3 * Copyright (C) 2006-2015 wolfSSL Inc.
5 * This file is part of wolfSSL. (formerly known as CyaSSL)
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
22 /* Name change compatibility layer no longer needs included here */
28 #include <wolfssl/wolfcrypt/settings.h>
32 #include <wolfssl/internal.h>
33 #include <wolfssl/error-ssl.h>
39 #ifdef HAVE_CRL_MONITOR
40 static int StopMonitor(int mfd);
44 /* Initialze CRL members */
45 int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
47 WOLFSSL_ENTER("InitCRL");
51 crl->monitors[0].path = NULL;
52 crl->monitors[1].path = NULL;
53 #ifdef HAVE_CRL_MONITOR
55 crl->mfd = -1; /* mfd for bsd is kqueue fd, eventfd for linux */
57 if (InitMutex(&crl->crlLock) != 0)
64 /* Initialze CRL Entry */
65 static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl)
67 WOLFSSL_ENTER("InitCRL_Entry");
69 XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE);
70 /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
71 * copy the hash here if needed for optimized comparisons */
72 XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
73 XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
74 crle->lastDateFormat = dcrl->lastDateFormat;
75 crle->nextDateFormat = dcrl->nextDateFormat;
77 crle->certs = dcrl->certs; /* take ownsership */
79 crle->totalCerts = dcrl->totalCerts;
85 /* Free all CRL Entry resources */
86 static void FreeCRL_Entry(CRL_Entry* crle)
88 RevokedCert* tmp = crle->certs;
90 WOLFSSL_ENTER("FreeCRL_Entry");
93 RevokedCert* next = tmp->next;
94 XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED);
101 /* Free all CRL resources */
102 void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
104 CRL_Entry* tmp = crl->crlList;
106 WOLFSSL_ENTER("FreeCRL");
108 if (crl->monitors[0].path)
109 XFREE(crl->monitors[0].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);
111 if (crl->monitors[1].path)
112 XFREE(crl->monitors[1].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);
115 CRL_Entry* next = tmp->next;
117 XFREE(tmp, NULL, DYNAMIC_TYPE_CRL_ENTRY);
121 #ifdef HAVE_CRL_MONITOR
123 WOLFSSL_MSG("stopping monitor thread");
124 if (StopMonitor(crl->mfd) == 0)
125 pthread_join(crl->tid, NULL);
127 WOLFSSL_MSG("stop monitor failed, cancel instead");
128 pthread_cancel(crl->tid);
132 FreeMutex(&crl->crlLock);
133 if (dynamic) /* free self */
134 XFREE(crl, NULL, DYNAMIC_TYPE_CRL);
138 /* Is the cert ok with CRL, return 0 on success */
139 int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
145 WOLFSSL_ENTER("CheckCertCRL");
147 if (LockMutex(&crl->crlLock) != 0) {
148 WOLFSSL_MSG("LockMutex failed");
155 if (XMEMCMP(crle->issuerHash, cert->issuerHash, CRL_DIGEST_SIZE) == 0) {
156 WOLFSSL_MSG("Found CRL Entry on list");
157 WOLFSSL_MSG("Checking next date validity");
159 if (!ValidateDate(crle->nextDate, crle->nextDateFormat, AFTER)) {
160 WOLFSSL_MSG("CRL next date is no longer valid");
161 ret = ASN_AFTER_DATE_E;
171 RevokedCert* rc = crle->certs;
174 if (XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
175 WOLFSSL_MSG("Cert revoked");
176 ret = CRL_CERT_REVOKED;
183 UnLockMutex(&crl->crlLock);
185 if (foundEntry == 0) {
186 WOLFSSL_MSG("Couldn't find CRL for status check");
188 if (crl->cm->cbMissingCRL) {
