#define STREAM_CRYPTO_METHOD_TLSv1_2 (1<<5)
/* Simplify ssl context option retrieval */
-#define GET_VER_OPT(name) (PHP_STREAM_CONTEXT(stream) && (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", name)) != NULL)
-#define GET_VER_OPT_STRING(name, str) if (GET_VER_OPT(name)) { convert_to_string_ex(val); str = Z_STRVAL_P(val); }
-#define GET_VER_OPT_LONG(name, num) if (GET_VER_OPT(name)) { convert_to_long_ex(val); num = Z_LVAL_P(val); }
+#define GET_VER_OPT(name) \
+ (PHP_STREAM_CONTEXT(stream) && (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", name)) != NULL)
+#define GET_VER_OPT_STRING(name, str) \
+ if (GET_VER_OPT(name)) { convert_to_string_ex(val); str = Z_STRVAL_P(val); }
+#define GET_VER_OPT_LONG(name, num) \
+ if (GET_VER_OPT(name)) { convert_to_long_ex(val); num = Z_LVAL_P(val); }
/* Used for peer verification in windows */
-#define PHP_X509_NAME_ENTRY_TO_UTF8(ne, i, out) ASN1_STRING_to_UTF8(&out, X509_NAME_ENTRY_get_data(X509_NAME_get_entry(ne, i)))
+#define PHP_X509_NAME_ENTRY_TO_UTF8(ne, i, out) \
+ ASN1_STRING_to_UTF8(&out, X509_NAME_ENTRY_get_data(X509_NAME_get_entry(ne, i)))
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength);
+static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength);
#endif
extern php_stream* php_openssl_get_stream_from_ssl_handle(const SSL *ssl);
extern zend_string* php_openssl_x509_fingerprint(X509 *peer, const char *method, zend_bool raw);
extern int php_openssl_get_ssl_stream_data_index();
extern int php_openssl_get_x509_list_id(void);
-static struct timeval subtract_timeval( struct timeval a, struct timeval b );
-static int compare_timeval( struct timeval a, struct timeval b );
+static struct timeval php_openssl_subtract_timeval(struct timeval a, struct timeval b);
+static int php_openssl_compare_timeval(struct timeval a, struct timeval b);
static size_t php_openssl_sockop_io(int read, php_stream *stream, char *buf, size_t count);
php_stream_ops php_openssl_socket_ops;
/* it doesn't matter that we do some hash traversal here, since it is done only
* in an error condition arising from a network connection problem */
-static int is_http_stream_talking_to_iis(php_stream *stream) /* {{{ */
+static int php_openssl_is_http_stream_talking_to_iis(php_stream *stream) /* {{{ */
{
- if (Z_TYPE(stream->wrapperdata) == IS_ARRAY && stream->wrapper && strcasecmp(stream->wrapper->wops->label, "HTTP") == 0) {
+ if (Z_TYPE(stream->wrapperdata) == IS_ARRAY &&
+ stream->wrapper &&
+ strcasecmp(stream->wrapper->wops->label, "HTTP") == 0
+ ) {
/* the wrapperdata is an array zval containing the headers */
zval *tmp;
}
/* }}} */
-static int handle_ssl_error(php_stream *stream, int nr_bytes, zend_bool is_init) /* {{{ */
+static int php_openssl_handle_ssl_error(php_stream *stream, int nr_bytes, zend_bool is_init) /* {{{ */
{
php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
int err = SSL_get_error(sslsock->ssl_handle, nr_bytes);
case SSL_ERROR_SYSCALL:
if (ERR_peek_error() == 0) {
if (nr_bytes == 0) {
- if (!is_http_stream_talking_to_iis(stream) && ERR_get_error() != 0) {
- php_error_docref(NULL, E_WARNING,
- "SSL: fatal protocol error");
+ if (!php_openssl_is_http_stream_talking_to_iis(stream) && ERR_get_error() != 0) {
+ php_error_docref(NULL, E_WARNING, "SSL: fatal protocol error");
}
SSL_set_shutdown(sslsock->ssl_handle, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
stream->eof = 1;
switch (ERR_GET_REASON(ecode)) {
case SSL_R_NO_SHARED_CIPHER:
- php_error_docref(NULL, E_WARNING, "SSL_R_NO_SHARED_CIPHER: no suitable shared cipher could be used. This could be because the server is missing an SSL certificate (local_cert context option)");
+ php_error_docref(NULL, E_WARNING,
+ "SSL_R_NO_SHARED_CIPHER: no suitable shared cipher could be used. "
+ "This could be because the server is missing an SSL certificate "
+ "(local_cert context option)");
retry = 0;
break;
}
/* }}} */
-static int php_x509_fingerprint_cmp(X509 *peer, const char *method, const char *expected)
+static int php_openssl_x509_fingerprint_cmp(X509 *peer, const char *method, const char *expected)
{
zend_string *fingerprint;
int result = -1;
return result;
}
-static zend_bool php_x509_fingerprint_match(X509 *peer, zval *val)
+static zend_bool php_openssl_x509_fingerprint_match(X509 *peer, zval *val)
{
if (Z_TYPE_P(val) == IS_STRING) {
const char *method = NULL;
