wolfKeyMgr v0.7

* Fix for HTTP header encode/decode conflict with variable `i`.
* Fix for HTTP server response parsing with no null termination issue.
* Added expires data to HTTP response.
* Added ETSI client GET caching.
* Added etsi_client `-r` support for GET (test caching).

Author: dgarske

configure.ac

@@ -5,7 +5,7 @@
 
 AC_PREREQ(2.59)
 
-AC_INIT([wolfKeyManager],[0.6],[http://www.wolfssl.com])
+AC_INIT([wolfKeyManager],[0.7],[http://www.wolfssl.com])
 AC_CONFIG_AUX_DIR(config)
 AC_CONFIG_HEADERS([wolfkeymgr/config.h])
 AC_CONFIG_MACRO_DIR(m4)
@@ -71,7 +71,7 @@ LT_PREREQ([2.2])
 LT_INIT([disable-static win32-dll])
 
 # Shared library versioning
-WOLFKM_LIBRARY_VERSION=4:0:0
+WOLFKM_LIBRARY_VERSION=4:1:0
 #                      | | |
 #               +------+ | +---+
 #               |        |     |

examples/etsi_client/etsi_client.c

@@ -44,6 +44,7 @@ typedef struct WorkThreadInfo {
     const char* keyPass;
     const char* clientCertFile;
     const char* caFile;
+    EtsiKey key;
     WOLFSSL_CTX* ctx; /* test ctx loading static ephemeral key */
 } WorkThreadInfo;
 
@@ -84,12 +85,20 @@ static int DoKeyRequest(EtsiClientCtx* client, WorkThreadInfo* info)
     /* push: will wait for server to push new keys */
     /* get:  will ask server for key and return */
     if (info->useGet) {
-        EtsiKey key;
-        memset(&key, 0, sizeof(key));
-
-        ret = wolfEtsiClientGet(client, &key, keyType, NULL, NULL, info->timeoutSec);
-        if (ret == 0) {
-            keyCb(client, &key, info);
+        ret = wolfEtsiClientGet(client, &info->key, keyType, NULL, NULL,
+            info->timeoutSec);
+        /* positive return means new key returned */
+        /* zero means, same key is used */
+        /* negative means error */
+        if (ret > 0) {
+            /* use same "push" callback to test key use / print */
+            keyCb(client, &info->key, info);
+            ret = 0;
+        }
+        else if (ret == 0) {
+            XLOG(WOLFKM_LOG_INFO, "ETSI Key Cached (valid for %lu sec)\n",
+                info->key.expires - wolfGetCurrentTimeT());
+            sleep(1); /* wait 1 second */
         }
     }
     else {
@@ -264,7 +273,6 @@ int main(int argc, char** argv)
     wolfEtsiClientInit();
 
     if (poolSize == 0) {
-        info.requests = 1; /* only 1 request for this */
         DoRequests(&info);
     }
     else {

examples/etsi_client/etsi_client.h

@@ -29,8 +29,7 @@ extern "C" {
 /* for client tests only */
 #define WOLFKM_DEFAULT_HOST         "localhost"
 #define WOLFKM_DEFAULT_ETSISVC_PORT "8119"
-#define WOLFKM_DEFAULT_REQUESTS     100   /* per thread */
-#define WOLFKM_ERROR_MODE_MAX       5       /* error mode type for forcing errors */
+#define WOLFKM_DEFAULT_REQUESTS     1       /* per thread */
 
 /* example certificate and key for mutual authentication to key manager */
 /* see ./certs/test-cert.sh for generation and signing */

src/mod_etsi.c

@@ -168,15 +168,18 @@ int wolfEtsiClientGet(EtsiClientCtx* client, EtsiKey* key,
     int    pos, i;
     HttpRsp rsp;
     const char* group;
+    time_t now;
 
     if (client == NULL || key == NULL) {
         return WOLFKM_BAD_ARGS;
     }
 
     /* Has current key expired? */
+    now = wolfGetCurrentTimeT();
     if (key->type == keyType && key->responseSz > 0 && 
-        key->expires > 0 && key->expires < wolfGetCurrentTimeT()) {
+        key->expires > 0 && key->expires >= now) {
         /* key is still valid, use existing */
+        /* return zero, indicating no key change */
         return 0;
     }
 
