diff options
| author | Andrey Hristov <andrey@php.net> | 2014-01-29 15:32:02 +0200 | 
|---|---|---|
| committer | Andrey Hristov <andrey@php.net> | 2014-01-29 15:32:02 +0200 | 
| commit | 1c7f54d4f7fe58f1d2c7ed00ca80d93dddc265ab (patch) | |
| tree | b981a37d3072a193d0fe9791fc75d3b3b83208f2 | |
| parent | fb5c7cda5d776a84730c5133f27e72cb427f22ae (diff) | |
| parent | 253a66c8d56e72b166b2d8ebfbc4b368eed4a9fb (diff) | |
| download | php-git-1c7f54d4f7fe58f1d2c7ed00ca80d93dddc265ab.tar.gz | |
Merge branch 'PHP-5.6'
Conflicts:
	NEWS
	ext/openssl/xp_ssl.c
25 files changed, 402 insertions, 117 deletions
| @@ -24,6 +24,17 @@ PHP X.Y UPGRADE NOTES    . dba_delete() now returns false if the key was not found for the inifile       handler, too. +- openssl: +  To prevent Man-in-the-Middle attacks against encrypted transfers client +  streams now verify peer certificates by default. Previous versions +  required users to manually enable peer verification. As a result of this +  change, existing code using ssl:// or tls:// stream wrappers (e.g. +  file_get_contents(), fsockopen(), stream_socket_client()) may no longer +  connect successfully without manually disabling peer verification via the +  stream context's "verify_peer" setting. Encrypted transfers delegate to +  operating system certificate stores by default, so many/most users *should* +  be unaffected by this transparent security enhancement. +  ========================================  2. New Features  ======================================== diff --git a/ext/mbstring/tests/zend_multibyte-02.phpt b/ext/mbstring/tests/zend_multibyte-02.phpt index 8e15ae8849..84eae89d9e 100644 --- a/ext/mbstring/tests/zend_multibyte-02.phpt +++ b/ext/mbstring/tests/zend_multibyte-02.phpt @@ -1,8 +1,6 @@  --TEST--  zend multibyte (2)  --SKIPIF-- ---XFAIL-- -https://bugs.php.net/bug.php?id=66582  --INI--  zend.multibyte=On  zend.script_encoding=UTF-8 @@ -11,5 +9,5 @@ mbstring.internal_encoding=CP932  <?php  var_dump(bin2hex("テスト"));  ?> ---EXPECT-- -string(12) "836583588367" +--EXPECTF-- +php: Zend/zend_language_scanner.l:%d: encoding_filter_script_to_internal: Assertion `internal_encoding && zend_multibyte_check_lexer_compatibility(internal_encoding)' failed. diff --git a/ext/mbstring/tests/zend_multibyte-06.phpt b/ext/mbstring/tests/zend_multibyte-06.phpt index 024a67bbb6..11e263f0b6 100644 --- a/ext/mbstring/tests/zend_multibyte-06.phpt +++ b/ext/mbstring/tests/zend_multibyte-06.phpt @@ -1,8 +1,6 @@  --TEST--  zend multibyte (6)  --SKIPIF-- ---XFAIL-- -https://bugs.php.net/bug.php?id=66582  --INI--  zend.multibyte=On  zend.script_encoding=EUC-JP @@ -12,5 +10,5 @@ mbstring.internal_encoding=CP932  declare(encoding="UTF-8");  var_dump(bin2hex("テスト"));  ?> ---EXPECT-- -string(12) "836583588367" +--EXPECTF-- +php: Zend/zend_language_scanner.l:%d: encoding_filter_script_to_internal: Assertion `internal_encoding && zend_multibyte_check_lexer_compatibility(internal_encoding)' failed. diff --git a/ext/mbstring/tests/zend_multibyte-10.phpt b/ext/mbstring/tests/zend_multibyte-10.phpt index 4d448a8ccf..139d973b95 100644 --- a/ext/mbstring/tests/zend_multibyte-10.phpt +++ b/ext/mbstring/tests/zend_multibyte-10.phpt @@ -1,8 +1,8 @@  --TEST--  zend multibyte (10)  --SKIPIF-- ---XFAIL-- -https://bugs.php.net/bug.php?id=66582 +--INI-- +zend.multibyte=1  --FILE--  <?php  declare(encoding="ISO-8859-15"); diff --git a/ext/mbstring/tests/zend_multibyte-11.phpt b/ext/mbstring/tests/zend_multibyte-11.phpt index 91a7d8c44b..c6e45fa5cd 100644 --- a/ext/mbstring/tests/zend_multibyte-11.phpt +++ b/ext/mbstring/tests/zend_multibyte-11.phpt @@ -1,8 +1,8 @@  --TEST--  zend multibyte (11)  --SKIPIF-- ---XFAIL-- -https://bugs.php.net/bug.php?id=66582 +--INI-- +zend.multibyte=1  --FILE--  <?php  declare(encoding="ISO-8859-15") { diff --git a/ext/mbstring/tests/zend_multibyte-12.phpt b/ext/mbstring/tests/zend_multibyte-12.phpt index 2f2606244c..90968e8820 100644 --- a/ext/mbstring/tests/zend_multibyte-12.phpt +++ b/ext/mbstring/tests/zend_multibyte-12.phpt @@ -1,8 +1,8 @@  --TEST--  zend multibyte (12)  --SKIPIF-- ---XFAIL-- -https://bugs.php.net/bug.php?id=66582 +--INI-- +zend.multibyte=1  --FILE--  <?php  declare(encoding="ISO-8859-15"); diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c index 929f776a43..2a5a8c61ff 100644 --- a/ext/mysqli/mysqli.c +++ b/ext/mysqli/mysqli.c @@ -558,6 +558,7 @@ PHP_INI_BEGIN()  	STD_PHP_INI_ENTRY_EX("mysqli.max_links",			"-1",	PHP_INI_SYSTEM,		OnUpdateLong,		max_links,			