diff -Naur php-5.3.29_orig/ext/openssl/openssl.c php-5.4.16/ext/openssl/openssl.c --- php-5.3.29_orig/ext/openssl/openssl.c 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/openssl.c 2013-06-05 11:03:57.000000000 +0600 @@ -16,7 +16,7 @@ | Wez Furlong | | Sascha Kettler | | Pierre-Alain Joye | - | Marc Delling (PKCS12 functions) | + | Marc Delling (PKCS12 functions) | +----------------------------------------------------------------------+ */ @@ -36,6 +36,10 @@ #include "ext/standard/md5.h" #include "ext/standard/base64.h" +#if PHP_WIN32 +# include "win32/winutil.h" +#endif + /* OpenSSL includes */ #include #include @@ -65,7 +69,13 @@ #define OPENSSL_ALGO_MD2 4 #endif #define OPENSSL_ALGO_DSS1 5 - +#if OPENSSL_VERSION_NUMBER >= 0x0090708fL +#define OPENSSL_ALGO_SHA224 6 +#define OPENSSL_ALGO_SHA256 7 +#define OPENSSL_ALGO_SHA384 8 +#define OPENSSL_ALGO_SHA512 9 +#define OPENSSL_ALGO_RMD160 10 +#endif #define DEBUG_SMIME 0 /* FIXME: Use the openssl constants instead of @@ -89,6 +99,9 @@ PHP_OPENSSL_CIPHER_RC2_64, PHP_OPENSSL_CIPHER_DES, PHP_OPENSSL_CIPHER_3DES, + PHP_OPENSSL_CIPHER_AES_128_CBC, + PHP_OPENSSL_CIPHER_AES_192_CBC, + PHP_OPENSSL_CIPHER_AES_256_CBC, PHP_OPENSSL_CIPHER_DEFAULT = PHP_OPENSSL_CIPHER_RC2_40 }; @@ -347,7 +360,7 @@ ZEND_ARG_INFO(0, data) ZEND_ARG_INFO(0, method) ZEND_ARG_INFO(0, password) - ZEND_ARG_INFO(0, raw_output) + ZEND_ARG_INFO(0, options) ZEND_ARG_INFO(0, iv) ZEND_END_ARG_INFO() @@ -355,7 +368,7 @@ ZEND_ARG_INFO(0, data) ZEND_ARG_INFO(0, method) ZEND_ARG_INFO(0, password) - ZEND_ARG_INFO(0, raw_input) + ZEND_ARG_INFO(0, options) ZEND_ARG_INFO(0, iv) ZEND_END_ARG_INFO() @@ -497,16 +510,13 @@ } /* }}} */ -/* {{{ openssl safe_mode & open_basedir checks */ -inline static int php_openssl_safe_mode_chk(char *filename TSRMLS_DC) +/* {{{ openssl open_basedir check */ +inline static int php_openssl_open_base_dir_chk(char *filename TSRMLS_DC) { - if (PG(safe_mode) && (!php_checkuid(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR))) { - return -1; - } if (php_check_open_basedir(filename TSRMLS_CC)) { return -1; } - + return 0; } /* }}} */ @@ -536,6 +546,8 @@ int priv_key_encrypt; EVP_PKEY * priv_key; + + const EVP_CIPHER * priv_key_encrypt_cipher; }; /* }}} */ @@ -563,7 +575,7 @@ } else { subitem = val; } - + for (i = 0; i < X509_NAME_entry_count(name); i++) { unsigned char *to_add; int to_add_len; @@ -606,7 +618,7 @@ last = j; } i = last; - + if (obj_cnt > 1) { add_assoc_zval_ex(subitem, sname, strlen(sname) + 1, subentries); } else { @@ -644,28 +656,18 @@ char * thestr; long gmadjust = 0; - if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp"); + if (timestr->length < 13) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data); return (time_t)-1; } - if (ASN1_STRING_length(timestr) != strlen((char*)ASN1_STRING_data(timestr))) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp"); - return (time_t)-1; - } - - if (ASN1_STRING_length(timestr) < 13) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to parse time string %s correctly", timestr->data); - return (time_t)-1; - } - - strbuf = estrdup((char *)ASN1_STRING_data(timestr)); + strbuf = estrdup((char *)timestr->data); memset(&thetime, 0, sizeof(thetime)); /* we work backwards so that we can use atoi more easily */ - thestr = strbuf + ASN1_STRING_length(timestr) - 3; + thestr = strbuf + timestr->length - 3; thetime.tm_sec = atoi(thestr); *thestr = '\0'; @@ -716,7 +718,7 @@ #endif { X509V3_CTX ctx; - + X509V3_set_ctx_test(&ctx); X509V3_set_conf_lhash(&ctx, config); if (!X509V3_EXT_add_conf(config, &ctx, (char *)section, NULL)) { @@ -765,17 +767,20 @@ req->config_filename, req->var, req->req_config TSRMLS_CC) == FAILURE) return FAILURE #define SET_OPTIONAL_STRING_ARG(key, varname, defval) \ - if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING) \ + if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) \ varname = Z_STRVAL_PP(item); \ else \ varname = defval #define SET_OPTIONAL_LONG_ARG(key, varname, defval) \ - if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_LONG) \ + if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) \ varname = Z_LVAL_PP(item); \ else \ varname = defval +static const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(long algo); + + static int php_openssl_parse_config(struct php_x509_request * req, zval * optional_args TSRMLS_DC) /* {{{ */ { char * str; @@ -792,7 +797,7 @@ /* read in the oids */ str = CONF_get_string(req->req_config, NULL, "oid_file"); - if (str && !php_openssl_safe_mode_chk(str TSRMLS_CC)) { + if (str && !php_openssl_open_base_dir_chk(str TSRMLS_CC)) { BIO *oid_bio = BIO_new_file(str, "r"); if (oid_bio) { OBJ_create_objects(oid_bio); @@ -813,7 +818,7 @@ SET_OPTIONAL_LONG_ARG("private_key_type", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT); - if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_BOOL) { + if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key"), (void**)&item) == SUCCESS) { req->priv_key_encrypt = Z_BVAL_PP(item); } else { str = CONF_get_string(req->req_config, req->section_name, "encrypt_rsa_key"); @@ -826,7 +831,22 @@ req->priv_key_encrypt = 1; } } - + + if (req->priv_key_encrypt && optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key_cipher", sizeof("encrypt_key_cipher"), (void**)&item) == SUCCESS) { + long cipher_algo = Z_LVAL_PP(item); + const EVP_CIPHER* cipher = php_openssl_get_evp_cipher_from_algo(cipher_algo); + if (cipher == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown cipher algorithm for private key."); + return FAILURE; + } else { + req->priv_key_encrypt_cipher = cipher; + } + } else { + req->priv_key_encrypt_cipher = NULL; + } + + + /* digest alg */ if (req->digest_name == NULL) { req->digest_name = CONF_get_string(req->req_config, req->section_name, "default_md"); @@ -848,7 +868,7 @@ } PHP_SSL_CONFIG_SYNTAX_CHECK(request_extensions_section); - + return SUCCESS; } /* }}} */ @@ -870,12 +890,10 @@ } /* }}} */ -static int php_openssl_load_rand_file(const char * file, int *egdsocket, int *seeded) /* {{{ */ +static int php_openssl_load_rand_file(const char * file, int *egdsocket, int *seeded TSRMLS_DC) /* {{{ */ { char buffer[MAXPATHLEN]; - TSRMLS_FETCH(); - *egdsocket = 0; *seeded = 0; @@ -942,6 +960,23 @@ case OPENSSL_ALGO_DSS1: mdtype = (EVP_MD *) EVP_dss1(); break; +#if OPENSSL_VERSION_NUMBER >= 0x0090708fL + case OPENSSL_ALGO_SHA224: + mdtype = (EVP_MD *) EVP_sha224(); + break; + case OPENSSL_ALGO_SHA256: + mdtype = (EVP_MD *) EVP_sha256(); + break; + case OPENSSL_ALGO_SHA384: + mdtype = (EVP_MD *) EVP_sha384(); + break; + case OPENSSL_ALGO_SHA512: + mdtype = (EVP_MD *) EVP_sha512(); + break; + case OPENSSL_ALGO_RMD160: + mdtype = (EVP_MD *) EVP_ripemd160(); + break; +#endif default: return NULL; break; @@ -972,6 +1007,20 @@ return EVP_des_ede3_cbc(); break; #endif + +#ifndef OPENSSL_NO_AES + case PHP_OPENSSL_CIPHER_AES_128_CBC: + return EVP_aes_128_cbc(); + break; + case PHP_OPENSSL_CIPHER_AES_192_CBC: + return EVP_aes_192_cbc(); + break; + case PHP_OPENSSL_CIPHER_AES_256_CBC: + return EVP_aes_256_cbc(); + break; +#endif + + default: return NULL; break; @@ -994,17 +1043,15 @@ OpenSSL_add_all_digests(); OpenSSL_add_all_algorithms(); - ERR_load_ERR_strings(); - ERR_load_crypto_strings(); - ERR_load_EVP_strings(); + SSL_load_error_strings(); /* register a resource id number with OpenSSL so that we can map SSL -> stream structures in * OpenSSL callbacks */ ssl_stream_data_index = SSL_get_ex_new_index(0, "PHP stream