[PHP-CVS] svn: /php/php-src/trunk/ext/openssl/ openssl.c xp_ssl.c
mj Mon, 25 Apr 2011 16:50:30 + Revision: http://svn.php.net/viewvc?view=revisionrevision=310476 Log: The project calls itself OpenSSL and not openSSL, so let's keep it that way in our code as well. Changed paths: U php/php-src/trunk/ext/openssl/openssl.c U php/php-src/trunk/ext/openssl/xp_ssl.c Modified: php/php-src/trunk/ext/openssl/openssl.c === --- php/php-src/trunk/ext/openssl/openssl.c 2011-04-25 15:22:09 UTC (rev 310475) +++ php/php-src/trunk/ext/openssl/openssl.c 2011-04-25 16:50:30 UTC (rev 310476) @@ -1020,8 +1020,8 @@ ERR_load_crypto_strings(); ERR_load_EVP_strings(); - /* register a resource id number with openSSL so that we can map SSL - stream structures in -* openSSL callbacks */ + /* register a resource id number with OpenSSL so that we can map SSL - stream structures in +* OpenSSL callbacks */ ssl_stream_data_index = SSL_get_ex_new_index(0, PHP stream index, NULL, NULL, NULL); REGISTER_STRING_CONSTANT(OPENSSL_VERSION_TEXT, OPENSSL_VERSION_TEXT, CONST_CS|CONST_PERSISTENT); Modified: php/php-src/trunk/ext/openssl/xp_ssl.c === --- php/php-src/trunk/ext/openssl/xp_ssl.c 2011-04-25 15:22:09 UTC (rev 310475) +++ php/php-src/trunk/ext/openssl/xp_ssl.c 2011-04-25 16:50:30 UTC (rev 310476) @@ -330,7 +330,7 @@ break; case STREAM_CRYPTO_METHOD_SSLv2_CLIENT: #ifdef OPENSSL_NO_SSL2 - php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2 support is not compiled into the openSSL library PHP is linked against); + php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2 support is not compiled into the OpenSSL library PHP is linked against); return -1; #else sslsock-is_client = 1; @@ -355,7 +355,7 @@ break; case STREAM_CRYPTO_METHOD_SSLv2_SERVER: #ifdef OPENSSL_NO_SSL2 - php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2 support is not compiled into the openSSL library PHP is linked against); + php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2 support is not compiled into the OpenSSL library PHP is linked against); return -1; #else sslsock-is_client = 0; @@ -923,7 +923,7 @@ sslsock-method = STREAM_CRYPTO_METHOD_SSLv23_CLIENT; } else if (strncmp(proto, sslv2, protolen) == 0) { #ifdef OPENSSL_NO_SSL2 - php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2 support is not compiled into the openSSL library PHP is linked against); + php_error_docref(NULL TSRMLS_CC, E_WARNING, SSLv2 support is not compiled into the OpenSSL library PHP is linked against); return NULL; #else sslsock-enable_on_connect = 1; -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/trunk/ext/openssl/ openssl.c tests/011.phpt tests/openssl_decrypt_error.phpt
pollita Wed, 19 May 2010 20:05:09 + Revision: http://svn.php.net/viewvc?view=revisionrevision=299508 Log: Add parameter to openssl_(en|de)crypt Changed paths: U php/php-src/trunk/ext/openssl/openssl.c U php/php-src/trunk/ext/openssl/tests/011.phpt U php/php-src/trunk/ext/openssl/tests/openssl_decrypt_error.phpt Modified: php/php-src/trunk/ext/openssl/openssl.c === --- php/php-src/trunk/ext/openssl/openssl.c 2010-05-19 19:34:58 UTC (rev 299507) +++ php/php-src/trunk/ext/openssl/openssl.c 2010-05-19 20:05:09 UTC (rev 299508) @@ -99,6 +99,7 @@ PHP_FUNCTION(openssl_digest); PHP_FUNCTION(openssl_encrypt); PHP_FUNCTION(openssl_decrypt); +PHP_FUNCTION(openssl_cipher_iv_length); PHP_FUNCTION(openssl_dh_compute_key); PHP_FUNCTION(openssl_random_pseudo_bytes); @@ -347,6 +348,7 @@ ZEND_ARG_INFO(0, method) ZEND_ARG_INFO(0, password) ZEND_ARG_INFO(0, raw_output) +ZEND_ARG_INFO(0, iv) ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_decrypt, 0, 0, 3) @@ -354,8 +356,13 @@ ZEND_ARG_INFO(0, method) ZEND_ARG_INFO(0, password) ZEND_ARG_INFO(0, raw_input) +ZEND_ARG_INFO(0, iv) ZEND_END_ARG_INFO() +ZEND_BEGIN_ARG_INFO(arginfo_openssl_cipher_iv_length, 0) +ZEND_ARG_INFO(0, method) +ZEND_END_ARG_INFO() + ZEND_BEGIN_ARG_INFO(arginfo_openssl_dh_compute_key, 0) ZEND_ARG_INFO(0, pub_key) ZEND_ARG_INFO(0, dh_key) @@ -408,6 +415,7 @@ PHP_FE(openssl_digest,arginfo_openssl_digest) PHP_FE(openssl_encrypt,arginfo_openssl_encrypt) PHP_FE(openssl_decrypt,arginfo_openssl_decrypt) + PHP_FE(openssl_cipher_iv_length, arginfo_openssl_cipher_iv_length) PHP_FE(openssl_sign,arginfo_openssl_sign) PHP_FE(openssl_verify,arginfo_openssl_verify) PHP_FE(openssl_seal,arginfo_openssl_seal) @@ -4585,19 +4593,54 @@ } /* }}} */ -/* {{{ proto string openssl_encrypt(string data, string method, string password [, bool raw_output=false]) +static zend_bool php_openssl_validate_iv(char **piv, int *piv_len, int iv_required_len) +{ + char *iv_new; + + /* Best case scenario, user behaved */ + if (*piv_len == iv_required_len) { + return 0; + } + + iv_new = ecalloc(1, iv_required_len + 1); + + if (*piv_len = 0) { + /* BC behavior */ + *piv_len = iv_required_len; + *piv = iv_new; + return 1; + } + + if (*piv_len iv_required_len) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, IV passed is only %d bytes long, cipher expects an IV of precisely %d bytes, padding with \\0, *piv_len, iv_required_len); + memcpy(iv_new, *piv, *piv_len); + *piv_len = iv_required_len; + *piv = iv_new; + return 1; + } + + php_error_docref(NULL TSRMLS_CC, E_WARNING, IV passed is %d bytes long which is longer than the %d expected by selected cipher, truncating, *piv_len, iv_required_len); + memcpy(iv_new, *piv, iv_required_len); + *piv_len = iv_required_len; + *piv = iv_new; + return 1; + +} + +/* {{{ proto string openssl_encrypt(string data, string method, string password [, bool raw_output=false [, string $iv='']]) Encrypts given data with given method and key, returns raw or base64 encoded string */ PHP_FUNCTION(openssl_encrypt) { zend_bool raw_output = 0; - char *data, *method, *password; - int data_len, method_len, password_len; + char *data, *method, *password, *iv = ; + int data_len, method_len, password_len, iv_len = 0; const EVP_CIPHER *cipher_type; EVP_CIPHER_CTX cipher_ctx; - int i, outlen, keylen, ivlen; - unsigned char *outbuf, *key, *iv; + int i, outlen, keylen; + unsigned char *outbuf, *key; + zend_bool free_iv; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, sss|b, data, data_len, method, method_len, password, password_len, raw_output) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, sss|bs, data, data_len, method, method_len, password, password_len, raw_output, iv, iv_len) == FAILURE) { return; } cipher_type = EVP_get_cipherbyname(method); @@ -4615,14 +4658,15 @@ key = (unsigned char*)password; } - ivlen = EVP_CIPHER_iv_length(cipher_type); - iv = emalloc(ivlen); - memset(iv, 0, ivlen); + if (iv_len = 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, Using an empty Initialization Vector (iv) is potentially insecure and not recommended); + } + free_iv = php_openssl_validate_iv(iv, iv_len, EVP_CIPHER_iv_length(cipher_type)); outlen = data_len + EVP_CIPHER_block_size(cipher_type); outbuf = emalloc(outlen + 1); - EVP_EncryptInit(cipher_ctx, cipher_type, key, iv); + EVP_EncryptInit(cipher_ctx, cipher_type, key, (unsigned char *)iv); EVP_EncryptUpdate(cipher_ctx, outbuf, i, (unsigned char *)data, data_len); outlen = i; if (EVP_EncryptFinal(cipher_ctx, (unsigned char *)outbuf + i, i)) { @@ -4645,25 +4689,28 @@ if (key != (unsigned char*)password) { efree(key); } - efree(iv); + if (free_iv) { + efree(iv); + } } /* }}} */ -/* {{{ proto string