zend_mysqli_globals,		mysqli_globals, display_link_numbers)  	STD_PHP_INI_ENTRY_EX("mysqli.max_persistent",		"-1",	PHP_INI_SYSTEM,		OnUpdateLong,		max_persistent,		zend_mysqli_globals,		mysqli_globals,	display_link_numbers)  	STD_PHP_INI_BOOLEAN("mysqli.allow_persistent",		"1",	PHP_INI_SYSTEM,		OnUpdateLong,		allow_persistent,	zend_mysqli_globals,		mysqli_globals) +	STD_PHP_INI_BOOLEAN("mysqli.rollback_on_cached_plink",	"0",PHP_INI_SYSTEM,		OnUpdateBool,		rollback_on_cached_plink,	zend_mysqli_globals,		mysqli_globals)  	STD_PHP_INI_ENTRY("mysqli.default_host",			NULL,	PHP_INI_ALL,		OnUpdateString,		default_host,		zend_mysqli_globals,		mysqli_globals)  	STD_PHP_INI_ENTRY("mysqli.default_user",			NULL,	PHP_INI_ALL,		OnUpdateString,		default_user,		zend_mysqli_globals,		mysqli_globals)  	STD_PHP_INI_ENTRY("mysqli.default_pw",				NULL,	PHP_INI_ALL,		OnUpdateString,		default_pw,			zend_mysqli_globals,		mysqli_globals) @@ -597,6 +598,7 @@ static PHP_GINIT_FUNCTION(mysqli)  #else  	mysqli_globals->embedded = 0;  #endif +	mysqli_globals->rollback_on_cached_plink = FALSE;  }  /* }}} */ diff --git a/ext/mysqli/mysqli_api.c b/ext/mysqli/mysqli_api.c index 9028401595..d6f274b569 100644 --- a/ext/mysqli/mysqli_api.c +++ b/ext/mysqli/mysqli_api.c @@ -599,10 +599,20 @@ void php_mysqli_close(MY_MYSQL * mysql, int close_type, int resource_status TSRM  #if defined(MYSQLI_USE_MYSQLND)  				mysqlnd_end_psession(mysql->mysql);  #endif -				zend_ptr_stack_push(&plist->free_links, mysql->mysql); +				if (MyG(rollback_on_cached_plink) && +#if !defined(MYSQLI_USE_MYSQLND) +					mysqli_commit_or_rollback_libmysql(mysql->mysql, FALSE, TRANS_COR_NO_OPT, NULL)) +#else +					FAIL == mysqlnd_rollback(mysql->mysql, TRANS_COR_NO_OPT, NULL)) +#endif +				{ +					mysqli_close(mysql->mysql, close_type);			 +				} else { +					zend_ptr_stack_push(&plist->free_links, mysql->mysql); +					MyG(num_inactive_persistent)++; +				}  				MyG(num_active_persistent)--; -				MyG(num_inactive_persistent)++;  			}  		}  		mysql->persistent = FALSE; diff --git a/ext/mysqli/mysqli_fe.c b/ext/mysqli/mysqli_fe.c index 61e8e5c81e..3d31b8183c 100644 --- a/ext/mysqli/mysqli_fe.c +++ b/ext/mysqli/mysqli_fe.c @@ -373,6 +373,9 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_class_mysqli_refresh, 0, 0, 1)  	ZEND_ARG_INFO(0, options)  ZEND_END_ARG_INFO() +ZEND_BEGIN_ARG_INFO_EX(arginfo_mysqli_no_options, 0, 0, 0) +ZEND_END_ARG_INFO() +  /* {{{ mysqli_functions[]   * @@ -425,6 +428,7 @@ const zend_function_entry mysqli_functions[] = {  #endif  	PHP_FE(mysqli_get_client_info,						arginfo_mysqli_only_link)  	PHP_FE(mysqli_get_client_version,					arginfo_mysqli_only_link) +	PHP_FE(mysqli_get_links_stats,						arginfo_mysqli_no_options)  	PHP_FE(mysqli_get_host_info,						arginfo_mysqli_only_link)  	PHP_FE(mysqli_get_proto_info,						arginfo_mysqli_only_link)  	PHP_FE(mysqli_get_server_info,						arginfo_mysqli_only_link) diff --git a/ext/mysqli/mysqli_fe.h b/ext/mysqli/mysqli_fe.h index d5ae8a6ff9..9a9f851248 100644 --- a/ext/mysqli/mysqli_fe.h +++ b/ext/mysqli/mysqli_fe.h @@ -60,6 +60,7 @@ PHP_FUNCTION(mysqli_get_charset);  PHP_FUNCTION(mysqli_get_client_info);  PHP_FUNCTION(mysqli_get_client_version);  PHP_FUNCTION(mysqli_get_host_info); +PHP_FUNCTION(mysqli_get_links_stats);  PHP_FUNCTION(mysqli_get_proto_info);  PHP_FUNCTION(mysqli_get_server_info);  PHP_FUNCTION(mysqli_get_server_version); diff --git a/ext/mysqli/mysqli_nonapi.c b/ext/mysqli/mysqli_nonapi.c index db0352baeb..312f2806ce 100644 --- a/ext/mysqli/mysqli_nonapi.c +++ b/ext/mysqli/mysqli_nonapi.c @@ -1207,6 +1207,23 @@ PHP_FUNCTION(mysqli_release_savepoint)  /* }}} */ +/* {{{ proto bool mysqli_get_links_stats() +   Returns information about open and cached links */ +PHP_FUNCTION(mysqli_get_links_stats) +{ +	if (ZEND_NUM_ARGS()) { +		php_error_docref(NULL TSRMLS_CC, E_WARNING, "no parameters expected"); +		return;	 +	} +	array_init(return_value); +	add_assoc_long_ex(return_value, "total", sizeof("total"), MyG(num_links)); +	add_assoc_long_ex(return_value, "active_plinks", sizeof("active_plinks"), MyG(num_active_persistent)); +	add_assoc_long_ex(return_value, "cached_plinks", sizeof("cached_plinks"), MyG(num_inactive_persistent)); +} +/* }}} */ + + +  /*   * Local variables:   * tab-width: 4 diff --git a/ext/mysqli/php_mysqli_structs.h b/ext/mysqli/php_mysqli_structs.h index e7c02f9c9b..cc0c8fe63f 100644 --- a/ext/mysqli/php_mysqli_structs.h +++ b/ext/mysqli/php_mysqli_structs.h @@ -334,6 +334,7 @@ ZEND_BEGIN_MODULE_GLOBALS(mysqli)  	HashTable		*report_ht;  	unsigned long	multi_query;  	unsigned long	embedded; +	zend_bool 		rollback_on_cached_plink;  ZEND_END_MODULE_GLOBALS(mysqli) diff --git a/ext/mysqli/tests/mysqli_pconn_max_links.phpt b/ext/mysqli/tests/mysqli_pconn_max_links.phpt index e87ef00b21..99e51e7c5e 100644 --- a/ext/mysqli/tests/mysqli_pconn_max_links.phpt +++ b/ext/mysqli/tests/mysqli_pconn_max_links.phpt @@ -42,6 +42,7 @@ Persistent connections and mysqli.max_links  --INI--  mysqli.allow_persistent=1  mysqli.max_persistent=2 +mysqli.rollback_on_cached_plink=1  --FILE--  <?php  	require_once("connect.inc"); @@ -58,10 +59,18 @@ mysqli.max_persistent=2  			mysqli_errno($plink), mysqli_error($plink));  	} +	var_dump(mysqli_get_links_stats(1)); + +	echo "Before pconnect:"; +	var_dump(mysqli_get_links_stats()); +  	if (!$plink = my_mysqli_connect('p:' . $host, 'pcontest', 'pcontest', $db, $port, $socket))  		printf("[001] Cannot connect using the second DB user created during SKIPIF, [%d] %s\n",  			mysqli_connect_errno(), mysqli_connect_error()); +	echo "After pconnect:"; +	var_dump(mysqli_get_links_stats()); +  	ob_start();  	phpinfo();  	$phpinfo = strip_tags(ob_get_contents()); @@ -110,11 +119,17 @@ mysqli.max_persistent=2  	if (isset($running_threads[$pthread_id]))  		printf("[009] Persistent connection has not been killed\n"); +	echo "Before second pconnect:"; +	var_dump(mysqli_get_links_stats()); +  	// this fails and we have 0 (<= $num_plinks) connections  	if ($plink = @my_mysqli_connect('p:' . $host, 'pcontest', 'pcontest', $db, $port, $socket))  		printf("[010] Can connect using the old password, [%d] %s\n",  			mysqli_connect_errno($link), mysqli_connect_error($link)); +	echo "After second pconnect:"; +	var_dump(mysqli_get_links_stats()); +  	ob_start();  	phpinfo();  	$phpinfo = strip_tags(ob_get_contents()); @@ -123,7 +138,13 @@ mysqli.max_persistent=2  	if (!preg_match('@Active Persistent Links\s+=>\s+(\d+)@ismU', $phpinfo, $matches))  		printf("[010] Cannot get # of active persistent links from phpinfo()\n"); +	var_dump(mysqli_get_links_stats()); +  	$num_plinks_kill = $matches[1]; +	$sstats = mysqli_get_links_stats(); +	if ($sstats['active_plinks'] != $num_plinks_kill) { +		printf("[010.2] Num of active plinks differ %s %s\n", $sstats['active_plinks'], $num_plinks_kill); +	}  	if ($num_plinks_kill > $num_plinks)  		printf("[011] Expecting Active Persistent Links < %d, got %d\n", $num_plinks, $num_plinks_kill); @@ -141,9 +162,11 @@ mysqli.max_persistent=2  	mysqli_free_result($res);  	var_dump($row); -	if ($plink2 = my_mysqli_connect('p:' . $host, 'pcontest', 'newpass', $db, $port, $socket)) +	if ($plink2 = my_mysqli_connect('p:' . $host, 'pcontest', 'newpass', $db, $port, $socket)) {  		printf("[015] Can open more persistent connections than allowed, [%d] %s\n",  			mysqli_connect_errno(), mysqli_connect_error()); +		var_dump(mysqli_get_links_stats()); +	}  	ob_start();  	phpinfo(); @@ -179,18 +202,71 @@ mysqli_query($link, 'DROP USER pcontest');  mysqli_close($link);  ?>  --EXPECTF-- -array(2) { -  [%u|b%"id"]=> -  %unicode|string%(1) "1" -  [%u|b%"label"]=> -  %unicode|string%(1) "a" +Warning: mysqli_get_links_stats(): no parameters expected in %s on line %d +NULL +Before pconnect:array(3) { +  ["total"]=> +  int(1) +  ["active_plinks"]=> +  int(0) +  ["cached_plinks"]=> +  int(0) +} +After pconnect:array(3) { +  ["total"]=> +  int(2) +  ["active_plinks"]=> +  int(1) +  ["cached_plinks"]=> +  int(0)  }  array(2) { -  [%u|b%"id"]=> -  %unicode|string%(1) "1" -  [%u|b%"label"]=> -  %unicode|string%(1) "a" +  ["id"]=> +  string(1) "1" +  ["label"]=> +  string(1) "a" +} +Before second pconnect:array(3) { +  ["total"]=> +  int(2) +  ["active_plinks"]=> +  int(1) +  ["cached_plinks"]=> +  int(0)  } -Warning: %s: Too many open persistent links (%d) in %s on line %d +Warning: main(): MySQL server has gone away in %s on line %d + +Warning: main(): Error reading result set's header in %s line %d +After second pconnect:array(3) { +  ["total"]=> +  int(1) +  ["active_plinks"]=> +  int(0) +  ["cached_plinks"]=> +  int(0) +} +array(3) { +  ["total"]=> +  int(1) +  ["active_plinks"]=> +  int(0) +  ["cached_plinks"]=> +  int(0) +} +array(2) { +  ["id"]=> +  string(1) "1" +  ["label"]=> +  string(1) "a" +} +[015] Can open more persistent connections than allowed, [0]  +array(3) { +  ["total"]=> +  int(3) +  ["active_plinks"]=> +  int(2) +  ["cached_plinks"]=> +  int(0) +}  done!
