fix:protocal handshake probelms fix

- Filter out TLS_CERT_KEY_TYPE_UNKNOWN when setting certificates and private keys
- Fix the null pointer dereference risk and incomplete information in INDICATOR.
- Fix the macro wrapping issue in RecvFinishedProcess.
- Fix the counter handling issue in GroupCfgDeepCopy.

Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/1464

Signed-off-by: Dongjianwei001 <dongjianwei1@huawei.com>
This commit is contained in:
longparty
2026-05-18 20:20:59 +08:00
committed by Dongjianwei001
parent 7dd522be8f
commit d52e42f5e1
10 changed files with 193 additions and 24 deletions
+1 -1
View File
@@ -504,7 +504,7 @@ int32_t HITLS_GetLocalSignScheme(const HITLS_Ctx *ctx, HITLS_SignHashAlgo *local
* @param ctx [IN] TLS connection handle
* @param idx [IN] Index of algorithm to query (starting from 0)
* - idx >= 0: return information for the specified index
* - idx = -1: only return total count, do not fill output parameters
* - idx < 0: only return total count, do not fill output parameters
* @param signatureScheme [OUT] IANA-defined signature scheme value (uint16_t), can be NULL
* @param keyType [OUT] Certificate key type (HITLS_CERT_KeyType), can be NULL
* @param paraId [OUT] Key parameter ID (CRYPT_PKEY_ParaId), can be NULL
+1 -2
View File
@@ -735,8 +735,7 @@ int32_t HITLS_CFG_GetDhAutoSupport(HITLS_Config *config, bool *isSupport);
* @ingroup hitls_config
* @brief Setting whether to support post-handshake auth takes effect only for TLS1.3.
client: If the client supports pha, the client sends pha extensions.
Server: supports pha. After the handshake, the upper-layer interface HITLS_VerifyClientPostHandshake
initiates certificate verification.
Server: Whether send certificate request in first handshake if client has sent pha extension.
* @param config [OUT] Config handle
* @param support [IN] Whether to support pha
True: pha is supported.
@@ -51,6 +51,7 @@
#include "hitls_cert_reg.h"
#include "hitls_config.h"
#include "hitls_cert_init.h"
#include "stub_utils.h"
#include "bsl_log.h"
#include "bsl_err.h"
#include "logger.h"
@@ -62,12 +63,38 @@
#include "bsl_errno.h"
#include "hitls_x509_adapt.h"
#include "hitls_pki_x509.h"
#include "hitls_pki_errno.h"
/* END_HEADER */
#define BUF_MAX_SIZE 4096
int32_t g_uiPort = 18886;
HITLS_CERT_X509 *HiTLS_X509_LoadCertFile(HITLS_Config *tlsCfg, const char *file);
STUB_DEFINE_RET5(int32_t, SAL_CERT_KeyCtrl, HITLS_Config *, HITLS_CERT_Key *, HITLS_CERT_CtrlCmd, void *, void *);
static int32_t STUB_SAL_CERT_KeyCtrl_UNKNOWN(HITLS_Config *config, HITLS_CERT_Key *key,
HITLS_CERT_CtrlCmd cmd, void *in, void *out)
{
if (cmd == CERT_KEY_CTRL_GET_TYPE && out != NULL) {
*(uint32_t *)out = TLS_CERT_KEY_TYPE_UNKNOWN;
return HITLS_SUCCESS;
}
if (key == NULL) {
return HITLS_NULL_INPUT;
}
if (cmd > CERT_CTRL_BUTT - 1) {
return HITLS_CERT_CTRL_ERR_INVALID_CMD;
}
int32_t ret;
#ifdef HITLS_TLS_FEATURE_PROVIDER
ret = HITLS_X509_Adapt_KeyCtrl(config, key, cmd, in, out);
#else
ret = config->certMgrCtx->method.keyCtrl(config, key, cmd, in, out);
#endif
return ret;
}
/* @
* @test UT_TLS_CERT_CM_SetVerifyStore_API_TC001
* @title The input parameters of the HITLS_SetVerifyStore and HITLS_GetVerifyStore interfaces are replaced.
