From 26153ffad6422b0b168bf87c4609df8e9dcfab75 Mon Sep 17 00:00:00 2001
From: toddouska
Date: Fri, 18 May 2012 10:52:32 -0700
Subject: [PATCH] add crl monitor flag, handle no revoked case
---
 ctaocrypt/src/asn.c | 3 +--
 cyassl/crl.h | 2 +-
 cyassl/ctaocrypt/asn.h | 1 +
 cyassl/ssl.h | 7 ++++---
 examples/client/client.c | 2 +-
 src/crl.c | 6 +++++-
 src/ssl.c | 16 ++++++++++------
 7 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c
index 160974175..db1e0e1ec 100644
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
@@ -4660,8 +4660,7 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz)
 if (GetBasicDate(buff, &idx, dcrl->nextDate, sz) < 0)
 return ASN_PARSE_E;
-
- if (idx != dcrl->sigIndex) {
+ if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) {
 if (GetSequence(buff, &idx, &len, sz) < 0)
 return ASN_PARSE_E;
diff --git a/cyassl/crl.h b/cyassl/crl.h
index 918927cc2..5e2fa62b2 100644
--- a/cyassl/crl.h
+++ b/cyassl/crl.h
@@ -35,7 +35,7 @@ typedef struct CYASSL_CRL CYASSL_CRL;
 CYASSL_LOCAL int InitCRL(CYASSL_CRL*, CYASSL_CERT_MANAGER*);
 CYASSL_LOCAL void FreeCRL(CYASSL_CRL*);
-CYASSL_LOCAL int LoadCRL(CYASSL_CRL* crl, const char* path, int type);
+CYASSL_LOCAL int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int mon);
 CYASSL_LOCAL int BufferLoadCRL(CYASSL_CRL*, const byte*, long, int);
 CYASSL_LOCAL int CheckCertCRL(CYASSL_CRL*, DecodedCert*);
diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h
index 5f215b8fc..eaf06a794 100644
--- a/cyassl/ctaocrypt/asn.h
+++ b/cyassl/ctaocrypt/asn.h
@@ -62,6 +62,7 @@ enum ASN_Tags {
 ASN_SET = 0x11,
 ASN_UTC_TIME = 0x17,
 ASN_GENERALIZED_TIME = 0x18,
+ CRL_EXTENSIONS = 0xa0,
 ASN_EXTENSIONS = 0xa3,
 ASN_LONG_LENGTH = 0x80
 };
diff --git a/cyassl/ssl.h b/cyassl/ssl.h
index c30a9ac52..f87da7307 100644
--- a/cyassl/ssl.h
+++ b/cyassl/ssl.h
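Review bot: The added `buff[idx] != CRL_EXTENSIONS` test reads a byte without first confirming that `idx` is still inside the buffer; `idx` was only advanced by GetBasicDate against `sz`, so on a truncated or mis-lengthed CRL where the date parse ends exactly at `sz` (and `sz` differs from `sigIndex`) this is a one-byte out-of-bounds read. Guard the read, e.g. `if (idx < sz && idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) {`, or better compare against the TBS end with `idx < dcrl->sigIndex` so an index that has already run past the signature start is never dereferenced. 0xa0 is the context-specific [0] constructed tag that RFC 5280 assigns to TBSCertList.crlExtensions, so skipping the revokedCertificates parse there is right, but a comment at the condition would help: `/* no revokedCertificates: next is either crlExtensions [0] or the signature */`. ParseCRL begins and ends outside the hunk, so how the extensions are consumed afterwards is not visible here.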
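Review bot: The new parameter is named `mon` in this prototype but `monitor` in the definition in src/crl.c, and nothing says what values it takes; use one name and document it, `CYASSL_LOCAL int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor);` with a comment such as `/* monitor: non-zero asks that path be watched for CRL updates */` if that is the intent. The crl.c hunk in this commit only logs when the flag is set, so any stronger claim in the comment should wait for the implementation.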
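Review bot: `CRL_EXTENSIONS = 0xa0` is added to ASN_Tags without saying what it encodes; the neighbouring entries are universal tags whereas 0xa0 is the context-specific constructed [0] tag that RFC 5280 uses for TBSCertList.crlExtensions (as ASN_EXTENSIONS 0xa3 is [3] for Certificate.extensions), so a trailing comment is worth adding: `CRL_EXTENSIONS = 0xa0, /* [0] EXPLICIT crlExtensions (RFC 5280 TBSCertList) */`.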
@@ -791,17 +791,18 @@ CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f, int format);
 CYASSL_API int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER*, int options);
 CYASSL_API int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER*);
-CYASSL_API int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER*, const char*,int);
+CYASSL_API int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER*, const char*, int,
+ int);
 CYASSL_API int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER*, CbMissingCRL);
 CYASSL_API int CyaSSL_EnableCRL(CYASSL* ssl, int options);
 CYASSL_API int CyaSSL_DisableCRL(CYASSL* ssl);
-CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int);
+CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int, int);
 CYASSL_API int CyaSSL_SetCRL_Cb(CYASSL*, CbMissingCRL);
 CYASSL_API int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options);
 CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx);
-CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int);
+CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int);
 CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL);
diff --git a/examples/client/client.c b/examples/client/client.c
index d09ec8cd3..7e5abcdb9 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -209,7 +209,7 @@ void client_test(void* args)
 CyaSSL_set_fd(ssl, sockfd);
 #ifdef HAVE_CRL
 CyaSSL_EnableCRL(ssl, 0);
- CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM);
+ CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0);
 CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
 #endif
 if (argc != 3)
diff --git a/src/crl.c b/src/crl.c
index b3211d274..561d573bf 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -250,7 +250,7 @@ int BufferLoadCRL(CYASSL_CRL* crl, const byte* buff, long sz, int type)
 /* Load CRL path files of type, SSL_SUCCESS on ok */
-int LoadCRL(CYASSL_CRL* crl, const char* path, int type)
+int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor)
 {
 struct dirent* entry;
 DIR* dir;
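Review bot: The new trailing `int` on CyaSSL_CertManagerLoadCRL, CyaSSL_LoadCRL and CyaSSL_CTX_LoadCRL is unnamed in this public header, so an application author cannot tell from the prototype what to pass; the definitions in src/ssl.c call it `monitor`, so name it here too, e.g. `CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int type, int monitor);`, and add a one-line comment above the group saying that `monitor` is a flag (0 just loads the directory once) and what a non-zero value requests. Several neighbouring prototypes in this header also leave parameters unnamed, so a comment alone would fit the file's style, but the flag's semantics need to be written somewhere callers will see them.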
@@ -293,6 +293,10 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type)
 }
 }
+ if (monitor) {
+ CYASSL_MSG("monitor path requested");
+ }
+
 return SSL_SUCCESS;
 }
diff --git a/src/ssl.c b/src/ssl.c
index b478e2d7a..bb7608763 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1332,6 +1332,10 @@ int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname,
 if (ret == 0)
 ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm);
+#ifdef HAVE_CRL
+ if (ret == 0 && cm->crlEnabled)
+ ret = CheckCertCRL(cm->crl, &cert);
+#endif
 }
 FreeDecodedCert(&cert);
@@ -1441,7 +1445,7 @@ int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER* cm, CbMissingCRL cb)
 int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER* cm, const char* path,
- int type)
+ int type, int monitor)
 {
 CYASSL_ENTER("CyaSSL_CertManagerLoadCRL");
 if (cm == NULL)
@@ -1454,7 +1458,7 @@ int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER* cm, const char* path,
 }
 }
- return LoadCRL(cm->crl, path, type);
+ return LoadCRL(cm->crl, path, type, monitor);
 }
@@ -1478,11 +1482,11 @@ int CyaSSL_DisableCRL(CYASSL* ssl)
 }
-int CyaSSL_LoadCRL(CYASSL* ssl, const char* path, int type)
+int CyaSSL_LoadCRL(CYASSL* ssl, const char* path, int type, int monitor)
 {
 CYASSL_ENTER("CyaSSL_LoadCRL");
 if (ssl)
- return CyaSSL_CertManagerLoadCRL(ssl->ctx->cm, path, type);
+ return CyaSSL_CertManagerLoadCRL(ssl->ctx->cm, path, type, monitor);
 else
 return BAD_FUNC_ARG;
 }
@@ -1518,11 +1522,11 @@ int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx)
 }
-int CyaSSL_CTX_LoadCRL(CYASSL_CTX* ctx, const char* path, int type)
+int CyaSSL_CTX_LoadCRL(CYASSL_CTX* ctx, const char* path, int type, int monitor)
 {
 CYASSL_ENTER("CyaSSL_CTX_LoadCRL");
 if (ctx)
- return CyaSSL_CertManagerLoadCRL(ctx->cm, path, type);
+ return CyaSSL_CertManagerLoadCRL(ctx->cm, path, type, monitor);
 else
 return BAD_FUNC_ARG;
 }
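Review bot: `monitor` is accepted, logged with `CYASSL_MSG("monitor path requested")` and then ignored, while LoadCRL still returns SSL_SUCCESS; a caller that asked for the directory to be watched gets a success code and will go on trusting the CRLs loaded at this call even after the directory changes, which is a silent fail-open for revocation. Until the watch is implemented, either return an error rather than SSL_SUCCESS when `monitor` is non-zero so the caller knows the request was not honoured, or state the limitation in the comment on LoadCRL, for instance `/* Load CRL path files of type, SSL_SUCCESS on ok; monitor is accepted but not yet acted on */`. LoadCRL's body begins outside this hunk, so I cannot see whether anything else consumes the flag.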