, buff + dcrl->certBegin, crle->tbsSz);
|
---|
113 | XMEMCPY(crle->signature, dcrl->signature, crle->signatureSz);
|
---|
114 | #ifndef NO_SKID
|
---|
115 | crle->extAuthKeyIdSet = dcrl->extAuthKeyIdSet;
|
---|
116 | if (crle->extAuthKeyIdSet)
|
---|
117 | XMEMCPY(crle->extAuthKeyId, dcrl->extAuthKeyId, KEYID_SIZE);
|
---|
118 | #endif
|
---|
119 | }
|
---|
120 | else {
|
---|
121 | crle->toBeSigned = NULL;
|
---|
122 | crle->signature = NULL;
|
---|
123 | }
|
---|
124 |
|
---|
125 | (void)verified;
|
---|
126 | (void)heap;
|
---|
127 |
|
---|
128 | return 0;
|
---|
129 | }
|
---|
130 |
|
---|
131 |
|
---|
132 | /* Free all CRL Entry resources */
|
---|
133 | static void FreeCRL_Entry(CRL_Entry* crle, void* heap)
|
---|
134 | {
|
---|
135 | RevokedCert* tmp = crle->certs;
|
---|
136 | RevokedCert* next;
|
---|
137 |
|
---|
138 | WOLFSSL_ENTER("FreeCRL_Entry");
|
---|
139 |
|
---|
140 | while (tmp) {
|
---|
141 | next = tmp->next;
|
---|
142 | XFREE(tmp, heap, DYNAMIC_TYPE_REVOKED);
|
---|
143 | tmp = next;
|
---|
144 | }
|
---|
145 | if (crle->signature != NULL)
|
---|
146 | XFREE(crle->signature, heap, DYNAMIC_TYPE_REVOKED);
|
---|
147 | if (crle->toBeSigned != NULL)
|
---|
148 | XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_REVOKED);
|
---|
149 |
|
---|
150 | (void)heap;
|
---|
151 | }
|
---|
152 |
|
---|
153 |
|
---|
154 |
|
---|
155 | /* Free all CRL resources */
|
---|
156 | void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
|
---|
157 | {
|
---|
158 | CRL_Entry* tmp = crl->crlList;
|
---|
159 |
|
---|
160 | WOLFSSL_ENTER("FreeCRL");
|
---|
161 | if (crl->monitors[0].path)
|
---|
162 | XFREE(crl->monitors[0].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);
|
---|
163 |
|
---|
164 | if (crl->monitors[1].path)
|
---|
165 | XFREE(crl->monitors[1].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);
|
---|
166 |
|
---|
167 | while(tmp) {
|
---|
168 | CRL_Entry* next = tmp->next;
|
---|
169 | FreeCRL_Entry(tmp, crl->heap);
|
---|
170 | XFREE(tmp, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
171 | tmp = next;
|
---|
172 | }
|
---|
173 |
|
---|
174 | #ifdef HAVE_CRL_MONITOR
|
---|
175 | if (crl->tid != 0) {
|
---|
176 | WOLFSSL_MSG("stopping monitor thread");
|
---|
177 | if (StopMonitor(crl->mfd) == 0)
|
---|
178 | pthread_join(crl->tid, NULL);
|
---|
179 | else {
|
---|
180 | WOLFSSL_MSG("stop monitor failed");
|
---|
181 | }
|
---|
182 | }
|
---|
183 | pthread_cond_destroy(&crl->cond);
|
---|
184 | #endif
|
---|
185 | wc_FreeMutex(&crl->crlLock);
|
---|
186 | if (dynamic) /* free self */
|
---|
187 | XFREE(crl, crl->heap, DYNAMIC_TYPE_CRL);
|
---|
188 | }
|
---|
189 |
|
---|
190 |
|
---|
191 | static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntry)
|
---|
192 | {
|
---|
193 | CRL_Entry* crle;
|
---|
194 | int foundEntry = 0;
|
---|
195 | int ret = 0;
|
---|
196 |
|
---|
197 | if (wc_LockMutex(&crl->crlLock) != 0) {
|
---|
198 | WOLFSSL_MSG("wc_LockMutex failed");
|
---|
199 | return BAD_MUTEX_E;
|
---|
200 | }
|
---|
201 |
|
---|
202 | crle = crl->crlList;
|
---|
203 |
|
---|
204 | while (crle) {
|
---|
205 | if (XMEMCMP(crle->issuerHash, cert->issuerHash, CRL_DIGEST_SIZE) == 0) {
|
---|
206 | WOLFSSL_MSG("Found CRL Entry on list");
|
---|
207 |
|
---|
208 | if (crle->verified == 0) {
|
---|
209 | Signer* ca = NULL;
|
---|
210 | #ifndef NO_SKID
|
---|
211 | byte extAuthKeyId[KEYID_SIZE];
|
---|
212 | #endif
|
---|
213 | byte issuerHash[CRL_DIGEST_SIZE];
|
---|
214 | byte* tbs;
|
---|
215 | word32 tbsSz = crle->tbsSz;
|
---|
216 | byte* sig = NULL;
|
---|
217 | word32 sigSz = crle->signatureSz;
|
---|
218 | word32 sigOID = crle->signatureOID;
|
---|
219 | SignatureCtx sigCtx;
|
---|
220 |
|
---|
221 | tbs = (byte*)XMALLOC(tbsSz, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
222 | if (tbs == NULL) {
|
---|
223 | wc_UnLockMutex(&crl->crlLock);
|
---|
224 | return MEMORY_E;
|
---|
225 | }
|
---|
226 | sig = (byte*)XMALLOC(sigSz, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
227 | if (sig == NULL) {
|
---|
228 | XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
229 | wc_UnLockMutex(&crl->crlLock);
|
---|
230 | return MEMORY_E;
|
---|
231 | }
|
---|
232 |
|
---|
233 | XMEMCPY(tbs, crle->toBeSigned, tbsSz);
|
---|
234 | XMEMCPY(sig, crle->signature, sigSz);
|
---|
235 | #ifndef NO_SKID
|
---|
236 | XMEMCPY(extAuthKeyId, crle->extAuthKeyId,
|
---|
237 | sizeof(extAuthKeyId));
|
---|
238 | #endif
|
---|
239 | XMEMCPY(issuerHash, crle->issuerHash, sizeof(issuerHash));
|
---|
240 |
|
---|
241 | wc_UnLockMutex(&crl->crlLock);
|
---|
242 |
|
---|
243 | #ifndef NO_SKID
|
---|
244 | if (crle->extAuthKeyIdSet)
|
---|
245 | ca = GetCA(crl->cm, extAuthKeyId);
|
---|
246 | if (ca == NULL)
|
---|
247 | ca = GetCAByName(crl->cm, issuerHash);
|
---|
248 | #else /* NO_SKID */
|
---|
249 | ca = GetCA(crl->cm, issuerHash);
|
---|
250 | #endif /* NO_SKID */
|
---|
251 | if (ca == NULL) {
|
---|
252 | XFREE(sig, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
253 | XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
254 | WOLFSSL_MSG("Did NOT find CRL issuer CA");
|
---|
255 | return ASN_CRL_NO_SIGNER_E;
|
---|
256 | }
|
---|
257 |
|
---|
