Diffstat (limited to 'ext/mysqlnd')
| -rw-r--r-- | ext/mysqlnd/mysqlnd.c | 7 | ||||
| -rw-r--r-- | ext/mysqlnd/mysqlnd_enum_n_def.h | 4 | ||||
| -rw-r--r-- | ext/mysqlnd/mysqlnd_net.c | 51 | ||||
| -rw-r--r-- | ext/mysqlnd/mysqlnd_structs.h | 9 |
4 files changed, 62 insertions, 9 deletions
diff --git a/ext/mysqlnd/mysqlnd.c b/ext/mysqlnd/mysqlnd.c
index f008986227..94a314964d 100644
--- a/ext/mysqlnd/mysqlnd.c
+++ b/ext/mysqlnd/mysqlnd.c
@@ -472,6 +472,7 @@ mysqlnd_switch_to_ssl_if_needed(
 DBG_INF_FMT("CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA= %d", mysql_flags & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA? 1:0);
 DBG_INF_FMT("CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS= %d", mysql_flags & CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS? 1:0);
 DBG_INF_FMT("CLIENT_SESSION_TRACK= %d", mysql_flags & CLIENT_SESSION_TRACK? 1:0);
+ DBG_INF_FMT("CLIENT_SSL_DONT_VERIFY_SERVER_CERT= %d", mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT? 1:0);
 DBG_INF_FMT("CLIENT_SSL_VERIFY_SERVER_CERT= %d", mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? 1:0);
 DBG_INF_FMT("CLIENT_REMEMBER_OPTIONS= %d", mysql_flags & CLIENT_REMEMBER_OPTIONS? 1:0);
@@ -495,7 +496,11 @@ mysqlnd_switch_to_ssl_if_needed(
 if (server_has_ssl == FALSE) {
 goto close_conn;
 } else {
- zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? TRUE:FALSE;
+ enum mysqlnd_ssl_peer verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT?
+ MYSQLND_SSL_PEER_VERIFY:
+ (mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT?
+ MYSQLND_SSL_PEER_DONT_VERIFY:
+ MYSQLND_SSL_PEER_DEFAULT);
 DBG_INF("Switching to SSL");
 if (!PACKET_WRITE(auth_packet, conn)) {
 goto close_conn;
diff --git a/ext/mysqlnd/mysqlnd_enum_n_def.h b/ext/mysqlnd/mysqlnd_enum_n_def.h
index c1ede7e656..9e29da29dd 100644
--- a/ext/mysqlnd/mysqlnd_enum_n_def.h
+++ b/ext/mysqlnd/mysqlnd_enum_n_def.h
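Review bot: The five-line nested ternary that initialises `verify` in the second hunk hides the one rule a reader needs, namely that an explicit CLIENT_SSL_VERIFY_SERVER_CERT wins when both bits are set, and a flat if/else chain states that directly. The precedence itself is the safe choice (verification is never switched off by the mere presence of the DONT_VERIFY bit), so it deserves a comment rather than being implicit in operator nesting. mysqlnd_switch_to_ssl_if_needed begins before the hunk and continues after it.
```c
	} else {
		enum mysqlnd_ssl_peer verify = MYSQLND_SSL_PEER_DEFAULT;
		/* an explicit request to verify takes precedence over DONT_VERIFY */
		if (mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT) {
			verify = MYSQLND_SSL_PEER_VERIFY;
		} else if (mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT) {
			verify = MYSQLND_SSL_PEER_DONT_VERIFY;
		}
		/* … unchanged: DBG_INF("Switching to SSL"), PACKET_WRITE … */
```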
@@ -101,6 +101,10 @@
 #define CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA (1UL << 21) /* Enable authentication response packet to be larger than 255 bytes. */
 #define CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS (1UL << 22) /* Don't close the connection for a connection with expired password. */
 #define CLIENT_SESSION_TRACK (1UL << 23) /* Extended OK */
+/*
+ This is a mysqlnd extension. CLIENT_ODBC is not used anyway. We will reuse it for our case and translate it to not using SSL peer verification
+*/
+#define CLIENT_SSL_DONT_VERIFY_SERVER_CERT CLIENT_ODBC
 #define CLIENT_SSL_VERIFY_SERVER_CERT (1UL << 30)
 #define CLIENT_REMEMBER_OPTIONS (1UL << 31)
diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
index 69f4b7a54a..3e8d0993fa 100644
--- a/ext/mysqlnd/mysqlnd_net.c
+++ b/ext/mysqlnd/mysqlnd_net.c
@@ -798,8 +798,27 @@ MYSQLND_METHOD(mysqlnd_net, set_client_option)(MYSQLND_NET * const net, enum mys
 break;
 }
 case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
- net->data->options.ssl_verify_peer = value? ((*(zend_bool *)value)? TRUE:FALSE): FALSE;
+ {
+ enum mysqlnd_ssl_peer val = *((enum mysqlnd_ssl_peer *)value);
+ switch (val) {
+ case MYSQLND_SSL_PEER_VERIFY:
+ DBG_INF("MYSQLND_SSL_PEER_VERIFY");
+ break;
+ case MYSQLND_SSL_PEER_DONT_VERIFY:
+ DBG_INF("MYSQLND_SSL_PEER_DONT_VERIFY");
+ break;
+ case MYSQLND_SSL_PEER_DEFAULT:
+ DBG_INF("MYSQLND_SSL_PEER_DEFAULT");
+ val = MYSQLND_SSL_PEER_DEFAULT;
+ break;
+ default:
+ DBG_INF("default = MYSQLND_SSL_PEER_DEFAULT_ACTION");
+ val = MYSQLND_SSL_PEER_DEFAULT;
+ break;
+ }
+ net->data->options.ssl_verify_peer = val;
 break;
+ }
 case MYSQL_OPT_READ_TIMEOUT:
 net->data->options.timeout_read = *(unsigned int*) value;
 break;
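Review bot: The new `#define CLIENT_SSL_DONT_VERIFY_SERVER_CERT CLIENT_ODBC` aliases a bit that belongs to the server capability flag set, and the comment above it does not say whether that bit is stripped from `mysql_flags` before the handshake packet is built; the mysqlnd.c hunk reads it out of the same `mysql_flags` value, so if the flags go out unmasked the server will see CLIENT_ODBC set. I cannot tell from this diff whether masking happens elsewhere, so the header comment should state it either way. I would replace the three-line comment with `/* mysqlnd-private pseudo-flag reusing the CLIENT_ODBC bit value: not a server capability, must not reach the wire; confirm it is masked before the auth packet is sent */`.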
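Review bot: The removed line tolerated a NULL `value` (it mapped to FALSE), but the new `enum mysqlnd_ssl_peer val = *((enum mysqlnd_ssl_peer *)value);` dereferences it unconditionally, so any caller that still passes NULL for MYSQL_OPT_SSL_VERIFY_SERVER_CERT now crashes; `enum mysqlnd_ssl_peer val = value? *((enum mysqlnd_ssl_peer *)value): MYSQLND_SSL_PEER_DEFAULT;` keeps the old tolerance and lets the enable-time default resolution apply. The option also changes size from a `zend_bool` object to an enum-sized one, and callers outside this diff that still hand in a `zend_bool` would be read past their object; I cannot see those callers here, so that needs checking. Inside the switch, `case MYSQLND_SSL_PEER_DEFAULT:` assigns `val = MYSQLND_SSL_PEER_DEFAULT` to a value that already equals it, and the `default:` branch logs "MYSQLND_SSL_PEER_DEFAULT_ACTION" while storing MYSQLND_SSL_PEER_DEFAULT, which will mislead whoever reads the trace. set_client_option begins before the hunk and continues after it.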
@@ -886,6 +905,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 #ifdef MYSQLND_SSL_SUPPORTED
 php_stream_context * context = php_stream_context_alloc(TSRMLS_C);
 php_stream * net_stream = net->data->m.get_stream(net TSRMLS_CC);
+ zend_bool any_flag = FALSE;
 DBG_ENTER("mysqlnd_net::enable_ssl");
 if (!context) {
@@ -896,11 +916,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 zval key_zval;
 ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
 php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
- }
- if (net->data->options.ssl_verify_peer) {
- zval verify_peer_zval;
- ZVAL_TRUE(&verify_peer_zval);
- php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+ any_flag = TRUE;
 }
 if (net->data->options.ssl_cert) {
 zval cert_zval;
@@ -909,27 +925,48 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 if (!net->data->options.ssl_key) {
 php_stream_context_set_option(context, "ssl", "local_pk", &cert_zval);
 }
+ any_flag = TRUE;
 }
 if (net->data->options.ssl_ca) {
 zval cafile_zval;
 ZVAL_STRING(&cafile_zval, net->data->options.ssl_ca, 0);
 php_stream_context_set_option(context, "ssl", "cafile", &cafile_zval);
+ any_flag = TRUE;
 }
 if (net->data->options.ssl_capath) {
 zval capath_zval;
 ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
- php_stream_context_set_option(context, "ssl", "cafile", &capath_zval);
+ php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
+ any_flag = TRUE;
 }
 if (net->data->options.ssl_passphrase) {
 zval passphrase_zval;
 ZVAL_STRING(&passphrase_zval, net->data->options.ssl_passphrase, 0);
 php_stream_context_set_option(context, "ssl", "passphrase", &passphrase_zval);
+ any_flag = TRUE;
 }
 if (net->data->options.ssl_cipher) {
 zval cipher_zval;
 ZVAL_STRING(&cipher_zval, net->data->options.ssl_cipher, 0);
 php_stream_context_set_option(context, "ssl", "ciphers", &cipher_zval);
+ any_flag = TRUE;
 }
+ {
+ zval verify_peer_zval;
+ zend_bool verify;
+
+ if (net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_DEFAULT) {
+ net->data->options.ssl_verify_peer = any_flag? MYSQLND_SSL_PEER_DEFAULT_ACTION:MYSQLND_SSL_PEER_DONT_VERIFY;
+ }
+
+ verify = net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_VERIFY? TRUE:FALSE;
+
+ DBG_INF_FMT("VERIFY=%d", verify);
+ ZVAL_BOOL(&verify_peer_zval, verify);
+ php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
+ }
+
 php_stream_context_set(net_stream, context);
 if (php_stream_xport_crypto_setup(net_stream, STREAM_CRYPTO_METHOD_TLS_CLIENT, NULL TSRMLS_CC) < 0 ||
 php_stream_xport_crypto_enable(net_stream, 1 TSRMLS_CC) < 0)
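Review bot: The added block writes the resolved default back into `net->data->options.ssl_verify_peer`, so after the first enable_ssl the DEFAULT state is gone and the options record an explicit VERIFY or DONT_VERIFY choice the caller never made; resolving into a local keeps the stored option meaning "not chosen" and makes the function free of that side effect. The DONT_VERIFY outcome, taken whenever no SSL option at all was configured, is also the one a trace reader most needs to see, and the only log line is the final VERIFY=%d, which does not say whether the value came from the user or from the default rule. Note too that `any_flag` is raised by ssl_cipher and ssl_passphrase, which carry no trust anchor, so a cipher-only configuration flips verification on while a bare connection stays unverified; whether that asymmetry is intended is a design question the code should comment on. enable_ssl begins before the hunk and continues after it.
```c
	{
		zval verify_peer_zval;
		enum mysqlnd_ssl_peer mode = net->data->options.ssl_verify_peer;
		zend_bool verify;

		if (mode == MYSQLND_SSL_PEER_DEFAULT) {
			/* No explicit choice: verify when any TLS material was configured, otherwise stay unverified.
			   Kept in a local so the stored option still reads DEFAULT afterwards. */
			mode = any_flag? MYSQLND_SSL_PEER_DEFAULT_ACTION:MYSQLND_SSL_PEER_DONT_VERIFY;
			DBG_INF_FMT("ssl_verify_peer resolved from DEFAULT to %d", mode);
		}
		verify = mode == MYSQLND_SSL_PEER_VERIFY? TRUE:FALSE;
		/* … unchanged: DBG_INF_FMT("VERIFY=%d"), ZVAL_BOOL, verify_peer / verify_peer_name options … */
	}
```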
diff --git a/ext/mysqlnd/mysqlnd_structs.h b/ext/mysqlnd/mysqlnd_structs.h
index 170c977c2b..f5d0b47a6f 100644
--- a/ext/mysqlnd/mysqlnd_structs.h
+++ b/ext/mysqlnd/mysqlnd_structs.h
@@ -207,7 +207,13 @@ typedef struct st_mysqlnd_net_options
 char *ssl_capath;
 char *ssl_cipher;
 char *ssl_passphrase;
- zend_bool ssl_verify_peer;
+ enum mysqlnd_ssl_peer {
+ MYSQLND_SSL_PEER_DEFAULT = 0,
+ MYSQLND_SSL_PEER_VERIFY = 1,
+ MYSQLND_SSL_PEER_DONT_VERIFY = 2,
+
+#define MYSQLND_SSL_PEER_DEFAULT_ACTION MYSQLND_SSL_PEER_VERIFY
+ } ssl_verify_peer;
 uint64_t flags;
 char * sha256_server_public_key;
@@ -219,6 +225,7 @@ typedef struct st_mysqlnd_net_options
 } MYSQLND_NET_OPTIONS;
+
 typedef struct st_mysqlnd_connection MYSQLND;
 typedef struct st_mysqlnd_connection_data MYSQLND_CONN_DATA;
 typedef struct st_mysqlnd_net MYSQLND_NET;
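Review bot: Declaring `enum mysqlnd_ssl_peer` inside the st_mysqlnd_net_options body, with `#define MYSQLND_SSL_PEER_DEFAULT_ACTION` sitting between the enumerators, is hard to read and hides a type that mysqlnd.c and mysqlnd_net.c use on their own; the enum belongs as a standalone declaration above the struct, the macro directly after it, and the field becomes `enum mysqlnd_ssl_peer ssl_verify_peer; /* MYSQLND_SSL_PEER_DEFAULT until resolved in enable_ssl */`. The enumerators themselves also need a short comment each: DEFAULT is "no explicit choice, decided at enable time", VERIFY and DONT_VERIFY are the user's explicit settings. Choosing `MYSQLND_SSL_PEER_DEFAULT = 0` is a good property, since zero-initialised options start in DEFAULT, and that is worth saying in the comment so nobody renumbers it. The struct begins before the hunk.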
