Re: [PHP-CVS] com php-src: DNS name comparison is now case insensitive.: ext/openssl/openssl.c ext/openssl/tests/bug65729.phpt
Hi,

On Tue, 2013-10-08 at 02:07 +, Michael Wallner wrote:
>
> Log:
> DNS name comparison is now case insensitive.

> - if (strcmp(subjectname, certname) == 0) {
> + if (strcasecmp(subjectname, certname) == 0) {

Shouldn't that use a non-locale-dependent (ASCII based) comparison? Else we get into trouble with the famous tolower(toupper('i')) != 'i' issue in Turkish locales.

johannes

-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
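The ASCII-only comparison asked about in the reply above, as an added example that is not code from php-src or from anyone on the list: it applies the same three wildcard rules as the `php_openssl_match_cn()` hunks on this page, but folds case for `A`-`Z` only, so the result does not depend on the process locale. The names `ascii_lower`, `ascii_ncaseeq` and `match_cn_ascii` are hypothetical, the sample names are constructed, and the guard on prefix plus suffix length is this example's own addition.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Lower-case A-Z only. Unlike tolower(), this never consults the locale. */
static unsigned char ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c - 'A' + 'a') : c;
}

/* Return 1 if the first n bytes of a and b are equal ignoring ASCII case. */
static int ascii_ncaseeq(const char *a, const char *b, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (ascii_lower((unsigned char)a[i]) != ascii_lower((unsigned char)b[i])) {
            return 0;
        }
    }
    return 1;
}

/*
 * Hypothetical matcher (not the php-src function). subjectname is the
 * expected host name; certname is the certificate CN, whose first '*',
 * if any, is treated as the wildcard.
 */
int match_cn_ascii(const char *subjectname, const char *certname)
{
    size_t subject_len = strlen(subjectname);
    size_t cert_len = strlen(certname);
    const char *wildcard = strchr(certname, '*');
    size_t prefix_len, suffix_len;

    /* No wildcard: the whole name must match, ASCII case-insensitively. */
    if (wildcard == NULL) {
        return subject_len == cert_len &&
               ascii_ncaseeq(subjectname, certname, cert_len);
    }

    prefix_len = (size_t)(wildcard - certname);
    suffix_len = cert_len - prefix_len - 1;

    /* Added guard: prefix and suffix must both fit without overlapping,
     * so every length below is non-negative and inside subjectname. */
    if (prefix_len + suffix_len > subject_len) {
        return 0;
    }

    /* 1) prefix, if not empty, must match */
    if (!ascii_ncaseeq(subjectname, certname, prefix_len)) {
        return 0;
    }

    /* 2) suffix must match */
    if (!ascii_ncaseeq(subjectname + subject_len - suffix_len,
                       wildcard + 1, suffix_len)) {
        return 0;
    }

    /* 3) no '.' in the part of the subject covered by '*' */
    return memchr(subjectname + prefix_len, '.',
                  subject_len - suffix_len - prefix_len) == NULL;
}

int main(void)
{
    /* Constructed sample names; the CN mirrors the one in the page's tests. */
    static const char *const names[] = {
        "foo.test.com.sg", "foo.test.com", "FOO.TEST.COM", "foo.bar.test.com"
    };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        printf("%-18s vs *.test.com -> %d\n", names[i],
               match_cn_ascii(names[i], "*.test.com"));
    }
    return 0;
}
```

Bytes outside `A`-`Z` are compared exactly, so a non-ASCII byte never folds onto an ASCII letter whatever locale the process runs in.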
[PHP-CVS] com php-src: openssl NEWS,UPGRADING: NEWS UPGRADING
Commit:cf6413ae7ca9773ea154df3b94ce9299435f0e33 Author:Michael Wallner Tue, 8 Oct 2013 16:20:07 +0200 Parents: ea0578e223229a9e1fd84d6c29701aee21bc75ac Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=cf6413ae7ca9773ea154df3b94ce9299435f0e33 Log: openssl NEWS,UPGRADING Changed paths: M NEWS M UPGRADING Diff: diff --git a/NEWS b/NEWS index 8113514..c2cf3d7 100644 --- a/NEWS +++ b/NEWS @@ -40,6 +40,11 @@ PHP NEWS cache_slots) in op_array->literals table. (Laruence, Dmitry) . Added script level constant replacement optimization pass. (Dmitry) +- Openssl: + . Added crypto_method option for the ssl stream context. (Martin Jansen) + . Added certificate fingerprint support. (Tjerk Meesters) + . Fixed bug #65729 (CN_match gives false positive). (Tjerk Meesters) + - PDO_pgsql: . Fixed Bug #42614 (PDO_pgsql: add pg_get_notify support). (Matteo) . Fixed Bug #63657 (pgsqlCopyFromFile, pgsqlCopyToArray use Postgres < 7.3 diff --git a/UPGRADING b/UPGRADING index fb8daab..238aa5e 100755 --- a/UPGRADING +++ b/UPGRADING @@ -42,6 +42,11 @@ PHP X.Y UPGRADE NOTES - Added gost-crypto (CryptoPro S-box) hash algo. +- Added openssl certificate fingerprint support (inclusive stream context + option). + +- Added openssl crypto method stream context option. + 2. Changes in SAPI modules @@ -71,6 +76,8 @@ PHP X.Y UPGRADE NOTES 5. New Functions +- Openssl: + Added string openssl_x509_fingerprint($x509, $type, $binary). 6. New Classes and Interfaces @@ -106,6 +113,11 @@ PHP X.Y UPGRADE NOTES 9. New Global Constants +- Openssl: + . STREAM_CRYPTO_METHOD_SSLv2_CLIENT + . STREAM_CRYPTO_METHOD_SSLv3_CLIENT + . STREAM_CRYPTO_METHOD_SSLv23_CLIENT + . STREAM_CRYPTO_METHOD_TLS_CLIENT 10. Changes to INI File Handling -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
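Review bot: In the UPGRADING hunk for section 5, `openssl_x509_fingerprint($x509, $type, $binary)` is listed without saying which arguments are optional or what their defaults are, and the section 1 entry mentions an "inclusive stream context option" without naming it. Suggest spelling out the defaults and the option names so the entries can be used without opening the source.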
[PHP-CVS] com php-src: Add unit test that covers setting the crypto method.: ext/openssl/tests/streams_crypto_method.pem ext/openssl/tests/streams_crypto_method.phpt
Commit:047877e8106ef9cb53f6a32dc8b645693d59e4b0 Author:Martin Jansen Fri, 4 Oct 2013 21:55:29 +0200 Parents: ce2789558a970057539094ca9019d98ff09e831e Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=047877e8106ef9cb53f6a32dc8b645693d59e4b0 Log: Add unit test that covers setting the crypto method. Changed paths: A ext/openssl/tests/streams_crypto_method.pem A ext/openssl/tests/streams_crypto_method.phpt Diff: diff --git a/ext/openssl/tests/streams_crypto_method.pem b/ext/openssl/tests/streams_crypto_method.pem new file mode 100644 index 000..9d754d4 --- /dev/null +++ b/ext/openssl/tests/streams_crypto_method.pem 
diff --git a/ext/openssl/tests/streams_crypto_method.phpt b/ext/openssl/tests/streams_crypto_method.phpt new file mode 100644 index 000..7ac195b --- /dev/null +++ b/ext/openssl/tests/streams_crypto_method.phpt @@ -0,0 +1,77 @@ +--TEST-- +Specific crypto method for ssl:// transports. +--SKIPIF-- + +--FILE-- +https://127.0.0.1:' . $port . '/', 'r', false, $ctx); + if ($fp) { + fpassthru($fp); + fclose($fp); + } +} + +function server($port, $transport) { +$context = stream_context_create(); + +stream_context_set_option($context, 'ssl', 'local_cert', dirname(__FILE__) . '/streams_crypto_method.pem'); +stream_context_set_option($context, 'ssl', 'allow_self_signed', true); +stream_context_set_option($context, 'ssl', 'verify_peer', false); + +$server = stream_socket_server($transport . '127.0.0.1:' . $port, $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context); + + $client = @stream_socket_accept($server); + + if ($client) { + $in = ''; + while (!preg_match('/\r?\n\r?\n/', $in)) { + $in .= fread($client, 2048); + } + + $response = << +--EXPECTF-- +Hello World! -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
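Review bot: In server() of streams_crypto_method.phpt, the read loop `while (!preg_match('/\r?\n\r?\n/', $in)) { $in .= fread($client, 2048); }` has no exit for a client that disconnects before sending the blank line, so a failed handshake on the client side can leave the test spinning. Suggest also breaking on feof($client) or on an empty read. The expected output is only "Hello World!", so a comment naming which crypto method the client requests would make clear what the test actually covers.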
[PHP-CVS] com php-src: Streams for ssl:// transports can now be configured to use a specific crypto method (SSLv3, SSLv2 etc.) by calling: ext/openssl/xp_ssl.c
Commit:ce2789558a970057539094ca9019d98ff09e831e Author:Martin Jansen Sat, 21 Sep 2013 21:26:40 +0200 Parents: 9e3bedcd73265acb3d190c894860bd9aa1015121 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=ce2789558a970057539094ca9019d98ff09e831e Log: Streams for ssl:// transports can now be configured to use a specific crypto method (SSLv3, SSLv2 etc.) by calling stream_context_set_option($ctx, "ssl", "crypto_method", $crypto_method) where $crypto_method can be one of STREAM_CRYPTO_METHOD_SSLv2_CLIENT, STREAM_CRYPTO_METHOD_SSLv3_CLIENT, STREAM_CRYPTO_METHOD_SSLv23_CLIENT or STREAM_CRYPTO_METHOD_TLS_CLIENT. SSLv23 remains the default crypto method. This change makes it possible to fopen() SSL URLs that are only provided using SSL v3. Changed paths: M ext/openssl/xp_ssl.c Diff: diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index d7ef42e..1ac8a02 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -853,6 +853,29 @@ php_stream_ops php_openssl_socket_ops = { php_openssl_sockop_set_option, }; +static int get_crypto_method(php_stream_context *ctx) { +if (ctx) { +zval **val = NULL; +long crypto_method; + +if (php_stream_context_get_option(ctx, "ssl", "crypto_method", &val) == SUCCESS) { +convert_to_long_ex(val); +crypto_method = (long)Z_LVAL_PP(val); + +switch (crypto_method) { +case STREAM_CRYPTO_METHOD_SSLv2_CLIENT: +case STREAM_CRYPTO_METHOD_SSLv3_CLIENT: +case STREAM_CRYPTO_METHOD_SSLv23_CLIENT: +case STREAM_CRYPTO_METHOD_TLS_CLIENT: +return crypto_method; +} + +} +} + +return STREAM_CRYPTO_METHOD_SSLv23_CLIENT; +} + static char * get_sni(php_stream_context *ctx, const char *resourcename, size_t resourcenamelen, int is_persistent TSRMLS_DC) { php_url *url; 
@@ -939,7 +962,12 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen, if (strncmp(proto, "ssl", protolen) == 0) { sslsock->enable_on_connect = 1; - sslsock->method = STREAM_CRYPTO_METHOD_SSLv23_CLIENT; + + /* General ssl:// transports can use a number +* of crypto methods. The actual methhod can be +* provided in the streams context options. +*/ + sslsock->method = get_crypto_method(context); } else if (strncmp(proto, "sslv2", protolen) == 0) { #ifdef OPENSSL_NO_SSL2 php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv2 support is not compiled into the OpenSSL library PHP is linked against"); -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
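Review bot: In get_crypto_method(), a crypto_method value that is not one of the four listed constants falls through the switch and silently becomes STREAM_CRYPTO_METHOD_SSLv23_CLIENT, so a caller who passes a wrong value gets a different protocol than requested with no diagnostic. Suggest emitting an E_WARNING on the fall-through. It is also worth confirming that selecting STREAM_CRYPTO_METHOD_SSLv2_CLIENT through the `ssl` branch gets the same OPENSSL_NO_SSL2 handling that the `sslv2` branch shows in the second hunk, and the new comment has a typo ("methhod").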
[PHP-CVS] com php-src: yay, reduced one variable: ext/openssl/openssl.c
Commit:a820c3d6baac945ead4a5fe6e54d0a04b02620de Author:Tjerk Meesters Sat, 21 Sep 2013 20:42:52 +0800 Parents: 8e847b5845b85c080295aea60c20869973c09a15 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=a820c3d6baac945ead4a5fe6e54d0a04b02620de Log: yay, reduced one variable Changed paths: M ext/openssl/openssl.c Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 1c367df..2aa850a 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -4851,13 +4851,11 @@ static int php_openssl_match_cn(const char *subjectname, const char *certname) suffix_len = strlen(wildcard + 1); subject_len = strlen(subjectname); if (suffix_len <= subject_len) { - const char *suffix = subjectname + subject_len - suffix_len; - /* 2) suffix must match * 3) no . between prefix and suffix **/ - return strcmp(wildcard + 1, suffix) == 0 && - memchr(subjectname + prefix_len, '.', suffix - subjectname - prefix_len) == NULL; + return strcmp(wildcard + 1, subjectname + subject_len - suffix_len) == 0 && + memchr(subjectname + prefix_len, '.', subject_len - suffix_len - prefix_len) == NULL; } return 0; -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
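Review bot: The return statement now spells out `subject_len - suffix_len` twice, once as a pointer offset and once inside the memchr() length, which is harder to check by eye than the named `suffix` pointer it replaces. If the variable is to go, suggest a short comment on what each operand covers, plus a test with a non-empty prefix before the `*` so the rewritten arithmetic is exercised.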
[PHP-CVS] com php-src: added better wildcard matching for CN: ext/openssl/openssl.c ext/openssl/tests/bug65729.pem ext/openssl/tests/bug65729.phpt
Commit:8915c3fb4fa40743bdddf23013a63e014d03d02c Author:Tjerk Meesters Sat, 21 Sep 2013 16:45:20 +0800 Parents: 9e3bedcd73265acb3d190c894860bd9aa1015121 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=8915c3fb4fa40743bdddf23013a63e014d03d02c Log: added better wildcard matching for CN Changed paths: M ext/openssl/openssl.c A ext/openssl/tests/bug65729.pem A ext/openssl/tests/bug65729.phpt Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 4aac4e3..5460f3a 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -4829,6 +4829,30 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) /* {{{ */ } /* }}} */ +static int php_openssl_match_cn(const char *subjectname, const char *certname) +{ + int match = strcmp(subjectname, certname) == 0; + + if (!match) { + char *wildcard = strchr(certname, '*'); + int prefix_len = wildcard - certname; + + /* 1) prefix, if not empty, must match */ + if (wildcard && (prefix_len == 0 || strncmp(subjectname, certname, prefix_len) == 0)) { + const char *suffix = subjectname + strlen(subjectname) - strlen(wildcard + 1); + + /* +* 2) suffix must match +* 3) no period between prefix and suffix + **/ + match = strcmp(wildcard + 1, suffix) == 0 && + memchr(subjectname + prefix_len, '.', suffix - subjectname - prefix_len) == NULL; + } + } + + return match; +} + int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stream TSRMLS_DC) /* {{{ */ { zval **val = NULL; @@ -4881,16 +4905,7 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre return FAILURE; } - match = strcmp(cnmatch, buf) == 0; - if (!match && strlen(buf) > 3 && buf[0] == '*' && buf[1] == '.') { - /* Try wildcard */ - - if (strchr(buf+2, '.')) { - char *tmp = strstr(cnmatch, buf+1); - - match = tmp && strcmp(tmp, buf+2) && tmp == strchr(cnmatch, '.'); - } - } + match = php_openssl_match_cn(cnmatch, buf); if (!match) { /* didn't match */ 
diff --git a/ext/openssl/tests/bug65729.pem b/ext/openssl/tests/bug65729.pem new file mode 100644 index 000..dbeed6e --- /dev/null +++ b/ext/openssl/tests/bug65729.pem diff --git a/ext/openssl/tests/bug65729.phpt b/ext/openssl/tests/bug65729.phpt new file mode 100644 index 000..d4645d9 --- /dev/null 
+++ b/ext/openssl/tests/bug65729.phpt @@ -0,0 +1,42 @@ +--TEST-- +Bug #65729: CN_match gives false positive when wildcard is used +--SKIPIF-- + array( + 'verify_peer' => true, + 'allow_self_signed' => true, + 'CN_match' => 'foo.test.com.sg', + ) + ) + ); + var_dump(stream
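Review bot: In php_openssl_match_cn(), `prefix_len = wildcard - certname` is evaluated before `wildcard` is checked for NULL, and `suffix` is formed as `subjectname + strlen(subjectname) - strlen(wildcard + 1)` with no check that the subject is at least as long as the suffix, so a short CN_match value yields a pointer before the start of subjectname that strcmp() then reads. Suggest returning early when strchr() finds no `*` and comparing the two lengths before forming the pointer.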
[PHP-CVS] com php-src: Added two more test cases for CN matching.: ext/openssl/tests/bug65729.phpt
Commit:674dd73f8c34b9faf1e777a301e5302348b48b9d Author:Tjerk Meesters Mon, 7 Oct 2013 22:10:05 +0800 Parents: a820c3d6baac945ead4a5fe6e54d0a04b02620de Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=674dd73f8c34b9faf1e777a301e5302348b48b9d Log: Added two more test cases for CN matching. Changed paths: M ext/openssl/tests/bug65729.phpt Diff: diff --git a/ext/openssl/tests/bug65729.phpt b/ext/openssl/tests/bug65729.phpt index d4645d9..7008f3c 100644 --- a/ext/openssl/tests/bug65729.phpt +++ b/ext/openssl/tests/bug65729.phpt @@ -13,24 +13,28 @@ stream_context_set_option($context, 'ssl', 'allow_self_signed', true); $server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context); +$expected_names = array('foo.test.com.sg', 'foo.test.com', 'foo.bar.test.com'); + $pid = pcntl_fork(); if ($pid == -1) { die('could not fork'); } else if ($pid) { - $contextC = stream_context_create( - array( + foreach ($expected_names as $expected_name) { + $contextC = stream_context_create(array( 'ssl' => array( 'verify_peer' => true, 'allow_self_signed' => true, - 'CN_match' => 'foo.test.com.sg', + 'CN_match' => $expected_name, ) - ) - ); - var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, + )); + var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $contextC)); + } } else { @pcntl_wait($status); - @stream_socket_accept($server, 1); + foreach ($expected_names as $name) { + @stream_socket_accept($server, 1); + } } --EXPECTF-- Warning: stream_socket_client(): Peer certificate CN=`*.test.com' did not match expected CN=`foo.test.com.sg' in %s on line %d 
@@ -39,4 +43,11 @@ Warning: stream_socket_client(): Failed to enable crypto in %s on line %d Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d bool(false) +resource(%d) of type (stream) + +Warning: stream_socket_client(): Peer certificate CN=`*.test.com' did not match expected CN=`foo.bar.test.com' in %s on line %d + +Warning: stream_socket_client(): Failed to enable crypto in %s on line %d +Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d +bool(false) -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
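Review bot: In the child branch, `@stream_socket_accept($server, 1)` is called once per name with errors suppressed and the result discarded, so an accept that times out is invisible and the matching client attempt then fails for a reason unrelated to CN matching. Suggest checking the return value, or at least dropping the `@`. `$expected_names` also holds names that are expected to be rejected, so a more neutral name would read better, and the fixed port 64321 can collide with parallel test runs.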
[PHP-CVS] com php-src: Fixed bug that would lead to out of bounds memory access: ext/openssl/openssl.c
Commit:8e847b5845b85c080295aea60c20869973c09a15 Author:Tjerk Meesters Sat, 21 Sep 2013 19:38:09 +0800 Parents: 8915c3fb4fa40743bdddf23013a63e014d03d02c Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=8e847b5845b85c080295aea60c20869973c09a15 Log: Fixed bug that would lead to out of bounds memory access Changed paths: M ext/openssl/openssl.c Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 5460f3a..1c367df 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c 
@@ -4831,26 +4831,36 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) /* {{{ */ static int php_openssl_match_cn(const char *subjectname, const char *certname) { - int match = strcmp(subjectname, certname) == 0; - - if (!match) { - char *wildcard = strchr(certname, '*'); - int prefix_len = wildcard - certname; - - /* 1) prefix, if not empty, must match */ - if (wildcard && (prefix_len == 0 || strncmp(subjectname, certname, prefix_len) == 0)) { - const char *suffix = subjectname + strlen(subjectname) - strlen(wildcard + 1); - - /* -* 2) suffix must match -* 3) no period between prefix and suffix - **/ - match = strcmp(wildcard + 1, suffix) == 0 && - memchr(subjectname + prefix_len, '.', suffix - subjectname - prefix_len) == NULL; - } + char *wildcard; + int prefix_len, suffix_len, subject_len; + + if (strcmp(subjectname, certname) == 0) { + return 1; } - return match; + if (!(wildcard = strchr(certname, '*'))) { + return 0; + } + + // 1) prefix, if not empty, must match subject + prefix_len = wildcard - certname; + if (prefix_len && strncmp(subjectname, certname, prefix_len) != 0) { + return 0; + } + + suffix_len = strlen(wildcard + 1); + subject_len = strlen(subjectname); + if (suffix_len <= subject_len) { + const char *suffix = subjectname + subject_len - suffix_len; + + /* 2) suffix must match +* 3) no . between prefix and suffix +**/ + return strcmp(wildcard + 1, suffix) == 0 && + memchr(subjectname + prefix_len, '.', suffix - subjectname - prefix_len) == NULL; + } + + return 0; } int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stream TSRMLS_DC) /* {{{ */ -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
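Review bot: The new guard `suffix_len <= subject_len` keeps `suffix` inside the string, but nothing checks that the matched prefix and the suffix do not overlap: when prefix_len + suffix_len exceeds subject_len, the memchr() length `suffix - subjectname - prefix_len` is negative and is converted to a very large size_t. Suggest testing `prefix_len + suffix_len <= subject_len` instead. Minor: `// 1) prefix ...` is a C++-style comment next to `/* */` comments in the same function.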
[PHP-CVS] com php-src: DNS name comparison is now case insensitive.: ext/openssl/openssl.c ext/openssl/tests/bug65729.phpt
Commit:6106896440572dd8093acdd11ea691a07d9b169c Author:datibbaw Tue, 8 Oct 2013 10:07:54 +0800 Parents: 39c0daeb71f76ce22dc604bda8a063319fd55e59 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=6106896440572dd8093acdd11ea691a07d9b169c Log: DNS name comparison is now case insensitive. Changed paths: M ext/openssl/openssl.c M ext/openssl/tests/bug65729.phpt Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 2b34570..15cf798 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -4834,7 +4834,7 @@ static zend_bool php_openssl_match_cn(const char *subjectname, const char *certn char *wildcard; int prefix_len, suffix_len, subject_len; - if (strcmp(subjectname, certname) == 0) { + if (strcasecmp(subjectname, certname) == 0) { return 1; } @@ -4844,7 +4844,7 @@ static zend_bool php_openssl_match_cn(const char *subjectname, const char *certn // 1) prefix, if not empty, must match subject prefix_len = wildcard - certname; - if (prefix_len && strncmp(subjectname, certname, prefix_len) != 0) { + if (prefix_len && strncasecmp(subjectname, certname, prefix_len) != 0) { return 0; } @@ -4854,7 +4854,7 @@ static zend_bool php_openssl_match_cn(const char *subjectname, const char *certn /* 2) suffix must match * 3) no . between prefix and suffix **/ - return strcmp(wildcard + 1, subjectname + subject_len - suffix_len) == 0 && + return strcasecmp(wildcard + 1, subjectname + subject_len - suffix_len) == 0 && memchr(subjectname + prefix_len, '.', subject_len - suffix_len - prefix_len) == NULL; } diff --git a/ext/openssl/tests/bug65729.phpt b/ext/openssl/tests/bug65729.phpt index 7008f3c..c0ee444 100644 --- a/ext/openssl/tests/bug65729.phpt +++ b/ext/openssl/tests/bug65729.phpt 
@@ -13,7 +13,7 @@ stream_context_set_option($context, 'ssl', 'allow_self_signed', true); $server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context); -$expected_names = array('foo.test.com.sg', 'foo.test.com', 'foo.bar.test.com'); +$expected_names = array('foo.test.com.sg', 'foo.test.com', 'FOO.TEST.COM', 'foo.bar.test.com'); $pid = pcntl_fork(); if ($pid == -1) { @@ -44,6 +44,7 @@ Warning: stream_socket_client(): Failed to enable crypto in %s on line %d Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d bool(false) resource(%d) of type (stream) +resource(%d) of type (stream) Warning: stream_socket_client(): Peer certificate CN=`*.test.com' did not match expected CN=`foo.bar.test.com' in %s on line %d -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
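Review bot: strcasecmp() and strncasecmp() fold case according to the current locale, so all three comparisons changed in openssl.c can give different answers for the same certificate depending on the process locale, while DNS names are case-insensitive over ASCII letters only. Suggest an ASCII-only comparison for these three calls. The added test name 'FOO.TEST.COM' exercises only the wildcard suffix comparison; an upper-case case for the exact-match and prefix comparisons would cover the other two changed lines.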
[PHP-CVS] com php-src: Use zend_bool as return value for _match(): ext/openssl/openssl.c
Commit:39c0daeb71f76ce22dc604bda8a063319fd55e59 Author:Tjerk Meesters Mon, 7 Oct 2013 23:04:24 +0800 Parents: 674dd73f8c34b9faf1e777a301e5302348b48b9d Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=39c0daeb71f76ce22dc604bda8a063319fd55e59 Log: Use zend_bool as return value for _match() Changed paths: M ext/openssl/openssl.c Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 2aa850a..2b34570 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -4829,7 +4829,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) /* {{{ */ } /* }}} */ -static int php_openssl_match_cn(const char *subjectname, const char *certname) +static zend_bool php_openssl_match_cn(const char *subjectname, const char *certname) { char *wildcard; int prefix_len, suffix_len, subject_len; @@ -4902,7 +4902,6 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre /* Does the common name match ? (used primarily for https://) */ GET_VER_OPT_STRING("CN_match", cnmatch); if (cnmatch) { - int match = 0; int name_len = X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf)); if (name_len == -1) { @@ -4913,9 +4912,7 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre return FAILURE; } - match = php_openssl_match_cn(cnmatch, buf); - - if (!match) { + if (!php_openssl_match_cn(cnmatch, buf)) { /* didn't match */ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer certificate CN=`%.*s' did not match expected CN=`%s'", name_len, buf, cnmatch); return FAILURE; -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
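Review bot: With the local `match` gone, the call `php_openssl_match_cn(cnmatch, buf)` is the only place that shows which argument is the expected name and which is the certificate CN, and the definition carries no comment stating that order or what the zend_bool return means. Suggest a one-line comment above the function, since only `certname` is meant to be searched for a `*`.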
[PHP-CVS] com php-src: added openssl_x509_digest(), output is binary sha1: ext/openssl/openssl.c ext/openssl/php_openssl.h
Commit:b8f9a20286c6d88c11e81967df42d118bdba2f02 Author:datibbaw Fri, 20 Sep 2013 15:04:52 +0800 Parents: 11d60447f9f22944dd08d8dacba1230fc4caabd8 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=b8f9a20286c6d88c11e81967df42d118bdba2f02 Log: added openssl_x509_digest(), output is binary sha1 Changed paths: M ext/openssl/openssl.c M ext/openssl/php_openssl.h Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 4aac4e3..c7203a7 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -129,6 +129,11 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_export, 0, 0, 2) ZEND_ARG_INFO(0, notext) ZEND_END_ARG_INFO() +ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 2) + ZEND_ARG_INFO(0, x509) + ZEND_ARG_INFO(1, out) +ZEND_END_ARG_INFO() + ZEND_BEGIN_ARG_INFO(arginfo_openssl_x509_check_private_key, 0) ZEND_ARG_INFO(0, cert) ZEND_ARG_INFO(0, key) @@ -443,6 +448,7 @@ const zend_function_entry openssl_functions[] = { PHP_FE(openssl_x509_checkpurpose, arginfo_openssl_x509_checkpurpose) PHP_FE(openssl_x509_check_private_key, arginfo_openssl_x509_check_private_key) PHP_FE(openssl_x509_export, arginfo_openssl_x509_export) + PHP_FE(openssl_x509_digest, arginfo_openssl_x509_digest) PHP_FE(openssl_x509_export_to_file, arginfo_openssl_x509_export_to_file) /* PKCS12 funcs */ 
@@ -1665,6 +1671,41 @@ PHP_FUNCTION(openssl_x509_export) } /* }}} */ +PHP_FUNCTION(openssl_x509_digest) +{ + X509 *cert; +zval **zcert, *zout; + long certresource; + +unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int n; + + RETVAL_FALSE; + +if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz", &zcert, &zout) == FAILURE) { + return; + } + + cert = php_openssl_x509_from_zval(zcert, 0, &certresource TSRMLS_CC); + if (cert == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get cert from parameter 1"); + return; + } + + if (!X509_digest(cert, EVP_sha1(), md, &n)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "out of memory"); + return; + } + + zval_dtor(zout); + ZVAL_STRINGL(zout, md, n, 1); + + if (certresource == -1 && cert) { + X509_free(cert); + } + RETVAL_TRUE; +} + /* {{{ proto bool openssl_x509_check_private_key(mixed cert, mixed key) Checks if a private key corresponds to a CERT */ PHP_FUNCTION(openssl_x509_check_private_key) diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h index 8483bbf..4f0ac14 100644 --- a/ext/openssl/php_openssl.h +++ b/ext/openssl/php_openssl.h @@ -66,6 +66,7 @@ PHP_FUNCTION(openssl_x509_free); PHP_FUNCTION(openssl_x509_parse); PHP_FUNCTION(openssl_x509_checkpurpose); PHP_FUNCTION(openssl_x509_export); +PHP_FUNCTION(openssl_x509_digest); PHP_FUNCTION(openssl_x509_export_to_file); PHP_FUNCTION(openssl_x509_check_private_key); -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
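Review bot: In openssl_x509_digest(), any X509_digest() failure is reported as E_ERROR "out of memory", which is fatal and may not describe the actual cause. Suggest an E_WARNING with a neutral message and a normal false return. The function also lacks the `/* {{{ proto ... */` comment that the neighbouring openssl_x509_check_private_key() carries, and `ZVAL_STRINGL(zout, md, n, 1)` passes an unsigned char buffer where a char pointer is expected, so a cast would keep the build warning-free.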
[PHP-CVS] com php-src: added option for hash function: ext/openssl/openssl.c
Commit:b2881db9a98db6e92d9f6964dd83a003c39a7fbd Author:datibbaw Fri, 20 Sep 2013 16:56:50 +0800 Parents: 5cff92fb12e83f4c6c81c6e8b89480def3ee5e9e Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=b2881db9a98db6e92d9f6964dd83a003c39a7fbd Log: added option for hash function Changed paths: M ext/openssl/openssl.c Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 5dfb9b4..6979e35 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -132,6 +132,7 @@ ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 2) ZEND_ARG_INFO(0, x509) ZEND_ARG_INFO(1, out) + ZEND_ARG_INFO(0, method) ZEND_ARG_INFO(0, raw_output) ZEND_END_ARG_INFO() @@ -1678,13 +1679,16 @@ PHP_FUNCTION(openssl_x509_digest) zval **zcert, *zout; long certresource; zend_bool raw_output = 0; + char *method = "sha1"; + int method_len; + const EVP_MD *mdtype; unsigned char md[EVP_MAX_MD_SIZE]; unsigned int n; RETVAL_FALSE; -if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz|b", &zcert, &zout, &raw_output) == FAILURE) { +if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz|sb", &zcert, &zout, &method, &method_len, &raw_output) == FAILURE) { return; } @@ -1694,7 +1698,13 @@ PHP_FUNCTION(openssl_x509_digest) return; } - if (!X509_digest(cert, EVP_sha1(), md, &n)) { + mdtype = EVP_get_digestbyname(method); + if (!mdtype) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); + RETURN_FALSE; + } + + if (!X509_digest(cert, mdtype, md, &n)) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "out of memory"); return; } -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
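Review bot: The warning for a failed EVP_get_digestbyname() lookup reads "Unknown signature algorithm", but `method` names a digest, so the message will mislead anyone who passes a misspelt hash name. Suggest "Unknown digest algorithm" or similar. `method_len` is parsed but never used, so a method string containing a NUL byte is silently truncated when handed to EVP_get_digestbyname().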
[PHP-CVS] com php-src: Merge branch 'bug65729' of https://github.com/datibbaw/php-src: ext/openssl/openssl.c
Commit:8300ced2f7daef0e1a6786d89361b92aadb3dd10 Author:Michael Wallner Tue, 8 Oct 2013 15:58:28 +0200 Parents: 0d8c83a251a96a81f53dec16e4ae4d39de01c4da 6106896440572dd8093acdd11ea691a07d9b169c Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=8300ced2f7daef0e1a6786d89361b92aadb3dd10 Log: Merge branch 'bug65729' of https://github.com/datibbaw/php-src * 'bug65729' of https://github.com/datibbaw/php-src: DNS name comparison is now case insensitive. Use zend_bool as return value for _match() Added two more test cases for CN matching. yay, reduced one variable Fixed bug that would lead to out of bounds memory access added better wildcard matching for CN Bugs: https://bugs.php.net/65729 Changed paths: MM ext/openssl/openssl.c Diff: -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: added option for raw output: ext/openssl/openssl.c
Commit:5cff92fb12e83f4c6c81c6e8b89480def3ee5e9e Author:datibbaw Fri, 20 Sep 2013 15:45:41 +0800 Parents: b8f9a20286c6d88c11e81967df42d118bdba2f02 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=5cff92fb12e83f4c6c81c6e8b89480def3ee5e9e Log: added option for raw output Changed paths: M ext/openssl/openssl.c Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index c7203a7..5dfb9b4 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -132,6 +132,7 @@ ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 2) ZEND_ARG_INFO(0, x509) ZEND_ARG_INFO(1, out) + ZEND_ARG_INFO(0, raw_output) ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_INFO(arginfo_openssl_x509_check_private_key, 0) @@ -1676,13 +1677,14 @@ PHP_FUNCTION(openssl_x509_digest) X509 *cert; zval **zcert, *zout; long certresource; + zend_bool raw_output = 0; unsigned char md[EVP_MAX_MD_SIZE]; unsigned int n; RETVAL_FALSE; -if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz", &zcert, &zout) == FAILURE) { +if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz|b", &zcert, &zout, &raw_output) == FAILURE) { return; } @@ -1698,7 +1700,16 @@ PHP_FUNCTION(openssl_x509_digest) } zval_dtor(zout); - ZVAL_STRINGL(zout, md, n, 1); + + if (raw_output) { + ZVAL_STRINGL(zout, md, n, 1); + } else { + int digest_str_len = n * 2; + char *digest_str = emalloc(digest_str_len + 1); + + make_digest_ex(digest_str, md, n); + ZVAL_STRINGL(zout, digest_str, digest_str_len, 0); + } if (certresource == -1 && cert) { X509_free(cert); -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
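Review bot: With `raw_output` defaulting to 0, the default output changes from the binary digest of the previous revision to a hex string, and nothing in the hunk documents that. Suggest adding the proto comment with the parameter and its default. In the hex branch, `emalloc(digest_str_len + 1)` relies on make_digest_ex() writing the terminating NUL; a short comment saying so would save the next reader a lookup.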
[PHP-CVS] com php-src: removed the byref result: ext/openssl/openssl.c
Commit:574fe449dc05a11cfe7e6a33b04d3f6557442600 Author:Tjerk Meesters Fri, 20 Sep 2013 22:50:30 +0800 Parents: ce13f9fa328ae4a0c7fa9ef5efdb72a43f29dde2 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=574fe449dc05a11cfe7e6a33b04d3f6557442600 Log: removed the byref result Changed paths: M ext/openssl/openssl.c Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index f0ae2b7..e6040d5 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -129,9 +129,8 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_export, 0, 0, 2) ZEND_ARG_INFO(0, notext) ZEND_END_ARG_INFO() -ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 2) +ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 1) ZEND_ARG_INFO(0, x509) - ZEND_ARG_INFO(1, out) ZEND_ARG_INFO(0, method) ZEND_ARG_INFO(0, raw_output) ZEND_END_ARG_INFO() @@ -1676,7 +1675,7 @@ PHP_FUNCTION(openssl_x509_export) PHP_FUNCTION(openssl_x509_digest) { X509 *cert; - zval **zcert, *zout; + zval **zcert; long certresource; zend_bool raw_output = 0; char *method = "sha1"; @@ -1688,7 +1687,7 @@ PHP_FUNCTION(openssl_x509_digest) RETVAL_FALSE; -if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz|sb", &zcert, &zout, &method, &method_len, &raw_output) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Z|sb", &zcert, &method, &method_len, &raw_output) == FAILURE) { return; } @@ -1701,7 +1700,7 @@ PHP_FUNCTION(openssl_x509_digest) mdtype = EVP_get_digestbyname(method); if (!mdtype) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); - RETURN_FALSE; + return; } if (!X509_digest(cert, mdtype, md, &n)) { 
@@ -1709,22 +1708,19 @@ PHP_FUNCTION(openssl_x509_digest) return; } - zval_dtor(zout); - if (raw_output) { - ZVAL_STRINGL(zout, md, n, 1); + RETVAL_STRINGL(md, n, 1); } else { int digest_str_len = n * 2; char *digest_str = emalloc(digest_str_len + 1); make_digest_ex(digest_str, md, n); - ZVAL_STRINGL(zout, digest_str, digest_str_len, 0); + RETVAL_STRINGL(digest_str, digest_str_len, 0); } if (certresource == -1 && cert) { X509_free(cert); } - RETVAL_TRUE; } /* {{{ proto bool openssl_x509_check_private_key(mixed cert, mixed key) -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
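Review bot: In the `if (!mdtype)` branch, replacing `RETURN_FALSE;` with a bare `return;` still leaves the function before the `if (certresource == -1 && cert) { X509_free(cert); }` cleanup at the bottom, and the `return;` after a failed `X509_digest` does the same. A certificate that was loaded only for this call (certresource == -1) is therefore leaked on both error paths. Rely on the `RETVAL_FALSE;` that is already set at the top and fall through to the cleanup, or jump to a common exit label, instead of returning early.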
[PHP-CVS] com php-src: indentation fail: ext/openssl/openssl.c
Commit:ce13f9fa328ae4a0c7fa9ef5efdb72a43f29dde2 Author:datibbaw Fri, 20 Sep 2013 16:59:44 +0800 Parents: b2881db9a98db6e92d9f6964dd83a003c39a7fbd Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=ce13f9fa328ae4a0c7fa9ef5efdb72a43f29dde2 Log: indentation fail Changed paths: M ext/openssl/openssl.c Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 6979e35..f0ae2b7 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1676,14 +1676,14 @@ PHP_FUNCTION(openssl_x509_export) PHP_FUNCTION(openssl_x509_digest) { X509 *cert; -zval **zcert, *zout; + zval **zcert, *zout; long certresource; zend_bool raw_output = 0; char *method = "sha1"; int method_len; const EVP_MD *mdtype; -unsigned char md[EVP_MAX_MD_SIZE]; + unsigned char md[EVP_MAX_MD_SIZE]; unsigned int n; RETVAL_FALSE; -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: who put that stupid newline there?: ext/openssl/openssl.c
Commit:69bdc5aca8f14515556bb6fc8f86becf55ef30bf Author:Tjerk Meesters Mon, 23 Sep 2013 23:42:31 +0800 Parents: 1c7cabb2ca405e6763d7044015f9cb063941a838 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=69bdc5aca8f14515556bb6fc8f86becf55ef30bf Log: who put that stupid newline there? Changed paths: M ext/openssl/openssl.c Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index c8588e2..a6ddd14 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1,5 +1,4 @@ /* - +--+ | PHP Version 5| +--+ -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: don't leak cert on errors, return null on zpp failure: ext/openssl/openssl.c ext/openssl/tests/openssl_x509_digest.phpt
Commit:521a5c956800115f0be008e0581878e4303a5118 Author:Tjerk Meesters Sat, 21 Sep 2013 18:24:00 +0800 Parents: a97aec16c0320c5737b43ad1c3caf01ea1485874 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=521a5c956800115f0be008e0581878e4303a5118 Log: don't leak cert on errors, return null on zpp failure Changed paths: M ext/openssl/openssl.c M ext/openssl/tests/openssl_x509_digest.phpt Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index e6040d5..9685dac 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1685,8 +1685,6 @@ PHP_FUNCTION(openssl_x509_digest) unsigned char md[EVP_MAX_MD_SIZE]; unsigned int n; - RETVAL_FALSE; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Z|sb", &zcert, &method, &method_len, &raw_output) == FAILURE) { return; } @@ -1694,28 +1692,26 @@ PHP_FUNCTION(openssl_x509_digest) cert = php_openssl_x509_from_zval(zcert, 0, &certresource TSRMLS_CC); if (cert == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get cert from parameter 1"); - return; + RETURN_FALSE; } mdtype = EVP_get_digestbyname(method); if (!mdtype) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); - return; - } - - if (!X509_digest(cert, mdtype, md, &n)) { - php_error_docref(NULL TSRMLS_CC, E_ERROR, "out of memory"); - return; - } - - if (raw_output) { - RETVAL_STRINGL(md, n, 1); + RETVAL_FALSE; + } else if (!X509_digest(cert, mdtype, md, &n)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Out of memory"); + RETVAL_FALSE; } else { - int digest_str_len = n * 2; - char *digest_str = emalloc(digest_str_len + 1); + if (raw_output) { + RETVAL_STRINGL(md, n, 1); + } else { + int digest_str_len = n * 2; + char *digest_str = emalloc(digest_str_len + 1); - make_digest_ex(digest_str, md, n); - RETVAL_STRINGL(digest_str, digest_str_len, 0); + make_digest_ex(digest_str, md, n); + RETVAL_STRINGL(digest_str, digest_str_len, 0); + } } if (certresource == -1 && cert) { 
diff --git a/ext/openssl/tests/openssl_x509_digest.phpt b/ext/openssl/tests/openssl_x509_digest.phpt index 98ec009..fde4280 100644 --- a/ext/openssl/tests/openssl_x509_digest.phpt +++ b/ext/openssl/tests/openssl_x509_digest.phpt @@ -9,8 +9,12 @@ if (!extension_loaded("openssl")) die("skip"); $cert = "file://" . dirname(__FILE__) . "/cert.crt"; +echo "** Testing with no parameters **\n"; +var_dump(openssl_x509_digest()); + echo "** Testing default functionality **\n"; var_dump(openssl_x509_digest($cert)); + echo "** Testing hash method md5 **\n"; var_dump(openssl_x509_digest($cert, 'md5')); @@ -22,6 +26,10 @@ var_dump(openssl_x509_digest('123')); echo "** Testing bad hash method **\n"; var_dump(openssl_x509_digest($cert, 'xx45')); --EXPECTF-- +** Testing with no parameters ** + +Warning: openssl_x509_digest() expects at least 1 parameter, 0 given in %s on line %d +NULL ** Testing default functionality ** string(40) "6e6fd1ea10a5a23071d61c728ee9b40df6dbc33c" ** Testing hash method md5 ** -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
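Review bot: In the `else if (!X509_digest(cert, mdtype, md, &n))` branch, `php_error_docref(NULL TSRMLS_CC, E_ERROR, "Out of memory")` raises a fatal error, so the `RETVAL_FALSE;` on the next line and the `X509_free(cert)` cleanup that this commit is meant to guarantee are never reached on that path. The message also names a cause that a zero return from X509_digest does not establish. Consider E_WARNING with a neutral message so the branch falls through to the cleanup the same way the unknown-algorithm branch now does.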
[PHP-CVS] com php-src: Support string and array for peer fingerprint matching: ext/openssl/openssl.c ext/openssl/tests/openssl_peer_fingerprint.phpt
Commit:edd93f34520b550c4c42877fe9e03112cad005ba Author:datibbaw Fri, 27 Sep 2013 14:13:11 +0800 Parents: 69bdc5aca8f14515556bb6fc8f86becf55ef30bf Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=edd93f34520b550c4c42877fe9e03112cad005ba Log: Support string and array for peer fingerprint matching Changed paths: M ext/openssl/openssl.c M ext/openssl/tests/openssl_peer_fingerprint.phpt Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index a6ddd14..c0d1b0b 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1672,7 +1672,7 @@ PHP_FUNCTION(openssl_x509_export) } /* }}} */ -int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, char **out, int *out_len) +static int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, char **out, int *out_len) { unsigned char md[EVP_MAX_MD_SIZE]; const EVP_MD *mdtype; 
@@ -1699,6 +1699,61 @@ int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, char * return 1; } +static int php_x509_fingerprint_cmp(X509 *peer, const char *method, const char *expected) +{ + char *fingerprint; + int fingerprint_len; + int result = -1; + + if (php_openssl_x509_fingerprint(peer, method, 0, &fingerprint, &fingerprint_len)) { + result = strcmp(expected, fingerprint); + efree(fingerprint); + } + + return result; +} + +static int php_x509_fingerprint_match(X509 *peer, zval **val) +{ + if (Z_TYPE_PP(val) == IS_STRING) { + const char *method = NULL; + + switch (Z_STRLEN_PP(val)) { + case 32: + method = "md5"; + break; + + case 40: + method = "sha1"; + break; + } + + return method && php_x509_fingerprint_cmp(peer, method, Z_STRVAL_PP(val)) == 0; + } else if (Z_TYPE_PP(val) == IS_ARRAY) { + HashPosition pos; + zval **current; + char *key; + uint key_len; + ulong key_index; + + for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(val), &pos); + zend_hash_get_current_data_ex(Z_ARRVAL_PP(val), (void **)¤t, &pos) == SUCCESS; + zend_hash_move_forward_ex(Z_ARRVAL_PP(val), &pos) + ) { + int key_type = zend_hash_get_current_key_ex(Z_ARRVAL_PP(val), &key, &key_len, &key_index, 0, &pos); + + if (key_type == HASH_KEY_IS_STRING + && Z_TYPE_PP(current) == IS_STRING + && php_x509_fingerprint_cmp(peer, key, Z_STRVAL_PP(current)) != 0 + ) { + return 0; + } + } + return 1; + } + return 0; +} + PHP_FUNCTION(openssl_x509_fingerprint) { X509 *cert; @@ -1709,7 +1764,7 @@ PHP_FUNCTION(openssl_x509_fingerprint) int method_len; char *fingerprint; - char *fingerprint_len; + int fingerprint_len; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Z|sb", &zcert, &method, &method_len, &raw_output) == FAILURE) { return; 
@@ -4932,30 +4987,14 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre /* if the cert passed the usual checks, apply our own local policies now */ - if (GET_VER_OPT("peer_fingerprint") && Z_TYPE_PP(val) == IS_STRING) { - char *fingerprint; - int fingerprint_len; - const char *method = NULL; - - switch (Z_STRLEN_PP(val)) { - case 32: - method = "md5"; - break; - - case 40: - method = "sha1"; - break; - } - - if (method && php_openssl_x509_fingerprint(peer, method, 0, &fingerprint, &fingerprint_len)) { - int match = strcmp(Z_STRVAL_PP(val), fingerprint) == 0; - - efree(fingerprint); - - if (!match) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer fingerprint `%s` not matched", Z_STRVAL_PP(val)); + if (GET_VER_OPT("peer_fingerprint")) { + if (Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_ARRAY) { + if (!php_x509_fingerprint_match(peer, val)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer fingerprint doesn't match"); return FAILURE; } + } else { + php_err
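Review bot: The IS_ARRAY branch of `php_x509_fingerprint_match` fails open. The loop returns 0 only for an entry that has a string key and a string value and does not match, so an empty array, a numerically indexed array, or entries whose values are not strings are skipped and the function reaches `return 1;` without having compared anything. For a pinning check, any entry that is not a string-keyed string should count as a failure, and the function should require at least one successful comparison before it returns 1. A smaller point in `php_x509_fingerprint_cmp`: `strcmp(expected, fingerprint)` is byte-exact, so a pin written in a different letter case than `make_digest_ex` emits is rejected; either normalise the expected value or document the required form.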
[PHP-CVS] com php-src: Renamed to be more descriptive of what it does: ext/openssl/openssl.c ext/openssl/php_openssl.h ext/openssl/tests/openssl_x509_digest.phpt ext/openssl/tests/openssl_x509_fingerp
Commit:2bfc5a253b4ee76f9930692f2d088371c38dd65f Author:Tjerk Meesters Mon, 23 Sep 2013 00:51:17 +0800 Parents: 521a5c956800115f0be008e0581878e4303a5118 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=2bfc5a253b4ee76f9930692f2d088371c38dd65f Log: Renamed to be more descriptive of what it does Changed paths: M ext/openssl/openssl.c M ext/openssl/php_openssl.h D ext/openssl/tests/openssl_x509_digest.phpt A ext/openssl/tests/openssl_x509_fingerprint.phpt Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 9685dac..9da10fc 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -129,7 +129,7 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_export, 0, 0, 2) ZEND_ARG_INFO(0, notext) ZEND_END_ARG_INFO() -ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 1) +ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_fingerprint, 0, 0, 1) ZEND_ARG_INFO(0, x509) ZEND_ARG_INFO(0, method) ZEND_ARG_INFO(0, raw_output) @@ -449,7 +449,7 @@ const zend_function_entry openssl_functions[] = { PHP_FE(openssl_x509_checkpurpose, arginfo_openssl_x509_checkpurpose) PHP_FE(openssl_x509_check_private_key, arginfo_openssl_x509_check_private_key) PHP_FE(openssl_x509_export, arginfo_openssl_x509_export) - PHP_FE(openssl_x509_digest, arginfo_openssl_x509_digest) + PHP_FE(openssl_x509_fingerprint, arginfo_openssl_x509_fingerprint) PHP_FE(openssl_x509_export_to_file, arginfo_openssl_x509_export_to_file) /* PKCS12 funcs */ @@ -1672,7 +1672,7 @@ PHP_FUNCTION(openssl_x509_export) } /* }}} */ -PHP_FUNCTION(openssl_x509_digest) +PHP_FUNCTION(openssl_x509_fingerprint) { X509 *cert; zval **zcert; diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h index 4f0ac14..a06e43d 100644 --- a/ext/openssl/php_openssl.h +++ b/ext/openssl/php_openssl.h 
@@ -66,7 +66,7 @@ PHP_FUNCTION(openssl_x509_free); PHP_FUNCTION(openssl_x509_parse); PHP_FUNCTION(openssl_x509_checkpurpose); PHP_FUNCTION(openssl_x509_export); -PHP_FUNCTION(openssl_x509_digest); +PHP_FUNCTION(openssl_x509_fingerprint); PHP_FUNCTION(openssl_x509_export_to_file); PHP_FUNCTION(openssl_x509_check_private_key); diff --git a/ext/openssl/tests/openssl_x509_digest.phpt b/ext/openssl/tests/openssl_x509_digest.phpt deleted file mode 100644 index fde4280..000 --- a/ext/openssl/tests/openssl_x509_digest.phpt +++ /dev/null @@ -1,47 +0,0 @@ ---TEST-- -Testing openssl_x509_digest() ---SKIPIF-- - ---FILE-- - +--FILE-- +http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: show method in error message: ext/openssl/openssl.c
Commit:e45eacd8fa4e32692697171e90f14d3c66d673de Author:Tjerk Meesters Mon, 30 Sep 2013 21:21:56 +0800 Parents: edd93f34520b550c4c42877fe9e03112cad005ba Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=e45eacd8fa4e32692697171e90f14d3c66d673de Log: show method in error message Changed paths: M ext/openssl/openssl.c Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index c0d1b0b..c208d43 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1679,7 +1679,7 @@ static int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, int n; if (!(mdtype = EVP_get_digestbyname(method))) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "`%s`: Unknown signature algorithm", method); return 0; } else if (!X509_digest(peer, mdtype, md, &n)) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "Could not generate signature"); -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
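Review bot: On the changed `php_error_docref` line the text still reads "Unknown signature algorithm", although the name failed an `EVP_get_digestbyname` lookup and is therefore a digest name; now that the value is printed next to it, "Unknown digest algorithm" would be more accurate. The "Could not generate signature" message in the `X509_digest` branch just below has the same wording problem and could be fixed in the same commit.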
[PHP-CVS] com php-src: add md5 and sha1 fingerprint tests: ext/openssl/openssl.c ext/openssl/tests/openssl_peer_fingerprint.phpt
Commit:1c7cabb2ca405e6763d7044015f9cb063941a838 Author:Tjerk Meesters Mon, 23 Sep 2013 23:29:17 +0800 Parents: 2bfc5a253b4ee76f9930692f2d088371c38dd65f Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=1c7cabb2ca405e6763d7044015f9cb063941a838 Log: add md5 and sha1 fingerprint tests Changed paths: M ext/openssl/openssl.c A ext/openssl/tests/openssl_peer_fingerprint.phpt Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 9da10fc..c8588e2 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1,4 +1,5 @@ /* + +--+ | PHP Version 5| +--+ @@ -1672,6 +1673,33 @@ PHP_FUNCTION(openssl_x509_export) } /* }}} */ +int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, char **out, int *out_len) +{ + unsigned char md[EVP_MAX_MD_SIZE]; + const EVP_MD *mdtype; + int n; + + if (!(mdtype = EVP_get_digestbyname(method))) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); + return 0; + } else if (!X509_digest(peer, mdtype, md, &n)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Could not generate signature"); + return 0; + } + + if (raw) { + *out_len = n; + *out = estrndup(md, n); + } else { + *out_len = n * 2; + *out = emalloc(*out_len + 1); + + make_digest_ex(*out, md, n); + } + + return 1; +} + PHP_FUNCTION(openssl_x509_fingerprint) { X509 *cert; @@ -1681,9 +1709,8 @@ PHP_FUNCTION(openssl_x509_fingerprint) char *method = "sha1"; int method_len; - const EVP_MD *mdtype; - unsigned char md[EVP_MAX_MD_SIZE]; - unsigned int n; + char *fingerprint; + char *fingerprint_len; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Z|sb", &zcert, &method, &method_len, &raw_output) == FAILURE) { return; 
@@ -1695,23 +1722,10 @@ PHP_FUNCTION(openssl_x509_fingerprint) RETURN_FALSE; } - mdtype = EVP_get_digestbyname(method); - if (!mdtype) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); - RETVAL_FALSE; - } else if (!X509_digest(cert, mdtype, md, &n)) { - php_error_docref(NULL TSRMLS_CC, E_ERROR, "Out of memory"); - RETVAL_FALSE; + if (php_openssl_x509_fingerprint(cert, method, raw_output, &fingerprint, &fingerprint_len)) { + RETVAL_STRINGL(fingerprint, fingerprint_len, 0); } else { - if (raw_output) { - RETVAL_STRINGL(md, n, 1); - } else { - int digest_str_len = n * 2; - char *digest_str = emalloc(digest_str_len + 1); - - make_digest_ex(digest_str, md, n); - RETVAL_STRINGL(digest_str, digest_str_len, 0); - } + RETVAL_FALSE; } if (certresource == -1 && cert) { @@ -4919,6 +4933,33 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre /* if the cert passed the usual checks, apply our own local policies now */ + if (GET_VER_OPT("peer_fingerprint") && Z_TYPE_PP(val) == IS_STRING) { + char *fingerprint; + int fingerprint_len; + const char *method = NULL; + + switch (Z_STRLEN_PP(val)) { + case 32: + method = "md5"; + break; + + case 40: + method = "sha1"; + break; + } + + if (method && php_openssl_x509_fingerprint(peer, method, 0, &fingerprint, &fingerprint_len)) { + int match = strcmp(Z_STRVAL_PP(val), fingerprint) == 0; + + efree(fingerprint); + + if (!match) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer fingerprint `%s` not matched", Z_STRVAL_PP(val)); + return FAILURE; + } + } + } + name = X509_get_subject_name(peer); /* Does the common name match ? (used primarily for https://) */ diff --git a/ext/openssl/tests/openssl_peer_fingerprint.phpt b/ext/openssl/tests/openssl_peer_fingerprint.phpt new file mode 100644 index 000..a6be676 --- /dev/null +++ b/ext/openssl/tests/openssl_peer_fingerprint.phpt @@ -0,0 +1,44 @@ +--TEST-- +Testing peer fingerprint on connection +--SKIPIF-- + arra
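Review bot: In PHP_FUNCTION(openssl_x509_fingerprint), `char *fingerprint_len;` is declared as a pointer but is passed as `&fingerprint_len` to the helper's `int *out_len` parameter and then used as the length in `RETVAL_STRINGL(fingerprint, fingerprint_len, 0)`; it should be `int fingerprint_len;`. In the new helper, `int n;` is handed to `X509_digest(peer, mdtype, md, &n)`, while the code being removed declared `unsigned int n;` for the same call, so keep the unsigned type there. The helper is also added without `static` although nothing outside openssl.c is changed to declare it.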
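Review bot: The `peer_fingerprint` check added to php_openssl_apply_verification_policy is skipped silently whenever it cannot be evaluated. If the option is not a string, if its length is neither 32 nor 40 (so `method` stays NULL), or if `php_openssl_x509_fingerprint` returns 0, the body of `if (method && ...)` never runs and verification continues as though no fingerprint had been configured. Someone who sets this option expects an unusable value to reject the peer, so add an else path that emits a warning and returns FAILURE.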
[PHP-CVS] com php-src: Added test case for openssl_x509_digest(): ext/openssl/tests/openssl_x509_digest.phpt
Commit:a97aec16c0320c5737b43ad1c3caf01ea1485874 Author:Tjerk Meesters Fri, 20 Sep 2013 23:28:29 +0800 Committer: Tjerk Meesters Fri, 20 Sep 2013 23:29:04 +0800 Parents: 574fe449dc05a11cfe7e6a33b04d3f6557442600 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=a97aec16c0320c5737b43ad1c3caf01ea1485874 Log: Added test case for openssl_x509_digest() Changed paths: A ext/openssl/tests/openssl_x509_digest.phpt Diff: diff --git a/ext/openssl/tests/openssl_x509_digest.phpt b/ext/openssl/tests/openssl_x509_digest.phpt new file mode 100644 index 000..98ec009 --- /dev/null +++ b/ext/openssl/tests/openssl_x509_digest.phpt @@ -0,0 +1,39 @@ +--TEST-- +Testing openssl_x509_digest() +--SKIPIF-- + +--FILE-- +http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: Using SUCCESS and FAILURE for return values Using zend_bool for boolean arguments and return values Reduced one level of zval indirection where possible: ext/openssl/openssl.c
Commit:955bc1d91bd772cbb782830220048511b657f063 Author:datibbaw Mon, 7 Oct 2013 15:38:48 +0800 Parents: e45eacd8fa4e32692697171e90f14d3c66d673de Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=955bc1d91bd772cbb782830220048511b657f063 Log: Using SUCCESS and FAILURE for return values Using zend_bool for boolean arguments and return values Reduced one level of zval indirection where possible Changed paths: M ext/openssl/openssl.c Diff: diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index c208d43..d963f86 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1672,18 +1672,18 @@ PHP_FUNCTION(openssl_x509_export) } /* }}} */ -static int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, char **out, int *out_len) +static int php_openssl_x509_fingerprint(X509 *peer, const char *method, zend_bool raw, char **out, int *out_len) { unsigned char md[EVP_MAX_MD_SIZE]; const EVP_MD *mdtype; int n; if (!(mdtype = EVP_get_digestbyname(method))) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "`%s`: Unknown signature algorithm", method); - return 0; + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); + return FAILURE; } else if (!X509_digest(peer, mdtype, md, &n)) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "Could not generate signature"); - return 0; + return FAILURE; } if (raw) { @@ -1696,7 +1696,7 @@ static int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, make_digest_ex(*out, md, n); } - return 1; + return SUCCESS; } static int php_x509_fingerprint_cmp(X509 *peer, const char *method, const char *expected) 
@@ -1705,7 +1705,7 @@ static int php_x509_fingerprint_cmp(X509 *peer, const char *method, const char * int fingerprint_len; int result = -1; - if (php_openssl_x509_fingerprint(peer, method, 0, &fingerprint, &fingerprint_len)) { + if (php_openssl_x509_fingerprint(peer, method, 0, &fingerprint, &fingerprint_len) == SUCCESS) { result = strcmp(expected, fingerprint); efree(fingerprint); } @@ -1713,12 +1713,12 @@ static int php_x509_fingerprint_cmp(X509 *peer, const char *method, const char * return result; } -static int php_x509_fingerprint_match(X509 *peer, zval **val) +static zend_bool php_x509_fingerprint_match(X509 *peer, zval *val) { - if (Z_TYPE_PP(val) == IS_STRING) { + if (Z_TYPE_P(val) == IS_STRING) { const char *method = NULL; - switch (Z_STRLEN_PP(val)) { + switch (Z_STRLEN_P(val)) { case 32: method = "md5"; break; @@ -1728,19 +1728,19 @@ static int php_x509_fingerprint_match(X509 *peer, zval **val) break; } - return method && php_x509_fingerprint_cmp(peer, method, Z_STRVAL_PP(val)) == 0; - } else if (Z_TYPE_PP(val) == IS_ARRAY) { + return method && php_x509_fingerprint_cmp(peer, method, Z_STRVAL_P(val)) == 0; + } else if (Z_TYPE_P(val) == IS_ARRAY) { HashPosition pos; zval **current; char *key; uint key_len; ulong key_index; - for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(val), &pos); - zend_hash_get_current_data_ex(Z_ARRVAL_PP(val), (void **)¤t, &pos) == SUCCESS; - zend_hash_move_forward_ex(Z_ARRVAL_PP(val), &pos) + for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(val), &pos); + zend_hash_get_current_data_ex(Z_ARRVAL_P(val), (void **)¤t, &pos) == SUCCESS; + zend_hash_move_forward_ex(Z_ARRVAL_P(val), &pos) ) { - int key_type = zend_hash_get_current_key_ex(Z_ARRVAL_PP(val), &key, &key_len, &key_index, 0, &pos); + int key_type = zend_hash_get_current_key_ex(Z_ARRVAL_P(val), &key, &key_len, &key_index, 0, &pos); if (key_type == HASH_KEY_IS_STRING && Z_TYPE_PP(current) == IS_STRING 
@@ -1776,7 +1776,7 @@ PHP_FUNCTION(openssl_x509_fingerprint) RETURN_FALSE; } - if (php_openssl_x509_fingerprint(cert, method, raw_output, &fingerprint, &fingerprint_len)) { + if (php_openssl_x509_fingerprint(cert, method, raw_output, &fingerprint, &fingerprint_len) == SUCCESS) { RETVAL_STRINGL(fingerprint, fingerprint_len, 0); } else { RETVAL_FALSE; @@ -4989,7 +4989,7 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre
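Review bot: In the first hunk, the `php_error_docref` call for an unknown digest goes back to the plain "Unknown signature algorithm" and drops the "`%s`: ..." form with `method` as its argument that the `-` line shows. The log message does not mention this, so it looks like an accidental revert and should be restored. On the return-value change itself: SUCCESS is 0 and FAILURE is -1, so any caller that still tests the result for truthiness now takes the success branch on failure. The callers visible here are converted to `== SUCCESS`; check for remaining ones before merging.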
[PHP-CVS] svn: /SVNROOT/ global_avail
pajoye Tue, 08 Oct 2013 13:33:08 + Revision: http://svn.php.net/viewvc?view=revision&revision=331730 Log: - ab karma Changed paths: U SVNROOT/global_avail Modified: SVNROOT/global_avail === --- SVNROOT/global_avail2013-10-08 11:59:38 UTC (rev 331729) +++ SVNROOT/global_avail2013-10-08 13:33:08 UTC (rev 331730) @@ -411,8 +411,8 @@ avail|bcarlyon,derick|web/bugtracker # php-internals-win karma -avail|szarkos,pajoye,rrichards,auroraeosrose|php/php-internals-win -avail|pajoye,guilhermeblanco,auroraeosrose,rrichards,kalle,sascham78,szarkos|web/windows.git +avail|szarkos,pajoye,rrichards,auroraeosrose,ab|php/php-internals-win +avail|pajoye,guilhermeblanco,auroraeosrose,rrichards,kalle,sascham78,szarkos,ab|web/windows.git avail|szarkos,ab|web/rmtools.git # php-benchmarks karma -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: fix bad cast: ext/standard/php_fopen_wrapper.c
Commit:5d430ad90257e353321789d9dfe529554028ff6e Author:Michael Wallner Tue, 8 Oct 2013 11:16:53 +0200 Parents: b15765412aebb6b158465f26d8eedb85737862d8 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=5d430ad90257e353321789d9dfe529554028ff6e Log: fix bad cast Changed paths: M ext/standard/php_fopen_wrapper.c Diff: diff --git a/ext/standard/php_fopen_wrapper.c b/ext/standard/php_fopen_wrapper.c index 76f77eb..0adb1e0 100644 --- a/ext/standard/php_fopen_wrapper.c +++ b/ext/standard/php_fopen_wrapper.c @@ -120,11 +120,11 @@ static int php_stream_input_flush(php_stream *stream TSRMLS_DC) /* {{{ */ static int php_stream_input_seek(php_stream *stream, off_t offset, int whence, off_t *newoffset TSRMLS_DC) /* {{{ */ { - php_stream *inner = stream->abstract; + php_stream_input_t *input = stream->abstract; - if (inner) { - int sought = php_stream_seek(inner, offset, whence); - *newoffset = inner->position; + if (*input->body_ptr) { + int sought = php_stream_seek(*input->body_ptr, offset, whence); + *newoffset = (*input->body_ptr)->position; return sought; } -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
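Review bot: The old code tested `inner` (that is, `stream->abstract`) for NULL before using it, while the new `if (*input->body_ptr)` dereferences both `input` and `input->body_ptr` unconditionally. If either can be unset when php_stream_input_seek is called, this is a NULL dereference. Either keep a guard such as `if (input && input->body_ptr && *input->body_ptr)` or add a comment stating why both are always set at this point.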