feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

renumbered new error codes and dynamic data types

Browse Source
This commit is contained in:
John Safranek
2012-05-24 14:36:40 -07:00
parent e8e575fd58 baddc07300
commit 0a31dc3a37
17 changed files with 362 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile.am
View File

@@ -21,10 +21,6 @@ exampledir = $(docdir)/@PACKAGE@/example
example_DATA= example_DATA=
EXTRA_DIST+= $(example_DATA) EXTRA_DIST+= $(example_DATA)
certsdir = $(sysconfdir)/ssl/certs
certs_DATA=
EXTRA_DIST+= $(certs_DATA)
EXTRA_DIST+= $(doc_DATA) EXTRA_DIST+= $(doc_DATA)
ACLOCAL_AMFLAGS= -I m4 --install ACLOCAL_AMFLAGS= -I m4 --install

5
certs/crl/include.am
View File

@@ -2,12 +2,11 @@
# All paths should be given relative to the root # All paths should be given relative to the root
# #
certs_DATA+= \ EXTRA_DIST += \
certs/crl/crl.pem \ certs/crl/crl.pem \
certs/crl/cliCrl.pem certs/crl/cliCrl.pem
certs_DATA+= \ EXTRA_DIST += \
certs/crl/crl.revoked certs/crl/crl.revoked
EXTRA_DIST+= ${certs_DATA}

5
certs/include.am
View File

@@ -2,7 +2,7 @@
# All paths should be given relative to the root # All paths should be given relative to the root
# #
certs_DATA+= \ EXTRA_DIST += \
certs/ca-cert.pem \ certs/ca-cert.pem \
certs/ca-key.pem \ certs/ca-key.pem \
certs/client-cert.pem \ certs/client-cert.pem \
@@ -23,7 +23,7 @@ certs_DATA+= \
certs/server-keyPkcs8Enc.pem \ certs/server-keyPkcs8Enc.pem \
certs/server-keyPkcs8.pem certs/server-keyPkcs8.pem
certs_DATA+= \ EXTRA_DIST += \
certs/ca-key.der \ certs/ca-key.der \
certs/client-cert.der \ certs/client-cert.der \
certs/client-key.der \ certs/client-key.der \
@@ -32,7 +32,6 @@ certs_DATA+= \
certs/dsa2048.der \ certs/dsa2048.der \
certs/ecc-key.der certs/ecc-key.der
EXTRA_DIST+= ${certs_DATA}
doc_DATA+= certs/taoCert.txt doc_DATA+= certs/taoCert.txt

2
configure.ac
View File

@@ -500,7 +500,7 @@ AC_ARG_ENABLE(crl,
if test "$ENABLED_CRL" = "yes" if test "$ENABLED_CRL" = "yes"
then then
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL" AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL -DHAVE_CRL_MONITOR"
fi fi
AM_CONDITIONAL([BUILD_CRL], [test "x$ENABLED_CRL" = "xyes"]) AM_CONDITIONAL([BUILD_CRL], [test "x$ENABLED_CRL" = "xyes"])

18
ctaocrypt/src/asn.c
View File

@@ -1538,7 +1538,7 @@ static INLINE int DateLessThan(const struct tm* a, const struct tm* b)
/* like atoi but only use first byte */ /* like atoi but only use first byte */
/* Make sure before and after dates are valid */ /* Make sure before and after dates are valid */
static int ValidateDate(const byte* date, byte format, int dateType) int ValidateDate(const byte* date, byte format, int dateType)
{ {
time_t ltime; time_t ltime;
struct tm certTime; struct tm certTime;
@@ -4652,15 +4652,16 @@ static int GetNameHash(const byte* source, word32* idx, byte* hash, int maxIdx)
/* Get raw Date only, no processing, 0 on success */ /* Get raw Date only, no processing, 0 on success */
static int GetBasicDate(const byte* source, word32* idx, byte* date, int maxIdx) static int GetBasicDate(const byte* source, word32* idx, byte* date,
byte* format, int maxIdx)
{ {
int length; int length;
byte b = source[*idx];
CYASSL_ENTER("GetBasicDate"); CYASSL_ENTER("GetBasicDate");
*format = source[*idx];
*idx += 1; *idx += 1;
if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) if (*format != ASN_UTC_TIME && *format != ASN_GENERALIZED_TIME)
return ASN_TIME_E; return ASN_TIME_E;
if (GetLength(source, idx, &length, maxIdx) < 0) if (GetLength(source, idx, &length, maxIdx) < 0)
@@ -4815,12 +4816,17 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz)
if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0) if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
if (GetBasicDate(buff, &idx, dcrl->lastDate, sz) < 0) if (GetBasicDate(buff, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
if (GetBasicDate(buff, &idx, dcrl->nextDate, sz) < 0) if (GetBasicDate(buff, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
CYASSL_MSG("CRL after date is no longer valid");
return ASN_AFTER_DATE_E;
}
if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) { if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) {
if (GetSequence(buff, &idx, &len, sz) < 0) if (GetSequence(buff, &idx, &len, sz) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;