index", NULL, NULL, NULL); - + REGISTER_STRING_CONSTANT("OPENSSL_VERSION_TEXT", OPENSSL_VERSION_TEXT, CONST_CS|CONST_PERSISTENT); REGISTER_LONG_CONSTANT("OPENSSL_VERSION_NUMBER", OPENSSL_VERSION_NUMBER, CONST_CS|CONST_PERSISTENT); - + /* purposes for cert purpose checking */ REGISTER_LONG_CONSTANT("X509_PURPOSE_SSL_CLIENT", X509_PURPOSE_SSL_CLIENT, CONST_CS|CONST_PERSISTENT); REGISTER_LONG_CONSTANT("X509_PURPOSE_SSL_SERVER", X509_PURPOSE_SSL_SERVER, CONST_CS|CONST_PERSISTENT); @@ -1024,6 +1071,13 @@ REGISTER_LONG_CONSTANT("OPENSSL_ALGO_MD2", OPENSSL_ALGO_MD2, CONST_CS|CONST_PERSISTENT); #endif REGISTER_LONG_CONSTANT("OPENSSL_ALGO_DSS1", OPENSSL_ALGO_DSS1, CONST_CS|CONST_PERSISTENT); +#if OPENSSL_VERSION_NUMBER >= 0x0090708fL + REGISTER_LONG_CONSTANT("OPENSSL_ALGO_SHA224", OPENSSL_ALGO_SHA224, CONST_CS|CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("OPENSSL_ALGO_SHA256", OPENSSL_ALGO_SHA256, CONST_CS|CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("OPENSSL_ALGO_SHA384", OPENSSL_ALGO_SHA384, CONST_CS|CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("OPENSSL_ALGO_SHA512", OPENSSL_ALGO_SHA512, CONST_CS|CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("OPENSSL_ALGO_RMD160", OPENSSL_ALGO_RMD160, CONST_CS|CONST_PERSISTENT); +#endif /* flags for S/MIME */ REGISTER_LONG_CONSTANT("PKCS7_DETACHED", PKCS7_DETACHED, CONST_CS|CONST_PERSISTENT); @@ -1051,6 +1105,11 @@ REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_DES", PHP_OPENSSL_CIPHER_DES, CONST_CS|CONST_PERSISTENT); REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_3DES", PHP_OPENSSL_CIPHER_3DES, CONST_CS|CONST_PERSISTENT); #endif +#ifndef OPENSSL_NO_AES + REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_128_CBC", PHP_OPENSSL_CIPHER_AES_128_CBC, CONST_CS|CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_192_CBC", PHP_OPENSSL_CIPHER_AES_192_CBC, CONST_CS|CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_256_CBC", PHP_OPENSSL_CIPHER_AES_256_CBC, CONST_CS|CONST_PERSISTENT); +#endif /* Values for key types */ REGISTER_LONG_CONSTANT("OPENSSL_KEYTYPE_RSA", OPENSSL_KEYTYPE_RSA, CONST_CS|CONST_PERSISTENT); @@ -1062,6 +1121,9 @@ REGISTER_LONG_CONSTANT("OPENSSL_KEYTYPE_EC", OPENSSL_KEYTYPE_EC, CONST_CS|CONST_PERSISTENT); #endif + REGISTER_LONG_CONSTANT("OPENSSL_RAW_DATA", OPENSSL_RAW_DATA, CONST_CS|CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("OPENSSL_ZERO_PADDING", OPENSSL_ZERO_PADDING, CONST_CS|CONST_PERSISTENT); + #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) /* SNI support included in OpenSSL >= 0.9.8j */ REGISTER_LONG_CONSTANT("OPENSSL_TLSEXT_SERVER_NAME", 1, CONST_CS|CONST_PERSISTENT); @@ -1094,7 +1156,7 @@ php_register_url_stream_wrapper("https", &php_stream_http_wrapper TSRMLS_CC); php_register_url_stream_wrapper("ftps", &php_stream_ftp_wrapper TSRMLS_CC); - + return SUCCESS; } /* }}} */ @@ -1184,7 +1246,7 @@ /* read cert from the named file */ BIO *in; - if (php_openssl_safe_mode_chk(Z_STRVAL_PP(val) + (sizeof("file://") - 1) TSRMLS_CC)) { + if (php_openssl_open_base_dir_chk(Z_STRVAL_PP(val) + (sizeof("file://") - 1) TSRMLS_CC)) { return NULL; } @@ -1210,7 +1272,7 @@ } if (cert && makeresource && resourceval) { - *resourceval = zend_list_insert(cert, le_x509); + *resourceval = zend_list_insert(cert, le_x509 TSRMLS_CC); } return cert; } @@ -1229,7 +1291,7 @@ char * filename; int filename_len; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zs|b", &zcert, &filename, &filename_len, ¬ext) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zp|b", &zcert, &filename, &filename_len, ¬ext) == FAILURE) { return; } RETVAL_FALSE; @@ -1240,7 +1302,7 @@ return; } - if (php_openssl_safe_mode_chk(filename TSRMLS_CC)) { + if (php_openssl_open_base_dir_chk(filename TSRMLS_CC)) { return; } @@ -1314,14 +1376,14 @@ long certresource = -1, keyresource = -1; RETVAL_FALSE; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZ", &zcert, &zkey) == FAILURE) { return; } cert = php_openssl_x509_from_zval(zcert, 0, &certresource TSRMLS_CC); if (cert == NULL) { RETURN_FALSE; - } + } key = php_openssl_evp_from_zval(zkey, 0, "", 1, &keyresource TSRMLS_CC); if (key) { RETVAL_BOOL(X509_check_private_key(cert, key)); @@ -1336,74 +1398,6 @@ } /* }}} */ -/* Special handling of subjectAltName, see CVE-2013-4073 - * Christian Heimes - */ - -static int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension) -{ - GENERAL_NAMES *names; - const X509V3_EXT_METHOD *method = NULL; - long i, length, num; - const unsigned char *p; - - method = X509V3_EXT_get(extension); - if (method == NULL) { - return -1; - } - - p = extension->value->data; - length = extension->value->length; - if (method->it) { - names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length, - ASN1_ITEM_ptr(method->it))); - } else { - names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length)); - } - if (names == NULL) { - return -1; - } - - num = sk_GENERAL_NAME_num(names); - for (i = 0; i < num; i++) { - GENERAL_NAME *name; - ASN1_STRING *as; - name = sk_GENERAL_NAME_value(names, i); - switch (name->type) { - case GEN_EMAIL: - BIO_puts(bio, "email:"); - as = name->d.rfc822Name; - BIO_write(bio, ASN1_STRING_data(as), - ASN1_STRING_length(as)); - break; - case GEN_DNS: - BIO_puts(bio, "DNS:"); - as = name->d.dNSName; - BIO_write(bio, ASN1_STRING_data(as), - ASN1_STRING_length(as)); - break; - case GEN_URI: - BIO_puts(bio, "URI:"); - as = name->d.uniformResourceIdentifier; - BIO_write(bio, ASN1_STRING_data(as), - ASN1_STRING_length(as)); - break; - default: - /* use builtin print for GEN_OTHERNAME, GEN_X400, - * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID - */ - GENERAL_NAME_print(bio, name); - } - /* trailing ', ' except for last element */ - if (i < (num - 1)) { - BIO_puts(bio, ", "); - } - } - sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); - - return 0; -} - /* {{{ proto array openssl_x509_parse(mixed x509 [, bool shortnames=true]) Returns an array of the fields/values of the CERT */ PHP_FUNCTION(openssl_x509_parse) @@ -1442,11 +1436,11 @@ snprintf(buf, sizeof(buf), "%08lx", X509_subject_name_hash(cert)); add_assoc_string(return_value, "hash", buf, 1); } - + add_assoc_name_entry(return_value, "issuer", X509_get_issuer_name(cert), useshortnames TSRMLS_CC); add_assoc_long(return_value, "version", X509_get_version(cert)); - add_assoc_string(return_value, "serialNumber", i2s_ASN1_INTEGER(NULL, X509_get_serialNumber(cert)), 1); + add_assoc_string(return_value, "serialNumber", i2s_ASN1_INTEGER(NULL, X509_get_serialNumber(cert)), 1); add_assoc_asn1_string(return_value, "validFrom", X509_get_notBefore(cert)); add_assoc_asn1_string(return_value, "validTo", X509_get_notAfter(cert)); @@ -1500,30 +1494,15 @@ for (i = 0; i < X509_get_ext_count(cert); i++) { - int nid; extension = X509_get_ext(cert, i); - nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension)); - if (nid != NID_undef) { + if (OBJ_obj2nid(X509_EXTENSION_get_object(extension)) != NID_undef) { extname = (char *)OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(extension))); } else { OBJ_obj2txt(buf, sizeof(buf)-1, X509_EXTENSION_get_object(extension), 1); extname = buf; } bio_out = BIO_new(BIO_s_mem()); - if (nid == NID_subject_alt_name) { - if (openssl_x509v3_subjectAltName(bio_out, extension) == 0) { - BIO_get_mem_ptr(bio_out, &bio_buf); - add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1); - } else { - zval_dtor(return_value); - if (certresource == -1 && cert) { - X509_free(cert); - } - BIO_free(bio_out); - RETURN_FALSE; - } - } - else if (X509V3_EXT_print(bio_out, extension, 0, 0)) { + if (X509V3_EXT_print(bio_out, extension, 0, 0)) { BIO_get_mem_ptr(bio_out, &bio_buf); add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1); } else { @@ -1553,7 +1532,7 @@ goto end; } - if (php_openssl_safe_mode_chk(certfile TSRMLS_CC)) { + if (php_openssl_open_base_dir_chk(certfile TSRMLS_CC)) { sk_X509_free(stack); goto end; } @@ -1663,8 +1642,8 @@ if (certresource == 1 && cert) { X509_free(cert); } - if (cainfo) { - X509_STORE_free(cainfo); + if (cainfo) { + X509_STORE_free(cainfo); } if (untrustedchain) { sk_X509_pop_free(untrustedchain, X509_free); @@ -1717,7 +1696,7 @@ dir_lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); if (dir_lookup == NULL || !X509_LOOKUP_add_dir(dir_lookup, Z_STRVAL_PP(item), X509_FILETYPE_PEM)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "error loading directory %s", Z_STRVAL_PP(item)); - } else { + } else { ndirs++; } dir_lookup = NULL; @@ -1811,11 +1790,11 @@ if (certresource != -1) { cert = X509_dup(cert); - + if (cert == NULL) { goto clean_exit; } - + } sk_X509_push(sk, cert); @@ -1824,7 +1803,7 @@ } else { /* a single certificate */ cert = php_openssl_x509_from_zval(zcerts, 0, &certresource TSRMLS_CC); - + if (cert == NULL) { goto clean_exit; } @@ -1861,15 +1840,11 @@ zval ** item; STACK_OF(X509) *ca = NULL; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zszs|a", &zcert, &filename, &filename_len, &zpkey, &pass, &pass_len, &args) == FAILURE) + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zpzs|a", &zcert, &filename, &filename_len, &zpkey, &pass, &pass_len, &args) == FAILURE) return; RETVAL_FALSE; - if (strlen(filename) != filename_len) { - return; - } - cert = php_openssl_x509_from_zval(zcert, 0, &certresource TSRMLS_CC); if (cert == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get cert from parameter 1"); @@ -1884,12 +1859,12 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "private key does not correspond to cert"); goto cleanup; } - if (php_openssl_safe_mode_chk(filename TSRMLS_CC)) { + if (php_openssl_open_base_dir_chk(filename TSRMLS_CC)) { goto cleanup; } /* parse extra config from args array, promote this to an extra function */ - if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING) + if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS) friendly_name = Z_STRVAL_PP(item); /* certpbe (default RC2-40) keypbe (default 3DES) @@ -1905,9 +1880,9 @@ p12 = PKCS12_create(pass, friendly_name, priv_key, cert, ca, 0, 0, 0, 0, 0); - bio_out = BIO_new_file(filename, "w"); + bio_out = BIO_new_file(filename, "w"); if (bio_out) { - + i2d_PKCS12_bio(bio_out, p12); RETVAL_TRUE; @@ -1918,13 +1893,13 @@ BIO_free(bio_out); PKCS12_free(p12); php_sk_X509_free(ca); - + cleanup: if (keyresource == -1 && priv_key) { EVP_PKEY_free(priv_key); } - if (certresource == -1 && cert) { + if (certresource == -1 && cert) { X509_free(cert); } } @@ -1950,7 +1925,7 @@ return; RETVAL_FALSE; - + cert = php_openssl_x509_from_zval(&zcert, 0, &certresource TSRMLS_CC); if (cert == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get cert from parameter 1"); @@ -1967,13 +1942,13 @@ } /* parse extra config from args array, promote this to an extra function */ - if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING) + if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS) friendly_name = Z_STRVAL_PP(item); if (args && zend_hash_find(Z_ARRVAL_P(args), "extracerts", sizeof("extracerts"), (void**)&item) == SUCCESS) ca = php_array_to_X509_sk(item TSRMLS_CC); /* end parse extra config */ - + p12 = PKCS12_create(pass, friendly_name, priv_key, cert, ca, 0, 0, 0, 0, 0); bio_out = BIO_new(BIO_s_mem()); @@ -1990,13 +1965,13 @@ BIO_free(bio_out); PKCS12_free(p12); php_sk_X509_free(ca); - + cleanup: if (keyresource == -1 && priv_key) { EVP_PKEY_free(priv_key); } - if (certresource == -1 && cert) { + if (certresource == -1 && cert) { X509_free(cert); } } @@ -2020,12 +1995,12 @@ return; RETVAL_FALSE; - + bio_in = BIO_new(BIO_s_mem()); - + if(!BIO_write(bio_in, zp12, zp12_len)) goto cleanup; - + if(d2i_PKCS12_bio(bio_in, &p12)) { if(PKCS12_parse(p12, pass, &pkey, &cert, &ca)) { BIO * bio_out; @@ -2055,12 +2030,12 @@ MAKE_STD_ZVAL(zextracerts); array_init(zextracerts); - + for (i=0;;i++) { zval * zextracert; X509* aCA = sk_X509_pop(ca); if (!aCA) break; - + bio_out = BIO_new(BIO_s_mem()); if (PEM_write_bio_X509(bio_out, aCA)) { BUF_MEM *bio_buf; @@ -2068,7 +2043,7 @@ MAKE_STD_ZVAL(zextracert); ZVAL_STRINGL(zextracert, bio_buf->data, bio_buf->length, 1); add_index_zval(zextracerts, i, zextracert); - + } BIO_free(bio_out); @@ -2080,13 +2055,13 @@ } else { zval_dtor(zextracerts); } - + RETVAL_TRUE; - + PKCS12_free(p12); } } - + cleanup: if (bio_in) { BIO_free(bio_in); @@ -2094,7 +2069,7 @@ if (pkey) { EVP_PKEY_free(pkey); } - if (cert) { + if (cert) { X509_free(cert); } } @@ -2113,7 +2088,7 @@ return FAILURE; } dn_sk = CONF_get_section(req->req_config, dn_sect); - if (dn_sk == NULL) { + if (dn_sk == NULL) { return FAILURE; } attr_sect = CONF_get_string(req->req_config, req->section_name, "attributes"); @@ -2133,15 +2108,15 @@ X509_NAME * subj; HashPosition hpos; zval ** item; - + subj = X509_REQ_get_subject_name(csr); /* apply values from the dn hash */ zend_hash_internal_pointer_reset_ex(HASH_OF(dn), &hpos); while(zend_hash_get_current_data_ex(HASH_OF(dn), (void**)&item, &hpos) == SUCCESS) { - char * strindex = NULL; + char * strindex = NULL; uint strindexlen = 0; ulong intindex; - + zend_hash_get_current_key_ex(HASH_OF(dn), &strindex, &strindexlen, &intindex, 0, &hpos); convert_to_string_ex(item); @@ -2151,10 +2126,14 @@ nid = OBJ_txt2nid(strindex); if (nid != NID_undef) { - if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC, + if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_UTF8, (unsigned char*)Z_STRVAL_PP(item), -1, -1, 0)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: add_entry_by_NID %d -> %s (failed)", nid, Z_STRVAL_PP(item)); + php_error_docref(NULL TSRMLS_CC, E_WARNING, + "dn: add_entry_by_NID %d -> %s (failed; check error" + " queue and value of string_mask OpenSSL option " + "if illegal characters are reported)", + nid, Z_STRVAL_PP(item)); return FAILURE; } } else { @@ -2168,10 +2147,10 @@ for(i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) { int len; char buffer[200 + 1]; /*200 + \0 !