Posted to notifications@apisix.apache.org by sp...@apache.org on 2020/11/24 08:43:35 UTC
[apisix] branch master updated: fix: check decrypt key to prevent
lua thread aborted (#2815)
This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 95226d9 fix: check decrypt key to prevent lua thread aborted (#2815)
95226d9 is described below
commit 95226d950f30162b6118ec2eb301217408e56cfb
Author: Peter Zhu <st...@gmail.com>
AuthorDate: Tue Nov 24 16:43:29 2020 +0800
fix: check decrypt key to prevent lua thread aborted (#2815)
Fix #2791
---
apisix/ssl/router/radixtree_sni.lua | 14 +++++--
t/certs/incorrect.crt | 12 ++++++
t/certs/incorrect.key | 12 ++++++
t/router/radixtree-sni.t | 83 ++++++++++++++++++++++++++++++++++++-
4 files changed, 115 insertions(+), 6 deletions(-)
diff --git a/apisix/ssl/router/radixtree_sni.lua b/apisix/ssl/router/radixtree_sni.lua
index ed2c8d6..6bf7519 100644
--- a/apisix/ssl/router/radixtree_sni.lua
+++ b/apisix/ssl/router/radixtree_sni.lua
@@ -67,12 +67,18 @@ local function decrypt_priv_pkey(iv, key)
return key
end
- local decrypted = iv:decrypt(ngx_decode_base64(key))
- if decrypted then
- return decrypted
+ local decoded_key = ngx_decode_base64(key)
+ if not decoded_key then
+ core.log.error("base64 decode ssl key failed and skipped. key[", key, "] ")
+ return
end
- core.log.error("decrypt ssl key failed. key[", key, "] ")
+ local decrypted = iv:decrypt(decoded_key)
+ if not decrypted then
+ core.log.error("decrypt ssl key failed and skipped. key[", key, "] ")
+ end
+
+ return decrypted
end
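Review bot: Both new error branches write the full `key` argument into the error log (`core.log.error("base64 decode ssl key failed and skipped. key[", key, "] ")` and the decrypt counterpart a few lines below), so the stored private-key blob — encrypted, but still secret material — and, on the decode branch, whatever arbitrary string was submitted, end up in logs that are often shipped to systems with weaker access controls than the key store. The removed line already logged the key, so the commit does not introduce the exposure, but it now repeats it in two places while fixing the nil-argument abort. A non-sensitive hint is enough to debug these failures, e.g. `core.log.error("base64 decode ssl key failed and skipped. key length: ", #key)` and `core.log.error("decrypt ssl key failed and skipped. key length: ", #key)`. `decrypt_priv_pkey` begins before the hunk, so the early `return key` at the top is only partially visible here and the caller's handling of the new nil return cannot be checked from this diff.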
diff --git a/t/certs/incorrect.crt b/t/certs/incorrect.crt
new file mode 100644
index 0000000..5e758f8
--- /dev/null
+++ b/t/certs/incorrect.crt
@@ -0,0 +1,12 @@
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
diff --git a/t/certs/incorrect.key b/t/certs/incorrect.key
new file mode 100644
index 0000000..8b950f0
--- /dev/null
+++ b/t/certs/incorrect.key
@@ -0,0 +1,12 @@
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
diff --git a/t/router/radixtree-sni.t b/t/router/radixtree-sni.t
index 0bd4241..6715171 100644
--- a/t/router/radixtree-sni.t
+++ b/t/router/radixtree-sni.t
@@ -939,7 +939,7 @@ GET /t
connected: 1
failed to do SSL handshake: handshake failed
--- error_log
-decrypt ssl key failed.
+decrypt ssl key failed and skipped.
@@ -1253,4 +1253,83 @@ GET /t
connected: 1
failed to do SSL handshake: handshake failed
--- error_log
-decrypt ssl key failed.
+decrypt ssl key failed and skipped.
+
+
+
+=== TEST 28: set miss_head ssl certificate
+--- config
+location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+
+ --TODO: check the ssl certificate in admin ssl API
+ local ssl_cert = t.read_file("t/certs/incorrect.crt")
+ local ssl_key = t.read_file("t/certs/incorrect.key")
+ local data = {cert = ssl_cert, key = ssl_key, sni = "www.test.com"}
+
+ local code, body = t.test('/apisix/admin/ssl/1',
+ ngx.HTTP_PUT,
+ core.json.encode(data),
+ [[{
+ "node": {
+ "value": {
+ "sni": "www.test.com"
+ },
+ "key": "/apisix/ssl/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 29: test illegal ssl certificate
+--- config
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+location /t {
+ content_by_lua_block {
+ -- etcd sync
+ ngx.sleep(0.2)
+
+ do
+ local sock = ngx.socket.tcp()
+
+ sock:settimeout(2000)
+
+ local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+ if not ok then
+ ngx.say("failed to connect: ", err)
+ return
+ end
+
+ ngx.say("connected: ", ok)
+
+ local sess, err = sock:sslhandshake(nil, "www.test.com", true)
+ if not sess then
+ ngx.say("failed to do SSL handshake: ", err)
+ return
+ end
+ end -- do
+ -- collectgarbage()
+ }
+}
+--- request
+GET /t
+--- response_body
+connected: 1
+failed to do SSL handshake: handshake failed
+--- error_log
+base64 decode ssl key failed and skipped.
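Review bot: In TEST 29 `local sess, err = sock:sslhandshake(nil, "www.test.com", true)` redeclares `err`, which `local ok, err = sock:connect(...)` introduced a few lines earlier in the same `do` block; luacheck reports this as shadowing, and `local sess, hs_err = sock:sslhandshake(nil, "www.test.com", true)` with `hs_err` in the following `ngx.say` keeps the two errors distinct. The `-- collectgarbage()` line is commented-out code and reads better removed. TEST 28 pins the admin API to answer `passed` for a cert and key that are not PEM at all, so the `--TODO: check the ssl certificate in admin ssl API` comment is really a statement that this expectation is provisional; wording it as `--TODO: admin ssl API does not validate the PEM material yet; update response_body when it does` tells whoever adds validation that this test is expected to flip rather than break.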