@@ -209,6 +212,7 @@ int wolfEtsiClientGet(EtsiClientCtx* client, EtsiKey* key,
     /* get key response */
     /* TODO: handle HTTP chunked content type */
     /* TODO: handle multiple packets */
+    /* TODO: Integrate HTTP processing with read to handle larger payloads */
     key->responseSz = sizeof(key->response);
     do {
         ret = wolfTlsRead(client->ssl, (byte*)key->response, key->responseSz,
@@ -237,15 +241,24 @@ int wolfEtsiClientGet(EtsiClientCtx* client, EtsiKey* key,
                     memset(&tm, 0, sizeof(tm));
                     /* Convert string to time_t */
                     /* HTTP expires example: "Wed, 21 Oct 2015 07:28:00 GMT" */
-                    if (strptime(rsp.headers[i].string, 
-                        "%a, %d %b %Y %H:%M:%s %Z", &tm) != NULL) {
+                    if (strptime(rsp.headers[i].string, HTTP_DATE_FMT,
+                                                                 &tm) != NULL) {
                         key->expires = mktime(&tm);
+                        /* sanity check time against current time */
+                        /* if this is past current here then it has already 
+                            expired or is invalid */
+                        if (key->expires < now) {
+                            XLOG(WOLFKM_LOG_WARN,
+                                "Key expires time invalid %lu < %lu\n",
+                                key->expires, now);
+                            key->expires = 0;
+                        }
                     }
                     break;
                 }
             }
 
-            /* move payload (body) to response */
+            /* move payload (body) to response (same buffer) */
             memcpy(key->response, rsp.body, rsp.bodySz);
             key->responseSz = rsp.bodySz;
         }
@@ -256,7 +269,9 @@ int wolfEtsiClientGet(EtsiClientCtx* client, EtsiKey* key,
 
     if (ret == 0) {
         /* asymmetric key package response */
-        XLOG(WOLFKM_LOG_INFO, "Got ETSI response (%d bytes)\n", key->responseSz);
+        XLOG(WOLFKM_LOG_INFO, "Got ETSI response (%d bytes)\n",
+            key->responseSz);
+        ret = key->responseSz; /* return key size */
     }
 
     return ret;

src/mod_http.c

@@ -199,6 +199,10 @@ int wolfHttpServer_ParseRequest(HttpReq* req, byte* buf, word32 sz)
         *endline = '\0'; /* null terminate line */
         HttpParseHeader(req->headers, &req->headerCount, sec);
         endline += 2; /* 2=length of CRLF */
+
+        /* check if we have reached end of incoming buffer */
+        if (endline >= (char*)buf + sz)
+            break;
         endline = strstr(endline, kCrlf); /* Find end of line */
     }
 
@@ -209,7 +213,7 @@ int wolfHttpServer_EncodeResponse(int rspCode, const char* message,
     byte* response, word32* responseSz, HttpHeader* headers, word32 headerCount,
     const byte* body, word32 bodySz)
 {
-    int i;
+    int i, c;
     HttpHeader* hdr;
     char* out = (char*)response;
     word32 remain;
@@ -236,8 +240,8 @@ int wolfHttpServer_EncodeResponse(int rspCode, const char* message,
     }
 
