Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
  • 2 commits
  • 2 files changed
  • 0 comments
  • 2 contributors
734 pfPorts/php5-openssl/files/patch-openssl.c
... ... @@ -0,0 +1,734 @@
  1 +--- openssl.c.orig 2012-03-03 15:31:39.449763300 +0100
  2 ++++ openssl.c 2012-04-09 14:27:59.060295800 +0200
  3 +@@ -17,6 +17,7 @@
  4 + | Sascha Kettler <kettler@gmx.net> |
  5 + | Pierre-Alain Joye <pierre@php.net> |
  6 + | Marc Delling <delling@silpion.de> (PKCS12 functions) |
  7 ++ | Moritz Bechler <mbechler@eenterphace.org> (CRL support) |
  8 + +----------------------------------------------------------------------+
  9 + */
  10 +
  11 +@@ -47,6 +48,7 @@
  12 + #include <openssl/rand.h>
  13 + #include <openssl/ssl.h>
  14 + #include <openssl/pkcs12.h>
  15 ++#include <openssl/ocsp.h>
  16 +
  17 + /* Common */
  18 + #include <time.h>
  19 +@@ -105,6 +107,56 @@
  20 + PHP_FUNCTION(openssl_random_pseudo_bytes);
  21 +
  22 + /* {{{ arginfo */
  23 ++ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_crl_export_file, 0, 0, 3)
  24 ++ ZEND_ARG_INFO(0, crl)
  25 ++ ZEND_ARG_INFO(0, filename)
  26 ++ ZEND_ARG_INFO(0, capkey)
  27 ++ ZEND_ARG_INFO(0, crlv2)
  28 ++ ZEND_ARG_INFO(0, notext)
  29 ++ ZEND_ARG_INFO(0, capass)
  30 ++ZEND_END_ARG_INFO()
  31 ++
  32 ++ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_crl_export, 0, 0, 3)
  33 ++ ZEND_ARG_INFO(0, crl)
  34 ++ ZEND_ARG_INFO(1, data)
  35 ++ ZEND_ARG_INFO(0, capkey)
  36 ++ ZEND_ARG_INFO(0, crlv2)
  37 ++ ZEND_ARG_INFO(0, notext)
  38 ++ ZEND_ARG_INFO(0, capass)
  39 ++ZEND_END_ARG_INFO()
  40 ++
  41 ++ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_crl_revoke_cert, 0, 0, 3)
  42 ++ ZEND_ARG_INFO(0, crl)
  43 ++ ZEND_ARG_INFO(0, certficate)
  44 ++ ZEND_ARG_INFO(0, revokation_date)
  45 ++ ZEND_ARG_INFO(0, reason)
  46 ++ ZEND_ARG_INFO(0, compromise_date)
  47 ++ ZEND_ARG_INFO(0, hold_instruction)
  48 ++ZEND_END_ARG_INFO()
  49 ++
  50 ++ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_crl_revoke_cert_by_serial, 0, 0, 3)
  51 ++ ZEND_ARG_INFO(0, crl)
  52 ++ ZEND_ARG_INFO(0, revoke_serial)
  53 ++ ZEND_ARG_INFO(0, revokation_date)
  54 ++ ZEND_ARG_INFO(0, reason)
  55 ++ ZEND_ARG_INFO(0, compromise_date)
  56 ++ ZEND_ARG_INFO(0, hold_instruction)
  57 ++ZEND_END_ARG_INFO()
  58 ++
  59 ++ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_crl_new, 0, 0, 1)
  60 ++ ZEND_ARG_INFO(0, cacert)
  61 ++ ZEND_ARG_INFO(0, crlserial)
  62 ++ ZEND_ARG_INFO(0, lifetime)
  63 ++ZEND_END_ARG_INFO()
  64 ++
  65 ++ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_check, 0, 0, 4)
  66 ++ ZEND_ARG_INFO(0, x509cert)
  67 ++ ZEND_ARG_INFO(0, purpose)
  68 ++ ZEND_ARG_INFO(0, flags)
  69 ++ ZEND_ARG_INFO(0, cainfo)
  70 ++ ZEND_ARG_INFO(0, untrustedfile)
  71 ++ZEND_END_ARG_INFO()
  72 ++
  73 + ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_export_to_file, 0, 0, 2)
  74 + ZEND_ARG_INFO(0, x509)
  75 + ZEND_ARG_INFO(0, outfilename)
  76 +@@ -398,12 +450,20 @@
  77 + PHP_FE(openssl_x509_check_private_key, arginfo_openssl_x509_check_private_key)
  78 + PHP_FE(openssl_x509_export, arginfo_openssl_x509_export)
  79 + PHP_FE(openssl_x509_export_to_file, arginfo_openssl_x509_export_to_file)
  80 ++ PHP_FE(openssl_x509_check, arginfo_openssl_x509_check)
  81 +
  82 + /* PKCS12 funcs */
  83 + PHP_FE(openssl_pkcs12_export, arginfo_openssl_pkcs12_export)
