fix: check decrypt key to prevent lua thread aborted (#2791)

apache · Nov 23, 2020 · 56aa1d6 · 56aa1d6
1 parent 4d29017
commit 56aa1d6
Show file tree

Hide file tree

Showing 4 changed files with 113 additions and 4 deletions.
diff --git a/apisix/ssl/router/radixtree_sni.lua b/apisix/ssl/router/radixtree_sni.lua
@@ -67,12 +67,18 @@ local function decrypt_priv_pkey(iv, key)
         return key
     end
 
-    local decrypted = iv:decrypt(ngx_decode_base64(key))
-    if decrypted then
-        return decrypted
+    local decoded_key = ngx_decode_base64(key)
+    if not decoded_key then
+        core.log.error("base64 decode ssl key failed and skipped. key[", key, "] ")
+        return
     end
 
-    core.log.error("decrypt ssl key failed. key[", key, "] ")
+    local decrypted = iv:decrypt(decoded_key)
+    if not decrypted then
+        core.log.error("decrypt ssl key failed and skipped. key[", key, "] ")
+    end
+
+    return decrypted
 end
 
 

diff --git a/t/certs/incorrect.crt b/t/certs/incorrect.crt
@@ -0,0 +1,12 @@
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
+test not base64 encoded crt
diff --git a/t/certs/incorrect.key b/t/certs/incorrect.key
@@ -0,0 +1,12 @@
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
+test not base64 encoded key
diff --git a/t/router/radixtree-sni.t b/t/router/radixtree-sni.t
@@ -1254,3 +1254,82 @@ connected: 1
 failed to do SSL handshake: handshake failed
 --- error_log
 decrypt ssl key failed.
+
+
+
+=== TEST 28: set miss_head ssl certificate
+--- config
+location /t {
+    content_by_lua_block {
+        local core = require("apisix.core")
+        local t = require("lib.test_admin")
+
+        --TODO: check the ssl certificate in admin ssl API
+        local ssl_cert = t.read_file("t/certs/incorrect.crt")
+        local ssl_key =  t.read_file("t/certs/incorrect.key")
+        local data = {cert = ssl_cert, key = ssl_key, sni = "www.test.com"}
+
+        local code, body = t.test('/apisix/admin/ssl/1',
+            ngx.HTTP_PUT,
+            core.json.encode(data),
+            [[{
+                "node": {
+                    "value": {
+                        "sni": "www.test.com"
+                    },
+                    "key": "/apisix/ssl/1"
+                },
+                "action": "set"
+            }]]
+            )
+
+        ngx.status = code
+        ngx.say(body)
+    }
+}
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 29: test illegal ssl certificate
+--- config
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+location /t {
+    content_by_lua_block {
+        -- etcd sync
+        ngx.sleep(0.2)
+
+        do
+            local sock = ngx.socket.tcp()
+
+            sock:settimeout(2000)
+
+            local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+            if not ok then
+                ngx.say("failed to connect: ", err)
+                return
+            end
+
+            ngx.say("connected: ", ok)
+
+            local sess, err = sock:sslhandshake(nil, "www.test.com", true)
+            if not sess then
+                ngx.say("failed to do SSL handshake: ", err)
+                return
+            end
+        end  -- do
+        -- collectgarbage()
+    }
+}
+--- request
+GET /t
+--- response_body
+connected: 1
+failed to do SSL handshake: handshake failed
+--- error_log
+base64 decode ssl key failed.