191 WOLFSSL_MSG("Issuing missing CRL callback");
193 if (cert->extCrlInfoSz < (int)sizeof(url) -1 ) {
194 XMEMCPY(url, cert->extCrlInfo, cert->extCrlInfoSz);
195 url[cert->extCrlInfoSz] = '\0';
198 WOLFSSL_MSG("CRL url too long");
200 crl->cm->cbMissingCRL(url);
209 /* Add Decoded CRL, 0 on success */
210 static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl)
214 WOLFSSL_ENTER("AddCRL");
216 crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), NULL, DYNAMIC_TYPE_CRL_ENTRY);
218 WOLFSSL_MSG("alloc CRL Entry failed");
222 if (InitCRL_Entry(crle, dcrl) < 0) {
223 WOLFSSL_MSG("Init CRL Entry failed");
224 XFREE(crle, NULL, DYNAMIC_TYPE_CRL_ENTRY);
228 if (LockMutex(&crl->crlLock) != 0) {
229 WOLFSSL_MSG("LockMutex failed");
231 XFREE(crle, NULL, DYNAMIC_TYPE_CRL_ENTRY);
234 crle->next = crl->crlList;
236 UnLockMutex(&crl->crlLock);
242 /* Load CRL File of type, SSL_SUCCESS on ok */
243 int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
245 int ret = SSL_SUCCESS;
246 const byte* myBuffer = buff; /* if DER ok, otherwise switch */
248 #ifdef WOLFSSL_SMALL_STACK
256 WOLFSSL_ENTER("BufferLoadCRL");
258 if (crl == NULL || buff == NULL || sz == 0)
261 if (type == SSL_FILETYPE_PEM) {
262 int eccKey = 0; /* not used */
266 ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey);
268 myBuffer = der.buffer;
272 WOLFSSL_MSG("Pem to Der failed");
277 #ifdef WOLFSSL_SMALL_STACK
278 dcrl = (DecodedCRL*)XMALLOC(sizeof(DecodedCRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
281 XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL);
287 InitDecodedCRL(dcrl);
288 ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
290 WOLFSSL_MSG("ParseCRL error");
293 ret = AddCRL(crl, dcrl);
295 WOLFSSL_MSG("AddCRL error");
299 FreeDecodedCRL(dcrl);
301 #ifdef WOLFSSL_SMALL_STACK
302 XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER);
306 XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL);
308 return ret ? ret : SSL_SUCCESS; /* convert 0 to SSL_SUCCESS */
312 #ifdef HAVE_CRL_MONITOR
315 /* read in new CRL entries and save new list */
316 static int SwapLists(WOLFSSL_CRL* crl)
320 #ifdef WOLFSSL_SMALL_STACK
326 #ifdef WOLFSSL_SMALL_STACK
327 tmp = (WOLFSSL_CRL*)XMALLOC(sizeof(WOLFSSL_CRL), NULL, DYNAMIC_TYPE_TMP_BUFFER);
332 if (InitCRL(tmp, crl->cm) < 0) {
333 WOLFSSL_MSG("Init tmp CRL failed");
334 #ifdef WOLFSSL_SMALL_STACK
335 XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
340 if (crl->monitors[0].path) {
341 ret = LoadCRL(tmp, crl->monitors[0].path, SSL_FILETYPE_PEM, 0);
342 if (ret != SSL_SUCCESS) {
343 WOLFSSL_MSG("PEM LoadCRL on dir change failed");
345 #ifdef WOLFSSL_SMALL_STACK
346 XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
352 if (crl->monitors[1].path) {
353 ret = LoadCRL(tmp, crl->monitors[1].path, SSL_FILETYPE_ASN1, 0);
354 if (ret != SSL_SUCCESS) {
355 WOLFSSL_MSG("DER LoadCRL on dir change failed");
357 #ifdef WOLFSSL_SMALL_STACK
358 XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
364 if (LockMutex(&crl->crlLock) != 0) {
365 WOLFSSL_MSG("LockMutex failed");
367 #ifdef WOLFSSL_SMALL_STACK
368 XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
373 newList = tmp->crlList;
376 tmp->crlList = crl->crlList;
377 crl->crlList = newList;