258 | ret = VerifyCRL_Signature(&sigCtx, tbs, tbsSz, sig, sigSz,
|
---|
259 | sigOID, ca, crl->heap);
|
---|
260 |
|
---|
261 | XFREE(sig, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
262 | XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
263 |
|
---|
264 | if (wc_LockMutex(&crl->crlLock) != 0) {
|
---|
265 | WOLFSSL_MSG("wc_LockMutex failed");
|
---|
266 | return BAD_MUTEX_E;
|
---|
267 | }
|
---|
268 |
|
---|
269 | crle = crl->crlList;
|
---|
270 | while (crle) {
|
---|
271 | if (XMEMCMP(crle->issuerHash, cert->issuerHash,
|
---|
272 | CRL_DIGEST_SIZE) == 0) {
|
---|
273 |
|
---|
274 | if (ret == 0)
|
---|
275 | crle->verified = 1;
|
---|
276 | else
|
---|
277 | crle->verified = ret;
|
---|
278 |
|
---|
279 | XFREE(crle->toBeSigned, crl->heap,
|
---|
280 | DYNAMIC_TYPE_CRL_ENTRY);
|
---|
281 | crle->toBeSigned = NULL;
|
---|
282 | XFREE(crle->signature, crl->heap,
|
---|
283 | DYNAMIC_TYPE_CRL_ENTRY);
|
---|
284 | crle->signature = NULL;
|
---|
285 | break;
|
---|
286 | }
|
---|
287 | crle = crle->next;
|
---|
288 | }
|
---|
289 | if (crle == NULL || crle->verified < 0)
|
---|
290 | break;
|
---|
291 | }
|
---|
292 | else if (crle->verified < 0) {
|
---|
293 | WOLFSSL_MSG("Cannot use CRL as it didn't verify");
|
---|
294 | ret = crle->verified;
|
---|
295 | break;
|
---|
296 | }
|
---|
297 |
|
---|
298 | WOLFSSL_MSG("Checking next date validity");
|
---|
299 |
|
---|
300 | #ifdef WOLFSSL_NO_CRL_NEXT_DATE
|
---|
301 | if (crle->nextDateFormat != ASN_OTHER_TYPE)
|
---|
302 | #endif
|
---|
303 | {
|
---|
304 | #ifndef NO_ASN_TIME
|
---|
305 | if (!XVALIDATE_DATE(crle->nextDate,crle->nextDateFormat, AFTER)) {
|
---|
306 | WOLFSSL_MSG("CRL next date is no longer valid");
|
---|
307 | ret = ASN_AFTER_DATE_E;
|
---|
308 | }
|
---|
309 | #endif
|
---|
310 | }
|
---|
311 | if (ret == 0) {
|
---|
312 | foundEntry = 1;
|
---|
313 | }
|
---|
314 | break;
|
---|
315 | }
|
---|
316 | crle = crle->next;
|
---|
317 | }
|
---|
318 |
|
---|
319 | if (foundEntry) {
|
---|
320 | RevokedCert* rc = crle->certs;
|
---|
321 |
|
---|
322 | while (rc) {
|
---|
323 | if (rc->serialSz == cert->serialSz &&
|
---|
324 | XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
|
---|
325 | WOLFSSL_MSG("Cert revoked");
|
---|
326 | ret = CRL_CERT_REVOKED;
|
---|
327 | break;
|
---|
328 | }
|
---|
329 | rc = rc->next;
|
---|
330 | }
|
---|
331 | }
|
---|
332 |
|
---|
333 | wc_UnLockMutex(&crl->crlLock);
|
---|
334 |
|
---|
335 | *pFoundEntry = foundEntry;
|
---|
336 |
|
---|
337 | return ret;
|
---|
338 | }
|
---|
339 |
|
---|
340 | /* Is the cert ok with CRL, return 0 on success */
|
---|
341 | int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
|
---|
342 | {
|
---|
343 | int foundEntry = 0;
|
---|
344 | int ret = 0;
|
---|
345 |
|
---|
346 | WOLFSSL_ENTER("CheckCertCRL");
|
---|
347 |
|
---|
348 | ret = CheckCertCRLList(crl, cert, &foundEntry);
|
---|
349 |
|
---|
350 | #ifdef HAVE_CRL_IO
|
---|
351 | if (foundEntry == 0) {
|
---|
352 | /* perform embedded lookup */
|
---|
353 | if (crl->crlIOCb) {
|
---|
354 | ret = crl->crlIOCb(crl, (const char*)cert->extCrlInfo,
|
---|
355 | cert->extCrlInfoSz);
|
---|
356 | if (ret == WOLFSSL_CBIO_ERR_WANT_READ) {
|
---|
357 | ret = WANT_READ;
|
---|
358 | }
|
---|
359 | else if (ret >= 0) {
|
---|
360 | /* try again */
|
---|
361 | ret = CheckCertCRLList(crl, cert, &foundEntry);
|
---|
362 | }
|
---|
363 | }
|
---|
364 | }
|
---|
365 | #endif
|
---|
366 |
|
---|
367 | if (foundEntry == 0) {
|
---|
368 | WOLFSSL_MSG("Couldn't find CRL for status check");
|
---|
369 | ret = CRL_MISSING;
|
---|
370 |
|
---|
371 | if (crl->cm->cbMissingCRL) {
|
---|
372 | char url[256];
|
---|
373 |
|
---|
374 | WOLFSSL_MSG("Issuing missing CRL callback");
|
---|
375 | url[0] = '\0';
|
---|
376 | if (cert->extCrlInfo) {
|
---|
377 | if (cert->extCrlInfoSz < (int)sizeof(url) -1 ) {
|
---|
378 | XMEMCPY(url, cert->extCrlInfo, cert->extCrlInfoSz);
|
---|
379 | url[cert->extCrlInfoSz] = '\0';
|
---|
380 | }
|
---|
381 | else {
|
---|
382 | WOLFSSL_MSG("CRL url too long");
|
---|
383 | }
|
---|
384 | }
|
---|
385 |
|
---|
386 | crl->cm->cbMissingCRL(url);
|
---|
387 | }
|
---|
388 | }
|
---|
389 |
|
---|
390 | return ret;
|
---|
391 | }
|
---|
392 |
|
---|
393 |
|
---|
394 | /* Add Decoded CRL, 0 on success */
|
---|
395 | static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
|
---|
396 | int verified)
|
---|
397 | {
|
---|
398 | CRL_Entry* crle;
|
---|
399 |
|
---|
400 | WOLFSSL_ENTER("AddCRL");
|
---|
401 |
|
---|
402 | crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
403 | if (crle == NULL) {
|
---|
404 | WOLFSSL_MSG("alloc CRL Entry failed");
|
---|
405 | return -1;
|
---|
406 | }
|
---|
407 |
|
---|
408 | if (InitCRL_Entry(crle, dcrl, buff, verified, crl->heap) < 0) {
|
---|
409 | WOLFSSL_MSG("Init CRL Entry failed");
|
---|
410 | XFREE(crle, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
411 | return -1;
|
---|
412 | }
|
---|
413 |
|
---|
414 | if (wc_LockMutex(&crl->crlLock) != 0) {
|
---|
415 | WOLFSSL_MSG("wc_LockMutex failed");
|
---|
416 | FreeCRL_Entry(crle, crl->heap);
|
---|
417 | XFREE(crle, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
418 | return BAD_MUTEX_E;
|
---|
