feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

renumbered new error codes and dynamic data types

Browse Source
This commit is contained in:
John Safranek
2012-05-24 14:36:40 -07:00
parent e8e575fd58 baddc07300
commit 0a31dc3a37
17 changed files with 362 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile.am
View File

@ -21,10 +21,6 @@ exampledir = $(docdir)/@PACKAGE@/example
example_DATA=
EXTRA_DIST+= $(example_DATA)
certsdir = $(sysconfdir)/ssl/certs
certs_DATA=
EXTRA_DIST+= $(certs_DATA)
EXTRA_DIST+= $(doc_DATA)
ACLOCAL_AMFLAGS= -I m4 --install

5
certs/crl/include.am
View File

@ -2,12 +2,11 @@
# All paths should be given relative to the root
#
certs_DATA+= \
EXTRA_DIST += \
certs/crl/crl.pem \
certs/crl/cliCrl.pem
certs_DATA+= \
EXTRA_DIST += \
certs/crl/crl.revoked
EXTRA_DIST+= ${certs_DATA}

5
certs/include.am
View File

@ -2,7 +2,7 @@
# All paths should be given relative to the root
#
certs_DATA+= \
EXTRA_DIST += \
certs/ca-cert.pem \
certs/ca-key.pem \
certs/client-cert.pem \
@ -23,7 +23,7 @@ certs_DATA+= \
certs/server-keyPkcs8Enc.pem \
certs/server-keyPkcs8.pem
certs_DATA+= \
EXTRA_DIST += \
certs/ca-key.der \
certs/client-cert.der \
certs/client-key.der \
@ -32,7 +32,6 @@ certs_DATA+= \
certs/dsa2048.der \
certs/ecc-key.der
EXTRA_DIST+= ${certs_DATA}
doc_DATA+= certs/taoCert.txt

2
configure.ac
View File

@ -500,7 +500,7 @@ AC_ARG_ENABLE(crl,
if test "$ENABLED_CRL" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL -DHAVE_CRL_MONITOR"
fi
AM_CONDITIONAL([BUILD_CRL], [test "x$ENABLED_CRL" = "xyes"])

18
ctaocrypt/src/asn.c
View File

@ -1538,7 +1538,7 @@ static INLINE int DateLessThan(const struct tm* a, const struct tm* b)
/* like atoi but only use first byte */
/* Make sure before and after dates are valid */
static int ValidateDate(const byte* date, byte format, int dateType)
int ValidateDate(const byte* date, byte format, int dateType)
{
time_t ltime;
struct tm certTime;
@ -4652,15 +4652,16 @@ static int GetNameHash(const byte* source, word32* idx, byte* hash, int maxIdx)
/* Get raw Date only, no processing, 0 on success */
static int GetBasicDate(const byte* source, word32* idx, byte* date, int maxIdx)
static int GetBasicDate(const byte* source, word32* idx, byte* date,
byte* format, int maxIdx)
{
int length;
byte b = source[*idx];
CYASSL_ENTER("GetBasicDate");
*format = source[*idx];
*idx += 1;
if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME)
if (*format != ASN_UTC_TIME && *format != ASN_GENERALIZED_TIME)
return ASN_TIME_E;
if (GetLength(source, idx, &length, maxIdx) < 0)
@ -4815,12 +4816,17 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz)
if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0)
return ASN_PARSE_E;
if (GetBasicDate(buff, &idx, dcrl->lastDate, sz) < 0)
if (GetBasicDate(buff, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0)
return ASN_PARSE_E;
if (GetBasicDate(buff, &idx, dcrl->nextDate, sz) < 0)
if (GetBasicDate(buff, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0)
return ASN_PARSE_E;
if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
CYASSL_MSG("CRL after date is no longer valid");
return ASN_AFTER_DATE_E;
}
if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) {
if (GetSequence(buff, &idx, &len, sz) < 0)
return ASN_PARSE_E;

3
cyassl/ctaocrypt/asn.h
View File

@ -297,6 +297,7 @@ CYASSL_LOCAL void FreeSigners(Signer*, void*);
CYASSL_LOCAL int ToTraditional(byte* buffer, word32 length);
CYASSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*, int);
CYASSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType);
#ifdef HAVE_ECC
/* ASN sig helpers */
@ -436,6 +437,8 @@ struct DecodedCRL {
byte crlHash[MD5_DIGEST_SIZE]; /* raw crl data hash */
byte lastDate[MAX_DATE_SIZE]; /* last date updated */
byte nextDate[MAX_DATE_SIZE]; /* next update date */
byte lastDateFormat; /* format of last date */
byte nextDateFormat; /* format of next date */
RevokedCert* certs; /* revoked cert list */
int totalCerts; /* number on list */
};