379 UnLockMutex(&crl->crlLock);
383 #ifdef WOLFSSL_SMALL_STACK
384 XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
391 #if (defined(__MACH__) || defined(__FreeBSD__))
393 #include <sys/types.h>
394 #include <sys/event.h>
395 #include <sys/time.h>
400 #define XEVENT_MODE O_EVTONLY
401 #elif defined(__FreeBSD__)
402 #define XEVENT_MODE EVFILT_VNODE
406 /* we need a unique kqueue user filter fd for crl in case user is doing custom
408 #ifndef CRL_CUSTOM_FD
409 #define CRL_CUSTOM_FD 123456
413 /* shutdown monitor thread, 0 on success */
414 static int StopMonitor(int mfd)
416 struct kevent change;
418 /* trigger custom shutdown */
419 EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, 0, NOTE_TRIGGER, 0, NULL);
420 if (kevent(mfd, &change, 1, NULL, 0, NULL) < 0) {
421 WOLFSSL_MSG("kevent trigger customer event failed");
429 /* OS X monitoring */
430 static void* DoMonitor(void* arg)
433 struct kevent change;
435 WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;
437 WOLFSSL_ENTER("DoMonitor");
440 if (crl->mfd == -1) {
441 WOLFSSL_MSG("kqueue failed");
445 /* listen for custom shutdown event */
446 EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, EV_ADD, 0, 0, NULL);
447 if (kevent(crl->mfd, &change, 1, NULL, 0, NULL) < 0) {
448 WOLFSSL_MSG("kevent monitor customer event failed");
456 if (crl->monitors[0].path) {
457 fPEM = open(crl->monitors[0].path, XEVENT_MODE);
459 WOLFSSL_MSG("PEM event dir open failed");
465 if (crl->monitors[1].path) {
466 fDER = open(crl->monitors[1].path, XEVENT_MODE);
468 WOLFSSL_MSG("DER event dir open failed");
475 EV_SET(&change, fPEM, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
476 NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
479 EV_SET(&change, fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
480 NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
484 int numEvents = kevent(crl->mfd, &change, 1, &event, 1, NULL);
486 WOLFSSL_MSG("Got kevent");
488 if (numEvents == -1) {
489 WOLFSSL_MSG("kevent problem, continue");
493 if (event.filter == EVFILT_USER) {
494 WOLFSSL_MSG("Got user shutdown event, breaking out");
498 if (SwapLists(crl) < 0) {
499 WOLFSSL_MSG("SwapLists problem, continue");
514 #elif defined(__linux__)
516 #include <sys/types.h>
517 #include <sys/inotify.h>
518 #include <sys/eventfd.h>
523 static INLINE int max(int a, int b)
525 return a > b ? a : b;
530 /* shutdown monitor thread, 0 on success */
531 static int StopMonitor(int mfd)
535 /* write to our custom event */
536 if (write(mfd, &w64, sizeof(w64)) < 0) {
537 WOLFSSL_MSG("StopMonitor write failed");
545 /* linux monitoring */
546 static void* DoMonitor(void* arg)
550 WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg;
551 #ifdef WOLFSSL_SMALL_STACK
557 WOLFSSL_ENTER("DoMonitor");
559 crl->mfd = eventfd(0, 0); /* our custom shutdown event */
561 WOLFSSL_MSG("eventfd failed");
565 notifyFd = inotify_init();
567 WOLFSSL_MSG("inotify failed");
572 if (crl->monitors[0].path) {
573 wd = inotify_add_watch(notifyFd, crl->monitors[0].path, IN_CLOSE_WRITE |
576 WOLFSSL_MSG("PEM notify add watch failed");
583 if (crl->monitors[1].path) {
584 wd = inotify_add_watch(notifyFd, crl->monitors[1].path, IN_CLOSE_WRITE |
587 WOLFSSL_MSG("DER notify add watch failed");
