Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Streams: Configure crypto method for ssl:// transports #469

Merged
merged 2 commits into from
Oct 8, 2013
Merged

Streams: Configure crypto method for ssl:// transports #469

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ce27895
Streams for ssl:// transports can now be configured to use a specific
mj Sep 21, 2013
047877e
Add unit test that covers setting the crypto method.
mj Oct 4, 2013
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions ext/openssl/tests/streams_crypto_method.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----
MIIC5jCCAk+gAwIBAgIBADANBgkqhkiG9w0BAQQFADBcMQswCQYDVQQGEwJBVTET
MBEGA1UECBMKUXVlZW5zbGFuZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQx
HDAaBgNVBAMTE1Rlc3QgUENBICgxMDI0IGJpdCkwHhcNOTkxMjAyMjEzNTQ4WhcN
MDUwNzExMjEzNTQ4WjBcMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFu
ZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxHDAaBgNVBAMTE1Rlc3QgUENB
ICgxMDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2haT/f5Zwy
V+MiuSDjSR62adBoSiBB7Usty44lXqsp9RICw+DCCxpsn/CfxPEDXLLd4olsWXc6
JRcxGynbYmnzk+Z6aIPPJQhK3CTvaqGnWKZsA1m+WaUIUqJCuNTK4N+7hMAGaf6S
S3e9HVgEQ4a34gXJ7VQFVIBNV1EnZRWHAgMBAAGjgbcwgbQwHQYDVR0OBBYEFE0R
aEcrj18q1dw+G6nJbsTWR213MIGEBgNVHSMEfTB7gBRNEWhHK49fKtXcPhupyW7E
1kdtd6FgpF4wXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy
NCBiaXQpggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAUa8B3pho
+Mvxeq9HsEzJxHIFQla05S5J/e/V+DQTYoKiRFchKPrDAdrzYSEvP3h4QJEtsNqQ
JfOxg5M42uLFq7aPGWkF6ZZqZsYS+zA9IVT14g7gNA6Ne+5QtJqQtH9HA24st0T0
Tga/lZ9M2ovImovaxSL/kRHbpCWcqWVxpOw=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
-----END RSA PRIVATE KEY-----
77 changes: 77 additions & 0 deletions ext/openssl/tests/streams_crypto_method.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
--TEST--
Specific crypto method for ssl:// transports.
--SKIPIF--
<?php
if (!extension_loaded('openssl')) die('skip, openssl required');
if (!extension_loaded('pcntl')) die('skip, pcntl required');
?>
--FILE--
<?php
function client($port, $method) {
$ctx = stream_context_create();
stream_context_set_option($ctx, 'ssl', 'crypto_method', $method);

$fp = @fopen('https://127.0.0.1:' . $port . '/', 'r', false, $ctx);
if ($fp) {
fpassthru($fp);
fclose($fp);
}
}

function server($port, $transport) {
$context = stream_context_create();

stream_context_set_option($context, 'ssl', 'local_cert', dirname(__FILE__) . '/streams_crypto_method.pem');
stream_context_set_option($context, 'ssl', 'allow_self_signed', true);
stream_context_set_option($context, 'ssl', 'verify_peer', false);

$server = stream_socket_server($transport . '127.0.0.1:' . $port, $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context);

$client = @stream_socket_accept($server);

if ($client) {
$in = '';
while (!preg_match('/\r?\n\r?\n/', $in)) {
$in .= fread($client, 2048);
}

$response = <<<EOS
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 13
Connection: close

Hello World!

EOS;

fwrite($client, $response);
fclose($client);
exit();
}
}

$port1 = rand(15000, 16000);
$port2 = rand(16001, 17000);

$pid1 = pcntl_fork();
$pid2 = pcntl_fork();

if ($pid1 == 0 && $pid2 != 0) {
server($port1, 'sslv3://');
exit;
}

if ($pid1 != 0 && $pid2 == 0) {
server($port2, 'sslv3://');
exit;
}

client($port1, STREAM_CRYPTO_METHOD_SSLv3_CLIENT);
client($port2, STREAM_CRYPTO_METHOD_SSLv2_CLIENT);

pcntl_waitpid($pid1, $status);
pcntl_waitpid($pid2, $status);
?>
--EXPECTF--
Hello World!
30 changes: 29 additions & 1 deletion ext/openssl/xp_ssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -853,6 +853,29 @@ php_stream_ops php_openssl_socket_ops = {
php_openssl_sockop_set_option,
};

static int get_crypto_method(php_stream_context *ctx) {
if (ctx) {
zval **val = NULL;
long crypto_method;

if (php_stream_context_get_option(ctx, "ssl", "crypto_method", &val) == SUCCESS) {
convert_to_long_ex(val);
crypto_method = (long)Z_LVAL_PP(val);

switch (crypto_method) {
case STREAM_CRYPTO_METHOD_SSLv2_CLIENT:
case STREAM_CRYPTO_METHOD_SSLv3_CLIENT:
case STREAM_CRYPTO_METHOD_SSLv23_CLIENT:
case STREAM_CRYPTO_METHOD_TLS_CLIENT:
return crypto_method;
}

}
}

return STREAM_CRYPTO_METHOD_SSLv23_CLIENT;
}

static char * get_sni(php_stream_context *ctx, const char *resourcename, size_t resourcenamelen, int is_persistent TSRMLS_DC) {

php_url *url;
Expand Down Expand Up @@ -939,7 +962,12 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen,

if (strncmp(proto, "ssl", protolen) == 0) {
sslsock->enable_on_connect = 1;
sslsock->method = STREAM_CRYPTO_METHOD_SSLv23_CLIENT;

/* General ssl:// transports can use a number
* of crypto methods. The actual methhod can be
* provided in the streams context options.
*/
sslsock->method = get_crypto_method(context);
} else if (strncmp(proto, "sslv2", protolen) == 0) {
#ifdef OPENSSL_NO_SSL2
php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv2 support is not compiled into the OpenSSL library PHP is linked against");
Expand Down