break;
}
- return method && php_x509_fingerprint_cmp(peer, method, Z_STRVAL_P(val)) == 0;
+ return method && php_openssl_x509_fingerprint_cmp(peer, method, Z_STRVAL_P(val)) == 0;
} else if (Z_TYPE_P(val) == IS_ARRAY) {
zval *current;
zend_string *key;
php_error_docref(NULL, E_WARNING, "Invalid peer_fingerprint array; [algo => fingerprint] form required");
return 0;
}
- if (php_x509_fingerprint_cmp(peer, ZSTR_VAL(key), Z_STRVAL_P(current)) != 0) {
+ if (php_openssl_x509_fingerprint_cmp(peer, ZSTR_VAL(key), Z_STRVAL_P(current)) != 0) {
return 0;
}
} ZEND_HASH_FOREACH_END();
return 0;
}
-static zend_bool matches_wildcard_name(const char *subjectname, const char *certname) /* {{{ */
+static zend_bool php_openssl_matches_wildcard_name(const char *subjectname, const char *certname) /* {{{ */
{
char *wildcard = NULL;
ptrdiff_t prefix_len;
}
/* }}} */
-static zend_bool matches_san_list(X509 *peer, const char *subject_name) /* {{{ */
+static zend_bool php_openssl_matches_san_list(X509 *peer, const char *subject_name) /* {{{ */
{
int i, len;
unsigned char *cert_name = NULL;
cert_name[len-1] = '\0';
}
- if (matches_wildcard_name(subject_name, (const char *)cert_name)) {
+ if (php_openssl_matches_wildcard_name(subject_name, (const char *)cert_name)) {
OPENSSL_free(cert_name);
return 1;
}
}
}
/* No, we aren't bothering to check IPv6 addresses. Why?
- * * Because IP SAN names are officially deprecated and are
- * * not allowed by CAs starting in 2015. Deal with it.
- * */
+ * Because IP SAN names are officially deprecated and are
+ * not allowed by CAs starting in 2015. Deal with it.
+ */
}
}
}
/* }}} */
-static zend_bool matches_common_name(X509 *peer, const char *subject_name) /* {{{ */
+static zend_bool php_openssl_matches_common_name(X509 *peer, const char *subject_name) /* {{{ */
{
char buf[1024];
X509_NAME *cert_name;
php_error_docref(NULL, E_WARNING, "Unable to locate peer certificate CN");
} else if ((size_t)cert_name_len != strlen(buf)) {
php_error_docref(NULL, E_WARNING, "Peer certificate CN=`%.*s' is malformed", cert_name_len, buf);
- } else if (matches_wildcard_name(subject_name, buf)) {
+ } else if (php_openssl_matches_wildcard_name(subject_name, buf)) {
is_match = 1;
} else {
- php_error_docref(NULL, E_WARNING, "Peer certificate CN=`%.*s' did not match expected CN=`%s'", cert_name_len, buf, subject_name);
+ php_error_docref(NULL, E_WARNING,
+ "Peer certificate CN=`%.*s' did not match expected CN=`%s'",
+ cert_name_len, buf, subject_name);
}
return is_match;
}
/* }}} */
-static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stream) /* {{{ */
+static int php_openssl_apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stream) /* {{{ */
{
zval *val = NULL;
char *peer_name = NULL;
/* If a peer_fingerprint match is required this trumps peer and peer_name verification */
if (must_verify_fingerprint) {
if (Z_TYPE_P(val) == IS_STRING || Z_TYPE_P(val) == IS_ARRAY) {
- if (!php_x509_fingerprint_match(peer, val)) {
+ if (!php_openssl_x509_fingerprint_match(peer, val)) {
php_error_docref(NULL, E_WARNING,
"peer_fingerprint match failure"
);
}
if (peer_name) {
- if (matches_san_list(peer, peer_name)) {
+ if (php_openssl_matches_san_list(peer, peer_name)) {
return SUCCESS;
- } else if (matches_common_name(peer, peer_name)) {
+ } else if (php_openssl_matches_common_name(peer, peer_name)) {
return SUCCESS;
} else {
return FAILURE;
}
/* }}} */
-static int passwd_callback(char *buf, int num, int verify, void *data) /* {{{ */
+static int php_openssl_passwd_callback(char *buf, int num, int verify, void *data) /* {{{ */
{
php_stream *stream = (php_stream *)data;
zval *val = NULL;
#ifdef PHP_WIN32
#define RETURN_CERT_VERIFY_FAILURE(code) X509_STORE_CTX_set_error(x509_store_ctx, code); return 0;
-static int win_cert_verify_callback(X509_STORE_CTX *x509_store_ctx, void *arg) /* {{{ */
+static int php_openssl_win_cert_verify_callback(X509_STORE_CTX *x509_store_ctx, void *arg) /* {{{ */
{
PCCERT_CONTEXT cert_ctx = NULL;
PCCERT_CHAIN_CONTEXT cert_chain_ctx = NULL;
/* }}} */
#endif
-static long load_stream_cafile(X509_STORE *cert_store, const char *cafile) /* {{{ */
+static long php_openssl_load_stream_cafile(X509_STORE *cert_store, const char *cafile) /* {{{ */
{
php_stream *stream;
X509 *cert;
}
/* }}} */
-static int enable_peer_verification(SSL_CTX *ctx, php_stream *stream) /* {{{ */