3
cyassl/ctaocrypt/asn.h
View File

@@ -297,6 +297,7 @@ CYASSL_LOCAL void FreeSigners(Signer*, void*);
CYASSL_LOCAL int ToTraditional(byte* buffer, word32 length); CYASSL_LOCAL int ToTraditional(byte* buffer, word32 length);
CYASSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*, int); CYASSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*, int);
CYASSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType);
#ifdef HAVE_ECC #ifdef HAVE_ECC
/* ASN sig helpers */ /* ASN sig helpers */
@@ -436,6 +437,8 @@ struct DecodedCRL {
byte crlHash[MD5_DIGEST_SIZE]; /* raw crl data hash */ byte crlHash[MD5_DIGEST_SIZE]; /* raw crl data hash */
byte lastDate[MAX_DATE_SIZE]; /* last date updated */ byte lastDate[MAX_DATE_SIZE]; /* last date updated */
byte nextDate[MAX_DATE_SIZE]; /* next update date */ byte nextDate[MAX_DATE_SIZE]; /* next update date */
byte lastDateFormat; /* format of last date */
byte nextDateFormat; /* format of next date */
RevokedCert* certs; /* revoked cert list */ RevokedCert* certs; /* revoked cert list */
int totalCerts; /* number on list */ int totalCerts; /* number on list */
}; };

5
cyassl/ctaocrypt/types.h
View File

@@ -206,8 +206,9 @@ enum {
DYNAMIC_TYPE_REVOKED = 23, DYNAMIC_TYPE_REVOKED = 23,
DYNAMIC_TYPE_CRL_ENTRY = 24, DYNAMIC_TYPE_CRL_ENTRY = 24,
DYNAMIC_TYPE_CERT_MANAGER = 25, DYNAMIC_TYPE_CERT_MANAGER = 25,
DYNAMIC_TYPE_CERT_STATUS = 26, /* OCSP Certificate Status */ DYNAMIC_TYPE_CRL_MONITOR = 26,
DYNAMIC_TYPE_OCSP_ENTRY = 27 /* OCSP CA Entry */ DYNAMIC_TYPE_OCSP_STATUS = 27,
DYNAMIC_TYPE_OCSP_ENTRY = 28
}; };
/* stack protection */ /* stack protection */

8
cyassl/error.h
View File

@@ -95,9 +95,11 @@ enum CyaSSL_ErrorCodes {
OCSP_CERT_REVOKED = -260, /* OCSP Certificate revoked */ OCSP_CERT_REVOKED = -260, /* OCSP Certificate revoked */
CRL_CERT_REVOKED = -261, /* CRL Certificate revoked */ CRL_CERT_REVOKED = -261, /* CRL Certificate revoked */
CRL_MISSING = -262, /* CRL Not loaded */ CRL_MISSING = -262, /* CRL Not loaded */
OCSP_NEED_URL = -263, /* OCSP need an URL for lookup */ MONITOR_RUNNING_E = -263, /* CRL Monitor already running */
OCSP_CERT_UNKNOWN = -264, /* OCSP responder doesn't know */ THREAD_CREATE_E = -264, /* Thread Create Error */
OCSP_LOOKUP_FAIL = -265, /* OCSP lookup not successful */ OCSP_NEED_URL = -265, /* OCSP need an URL for lookup */
OCSP_CERT_UNKNOWN = -266, /* OCSP responder doesn't know */
OCSP_LOOKUP_FAIL = -267, /* OCSP lookup not successful */
/* add strings to SetErrorString !!!!! */ /* add strings to SetErrorString !!!!! */
/* begin negotiation parameter errors */ /* begin negotiation parameter errors */