419 | }
|
---|
420 | crle->next = crl->crlList;
|
---|
421 | crl->crlList = crle;
|
---|
422 | wc_UnLockMutex(&crl->crlLock);
|
---|
423 |
|
---|
424 | return 0;
|
---|
425 | }
|
---|
426 |
|
---|
427 |
|
---|
428 | /* Load CRL File of type, WOLFSSL_SUCCESS on ok */
|
---|
429 | int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
|
---|
430 | int verify)
|
---|
431 | {
|
---|
432 | int ret = WOLFSSL_SUCCESS;
|
---|
433 | const byte* myBuffer = buff; /* if DER ok, otherwise switch */
|
---|
434 | DerBuffer* der = NULL;
|
---|
435 | #ifdef WOLFSSL_SMALL_STACK
|
---|
436 | DecodedCRL* dcrl;
|
---|
437 | #else
|
---|
438 | DecodedCRL dcrl[1];
|
---|
439 | #endif
|
---|
440 |
|
---|
441 | WOLFSSL_ENTER("BufferLoadCRL");
|
---|
442 |
|
---|
443 | if (crl == NULL || buff == NULL || sz == 0)
|
---|
444 | return BAD_FUNC_ARG;
|
---|
445 |
|
---|
446 | if (type == WOLFSSL_FILETYPE_PEM) {
|
---|
447 | #ifdef WOLFSSL_PEM_TO_DER
|
---|
448 | ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, NULL, NULL);
|
---|
449 | if (ret == 0) {
|
---|
450 | myBuffer = der->buffer;
|
---|
451 | sz = der->length;
|
---|
452 | }
|
---|
453 | else {
|
---|
454 | WOLFSSL_MSG("Pem to Der failed");
|
---|
455 | FreeDer(&der);
|
---|
456 | return -1;
|
---|
457 | }
|
---|
458 | #else
|
---|
459 | ret = NOT_COMPILED_IN;
|
---|
460 | #endif
|
---|
461 | }
|
---|
462 |
|
---|
463 | #ifdef WOLFSSL_SMALL_STACK
|
---|
464 | dcrl = (DecodedCRL*)XMALLOC(sizeof(DecodedCRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
465 | if (dcrl == NULL) {
|
---|
466 | FreeDer(&der);
|
---|
467 | return MEMORY_E;
|
---|
468 | }
|
---|
469 | #endif
|
---|
470 |
|
---|
471 | InitDecodedCRL(dcrl, crl->heap);
|
---|
472 | ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
|
---|
473 | if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && verify == NO_VERIFY)) {
|
---|
474 | WOLFSSL_MSG("ParseCRL error");
|
---|
475 | }
|
---|
476 | else {
|
---|
477 | ret = AddCRL(crl, dcrl, myBuffer, ret != ASN_CRL_NO_SIGNER_E);
|
---|
478 | if (ret != 0) {
|
---|
479 | WOLFSSL_MSG("AddCRL error");
|
---|
480 | }
|
---|
481 | }
|
---|
482 |
|
---|
483 | FreeDecodedCRL(dcrl);
|
---|
484 |
|
---|
485 | #ifdef WOLFSSL_SMALL_STACK
|
---|
486 | XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
487 | #endif
|
---|
488 |
|
---|
489 | FreeDer(&der);
|
---|
490 |
|
---|
491 | return ret ? ret : WOLFSSL_SUCCESS; /* convert 0 to WOLFSSL_SUCCESS */
|
---|
492 | }
|
---|
493 |
|
---|
494 | #if defined(OPENSSL_EXTRA) && defined(HAVE_CRL)
|
---|
495 | /* helper function to create a new dynamic WOLFSSL_X509_CRL structure */
|
---|
496 | static WOLFSSL_X509_CRL* wolfSSL_X509_crl_new(WOLFSSL_CERT_MANAGER* cm)
|
---|
497 | {
|
---|
498 | WOLFSSL_X509_CRL* ret;
|
---|
499 |
|
---|
500 | ret = (WOLFSSL_X509_CRL*)XMALLOC(sizeof(WOLFSSL_X509_CRL), cm->heap,
|
---|
501 | DYNAMIC_TYPE_CRL);
|
---|
502 | if (ret != NULL) {
|
---|
503 | if (InitCRL(ret, cm) < 0) {
|
---|
504 | WOLFSSL_MSG("Unable to initialize new CRL structure");
|
---|
505 | XFREE(ret, cm->heap, DYNAMIC_TYPE_CRL);
|
---|
506 | ret = NULL;
|
---|
507 | }
|
---|
508 | }
|
---|
509 | return ret;
|
---|
510 | }
|
---|
511 |
|
---|
512 |
|
---|
513 | /* returns head of copied list that was alloc'd */
|
---|
514 | static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap)
|
---|
515 | {
|
---|
516 | RevokedCert* head = NULL;
|
---|
517 | RevokedCert* current = in;
|
---|
518 | RevokedCert* prev = NULL;
|
---|
519 | while (current) {
|
---|
520 | RevokedCert* tmp = (RevokedCert*)XMALLOC(sizeof(RevokedCert), heap,
|
---|
521 | DYNAMIC_TYPE_REVOKED);
|
---|
522 | if (tmp != NULL) {
|
---|
523 | XMEMCPY(tmp->serialNumber, current->serialNumber,
|
---|
524 | EXTERNAL_SERIAL_SIZE);
|
---|
525 | tmp->serialSz = current->serialSz;
|
---|
526 | tmp->next = NULL;
|
---|
527 | if (prev != NULL)
|
---|
528 | prev->next = tmp;
|
---|
529 | if (head == NULL)
|
---|
530 | head = tmp;
|
---|
531 | prev = tmp;
|
---|
532 | }
|
---|
533 | else {
|
---|
534 | WOLFSSL_MSG("Failed to allocate new RevokedCert structure");
|
---|
535 | /* free up any existing list */
|
---|
536 | while (head != NULL) {
|
---|
537 | current = head;
|
---|
538 | head = head->next;
|
---|
539 | XFREE(current, heap, DYNAMIC_TYPE_REVOKED);
|
---|
540 | }
|
---|
541 | return NULL;
|
---|
542 | }
|
---|
543 | current = current->next;
|
---|
544 | }
|
---|
545 |
|
---|
546 | (void)heap;
|
---|
547 | return head;
|
---|
548 | }
|
---|
549 |
|
---|
550 |
|
---|
551 | /* returns a deep copy of ent on success and null on fail */
|
---|
552 | static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap)
|
---|
553 | {
|
---|
554 | CRL_Entry *dupl;
|
---|
555 |
|
---|
556 | dupl = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
557 | if (dupl == NULL) {
|
---|
558 | WOLFSSL_MSG("alloc CRL Entry failed");
|
---|
559 | return NULL;
|
---|
560 | }
|
---|
561 | XMEMSET(dupl, 0, sizeof(CRL_Entry));
|
---|
562 |
|
---|
563 | XMEMCPY(dupl->issuerHash, ent->issuerHash, CRL_DIGEST_SIZE);
|
---|
564 | XMEMCPY(dupl->lastDate, ent->lastDate, MAX_DATE_SIZE);
|
---|
565 | XMEMCPY(dupl->nextDate, ent->nextDate, MAX_DATE_SIZE);
|
---|
566 | dupl->lastDateFormat = ent->lastDateFormat;