     /* append headers */
-    for (i=0; i<headerCount && remain > 0; i++) {
-        hdr = &headers[i];
+    for (c=0; c<headerCount && remain > 0; c++) {
+        hdr = &headers[c];
 
         i = snprintf(out, remain, "%s%s\r\n", 
             wolfHttpGetHeaderStr(hdr->type, NULL), hdr->string);
@@ -352,7 +356,7 @@ int wolfHttpClient_ParseResponse(HttpRsp* rsp, char* buf, word32 sz)
 int wolfHttpClient_EncodeRequest(HttpMethodType type, const char* uri,
     byte* request, word32* requestSz, HttpHeader* headers, word32 headerCount)
 {
-    int i;
+    int i, c;
     HttpHeader* hdr;
     char* out = (char*)request;
     word32 remain;
@@ -372,8 +376,8 @@ int wolfHttpClient_EncodeRequest(HttpMethodType type, const char* uri,
     }
 
     /* append headers */
-    for (i=0; i<headerCount && remain > 0; i++) {
-        hdr = &headers[i];
+    for (c=0; c<headerCount && remain > 0; c++) {
+        hdr = &headers[c];
 
         i = snprintf(out, remain, "%s%s\r\n", 
             wolfHttpGetHeaderStr(hdr->type, NULL), hdr->string);

src/sock_mgr.c

@@ -559,7 +559,15 @@ static void ThreadEventProcess(int fd, short which, void* arg)
         return;
     }
     else if (memcmp(buffer, &kNotify, sizeof(kNotify)) == 0) {
-        svcConn* conn = me->activeSvcConns.head;
+        svcConn* conn = me->activeSvcConns.head, conn_lcl;
+        if (conn == NULL) {
+            /* Setup an empty connection for notify only */
+            memset(&conn_lcl, 0, sizeof(conn_lcl));
+            conn = &conn_lcl;
+            conn->svc          = me->svc;
+            conn->svcThreadCtx = me->svcThreadCtx;
+            conn->me           = me;
+        }
         while (conn) {
             if (conn->svc->notifyCb) {
                 conn->svc->notifyCb(conn);

src/svc_etsi.c

@@ -35,7 +35,7 @@ typedef struct etsiSvcCtx {
     pthread_mutex_t lock; /* queue lock */
     pthread_t       thread; /* key gen worker */
 } etsiSvcCtx;
-static etsiSvcCtx svcCtx;
+static etsiSvcCtx gSvcCtx;
 
 /* the top level service */
 static svcInfo etsiService = {
@@ -57,14 +57,14 @@ static svcInfo etsiService = {
     .caBuffer = NULL,
     .caBufferSz = 0,
 
-    .svcCtx = &svcCtx,
+    .svcCtx = &gSvcCtx,
 };
 
 /* worker thread objects */
 typedef struct etsiSvcThread {
-    word32  index;
-    byte*   httpRspBuf;
-    word32  httpRspSz;
+    word32 index;
+    byte*  httpRspBuf;
+    word32 httpRspSz;
 } etsiSvcThread;
 
 typedef struct etsiSvcConn {
@@ -109,16 +109,26 @@ static int SetupKeyPackage(etsiSvcCtx* svcCtx, etsiSvcThread* etsiThread)
     int ret = 0;
     byte rsp[ETSI_MAX_RESPONSE_SZ], keyBuf[ECC_BUFSIZE];
     word32 rspSz = (word32)sizeof(rsp), keyBufSz = (word32)sizeof(keyBuf);
-    HttpHeader headers[2];
+    char expiresStr[100];
+    HttpHeader headers[3];
     headers[0].type = HTTP_HDR_CONTENT_TYPE;
     headers[0].string = "application/pkcs8";
     headers[1].type = HTTP_HDR_CONNECTION;
     headers[1].string = "Keep-Alive";
-    /* TODO: Add key expiration using HTTP_HDR_EXPIRES */
-    /* Example "Expires: Wed, 21 Oct 2015 07:28:00 GMT" */
+    headers[2].type = HTTP_HDR_EXPIRES;
+    headers[2].string = expiresStr;
+    memset(expiresStr, 0, sizeof(expiresStr));
 