15
cyassl/internal.h
View File

@@ -633,16 +633,31 @@ struct CRL_Entry {
byte crlHash[MD5_DIGEST_SIZE]; /* raw crl data hash */ byte crlHash[MD5_DIGEST_SIZE]; /* raw crl data hash */
byte lastDate[MAX_DATE_SIZE]; /* last date updated */ byte lastDate[MAX_DATE_SIZE]; /* last date updated */
byte nextDate[MAX_DATE_SIZE]; /* next update date */ byte nextDate[MAX_DATE_SIZE]; /* next update date */
byte lastDateFormat; /* last date format */
byte nextDateFormat; /* next date format */
RevokedCert* certs; /* revoked cert list */ RevokedCert* certs; /* revoked cert list */
int totalCerts; /* number on list */ int totalCerts; /* number on list */
}; };
typedef struct CRL_Monitor CRL_Monitor;
/* CRL directory monitor */
struct CRL_Monitor {
char* path; /* full dir path, if valid pointer we're using */
int type; /* PEM or ASN1 type */
};
/* CyaSSL CRL controller */ /* CyaSSL CRL controller */
struct CYASSL_CRL { struct CYASSL_CRL {
CYASSL_CERT_MANAGER* cm; /* pointer back to cert manager */ CYASSL_CERT_MANAGER* cm; /* pointer back to cert manager */
CRL_Entry* crlList; /* our CRL list */ CRL_Entry* crlList; /* our CRL list */
CyaSSL_Mutex crlLock; /* CRL list lock */ CyaSSL_Mutex crlLock; /* CRL list lock */
CRL_Monitor monitors[2]; /* PEM and DER possible */
#ifdef HAVE_CRL_MONITOR
pthread_t tid; /* monitoring thread */
#endif
}; };

3
cyassl/ssl.h
View File

@@ -807,7 +807,8 @@ CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx);
CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int); CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int);
CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL); CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL);
#define CYASSL_CRL_MONITOR 0x01 /* monitor this dir flag */
#define CYASSL_CRL_START_MON 0x02 /* start monitoring flag */
#ifdef CYASSL_CALLBACKS #ifdef CYASSL_CALLBACKS

2
cyassl/test.h
View File

@@ -577,7 +577,7 @@ static int myVerify(int preverify, CYASSL_X509_STORE_CTX* store)
#ifdef HAVE_CRL #ifdef HAVE_CRL
static void CRL_CallBack(char* url) static void CRL_CallBack(const char* url)
{ {
printf("CRL callback url = %s\n", url); printf("CRL callback url = %s\n", url);
} }

2
examples/client/client.c
View File

@@ -208,7 +208,7 @@ void client_test(void* args)
ssl = CyaSSL_new(ctx); ssl = CyaSSL_new(ctx);
CyaSSL_set_fd(ssl, sockfd); CyaSSL_set_fd(ssl, sockfd);
#ifdef HAVE_CRL #ifdef HAVE_CRL
CyaSSL_EnableCRL(ssl, 0); CyaSSL_EnableCRL(ssl, CYASSL_CRL_CHECKALL);
CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0); CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0);
CyaSSL_SetCRL_Cb(ssl, CRL_CallBack); CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
#endif #endif

6
examples/server/server.c
View File

@@ -147,6 +147,12 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#endif /* NO_FILESYSTEM */ #endif /* NO_FILESYSTEM */
ssl = SSL_new(ctx); ssl = SSL_new(ctx);
#ifdef HAVE_CRL
CyaSSL_EnableCRL(ssl, 0);
CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, CYASSL_CRL_MONITOR |
CYASSL_CRL_START_MON);
CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
#endif
tcp_accept(&sockfd, &clientfd, (func_args*)args); tcp_accept(&sockfd, &clientfd, (func_args*)args);
#ifndef CYASSL_DTLS #ifndef CYASSL_DTLS
CloseSocket(sockfd); CloseSocket(sockfd);