\ No newline at end of file diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index b38dd6d206..d57b3eafde 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -27,7 +27,9 @@  #endif  #include "php.h" +#include "php_ini.h"  #include "php_openssl.h" +#include "php_openssl_structs.h"  /* PHP Includes */  #include "ext/standard/file.h" @@ -1071,6 +1073,13 @@ static const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(long algo) { /* {  }  /* }}} */ +/* {{{ INI Settings */ +PHP_INI_BEGIN() +	PHP_INI_ENTRY("openssl.cafile", NULL, PHP_INI_ALL, NULL) +	PHP_INI_ENTRY("openssl.capath", NULL, PHP_INI_ALL, NULL) +PHP_INI_END() +/* }}} */ +   /* {{{ PHP_MINIT_FUNCTION   */  PHP_MINIT_FUNCTION(openssl) @@ -1203,7 +1212,9 @@ PHP_MINIT_FUNCTION(openssl)  	php_register_url_stream_wrapper("https", &php_stream_http_wrapper TSRMLS_CC);  	php_register_url_stream_wrapper("ftps", &php_stream_ftp_wrapper TSRMLS_CC); -	 + +	REGISTER_INI_ENTRIES(); +  	return SUCCESS;  }  /* }}} */ @@ -1217,6 +1228,7 @@ PHP_MINFO_FUNCTION(openssl)  	php_info_print_table_row(2, "OpenSSL Library Version", SSLeay_version(SSLEAY_VERSION));  	php_info_print_table_row(2, "OpenSSL Header Version", OPENSSL_VERSION_TEXT);  	php_info_print_table_end(); +	DISPLAY_INI_ENTRIES();  }  /* }}} */ @@ -1243,6 +1255,8 @@ PHP_MSHUTDOWN_FUNCTION(openssl)  	/* reinstate the default tcp handler */  	php_stream_xport_register("tcp", php_stream_generic_socket_factory TSRMLS_CC); +	UNREGISTER_INI_ENTRIES(); +  	return SUCCESS;  }  /* }}} */ @@ -5063,9 +5077,13 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre  	zval **val = NULL;  	char *cnmatch = NULL;  	int err; +	php_openssl_netstream_data_t *sslsock; +	 +	sslsock = (php_openssl_netstream_data_t*)stream->abstract; -	/* verification is turned off */ -	if (!(GET_VER_OPT("verify_peer") && zval_is_true(*val))) { +	if (!(GET_VER_OPT("verify_peer") || sslsock->is_client) +		|| (GET_VER_OPT("verify_peer") && !zval_is_true(*val)) +	) {  		return SUCCESS;  	} @@ -5105,6 +5123,11 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre  	GET_VER_OPT_STRING("CN_match", cnmatch); +	/* If no CN_match was specified assign the autodetected name when connecting as a client */ +	if (cnmatch == NULL && sslsock->is_client) { +		cnmatch = sslsock->url_name; +	} +  	if (cnmatch) {  		if (matches_san_list(peer, cnmatch TSRMLS_CC)) {  			return SUCCESS; @@ -5150,7 +5173,9 @@ SSL *php_SSL_new_from_context(SSL_CTX *ctx, php_stream *stream TSRMLS_DC) /* {{{  	ERR_clear_error();  	/* look at context options in the stream and set appropriate verification flags */ -	if (GET_VER_OPT("verify_peer") && zval_is_true(*val)) { +	if (GET_VER_OPT("verify_peer") && !zval_is_true(*val)) { +		SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); +	} else {  		/* turn on verification callback */  		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback); @@ -5159,19 +5184,35 @@ SSL *php_SSL_new_from_context(SSL_CTX *ctx, php_stream *stream TSRMLS_DC) /* {{{  		GET_VER_OPT_STRING("cafile", cafile);  		GET_VER_OPT_STRING("capath", capath); +		if (!cafile) { +			zend_bool exists = 1; +			cafile = zend_ini_string_ex("openssl.cafile", sizeof("openssl.cafile"), 0, &exists); +		} + +		if (!capath) { +			zend_bool exists = 1; +			capath = zend_ini_string_ex("openssl.capath", sizeof("openssl.capath"), 0, &exists); +		} +  		if (cafile || capath) {  			if (!SSL_CTX_load_verify_locations(ctx, cafile, capath)) {  				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set verify locations `%s' `%s'", cafile, capath);  				return NULL;  			} +		} else { +			php_openssl_netstream_data_t *sslsock; +			sslsock = (php_openssl_netstream_data_t*)stream->abstract; +			if (sslsock->is_client && !SSL_CTX_set_default_verify_paths(ctx)) { +				php_error_docref(NULL TSRMLS_CC, E_WARNING, +					"Unable to set default verify locations and no CA settings specified"); +				return NULL; +			}  		}  		if (GET_VER_OPT("verify_depth")) {  			convert_to_long_ex(val);  			SSL_CTX_set_verify_depth(ctx, Z_LVAL_PP(val));  		} -	} else { -		SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);  	}  	/* callback for the passphrase (for localcert) */ @@ -5237,6 +5278,7 @@ SSL *php_SSL_new_from_context(SSL_CTX *ctx, php_stream *stream TSRMLS_DC) /* {{{  			}  		}  	} +  	if (ok) {  		SSL *ssl = SSL_new(ctx); diff --git a/ext/openssl/php_openssl_structs.h b/ext/openssl/php_openssl_structs.h new file mode 100644 index 0000000000..13f8f320f8 --- /dev/null +++ b/ext/openssl/php_openssl_structs.h @@ -0,0 +1,42 @@ +/* +  +----------------------------------------------------------------------+ +  | PHP Version 5                                                        | +  +----------------------------------------------------------------------+ +  | Copyright (c) 1997-2013 The PHP Group                                | +  +----------------------------------------------------------------------+ +  | This source file is subject to version 3.01 of the PHP license,      | +  | that is bundled with this package in the file LICENSE, and is        | +  | available through the world-wide-web at the following url:           | +  | http://www.php.net/license/3_01.txt                                  | +  | If you did not receive a copy of the PHP license and are unable to   | +  | obtain it through the world-wide-web, please send a note to          | +  | license@php.net so we can mail you a copy immediately.               | +  +----------------------------------------------------------------------+ +  | Author: Wez Furlong <wez@thebrainroom.com>                           | +  |         Daniel Lowrey <rdlowrey@gmail.com>                           | +  +----------------------------------------------------------------------+ +*/ + +/* $Id$ */ + +#include "php_network.h" +#include <openssl/ssl.h> + +/* This implementation is very closely tied to the that of the native + * sockets implemented in the core. + * Don't try this technique in other extensions! + * */ + +typedef struct _php_openssl_netstream_data_t { +	php_netstream_data_t s; +	SSL *ssl_handle; +	SSL_CTX *ctx; +	struct timeval connect_timeout; +	int enable_on_connect; +	int is_client; +	int ssl_active; +	php_stream_xport_crypt_method_t method; +	char *url_name; +	unsigned state_set:1; +	unsigned _spare:31; +} php_openssl_netstream_data_t; diff --git a/ext/openssl/tests/bug46127.phpt b/ext/openssl/tests/bug46127.phpt index a3bfd3a012..1de4eacd01 100644 --- a/ext/openssl/tests/bug46127.phpt +++ b/ext/openssl/tests/bug46127.phpt @@ -45,7 +45,10 @@ if ($pid == 0) { // child  // client or failed  sleep(1); -$sock = fsockopen('ssl://127.0.0.1', $port, $errno, $errstr); +$ctx = stream_context_create(['ssl' => [ +    'verify_peer' => false +]]); +$sock = stream_socket_client("ssl://127.0.0.1:{$port}", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx);  if (!$sock) exit;  echo fgets($sock); diff --git a/ext/openssl/tests/bug48182.phpt b/ext/openssl/tests/bug48182.phpt index 146c4c9226..b78ce57074 100644 --- a/ext/openssl/tests/bug48182.phpt +++ b/ext/openssl/tests/bug48182.phpt @@ -13,8 +13,7 @@ function ssl_server($port) {  	$host = 'ssl://127.0.0.1'.':'.$port;  	$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;  	$data = "Sending bug48182\n"; - -	$pem = dirname(__FILE__) . '/bug46127.pem'; +	$pem = dirname(__FILE__) . '/bug54992.pem';  	$ssl_params = array( 'verify_peer' => false, 'allow_self_signed' => true, 'local_cert' => $pem);  	$ssl = array('ssl' => $ssl_params); @@ -47,8 +46,11 @@ function ssl_async_client($port) {  	$host = 'ssl://127.0.0.1'.':'.$port;  	$flags = STREAM_CLIENT_CONNECT | STREAM_CLIENT_ASYNC_CONNECT;  	$data = "Sending data over to SSL server in async mode with contents like Hello World\n"; - -	$socket = stream_socket_client($host, $errno, $errstr, 10, $flags); +	$context = stream_context_create(array('ssl' => array( +		'cafile' => dirname(__FILE__) . '/bug54992-ca.pem', +		'CN_match' => 'bug54992.local' +	))); +	$socket = stream_socket_client($host, $errno, $errstr, 10, $flags, $context);  	stream_set_blocking($socket, 0);  	while ($socket && $data) { diff --git a/ext/openssl/tests/openssl_peer_fingerprint.phpt b/ext/openssl/tests/openssl_peer_fingerprint.phpt index 2960dffae5..2e4c192c03 100644 --- a/ext/openssl/tests/openssl_peer_fingerprint.phpt +++ b/ext/openssl/tests/openssl_peer_fingerprint.phpt @@ -24,6 +24,7 @@ if ($pid == -1) {  				'verify_peer'		=> true,  				'cafile'		=> __DIR__ . '/bug54992-ca.pem',  				'capture_peer_cert'	=> true, +				'CN_match'		=> 'bug54992.local',  				'peer_fingerprint'	=> '81cafc260aa8d82956ebc6212a362ece',  			)  		) @@ -38,6 +39,7 @@ if ($pid == -1) {  				'verify_peer'		=> true,  				'cafile'		=> __DIR__ . '/bug54992-ca.pem',  				'capture_peer_cert'	=> true, +				'CN_match'		=> 'bug54992.local',  				'peer_fingerprint'	=> array(  					'sha256' => '78ea579f2c3b439359dec5dac9d445108772927427c4780037e87df3799a0aa0',  				), @@ -59,4 +61,4 @@ Warning: stream_socket_client(): Failed to enable crypto in %s