  84 + PHP_FE(openssl_pkcs12_export_to_file, arginfo_openssl_pkcs12_export_to_file)
  85 + PHP_FE(openssl_pkcs12_read, arginfo_openssl_pkcs12_read)
  86 +
  87 ++/* for CRL creation */
  88 ++ PHP_FE(openssl_crl_new, arginfo_openssl_crl_new)
  89 ++ PHP_FE(openssl_crl_revoke_cert_by_serial, arginfo_openssl_crl_revoke_cert_by_serial)
  90 ++ PHP_FE(openssl_crl_revoke_cert, arginfo_openssl_crl_revoke_cert)
  91 ++ PHP_FE(openssl_crl_export, arginfo_openssl_crl_export)
  92 ++ PHP_FE(openssl_crl_export_file, arginfo_openssl_crl_export_file)
  93 ++
  94 + /* CSR funcs */
  95 + PHP_FE(openssl_csr_new, arginfo_openssl_csr_new)
  96 + PHP_FE(openssl_csr_export, arginfo_openssl_csr_export)
  97 +@@ -466,6 +526,7 @@
  98 + static int le_key;
  99 + static int le_x509;
  100 + static int le_csr;
  101 ++static int le_crl;
  102 + static int ssl_stream_data_index;
  103 +
  104 + int php_openssl_get_x509_list_id(void) /* {{{ */
  105 +@@ -474,6 +535,16 @@
  106 + }
  107 + /* }}} */
  108 +
  109 ++/* {{{ */
  110 ++struct php_x509_crl {
  111 ++ X509_CRL *crl;
  112 ++ X509 *cacert;
  113 ++ long lifetime;
  114 ++ int forcev2;
  115 ++};
  116 ++/* }}} */
  117 ++
  118 ++
  119 + /* {{{ resource destructors */
  120 + static void php_pkey_free(zend_rsrc_list_entry *rsrc TSRMLS_DC)
  121 + {
  122 +@@ -495,6 +566,21 @@
  123 + X509_REQ * csr = (X509_REQ*)rsrc->ptr;
  124 + X509_REQ_free(csr);
  125 + }
  126 ++
  127 ++static void php_crl_free(zend_rsrc_list_entry *rsrc TSRMLS_DC)
  128 ++{
  129 ++ struct php_x509_crl *res = (struct php_x509_crl*)rsrc->ptr;
  130 ++
  131 ++ if(res) {
  132 ++ if(res->crl != NULL) {
  133 ++ X509_CRL_free(res->crl);
  134 ++ }
  135 ++
  136 ++ efree(res);
  137 ++ }
  138 ++
  139 ++}
  140 ++
  141 + /* }}} */
  142 +
  143 + /* {{{ openssl safe_mode & open_basedir checks */
  144 +@@ -978,6 +1064,7 @@
  145 + le_key = zend_register_list_destructors_ex(php_pkey_free, NULL, "OpenSSL key", module_number);
  146 + le_x509 = zend_register_list_destructors_ex(php_x509_free, NULL, "OpenSSL X.509", module_number);
  147 + le_csr = zend_register_list_destructors_ex(php_csr_free, NULL, "OpenSSL X.509 CSR", module_number);
  148 ++ le_crl = zend_register_list_destructors_ex(php_crl_free, NULL, "OpenSSL X.509 CRL", module_number);
  149 +
  150 + SSL_library_init();
  151 + OpenSSL_add_all_ciphers();
  152 +@@ -1052,6 +1139,36 @@
  153 + REGISTER_LONG_CONSTANT("OPENSSL_KEYTYPE_EC", OPENSSL_KEYTYPE_EC, CONST_CS|CONST_PERSISTENT);
  154 + #endif
  155 +
  156 ++ /* OCSP revokation states */
  157 ++ REGISTER_LONG_CONSTANT("OCSP_REVOKED_STATUS_NOSTATUS", OCSP_REVOKED_STATUS_NOSTATUS, CONST_CS | CONST_PERSISTENT);
  158 ++ REGISTER_LONG_CONSTANT("OCSP_REVOKED_STATUS_UNSPECIFIED", OCSP_REVOKED_STATUS_UNSPECIFIED, CONST_CS | CONST_PERSISTENT);
  159 ++ REGISTER_LONG_CONSTANT("OCSP_REVOKED_STATUS_KEYCOMPROMISE", OCSP_REVOKED_STATUS_KEYCOMPROMISE, CONST_CS | CONST_PERSISTENT);
  160 ++ REGISTER_LONG_CONSTANT("OCSP_REVOKED_STATUS_CACOMPROMISE", OCSP_REVOKED_STATUS_CACOMPROMISE, CONST_CS | CONST_PERSISTENT);
  161 ++ REGISTER_LONG_CONSTANT("OCSP_REVOKED_STATUS_AFFILIATIONCHANGED", OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, CONST_CS | CONST_PERSISTENT);
  162 ++ REGISTER_LONG_CONSTANT("OCSP_REVOKED_STATUS_SUPERSEDED", OCSP_REVOKED_STATUS_SUPERSEDED, CONST_CS | CONST_PERSISTENT);
  163 ++ REGISTER_LONG_CONSTANT("OCSP_REVOKED_STATUS_CESSATIONOFOPERATION", OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, CONST_CS | CONST_PERSISTENT);
