Posted to notifications@apisix.apache.org by sp...@apache.org on 2020/11/24 08:43:35 UTC

[apisix] branch master updated: fix: check decrypt key to prevent lua thread aborted (#2815)

This is an automated email from the ASF dual-hosted git repository.

spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 95226d9  fix: check decrypt key to prevent lua thread aborted  (#2815)
95226d9 is described below

commit 95226d950f30162b6118ec2eb301217408e56cfb
Author: Peter Zhu <st...@gmail.com>
AuthorDate: Tue Nov 24 16:43:29 2020 +0800

    fix: check decrypt key to prevent lua thread aborted  (#2815)
    
    Fix #2791
---
 apisix/ssl/router/radixtree_sni.lua | 14 +++++--
 t/certs/incorrect.crt               | 12 ++++++
 t/certs/incorrect.key               | 12 ++++++
 t/router/radixtree-sni.t            | 83 ++++++++++++++++++++++++++++++++++++-
 4 files changed, 115 insertions(+), 6 deletions(-)

diff --git a/apisix/ssl/router/radixtree_sni.lua b/apisix/ssl/router/radixtree_sni.lua
index ed2c8d6..6bf7519 100644
--- a/apisix/ssl/router/radixtree_sni.lua
+++ b/apisix/ssl/router/radixtree_sni.lua
@@ -67,12 +67,18 @@ local function decrypt_priv_pkey(iv, key)
         return key
     end
 
-    local decrypted = iv:decrypt(ngx_decode_base64(key))
-    if decrypted then
-        return decrypted
+    local decoded_key = ngx_decode_base64(key)
+    if not decoded_key then
+        core.log.error("base64 decode ssl key failed and skipped. key[", key, "] ")
+        return
     end
 
-    core.log.error("decrypt ssl key failed. key[", key, "] ")
+    local decrypted = iv:decrypt(decoded_key)
+    if not decrypted then
+        core.log.error("decrypt ssl key failed and skipped. key[", key, "] ")
+    end
+
+    return decrypted
 end
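Review bot: Both new error branches still write the complete `key` value into the error log (`core.log.error("base64 decode ssl key failed and skipped. key[", key, "] ")` and the matching decrypt line), and on these failure paths that value is whatever private-key material the caller supplied, not necessarily a properly encrypted blob. The previous code logged it the same way, but since this commit rewrites both messages it is the natural place to stop echoing it; I would log only its size, e.g. `core.log.error("base64 decode ssl key failed and skipped. key length: ", #key)`. The start of decrypt_priv_pkey is outside the hunk, so I cannot see which keys the early `return key` on the first context line passes through undecrypted.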
 
 
diff --git a/t/certs/incorrect.crt b/t/certs/incorrect.crt
new file mode 100644
index 0000000..5e758f8
--- /dev/null
+++ b/t/certs/incorrect.crt
@@ -0,0 +1,12 @@
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
diff --git a/t/certs/incorrect.key b/t/certs/incorrect.key
new file mode 100644
index 0000000..8b950f0
--- /dev/null
+++ b/t/certs/incorrect.key
@@ -0,0 +1,12 @@
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
diff --git a/t/router/radixtree-sni.t b/t/router/radixtree-sni.t
index 0bd4241..6715171 100644
--- a/t/router/radixtree-sni.t
+++ b/t/router/radixtree-sni.t
@@ -939,7 +939,7 @@ GET /t
 connected: 1
 failed to do SSL handshake: handshake failed
 --- error_log
-decrypt ssl key failed.
+decrypt ssl key failed and skipped.
 
 
 
@@ -1253,4 +1253,83 @@ GET /t
 connected: 1
 failed to do SSL handshake: handshake failed
 --- error_log
-decrypt ssl key failed.
+decrypt ssl key failed and skipped.
+
+
+
+=== TEST 28: set miss_head ssl certificate
+--- config
+location /t {
+    content_by_lua_block {
+        local core = require("apisix.core")
+        local t = require("lib.test_admin")
+
+        --TODO: check the ssl certificate in admin ssl API
+        local ssl_cert = t.read_file("t/certs/incorrect.crt")
+        local ssl_key =  t.read_file("t/certs/incorrect.key")
+        local data = {cert = ssl_cert, key = ssl_key, sni = "www.test.com"}
+
+        local code, body = t.test('/apisix/admin/ssl/1',
+            ngx.HTTP_PUT,
+            core.json.encode(data),
+            [[{
+                "node": {
+                    "value": {
+                        "sni": "www.test.com"
+                    },
+                    "key": "/apisix/ssl/1"
+                },
+                "action": "set"
+            }]]
+            )
+
+        ngx.status = code
+        ngx.say(body)
+    }
+}
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 29: test illegal ssl certificate
+--- config
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+location /t {
+    content_by_lua_block {
+        -- etcd sync
+        ngx.sleep(0.2)
+
+        do
+            local sock = ngx.socket.tcp()
+
+            sock:settimeout(2000)
+
+            local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+            if not ok then
+                ngx.say("failed to connect: ", err)
+                return
+            end
+
+            ngx.say("connected: ", ok)
+
+            local sess, err = sock:sslhandshake(nil, "www.test.com", true)
+            if not sess then
+                ngx.say("failed to do SSL handshake: ", err)
+                return
+            end
+        end  -- do
+        -- collectgarbage()
+    }
+}
+--- request
+GET /t
+--- response_body
+connected: 1
+failed to do SSL handshake: handshake failed
+--- error_log
+base64 decode ssl key failed and skipped.
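Review bot: TEST 28 expects `passed` and `no_error_log [error]` when the admin API is given a cert and key that are neither PEM nor base64, so it pins the current lack of validation that its own `--TODO` line acknowledges, and a future admin-side check will have to invert this expectation. I would make that provisional status explicit next to the TODO, e.g. `-- NOTE: the admin API currently stores an unparseable cert/key unchanged; once it validates them this test should expect a 400 instead of "passed"`. TEST 29 then only proves the handshake fails and the new log line fires, which is the behaviour this commit fixes, so the pair is fine as a regression test for the crash but should not be read as the desired end state.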