diff options
author | Daniel Lowrey <rdlowrey@php.net> | 2015-03-04 12:54:34 -0500 |
---|---|---|
committer | Daniel Lowrey <rdlowrey@php.net> | 2015-03-04 12:47:46 -0700 |
commit | 241f3c34b89ab55432d5af3fd1e4217540e161a3 (patch) | |
tree | 45a4e474ae56e322342d38caafe311a9c9e00d0a | |
parent | a29b64fc1029b4121e3e9ff20901c35ad600b4da (diff) | |
download | php-git-241f3c34b89ab55432d5af3fd1e4217540e161a3.tar.gz |
Fixed bug #68920 (use strict peer_fingerprint input checks)
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/openssl/tests/bug68920.phpt | 57 | ||||
-rw-r--r-- | ext/openssl/tests/openssl_peer_fingerprint.phpt | 2 | ||||
-rw-r--r-- | ext/openssl/xp_ssl.c | 29 |
4 files changed, 82 insertions, 8 deletions
@@ -34,6 +34,8 @@ . Fixed bug #68912 (Segmentation fault at openssl_spki_new). (Laruence) . Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts). (Brad Broerman) + . Fixed bug #68920 (use strict peer_fingerprint input checks) + (Daniel Lowrey) - pgsql: . Fixed bug #68638 (pg_update() fails to store infinite values). diff --git a/ext/openssl/tests/bug68920.phpt b/ext/openssl/tests/bug68920.phpt new file mode 100644 index 0000000000..72e3f6c8f9 --- /dev/null +++ b/ext/openssl/tests/bug68920.phpt @@ -0,0 +1,57 @@ +--TEST-- +Bug #68920: peer_fingerprint input checks should be strict +--SKIPIF-- +<?php +if (!extension_loaded("openssl")) die("skip openssl not loaded"); +--FILE-- +<?php +error_reporting(E_ALL); + +$ctx = stream_context_create(['ssl' => ['verify_peer'=> false, 'peer_fingerprint' => true]]); +$sock = stream_socket_client("ssl://php.net:443", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx); +var_dump($sock); + +$ctx = stream_context_create(['ssl' => ['verify_peer'=> false, 'peer_fingerprint' => null]]); +$sock = stream_socket_client("ssl://php.net:443", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx); +var_dump($sock); + +$ctx = stream_context_create(['ssl' => ['verify_peer'=> false, 'peer_fingerprint' => []]]); +$sock = stream_socket_client("ssl://php.net:443", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx); +var_dump($sock); + +$ctx = stream_context_create(['ssl' => ['verify_peer'=> false, 'peer_fingerprint' => ['foo']]]); +$sock = stream_socket_client("ssl://php.net:443", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx); +var_dump($sock); +--EXPECTF-- + +Warning: stream_socket_client(): Expected peer fingerprint must be a string or an array in %s on line %d + +Warning: stream_socket_client(): Failed to enable crypto in %s on line %d + +Warning: stream_socket_client(): unable to connect to %s (Unknown error) in %s on line %d +bool(false) + +Warning: stream_socket_client(): Expected peer fingerprint must be a string or an array in %s on line %d + +Warning: stream_socket_client(): Failed to enable crypto in %s on line %d + +Warning: stream_socket_client(): unable to connect to %s (Unknown error) in %s on line %d +bool(false) + +Warning: stream_socket_client(): Invalid peer_fingerprint array; [algo => fingerprint] form required in %s on line %d + +Warning: stream_socket_client(): peer_fingerprint match failure in %s on line %d + +Warning: stream_socket_client(): Failed to enable crypto in %s on line %d + +Warning: stream_socket_client(): unable to connect to %s (Unknown error) in %s on line %d +bool(false) + +Warning: stream_socket_client(): Invalid peer_fingerprint array; [algo => fingerprint] form required in %s on line %d + +Warning: stream_socket_client(): peer_fingerprint match failure in %s on line %d + +Warning: stream_socket_client(): Failed to enable crypto in %s on line %d + +Warning: stream_socket_client(): unable to connect to %s (Unknown error) in %s on line %d +bool(false) diff --git a/ext/openssl/tests/openssl_peer_fingerprint.phpt b/ext/openssl/tests/openssl_peer_fingerprint.phpt index 7f48cb4546..743233579a 