  164 ++ REGISTER_LONG_CONSTANT("OCSP_REVOKED_STATUS_CERTIFICATEHOLD", OCSP_REVOKED_STATUS_CERTIFICATEHOLD, CONST_CS | CONST_PERSISTENT);
  165 ++ REGISTER_LONG_CONSTANT("OCSP_REVOKED_STATUS_REMOVEFROMCRL", OCSP_REVOKED_STATUS_REMOVEFROMCRL, CONST_CS | CONST_PERSISTENT);
  166 ++
  167 ++ /* X509 Hold instruction NIDs */
  168 ++ REGISTER_LONG_CONSTANT("OPENSSL_HOLDINSTRUCTION_NONE", NID_hold_instruction_none, CONST_CS | CONST_PERSISTENT);
  169 ++ REGISTER_LONG_CONSTANT("OPENSSL_HOLDINSTRUCTION_CALL_ISSUER", NID_hold_instruction_call_issuer, CONST_CS | CONST_PERSISTENT);
  170 ++ REGISTER_LONG_CONSTANT("OPENSSL_HOLDINSTRUCTION_REJECT", NID_hold_instruction_reject, CONST_CS | CONST_PERSISTENT);
  171 ++
  172 ++ /* openssl_verify flags */
  173 ++ REGISTER_LONG_CONSTANT("X509_V_FLAG_CB_ISSUER_CHECK", X509_V_FLAG_CB_ISSUER_CHECK, CONST_CS | CONST_PERSISTENT);
  174 ++ REGISTER_LONG_CONSTANT("X509_V_FLAG_USE_CHECK_TIME", X509_V_FLAG_USE_CHECK_TIME, CONST_CS | CONST_PERSISTENT);
  175 ++ REGISTER_LONG_CONSTANT("X509_V_FLAG_CRL_CHECK", X509_V_FLAG_CRL_CHECK, CONST_CS | CONST_PERSISTENT);
  176 ++ REGISTER_LONG_CONSTANT("X509_V_FLAG_CRL_CHECK_ALL", X509_V_FLAG_CRL_CHECK_ALL, CONST_CS | CONST_PERSISTENT);
  177 ++ REGISTER_LONG_CONSTANT("X509_V_FLAG_IGNORE_CRITICAL", X509_V_FLAG_IGNORE_CRITICAL, CONST_CS | CONST_PERSISTENT);
  178 ++ REGISTER_LONG_CONSTANT("X509_V_FLAG_X509_STRICT", X509_V_FLAG_X509_STRICT, CONST_CS | CONST_PERSISTENT);
  179 ++ REGISTER_LONG_CONSTANT("X509_V_FLAG_ALLOW_PROXY_CERTS", X509_V_FLAG_ALLOW_PROXY_CERTS, CONST_CS | CONST_PERSISTENT);
  180 ++ REGISTER_LONG_CONSTANT("X509_V_FLAG_POLICY_CHECK", X509_V_FLAG_POLICY_CHECK, CONST_CS | CONST_PERSISTENT);
  181 ++ REGISTER_LONG_CONSTANT("X509_V_FLAG_EXPLICIT_POLICY", X509_V_FLAG_EXPLICIT_POLICY, CONST_CS | CONST_PERSISTENT);
  182 ++ REGISTER_LONG_CONSTANT("X509_V_FLAG_INHIBIT_ANY", X509_V_FLAG_INHIBIT_ANY, CONST_CS | CONST_PERSISTENT);
  183 ++ REGISTER_LONG_CONSTANT("X509_V_FLAG_INHIBIT_MAP", X509_V_FLAG_INHIBIT_MAP, CONST_CS | CONST_PERSISTENT);
  184 ++ REGISTER_LONG_CONSTANT("X509_V_FLAG_NOTIFY_POLICY", X509_V_FLAG_NOTIFY_POLICY, CONST_CS | CONST_PERSISTENT);
  185 ++
  186 + #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
  187 + /* SNI support included in OpenSSL >= 0.9.8j */
  188 + REGISTER_LONG_CONSTANT("OPENSSL_TLSEXT_SERVER_NAME", 1, CONST_CS|CONST_PERSISTENT);
  189 +@@ -1502,7 +1619,7 @@
  190 + /* }}} */
  191 +
  192 + /* {{{ check_cert */
  193 +-static int check_cert(X509_STORE *ctx, X509 *x, STACK_OF(X509) *untrustedchain, int purpose)
  194 ++static int check_cert(X509_STORE *ctx, X509 *x, STACK_OF(X509) *untrustedchain, int purpose, long flags)
  195 + {
  196 + int ret=0;
  197 + X509_STORE_CTX *csc;
  198 +@@ -1514,6 +1631,11 @@
  199 + return 0;
  200 + }
  201 + X509_STORE_CTX_init(csc, ctx, x, untrustedchain);
  202 ++
  203 ++ if(flags) {
  204 ++ X509_STORE_CTX_set_flags(csc, flags);
  205 ++ }
  206 ++
  207 + if(purpose >= 0) {
  208 + X509_STORE_CTX_set_purpose(csc, purpose);
  209 + }
  210 +@@ -1524,6 +1646,59 @@
  211 + }
  212 + /* }}} */
  213 +
  214 ++/* {{{ proto int openssl_x509_check(mixed x509cert, int purpose, int flags, array cainfo [, string untrustedfile])
  215 ++ Checks the CERT to see if it can be used for the purpose in purpose. cainfo holds information about trusted CAs.