*/ - + v = sk_CONF_VALUE_value(dn_sk, i); type = v->name; - + len = strlen(type); if (len < sizeof("_default")) { continue; @@ -2186,7 +2165,7 @@ memcpy(buffer, type, len); buffer[len] = '\0'; type = buffer; - + /* Skip past any leading X. X: X, etc to allow for multiple * instances */ for (str = type; *str; str++) { @@ -2203,7 +2182,7 @@ if (X509_NAME_get_index_by_NID(subj, nid, -1) >= 0) { continue; } - if (!X509_NAME_add_entry_by_txt(subj, type, MBSTRING_ASC, (unsigned char*)v->value, -1, -1, 0)) { + if (!X509_NAME_add_entry_by_txt(subj, type, MBSTRING_UTF8, (unsigned char*)v->value, -1, -1, 0)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "add_entry_by_txt %s -> %s (failed)", type, v->value); return FAILURE; } @@ -2227,7 +2206,7 @@ nid = OBJ_txt2nid(strindex); if (nid != NID_undef) { - if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC, (unsigned char*)Z_STRVAL_PP(item), -1, -1, 0)) { + if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_UTF8, (unsigned char*)Z_STRVAL_PP(item), -1, -1, 0)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "attribs: add_entry_by_NID %d -> %s (failed)", nid, Z_STRVAL_PP(item)); return FAILURE; } @@ -2244,8 +2223,12 @@ if (X509_REQ_get_attr_by_NID(csr, nid, -1) >= 0) { continue; } - if (!X509_REQ_add1_attr_by_txt(csr, v->name, MBSTRING_ASC, (unsigned char*)v->value, -1)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "add1_attr_by_txt %s -> %s (failed)", v->name, v->value); + if (!X509_REQ_add1_attr_by_txt(csr, v->name, MBSTRING_UTF8, (unsigned char*)v->value, -1)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, + "add1_attr_by_txt %s -> %s (failed; check error queue " + "and value of string_mask OpenSSL option if illegal " + "characters are reported)", + v->name, v->value); return FAILURE; } } @@ -2263,7 +2246,7 @@ X509_REQ * csr = NULL; char * filename = NULL; BIO * in; - + if (resourceval) { *resourceval = -1; } @@ -2287,7 +2270,7 @@ filename = Z_STRVAL_PP(val) + (sizeof("file://") - 1); } if (filename) { - if (php_openssl_safe_mode_chk(filename TSRMLS_CC)) { + if (php_openssl_open_base_dir_chk(filename TSRMLS_CC)) { return NULL; } in = BIO_new_file(filename, "r"); @@ -2312,22 +2295,18 @@ BIO * bio_out; long csr_resource; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|b", &zcsr, &filename, &filename_len, ¬ext) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp|b", &zcsr, &filename, &filename_len, ¬ext) == FAILURE) { return; } RETVAL_FALSE; - if (strlen(filename) != filename_len) { - return; - } - csr = php_openssl_csr_from_zval(&zcsr, 0, &csr_resource TSRMLS_CC); if (csr == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get CSR from parameter 1"); return; } - if (php_openssl_safe_mode_chk(filename TSRMLS_CC)) { + if (php_openssl_open_base_dir_chk(filename TSRMLS_CC)) { return; } @@ -2408,13 +2387,13 @@ long csr_resource, certresource = 0, keyresource = -1; int i; struct php_x509_request req; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZ!Zl|a!l", &zcsr, &zcert, &zpkey, &num_days, &args, &serial) == FAILURE) return; RETVAL_FALSE; PHP_SSL_REQ_INIT(&req); - + csr = php_openssl_csr_from_zval(zcsr, 0, &csr_resource TSRMLS_CC); if (csr == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get CSR from parameter 1"); @@ -2436,7 +2415,7 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "private key does not correspond to signing cert"); goto cleanup; } - + if (PHP_SSL_REQ_PARSE(&req, args) == FAILURE) { goto cleanup; } @@ -2456,9 +2435,9 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Signature did not match the certificate request"); goto cleanup; } - + /* Now we can get on with it */ - + new_cert = X509_new(); if (new_cert == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "No memory"); @@ -2469,7 +2448,7 @@ goto cleanup; ASN1_INTEGER_set(X509_get_serialNumber(new_cert), serial); - + X509_set_subject_name(new_cert, X509_REQ_get_subject_name(csr)); if (cert == NULL) { @@ -2486,7 +2465,7 @@ } if (req.extensions_section) { X509V3_CTX ctx; - + X509V3_set_ctx(&ctx, cert, new_cert, csr, NULL, 0); X509V3_set_conf_lhash(&ctx, req.req_config); if (!X509V3_EXT_add_conf(req.req_config, &ctx, req.extensions_section, new_cert)) { @@ -2499,11 +2478,11 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to sign it"); goto cleanup; } - + /* Succeeded; lets return the cert */ - RETVAL_RESOURCE(zend_list_insert(new_cert, le_x509)); + RETVAL_RESOURCE(zend_list_insert(new_cert, le_x509 TSRMLS_CC)); new_cert = NULL; - + cleanup: if (cert == new_cert) { @@ -2520,7 +2499,7 @@ if (csr_resource == -1 && csr) { X509_REQ_free(csr); } - if (certresource == -1 && cert) { + if (certresource == -1 && cert) { X509_free(cert); } if (new_cert) { @@ -2539,12 +2518,12 @@ X509_REQ * csr = NULL; int we_made_the_key = 1; long key_resource; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "az|a!a!", &dn, &out_pkey, &args, &attribs) == FAILURE) { return; } RETVAL_FALSE; - + PHP_SSL_REQ_INIT(&req); if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) { @@ -2576,10 +2555,10 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error loading extension section %s", req.request_extensions_section); } else { RETVAL_TRUE; - + if (X509_REQ_sign(csr, req.priv_key, req.digest)) { - RETVAL_RESOURCE(zend_list_insert(csr, le_csr)); - csr = NULL; + RETVAL_RESOURCE(zend_list_insert(csr, le_csr TSRMLS_CC)); + csr = NULL; } else { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error signing request"); } @@ -2587,7 +2566,7 @@ if (we_made_the_key) { /* and a resource for the private key */ zval_dtor(out_pkey); - ZVAL_RESOURCE(out_pkey, zend_list_insert(req.priv_key, le_key)); + ZVAL_RESOURCE(out_pkey, zend_list_insert(req.priv_key, le_key TSRMLS_CC)); req.priv_key = NULL; /* make sure the cleanup code doesn't zap it! */ } else if (key_resource != -1) { req.priv_key = NULL; /* make sure the cleanup code doesn't zap it! */ @@ -2660,7 +2639,7 @@ } tpubkey=X509_REQ_get_pubkey(csr); - RETVAL_RESOURCE(zend_list_insert(tpubkey, le_key)); + RETVAL_RESOURCE(zend_list_insert(tpubkey, le_key TSRMLS_CC)); return; } /* }}} */ @@ -2704,14 +2683,14 @@ } if (Z_TYPE_PP(val) == IS_ARRAY) { zval ** zphrase; - + /* get passphrase */ if (zend_hash_index_find(HASH_OF(*val), 1, (void **)&zphrase) == FAILURE) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "key array must be of the form array(0 => key, 1 => phrase)"); return NULL; } - + if (Z_TYPE_PP(zphrase) == IS_STRING) { passphrase = Z_STRVAL_PP(zphrase); } else { @@ -2736,7 +2715,7 @@ if (!what) { TMP_CLEAN; } - if (resourceval) { + if (resourceval) { *resourceval = Z_LVAL_PP(val); } if (type == le_x509) { @@ -2770,8 +2749,8 @@ } } else { /* force it to be a string and check if it refers to a file */ - /* passing non string values leaks, object uses toString, it returns NULL - * See bug38255.phpt + /* passing non string values leaks, object uses toString, it returns NULL + * See bug38255.phpt */ if (!(Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_OBJECT)) { TMP_CLEAN; @@ -2805,7 +2784,7 @@ BIO *in; if (filename) { - if (php_openssl_safe_mode_chk(filename TSRMLS_CC)) { + if (php_openssl_open_base_dir_chk(filename TSRMLS_CC)) { TMP_CLEAN; } in = BIO_new_file(filename, "r"); @@ -2845,7 +2824,7 @@ char * randfile = NULL; int egdsocket, seeded; EVP_PKEY * return_val = NULL; - + if (req->priv_key_bits < MIN_KEY_LENGTH) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "private key length is too short; it needs to be at least %d bits, not %d", MIN_KEY_LENGTH, req->priv_key_bits); @@ -2853,8 +2832,8 @@ } randfile = CONF_get_string(req->req_config, req->section_name, "RANDFILE"); - php_openssl_load_rand_file(randfile, &egdsocket, &seeded); - + php_openssl_load_rand_file(randfile, &egdsocket, &seeded TSRMLS_CC); + if ((req->priv_key = EVP_PKEY_new()) != NULL) { switch(req->priv_key_type) { case OPENSSL_KEYTYPE_RSA: @@ -2904,13 +2883,13 @@ } php_openssl_write_rand_file(randfile, egdsocket, seeded); - + if (return_val == NULL) { EVP_PKEY_free(req->priv_key); req->priv_key = NULL; return NULL; } - + return return_val; } /* }}} */ @@ -2939,7 +2918,7 @@ case EVP_PKEY_DSA4: assert(pkey->pkey.dsa != NULL); - if (NULL == pkey->pkey.dsa->p || NULL == pkey->pkey.dsa->q || NULL == pkey->pkey.dsa->priv_key){ + if (NULL == pkey->pkey.dsa->p || NULL == pkey->pkey.dsa->q || NULL == pkey->pkey.dsa->priv_key){ return 0; } break; @@ -3014,7 +2993,7 @@ OPENSSL_PKEY_SET_BN(Z_ARRVAL_PP(data), rsa, iqmp); if (rsa->n && rsa->d) { if (EVP_PKEY_assign_RSA(pkey, rsa)) { - RETURN_RESOURCE(zend_list_insert(pkey, le_key)); + RETURN_RESOURCE(zend_list_insert(pkey, le_key