594 #ifdef WOLFSSL_SMALL_STACK
595 buff = (char*)XMALLOC(8192, NULL, DYNAMIC_TYPE_TMP_BUFFER);
606 FD_SET(notifyFd, &readfds);
607 FD_SET(crl->mfd, &readfds);
609 result = select(max(notifyFd, crl->mfd) + 1, &readfds, NULL, NULL,NULL);
611 WOLFSSL_MSG("Got notify event");
614 WOLFSSL_MSG("select problem, continue");
618 if (FD_ISSET(crl->mfd, &readfds)) {
619 WOLFSSL_MSG("got custom shutdown event, breaking out");
623 length = read(notifyFd, buff, 8192);
625 WOLFSSL_MSG("notify read problem, continue");
629 if (SwapLists(crl) < 0) {
630 WOLFSSL_MSG("SwapLists problem, continue");
634 #ifdef WOLFSSL_SMALL_STACK
635 XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER);
639 inotify_rm_watch(notifyFd, wd);
649 #error "CRL monitor only currently supported on linux or mach"
651 #endif /* MACH or linux */
654 /* Start Monitoring the CRL path(s) in a thread */
655 static int StartMonitorCRL(WOLFSSL_CRL* crl)
659 WOLFSSL_ENTER("StartMonitorCRL");
665 WOLFSSL_MSG("Monitor thread already running");
666 return MONITOR_RUNNING_E;
669 pthread_attr_init(&attr);
671 if (pthread_create(&crl->tid, &attr, DoMonitor, crl) != 0) {
672 WOLFSSL_MSG("Thread creation error");
673 return THREAD_CREATE_E;
680 #else /* HAVE_CRL_MONITOR */
682 static int StartMonitorCRL(WOLFSSL_CRL* crl)
686 WOLFSSL_ENTER("StartMonitorCRL");
687 WOLFSSL_MSG("Not compiled in");
689 return NOT_COMPILED_IN;
692 #endif /* HAVE_CRL_MONITOR */
695 /* Load CRL path files of type, SSL_SUCCESS on ok */
696 int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
698 struct dirent* entry;
700 int ret = SSL_SUCCESS;
701 #ifdef WOLFSSL_SMALL_STACK
704 char name[MAX_FILENAME_SZ];
707 WOLFSSL_ENTER("LoadCRL");
713 WOLFSSL_MSG("opendir path crl load failed");
714 return BAD_PATH_ERROR;
717 #ifdef WOLFSSL_SMALL_STACK
718 name = (char*)XMALLOC(MAX_FILENAME_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
723 while ( (entry = readdir(dir)) != NULL) {
726 XMEMSET(name, 0, MAX_FILENAME_SZ);
727 XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2);
728 XSTRNCAT(name, "/", 1);
729 XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2);
731 if (stat(name, &s) != 0) {
732 WOLFSSL_MSG("stat on name failed");
735 if (s.st_mode & S_IFREG) {
737 if (type == SSL_FILETYPE_PEM) {
738 if (strstr(entry->d_name, ".pem") == NULL) {
739 WOLFSSL_MSG("not .pem file, skipping");
744 if (strstr(entry->d_name, ".der") == NULL &&
745 strstr(entry->d_name, ".crl") == NULL) {
747 WOLFSSL_MSG("not .der or .crl file, skipping");
752 if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl)
754 WOLFSSL_MSG("CRL file load failed, continuing");
759 #ifdef WOLFSSL_SMALL_STACK
760 XFREE(name, NULL, DYNAMIC_TYPE_TMP_BUFFER);
763 if (monitor & WOLFSSL_CRL_MONITOR) {
764 WOLFSSL_MSG("monitor path requested");
766 if (type == SSL_FILETYPE_PEM) {
767 crl->monitors[0].path = strdup(path);
768 crl->monitors[0].type = SSL_FILETYPE_PEM;
769 if (crl->monitors[0].path == NULL)
772 crl->monitors[1].path = strdup(path);
773 crl->monitors[1].type = SSL_FILETYPE_ASN1;
774 if (crl->monitors[1].path == NULL)
778 if (monitor & WOLFSSL_CRL_START_MON) {
779 WOLFSSL_MSG("start monitoring requested");
781 ret = StartMonitorCRL(crl);
790 #endif /* HAVE_CRL */