diff --git a/Makefile.am b/Makefile.am
index 95d4ead56..836266530 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,10 +21,6 @@ exampledir = $(docdir)/@PACKAGE@/example
 example_DATA=
 EXTRA_DIST+= $(example_DATA)
-certsdir = $(sysconfdir)/ssl/certs
-certs_DATA=
-EXTRA_DIST+= $(certs_DATA)
-
 EXTRA_DIST+= $(doc_DATA)
 ACLOCAL_AMFLAGS= -I m4 --install
diff --git a/certs/crl/include.am b/certs/crl/include.am
index b6d05261d..2f4a20ba9 100644
--- a/certs/crl/include.am
+++ b/certs/crl/include.am
@@ -2,12 +2,11 @@
 # All paths should be given relative to the root
 #
-certs_DATA+= \
+EXTRA_DIST += \
 certs/crl/crl.pem \
 certs/crl/cliCrl.pem
-certs_DATA+= \
+EXTRA_DIST += \
 certs/crl/crl.revoked
-EXTRA_DIST+= ${certs_DATA}
diff --git a/certs/include.am b/certs/include.am
index b32c2aaf0..a027c57b4 100644
--- a/certs/include.am
+++ b/certs/include.am
@@ -2,7 +2,7 @@
 # All paths should be given relative to the root
 #
-certs_DATA+= \
+EXTRA_DIST += \
 certs/ca-cert.pem \
 certs/ca-key.pem \
 certs/client-cert.pem \
@@ -23,7 +23,7 @@ certs_DATA+= \
 certs/server-keyPkcs8Enc.pem \
 certs/server-keyPkcs8.pem
-certs_DATA+= \
+EXTRA_DIST += \
 certs/ca-key.der \
 certs/client-cert.der \
 certs/client-key.der \
@@ -32,7 +32,6 @@ certs_DATA+= \
 certs/dsa2048.der \
 certs/ecc-key.der
-EXTRA_DIST+= ${certs_DATA}
 doc_DATA+= certs/taoCert.txt
diff --git a/configure.ac b/configure.ac
index ff8a15b3d..7a99cb230 100644
--- a/configure.ac
+++ b/configure.ac
@@ -500,7 +500,7 @@ AC_ARG_ENABLE(crl,
 if test "$ENABLED_CRL" = "yes"
 then
- AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL -DHAVE_CRL_MONITOR"
 fi
 AM_CONDITIONAL([BUILD_CRL], [test "x$ENABLED_CRL" = "xyes"])
diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c
index e55c8f1e3..18d27cdad 100644
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
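Review bot: The configure.ac hunk forces `-DHAVE_CRL_MONITOR` onto every --enable-crl build, but the code it enables in src/crl.c (same commit) only defines DoMonitor under `__MACH__` or `__linux__` and requires pthreads, so on any other host StartMonitorCRL refers to an undefined DoMonitor and crl.c no longer compiles. Gate the define behind the platform check or a dedicated option, e.g. an `AC_ARG_ENABLE(crlmonitor, ...)` that appends `-DHAVE_CRL_MONITOR` only when requested and PTHREAD_LIBS was detected. The unconditional `$(PTHREAD_CFLAGS)`/`$(PTHREAD_LIBS)` additions under BUILD_CRL in src/include.am should then be conditioned the same way rather than pulled into every CRL build.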
@@ -1538,7 +1538,7 @@ static INLINE int DateLessThan(const struct tm* a, const struct tm* b) /* like atoi but only use first byte */ /* Make sure before and after dates are valid */ -static int ValidateDate(const byte* date, byte format, int dateType) +int ValidateDate(const byte* date, byte format, int dateType) { time_t ltime; struct tm certTime; @@ -4652,15 +4652,16 @@ static int GetNameHash(const byte* source, word32* idx, byte* hash, int maxIdx) /* Get raw Date only, no processing, 0 on success */ -static int GetBasicDate(const byte* source, word32* idx, byte* date, int maxIdx) +static int GetBasicDate(const byte* source, word32* idx, byte* date, + byte* format, int maxIdx) { int length; - byte b = source[*idx]; CYASSL_ENTER("GetBasicDate"); + *format = source[*idx]; *idx += 1; - if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) + if (*format != ASN_UTC_TIME && *format != ASN_GENERALIZED_TIME) return ASN_TIME_E; if (GetLength(source, idx, &length, maxIdx) < 0) @@ -4815,12 +4816,17 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz) if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0) return ASN_PARSE_E; - if (GetBasicDate(buff, &idx, dcrl->lastDate, sz) < 0) + if (GetBasicDate(buff, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0) return ASN_PARSE_E; - if (GetBasicDate(buff, &idx, dcrl->nextDate, sz) < 0) + if (GetBasicDate(buff, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0) return ASN_PARSE_E; + if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) { + CYASSL_MSG("CRL after date is no longer valid"); + return ASN_AFTER_DATE_E; + } + if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) { if (GetSequence(buff, &idx, &len, sz) < 0) return ASN_PARSE_E; diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index 68a60d831..c0efa7506 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h 
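Review bot: The new check in ParseCRL validates only the AFTER bound of nextUpdate; thisUpdate (`dcrl->lastDate`) is now parsed together with its format but is never checked, so a CRL whose thisUpdate lies in the future is accepted as current. Mirror the new check with `if (!XVALIDATE_DATE(dcrl->lastDate, dcrl->lastDateFormat, BEFORE)) return ASN_BEFORE_DATE_E;`, assuming an ASN_BEFORE_DATE_E code exists alongside ASN_AFTER_DATE_E as it does for certificate dates (confirm in the error list, which is outside this diff). Note also that RFC 5280 makes nextUpdate optional while GetBasicDate is still called unconditionally for it; that limitation predates this commit, but since the new code turns a stale nextUpdate into a hard parse failure, a comment stating that a nextUpdate is required and must be in the future would make the policy explicit. ParseCRL's body continues outside the hunk.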
@@ -297,6 +297,7 @@ CYASSL_LOCAL void FreeSigners(Signer*, void*);
 CYASSL_LOCAL int ToTraditional(byte* buffer, word32 length);
 CYASSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*, int);
+CYASSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType);
 #ifdef HAVE_ECC
 /* ASN sig helpers */
@@ -436,6 +437,8 @@ struct DecodedCRL {
 byte crlHash[MD5_DIGEST_SIZE]; /* raw crl data hash */
 byte lastDate[MAX_DATE_SIZE]; /* last date updated */
 byte nextDate[MAX_DATE_SIZE]; /* next update date */
+ byte lastDateFormat; /* format of last date */
+ byte nextDateFormat; /* format of next date */
 RevokedCert* certs; /* revoked cert list */
 int totalCerts; /* number on list */
 };
diff --git a/cyassl/ctaocrypt/types.h b/cyassl/ctaocrypt/types.h
index f9a2306ce..084078803 100644
--- a/cyassl/ctaocrypt/types.h
+++ b/cyassl/ctaocrypt/types.h
@@ -206,8 +206,9 @@ enum {
 DYNAMIC_TYPE_REVOKED = 23,
 DYNAMIC_TYPE_CRL_ENTRY = 24,
 DYNAMIC_TYPE_CERT_MANAGER = 25,
- DYNAMIC_TYPE_CERT_STATUS = 26, /* OCSP Certificate Status */
- DYNAMIC_TYPE_OCSP_ENTRY = 27 /* OCSP CA Entry */
+ DYNAMIC_TYPE_CRL_MONITOR = 26,
+ DYNAMIC_TYPE_OCSP_STATUS = 27,
+ DYNAMIC_TYPE_OCSP_ENTRY = 28
 };
 /* stack protection */
diff --git a/cyassl/error.h b/cyassl/error.h
index b95c780b1..8909df6a3 100644
--- a/cyassl/error.h
+++ b/cyassl/error.h
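Review bot: The newly exported `ValidateDate` prototype says nothing about what `format` and `dateType` accept or what the return value means, yet CheckCertCRL in src/crl.c now calls it from another translation unit with `AFTER` and treats zero as "out of range". Add a comment above the declaration, e.g. `/* format: ASN_UTC_TIME or ASN_GENERALIZED_TIME; dateType: BEFORE or AFTER; returns non-zero when the date passes the check */`, so callers don't have to read asn.c to use it correctly. The GetBasicDate change in asn.c is what guarantees the format byte is one of those two tags before it is stored.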
@@ -95,9 +95,11 @@ enum CyaSSL_ErrorCodes {
 OCSP_CERT_REVOKED = -260, /* OCSP Certificate revoked */
 CRL_CERT_REVOKED = -261, /* CRL Certificate revoked */
 CRL_MISSING = -262, /* CRL Not loaded */
- OCSP_NEED_URL = -263, /* OCSP need an URL for lookup */
- OCSP_CERT_UNKNOWN = -264, /* OCSP responder doesn't know */
- OCSP_LOOKUP_FAIL = -265, /* OCSP lookup not successful */
+ MONITOR_RUNNING_E = -263, /* CRL Monitor already running */
+ THREAD_CREATE_E = -264, /* Thread Create Error */
+ OCSP_NEED_URL = -265, /* OCSP need an URL for lookup */
+ OCSP_CERT_UNKNOWN = -266, /* OCSP responder doesn't know */
+ OCSP_LOOKUP_FAIL = -267, /* OCSP lookup not successful */
 /* add strings to SetErrorString !!!!! */
 /* begin negotiation parameter errors */
diff --git a/cyassl/internal.h b/cyassl/internal.h
index f584a7bca..4a37329e8 100644
--- a/cyassl/internal.h
+++ b/cyassl/internal.h
@@ -633,16 +633,31 @@ struct CRL_Entry {
 byte crlHash[MD5_DIGEST_SIZE]; /* raw crl data hash */
 byte lastDate[MAX_DATE_SIZE]; /* last date updated */
 byte nextDate[MAX_DATE_SIZE]; /* next update date */
+ byte lastDateFormat; /* last date format */
+ byte nextDateFormat; /* next date format */
 RevokedCert* certs; /* revoked cert list */
 int totalCerts; /* number on list */
 };
+typedef struct CRL_Monitor CRL_Monitor;
+
+/* CRL directory monitor */
+struct CRL_Monitor {
+ char* path; /* full dir path, if valid pointer we're using */
+ int type; /* PEM or ASN1 type */
+};
+
+
 /* CyaSSL CRL controller */
 struct CYASSL_CRL {
 CYASSL_CERT_MANAGER* cm; /* pointer back to cert manager */
 CRL_Entry* crlList; /* our CRL list */
 CyaSSL_Mutex crlLock; /* CRL list lock */
+ CRL_Monitor monitors[2]; /* PEM and DER possible */
+#ifdef HAVE_CRL_MONITOR
+ pthread_t tid; /* monitoring thread */
+#endif
 };
diff --git a/cyassl/ssl.h b/cyassl/ssl.h
index 22ece6d13..702486e38 100644
--- a/cyassl/ssl.h
+++ b/cyassl/ssl.h
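Review bot: Inserting MONITOR_RUNNING_E and THREAD_CREATE_E at -263/-264 shifts OCSP_NEED_URL, OCSP_CERT_UNKNOWN and OCSP_LOOKUP_FAIL to new numeric values in a public header, so any application or language binding that compares against the old numbers now misclassifies OCSP errors. Append the two new codes after OCSP_LOOKUP_FAIL instead, e.g. `MONITOR_RUNNING_E = -266, /* CRL Monitor already running */` and `THREAD_CREATE_E = -267, /* Thread Create Error */`, leaving the existing values untouched. The SetErrorString additions in src/internal.c are keyed by name, so they need no change either way.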
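Review bot: `pthread_t tid` is added to struct CYASSL_CRL and then tested with `crl->tid != 0` in src/crl.c, but POSIX makes pthread_t opaque, so 0 is not a portable "no thread" value and the comparison won't compile where pthread_t is a struct. Track liveness with an explicit flag beside it, `int monitorRunning; /* non-zero once the DoMonitor thread was created */`, and have InitCRL, StartMonitorCRL and FreeCRL set and test that. Using pthread_t in this header also means internal.h must see <pthread.h> whenever HAVE_CRL_MONITOR is defined; that include is not part of the diff, so confirm it is already pulled in on every configuration that gets the define.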
@@ -807,7 +807,8 @@ CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx);
 CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int);
 CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL);
-
+#define CYASSL_CRL_MONITOR 0x01 /* monitor this dir flag */
+#define CYASSL_CRL_START_MON 0x02 /* start monitoring flag */
 #ifdef CYASSL_CALLBACKS
diff --git a/cyassl/test.h b/cyassl/test.h
index d68ad64b7..8e682fb71 100644
--- a/cyassl/test.h
+++ b/cyassl/test.h
@@ -577,7 +577,7 @@ static int myVerify(int preverify, CYASSL_X509_STORE_CTX* store)
 #ifdef HAVE_CRL
-static void CRL_CallBack(char* url)
+static void CRL_CallBack(const char* url)
 {
 printf("CRL callback url = %s\n", url);
 }
diff --git a/examples/client/client.c b/examples/client/client.c
index 7e5abcdb9..9d72f904d 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -208,7 +208,7 @@ void client_test(void* args)
 ssl = CyaSSL_new(ctx);
 CyaSSL_set_fd(ssl, sockfd);
 #ifdef HAVE_CRL
- CyaSSL_EnableCRL(ssl, 0);
+ CyaSSL_EnableCRL(ssl, CYASSL_CRL_CHECKALL);
 CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0);
 CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
 #endif
diff --git a/examples/server/server.c b/examples/server/server.c
index c7fe1f965..c3630d4e8 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -147,6 +147,12 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 #endif /* NO_FILESYSTEM */
 ssl = SSL_new(ctx);
+#ifdef HAVE_CRL
+ CyaSSL_EnableCRL(ssl, 0);
+ CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, CYASSL_CRL_MONITOR |
+ CYASSL_CRL_START_MON);
+ CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
+#endif
 tcp_accept(&sockfd, &clientfd, (func_args*)args);
 #ifndef CYASSL_DTLS
 CloseSocket(sockfd);
diff --git a/src/crl.c b/src/crl.c
index f7e13ed92..46e53a3f0 100644
--- a/src/crl.c
+++ b/src/crl.c
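Review bot: The two new flag macros in ssl.h document neither which parameter they belong to nor that CYASSL_CRL_START_MON only works in a build with HAVE_CRL_MONITOR (StartMonitorCRL returns NOT_COMPILED_IN otherwise, per src/crl.c in this commit). Add a note above them, e.g. `/* bit flags for the 'monitor' argument of CyaSSL_CTX_LoadCRL/CyaSSL_LoadCRL; START_MON needs HAVE_CRL_MONITOR */`. It is also worth stating that CYASSL_CRL_MONITOR alone merely records the directory — LoadCRL only creates the thread when START_MON is set too — since the name invites reading it as "monitoring is on".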
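Review bot: The server example discards the return values of CyaSSL_EnableCRL and CyaSSL_LoadCRL, so a missing crlPemDir, a failed strdup of the monitor path, or THREAD_CREATE_E from StartMonitorCRL leaves the server accepting connections with no revocation data and no message saying so. Treat these as fatal setup errors, e.g. `if (CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, CYASSL_CRL_MONITOR | CYASSL_CRL_START_MON) != SSL_SUCCESS) err_sys("can't load crl, check crlfile and date validity");`, assuming err_sys is the helper this example already uses for other setup failures (not visible in the hunk). server_test continues outside the hunk.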
@@ -40,6 +40,11 @@ int InitCRL(CYASSL_CRL* crl, CYASSL_CERT_MANAGER* cm) crl->cm = cm; crl->crlList = NULL; + crl->monitors[0].path = NULL; + crl->monitors[1].path = NULL; +#ifdef HAVE_CRL_MONITOR + crl->tid = 0; +#endif if (InitMutex(&crl->crlLock) != 0) return BAD_MUTEX_ERROR; @@ -56,6 +61,8 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl) XMEMCPY(crle->crlHash, dcrl->crlHash, MD5_DIGEST_SIZE); XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE); XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE); + crle->lastDateFormat = dcrl->lastDateFormat; + crle->nextDateFormat = dcrl->nextDateFormat; crle->certs = dcrl->certs; /* take ownsership */ dcrl->certs = NULL; @@ -88,6 +95,12 @@ void FreeCRL(CYASSL_CRL* crl) CYASSL_ENTER("FreeCRL"); + if (crl->monitors[0].path) + XFREE(crl->monitors[0].path, NULL, DYNAMIC_TYPE_CRL_MONITOR); + + if (crl->monitors[1].path) + XFREE(crl->monitors[1].path, NULL, DYNAMIC_TYPE_CRL_MONITOR); + while(tmp) { CRL_Entry* next = tmp->next; FreeCRL_Entry(tmp); @@ -95,6 +108,12 @@ void FreeCRL(CYASSL_CRL* crl) tmp = next; } +#ifdef HAVE_CRL_MONITOR + if (crl->tid != 0) { + CYASSL_MSG("Canceling monitor thread"); + pthread_cancel(crl->tid); + } +#endif FreeMutex(&crl->crlLock); } 
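Review bot: FreeCRL releases `monitors[0].path`/`monitors[1].path` and the CRL list first and only afterwards calls pthread_cancel on the monitor thread, without joining it; DoMonitor and SwapLists (later in this diff) read those paths and take crlLock, so the thread may still be running over freed memory, and FreeMutex follows the cancel request immediately. Stop and reap the thread before releasing anything it touches, and join after the cancel so a cancellation delivered while SwapLists holds crlLock does not leave the mutex locked when it is destroyed. A cancel with no cleanup handler also leaks the kqueue/inotify descriptors opened in DoMonitor, but that belongs with the monitor code itself.

```c
void FreeCRL(CYASSL_CRL* crl)
{
    /* … unchanged: local declarations … */
    CYASSL_ENTER("FreeCRL");

#ifdef HAVE_CRL_MONITOR
    /* stop the watcher before freeing the paths and list it reads */
    if (crl->tid != 0) {
        CYASSL_MSG("Canceling monitor thread");
        pthread_cancel(crl->tid);
        pthread_join(crl->tid, NULL);
        crl->tid = 0;
    }
#endif

    /* … unchanged: XFREE of monitors[0].path / monitors[1].path … */
    /* … unchanged: FreeCRL_Entry loop over crlList … */
    FreeMutex(&crl->crlLock);
}
```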
@@ -102,27 +121,34 @@ void FreeCRL(CYASSL_CRL* crl) /* Is the cert ok with CRL, return 0 on success */ int CheckCertCRL(CYASSL_CRL* crl, DecodedCert* cert) { - CRL_Entry* crle; - int foundEntry = 0; - int revoked = 0; - int ret = 0; + CRL_Entry* crle; + int foundEntry = 0; + int revoked = 0; + int ret = 0; - CYASSL_ENTER("CheckCertCRL"); + CYASSL_ENTER("CheckCertCRL"); - if (LockMutex(&crl->crlLock) != 0) { - CYASSL_MSG("LockMutex failed"); - return BAD_MUTEX_ERROR; - } + if (LockMutex(&crl->crlLock) != 0) { + CYASSL_MSG("LockMutex failed"); + return BAD_MUTEX_ERROR; + } - crle = crl->crlList; + crle = crl->crlList; while (crle) { if (XMEMCMP(crle->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0) { CYASSL_MSG("Found CRL Entry on list"); - foundEntry = 1; - break; + CYASSL_MSG("Checking next date validity"); + + if (!ValidateDate(crle->nextDate, crle->nextDateFormat, AFTER)) { + CYASSL_MSG("CRL next date is no longer valid"); + ret = ASN_AFTER_DATE_E; + } + else + foundEntry = 1; + break; } - crle = crle->next; + crle = crle->next; } if (foundEntry) { 
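Review bot: When the matching CRL_Entry is stale the new branch sets `ret = ASN_AFTER_DATE_E` and then hits the shared `break;` with foundEntry still 0, so a fresher CRL for the same issuer further down the list is never consulted (assuming the list can hold more than one entry per issuer, which LoadCRL's per-file ProcessFile calls suggest), and the `!foundEntry` path after the hunk will treat this as a missing CRL and may overwrite ret. Move the `break` into the valid branch — `else { foundEntry = 1; ret = 0; break; }` — and let the stale branch fall through to `crle = crle->next;` so the scan continues and the stale verdict survives only when nothing valid is found. Most of this hunk is a re-indent of the prologue; the behavioural change is just the ValidateDate call. CheckCertCRL continues outside the hunk.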
@@ -251,6 +277,227 @@ int BufferLoadCRL(CYASSL_CRL* crl, const byte* buff, long sz, int type) } +#ifdef HAVE_CRL_MONITOR + + +/* read in new CRL entries and save new list */ +static int SwapLists(CYASSL_CRL* crl) +{ + int ret; + CYASSL_CRL tmp; + CRL_Entry* newList; + + if (InitCRL(&tmp, crl->cm) < 0) { + CYASSL_MSG("Init tmp CRL failed"); + return -1; + } + + if (crl->monitors[0].path) { + ret = LoadCRL(&tmp, crl->monitors[0].path, SSL_FILETYPE_PEM, 0); + if (ret != SSL_SUCCESS) { + CYASSL_MSG("PEM LoadCRL on dir change failed"); + FreeCRL(&tmp); + return -1; + } + } + + if (crl->monitors[1].path) { + ret = LoadCRL(&tmp, crl->monitors[1].path, SSL_FILETYPE_ASN1, 0); + if (ret != SSL_SUCCESS) { + CYASSL_MSG("DER LoadCRL on dir change failed"); + FreeCRL(&tmp); + return -1; + } + } + + if (LockMutex(&crl->crlLock) != 0) { + CYASSL_MSG("LockMutex failed"); + FreeCRL(&tmp); + return -1; + } + + newList = tmp.crlList; + + /* swap lists */ + tmp.crlList = crl->crlList; + crl->crlList = newList; + + UnLockMutex(&crl->crlLock); + + FreeCRL(&tmp); + + return 0; +} + + +#ifdef __MACH__ + +#include +#include +#include + +/* OS X monitoring */ +static void* DoMonitor(void* arg) +{ + int fPEM, fDER, kq; + struct kevent change; + + CYASSL_CRL* crl = (CYASSL_CRL*)arg; + + CYASSL_ENTER("DoMonitor"); + + kq = kqueue(); + if (kq == -1) { + CYASSL_MSG("kqueue failed"); + return NULL; + } + + fPEM = -1; + fDER = -1; + + if (crl->monitors[0].path) { + fPEM = open(crl->monitors[0].path, O_EVTONLY); + if (fPEM == -1) { + CYASSL_MSG("PEM event dir open failed"); + return NULL; + } + } + + if (crl->monitors[1].path) { + fDER = open(crl->monitors[1].path, O_EVTONLY); + if (fDER == -1) { + CYASSL_MSG("DER event dir open failed"); + return NULL; + } + } + + if (fPEM != -1) + EV_SET(&change, fPEM, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, + NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0); + + if (fDER != -1) + EV_SET(&change, fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | 
EV_ONESHOT, + NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0); + + for (;;) { + struct kevent event; + int numEvents = kevent(kq, &change, 1, &event, 1, NULL); + + CYASSL_MSG("Got kevent"); + + if (numEvents == -1) { + CYASSL_MSG("kevent problem, continue"); + continue; + } + + if (SwapLists(crl) < 0) { + CYASSL_MSG("SwapLists problem, continue"); + } + } + + return NULL; +} + + +#elif __linux__ + +#include +#include +#include + +/* linux monitoring */ +static void* DoMonitor(void* arg) +{ + int notifyFd; + int wd; + CYASSL_CRL* crl = (CYASSL_CRL*)arg; + + CYASSL_ENTER("DoMonitor"); + + notifyFd = inotify_init(); + if (notifyFd < 0) { + CYASSL_MSG("inotify failed"); + return NULL; + } + + if (crl->monitors[0].path) { + wd = inotify_add_watch(notifyFd, crl->monitors[0].path, IN_CLOSE_WRITE | + IN_DELETE); + if (wd < 0) { + CYASSL_MSG("PEM notify add watch failed"); + return NULL; + } + } + + if (crl->monitors[1].path) { + wd = inotify_add_watch(notifyFd, crl->monitors[1].path, IN_CLOSE_WRITE | + IN_DELETE); + if (wd < 0) { + CYASSL_MSG("DER notify add watch failed"); + return NULL; + } + } + + for (;;) { + char buffer[8192]; + int length = read(notifyFd, buffer, sizeof(buffer)); + + CYASSL_MSG("Got notify event"); + + if (length < 0) { + CYASSL_MSG("notify read problem, continue"); + continue; + } + + if (SwapLists(crl) < 0) { + CYASSL_MSG("SwapLists problem, continue"); + } + } + + return NULL; +} + + + +#endif /* MACH or linux */ + + +/* Start Monitoring the CRL path(s) in a thread */ +int StartMonitorCRL(CYASSL_CRL* crl) +{ + pthread_attr_t attr; + + CYASSL_ENTER("StartMonitorCRL"); + + if (crl == NULL) + return BAD_FUNC_ARG; + + if (crl->tid != 0) { + CYASSL_MSG("Monitor thread already running"); + return MONITOR_RUNNING_E; + } + + pthread_attr_init(&attr); + + if (pthread_create(&crl->tid, &attr, DoMonitor, crl) != 0) { + CYASSL_MSG("Thread creation error"); + return THREAD_CREATE_E; + } + + return SSL_SUCCESS; +} + + +#else /* HAVE_CRL_MONITOR */ + 
+int StartMonitorCRL(CYASSL_CRL* crl) +{ + return NOT_COMPILED_IN; +} + +#endif /* HAVE_CRL_MONITOR */ + + /* Load CRL path files of type, SSL_SUCCESS on ok */ int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor) { @@ -267,7 +514,7 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor) CYASSL_MSG("opendir path crl load failed"); return BAD_PATH_ERROR; } - while ( ret == SSL_SUCCESS && (entry = readdir(dir)) != NULL) { + while ( (entry = readdir(dir)) != NULL) { if (entry->d_type & DT_REG) { char name[MAX_FILENAME_SZ]; @@ -291,15 +538,36 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor) XSTRNCAT(name, "/", 1); XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2); - ret = ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl); + if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl) + != SSL_SUCCESS) { + CYASSL_MSG("CRL file load failed, continuing"); + } } } - if (monitor) { + if (monitor & CYASSL_CRL_MONITOR) { CYASSL_MSG("monitor path requested"); + + if (type == SSL_FILETYPE_PEM) { + crl->monitors[0].path = strdup(path); + crl->monitors[0].type = SSL_FILETYPE_PEM; + if (crl->monitors[0].path == NULL) + ret = MEMORY_E; + } else { + crl->monitors[1].path = strdup(path); + crl->monitors[1].type = SSL_FILETYPE_ASN1; + if (crl->monitors[1].path == NULL) + ret = MEMORY_E; + } + + if (monitor & CYASSL_CRL_START_MON) { + CYASSL_MSG("start monitoring requested"); + + ret = StartMonitorCRL(crl); + } } - return SSL_SUCCESS; + return ret; } #endif /* HAVE_CRL */ diff --git a/src/include.am b/src/include.am index 9890a8f7e..95c7c026d 100644 --- a/src/include.am +++ b/src/include.am @@ -72,5 +72,7 @@ endif if BUILD_CRL src_libcyassl_la_SOURCES += src/crl.c +src_libcyassl_la_CFLAGS += $(PTHREAD_CFLAGS) +src_libcyassl_la_LIBADD += $(PTHREAD_LIBS) endif diff --git a/src/internal.c b/src/internal.c index 5cc2f5a44..685e4df3f 100644 --- a/src/internal.c +++ b/src/internal.c 
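Review bot: In the OS X DoMonitor a single `struct kevent change` is filled by both EV_SET calls, so when PEM and DER directories are both monitored the second EV_SET overwrites the first and only the DER directory is ever registered with the kqueue; the loop then re-submits that one change each iteration. Use an array sized for both directories and pass the real count to kevent, as below. The Linux variant has a matching gap: `IN_CLOSE_WRITE | IN_DELETE` does not fire for the common atomic-replace pattern (write to a temp file, rename into place), so `IN_MOVED_TO | IN_MOVED_FROM` should be added to the mask. Neither variant closes its descriptors on the early-return paths and StartMonitorCRL never calls pthread_attr_destroy; small leaks, but they should be tidied in the same change.

```c
static void* DoMonitor(void* arg)
{
    int fPEM, fDER, kq;
    int nChanges = 0;
    struct kevent change[2];   /* one registration per monitored directory */
    /* … unchanged: kqueue(), open() of the PEM/DER directories … */

    if (fPEM != -1)
        EV_SET(&change[nChanges++], fPEM, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
               NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);

    if (fDER != -1)
        EV_SET(&change[nChanges++], fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
               NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);

    for (;;) {
        struct kevent event;
        int numEvents = kevent(kq, change, nChanges, &event, 1, NULL);
        /* … unchanged: error check and SwapLists … */
    }
```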
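Review bot: The readdir loop now keeps going past a file that ProcessFile rejects (the failure is only logged as `CRL file load failed, continuing`), so LoadCRL can return SSL_SUCCESS from a directory in which every CRL was unparsable or — with the new ParseCRL check — expired, and the caller believes revocation data is loaded when none is. Count successful loads and surface an error when none succeeded: keep an `int loaded = 0;`, increment it when ProcessFile returns SSL_SUCCESS, and after the loop `if (loaded == 0) ret = CRL_MISSING;` — hedged, since the initialisation of ret and the surrounding early returns lie outside the hunk. LoadCRL's body extends beyond this hunk.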
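Review bot: The monitor path is allocated with bare `strdup` but released in FreeCRL with `XFREE(..., DYNAMIC_TYPE_CRL_MONITOR)`; XMALLOC/XFREE carry a type tag precisely so they can be routed to a custom allocator, and if they are, this is an allocator mismatch. Allocate through the same layer: `len = (int)strlen(path) + 1; crl->monitors[0].path = (char*)XMALLOC(len, NULL, DYNAMIC_TYPE_CRL_MONITOR); if (crl->monitors[0].path) XMEMCPY(crl->monitors[0].path, path, len);` (and the same for the DER slot). Calling LoadCRL twice with CYASSL_CRL_MONITOR for the same type also overwrites the previous path without freeing it, so free or reject the second registration. Finally, a strdup failure sets `ret = MEMORY_E` but does not return, so when START_MON is also set StartMonitorCRL runs with a NULL path and its result overwrites MEMORY_E; return early on the allocation failure.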
@@ -1628,11 +1628,9 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) ssl->ctx->cm); if (ret == 0 && dCert.isCA == 0) { CYASSL_MSG("Chain cert is not a CA, not adding as one"); - (void)ret; } else if (ret == 0 && ssl->options.verifyNone) { CYASSL_MSG("Chain cert not verified by option, not adding as CA"); - (void)ret; } else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, dCert.subjectHash)) { buffer add; @@ -1651,13 +1649,22 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) } else if (ret != 0) { CYASSL_MSG("Failed to verify CA from chain"); - (void)ret; } else { CYASSL_MSG("Verified CA from chain and already had it"); - (void)ret; } +#ifdef HAVE_CRL + if (ret == 0 && ssl->ctx->cm->crlEnabled && ssl->ctx->cm->crlCheckAll) { + CYASSL_MSG("Doing Non Leaf CRL check"); + ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert); + + if (ret != 0) { + CYASSL_MSG("\tCRL check not ok"); + } + } +#endif /* HAVE_CRL */ + if (ret != 0 && anyError == 0) anyError = ret; /* save error from last time */ @@ -1705,7 +1712,8 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) #endif #ifdef HAVE_CRL - if (ssl->ctx->cm->crlEnabled) { + if (fatal == 0 && ssl->ctx->cm->crlEnabled) { + CYASSL_MSG("Doing Leaf CRL check"); ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert); if (ret != 0) { @@ -3530,6 +3538,14 @@ void SetErrorString(int error, char* str) XSTRNCPY(str, "CRL missing, not loaded", max); break; + case MONITOR_RUNNING_E: + XSTRNCPY(str, "CRL monitor already running", max); + break; + + case THREAD_CREATE_E: + XSTRNCPY(str, "Thread creation problem", max); + break; + case OCSP_NEED_URL: XSTRNCPY(str, "OCSP need URL", max); break; diff --git a/src/ssl.c b/src/ssl.c index 818999375..f61ab880a 100644 --- a/src/ssl.c +++ b/src/ssl.c 
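Review bot: The new non-leaf CRL check runs after the `!AlreadySigner` branch has already added the chain certificate to the cert manager's signer list, so a revoked intermediate is cached as a trusted CA for the lifetime of the CTX even though this handshake then fails with CRL_CERT_REVOKED (inferred from the `buffer add;` branch whose body is elided in the hunk — confirm it ends in AddCA). Evaluate the CRL before trust is stored: move the CheckCertCRL call ahead of the AddCA branch, or gate the add on `ret == 0` after the check. `crlCheckAll` is read from the cert manager here but not set anywhere in this diff; confirm CyaSSL_EnableCRL maps CYASSL_CRL_CHECKALL (used in client.c) onto it. DoCertificate continues outside the hunk.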
@@ -1474,7 +1474,7 @@ int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER* cm, byte* der, int sz) int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER* cm, CbMissingCRL cb) { - CYASSL_ENTER("CyaSSL_CertManagerLoadCRL"); + CYASSL_ENTER("CyaSSL_CertManagerSetCRL_Cb"); if (cm == NULL) return BAD_FUNC_ARG;