5
cyassl/ctaocrypt/types.h
View File

@ -206,8 +206,9 @@ enum {
DYNAMIC_TYPE_REVOKED = 23,
DYNAMIC_TYPE_CRL_ENTRY = 24,
DYNAMIC_TYPE_CERT_MANAGER = 25,
DYNAMIC_TYPE_CERT_STATUS = 26, /* OCSP Certificate Status */
DYNAMIC_TYPE_OCSP_ENTRY = 27 /* OCSP CA Entry */
DYNAMIC_TYPE_CRL_MONITOR = 26,
DYNAMIC_TYPE_OCSP_STATUS = 27,
DYNAMIC_TYPE_OCSP_ENTRY = 28
};
/* stack protection */

8
cyassl/error.h
View File

@ -95,9 +95,11 @@ enum CyaSSL_ErrorCodes {
OCSP_CERT_REVOKED = -260, /* OCSP Certificate revoked */
CRL_CERT_REVOKED = -261, /* CRL Certificate revoked */
CRL_MISSING = -262, /* CRL Not loaded */
OCSP_NEED_URL = -263, /* OCSP need an URL for lookup */
OCSP_CERT_UNKNOWN = -264, /* OCSP responder doesn't know */
OCSP_LOOKUP_FAIL = -265, /* OCSP lookup not successful */
MONITOR_RUNNING_E = -263, /* CRL Monitor already running */
THREAD_CREATE_E = -264, /* Thread Create Error */
OCSP_NEED_URL = -265, /* OCSP need an URL for lookup */
OCSP_CERT_UNKNOWN = -266, /* OCSP responder doesn't know */
OCSP_LOOKUP_FAIL = -267, /* OCSP lookup not successful */
/* add strings to SetErrorString !!!!! */
/* begin negotiation parameter errors */

15
cyassl/internal.h
View File

@ -633,16 +633,31 @@ struct CRL_Entry {
byte crlHash[MD5_DIGEST_SIZE]; /* raw crl data hash */
byte lastDate[MAX_DATE_SIZE]; /* last date updated */
byte nextDate[MAX_DATE_SIZE]; /* next update date */
byte lastDateFormat; /* last date format */
byte nextDateFormat; /* next date format */
RevokedCert* certs; /* revoked cert list */
int totalCerts; /* number on list */
};
typedef struct CRL_Monitor CRL_Monitor;
/* CRL directory monitor */
struct CRL_Monitor {
char* path; /* full dir path, if valid pointer we're using */
int type; /* PEM or ASN1 type */
};
/* CyaSSL CRL controller */
struct CYASSL_CRL {
CYASSL_CERT_MANAGER* cm; /* pointer back to cert manager */
CRL_Entry* crlList; /* our CRL list */
CyaSSL_Mutex crlLock; /* CRL list lock */
CRL_Monitor monitors[2]; /* PEM and DER possible */
#ifdef HAVE_CRL_MONITOR
pthread_t tid; /* monitoring thread */
#endif
};

3
cyassl/ssl.h
View File

@ -807,7 +807,8 @@ CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx);
CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int);
CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL);
#define CYASSL_CRL_MONITOR 0x01 /* monitor this dir flag */
#define CYASSL_CRL_START_MON 0x02 /* start monitoring flag */
#ifdef CYASSL_CALLBACKS

2
cyassl/test.h
View File

@ -577,7 +577,7 @@ static int myVerify(int preverify, CYASSL_X509_STORE_CTX* store)
#ifdef HAVE_CRL
static void CRL_CallBack(char* url)
static void CRL_CallBack(const char* url)
{
printf("CRL callback url = %s\n", url);
}

2
examples/client/client.c
View File

@ -208,7 +208,7 @@ void client_test(void* args)
ssl = CyaSSL_new(ctx);
CyaSSL_set_fd(ssl, sockfd);
#ifdef HAVE_CRL
CyaSSL_EnableCRL(ssl, 0);
CyaSSL_EnableCRL(ssl, CYASSL_CRL_CHECKALL);
CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0);
CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
#endif