100644 --- a/ext/openssl/tests/openssl_peer_fingerprint.phpt +++ b/ext/openssl/tests/openssl_peer_fingerprint.phpt @@ -45,7 +45,7 @@ CODE; include 'ServerClientTestCase.inc'; ServerClientTestCase::getInstance()->run($clientCode, $serverCode); --EXPECTF-- -Warning: stream_socket_client(): Peer fingerprint doesn't match in %s on line %d +Warning: stream_socket_client(): peer_fingerprint match failure in %s on line %d Warning: stream_socket_client(): Failed to enable crypto in %s on line %d diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index 96c282c30d..54f0435e8f 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -298,6 +298,7 @@ static zend_bool php_x509_fingerprint_match(X509 *peer, zval *val TSRMLS_DC) } return method && php_x509_fingerprint_cmp(peer, method, Z_STRVAL_P(val) TSRMLS_CC) == 0; + } else if (Z_TYPE_P(val) == IS_ARRAY) { HashPosition pos; zval **current; @@ -305,21 +306,33 @@ static zend_bool php_x509_fingerprint_match(X509 *peer, zval *val TSRMLS_DC) uint key_len; ulong key_index; + if (!zend_hash_num_elements(Z_ARRVAL_P(val))) { + php_error_docref(NULL, E_WARNING, "Invalid peer_fingerprint array; [algo => fingerprint] form required"); + return 0; + } + for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(val), &pos); zend_hash_get_current_data_ex(Z_ARRVAL_P(val), (void **)¤t, &pos) == SUCCESS; zend_hash_move_forward_ex(Z_ARRVAL_P(val), &pos) ) { int key_type = zend_hash_get_current_key_ex(Z_ARRVAL_P(val), &key, &key_len, &key_index, 0, &pos); - if (key_type == HASH_KEY_IS_STRING - && Z_TYPE_PP(current) == IS_STRING - && php_x509_fingerprint_cmp(peer, key, Z_STRVAL_PP(current) TSRMLS_CC) != 0 - ) { + if (!(key_type == HASH_KEY_IS_STRING && Z_TYPE_PP(current) == IS_STRING)) { + php_error_docref(NULL, E_WARNING, "Invalid peer_fingerprint array; [algo => fingerprint] form required"); + return 0; + } + if (php_x509_fingerprint_cmp(peer, key, Z_STRVAL_PP(current) TSRMLS_CC) != 0) { return 0; } } + return 1; + + } else { + php_error_docref(NULL, E_WARNING, + "Invalid peer_fingerprint value; fingerprint string or array of the form [algo => fingerprint] required"); } + return 0; } @@ -439,7 +452,7 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre ? zend_is_true(*val) : sslsock->is_client; - must_verify_fingerprint = (GET_VER_OPT("peer_fingerprint") && zend_is_true(*val)); + must_verify_fingerprint = GET_VER_OPT("peer_fingerprint"); if ((must_verify_peer || must_verify_peer_name || must_verify_fingerprint) && peer == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not get peer certificate"); @@ -474,7 +487,7 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre if (Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_ARRAY) { if (!php_x509_fingerprint_match(peer, *val TSRMLS_CC)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, - "Peer fingerprint doesn't match" + "peer_fingerprint match failure" ); return FAILURE; } @@ -482,6 +495,7 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre php_error_docref(NULL TSRMLS_CC, E_WARNING, "Expected peer fingerprint must be a string or an array" ); + return FAILURE; } } @@ -1894,7 +1908,7 @@ static size_t php_openssl_sockop_io(int read, php_stream *stream, char *buf, siz break; /* Otherwise, we need to wait again (up to time_left or we get an error) */ - if (blocked) + if (blocked) { if (read) { php_pollfd_for(sslsock->s.socket, (err == SSL_ERROR_WANT_WRITE) ? (POLLOUT|POLLPRI) : (POLLIN|POLLPRI), has_timeout ? &left_time : NULL); @@ -1902,6 +1916,7 @@ static size_t php_openssl_sockop_io(int read, php_stream *stream, char *buf, siz php_pollfd_for(sslsock->s.socket, (err == SSL_ERROR_WANT_READ) ? (POLLIN|POLLPRI) : (POLLOUT|POLLPRI), has_timeout ? &left_time : NULL); } + } } /* Finally, we keep going until we got data, and an SSL_ERROR_NONE, unless we had an error. */ } while (retry); |