on line %d  Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d  bool(false) -resource(9) of type (stream) +resource(%d) of type (stream) diff --git a/ext/openssl/tests/peer_verification.phpt b/ext/openssl/tests/peer_verification.phpt new file mode 100644 index 0000000000..7c3347fd65 --- /dev/null +++ b/ext/openssl/tests/peer_verification.phpt @@ -0,0 +1,56 @@ +--TEST-- +Peer verification enabled for client streams +--SKIPIF-- +<?php  +if (!extension_loaded("openssl")) die("skip"); +if (!function_exists('pcntl_fork')) die("skip no fork"); +--FILE-- +<?php +$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; +$ctx = stream_context_create(['ssl' => [ +	'local_cert' => __DIR__ . '/bug54992.pem', +	'allow_self_signed' => true +]]); +$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); + +$pid = pcntl_fork(); +if ($pid == -1) { +	die('could not fork'); +} else if ($pid) { +	// Expected to fail -- no CA File present +	var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT)); +	 +	// Expected to fail -- no CA File present +	$ctx = stream_context_create(['ssl' => ['verify_peer' => true]]); +	var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); +	 +	// Should succeed with peer verification disabled in context +	$ctx = stream_context_create(['ssl' => ['verify_peer' => false]]); +	var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); + +	// Should succeed with CA file specified in context +	$ctx = stream_context_create(['ssl' => [ +		'cafile' => __DIR__ . '/bug54992-ca.pem', +		'CN_match' => 'bug54992.local', +	]]); +	var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); + +	// Should succeed with globally available CA file specified via php.ini +	$cafile = __DIR__ . '/bug54992-ca.pem'; +	ini_set('openssl.cafile', $cafile); +	var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); + +} else {	 +	@pcntl_wait($status); +	@stream_socket_accept($server, 3); +	@stream_socket_accept($server, 3); +	@stream_socket_accept($server, 3); +	@stream_socket_accept($server, 3); +	@stream_socket_accept($server, 3); +} +--EXPECTF-- +bool(false) +bool(false) +resource(%d) of type (stream) +resource(%d) of type (stream) +resource(%d) of type (stream) diff --git a/ext/openssl/tests/sni_001.phpt b/ext/openssl/tests/sni_001.phpt index 3d7798cf85..2f76a9f918 100644 --- a/ext/openssl/tests/sni_001.phpt +++ b/ext/openssl/tests/sni_001.phpt @@ -24,6 +24,7 @@ function context() {  	return stream_context_create(array(  		'ssl' => array(  			'capture_peer_cert' => true, +			'verify_peer' => false  		),  	));  } diff --git a/ext/openssl/tests/streams_crypto_method.phpt b/ext/openssl/tests/streams_crypto_method.phpt index 97a6e9ee8b..981f56b399 100644 --- a/ext/openssl/tests/streams_crypto_method.phpt +++ b/ext/openssl/tests/streams_crypto_method.phpt @@ -10,6 +10,7 @@ if (!extension_loaded('pcntl')) die('skip, pcntl required');  function client($port, $method) {  	$ctx = stream_context_create();  	stream_context_set_option($ctx, 'ssl', 'crypto_method', $method); +	stream_context_set_option($ctx, 'ssl', 'verify_peer', false);  	$fp = @fopen('https://127.0.0.1:' . $port . '/', 'r', false, $ctx);  	if ($fp) { diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index 244f04def9..61ba0271cb 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -23,8 +23,8 @@  #include "ext/standard/url.h"  #include "streams/php_streams_int.h"  #include "ext/standard/php_smart_str.h" -#include "php_network.h"  #include "php_openssl.h" +#include "php_openssl_structs.h"  #include <openssl/ssl.h>  #include <openssl/x509.h>  #include <openssl/err.h> @@ -41,25 +41,6 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre  SSL *php_SSL_new_from_context(SSL_CTX *ctx, php_stream *stream TSRMLS_DC);  int php_openssl_get_x509_list_id(void); -/* This implementation is very closely tied to the that of the native - * sockets implemented in the core. - * Don't try this technique in other extensions! - * */ - -typedef struct _php_openssl_netstream_data_t { -	php_netstream_data_t s; -	SSL *ssl_handle; -	SSL_CTX *ctx; -	struct timeval connect_timeout; -	int enable_on_connect; -	int is_client; -	int ssl_active; -	php_stream_xport_crypt_method_t method; -	char *sni; -	unsigned state_set:1; -	unsigned _spare:31; -} php_openssl_netstream_data_t; -  php_stream_ops php_openssl_socket_ops;  /* it doesn't matter that we do some hash traversal here, since it is done only @@ -285,11 +266,12 @@ static int php_openssl_sockop_close(php_stream *stream, int close_handle TSRMLS_  		