     pthread_mutex_lock(&svcCtx->lock);
+    XLOG(WOLFKM_LOG_DEBUG, "Synchronizing key to worker thread\n"); 
     if (etsiThread->index != svcCtx->index) {
+        /* Format Expires Time */
+        time_t t = wolfGetCurrentTimeT();
+        struct tm tm;
+        t += svcCtx->renewSec; /* offset by key renewal period */
+        localtime_r(&t, &tm);
+        strftime(expiresStr, sizeof(expiresStr), HTTP_DATE_FMT, &tm);
+
         /* Export as DER IETF RFC 5915 */
         ret = wc_EccKeyToDer(&svcCtx->key, keyBuf, keyBufSz);
         if (ret < 0) {
@@ -259,14 +269,13 @@ void wolfEtsiSvc_ConnClose(svcConn* conn)
 
 int wolfEtsiSvc_DoNotify(svcConn* conn)
 {
-    int ret = 0;
+    int ret;
     svcInfo* svc;
     etsiSvcCtx* svcCtx;
     etsiSvcThread* etsiThread;
     etsiSvcConn* etsiConn;
 
-    if (conn == NULL || conn->stream == NULL || conn->svc == NULL || 
-            conn->svcThreadCtx == NULL || conn->svcConnCtx == NULL) {
+    if (conn == NULL || conn->svc == NULL || conn->svcThreadCtx == NULL) {
         XLOG(WOLFKM_LOG_ERROR, "Bad ETSI notify pointers\n");
         return WOLFKM_BAD_ARGS;
     }
@@ -276,13 +285,14 @@ int wolfEtsiSvc_DoNotify(svcConn* conn)
     etsiThread = (etsiSvcThread*)conn->svcThreadCtx;
     etsiConn = (etsiSvcConn*)conn->svcConnCtx;
 
-    if (etsiConn->req.type == HTTP_METHOD_PUT) {
-        /* updated key */
-        ret = SetupKeyPackage(svcCtx, etsiThread);
-        if (ret == 0) {
-            /* send updated key */
-            ret = wolfEtsiSvc_DoResponse(conn);
-        }
+    /* update key */
+    ret = SetupKeyPackage(svcCtx, etsiThread);
+
+    /* push key to active push threads */
+    if (ret == 0 && etsiConn != NULL && 
+            etsiConn->req.type == HTTP_METHOD_PUT) {
+        /* send updated key */
+        ret = wolfEtsiSvc_DoResponse(conn);
     }
 
     return ret;

wolfkeymgr/mod_etsi.h

@@ -112,6 +112,10 @@ WOLFKM_API int wolfEtsiClientMakeRequest(EtsiClientType type, const char* finger
 /* Fingerprint is a SHA256 hash of public key first 80 bits of digest in big- 
     endian format as HEX string (10 characters max) */
 /* keyType can be DHE/ECDHE/X25519/X448 */
+/* return:
+     - zero response means existing key is used, 
+     - negative is error
+     - positive means new key retrieved */
 WOLFKM_API int wolfEtsiClientGet(EtsiClientCtx* client, EtsiKey* key, 
     EtsiKeyType keyType, const char* fingerprint, const char* contextStr,
     int timeoutSec);

wolfkeymgr/mod_http.h

@@ -33,6 +33,10 @@ extern "C" {
 #define HTTP_HDR_MAX_ITEMS 10
 #endif
 
+#ifndef HTTP_DATE_FMT
+#define HTTP_DATE_FMT "%a, %d %b %Y %H:%M:%S %Z"
+#endif
+
 /* HTTP Types */
 typedef enum HttpMethodType {
     HTTP_METHOD_UNKNOWN,

wolfkeymgr/version.h

@@ -27,7 +27,7 @@
 extern "C" {
 #endif
 
-#define LIBWOLFSSL_VERSION_STRING "0.6"
+#define LIBWOLFSSL_VERSION_STRING "0.7"
 #define LIBWOLFSSL_VERSION_HEX @HEX_VERSION@
 
 #ifdef __cplusplus