  216 ++ Flags should be one of the X509_V_FLAG_* constants and controls the behaviour of the check.
  217 ++ */
  218 ++PHP_FUNCTION(openssl_x509_check)
  219 ++{
  220 ++ zval ** zcert, * zcainfo = NULL;
  221 ++ X509_STORE * cainfo = NULL;
  222 ++ X509 * cert = NULL;
  223 ++ long certresource = -1;
  224 ++ STACK_OF(X509) * untrustedchain = NULL;
  225 ++ long purpose;
  226 ++ char * untrusted = NULL;
  227 ++ int untrusted_len;
  228 ++ long flags = 0;
  229 ++
  230 ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zll|a!s", &zcert, &purpose, &flags, &zcainfo, &untrusted, &untrusted_len) == FAILURE) {
  231 ++ return;
  232 ++ }
  233 ++
  234 ++ RETVAL_LONG(-1);
  235 ++
  236 ++ if (untrusted) {
  237 ++ untrustedchain = load_all_certs_from_file(untrusted);
  238 ++ if (untrustedchain == NULL) {
  239 ++ goto clean_exit;
  240 ++ }
  241 ++ }
  242 ++
  243 ++ cainfo = setup_verify(zcainfo TSRMLS_CC);
  244 ++ if (cainfo == NULL) {
  245 ++ goto clean_exit;
  246 ++ }
  247 ++ cert = php_openssl_x509_from_zval(zcert, 0, &certresource TSRMLS_CC);
  248 ++ if (cert == NULL) {
  249 ++ goto clean_exit;
  250 ++ }
  251 ++ RETVAL_LONG(check_cert(cainfo, cert, untrustedchain, purpose, flags));
  252 ++
  253 ++clean_exit:
  254 ++ if (certresource == 1 && cert) {
  255 ++ X509_free(cert);
  256 ++ }
  257 ++ if (cainfo) {
  258 ++ X509_STORE_free(cainfo);
  259 ++ }
  260 ++ if (untrustedchain) {
  261 ++ sk_X509_pop_free(untrustedchain, X509_free);
  262 ++ }
  263 ++}
  264 ++/* }}} */
  265 ++
  266 ++
  267 + /* {{{ proto int openssl_x509_checkpurpose(mixed x509cert, int purpose, array cainfo [, string untrustedfile])
  268 + Checks the CERT to see if it can be used for the purpose in purpose. cainfo holds information about trusted CAs */
  269 + PHP_FUNCTION(openssl_x509_checkpurpose)
  270 +@@ -1559,7 +1734,7 @@
  271 + goto clean_exit;
  272 + }
  273 +
  274 +- ret = check_cert(cainfo, cert, untrustedchain, purpose);
  275 ++ ret = check_cert(cainfo, cert, untrustedchain, purpose, 0);
  276 + if (ret != 0 && ret != 1) {
  277 + RETVAL_LONG(ret);
  278 + } else {
  279 +@@ -4296,6 +4471,455 @@
  280 + }
  281 + /* }}} */
  282 +
  283 ++/* CRL creation functions */
  284 ++
  285 ++/* {{{ proto resource openssl_crl_new(mixed cacert[, int crlserial[, string int lifetime]])
  286 ++ Creates a new CRL */
  287 ++PHP_FUNCTION(openssl_crl_new)
  288 ++{
  289 ++ struct php_x509_crl *res = NULL;
  290 ++ long serial = 0;
  291 ++ ASN1_INTEGER *crl_number;
  292 ++ long lifetime_days = 80;
  293 ++
  294 ++ long certresource;
  295 ++ zval* zcacert;
  296 ++
  297 ++ if(zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z|ll", &zcacert, &serial, &lifetime_days) == FAILURE) {
  298 ++ RETURN_NULL();
  299 ++ }
  300 ++
  301 ++ res = emalloc(sizeof(struct php_x509_crl));
  302 ++ memset(res, 0, sizeof(struct php_x509_crl));
  303 ++ res->lifetime = 60*60*24*lifetime_days;
  304 ++
  305 ++ /* Initialize CRL */
  306 ++ res->crl = X509_CRL_new();
  307 ++ if(res->crl == NULL) {
  308 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING,
  309 ++ "Failed to create CRL");
  310 ++ efree(res);
  311 ++ RETURN_NULL();
  312 ++ }
  313 ++
  314 ++ res->cacert = php_openssl_x509_from_zval(&zcacert, 0, &certresource TSRMLS_CC);
  315 ++
  316 ++ if(!res->cacert) {
  317 ++ X509_CRL_free(res->crl);
  318 ++ efree(res);
  319 ++
  320 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to load CA Certificate");
  321 ++ RETURN_NULL();
  322 ++ }
  323 ++
  324 ++ if (!X509_CRL_set_issuer_name(res->crl, X509_get_subject_name(res->cacert))) {
