From b8f9a20286c6d88c11e81967df42d118bdba2f02 Mon Sep 17 00:00:00 2001 From: datibbaw Date: Fri, 20 Sep 2013 15:04:52 +0800 Subject: [PATCH 01/13] added openssl_x509_digest(), output is binary sha1 --- ext/openssl/openssl.c | 41 +++++++++++++++++++++++++++++++++++++++ ext/openssl/php_openssl.h | 1 + 2 files changed, 42 insertions(+) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 4aac4e3137cad..c7203a74d63aa 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -129,6 +129,11 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_export, 0, 0, 2) ZEND_ARG_INFO(0, notext) ZEND_END_ARG_INFO() +ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 2) + ZEND_ARG_INFO(0, x509) + ZEND_ARG_INFO(1, out) +ZEND_END_ARG_INFO() + ZEND_BEGIN_ARG_INFO(arginfo_openssl_x509_check_private_key, 0) ZEND_ARG_INFO(0, cert) ZEND_ARG_INFO(0, key) @@ -443,6 +448,7 @@ const zend_function_entry openssl_functions[] = { PHP_FE(openssl_x509_checkpurpose, arginfo_openssl_x509_checkpurpose) PHP_FE(openssl_x509_check_private_key, arginfo_openssl_x509_check_private_key) PHP_FE(openssl_x509_export, arginfo_openssl_x509_export) + PHP_FE(openssl_x509_digest, arginfo_openssl_x509_digest) PHP_FE(openssl_x509_export_to_file, arginfo_openssl_x509_export_to_file) /* PKCS12 funcs */ @@ -1665,6 +1671,41 @@ PHP_FUNCTION(openssl_x509_export) } /* }}} */ +PHP_FUNCTION(openssl_x509_digest) +{ + X509 *cert; + zval **zcert, *zout; + long certresource; + + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int n; + + RETVAL_FALSE; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz", &zcert, &zout) == FAILURE) { + return; + } + + cert = php_openssl_x509_from_zval(zcert, 0, &certresource TSRMLS_CC); + if (cert == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get cert from parameter 1"); + return; + } + + if (!X509_digest(cert, EVP_sha1(), md, &n)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "out of memory"); + return; + } + + zval_dtor(zout); + ZVAL_STRINGL(zout, md, n, 1); + + if (certresource == -1 && cert) { + X509_free(cert); + } + RETVAL_TRUE; +} + /* {{{ proto bool openssl_x509_check_private_key(mixed cert, mixed key) Checks if a private key corresponds to a CERT */ PHP_FUNCTION(openssl_x509_check_private_key) diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h index 8483bbf7626dd..4f0ac14100143 100644 --- a/ext/openssl/php_openssl.h +++ b/ext/openssl/php_openssl.h @@ -66,6 +66,7 @@ PHP_FUNCTION(openssl_x509_free); PHP_FUNCTION(openssl_x509_parse); PHP_FUNCTION(openssl_x509_checkpurpose); PHP_FUNCTION(openssl_x509_export); +PHP_FUNCTION(openssl_x509_digest); PHP_FUNCTION(openssl_x509_export_to_file); PHP_FUNCTION(openssl_x509_check_private_key); From 5cff92fb12e83f4c6c81c6e8b89480def3ee5e9e Mon Sep 17 00:00:00 2001 From: datibbaw Date: Fri, 20 Sep 2013 15:45:41 +0800 Subject: [PATCH 02/13] added option for raw output --- ext/openssl/openssl.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index c7203a74d63aa..5dfb9b43695af 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -132,6 +132,7 @@ ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 2) ZEND_ARG_INFO(0, x509) ZEND_ARG_INFO(1, out) + ZEND_ARG_INFO(0, raw_output) ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_INFO(arginfo_openssl_x509_check_private_key, 0) @@ -1676,13 +1677,14 @@ PHP_FUNCTION(openssl_x509_digest) X509 *cert; zval **zcert, *zout; long certresource; + zend_bool raw_output = 0; unsigned char md[EVP_MAX_MD_SIZE]; unsigned int n; RETVAL_FALSE; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz", &zcert, &zout) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz|b", &zcert, &zout, &raw_output) == FAILURE) { return; } @@ -1698,7 +1700,16 @@ PHP_FUNCTION(openssl_x509_digest) } zval_dtor(zout); - ZVAL_STRINGL(zout, md, n, 1); + + if (raw_output) { + ZVAL_STRINGL(zout, md, n, 1); + } else { + int digest_str_len = n * 2; + char *digest_str = emalloc(digest_str_len + 1); + + make_digest_ex(digest_str, md, n); + ZVAL_STRINGL(zout, digest_str, digest_str_len, 0); + } if (certresource == -1 && cert) { X509_free(cert); From b2881db9a98db6e92d9f6964dd83a003c39a7fbd Mon Sep 17 00:00:00 2001 From: datibbaw Date: Fri, 20 Sep 2013 16:56:50 +0800 Subject: [PATCH 03/13] added option for hash function --- ext/openssl/openssl.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 5dfb9b43695af..6979e35685b3a 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -132,6 +132,7 @@ ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 2) ZEND_ARG_INFO(0, x509) ZEND_ARG_INFO(1, out) + ZEND_ARG_INFO(0, method) ZEND_ARG_INFO(0, raw_output) ZEND_END_ARG_INFO() @@ -1678,13 +1679,16 @@ PHP_FUNCTION(openssl_x509_digest) zval **zcert, *zout; long certresource; zend_bool raw_output = 0; + char *method = "sha1"; + int method_len; + const EVP_MD *mdtype; unsigned char md[EVP_MAX_MD_SIZE]; unsigned int n; RETVAL_FALSE; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz|b", &zcert, &zout, &raw_output) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz|sb", &zcert, &zout, &method, &method_len, &raw_output) == FAILURE) { return; } @@ -1694,7 +1698,13 @@ PHP_FUNCTION(openssl_x509_digest) return; } - if (!X509_digest(cert, EVP_sha1(), md, &n)) { + mdtype = EVP_get_digestbyname(method); + if (!mdtype) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); + RETURN_FALSE; + } + + if (!X509_digest(cert, mdtype, md, &n)) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "out of memory"); return; } From ce13f9fa328ae4a0c7fa9ef5efdb72a43f29dde2 Mon Sep 17 00:00:00 2001 From: datibbaw Date: Fri, 20 Sep 2013 16:59:44 +0800 Subject: [PATCH 04/13] indentation fail --- ext/openssl/openssl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 6979e35685b3a..f0ae2b70b19d3 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1676,14 +1676,14 @@ PHP_FUNCTION(openssl_x509_export) PHP_FUNCTION(openssl_x509_digest) { X509 *cert; - zval **zcert, *zout; + zval **zcert, *zout; long certresource; zend_bool raw_output = 0; char *method = "sha1"; int method_len; const EVP_MD *mdtype; - unsigned char md[EVP_MAX_MD_SIZE]; + unsigned char md[EVP_MAX_MD_SIZE]; unsigned int n; RETVAL_FALSE; From 574fe449dc05a11cfe7e6a33b04d3f6557442600 Mon Sep 17 00:00:00 2001 From: Tjerk Meesters Date: Fri, 20 Sep 2013 22:50:30 +0800 Subject: [PATCH 05/13] removed the byref result --- ext/openssl/openssl.c | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index f0ae2b70b19d3..e6040d5f2cbe4 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -129,9 +129,8 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_export, 0, 0, 2) ZEND_ARG_INFO(0, notext) ZEND_END_ARG_INFO() -ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 2) +ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 1) ZEND_ARG_INFO(0, x509) - ZEND_ARG_INFO(1, out) ZEND_ARG_INFO(0, method) ZEND_ARG_INFO(0, raw_output) ZEND_END_ARG_INFO() @@ -1676,7 +1675,7 @@ PHP_FUNCTION(openssl_x509_export) PHP_FUNCTION(openssl_x509_digest) { X509 *cert; - zval **zcert, *zout; + zval **zcert; long certresource; zend_bool raw_output = 0; char *method = "sha1"; @@ -1688,7 +1687,7 @@ PHP_FUNCTION(openssl_x509_digest) RETVAL_FALSE; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz|sb", &zcert, &zout, &method, &method_len, &raw_output) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Z|sb", &zcert, &method, &method_len, &raw_output) == FAILURE) { return; } @@ -1701,7 +1700,7 @@ PHP_FUNCTION(openssl_x509_digest) mdtype = EVP_get_digestbyname(method); if (!mdtype) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); - RETURN_FALSE; + return; } if (!X509_digest(cert, mdtype, md, &n)) { @@ -1709,22 +1708,19 @@ PHP_FUNCTION(openssl_x509_digest) return; } - zval_dtor(zout); - if (raw_output) { - ZVAL_STRINGL(zout, md, n, 1); + RETVAL_STRINGL(md, n, 1); } else { int digest_str_len = n * 2; char *digest_str = emalloc(digest_str_len + 1); make_digest_ex(digest_str, md, n); - ZVAL_STRINGL(zout, digest_str, digest_str_len, 0); + RETVAL_STRINGL(digest_str, digest_str_len, 0); } if (certresource == -1 && cert) { X509_free(cert); } - RETVAL_TRUE; } /* {{{ proto bool openssl_x509_check_private_key(mixed cert, mixed key) From a97aec16c0320c5737b43ad1c3caf01ea1485874 Mon Sep 17 00:00:00 2001 From: Tjerk Meesters Date: Fri, 20 Sep 2013 23:28:29 +0800 Subject: [PATCH 06/13] Added test case for openssl_x509_digest() --- ext/openssl/tests/openssl_x509_digest.phpt | 39 ++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 ext/openssl/tests/openssl_x509_digest.phpt diff --git a/ext/openssl/tests/openssl_x509_digest.phpt b/ext/openssl/tests/openssl_x509_digest.phpt new file mode 100644 index 0000000000000..98ec0098e827e --- /dev/null +++ b/ext/openssl/tests/openssl_x509_digest.phpt @@ -0,0 +1,39 @@ +--TEST-- +Testing openssl_x509_digest() +--SKIPIF-- + +--FILE-- + Date: Sat, 21 Sep 2013 18:24:00 +0800 Subject: [PATCH 07/13] don't leak cert on errors, return null on zpp failure --- ext/openssl/openssl.c | 30 ++++++++++------------ ext/openssl/tests/openssl_x509_digest.phpt | 8 ++++++ 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index e6040d5f2cbe4..9685dac87c66e 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1685,8 +1685,6 @@ PHP_FUNCTION(openssl_x509_digest) unsigned char md[EVP_MAX_MD_SIZE]; unsigned int n; - RETVAL_FALSE; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Z|sb", &zcert, &method, &method_len, &raw_output) == FAILURE) { return; } @@ -1694,28 +1692,26 @@ PHP_FUNCTION(openssl_x509_digest) cert = php_openssl_x509_from_zval(zcert, 0, &certresource TSRMLS_CC); if (cert == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get cert from parameter 1"); - return; + RETURN_FALSE; } mdtype = EVP_get_digestbyname(method); if (!mdtype) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); - return; - } - - if (!X509_digest(cert, mdtype, md, &n)) { - php_error_docref(NULL TSRMLS_CC, E_ERROR, "out of memory"); - return; - } - - if (raw_output) { - RETVAL_STRINGL(md, n, 1); + RETVAL_FALSE; + } else if (!X509_digest(cert, mdtype, md, &n)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Out of memory"); + RETVAL_FALSE; } else { - int digest_str_len = n * 2; - char *digest_str = emalloc(digest_str_len + 1); + if (raw_output) { + RETVAL_STRINGL(md, n, 1); + } else { + int digest_str_len = n * 2; + char *digest_str = emalloc(digest_str_len + 1); - make_digest_ex(digest_str, md, n); - RETVAL_STRINGL(digest_str, digest_str_len, 0); + make_digest_ex(digest_str, md, n); + RETVAL_STRINGL(digest_str, digest_str_len, 0); + } } if (certresource == -1 && cert) { diff --git a/ext/openssl/tests/openssl_x509_digest.phpt b/ext/openssl/tests/openssl_x509_digest.phpt index 98ec0098e827e..fde42809a18c3 100644 --- a/ext/openssl/tests/openssl_x509_digest.phpt +++ b/ext/openssl/tests/openssl_x509_digest.phpt @@ -9,8 +9,12 @@ if (!extension_loaded("openssl")) die("skip"); $cert = "file://" . dirname(__FILE__) . "/cert.crt"; +echo "** Testing with no parameters **\n"; +var_dump(openssl_x509_digest()); + echo "** Testing default functionality **\n"; var_dump(openssl_x509_digest($cert)); + echo "** Testing hash method md5 **\n"; var_dump(openssl_x509_digest($cert, 'md5')); @@ -22,6 +26,10 @@ var_dump(openssl_x509_digest('123')); echo "** Testing bad hash method **\n"; var_dump(openssl_x509_digest($cert, 'xx45')); --EXPECTF-- +** Testing with no parameters ** + +Warning: openssl_x509_digest() expects at least 1 parameter, 0 given in %s on line %d +NULL ** Testing default functionality ** string(40) "6e6fd1ea10a5a23071d61c728ee9b40df6dbc33c" ** Testing hash method md5 ** From 2bfc5a253b4ee76f9930692f2d088371c38dd65f Mon Sep 17 00:00:00 2001 From: Tjerk Meesters Date: Mon, 23 Sep 2013 00:51:17 +0800 Subject: [PATCH 08/13] Renamed to be more descriptive of what it does --- ext/openssl/openssl.c | 6 +++--- ext/openssl/php_openssl.h | 2 +- ...est.phpt => openssl_x509_fingerprint.phpt} | 20 +++++++++---------- 3 files changed, 14 insertions(+), 14 deletions(-) rename ext/openssl/tests/{openssl_x509_digest.phpt => openssl_x509_fingerprint.phpt} (58%) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 9685dac87c66e..9da10fc0a0153 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -129,7 +129,7 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_export, 0, 0, 2) ZEND_ARG_INFO(0, notext) ZEND_END_ARG_INFO() -ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_digest, 0, 0, 1) +ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_fingerprint, 0, 0, 1) ZEND_ARG_INFO(0, x509) ZEND_ARG_INFO(0, method) ZEND_ARG_INFO(0, raw_output) @@ -449,7 +449,7 @@ const zend_function_entry openssl_functions[] = { PHP_FE(openssl_x509_checkpurpose, arginfo_openssl_x509_checkpurpose) PHP_FE(openssl_x509_check_private_key, arginfo_openssl_x509_check_private_key) PHP_FE(openssl_x509_export, arginfo_openssl_x509_export) - PHP_FE(openssl_x509_digest, arginfo_openssl_x509_digest) + PHP_FE(openssl_x509_fingerprint, arginfo_openssl_x509_fingerprint) PHP_FE(openssl_x509_export_to_file, arginfo_openssl_x509_export_to_file) /* PKCS12 funcs */ @@ -1672,7 +1672,7 @@ PHP_FUNCTION(openssl_x509_export) } /* }}} */ -PHP_FUNCTION(openssl_x509_digest) +PHP_FUNCTION(openssl_x509_fingerprint) { X509 *cert; zval **zcert; diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h index 4f0ac14100143..a06e43db1ce5e 100644 --- a/ext/openssl/php_openssl.h +++ b/ext/openssl/php_openssl.h @@ -66,7 +66,7 @@ PHP_FUNCTION(openssl_x509_free); PHP_FUNCTION(openssl_x509_parse); PHP_FUNCTION(openssl_x509_checkpurpose); PHP_FUNCTION(openssl_x509_export); -PHP_FUNCTION(openssl_x509_digest); +PHP_FUNCTION(openssl_x509_fingerprint); PHP_FUNCTION(openssl_x509_export_to_file); PHP_FUNCTION(openssl_x509_check_private_key); diff --git a/ext/openssl/tests/openssl_x509_digest.phpt b/ext/openssl/tests/openssl_x509_fingerprint.phpt similarity index 58% rename from ext/openssl/tests/openssl_x509_digest.phpt rename to ext/openssl/tests/openssl_x509_fingerprint.phpt index fde42809a18c3..6cd464a894872 100644 --- a/ext/openssl/tests/openssl_x509_digest.phpt +++ b/ext/openssl/tests/openssl_x509_fingerprint.phpt @@ -1,5 +1,5 @@ --TEST-- -Testing openssl_x509_digest() +Testing openssl_x509_fingerprint() --SKIPIF-- Date: Mon, 23 Sep 2013 23:29:17 +0800 Subject: [PATCH 09/13] add md5 and sha1 fingerprint tests --- ext/openssl/openssl.c | 79 ++++++++++++++----- .../tests/openssl_peer_fingerprint.phpt | 44 +++++++++++ 2 files changed, 104 insertions(+), 19 deletions(-) create mode 100644 ext/openssl/tests/openssl_peer_fingerprint.phpt diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 9da10fc0a0153..c8588e256904b 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1,4 +1,5 @@ /* + +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ @@ -1672,6 +1673,33 @@ PHP_FUNCTION(openssl_x509_export) } /* }}} */ +int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, char **out, int *out_len) +{ + unsigned char md[EVP_MAX_MD_SIZE]; + const EVP_MD *mdtype; + int n; + + if (!(mdtype = EVP_get_digestbyname(method))) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); + return 0; + } else if (!X509_digest(peer, mdtype, md, &n)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Could not generate signature"); + return 0; + } + + if (raw) { + *out_len = n; + *out = estrndup(md, n); + } else { + *out_len = n * 2; + *out = emalloc(*out_len + 1); + + make_digest_ex(*out, md, n); + } + + return 1; +} + PHP_FUNCTION(openssl_x509_fingerprint) { X509 *cert; @@ -1681,9 +1709,8 @@ PHP_FUNCTION(openssl_x509_fingerprint) char *method = "sha1"; int method_len; - const EVP_MD *mdtype; - unsigned char md[EVP_MAX_MD_SIZE]; - unsigned int n; + char *fingerprint; + char *fingerprint_len; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Z|sb", &zcert, &method, &method_len, &raw_output) == FAILURE) { return; @@ -1695,23 +1722,10 @@ PHP_FUNCTION(openssl_x509_fingerprint) RETURN_FALSE; } - mdtype = EVP_get_digestbyname(method); - if (!mdtype) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); - RETVAL_FALSE; - } else if (!X509_digest(cert, mdtype, md, &n)) { - php_error_docref(NULL TSRMLS_CC, E_ERROR, "Out of memory"); - RETVAL_FALSE; + if (php_openssl_x509_fingerprint(cert, method, raw_output, &fingerprint, &fingerprint_len)) { + RETVAL_STRINGL(fingerprint, fingerprint_len, 0); } else { - if (raw_output) { - RETVAL_STRINGL(md, n, 1); - } else { - int digest_str_len = n * 2; - char *digest_str = emalloc(digest_str_len + 1); - - make_digest_ex(digest_str, md, n); - RETVAL_STRINGL(digest_str, digest_str_len, 0); - } + RETVAL_FALSE; } if (certresource == -1 && cert) { @@ -4919,6 +4933,33 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre /* if the cert passed the usual checks, apply our own local policies now */ + if (GET_VER_OPT("peer_fingerprint") && Z_TYPE_PP(val) == IS_STRING) { + char *fingerprint; + int fingerprint_len; + const char *method = NULL; + + switch (Z_STRLEN_PP(val)) { + case 32: + method = "md5"; + break; + + case 40: + method = "sha1"; + break; + } + + if (method && php_openssl_x509_fingerprint(peer, method, 0, &fingerprint, &fingerprint_len)) { + int match = strcmp(Z_STRVAL_PP(val), fingerprint) == 0; + + efree(fingerprint); + + if (!match) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer fingerprint `%s` not matched", Z_STRVAL_PP(val)); + return FAILURE; + } + } + } + name = X509_get_subject_name(peer); /* Does the common name match ? (used primarily for https://) */ diff --git a/ext/openssl/tests/openssl_peer_fingerprint.phpt b/ext/openssl/tests/openssl_peer_fingerprint.phpt new file mode 100644 index 0000000000000..a6be676dcb44a --- /dev/null +++ b/ext/openssl/tests/openssl_peer_fingerprint.phpt @@ -0,0 +1,44 @@ +--TEST-- +Testing peer fingerprint on connection +--SKIPIF-- + array( + 'verify_peer' => true, + 'cafile' => __DIR__ . '/bug54992-ca.pem', + 'capture_peer_cert' => true, + 'peer_fingerprint' => '81cafc260aa8d82956ebc6212a362ece', + ) + ) + ); + // should