ext/openssl: refactor php_openssl_x509_fingerprint_cmp() function

Girgias · Girgias · commit 4d49c0c77a65 · 2026-06-17T13:14:28.000+01:00
Use sites only care if the string matches, thus change the function to be an 'is equal' variant.
Also use a zend_string* rather than a char* so that we can use the zend_string equals API.
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
@@ -377,18 +377,16 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) /* {{{ */
 }
 /* }}} */
 
-static int php_openssl_x509_fingerprint_cmp(X509 *peer, const char *method, const char *expected)
+static bool php_openssl_x509_fingerprint_is_equal(X509 *peer, const char *method, const zend_string *expected)
 {
-	zend_string *fingerprint;
-	int result = -1;
-
-	fingerprint = php_openssl_x509_fingerprint(peer, method, false);
+	bool is_equal = false;
+	zend_string *fingerprint = php_openssl_x509_fingerprint(peer, method, false);
 	if (fingerprint) {
-		result = strcasecmp(expected, ZSTR_VAL(fingerprint));
-		zend_string_release_ex(fingerprint, 0);
+		is_equal = zend_string_equals_ci(fingerprint, expected);
+		zend_string_release_ex(fingerprint, false);
 	}
 
-	return result;
+	return is_equal;
 }
 
 static bool php_openssl_x509_fingerprint_match(php_stream *stream, X509 *peer, const zval *val)
@@ -406,7 +404,7 @@ static bool php_openssl_x509_fingerprint_match(php_stream *stream, X509 *peer, c
 				break;
 		}
 
-		return method && php_openssl_x509_fingerprint_cmp(peer, method, Z_STRVAL_P(val)) == 0;
+		return method && php_openssl_x509_fingerprint_is_equal(peer, method, Z_STR_P(val));
 	} else if (Z_TYPE_P(val) == IS_ARRAY) {
 		zval *current;
 		zend_string *key;
@@ -423,7 +421,7 @@ static bool php_openssl_x509_fingerprint_match(php_stream *stream, X509 *peer, c
 				php_stream_warn(stream, Generic, "Invalid peer_fingerprint array; [algo => fingerprint] form required");
 				return false;
 			}
-			if (php_openssl_x509_fingerprint_cmp(peer, ZSTR_VAL(key), Z_STRVAL_P(current)) != 0) {
+			if (!php_openssl_x509_fingerprint_is_equal(peer, ZSTR_VAL(key), Z_STR_P(current))) {
 				return false;
 			}
 		} ZEND_HASH_FOREACH_END();

Original file line number	Diff line number	Diff line change
`@@ -377,18 +377,16 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX ctx) / {{{ */`
`377`	`377`	`}`
`378`	`378`	`/* }}} */`
`379`	`379`
`380`		`-static int php_openssl_x509_fingerprint_cmp(X509 peer, const char method, const char *expected)`
	`380`	`+static bool php_openssl_x509_fingerprint_is_equal(X509 peer, const char method, const zend_string *expected)`
`381`	`381`	`{`
`382`		`- zend_string *fingerprint;`
`383`		`- int result = -1;`
`384`		`-`
`385`		`- fingerprint = php_openssl_x509_fingerprint(peer, method, false);`
	`382`	`+ bool is_equal = false;`
	`383`	`+ zend_string *fingerprint = php_openssl_x509_fingerprint(peer, method, false);`
`386`	`384`	`if (fingerprint) {`
`387`		`- result = strcasecmp(expected, ZSTR_VAL(fingerprint));`
`388`		`- zend_string_release_ex(fingerprint, 0);`
	`385`	`+ is_equal = zend_string_equals_ci(fingerprint, expected);`
	`386`	`+ zend_string_release_ex(fingerprint, false);`
`389`	`387`	`}`
`390`	`388`
`391`		`- return result;`
	`389`	`+ return is_equal;`
`392`	`390`	`}`
`393`	`391`
`394`	`392`	`static bool php_openssl_x509_fingerprint_match(php_stream stream, X509 peer, const zval *val)`
`@@ -406,7 +404,7 @@ static bool php_openssl_x509_fingerprint_match(php_stream stream, X509 peer, c`
`406`	`404`	`break;`
`407`	`405`	`}`
`408`	`406`
`409`		`- return method && php_openssl_x509_fingerprint_cmp(peer, method, Z_STRVAL_P(val)) == 0;`
	`407`	`+ return method && php_openssl_x509_fingerprint_is_equal(peer, method, Z_STR_P(val));`
`410`	`408`	`} else if (Z_TYPE_P(val) == IS_ARRAY) {`
`411`	`409`	`zval *current;`
`412`	`410`	`zend_string *key;`
`@@ -423,7 +421,7 @@ static bool php_openssl_x509_fingerprint_match(php_stream stream, X509 peer, c`
`423`	`421`	`php_stream_warn(stream, Generic, "Invalid peer_fingerprint array; [algo => fingerprint] form required");`
`424`	`422`	`return false;`
`425`	`423`	`}`
`426`		`- if (php_openssl_x509_fingerprint_cmp(peer, ZSTR_VAL(key), Z_STRVAL_P(current)) != 0) {`
	`424`	`+ if (!php_openssl_x509_fingerprint_is_equal(peer, ZSTR_VAL(key), Z_STR_P(current))) {`
`427`	`425`	`return false;`
`428`	`426`	`}`
`429`	`427`	`} ZEND_HASH_FOREACH_END();`