@@ -305,3 +332,116 @@ EXIT:
HITLS_Free(ctx);
}
/* END_CASE */
/* @
* @test UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001
* @title Reject certificates and private keys whose key type is unknown
* @precon nan
* @brief 1. Create a TLS config.
* 2. Stub SAL_CERT_KeyCtrl to report TLS_CERT_KEY_TYPE_UNKNOWN.
* 3. Load a certificate and a private key file.
* @expect 1. HITLS_CFG_LoadCertFile returns HITLS_CERT_ERR_INVALID_KEY_TYPE.
* 2. HITLS_CFG_LoadKeyFile returns HITLS_CERT_ERR_INVALID_KEY_TYPE.
@ */
/* BEGIN_CASE */
void UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001(int version)
{
const char *certFile = "../testdata/tls/certificate/der/ed25519/ed25519.end.der";
const char *keyFile = "../testdata/tls/certificate/der/ed25519/ed25519.end.key.der";
HITLS_Config *tlsConfig = NULL;
HitlsInit();
tlsConfig = HitlsNewCtx(version);
ASSERT_TRUE(tlsConfig != NULL);
STUB_REPLACE(SAL_CERT_KeyCtrl, STUB_SAL_CERT_KeyCtrl_UNKNOWN);
ASSERT_EQ(HITLS_CFG_LoadCertFile(tlsConfig, certFile, TLS_PARSE_FORMAT_ASN1), HITLS_CERT_ERR_INVALID_KEY_TYPE);
ASSERT_EQ(HITLS_CFG_LoadKeyFile(tlsConfig, keyFile, TLS_PARSE_FORMAT_ASN1), HITLS_CERT_ERR_INVALID_KEY_TYPE);
EXIT:
STUB_RESTORE(SAL_CERT_KeyCtrl);
HITLS_CFG_FreeConfig(tlsConfig);
}
/* END_CASE */
/* @
* @test UT_TLS_CERT_CFG_CLEAR_VERIFY_CRLS_FUNC_TC001
* @title Clear CRLs configured in the verify store
* @precon nan
* @brief 1. Create a TLS config and configure an explicit verify store.
* 2. Add CA certificates into the verify store and load a CRL file.
* 3. Verify the handshake fails while the CRL is present.
* 4. Clear CRLs and verify the verify store no longer contains the CRL.
* @expect 1. HITLS_CFG_LoadCrlFile succeeds.
* 2. The revoked-certificate handshake fails before clear.
* 3. HITLS_CFG_ClearVerifyCrls succeeds.
* 4. The post-clear handshake fails with CRL-not-found instead of certificate-revoked.
