diff options
author | Jakub Zelenka <bukka@php.net> | 2017-07-17 17:40:51 +0100 |
---|---|---|
committer | Jakub Zelenka <bukka@php.net> | 2017-07-17 17:40:51 +0100 |
commit | 26982e36d56b0735359cdf648e5fd4af92407dba (patch) | |
tree | b2bb4aa1704e0d80d8230d7fcfbea2af427416f6 /ext/openssl | |
parent | d9d3b2c20641b61b4d02258cd1363aa713de37b8 (diff) | |
download | php-git-26982e36d56b0735359cdf648e5fd4af92407dba.tar.gz |
Add support for OpenSSL security level
Diffstat (limited to 'ext/openssl')
-rw-r--r-- | ext/openssl/tests/stream_security_level.phpt | 48 | ||||
-rw-r--r-- | ext/openssl/xp_ssl.c | 17 |
2 files changed, 65 insertions, 0 deletions
diff --git a/ext/openssl/tests/stream_security_level.phpt b/ext/openssl/tests/stream_security_level.phpt new file mode 100644 index 0000000000..fb1d36a586 --- /dev/null +++ b/ext/openssl/tests/stream_security_level.phpt @@ -0,0 +1,48 @@ +--TEST-- +security_level setting to prohibit cert +--SKIPIF-- +<?php +if (!extension_loaded("openssl")) die("skip openssl not loaded"); +if (OPENSSL_VERSION_NUMBER < 0x10100000) die("skip OpenSSL >= v1.1.0 required"); +if (!function_exists("proc_open")) die("skip no proc_open"); +--FILE-- +<?php +$serverCode = <<<'CODE' + $serverUri = "ssl://127.0.0.1:64322"; + $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; + $serverCtx = stream_context_create(['ssl' => [ + 'local_cert' => __DIR__ . '/bug54992.pem' + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); + phpt_notify(); + + @stream_socket_accept($server, 1); +CODE; + +$clientCode = <<<'CODE' + $serverUri = "ssl://127.0.0.1:64322"; + $clientFlags = STREAM_CLIENT_CONNECT; + $clientCtx = stream_context_create(['ssl' => [ + 'security_level' => 3, + 'verify_peer' => true, + 'cafile' => __DIR__ . '/bug54992-ca.pem', + 'verify_peer_name' => false + ]]); + + phpt_wait(); + $client = stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx); + + var_dump($client); +CODE; + +include 'ServerClientTestCase.inc'; +ServerClientTestCase::getInstance()->run($clientCode, $serverCode); +--EXPECTF-- +Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: +error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in %s : eval()'d code on line %d + +Warning: stream_socket_client(): Failed to enable crypto in %s : eval()'d code on line %d + +Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64322 (Unknown error) in %s : eval()'d code on line %d +bool(false) diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index 94420fd0e4..5aec089e00 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -70,6 +70,9 @@ #endif #endif +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +#define HAVE_SEC_LEVEL 1 +#endif /* Flags for determining allowed stream crypto methods */ #define STREAM_CRYPTO_IS_CLIENT (1<<0) @@ -1613,6 +1616,20 @@ int php_openssl_setup_crypto(php_stream *stream, } } + if (GET_VER_OPT("security_level")) { +#ifdef HAVE_SEC_LEVEL + convert_to_long(val); + if (Z_LVAL_P(val) < 0 || Z_LVAL_P(val) > 5) { + php_error_docref(NULL, E_WARNING, "Security level must be between 0 and 5"); + } + SSL_CTX_set_security_level(sslsock->ctx, Z_LVAL_P(val)); +#else + php_error_docref(NULL, E_WARNING, + "security_level is not supported by the linked OpenSSL library " + "- it is supported from version 1.1.0"); +#endif + } + GET_VER_OPT_STRING("alpn_protocols", alpn_protocols); if (alpn_protocols) { #ifdef HAVE_TLS_ALPN |