|
---|
567 | dupl->nextDateFormat = ent->nextDateFormat;
|
---|
568 | dupl->certs = DupRevokedCertList(ent->certs, heap);
|
---|
569 |
|
---|
570 | dupl->totalCerts = ent->totalCerts;
|
---|
571 | dupl->verified = ent->verified;
|
---|
572 |
|
---|
573 | if (!ent->verified) {
|
---|
574 | dupl->tbsSz = ent->tbsSz;
|
---|
575 | dupl->signatureSz = ent->signatureSz;
|
---|
576 | dupl->signatureOID = ent->signatureOID;
|
---|
577 | dupl->toBeSigned = (byte*)XMALLOC(dupl->tbsSz, heap,
|
---|
578 | DYNAMIC_TYPE_CRL_ENTRY);
|
---|
579 | if (dupl->toBeSigned == NULL) {
|
---|
580 | FreeCRL_Entry(dupl, heap);
|
---|
581 | XFREE(dupl, heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
582 | return NULL;
|
---|
583 | }
|
---|
584 |
|
---|
585 | dupl->signature = (byte*)XMALLOC(dupl->signatureSz, heap,
|
---|
586 | DYNAMIC_TYPE_CRL_ENTRY);
|
---|
587 | if (dupl->signature == NULL) {
|
---|
588 | FreeCRL_Entry(dupl, heap);
|
---|
589 | XFREE(dupl, heap, DYNAMIC_TYPE_CRL_ENTRY);
|
---|
590 | return NULL;
|
---|
591 | }
|
---|
592 | XMEMCPY(dupl->toBeSigned, ent->toBeSigned, dupl->tbsSz);
|
---|
593 | XMEMCPY(dupl->signature, ent->signature, dupl->signatureSz);
|
---|
594 | #ifndef NO_SKID
|
---|
595 | dupl->extAuthKeyIdSet = ent->extAuthKeyIdSet;
|
---|
596 | if (dupl->extAuthKeyIdSet)
|
---|
597 | XMEMCPY(dupl->extAuthKeyId, ent->extAuthKeyId, KEYID_SIZE);
|
---|
598 | #endif
|
---|
599 | }
|
---|
600 | else {
|
---|
601 | dupl->toBeSigned = NULL;
|
---|
602 | dupl->tbsSz = 0;
|
---|
603 | dupl->signature = NULL;
|
---|
604 | dupl->signatureSz = 0;
|
---|
605 | }
|
---|
606 |
|
---|
607 | return dupl;
|
---|
608 | }
|
---|
609 |
|
---|
610 |
|
---|
611 | /* returns the head of a deep copy of the list on success and null on fail */
|
---|
612 | static CRL_Entry* DupCRL_list(CRL_Entry* crl, void* heap)
|
---|
613 | {
|
---|
614 | CRL_Entry* current;
|
---|
615 | CRL_Entry* head = NULL;
|
---|
616 | CRL_Entry* prev = NULL;
|
---|
617 |
|
---|
618 | current = crl;
|
---|
619 | while (current != NULL) {
|
---|
620 | CRL_Entry* tmp = DupCRL_Entry(current, heap);
|
---|
621 | if (tmp != NULL) {
|
---|
622 | tmp->next = NULL;
|
---|
623 | if (head == NULL)
|
---|
624 | head = tmp;
|
---|
625 | if (prev != NULL)
|
---|
626 | prev->next = tmp;
|
---|
627 | prev = tmp;
|
---|
628 | }
|
---|
629 | else {
|
---|
630 | WOLFSSL_MSG("Failed to allocate new CRL_Entry structure");
|
---|
631 | /* free up any existing list */
|
---|
632 | while (head != NULL) {
|
---|
633 | current = head;
|
---|
634 | head = head->next;
|
---|
635 | FreeCRL_Entry(current, heap);
|
---|
636 | }
|
---|
637 |
|
---|
638 | return NULL;
|
---|
639 | }
|
---|
640 | current = current->next;
|
---|
641 | }
|
---|
642 | return head;
|
---|
643 | }
|
---|
644 |
|
---|
645 |
|
---|
646 | /* Duplicates everything except the parent cm pointed to.
|
---|
647 | * Expects that Init has already been done to 'dupl'
|
---|
648 | * return 0 on success */
|
---|
649 | static int DupX509_CRL(WOLFSSL_X509_CRL *dupl, const WOLFSSL_X509_CRL* crl)
|
---|
650 | {
|
---|
651 | if (dupl == NULL || crl == NULL) {
|
---|
652 | return BAD_FUNC_ARG;
|
---|
653 | }
|
---|
654 |
|
---|
655 | if (crl->monitors[0].path) {
|
---|
656 | int pathSz = (int)XSTRLEN(crl->monitors[0].path) + 1;
|
---|
657 | dupl->monitors[0].path = (char*)XMALLOC(pathSz, dupl->heap,
|
---|
658 | DYNAMIC_TYPE_CRL_MONITOR);
|
---|
659 | if (dupl->monitors[0].path != NULL) {
|
---|
660 | XSTRNCPY(dupl->monitors[0].path, crl->monitors[0].path, pathSz);
|
---|
661 | }
|
---|
662 | else {
|
---|
663 | return MEMORY_E;
|
---|
664 | }
|
---|
665 | }
|
---|
666 |
|
---|
667 | if (crl->monitors[1].path) {
|
---|
668 | int pathSz = (int)XSTRLEN(crl->monitors[1].path) + 1;
|
---|
669 | dupl->monitors[1].path = (char*)XMALLOC(pathSz, dupl->heap,
|
---|
670 | DYNAMIC_TYPE_CRL_MONITOR);
|
---|
671 | if (dupl->monitors[1].path != NULL) {
|
---|
672 | XSTRNCPY(dupl->monitors[1].path, crl->monitors[1].path, pathSz);
|
---|
673 | }
|
---|
674 | else {
|
---|
675 | if (dupl->monitors[0].path != NULL) {
|
---|
676 | XFREE(dupl->monitors[0].path, dupl->heap,
|
---|
677 | DYNAMIC_TYPE_CRL_MONITOR);
|
---|
678 | }
|
---|
679 | return MEMORY_E;
|
---|
680 | }
|
---|
681 | }
|
---|
682 |
|
---|
683 | dupl->crlList = DupCRL_list(crl->crlList, dupl->heap);
|
---|
684 | #ifdef HAVE_CRL_IO
|
---|
685 | dupl->crlIOCb = crl->crlIOCb;
|
---|
686 | #endif
|
---|
687 |
|
---|
688 | return 0;
|
---|
689 | }
|
---|
690 |
|
---|
691 | /* returns WOLFSSL_SUCCESS on success. Does not take ownership of newcrl */
|
---|
692 | int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newcrl)
|
---|
693 | {
|
---|
694 | CRL_Entry *crle;
|
---|
695 | WOLFSSL_X509_CRL *crl;
|
---|
696 |
|
---|
697 | WOLFSSL_ENTER("wolfSSL_X509_STORE_add_crl");
|
---|
698 | if (store == NULL || newcrl == NULL || store->cm == NULL)
|
---|
699 | return BAD_FUNC_ARG;
|
---|
700 |
|
---|
701 | if (store->cm->crl == NULL) {
|
---|
702 | crl = wolfSSL_X509_crl_new(store->cm);
|
---|
703 | if (DupX509_CRL(crl, newcrl) != 0) {
|
---|
704 | FreeCRL(crl, 1);
|
---|
705 | return WOLFSSL_FAILURE;
|
---|
706 | }
|
---|
707 | store->crl = store->cm->crl = crl;