@ */
/* BEGIN_CASE */
void UT_TLS_CERT_CFG_CLEAR_VERIFY_CRLS_FUNC_TC001(int version)
{
const char *serverCertPath = "../testdata/tls/certificate/der/ed25519/ed25519.end.der";
const char *serverKeyPath = "../testdata/tls/certificate/der/ed25519/ed25519.end.key.der";
const char *intCaPath = "../testdata/tls/certificate/der/ed25519/ed25519.intca.der";
const char *caCertPath = "../testdata/tls/certificate/der/ed25519/ed25519.ca.der";
const char *crlPath = "../testdata/tls/certificate/der/ed25519/ed25519.crl.der";
HITLS_Config *tlsConfig = NULL;
HITLS_CERT_Store *verifyStore = NULL;
HITLS_CERT_X509 *caCert = NULL;
FRAME_LinkObj *client = NULL;
FRAME_LinkObj *server = NULL;
HITLS_ERROR ret = HITLS_SUCCESS;
HitlsInit();
FRAME_Init();
tlsConfig = HitlsNewCtx(version);
ASSERT_TRUE(tlsConfig != NULL);
verifyStore = HITLS_X509_Adapt_StoreNew();
ASSERT_TRUE(verifyStore != NULL);
ASSERT_EQ(HITLS_CFG_SetVerifyStore(tlsConfig, verifyStore, false), HITLS_SUCCESS);
ASSERT_TRUE(HITLS_CFG_GetVerifyStore(tlsConfig) == verifyStore);
ASSERT_EQ(HITLS_CFG_LoadCertFile(tlsConfig, serverCertPath, TLS_PARSE_FORMAT_ASN1), HITLS_SUCCESS);
ASSERT_EQ(HITLS_CFG_LoadKeyFile(tlsConfig, serverKeyPath, TLS_PARSE_FORMAT_ASN1), HITLS_SUCCESS);
caCert = HiTLS_X509_LoadCertFile(tlsConfig, caCertPath);
ASSERT_TRUE(caCert != NULL);
ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_VERIFY, false), HITLS_SUCCESS);
caCert = HiTLS_X509_LoadCertFile(tlsConfig, intCaPath);
ASSERT_TRUE(caCert != NULL);
ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_VERIFY, false), HITLS_SUCCESS);
ASSERT_EQ(HITLS_CFG_SetVerifyFlags(tlsConfig, HITLS_X509_VFY_FLAG_CRL_DEV), HITLS_SUCCESS);
ASSERT_EQ(HITLS_CFG_LoadCrlFile(tlsConfig, crlPath, TLS_PARSE_FORMAT_ASN1), HITLS_SUCCESS);
client = FRAME_CreateLinkBase(tlsConfig, BSL_UIO_TCP, false);
ASSERT_TRUE(client != NULL);
server = FRAME_CreateLinkBase(tlsConfig, BSL_UIO_TCP, false);
ASSERT_TRUE(server != NULL);
ASSERT_NE(FRAME_CreateConnection(client, server, true, HS_STATE_BUTT), HITLS_SUCCESS);
HITLS_GetVerifyResult(client->ssl, &ret);
ASSERT_EQ(ret, HITLS_X509_ERR_VFY_CERT_REVOKED);
FRAME_FreeLink(client);
FRAME_FreeLink(server);
client = NULL;
server = NULL;
ASSERT_EQ(HITLS_CFG_ClearVerifyCrls(tlsConfig), HITLS_SUCCESS);
client = FRAME_CreateLinkBase(tlsConfig, BSL_UIO_TCP, false);
ASSERT_TRUE(client != NULL);
server = FRAME_CreateLinkBase(tlsConfig, BSL_UIO_TCP, false);
ASSERT_TRUE(server != NULL);
ASSERT_NE(FRAME_CreateConnection(client, server, true, HS_STATE_BUTT), HITLS_SUCCESS);
HITLS_GetVerifyResult(client->ssl, &ret);
ASSERT_EQ(ret, HITLS_X509_ERR_VFY_CRL_NOT_FOUND);
EXIT:
HITLS_CFG_FreeConfig(tlsConfig);
FRAME_FreeLink(client);
FRAME_FreeLink(server);
}
/* END_CASE */
@@ -32,4 +32,16 @@ UT_HITLS_CERT_ClearChainCerts_API_TC001
UT_HITLS_CERT_ClearChainCerts_API_TC001:TLS1_2:"../../testcode/testdata/tls/certificate/der/ecdsa_sha256/server.der":"../../testcode/testdata/tls/certificate/der/ecdsa_sha256/inter.der"
UT_HITLS_CERT_ClearChainCerts_API_TC001
UT_HITLS_CERT_ClearChainCerts_API_TC001:TLS1_3:"../../testcode/testdata/tls/certificate/der/ecdsa_sha256/server.der":"../../testcode/testdata/tls/certificate/der/ecdsa_sha256/inter.der"