6
examples/server/server.c
View File

@ -147,6 +147,12 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#endif /* NO_FILESYSTEM */
ssl = SSL_new(ctx);
#ifdef HAVE_CRL
CyaSSL_EnableCRL(ssl, 0);
CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, CYASSL_CRL_MONITOR |
CYASSL_CRL_START_MON);
CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
#endif
tcp_accept(&sockfd, &clientfd, (func_args*)args);
#ifndef CYASSL_DTLS
CloseSocket(sockfd);

302
src/crl.c
View File

@ -40,6 +40,11 @@ int InitCRL(CYASSL_CRL* crl, CYASSL_CERT_MANAGER* cm)
crl->cm = cm;
crl->crlList = NULL;
crl->monitors[0].path = NULL;
crl->monitors[1].path = NULL;
#ifdef HAVE_CRL_MONITOR
crl->tid = 0;
#endif
if (InitMutex(&crl->crlLock) != 0)
return BAD_MUTEX_ERROR;
@ -56,6 +61,8 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl)
XMEMCPY(crle->crlHash, dcrl->crlHash, MD5_DIGEST_SIZE);
XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
crle->lastDateFormat = dcrl->lastDateFormat;
crle->nextDateFormat = dcrl->nextDateFormat;
crle->certs = dcrl->certs; /* take ownsership */
dcrl->certs = NULL;
@ -88,6 +95,12 @@ void FreeCRL(CYASSL_CRL* crl)
CYASSL_ENTER("FreeCRL");
if (crl->monitors[0].path)
XFREE(crl->monitors[0].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);
if (crl->monitors[1].path)
XFREE(crl->monitors[1].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);
while(tmp) {
CRL_Entry* next = tmp->next;
FreeCRL_Entry(tmp);
@ -95,6 +108,12 @@ void FreeCRL(CYASSL_CRL* crl)
tmp = next;
}
#ifdef HAVE_CRL_MONITOR
if (crl->tid != 0) {
CYASSL_MSG("Canceling monitor thread");
pthread_cancel(crl->tid);
}
#endif
FreeMutex(&crl->crlLock);
}
@ -102,27 +121,34 @@ void FreeCRL(CYASSL_CRL* crl)
/* Is the cert ok with CRL, return 0 on success */
int CheckCertCRL(CYASSL_CRL* crl, DecodedCert* cert)
{
CRL_Entry* crle;
int foundEntry = 0;
int revoked = 0;
int ret = 0;
CRL_Entry* crle;
int foundEntry = 0;
int revoked = 0;
int ret = 0;
CYASSL_ENTER("CheckCertCRL");
CYASSL_ENTER("CheckCertCRL");
if (LockMutex(&crl->crlLock) != 0) {
CYASSL_MSG("LockMutex failed");
return BAD_MUTEX_ERROR;
}
if (LockMutex(&crl->crlLock) != 0) {
CYASSL_MSG("LockMutex failed");
return BAD_MUTEX_ERROR;
}
crle = crl->crlList;
crle = crl->crlList;
while (crle) {
if (XMEMCMP(crle->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0) {
CYASSL_MSG("Found CRL Entry on list");
foundEntry = 1;
break;
CYASSL_MSG("Checking next date validity");
if (!ValidateDate(crle->nextDate, crle->nextDateFormat, AFTER)) {
CYASSL_MSG("CRL next date is no longer valid");
ret = ASN_AFTER_DATE_E;
}
else
foundEntry = 1;
break;
}
crle = crle->next;
crle = crle->next;
}
if (foundEntry) {
@ -251,6 +277,227 @@ int BufferLoadCRL(CYASSL_CRL* crl, const byte* buff, long sz, int type)
}
#ifdef HAVE_CRL_MONITOR
/* read in new CRL entries and save new list */
static int SwapLists(CYASSL_CRL* crl)
{
int ret;
CYASSL_CRL tmp;
CRL_Entry* newList;
if (InitCRL(&tmp, crl->cm) < 0) {
CYASSL_MSG("Init tmp CRL failed");
return -1;
}
if (crl->monitors[0].path) {
ret = LoadCRL(&tmp, crl->monitors[0].path, SSL_FILETYPE_PEM, 0);
if (ret != SSL_SUCCESS) {
CYASSL_MSG("PEM LoadCRL on dir change failed");
FreeCRL(&tmp);
return -1;
}
}
if (crl->monitors[1].path) {
ret = LoadCRL(&tmp, crl->monitors[1].path, SSL_FILETYPE_ASN1, 0);
if (ret != SSL_SUCCESS) {
CYASSL_MSG("DER LoadCRL on dir change failed");
FreeCRL(&tmp);
return -1;
}
}
if (LockMutex(&crl->crlLock) != 0) {
CYASSL_MSG("LockMutex failed");
FreeCRL(&tmp);
return -1;
}
newList = tmp.crlList;
/* swap lists */
tmp.crlList = crl->crlList;
crl->crlList = newList;
UnLockMutex(&crl->crlLock);
FreeCRL(&tmp);
return 0;
}
#ifdef __MACH__
#include <sys/event.h>
#include <sys/time.h>
#include <fcntl.h>
/* OS X monitoring */
static void* DoMonitor(void* arg)
{
int fPEM, fDER, kq;
struct kevent change;