be: 81cafc260aa8d82956ebc6212a362ecc + var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, + STREAM_CLIENT_CONNECT, $contextC)); +} else { + @pcntl_wait($status); + @stream_socket_accept($server, 1); +} +--EXPECTF-- +Warning: stream_socket_client(): Peer fingerprint `81cafc260aa8d82956ebc6212a362ece` not matched in %s on line %d + +Warning: stream_socket_client(): Failed to enable crypto in %s on line %d + +Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d +bool(false) From 69bdc5aca8f14515556bb6fc8f86becf55ef30bf Mon Sep 17 00:00:00 2001 From: Tjerk Meesters Date: Mon, 23 Sep 2013 23:42:31 +0800 Subject: [PATCH 10/13] who put that stupid newline there? --- ext/openssl/openssl.c | 1 - 1 file changed, 1 deletion(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index c8588e256904b..a6ddd1458c98f 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1,5 +1,4 @@ /* - +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ From edd93f34520b550c4c42877fe9e03112cad005ba Mon Sep 17 00:00:00 2001 From: datibbaw Date: Fri, 27 Sep 2013 14:13:11 +0800 Subject: [PATCH 11/13] Support string and array for peer fingerprint matching --- ext/openssl/openssl.c | 87 ++++++++++++++----- .../tests/openssl_peer_fingerprint.phpt | 20 ++++- 2 files changed, 82 insertions(+), 25 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index a6ddd1458c98f..c0d1b0bf2ddbc 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1672,7 +1672,7 @@ PHP_FUNCTION(openssl_x509_export) } /* }}} */ -int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, char **out, int *out_len) +static int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, char **out, int *out_len) { unsigned char md[EVP_MAX_MD_SIZE]; const EVP_MD *mdtype; @@ -1699,6 +1699,61 @@ int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, char * return 1; } +static int php_x509_fingerprint_cmp(X509 *peer, const char *method, const char *expected) +{ + char *fingerprint; + int fingerprint_len; + int result = -1; + + if (php_openssl_x509_fingerprint(peer, method, 0, &fingerprint, &fingerprint_len)) { + result = strcmp(expected, fingerprint); + efree(fingerprint); + } + + return result; +} + +static int php_x509_fingerprint_match(X509 *peer, zval **val) +{ + if (Z_TYPE_PP(val) == IS_STRING) { + const char *method = NULL; + + switch (Z_STRLEN_PP(val)) { + case 32: + method = "md5"; + break; + + case 40: + method = "sha1"; + break; + } + + return method && php_x509_fingerprint_cmp(peer, method, Z_STRVAL_PP(val)) == 0; + } else if (Z_TYPE_PP(val) == IS_ARRAY) { + HashPosition pos; + zval **current; + char *key; + uint key_len; + ulong key_index; + + for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(val), &pos); + zend_hash_get_current_data_ex(Z_ARRVAL_PP(val), (void **)¤t, &pos) == SUCCESS; + zend_hash_move_forward_ex(Z_ARRVAL_PP(val), &pos) + ) { + int key_type = zend_hash_get_current_key_ex(Z_ARRVAL_PP(val), &key, &key_len, &key_index, 0, &pos); + + if (key_type == HASH_KEY_IS_STRING + && Z_TYPE_PP(current) == IS_STRING + && php_x509_fingerprint_cmp(peer, key, Z_STRVAL_PP(current)) != 0 + ) { + return 0; + } + } + return 1; + } + return 0; +} + PHP_FUNCTION(openssl_x509_fingerprint) { X509 *cert; @@ -1709,7 +1764,7 @@ PHP_FUNCTION(openssl_x509_fingerprint) int method_len; char *fingerprint; - char *fingerprint_len; + int fingerprint_len; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Z|sb", &zcert, &method, &method_len, &raw_output) == FAILURE) { return; @@ -4932,30 +4987,14 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre /* if the cert passed the