diff options
author | Daniel Lowrey <rdlowrey@php.net> | 2015-03-04 23:55:42 -0700 |
---|---|---|
committer | Daniel Lowrey <rdlowrey@php.net> | 2015-03-04 23:55:42 -0700 |
commit | 65a9a5ca1283cf7ed59a5a14362fd6de0ad713b8 (patch) | |
tree | 524d1d1eccee3b91b8d106acc8ea017641710760 | |
parent | 1de1ff75f516d6a4124fa7408b92f7470452fa74 (diff) | |
download | php-git-65a9a5ca1283cf7ed59a5a14362fd6de0ad713b8.tar.gz |
Fixed bug #68265 (SAN match fails with trailing DNS dot)
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/openssl/tests/bug68265.pem | 33 | ||||
-rw-r--r-- | ext/openssl/tests/bug68265.phpt | 41 | ||||
-rw-r--r-- | ext/openssl/xp_ssl.c | 8 |
4 files changed, 82 insertions, 1 deletions
@@ -38,6 +38,7 @@ (Daniel Lowrey) . Fixed bug #68879 (IP Address fields in subjectAltNames not used) (Daniel Lowrey) + . Fixed bug #68265 (SAN match fails with trailing DNS dot) (Daniel Lowrey) - pgsql: . Fixed bug #68638 (pg_update() fails to store infinite values). diff --git a/ext/openssl/tests/bug68265.pem b/ext/openssl/tests/bug68265.pem new file mode 100644 index 0000000000..3d9e5bdb5e --- /dev/null +++ b/ext/openssl/tests/bug68265.pem @@ -0,0 +1,33 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIuw/AFD7RWcMCAggA +MBQGCCqGSIb3DQMHBAh98F6GmaGn1ASCAoBpzaFxyttEhyh4dhMjarJIqTz24DjO +yZnp1K5qthejSYx2P28uUsh+gQOh6F2jbVAq++eAWkTBGuc4pWhhoT7nY8vhf0Y0 +6yTlVrTxuI/8MNo/lfa0xE/+ZD4B5zp0hQxfij4GTd8l6V/kpXMgiYD1JmIXArm7 +sucn+9XV3RucsTBpeIJ1nLEDfpbyEWqNfhoyskQ+S3I6HkMgELI9JpsO6OR9fh1Q +ttdoYxBU+YjoDYcSWRGkTGrJFeGGhTQzz+L2ijgoqNWDSfrLBoQR1bqNVUuw6gcE +9PpA/vpRlxcHbUNNkOWft+4e0tV3I2EqscEcsYeNbd2Ta4yu7f6pk4/Kxn40wrQ8 +6Ss9GZylghaFth2xppL/vpmGaCC7FqpZRh+NKqjlcBobIkwyRcsQrPHB0CYLPHA4 +yak/dNTY8L5K8Rtd5XG3+E41CoDF6ssNY0Kw7l9kAn/neDVh+WnQkWIiWPmq210a +p4L/uiXRK7aYi+UqKJ5+svayNw2w1dkqpbeejwLq2F1+ek/447JFPVJcvP8Nm7sr +04Mcg+ZHusZdjiWEv4W6CBq8o6eF2JdhfpSDgPkHwiZ/EarHfx0vcYIMJhlEQBmk +a/XsZPk2wnamKSPfJautO3MIus0M6SniWF6eDA4/AZzSjXV8Vc0unb6lc+Nc8tJa +6MU1soTsmki/YraCmQswqpL+kXFZVeHuLowOC5oH+CimQoscmiZ9tBvpnYo6XwEZ +S9jZRIBQ77oMku+rlMPfz2FURgVXZpEfrGmxKvA5Vt3ojrYfTwwD2YqZHVcm39zy +iKqA1qVt7A2A90ILMAzYnN0VRE4SO3yIDN1ZBp5OOY61AduPrhpaHl81 +-----END ENCRYPTED PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIICdjCCAd+gAwIBAgIJAPbIVRT31Al2MA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV +BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg +Q29tcGFueSBMdGQxFDASBgNVBAMMC3BocCB0ZXN0IGNhMB4XDTE1MDMwNTA2MTYz +MFoXDTI1MDMwMjA2MTYzMFowUjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlNDMRUw +EwYDVQQHDAxNeXJ0bGUgQmVhY2gxDDAKBgNVBAsMA1BIUDERMA8GA1UEAwwIdGVz +dC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKp5gxUbKvY5eFwZJti0 +6d6YBo400Or6M+bLfIMnz5C1WQ7dMfiQpeFLpSIlOIaFqyrqkeeR9k5dsx1K9FOu +PAJ4+lmWA4R93RpdJFz8kmQoNu3P59JMATXi8wvNBIrN/Vc08NT0wBRImeyQSVHd +UcFIXBEbBM0dQsPKQ1k8n5WDAgMBAAGjTjBMMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgXgMDIGA1UdEQQrMCmCEmRlYnMuYWstb25saW5lLmJlLoITZGVicy5hay1vbmxp +bmUubmV0LjANBgkqhkiG9w0BAQsFAAOBgQB8PaLt+IX690UIbHKuko4qAdc5SzWA +Vbm3D4StZeFwWQbZbBGFCDn0/0ON0iDv4JUgZnaX84mBDPczN26QG2PJND0Cggmi +umylEVYhclPF4RoGcoKd3jT2igzDNyzk/lu+NUtRv/Nj161ds9vb9XiOrEkPn8Ne +mzz3wA0D5A65lw== +-----END CERTIFICATE----- diff --git a/ext/openssl/tests/bug68265.phpt b/ext/openssl/tests/bug68265.phpt new file mode 100644 index 0000000000..aff9a9e511 --- /dev/null +++ b/ext/openssl/tests/bug68265.phpt @@ -0,0 +1,41 @@ +--TEST-- +Bug #68265: SAN match fails with trailing DNS dot +--SKIPIF-- +<?php +if (!extension_loaded("openssl")) die("skip openssl not loaded"); +if (!function_exists("proc_open")) die("skip no proc_open"); +--FILE-- +<?php +$serverCode = <<<'CODE' + $serverUri = "ssl://127.0.0.1:64321"; + $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; + $serverCtx = stream_context_create(['ssl' => [ + 'local_cert' => __DIR__ . '/bug68265.pem', + 'passphrase' => 'elephpant', + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); + phpt_notify(); + + stream_socket_accept($server, 30); +CODE; + +$clientCode = <<<'CODE' + $serverUri = "ssl://127.0.0.1:64321"; + $clientFlags = STREAM_CLIENT_CONNECT; + $clientCtx = stream_context_create(['ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => true, + 'peer_name' => 'debs.ak-online.net', + ]]); + + phpt_wait(); + + var_dump(stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx)); +CODE; + +include 'ServerClientTestCase.inc'; +ServerClientTestCase::getInstance()->run($clientCode, $serverCode); +--EXPECTF-- +resource(%d) of type (stream) + diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index 4786974239..18417705ed 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -372,7 +372,7 @@ static zend_bool matches_wildcard_name(const char *subjectname, const char *cert static zend_bool matches_san_list(X509 *peer, const char *subject_name) /* {{{ */ { - int i; + int i, len; unsigned char *cert_name = NULL; char ipbuffer[64]; @@ -390,6 +390,12 @@ static zend_bool matches_san_list(X509 *peer, const char *subject_name) /* {{{ * continue; } + /* accommodate valid FQDN entries ending in "." */ + len = strlen((const char*)cert_name); + if (len && strcmp((const char *)&cert_name[len-1], ".") == 0) { + cert_name[len-1] = '\0'; + } + if (matches_wildcard_name(subject_name, (const char *)cert_name)) { OPENSSL_free(cert_name); return 1; |