  325 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid ca certificate");
  326 ++ X509_free(res->cacert);
  327 ++ X509_CRL_free(res->crl);
  328 ++ efree(res);
  329 ++ RETURN_NULL();
  330 ++ }
  331 ++
  332 ++ /* set CRL number (serial) (forces the crl to be version 2) */
  333 ++ if(serial) {
  334 ++ crl_number = ASN1_INTEGER_new();
  335 ++ ASN1_INTEGER_set(crl_number, serial);
  336 ++
  337 ++ if(!X509_CRL_add1_ext_i2d(res->crl,NID_crl_number,crl_number,0,0)) {
  338 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to set CRL serial");
  339 ++ ASN1_INTEGER_free(crl_number);
  340 ++ X509_free(res->cacert);
  341 ++ X509_CRL_free(res->crl);
  342 ++ efree(res);
  343 ++ RETURN_NULL();
  344 ++ }
  345 ++ res->forcev2 = 1;
  346 ++
  347 ++ ASN1_INTEGER_free(crl_number);
  348 ++ }
  349 ++
  350 ++ ZEND_REGISTER_RESOURCE(return_value, res, le_crl);
  351 ++}
  352 ++/* }}} */
  353 ++
  354 ++/* {{{ Adds an entry to the CRL */
  355 ++static int php_crl_revoke_serial(struct php_x509_crl *res, ASN1_INTEGER *serial, time_t rev_timestamp, long reason_code, time_t comp_timestamp, int hold TSRMLS_DC)
  356 ++{
  357 ++ X509_REVOKED *revoke;
  358 ++
  359 ++ ASN1_TIME *rev_date;
  360 ++ ASN1_GENERALIZEDTIME *comp_date;
  361 ++
  362 ++ ASN1_ENUMERATED *rtmp;
  363 ++
  364 ++ ASN1_OBJECT *hold_instruction;
  365 ++
  366 ++ if(!res) {
  367 ++ return FAILURE;
  368 ++ }
  369 ++
  370 ++ revoke = X509_REVOKED_new();
  371 ++
  372 ++ if(!revoke) {
  373 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to revoke cert");
  374 ++ X509_REVOKED_free(revoke);
  375 ++ return FAILURE;
  376 ++ }
  377 ++
  378 ++ /* Add serial to the CRL */
  379 ++ if(!X509_REVOKED_set_serialNumber(revoke, serial)) {
  380 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to set serial number");
  381 ++ X509_REVOKED_free(revoke);
  382 ++ return FAILURE;
  383 ++ }
  384 ++
  385 ++ /* Revokation date */
  386 ++ rev_date = ASN1_UTCTIME_new();
  387 ++ if (!ASN1_UTCTIME_set(rev_date, rev_timestamp) || !X509_REVOKED_set_revocationDate(revoke,rev_date)) {
  388 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to set revokation time");
  389 ++ ASN1_UTCTIME_free(rev_date);
  390 ++ X509_REVOKED_free(revoke);
  391 ++ return FAILURE;
  392 ++ }
  393 ++ ASN1_UTCTIME_free(rev_date);
  394 ++
  395 ++
  396 ++ if(reason_code && reason_code != OCSP_REVOKED_STATUS_UNSPECIFIED) {
  397 ++ rtmp = ASN1_ENUMERATED_new();
  398 ++ ASN1_ENUMERATED_set(rtmp, reason_code);
  399 ++
  400 ++ if(!X509_REVOKED_add1_ext_i2d(revoke, NID_crl_reason, rtmp, 0, 0)) {
  401 ++ ASN1_ENUMERATED_free(rtmp);
  402 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to set revokation reason");
  403 ++ return FAILURE;
  404 ++ }
  405 ++ res->forcev2 = 1;
  406 ++ ASN1_ENUMERATED_free(rtmp);
  407 ++ }
  408 ++
  409 ++ /* Add compromise timestamp if reason is key or ca compromise */
  410 ++ if(comp_timestamp && (reason_code == OCSP_REVOKED_STATUS_KEYCOMPROMISE || reason_code == OCSP_REVOKED_STATUS_CACOMPROMISE)) {
  411 ++ comp_date = ASN1_GENERALIZEDTIME_new();
  412 ++ if (!ASN1_GENERALIZEDTIME_set(comp_date, comp_timestamp) ||
  413 ++ !X509_REVOKED_add1_ext_i2d(revoke, NID_invalidity_date, comp_date, 0, 0)) {
  414 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to set compromise time");
  415 ++ ASN1_GENERALIZEDTIME_free(comp_date);
  416 ++ return FAILURE;
  417 ++ }
  418 ++ ASN1_GENERALIZEDTIME_free(comp_date);
  419 ++ }
  420 ++
  421 ++ /* Add hold instruction if reason is certificateHold */
  422 ++ if(reason_code == OCSP_REVOKED_STATUS_CERTIFICATEHOLD) {
  423 ++ hold_instruction = OBJ_nid2obj(hold);
  424 ++