+static int php_openssl_enable_peer_verification(SSL_CTX *ctx, php_stream *stream) /* {{{ */
{
zval *val = NULL;
char *cafile = NULL;
if (cafile || capath) {
if (!SSL_CTX_load_verify_locations(ctx, cafile, capath)) {
- if (cafile && !load_stream_cafile(SSL_CTX_get_cert_store(ctx), cafile)) {
+ if (cafile && !php_openssl_load_stream_cafile(SSL_CTX_get_cert_store(ctx), cafile)) {
return FAILURE;
}
}
} else {
#ifdef PHP_WIN32
- SSL_CTX_set_cert_verify_callback(ctx, win_cert_verify_callback, (void *)stream);
+ SSL_CTX_set_cert_verify_callback(ctx, php_openssl_win_cert_verify_callback, (void *)stream);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
#else
if (sslsock->is_client && !SSL_CTX_set_default_verify_paths(ctx)) {
}
/* }}} */
-static void disable_peer_verification(SSL_CTX *ctx, php_stream *stream) /* {{{ */
+static void php_openssl_disable_peer_verification(SSL_CTX *ctx, php_stream *stream) /* {{{ */
{
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
}
/* }}} */
-static int set_local_cert(SSL_CTX *ctx, php_stream *stream) /* {{{ */
+static int php_openssl_set_local_cert(SSL_CTX *ctx, php_stream *stream) /* {{{ */
{
zval *val = NULL;
char *certfile = NULL;
if (certfile) {
char resolved_path_buff[MAXPATHLEN];
- const char * private_key = NULL;
+ const char *private_key = NULL;
if (VCWD_REALPATH(certfile, resolved_path_buff)) {
/* a certificate to use for authentication */
if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff) != 1) {
- php_error_docref(NULL, E_WARNING, "Unable to set local cert chain file `%s'; Check that your cafile/capath settings include details of your certificate and its issuer", certfile);
+ php_error_docref(NULL, E_WARNING,
+ "Unable to set local cert chain file `%s'; Check that your cafile/capath "
+ "settings include details of your certificate and its issuer",
+ certfile);
return FAILURE;
}
GET_VER_OPT_STRING("local_pk", private_key);
}
/* }}} */
-static const SSL_METHOD *php_select_crypto_method(zend_long method_value, int is_client) /* {{{ */
+static const SSL_METHOD *php_openssl_select_crypto_method(zend_long method_value, int is_client) /* {{{ */
{
if (method_value == STREAM_CRYPTO_METHOD_SSLv2) {
php_error_docref(NULL, E_WARNING,
#define PHP_SSL_MAX_VERSION_LEN 32
-static char *php_ssl_cipher_get_version(const SSL_CIPHER *c, char *buffer, size_t max_len) /* {{{ */
+static char *php_openssl_cipher_get_version(const SSL_CIPHER *c, char *buffer, size_t max_len) /* {{{ */
{
const char *version = SSL_CIPHER_get_version(c);
}
/* }}} */
-static int php_get_crypto_method_ctx_flags(int method_flags) /* {{{ */
+static int php_openssl_get_crypto_method_ctx_flags(int method_flags) /* {{{ */
{
int ssl_ctx_options = SSL_OP_ALL;
}
/* }}} */
-static void limit_handshake_reneg(const SSL *ssl) /* {{{ */
+static void php_openssl_limit_handshake_reneg(const SSL *ssl) /* {{{ */
{
php_stream *stream;
php_openssl_netstream_data_t *sslsock;
}
/* }}} */
-static void info_callback(const SSL *ssl, int where, int ret) /* {{{ */
+static void php_openssl_info_callback(const SSL *ssl, int where, int ret) /* {{{ */
{
/* Rate-limit client-initiated handshake renegotiation to prevent DoS */
if (where & SSL_CB_HANDSHAKE_START) {
- limit_handshake_reneg(ssl);
+ php_openssl_limit_handshake_reneg(ssl);
}
}
/* }}} */
-static void init_server_reneg_limit(php_stream *stream, php_openssl_netstream_data_t *sslsock) /* {{{ */
+static void php_openssl_init_server_reneg_limit(php_stream *stream, php_openssl_netstream_data_t *sslsock) /* {{{ */
{
zval *val;
zend_long limit = OPENSSL_DEFAULT_RENEG_LIMIT;
zend_long window = OPENSSL_DEFAULT_RENEG_WINDOW;
if (PHP_STREAM_CONTEXT(stream) &&
- NULL != (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream),
- "ssl", "reneg_limit"))
+ NULL != (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "reneg_limit"))
) {
convert_to_long(val);
limit = Z_LVAL_P(val);
}
if (PHP_STREAM_CONTEXT(stream) &&
- NULL != (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream),
- "ssl", "reneg_window"))
+ NULL != (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "reneg_window"))
) {
convert_to_long(val);
window = Z_LVAL_P(val);
sslsock->reneg->tokens = 0;
sslsock->reneg->should_close = 0;
- SSL_set_info_callback(sslsock->ssl_handle, info_callback);
+ SSL_set_info_callback(sslsock->ssl_handle, php_openssl_info_callback);
