diff options
| author | Andrey Hristov <andrey@php.net> | 2015-10-27 12:59:09 +0100 |
|---|---|---|
| committer | Andrey Hristov <andrey@php.net> | 2015-10-27 12:59:09 +0100 |
| commit | 6d51b7b2e3468601acdaaf9041c9131b5aa47f98 (patch) | |
| tree | 2f2c193dc999941727f61c118ef06f532ff3e7e9 /ext/mysqlnd/mysqlnd_net.c | |
| parent | 2f7a8515ca7f3ab4b0640677e4f476f87642ff61 (diff) | |
| download | php-git-6d51b7b2e3468601acdaaf9041c9131b5aa47f98.tar.gz | |
Another Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
Added the possibility to explicitly state that the peer certificate should not be checked.
Back to the default - checking the certificate.
Exported MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
Usage : mysqli_real_connect( , , , , , MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)
If mysqli_ssl_set() is not called, but only MYSQLI_CLIENT_SSL is passed, without the (don't) very flag,
then no verification takes place.
Diffstat (limited to 'ext/mysqlnd/mysqlnd_net.c')
| -rw-r--r-- | ext/mysqlnd/mysqlnd_net.c | 50 |
1 files changed, 43 insertions, 7 deletions
diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c index 7b164ac294..3e8d0993fa 100644 --- a/ext/mysqlnd/mysqlnd_net.c +++ b/ext/mysqlnd/mysqlnd_net.c @@ -798,8 +798,27 @@ MYSQLND_METHOD(mysqlnd_net, set_client_option)(MYSQLND_NET * const net, enum mys break; } case MYSQL_OPT_SSL_VERIFY_SERVER_CERT: - net->data->options.ssl_verify_peer = value? ((*(zend_bool *)value)? TRUE:FALSE): FALSE; + { + enum mysqlnd_ssl_peer val = *((enum mysqlnd_ssl_peer *)value); + switch (val) { + case MYSQLND_SSL_PEER_VERIFY: + DBG_INF("MYSQLND_SSL_PEER_VERIFY"); + break; + case MYSQLND_SSL_PEER_DONT_VERIFY: + DBG_INF("MYSQLND_SSL_PEER_DONT_VERIFY"); + break; + case MYSQLND_SSL_PEER_DEFAULT: + DBG_INF("MYSQLND_SSL_PEER_DEFAULT"); + val = MYSQLND_SSL_PEER_DEFAULT; + break; + default: + DBG_INF("default = MYSQLND_SSL_PEER_DEFAULT_ACTION"); + val = MYSQLND_SSL_PEER_DEFAULT; + break; + } + net->data->options.ssl_verify_peer = val; break; + } case MYSQL_OPT_READ_TIMEOUT: net->data->options.timeout_read = *(unsigned int*) value; break; @@ -886,6 +905,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC) #ifdef MYSQLND_SSL_SUPPORTED php_stream_context * context = php_stream_context_alloc(TSRMLS_C); php_stream * net_stream = net->data->m.get_stream(net TSRMLS_CC); + zend_bool any_flag = FALSE; DBG_ENTER("mysqlnd_net::enable_ssl"); if (!context) { @@ -896,12 +916,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC) zval key_zval; ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0); php_stream_context_set_option(context, "ssl", "local_pk", &key_zval); - } - { - zval verify_peer_zval; - ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer); - php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval); - php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval); + any_flag = TRUE; } if (net->data->options.ssl_cert) { zval cert_zval; @@ -910,27 +925,48 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC) if (!net->data->options.ssl_key) { php_stream_context_set_option(context, "ssl", "local_pk", &cert_zval); } + any_flag = TRUE; } if (net->data->options.ssl_ca) { zval cafile_zval; ZVAL_STRING(&cafile_zval, net->data->options.ssl_ca, 0); php_stream_context_set_option(context, "ssl", "cafile", &cafile_zval); + any_flag = TRUE; } if (net->data->options.ssl_capath) { zval capath_zval; ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0); php_stream_context_set_option(context, "ssl", "capath", &capath_zval); + any_flag = TRUE; } if (net->data->options.ssl_passphrase) { zval passphrase_zval; ZVAL_STRING(&passphrase_zval, net->data->options.ssl_passphrase, 0); php_stream_context_set_option(context, "ssl", "passphrase", &passphrase_zval); + any_flag = TRUE; } if (net->data->options.ssl_cipher) { zval cipher_zval; ZVAL_STRING(&cipher_zval, net->data->options.ssl_cipher, 0); php_stream_context_set_option(context, "ssl", "ciphers", &cipher_zval); + any_flag = TRUE; + } + { + zval verify_peer_zval; + zend_bool verify; + + if (net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_DEFAULT) { + net->data->options.ssl_verify_peer = any_flag? MYSQLND_SSL_PEER_DEFAULT_ACTION:MYSQLND_SSL_PEER_DONT_VERIFY; + } + + verify = net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_VERIFY? TRUE:FALSE; + + DBG_INF_FMT("VERIFY=%d", verify); + ZVAL_BOOL(&verify_peer_zval, verify); + php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval); + php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval); } + php_stream_context_set(net_stream, context); if (php_stream_xport_crypto_setup(net_stream, STREAM_CRYPTO_METHOD_TLS_CLIENT, NULL TSRMLS_CC) < 0 || php_stream_xport_crypto_enable(net_stream, 1 TSRMLS_CC) < 0) |