[PHP-CVS] svn: /php/php-src/trunk/ext/openssl/ openssl.c xp_ssl.c
mj Mon, 25 Apr 2011 16:50:30 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=310476
Log:
The project calls itself OpenSSL and not openSSL, so let's keep it
that way in our code as well.
Changed paths:
U php/php-src/trunk/ext/openssl/openssl.c
U php/php-src/trunk/ext/openssl/xp_ssl.c
Modified: php/php-src/trunk/ext/openssl/openssl.c
===
--- php/php-src/trunk/ext/openssl/openssl.c 2011-04-25 15:22:09 UTC (rev
310475)
+++ php/php-src/trunk/ext/openssl/openssl.c 2011-04-25 16:50:30 UTC (rev
310476)
@@ -1020,8 +1020,8 @@
ERR_load_crypto_strings();
ERR_load_EVP_strings();
- /* register a resource id number with openSSL so that we can map SSL -
stream structures in
-* openSSL callbacks */
+ /* register a resource id number with OpenSSL so that we can map SSL -
stream structures in
+* OpenSSL callbacks */
ssl_stream_data_index = SSL_get_ex_new_index(0, PHP stream index,
NULL, NULL, NULL);
REGISTER_STRING_CONSTANT(OPENSSL_VERSION_TEXT, OPENSSL_VERSION_TEXT,
CONST_CS|CONST_PERSISTENT);
Modified: php/php-src/trunk/ext/openssl/xp_ssl.c
===
--- php/php-src/trunk/ext/openssl/xp_ssl.c 2011-04-25 15:22:09 UTC (rev
310475)
+++ php/php-src/trunk/ext/openssl/xp_ssl.c 2011-04-25 16:50:30 UTC (rev
310476)
@@ -330,7 +330,7 @@
break;
case STREAM_CRYPTO_METHOD_SSLv2_CLIENT:
#ifdef OPENSSL_NO_SSL2
- php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2
support is not compiled into the openSSL library PHP is linked against);
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2
support is not compiled into the OpenSSL library PHP is linked against);
return -1;
#else
sslsock-is_client = 1;
@@ -355,7 +355,7 @@
break;
case STREAM_CRYPTO_METHOD_SSLv2_SERVER:
#ifdef OPENSSL_NO_SSL2
- php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2
support is not compiled into the openSSL library PHP is linked against);
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2
support is not compiled into the OpenSSL library PHP is linked against);
return -1;
#else
sslsock-is_client = 0;
@@ -923,7 +923,7 @@
sslsock-method = STREAM_CRYPTO_METHOD_SSLv23_CLIENT;
} else if (strncmp(proto, sslv2, protolen) == 0) {
#ifdef OPENSSL_NO_SSL2
- php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2 support is
not compiled into the openSSL library PHP is linked against);
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2 support is
not compiled into the OpenSSL library PHP is linked against);
return NULL;
#else
sslsock-enable_on_connect = 1;
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/trunk/ext/openssl/ openssl.c tests/011.phpt tests/openssl_decrypt_error.phpt
pollita Wed, 19 May 2010 20:05:09 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=299508
Log:
Add parameter to openssl_(en|de)crypt
Changed paths:
U php/php-src/trunk/ext/openssl/openssl.c
U php/php-src/trunk/ext/openssl/tests/011.phpt
U php/php-src/trunk/ext/openssl/tests/openssl_decrypt_error.phpt
Modified: php/php-src/trunk/ext/openssl/openssl.c
===
--- php/php-src/trunk/ext/openssl/openssl.c 2010-05-19 19:34:58 UTC (rev 299507)
