diff options
author | Jakub Zelenka <bukka@php.net> | 2018-08-19 20:14:26 +0100 |
---|---|---|
committer | Jakub Zelenka <bukka@php.net> | 2018-08-19 20:14:26 +0100 |
commit | 4c542e6c13ca0d1b3944efee715a4dadb4794c7c (patch) | |
tree | 49673be88af658df64e7c6e07ebabe5fb0968d5c | |
parent | 4c448334bdfe61c8c2a0b3c3d5797d5ff31d4ca0 (diff) | |
download | php-git-4c542e6c13ca0d1b3944efee715a4dadb4794c7c.tar.gz |
Fix bug #76705 (unusable ssl => peer_fingerprint in stream_context_create())
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/openssl/tests/bug76705.pem | 50 | ||||
-rw-r--r-- | ext/openssl/tests/bug76705.phpt | 43 | ||||
-rw-r--r-- | ext/openssl/xp_ssl.c | 6 |
4 files changed, 101 insertions, 2 deletions
@@ -25,6 +25,10 @@ PHP NEWS . Fixed bug #76747 (Opcache treats path containing "test.pharma.tld" as a phar file). (Laruence) +- OpenSSL: + . Fixed bug #76705 (unusable ssl => peer_fingerprint in + stream_context_create()). (Jakub Zelenka) + - phpdbg: . Fixed bug #76595 (phpdbg man page contains outdated information). (Kevin Abel) diff --git a/ext/openssl/tests/bug76705.pem b/ext/openssl/tests/bug76705.pem new file mode 100644 index 0000000000..295544af62 --- /dev/null +++ b/ext/openssl/tests/bug76705.pem @@ -0,0 +1,50 @@ +-----BEGIN CERTIFICATE----- +MIIDjjCCAnagAwIBAgIJAJCtQJeo8gdyMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV +BAYTAkdCMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg +Q29tcGFueSBMdGQxGDAWBgNVBAMMD29wZW5zc2wucGhwLm5ldDAeFw0xODA4MTkx +ODQxMzdaFw0yODA4MTYxODQxMzdaMFwxCzAJBgNVBAYTAkdCMRUwEwYDVQQHDAxE +ZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxGDAWBgNV +BAMMD29wZW5zc2wucGhwLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALqnJTvXG3o47uPpaJI+rjCfwWAvX8lqUPD05jYCEckYOCQZDze0qAzxJRnl +dJS4V/sEWgqtroJm+AuasEd7GFhuTWG72eo4Gq8kJHt2+ev68yIfxtOvV4gDcN3w +9Mkk66q661Jg2oMnWK518VpiQQaNRKQtVkjrLf0DG+WRjx1Y6BFpx8mw699lepfk +IYhblg1JulmIQ99FnE3xkuJ9gsh74BrBD4CxwBAHk3WFB6nnrMW++4rG1gexOCdB +fikGALEZDjH5iPjNT1c7Los3CVDldHLTDHHUKEM3w/hp5d2lw67eUpoGrxwbnXF5 +nngdFHe2QJNd5jN2TFICJkcIZb8CAwEAAaNTMFEwHQYDVR0OBBYEFAfXyCoG/LwU +8eoV8bdp1859DnjCMB8GA1UdIwQYMBaAFAfXyCoG/LwU8eoV8bdp1859DnjCMA8G +A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADLZHI4YYvgmKVmtzvow +kqhljnR14WVeVgr/zfGbRwgeiyokG+BAb0yaNAWO5QYJH8rrx2+1pTq4alAvkoQm +2mjJu5d4Dfyb7Cmiz8EeITbfZUmX/JZJIOTrXUx5NiIndB6zJf3Bzq2oqeeENW7E +zKLmBpiOhywoVdzhGTGOxJo7nlXhzkQleQ+N1NgDjIyFSSkKyuXpdUjhD8Pm+/x9 +0oJIU1pcCVFmavjwFmAEPTD+xNiXZDhndWElEmb6q5yJzbPbxQmCwYpNOknQXKRA ++ERVRVyaMmO286CONAhSO2cP9P/Ss7NSt28kXNGux1zSeXsRjMx8ICUqtaG99ZhD +bdo= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC6pyU71xt6OO7j +6WiSPq4wn8FgL1/JalDw9OY2AhHJGDgkGQ83tKgM8SUZ5XSUuFf7BFoKra6CZvgL +mrBHexhYbk1hu9nqOBqvJCR7dvnr+vMiH8bTr1eIA3Dd8PTJJOuquutSYNqDJ1iu +dfFaYkEGjUSkLVZI6y39AxvlkY8dWOgRacfJsOvfZXqX5CGIW5YNSbpZiEPfRZxN +8ZLifYLIe+AawQ+AscAQB5N1hQep56zFvvuKxtYHsTgnQX4pBgCxGQ4x+Yj4zU9X +Oy6LNwlQ5XRy0wxx1ChDN8P4aeXdpcOu3lKaBq8cG51xeZ54HRR3tkCTXeYzdkxS +AiZHCGW/AgMBAAECggEBAKTTTyT9uoz+0649gpOKeGYF3Uzj6NFDakCt8tEEmNIc +6g6udmq5xKDRHfM1VfKyqzbGTAEcCHutFCOjMUGeKQyGMx04NqIHc0DwSKsikGZb +z/J1Xy21rDU23KeQzYkGann04DN5xdyFlWFSU5R+KW/wtgnI42Y3EABai3r5RAkj +4s5GzXhKygdcyDbhv+bcllQi3iAIZExjo6rMN+lmkdP90w/Bjvp4hagCqxEoAh7c +60PVHfSa5oxd4l9/ni0tddtmkaiwEyxVRDDdduGquOtS3tbThCOzoOeXvbhWCjc2 +QmYAymKAe6G2LxmCUTUz6iPxTQPBAT1q2DFuUpBoOwECgYEA8IFZyooC8lO3WJSX +sPSOKRryO/TKrtWJY2Mh8gZpVlK8OrLZzpv+odPtIpKMvljlNRd0HTonnVrfB7jy +6MQN8r6Go+Q9Xy0fYUEoPapdzPvfiYx93KqYIFpg2BrZZFOLN3Ptp7kOhej1KJNe +DCiN2nk1l+Kp1I22ONYLSwR90D8CgYEAxq2bzaNvzkiIWpKucD9P1DJAVw91QJ3t +Ll/IF4+d6TPxKq7HKq/3FZSBTL49y7QXScryMR6H92syY0Jnax2erq8iVTc+KBqi +9j85A9LQi50qo/0AY4Fly3GrDENAohvCBt66OLrINbem5J+tY2pJHOWqzljaXzKx ++u7F/YaACoECgYEAgcUpz/F7+YlWasNyvhaXBnL1tYg2PPQXd7sru83d1Kg7zGho +weTGFkelsnvk2WhZ9LW8/3A7o9o+cYpH93SiGhLXz2L+Anb0caOYtP1SM6LMUQmv +d/vMrdhWXQTPvCSf/8HbwB5ISdUTQ1uQ6XqQYAv68QNqo7f7VNuZqFa6FD0CgYEA +tV/GLYv3xNUYjb78uoJB6VDaxd/Zxdymq0BLlZ7JpRyDHNkj/4dWxP+mrp26Il3N +KNO6GDdsHuZgwJbdfL80nvpJGIxvFQOEI9OBxEjPk7UuOTj+AtkdSgYCBhbbSWKX +1de9H478uXVoSaywCGL+TgAo12nsKR5JtvAGFbWU7IECgYADfyGWKiRpHUmxn/OH +9vkiISASRrh3YqdDtqij16pYc+VRC9/jUvGRtYAb7x0j6kO9zh3wkZlUXoPIH+zn +uBmiIY401DNbWe9rM7IeZOg88+WCLmZ6onMew752O7VUm6VotPOuUvYA5pQRZkma +aDvX/slF+5i+zgN6JKaqqppzQA== +-----END PRIVATE KEY----- diff --git a/ext/openssl/tests/bug76705.phpt b/ext/openssl/tests/bug76705.phpt new file mode 100644 index 0000000000..ef10aa48f8 --- /dev/null +++ b/ext/openssl/tests/bug76705.phpt @@ -0,0 +1,43 @@ +--TEST-- +Bug #76705: unusable ssl => peer_fingerprint in stream_context_create() +--SKIPIF-- +<?php +if (!extension_loaded("openssl")) die("skip openssl not loaded"); +if (!function_exists("proc_open")) die("skip no proc_open"); +?> +--FILE-- +<?php +$serverCode = <<<'CODE' + $serverUri = "ssl://127.0.0.1:64323"; + $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; + $serverCtx = stream_context_create(['ssl' => [ + 'local_cert' => __DIR__ . '/bug76705.pem' + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); + phpt_notify(); + + @stream_socket_accept($server, 1); +CODE; + +$clientCode = <<<'CODE' + $serverUri = "ssl://127.0.0.1:64323"; + $clientFlags = STREAM_CLIENT_CONNECT; + $clientCtx = stream_context_create(['ssl' => [ + 'verify_peer' => true, + 'peer_name' => 'openssl.php.net', + 'allow_self_signed' => true, + 'peer_fingerprint' => [ + 'sha256' => '4A524F3617E41BCCA1370ED9E89C9A7A83C28F0F342C490296D362869BDF1DA8', + ] + ]]); + + phpt_wait(); + var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx)); +CODE; + +include 'ServerClientTestCase.inc'; +ServerClientTestCase::getInstance()->run($clientCode, $serverCode); +?> +--EXPECTF-- +resource(%d) of type (stream) diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index 5207657ef2..9af01f5b89 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -471,6 +471,7 @@ static zend_bool matches_common_name(X509 *peer, const char *subject_name) /* {{ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stream) /* {{{ */ { zval *val = NULL; + zval *peer_fingerprint; char *peer_name = NULL; int err, must_verify_peer, @@ -488,6 +489,7 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre : sslsock->is_client; must_verify_fingerprint = GET_VER_OPT("peer_fingerprint"); + peer_fingerprint = val; if ((must_verify_peer || must_verify_peer_name || must_verify_fingerprint) && peer == NULL) { php_error_docref(NULL, E_WARNING, "Could not get peer certificate"); @@ -519,8 +521,8 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre /* If a peer_fingerprint match is required this trumps peer and peer_name verification */ if (must_verify_fingerprint) { - if (Z_TYPE_P(val) == IS_STRING || Z_TYPE_P(val) == IS_ARRAY) { - if (!php_x509_fingerprint_match(peer, val)) { + if (Z_TYPE_P(peer_fingerprint) == IS_STRING || Z_TYPE_P(peer_fingerprint) == IS_ARRAY) { + if (!php_x509_fingerprint_match(peer, peer_fingerprint)) { php_error_docref(NULL, E_WARNING, "peer_fingerprint match failure" ); |