}
/* }}} */
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength)
+static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength)
{
BIGNUM *bn = NULL;
static RSA *rsa_tmp = NULL;
}
#endif
-static int set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* {{{ */
+static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* {{{ */
{
DH *dh;
BIO* bio;
/* }}} */
#if defined(HAVE_ECDH) && (OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER))
-static int set_server_ecdh_curve(php_stream *stream, SSL_CTX *ctx) /* {{{ */
+static int php_openssl_set_server_ecdh_curve(php_stream *stream, SSL_CTX *ctx) /* {{{ */
{
zval *zvcurve;
int curve_nid;
/* }}} */
#endif
-static int set_server_specific_opts(php_stream *stream, SSL_CTX *ctx) /* {{{ */
+static int php_openssl_set_server_specific_opts(php_stream *stream, SSL_CTX *ctx) /* {{{ */
{
zval *zv;
long ssl_ctx_options = SSL_CTX_get_options(ctx);
#if defined(HAVE_ECDH) && (OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER))
- if (set_server_ecdh_curve(stream, ctx) == FAILURE) {
+ if (php_openssl_set_server_ecdh_curve(stream, ctx) == FAILURE) {
return FAILURE;
}
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
- SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
+ SSL_CTX_set_tmp_rsa_callback(ctx, php_openssl_tmp_rsa_cb);
#endif
- /* We now use tmp_rsa_cb to generate a key of appropriate size whenever necessary */
+ /* We now use php_openssl_tmp_rsa_cb to generate a key of appropriate size whenever necessary */
if (php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "rsa_key_size") != NULL) {
php_error_docref(NULL, E_WARNING, "rsa_key_size context option has been removed");
}
- set_server_dh_param(stream, ctx);
+ php_openssl_set_server_dh_param(stream, ctx);
zv = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "single_dh_use");
if (zv == NULL || zend_is_true(zv)) {
ssl_ctx_options |= SSL_OP_SINGLE_DH_USE;
/* }}} */
#ifdef HAVE_TLS_SNI
-static int server_sni_callback(SSL *ssl_handle, int *al, void *arg) /* {{{ */
+static int php_openssl_server_sni_callback(SSL *ssl_handle, int *al, void *arg) /* {{{ */
{
php_stream *stream;
php_openssl_netstream_data_t *sslsock;
}
for (i=0; i < sslsock->sni_cert_count; i++) {
- if (matches_wildcard_name(server_name, sslsock->sni_certs[i].name)) {
+ if (php_openssl_matches_wildcard_name(server_name, sslsock->sni_certs[i].name)) {
SSL_set_SSL_CTX(ssl_handle, sslsock->sni_certs[i].ctx);
return SSL_TLSEXT_ERR_OK;
}
}
/* }}} */
-static SSL_CTX *create_sni_server_ctx(char *cert_path, char *key_path) /* {{{ */
+static SSL_CTX *php_openssl_create_sni_server_ctx(char *cert_path, char *key_path) /* {{{ */
{
/* The hello method is not inherited by SSL structs when assigning a new context
* inside the SNI callback, so the just use SSLv23 */
}
/* }}} */
-static int enable_server_sni(php_stream *stream, php_openssl_netstream_data_t *sslsock) /* {{{ */
+static int php_openssl_enable_server_sni(php_stream *stream, php_openssl_netstream_data_t *sslsock) /* {{{ */
{
zval *val;
zval *current;
return FAILURE;
}
- ctx = create_sni_server_ctx(resolved_cert_path_buff, resolved_pk_path_buff);
+ ctx = php_openssl_create_sni_server_ctx(resolved_cert_path_buff, resolved_pk_path_buff);
} else if (VCWD_REALPATH(Z_STRVAL_P(current), resolved_path_buff)) {
- ctx = create_sni_server_ctx(resolved_path_buff, resolved_path_buff);
+ ctx = php_openssl_create_sni_server_ctx(resolved_path_buff, resolved_path_buff);
} else {
php_error_docref(NULL, E_WARNING,
"failed setting local cert chain file `%s'; file not found",
} ZEND_HASH_FOREACH_END();
- SSL_CTX_set_tlsext_servername_callback(sslsock->ctx, server_sni_callback);
+ SSL_CTX_set_tlsext_servername_callback(sslsock->ctx, php_openssl_server_sni_callback);
return SUCCESS;
}
/* }}} */
-static void enable_client_sni(php_stream *stream, php_openssl_netstream_data_t *sslsock) /* {{{ */
+static void php_openssl_enable_client_sni(php_stream *stream, php_openssl_netstream_data_t *sslsock) /* {{{ */
{
zval *val;
char *sni_server_name;
#endif
#ifdef HAVE_TLS_ALPN
-/*-
- * parses a comma-separated list of strings into a string suitable for SSL_CTX_set_next_protos_advertised
+/**
+ * Parses a comma-separated list of strings into a string suitable for SSL_CTX_set_next_protos_advertised
* outlen: (output) set to the length of the resulting buffer on success.