TSRMLS_CC)); } } RSA_free(rsa); @@ -3038,7 +3017,7 @@ DSA_generate_key(dsa); } if (EVP_PKEY_assign_DSA(pkey, dsa)) { - RETURN_RESOURCE(zend_list_insert(pkey, le_key)); + RETURN_RESOURCE(zend_list_insert(pkey, le_key TSRMLS_CC)); } } DSA_free(dsa); @@ -3061,7 +3040,7 @@ DH_generate_key(dh); } if (EVP_PKEY_assign_DH(pkey, dh)) { - RETURN_RESOURCE(zend_list_insert(pkey, le_key)); + RETURN_RESOURCE(zend_list_insert(pkey, le_key TSRMLS_CC)); } } DH_free(dh); @@ -3070,7 +3049,7 @@ } RETURN_FALSE; } - } + } PHP_SSL_REQ_INIT(&req); @@ -3078,7 +3057,7 @@ { if (php_openssl_generate_private_key(&req TSRMLS_CC)) { /* pass back a key resource */ - RETVAL_RESOURCE(zend_list_insert(req.priv_key, le_key)); + RETVAL_RESOURCE(zend_list_insert(req.priv_key, le_key TSRMLS_CC)); /* make sure the cleanup code doesn't zap it! */ req.priv_key = NULL; } @@ -3099,15 +3078,11 @@ EVP_PKEY * key; BIO * bio_out = NULL; const EVP_CIPHER * cipher; - - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zs|s!a!", &zpkey, &filename, &filename_len, &passphrase, &passphrase_len, &args) == FAILURE) { - return; - } - RETVAL_FALSE; - if (strlen(filename) != filename_len) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zp|s!a!", &zpkey, &filename, &filename_len, &passphrase, &passphrase_len, &args) == FAILURE) { return; } + RETVAL_FALSE; key = php_openssl_evp_from_zval(zpkey, 0, passphrase, 0, &key_resource TSRMLS_CC); @@ -3115,18 +3090,22 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get key from parameter 1"); RETURN_FALSE; } - - if (php_openssl_safe_mode_chk(filename TSRMLS_CC)) { + + if (php_openssl_open_base_dir_chk(filename TSRMLS_CC)) { RETURN_FALSE; } - + PHP_SSL_REQ_INIT(&req); if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) { bio_out = BIO_new_file(filename, "w"); if (passphrase && req.priv_key_encrypt) { - cipher = (EVP_CIPHER *) EVP_des_ede3_cbc(); + if (req.priv_key_encrypt_cipher) { + cipher = req.priv_key_encrypt_cipher; + } else { + cipher = (EVP_CIPHER *) EVP_des_ede3_cbc(); + } } else { cipher = NULL; } @@ -3158,7 +3137,7 @@ EVP_PKEY * key; BIO * bio_out = NULL; const EVP_CIPHER * cipher; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz|s!a!", &zpkey, &out, &passphrase, &passphrase_len, &args) == FAILURE) { return; } @@ -3170,14 +3149,18 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get key from parameter 1"); RETURN_FALSE; } - + PHP_SSL_REQ_INIT(&req); if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) { bio_out = BIO_new(BIO_s_mem()); if (passphrase && req.priv_key_encrypt) { - cipher = (EVP_CIPHER *) EVP_des_ede3_cbc(); + if (req.priv_key_encrypt_cipher) { + cipher = req.priv_key_encrypt_cipher; + } else { + cipher = (EVP_CIPHER *) EVP_des_ede3_cbc(); + } } else { cipher = NULL; } @@ -3221,6 +3204,7 @@ if (pkey == NULL) { RETURN_FALSE; } + zend_list_addref(Z_LVAL_P(return_value)); } /* }}} */ @@ -3257,6 +3241,7 @@ if (pkey == NULL) { RETURN_FALSE; } + zend_list_addref(Z_LVAL_P(return_value)); } /* }}} */ @@ -3286,7 +3271,7 @@ array_init(return_value); add_assoc_long(return_value, "bits", EVP_PKEY_bits(pkey)); add_assoc_stringl(return_value, "key", pbio, pbio_len, 1); - /*TODO: Use the real values once the openssl constants are used + /*TODO: Use the real values once the openssl constants are used * See the enum at the top of this file */ switch (EVP_PKEY_type(pkey->type)) { @@ -3310,7 +3295,7 @@ add_assoc_zval(return_value, "rsa", rsa); } - break; + break; case EVP_PKEY_DSA: case EVP_PKEY_DSA2: case EVP_PKEY_DSA3: @@ -3331,7 +3316,7 @@ } break; case EVP_PKEY_DH: - + ktype = OPENSSL_KEYTYPE_DH; if (pkey->pkey.dh != NULL) { @@ -3347,7 +3332,7 @@ } break; -#ifdef EVP_PKEY_EC +#ifdef EVP_PKEY_EC case EVP_PKEY_EC: ktype = OPENSSL_KEYTYPE_EC; break; @@ -3381,15 +3366,15 @@ char * extracerts = NULL; int extracerts_len = 0; char * signersfilename = NULL; int signersfilename_len = 0; char * datafilename = NULL; int datafilename_len = 0; - + RETVAL_LONG(-1); - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|sass", &filename, &filename_len, + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pl|papp", &filename, &filename_len, &flags, &signersfilename, &signersfilename_len, &cainfo, &extracerts, &extracerts_len, &datafilename, &datafilename_len) == FAILURE) { return; } - + if (extracerts) { others = load_all_certs_from_file(extracerts); if (others == NULL) { @@ -3404,7 +3389,7 @@ if (!store) { goto clean_exit; } - if (php_openssl_safe_mode_chk(filename TSRMLS_CC)) { + if (php_openssl_open_base_dir_chk(filename TSRMLS_CC)) { goto clean_exit; } @@ -3422,7 +3407,7 @@ if (datafilename) { - if (php_openssl_safe_mode_chk(datafilename TSRMLS_CC)) { + if (php_openssl_open_base_dir_chk(datafilename TSRMLS_CC)) { goto clean_exit; } @@ -3441,11 +3426,11 @@ if (signersfilename) { BIO *certout; - - if (php_openssl_safe_mode_chk(signersfilename TSRMLS_CC)) { + + if (php_openssl_open_base_dir_chk(signersfilename TSRMLS_CC)) { goto clean_exit; } - + certout = BIO_new_file(signersfilename, "w"); if (certout) { int i; @@ -3494,22 +3479,15 @@ char * strindex; char * infilename = NULL; int infilename_len; char * outfilename = NULL; int outfilename_len; - + RETVAL_FALSE; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ssZa!|ll", &infilename, &infilename_len, + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ppZa!|ll", &infilename, &infilename_len, &outfilename, &outfilename_len, &zrecipcerts, &zheaders, &flags, &cipherid) == FAILURE) return; - if (strlen(infilename) != infilename_len) { - return; - } - if (strlen(outfilename) != outfilename_len) { - return; - } - - if (php_openssl_safe_mode_chk(infilename TSRMLS_CC) || php_openssl_safe_mode_chk(outfilename TSRMLS_CC)) { + if (php_openssl_open_base_dir_chk(infilename TSRMLS_CC) || php_openssl_open_base_dir_chk(outfilename TSRMLS_CC)) { return; } @@ -3519,7 +3497,7 @@ } outfile = BIO_new_file(outfilename, "w"); - if (outfile == NULL) { + if (outfile == NULL) { goto clean_exit; } @@ -3640,25 +3618,18 @@ char * outfilename; int outfilename_len; char * extracertsfilename = NULL; int extracertsfilename_len; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ssZZa!|ls", + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ppZZa!|lp", &infilename, &infilename_len, &outfilename, &outfilename_len, &zcert, &zprivkey, &zheaders, &flags, &extracertsfilename, &extracertsfilename_len) == FAILURE) { return; } - RETVAL_FALSE; - if (strlen(infilename) != infilename_len) { - return; - } - - if (strlen(outfilename) != outfilename_len) { - return; - } + RETVAL_FALSE; if (extracertsfilename) { others = load_all_certs_from_file(extracertsfilename); - if (others == NULL) { + if (others == NULL) { goto clean_exit; } } @@ -3675,7 +3646,7 @@ goto clean_exit; } - if (php_openssl_safe_mode_chk(infilename TSRMLS_CC) || php_openssl_safe_mode_chk(outfilename TSRMLS_CC)) { + if (php_openssl_open_base_dir_chk(infilename TSRMLS_CC) || php_openssl_open_base_dir_chk(outfilename TSRMLS_CC)) { goto clean_exit; } @@ -3751,20 +3722,12 @@ char * infilename; int infilename_len; char * outfilename; int outfilename_len; - RETVAL_FALSE; - - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ssZ|Z", &infilename, &infilename_len, + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ppZ|Z", &infilename, &infilename_len, &outfilename, &outfilename_len, &recipcert, &recipkey) == FAILURE) { return; } - if (strlen(infilename) != infilename_len) { - return; - } - - if (strlen(outfilename) != outfilename_len) { - return; - } + RETVAL_FALSE; cert = php_openssl_x509_from_zval(recipcert, 0, &certresval TSRMLS_CC); if (cert == NULL) { @@ -3777,8 +3740,8 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to get private key"); goto clean_exit; } - - if (php_openssl_safe_mode_chk(infilename TSRMLS_CC) || php_openssl_safe_mode_chk(outfilename TSRMLS_CC)) { + + if (php_openssl_open_base_dir_chk(infilename TSRMLS_CC) || php_openssl_open_base_dir_chk(outfilename TSRMLS_CC)) { goto clean_exit; } @@ -3796,7 +3759,7 @@ if (p7 == NULL) { goto clean_exit; } - if (PKCS7_decrypt(p7, key, cert, out, PKCS7_DETACHED)) { + if (PKCS7_decrypt(p7, key, cert, out, PKCS7_DETACHED)) { RETVAL_TRUE; } clean_exit: @@ -3829,7 +3792,7 @@ int data_len; long padding = RSA_PKCS1_PADDING; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "szZ|l", &data, &data_len, &crypted, &key, &padding) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "szZ|l", &data, &data_len, &crypted, &key, &padding) == FAILURE) { return; } RETVAL_FALSE; @@ -3847,10 +3810,10 @@ switch (pkey->type) { case EVP_PKEY_RSA: case EVP_PKEY_RSA2: - successful = (RSA_private_encrypt(data_len, - (unsigned char *)data, - cryptedbuf, - pkey->pkey.rsa, + successful = (RSA_private_encrypt(data_len, + (unsigned char *)data, + cryptedbuf, + pkey->pkey.rsa, padding) == cryptedlen); break; default: @@ -3867,7 +3830,7 @@ if (cryptedbuf) { efree(cryptedbuf); } - if (keyresource == -1) { + if (keyresource == -1) { EVP_PKEY_free(pkey); } } @@ -3905,10 +3868,10 @@ switch (pkey->type) { case EVP_PKEY_RSA: case EVP_PKEY_RSA2: - cryptedlen = RSA_private_decrypt(data_len, - (unsigned char *)data, - crypttemp, - pkey->pkey.rsa, + cryptedlen = RSA_private_decrypt(data_len, + (unsigned char *)data, + crypttemp, + pkey->pkey.rsa, padding); if (cryptedlen != -1) { cryptedbuf = emalloc(cryptedlen + 1); @@ -3933,7 +3896,7 @@ if (keyresource == -1) { EVP_PKEY_free(pkey); } - if (cryptedbuf) { + if (cryptedbuf) { efree(cryptedbuf); } } @@ -3957,7 +3920,7 @@ return; RETVAL_FALSE; - + pkey = php_openssl_evp_from_zval(key, 1, NULL, 0, &keyresource TSRMLS_CC); if (pkey == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "key parameter is not a valid public key"); @@ -3970,10 +3933,10 @@ switch (pkey->type) { case EVP_PKEY_RSA: case EVP_PKEY_RSA2: - successful = (RSA_public_encrypt(data_len, - (unsigned char *)data, - cryptedbuf, - pkey->pkey.rsa, + successful = (RSA_public_encrypt(data_len, + (unsigned char *)data, + cryptedbuf, + pkey->pkey.rsa, padding) == cryptedlen); break; default: @@ -4016,7 +3979,7 @@ return; } RETVAL_FALSE; - + pkey = php_openssl_evp_from_zval(key, 1, NULL, 0, &keyresource TSRMLS_CC); if (pkey == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "key parameter is not a valid public key"); @@ -4029,10 +3992,10 @@ switch (pkey->type) { case EVP_PKEY_RSA: case EVP_PKEY_RSA2: - cryptedlen = RSA_public_decrypt(data_len, - (unsigned char *)data, - crypttemp, - pkey->pkey.rsa, + cryptedlen = RSA_public_decrypt(data_len, + (unsigned char *)data, + crypttemp, + pkey->pkey.rsa, padding); if (cryptedlen != -1) { cryptedbuf = emalloc(cryptedlen + 1); @@ -4040,10 +4003,10 @@ successful = 1; } break; - + default: php_error_docref(NULL TSRMLS_CC, E_WARNING, "key type not supported in this PHP build!"); - + } efree(crypttemp); @@ -4161,7 +4124,7 @@ char * signature; int signature_len; zval *method = NULL; long signature_algo = OPENSSL_ALGO_SHA1; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ssZ|z", &data, &data_len, &signature, &signature_len, &key, &method) == FAILURE) { return; } @@ -4220,7 +4183,7 @@ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "szza/|s", &data, &data_len, &sealdata, &ekeys, &pubkeys, &method, &method_len) == FAILURE) { return; } - + pubkeysht = HASH_OF(pubkeys); nkeys = pubkeysht ? zend_hash_num_elements(pubkeysht) : 0; if (!nkeys) { @@ -4315,7 +4278,7 @@ if (key_resources[i] == -1) { EVP_PKEY_free(pkeys[i]); } - if (eks[i]) { + if (eks[i]) { efree(eks[i]); } } @@ -4361,13 +4324,13 @@ } else { cipher = EVP_rc4(); } - + buf = emalloc(data_len + 1); if (EVP_OpenInit(&ctx, cipher, (unsigned char *)ekey, ekey_len, NULL, pkey) && EVP_OpenUpdate(&ctx, buf, &len1, (unsigned char *)data, data_len)) { if (!EVP_OpenFinal(&ctx, buf + len1, &len2) || (len1 + len2 == 0)) { efree(buf); - if (keyresource == -1) { + if (keyresource == -1) { EVP_PKEY_free(pkey); } RETURN_FALSE; @@ -4604,7 +4567,7 @@ if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff); return NULL; - } + } } tmpssl = SSL_new(ctx); @@ -4661,7 +4624,7 @@ } array_init(return_value); OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH, - aliases ? openssl_add_method_or_alias: openssl_add_method, + aliases ? openssl_add_method_or_alias: openssl_add_method, return_value); } /* }}} */ @@ -4677,7 +4640,7 @@ } array_init(return_value); OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, - aliases ? openssl_add_method_or_alias: openssl_add_method, + aliases ? openssl_add_method_or_alias: openssl_add_method, return_value); } /* }}} */ @@ -4761,20 +4724,20 @@ } -/* {{{ proto string openssl_encrypt(string data, string method, string password [, bool raw_output=false [, string $iv='']]) +/* {{{ proto string openssl_encrypt(string data, string method, string password [, long options=0 [, string $iv='']]) Encrypts given data with given method and key, returns raw or base64 encoded string */ PHP_FUNCTION(openssl_encrypt) { - zend_bool raw_output = 0; + long options = 0; char *data, *method, *password, *iv = ""; int data_len, method_len, password_len, iv_len = 0, max_iv_len; const EVP_CIPHER *cipher_type; EVP_CIPHER_CTX cipher_ctx; - int i = 0, outlen, keylen; + int i=0, outlen, keylen; unsigned char *outbuf, *key; zend_bool free_iv; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|bs", &data, &data_len, &method, &method_len, &password, &password_len, &raw_output, &iv, &iv_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|ls", &data, &data_len, &method, &method_len, &password, &password_len, &options, &iv, &iv_len) == FAILURE) { return; } cipher_type = EVP_get_cipherbyname(method); @@ -4806,13 +4769,16 @@ EVP_CIPHER_CTX_set_key_length(&cipher_ctx, password_len); } EVP_EncryptInit_ex(&cipher_ctx, NULL, NULL, key, (unsigned char *)iv); + if (options & OPENSSL_ZERO_PADDING) { + EVP_CIPHER_CTX_set_padding(&cipher_ctx, 0); + } if (data_len > 0) { EVP_EncryptUpdate(&cipher_ctx, outbuf, &i, (unsigned char *)data, data_len); } outlen = i; if (EVP_EncryptFinal(&cipher_ctx, (unsigned char *)outbuf + i, &i)) { outlen += i; - if (raw_output) { + if (options & OPENSSL_RAW_DATA) { outbuf[outlen] = '\0'; RETVAL_STRINGL((char *)outbuf, outlen, 0); } else { @@ -4837,11 +4803,11 @@ } /* }}} */ -/* {{{ proto string openssl_decrypt(string data, string method, string password [, bool raw_input=false [, string $iv = '']]) +/* {{{ proto string openssl_decrypt(string data, string method, string password [, long options=0 [, string $iv = '']]) Takes raw or base64 encoded string and dectupt it using given method and key */ PHP_FUNCTION(openssl_decrypt) { - zend_bool raw_input = 0; + long options = 0; char *data, *method, *password, *iv = ""; int data_len, method_len, password_len, iv_len = 0; const EVP_CIPHER *cipher_type; @@ -4852,7 +4818,7 @@ char *base64_str = NULL; zend_bool free_iv; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|bs", &data, &data_len, &method, &method_len, &password, &password_len, &raw_input, &iv, &iv_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|ls", &data, &data_len, &method, &method_len, &password, &password_len, &options, &iv, &iv_len) == FAILURE) { return; } @@ -4867,7 +4833,7 @@ RETURN_FALSE; } - if (!raw_input) { + if (!