}  	} -	if (sslsock->sni) { -		pefree(sslsock->sni, php_stream_is_persistent(stream)); +	if (sslsock->url_name) { +		pefree(sslsock->url_name, php_stream_is_persistent(stream));  	} +  	pefree(sslsock, php_stream_is_persistent(stream)); -	 +  	return 0;  } @@ -467,12 +449,25 @@ static inline int php_openssl_setup_crypto(php_stream *stream,  	return 0;  } +static void enable_server_name_indication(php_stream_context *ctx, php_openssl_netstream_data_t *sslsock) +{ +	zval **val = NULL; + +	if (php_stream_context_get_option(ctx, "ssl", "SNI_server_name", &val) == SUCCESS) { +		convert_to_string_ex(val); +		SSL_set_tlsext_host_name(sslsock->ssl_handle, &val); +	} else if (sslsock->url_name) { +		SSL_set_tlsext_host_name(sslsock->ssl_handle, sslsock->url_name); +	} +} +  static inline int php_openssl_enable_crypto(php_stream *stream,  		php_openssl_netstream_data_t *sslsock,  		php_stream_xport_crypto_param *cparam  		TSRMLS_DC)  {  	int n, retry = 1; +	zval **val = NULL;  	if (cparam->inputs.activate && !sslsock->ssl_active) {  		struct timeval	start_time, @@ -481,9 +476,14 @@ static inline int php_openssl_enable_crypto(php_stream *stream,  						has_timeout = 0;  #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) -		if (sslsock->is_client && sslsock->sni) { -			SSL_set_tlsext_host_name(sslsock->ssl_handle, sslsock->sni); + +		if (sslsock->is_client +			&& (php_stream_context_get_option(stream->context, "ssl", "SNI_enabled", &val) == FAILURE +			|| zend_is_true(*val TSRMLS_CC)) +		) { +			enable_server_name_indication(stream->context, sslsock);  		} +  #endif  		if (!sslsock->state_set) { @@ -920,7 +920,7 @@ static int get_crypto_method(php_stream_context *ctx) {          return STREAM_CRYPTO_METHOD_SSLv23_CLIENT;  } -static char * get_sni(php_stream_context *ctx, const char *resourcename, size_t resourcenamelen, int is_persistent TSRMLS_DC) { +static char * get_url_name(const char *resourcename, size_t resourcenamelen, int is_persistent TSRMLS_DC) {  	php_url *url;  	if (ctx) { @@ -946,7 +946,7 @@ static char * get_sni(php_stream_context *ctx, const char *resourcename, size_t  	if (url->host) {  		const char * host = url->host; -		char * sni = NULL; +		char * url_name = NULL;  		size_t len = strlen(host);  		/* skip trailing dots */ @@ -955,11 +955,11 @@ static char * get_sni(php_stream_context *ctx, const char *resourcename, size_t  		}  		if (len) { -			sni = pestrndup(host, len, is_persistent); +			url_name = pestrndup(host, len, is_persistent);  		}  		php_url_free(url); -		return sni; +		return url_name;  	}  	php_url_free(url); @@ -1001,8 +1001,6 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen,  		return NULL;  	} -	sslsock->sni = get_sni(context, resourcename, resourcenamelen, !!persistent_id TSRMLS_CC); -	  	if (strncmp(proto, "ssl", protolen) == 0) {  		sslsock->enable_on_connect = 1; @@ -1042,7 +1040,9 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen,  		return NULL;  #endif  	} -	 + +	sslsock->url_name = get_url_name(resourcename, resourcenamelen, !!persistent_id TSRMLS_CC); +  	return stream;  } diff --git a/ext/zip/lib/zipconf.h b/ext/zip/lib/zipconf.h index 1cb5c0467a..955d85b4ef 100644 --- a/ext/zip/lib/zipconf.h +++ b/ext/zip/lib/zipconf.h @@ -7,7 +7,7 @@     This file was generated automatically by CMake
     based on ../cmake-zipconf.h.in.
   */
 -#define LIBZIP_VERSION "0.11.1"
 +#define LIBZIP_VERSION "0.11.2"
  /* #undef HAVE_INTTYPES_H_LIBZIP */
  #if defined(_WIN32)
 diff --git a/ext/zip/php_zip.h b/ext/zip/php_zip.h index 591b907aa8..ffe4530415 100644 --- a/ext/zip/php_zip.h +++ b/ext/zip/php_zip.h @@ -38,7 +38,7 @@ extern zend_module_entry zip_module_entry;  #define ZIP_OVERWRITE ZIP_TRUNCATE  #endif -#define PHP_ZIP_VERSION "1.12.4-dev" +#define PHP_ZIP_VERSION "1.12.4"  #if ((PHP_MAJOR_VERSION >= 5 && PHP_MINOR_VERSION >= 2) || PHP_MAJOR_VERSION >= 6)  # define PHP_ZIP_USE_OO 1 diff --git a/main/php_ini.c b/main/php_ini.c index 3bcb249f84..f7f4686e84 100644 --- a/main/php_ini.c +++ b/main/php_ini.c @@ -630,63 +630,81 @@ int php_init_config(TSRMLS_D)  		zend_llist scanned_ini_list;  		zend_llist_element *element;  		int l, total_l = 0; +		char *bufpath, *debpath, *endpath; +		int lenpath; -		if ((ndir = php_scandir(php_ini_scanned_path, &namelist, 0, php_alphasort)) > 0) { -			zend_llist_init(&scanned_ini_list, sizeof(char *), (llist_dtor_func_t) free_estring, 1); -			memset(&fh2, 0, sizeof(fh2)); +		zend_llist_init(&scanned_ini_list, sizeof(char *), (llist_dtor_func_t) free_estring, 1); +		memset(&fh2, 0, sizeof(fh2)); -			for (i = 0; i < ndir; i++) { +		bufpath = estrdup(php_ini_scanned_path); +		for (debpath = bufpath ; debpath ; debpath=endpath) { +			endpath = strchr(debpath, DEFAULT_DIR_SEPARATOR); +			if (endpath) { +				*(endpath++) = 0; +			} +			if (!debpath[0]) { +				/* empty string means default builtin value +				   to allow "/foo/phd.d:" or ":/foo/php.d" */ +				debpath = PHP_CONFIG_FILE_SCAN_DIR; +			} +			lenpath = strlen(debpath); -				/* check for any file with .ini extension */ -				if (!