* err: (maybe NULL) on failure, an error message line is written to this BIO.
* in: a NULL terminated string like "abc,def,ghi"
*
* returns: an emalloced buffer or NULL on failure.
*/
-static unsigned char *alpn_protos_parse(unsigned short *outlen, const char *in)
+static unsigned char *php_openssl_alpn_protos_parse(unsigned short *outlen, const char *in) /* {{{ */
{
size_t len;
unsigned char *out;
return out;
}
+/* }}} */
-static int server_alpn_callback(SSL *ssl_handle, const unsigned char **out, unsigned char *outlen,
- const unsigned char *in, unsigned int inlen, void *arg)
+static int php_openssl_server_alpn_callback(SSL *ssl_handle,
+ const unsigned char **out, unsigned char *outlen,
+ const unsigned char *in, unsigned int inlen, void *arg) /* {{{ */
{
php_openssl_netstream_data_t *sslsock = arg;
return SSL_TLSEXT_ERR_OK;
}
+/* }}} */
#endif
int php_openssl_setup_crypto(php_stream *stream,
php_openssl_netstream_data_t *sslsock,
- php_stream_xport_crypto_param *cparam
- ) /* {{{ */
+ php_stream_xport_crypto_param *cparam) /* {{{ */
{
const SSL_METHOD *method;
int ssl_ctx_options;
/* Should we use a specific crypto method or is generic SSLv23 okay? */
if ((method_flags & (method_flags-1)) == 0) {
ssl_ctx_options = SSL_OP_ALL;
- method = php_select_crypto_method(method_flags, sslsock->is_client);
+ method = php_openssl_select_crypto_method(method_flags, sslsock->is_client);
if (method == NULL) {
return FAILURE;
}
} else {
method = sslsock->is_client ? SSLv23_client_method() : SSLv23_server_method();
- ssl_ctx_options = php_get_crypto_method_ctx_flags(method_flags);
+ ssl_ctx_options = php_openssl_get_crypto_method_ctx_flags(method_flags);
if (ssl_ctx_options == -1) {
return FAILURE;
}
}
if (GET_VER_OPT("verify_peer") && !zend_is_true(val)) {
- disable_peer_verification(sslsock->ctx, stream);
- } else if (FAILURE == enable_peer_verification(sslsock->ctx, stream)) {
+ php_openssl_disable_peer_verification(sslsock->ctx, stream);
+ } else if (FAILURE == php_openssl_enable_peer_verification(sslsock->ctx, stream)) {
return FAILURE;
}
/* callback for the passphrase (for localcert) */
if (GET_VER_OPT("passphrase")) {
SSL_CTX_set_default_passwd_cb_userdata(sslsock->ctx, stream);
- SSL_CTX_set_default_passwd_cb(sslsock->ctx, passwd_callback);
+ SSL_CTX_set_default_passwd_cb(sslsock->ctx, php_openssl_passwd_callback);
}
GET_VER_OPT_STRING("ciphers", cipherlist);
#ifdef HAVE_TLS_ALPN
{
unsigned short alpn_len;
- unsigned char *alpn = alpn_protos_parse(&alpn_len, alpn_protocols);
+ unsigned char *alpn = php_openssl_alpn_protos_parse(&alpn_len, alpn_protocols);
if (alpn == NULL) {
php_error_docref(NULL, E_WARNING, "Failed parsing comma-separated TLS ALPN protocol string");
} else {
sslsock->alpn_ctx.data = (unsigned char *) pestrndup((const char*)alpn, alpn_len, php_stream_is_persistent(stream));
sslsock->alpn_ctx.len = alpn_len;
- SSL_CTX_set_alpn_select_cb(sslsock->ctx, server_alpn_callback, sslsock);
+ SSL_CTX_set_alpn_select_cb(sslsock->ctx, php_openssl_server_alpn_callback, sslsock);
}
efree(alpn);
#endif
}
- if (FAILURE == set_local_cert(sslsock->ctx, stream)) {
+ if (FAILURE == php_openssl_set_local_cert(sslsock->ctx, stream)) {
return FAILURE;
}
if (sslsock->is_client == 0 &&
PHP_STREAM_CONTEXT(stream) &&
- FAILURE == set_server_specific_opts(stream, sslsock->ctx)
+ FAILURE == php_openssl_set_server_specific_opts(stream, sslsock->ctx)