  425 ++ if (!X509_REVOKED_add1_ext_i2d(revoke, NID_hold_instruction_code, hold_instruction, 0, 0)) {
  426 ++ ASN1_OBJECT_free(hold_instruction);
  427 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to set hold instruction");
  428 ++ return FAILURE;
  429 ++ }
  430 ++
  431 ++
  432 ++ ASN1_OBJECT_free(hold_instruction);
  433 ++ }
  434 ++
  435 ++ X509_CRL_add0_revoked(res->crl,revoke);
  436 ++
  437 ++ return SUCCESS;
  438 ++}
  439 ++/* }}} */
  440 ++
  441 ++/* {{{ proto bool openssl_crl_revoke_cert_by_serial(resource crl, string revoke_serial, int revokation_date[, int reason[, int compromise_date[, int hold_instruction]]])
  442 ++ Adds a certificate to the revokation list using its serial */
  443 ++PHP_FUNCTION(openssl_crl_revoke_cert_by_serial)
  444 ++{
  445 ++
  446 ++ time_t rev_timestamp;
  447 ++ time_t comp_timestamp;
  448 ++
  449 ++ zval *crl_res;
  450 ++ struct php_x509_crl *res = NULL;
  451 ++
  452 ++ long reason_code = OCSP_REVOKED_STATUS_UNSPECIFIED;
  453 ++ zval *serial_num;
  454 ++
  455 ++ long hold = NID_hold_instruction_reject;
  456 ++
  457 ++ ASN1_INTEGER *serial;
  458 ++
  459 ++ if(zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rzl|lll",
  460 ++ &crl_res, &serial_num, &rev_timestamp, &reason_code, &comp_timestamp, &hold) == FAILURE) {
  461 ++ RETURN_FALSE;
  462 ++ }
  463 ++
  464 ++
  465 ++ ZEND_FETCH_RESOURCE(res, struct php_x509_crl*, &crl_res, -1, "OpenSSL X.509 CRL", le_crl);
  466 ++
  467 ++ if(!res) {
  468 ++ RETURN_FALSE;
  469 ++ }
  470 ++
  471 ++
  472 ++ convert_to_string(serial_num);
  473 ++
  474 ++ serial = ASN1_INTEGER_new();
  475 ++ serial = s2i_ASN1_INTEGER(NULL, Z_STRVAL_P(serial_num));
  476 ++
  477 ++ if(php_crl_revoke_serial(res, serial, rev_timestamp, reason_code, comp_timestamp, hold TSRMLS_CC) != SUCCESS) {
  478 ++ ASN1_INTEGER_free(serial);
  479 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to revoke certificate");
  480 ++ RETURN_FALSE;
  481 ++ }
  482 ++ ASN1_INTEGER_free(serial);
  483 ++
  484 ++ RETURN_TRUE;
  485 ++}
  486 ++
  487 ++/* {{{ proto bool openssl_revoke_cert(resource crl, mixed certficate, int revokation_date[, int reason[, int compromise_date[, int hold_instruction]]])
  488 ++ Adds a certificate to the revokation list using a certificate resource */
  489 ++PHP_FUNCTION(openssl_crl_revoke_cert)
  490 ++{
  491 ++ time_t rev_timestamp;
  492 ++ time_t comp_timestamp;
  493 ++
  494 ++ zval *crl_res;
  495 ++ struct php_x509_crl *res = NULL;
  496 ++
  497 ++ long reason_code = OCSP_REVOKED_STATUS_UNSPECIFIED;
  498 ++
  499 ++ X509 *cert;
  500 ++ zval *zcert;
  501 ++ long certresource;
  502 ++
  503 ++ long hold = NID_hold_instruction_reject;
  504 ++
  505 ++ ASN1_INTEGER *serial;
  506 ++
  507 ++ if(zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rzl|lll",
  508 ++ &crl_res, &zcert, &rev_timestamp, &reason_code, &comp_timestamp, &hold) == FAILURE) {
  509 ++ RETURN_FALSE;
  510 ++ }
  511 ++
  512 ++
  513 ++ ZEND_FETCH_RESOURCE(res, struct php_x509_crl*, &crl_res, -1, "OpenSSL X.509 CRL", le_crl);
  514 ++
  515 ++ if(!res) {
  516 ++ RETURN_FALSE;
  517 ++ }
  518 ++
  519 ++
  520 ++ cert = php_openssl_x509_from_zval(&zcert, 0, &certresource TSRMLS_CC);
  521 ++ serial = X509_get_serialNumber(cert);
  522 ++
  523 ++ if(php_crl_revoke_serial(res, serial, rev_timestamp, reason_code, comp_timestamp, hold TSRMLS_CC) != SUCCESS) {
  524 ++ ASN1_INTEGER_free(serial);
  525 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to revoke certificate");
  526 ++ RETURN_FALSE;
  527 ++ }
  528 ++ ASN1_INTEGER_free(serial);
  529 ++
  530 ++ RETURN_TRUE;