+++ php/php-src/trunk/ext/openssl/openssl.c 2010-05-19 20:05:09 UTC (rev 299508)
@@ -99,6 +99,7 @@
PHP_FUNCTION(openssl_digest);
PHP_FUNCTION(openssl_encrypt);
PHP_FUNCTION(openssl_decrypt);
+PHP_FUNCTION(openssl_cipher_iv_length);
PHP_FUNCTION(openssl_dh_compute_key);
PHP_FUNCTION(openssl_random_pseudo_bytes);
@@ -347,6 +348,7 @@
ZEND_ARG_INFO(0, method)
ZEND_ARG_INFO(0, password)
ZEND_ARG_INFO(0, raw_output)
+ZEND_ARG_INFO(0, iv)
ZEND_END_ARG_INFO()
ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_decrypt, 0, 0, 3)
@@ -354,8 +356,13 @@
ZEND_ARG_INFO(0, method)
ZEND_ARG_INFO(0, password)
ZEND_ARG_INFO(0, raw_input)
+ZEND_ARG_INFO(0, iv)
ZEND_END_ARG_INFO()
+ZEND_BEGIN_ARG_INFO(arginfo_openssl_cipher_iv_length, 0)
+ZEND_ARG_INFO(0, method)
+ZEND_END_ARG_INFO()
+
ZEND_BEGIN_ARG_INFO(arginfo_openssl_dh_compute_key, 0)
ZEND_ARG_INFO(0, pub_key)
ZEND_ARG_INFO(0, dh_key)
@@ -408,6 +415,7 @@
PHP_FE(openssl_digest,arginfo_openssl_digest)
PHP_FE(openssl_encrypt,arginfo_openssl_encrypt)
PHP_FE(openssl_decrypt,arginfo_openssl_decrypt)
+ PHP_FE(openssl_cipher_iv_length, arginfo_openssl_cipher_iv_length)
PHP_FE(openssl_sign,arginfo_openssl_sign)
PHP_FE(openssl_verify,arginfo_openssl_verify)
PHP_FE(openssl_seal,arginfo_openssl_seal)
@@ -4585,19 +4593,54 @@
}
/* }}} */
-/* {{{ proto string openssl_encrypt(string data, string method, string password [, bool raw_output=false])
+static zend_bool php_openssl_validate_iv(char **piv, int *piv_len, int iv_required_len)
+{
+ char *iv_new;
+
+ /* Best case scenario, user behaved */
+ if (*piv_len == iv_required_len) {
+ return 0;
+ }
+
+ iv_new = ecalloc(1, iv_required_len + 1);
+
+ if (*piv_len = 0) {
+ /* BC behavior */
+ *piv_len = iv_required_len;
+ *piv = iv_new;
+ return 1;
+ }
+
+ if (*piv_len iv_required_len) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, IV passed is only %d bytes long, cipher expects an IV of precisely %d bytes, padding with \\0, *piv_len, iv_required_len);
+ memcpy(iv_new, *piv, *piv_len);
+ *piv_len = iv_required_len;
+ *piv = iv_new;
+ return 1;
+ }
+
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, IV passed is %d bytes long which is longer than the %d expected by selected cipher, truncating, *piv_len, iv_required_len);
+ memcpy(iv_new, *piv, iv_required_len);
+ *piv_len = iv_required_len;
+ *piv = iv_new;
+ return 1;
+
+}
+
+/* {{{ proto string openssl_encrypt(string data, string method, string password [, bool raw_output=false [, string $iv='']])
Encrypts given data with given method and key, returns raw or base64 encoded string */
PHP_FUNCTION(openssl_encrypt)
{
zend_bool raw_output = 0;
- char *data, *method, *password;
- int data_len, method_len, password_len;
+ char *data, *method, *password, *iv = ;
+ int data_len, method_len, password_len, iv_len = 0;
const EVP_CIPHER *cipher_type;
EVP_CIPHER_CTX cipher_ctx;
- int i, outlen, keylen, ivlen;
- unsigned char *outbuf, *key, *iv;
+ int i, outlen, keylen;
+ unsigned char *outbuf, *key;