|
---|
708 | if (wolfSSL_CertManagerEnableCRL(store->cm, WOLFSSL_CRL_CHECKALL)
|
---|
709 | != WOLFSSL_SUCCESS) {
|
---|
710 | WOLFSSL_MSG("wolfSSL_CertManagerEnableCRL error");
|
---|
711 | return WOLFSSL_FAILURE;
|
---|
712 | }
|
---|
713 | return WOLFSSL_SUCCESS;
|
---|
714 | }
|
---|
715 |
|
---|
716 | /* find tail of current list and add new list */
|
---|
717 | crl = store->cm->crl;
|
---|
718 | crle = crl->crlList;
|
---|
719 | if (newcrl->crlList != NULL) {
|
---|
720 | CRL_Entry *tail = crle;
|
---|
721 | CRL_Entry *toAdd;
|
---|
722 |
|
---|
723 | if (wc_LockMutex(&crl->crlLock) != 0)
|
---|
724 | {
|
---|
725 | WOLFSSL_MSG("wc_LockMutex failed");
|
---|
726 | return BAD_MUTEX_E;
|
---|
727 | }
|
---|
728 |
|
---|
729 | toAdd = DupCRL_list(newcrl->crlList, crl->heap);
|
---|
730 | if (tail == NULL) {
|
---|
731 | crl->crlList = toAdd;
|
---|
732 | }
|
---|
733 | else {
|
---|
734 | while (tail->next != NULL) tail = tail->next;
|
---|
735 | tail->next = toAdd;
|
---|
736 | }
|
---|
737 | wc_UnLockMutex(&crl->crlLock);
|
---|
738 | }
|
---|
739 |
|
---|
740 | if (wolfSSL_CertManagerEnableCRL(store->cm, WOLFSSL_CRL_CHECKALL)
|
---|
741 | != WOLFSSL_SUCCESS) {
|
---|
742 | WOLFSSL_MSG("wolfSSL_CertManagerEnableCRL error");
|
---|
743 | return WOLFSSL_FAILURE;
|
---|
744 | }
|
---|
745 |
|
---|
746 | WOLFSSL_LEAVE("wolfSSL_X509_STORE_add_crl", WOLFSSL_SUCCESS);
|
---|
747 |
|
---|
748 | return WOLFSSL_SUCCESS;
|
---|
749 | }
|
---|
750 | #endif
|
---|
751 |
|
---|
752 | #ifdef HAVE_CRL_MONITOR
|
---|
753 |
|
---|
754 |
|
---|
755 | /* Signal Monitor thread is setup, save status to setup flag, 0 on success */
|
---|
756 | static int SignalSetup(WOLFSSL_CRL* crl, int status)
|
---|
757 | {
|
---|
758 | int ret;
|
---|
759 |
|
---|
760 | /* signal to calling thread we're setup */
|
---|
761 | if (wc_LockMutex(&crl->crlLock) != 0) {
|
---|
762 | WOLFSSL_MSG("wc_LockMutex crlLock failed");
|
---|
763 | return BAD_MUTEX_E;
|
---|
764 | }
|
---|
765 |
|
---|
766 | crl->setup = status;
|
---|
767 | ret = pthread_cond_signal(&crl->cond);
|
---|
768 |
|
---|
769 | wc_UnLockMutex(&crl->crlLock);
|
---|
770 |
|
---|
771 | if (ret != 0)
|
---|
772 | return BAD_COND_E;
|
---|
773 |
|
---|
774 | return 0;
|
---|
775 | }
|
---|
776 |
|
---|
777 |
|
---|
778 | /* read in new CRL entries and save new list */
|
---|
779 | static int SwapLists(WOLFSSL_CRL* crl)
|
---|
780 | {
|
---|
781 | int ret;
|
---|
782 | CRL_Entry* newList;
|
---|
783 | #ifdef WOLFSSL_SMALL_STACK
|
---|
784 | WOLFSSL_CRL* tmp;
|
---|
785 | #else
|
---|
786 | WOLFSSL_CRL tmp[1];
|
---|
787 | #endif
|
---|
788 |
|
---|
789 | #ifdef WOLFSSL_SMALL_STACK
|
---|
790 | tmp = (WOLFSSL_CRL*)XMALLOC(sizeof(WOLFSSL_CRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
791 | if (tmp == NULL)
|
---|
792 | return MEMORY_E;
|
---|
793 | #endif
|
---|
794 |
|
---|
795 | if (InitCRL(tmp, crl->cm) < 0) {
|
---|
796 | WOLFSSL_MSG("Init tmp CRL failed");
|
---|
797 | #ifdef WOLFSSL_SMALL_STACK
|
---|
798 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
799 | #endif
|
---|
800 | return -1;
|
---|
801 | }
|
---|
802 |
|
---|
803 | if (crl->monitors[0].path) {
|
---|
804 | ret = LoadCRL(tmp, crl->monitors[0].path, WOLFSSL_FILETYPE_PEM, 0);
|
---|
805 | if (ret != WOLFSSL_SUCCESS) {
|
---|
806 | WOLFSSL_MSG("PEM LoadCRL on dir change failed");
|
---|
807 | FreeCRL(tmp, 0);
|
---|
808 | #ifdef WOLFSSL_SMALL_STACK
|
---|
809 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
810 | #endif
|
---|
811 | return -1;
|
---|
812 | }
|
---|
813 | }
|
---|
814 |
|
---|
815 | if (crl->monitors[1].path) {
|
---|
816 | ret = LoadCRL(tmp, crl->monitors[1].path, WOLFSSL_FILETYPE_ASN1, 0);
|
---|
817 | if (ret != WOLFSSL_SUCCESS) {
|
---|
818 | WOLFSSL_MSG("DER LoadCRL on dir change failed");
|
---|
819 | FreeCRL(tmp, 0);
|
---|
820 | #ifdef WOLFSSL_SMALL_STACK
|
---|
821 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
822 | #endif
|
---|
823 | return -1;
|
---|
824 | }
|
---|
825 | }
|
---|
826 |
|
---|
827 | if (wc_LockMutex(&crl->crlLock) != 0) {
|
---|
828 | WOLFSSL_MSG("wc_LockMutex failed");
|
---|
829 | FreeCRL(tmp, 0);
|
---|
830 | #ifdef WOLFSSL_SMALL_STACK
|
---|
831 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
832 | #endif
|
---|
833 | return -1;
|
---|
834 | }
|
---|
835 |
|
---|
836 | newList = tmp->crlList;
|
---|
837 |
|
---|
838 | /* swap lists */
|
---|
839 | tmp->crlList = crl->crlList;
|
---|
840 | crl->crlList = newList;
|
---|
841 |
|
---|
842 | wc_UnLockMutex(&crl->crlLock);
|
---|
843 |
|
---|
844 | FreeCRL(tmp, 0);
|
---|
845 |
|
---|
846 | #ifdef WOLFSSL_SMALL_STACK
|
---|
847 | XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
848 | #endif
|
---|
849 |
|
---|
850 | return 0;
|
---|
851 | }
|
---|
852 |
|
---|
853 |
|
---|
854 | #if (defined(__MACH__) || defined(__FreeBSD__))
|
---|
855 |
|
---|
856 | #include <sys/types.h>
|
---|
857 | #include <sys/event.h>
|
---|
858 | #include <sys/time.h>
|
---|
859 | #include <fcntl.h>
|
---|
860 | #include <unistd.h>
|
---|
861 |
|
---|
862 | #ifdef __MACH__
|
---|
863 | #define XEVENT_MODE O_EVTONLY
|
---|
864 | #elif defined(__FreeBSD__)
|
---|
865 | #define XEVENT_MODE EVFILT_VNODE