UT_HITLS_CERT_ClearChainCerts_API_TC001:TLS1_3:"../../testcode/testdata/tls/certificate/der/ecdsa_sha256/server.der":"../../testcode/testdata/tls/certificate/der/ecdsa_sha256/inter.der"
UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001
UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001:TLS1_2
UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001
UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001:TLS1_3
UT_TLS_CERT_CFG_CLEAR_VERIFY_CRLS_FUNC_TC001
UT_TLS_CERT_CFG_CLEAR_VERIFY_CRLS_FUNC_TC001:TLS1_2
UT_TLS_CERT_CFG_CLEAR_VERIFY_CRLS_FUNC_TC001
UT_TLS_CERT_CFG_CLEAR_VERIFY_CRLS_FUNC_TC001:TLS1_3
+8
View File
@@ -103,6 +103,10 @@ int32_t SAL_CERT_SetCurrentCert(HITLS_Config *config, HITLS_CERT_X509 *cert, boo
return RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16100, "GET KEY TYPE fail");
}
if (keyType == TLS_CERT_KEY_TYPE_UNKNOWN) {
return HITLS_CERT_ERR_INVALID_KEY_TYPE;
}
CERT_Pair *certPair = NULL;
ret = GetOrInsertCertPair(mgrCtx, keyType, &certPair);
if (ret != HITLS_SUCCESS || certPair == NULL) {
@@ -182,6 +186,10 @@ int32_t SAL_CERT_SetCurrentPrivateKey(HITLS_Config *config, HITLS_CERT_Key *key,
return RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16104, "get key type fail");
}
if (keyType == TLS_CERT_KEY_TYPE_UNKNOWN) {
return HITLS_CERT_ERR_INVALID_KEY_TYPE;
}
CERT_Pair *certPair = NULL;
ret = GetOrInsertCertPair(mgrCtx, keyType, &certPair);
if (ret != HITLS_SUCCESS || certPair == NULL) {
+5 -1
View File
@@ -299,8 +299,8 @@ static int32_t GroupCfgDeepCopy(HITLS_Config *destConfig, const HITLS_Config *sr
if (destConfig->groupInfo[i].name == NULL) {
return HITLS_MEMALLOC_FAIL;
}
destConfig->groupInfolen++;
#endif
destConfig->groupInfolen++;
}
}
#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
@@ -334,9 +334,11 @@ static int32_t SignAlgorithmsCfgDeepCopy(HITLS_Config *destConfig, const HITLS_C
}
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
if (srcConfig->sigSchemeInfo != NULL) {
#ifndef HITLS_TLS_CAP_NO_STR
for (uint32_t i = 0; i < destConfig->sigSchemeInfolen; i++) {
BSL_SAL_FREE(destConfig->sigSchemeInfo[i].name);
}
#endif
BSL_SAL_FREE(destConfig->sigSchemeInfo);
destConfig->sigSchemeInfoSize = 0;
destConfig->sigSchemeInfolen = 0;
@@ -347,11 +349,13 @@ static int32_t SignAlgorithmsCfgDeepCopy(HITLS_Config *destConfig, const HITLS_C
destConfig->sigSchemeInfoSize = srcConfig->sigSchemeInfolen;
for (uint32_t i = 0; i < srcConfig->sigSchemeInfolen; i++) {
destConfig->sigSchemeInfo[i] = srcConfig->sigSchemeInfo[i];
#ifndef HITLS_TLS_CAP_NO_STR
destConfig->sigSchemeInfo[i].name =
BSL_SAL_Dump(srcConfig->sigSchemeInfo[i].name, strlen(srcConfig->sigSchemeInfo[i].name) + 1);
if (destConfig->sigSchemeInfo[i].name == NULL) {
return HITLS_MEMALLOC_FAIL;
}
#endif
destConfig->sigSchemeInfolen++;
}
}
+2 -1
View File
@@ -1226,7 +1226,8 @@ int32_t HITLS_CFG_ClearVerifyCrls(HITLS_Config *config)
return RETURN_ERROR_NUMBER_PROCESS(HITLS_UNREGISTERED_CALLBACK, BINLOG_ID16569, "unregistered callback");
}
HITLS_CERT_Store *certStore = SAL_CERT_GET_CERT_STORE(mgrCtx);
HITLS_CERT_Store *certStore = SAL_CERT_GET_VERIFY_STORE(mgrCtx) == NULL ?