Re: [PHP-CVS] svn: /php/php-src/trunk/ext/openssl/ openssl.c tests/011.phpt tests/openssl_decrypt_error.phpt
hi, Little notice for the doc team, please see the respective on internals for the details about this new parameter. Cheers, On Wed, May 19, 2010 at 10:05 PM, Sara Golemon poll...@php.net wrote: pollita Wed, 19 May 2010 20:05:09 + Revision: http://svn.php.net/viewvc?view=revisionrevision=299508 Log: Add parameter to openssl_(en|de)crypt Changed paths: U php/php-src/trunk/ext/openssl/openssl.c U php/php-src/trunk/ext/openssl/tests/011.phpt U php/php-src/trunk/ext/openssl/tests/openssl_decrypt_error.phpt -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Pierre @pierrejoye | http://blog.thepimp.net | http://www.libgd.org -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/trunk/ext/openssl/ openssl.c
tony2001 Thu, 22 Apr 2010 16:00:45 + Revision: http://svn.php.net/viewvc?view=revisionrevision=298332 Log: fix typo Changed paths: U php/php-src/trunk/ext/openssl/openssl.c Modified: php/php-src/trunk/ext/openssl/openssl.c === --- php/php-src/trunk/ext/openssl/openssl.c 2010-04-22 15:59:44 UTC (rev 298331) +++ php/php-src/trunk/ext/openssl/openssl.c 2010-04-22 16:00:45 UTC (rev 298332) @@ -4451,7 +4451,7 @@ return NULL; } - if (SSL_CTX_use_PrivateKey_file(ctx, reso, SSL_FILETYPE_PEM) != 1) { + if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) { php_error_docref(NULL TSRMLS_CC, E_WARNING, Unable to set private key file `%s', resolved_path_buff); return NULL; } -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/trunk/ext/openssl/ openssl.c tests/sni_001.phpt xp_ssl.c
lbarnaud Wed, 21 Oct 2009 16:10:19 + Revision: http://svn.php.net/viewvc?view=revisionrevision=289831 Log: Added client-side Server Name Indication (SNI) support in OpenSSL extension. # # [DOC] # # New SSL context options : # # - SNI_enabled : Set to FALSE to disable SNI support (enabled by default) # - SNI_server_name : If not set, the server name will be guessed from the # stream URL (e.g. https://example.com/ will use example.com as hostname.), # else the given name will be used. # # SNI is to SSL/TLS what the Host header is for HTTP : it allows multiple # certificates on the same IP address. # # As for HTTP virtual hosts, this should be totaly transparent in most cases. # # Context options allows more control, e.g. : # # $context = stream_context_create(array( # 'ssl' = array('SNI_server_name' = 'foo.example.com'), # 'http' = array('header' = 'Host: foo.example.com'), # )); # file_get_contents('https://127.0.0.1/', false, $context); # # OpenSSL = 0.9.8j supports SNI (by default since OpenSSL 0.9.8k). Changed paths: U php/php-src/trunk/ext/openssl/openssl.c A php/php-src/trunk/ext/openssl/tests/sni_001.phpt U php/php-src/trunk/ext/openssl/xp_ssl.c Modified: php/php-src/trunk/ext/openssl/openssl.c === --- php/php-src/trunk/ext/openssl/openssl.c 2009-10-21 13:06:40 UTC (rev 289830) +++ php/php-src/trunk/ext/openssl/openssl.c 