|
---|
866 | #endif
|
---|
867 |
|
---|
868 |
|
---|
869 | /* we need a unique kqueue user filter fd for crl in case user is doing custom
|
---|
870 | * events too */
|
---|
871 | #ifndef CRL_CUSTOM_FD
|
---|
872 | #define CRL_CUSTOM_FD 123456
|
---|
873 | #endif
|
---|
874 |
|
---|
875 |
|
---|
876 | /* shutdown monitor thread, 0 on success */
|
---|
877 | static int StopMonitor(int mfd)
|
---|
878 | {
|
---|
879 | struct kevent change;
|
---|
880 |
|
---|
881 | /* trigger custom shutdown */
|
---|
882 | EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, 0, NOTE_TRIGGER, 0, NULL);
|
---|
883 | if (kevent(mfd, &change, 1, NULL, 0, NULL) < 0) {
|
---|
884 | WOLFSSL_MSG("kevent trigger customer event failed");
|
---|
885 | return -1;
|
---|
886 | }
|
---|
887 |
|
---|
888 | return 0;
|
---|
889 | }
|
---|
890 |
|
---|
891 |
|
---|
892 | /* OS X monitoring */
|
---|
893 | static void* DoMonitor(void* arg)
|
---|
894 | {
|
---|
895 | int fPEM, fDER;
|
---|
896 | struct kevent change;
|
---|
897 |
|
---|
898 | WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;
|
---|
899 |
|
---|
900 | WOLFSSL_ENTER("DoMonitor");
|
---|
901 |
|
---|
902 | crl->mfd = kqueue();
|
---|
903 | if (crl->mfd == -1) {
|
---|
904 | WOLFSSL_MSG("kqueue failed");
|
---|
905 | SignalSetup(crl, MONITOR_SETUP_E);
|
---|
906 | return NULL;
|
---|
907 | }
|
---|
908 |
|
---|
909 | /* listen for custom shutdown event */
|
---|
910 | EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, EV_ADD, 0, 0, NULL);
|
---|
911 | if (kevent(crl->mfd, &change, 1, NULL, 0, NULL) < 0) {
|
---|
912 | WOLFSSL_MSG("kevent monitor customer event failed");
|
---|
913 | SignalSetup(crl, MONITOR_SETUP_E);
|
---|
914 | close(crl->mfd);
|
---|
915 | return NULL;
|
---|
916 | }
|
---|
917 |
|
---|
918 | fPEM = -1;
|
---|
919 | fDER = -1;
|
---|
920 |
|
---|
921 | if (crl->monitors[0].path) {
|
---|
922 | fPEM = open(crl->monitors[0].path, XEVENT_MODE);
|
---|
923 | if (fPEM == -1) {
|
---|
924 | WOLFSSL_MSG("PEM event dir open failed");
|
---|
925 | SignalSetup(crl, MONITOR_SETUP_E);
|
---|
926 | close(crl->mfd);
|
---|
927 | return NULL;
|
---|
928 | }
|
---|
929 | }
|
---|
930 |
|
---|
931 | if (crl->monitors[1].path) {
|
---|
932 | fDER = open(crl->monitors[1].path, XEVENT_MODE);
|
---|
933 | if (fDER == -1) {
|
---|
934 | WOLFSSL_MSG("DER event dir open failed");
|
---|
935 | if (fPEM != -1)
|
---|
936 | close(fPEM);
|
---|
937 | close(crl->mfd);
|
---|
938 | SignalSetup(crl, MONITOR_SETUP_E);
|
---|
939 | return NULL;
|
---|
940 | }
|
---|
941 | }
|
---|
942 |
|
---|
943 | if (fPEM != -1)
|
---|
944 | EV_SET(&change, fPEM, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
|
---|
945 | NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
|
---|
946 |
|
---|
947 | if (fDER != -1)
|
---|
948 | EV_SET(&change, fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
|
---|
949 | NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
|
---|
950 |
|
---|
951 | /* signal to calling thread we're setup */
|
---|
952 | if (SignalSetup(crl, 1) != 0) {
|
---|
953 | if (fPEM != -1)
|
---|
954 | close(fPEM);
|
---|
955 | if (fDER != -1)
|
---|
956 | close(fDER);
|
---|
957 | close(crl->mfd);
|
---|
958 | return NULL;
|
---|
959 | }
|
---|
960 |
|
---|
961 | for (;;) {
|
---|
962 | struct kevent event;
|
---|
963 | int numEvents = kevent(crl->mfd, &change, 1, &event, 1, NULL);
|
---|
964 |
|
---|
965 | WOLFSSL_MSG("Got kevent");
|
---|
966 |
|
---|
967 | if (numEvents == -1) {
|
---|
968 | WOLFSSL_MSG("kevent problem, continue");
|
---|
969 | continue;
|
---|
970 | }
|
---|
971 |
|
---|
972 | if (event.filter == EVFILT_USER) {
|
---|
973 | WOLFSSL_MSG("Got user shutdown event, breaking out");
|
---|
974 | break;
|
---|
975 | }
|
---|
976 |
|
---|
977 | if (SwapLists(crl) < 0) {
|
---|
978 | WOLFSSL_MSG("SwapLists problem, continue");
|
---|
979 | }
|
---|
980 | }
|
---|
981 |
|
---|
982 | if (fPEM != -1)
|
---|
983 | close(fPEM);
|
---|
984 | if (fDER != -1)
|
---|
985 | close(fDER);
|
---|
986 |
|
---|
987 | close(crl->mfd);
|
---|
988 |
|
---|
989 | return NULL;
|
---|
990 | }
|
---|
991 |
|
---|
992 |
|
---|
993 | #elif defined(__linux__)
|
---|
994 |
|
---|
995 | #include <sys/types.h>
|
---|
996 | #include <sys/inotify.h>
|
---|
997 | #include <sys/eventfd.h>
|
---|
998 | #include <unistd.h>
|
---|
999 |
|
---|
1000 |
|
---|
1001 | #ifndef max
|
---|
1002 | static WC_INLINE int max(int a, int b)
|
---|
1003 | {
|
---|
1004 | return a > b ? a : b;
|
---|
1005 | }
|
---|
1006 | #endif /* max */
|
---|
1007 |
|
---|
1008 |
|
---|
1009 | /* shutdown monitor thread, 0 on success */
|
---|
1010 | static int StopMonitor(int mfd)
|
---|
1011 | {
|
---|
1012 | word64 w64 = 1;
|
---|
1013 |
|
---|
1014 | /* write to our custom event */
|
---|
1015 | if (write(mfd, &w64, sizeof(w64)) < 0) {
|
---|
1016 | WOLFSSL_MSG("StopMonitor write failed");
|
---|
1017 | return -1;
|
---|
1018 | }
|
---|
1019 |
|
---|
1020 | return 0;
|
---|
1021 | }
|
---|
1022 |
|
---|
1023 |
|
---|
1024 | /* linux monitoring */
|
---|
1025 | static void* DoMonitor(void* arg)
|
---|
1026 | {
|
---|
1027 | int notifyFd;
|
---|
1028 | int wd = -1;
|
---|
