- MFB: #36732, add req_extensions support to openssl_csr_new and _sign

   (ben at psc dot edu)
- MFB: fix leaks in openssl_csr_new and sig

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index eab811546635171f629261be95bdb9c37a64ce16..9571f653dfe71bb0f54056a754278db59ed89cb1 100644 (file)
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -454,8 +454,8 @@ static int php_openssl_parse_config(
                CONF_get_string(req->req_config, req->section_name, "default_md"));
        SET_OPTIONAL_STRING_ARG("x509_extensions", req->extensions_section,
                CONF_get_string(req->req_config, req->section_name, "x509_extensions"));
-       SET_OPTIONAL_STRING_ARG("req_extensions", req->extensions_section,
-               CONF_get_string(req->req_config, req->request_extensions_section, "req_extensions"));
+       SET_OPTIONAL_STRING_ARG("req_extensions", req->request_extensions_section,
+               CONF_get_string(req->req_config, req->section_name, "req_extensions"));
        SET_OPTIONAL_LONG_ARG("private_key_bits", req->priv_key_bits,
                CONF_get_number(req->req_config, req->section_name, "default_bits"));
 
@@ -495,9 +495,6 @@ static int php_openssl_parse_config(
                return FAILURE;
        }
 
-       if (req->request_extensions_section == NULL) {
-               req->request_extensions_section = CONF_get_string(req->req_config, req->section_name, "req_extensions");
-       }
        PHP_SSL_CONFIG_SYNTAX_CHECK(request_extensions_section);
        
        return SUCCESS;
@@ -865,8 +862,6 @@ PHP_FUNCTION(openssl_x509_export)
        zend_bool notext = 1;
        BIO * bio_out;
        long certresource;
-       char * bio_mem_ptr;
-       long bio_mem_len;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rz|b", &zcert, &zout, &notext) == FAILURE) {
                return;
@@ -883,12 +878,15 @@ PHP_FUNCTION(openssl_x509_export)
        if (!notext) {
                X509_print(bio_out, cert);
        }
-       PEM_write_bio_X509(bio_out, cert);
+       if (PEM_write_bio_X509(bio_out, cert))  {
+               BUF_MEM *bio_buf;
 
-       bio_mem_len = BIO_get_mem_data(bio_out, &bio_mem_ptr);
-       ZVAL_STRINGL(zout, bio_mem_ptr, bio_mem_len, 1);
+               zval_dtor(zout);
+               BIO_get_mem_ptr(bio_out, &bio_buf);
+               ZVAL_STRINGL(zout, bio_buf->data, bio_buf->length, 1);
 
-       RETVAL_TRUE;
+               RETVAL_TRUE;
+       }
 
        if (certresource == -1 && cert) {
                X509_free(cert);
@@ -1519,9 +1517,8 @@ PHP_FUNCTION(openssl_csr_export)
        zval * zcsr = NULL, *zout=NULL;
        zend_bool notext = 1;
        BIO * bio_out;
+
        long csr_resource;
-       char * bio_mem_ptr;
-       long bio_mem_len;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rz|b", &zcsr, &zout, &notext) == FAILURE) {
                return;
@@ -1540,12 +1537,16 @@ PHP_FUNCTION(openssl_csr_export)
        if (!notext) {
                X509_REQ_print(bio_out, csr);
        }
-       PEM_write_bio_X509_REQ(bio_out, csr);
 
-       bio_mem_len = BIO_get_mem_data(bio_out, &bio_mem_ptr);
-       ZVAL_STRINGL(zout, bio_mem_ptr, bio_mem_len, 1);
+       if (PEM_write_bio_X509_REQ(bio_out, csr)) {
+               BUF_MEM *bio_buf;
 
-       RETVAL_TRUE;
+               BIO_get_mem_ptr(bio_out, &bio_buf);
+               zval_dtor(zout);
+               ZVAL_STRINGL(zout, bio_buf->data, bio_buf->length, 1);
+
+               RETVAL_TRUE;
+       }
 
        if (csr_resource == -1 && csr) {
                X509_REQ_free(csr);
@@ -1643,12 +1644,12 @@ PHP_FUNCTION(openssl_csr_sign)
        if (!i) {
                goto cleanup;
        }
-       if (req.request_extensions_section) {
+       if (req.extensions_section) {
                X509V3_CTX ctx;
                
                X509V3_set_ctx(&ctx, cert, new_cert, csr, NULL, 0);
                X509V3_set_conf_lhash(&ctx, req.req_config);
-               if (!X509V3_EXT_add_conf(req.req_config, &ctx, req.request_extensions_section, new_cert)) {
+               if (!X509V3_EXT_add_conf(req.req_config, &ctx, req.extensions_section, new_cert)) {
                        goto cleanup;
                }
        }

diff --git a/ext/openssl/tests/bug36732.phpt b/ext/openssl/tests/bug36732.phpt
new file mode 100644 (file)
index 0000000..c7bb8ab
--- /dev/null
+++ b/ext/openssl/tests/bug36732.phpt
@@ -0,0 +1,39 @@
+--TEST--
+#36732, add support for req_extensions in openss_csr_new and sign
+--SKIPIF--
+<?php 
+if (!extension_loaded("openssl")) die("skip"); 
+?>
+--FILE--
+<?php 
+$configargs = array(
+        "req_extensions" => "v3_req",
+        "x509_extensions" => "usr_cert"
+);
+
+$dn = array(
+        "countryName" => "GB",
+        "stateOrProvinceName" => "Berkshire",
+        "localityName" => "Newbury",
+        "organizationName" => "My Company Ltd",
+        "commonName" => "Demo Cert"
+);
+
+$key = openssl_pkey_new();
+$csr = openssl_csr_new($dn, $key, $configargs);
+$crt = openssl_csr_sign($csr, NULL, $key, 365, $configargs);
+
+$str = '';
+openssl_csr_export($csr, $str, false);
+
+if (strpos($str, 'Requested Extensions:')) {
+       echo "Ok\n";
+}
+openssl_x509_export($crt, $str, false);
+if (strpos($str, 'X509v3 extensions:')) {
+       echo "Ok\n";
+}
+?>
+--EXPECTF--
+Ok
+Ok