clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-22 18:37:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Bug #47030 (separate host and peer verification)

Browse Source
This commit is contained in:
Daniel Lowrey 2014-02-14 15:17:30 -07:00
parent f073588e75
commit ce8dc0ede2
10 changed files with 227 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
ext/openssl/openssl.c
View File

@ -5077,62 +5077,82 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre
zval **val = NULL;
char *cnmatch = NULL;
int err;
php_openssl_netstream_data_t *sslsock;
sslsock = (php_openssl_netstream_data_t*)stream->abstract;
zend_bool must_verify_peer;
zend_bool must_verify_host;
zend_bool must_verify_fingerprint;
php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
if (!(GET_VER_OPT("verify_peer") || sslsock->is_client)
|| (GET_VER_OPT("verify_peer") && !zval_is_true(*val))
) {
return SUCCESS;
}
must_verify_peer = GET_VER_OPT("verify_peer")
? zend_is_true(*val)
: sslsock->is_client;
if (peer == NULL) {
must_verify_host = GET_VER_OPT("verify_host")
? zend_is_true(*val)
: sslsock->is_client;
must_verify_fingerprint = (GET_VER_OPT("peer_fingerprint") && zend_is_true(*val));
if ((must_verify_peer || must_verify_host || must_verify_fingerprint) && peer == NULL) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not get peer certificate");
return FAILURE;
}
err = SSL_get_verify_result(ssl);
switch (err) {
case X509_V_OK:
/* fine */
break;
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
if (GET_VER_OPT("allow_self_signed") && zval_is_true(*val)) {
/* allowed */
/* Verify the peer against using CA file/path settings */
if (must_verify_peer) {
err = SSL_get_verify_result(ssl);
switch (err) {
case X509_V_OK:
/* fine */
break;
}
/* not allowed, so fall through */
default:
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not verify peer: code:%d %s", err, X509_verify_cert_error_string(err));
return FAILURE;
}
/* if the cert passed the usual checks, apply our own local policies now */
if (GET_VER_OPT("peer_fingerprint")) {
if (Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_ARRAY) {
if (!php_x509_fingerprint_match(peer, *val TSRMLS_CC)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer fingerprint doesn't match");
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
if (GET_VER_OPT("allow_self_signed") && zval_is_true(*val)) {
/* allowed */
break;
}
/* not allowed, so fall through */
default:
php_error_docref(NULL TSRMLS_CC, E_WARNING,
"Could not verify peer: code:%d %s",
err,
X509_verify_cert_error_string(err)
);
return FAILURE;
}
} else {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Expected peer fingerprint must be a string or an array");
}
}
GET_VER_OPT_STRING("CN_match", cnmatch);
/* If no CN_match was specified assign the autodetected name when connecting as a client */
if (cnmatch == NULL && sslsock->is_client) {
cnmatch = sslsock->url_name;
/* If a peer_fingerprint match is required this trumps host verification */
if (must_verify_fingerprint) {
if (Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_ARRAY) {
if (!php_x509_fingerprint_match(peer, *val TSRMLS_CC)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING,
"Peer fingerprint doesn't match"
);
return FAILURE;
}
} else {
php_error_docref(NULL TSRMLS_CC, E_WARNING,
"Expected peer fingerprint must be a string or an array"
);
}
}
if (cnmatch) {
if (matches_san_list(peer, cnmatch TSRMLS_CC)) {
return SUCCESS;
} else if (matches_common_name(peer, cnmatch TSRMLS_CC)) {
return SUCCESS;
/* verify the host name presented in the peer certificate */
if (must_verify_host) {
GET_VER_OPT_STRING("CN_match", cnmatch);
/* If no CN_match was specified assign the autodetected url name in client environments */
if (cnmatch == NULL && sslsock->is_client) {
cnmatch = sslsock->url_name;
}
if (cnmatch) {
if (matches_san_list(peer, cnmatch TSRMLS_CC)) {
return SUCCESS;
} else if (matches_common_name(peer, cnmatch TSRMLS_CC)) {
return SUCCESS;
} else {
return FAILURE;
}
} else {
return FAILURE;
}

4
ext/openssl/tests/bug46127.phpt
View File

@ -13,6 +13,7 @@ function ssl_server($port) {
$pem = dirname(__FILE__) . '/bug46127.pem';
$ssl = array(
'verify_peer' => false,
'verify_host' => false,
'allow_self_signed' => true,
'local_cert' => $pem,
// 'passphrase' => '',
@ -46,7 +47,8 @@ if ($pid == 0) { // child
// client or failed
sleep(1);
$ctx = stream_context_create(['ssl' => [
'verify_peer' => false
'verify_peer' => false,
'verify_host' => false
]]);
$sock = stream_socket_client("ssl://127.0.0.1:{$port}", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx);
if (!$sock) exit;

