iliaa Mon, 14 Sep 2009 12:50:30 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=288329
Log: Fixed certificate validation inside php_openssl_apply_verification_policy
Changed paths:
U php/php-src/branches/PHP_5_2/NEWS
U php/php-src/branches/PHP_5_2/ext/openssl/openssl.c
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/openssl/openssl.c
U php/php-src/trunk/ext/openssl/openssl.c
Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS 2009-09-14 11:39:27 UTC (rev 288328)
+++ php/php-src/branches/PHP_5_2/NEWS 2009-09-14 12:50:30 UTC (rev 288329)
@@ -1,6 +1,8 @@
 PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Sep 2009, PHP 5.2.11
+- Fixed certificate validation inside php_openssl_apply_verification_policy
+ (Ryan Sleevi, Ilia)
 10 Sep 2009, PHP 5.2.11RC3
 - Updated timezone database to version 2009.13 (2009m) (Derick)
Modified: php/php-src/branches/PHP_5_2/ext/openssl/openssl.c
===================================================================
--- php/php-src/branches/PHP_5_2/ext/openssl/openssl.c 2009-09-14 11:39:27 UTC (rev 288328)
+++ php/php-src/branches/PHP_5_2/ext/openssl/openssl.c 2009-09-14 12:50:30 UTC (rev 288329)
@@ -3845,8 +3845,15 @@
 GET_VER_OPT_STRING("CN_match", cnmatch);
 if (cnmatch) {
 int match = 0;
+ int name_len = X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf));
- X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf));
+ if (name_len == -1) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to locate peer certificate CN");
+ return FAILURE;
+ } else if (name_len != strlen(buf)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer certificate CN=`%.*s' is malformed", name_len, buf);
+ return FAILURE;
+ }
 match = strcmp(cnmatch, buf) == 0;
 if (!match && strlen(buf) > 3 && buf[0] == '*' && buf[1] == '.') {
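Review bot: The new `else if (name_len != strlen(buf))` test is the actual fix, but it compares an `int` with a `size_t` and carries no comment saying what it rejects, so a later reader may "simplify" it away; since `name_len` is already known to be non-negative at that point, write it as `} else if ((size_t)name_len != strlen(buf)) {` and precede it with `/* a CN with an embedded NUL would let strcmp() compare only the prefix; reject it */`. The same applies to the matching hunks in the PHP_5_3 and trunk copies of openssl.c. Note also that `X509_NAME_get_text_by_NID` writes at most `sizeof(buf) - 1` bytes and returns the count it copied, so a CN longer than `buf` is silently truncated and then simply fails the `strcmp` — fail-closed, but worth a one-line comment on the `name_len` line so nobody later treats the truncated text as the full CN. The enclosing function `php_openssl_apply_verification_policy` begins and ends outside this hunk.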
@@ -3861,10 +3868,7 @@
 if (!match) {
 /* didn't match */
- php_error_docref(NULL TSRMLS_CC, E_WARNING,
- "Peer certificate CN=`%s' did not match expected CN=`%s'",
- buf, cnmatch);
-
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer certificate CN=`%.*s' did not match expected CN=`%s'", name_len, buf, cnmatch);
 return FAILURE;
 }
 }
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2009-09-14 11:39:27 UTC (rev 288328)
+++ php/php-src/branches/PHP_5_3/NEWS 2009-09-14 12:50:30 UTC (rev 288329)
@@ -3,6 +3,8 @@
 ?? ??? 2009, PHP 5.3.2
 ?? ??? 2009, PHP 5.3.1RC?
+- Fixed certificate validation inside php_openssl_apply_verification_policy
+ (Ryan Sleevi, Ilia)
 - Restored shebang line check to CGI sapi (not checked by scanner anymore).
 (Jani)
 - Fixed bug #49470 (FILTER_SANITIZE_EMAIL allows disallowed characters).
Modified: php/php-src/branches/PHP_5_3/ext/openssl/openssl.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/openssl/openssl.c 2009-09-14 11:39:27 UTC (rev 288328)
+++ php/php-src/branches/PHP_5_3/ext/openssl/openssl.c 2009-09-14 12:50:30 UTC (rev 288329)
@@ -4323,8 +4323,15 @@
 GET_VER_OPT_STRING("CN_match", cnmatch);
 if (cnmatch) {
 int match = 0;
+ int name_len = X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf));
- X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf));
+ if (name_len == -1) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to locate peer certificate CN");
+ return FAILURE;
+ } else if (name_len != strlen(buf)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer certificate CN=`%.*s' is malformed", name_len, buf);
+ return FAILURE;
+ }
 match = strcmp(cnmatch, buf) == 0;
 if (!match && strlen(buf) > 3 && buf[0] == '*' && buf[1] == '.') {
@@ -4339,10 +4346,7 @@
 if (!match) {
 /* didn't match */
- php_error_docref(NULL TSRMLS_CC, E_WARNING,
- "Peer certificate CN=`%s' did not match expected CN=`%s'",
- buf, cnmatch);
-
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer certificate CN=`%.*s' did not match expected CN=`%s'", name_len, buf, cnmatch);
 return FAILURE;
 }
 }
Modified: php/php-src/trunk/ext/openssl/openssl.c
===================================================================
--- php/php-src/trunk/ext/openssl/openssl.c 2009-09-14 11:39:27 UTC (rev 288328)
+++ php/php-src/trunk/ext/openssl/openssl.c 2009-09-14 12:50:30 UTC (rev 288329)
@@ -4583,8 +4583,15 @@
 GET_VER_OPT_STRING("CN_match", cnmatch);
 if (cnmatch) {
 int match = 0;
+ int name_len = X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf));
- X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf));
+ if (name_len == -1) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to locate peer certificate CN");
+ return FAILURE;
+ } else if (name_len != strlen(buf)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer certificate CN=`%.*s' is malformed", name_len, buf);
+ return FAILURE;
+ }
 match = strcmp(cnmatch, buf) == 0;
 if (!match && strlen(buf) > 3 && buf[0] == '*' && buf[1] == '.') {
@@ -4599,10 +4606,7 @@
 if (!match) {
 /* didn't match */
- php_error_docref(NULL TSRMLS_CC, E_WARNING,
- "Peer certificate CN=`%s' did not match expected CN=`%s'",
- buf, cnmatch);
-
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer certificate CN=`%.*s' did not match expected CN=`%s'", name_len, buf, cnmatch);
 return FAILURE;
 }
 }