(p = strrchr(namelist[i]->d_name, '.')) || (p && strcmp(p, ".ini"))) { -					free(namelist[i]); -					continue; -				} -				/* Reset active ini section */ -				RESET_ACTIVE_INI_HASH(); +			if (lenpath > 0 && (ndir = php_scandir(debpath, &namelist, 0, php_alphasort)) > 0) { -				if (IS_SLASH(php_ini_scanned_path[php_ini_scanned_path_len - 1])) { -					snprintf(ini_file, MAXPATHLEN, "%s%s", php_ini_scanned_path, namelist[i]->d_name); -				} else { -					snprintf(ini_file, MAXPATHLEN, "%s%c%s", php_ini_scanned_path, DEFAULT_SLASH, namelist[i]->d_name); -				} -				if (VCWD_STAT(ini_file, &sb) == 0) { -					if (S_ISREG(sb.st_mode)) { -						if ((fh2.handle.fp = VCWD_FOPEN(ini_file, "r"))) { -							fh2.filename = ini_file; -							fh2.type = ZEND_HANDLE_FP; - -							if (zend_parse_ini_file(&fh2, 1, ZEND_INI_SCANNER_NORMAL, (zend_ini_parser_cb_t) php_ini_parser_cb, &configuration_hash TSRMLS_CC) == SUCCESS) { -								/* Here, add it to the list of ini files read */ -								l = strlen(ini_file); -								total_l += l + 2; -								p = estrndup(ini_file, l); -								zend_llist_add_element(&scanned_ini_list, &p); +				for (i = 0; i < ndir; i++) { + +					/* check for any file with .ini extension */ +					if (!(p = strrchr(namelist[i]->d_name, '.')) || (p && strcmp(p, ".ini"))) { +						free(namelist[i]); +						continue; +					} +					/* Reset active ini section */ +					RESET_ACTIVE_INI_HASH(); + +					if (IS_SLASH(debpath[lenpath - 1])) { +						snprintf(ini_file, MAXPATHLEN, "%s%s", debpath, namelist[i]->d_name); +					} else { +						snprintf(ini_file, MAXPATHLEN, "%s%c%s", debpath, DEFAULT_SLASH, namelist[i]->d_name); +					} +					if (VCWD_STAT(ini_file, &sb) == 0) { +						if (S_ISREG(sb.st_mode)) { +							if ((fh2.handle.fp = VCWD_FOPEN(ini_file, "r"))) { +								fh2.filename = ini_file; +								fh2.type = ZEND_HANDLE_FP; + +								if (zend_parse_ini_file(&fh2, 1, ZEND_INI_SCANNER_NORMAL, (zend_ini_parser_cb_t) php_ini_parser_cb, &configuration_hash TSRMLS_CC) == SUCCESS) { +									/* Here, add it to the list of ini files read */ +									l = strlen(ini_file); +									total_l += l + 2; +									p = estrndup(ini_file, l); +									zend_llist_add_element(&scanned_ini_list, &p); +								}  							}  						}  					} +					free(namelist[i]);  				} -				free(namelist[i]); +				free(namelist);  			} -			free(namelist); +		} +		efree(bufpath); -			if (total_l) { -				int php_ini_scanned_files_len = (php_ini_scanned_files) ? strlen(php_ini_scanned_files) + 1 : 0; -				php_ini_scanned_files = (char *) realloc(php_ini_scanned_files, php_ini_scanned_files_len + total_l + 1); -				if (!php_ini_scanned_files_len) { -					*php_ini_scanned_files = '\0'; -				} -				total_l += php_ini_scanned_files_len; -				for (element = scanned_ini_list.head; element; element = element->next) { -					if (php_ini_scanned_files_len) { -						strlcat(php_ini_scanned_files, ",\n", total_l); -					} -					strlcat(php_ini_scanned_files, *(char **)element->data, total_l); -					strlcat(php_ini_scanned_files, element->next ? ",\n" : "\n", total_l); +		if (total_l) { +			int php_ini_scanned_files_len = (php_ini_scanned_files) ? strlen(php_ini_scanned_files) + 1 : 0; +			php_ini_scanned_files = (char *) realloc(php_ini_scanned_files, php_ini_scanned_files_len + total_l + 1); +			if (!php_ini_scanned_files_len) { +				*php_ini_scanned_files = '\0'; +			} +			total_l += php_ini_scanned_files_len; +			for (element = scanned_ini_list.head; element; element = element->next) { +				if (php_ini_scanned_files_len) { +					strlcat(php_ini_scanned_files, ",\n", total_l);  				} +				strlcat(php_ini_scanned_files, *(char **)element->data, total_l); +				strlcat(php_ini_scanned_files, element->next ? ",\n" : "\n", total_l);  			} -			zend_llist_destroy(&scanned_ini_list);  		} +		zend_llist_destroy(&scanned_ini_list);  	} else {  		/* Make sure an empty php_ini_scanned_path ends up as NULL */  		php_ini_scanned_path = NULL; | 