5
ext/openssl/tests/peer_verification.phpt
View File

@ -25,7 +25,10 @@ if ($pid == -1) {
var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
// Should succeed with peer verification disabled in context
$ctx = stream_context_create(['ssl' => ['verify_peer' => false]]);
$ctx = stream_context_create(['ssl' => [
'verify_peer' => false,
'verify_host' => false
]]);
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
// Should succeed with CA file specified in context

31
ext/openssl/tests/sni_001.phpt
View File

@ -20,13 +20,18 @@ SNI 001
* the server returned.
*/
function context() {
return stream_context_create(array(
'ssl' => array(
'capture_peer_cert' => true,
'verify_peer' => false
),
));
function context($host = NULL) {
$ctx = stream_context_create();
stream_context_set_option($ctx, 'ssl', 'capture_peer_cert', true);
stream_context_set_option($ctx, 'ssl', 'verify_peer', false);
if ($host) {
stream_context_set_option($ctx, 'ssl', 'CN_match', $host);
} else {
stream_context_set_option($ctx, 'ssl', 'verify_host', false);
}
return $ctx;
}
function get_CN($context) {
@ -73,13 +78,13 @@ function do_enable_crypto_test($url, $context) {
/* Test https:// streams */
echo "-- auto host name (1) --\n";
do_http_test('https://alice.sni.velox.ch/', context());
do_http_test('https://alice.sni.velox.ch/', context('alice.sni.velox.ch'));
echo "-- auto host name (2) --\n";
do_http_test('https://bob.sni.velox.ch/', context());
do_http_test('https://bob.sni.velox.ch/', context('bob.sni.velox.ch'));
echo "-- auto host name (3) --\n";
do_http_test('https://bob.sni.velox.ch./', context());
do_http_test('https://bob.sni.velox.ch./', context('bob.sni.velox.ch'));
echo "-- user supplied server name --\n";
@ -97,14 +102,14 @@ do_http_test('https://bob.sni.velox.ch/', $context);
/* Test ssl:// socket streams */
echo "-- raw SSL stream (1) --\n";
do_ssl_test('ssl://bob.sni.velox.ch:443', context());
do_ssl_test('ssl://bob.sni.velox.ch:443', context('bob.sni.velox.ch'));
echo "-- raw SSL stream (2) --\n";
do_ssl_test('ssl://mallory.sni.velox.ch:443', context());
do_ssl_test('ssl://mallory.sni.velox.ch:443', context('mallory.sni.velox.ch'));
echo "-- raw SSL stream with user supplied sni --\n";
$context = context();
$context = context('bob.sni.velox.ch');
stream_context_set_option($context, 'ssl', 'SNI_server_name', 'bob.sni.velox.ch');
do_ssl_test('ssl://mallory.sni.velox.ch:443', $context);

35
ext/openssl/tests/stream_verify_host_001.phpt Normal file
View File

@ -0,0 +1,35 @@
--TEST--
Verify host name by default in client transfers
--SKIPIF--
<?php
if (!extension_loaded("openssl")) die("skip");
if (!function_exists('pcntl_fork')) die("skip no fork");
--FILE--
<?php
$serverUri = "ssl://127.0.0.1:64321";
$serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
$serverCtx = stream_context_create(['ssl' => [
'local_cert' => __DIR__ . '/bug54992.pem'
]]);
$server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
$pid = pcntl_fork();
if ($pid == -1) {
die('could not fork');
} else if ($pid) {
$clientFlags = STREAM_CLIENT_CONNECT;
$clientCtx = stream_context_create(['ssl' => [
'verify_peer' => false,
'CN_match' => 'bug54992.local'
]]);
$client = stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx);
var_dump($client);
} else {
@pcntl_wait($status);
@stream_socket_accept($server, 1);
}
--EXPECTF--
resource(%d) of type (stream)

36
ext/openssl/tests/stream_verify_host_002.phpt Normal file
View File

@ -0,0 +1,36 @@
--TEST--
Allow host name mismatch when "verify_host" disabled
--SKIPIF--
<?php
if (!extension_loaded("openssl")) die("skip");
if (!function_exists('pcntl_fork')) die("skip no fork");
--FILE--
<?php
$serverUri = "ssl://127.0.0.1:64321";
$serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
$serverCtx = stream_context_create(['ssl' => [
'local_cert' => __DIR__ . '/bug54992.pem'
]]);
$server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
$pid = pcntl_fork();
if ($pid == -1) {
die('could not fork');
} else if ($pid) {
$clientFlags = STREAM_CLIENT_CONNECT;
$clientCtx = stream_context_create(['ssl' => [
'verify_peer' => true,
'cafile' => __DIR__ . '/bug54992-ca.pem',
'verify_host' => false
]]);
$client = stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx);
var_dump($client);
} else {
@pcntl_wait($status);
@stream_socket_accept($server, 1);
}
--EXPECTF--
resource(%d) of type (stream)