(options & OPENSSL_RAW_DATA)) { base64_str = (char*)php_base64_decode((unsigned char*)data, data_len, &base64_str_len); if (!base64_str) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to base64 decode the input"); @@ -4896,6 +4862,9 @@ EVP_CIPHER_CTX_set_key_length(&cipher_ctx, password_len); } EVP_DecryptInit_ex(&cipher_ctx, NULL, NULL, key, (unsigned char *)iv); + if (options & OPENSSL_ZERO_PADDING) { + EVP_CIPHER_CTX_set_padding(&cipher_ctx, 0); + } EVP_DecryptUpdate(&cipher_ctx, outbuf, &i, (unsigned char *)data, data_len); outlen = i; if (EVP_DecryptFinal(&cipher_ctx, (unsigned char *)outbuf + i, &i)) { @@ -5007,10 +4976,25 @@ buffer = emalloc(buffer_length + 1); +#ifdef PHP_WIN32 + strong_result = 1; + /* random/urandom equivalent on Windows */ + if (php_win32_get_random_bytes(buffer, (size_t) buffer_length) == FAILURE) { + efree(buffer); + if (zstrong_result_returned) { + ZVAL_BOOL(zstrong_result_returned, 0); + } + RETURN_FALSE; + } +#else if ((strong_result = RAND_pseudo_bytes(buffer, buffer_length)) < 0) { efree(buffer); + if (zstrong_result_returned) { + ZVAL_BOOL(zstrong_result_returned, 0); + } RETURN_FALSE; } +#endif buffer[buffer_length] = 0; RETVAL_STRINGL((char *)buffer, buffer_length, 0); diff -Naur php-5.3.29_orig/ext/openssl/php_openssl.h php-5.4.16/ext/openssl/php_openssl.h --- php-5.3.29_orig/ext/openssl/php_openssl.h 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/php_openssl.h 2013-06-05 11:03:57.000000000 +0600 @@ -26,6 +26,9 @@ extern zend_module_entry openssl_module_entry; #define phpext_openssl_ptr &openssl_module_entry +#define OPENSSL_RAW_DATA 1 +#define OPENSSL_ZERO_PADDING 2 + php_stream_transport_factory_func php_openssl_ssl_socket_factory; PHP_MINIT_FUNCTION(openssl); diff -Naur php-5.3.29_orig/ext/openssl/tests/004.phpt php-5.4.16/ext/openssl/tests/004.phpt --- php-5.3.29_orig/ext/openssl/tests/004.phpt 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/tests/004.phpt 2013-06-05 11:03:57.000000000 +0600 @@ -28,7 +28,7 @@ Warning: openssl_csr_new(): key array must be of the form array(0 => key, 1 => phrase) in %s on line %d -Warning: openssl_csr_new(): add1_attr_by_txt challengePassword_min -> 4 (failed) in %s on line %d +Warning: openssl_csr_new(): add1_attr_by_txt challengePassword_min -> 4 (failed; check error queue and value of string_mask OpenSSL option if illegal characters are reported) in %s on line %d bool(false) resource(%d) of type (OpenSSL X.509 CSR) Done diff -Naur php-5.3.29_orig/ext/openssl/tests/011.phpt php-5.4.16/ext/openssl/tests/011.phpt --- php-5.3.29_orig/ext/openssl/tests/011.phpt 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/tests/011.phpt 2013-06-05 11:03:57.000000000 +0600 @@ -13,14 +13,19 @@ srand(time() + ((microtime(true) * 1000000) % 1000000)); while(strlen($iv) < $ivlen) $iv .= chr(rand(0,255)); -$encrypted = openssl_encrypt($data, $method, $password, false, $iv); -$output = openssl_decrypt($encrypted, $method, $password, false, $iv); +$encrypted = openssl_encrypt($data, $method, $password, 0, $iv); +$output = openssl_decrypt($encrypted, $method, $password, 0, $iv); var_dump($output); -$encrypted = openssl_encrypt($data, $method, $password, true, $iv); -$output = openssl_decrypt($encrypted, $method, $password, true, $iv); +$encrypted = openssl_encrypt($data, $method, $password, OPENSSL_RAW_DATA, $iv); +$output = openssl_decrypt($encrypted, $method, $password, OPENSSL_RAW_DATA, $iv); var_dump($output); +// if we want to manage our own padding +$padded_data = $data . str_repeat(' ', 16 - (strlen($data) % 16)); +$encrypted = openssl_encrypt($padded_data, $method, $password, OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING, $iv); +$output = openssl_decrypt($encrypted, $method, $password, OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING, $iv); +var_dump(rtrim($output)); ?> --EXPECT-- string(45) "openssl_encrypt() and openssl_decrypt() tests" string(45) "openssl_encrypt() and openssl_decrypt() tests" - +string(45) "openssl_encrypt() and openssl_decrypt() tests" diff -Naur php-5.3.29_orig/ext/openssl/tests/026.phpt php-5.4.16/ext/openssl/tests/026.phpt --- php-5.3.29_orig/ext/openssl/tests/026.phpt 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/tests/026.phpt 1970-01-01 06:00:00.000000000 +0600 @@ -1,12 +0,0 @@ ---TEST-- -Options type checks ---SKIPIF-- - ---FILE-- - "DE"], $x, ["x509_extensions" => 0xDEADBEEF]); -?> -DONE ---EXPECT-- -DONE diff -Naur php-5.3.29_orig/ext/openssl/tests/bug54060.phpt php-5.4.16/ext/openssl/tests/bug54060.phpt --- php-5.3.29_orig/ext/openssl/tests/bug54060.phpt 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/tests/bug54060.phpt 2013-06-05 11:03:57.000000000 +0600 @@ -10,7 +10,7 @@ 972439 8478942 yrhfjkdhls"; $pass = "r23498rui324hjbnkj"; -openssl_encrypt($data, 'des3', $pass, false, '1qazxsw2'); +openssl_encrypt($data, 'des3', $pass, 0, '1qazxsw2'); echo "Done"; ?> --EXPECT-- diff -Naur php-5.3.29_orig/ext/openssl/tests/bug54061.phpt php-5.4.16/ext/openssl/tests/bug54061.phpt --- php-5.3.29_orig/ext/openssl/tests/bug54061.phpt 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/tests/bug54061.phpt 2013-06-05 11:03:57.000000000 +0600 @@ -9,8 +9,8 @@ 972439 8478942 yrhfjkdhls"; $pass = "r23498rui324hjbnkj"; -$cr = openssl_encrypt($data, 'des3', $pass, false, '1qazxsw2'); -$dcr = openssl_decrypt($cr, 'des3', $pass, false, '1qazxsw2'); +$cr = openssl_encrypt($data, 'des3', $pass, 0, '1qazxsw2'); +$dcr = openssl_decrypt($cr, 'des3', $pass, 0, '1qazxsw2'); echo "Done"; ?> --EXPECT-- diff -Naur php-5.3.29_orig/ext/openssl/tests/bug55646.phpt php-5.4.16/ext/openssl/tests/bug55646.phpt --- php-5.3.29_orig/ext/openssl/tests/bug55646.phpt 1970-01-01 06:00:00.000000000 +0600 +++ php-5.4.16/ext/openssl/tests/bug55646.phpt 2013-06-05 11:03:57.000000000 +0600 @@ -0,0 +1,38 @@ +--TEST-- +Bug #55646: textual input in openssl_csr_new() is not expected in UTF-8 +--SKIPIF-- + "sha1","x509_extensions" => "v3_ca","req_extensions" => "v3_req","private_key_bits" => 2048,"private_key_type" => OPENSSL_KEYTYPE_RSA,"encrypt_key" => false,); +$csr_info = array( + "countryName" => "US", + "stateOrProvinceName" => "Utah", + "localityName" => "Lindon", + "organizationName" => "Chinese", + "organizationalUnitName" => "IT \xe4\xba\x92", + "commonName" => "www.example.com",); +$private = openssl_pkey_new($config); +while (openssl_error_string()) {} +$csr_res = openssl_csr_new($csr_info, $private, + ['config' => __DIR__."/openssl.cnf"]); +if (!$csr_res) { + while ($e = openssl_error_string()) { $err = $e; } + die("Failed; last error: $err"); +} +openssl_csr_export($csr_res, $csr); +$output = openssl_csr_get_subject($csr); + +echo "A: ".$csr_info["organizationalUnitName"]."\n"; +echo "B: ".stringAsHex($csr_info["organizationalUnitName"])."\n"; +echo "C: ".$output['OU']."\n"; +echo "D: ".stringAsHex($output['OU'])."