mirror of
https://github.com/openharmony/third_party_openhitls.git
synced 2026-07-01 10:05:26 -04:00
fix:protocal handshake probelms fix
- Filter out TLS_CERT_KEY_TYPE_UNKNOWN when setting certificates and private keys - Fix the null pointer dereference risk and incomplete information in INDICATOR. - Fix the macro wrapping issue in RecvFinishedProcess. - Fix the counter handling issue in GroupCfgDeepCopy. Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/1464 Signed-off-by: Dongjianwei001 <dongjianwei1@huawei.com>
committed by
Dongjianwei001
parent
7dd522be8f
commit
d52e42f5e1
+1
-1
@@ -504,7 +504,7 @@ int32_t HITLS_GetLocalSignScheme(const HITLS_Ctx *ctx, HITLS_SignHashAlgo *local
|
||||
* @param ctx [IN] TLS connection handle
|
||||
* @param idx [IN] Index of algorithm to query (starting from 0)
|
||||
* - idx >= 0: return information for the specified index
|
||||
* - idx = -1: only return total count, do not fill output parameters
|
||||
* - idx < 0: only return total count, do not fill output parameters
|
||||
* @param signatureScheme [OUT] IANA-defined signature scheme value (uint16_t), can be NULL
|
||||
* @param keyType [OUT] Certificate key type (HITLS_CERT_KeyType), can be NULL
|
||||
* @param paraId [OUT] Key parameter ID (CRYPT_PKEY_ParaId), can be NULL
|
||||
|
||||
@@ -735,8 +735,7 @@ int32_t HITLS_CFG_GetDhAutoSupport(HITLS_Config *config, bool *isSupport);
|
||||
* @ingroup hitls_config
|
||||
* @brief Setting whether to support post-handshake auth takes effect only for TLS1.3.
|
||||
client: If the client supports pha, the client sends pha extensions.
|
||||
Server: supports pha. After the handshake, the upper-layer interface HITLS_VerifyClientPostHandshake
|
||||
initiates certificate verification.
|
||||
Server: Whether send certificate request in first handshake if client has sent pha extension.
|
||||
* @param config [OUT] Config handle
|
||||
* @param support [IN] Whether to support pha
|
||||
True: pha is supported.
|
||||
|
||||
@@ -51,6 +51,7 @@
|
||||
#include "hitls_cert_reg.h"
|
||||
#include "hitls_config.h"
|
||||
#include "hitls_cert_init.h"
|
||||
#include "stub_utils.h"
|
||||
#include "bsl_log.h"
|
||||
#include "bsl_err.h"
|
||||
#include "logger.h"
|
||||
@@ -62,12 +63,38 @@
|
||||
#include "bsl_errno.h"
|
||||
#include "hitls_x509_adapt.h"
|
||||
#include "hitls_pki_x509.h"
|
||||
#include "hitls_pki_errno.h"
|
||||
/* END_HEADER */
|
||||
|
||||
#define BUF_MAX_SIZE 4096
|
||||
int32_t g_uiPort = 18886;
|
||||
HITLS_CERT_X509 *HiTLS_X509_LoadCertFile(HITLS_Config *tlsCfg, const char *file);
|
||||
|
||||
STUB_DEFINE_RET5(int32_t, SAL_CERT_KeyCtrl, HITLS_Config *, HITLS_CERT_Key *, HITLS_CERT_CtrlCmd, void *, void *);
|
||||
|
||||
static int32_t STUB_SAL_CERT_KeyCtrl_UNKNOWN(HITLS_Config *config, HITLS_CERT_Key *key,
|
||||
HITLS_CERT_CtrlCmd cmd, void *in, void *out)
|
||||
{
|
||||
if (cmd == CERT_KEY_CTRL_GET_TYPE && out != NULL) {
|
||||
*(uint32_t *)out = TLS_CERT_KEY_TYPE_UNKNOWN;
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
|
||||
if (key == NULL) {
|
||||
return HITLS_NULL_INPUT;
|
||||
}
|
||||
if (cmd > CERT_CTRL_BUTT - 1) {
|
||||
return HITLS_CERT_CTRL_ERR_INVALID_CMD;
|
||||
}
|
||||
int32_t ret;
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER
|
||||
ret = HITLS_X509_Adapt_KeyCtrl(config, key, cmd, in, out);
|
||||
#else
|
||||
ret = config->certMgrCtx->method.keyCtrl(config, key, cmd, in, out);
|
||||
#endif
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* @
|
||||
* @test UT_TLS_CERT_CM_SetVerifyStore_API_TC001
|
||||
* @title The input parameters of the HITLS_SetVerifyStore and HITLS_GetVerifyStore interfaces are replaced.
|
||||
@@ -305,3 +332,116 @@ EXIT:
|
||||
HITLS_Free(ctx);
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* @
|
||||
* @test UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001
|
||||
* @title Reject certificates and private keys whose key type is unknown
|
||||
* @precon nan
|
||||
* @brief 1. Create a TLS config.
|
||||
* 2. Stub SAL_CERT_KeyCtrl to report TLS_CERT_KEY_TYPE_UNKNOWN.
|
||||
* 3. Load a certificate and a private key file.
|
||||
* @expect 1. HITLS_CFG_LoadCertFile returns HITLS_CERT_ERR_INVALID_KEY_TYPE.
|
||||
* 2. HITLS_CFG_LoadKeyFile returns HITLS_CERT_ERR_INVALID_KEY_TYPE.
|
||||
@ */
|
||||
/* BEGIN_CASE */
|
||||
void UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001(int version)
|
||||
{
|
||||
const char *certFile = "../testdata/tls/certificate/der/ed25519/ed25519.end.der";
|
||||
const char *keyFile = "../testdata/tls/certificate/der/ed25519/ed25519.end.key.der";
|
||||
HITLS_Config *tlsConfig = NULL;
|
||||
|
||||
HitlsInit();
|
||||
tlsConfig = HitlsNewCtx(version);
|
||||
ASSERT_TRUE(tlsConfig != NULL);
|
||||
|
||||
STUB_REPLACE(SAL_CERT_KeyCtrl, STUB_SAL_CERT_KeyCtrl_UNKNOWN);
|
||||
ASSERT_EQ(HITLS_CFG_LoadCertFile(tlsConfig, certFile, TLS_PARSE_FORMAT_ASN1), HITLS_CERT_ERR_INVALID_KEY_TYPE);
|
||||
ASSERT_EQ(HITLS_CFG_LoadKeyFile(tlsConfig, keyFile, TLS_PARSE_FORMAT_ASN1), HITLS_CERT_ERR_INVALID_KEY_TYPE);
|
||||
|
||||
EXIT:
|
||||
STUB_RESTORE(SAL_CERT_KeyCtrl);
|
||||
HITLS_CFG_FreeConfig(tlsConfig);
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* @
|
||||
* @test UT_TLS_CERT_CFG_CLEAR_VERIFY_CRLS_FUNC_TC001
|
||||
* @title Clear CRLs configured in the verify store
|
||||
* @precon nan
|
||||
* @brief 1. Create a TLS config and configure an explicit verify store.
|
||||
* 2. Add CA certificates into the verify store and load a CRL file.
|
||||
* 3. Verify the handshake fails while the CRL is present.
|
||||
* 4. Clear CRLs and verify the verify store no longer contains the CRL.
|
||||
* @expect 1. HITLS_CFG_LoadCrlFile succeeds.
|
||||
* 2. The revoked-certificate handshake fails before clear.
|
||||
* 3. HITLS_CFG_ClearVerifyCrls succeeds.
|
||||
* 4. The post-clear handshake fails with CRL-not-found instead of certificate-revoked.
|
||||
@ */
|
||||
/* BEGIN_CASE */
|
||||
void UT_TLS_CERT_CFG_CLEAR_VERIFY_CRLS_FUNC_TC001(int version)
|
||||
{
|
||||
const char *serverCertPath = "../testdata/tls/certificate/der/ed25519/ed25519.end.der";
|
||||
const char *serverKeyPath = "../testdata/tls/certificate/der/ed25519/ed25519.end.key.der";
|
||||
const char *intCaPath = "../testdata/tls/certificate/der/ed25519/ed25519.intca.der";
|
||||
const char *caCertPath = "../testdata/tls/certificate/der/ed25519/ed25519.ca.der";
|
||||
const char *crlPath = "../testdata/tls/certificate/der/ed25519/ed25519.crl.der";
|
||||
HITLS_Config *tlsConfig = NULL;
|
||||
HITLS_CERT_Store *verifyStore = NULL;
|
||||
HITLS_CERT_X509 *caCert = NULL;
|
||||
FRAME_LinkObj *client = NULL;
|
||||
FRAME_LinkObj *server = NULL;
|
||||
HITLS_ERROR ret = HITLS_SUCCESS;
|
||||
|
||||
HitlsInit();
|
||||
FRAME_Init();
|
||||
tlsConfig = HitlsNewCtx(version);
|
||||
ASSERT_TRUE(tlsConfig != NULL);
|
||||
|
||||
verifyStore = HITLS_X509_Adapt_StoreNew();
|
||||
ASSERT_TRUE(verifyStore != NULL);
|
||||
ASSERT_EQ(HITLS_CFG_SetVerifyStore(tlsConfig, verifyStore, false), HITLS_SUCCESS);
|
||||
ASSERT_TRUE(HITLS_CFG_GetVerifyStore(tlsConfig) == verifyStore);
|
||||
|
||||
ASSERT_EQ(HITLS_CFG_LoadCertFile(tlsConfig, serverCertPath, TLS_PARSE_FORMAT_ASN1), HITLS_SUCCESS);
|
||||
ASSERT_EQ(HITLS_CFG_LoadKeyFile(tlsConfig, serverKeyPath, TLS_PARSE_FORMAT_ASN1), HITLS_SUCCESS);
|
||||
|
||||
caCert = HiTLS_X509_LoadCertFile(tlsConfig, caCertPath);
|
||||
ASSERT_TRUE(caCert != NULL);
|
||||
ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_VERIFY, false), HITLS_SUCCESS);
|
||||
|
||||
caCert = HiTLS_X509_LoadCertFile(tlsConfig, intCaPath);
|
||||
ASSERT_TRUE(caCert != NULL);
|
||||
ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_VERIFY, false), HITLS_SUCCESS);
|
||||
|
||||
ASSERT_EQ(HITLS_CFG_SetVerifyFlags(tlsConfig, HITLS_X509_VFY_FLAG_CRL_DEV), HITLS_SUCCESS);
|
||||
ASSERT_EQ(HITLS_CFG_LoadCrlFile(tlsConfig, crlPath, TLS_PARSE_FORMAT_ASN1), HITLS_SUCCESS);
|
||||
|
||||
client = FRAME_CreateLinkBase(tlsConfig, BSL_UIO_TCP, false);
|
||||
ASSERT_TRUE(client != NULL);
|
||||
server = FRAME_CreateLinkBase(tlsConfig, BSL_UIO_TCP, false);
|
||||
ASSERT_TRUE(server != NULL);
|
||||
ASSERT_NE(FRAME_CreateConnection(client, server, true, HS_STATE_BUTT), HITLS_SUCCESS);
|
||||
HITLS_GetVerifyResult(client->ssl, &ret);
|
||||
ASSERT_EQ(ret, HITLS_X509_ERR_VFY_CERT_REVOKED);
|
||||
|
||||
FRAME_FreeLink(client);
|
||||
FRAME_FreeLink(server);
|
||||
client = NULL;
|
||||
server = NULL;
|
||||
|
||||
ASSERT_EQ(HITLS_CFG_ClearVerifyCrls(tlsConfig), HITLS_SUCCESS);
|
||||
|
||||
client = FRAME_CreateLinkBase(tlsConfig, BSL_UIO_TCP, false);
|
||||
ASSERT_TRUE(client != NULL);
|
||||
server = FRAME_CreateLinkBase(tlsConfig, BSL_UIO_TCP, false);
|
||||
ASSERT_TRUE(server != NULL);
|
||||
ASSERT_NE(FRAME_CreateConnection(client, server, true, HS_STATE_BUTT), HITLS_SUCCESS);
|
||||
HITLS_GetVerifyResult(client->ssl, &ret);
|
||||
ASSERT_EQ(ret, HITLS_X509_ERR_VFY_CRL_NOT_FOUND);
|
||||
|
||||
EXIT:
|
||||
HITLS_CFG_FreeConfig(tlsConfig);
|
||||
FRAME_FreeLink(client);
|
||||
FRAME_FreeLink(server);
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
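Review bot: UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001 checks only the return codes of the two rejected loads, so it would still pass if the certificate or key were stored in `tlsConfig` before the key-type check fails. After each `ASSERT_EQ(..., HITLS_CERT_ERR_INVALID_KEY_TYPE)` I would also assert that the config still reports no current certificate and no private key, which pins the fail-closed behaviour the fix is meant to provide. Separately, `STUB_RESTORE(SAL_CERT_KeyCtrl)` under `EXIT:` is presumably also reached when `ASSERT_TRUE(tlsConfig != NULL)` fails before `STUB_REPLACE` has run; confirm that restoring a stub that was never installed is harmless in this framework.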
+13
-1
@@ -32,4 +32,16 @@ UT_HITLS_CERT_ClearChainCerts_API_TC001
|
||||
UT_HITLS_CERT_ClearChainCerts_API_TC001:TLS1_2:"../../testcode/testdata/tls/certificate/der/ecdsa_sha256/server.der":"../../testcode/testdata/tls/certificate/der/ecdsa_sha256/inter.der"
|
||||
|
||||
UT_HITLS_CERT_ClearChainCerts_API_TC001
|
||||
UT_HITLS_CERT_ClearChainCerts_API_TC001:TLS1_3:"../../testcode/testdata/tls/certificate/der/ecdsa_sha256/server.der":"../../testcode/testdata/tls/certificate/der/ecdsa_sha256/inter.der"
|
||||
UT_HITLS_CERT_ClearChainCerts_API_TC001:TLS1_3:"../../testcode/testdata/tls/certificate/der/ecdsa_sha256/server.der":"../../testcode/testdata/tls/certificate/der/ecdsa_sha256/inter.der"
|
||||
|
||||
UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001
|
||||
UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001:TLS1_2
|
||||
|
||||
UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001
|
||||
UT_TLS_CERT_CFG_FILTER_UNKNOWN_KEY_TYPE_TC001:TLS1_3
|
||||
|
||||
UT_TLS_CERT_CFG_CLEAR_VERIFY_CRLS_FUNC_TC001
|
||||
UT_TLS_CERT_CFG_CLEAR_VERIFY_CRLS_FUNC_TC001:TLS1_2
|
||||
|
||||
UT_TLS_CERT_CFG_CLEAR_VERIFY_CRLS_FUNC_TC001
|
||||
UT_TLS_CERT_CFG_CLEAR_VERIFY_CRLS_FUNC_TC001:TLS1_3
|
||||
|
||||
@@ -103,6 +103,10 @@ int32_t SAL_CERT_SetCurrentCert(HITLS_Config *config, HITLS_CERT_X509 *cert, boo
|
||||
return RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16100, "GET KEY TYPE fail");
|
||||
}
|
||||
|
||||
if (keyType == TLS_CERT_KEY_TYPE_UNKNOWN) {
|
||||
return HITLS_CERT_ERR_INVALID_KEY_TYPE;
|
||||
}
|
||||
|
||||
CERT_Pair *certPair = NULL;
|
||||
ret = GetOrInsertCertPair(mgrCtx, keyType, &certPair);
|
||||
if (ret != HITLS_SUCCESS || certPair == NULL) {
|
||||
@@ -182,6 +186,10 @@ int32_t SAL_CERT_SetCurrentPrivateKey(HITLS_Config *config, HITLS_CERT_Key *key,
|
||||
return RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16104, "get key type fail");
|
||||
}
|
||||
|
||||
if (keyType == TLS_CERT_KEY_TYPE_UNKNOWN) {
|
||||
return HITLS_CERT_ERR_INVALID_KEY_TYPE;
|
||||
}
|
||||
|
||||
CERT_Pair *certPair = NULL;
|
||||
ret = GetOrInsertCertPair(mgrCtx, keyType, &certPair);
|
||||
if (ret != HITLS_SUCCESS || certPair == NULL) {
|
||||
|
||||
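Review bot: The new `TLS_CERT_KEY_TYPE_UNKNOWN` rejection in SAL_CERT_SetCurrentCert returns the bare error code, while the failure path directly above it goes through `RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16100, "GET KEY TYPE fail")`, which appears to record the error; the identical check added in SAL_CERT_SetCurrentPrivateKey has the same gap. A certificate or key refused for its type is something an operator would want traceable, so both returns could use the same macro, for example `return RETURN_ERROR_NUMBER_PROCESS(HITLS_CERT_ERR_INVALID_KEY_TYPE, <NEW_BINLOG_ID>, "unknown key type");` with a newly allocated log id. Both function bodies start and end outside the hunks, so it cannot be seen here whether a caller already logs this code.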
@@ -299,8 +299,8 @@ static int32_t GroupCfgDeepCopy(HITLS_Config *destConfig, const HITLS_Config *sr
|
||||
if (destConfig->groupInfo[i].name == NULL) {
|
||||
return HITLS_MEMALLOC_FAIL;
|
||||
}
|
||||
destConfig->groupInfolen++;
|
||||
#endif
|
||||
destConfig->groupInfolen++;
|
||||
}
|
||||
}
|
||||
#endif /* HITLS_TLS_FEATURE_PROVIDER_DYNAMIC */
|
||||
@@ -334,9 +334,11 @@ static int32_t SignAlgorithmsCfgDeepCopy(HITLS_Config *destConfig, const HITLS_C
|
||||
}
|
||||
#ifdef HITLS_TLS_FEATURE_PROVIDER_DYNAMIC
|
||||
if (srcConfig->sigSchemeInfo != NULL) {
|
||||
#ifndef HITLS_TLS_CAP_NO_STR
|
||||
for (uint32_t i = 0; i < destConfig->sigSchemeInfolen; i++) {
|
||||
BSL_SAL_FREE(destConfig->sigSchemeInfo[i].name);
|
||||
}
|
||||
#endif
|
||||
BSL_SAL_FREE(destConfig->sigSchemeInfo);
|
||||
destConfig->sigSchemeInfoSize = 0;
|
||||
destConfig->sigSchemeInfolen = 0;
|
||||
@@ -347,11 +349,13 @@ static int32_t SignAlgorithmsCfgDeepCopy(HITLS_Config *destConfig, const HITLS_C
|
||||
destConfig->sigSchemeInfoSize = srcConfig->sigSchemeInfolen;
|
||||
for (uint32_t i = 0; i < srcConfig->sigSchemeInfolen; i++) {
|
||||
destConfig->sigSchemeInfo[i] = srcConfig->sigSchemeInfo[i];
|
||||
#ifndef HITLS_TLS_CAP_NO_STR
|
||||
destConfig->sigSchemeInfo[i].name =
|
||||
BSL_SAL_Dump(srcConfig->sigSchemeInfo[i].name, strlen(srcConfig->sigSchemeInfo[i].name) + 1);
|
||||
if (destConfig->sigSchemeInfo[i].name == NULL) {
|
||||
return HITLS_MEMALLOC_FAIL;
|
||||
}
|
||||
#endif
|
||||
destConfig->sigSchemeInfolen++;
|
||||
}
|
||||
}
|
||||
|
||||
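Review bot: In SignAlgorithmsCfgDeepCopy the copy loop still calls `strlen(srcConfig->sigSchemeInfo[i].name)` with no NULL check; the commit wraps that statement in `#ifndef HITLS_TLS_CAP_NO_STR` but leaves it unchanged. If a source entry can ever have a NULL `name`, copying the config dereferences NULL, and a NULL result from `BSL_SAL_Dump` would be reported as `HITLS_MEMALLOC_FAIL` even though nothing was allocated. A guard placed before the dump, `if (srcConfig->sigSchemeInfo[i].name == NULL) { return HITLS_NULL_INPUT; }`, makes the precondition explicit; if the name is guaranteed non-NULL where the entries are registered, a comment saying so would do instead. The function starts and ends outside the hunks.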
@@ -1226,7 +1226,8 @@ int32_t HITLS_CFG_ClearVerifyCrls(HITLS_Config *config)
|
||||
return RETURN_ERROR_NUMBER_PROCESS(HITLS_UNREGISTERED_CALLBACK, BINLOG_ID16569, "unregistered callback");
|
||||
}
|
||||
|
||||
HITLS_CERT_Store *certStore = SAL_CERT_GET_CERT_STORE(mgrCtx);
|
||||
HITLS_CERT_Store *certStore = SAL_CERT_GET_VERIFY_STORE(mgrCtx) == NULL ?
|
||||
SAL_CERT_GET_CERT_STORE(mgrCtx) : SAL_CERT_GET_VERIFY_STORE(mgrCtx);
|
||||
if (certStore == NULL) {
|
||||
return HITLS_SUCCESS; /* No store, nothing to clear */
|
||||
}
|
||||
|
||||
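Review bot: The new initialiser in HITLS_CFG_ClearVerifyCrls expands `SAL_CERT_GET_VERIFY_STORE(mgrCtx)` twice inside a conditional expression; reading it once is easier to follow and does not rely on the macro being free of side effects: `HITLS_CERT_Store *certStore = SAL_CERT_GET_VERIFY_STORE(mgrCtx);` followed by `if (certStore == NULL) { certStore = SAL_CERT_GET_CERT_STORE(mgrCtx); }`. A one-line comment stating that an explicitly configured verify store takes precedence over the default cert store would document the intent. It is also worth confirming that the CRL load path selects the store in the same order, since otherwise CRLs could be loaded into one store and cleared from the other. The function continues outside the hunk.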
@@ -274,6 +274,7 @@ int32_t HS_GetReassMsg(TLS_Ctx *ctx, HS_MsgInfo *msgInfo, uint32_t *len)
|
||||
msgInfo->sequence = node->sequence;
|
||||
msgInfo->fragmentOffset = 0u;
|
||||
msgInfo->fragmentLength = node->msgLen - DTLS_HS_MSG_HEADER_SIZE;
|
||||
msgInfo->headerAndBodyLen = DTLS_HS_MSG_HEADER_SIZE + msgInfo->length;
|
||||
int32_t ret = HS_ReSizeMsgBuf(ctx, node->msgLen);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
|
||||
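Review bot: In HS_GetReassMsg, `msgInfo->headerAndBodyLen` (which appears to be the added line) is computed from `msgInfo->length`, while `fragmentLength` just above it and the `HS_ReSizeMsgBuf` call just below it both use `node->msgLen`. If those two lengths can ever disagree for a reassembled message, a consumer that trusts `headerAndBodyLen` could read more bytes than the buffer was sized for. Either derive the value from `node->msgLen` or state the invariant next to the assignment, e.g. `/* node->msgLen == DTLS_HS_MSG_HEADER_SIZE + msgInfo->length once reassembly is complete */`. The assignment of `msgInfo->length` is outside the hunk, so the invariant cannot be checked from here.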
@@ -282,23 +282,6 @@ static int32_t RecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
}
|
||||
return HITLS_SUCCESS;
|
||||
}
|
||||
#ifdef HITLS_TLS_HOST_CLIENT
|
||||
#ifdef HITLS_TLS_PROTO_TLS_BASIC
|
||||
int32_t Tls12ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
{
|
||||
int32_t ret = RecvFinishedProcess(ctx, msg);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
if (ctx->negotiatedInfo.isResume == true) {
|
||||
ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY);
|
||||
return HS_ChangeState(ctx, TRY_SEND_CHANGE_CIPHER_SPEC);
|
||||
}
|
||||
|
||||
return HS_ChangeState(ctx, TLS_CONNECTED);
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS_BASIC */
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_DTLS12
|
||||
int32_t DtlsClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
@@ -329,7 +312,26 @@ int32_t DtlsClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
|
||||
return HS_ChangeState(ctx, TLS_CONNECTED);
|
||||
}
|
||||
#endif
|
||||
#endif /* HITLS_TLS_PROTO_DTLS12 */
|
||||
|
||||
#ifdef HITLS_TLS_HOST_CLIENT
|
||||
#ifdef HITLS_TLS_PROTO_TLS_BASIC
|
||||
int32_t Tls12ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
{
|
||||
int32_t ret = RecvFinishedProcess(ctx, msg);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
if (ctx->negotiatedInfo.isResume == true) {
|
||||
ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY);
|
||||
return HS_ChangeState(ctx, TRY_SEND_CHANGE_CIPHER_SPEC);
|
||||
}
|
||||
|
||||
return HS_ChangeState(ctx, TLS_CONNECTED);
|
||||
}
|
||||
#endif /* HITLS_TLS_PROTO_TLS_BASIC */
|
||||
|
||||
#ifdef HITLS_TLS_PROTO_TLS13
|
||||
int32_t Tls13ClientRecvFinishedProcess(TLS_Ctx *ctx, const HS_Msg *msg)
|
||||
{
|
||||
|
||||
@@ -927,6 +927,8 @@ int32_t TryReadOneTlsRecord(TLS_Ctx *ctx, uint8_t **recordBody, RecHdr *recHeade
|
||||
recHeader->bodyLen = BSL_ByteToUint16(recordHeader + REC_TLS_RECORD_LENGTH_OFFSET);
|
||||
|
||||
ret = TlsCheckRecordHeader(ctx, recHeader);
|
||||
/* TlsCheckRecordHeader may reszie the buffer in inBuf */
|
||||
recordHeader = &inBuf->buf[inBuf->start];
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
#ifdef HITLS_TLS_FEATURE_INDICATOR
|
||||
INDICATOR_MessageIndicate(0, 0, RECORD_HEADER, recordHeader, REC_TLS_RECORD_HEADER_LEN, ctx,
|
||||
|
||||
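Review bot: The added comment in TryReadOneTlsRecord has a typo (`reszie`) and does not say why the pointer is re-read; I would write `/* TlsCheckRecordHeader may resize inBuf->buf, so re-derive recordHeader before it is used again */`. The refresh covers `recordHeader` only, so any other local that pointed into `inBuf->buf` before the call would still reference the old allocation afterwards. The function body starts and ends outside the hunk, so that needs checking against the full function, including whatever is later stored through `recordBody`.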