  531 ++}
  532 ++
  533 ++/* Generates the CRL */
  534 ++static int php_crl_generate(struct php_x509_crl *res, zval* zcapkey, int crlv2, char* capass, long capass_len, long digest_alg TSRMLS_DC)
  535 ++{
  536 ++ long capkeyres;
  537 ++ EVP_PKEY *capkey;
  538 ++ EVP_MD *digest;
  539 ++ ASN1_TIME *tmptm;
  540 ++
  541 ++
  542 ++ /* Prepare last updated and next update timestamps */
  543 ++ tmptm = ASN1_TIME_new();
  544 ++ if (!tmptm) {
  545 ++ return FAILURE;
  546 ++ }
  547 ++ X509_gmtime_adj(tmptm,0);
  548 ++ X509_CRL_set_lastUpdate(res->crl, tmptm);
  549 ++ X509_gmtime_adj(tmptm,res->lifetime);
  550 ++ X509_CRL_set_nextUpdate(res->crl, tmptm);
  551 ++ ASN1_TIME_free(tmptm);
  552 ++
  553 ++ /* Initialize message digest */
  554 ++
  555 ++
  556 ++ digest = php_openssl_get_evp_md_from_algo(digest_alg);
  557 ++ if (digest == NULL)
  558 ++ {
  559 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid message digest");
  560 ++ return FAILURE;
  561 ++ }
  562 ++
  563 ++ /* Sorts the CRL */
  564 ++ X509_CRL_sort(res->crl);
  565 ++
  566 ++ /* Check whether to use version 2 crls */
  567 ++ if(crlv2 || res->forcev2) {
  568 ++ if (!X509_CRL_set_version(res->crl, 1)) {
  569 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to use v2 CRLs");
  570 ++ return FAILURE;
  571 ++ }
  572 ++ }
  573 ++
  574 ++
  575 ++ if(!crlv2 && res->forcev2) {
  576 ++ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "The CRL contains extensions which need a V2 CRL, creating a V2 CRL");
  577 ++ }
  578 ++
  579 ++ capkey = php_openssl_evp_from_zval(&zcapkey, 0, capass, 0, &capkeyres TSRMLS_CC);
  580 ++
  581 ++ if(!capkey) {
  582 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to read CA private key");
  583 ++ return FAILURE;
  584 ++ }
  585 ++
  586 ++ /* verify private key */
  587 ++ if (!X509_check_private_key(res->cacert,capkey)) {
  588 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "CA Cert does not match private key");
  589 ++ return FAILURE;
  590 ++ }
  591 ++
  592 ++ /* sign CRL */
  593 ++ if (!X509_CRL_sign(res->crl,capkey,digest)) {
  594 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to sign CRL");
  595 ++ return FAILURE;
  596 ++ }
  597 ++
  598 ++ return SUCCESS;
  599 ++}
  600 ++
  601 ++/* {{{ proto bool openssl_crl_export(resource crl, string &data, mixed capkey[, bool crlv2[, bool notext[, string capass]]])
  602 ++ Exports a CRL to a string */
  603 ++PHP_FUNCTION(openssl_crl_export)
  604 ++{
  605 ++ BIO *out;
  606 ++ BUF_MEM *buf;
  607 ++
  608 ++ zval *crl_res;
  609 ++ struct php_x509_crl *res = NULL;
  610 ++
  611 ++ zval *zcapkey;
  612 ++
  613 ++ char *capass;
  614 ++ long capass_len;
  615 ++
  616 ++ int crlv2 = 1;
  617 ++ int notext = 1;
  618 ++
  619 ++ long digest_alg = OPENSSL_ALGO_SHA1;
  620 ++
  621 ++ zval *output;
  622 ++
  623 ++ if(zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rzz|bbsl",
  624 ++ &crl_res, &output,
  625 ++ &zcapkey,
  626 ++ &crlv2, &notext,
  627 ++ &capass, &capass_len,
  628 ++ &digest_alg) == FAILURE) {
  629 ++ RETURN_NULL();
  630 ++ }
  631 ++
  632 ++ ZEND_FETCH_RESOURCE(res, struct php_x509_crl*, &crl_res, -1, "OpenSSL X.509 CRL", le_crl);
  633 ++
  634 ++ if(!res) {
  635 ++ RETURN_FALSE;
  636 ++ }
  637 ++
  638 ++ if(php_crl_generate(res, zcapkey, crlv2, capass, capass_len, digest_alg TSRMLS_CC) != SUCCESS) {
  639 ++ RETURN_FALSE;
  640 ++ }
  641 ++
  642 ++
  643 ++ out = BIO_new(BIO_s_mem());
  644 ++ if (!notext) {
  645 ++ X509_CRL_print(out, res->crl);
  646 ++ }
  647 ++
  648 ++ if (!PEM_write_bio_X509_CRL(out, res->crl)) {
  649 ++ BIO_free(out);