SAL_CERT_GET_CERT_STORE(mgrCtx) : SAL_CERT_GET_VERIFY_STORE(mgrCtx);
if (certStore == NULL) {
return HITLS_SUCCESS; /* No store, nothing to clear */
}
+1
View File
@@ -274,6 +274,7 @@ int32_t HS_GetReassMsg(TLS_Ctx *ctx, HS_MsgInfo *msgInfo, uint32_t *len)
msgInfo->sequence = node->sequence;
msgInfo->fragmentOffset = 0u;
msgInfo->fragmentLength = node->msgLen - DTLS_HS_MSG_HEADER_SIZE;
msgInfo->headerAndBodyLen = DTLS_HS_MSG_HEADER_SIZE + msgInfo->length;
int32_t ret = HS_ReSizeMsgBuf(ctx, node->msgLen);
if (ret != HITLS_SUCCESS) {
return ret;
+20 -18
View File
@@ -282,23 +282,6 @@ static int32_t RecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
}
return HITLS_SUCCESS;
}
#ifdef HITLS_TLS_HOST_CLIENT
#ifdef HITLS_TLS_PROTO_TLS_BASIC
int32_t Tls12ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
{
int32_t ret = RecvFinishedProcess(ctx, msg);
if (ret != HITLS_SUCCESS) {
return ret;
}
if (ctx->negotiatedInfo.isResume == true) {
ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY);
return HS_ChangeState(ctx, TRY_SEND_CHANGE_CIPHER_SPEC);
}
return HS_ChangeState(ctx, TLS_CONNECTED);
}
#endif /* HITLS_TLS_PROTO_TLS_BASIC */
#ifdef HITLS_TLS_PROTO_DTLS12
int32_t DtlsClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
@@ -329,7 +312,26 @@ int32_t DtlsClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
return HS_ChangeState(ctx, TLS_CONNECTED);
}
#endif
#endif /* HITLS_TLS_PROTO_DTLS12 */
#ifdef HITLS_TLS_HOST_CLIENT
#ifdef HITLS_TLS_PROTO_TLS_BASIC
int32_t Tls12ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
{
int32_t ret = RecvFinishedProcess(ctx, msg);
if (ret != HITLS_SUCCESS) {
return ret;
}
if (ctx->negotiatedInfo.isResume == true) {
ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY);
return HS_ChangeState(ctx, TRY_SEND_CHANGE_CIPHER_SPEC);
}
return HS_ChangeState(ctx, TLS_CONNECTED);
}
#endif /* HITLS_TLS_PROTO_TLS_BASIC */
#ifdef HITLS_TLS_PROTO_TLS13
int32_t Tls13ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
{
+2
View File
@@ -927,6 +927,8 @@ int32_t TryReadOneTlsRecord(TLS_Ctx *ctx, uint8_t **recordBody, RecHdr *recHeade
recHeader->bodyLen = BSL_ByteToUint16(recordHeader + REC_TLS_RECORD_LENGTH_OFFSET);
ret = TlsCheckRecordHeader(ctx, recHeader);
/* TlsCheckRecordHeader may reszie the buffer in inBuf */
recordHeader = &inBuf->buf[inBuf->start];
if (ret != HITLS_SUCCESS) {
#ifdef HITLS_TLS_FEATURE_INDICATOR
INDICATOR_MessageIndicate(0, 0, RECORD_HEADER, recordHeader, REC_TLS_RECORD_HEADER_LEN, ctx,