usual checks, apply our own local policies now */ - if (GET_VER_OPT("peer_fingerprint") && Z_TYPE_PP(val) == IS_STRING) { - char *fingerprint; - int fingerprint_len; - const char *method = NULL; - - switch (Z_STRLEN_PP(val)) { - case 32: - method = "md5"; - break; - - case 40: - method = "sha1"; - break; - } - - if (method && php_openssl_x509_fingerprint(peer, method, 0, &fingerprint, &fingerprint_len)) { - int match = strcmp(Z_STRVAL_PP(val), fingerprint) == 0; - - efree(fingerprint); - - if (!match) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer fingerprint `%s` not matched", Z_STRVAL_PP(val)); + if (GET_VER_OPT("peer_fingerprint")) { + if (Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_ARRAY) { + if (!php_x509_fingerprint_match(peer, val)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer fingerprint doesn't match"); return FAILURE; } + } else { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Expected peer fingerprint must be a string or an array"); } } diff --git a/ext/openssl/tests/openssl_peer_fingerprint.phpt b/ext/openssl/tests/openssl_peer_fingerprint.phpt index a6be676dcb44a..2960dffae506e 100644 --- a/ext/openssl/tests/openssl_peer_fingerprint.phpt +++ b/ext/openssl/tests/openssl_peer_fingerprint.phpt @@ -31,14 +31,32 @@ if ($pid == -1) { // should be: 81cafc260aa8d82956ebc6212a362ecc var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $contextC)); + + $contextC = stream_context_create( + array( + 'ssl' => array( + 'verify_peer' => true, + 'cafile' => __DIR__ . '/bug54992-ca.pem', + 'capture_peer_cert' => true, + 'peer_fingerprint' => array( + 'sha256' => '78ea579f2c3b439359dec5dac9d445108772927427c4780037e87df3799a0aa0', + ), + ) + ) + ); + + var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, + STREAM_CLIENT_CONNECT, $contextC)); } else { @pcntl_wait($status); @stream_socket_accept($server, 1); + @stream_socket_accept($server, 1); } --EXPECTF-- -Warning: stream_socket_client(): Peer fingerprint `81cafc260aa8d82956ebc6212a362ece` not matched in %s on line %d +Warning: stream_socket_client(): Peer fingerprint doesn't match in %s on line %d Warning: stream_socket_client(): Failed to enable crypto in %s on line %d Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d bool(false) +resource(9) of type (stream) From e45eacd8fa4e32692697171e90f14d3c66d673de Mon Sep 17 00:00:00 2001 From: Tjerk Meesters Date: Mon, 30 Sep 2013 21:21:56 +0800 Subject: [PATCH 12/13] show method in error message --- ext/openssl/openssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index c0d1b0bf2ddbc..c208d439d6232 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1679,7 +1679,7 @@ static int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, int n; if (!(mdtype = EVP_get_digestbyname(method))) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "`%s`: Unknown signature algorithm", method); return 0; } else if (!X509_digest(peer, mdtype, md, &n)) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "Could not generate signature"); From 955bc1d91bd772cbb782830220048511b657f063 Mon Sep 17 00:00:00 2001 From: datibbaw Date: Mon, 7 Oct 2013 15:38:48 +0800 Subject: [PATCH 13/13] Using SUCCESS and FAILURE for return values Using zend_bool for boolean arguments and return values Reduced one level of zval indirection where possible --- ext/openssl/openssl.