) {
return FAILURE;
}
}
if (!SSL_set_fd(sslsock->ssl_handle, sslsock->s.socket)) {
- handle_ssl_error(stream, 0, 1);
+ php_openssl_handle_ssl_error(stream, 0, 1);
}
#ifdef HAVE_TLS_SNI
/* Enable server-side SNI */
- if (!sslsock->is_client && enable_server_sni(stream, sslsock) == FAILURE) {
+ if (!sslsock->is_client && php_openssl_enable_server_sni(stream, sslsock) == FAILURE) {
return FAILURE;
}
#endif
/* Enable server-side handshake renegotiation rate-limiting */
if (!sslsock->is_client) {
- init_server_reneg_limit(stream, sslsock);
+ php_openssl_init_server_reneg_limit(stream, sslsock);
}
#ifdef SSL_MODE_RELEASE_BUFFERS
}
/* }}} */
-static zend_array *capture_session_meta(SSL *ssl_handle) /* {{{ */
+static zend_array *php_openssl_capture_session_meta(SSL *ssl_handle) /* {{{ */
{
zval meta_arr;
char *proto_str;
add_assoc_string(&meta_arr, "protocol", proto_str);
add_assoc_string(&meta_arr, "cipher_name", (char *) SSL_CIPHER_get_name(cipher));
add_assoc_long(&meta_arr, "cipher_bits", SSL_CIPHER_get_bits(cipher, NULL));
- add_assoc_string(&meta_arr, "cipher_version", php_ssl_cipher_get_version(cipher, version_str, PHP_SSL_MAX_VERSION_LEN));
+ add_assoc_string(&meta_arr, "cipher_version",
+ php_openssl_cipher_get_version(cipher, version_str, PHP_SSL_MAX_VERSION_LEN));
return Z_ARR(meta_arr);
}
/* }}} */
-static int capture_peer_certs(php_stream *stream, php_openssl_netstream_data_t *sslsock, X509 *peer_cert) /* {{{ */
+static int php_openssl_capture_peer_certs(php_stream *stream,
+ php_openssl_netstream_data_t *sslsock, X509 *peer_cert) /* {{{ */
{
zval *val, zcert;
int cert_captured = 0;
static int php_openssl_enable_crypto(php_stream *stream,
php_openssl_netstream_data_t *sslsock,
- php_stream_xport_crypto_param *cparam
- )
+ php_stream_xport_crypto_param *cparam) /* {{{ */
{
int n;
int retry = 1;
X509 *peer_cert;
if (cparam->inputs.activate && !sslsock->ssl_active) {
- struct timeval start_time,
- *timeout;
- int blocked = sslsock->s.is_blocked,
- has_timeout = 0;
+ struct timeval start_time, *timeout;
+ int blocked = sslsock->s.is_blocked, has_timeout = 0;
#ifdef HAVE_TLS_SNI
if (sslsock->is_client) {
- enable_client_sni(stream, sslsock);
+ php_openssl_enable_client_sni(stream, sslsock);
}
#endif
}
do {
- struct timeval cur_time,
- elapsed_time;
+ struct timeval cur_time, elapsed_time;
if (sslsock->is_client) {
n = SSL_connect(sslsock->ssl_handle);
if (has_timeout) {
gettimeofday(&cur_time, NULL);
- elapsed_time = subtract_timeval( cur_time, start_time );
+ elapsed_time = php_openssl_subtract_timeval(cur_time, start_time);
- if (compare_timeval( elapsed_time, *timeout) > 0) {
+ if (php_openssl_compare_timeval( elapsed_time, *timeout) > 0) {
php_error_docref(NULL, E_WARNING, "SSL: Handshake timed out");
return -1;
}
if (n <= 0) {
/* in case of SSL_ERROR_WANT_READ/WRITE, do not retry in non-blocking mode */
- retry = handle_ssl_error(stream, n, blocked);
+ retry = php_openssl_handle_ssl_error(stream, n, blocked);
if (retry) {
/* wait until something interesting happens in the socket. It may be a
* timeout. Also consider the unlikely of possibility of a write block */
struct timeval left_time;
if (has_timeout) {
- left_time = subtract_timeval( *timeout, elapsed_time );
+ left_time = php_openssl_subtract_timeval(*timeout, elapsed_time);
}
php_pollfd_for(sslsock->s.socket, (err == SSL_ERROR_WANT_READ) ?