1029 | WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;
|
---|
1030 | #ifdef WOLFSSL_SMALL_STACK
|
---|
1031 | char* buff;
|
---|
1032 | #else
|
---|
1033 | char buff[8192];
|
---|
1034 | #endif
|
---|
1035 |
|
---|
1036 | WOLFSSL_ENTER("DoMonitor");
|
---|
1037 |
|
---|
1038 | crl->mfd = eventfd(0, 0); /* our custom shutdown event */
|
---|
1039 | if (crl->mfd < 0) {
|
---|
1040 | WOLFSSL_MSG("eventfd failed");
|
---|
1041 | SignalSetup(crl, MONITOR_SETUP_E);
|
---|
1042 | return NULL;
|
---|
1043 | }
|
---|
1044 |
|
---|
1045 | notifyFd = inotify_init();
|
---|
1046 | if (notifyFd < 0) {
|
---|
1047 | WOLFSSL_MSG("inotify failed");
|
---|
1048 | close(crl->mfd);
|
---|
1049 | SignalSetup(crl, MONITOR_SETUP_E);
|
---|
1050 | return NULL;
|
---|
1051 | }
|
---|
1052 |
|
---|
1053 | if (crl->monitors[0].path) {
|
---|
1054 | wd = inotify_add_watch(notifyFd, crl->monitors[0].path, IN_CLOSE_WRITE |
|
---|
1055 | IN_DELETE);
|
---|
1056 | if (wd < 0) {
|
---|
1057 | WOLFSSL_MSG("PEM notify add watch failed");
|
---|
1058 | close(crl->mfd);
|
---|
1059 | close(notifyFd);
|
---|
1060 | SignalSetup(crl, MONITOR_SETUP_E);
|
---|
1061 | return NULL;
|
---|
1062 | }
|
---|
1063 | }
|
---|
1064 |
|
---|
1065 | if (crl->monitors[1].path) {
|
---|
1066 | wd = inotify_add_watch(notifyFd, crl->monitors[1].path, IN_CLOSE_WRITE |
|
---|
1067 | IN_DELETE);
|
---|
1068 | if (wd < 0) {
|
---|
1069 | WOLFSSL_MSG("DER notify add watch failed");
|
---|
1070 | close(crl->mfd);
|
---|
1071 | close(notifyFd);
|
---|
1072 | SignalSetup(crl, MONITOR_SETUP_E);
|
---|
1073 | return NULL;
|
---|
1074 | }
|
---|
1075 | }
|
---|
1076 |
|
---|
1077 | #ifdef WOLFSSL_SMALL_STACK
|
---|
1078 | buff = (char*)XMALLOC(8192, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
1079 | if (buff == NULL)
|
---|
1080 | return NULL;
|
---|
1081 | #endif
|
---|
1082 |
|
---|
1083 | /* signal to calling thread we're setup */
|
---|
1084 | if (SignalSetup(crl, 1) != 0) {
|
---|
1085 | #ifdef WOLFSSL_SMALL_STACK
|
---|
1086 | XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
1087 | #endif
|
---|
1088 |
|
---|
1089 | if (wd > 0)
|
---|
1090 | inotify_rm_watch(notifyFd, wd);
|
---|
1091 | close(crl->mfd);
|
---|
1092 | close(notifyFd);
|
---|
1093 | return NULL;
|
---|
1094 | }
|
---|
1095 |
|
---|
1096 | for (;;) {
|
---|
1097 | fd_set readfds;
|
---|
1098 | int result;
|
---|
1099 | int length;
|
---|
1100 |
|
---|
1101 | FD_ZERO(&readfds);
|
---|
1102 | FD_SET(notifyFd, &readfds);
|
---|
1103 | FD_SET(crl->mfd, &readfds);
|
---|
1104 |
|
---|
1105 | result = select(max(notifyFd, crl->mfd) + 1, &readfds, NULL, NULL,NULL);
|
---|
1106 |
|
---|
1107 | WOLFSSL_MSG("Got notify event");
|
---|
1108 |
|
---|
1109 | if (result < 0) {
|
---|
1110 | WOLFSSL_MSG("select problem, continue");
|
---|
1111 | continue;
|
---|
1112 | }
|
---|
1113 |
|
---|
1114 | if (FD_ISSET(crl->mfd, &readfds)) {
|
---|
1115 | word64 r64;
|
---|
1116 | int rlen;
|
---|
1117 |
|
---|
1118 | WOLFSSL_MSG("got custom shutdown event, breaking out");
|
---|
1119 |
|
---|
1120 | /* read out the bytes written to the event to clean up */
|
---|
1121 | rlen = (int) read(crl->mfd, &r64, sizeof(r64));
|
---|
1122 | if (rlen < 0) {
|
---|
1123 | WOLFSSL_MSG("read custom event failure");
|
---|
1124 | }
|
---|
1125 |
|
---|
1126 | break;
|
---|
1127 | }
|
---|
1128 |
|
---|
1129 | length = (int) read(notifyFd, buff, 8192);
|
---|
1130 | if (length < 0) {
|
---|
1131 | WOLFSSL_MSG("notify read problem, continue");
|
---|
1132 | continue;
|
---|
1133 | }
|
---|
1134 |
|
---|
1135 | if (SwapLists(crl) < 0) {
|
---|
1136 | WOLFSSL_MSG("SwapLists problem, continue");
|
---|
1137 | }
|
---|
1138 | }
|
---|
1139 |
|
---|
1140 | #ifdef WOLFSSL_SMALL_STACK
|
---|
1141 | XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
1142 | #endif
|
---|
1143 |
|
---|
1144 | if (wd > 0)
|
---|
1145 | inotify_rm_watch(notifyFd, wd);
|
---|
1146 | close(crl->mfd);
|
---|
1147 | close(notifyFd);
|
---|
1148 |
|
---|
1149 | return NULL;
|
---|
1150 | }
|
---|
1151 |
|
---|
1152 | #endif /* MACH or linux */
|
---|
1153 |
|
---|
1154 |
|
---|
1155 | /* Start Monitoring the CRL path(s) in a thread */
|
---|
1156 | static int StartMonitorCRL(WOLFSSL_CRL* crl)
|
---|
1157 | {
|
---|
1158 | int ret = WOLFSSL_SUCCESS;
|
---|
1159 |
|
---|
1160 | WOLFSSL_ENTER("StartMonitorCRL");
|
---|
1161 |
|
---|
1162 | if (crl == NULL)
|
---|
1163 | return BAD_FUNC_ARG;
|
---|
1164 |
|
---|
1165 | if (crl->tid != 0) {
|
---|
1166 | WOLFSSL_MSG("Monitor thread already running");
|
---|
1167 | return ret; /* that's ok, someone already started */
|
---|
1168 | }
|
---|
1169 |
|
---|
1170 | if (pthread_create(&crl->tid, NULL, DoMonitor, crl) != 0) {
|
---|
1171 | WOLFSSL_MSG("Thread creation error");
|
---|
1172 | return THREAD_CREATE_E;
|
---|
1173 | }
|
---|
1174 |
|
---|
1175 | /* wait for setup to complete */
|
---|
1176 | if (wc_LockMutex(&crl->crlLock) != 0) {
|
---|
1177 | WOLFSSL_MSG("wc_LockMutex crlLock error");
|
---|
1178 | return BAD_MUTEX_E;
|
---|
1179 | }
|
---|
1180 |
|
---|
1181 | while (crl->setup == 0) {
|
---|
1182 | if (pthread_cond_wait(&crl->cond, &crl->crlLock) != 0) {
|
---|
1183 | ret = BAD_COND_E;
|
---|
1184 | break;
|
---|