276
src/crl.c
View File

@@ -40,6 +40,11 @@ int InitCRL(CYASSL_CRL* crl, CYASSL_CERT_MANAGER* cm)
crl->cm = cm; crl->cm = cm;
crl->crlList = NULL; crl->crlList = NULL;
crl->monitors[0].path = NULL;
crl->monitors[1].path = NULL;
#ifdef HAVE_CRL_MONITOR
crl->tid = 0;
#endif
if (InitMutex(&crl->crlLock) != 0) if (InitMutex(&crl->crlLock) != 0)
return BAD_MUTEX_ERROR; return BAD_MUTEX_ERROR;
@@ -56,6 +61,8 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl)
XMEMCPY(crle->crlHash, dcrl->crlHash, MD5_DIGEST_SIZE); XMEMCPY(crle->crlHash, dcrl->crlHash, MD5_DIGEST_SIZE);
XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE); XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE); XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
crle->lastDateFormat = dcrl->lastDateFormat;
crle->nextDateFormat = dcrl->nextDateFormat;
crle->certs = dcrl->certs; /* take ownsership */ crle->certs = dcrl->certs; /* take ownsership */
dcrl->certs = NULL; dcrl->certs = NULL;
@@ -88,6 +95,12 @@ void FreeCRL(CYASSL_CRL* crl)
CYASSL_ENTER("FreeCRL"); CYASSL_ENTER("FreeCRL");
if (crl->monitors[0].path)
XFREE(crl->monitors[0].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);
if (crl->monitors[1].path)
XFREE(crl->monitors[1].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);
while(tmp) { while(tmp) {
CRL_Entry* next = tmp->next; CRL_Entry* next = tmp->next;
FreeCRL_Entry(tmp); FreeCRL_Entry(tmp);
@@ -95,6 +108,12 @@ void FreeCRL(CYASSL_CRL* crl)
tmp = next; tmp = next;
} }
#ifdef HAVE_CRL_MONITOR
if (crl->tid != 0) {
CYASSL_MSG("Canceling monitor thread");
pthread_cancel(crl->tid);
}
#endif
FreeMutex(&crl->crlLock); FreeMutex(&crl->crlLock);
} }
@@ -119,6 +138,13 @@ int CheckCertCRL(CYASSL_CRL* crl, DecodedCert* cert)
while (crle) { while (crle) {
if (XMEMCMP(crle->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0) { if (XMEMCMP(crle->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0) {
CYASSL_MSG("Found CRL Entry on list"); CYASSL_MSG("Found CRL Entry on list");
CYASSL_MSG("Checking next date validity");
if (!ValidateDate(crle->nextDate, crle->nextDateFormat, AFTER)) {
CYASSL_MSG("CRL next date is no longer valid");
ret = ASN_AFTER_DATE_E;
}
else
foundEntry = 1; foundEntry = 1;
break; break;
} }
@@ -251,6 +277,227 @@ int BufferLoadCRL(CYASSL_CRL* crl, const byte* buff, long sz, int type)
} }
#ifdef HAVE_CRL_MONITOR
/* read in new CRL entries and save new list */
static int SwapLists(CYASSL_CRL* crl)
{
int ret;
CYASSL_CRL tmp;
CRL_Entry* newList;
if (InitCRL(&tmp, crl->cm) < 0) {
CYASSL_MSG("Init tmp CRL failed");
return -1;
}
if (crl->monitors[0].path) {
ret = LoadCRL(&tmp, crl->monitors[0].path, SSL_FILETYPE_PEM, 0);
if (ret != SSL_SUCCESS) {
CYASSL_MSG("PEM LoadCRL on dir change failed");
FreeCRL(&tmp);
return -1;
}
}
if (crl->monitors[1].path) {
ret = LoadCRL(&tmp, crl->monitors[1].path, SSL_FILETYPE_ASN1, 0);
if (ret != SSL_SUCCESS) {
CYASSL_MSG("DER LoadCRL on dir change failed");
FreeCRL(&tmp);
return -1;
}
}
if (LockMutex(&crl->crlLock) != 0) {
CYASSL_MSG("LockMutex failed");
FreeCRL(&tmp);
return -1;
}
newList = tmp.crlList;
/* swap lists */
tmp.crlList = crl->crlList;
crl->crlList = newList;
UnLockMutex(&crl->crlLock);
FreeCRL(&tmp);
return 0;
}
#ifdef __MACH__
#include <sys/event.h>
#include <sys/time.h>
#include <fcntl.h>
/* OS X monitoring */
static void* DoMonitor(void* arg)
{
int fPEM, fDER, kq;
struct kevent change;
CYASSL_CRL* crl = (CYASSL_CRL*)arg;
CYASSL_ENTER("DoMonitor");
kq = kqueue();
if (kq == -1) {
CYASSL_MSG("kqueue failed");
return NULL;
}
fPEM = -1;
fDER = -1;
if (crl->monitors[0].path) {
fPEM = open(crl->monitors[0].path, O_EVTONLY);
if (fPEM == -1) {
CYASSL_MSG("PEM event dir open failed");
return NULL;
}
}
if (crl->monitors[1].path) {
fDER = open(crl->monitors[1].path, O_EVTONLY);
if (fDER == -1) {