(POLLIN|POLLPRI) : POLLOUT, has_timeout ? &left_time : NULL);
if (n == 1) {
peer_cert = SSL_get_peer_certificate(sslsock->ssl_handle);
if (peer_cert && PHP_STREAM_CONTEXT(stream)) {
- cert_captured = capture_peer_certs(stream, sslsock, peer_cert);
+ cert_captured = php_openssl_capture_peer_certs(stream, sslsock, peer_cert);
}
- if (FAILURE == apply_peer_verification_policy(sslsock->ssl_handle, peer_cert, stream)) {
+ if (FAILURE == php_openssl_apply_peer_verification_policy(sslsock->ssl_handle, peer_cert, stream)) {
SSL_shutdown(sslsock->ssl_handle);
n = -1;
} else {
"ssl", "capture_session_meta"))
) {
php_error(E_DEPRECATED,
- "capture_session_meta is deprecated; its information is now available via stream_get_meta_data()"
+ "capture_session_meta is deprecated; its information is now available via stream_get_meta_data()"
);
}
if (val && zend_is_true(val)) {
zval meta_arr;
- ZVAL_ARR(&meta_arr, capture_session_meta(sslsock->ssl_handle));
+ ZVAL_ARR(&meta_arr, php_openssl_capture_session_meta(sslsock->ssl_handle));
php_stream_context_set_option(PHP_STREAM_CONTEXT(stream), "ssl", "session_meta", &meta_arr);
zval_ptr_dtor(&meta_arr);
}
/* We want to capture the peer cert even if verification fails*/
peer_cert = SSL_get_peer_certificate(sslsock->ssl_handle);
if (peer_cert && PHP_STREAM_CONTEXT(stream)) {
- cert_captured = capture_peer_certs(stream, sslsock, peer_cert);
+ cert_captured = php_openssl_capture_peer_certs(stream, sslsock, peer_cert);
}
}
return -1;
}
+/* }}} */
static size_t php_openssl_sockop_read(php_stream *stream, char *buf, size_t count) /* {{{ */
{
* Perform IO (read or write) to an SSL socket. If we have a timeout, we switch to non-blocking mode
* for the duration of the operation, using select to do our waits. If we time out, or we have an error
* report that back to PHP
- *
*/
static size_t php_openssl_sockop_io(int read, php_stream *stream, char *buf, size_t count) /* {{{ */
{
gettimeofday(&cur_time, NULL);
/* Determine how much time we've taken so far. */
- elapsed_time = subtract_timeval(cur_time, start_time);
+ elapsed_time = php_openssl_subtract_timeval(cur_time, start_time);
/* and return an error if we've taken too long. */
- if (compare_timeval(elapsed_time, *timeout) > 0 ) {
+ if (php_openssl_compare_timeval(elapsed_time, *timeout) > 0 ) {
/* If the socket was originally blocking, set it back. */
if (began_blocked) {
php_set_sock_blocking(sslsock->s.socket, 1);
/* Now, how much time until we time out? */
if (has_timeout) {
- left_time = subtract_timeval( *timeout, elapsed_time );
+ left_time = php_openssl_subtract_timeval( *timeout, elapsed_time );
}
/* If we didn't do anything on the last loop (or an error) check to see if we should retry or exit. */
/* Get the error code from SSL, and check to see if it's an error or not. */
int err = SSL_get_error(sslsock->ssl_handle, nr_bytes );
- retry = handle_ssl_error(stream, nr_bytes, 0);
+ retry = php_openssl_handle_ssl_error(stream, nr_bytes, 0);
/* If we get this (the above doesn't check) then we'll retry as well. */
if (errno == EAGAIN && err == SSL_ERROR_WANT_READ && read) {
} else {
size_t nr_bytes = 0;
- /*
- * This block is if we had no timeout... We will just sit and wait forever on the IO operation.