1185 | }
|
---|
1186 | }
|
---|
1187 |
|
---|
1188 | if (crl->setup < 0)
|
---|
1189 | ret = crl->setup; /* store setup error */
|
---|
1190 |
|
---|
1191 | wc_UnLockMutex(&crl->crlLock);
|
---|
1192 |
|
---|
1193 | if (ret < 0) {
|
---|
1194 | WOLFSSL_MSG("DoMonitor setup failure");
|
---|
1195 | crl->tid = 0; /* thread already done */
|
---|
1196 | }
|
---|
1197 |
|
---|
1198 | return ret;
|
---|
1199 | }
|
---|
1200 |
|
---|
1201 |
|
---|
1202 | #else /* HAVE_CRL_MONITOR */
|
---|
1203 |
|
---|
1204 | #if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
|
---|
1205 |
|
---|
1206 | static int StartMonitorCRL(WOLFSSL_CRL* crl)
|
---|
1207 | {
|
---|
1208 | (void)crl;
|
---|
1209 |
|
---|
1210 | WOLFSSL_ENTER("StartMonitorCRL");
|
---|
1211 | WOLFSSL_MSG("Not compiled in");
|
---|
1212 |
|
---|
1213 | return NOT_COMPILED_IN;
|
---|
1214 | }
|
---|
1215 |
|
---|
1216 | #endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */
|
---|
1217 |
|
---|
1218 | #endif /* HAVE_CRL_MONITOR */
|
---|
1219 |
|
---|
1220 | #if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
|
---|
1221 |
|
---|
1222 | /* Load CRL path files of type, WOLFSSL_SUCCESS on ok */
|
---|
1223 | int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
|
---|
1224 | {
|
---|
1225 | int ret = WOLFSSL_SUCCESS;
|
---|
1226 | char* name = NULL;
|
---|
1227 | #ifdef WOLFSSL_SMALL_STACK
|
---|
1228 | ReadDirCtx* readCtx = NULL;
|
---|
1229 | #else
|
---|
1230 | ReadDirCtx readCtx[1];
|
---|
1231 | #endif
|
---|
1232 |
|
---|
1233 | WOLFSSL_ENTER("LoadCRL");
|
---|
1234 | if (crl == NULL)
|
---|
1235 | return BAD_FUNC_ARG;
|
---|
1236 |
|
---|
1237 | #ifdef WOLFSSL_SMALL_STACK
|
---|
1238 | readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), crl->heap,
|
---|
1239 | DYNAMIC_TYPE_TMP_BUFFER);
|
---|
1240 | if (readCtx == NULL)
|
---|
1241 | return MEMORY_E;
|
---|
1242 | #endif
|
---|
1243 |
|
---|
1244 | /* try to load each regular file in path */
|
---|
1245 | ret = wc_ReadDirFirst(readCtx, path, &name);
|
---|
1246 | while (ret == 0 && name) {
|
---|
1247 | int skip = 0;
|
---|
1248 | if (type == WOLFSSL_FILETYPE_PEM) {
|
---|
1249 | if (XSTRSTR(name, ".pem") == NULL) {
|
---|
1250 | WOLFSSL_MSG("not .pem file, skipping");
|
---|
1251 | skip = 1;
|
---|
1252 | }
|
---|
1253 | }
|
---|
1254 | else {
|
---|
1255 | if (XSTRSTR(name, ".der") == NULL &&
|
---|
1256 | XSTRSTR(name, ".crl") == NULL)
|
---|
1257 | {
|
---|
1258 | WOLFSSL_MSG("not .der or .crl file, skipping");
|
---|
1259 | skip = 1;
|
---|
1260 | }
|
---|
1261 | }
|
---|
1262 |
|
---|
1263 | if (!skip && ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl,
|
---|
1264 | VERIFY) != WOLFSSL_SUCCESS) {
|
---|
1265 | WOLFSSL_MSG("CRL file load failed, continuing");
|
---|
1266 | }
|
---|
1267 |
|
---|
1268 | ret = wc_ReadDirNext(readCtx, path, &name);
|
---|
1269 | }
|
---|
1270 | wc_ReadDirClose(readCtx);
|
---|
1271 | ret = WOLFSSL_SUCCESS; /* load failures not reported, for backwards compat */
|
---|
1272 |
|
---|
1273 | #ifdef WOLFSSL_SMALL_STACK
|
---|
1274 | XFREE(readCtx, crl->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
1275 | #endif
|
---|
1276 |
|
---|
1277 | if (monitor & WOLFSSL_CRL_MONITOR) {
|
---|
1278 | word32 pathLen;
|
---|
1279 | char* pathBuf;
|
---|
1280 |
|
---|
1281 | WOLFSSL_MSG("monitor path requested");
|
---|
1282 |
|
---|
1283 | pathLen = (word32)XSTRLEN(path);
|
---|
1284 | pathBuf = (char*)XMALLOC(pathLen+1, crl->heap,DYNAMIC_TYPE_CRL_MONITOR);
|
---|
1285 | if (pathBuf) {
|
---|
1286 | XSTRNCPY(pathBuf, path, pathLen+1);
|
---|
1287 |
|
---|
1288 | if (type == WOLFSSL_FILETYPE_PEM) {
|
---|
1289 | /* free old path before setting a new one */
|
---|
1290 | if (crl->monitors[0].path) {
|
---|
1291 | XFREE(crl->monitors[0].path, crl->heap,
|
---|
1292 | DYNAMIC_TYPE_CRL_MONITOR);
|
---|
1293 | }
|
---|
1294 | crl->monitors[0].path = pathBuf;
|
---|
1295 | crl->monitors[0].type = WOLFSSL_FILETYPE_PEM;
|
---|
1296 | } else {
|
---|
1297 | /* free old path before setting a new one */
|
---|
1298 | if (crl->monitors[1].path) {
|
---|
1299 | XFREE(crl->monitors[1].path, crl->heap,
|
---|
1300 | DYNAMIC_TYPE_CRL_MONITOR);
|
---|
1301 | }
|
---|
1302 | crl->monitors[1].path = pathBuf;
|
---|
1303 | crl->monitors[1].type = WOLFSSL_FILETYPE_ASN1;
|
---|
1304 | }
|
---|
1305 |
|
---|
1306 | if (monitor & WOLFSSL_CRL_START_MON) {
|
---|
1307 | WOLFSSL_MSG("start monitoring requested");
|
---|
1308 |
|
---|
1309 | ret = StartMonitorCRL(crl);
|
---|
1310 | }
|
---|
1311 | }
|
---|
1312 | else {
|
---|
1313 | ret = MEMORY_E;
|
---|
1314 | }
|
---|
1315 | }
|
---|
1316 |
|
---|
1317 | return ret;
|
---|
1318 | }
|
---|
1319 |
|
---|
1320 | #else
|
---|
1321 | int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
|
---|
1322 | {
|
---|
1323 | (void)crl;
|
---|
1324 | (void)path;
|
---|
1325 | (void)type;
|
---|
1326 | (void)monitor;
|
---|
1327 |
|
---|
1328 | /* stub for scenario where file system is not supported */
|
---|
1329 | return NOT_COMPILED_IN;
|
---|
1330 | }
|
---|
1331 | #endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */
|
---|
1332 |
|
---|
1333 | #endif /* HAVE_CRL */
|
---|
1334 | #endif /* !WOLFCRYPT_ONLY */
|
---|