2009-10-21 16:10:19 UTC (rev 289831) @@ -1036,6 +1036,11 @@ REGISTER_LONG_CONSTANT(OPENSSL_KEYTYPE_EC, OPENSSL_KEYTYPE_EC, CONST_CS|CONST_PERSISTENT); #endif +#if OPENSSL_VERSION_NUMBER = 0x0090806fL !defined(OPENSSL_NO_TLSEXT) + /* SNI support included in OpenSSL = 0.9.8j */ + REGISTER_LONG_CONSTANT(OPENSSL_TLSEXT_SERVER_NAME, 1, CONST_CS|CONST_PERSISTENT); +#endif + /* Determine default SSL configuration file */ config_filename = getenv(OPENSSL_CONF); if (config_filename == NULL) { Added: php/php-src/trunk/ext/openssl/tests/sni_001.phpt === --- php/php-src/trunk/ext/openssl/tests/sni_001.phpt (rev 0) +++ php/php-src/trunk/ext/openssl/tests/sni_001.phpt 2009-10-21 16:10:19 UTC (rev 289831) @@ -0,0 +1,178 @@ +--TEST-- +SNI 001 +--SKIPIF-- +?php + if (!extension_loaded('openssl')) die(skip openssl extension not available); + if (!getenv('SNI_TESTS')) die(skip Set SNI_TESTS to enable this test (uses remote resources)); +? +--FILE-- +?php +/* Server Name Indication (SNI) tests + * + * This test relies on https://sni.velox.ch/ and thus is disabled by default. + * + * sni.velox.ch uses 3 certificates : + * - CN=alice.sni.velox.ch (sent in response to server_name = alice.sni.velox.ch or not set) + * - CN=bob.sni.velox.ch (sent in response to server_name = bob.sni.velox.ch) + * - CN=*.sni.velox.ch (sent in response to server_name = mallory.sni.velox.ch or *.sni.velox.ch or sni.velox.ch) + * + * The test sends requests to the server, sending different names, and checks which certificate + * the server returned. + */ + +function context() { + return stream_context_create(array( + 'ssl' = array( + 'capture_peer_cert' = true, + ), + )); +} + +function get_CN($context) { + + $ary = stream_context_get_options($context); + assert($ary); + + $cert = $ary['ssl']['peer_certificate']; + assert($cert); + + $cert_ary = openssl_x509_parse($cert); + return $cert_ary['subject']['CN']; +} + +function do_http_test($url, $context) { + + $fh = fopen($url, 'r', false, $context); + assert($fh); + + var_dump(get_CN($context)); +} + +function do_ssl_test($url, $context) { + + $fh = stream_socket_client($url, $errno, $errstr, + ini_get(default_socket_timeout), STREAM_CLIENT_CONNECT, $context); + assert($fh); + + var_dump(get_CN($context)); +} + +function do_enable_crypto_test($url, $context) { + + $fh = stream_socket_client($url, $errno, $errstr, + ini_get(default_socket_timeout), STREAM_CLIENT_CONNECT, $context); + assert($fh); + + $r = stream_socket_enable_crypto($fh, true, STREAM_CRYPTO_METHOD_TLS_CLIENT); + assert($r); + + var_dump(get_CN($context)); +} + +/* Test https:// streams */ + +echo -- auto host name (1) --\n; +do_http_test('https://alice.sni.velox.ch/', context()); + +echo -- auto host name (2) --\n; +do_http_test('https://bob.sni.velox.ch/', context()); + +echo -- auto host name (3) --\n; +do_http_test('https://bob.sni.velox.ch./', context()); + +echo -- user supplied server name --\n; + +$context = context(); +stream_context_set_option($context, 'ssl', 'SNI_server_name', 'bob.sni.velox.ch'); +stream_context_set_option($context, 'http', 'header', b'Host: bob.sni.velox.ch'); +do_http_test('https://alice.sni.velox.ch/', $context); + +echo -- sni disabled --\n; + +$context = context(); +stream_context_set_option($context, 'ssl', 'SNI_enabled', false); +do_http_test('https://bob.sni.velox.ch/', $context); + +/* Test ssl:// socket streams */ + +echo -- raw SSL stream (1) --\n;