| author | Ondřej Surý <ondrej@sury.org> | 2014-08-01 11:17:13 +0200 |
|---|---|---|
| committer | Ondřej Surý <ondrej@sury.org> | 2014-08-01 11:17:13 +0200 |
| commit | b60f6e95a473d1ae97fdf20cec4cfefc06b24ec2 (patch) | |
| tree | e92e8d3c102992bc63eae4327d3498e7203a9168 /ext/openssl | |
| parent | 09ed144817606a3a835391b12455e6d9cb3a0ae2 (diff) | |
| download | php-b60f6e95a473d1ae97fdf20cec4cfefc06b24ec2.tar.gz | |
New upstream version 5.6.0~rc3+dfsg
upstream/5.6.0_rc3+dfsg
Diffstat (limited to 'ext/openssl')
| -rwxr-xr-x | ext/openssl/openssl.c | 11 | ||||
| -rw-r--r-- | ext/openssl/tests/026.phpt | 12 | ||||
| -rw-r--r-- | ext/openssl/xp_ssl.c | 9 |
3 files changed, 24 insertions, 8 deletions
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 0d9b9564d..140d75382 100755
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -841,13 +841,13 @@ static int add_oid_section(struct php_x509_request * req TSRMLS_DC) /* {{{ */
 req->config_filename, req->var, req->req_config TSRMLS_CC) == FAILURE) return FAILURE
 #define SET_OPTIONAL_STRING_ARG(key, varname, defval) \
- if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) \
+ if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING) \
 varname = Z_STRVAL_PP(item); \
 else \
 varname = defval
 #define SET_OPTIONAL_LONG_ARG(key, varname, defval) \
- if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) \
+ if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_LONG) \
 varname = Z_LVAL_PP(item); \
 else \
 varname = defval
@@ -907,7 +907,8 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
 }
 }
- if (req->priv_key_encrypt && optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key_cipher", sizeof("encrypt_key_cipher"), (void**)&item) == SUCCESS) {
+ if (req->priv_key_encrypt && optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key_cipher", sizeof("encrypt_key_cipher"), (void**)&item) == SUCCESS
+ && Z_TYPE_PP(item) == IS_LONG) {
 long cipher_algo = Z_LVAL_PP(item);
 const EVP_CIPHER* cipher = php_openssl_get_evp_cipher_from_algo(cipher_algo);
 if (cipher == NULL) {
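Review bot: The `Z_TYPE_PP(item) == IS_STRING` / `IS_LONG` guards added to SET_OPTIONAL_STRING_ARG and SET_OPTIONAL_LONG_ARG send a present-but-mistyped option into the `else` branch, so the caller's value is replaced by `defval` with no diagnostic and the misconfiguration becomes indistinguishable from an omitted key. The `encrypt_key_cipher` check in the -907 hunk and the `friendly_name` checks in the two openssl_pkcs12_export hunks below share this silent fallback. A warning through `php_error_docref` when the key is found with the wrong type would keep the new safety without hiding caller errors, and since the macro bodies are being touched, wrapping them in `do { ... } while (0)` would also remove the dangling-`else` hazard of an unbraced `if`/`else` macro. The rewrite below shows the string variant; the long variant is the same shape with `IS_LONG` and `Z_LVAL_PP`, and it assumes a TSRMLS context is available where the macros are expanded.
```c
#define SET_OPTIONAL_STRING_ARG(key, varname, defval) \
	do { \
		varname = defval; \
		if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) { \
			if (Z_TYPE_PP(item) == IS_STRING) \
				varname = Z_STRVAL_PP(item); \
			else \
				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Option %s must be a string, using default", key); \
		} \
	} while (0)
/* … SET_OPTIONAL_LONG_ARG: same shape with IS_LONG / Z_LVAL_PP … */
```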
@@ -2455,7 +2456,7 @@ PHP_FUNCTION(openssl_pkcs12_export_to_file)
 }
 /* parse extra config from args array, promote this to an extra function */
- if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS)
+ if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING)
 friendly_name = Z_STRVAL_PP(item);
 /* certpbe (default RC2-40)
 keypbe (default 3DES)
@@ -2533,7 +2534,7 @@ PHP_FUNCTION(openssl_pkcs12_export)
 }
 /* parse extra config from args array, promote this to an extra function */
- if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS)
+ if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING)
 friendly_name = Z_STRVAL_PP(item);
 if (args && zend_hash_find(Z_ARRVAL_P(args), "extracerts", sizeof("extracerts"), (void**)&item) == SUCCESS)
diff --git a/ext/openssl/tests/026.phpt b/ext/openssl/tests/026.phpt
new file mode 100644
index 000000000..38d626d74
--- /dev/null
+++ b/ext/openssl/tests/026.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Options type checks
+--SKIPIF--
+<?php if (!extension_loaded("openssl")) print "skip"; ?>
+--FILE--
+<?php
+$x = openssl_pkey_new();
+$csr = openssl_csr_new(["countryName" => "DE"], $x, ["x509_extensions" => 0xDEADBEEF]);
+?>
+DONE
+--EXPECT--
+DONE
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index c6a91570c..ba35c8828 100644
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
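Review bot: The `friendly_name` block, including the new `&& Z_TYPE_PP(item) == IS_STRING` guard, is now duplicated verbatim in openssl_pkcs12_export_to_file here and in openssl_pkcs12_export in the -2533 hunk, and the comment directly above it (`/* parse extra config from args array, promote this to an extra function */`) already asks for it to be factored out. Keeping two copies means the next fix to this parsing has to be made twice and the type checks can drift apart; a small static helper that takes the `args` array and fills `friendly_name` (and the other optional keys) would give both functions one set of checks. Both enclosing functions start and end outside the hunks.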
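Review bot: The `extracerts` lookup on the last line of this hunk is still accepted without a type check, while `friendly_name` two lines above now requires `IS_STRING`; what the code does with `item` afterwards is outside the hunk, so whether a mistyped value is handled there cannot be seen here. If the consumer does not validate the zval type itself, adding a type condition to that `if` (for example `&& Z_TYPE_PP(item) == IS_ARRAY`, widened if a single certificate value is also accepted there) would keep the same mistyped-option class of bug out of the extracerts path and make the two lookups consistent. PHP_FUNCTION(openssl_pkcs12_export) continues past the hunk.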
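Review bot: The new test only drives the string-option path (`x509_extensions` given the integer `0xDEADBEEF` to openssl_csr_new) and passes as soon as the script prints `DONE`; the long-option path guarded by `IS_LONG`, the `encrypt_key_cipher` check and the `friendly_name` checks added in the same commit get no coverage, and `$csr` is never inspected. A second call that hands a string to a long-typed option, plus a `var_dump($csr !== false);`-style check (or an `--EXPECTF--` for a warning if one is emitted on mismatch), would pin the intended fallback behaviour rather than only the absence of a crash.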
@@ -274,11 +274,12 @@ static zend_bool matches_wildcard_name(const char *subjectname, const char *cert
 return 1;
 }
- if (!(wildcard = strchr(certname, '*'))) {
+ /* wildcard, if present, must only be present in the left-most component */
+ if (!(wildcard = strchr(certname, '*')) || memchr(certname, '.', wildcard - certname)) {
 return 0;
 }
- // 1) prefix, if not empty, must match subject
+ /* 1) prefix, if not empty, must match subject */
 prefix_len = wildcard - certname;
 if (prefix_len && strncasecmp(subjectname, certname, prefix_len) != 0) {
 return 0;
@@ -321,7 +322,7 @@ static zend_bool matches_san_list(X509 *peer, const char *subject_name TSRMLS_DC
 if (san_name_len != strlen((const char*)cert_name)) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer SAN entry is malformed");
 } else {
- is_match = strcasecmp(subject_name, (const char*)cert_name) == 0;
+ is_match = matches_wildcard_name(subject_name, (const char *)cert_name);
 }
 OPENSSL_free(cert_name);
@@ -1164,12 +1165,14 @@ static int set_server_specific_opts(php_stream *stream, SSL_CTX *ctx TSRMLS_DC)
 ssl_ctx_options |= SSL_OP_SINGLE_DH_USE;
 }
+#ifdef HAVE_ECDH
 if (SUCCESS == php_stream_context_get_option( stream->context, "ssl", "single_ecdh_use", &val) && zend_is_true(*val) ) {
 ssl_ctx_options |= SSL_OP_SINGLE_ECDH_USE;
 }
+#endif
 SSL_CTX_set_options(ctx, ssl_ctx_options); |
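Review bot: The added `memchr(certname, '.', wildcard - certname)` test confines the `*` to the left-most label, but the hunk places no lower bound on the suffix, so a presented name such as `*.com` or a bare `*` gets past this check, and whether the `*` is limited to a single subject label depends on the suffix comparison that continues below the hunk. Because the -321 hunk now routes every DNS SAN through matches_wildcard_name, the accepted wildcard shapes govern all peer verification; common TLS verifiers reject a wildcard that would span an entire top-level domain, which here could be `const char *dot = strchr(wildcard + 1, '.'); if (!dot || !strchr(dot + 1, '.')) { return 0; }` placed right after the new check. matches_wildcard_name starts and ends outside the hunk.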
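Review bot: `matches_wildcard_name(subject_name, (const char *)cert_name)` applies DNS wildcard rules to this SAN entry, which is only right for `GEN_DNS` identifiers; the type dispatch that selects this branch is above the hunk, so confirm that IP-address or other SAN types, if this loop handles them, never reach this comparison, since those must match literally. A comment on the assignment such as `/* DNS-ID: wildcard matching per RFC 6125; IP-IDs must compare literally elsewhere */` would record that assumption. The `san_name_len != strlen(...)` guard above it is what keeps names with embedded NUL bytes out of the comparison and deserves a short comment too, e.g. `/* reject SAN names with embedded NUL bytes */`. matches_san_list continues past the hunk.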