\n"; +--EXPECT-- +A: IT 互 +B: 49 54 20 e4 ba 92 +C: IT 互 +D: 49 54 20 e4 ba 92 diff -Naur php-5.3.29_orig/ext/openssl/tests/bug61930.phpt php-5.4.16/ext/openssl/tests/bug61930.phpt --- php-5.3.29_orig/ext/openssl/tests/bug61930.phpt 1970-01-01 06:00:00.000000000 +0600 +++ php-5.4.16/ext/openssl/tests/bug61930.phpt 2013-06-05 11:03:57.000000000 +0600 @@ -0,0 +1,24 @@ +--TEST-- +Bug #61930: openssl corrupts ssl key resource when using openssl_get_publickey() +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +resource(%d) of type (OpenSSL key) +int(1) + diff -Naur php-5.3.29_orig/ext/openssl/tests/cve-2013-6420.crt php-5.4.16/ext/openssl/tests/cve-2013-6420.crt --- php-5.3.29_orig/ext/openssl/tests/cve-2013-6420.crt 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/tests/cve-2013-6420.crt 1970-01-01 06:00:00.000000000 +0600 @@ -1,29 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD -VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH -S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91 -cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k -ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY -ZDE5NzAwMTAxMDAwMDAwWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAXDTE0MTEyODExMzkzNVowgcMxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNO -b3JkcmhlaW4tV2VzdGZhbGVuMRAwDgYDVQQHDAdLw4PCtmxuMRQwEgYDVQQKDAtT -ZWt0aW9uRWluczEfMB0GA1UECwwWTWFsaWNpb3VzIENlcnQgU2VjdGlvbjEhMB8G -A1UEAwwYbWFsaWNpb3VzLnNla3Rpb25laW5zLmRlMSowKAYJKoZIhvcNAQkBFhtz -dGVmYW4uZXNzZXJAc2VrdGlvbmVpbnMuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQDDAf3hl7JY0XcFniyEJpSSDqn0OqBr6QP65usJPRt/8PaDoqBu -wEYT/Na+6fsgPjC0uK9DZgWg2tHWWoanSblAMoz5PH6Z+S4SHRZ7e2dDIjPjdhjh -0mLg2UMO5yp0V797Ggs9lNt6JRfH81MN2obXWs4NtztLMuD6egqpr8dDbr34aOs8 -pkdui5UawTZksy5pLPHq5cMhFGm06v65CLo0V2Pd9+KAokPrPcN5KLKebz7mLpk6 -SMeEXOKP4idEqxyQ7O7fBuHMedsQhu+prY3si3BUyKfQtP5CZnX2bp0wKHxX12DX -1nfFIt9DbGvHTcyOuN+nZLPBm3vWxntyIIvVAgMBAAGjQjBAMAkGA1UdEwQCMAAw -EQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEF -BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAG0fZYYCTbdj1XYc+1SnoaPR+vI8C8CaD -8+0UYhdnyU4gga0BAcDrY9e94eEAu6ZqycF6FjLqXXdAboppWocr6T6GD1x33Ckl -VArzG/KxQohGD2JeqkhIMlDomxHO7ka39+Oa8i2vWLVyjU8AZvWMAruHa4EENyG7 -lW2AagaFKFCr9TnXTfrdxGVEbv7KVQ6bdhg5p5SjpWH1+Mq03uR3ZXPBYdyV8319 -o0lVj1KFI2DCL/liWisJRoof+1cR35Ctd0wYBcpB6TZslMcOPl76dwKwJgeJo2Qg -Zsfmc2vC1/qOlNuNq/0TzzkVGv8ETT3CgaU+UXe4XOVvkccebJn2dg== ------END CERTIFICATE----- - - diff -Naur php-5.3.29_orig/ext/openssl/tests/cve-2013-6420.phpt php-5.4.16/ext/openssl/tests/cve-2013-6420.phpt --- php-5.3.29_orig/ext/openssl/tests/cve-2013-6420.phpt 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/tests/cve-2013-6420.phpt 1970-01-01 06:00:00.000000000 +0600 @@ -1,18 +0,0 @@ ---TEST-- -CVE-2013-6420 ---SKIPIF-- - ---FILE-- - -Done ---EXPECTF-- -%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s%ecve-2013-6420.php on line 3 -string(27) "stefan.esser@sektioneins.de" -int(-1) -Done diff -Naur php-5.3.29_orig/ext/openssl/tests/cve2013_4073.pem php-5.4.16/ext/openssl/tests/cve2013_4073.pem --- php-5.3.29_orig/ext/openssl/tests/cve2013_4073.pem 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/tests/cve2013_4073.pem 1970-01-01 06:00:00.000000000 +0600 @@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx -DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ -eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg -RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y -ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw -NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI -DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv -ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt -ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq -hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j -pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P -vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv -KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA -oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL -08LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV -HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E -BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu -Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251 -bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA -AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9 -i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j -HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk -kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx -VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW -RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ= ------END CERTIFICATE----- diff -Naur php-5.3.29_orig/ext/openssl/tests/cve2013_4073.phpt php-5.4.16/ext/openssl/tests/cve2013_4073.phpt --- php-5.3.29_orig/ext/openssl/tests/cve2013_4073.phpt 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/tests/cve2013_4073.phpt 1970-01-01 06:00:00.000000000 +0600 @@ -1,19 +0,0 @@ ---TEST-- -CVE 2013-4073: Null-byte certificate handling ---SKIPIF-- - 'CA:FALSE', - 'subjectKeyIdentifier' => '88:5A:55:C0:52:FF:61:CD:52:A3:35:0F:EA:5A:9C:24:38:22:F7:5C', - 'keyUsage' => 'Digital Signature, Non Repudiation, Key Encipherment', - 'subjectAltName' => 'DNS:altnull.python.org' . "\0" . 'example.com, email:null@python.org' . "\0" . 'user@example.org, URI:http://null.python.org' . "\0" . 'http://example.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1 -', -) diff -Naur php-5.3.29_orig/ext/openssl/tests/openssl_decrypt_error.phpt php-5.4.16/ext/openssl/tests/openssl_decrypt_error.phpt --- php-5.3.29_orig/ext/openssl/tests/openssl_decrypt_error.phpt 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/tests/openssl_decrypt_error.phpt 2013-06-05 11:03:57.000000000 +0600 @@ -12,7 +12,7 @@ $encrypted = openssl_encrypt($data, $method, $password); var_dump($encrypted); /* Not passing $iv should be the same as all-NULL iv, but with a warning */ -var_dump(openssl_encrypt($data, $method, $password, false, $iv)); +var_dump(openssl_encrypt($data, $method, $password, 0, $iv)); var_dump(openssl_decrypt($encrypted, $method, $wrong)); var_dump(openssl_decrypt($encrypted, $wrong, $password)); var_dump(openssl_decrypt($wrong, $method, $password)); diff -Naur php-5.3.29_orig/ext/openssl/xp_ssl.c php-5.4.16/ext/openssl/xp_ssl.c --- php-5.3.29_orig/ext/openssl/xp_ssl.c 2014-08-14 01:22:50.000000000 +0600 +++ php-5.4.16/ext/openssl/xp_ssl.c 2013-06-05 11:03:57.000000000 +0600 @@ -310,6 +310,7 @@ TSRMLS_DC) { SSL_METHOD *method; + long ssl_ctx_options = SSL_OP_ALL; if (sslsock->ssl_handle) { if (sslsock->s.is_blocked) { @@ -377,7 +378,10 @@ return -1; } - SSL_CTX_set_options(sslsock->ctx, SSL_OP_ALL); +#if OPENSSL_VERSION_NUMBER >= 0x0090605fL + ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; +#endif + SSL_CTX_set_options(sslsock->ctx, ssl_ctx_options); #if OPENSSL_VERSION_NUMBER >= 0x0090806fL { @@ -391,6 +395,18 @@ } #endif +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + { + zval **val; + + if (stream->context && SUCCESS == php_stream_context_get_option( + stream->context, "ssl", "disable_compression", &val) && + zval_is_true(*val)) { + SSL_CTX_set_options(sslsock->ctx, SSL_OP_NO_COMPRESSION); + } + } +#endif + sslsock->ssl_handle = php_SSL_new_from_context(sslsock->ctx, stream TSRMLS_CC); if (sslsock->ssl_handle == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to create an SSL handle"); @@ -532,7 +548,7 @@ zval_is_true(*val)) { MAKE_STD_ZVAL(zcert); ZVAL_RESOURCE(zcert, zend_list_insert(peer_cert, - php_openssl_get_x509_list_id())); + php_openssl_get_x509_list_id() TSRMLS_CC)); php_stream_context_set_option(stream->context, "ssl", "peer_certificate", zcert); @@ -561,7 +577,7 @@ MAKE_STD_ZVAL(zcert); ZVAL_RESOURCE(zcert, zend_list_insert(mycert, - php_openssl_get_x509_list_id())); + php_openssl_get_x509_list_id() TSRMLS_CC)); add_next_index_zval(arr, zcert); }