[PHP-CVS] com php-src: fix bug #51076 (race condition in shtool's mkdir -p): NEWS build/shtool

2013-10-08 Thread Michael Wallner
Commit:f32d2ac3aaa7d4af7c348b00ebebb9ae64955704
Author:Michael Wallner m...@php.net Tue, 8 Oct 2013 08:37:08 +0200
Parents:   0117eb747e1b36a301d58fa29aa3ae48b5aa2ac7
Branches:  PHP-5.5 master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=f32d2ac3aaa7d4af7c348b00ebebb9ae64955704

Log:
fix bug #51076 (race condition in shtool's mkdir -p)

Bugs:
https://bugs.php.net/51076

Changed paths:
  M  NEWS
  M  build/shtool


Diff:
diff --git a/NEWS b/NEWS
index 796f82f..6649a49 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP
NEWS
 |||
 ?? ??? 2013, PHP 5.5.5
 
+- Buildsystem:
+  . Fixed bug #51076 (race condition in shtool's mkdir -p implementation).
+(Mike, Raphael Geissert)
+
 - Core:
   . Fixed bug #64979 (Wrong behavior of static variables in closure 
generators).
 (Nikita)
diff --git a/build/shtool b/build/shtool
index 684a01f..fc6ae1e 100755
--- a/build/shtool
+++ b/build/shtool
@@ -1003,7 +1003,14 @@ mkdir )
 if [ .$opt_t = .yes ]; then
 echo mkdir $pathcomp 12
 fi
-mkdir $pathcomp || errstatus=$?
+   # See https://bugs.php.net/51076
+   # The fix is from Debian who have sent 
it
+   # upstream, too; but upstream seems 
dead.
+mkdir $pathcomp || {
+_errstatus=$?
+[ -d $pathcomp ] || errstatus=${_errstatus}
+unset _errstatus
+}
 if [ .$opt_o != . ]; then
 if [ .$opt_t = .yes ]; then
 echo chown $opt_o $pathcomp 12
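
Review bot: the added fallback `[ -d $pathcomp ] || errstatus=${_errstatus}` treats any directory already present at `$pathcomp` as success, and `-d` follows symlinks, so the `chown $opt_o $pathcomp` that follows runs against a path this invocation did not create. That is the behaviour the fix for concurrent `mkdir -p` runs needs, but the comment should state that the other creator is assumed to be another shtool job in the same build tree. `$pathcomp` is also unquoted in the new test, as in the surrounding lines; `[ -d "$pathcomp" ]` avoids a spurious failure on paths containing whitespace.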


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP-CVS] com php-src: fix bad cast: ext/standard/php_fopen_wrapper.c

2013-10-08 Thread Michael Wallner
Commit:5d430ad90257e353321789d9dfe529554028ff6e
Author:Michael Wallner m...@php.net Tue, 8 Oct 2013 11:16:53 +0200
Parents:   b15765412aebb6b158465f26d8eedb85737862d8
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=5d430ad90257e353321789d9dfe529554028ff6e

Log:
fix bad cast

Changed paths:
  M  ext/standard/php_fopen_wrapper.c


Diff:
diff --git a/ext/standard/php_fopen_wrapper.c b/ext/standard/php_fopen_wrapper.c
index 76f77eb..0adb1e0 100644
--- a/ext/standard/php_fopen_wrapper.c
+++ b/ext/standard/php_fopen_wrapper.c
@@ -120,11 +120,11 @@ static int php_stream_input_flush(php_stream *stream 
TSRMLS_DC) /* {{{ */
 
 static int php_stream_input_seek(php_stream *stream, off_t offset, int whence, 
off_t *newoffset TSRMLS_DC) /* {{{ */
 {
-   php_stream *inner = stream-abstract;
+   php_stream_input_t *input = stream-abstract;
 
-   if (inner) {
-   int sought = php_stream_seek(inner, offset, whence);
-   *newoffset = inner-position;
+   if (*input-body_ptr) {
+   int sought = php_stream_seek(*input-body_ptr, offset, whence);
+   *newoffset = (*input-body_ptr)-position;
return sought;
}
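
Review bot: the new condition `if (*input->body_ptr)` dereferences `input` and `input->body_ptr` without checking either, where the removed code tested `inner` (the same `stream->abstract` pointer) for NULL before using it. If `stream->abstract` or `body_ptr` can be unset at seek time this is a NULL dereference; suggest `if (input && input->body_ptr && *input->body_ptr)`, or a comment stating why both are guaranteed non-NULL here.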





[PHP-CVS] svn: /SVNROOT/ global_avail

2013-10-08 Thread Pierre Joye
pajoye   Tue, 08 Oct 2013 13:33:08 +

Revision: http://svn.php.net/viewvc?view=revisionrevision=331730

Log:
- ab karma

Changed paths:
U   SVNROOT/global_avail

Modified: SVNROOT/global_avail
===
--- SVNROOT/global_avail2013-10-08 11:59:38 UTC (rev 331729)
+++ SVNROOT/global_avail2013-10-08 13:33:08 UTC (rev 331730)
@@ -411,8 +411,8 @@
 avail|bcarlyon,derick|web/bugtracker

 # php-internals-win karma
-avail|szarkos,pajoye,rrichards,auroraeosrose|php/php-internals-win
-avail|pajoye,guilhermeblanco,auroraeosrose,rrichards,kalle,sascham78,szarkos|web/windows.git
+avail|szarkos,pajoye,rrichards,auroraeosrose,ab|php/php-internals-win
+avail|pajoye,guilhermeblanco,auroraeosrose,rrichards,kalle,sascham78,szarkos,ab|web/windows.git
 avail|szarkos,ab|web/rmtools.git

 # php-benchmarks karma
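
Review bot: the two changed `avail|` lines add `ab` to `php/php-internals-win` and `web/windows.git`, but the log message is only "- ab karma" and records neither who requested or approved the access nor why both paths are needed. Suggest putting that in the commit message so the grant can be audited later; `ab` already appears on the unchanged `web/rmtools.git` line, so the increase in scope is exactly these two entries.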


[PHP-CVS] com php-src: Using SUCCESS and FAILURE for return values Using zend_bool for boolean arguments and return values Reduced one level of zval indirection where possible: ext/openssl/openssl.c

2013-10-08 Thread Michael Wallner
Commit:955bc1d91bd772cbb782830220048511b657f063
Author:datibbaw datib...@php.net Mon, 7 Oct 2013 15:38:48 +0800
Parents:   e45eacd8fa4e32692697171e90f14d3c66d673de
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=955bc1d91bd772cbb782830220048511b657f063

Log:
Using SUCCESS and FAILURE for return values
Using zend_bool for boolean arguments and return values
Reduced one level of zval indirection where possible

Changed paths:
  M  ext/openssl/openssl.c


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index c208d43..d963f86 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1672,18 +1672,18 @@ PHP_FUNCTION(openssl_x509_export)
 }
 /* }}} */
 
-static int php_openssl_x509_fingerprint(X509 *peer, const char *method, int 
raw, char **out, int *out_len)
+static int php_openssl_x509_fingerprint(X509 *peer, const char *method, 
zend_bool raw, char **out, int *out_len)
 {
unsigned char md[EVP_MAX_MD_SIZE];
const EVP_MD *mdtype;
int n;
 
if (!(mdtype = EVP_get_digestbyname(method))) {
-   php_error_docref(NULL TSRMLS_CC, E_WARNING, `%s`: Unknown 
signature algorithm, method);
-   return 0;
+   php_error_docref(NULL TSRMLS_CC, E_WARNING, Unknown signature 
algorithm);
+   return FAILURE;
} else if (!X509_digest(peer, mdtype, md, n)) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, Could not generate 
signature);
-   return 0;
+   return FAILURE;
}
 
if (raw) {
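
Review bot: the `EVP_get_digestbyname()` failure branch drops the `%s` placeholder and the `method` argument from the warning, which the log message does not mention; it lists only the return-value, `zend_bool` and zval-indirection changes. If removing the method name is intended, say so in the log; otherwise keep the `%s` form. Separately, `SUCCESS` is 0 and `FAILURE` is -1 in the Zend API, so the truthiness of the return value is inverted relative to the old 1/0 and every caller has to compare against `SUCCESS` explicitly, as the later hunks in this diff do.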
@@ -1696,7 +1696,7 @@ static int php_openssl_x509_fingerprint(X509 *peer, const 
char *method, int raw,
make_digest_ex(*out, md, n);
}
 
-   return 1;
+   return SUCCESS;
 }
 
 static int php_x509_fingerprint_cmp(X509 *peer, const char *method, const char 
*expected)
@@ -1705,7 +1705,7 @@ static int php_x509_fingerprint_cmp(X509 *peer, const 
char *method, const char *
int fingerprint_len;
int result = -1;
 
-   if (php_openssl_x509_fingerprint(peer, method, 0, fingerprint, 
fingerprint_len)) {
+   if (php_openssl_x509_fingerprint(peer, method, 0, fingerprint, 
fingerprint_len) == SUCCESS) {
result = strcmp(expected, fingerprint);
efree(fingerprint);
}
@@ -1713,12 +1713,12 @@ static int php_x509_fingerprint_cmp(X509 *peer, const 
char *method, const char *
return result;
 }
 
-static int php_x509_fingerprint_match(X509 *peer, zval **val)
+static zend_bool php_x509_fingerprint_match(X509 *peer, zval *val)
 {
-   if (Z_TYPE_PP(val) == IS_STRING) {
+   if (Z_TYPE_P(val) == IS_STRING) {
const char *method = NULL;
 
-   switch (Z_STRLEN_PP(val)) {
+   switch (Z_STRLEN_P(val)) {
case 32:
method = md5;
break;
@@ -1728,19 +1728,19 @@ static int php_x509_fingerprint_match(X509 *peer, zval 
**val)
break;
}
 
-   return method  php_x509_fingerprint_cmp(peer, method, 
Z_STRVAL_PP(val)) == 0;
-   } else if (Z_TYPE_PP(val) == IS_ARRAY) {
+   return method  php_x509_fingerprint_cmp(peer, method, 
Z_STRVAL_P(val)) == 0;
+   } else if (Z_TYPE_P(val) == IS_ARRAY) {
HashPosition pos;
zval **current;
char *key;
uint key_len;
ulong key_index;
 
-   for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(val), 
pos);
-   zend_hash_get_current_data_ex(Z_ARRVAL_PP(val), (void 
**)current, pos) == SUCCESS;
-   zend_hash_move_forward_ex(Z_ARRVAL_PP(val), pos)
+   for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(val), pos);
+   zend_hash_get_current_data_ex(Z_ARRVAL_P(val), (void 
**)current, pos) == SUCCESS;
+   zend_hash_move_forward_ex(Z_ARRVAL_P(val), pos)
) {
-   int key_type = 
zend_hash_get_current_key_ex(Z_ARRVAL_PP(val), key, key_len, key_index, 0, 
pos);
+   int key_type = 
zend_hash_get_current_key_ex(Z_ARRVAL_P(val), key, key_len, key_index, 0, 
pos);
 
if (key_type == HASH_KEY_IS_STRING 
 Z_TYPE_PP(current) == IS_STRING
@@ -1776,7 +1776,7 @@ PHP_FUNCTION(openssl_x509_fingerprint)
RETURN_FALSE;
}
 
-   if (php_openssl_x509_fingerprint(cert, method, raw_output, 
fingerprint, fingerprint_len)) {
+   if (php_openssl_x509_fingerprint(cert, method, raw_output, 
fingerprint, fingerprint_len) == SUCCESS) {
RETVAL_STRINGL(fingerprint, fingerprint_len, 0);
} else {
RETVAL_FALSE;
@@ -4989,7 +4989,7 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 
*peer, php_stream *stre
 

[PHP-CVS] com php-src: Added test case for openssl_x509_digest(): ext/openssl/tests/openssl_x509_digest.phpt

2013-10-08 Thread Michael Wallner
Commit:a97aec16c0320c5737b43ad1c3caf01ea1485874
Author:Tjerk Meesters datib...@php.net Fri, 20 Sep 2013 23:28:29 
+0800
Committer: Tjerk Meesters tj...@muvee.com  Fri, 20 Sep 2013 23:29:04 +0800
Parents:   574fe449dc05a11cfe7e6a33b04d3f6557442600
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=a97aec16c0320c5737b43ad1c3caf01ea1485874

Log:
Added test case for openssl_x509_digest()

Changed paths:
  A  ext/openssl/tests/openssl_x509_digest.phpt


Diff:
diff --git a/ext/openssl/tests/openssl_x509_digest.phpt 
b/ext/openssl/tests/openssl_x509_digest.phpt
new file mode 100644
index 000..98ec009
--- /dev/null
+++ b/ext/openssl/tests/openssl_x509_digest.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Testing openssl_x509_digest()
+--SKIPIF--
+?php
+if (!extension_loaded(openssl)) die(skip);
+?
+--FILE--
+?php
+
+$cert = file:// . dirname(__FILE__) . /cert.crt;
+
+echo ** Testing default functionality **\n;
+var_dump(openssl_x509_digest($cert));
+echo ** Testing hash method md5 **\n;
+var_dump(openssl_x509_digest($cert, 'md5'));
+
+echo **Testing raw output md5 **\n;
+var_dump(bin2hex(openssl_x509_digest($cert, 'md5', true)));
+
+echo ** Testing bad certification **\n;
+var_dump(openssl_x509_digest('123'));
+echo ** Testing bad hash method **\n;
+var_dump(openssl_x509_digest($cert, 'xx45'));
+--EXPECTF--
+** Testing default functionality **
+string(40) 6e6fd1ea10a5a23071d61c728ee9b40df6dbc33c
+** Testing hash method md5 **
+string(32) ac77008e172897e06c0b065294487a67
+**Testing raw output md5 **
+string(32) ac77008e172897e06c0b065294487a67
+** Testing bad certification **
+
+Warning: openssl_x509_digest(): cannot get cert from parameter 1 in %s on line 
%d
+bool(false)
+** Testing bad hash method **
+
+Warning: openssl_x509_digest(): Unknown signature algorithm in %s on line %d
+bool(false)
+
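
Review bot: the `--FILE--` section exercises only the default digest (40 hex characters in the expected output) and `md5`, and has no case for calling the function with no arguments. Suggest adding a case with another digest name such as `sha256` and a zero-argument call, so the EXPECTF block pins the behaviour for those inputs too. Minor: the label "bad certification" presumably means "bad certificate".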





[PHP-CVS] com php-src: Renamed to be more descriptive of what it does: ext/openssl/openssl.c ext/openssl/php_openssl.h ext/openssl/tests/openssl_x509_digest.phpt ext/openssl/tests/openssl_x509_fingerp

2013-10-08 Thread Michael Wallner
Commit:2bfc5a253b4ee76f9930692f2d088371c38dd65f
Author:Tjerk Meesters datib...@php.net Mon, 23 Sep 2013 00:51:17 
+0800
Parents:   521a5c956800115f0be008e0581878e4303a5118
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=2bfc5a253b4ee76f9930692f2d088371c38dd65f

Log:
Renamed to be more descriptive of what it does

Changed paths:
  M  ext/openssl/openssl.c
  M  ext/openssl/php_openssl.h
  D  ext/openssl/tests/openssl_x509_digest.phpt
  A  ext/openssl/tests/openssl_x509_fingerprint.phpt


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 9685dac..9da10fc 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -129,7 +129,7 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_export, 0, 0, 2)
 ZEND_ARG_INFO(0, notext)
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 1)
+ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_fingerprint, 0, 0, 1)
ZEND_ARG_INFO(0, x509)
ZEND_ARG_INFO(0, method)
ZEND_ARG_INFO(0, raw_output)
@@ -449,7 +449,7 @@ const zend_function_entry openssl_functions[] = {
PHP_FE(openssl_x509_checkpurpose,   
arginfo_openssl_x509_checkpurpose)
PHP_FE(openssl_x509_check_private_key,  
arginfo_openssl_x509_check_private_key)
PHP_FE(openssl_x509_export, 
arginfo_openssl_x509_export)
-   PHP_FE(openssl_x509_digest, 
arginfo_openssl_x509_digest)
+   PHP_FE(openssl_x509_fingerprint,
arginfo_openssl_x509_fingerprint)
PHP_FE(openssl_x509_export_to_file, 
arginfo_openssl_x509_export_to_file)
 
 /* PKCS12 funcs */
@@ -1672,7 +1672,7 @@ PHP_FUNCTION(openssl_x509_export)
 }
 /* }}} */
 
-PHP_FUNCTION(openssl_x509_digest)
+PHP_FUNCTION(openssl_x509_fingerprint)
 {
X509 *cert;
zval **zcert;
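
Review bot: `PHP_FUNCTION(openssl_x509_fingerprint)` has no `/* {{{ proto ... */` comment above it, unlike `openssl_x509_check_private_key` in the same file. Since the rename touches this line anyway, suggest adding the prototype with the three arguments declared in the arginfo hunk (`x509`, `method`, `raw_output`) and the return type.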
diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h
index 4f0ac14..a06e43d 100644
--- a/ext/openssl/php_openssl.h
+++ b/ext/openssl/php_openssl.h
@@ -66,7 +66,7 @@ PHP_FUNCTION(openssl_x509_free);
 PHP_FUNCTION(openssl_x509_parse);
 PHP_FUNCTION(openssl_x509_checkpurpose);
 PHP_FUNCTION(openssl_x509_export);
-PHP_FUNCTION(openssl_x509_digest);
+PHP_FUNCTION(openssl_x509_fingerprint);
 PHP_FUNCTION(openssl_x509_export_to_file);
 PHP_FUNCTION(openssl_x509_check_private_key);
 
diff --git a/ext/openssl/tests/openssl_x509_digest.phpt 
b/ext/openssl/tests/openssl_x509_digest.phpt
deleted file mode 100644
index fde4280..000
--- a/ext/openssl/tests/openssl_x509_digest.phpt
+++ /dev/null
@@ -1,47 +0,0 @@
---TEST--
-Testing openssl_x509_digest()
---SKIPIF--
-?php
-if (!extension_loaded(openssl)) die(skip);
-?
---FILE--
-?php
-
-$cert = file:// . dirname(__FILE__) . /cert.crt;
-
-echo ** Testing with no parameters **\n;
-var_dump(openssl_x509_digest());
-
-echo ** Testing default functionality **\n;
-var_dump(openssl_x509_digest($cert));
-
-echo ** Testing hash method md5 **\n;
-var_dump(openssl_x509_digest($cert, 'md5'));
-
-echo **Testing raw output md5 **\n;
-var_dump(bin2hex(openssl_x509_digest($cert, 'md5', true)));
-
-echo ** Testing bad certification **\n;
-var_dump(openssl_x509_digest('123'));
-echo ** Testing bad hash method **\n;
-var_dump(openssl_x509_digest($cert, 'xx45'));
---EXPECTF--
-** Testing with no parameters **
-
-Warning: openssl_x509_digest() expects at least 1 parameter, 0 given in %s on 
line %d
-NULL
-** Testing default functionality **
-string(40) 6e6fd1ea10a5a23071d61c728ee9b40df6dbc33c
-** Testing hash method md5 **
-string(32) ac77008e172897e06c0b065294487a67
-**Testing raw output md5 **
-string(32) ac77008e172897e06c0b065294487a67
-** Testing bad certification **
-
-Warning: openssl_x509_digest(): cannot get cert from parameter 1 in %s on line 
%d
-bool(false)
-** Testing bad hash method **
-
-Warning: openssl_x509_digest(): Unknown signature algorithm in %s on line %d
-bool(false)
-
diff --git a/ext/openssl/tests/openssl_x509_fingerprint.phpt 
b/ext/openssl/tests/openssl_x509_fingerprint.phpt
new file mode 100644
index 000..6cd464a
--- /dev/null
+++ b/ext/openssl/tests/openssl_x509_fingerprint.phpt
@@ -0,0 +1,47 @@
+--TEST--
+Testing openssl_x509_fingerprint()
+--SKIPIF--
+?php
+if (!extension_loaded(openssl)) die(skip);
+?
+--FILE--
+?php
+
+$cert = file:// . dirname(__FILE__) . /cert.crt;
+
+echo ** Testing with no parameters **\n;
+var_dump(openssl_x509_fingerprint());
+
+echo ** Testing default functionality **\n;
+var_dump(openssl_x509_fingerprint($cert));
+
+echo ** Testing hash method md5 **\n;
+var_dump(openssl_x509_fingerprint($cert, 'md5'));
+
+echo **Testing raw output md5 **\n;
+var_dump(bin2hex(openssl_x509_fingerprint($cert, 'md5', true)));
+
+echo ** Testing bad certification **\n;
+var_dump(openssl_x509_fingerprint('123'));
+echo ** Testing bad hash method **\n;
+var_dump(openssl_x509_fingerprint($cert, 'xx45'));
+--EXPECTF--
+** Testing with no parameters **
+
+Warning: 

[PHP-CVS] com php-src: show method in error message: ext/openssl/openssl.c

2013-10-08 Thread Michael Wallner
Commit:e45eacd8fa4e32692697171e90f14d3c66d673de
Author:Tjerk Meesters datib...@php.net Mon, 30 Sep 2013 21:21:56 
+0800
Parents:   edd93f34520b550c4c42877fe9e03112cad005ba
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=e45eacd8fa4e32692697171e90f14d3c66d673de

Log:
show method in error message

Changed paths:
  M  ext/openssl/openssl.c


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index c0d1b0b..c208d43 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1679,7 +1679,7 @@ static int php_openssl_x509_fingerprint(X509 *peer, const 
char *method, int raw,
int n;
 
if (!(mdtype = EVP_get_digestbyname(method))) {
-   php_error_docref(NULL TSRMLS_CC, E_WARNING, Unknown signature 
algorithm);
+   php_error_docref(NULL TSRMLS_CC, E_WARNING, `%s`: Unknown 
signature algorithm, method);
return 0;
} else if (!X509_digest(peer, mdtype, md, n)) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, Could not generate 
signature);
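
Review bot: the changed warning now embeds `method`, but this commit touches only `ext/openssl/openssl.c`, while the bad-hash-method case in the .phpt shown elsewhere in this thread expects the text `Unknown signature algorithm` directly after the function name. Suggest updating that EXPECTF line in the same commit so the test keeps passing. `method` is caller-supplied, so also confirm the value is acceptable wherever warnings are displayed or logged.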





[PHP-CVS] com php-src: Support string and array for peer fingerprint matching: ext/openssl/openssl.c ext/openssl/tests/openssl_peer_fingerprint.phpt

2013-10-08 Thread Michael Wallner
Commit:edd93f34520b550c4c42877fe9e03112cad005ba
Author:datibbaw datib...@php.net Fri, 27 Sep 2013 14:13:11 +0800
Parents:   69bdc5aca8f14515556bb6fc8f86becf55ef30bf
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=edd93f34520b550c4c42877fe9e03112cad005ba

Log:
Support string and array for peer fingerprint matching

Changed paths:
  M  ext/openssl/openssl.c
  M  ext/openssl/tests/openssl_peer_fingerprint.phpt


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index a6ddd14..c0d1b0b 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1672,7 +1672,7 @@ PHP_FUNCTION(openssl_x509_export)
 }
 /* }}} */
 
-int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, char 
**out, int *out_len)
+static int php_openssl_x509_fingerprint(X509 *peer, const char *method, int 
raw, char **out, int *out_len)
 {
unsigned char md[EVP_MAX_MD_SIZE];
const EVP_MD *mdtype;
@@ -1699,6 +1699,61 @@ int php_openssl_x509_fingerprint(X509 *peer, const char 
*method, int raw, char *
return 1;
 }
 
+static int php_x509_fingerprint_cmp(X509 *peer, const char *method, const char 
*expected)
+{
+   char *fingerprint;
+   int fingerprint_len;
+   int result = -1;
+
+   if (php_openssl_x509_fingerprint(peer, method, 0, fingerprint, 
fingerprint_len)) {
+   result = strcmp(expected, fingerprint);
+   efree(fingerprint);
+   }
+
+   return result;
+}
+
+static int php_x509_fingerprint_match(X509 *peer, zval **val)
+{
+   if (Z_TYPE_PP(val) == IS_STRING) {
+   const char *method = NULL;
+
+   switch (Z_STRLEN_PP(val)) {
+   case 32:
+   method = md5;
+   break;
+
+   case 40:
+   method = sha1;
+   break;
+   }
+
+   return method  php_x509_fingerprint_cmp(peer, method, 
Z_STRVAL_PP(val)) == 0;
+   } else if (Z_TYPE_PP(val) == IS_ARRAY) {
+   HashPosition pos;
+   zval **current;
+   char *key;
+   uint key_len;
+   ulong key_index;
+
+   for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(val), 
pos);
+   zend_hash_get_current_data_ex(Z_ARRVAL_PP(val), (void 
**)current, pos) == SUCCESS;
+   zend_hash_move_forward_ex(Z_ARRVAL_PP(val), pos)
+   ) {
+   int key_type = 
zend_hash_get_current_key_ex(Z_ARRVAL_PP(val), key, key_len, key_index, 0, 
pos);
+
+   if (key_type == HASH_KEY_IS_STRING 
+Z_TYPE_PP(current) == IS_STRING
+php_x509_fingerprint_cmp(peer, key, 
Z_STRVAL_PP(current)) != 0
+   ) {
+   return 0;
+   }
+   }
+   return 1;
+   }
+   return 0;
+}
+
 PHP_FUNCTION(openssl_x509_fingerprint)
 {
X509 *cert;
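
Review bot: the `IS_ARRAY` branch of `php_x509_fingerprint_match()` fails open: the loop returns 0 only when an entry has a string key, a string value and a mismatching digest, so an empty array, integer-keyed entries or non-string values all fall through to `return 1` and the peer is accepted without any fingerprint having been compared. Suggest returning 0 for any entry that is not a string key with a string value, and requiring at least one successful comparison before returning 1. In `php_x509_fingerprint_cmp()`, `strcmp()` against the lower-case hex output means an upper-case pin never matches; a case-insensitive compare, or documenting lower-case only, would avoid that.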
@@ -1709,7 +1764,7 @@ PHP_FUNCTION(openssl_x509_fingerprint)
int method_len;
 
char *fingerprint;
-   char *fingerprint_len;
+   int fingerprint_len;
 
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, Z|sb, zcert, 
method, method_len, raw_output) == FAILURE) {
return;
@@ -4932,30 +4987,14 @@ int php_openssl_apply_verification_policy(SSL *ssl, 
X509 *peer, php_stream *stre
 
/* if the cert passed the usual checks, apply our own local policies 
now */
 
-   if (GET_VER_OPT(peer_fingerprint)  Z_TYPE_PP(val) == IS_STRING) {
-   char *fingerprint;
-   int fingerprint_len;
-   const char *method = NULL;
-
-   switch (Z_STRLEN_PP(val)) {
-   case 32:
-   method = md5;
-   break;
-
-   case 40:
-   method = sha1;
-   break;
-   }
-
-   if (method  php_openssl_x509_fingerprint(peer, method, 0, 
fingerprint, fingerprint_len)) {
-   int match = strcmp(Z_STRVAL_PP(val), fingerprint) == 0;
-
-   efree(fingerprint);
-
-   if (!match) {
-   php_error_docref(NULL TSRMLS_CC, E_WARNING, 
Peer fingerprint `%s` not matched, Z_STRVAL_PP(val));
+   if (GET_VER_OPT(peer_fingerprint)) {
+   if (Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_ARRAY) {
+   if (!php_x509_fingerprint_match(peer, val)) {
+   php_error_docref(NULL TSRMLS_CC, E_WARNING, 
Peer fingerprint doesn't match);
return FAILURE;
}
+   } else {
+   php_error_docref(NULL 

[PHP-CVS] com php-src: who put that stupid newline there?: ext/openssl/openssl.c

2013-10-08 Thread Michael Wallner
Commit:69bdc5aca8f14515556bb6fc8f86becf55ef30bf
Author:Tjerk Meesters datib...@php.net Mon, 23 Sep 2013 23:42:31 
+0800
Parents:   1c7cabb2ca405e6763d7044015f9cb063941a838
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=69bdc5aca8f14515556bb6fc8f86becf55ef30bf

Log:
who put that stupid newline there?

Changed paths:
  M  ext/openssl/openssl.c


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index c8588e2..a6ddd14 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1,5 +1,4 @@
 /*
-   
+--+
| PHP Version 5|
+--+





[PHP-CVS] com php-src: don't leak cert on errors, return null on zpp failure: ext/openssl/openssl.c ext/openssl/tests/openssl_x509_digest.phpt

2013-10-08 Thread Michael Wallner
Commit:521a5c956800115f0be008e0581878e4303a5118
Author:Tjerk Meesters tj...@muvee.com Sat, 21 Sep 2013 18:24:00 
+0800
Parents:   a97aec16c0320c5737b43ad1c3caf01ea1485874
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=521a5c956800115f0be008e0581878e4303a5118

Log:
don't leak cert on errors, return null on zpp failure

Changed paths:
  M  ext/openssl/openssl.c
  M  ext/openssl/tests/openssl_x509_digest.phpt


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index e6040d5..9685dac 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1685,8 +1685,6 @@ PHP_FUNCTION(openssl_x509_digest)
unsigned char md[EVP_MAX_MD_SIZE];
unsigned int n;
 
-   RETVAL_FALSE;
-
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, Z|sb, zcert, 
method, method_len, raw_output) == FAILURE) {
return;
}
@@ -1694,28 +1692,26 @@ PHP_FUNCTION(openssl_x509_digest)
cert = php_openssl_x509_from_zval(zcert, 0, certresource TSRMLS_CC);
if (cert == NULL) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, cannot get cert 
from parameter 1);
-   return;
+   RETURN_FALSE;
}
 
mdtype = EVP_get_digestbyname(method);
if (!mdtype) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, Unknown signature 
algorithm);
-   return;
-   }
-
-   if (!X509_digest(cert, mdtype, md, n)) {
-   php_error_docref(NULL TSRMLS_CC, E_ERROR, out of memory);
-   return;
-   }
-
-   if (raw_output) {
-   RETVAL_STRINGL(md, n, 1);
+   RETVAL_FALSE;
+   } else if (!X509_digest(cert, mdtype, md, n)) {
+   php_error_docref(NULL TSRMLS_CC, E_ERROR, Out of memory);
+   RETVAL_FALSE;
} else {
-   int digest_str_len = n * 2;
-   char *digest_str = emalloc(digest_str_len + 1);
+   if (raw_output) {
+   RETVAL_STRINGL(md, n, 1);
+   } else {
+   int digest_str_len = n * 2;
+   char *digest_str = emalloc(digest_str_len + 1);
 
-   make_digest_ex(digest_str, md, n);
-   RETVAL_STRINGL(digest_str, digest_str_len, 0);
+   make_digest_ex(digest_str, md, n);
+   RETVAL_STRINGL(digest_str, digest_str_len, 0);
+   }
}
 
if (certresource == -1  cert) {
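
Review bot: in the new `else if (!X509_digest(...))` branch the message is raised with `E_ERROR`, which is fatal, so the `RETVAL_FALSE` on the next line and the `certresource == -1` cleanup below are not reached and the certificate is still leaked on that path. Suggest `E_WARNING` here, matching the unknown-algorithm branch above it; "Out of memory" also asserts a cause that the return value of `X509_digest()` does not tell you.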
diff --git a/ext/openssl/tests/openssl_x509_digest.phpt 
b/ext/openssl/tests/openssl_x509_digest.phpt
index 98ec009..fde4280 100644
--- a/ext/openssl/tests/openssl_x509_digest.phpt
+++ b/ext/openssl/tests/openssl_x509_digest.phpt
@@ -9,8 +9,12 @@ if (!extension_loaded(openssl)) die(skip);
 
 $cert = file:// . dirname(__FILE__) . /cert.crt;
 
+echo ** Testing with no parameters **\n;
+var_dump(openssl_x509_digest());
+
 echo ** Testing default functionality **\n;
 var_dump(openssl_x509_digest($cert));
+
 echo ** Testing hash method md5 **\n;
 var_dump(openssl_x509_digest($cert, 'md5'));
 
@@ -22,6 +26,10 @@ var_dump(openssl_x509_digest('123'));
 echo ** Testing bad hash method **\n;
 var_dump(openssl_x509_digest($cert, 'xx45'));
 --EXPECTF--
+** Testing with no parameters **
+
+Warning: openssl_x509_digest() expects at least 1 parameter, 0 given in %s on 
line %d
+NULL
 ** Testing default functionality **
 string(40) 6e6fd1ea10a5a23071d61c728ee9b40df6dbc33c
 ** Testing hash method md5 **





[PHP-CVS] com php-src: add md5 and sha1 fingerprint tests: ext/openssl/openssl.c ext/openssl/tests/openssl_peer_fingerprint.phpt

2013-10-08 Thread Michael Wallner
Commit:1c7cabb2ca405e6763d7044015f9cb063941a838
Author:Tjerk Meesters datib...@php.net Mon, 23 Sep 2013 23:29:17 
+0800
Parents:   2bfc5a253b4ee76f9930692f2d088371c38dd65f
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=1c7cabb2ca405e6763d7044015f9cb063941a838

Log:
add md5 and sha1 fingerprint tests

Changed paths:
  M  ext/openssl/openssl.c
  A  ext/openssl/tests/openssl_peer_fingerprint.phpt


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 9da10fc..c8588e2 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1,4 +1,5 @@
 /*
+   
+--+
| PHP Version 5|
+--+
@@ -1672,6 +1673,33 @@ PHP_FUNCTION(openssl_x509_export)
 }
 /* }}} */
 
+int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, char 
**out, int *out_len)
+{
+   unsigned char md[EVP_MAX_MD_SIZE];
+   const EVP_MD *mdtype;
+   int n;
+
+   if (!(mdtype = EVP_get_digestbyname(method))) {
+   php_error_docref(NULL TSRMLS_CC, E_WARNING, Unknown signature 
algorithm);
+   return 0;
+   } else if (!X509_digest(peer, mdtype, md, n)) {
+   php_error_docref(NULL TSRMLS_CC, E_ERROR, Could not generate 
signature);
+   return 0;
+   }
+
+   if (raw) {
+   *out_len = n;
+   *out = estrndup(md, n);
+   } else {
+   *out_len = n * 2;
+   *out = emalloc(*out_len + 1);
+
+   make_digest_ex(*out, md, n);
+   }
+
+   return 1;
+}
+
 PHP_FUNCTION(openssl_x509_fingerprint)
 {
X509 *cert;
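
Review bot: `n` is declared `int` in the new `php_openssl_x509_fingerprint()`, while the code it replaces (removed further down in this diff) used `unsigned int n` for the same `X509_digest()` length argument. Suggest keeping `unsigned int`. The function is also added without `static` although no header is changed in this commit, and the log message ("add md5 and sha1 fingerprint tests") does not mention that the commit introduces this helper and the `peer_fingerprint` check.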
@@ -1681,9 +1709,8 @@ PHP_FUNCTION(openssl_x509_fingerprint)
char *method = sha1;
int method_len;
 
-   const EVP_MD *mdtype;
-   unsigned char md[EVP_MAX_MD_SIZE];
-   unsigned int n;
+   char *fingerprint;
+   char *fingerprint_len;
 
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, Z|sb, zcert, 
method, method_len, raw_output) == FAILURE) {
return;
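
Review bot: `fingerprint_len` is declared `char *` here, but it is the length handed to `php_openssl_x509_fingerprint()` (whose last parameter is `int *out_len`) and then to `RETVAL_STRINGL()` in the next hunk. It should be `int fingerprint_len;`.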
@@ -1695,23 +1722,10 @@ PHP_FUNCTION(openssl_x509_fingerprint)
RETURN_FALSE;
}
 
-   mdtype = EVP_get_digestbyname(method);
-   if (!mdtype) {
-   php_error_docref(NULL TSRMLS_CC, E_WARNING, Unknown signature 
algorithm);
-   RETVAL_FALSE;
-   } else if (!X509_digest(cert, mdtype, md, n)) {
-   php_error_docref(NULL TSRMLS_CC, E_ERROR, Out of memory);
-   RETVAL_FALSE;
+   if (php_openssl_x509_fingerprint(cert, method, raw_output, 
fingerprint, fingerprint_len)) {
+   RETVAL_STRINGL(fingerprint, fingerprint_len, 0);
} else {
-   if (raw_output) {
-   RETVAL_STRINGL(md, n, 1);
-   } else {
-   int digest_str_len = n * 2;
-   char *digest_str = emalloc(digest_str_len + 1);
-
-   make_digest_ex(digest_str, md, n);
-   RETVAL_STRINGL(digest_str, digest_str_len, 0);
-   }
+   RETVAL_FALSE;
}
 
if (certresource == -1  cert) {
@@ -4919,6 +4933,33 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 
*peer, php_stream *stre
 
/* if the cert passed the usual checks, apply our own local policies 
now */
 
+   if (GET_VER_OPT(peer_fingerprint)  Z_TYPE_PP(val) == IS_STRING) {
+   char *fingerprint;
+   int fingerprint_len;
+   const char *method = NULL;
+
+   switch (Z_STRLEN_PP(val)) {
+   case 32:
+   method = md5;
+   break;
+
+   case 40:
+   method = sha1;
+   break;
+   }
+
+   if (method  php_openssl_x509_fingerprint(peer, method, 0, 
fingerprint, fingerprint_len)) {
+   int match = strcmp(Z_STRVAL_PP(val), fingerprint) == 0;
+
+   efree(fingerprint);
+
+   if (!match) {
+   php_error_docref(NULL TSRMLS_CC, E_WARNING, 
Peer fingerprint `%s` not matched, Z_STRVAL_PP(val));
+   return FAILURE;
+   }
+   }
+   }
+
name = X509_get_subject_name(peer);
 
/* Does the common name match ? (used primarily for https://) */
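
Review bot: the new `peer_fingerprint` block fails open. When the option is not a string, when its length is neither 32 nor 40 (so `method` stays NULL), or when `php_openssl_x509_fingerprint()` itself fails, no comparison happens and verification carries on as if the pin had matched. Suggest returning `FAILURE` with a warning in each of those cases, so a mistyped or unsupported fingerprint cannot silently disable the check.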
diff --git a/ext/openssl/tests/openssl_peer_fingerprint.phpt 
b/ext/openssl/tests/openssl_peer_fingerprint.phpt
new file mode 100644
index 000..a6be676
--- /dev/null
+++ b/ext/openssl/tests/openssl_peer_fingerprint.phpt
@@ -0,0 +1,44 @@
+--TEST--
+Testing peer fingerprint on connection
+--SKIPIF--
+?php 
+if 

[PHP-CVS] com php-src: indentation fail: ext/openssl/openssl.c

2013-10-08 Thread Michael Wallner
Commit:ce13f9fa328ae4a0c7fa9ef5efdb72a43f29dde2
Author:datibbaw datib...@php.net Fri, 20 Sep 2013 16:59:44 +0800
Parents:   b2881db9a98db6e92d9f6964dd83a003c39a7fbd
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=ce13f9fa328ae4a0c7fa9ef5efdb72a43f29dde2

Log:
indentation fail

Changed paths:
  M  ext/openssl/openssl.c


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 6979e35..f0ae2b7 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1676,14 +1676,14 @@ PHP_FUNCTION(openssl_x509_export)
 PHP_FUNCTION(openssl_x509_digest)
 {
X509 *cert;
-zval **zcert, *zout;
+   zval **zcert, *zout;
long certresource;
zend_bool raw_output = 0;
char *method = sha1;
int method_len;
 
const EVP_MD *mdtype;
-unsigned char md[EVP_MAX_MD_SIZE];
+   unsigned char md[EVP_MAX_MD_SIZE];
unsigned int n;
 
RETVAL_FALSE;





[PHP-CVS] com php-src: added option for raw output: ext/openssl/openssl.c

2013-10-08 Thread Michael Wallner
Commit:5cff92fb12e83f4c6c81c6e8b89480def3ee5e9e
Author:datibbaw datib...@php.net Fri, 20 Sep 2013 15:45:41 +0800
Parents:   b8f9a20286c6d88c11e81967df42d118bdba2f02
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=5cff92fb12e83f4c6c81c6e8b89480def3ee5e9e

Log:
added option for raw output

Changed paths:
  M  ext/openssl/openssl.c


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index c7203a7..5dfb9b4 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -132,6 +132,7 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 2)
ZEND_ARG_INFO(0, x509)
ZEND_ARG_INFO(1, out)
+   ZEND_ARG_INFO(0, raw_output)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_INFO(arginfo_openssl_x509_check_private_key, 0)
@@ -1676,13 +1677,14 @@ PHP_FUNCTION(openssl_x509_digest)
X509 *cert;
 zval **zcert, *zout;
long certresource;
+   zend_bool raw_output = 0;
 
 unsigned char md[EVP_MAX_MD_SIZE];
unsigned int n;
 
RETVAL_FALSE;
 
-if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, Zz, zcert, zout) 
== FAILURE) {
+if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, Zz|b, zcert, 
zout, raw_output) == FAILURE) {
return;
}
 
@@ -1698,7 +1700,16 @@ PHP_FUNCTION(openssl_x509_digest)
}
 
zval_dtor(zout);
-   ZVAL_STRINGL(zout, md, n, 1);
+
+   if (raw_output) {
+   ZVAL_STRINGL(zout, md, n, 1);
+   } else {
+   int digest_str_len = n * 2;
+   char *digest_str = emalloc(digest_str_len + 1);
+
+   make_digest_ex(digest_str, md, n);
+   ZVAL_STRINGL(zout, digest_str, digest_str_len, 0);
+   }
 
if (certresource == -1  cert) {
X509_free(cert);





[PHP-CVS] com php-src: removed the byref result: ext/openssl/openssl.c

2013-10-08 Thread Michael Wallner
Commit:574fe449dc05a11cfe7e6a33b04d3f6557442600
Author:Tjerk Meesters tj...@muvee.com Fri, 20 Sep 2013 22:50:30 
+0800
Parents:   ce13f9fa328ae4a0c7fa9ef5efdb72a43f29dde2
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=574fe449dc05a11cfe7e6a33b04d3f6557442600

Log:
removed the byref result

Changed paths:
  M  ext/openssl/openssl.c


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index f0ae2b7..e6040d5 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -129,9 +129,8 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_export, 0, 0, 2)
 ZEND_ARG_INFO(0, notext)
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 2)
+ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 1)
ZEND_ARG_INFO(0, x509)
-   ZEND_ARG_INFO(1, out)
ZEND_ARG_INFO(0, method)
ZEND_ARG_INFO(0, raw_output)
 ZEND_END_ARG_INFO()
@@ -1676,7 +1675,7 @@ PHP_FUNCTION(openssl_x509_export)
 PHP_FUNCTION(openssl_x509_digest)
 {
X509 *cert;
-   zval **zcert, *zout;
+   zval **zcert;
long certresource;
zend_bool raw_output = 0;
char *method = sha1;
@@ -1688,7 +1687,7 @@ PHP_FUNCTION(openssl_x509_digest)
 
RETVAL_FALSE;
 
-if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, Zz|sb, zcert, 
zout, method, method_len, raw_output) == FAILURE) {
+   if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, Z|sb, zcert, 
method, method_len, raw_output) == FAILURE) {
return;
}
 
@@ -1701,7 +1700,7 @@ PHP_FUNCTION(openssl_x509_digest)
mdtype = EVP_get_digestbyname(method);
if (!mdtype) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, Unknown signature 
algorithm);
-   RETURN_FALSE;
+   return;
}
 
if (!X509_digest(cert, mdtype, md, n)) {
@@ -1709,22 +1708,19 @@ PHP_FUNCTION(openssl_x509_digest)
return;
}
 
-   zval_dtor(zout);
-
if (raw_output) {
-   ZVAL_STRINGL(zout, md, n, 1);
+   RETVAL_STRINGL(md, n, 1);
} else {
int digest_str_len = n * 2;
char *digest_str = emalloc(digest_str_len + 1);
 
make_digest_ex(digest_str, md, n);
-   ZVAL_STRINGL(zout, digest_str, digest_str_len, 0);
+   RETVAL_STRINGL(digest_str, digest_str_len, 0);
}
 
if (certresource == -1  cert) {
X509_free(cert);
}
-   RETVAL_TRUE;
 }
 
 /* {{{ proto bool openssl_x509_check_private_key(mixed cert, mixed key)
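Review bot: The `return;` at the top of this hunk (the X509_digest failure path) leaves the function before the X509_free(cert) block at the bottom, so a certificate loaded just for this call (certresource == -1) is not released on that path; the bare `return;` that replaces RETURN_FALSE for the unknown-method case in the previous hunk has the same problem. Send both failure paths through one cleanup point, or free the certificate before returning.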





[PHP-CVS] com php-src: Merge branch 'bug65729' of https://github.com/datibbaw/php-src: ext/openssl/openssl.c

2013-10-08 Thread Michael Wallner
Commit:8300ced2f7daef0e1a6786d89361b92aadb3dd10
Author:Michael Wallner m...@php.net Tue, 8 Oct 2013 15:58:28 +0200
Parents:   0d8c83a251a96a81f53dec16e4ae4d39de01c4da 
6106896440572dd8093acdd11ea691a07d9b169c
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=8300ced2f7daef0e1a6786d89361b92aadb3dd10

Log:
Merge branch 'bug65729' of https://github.com/datibbaw/php-src

* 'bug65729' of https://github.com/datibbaw/php-src:
  DNS name comparison is now case insensitive.
  Use zend_bool as return value for _match()
  Added two more test cases for CN matching.
  yay, reduced one variable
  Fixed bug that would lead to out of bounds memory access
  added better wildcard matching for CN

Bugs:
https://bugs.php.net/65729

Changed paths:
  MM  ext/openssl/openssl.c


Diff:






[PHP-CVS] com php-src: added openssl_x509_digest(), output is binary sha1: ext/openssl/openssl.c ext/openssl/php_openssl.h

2013-10-08 Thread Michael Wallner
Commit:b8f9a20286c6d88c11e81967df42d118bdba2f02
Author:datibbaw datib...@php.net Fri, 20 Sep 2013 15:04:52 +0800
Parents:   11d60447f9f22944dd08d8dacba1230fc4caabd8
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=b8f9a20286c6d88c11e81967df42d118bdba2f02

Log:
added openssl_x509_digest(), output is binary sha1

Changed paths:
  M  ext/openssl/openssl.c
  M  ext/openssl/php_openssl.h


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 4aac4e3..c7203a7 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -129,6 +129,11 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_export, 0, 0, 
2)
 ZEND_ARG_INFO(0, notext)
 ZEND_END_ARG_INFO()
 
+ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 2)
+   ZEND_ARG_INFO(0, x509)
+   ZEND_ARG_INFO(1, out)
+ZEND_END_ARG_INFO()
+
 ZEND_BEGIN_ARG_INFO(arginfo_openssl_x509_check_private_key, 0)
 ZEND_ARG_INFO(0, cert)
 ZEND_ARG_INFO(0, key)
@@ -443,6 +448,7 @@ const zend_function_entry openssl_functions[] = {
PHP_FE(openssl_x509_checkpurpose,   
arginfo_openssl_x509_checkpurpose)
PHP_FE(openssl_x509_check_private_key,  
arginfo_openssl_x509_check_private_key)
PHP_FE(openssl_x509_export, 
arginfo_openssl_x509_export)
+   PHP_FE(openssl_x509_digest, 
arginfo_openssl_x509_digest)
PHP_FE(openssl_x509_export_to_file, 
arginfo_openssl_x509_export_to_file)
 
 /* PKCS12 funcs */
@@ -1665,6 +1671,41 @@ PHP_FUNCTION(openssl_x509_export)
 }
 /* }}} */
 
+PHP_FUNCTION(openssl_x509_digest)
+{
+   X509 *cert;
+zval **zcert, *zout;
+   long certresource;
+
+unsigned char md[EVP_MAX_MD_SIZE];
+   unsigned int n;
+
+   RETVAL_FALSE;
+
+if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, Zz, zcert, zout) 
== FAILURE) {
+   return;
+   }
+
+   cert = php_openssl_x509_from_zval(zcert, 0, certresource TSRMLS_CC);
+   if (cert == NULL) {
+   php_error_docref(NULL TSRMLS_CC, E_WARNING, cannot get cert 
from parameter 1);
+   return;
+   }
+
+   if (!X509_digest(cert, EVP_sha1(), md, n)) {
+   php_error_docref(NULL TSRMLS_CC, E_ERROR, out of memory);
+   return;
+   }
+
+   zval_dtor(zout);
+   ZVAL_STRINGL(zout, md, n, 1);
+
+   if (certresource == -1  cert) {
+   X509_free(cert);
+   }
+   RETVAL_TRUE;
+}
+
 /* {{{ proto bool openssl_x509_check_private_key(mixed cert, mixed key)
Checks if a private key corresponds to a CERT */
 PHP_FUNCTION(openssl_x509_check_private_key)
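Review bot: The X509_digest failure branch raises E_ERROR with the text "out of memory", which turns any digest failure into a fatal error with a guessed cause; an E_WARNING that names the failed operation, followed by releasing the certificate and returning false, would match the other error path in this function. The new function also lacks the `/* {{{ proto ... */` header and closing `/* }}} */` marker that the neighbouring functions in this hunk carry.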
diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h
index 8483bbf..4f0ac14 100644
--- a/ext/openssl/php_openssl.h
+++ b/ext/openssl/php_openssl.h
@@ -66,6 +66,7 @@ PHP_FUNCTION(openssl_x509_free);
 PHP_FUNCTION(openssl_x509_parse);
 PHP_FUNCTION(openssl_x509_checkpurpose);
 PHP_FUNCTION(openssl_x509_export);
+PHP_FUNCTION(openssl_x509_digest);
 PHP_FUNCTION(openssl_x509_export_to_file);
 PHP_FUNCTION(openssl_x509_check_private_key);





[PHP-CVS] com php-src: added option for hash function: ext/openssl/openssl.c

2013-10-08 Thread Michael Wallner
Commit:b2881db9a98db6e92d9f6964dd83a003c39a7fbd
Author:datibbaw datib...@php.net Fri, 20 Sep 2013 16:56:50 +0800
Parents:   5cff92fb12e83f4c6c81c6e8b89480def3ee5e9e
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=b2881db9a98db6e92d9f6964dd83a003c39a7fbd

Log:
added option for hash function

Changed paths:
  M  ext/openssl/openssl.c


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 5dfb9b4..6979e35 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -132,6 +132,7 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 2)
ZEND_ARG_INFO(0, x509)
ZEND_ARG_INFO(1, out)
+   ZEND_ARG_INFO(0, method)
ZEND_ARG_INFO(0, raw_output)
 ZEND_END_ARG_INFO()
 
@@ -1678,13 +1679,16 @@ PHP_FUNCTION(openssl_x509_digest)
 zval **zcert, *zout;
long certresource;
zend_bool raw_output = 0;
+   char *method = sha1;
+   int method_len;
 
+   const EVP_MD *mdtype;
 unsigned char md[EVP_MAX_MD_SIZE];
unsigned int n;
 
RETVAL_FALSE;
 
-if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, Zz|b, zcert, 
zout, raw_output) == FAILURE) {
+if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, Zz|sb, zcert, 
zout, method, method_len, raw_output) == FAILURE) {
return;
}
 
@@ -1694,7 +1698,13 @@ PHP_FUNCTION(openssl_x509_digest)
return;
}
 
-   if (!X509_digest(cert, EVP_sha1(), md, n)) {
+   mdtype = EVP_get_digestbyname(method);
+   if (!mdtype) {
+   php_error_docref(NULL TSRMLS_CC, E_WARNING, Unknown signature 
algorithm);
+   RETURN_FALSE;
+   }
+
+   if (!X509_digest(cert, mdtype, md, n)) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, out of memory);
return;
}
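Review bot: The warning raised when EVP_get_digestbyname() returns NULL reads "Unknown signature algorithm", but the argument names a digest, and the message does not say which value was rejected; wording such as "Unknown digest method" with the supplied name included would be easier to act on. This branch also uses RETURN_FALSE while the other failure paths in the function use a bare `return;` after the initial RETVAL_FALSE, so pick one form.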





[PHP-CVS] com php-src: Use zend_bool as return value for _match(): ext/openssl/openssl.c

2013-10-08 Thread Michael Wallner
Commit:39c0daeb71f76ce22dc604bda8a063319fd55e59
Author:Tjerk Meesters datib...@php.net Mon, 7 Oct 2013 23:04:24 
+0800
Parents:   674dd73f8c34b9faf1e777a301e5302348b48b9d
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=39c0daeb71f76ce22dc604bda8a063319fd55e59

Log:
Use zend_bool as return value for _match()

Changed paths:
  M  ext/openssl/openssl.c


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 2aa850a..2b34570 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -4829,7 +4829,7 @@ static int verify_callback(int preverify_ok, 
X509_STORE_CTX *ctx) /* {{{ */
 }
 /* }}} */
 
-static int php_openssl_match_cn(const char *subjectname, const char *certname)
+static zend_bool php_openssl_match_cn(const char *subjectname, const char 
*certname)
 {
char *wildcard;
int prefix_len, suffix_len, subject_len;
@@ -4902,7 +4902,6 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 
*peer, php_stream *stre
/* Does the common name match ? (used primarily for https://) */
GET_VER_OPT_STRING(CN_match, cnmatch);
if (cnmatch) {
-   int match = 0;
int name_len = X509_NAME_get_text_by_NID(name, NID_commonName, 
buf, sizeof(buf));
 
if (name_len == -1) {
@@ -4913,9 +4912,7 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 
*peer, php_stream *stre
return FAILURE;
}
 
-   match = php_openssl_match_cn(cnmatch, buf);
-
-   if (!match) {
+   if (!php_openssl_match_cn(cnmatch, buf)) {
/* didn't match */
php_error_docref(NULL TSRMLS_CC, E_WARNING, Peer 
certificate CN=`%.*s' did not match expected CN=`%s', name_len, buf, cnmatch);
return FAILURE;





[PHP-CVS] com php-src: DNS name comparison is now case insensitive.: ext/openssl/openssl.c ext/openssl/tests/bug65729.phpt

2013-10-08 Thread Michael Wallner
Commit:6106896440572dd8093acdd11ea691a07d9b169c
Author:datibbaw datib...@php.net Tue, 8 Oct 2013 10:07:54 +0800
Parents:   39c0daeb71f76ce22dc604bda8a063319fd55e59
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=6106896440572dd8093acdd11ea691a07d9b169c

Log:
DNS name comparison is now case insensitive.

Changed paths:
  M  ext/openssl/openssl.c
  M  ext/openssl/tests/bug65729.phpt


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 2b34570..15cf798 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -4834,7 +4834,7 @@ static zend_bool php_openssl_match_cn(const char 
*subjectname, const char *certn
char *wildcard;
int prefix_len, suffix_len, subject_len;
 
-   if (strcmp(subjectname, certname) == 0) {
+   if (strcasecmp(subjectname, certname) == 0) {
return 1;
}
 
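Review bot: strcasecmp() in this hunk, and the strncasecmp() and strcasecmp() calls in the two hunks that follow, fold case according to the current locale, whereas DNS names are compared case-insensitively over ASCII letters only. Use an ASCII-only comparison so the match result does not change with setlocale().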
@@ -4844,7 +4844,7 @@ static zend_bool php_openssl_match_cn(const char 
*subjectname, const char *certn
 
// 1) prefix, if not empty, must match subject
prefix_len = wildcard - certname;
-   if (prefix_len  strncmp(subjectname, certname, prefix_len) != 0) {
+   if (prefix_len  strncasecmp(subjectname, certname, prefix_len) != 0) {
return 0;
}
 
@@ -4854,7 +4854,7 @@ static zend_bool php_openssl_match_cn(const char 
*subjectname, const char *certn
/* 2) suffix must match
 * 3) no . between prefix and suffix
 **/
-   return strcmp(wildcard + 1, subjectname + subject_len - 
suffix_len) == 0 
+   return strcasecmp(wildcard + 1, subjectname + subject_len - 
suffix_len) == 0 
memchr(subjectname + prefix_len, '.', subject_len - 
suffix_len - prefix_len) == NULL;
}
 
diff --git a/ext/openssl/tests/bug65729.phpt b/ext/openssl/tests/bug65729.phpt
index 7008f3c..c0ee444 100644
--- a/ext/openssl/tests/bug65729.phpt
+++ b/ext/openssl/tests/bug65729.phpt
@@ -13,7 +13,7 @@ stream_context_set_option($context, 'ssl', 
'allow_self_signed', true);
 $server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr,
STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context);
 
-$expected_names = array('foo.test.com.sg', 'foo.test.com', 'foo.bar.test.com');
+$expected_names = array('foo.test.com.sg', 'foo.test.com', 'FOO.TEST.COM', 
'foo.bar.test.com');
 
 $pid = pcntl_fork();
 if ($pid == -1) {
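Review bot: The only case-insensitive input added to $expected_names is the all-uppercase 'FOO.TEST.COM', which exercises the suffix comparison against the lowercase CN `*.test.com` but not a mixed-case name and not the prefix branch that was changed to strncasecmp(). Add a mixed-case entry, and a case that differs only in the prefix if a certificate with a non-empty wildcard prefix is available.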
@@ -44,6 +44,7 @@ Warning: stream_socket_client(): Failed to enable crypto in 
%s on line %d
 Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 
(Unknown error) in %s on line %d
 bool(false)
 resource(%d) of type (stream)
+resource(%d) of type (stream)
 
 Warning: stream_socket_client(): Peer certificate CN=`*.test.com' did not 
match expected CN=`foo.bar.test.com' in %s on line %d





[PHP-CVS] com php-src: Fixed bug that would lead to out of bounds memory access: ext/openssl/openssl.c

2013-10-08 Thread Michael Wallner
Commit:8e847b5845b85c080295aea60c20869973c09a15
Author:Tjerk Meesters datib...@php.net Sat, 21 Sep 2013 19:38:09 
+0800
Parents:   8915c3fb4fa40743bdddf23013a63e014d03d02c
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=8e847b5845b85c080295aea60c20869973c09a15

Log:
Fixed bug that would lead to out of bounds memory access

Changed paths:
  M  ext/openssl/openssl.c


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 5460f3a..1c367df 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -4831,26 +4831,36 @@ static int verify_callback(int preverify_ok, 
X509_STORE_CTX *ctx) /* {{{ */
 
 static int php_openssl_match_cn(const char *subjectname, const char *certname)
 {
-   int match = strcmp(subjectname, certname) == 0;
-
-   if (!match) {
-   char *wildcard = strchr(certname, '*');
-   int prefix_len = wildcard - certname;
-
-   /* 1) prefix, if not empty, must match */
-   if (wildcard  (prefix_len == 0 || strncmp(subjectname, 
certname, prefix_len) == 0)) {
-   const char *suffix = subjectname + strlen(subjectname) 
- strlen(wildcard + 1);
-
-   /*
-* 2) suffix must match
-* 3) no period between prefix and suffix
-   **/
-   match = strcmp(wildcard + 1, suffix) == 0 
-   memchr(subjectname + prefix_len, '.', suffix - 
subjectname - prefix_len) == NULL;
-   }
+   char *wildcard;
+   int prefix_len, suffix_len, subject_len;
+
+   if (strcmp(subjectname, certname) == 0) {
+   return 1;
}
 
-   return match;
+   if (!(wildcard = strchr(certname, '*'))) {
+   return 0;
+   }
+
+   // 1) prefix, if not empty, must match subject
+   prefix_len = wildcard - certname;
+   if (prefix_len  strncmp(subjectname, certname, prefix_len) != 0) {
+   return 0;
+   }
+
+   suffix_len = strlen(wildcard + 1);
+   subject_len = strlen(subjectname);
+   if (suffix_len = subject_len) {
+   const char *suffix = subjectname + subject_len - suffix_len;
+
+   /* 2) suffix must match
+* 3) no . between prefix and suffix
+**/
+   return strcmp(wildcard + 1, suffix) == 0 
+   memchr(subjectname + prefix_len, '.', suffix - 
subjectname - prefix_len) == NULL;
+   }
+
+   return 0;
 }
 
 int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream 
*stream TSRMLS_DC) /* {{{ */
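Review bot: The new length guard compares only suffix_len with subject_len, so when prefix_len + suffix_len exceeds subject_len the third argument to memchr(), `suffix - subjectname - prefix_len`, is negative and converts to a very large size_t, which is still a read past the end of subjectname. That happens whenever the wildcard's prefix and suffix overlap in the subject, for example the pattern `foo*oo.com` against `foo.com`, where both the prefix and the suffix comparison succeed. Require prefix_len + suffix_len to be no larger than subject_len before the suffix comparison. Separately, the `// 1) prefix ...` line is the only C++-style comment in the hunk; the rest use /* */.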





[PHP-CVS] com php-src: Added two more test cases for CN matching.: ext/openssl/tests/bug65729.phpt

2013-10-08 Thread Michael Wallner
Commit:674dd73f8c34b9faf1e777a301e5302348b48b9d
Author:Tjerk Meesters datib...@php.net Mon, 7 Oct 2013 22:10:05 
+0800
Parents:   a820c3d6baac945ead4a5fe6e54d0a04b02620de
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=674dd73f8c34b9faf1e777a301e5302348b48b9d

Log:
Added two more test cases for CN matching.

Changed paths:
  M  ext/openssl/tests/bug65729.phpt


Diff:
diff --git a/ext/openssl/tests/bug65729.phpt b/ext/openssl/tests/bug65729.phpt
index d4645d9..7008f3c 100644
--- a/ext/openssl/tests/bug65729.phpt
+++ b/ext/openssl/tests/bug65729.phpt
@@ -13,24 +13,28 @@ stream_context_set_option($context, 'ssl', 
'allow_self_signed', true);
 $server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr,
STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context);
 
+$expected_names = array('foo.test.com.sg', 'foo.test.com', 'foo.bar.test.com');
+
 $pid = pcntl_fork();
 if ($pid == -1) {
die('could not fork');
 } else if ($pid) {
-   $contextC = stream_context_create(
-   array(
+   foreach ($expected_names as $expected_name) {
+   $contextC = stream_context_create(array(
'ssl' = array(
'verify_peer'   = true,
'allow_self_signed' = true,
-   'CN_match'  = 'foo.test.com.sg',
+   'CN_match'  = $expected_name,
)
-   )
-   );
-   var_dump(stream_socket_client(ssl://127.0.0.1:64321, $errno, $errstr, 
1,
+   ));
+   var_dump(stream_socket_client(ssl://127.0.0.1:64321, $errno, 
$errstr, 1,
STREAM_CLIENT_CONNECT, $contextC));
+   }
 } else {   
@pcntl_wait($status);
-   @stream_socket_accept($server, 1);
+   foreach ($expected_names as $name) {
+   @stream_socket_accept($server, 1);
+   }
 }
 --EXPECTF--
 Warning: stream_socket_client(): Peer certificate CN=`*.test.com' did not 
match expected CN=`foo.test.com.sg' in %s on line %d
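Review bot: In the else branch the forked child calls `@pcntl_wait($status)` before accepting connections, but the child has no children of its own, so the call returns at once and its failure is hidden by `@`; the parent, which runs the client loop, never waits for the child. Move the wait into the parent after the foreach so the server process is reaped before the test ends.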
@@ -39,4 +43,11 @@ Warning: stream_socket_client(): Failed to enable crypto in 
%s on line %d
 
 Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 
(Unknown error) in %s on line %d
 bool(false)
+resource(%d) of type (stream)
+
+Warning: stream_socket_client(): Peer certificate CN=`*.test.com' did not 
match expected CN=`foo.bar.test.com' in %s on line %d
+
+Warning: stream_socket_client(): Failed to enable crypto in %s on line %d
 
+Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 
(Unknown error) in %s on line %d
+bool(false)





[PHP-CVS] com php-src: yay, reduced one variable: ext/openssl/openssl.c

2013-10-08 Thread Michael Wallner
Commit:a820c3d6baac945ead4a5fe6e54d0a04b02620de
Author:Tjerk Meesters datib...@php.net Sat, 21 Sep 2013 20:42:52 
+0800
Parents:   8e847b5845b85c080295aea60c20869973c09a15
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=a820c3d6baac945ead4a5fe6e54d0a04b02620de

Log:
yay, reduced one variable

Changed paths:
  M  ext/openssl/openssl.c


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 1c367df..2aa850a 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -4851,13 +4851,11 @@ static int php_openssl_match_cn(const char 
*subjectname, const char *certname)
suffix_len = strlen(wildcard + 1);
subject_len = strlen(subjectname);
if (suffix_len = subject_len) {
-   const char *suffix = subjectname + subject_len - suffix_len;
-
/* 2) suffix must match
 * 3) no . between prefix and suffix
 **/
-   return strcmp(wildcard + 1, suffix) == 0 
-   memchr(subjectname + prefix_len, '.', suffix - 
subjectname - prefix_len) == NULL;
+   return strcmp(wildcard + 1, subjectname + subject_len - 
suffix_len) == 0 
+   memchr(subjectname + prefix_len, '.', subject_len - 
suffix_len - prefix_len) == NULL;
}
 
return 0;


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP-CVS] com php-src: added better wildcard matching for CN: ext/openssl/openssl.c ext/openssl/tests/bug65729.pem ext/openssl/tests/bug65729.phpt

2013-10-08 Thread Michael Wallner
Commit:8915c3fb4fa40743bdddf23013a63e014d03d02c
Author:Tjerk Meesters tj...@muvee.com Sat, 21 Sep 2013 16:45:20 
+0800
Parents:   9e3bedcd73265acb3d190c894860bd9aa1015121
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=8915c3fb4fa40743bdddf23013a63e014d03d02c

Log:
added better wildcard matching for CN

Changed paths:
  M  ext/openssl/openssl.c
  A  ext/openssl/tests/bug65729.pem
  A  ext/openssl/tests/bug65729.phpt


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 4aac4e3..5460f3a 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -4829,6 +4829,30 @@ static int verify_callback(int preverify_ok, 
X509_STORE_CTX *ctx) /* {{{ */
 }
 /* }}} */
 
+static int php_openssl_match_cn(const char *subjectname, const char *certname)
+{
+   int match = strcmp(subjectname, certname) == 0;
+
+   if (!match) {
+   char *wildcard = strchr(certname, '*');
+   int prefix_len = wildcard - certname;
+
+   /* 1) prefix, if not empty, must match */
+   if (wildcard  (prefix_len == 0 || strncmp(subjectname, 
certname, prefix_len) == 0)) {
+   const char *suffix = subjectname + strlen(subjectname) 
- strlen(wildcard + 1);
+
+   /*
+* 2) suffix must match
+* 3) no period between prefix and suffix
+   **/
+   match = strcmp(wildcard + 1, suffix) == 0 
+   memchr(subjectname + prefix_len, '.', suffix - 
subjectname - prefix_len) == NULL;
+   }
+   }
+
+   return match;
+}
+
 int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream 
*stream TSRMLS_DC) /* {{{ */
 {
zval **val = NULL;
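Review bot: `suffix` is computed as subjectname + strlen(subjectname) - strlen(wildcard + 1) with no check that the subject is at least as long as the suffix, so a short subject puts the pointer before the start of subjectname and both the strcmp() and the memchr() length then read out of bounds. prefix_len is also computed from `wildcard - certname` before wildcard is tested for NULL; do the strchr() check first and return when the name contains no `*`.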
@@ -4881,16 +4905,7 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 
*peer, php_stream *stre
return FAILURE;
}
 
-   match = strcmp(cnmatch, buf) == 0;
-   if (!match  strlen(buf)  3  buf[0] == '*'  buf[1] == 
'.') {
-   /* Try wildcard */
-
-   if (strchr(buf+2, '.')) {
-   char *tmp = strstr(cnmatch, buf+1);
-
-   match = tmp  strcmp(tmp, buf+2)  tmp == 
strchr(cnmatch, '.');
-   }
-   }
+   match = php_openssl_match_cn(cnmatch, buf);
 
if (!match) {
/* didn't match */
diff --git a/ext/openssl/tests/bug65729.pem b/ext/openssl/tests/bug65729.pem
new file mode 100644
index 000..dbeed6e
--- /dev/null
+++ b/ext/openssl/tests/bug65729.pem
@@ -0,0 +1,28 @@
+-BEGIN CERTIFICATE-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-END CERTIFICATE-
+-BEGIN RSA PRIVATE KEY-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+-END RSA PRIVATE KEY-
diff --git a/ext/openssl/tests/bug65729.phpt b/ext/openssl/tests/bug65729.phpt
new file mode 100644
index 000..d4645d9
--- /dev/null
+++ b/ext/openssl/tests/bug65729.phpt
@@ -0,0 +1,42 @@
+--TEST--
+Bug #65729: CN_match gives false positive when wildcard is used
+--SKIPIF--
+?php 
+if (!extension_loaded(openssl)) die(skip);
+if (!function_exists('pcntl_fork')) die(skip no fork);
+--FILE--
+?php
+$context = stream_context_create();
+
+stream_context_set_option($context, 'ssl', 'local_cert', __DIR__ . 
/bug65729.pem);
+stream_context_set_option($context, 'ssl', 

[PHP-CVS] com php-src: Streams for ssl:// transports can now be configured to use a specific crypto method (SSLv3, SSLv2 etc.) by calling: ext/openssl/xp_ssl.c

2013-10-08 Thread Michael Wallner
Commit:ce2789558a970057539094ca9019d98ff09e831e
Author:Martin Jansen mar...@divbyzero.net Sat, 21 Sep 2013 
21:26:40 +0200
Parents:   9e3bedcd73265acb3d190c894860bd9aa1015121
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=ce2789558a970057539094ca9019d98ff09e831e

Log:
Streams for ssl:// transports can now be configured to use a specific
crypto method (SSLv3, SSLv2 etc.) by calling

stream_context_set_option($ctx, ssl, crypto_method, $crypto_method)

where $crypto_method can be one of STREAM_CRYPTO_METHOD_SSLv2_CLIENT,
STREAM_CRYPTO_METHOD_SSLv3_CLIENT, STREAM_CRYPTO_METHOD_SSLv23_CLIENT
or STREAM_CRYPTO_METHOD_TLS_CLIENT. SSLv23 remains the default crypto
method.

This change makes it possible to fopen() SSL URLs that are only
provided using SSL v3.

Changed paths:
  M  ext/openssl/xp_ssl.c


Diff:
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index d7ef42e..1ac8a02 100644
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -853,6 +853,29 @@ php_stream_ops php_openssl_socket_ops = {
php_openssl_sockop_set_option,
 };
 
+static int get_crypto_method(php_stream_context *ctx) {
+if (ctx) {
+zval **val = NULL;
+long crypto_method;
+
+if (php_stream_context_get_option(ctx, ssl, crypto_method, 
val) == SUCCESS) {
+convert_to_long_ex(val);
+crypto_method = (long)Z_LVAL_PP(val);
+
+switch (crypto_method) {
+case STREAM_CRYPTO_METHOD_SSLv2_CLIENT:
+case STREAM_CRYPTO_METHOD_SSLv3_CLIENT:
+case STREAM_CRYPTO_METHOD_SSLv23_CLIENT:
+case STREAM_CRYPTO_METHOD_TLS_CLIENT:
+return crypto_method;
+}
+
+}
+}
+
+return STREAM_CRYPTO_METHOD_SSLv23_CLIENT;
+}
+
 static char * get_sni(php_stream_context *ctx, const char *resourcename, 
size_t resourcenamelen, int is_persistent TSRMLS_DC) {
 
php_url *url;
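Review bot: When the crypto_method option holds a value outside the four cases in the switch, get_crypto_method() falls through and returns STREAM_CRYPTO_METHOD_SSLv23_CLIENT without any diagnostic, so a mistyped option silently selects the default method. Emit an E_WARNING for unrecognised values. The function is declared to return int but carries the value in a long; use one type for both.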
@@ -939,7 +962,12 @@ php_stream *php_openssl_ssl_socket_factory(const char 
*proto, size_t protolen,

if (strncmp(proto, ssl, protolen) == 0) {
sslsock-enable_on_connect = 1;
-   sslsock-method = STREAM_CRYPTO_METHOD_SSLv23_CLIENT;
+
+   /* General ssl:// transports can use a number
+* of crypto methods. The actual methhod can be
+* provided in the streams context options.
+*/ 
+   sslsock-method = get_crypto_method(context);
} else if (strncmp(proto, sslv2, protolen) == 0) {
 #ifdef OPENSSL_NO_SSL2
php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2 support is 
not compiled into the OpenSSL library PHP is linked against);
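Review bot: The ssl:// branch now accepts STREAM_CRYPTO_METHOD_SSLv2_CLIENT from the context, but the OPENSSL_NO_SSL2 guard visible just below covers only the sslv2:// branch, so on a build without SSLv2 the ssl:// path can set that method without the "SSLv2 support is not compiled" warning. Apply the same guard to the value returned by get_crypto_method(). The new comment also has a typo ("methhod") and trailing whitespace after `*/`.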





[PHP-CVS] com php-src: Add unit test that covers setting the crypto method.: ext/openssl/tests/streams_crypto_method.pem ext/openssl/tests/streams_crypto_method.phpt

2013-10-08 Thread Michael Wallner
Commit:047877e8106ef9cb53f6a32dc8b645693d59e4b0
Author:Martin Jansen mar...@divbyzero.net Fri, 4 Oct 2013 
21:55:29 +0200
Parents:   ce2789558a970057539094ca9019d98ff09e831e
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=047877e8106ef9cb53f6a32dc8b645693d59e4b0

Log:
Add unit test that covers setting the crypto method.

Changed paths:
  A  ext/openssl/tests/streams_crypto_method.pem
  A  ext/openssl/tests/streams_crypto_method.phpt


Diff:
diff --git a/ext/openssl/tests/streams_crypto_method.pem 
b/ext/openssl/tests/streams_crypto_method.pem
new file mode 100644
index 000..9d754d4
--- /dev/null
+++ b/ext/openssl/tests/streams_crypto_method.pem
@@ -0,0 +1,33 @@
+-BEGIN CERTIFICATE-
+-END CERTIFICATE-
+-BEGIN RSA PRIVATE KEY-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+-END RSA PRIVATE KEY-
diff --git a/ext/openssl/tests/streams_crypto_method.phpt 
b/ext/openssl/tests/streams_crypto_method.phpt
new file mode 100644
index 000..7ac195b
--- /dev/null
+++ b/ext/openssl/tests/streams_crypto_method.phpt
@@ -0,0 +1,77 @@
+--TEST--
+Specific crypto method for ssl:// transports.
+--SKIPIF--
+?php 
+if (!extension_loaded('openssl')) die('skip, openssl required');
+if (!extension_loaded('pcntl')) die('skip, pcntl required');
+?
+--FILE--
+?php
+function client($port, $method) {
+   $ctx = stream_context_create();
+   stream_context_set_option($ctx, 'ssl', 'crypto_method', $method);
+
+   $fp = @fopen('https://127.0.0.1:' . $port . '/', 'r', false, $ctx);
+   if ($fp) {
+   fpassthru($fp);
+   fclose($fp);
+   }
+}
+
+function server($port, $transport) {
+$context = stream_context_create();
+
+stream_context_set_option($context, 'ssl', 'local_cert', 
dirname(__FILE__) . '/streams_crypto_method.pem');
+stream_context_set_option($context, 'ssl', 'allow_self_signed', true);
+stream_context_set_option($context, 'ssl', 'verify_peer', false);
+
+$server = stream_socket_server($transport . '127.0.0.1:' . $port, 
$errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context);
+
+   $client = @stream_socket_accept($server);
+
+   if ($client) {
+   $in = '';
+   while (!preg_match('/\r?\n\r?\n/', $in)) {
+   $in .= fread($client, 2048);
+   }
+
+   $response = EOS
+HTTP/1.1 200 OK
+Content-Type: text/plain
+Content-Length: 13
+Connection: close
+
+Hello World!
+
+EOS;
+
+   fwrite($client, $response);
+   fclose($client);
+   exit();
+   }
+}
+
+$port1 = rand(15000, 16000);
+$port2 = rand(16001, 17000);
+
+$pid1 = pcntl_fork();
+$pid2 = pcntl_fork();
+
+if ($pid1 == 0  $pid2 != 0) {
+   server($port1, 'sslv3://');
+   exit;
+}
+
+if ($pid1 != 0  $pid2 == 0) {
+   server($port2, 'sslv3://');
+   exit;
+}
+
+client($port1, STREAM_CRYPTO_METHOD_SSLv3_CLIENT);
+client($port2, STREAM_CRYPTO_METHOD_SSLv2_CLIENT);
+
+pcntl_waitpid($pid1, $status);
+pcntl_waitpid($pid2, $status);
+?
+--EXPECTF--
+Hello World!
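Review bot: Calling pcntl_fork() twice in a row produces four processes, and the one in which both $pid1 and $pid2 are 0 matches neither server condition, so it falls through and runs both client() calls too, competing with the parent for each server's single accept. Fork the second server only in the parent by checking $pid1 first. Both servers are started with 'sslv3://', the ports come from rand() with no check that they are free, and nothing makes the clients wait until the servers are listening, so the single expected "Hello World!" can depend on timing.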



[PHP-CVS] com php-src: openssl NEWS,UPGRADING: NEWS UPGRADING

2013-10-08 Thread Michael Wallner
Commit:cf6413ae7ca9773ea154df3b94ce9299435f0e33
Author:Michael Wallner m...@php.net Tue, 8 Oct 2013 16:20:07 +0200
Parents:   ea0578e223229a9e1fd84d6c29701aee21bc75ac
Branches:  master

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=cf6413ae7ca9773ea154df3b94ce9299435f0e33

Log:
openssl NEWS,UPGRADING

Changed paths:
  M  NEWS
  M  UPGRADING


Diff:
diff --git a/NEWS b/NEWS
index 8113514..c2cf3d7 100644
--- a/NEWS
+++ b/NEWS
@@ -40,6 +40,11 @@ PHP  
  NEWS
 cache_slots) in op_array-literals table. (Laruence, Dmitry)
   . Added script level constant replacement optimization pass. (Dmitry)
 
+- Openssl:
+  . Added crypto_method option for the ssl stream context. (Martin Jansen)
+  . Added certificate fingerprint support. (Tjerk Meesters)
+  . Fixed bug #65729 (CN_match gives false positive). (Tjerk Meesters)
+  
 - PDO_pgsql:
   . Fixed Bug #42614 (PDO_pgsql: add pg_get_notify support). (Matteo)
   . Fixed Bug #63657 (pgsqlCopyFromFile, pgsqlCopyToArray use Postgres  7.3
diff --git a/UPGRADING b/UPGRADING
index fb8daab..238aa5e 100755
--- a/UPGRADING
+++ b/UPGRADING
@@ -42,6 +42,11 @@ PHP X.Y UPGRADE NOTES
 
 - Added gost-crypto (CryptoPro S-box) hash algo.
 
+- Added openssl certificate fingerprint support (inclusive stream context 
+  option).
+
+- Added openssl crypto method stream context option.
+
 
 2. Changes in SAPI modules
 
@@ -71,6 +76,8 @@ PHP X.Y UPGRADE NOTES
 5. New Functions
 
 
+- Openssl:
+  Added string openssl_x509_fingerprint($x509, $type, $binary).
 
 
 6. New Classes and Interfaces
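Review bot: This entry documents openssl_x509_fingerprint($x509, $type, $binary), while the openssl.c commits in this push register the function as openssl_x509_digest with parameters named method and raw_output. Confirm the entry matches the exported name, and show the optional arguments as optional in the signature.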
@@ -106,6 +113,11 @@ PHP X.Y UPGRADE NOTES
 9. New Global Constants
 
 
+- Openssl:
+  . STREAM_CRYPTO_METHOD_SSLv2_CLIENT
+  . STREAM_CRYPTO_METHOD_SSLv3_CLIENT
+  . STREAM_CRYPTO_METHOD_SSLv23_CLIENT
+  . STREAM_CRYPTO_METHOD_TLS_CLIENT
 
 
 10. Changes to INI File Handling
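Review bot: The four STREAM_CRYPTO_METHOD_*_CLIENT constants are listed under New Global Constants, but the xp_ssl.c change in this push only reads them, and its removed line already assigned STREAM_CRYPTO_METHOD_SSLv23_CLIENT, so they predate this release. Document the new crypto_method context option and its accepted values instead of presenting the constants as new.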





Re: [PHP-CVS] com php-src: DNS name comparison is now case insensitive.: ext/openssl/openssl.c ext/openssl/tests/bug65729.phpt

2013-10-08 Thread Johannes Schlüter
Hi,

On Tue, 2013-10-08 at 02:07 +, Michael Wallner wrote:
 
 Log:
 DNS name comparison is now case insensitive.
 
 -   if (strcmp(subjectname, certname) == 0) {
 +   if (strcasecmp(subjectname, certname) == 0) { 

Shouldn't that use a non-locale-dependent (ASCII based) comparison?
Else we get into trouble with the famous tolower(toupper('i')) != 'i'
issue in Turkish locales.

johannes