CYASSL_MSG("DER event dir open failed");
return NULL;
}
}
if (fPEM != -1)
EV_SET(&change, fPEM, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
if (fDER != -1)
EV_SET(&change, fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
for (;;) {
struct kevent event;
int numEvents = kevent(kq, &change, 1, &event, 1, NULL);
CYASSL_MSG("Got kevent");
if (numEvents == -1) {
CYASSL_MSG("kevent problem, continue");
continue;
}
if (SwapLists(crl) < 0) {
CYASSL_MSG("SwapLists problem, continue");
}
}
return NULL;
}
#elif __linux__
#include <sys/types.h>
#include <sys/inotify.h>
#include <unistd.h>
/* linux monitoring */
static void* DoMonitor(void* arg)
{
int notifyFd;
int wd;
CYASSL_CRL* crl = (CYASSL_CRL*)arg;
CYASSL_ENTER("DoMonitor");
notifyFd = inotify_init();
if (notifyFd < 0) {
CYASSL_MSG("inotify failed");
return NULL;
}
if (crl->monitors[0].path) {
wd = inotify_add_watch(notifyFd, crl->monitors[0].path, IN_CLOSE_WRITE |
IN_DELETE);
if (wd < 0) {
CYASSL_MSG("PEM notify add watch failed");
return NULL;
}
}
if (crl->monitors[1].path) {
wd = inotify_add_watch(notifyFd, crl->monitors[1].path, IN_CLOSE_WRITE |
IN_DELETE);
if (wd < 0) {
CYASSL_MSG("DER notify add watch failed");
return NULL;
}
}
for (;;) {
char buffer[8192];
int length = read(notifyFd, buffer, sizeof(buffer));
CYASSL_MSG("Got notify event");
if (length < 0) {
CYASSL_MSG("notify read problem, continue");
continue;
}
if (SwapLists(crl) < 0) {
CYASSL_MSG("SwapLists problem, continue");
}
}
return NULL;
}
#endif /* MACH or linux */
/* Start Monitoring the CRL path(s) in a thread */
int StartMonitorCRL(CYASSL_CRL* crl)
{
pthread_attr_t attr;
CYASSL_ENTER("StartMonitorCRL");
if (crl == NULL)
return BAD_FUNC_ARG;
if (crl->tid != 0) {
CYASSL_MSG("Monitor thread already running");
return MONITOR_RUNNING_E;
}
pthread_attr_init(&attr);
if (pthread_create(&crl->tid, &attr, DoMonitor, crl) != 0) {
CYASSL_MSG("Thread creation error");
return THREAD_CREATE_E;
}
return SSL_SUCCESS;
}
#else /* HAVE_CRL_MONITOR */
int StartMonitorCRL(CYASSL_CRL* crl)
{
return NOT_COMPILED_IN;
}
#endif /* HAVE_CRL_MONITOR */
/* Load CRL path files of type, SSL_SUCCESS on ok */ /* Load CRL path files of type, SSL_SUCCESS on ok */
int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor) int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor)
{ {
@@ -267,7 +514,7 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor)
CYASSL_MSG("opendir path crl load failed"); CYASSL_MSG("opendir path crl load failed");
return BAD_PATH_ERROR; return BAD_PATH_ERROR;
} }
while ( ret == SSL_SUCCESS && (entry = readdir(dir)) != NULL) { while ( (entry = readdir(dir)) != NULL) {
if (entry->d_type & DT_REG) { if (entry->d_type & DT_REG) {
char name[MAX_FILENAME_SZ]; char name[MAX_FILENAME_SZ];
@@ -291,15 +538,36 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor)
XSTRNCAT(name, "/", 1); XSTRNCAT(name, "/", 1);
XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2); XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2);
ret = ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl); if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl)
!= SSL_SUCCESS) {
CYASSL_MSG("CRL file load failed, continuing");
}
} }
} }
if (monitor) { if (monitor & CYASSL_CRL_MONITOR) {
CYASSL_MSG("monitor path requested"); CYASSL_MSG("monitor path requested");
if (type == SSL_FILETYPE_PEM) {
crl->monitors[0].path = strdup(path);
crl->monitors[0].type = SSL_FILETYPE_PEM;
if (crl->monitors[0].path == NULL)
ret = MEMORY_E;
} else {
crl->monitors[1].path = strdup(path);
crl->monitors[1].type = SSL_FILETYPE_ASN1;
if (crl->monitors[1].path == NULL)
ret = MEMORY_E;
} }
return SSL_SUCCESS; if (monitor & CYASSL_CRL_START_MON) {
CYASSL_MSG("start monitoring requested");
ret = StartMonitorCRL(crl);
}
}
return ret;
} }
#endif /* HAVE_CRL */ #endif /* HAVE_CRL */