40
ext/openssl/tests/stream_verify_host_003.phpt Normal file
View File

@ -0,0 +1,40 @@
--TEST--
Host name mismatch triggers error
--SKIPIF--
<?php
if (!extension_loaded("openssl")) die("skip");
if (!function_exists('pcntl_fork')) die("skip no fork");
--FILE--
<?php
$serverUri = "ssl://127.0.0.1:64321";
$serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
$serverCtx = stream_context_create(['ssl' => [
'local_cert' => __DIR__ . '/bug54992.pem'
]]);
$server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
$pid = pcntl_fork();
if ($pid == -1) {
die('could not fork');
} else if ($pid) {
$clientFlags = STREAM_CLIENT_CONNECT;
$clientCtx = stream_context_create(['ssl' => [
'verify_peer' => true,
'cafile' => __DIR__ . '/bug54992-ca.pem'
]]);
$client = stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx);
var_dump($client);
} else {
@pcntl_wait($status);
@stream_socket_accept($server, 1);
}
--EXPECTF--
Warning: stream_socket_client(): Peer certificate CN=`bug54992.local' did not match expected CN=`127.0.0.1' in %s on line %d
Warning: stream_socket_client(): Failed to enable crypto in %s on line %d
Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d
bool(false)

52
ext/openssl/tests/streams_crypto_method.phpt
View File

@ -8,9 +8,7 @@ if (!extension_loaded('pcntl')) die('skip, pcntl required');
--FILE--
<?php
$serverCtx = stream_context_create(['ssl' => [
'local_cert' => dirname(__FILE__) . '/streams_crypto_method.pem',
'allow_self_signed' => true,
'verify_peer' => false
'local_cert' => dirname(__FILE__) . '/streams_crypto_method.pem',
]]);
$serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
$server = stream_socket_server('sslv3://127.0.0.1:12345', $errno, $errstr, $serverFlags, $serverCtx);
@ -18,31 +16,29 @@ $server = stream_socket_server('sslv3://127.0.0.1:12345', $errno, $errstr, $serv
$pid = pcntl_fork();
if ($pid == -1) {
die('could not fork');
die('could not fork');
} else if ($pid) {
$clientCtx = stream_context_create(['ssl' => [
'crypto_method' => STREAM_CRYPTO_METHOD_SSLv3_CLIENT,
'verify_peer' => false
]]);
$clientCtx = stream_context_create(['ssl' => [
'crypto_method' => STREAM_CRYPTO_METHOD_SSLv3_CLIENT,
'verify_peer' => false,
'verify_host' => false
]]);
$fp = fopen('https://127.0.0.1:12345/', 'r', false, $clientCtx);
$fp = fopen('https://127.0.0.1:12345/', 'r', false, $clientCtx);
if ($fp) {
fpassthru($fp);
fclose($fp);
}
if ($fp) {
fpassthru($fp);
fclose($fp);
}
} else {
@pcntl_wait($status);
$client = @stream_socket_accept($server);
if ($client) {
$in = '';
while (!preg_match('/\r?\n\r?\n/', $in)) {
$in .= fread($client, 2048);
}
$response = <<<EOS
@pcntl_wait($status);
$client = @stream_socket_accept($server);
if ($client) {
$in = '';
while (!preg_match('/\r?\n\r?\n/', $in)) {
$in .= fread($client, 2048);
}
$response = <<<EOS
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 13
@ -51,11 +47,11 @@ Connection: close
Hello World!
EOS;
fwrite($client, $response);
fclose($client);
fwrite($client, $response);
fclose($client);
exit();
}
exit();
}
}
?>
--EXPECTF--

3
ext/openssl/tests/tlsv1.1_wrapper_001.phpt
View File

@ -21,7 +21,8 @@ if ($pid == -1) {
} elseif ($pid) {
$flags = STREAM_CLIENT_CONNECT;
$ctx = stream_context_create(array('ssl' => array(
'verify_peer' => false
'verify_peer' => false,
'verify_host' => false
)));
$client = stream_socket_client("tlsv1.1://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);

3
ext/openssl/tests/tlsv1.2_wrapper_002.phpt
View File

@ -21,7 +21,8 @@ if ($pid == -1) {
} elseif ($pid) {
$flags = STREAM_CLIENT_CONNECT;
$ctx = stream_context_create(array('ssl' => array(
'verify_peer' => false
'verify_peer' => false,
'verify_host' => false
)));
$client = stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);