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index c208d439d6232..d963f86af9ecb 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1672,18 +1672,18 @@ PHP_FUNCTION(openssl_x509_export) } /* }}} */ -static int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, char **out, int *out_len) +static int php_openssl_x509_fingerprint(X509 *peer, const char *method, zend_bool raw, char **out, int *out_len) { unsigned char md[EVP_MAX_MD_SIZE]; const EVP_MD *mdtype; int n; if (!(mdtype = EVP_get_digestbyname(method))) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "`%s`: Unknown signature algorithm", method); - return 0; + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm"); + return FAILURE; } else if (!X509_digest(peer, mdtype, md, &n)) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "Could not generate signature"); - return 0; + return FAILURE; } if (raw) { @@ -1696,7 +1696,7 @@ static int php_openssl_x509_fingerprint(X509 *peer, const char *method, int raw, make_digest_ex(*out, md, n); } - return 1; + return SUCCESS; } static int php_x509_fingerprint_cmp(X509 *peer, const char *method, const char *expected) @@ -1705,7 +1705,7 @@ static int php_x509_fingerprint_cmp(X509 *peer, const char *method, const char * int fingerprint_len; int result = -1; - if (php_openssl_x509_fingerprint(peer, method, 0, &fingerprint, &fingerprint_len)) { + if (php_openssl_x509_fingerprint(peer, method, 0, &fingerprint, &fingerprint_len) == SUCCESS) { result = strcmp(expected, fingerprint); efree(fingerprint); } @@ -1713,12 +1713,12 @@ static int php_x509_fingerprint_cmp(X509 *peer, const char *method, const char * return result; } -static int php_x509_fingerprint_match(X509 *peer, zval **val) +static zend_bool php_x509_fingerprint_match(X509 *peer, zval *val) { - if (Z_TYPE_PP(val) == IS_STRING) { + if (Z_TYPE_P(val) == IS_STRING) { const char *method = NULL; - switch (Z_STRLEN_PP(val)) { + switch (Z_STRLEN_P(val)) { case 32: method = "md5"; break; @@ -1728,19 +1728,19 @@ static int php_x509_fingerprint_match(X509 *peer, zval **val) break; } - return method && php_x509_fingerprint_cmp(peer, method, Z_STRVAL_PP(val)) == 0; - } else if (Z_TYPE_PP(val) == IS_ARRAY) { + return method && php_x509_fingerprint_cmp(peer, method, Z_STRVAL_P(val)) == 0; + } else if (Z_TYPE_P(val) == IS_ARRAY) { HashPosition pos; zval **current; char *key; uint key_len; ulong key_index; - for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(val), &pos); - zend_hash_get_current_data_ex(Z_ARRVAL_PP(val), (void **)¤t, &pos) == SUCCESS; - zend_hash_move_forward_ex(Z_ARRVAL_PP(val), &pos) + for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(val), &pos); + zend_hash_get_current_data_ex(Z_ARRVAL_P(val), (void **)¤t, &pos) == SUCCESS; + zend_hash_move_forward_ex(Z_ARRVAL_P(val), &pos) ) { - int key_type = zend_hash_get_current_key_ex(Z_ARRVAL_PP(val), &key, &key_len, &key_index, 0, &pos); + int key_type = zend_hash_get_current_key_ex(Z_ARRVAL_P(val), &key, &key_len, &key_index, 0, &pos); if (key_type == HASH_KEY_IS_STRING && Z_TYPE_PP(current) == IS_STRING @@ -1776,7 +1776,7 @@ PHP_FUNCTION(openssl_x509_fingerprint) RETURN_FALSE; } - if (php_openssl_x509_fingerprint(cert, method, raw_output, &fingerprint, &fingerprint_len)) { + if (php_openssl_x509_fingerprint(cert, method, raw_output, &fingerprint, &fingerprint_len) == SUCCESS) { RETVAL_STRINGL(fingerprint, fingerprint_len, 0); } else { RETVAL_FALSE; @@ -4989,7 +4989,7 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre if (GET_VER_OPT("peer_fingerprint")) { if (Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_ARRAY) { - if (!php_x509_fingerprint_match(peer, val)) { + if (!php_x509_fingerprint_match(peer, *val)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer fingerprint doesn't match"); return FAILURE; }