2
src/include.am
View File

@@ -72,5 +72,7 @@ endif
if BUILD_CRL if BUILD_CRL
src_libcyassl_la_SOURCES += src/crl.c src_libcyassl_la_SOURCES += src/crl.c
src_libcyassl_la_CFLAGS += $(PTHREAD_CFLAGS)
src_libcyassl_la_LIBADD += $(PTHREAD_LIBS)
endif endif

26
src/internal.c
View File

@@ -1628,11 +1628,9 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
ssl->ctx->cm); ssl->ctx->cm);
if (ret == 0 && dCert.isCA == 0) { if (ret == 0 && dCert.isCA == 0) {
CYASSL_MSG("Chain cert is not a CA, not adding as one"); CYASSL_MSG("Chain cert is not a CA, not adding as one");
(void)ret;
} }
else if (ret == 0 && ssl->options.verifyNone) { else if (ret == 0 && ssl->options.verifyNone) {
CYASSL_MSG("Chain cert not verified by option, not adding as CA"); CYASSL_MSG("Chain cert not verified by option, not adding as CA");
(void)ret;
} }
else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, dCert.subjectHash)) { else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, dCert.subjectHash)) {
buffer add; buffer add;
@@ -1651,13 +1649,22 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
} }
else if (ret != 0) { else if (ret != 0) {
CYASSL_MSG("Failed to verify CA from chain"); CYASSL_MSG("Failed to verify CA from chain");
(void)ret;
} }
else { else {
CYASSL_MSG("Verified CA from chain and already had it"); CYASSL_MSG("Verified CA from chain and already had it");
(void)ret;
} }
#ifdef HAVE_CRL
if (ret == 0 && ssl->ctx->cm->crlEnabled && ssl->ctx->cm->crlCheckAll) {
CYASSL_MSG("Doing Non Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert);
if (ret != 0) {
CYASSL_MSG("\tCRL check not ok");
}
}
#endif /* HAVE_CRL */
if (ret != 0 && anyError == 0) if (ret != 0 && anyError == 0)
anyError = ret; /* save error from last time */ anyError = ret; /* save error from last time */
@@ -1705,7 +1712,8 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
#endif #endif
#ifdef HAVE_CRL #ifdef HAVE_CRL
if (ssl->ctx->cm->crlEnabled) { if (fatal == 0 && ssl->ctx->cm->crlEnabled) {
CYASSL_MSG("Doing Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert); ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert);
if (ret != 0) { if (ret != 0) {
@@ -3530,6 +3538,14 @@ void SetErrorString(int error, char* str)
XSTRNCPY(str, "CRL missing, not loaded", max); XSTRNCPY(str, "CRL missing, not loaded", max);
break; break;
case MONITOR_RUNNING_E:
XSTRNCPY(str, "CRL monitor already running", max);
break;
case THREAD_CREATE_E:
XSTRNCPY(str, "Thread creation problem", max);
break;
case OCSP_NEED_URL: case OCSP_NEED_URL:
XSTRNCPY(str, "OCSP need URL", max); XSTRNCPY(str, "OCSP need URL", max);
break; break;

2
src/ssl.c
View File

@@ -1474,7 +1474,7 @@ int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER* cm, byte* der, int sz)
int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER* cm, CbMissingCRL cb) int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER* cm, CbMissingCRL cb)
{ {
CYASSL_ENTER("CyaSSL_CertManagerLoadCRL"); CYASSL_ENTER("CyaSSL_CertManagerSetCRL_Cb");
if (cm == NULL) if (cm == NULL)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;