CYASSL_CRL* crl = (CYASSL_CRL*)arg;
CYASSL_ENTER("DoMonitor");
kq = kqueue();
if (kq == -1) {
CYASSL_MSG("kqueue failed");
return NULL;
}
fPEM = -1;
fDER = -1;
if (crl->monitors[0].path) {
fPEM = open(crl->monitors[0].path, O_EVTONLY);
if (fPEM == -1) {
CYASSL_MSG("PEM event dir open failed");
return NULL;
}
}
if (crl->monitors[1].path) {
fDER = open(crl->monitors[1].path, O_EVTONLY);
if (fDER == -1) {
CYASSL_MSG("DER event dir open failed");
return NULL;
}
}
if (fPEM != -1)
EV_SET(&change, fPEM, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
if (fDER != -1)
EV_SET(&change, fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
for (;;) {
struct kevent event;
int numEvents = kevent(kq, &change, 1, &event, 1, NULL);
CYASSL_MSG("Got kevent");
if (numEvents == -1) {
CYASSL_MSG("kevent problem, continue");
continue;
}
if (SwapLists(crl) < 0) {
CYASSL_MSG("SwapLists problem, continue");
}
}
return NULL;
}
#elif __linux__
#include <sys/types.h>
#include <sys/inotify.h>
#include <unistd.h>
/* linux monitoring */
static void* DoMonitor(void* arg)
{
int notifyFd;
int wd;
CYASSL_CRL* crl = (CYASSL_CRL*)arg;
CYASSL_ENTER("DoMonitor");
notifyFd = inotify_init();
if (notifyFd < 0) {
CYASSL_MSG("inotify failed");
return NULL;
}
if (crl->monitors[0].path) {
wd = inotify_add_watch(notifyFd, crl->monitors[0].path, IN_CLOSE_WRITE |
IN_DELETE);
if (wd < 0) {
CYASSL_MSG("PEM notify add watch failed");
return NULL;
}
}
if (crl->monitors[1].path) {
wd = inotify_add_watch(notifyFd, crl->monitors[1].path, IN_CLOSE_WRITE |
IN_DELETE);
if (wd < 0) {
CYASSL_MSG("DER notify add watch failed");
return NULL;
}
}
for (;;) {
char buffer[8192];
int length = read(notifyFd, buffer, sizeof(buffer));
CYASSL_MSG("Got notify event");
if (length < 0) {
CYASSL_MSG("notify read problem, continue");
continue;
}
if (SwapLists(crl) < 0) {
CYASSL_MSG("SwapLists problem, continue");
}
}
return NULL;
}
#endif /* MACH or linux */
/* Start Monitoring the CRL path(s) in a thread */
int StartMonitorCRL(CYASSL_CRL* crl)
{
pthread_attr_t attr;
CYASSL_ENTER("StartMonitorCRL");
if (crl == NULL)
return BAD_FUNC_ARG;
if (crl->tid != 0) {
CYASSL_MSG("Monitor thread already running");
return MONITOR_RUNNING_E;
}
pthread_attr_init(&attr);
if (pthread_create(&crl->tid, &attr, DoMonitor, crl) != 0) {
CYASSL_MSG("Thread creation error");
return THREAD_CREATE_E;
}
return SSL_SUCCESS;
}
#else /* HAVE_CRL_MONITOR */
int StartMonitorCRL(CYASSL_CRL* crl)
{
return NOT_COMPILED_IN;
}
#endif /* HAVE_CRL_MONITOR */
/* Load CRL path files of type, SSL_SUCCESS on ok */
int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor)
{
@ -267,7 +514,7 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor)
CYASSL_MSG("opendir path crl load failed");
return BAD_PATH_ERROR;
}
while ( ret == SSL_SUCCESS && (entry = readdir(dir)) != NULL) {
while ( (entry = readdir(dir)) != NULL) {
if (entry->d_type & DT_REG) {
char name[MAX_FILENAME_SZ];
@ -291,15 +538,36 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor)
XSTRNCAT(name, "/", 1);
XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2);
ret = ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl);
if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl)
!= SSL_SUCCESS) {
CYASSL_MSG("CRL file load failed, continuing");
}
}
}
if (monitor) {
if (monitor & CYASSL_CRL_MONITOR) {
CYASSL_MSG("monitor path requested");
if (type == SSL_FILETYPE_PEM) {
crl->monitors[0].path = strdup(path);
crl->monitors[0].type = SSL_FILETYPE_PEM;
if (crl->monitors[0].path == NULL)
ret = MEMORY_E;
} else {
crl->monitors[1].path = strdup(path);
crl->monitors[1].type = SSL_FILETYPE_ASN1;
if (crl->monitors[1].path == NULL)
ret = MEMORY_E;
}
if (monitor & CYASSL_CRL_START_MON) {
CYASSL_MSG("start monitoring requested");
ret = StartMonitorCRL(crl);
}
}
return SSL_SUCCESS;
return ret;
}
#endif /* HAVE_CRL */

