Diffstat (limited to 'ext/openssl')
-rw-r--r--ext/openssl/openssl.c6
-rw-r--r--ext/openssl/openssl.mak185
-rw-r--r--ext/openssl/tests/bug61124.phpt24
-rw-r--r--ext/openssl/tests/bug66501.phpt44
-rw-r--r--ext/openssl/tests/openssl_decrypt_ccm.phpt6
-rw-r--r--ext/openssl/tests/openssl_decrypt_gcm.phpt6
-rw-r--r--ext/openssl/tests/openssl_pkcs7_verify_basic.phpt48
-rw-r--r--ext/openssl/tests/signed.eml68
-rw-r--r--ext/openssl/tests/tls_wrapper.phpt59
-rw-r--r--ext/openssl/xp_ssl.c38
10 files changed, 231 insertions, 253 deletions
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 47bafaf660..ed2371ac19 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -60,11 +60,10 @@
/* Common */
#include <time.h>
-#if defined(NETWARE) || (defined(PHP_WIN32) && defined(_MSC_VER) && _MSC_VER >= 1900)
+#if (defined(PHP_WIN32) && defined(_MSC_VER) && _MSC_VER >= 1900)
#define timezone _timezone /* timezone is called _timezone in LibC */
#endif
-#define DEFAULT_KEY_LENGTH 512
#define MIN_KEY_LENGTH 384
#define OPENSSL_ALGO_SHA1 1
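Review bot: With DEFAULT_KEY_LENGTH removed, the only key-size constant left in this hunk is `MIN_KEY_LENGTH 384`, and a 384-bit floor is far below what is acceptable for RSA, DSA or DH keys. How the macro is enforced is not visible here; if it is the lower bound applied to `private_key_bits`, raising it deserves a follow-up. Until then a comment such as `/* lower bound for requested key size; far too small for real use */` would flag it, and the place the default size now comes from should be named next to it.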
@@ -3967,11 +3966,12 @@ static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req
#ifdef HAVE_EVP_PKEY_EC
case OPENSSL_KEYTYPE_EC:
{
+ EC_KEY *eckey;
if (req->curve_name == NID_undef) {
php_error_docref(NULL, E_WARNING, "Missing configuration value: 'curve_name' not set");
return NULL;
}
- EC_KEY *eckey = EC_KEY_new_by_curve_name(req->curve_name);
+ eckey = EC_KEY_new_by_curve_name(req->curve_name);
if (eckey) {
EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
if (EC_KEY_generate_key(eckey) &&
diff --git a/ext/openssl/openssl.mak b/ext/openssl/openssl.mak
deleted file mode 100644
index 9bc053b662..0000000000
--- a/ext/openssl/openssl.mak
+++ /dev/null
@@ -1,185 +0,0 @@
-# Temporarily here -- later may go into some batch file
-# which will set this as an environment variable
-PROJECT_ROOT = ..\..
-
-# Module details
-MODULE_NAME = php_ossl
-MODULE_DESC = "PHP 7 - OpenSSL Extension"
-VMAJ = 1
-VMIN = 0
-VREV = 0
-
-#include the common settings
-include $(PROJECT_ROOT)/netware/common.mif
-
-# OpenSSL directory
-OSSL_DIR = P:/APPS/script/sw/OpenSSL
-
-# Build type defaults to 'release'
-ifndef BUILD
-BUILD = release
-endif
-
-# Extensions of all input and output files
-.SUFFIXES:
-.SUFFIXES: .nlm .lib .obj .cpp .c .msg .mlc .mdb .xdc .d
-
-# Source files
-C_SRC = openssl.c \
- xp_ssl.c \
- start.c \
-
-CPP_SRC_NODIR = $(notdir $(CPP_SRC))
-C_SRC_NODIR = $(notdir $(C_SRC))
-SRC_DIR = $(dir $(CPP_SRC) $(C_SRC))
-
-# Library files
-LIBRARY = $(OSSL_DIR)/lib/RSAglue.lib \
- $(OSSL_DIR)/lib/crypto.lib \
- $(OSSL_DIR)/lib/ssl.lib
-
-# Destination directories and files
-OBJ_DIR = $(BUILD)
-FINAL_DIR = $(BUILD)
-MAP_FILE = $(FINAL_DIR)\$(MODULE_NAME).map
-OBJECTS = $(addprefix $(OBJ_DIR)/,$(CPP_SRC_NODIR:.c=.obj) $(C_SRC_NODIR:.c=.obj))
-DEPDS = $(addprefix $(OBJ_DIR)/,$(CPP_SRC_NODIR:.c=.d) $(C_SRC_NODIR:.c=.d))
-
-# Binary file
-ifndef BINARY
- BINARY=$(FINAL_DIR)\$(MODULE_NAME).nlm
-endif
-
-# Compile flags
-C_FLAGS += -c -maxerrors 25 -msgstyle gcc
-C_FLAGS += -wchar_t on -bool on -processor Pentium
-C_FLAGS += -nostdinc -nosyspath
-C_FLAGS += -relax_pointers # To remove type-casting errors
-C_FLAGS += -DNETWARE -DZTS
-C_FLAGS += -DUSE_OLD_FUNCTIONS -DCOMPILE_DL_OPENSSL=1
-
-C_FLAGS += -I. -I$(PROJECT_ROOT) -I$(PROJECT_ROOT)/main
-C_FLAGS += -I$(PROJECT_ROOT)/ext/standard -I$(PROJECT_ROOT)/netware
-C_FLAGS += -I$(PROJECT_ROOT)/zend -I$(PROJECT_ROOT)/tsrm
-C_FLAGS += -I- -I$(SDK_DIR)/include -I$(MWCIncludes)
-C_FLAGS += -I$(OSSL_DIR)/include
-
-ifndef STACK_SIZE
-STACK_SIZE=8192
-endif
-
-# Extra stuff based on debug / release builds
-ifeq '$(BUILD)' 'debug'
- SYM_FILE = $(FINAL_DIR)\$(MODULE_NAME).sym
- C_FLAGS += -inline smart -sym on -sym codeview4 -opt off -opt intrinsics -sym internal -DDEBUGGING -DDKFBPON
- C_FLAGS += -exc cw -DZEND_DEBUG=1
- LD_FLAGS += -sym on -sym codeview4 -osym $(SYM_FILE)
- export MWLibraryFiles=$(SDK_DIR)/imports/libcpre.o;mwcrtld.lib
-else
- C_FLAGS += -opt all -inline on -inline smart -inline auto -sym off
- C_FLAGS += -opt intrinsics -opt level=4 -DZEND_DEBUG=0
- LD_FLAGS += -sym off
- export MWLibraryFiles=$(SDK_DIR)/imports/libcpre.o;mwcrtl.lib
-endif
-
-
-# Dependencies
-MODULE = LibC \
- phplib
-IMPORT = @$(SDK_DIR)/imports/libc.imp \
- @$(SDK_DIR)/imports/ws2nlm.imp \
- @$(SDK_DIR)/imports/netware.imp \
- @$(MPK_DIR)/import/mpkOrg.imp \
- @$(PROJECT_ROOT)/netware/phplib.imp
-EXPORT = ($(MODULE_NAME)) get_module
-API = OutputToScreen
-
-# Virtual paths
-vpath %.cpp .
-vpath %.c . ..\..\netware
-vpath %.obj $(OBJ_DIR)
-
-
-all: prebuild project
-
-.PHONY: all
-
-prebuild:
- @if not exist $(OBJ_DIR) md $(OBJ_DIR)
-
-project: $(BINARY)
- @echo Build complete.
-
-$(OBJ_DIR)/%.d: %.cpp
- @echo Building Dependencies for $(<F)
- @$(CC) -M $< $(C_FLAGS) -o $@
-
-$(OBJ_DIR)/%.d: %.c
- @echo Building Dependencies for $(<F)
- @$(CC) -M $< $(C_FLAGS) -o $@
-
-$(OBJ_DIR)/%.obj: %.cpp
- @echo Compiling $?...
- @$(CC) $< $(C_FLAGS) -o $@
-
-$(OBJ_DIR)/%.obj: %.c
- @echo Compiling $?...
- @$(CC) $< $(C_FLAGS) -o $@
-
-
-$(BINARY): $(OBJECTS)
- @echo Import $(IMPORT) > $(basename $@).def
-ifdef API
- @echo Import $(API) >> $(basename $@).def
-endif
- @echo Module $(MODULE) >> $(basename $@).def
-ifdef EXPORT
- @echo Export $(EXPORT) >> $(basename $@).def
-endif
- @echo AutoUnload >> $(basename $@).def
-ifeq '$(BUILD)' 'debug'
- @echo Debug >> $(basename $@).def
-endif
- @echo Flag_On 0x00000008 >> $(basename $@).def
- @echo Start _LibCPrelude >> $(basename $@).def
- @echo Exit _LibCPostlude >> $(basename $@).def
-
-# Two functions imported to build the openssl extension
- @echo Import GetProcessSwitchCount >> $(basename $@).def
- @echo Import RunningProcess >> $(basename $@).def
-
- $(MPKTOOL) $(XDCFLAGS) $(basename $@).xdc
- @echo xdcdata $(basename $@).xdc >> $(basename $@).def
-
- @echo Linking $@...
- @echo $(LD_FLAGS) -commandfile $(basename $@).def > $(basename $@).link
-
- @echo $(LIBRARY) $(OBJECTS) >> $(basename $@).link
-
- @$(LINK) @$(basename $@).link
-
-
-.PHONY: clean
-clean: cleanobj cleanbin
-
-.PHONY: cleand
-cleand:
- @echo Deleting all dependency files...
- -@del "$(OBJ_DIR)\*.d"
-
-.PHONY: cleanobj
-cleanobj:
- @echo Deleting all object files...
- -@del "$(OBJ_DIR)\*.obj"
-
-.PHONY: cleanbin
-cleanbin:
- @echo Deleting binary files...
- -@del "$(FINAL_DIR)\$(MODULE_NAME).nlm"
- @echo Deleting MAP, DEF files, etc....
- -@del "$(FINAL_DIR)\$(MODULE_NAME).map"
- -@del "$(FINAL_DIR)\$(MODULE_NAME).def"
- -@del "$(FINAL_DIR)\$(MODULE_NAME).link"
-ifeq '$(BUILD)' 'debug'
- -@del $(FINAL_DIR)\$(MODULE_NAME).sym
-endif
diff --git a/ext/openssl/tests/bug61124.phpt b/ext/openssl/tests/bug61124.phpt
index 9b21da5048..4b6194bdb4 100644
--- a/ext/openssl/tests/bug61124.phpt
+++ b/ext/openssl/tests/bug61124.phpt
@@ -1,12 +1,12 @@
---TEST--
-Bug #61124: Segmentation fault with openssl_decrypt
---SKIPIF--
-<?php
-if (!extension_loaded("openssl")) die("skip");
---FILE--
-<?php
-var_dump(openssl_decrypt('kzo w2RMExUTYQXW2Xzxmg==', 'aes-128-cbc', 'pass', false, 'pass'));
-
---EXPECTF--
-Warning: openssl_decrypt(): IV passed is only 4 bytes long, cipher expects an IV of precisely 16 bytes, padding with \0 in %s on line %d
-bool(false)
+--TEST--
+Bug #61124: Segmentation fault with openssl_decrypt
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+--FILE--
+<?php
+var_dump(openssl_decrypt('kzo w2RMExUTYQXW2Xzxmg==', 'aes-128-cbc', 'pass', false, 'pass'));
+
+--EXPECTF--
+Warning: openssl_decrypt(): IV passed is only 4 bytes long, cipher expects an IV of precisely 16 bytes, padding with \0 in %s on line %d
+bool(false)
diff --git a/ext/openssl/tests/bug66501.phpt b/ext/openssl/tests/bug66501.phpt
index 99ac4f55de..fa450318c2 100644
--- a/ext/openssl/tests/bug66501.phpt
+++ b/ext/openssl/tests/bug66501.phpt
@@ -1,22 +1,22 @@
---TEST--
-Bug #66501: EC private key support in openssl_sign
---SKIPIF--
-<?php
-if (!extension_loaded("openssl")) die("skip");
-if (!defined('OPENSSL_KEYTYPE_EC')) die("skip no EC available");
---FILE--
-<?php
-$pkey = 'ASN1 OID: prime256v1
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEILPkqoeyM7XgwYkuSj3077lrsrfWJK5LqMolv+m2oOjZoAoGCCqGSM49
-AwEHoUQDQgAEPq4hbIWHvB51rdWr8ejrjWo4qVNWVugYFtPg/xLQw0mHkIPZ4DvK
-sqOTOnMoezkbSmVVMuwz9flvnqHGmQvmug==
------END EC PRIVATE KEY-----';
-$key = openssl_pkey_get_private($pkey);
-$res = openssl_sign($data ='alpha', $sign, $key, 'SHA1');
-var_dump($res);
---EXPECTF--
-bool(true)
+--TEST--
+Bug #66501: EC private key support in openssl_sign
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (!defined('OPENSSL_KEYTYPE_EC')) die("skip no EC available");
+--FILE--
+<?php
+$pkey = 'ASN1 OID: prime256v1
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILPkqoeyM7XgwYkuSj3077lrsrfWJK5LqMolv+m2oOjZoAoGCCqGSM49
+AwEHoUQDQgAEPq4hbIWHvB51rdWr8ejrjWo4qVNWVugYFtPg/xLQw0mHkIPZ4DvK
+sqOTOnMoezkbSmVVMuwz9flvnqHGmQvmug==
+-----END EC PRIVATE KEY-----';
+$key = openssl_pkey_get_private($pkey);
+$res = openssl_sign($data ='alpha', $sign, $key, 'SHA1');
+var_dump($res);
+--EXPECTF--
+bool(true)
diff --git a/ext/openssl/tests/openssl_decrypt_ccm.phpt b/ext/openssl/tests/openssl_decrypt_ccm.phpt
index beb3074938..83278e093e 100644
--- a/ext/openssl/tests/openssl_decrypt_ccm.phpt
+++ b/ext/openssl/tests/openssl_decrypt_ccm.phpt
@@ -22,13 +22,13 @@ foreach ($tests as $idx => $test) {
// no IV
var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
- NULL, $test['tag'], $test['aad']));
+ NULL, $test['tag'], $test['aad']));
// failed because no AAD
var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
- $test['iv'], $test['tag']));
+ $test['iv'], $test['tag']));
// failed because wrong tag
var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
- $test['iv'], str_repeat('x', 10), $test['aad']));
+ $test['iv'], str_repeat('x', 10), $test['aad']));
?>
--EXPECTF--
diff --git a/ext/openssl/tests/openssl_decrypt_gcm.phpt b/ext/openssl/tests/openssl_decrypt_gcm.phpt
index 11802e9d8e..f7002ed51b 100644
--- a/ext/openssl/tests/openssl_decrypt_gcm.phpt
+++ b/ext/openssl/tests/openssl_decrypt_gcm.phpt
@@ -22,13 +22,13 @@ foreach ($tests as $idx => $test) {
// no IV
var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
- NULL, $test['tag'], $test['aad']));
+ NULL, $test['tag'], $test['aad']));
// failed because no AAD
var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
- $test['iv'], $test['tag']));
+ $test['iv'], $test['tag']));
// failed because wrong tag
var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
- $test['iv'], str_repeat('x', 16), $test['aad']));
+ $test['iv'], str_repeat('x', 16), $test['aad']));
?>
--EXPECTF--
diff --git a/ext/openssl/tests/openssl_pkcs7_verify_basic.phpt b/ext/openssl/tests/openssl_pkcs7_verify_basic.phpt
new file mode 100644
index 0000000000..67cda99d06
--- /dev/null
+++ b/ext/openssl/tests/openssl_pkcs7_verify_basic.phpt
@@ -0,0 +1,48 @@
+--TEST--
+openssl_pkcs7_verify() tests
+--SKIPIF--
+<?php if (!extension_loaded("openssl")) print "skip"; ?>
+--FILE--
+<?php
+$outfile = tempnam(sys_get_temp_dir(), "ssl");
+if ($outfile === false) {
+ die("failed to get a temporary filename!");
+}
+
+$contentfile = tempnam(sys_get_temp_dir(), "ssl");
+if ($contentfile === false) {
+ die("failed to get a temporary filename!");
+}
+
+$infile = dirname(__FILE__) . "/cert.crt";
+$eml = dirname(__FILE__) . "/signed.eml";
+$wrong = "wrong";
+$empty = "";
+$cainfo = array();
+
+var_dump(openssl_pkcs7_verify($wrong, 0));
+var_dump(openssl_pkcs7_verify($empty, 0));
+var_dump(openssl_pkcs7_verify($eml, 0));
+var_dump(openssl_pkcs7_verify($eml, 0, $empty));
+var_dump(openssl_pkcs7_verify($eml, PKCS7_NOVERIFY, $outfile));
+var_dump(openssl_pkcs7_verify($eml, PKCS7_NOVERIFY, $outfile, $cainfo, $outfile, $contentfile));
+
+if (file_exists($outfile)) {
+ echo "true\n";
+ unlink($outfile);
+}
+
+if (file_exists($contentfile)) {
+ echo "true\n";
+ unlink($contentfile);
+}
+?>
+--EXPECTF--
+int(-1)
+int(-1)
+bool(false)
+bool(false)
+bool(true)
+bool(true)
+true
+true
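Review bot: Both calls expected to return true pass PKCS7_NOVERIFY, so the test never covers signer-certificate chain verification succeeding; the only calls with flags `0` are expected to fail. A case that supplies the issuing CA through `$cainfo` with flags `0` and expects `bool(true)` would cover the path callers rely on for trust decisions. `$infile` is assigned but never used. If the second `tempnam()` fails, the `die()` leaves the first temporary file behind.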
diff --git a/ext/openssl/tests/signed.eml b/ext/openssl/tests/signed.eml
new file mode 100644
index 0000000000..557f175090
--- /dev/null
+++ b/ext/openssl/tests/signed.eml
@@ -0,0 +1,68 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----68AEC934FD4DA77FB8B713FA8054A638"
+
+This is an S/MIME signed message
+
+------68AEC934FD4DA77FB8B713FA8054A638
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+
+------68AEC934FD4DA77FB8B713FA8054A638
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+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+
+------68AEC934FD4DA77FB8B713FA8054A638--
+
diff --git a/ext/openssl/tests/tls_wrapper.phpt b/ext/openssl/tests/tls_wrapper.phpt
new file mode 100644
index 0000000000..9135233831
--- /dev/null
+++ b/ext/openssl/tests/tls_wrapper.phpt
@@ -0,0 +1,59 @@
+--TEST--
+tls stream wrapper
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip openssl not loaded");
+if (!function_exists("proc_open")) die("skip no proc_open");
+--FILE--
+<?php
+$serverCode = <<<'CODE'
+ $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+ $ctx = stream_context_create(['ssl' => [
+ 'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+ ]]);
+
+ $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+ phpt_notify();
+
+ for ($i=0; $i < 6; $i++) {
+ @stream_socket_accept($server, 3);
+ }
+CODE;
+
+$clientCode = <<<'CODE'
+ $flags = STREAM_CLIENT_CONNECT;
+ $ctx = stream_context_create(['ssl' => [
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+ ]]);
+
+ phpt_wait();
+
+ $client = stream_socket_client("tlsv1.0://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
+ var_dump($client);
+
+ $client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
+ var_dump($client);
+
+ $client = @stream_socket_client("tlsv1.1://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
+ var_dump($client);
+
+ $client = @stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
+ var_dump($client);
+
+ $client = @stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
+ var_dump($client);
+
+ $client = @stream_socket_client("tls://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
+ var_dump($client);
+CODE;
+
+include 'ServerClientTestCase.inc';
+ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
+--EXPECTF--
+resource(%d) of type (stream)
+bool(false)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
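Review bot: The expected output requires the `tlsv1.0://` and `tlsv1.1://` clients to connect, which only holds where the linked OpenSSL and its system policy still permit those versions; a higher protocol floor would make the test fail for reasons unrelated to the wrapper. A SKIPIF guard for that case, or at least a comment stating the assumption, would make failures easier to read. The fixed port 64321 can also collide when tests run in parallel or the port is already bound. The first `stream_socket_client` call is the only one without `@`, so a connection failure there prints a warning that the EXPECTF section does not anticipate.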
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index b00bf06304..c56e67f365 100644
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -52,10 +52,6 @@
#undef X509_EXTENSIONS
#endif
-#ifdef NETWARE
-#include <sys/select.h>
-#endif
-
#ifndef OPENSSL_NO_SSL3
#define HAVE_SSL3 1
#endif
@@ -145,7 +141,7 @@ typedef struct _php_openssl_netstream_data_t {
php_openssl_sni_cert_t *sni_certs;
unsigned sni_cert_count;
#ifdef HAVE_TLS_ALPN
- php_openssl_alpn_ctx *alpn_ctx;
+ php_openssl_alpn_ctx alpn_ctx;
#endif
char *url_name;
unsigned state_set:1;
@@ -1256,12 +1252,12 @@ static int set_server_specific_opts(php_stream *stream, SSL_CTX *ctx) /* {{{ */
set_server_dh_param(stream, ctx);
zv = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "single_dh_use");
- if (zv != NULL && zend_is_true(zv)) {
+ if (zv == NULL || zend_is_true(zv)) {
ssl_ctx_options |= SSL_OP_SINGLE_DH_USE;
}
zv = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "honor_cipher_order");
- if (zv != NULL && zend_is_true(zv)) {
+ if (zv == NULL || zend_is_true(zv)) {
ssl_ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
}
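Review bot: The two conditions changed here turn `single_dh_use` and `honor_cipher_order` from opt-in into on-by-default, but nothing at the call site says so, and `zv == NULL ||` reads like a null guard rather than a default. A short comment above each test, e.g. `/* enabled unless the context option is explicitly set to false */`, would make the intent clear, and the documented defaults of both context options need to follow. On OpenSSL 1.1.0 and later SSL_OP_SINGLE_DH_USE no longer has any effect, so the first default only matters with older libraries. set_server_specific_opts starts and ends outside the hunk.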
@@ -1435,9 +1431,6 @@ static unsigned char *alpn_protos_parse(unsigned short *outlen, const char *in)
}
out = emalloc(strlen(in) + 1);
- if (!out) {
- return NULL;
- }
for (i = 0; i <= len; ++i) {
if (i == len || in[i] == ',') {
@@ -1462,9 +1455,7 @@ static int server_alpn_callback(SSL *ssl_handle, const unsigned char **out, unsi
{
php_openssl_netstream_data_t *sslsock = arg;
- if (SSL_select_next_proto
- ((unsigned char **)out, outlen, sslsock->alpn_ctx->data, sslsock->alpn_ctx->len, in,
- inlen) != OPENSSL_NPN_NEGOTIATED) {
+ if (SSL_select_next_proto((unsigned char **)out, outlen, sslsock->alpn_ctx.data, sslsock->alpn_ctx.len, in, inlen) != OPENSSL_NPN_NEGOTIATED) {
return SSL_TLSEXT_ERR_NOACK;
}
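Review bot: When SSL_select_next_proto finds no overlap, the callback returns SSL_TLSEXT_ERR_NOACK, so the handshake continues without an agreed protocol even though the server configured an ALPN list. RFC 7301 expects a server that supports none of the offered protocols to abort with no_application_protocol, which here would be `return SSL_TLSEXT_ERR_ALERT_FATAL;`. If continuing without ALPN is deliberate, a comment saying so belongs on the return. The cast `(unsigned char **)out` also discards the const qualifier of the callback's `out` parameter, which deserves a one-line explanation. The function body continues outside the hunk.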
@@ -1573,9 +1564,8 @@ int php_openssl_setup_crypto(php_stream *stream,
if (sslsock->is_client) {
SSL_CTX_set_alpn_protos(sslsock->ctx, alpn, alpn_len);
} else {
- sslsock->alpn_ctx = (php_openssl_alpn_ctx *) pemalloc(sizeof(php_openssl_alpn_ctx), php_stream_is_persistent(stream));
- sslsock->alpn_ctx->data = (unsigned char *) pestrndup((const char*)alpn, alpn_len, php_stream_is_persistent(stream));
- sslsock->alpn_ctx->len = alpn_len;
+ sslsock->alpn_ctx.data = (unsigned char *) pestrndup((const char*)alpn, alpn_len, php_stream_is_persistent(stream));
+ sslsock->alpn_ctx.len = alpn_len;
SSL_CTX_set_alpn_select_cb(sslsock->ctx, server_alpn_callback, sslsock);
}
@@ -1607,10 +1597,9 @@ int php_openssl_setup_crypto(php_stream *stream,
SSL_CTX_free(sslsock->ctx);
sslsock->ctx = NULL;
#ifdef HAVE_TLS_ALPN
- if (sslsock->alpn_ctx) {
- pefree(sslsock->alpn_ctx->data, php_stream_is_persistent(stream));
- pefree(sslsock->alpn_ctx, php_stream_is_persistent(stream));
- sslsock->alpn_ctx = NULL;
+ if (sslsock->alpn_ctx.data) {
+ pefree(sslsock->alpn_ctx.data, php_stream_is_persistent(stream));
+ sslsock->alpn_ctx.data = NULL;
}
#endif
return FAILURE;
@@ -2122,9 +2111,8 @@ static int php_openssl_sockop_close(php_stream *stream, int close_handle) /* {{{
sslsock->ctx = NULL;
}
#ifdef HAVE_TLS_ALPN
- if (sslsock->alpn_ctx) {
- pefree(sslsock->alpn_ctx->data, php_stream_is_persistent(stream));
- pefree(sslsock->alpn_ctx, php_stream_is_persistent(stream));
+ if (sslsock->alpn_ctx.data) {
+ pefree(sslsock->alpn_ctx.data, php_stream_is_persistent(stream));
}
#endif
#ifdef PHP_WIN32
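Review bot: This cleanup frees `sslsock->alpn_ctx.data` but leaves the pointer set, whereas the failure path in php_openssl_setup_crypto (hunk at -1607) resets it to NULL after the same pefree. Adding `sslsock->alpn_ctx.data = NULL;` after the pefree keeps the two paths consistent and makes a second pass through the guard harmless. Both guards also depend on sslsock being zero-filled at allocation now that alpn_ctx is embedded rather than a pointer; that allocation is not visible in this diff and should be confirmed. php_openssl_sockop_close continues outside the hunk.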
@@ -2569,7 +2557,7 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen,
if (strncmp(proto, "ssl", protolen) == 0) {
sslsock->enable_on_connect = 1;
- sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_ANY_CLIENT);
+ sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT);
} else if (strncmp(proto, "sslv2", protolen) == 0) {
php_error_docref(NULL, E_WARNING, "SSLv2 unavailable in this PHP version");
php_stream_close(stream);
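Review bot: `ssl://` and `tls://` now select the same method, STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT (here and in the next hunk at -2585), which changes behaviour for callers that relied on `ssl://` negotiating SSLv3, yet the code does not record that the two schemes are now aliases. A comment on the first branch such as `/* ssl:// is an alias of tls://: any TLS version, never SSLv2/SSLv3 */` would document it, assuming that is what the TLS_ANY constant means. Separately, `strncmp(proto, "ssl", protolen)` compares only protolen bytes, so a shorter proto that is a prefix of the literal also matches; whether such a value can reach the factory depends on wrapper registration outside the hunk. php_openssl_ssl_socket_factory starts and ends outside both hunks.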
@@ -2585,7 +2573,7 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen,
#endif
} else if (strncmp(proto, "tls", protolen) == 0) {
sslsock->enable_on_connect = 1;
- sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_TLS_CLIENT);
+ sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT);
} else if (strncmp(proto, "tlsv1.0", protolen) == 0) {
sslsock->enable_on_connect = 1;
sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;