+ zend_bool free_iv;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, sss|b, data, data_len, method, method_len, password, password_len, raw_output) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, sss|bs, data, data_len, method, method_len, password, password_len, raw_output, iv, iv_len) == FAILURE) {
return;
}
cipher_type = EVP_get_cipherbyname(method);
@@ -4615,14 +4658,15 @@
key = (unsigned char*)password;
}
- ivlen = EVP_CIPHER_iv_length(cipher_type);
- iv = emalloc(ivlen);
- memset(iv, 0, ivlen);
+ if (iv_len = 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, Using an empty Initialization Vector (iv) is potentially insecure and not recommended);
+ }
+ free_iv = php_openssl_validate_iv(iv, iv_len, EVP_CIPHER_iv_length(cipher_type));
outlen = data_len + EVP_CIPHER_block_size(cipher_type);
outbuf = emalloc(outlen + 1);
- EVP_EncryptInit(cipher_ctx, cipher_type, key, iv);
+ EVP_EncryptInit(cipher_ctx, cipher_type, key, (unsigned char *)iv);
EVP_EncryptUpdate(cipher_ctx, outbuf, i, (unsigned char *)data, data_len);
outlen = i;
if (EVP_EncryptFinal(cipher_ctx, (unsigned char *)outbuf + i, i)) {
@@ -4645,25 +4689,28 @@
if (key != (unsigned char*)password) {
efree(key);
}
- efree(iv);
+ if (free_iv) {
+ efree(iv);
+ }
}
/* }}} */
-/* {{{ proto string
Re: [PHP-CVS] svn: /php/php-src/trunk/ext/openssl/ openssl.c tests/011.phpt tests/openssl_decrypt_error.phpt
hi, Little notice for the doc team, please see the respective on internals for the details about this new parameter. Cheers, On Wed, May 19, 2010 at 10:05 PM, Sara Golemon poll...@php.net wrote: pollita Wed, 19 May 2010 20:05:09 + Revision: http://svn.php.net/viewvc?view=revisionrevision=299508 Log: Add parameter to openssl_(en|de)crypt Changed paths: U php/php-src/trunk/ext/openssl/openssl.c U php/php-src/trunk/ext/openssl/tests/011.phpt U php/php-src/trunk/ext/openssl/tests/openssl_decrypt_error.phpt -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Pierre @pierrejoye | http://blog.thepimp.net | http://www.libgd.org -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/trunk/ext/openssl/ openssl.c
tony2001 Thu, 22 Apr 2010 16:00:45 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=298332
Log:
fix typo
Changed paths:
U php/php-src/trunk/ext/openssl/openssl.c
Modified: php/php-src/trunk/ext/openssl/openssl.c
===
--- php/php-src/trunk/ext/openssl/openssl.c 2010-04-22 15:59:44 UTC (rev
298331)
+++ php/php-src/trunk/ext/openssl/openssl.c 2010-04-22 16:00:45 UTC (rev
298332)
@@ -4451,7 +4451,7 @@
return NULL;
}
- if (SSL_CTX_use_PrivateKey_file(ctx, reso,
SSL_FILETYPE_PEM) != 1) {
+ if (SSL_CTX_use_PrivateKey_file(ctx,
resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
php_error_docref(NULL TSRMLS_CC, E_WARNING,
Unable to set private key file `%s', resolved_path_buff);
return NULL;
}
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/trunk/ext/openssl/ openssl.c tests/sni_001.phpt xp_ssl.c
lbarnaud Wed, 21 Oct 2009 16:10:19 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=289831
Log:
Added client-side Server Name Indication (SNI) support in OpenSSL extension.