2
src/include.am
View File

@ -72,5 +72,7 @@ endif
if BUILD_CRL
src_libcyassl_la_SOURCES += src/crl.c
src_libcyassl_la_CFLAGS += $(PTHREAD_CFLAGS)
src_libcyassl_la_LIBADD += $(PTHREAD_LIBS)
endif

26
src/internal.c
View File

@ -1628,11 +1628,9 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
ssl->ctx->cm);
if (ret == 0 && dCert.isCA == 0) {
CYASSL_MSG("Chain cert is not a CA, not adding as one");
(void)ret;
}
else if (ret == 0 && ssl->options.verifyNone) {
CYASSL_MSG("Chain cert not verified by option, not adding as CA");
(void)ret;
}
else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, dCert.subjectHash)) {
buffer add;
@ -1651,13 +1649,22 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
}
else if (ret != 0) {
CYASSL_MSG("Failed to verify CA from chain");
(void)ret;
}
else {
CYASSL_MSG("Verified CA from chain and already had it");
(void)ret;
}
#ifdef HAVE_CRL
if (ret == 0 && ssl->ctx->cm->crlEnabled && ssl->ctx->cm->crlCheckAll) {
CYASSL_MSG("Doing Non Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert);
if (ret != 0) {
CYASSL_MSG("\tCRL check not ok");
}
}
#endif /* HAVE_CRL */
if (ret != 0 && anyError == 0)
anyError = ret; /* save error from last time */
@ -1705,7 +1712,8 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
#endif
#ifdef HAVE_CRL
if (ssl->ctx->cm->crlEnabled) {
if (fatal == 0 && ssl->ctx->cm->crlEnabled) {
CYASSL_MSG("Doing Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert);
if (ret != 0) {
@ -3530,6 +3538,14 @@ void SetErrorString(int error, char* str)
XSTRNCPY(str, "CRL missing, not loaded", max);
break;
case MONITOR_RUNNING_E:
XSTRNCPY(str, "CRL monitor already running", max);
break;
case THREAD_CREATE_E:
XSTRNCPY(str, "Thread creation problem", max);
break;
case OCSP_NEED_URL:
XSTRNCPY(str, "OCSP need URL", max);
break;

2
src/ssl.c
View File

@ -1474,7 +1474,7 @@ int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER* cm, byte* der, int sz)
int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER* cm, CbMissingCRL cb)
{
CYASSL_ENTER("CyaSSL_CertManagerLoadCRL");
CYASSL_ENTER("CyaSSL_CertManagerSetCRL_Cb");
if (cm == NULL)
return BAD_FUNC_ARG;