
Commit 0f2b93e

committed
Merge branch 'PHP-8.4' into PHP-8.5
* PHP-8.4: Add back sni_server_ca for expired cert test Fix SNI tests for bugs #80770 and #74796 Fix GH-21617: sni_server self signed certificate expired
2 parents a8b7665 + 1d8643d commit 0f2b93e

17 files changed

+183
-335
lines changed

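--- a/ext/openssl/tests/bug74796.phpt
+++ b/ext/openssl/tests/bug74796.phpt
@@ -12,13 +12,24 @@ if (substr(PHP_OS, 0, 3) == 'WIN') {
 --FILE--
 <?php
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$caFile = __DIR__ . '/bug74796_ca.pem.tmp';
+$csFile = __DIR__ . '/bug74796_cs.pem.tmp';
+$ukFile = __DIR__ . '/bug74796_uk.pem.tmp';
+$usFile = __DIR__ . '/bug74796_us.pem.tmp';
+$certificateGenerator->saveCaCert($caFile);
+$certificateGenerator->saveNewCertAsFileWithKey('cs.php.net', $csFile);
+$certificateGenerator->saveNewCertAsFileWithKey('uk.php.net', $ukFile);
+$certificateGenerator->saveNewCertAsFileWithKey('us.php.net', $usFile);
+
 $serverCode = <<<'CODE'
 $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
 $ctx = stream_context_create(['ssl' => [
 'SNI_server_certs' => [
-"cs.php.net" => __DIR__ . "/sni_server_cs.pem",
-"uk.php.net" => __DIR__ . "/sni_server_uk.pem",
-"us.php.net" => __DIR__ . "/sni_server_us.pem"
+"cs.php.net" => '%s',
+"uk.php.net" => '%s',
+"us.php.net" => '%s',
 ]
 ]]);
@@ -33,6 +44,7 @@ $serverCode = <<<'CODE'
 
 phpt_wait();
 CODE;
+$serverCode = sprintf($serverCode, $csFile, $ukFile, $usFile);
 
 $proxyCode = <<<'CODE'
 function parse_sni_from_client_hello($data) {
@@ -134,7 +146,7 @@ CODE;
 $clientCode = <<<'CODE'
 $clientCtx = stream_context_create([
 'ssl' => [
-'cafile' => __DIR__ . '/sni_server_ca.pem',
+'cafile' => '%s',
 'verify_peer' => true,
 'verify_peer_name' => true,
 ],
@@ -155,16 +167,21 @@ $clientCode = <<<'CODE'
 
 phpt_notify('server');
 CODE;
+$clientCode = sprintf($clientCode, $caFile);
 
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, [
-'server' => $serverCode,
-'proxy' => $proxyCode,
+'server' => $serverCode,
+'proxy' => $proxyCode,
 ]);
 ?>
 --CLEAN--
 <?php
 @unlink(__DIR__ . "/bug74796_proxy_sni.log");
+@unlink(__DIR__ . '/bug74796_ca.pem.tmp');
+@unlink(__DIR__ . '/bug74796_cs.pem.tmp');
+@unlink(__DIR__ . '/bug74796_uk.pem.tmp');
+@unlink(__DIR__ . '/bug74796_us.pem.tmp');
 ?>
 --EXPECT--
 string(19) "Hello from server 0"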
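Review bot: The generated paths are spliced into single-quoted PHP literals of the child-process code by `sprintf($serverCode, $csFile, $ukFile, $usFile)` and `sprintf($clientCode, $caFile)`, so a checkout path containing `'` or `\` would break, or silently alter, the path the server and client actually open, and any literal `%` that later lands in either template would be consumed as a conversion specifier. This mirrors what bug80770.phpt already did for `cafile`, so it is presumably a deliberate suite convention rather than an oversight. If it is kept, writing the placeholder as `'cafile' => %s,` and passing `var_export($caFile, true)` as the argument yields a correctly escaped literal at no extra cost; otherwise a short comment above the first `sprintf` stating that the paths are trusted test-directory paths would record the assumption.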

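--- a/ext/openssl/tests/bug80770.phpt
+++ b/ext/openssl/tests/bug80770.phpt
@@ -11,14 +11,25 @@ if (OPENSSL_VERSION_NUMBER < 0x10101000) die("skip OpenSSL v1.1.1 required");
 <?php
 $clientCertFile = __DIR__ . DIRECTORY_SEPARATOR . 'bug80770_client.pem.tmp';
 $caCertFile = __DIR__ . DIRECTORY_SEPARATOR . 'bug80770_ca.pem.tmp';
+$csFile = __DIR__ . DIRECTORY_SEPARATOR . 'bug80770_cs.pem.tmp';
+$ukFile = __DIR__ . DIRECTORY_SEPARATOR . 'bug80770_uk.pem.tmp';
+$usFile = __DIR__ . DIRECTORY_SEPARATOR . 'bug80770_us.pem.tmp';
+
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveCaCert($caCertFile);
+$certificateGenerator->saveNewCertAsFileWithKey('cs.php.net', $csFile);
+$certificateGenerator->saveNewCertAsFileWithKey('uk.php.net', $ukFile);
+$certificateGenerator->saveNewCertAsFileWithKey('us.php.net', $usFile);
+$certificateGenerator->saveNewCertAsFileWithKey('Bug80770 Test Client', $clientCertFile);
 
 $serverCode = <<<'CODE'
 $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
 $ctx = stream_context_create(['ssl' => [
 'SNI_server_certs' => [
-"cs.php.net" => __DIR__ . "/sni_server_cs.pem",
-"uk.php.net" => __DIR__ . "/sni_server_uk.pem",
-"us.php.net" => __DIR__ . "/sni_server_us.pem"
+"cs.php.net" => '%s',
+"uk.php.net" => '%s',
+"us.php.net" => '%s',
 ],
 'verify_peer' => true,
 'cafile' => '%s',
@@ -28,7 +39,6 @@ $serverCode = <<<'CODE'
 ]]);
 $server = stream_socket_server('tcp://127.0.0.1:0', $errno, $errstr, $flags, $ctx);
 phpt_notify_server_start($server);
-
 $client = stream_socket_accept($server, 30);
 if ($client) {
 $success = stream_socket_enable_crypto($client, true, STREAM_CRYPTO_METHOD_TLS_SERVER);
@@ -43,7 +53,7 @@ $serverCode = <<<'CODE'
 phpt_notify(message: "ACCEPT_FAILED");
 }
 CODE;
-$serverCode = sprintf($serverCode, $caCertFile);
+$serverCode = sprintf($serverCode, $csFile, $ukFile, $usFile, $caCertFile);
 
 $clientCode = <<<'CODE'
 $flags = STREAM_CLIENT_CONNECT;
@@ -58,26 +68,21 @@ $clientCode = <<<'CODE'
 if ($client) {
 stream_socket_enable_crypto($client, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
 }
-
 $result = phpt_wait();
 echo trim($result);
 CODE;
 $clientCode = sprintf($clientCode, $clientCertFile);
 
-include 'CertificateGenerator.inc';
-
-// Generate CA and client certificate signed by that CA
-$certificateGenerator = new CertificateGenerator();
-$certificateGenerator->saveCaCert($caCertFile);
-$certificateGenerator->saveNewCertAsFileWithKey('Bug80770 Test Client', $clientCertFile);
-
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
 --CLEAN--
 <?php
 @unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug80770_client.pem.tmp');
 @unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug80770_ca.pem.tmp');
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug80770_cs.pem.tmp');
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug80770_uk.pem.tmp');
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug80770_us.pem.tmp');
 ?>
 --EXPECTF--
 CLIENT_CERT_CAPTURED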
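Review bot: `sprintf($serverCode, $csFile, $ukFile, $usFile, $caCertFile)` binds four positional `%s` placeholders whose meaning is fixed only by the order of the `SNI_server_certs` entries followed by `cafile`; reordering that array would silently feed a server leaf cert to `cafile`, and because the server sets `verify_peer => true` the client certificate would then be validated against the wrong anchor with nothing in this hunk making the mix-up obvious. A one-line comment above the call, `// argument order must follow the %s placeholders: cs, uk, us SNI certs, then cafile`, or argument-numbered specifiers such as `'cafile' => '%4$s'`, would make the coupling explicit. Moving the generator calls ahead of the templates is necessary, since the paths are now consumed by the server `sprintf` rather than only by the client one.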

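--- a/ext/openssl/tests/gh9310.phpt
+++ b/ext/openssl/tests/gh9310.phpt
@@ -23,7 +23,21 @@ $certificateGenerator->saveNewCertAndKey('gh9310', $certFile, $pkFile);
 
 copy($certFile, $baseDirCertFile);
 copy($pkFile, $baseDirPkFile);
-copy(__DIR__ . '/sni_server_uk_cert.pem', $baseDir . '/sni_server_uk_cert.pem');
+
+$sniCaFile = __DIR__ . '/gh9310_sni_ca.pem.tmp';
+$sniCsFile = __DIR__ . '/gh9310_sni_cs.pem.tmp';
+$sniUkCertFile = __DIR__ . '/gh9310_sni_uk_cert.pem.tmp';
+$sniUkKeyFile = __DIR__ . '/gh9310_sni_uk_key.pem.tmp';
+$sniUsCertFile = __DIR__ . '/gh9310_sni_us_cert.pem.tmp';
+$sniUsKeyFile = __DIR__ . '/gh9310_sni_us_key.pem.tmp';
+$baseDirSniUkCertFile = $baseDir . '/sni_uk_cert.pem';
+
+$certificateGenerator->saveCaCert($sniCaFile);
+$certificateGenerator->saveNewCertAsFileWithKey('cs.php.net', $sniCsFile);
+$certificateGenerator->saveNewCertAndKey('uk.php.net', $sniUkCertFile, $sniUkKeyFile);
+$certificateGenerator->saveNewCertAndKey('us.php.net', $sniUsCertFile, $sniUsKeyFile);
+
+copy($sniUkCertFile, $baseDirSniUkCertFile);
 
 
 $serverCodeTemplate = <<<'CODE'
@@ -60,7 +74,7 @@ $sniServerCodeV1 = <<<'CODE'
 $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
 $ctx = stream_context_create(['ssl' => [
 'SNI_server_certs' => [
-"cs.php.net" => __DIR__ . "/sni_server_cs.pem",
+"cs.php.net" => '%s',
 ]
 ]]);
 
@@ -69,6 +83,7 @@ $sniServerCodeV1 = <<<'CODE'
 
 stream_socket_accept($server);
 CODE;
+$sniServerCodeV1 = sprintf($sniServerCodeV1, $sniCsFile);
 
 $sniServerCodeV2 = <<<'CODE'
 ini_set('log_errors', 'On');
@@ -77,8 +92,8 @@ $sniServerCodeV2 = <<<'CODE'
 $ctx = stream_context_create(['ssl' => [
 'SNI_server_certs' => [
 "uk.php.net" => [
-'local_cert' => __DIR__ . '/gh9310/sni_server_uk_cert.pem',
-'local_pk' => __DIR__ . '/sni_server_uk_key.pem',
+'local_cert' => '%s',
+'local_pk' => '%s',
 ]
 ]
 ]]);
@@ -88,6 +103,7 @@ $sniServerCodeV2 = <<<'CODE'
 
 stream_socket_accept($server);
 CODE;
+$sniServerCodeV2 = sprintf($sniServerCodeV2, $baseDirSniUkCertFile, $sniUkKeyFile);
 
 $sniServerCodeV3 = <<<'CODE'
 ini_set('log_errors', 'On');
@@ -96,8 +112,8 @@ $sniServerCodeV3 = <<<'CODE'
 $ctx = stream_context_create(['ssl' => [
 'SNI_server_certs' => [
 "us.php.net" => [
-'local_cert' => __DIR__ . '/sni_server_us_cert.pem',
-'local_pk' => __DIR__ . '/sni_server_us_key.pem',
+'local_cert' => '%s',
+'local_pk' => '%s',
 ]
 ]
 ]]);
@@ -107,14 +123,15 @@ $sniServerCodeV3 = <<<'CODE'
 
 stream_socket_accept($server);
 CODE;
+$sniServerCodeV3 = sprintf($sniServerCodeV3, $sniUsCertFile, $sniUsKeyFile);
 
 $sniClientCodeTemplate = <<<'CODE'
 $flags = STREAM_CLIENT_CONNECT;
 $ctxArr = [
-'cafile' => __DIR__ . '/sni_server_ca.pem',
+'cafile' => '%s',
+'peer_name' => '%s',
 ];
 
-$ctxArr['peer_name'] = '%s';
 $ctx = stream_context_create(['ssl' => $ctxArr]);
 @stream_socket_client("tls://{{ ADDR }}", $errno, $errstr, 1, $flags, $ctx);
 CODE;
@@ -131,13 +148,13 @@ ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 $serverCode = sprintf($serverCodeTemplate, $baseDirCertFile, $pkFile);
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 
-$sniClientCode = sprintf($sniClientCodeTemplate, 'cs.php.net');
+$sniClientCode = sprintf($sniClientCodeTemplate, $sniCaFile, 'cs.php.net');
 ServerClientTestCase::getInstance()->run($sniClientCode, $sniServerCodeV1);
 
-$sniClientCode = sprintf($sniClientCodeTemplate, 'uk.php.net');
+$sniClientCode = sprintf($sniClientCodeTemplate, $sniCaFile, 'uk.php.net');
 ServerClientTestCase::getInstance()->run($sniClientCode, $sniServerCodeV2);
 
-$sniClientCode = sprintf($sniClientCodeTemplate, 'us.php.net');
+$sniClientCode = sprintf($sniClientCodeTemplate, $sniCaFile, 'us.php.net');
 ServerClientTestCase::getInstance()->run($sniClientCode, $sniServerCodeV3);
 
 ?>
@@ -149,7 +166,13 @@ $baseDir = __DIR__ . '/gh9310';
 @unlink(__DIR__ . '/gh9310.key');
 @unlink($baseDir . '/cert.crt');
 @unlink($baseDir . '/private.key');
-@unlink($baseDir . '/sni_server_uk_cert.pem');
+@unlink($baseDir . '/sni_uk_cert.pem');
+@unlink(__DIR__ . '/gh9310_sni_ca.pem.tmp');
+@unlink(__DIR__ . '/gh9310_sni_cs.pem.tmp');
+@unlink(__DIR__ . '/gh9310_sni_uk_cert.pem.tmp');
+@unlink(__DIR__ . '/gh9310_sni_uk_key.pem.tmp');
+@unlink(__DIR__ . '/gh9310_sni_us_cert.pem.tmp');
+@unlink(__DIR__ . '/gh9310_sni_us_key.pem.tmp');
 @rmdir($baseDir);
 ?>
 --EXPECTF--
@@ -169,15 +192,15 @@ PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%
 PHP Warning: stream_socket_accept(): Unable to get real path of private key file `%sgh9310.key' in %s
 PHP Warning: stream_socket_accept(): Failed to enable crypto in %s
 PHP Warning: stream_socket_accept(): Accept failed: %s
-PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%ssni_server_cs.pem) is not within the allowed path(s): (%sgh9310) in %s
-PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%ssni_server_cs.pem'; file not found in %s
+PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_cs.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s
+PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%sgh9310_sni_cs.pem.tmp'; file not found in %s
 PHP Warning: stream_socket_accept(): Failed to enable crypto in %s
 PHP Warning: stream_socket_accept(): Accept failed: %s
-PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%ssni_server_uk_key.pem) is not within the allowed path(s): (%sgh9310) in %s
-PHP Warning: stream_socket_accept(): Failed setting local private key file `%ssni_server_uk_key.pem'; could not open file in %s
+PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_uk_key.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s
+PHP Warning: stream_socket_accept(): Failed setting local private key file `%sgh9310_sni_uk_key.pem.tmp'; could not open file in %s
 PHP Warning: stream_socket_accept(): Failed to enable crypto in %s
 PHP Warning: stream_socket_accept(): Accept failed: %s
-PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%ssni_server_us_cert.pem) is not within the allowed path(s): (%sgh9310) in %s
-PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%ssni_server_us_cert.pem'; could not open file in %s
+PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_us_cert.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s
+PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%sgh9310_sni_us_cert.pem.tmp'; could not open file in %s
 PHP Warning: stream_socket_accept(): Failed to enable crypto in %s
 PHP Warning: stream_socket_accept(): Accept failed: %s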
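Review bot: `$sniCaFile` is generated and passed as `cafile` for all three SNI client runs, yet every one of those servers is expected to fail with an open_basedir warning before the handshake completes (the EXPECTF lines at the end of the section) and the client silences its own side with `@stream_socket_client(...)`, so as far as this page shows the CA is never consulted by anyone. A comment on the `$certificateGenerator->saveCaCert($sniCaFile);` line, `// not verified by any run below: each SNI server fails before the handshake; kept so the client context is well-formed`, would stop a reader from treating it as part of the assertion. It is also worth recording next to `$sniUkKeyFile` that the key is deliberately left in `__DIR__` while only the certificate is copied into `$baseDir`, because that asymmetry is exactly what the `Failed setting local private key file ... could not open file` expectation depends on. The nowdoc server templates begin outside the hunks shown here, so the `open_basedir` setup itself could not be reviewed.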

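--- a/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt
+++ b/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt
@@ -14,7 +14,7 @@ $cert = "file://" . __DIR__ . "/cert.crt";
 $bert = "file://" . __DIR__ . "/bug41033.pem";
 $sert = "file://" . __DIR__ . "/san-cert.pem";
 $cpca = __DIR__ . "/san-cert.pem";
-$utfl = __DIR__ . "/sni_server_uk.pem";
+$utfl = __DIR__ . "/sni_server.pem";
 $rcrt = openssl_x509_read($cert);
 
 /* int openssl_x509_checkpurpose ( mixed $x509cert , int $purpose); */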
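Review bot: `$utfl` is the untrusted-certificates file handed to openssl_x509_checkpurpose further down this test (outside the hunk), and it now points at `sni_server.pem`, which is still a checked-in PEM with a fixed validity window — the same class of fixture whose expiry this commit (GH-21617) is removing from the SNI tests. If the expected result depends on that file chaining toward the trust anchor, the test can start failing again on the day that certificate expires; if it does not, a comment such as `// static fixture is acceptable here: the untrusted file is only parsed, never validated against the clock` would record why this test was not switched to CertificateGenerator like the others. The EXPECT section is not on this page, so which case applies cannot be confirmed from here.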

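--- a/ext/openssl/tests/openssl_x509_export_to_file_leak.phpt
+++ b/ext/openssl/tests/openssl_x509_export_to_file_leak.phpt
@@ -5,7 +5,7 @@ openssl
 --FILE--
 <?php
 
-$path = "file://" . __DIR__ . "/sni_server_ca.pem";
+$path = "file://" . __DIR__ . "/cert.crt";
 var_dump(openssl_x509_export_to_file($path, str_repeat("a", 10000)));
 
 ?>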

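--- a/ext/openssl/tests/sni_server.phpt
+++ b/ext/openssl/tests/sni_server.phpt
@@ -8,13 +8,25 @@ if (!function_exists("proc_open")) die("skip no proc_open");
 ?>
 --FILE--
 <?php
+$caFile = __DIR__ . DIRECTORY_SEPARATOR . 'sni_server_ca.pem.tmp';
+$csFile = __DIR__ . DIRECTORY_SEPARATOR . 'sni_server_cs.pem.tmp';
+$ukFile = __DIR__ . DIRECTORY_SEPARATOR . 'sni_server_uk.pem.tmp';
+$usFile = __DIR__ . DIRECTORY_SEPARATOR . 'sni_server_us.pem.tmp';
+
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveCaCert($caFile);
+$certificateGenerator->saveNewCertAsFileWithKey('cs.php.net', $csFile);
+$certificateGenerator->saveNewCertAsFileWithKey('uk.php.net', $ukFile);
+$certificateGenerator->saveNewCertAsFileWithKey('us.php.net', $usFile);
+
 $serverCode = <<<'CODE'
 $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
 $ctx = stream_context_create(['ssl' => [
 'SNI_server_certs' => [
-"cs.php.net" => __DIR__ . "/sni_server_cs.pem",
-"uk.php.net" => __DIR__ . "/sni_server_uk.pem",
-"us.php.net" => __DIR__ . "/sni_server_us.pem"
+"cs.php.net" => '%s',
+"uk.php.net" => '%s',
+"us.php.net" => '%s',
 ]
 ]]);
@@ -25,11 +37,12 @@ $serverCode = <<<'CODE'
 @stream_socket_accept($server, 3);
 }
 CODE;
+$serverCode = sprintf($serverCode, $csFile, $ukFile, $usFile);
 
 $clientCode = <<<'CODE'
 $flags = STREAM_CLIENT_CONNECT;
 $ctxArr = [
-'cafile' => __DIR__ . '/sni_server_ca.pem',
+'cafile' => '%s',
 'capture_peer_cert' => true
 ];
 
@@ -51,10 +64,18 @@ $clientCode = <<<'CODE'
 $cert = stream_context_get_options($ctx)['ssl']['peer_certificate'];
 var_dump(openssl_x509_parse($cert)['subject']['CN']);
 CODE;
+$clientCode = sprintf($clientCode, $caFile);
 
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'sni_server_ca.pem.tmp');
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'sni_server_cs.pem.tmp');
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'sni_server_uk.pem.tmp');
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'sni_server_us.pem.tmp');
+?>
 --EXPECTF--
 string(%d) "cs.php.net"
 string(%d) "uk.php.net"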
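Review bot: The generated CA is written to `sni_server_ca.pem.tmp`, one suffix away from the static `sni_server_ca.pem` that the merge message says was added back for the expired-certificate test, and nothing in this file says which of the two is which or why both exist. A comment on the `$caFile` line, `// runtime-generated CA for this test; the static sni_server_ca.pem beside it is the deliberately expired fixture used by another test`, would keep the next cleanup from deleting the wrong file or pointing this test back at the expired one. The new `--CLEAN--` section correctly removes all four generated files, including the three leaf files that `saveNewCertAsFileWithKey` writes together with their private keys.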