- */
+ /* This block is if we had no timeout... We will just sit and wait forever on the IO operation. */
if (read) {
nr_bytes = php_stream_socket_ops.read(stream, buf, count);
} else {
}
/* }}} */
-static struct timeval subtract_timeval( struct timeval a, struct timeval b )
+static struct timeval php_openssl_subtract_timeval(struct timeval a, struct timeval b) /* {{{ */
{
struct timeval difference;
return difference;
}
+/* }}} */
-static int compare_timeval( struct timeval a, struct timeval b )
+static int php_openssl_compare_timeval( struct timeval a, struct timeval b )
{
if (a.tv_sec > b.tv_sec || (a.tv_sec == b.tv_sec && a.tv_usec > b.tv_usec) ) {
return 1;
/* }}} */
static inline int php_openssl_tcp_sockop_accept(php_stream *stream, php_openssl_netstream_data_t *sock,
- php_stream_xport_param *xparam STREAMS_DC)
+ php_stream_xport_param *xparam STREAMS_DC) /* {{{ */
{
int clisock;
zend_bool nodelay = 0;
return xparam->outputs.client == NULL ? -1 : 0;
}
+/* }}} */
-static int php_openssl_sockop_set_option(php_stream *stream, int option, int value, void *ptrparam)
+static int php_openssl_sockop_set_option(php_stream *stream, int option, int value, void *ptrparam) /* {{{ */
{
php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
php_stream_xport_crypto_param *cparam = (php_stream_xport_crypto_param *)ptrparam;
add_assoc_string(&tmp, "protocol", proto_str);
add_assoc_string(&tmp, "cipher_name", (char *) SSL_CIPHER_get_name(cipher));
add_assoc_long(&tmp, "cipher_bits", SSL_CIPHER_get_bits(cipher, NULL));
- add_assoc_string(&tmp, "cipher_version", php_ssl_cipher_get_version(cipher, version_str, PHP_SSL_MAX_VERSION_LEN));
+ add_assoc_string(&tmp, "cipher_version",
+ php_openssl_cipher_get_version(cipher, version_str, PHP_SSL_MAX_VERSION_LEN));
#ifdef HAVE_TLS_ALPN
{
return php_stream_socket_ops.set_option(stream, option, value, ptrparam);
}
+/* }}} */
-static int php_openssl_sockop_cast(php_stream *stream, int castas, void **ret)
+static int php_openssl_sockop_cast(php_stream *stream, int castas, void **ret) /* {{{ */
{
php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
return FAILURE;
}
}
+/* }}} */
php_stream_ops php_openssl_socket_ops = {
php_openssl_sockop_write, php_openssl_sockop_read,
php_openssl_sockop_set_option,
};
-static zend_long get_crypto_method(php_stream_context *ctx, zend_long crypto_method)
+static zend_long php_openssl_get_crypto_method(
+ php_stream_context *ctx, zend_long crypto_method) /* {{{ */
{
zval *val;
return crypto_method;
}
+/* }}} */
-static char *get_url_name(const char *resourcename, size_t resourcenamelen, int is_persistent)
+static char *php_openssl_get_url_name(const char *resourcename,
+ size_t resourcenamelen, int is_persistent) /* {{{ */
{
php_url *url;
php_url_free(url);
return NULL;
}
+/* }}} */
php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen,
const char *resourcename, size_t resourcenamelen,
const char *persistent_id, int options, int flags,
struct timeval *timeout,
- php_stream_context *context STREAMS_DC)
+ php_stream_context *context STREAMS_DC) /* {{{ */
{
php_stream *stream = NULL;
php_openssl_netstream_data_t *sslsock = NULL;
if (strncmp(proto, "ssl", protolen) == 0) {
sslsock->enable_on_connect = 1;
- sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT);
+ sslsock->method = php_openssl_get_crypto_method(context, STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT);
} else if (strncmp(proto, "sslv2", protolen) == 0) {
php_error_docref(NULL, E_WARNING, "SSLv2 unavailable in this PHP version");
php_stream_close(stream);
sslsock->enable_on_connect = 1;
sslsock->method = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
#else
- php_error_docref(NULL, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library against which PHP is linked");
+ php_error_docref(NULL, E_WARNING,
+ "SSLv3 support is not compiled into the OpenSSL library against which PHP is linked");
php_stream_close(stream);
return NULL;
#endif
} else if (strncmp(proto, "tls", protolen) == 0) {
sslsock->enable_on_connect = 1;
- sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT);
+ sslsock->method = php_openssl_get_crypto_method(context, STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT);
} else if (strncmp(proto, "tlsv1.0", protolen) == 0) {
sslsock->enable_on_connect = 1;
sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
sslsock->enable_on_connect = 1;
sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
#else
- php_error_docref(NULL, E_WARNING, "TLSv1.1 support is not compiled into the OpenSSL library against which PHP is linked");
+ php_error_docref(NULL, E_WARNING,
+ "TLSv1.1 support is not compiled into the OpenSSL library against which PHP is linked");
php_stream_close(stream);
return NULL;
#endif
sslsock->enable_on_connect = 1;
sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
#else
- php_error_docref(NULL, E_WARNING, "TLSv1.2 support is not compiled into the OpenSSL library against which PHP is linked");
+ php_error_docref(NULL, E_WARNING,
+ "TLSv1.2 support is not compiled into the OpenSSL library against which PHP is linked");
php_stream_close(stream);
return NULL;
#endif
}
- sslsock->url_name = get_url_name(resourcename, resourcenamelen, !!persistent_id);
+ sslsock->url_name = php_openssl_get_url_name(resourcename, resourcenamelen, !!persistent_id);
return stream;
}
-
-
+/* }}} */
/*
* Local variables:
projects / php / commitdiff