#
# [DOC]
#
# New SSL context options :
#
# - SNI_enabled : Set to FALSE to disable SNI support (enabled by default)
# - SNI_server_name : If not set, the server name will be guessed from the
# stream URL (e.g. https://example.com/ will use example.com as hostname.),
# else the given name will be used.
#
# SNI is to SSL/TLS what the Host header is for HTTP : it allows multiple
# certificates on the same IP address.
#
# As for HTTP virtual hosts, this should be totaly transparent in most cases.
#
# Context options allows more control, e.g. :
#
# $context = stream_context_create(array(
# 'ssl' = array('SNI_server_name' = 'foo.example.com'),
# 'http' = array('header' = 'Host: foo.example.com'),
# ));
# file_get_contents('https://127.0.0.1/', false, $context);
#
# OpenSSL = 0.9.8j supports SNI (by default since OpenSSL 0.9.8k).
Changed paths:
U php/php-src/trunk/ext/openssl/openssl.c
A php/php-src/trunk/ext/openssl/tests/sni_001.phpt
U php/php-src/trunk/ext/openssl/xp_ssl.c
Modified: php/php-src/trunk/ext/openssl/openssl.c
===
--- php/php-src/trunk/ext/openssl/openssl.c 2009-10-21 13:06:40 UTC (rev 289830)
+++ php/php-src/trunk/ext/openssl/openssl.c 2009-10-21 16:10:19 UTC (rev 289831)
@@ -1036,6 +1036,11 @@
REGISTER_LONG_CONSTANT(OPENSSL_KEYTYPE_EC, OPENSSL_KEYTYPE_EC, CONST_CS|CONST_PERSISTENT);
#endif
+#if OPENSSL_VERSION_NUMBER = 0x0090806fL !defined(OPENSSL_NO_TLSEXT)
+ /* SNI support included in OpenSSL = 0.9.8j */
+ REGISTER_LONG_CONSTANT(OPENSSL_TLSEXT_SERVER_NAME, 1, CONST_CS|CONST_PERSISTENT);
+#endif
+
/* Determine default SSL configuration file */
config_filename = getenv(OPENSSL_CONF);
if (config_filename == NULL) {
Added: php/php-src/trunk/ext/openssl/tests/sni_001.phpt
===
--- php/php-src/trunk/ext/openssl/tests/sni_001.phpt (rev 0)
+++ php/php-src/trunk/ext/openssl/tests/sni_001.phpt 2009-10-21 16:10:19 UTC (rev 289831)
@@ -0,0 +1,178 @@
+--TEST--
+SNI 001
+--SKIPIF--
+?php
+ if (!extension_loaded('openssl')) die(skip openssl extension not available);
+ if (!getenv('SNI_TESTS')) die(skip Set SNI_TESTS to enable this test (uses remote resources));
+?
+--FILE--
+?php
+/* Server Name Indication (SNI) tests
+ *
+ * This test relies on https://sni.velox.ch/ and thus is disabled by default.
+ *
+ * sni.velox.ch uses 3 certificates :
+ * - CN=alice.sni.velox.ch (sent in response to server_name = alice.sni.velox.ch or not set)
+ * - CN=bob.sni.velox.ch (sent in response to server_name = bob.sni.velox.ch)
+ * - CN=*.sni.velox.ch (sent in response to server_name = mallory.sni.velox.ch or *.sni.velox.ch or sni.velox.ch)
+ *
+ * The test sends requests to the server, sending different names, and checks which certificate
+ * the server returned.
+ */
+
+function context() {
+ return stream_context_create(array(
+ 'ssl' = array(
+ 'capture_peer_cert' = true,
+ ),
+ ));
+}
+
+function get_CN($context) {
+
+ $ary = stream_context_get_options($context);
+ assert($ary);
+
+ $cert = $ary['ssl']['peer_certificate'];
+ assert($cert);
+
+ $cert_ary = openssl_x509_parse($cert);
+ return $cert_ary['subject']['CN'];
+}
+
+function do_http_test($url, $context) {
+
+ $fh = fopen($url, 'r', false, $context);
+ assert($fh);
+
+ var_dump(get_CN($context));
+}
+
+function do_ssl_test($url, $context) {
+
+ $fh = stream_socket_client($url, $errno, $errstr,
+ ini_get(default_socket_timeout), STREAM_CLIENT_CONNECT, $context);
+ assert($fh);
+
+ var_dump(get_CN($context));
+}
+
+function do_enable_crypto_test($url, $context) {
+
+ $fh = stream_socket_client($url, $errno, $errstr,
+ ini_get(default_socket_timeout), STREAM_CLIENT_CONNECT, $context);
+ assert($fh);
+
+ $r = stream_socket_enable_crypto($fh, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
+ assert($r);
+
+ var_dump(get_CN($context));
+}
+
+/* Test https:// streams */
+
+echo -- auto host name (1) --\n;
+do_http_test('https://alice.sni.velox.ch/', context());
+
+echo -- auto host name (2) --\n;
+do_http_test('https://bob.sni.velox.ch/', context());
+
+echo -- auto host name (3) --\n;
+do_http_test('https://bob.sni.velox.ch./', context());
+
+echo -- user supplied server name --\n;
+
+$context = context();
+stream_context_set_option($context, 'ssl', 'SNI_server_name', 'bob.sni.velox.ch');
+stream_context_set_option($context, 'http', 'header', b'Host: bob.sni.velox.ch');
+do_http_test('https://alice.sni.velox.ch/', $context);
+
+echo -- sni disabled --\n;
+
+$context = context();
+stream_context_set_option($context, 'ssl', 'SNI_enabled', false);
+do_http_test('https://bob.sni.velox.ch/', $context);
+
+/* Test ssl:// socket streams */
+
+echo -- raw SSL stream (1) --\n;
