
Commit c63547b

committed
Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2: Fix phpGH-21617: sni_server self-signed certificate expired
2 parents bc8a95e + 0f38bfd commit c63547b

15 files changed

Lines changed: 106 additions & 379 deletions

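--- a/ext/openssl/tests/gh9310.phpt
+++ b/ext/openssl/tests/gh9310.phpt
@@ -23,7 +23,21 @@ $certificateGenerator->saveNewCertAndKey('gh9310', $certFile, $pkFile);
 
 copy($certFile, $baseDirCertFile);
 copy($pkFile, $baseDirPkFile);
-copy(__DIR__ . '/sni_server_uk_cert.pem', $baseDir . '/sni_server_uk_cert.pem');
+
+$sniCaFile = __DIR__ . '/gh9310_sni_ca.pem.tmp';
+$sniCsFile = __DIR__ . '/gh9310_sni_cs.pem.tmp';
+$sniUkCertFile = __DIR__ . '/gh9310_sni_uk_cert.pem.tmp';
+$sniUkKeyFile = __DIR__ . '/gh9310_sni_uk_key.pem.tmp';
+$sniUsCertFile = __DIR__ . '/gh9310_sni_us_cert.pem.tmp';
+$sniUsKeyFile = __DIR__ . '/gh9310_sni_us_key.pem.tmp';
+$baseDirSniUkCertFile = $baseDir . '/sni_uk_cert.pem';
+
+$certificateGenerator->saveCaCert($sniCaFile);
+$certificateGenerator->saveNewCertAsFileWithKey('cs.php.net', $sniCsFile);
+$certificateGenerator->saveNewCertAndKey('uk.php.net', $sniUkCertFile, $sniUkKeyFile);
+$certificateGenerator->saveNewCertAndKey('us.php.net', $sniUsCertFile, $sniUsKeyFile);
+
+copy($sniUkCertFile, $baseDirSniUkCertFile);
 
 
 $serverCodeTemplate = <<<'CODE'
@@ -60,7 +74,7 @@ $sniServerCodeV1 = <<<'CODE'
 $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
 $ctx = stream_context_create(['ssl' => [
 'SNI_server_certs' => [
-"cs.php.net" => __DIR__ . "/sni_server_cs.pem",
+"cs.php.net" => '%s',
 ]
 ]]);
 
@@ -69,6 +83,7 @@ $sniServerCodeV1 = <<<'CODE'
 
 stream_socket_accept($server);
 CODE;
+$sniServerCodeV1 = sprintf($sniServerCodeV1, $sniCsFile);
 
 $sniServerCodeV2 = <<<'CODE'
 ini_set('log_errors', 'On');
@@ -77,8 +92,8 @@ $sniServerCodeV2 = <<<'CODE'
 $ctx = stream_context_create(['ssl' => [
 'SNI_server_certs' => [
 "uk.php.net" => [
-'local_cert' => __DIR__ . '/gh9310/sni_server_uk_cert.pem',
-'local_pk' => __DIR__ . '/sni_server_uk_key.pem',
+'local_cert' => '%s',
+'local_pk' => '%s',
 ]
 ]
 ]]);
@@ -88,6 +103,7 @@ $sniServerCodeV2 = <<<'CODE'
 
 stream_socket_accept($server);
 CODE;
+$sniServerCodeV2 = sprintf($sniServerCodeV2, $baseDirSniUkCertFile, $sniUkKeyFile);
 
 $sniServerCodeV3 = <<<'CODE'
 ini_set('log_errors', 'On');
@@ -96,8 +112,8 @@ $sniServerCodeV3 = <<<'CODE'
 $ctx = stream_context_create(['ssl' => [
 'SNI_server_certs' => [
 "us.php.net" => [
-'local_cert' => __DIR__ . '/sni_server_us_cert.pem',
-'local_pk' => __DIR__ . '/sni_server_us_key.pem',
+'local_cert' => '%s',
+'local_pk' => '%s',
 ]
 ]
 ]]);
@@ -107,14 +123,15 @@ $sniServerCodeV3 = <<<'CODE'
 
 stream_socket_accept($server);
 CODE;
+$sniServerCodeV3 = sprintf($sniServerCodeV3, $sniUsCertFile, $sniUsKeyFile);
 
 $sniClientCodeTemplate = <<<'CODE'
 $flags = STREAM_CLIENT_CONNECT;
 $ctxArr = [
-'cafile' => __DIR__ . '/sni_server_ca.pem',
+'cafile' => '%s',
+'peer_name' => '%s',
 ];
 
-$ctxArr['peer_name'] = '%s';
 $ctx = stream_context_create(['ssl' => $ctxArr]);
 @stream_socket_client("tls://{{ ADDR }}", $errno, $errstr, 1, $flags, $ctx);
 CODE;
@@ -131,13 +148,13 @@ ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 $serverCode = sprintf($serverCodeTemplate, $baseDirCertFile, $pkFile);
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 
-$sniClientCode = sprintf($sniClientCodeTemplate, 'cs.php.net');
+$sniClientCode = sprintf($sniClientCodeTemplate, $sniCaFile, 'cs.php.net');
 ServerClientTestCase::getInstance()->run($sniClientCode, $sniServerCodeV1);
 
-$sniClientCode = sprintf($sniClientCodeTemplate, 'uk.php.net');
+$sniClientCode = sprintf($sniClientCodeTemplate, $sniCaFile, 'uk.php.net');
 ServerClientTestCase::getInstance()->run($sniClientCode, $sniServerCodeV2);
 
-$sniClientCode = sprintf($sniClientCodeTemplate, 'us.php.net');
+$sniClientCode = sprintf($sniClientCodeTemplate, $sniCaFile, 'us.php.net');
 ServerClientTestCase::getInstance()->run($sniClientCode, $sniServerCodeV3);
 
 ?>
@@ -149,7 +166,13 @@ $baseDir = __DIR__ . '/gh9310';
 @unlink(__DIR__ . '/gh9310.key');
 @unlink($baseDir . '/cert.crt');
 @unlink($baseDir . '/private.key');
-@unlink($baseDir . '/sni_server_uk_cert.pem');
+@unlink($baseDir . '/sni_uk_cert.pem');
+@unlink(__DIR__ . '/gh9310_sni_ca.pem.tmp');
+@unlink(__DIR__ . '/gh9310_sni_cs.pem.tmp');
+@unlink(__DIR__ . '/gh9310_sni_uk_cert.pem.tmp');
+@unlink(__DIR__ . '/gh9310_sni_uk_key.pem.tmp');
+@unlink(__DIR__ . '/gh9310_sni_us_cert.pem.tmp');
+@unlink(__DIR__ . '/gh9310_sni_us_key.pem.tmp');
 @rmdir($baseDir);
 ?>
 --EXPECTF--
@@ -169,15 +192,15 @@ PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%
 PHP Warning: stream_socket_accept(): Unable to get real path of private key file `%sgh9310.key' in %s
 PHP Warning: stream_socket_accept(): Failed to enable crypto in %s
 PHP Warning: stream_socket_accept(): Accept failed: %s
-PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%ssni_server_cs.pem) is not within the allowed path(s): (%sgh9310) in %s
-PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%ssni_server_cs.pem'; file not found in %s
+PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_cs.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s
+PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%sgh9310_sni_cs.pem.tmp'; file not found in %s
 PHP Warning: stream_socket_accept(): Failed to enable crypto in %s
 PHP Warning: stream_socket_accept(): Accept failed: %s
-PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%ssni_server_uk_key.pem) is not within the allowed path(s): (%sgh9310) in %s
-PHP Warning: stream_socket_accept(): Failed setting local private key file `%ssni_server_uk_key.pem'; could not open file in %s
+PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_uk_key.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s
+PHP Warning: stream_socket_accept(): Failed setting local private key file `%sgh9310_sni_uk_key.pem.tmp'; could not open file in %s
 PHP Warning: stream_socket_accept(): Failed to enable crypto in %s
 PHP Warning: stream_socket_accept(): Accept failed: %s
-PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%ssni_server_us_cert.pem) is not within the allowed path(s): (%sgh9310) in %s
-PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%ssni_server_us_cert.pem'; could not open file in %s
+PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_us_cert.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s
+PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%sgh9310_sni_us_cert.pem.tmp'; could not open file in %s
 PHP Warning: stream_socket_accept(): Failed to enable crypto in %s
 PHP Warning: stream_socket_accept(): Accept failed: %s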
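Review bot: The V2 case passes `$baseDirSniUkCertFile` for `local_cert` but `$sniUkKeyFile` for `local_pk` in `sprintf($sniServerCodeV2, $baseDirSniUkCertFile, $sniUkKeyFile)`, and nothing in the file says the asymmetry is deliberate. The expected output names `gh9310_sni_uk_key.pem.tmp` in the open_basedir warning, so the certificate copy inside `$baseDir` appears to exist so that the private-key path check is the one that fails. I would add a comment above that call, e.g. `// cert is the copy inside open_basedir; the key stays outside so the local_pk check is what fails`. Without it, a later cleanup could easily "fix" the mismatch and silently drop coverage of the private-key check.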

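--- a/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt
+++ b/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt
@@ -17,7 +17,7 @@ $cert = "file://" . __DIR__ . "/cert.crt";
 $bert = "file://" . __DIR__ . "/bug41033.pem";
 $sert = "file://" . __DIR__ . "/san-cert.pem";
 $cpca = __DIR__ . "/san-cert.pem";
-$utfl = __DIR__ . "/sni_server_uk.pem";
+$utfl = __DIR__ . "/sni_server.pem";
 $rcrt = openssl_x509_read($cert);
 
 /* int openssl_x509_checkpurpose ( mixed $x509cert , int $purpose); */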

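--- a/ext/openssl/tests/openssl_x509_export_to_file_leak.phpt
+++ b/ext/openssl/tests/openssl_x509_export_to_file_leak.phpt
@@ -5,7 +5,7 @@ openssl
 --FILE--
 <?php
 
-$path = "file://" . __DIR__ . "/sni_server_ca.pem";
+$path = "file://" . __DIR__ . "/cert.crt";
 var_dump(openssl_x509_export_to_file($path, str_repeat("a", 10000)));
 
 ?>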

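--- a/ext/openssl/tests/sni_server.phpt
+++ b/ext/openssl/tests/sni_server.phpt
@@ -8,13 +8,25 @@ if (!function_exists("proc_open")) die("skip no proc_open");
 ?>
 --FILE--
 <?php
+$caFile = __DIR__ . DIRECTORY_SEPARATOR . 'sni_server_ca.pem.tmp';
+$csFile = __DIR__ . DIRECTORY_SEPARATOR . 'sni_server_cs.pem.tmp';
+$ukFile = __DIR__ . DIRECTORY_SEPARATOR . 'sni_server_uk.pem.tmp';
+$usFile = __DIR__ . DIRECTORY_SEPARATOR . 'sni_server_us.pem.tmp';
+
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveCaCert($caFile);
+$certificateGenerator->saveNewCertAsFileWithKey('cs.php.net', $csFile);
+$certificateGenerator->saveNewCertAsFileWithKey('uk.php.net', $ukFile);
+$certificateGenerator->saveNewCertAsFileWithKey('us.php.net', $usFile);
+
 $serverCode = <<<'CODE'
 $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
 $ctx = stream_context_create(['ssl' => [
 'SNI_server_certs' => [
-"cs.php.net" => __DIR__ . "/sni_server_cs.pem",
-"uk.php.net" => __DIR__ . "/sni_server_uk.pem",
-"us.php.net" => __DIR__ . "/sni_server_us.pem"
+"cs.php.net" => '%s',
+"uk.php.net" => '%s',
+"us.php.net" => '%s',
 ]
 ]]);
 
@@ -25,11 +37,12 @@ $serverCode = <<<'CODE'
 @stream_socket_accept($server, 3);
 }
 CODE;
+$serverCode = sprintf($serverCode, $csFile, $ukFile, $usFile);
 
 $clientCode = <<<'CODE'
 $flags = STREAM_CLIENT_CONNECT;
 $ctxArr = [
-'cafile' => __DIR__ . '/sni_server_ca.pem',
+'cafile' => '%s',
 'capture_peer_cert' => true
 ];
 
@@ -51,10 +64,18 @@ $clientCode = <<<'CODE'
 $cert = stream_context_get_options($ctx)['ssl']['peer_certificate'];
 var_dump(openssl_x509_parse($cert)['subject']['CN']);
 CODE;
+$clientCode = sprintf($clientCode, $caFile);
 
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'sni_server_ca.pem.tmp');
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'sni_server_cs.pem.tmp');
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'sni_server_uk.pem.tmp');
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'sni_server_us.pem.tmp');
+?>
 --EXPECTF--
 string(%d) "cs.php.net"
 string(%d) "uk.php.net"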
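Review bot: The generated paths are substituted into single-quoted PHP literals with no escaping, in `$serverCode = sprintf($serverCode, $csFile, $ukFile, $usFile);` and `$clientCode = sprintf($clientCode, $caFile);`. A checkout directory whose path contains a `'` would make the spawned worker code fail to parse, and any literal `%` later added to either heredoc would be read as a format specifier. Writing the placeholders unquoted (`"cs.php.net" => %s,`) and passing `var_export($csFile, true)` keeps the literal well-formed for any path. The heredoc bodies continue outside the visible hunks, so whether they already contain a `%` cannot be checked from here; the new `sprintf` calls in gh9310.phpt follow the same pattern.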

ext/openssl/tests/sni_server_ca.pem

Lines changed: 0 additions & 63 deletions
This file was deleted.

ext/openssl/tests/sni_server_cs.pem

Lines changed: 0 additions & 57 deletions
This file was deleted.

ext/openssl/tests/sni_server_cs_cert.pem

Lines changed: 0 additions & 30 deletions
This file was deleted.