  650 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to export CRL");
  651 ++ RETURN_FALSE;
  652 ++ }
  653 ++
  654 ++ zval_dtor(output);
  655 ++ BIO_get_mem_ptr(out, &buf);
  656 ++ ZVAL_STRINGL(output, buf->data, buf->length, 1);
  657 ++
  658 ++ BIO_free(out);
  659 ++
  660 ++ RETURN_TRUE;
  661 ++
  662 ++}
  663 ++/* }}} */
  664 ++
  665 ++/* {{{ proto bool openssl_crl_export_file(resource crl, string filename, mixed capkey[, bool crlv2[, bool notext[, string capass]]])
  666 ++ Exports a CRL to a file */
  667 ++PHP_FUNCTION(openssl_crl_export_file)
  668 ++{
  669 ++ BIO *out;
  670 ++
  671 ++ zval *crl_res;
  672 ++ struct php_x509_crl *res = NULL;
  673 ++
  674 ++ char *export_filename;
  675 ++ long export_filename_len;
  676 ++
  677 ++ zval *zcapkey;
  678 ++
  679 ++ char *capass;
  680 ++ long capass_len;
  681 ++
  682 ++ int crlv2 = 0;
  683 ++ int notext = 1;
  684 ++
  685 ++ long digest_alg = OPENSSL_ALGO_SHA1;
  686 ++
  687 ++ if(zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rsz|bbsl",
  688 ++ &crl_res,
  689 ++ &export_filename, &export_filename_len,
  690 ++ &zcapkey,
  691 ++ &crlv2, &notext,
  692 ++ &capass, &capass_len,
  693 ++ &digest_alg) == FAILURE) {
  694 ++ RETURN_NULL();
  695 ++ }
  696 ++
  697 ++ ZEND_FETCH_RESOURCE(res, struct php_x509_crl*, &crl_res, -1, "OpenSSL X.509 CRL", le_crl);
  698 ++
  699 ++ if(!res) {
  700 ++ RETURN_FALSE;
  701 ++ }
  702 ++
  703 ++ if(php_crl_generate(res, zcapkey, crlv2, capass, capass_len, digest_alg TSRMLS_CC) != SUCCESS) {
  704 ++ RETURN_FALSE;
  705 ++ }
  706 ++
  707 ++
  708 ++ /* write CRL */
  709 ++ if(php_openssl_safe_mode_chk(export_filename TSRMLS_CC) != 0) {
  710 ++ RETURN_FALSE;
  711 ++ }
  712 ++
  713 ++ out = BIO_new(BIO_s_file());
  714 ++
  715 ++ if(BIO_write_filename(out, export_filename) <= 0) {
  716 ++ BIO_free(out);
  717 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to write CRL");
  718 ++ RETURN_FALSE;
  719 ++ }
  720 ++ if (!notext) {
  721 ++ X509_CRL_print(out, res->crl);
  722 ++ }
  723 ++
  724 ++ PEM_write_bio_X509_CRL(out,res->crl);
  725 ++ BIO_free(out);
  726 ++
  727 ++ RETURN_TRUE;
  728 ++}
  729 ++/* }}} */
  730 ++
  731 ++
  732 + /* SSL verification functions */
  733 +
  734 + #define GET_VER_OPT(name) (stream->context && SUCCESS == php_stream_context_get_option(stream->context, "ssl", name, &val))
17 pfPorts/php5-openssl/files/patch-php_openssl.h
... ... @@ -1,16 +1,23 @@
1   ---- php_openssl.h.orig 2010-07-01 17:24:24.000000000 -0400
2   -+++ php_openssl.h 2010-07-01 17:24:40.000000000 -0400
3   -@@ -74,6 +74,13 @@
  1 +--- php_openssl.h.orig 2012-03-03 15:31:33.629430400 +0100
  2 ++++ php_openssl.h 2012-03-03 15:34:43.078266300 +0100
  3 +@@ -63,6 +63,7 @@
  4 + PHP_FUNCTION(openssl_x509_export);
  5 + PHP_FUNCTION(openssl_x509_export_to_file);
  6 + PHP_FUNCTION(openssl_x509_check_private_key);
  7 ++PHP_FUNCTION(openssl_x509_check);
  8 +
  9 + PHP_FUNCTION(openssl_pkcs12_export);
  10 + PHP_FUNCTION(openssl_pkcs12_export_to_file);
  11 +@@ -74,6 +75,12 @@
4 12 PHP_FUNCTION(openssl_csr_sign);
5 13 PHP_FUNCTION(openssl_csr_get_subject);
6 14 PHP_FUNCTION(openssl_csr_get_public_key);
7 15 +
8 16 +PHP_FUNCTION(openssl_crl_new);
9   -+PHP_FUNCTION(openssl_crl_revoke_cert_by_serial);
10 17 +PHP_FUNCTION(openssl_crl_revoke_cert);
  18 ++PHP_FUNCTION(openssl_crl_revoke_cert_by_serial);
11 19 +PHP_FUNCTION(openssl_crl_export);
12 20 +PHP_FUNCTION(openssl_crl_export_file);
13   -+
14 21 #else
15 22
16 23 #define phpext_openssl_ptr NULL

No commit comments for this range

Something went wrong with that request. Please try again.