From: Daniel Lowrey Date: Wed, 7 May 2014 13:55:40 +0000 (-0600) Subject: Bug #67224: stream_socket_enable_crypto() X-Git-Tag: PRE_PHPNG_MERGE~300^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=27f5957e9f5e8526033d946aaa02ad3bb07023b6;p=php Bug #67224: stream_socket_enable_crypto() - Allow crypto_method context value in stream_socket_enable_crypto() - As of 5.6.x stream crypto type may be specified in the SSL context, making the $crypto_type parameter to stream_socket_enable_crypto() optional. This commit checks for a crypto type in the context prior to erroring out. - Update NEWS/UPGRADING --- 27f5957e9f5e8526033d946aaa02ad3bb07023b6 diff --cc NEWS index 5fe882b1d0,4f0c3191d8..1d100f64f3 --- a/NEWS +++ b/NEWS @@@ -1,248 -1,12 +1,252 @@@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? 2014, PHP 5.6.0 Beta 1 +?? ??? 2014, PHP 5.6.0 Beta 3 + +- Core: + . Fixed bug #67169 (array_splice all elements, then []= gives wrong index). + (Nikita) + . Fixed bug #67198 (php://input regression). (Mike) + ++- OpenSSL: ++ . Fixed bug #67224 (Fall back to crypto_type from context if not specified ++ explicitly in stream_socket_enable_crypto). (Chris Wright) ++ +01 May 2014, PHP 5.6.0 Beta 2 + +- CLI server: + . Fixed bug #67079 (Missing MIME types for XML/XSL files). (Anatol) + +- COM: + . Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)). (Anatol) + +- Core: + . Fixed bug #65701 (copy() doesn't work when destination filename is created + by tempnam()). (Boro Sitnikovski) + . Fixed bug #66015 (Unexpected array indexing in class's static property). (Bob) + . Added (constant) string/array dereferencing to static scalar expressions + to complete the set; now possible thanks to bug #66015 being fixed. (Bob) + . Fixed bug #66568 (Update reflection information for unserialize() function). + (Ferenc) + . Fixed bug #66660 (Composer.phar install/update fails). (Ferenc) + . 
Fixed bug #67024 (getimagesize should recognize BMP files with negative + height). (Gabor Buella) + . Fixed bug #67064 (Countable interface prevents using 2nd parameter + ($mode) of count() function). (Bob) + . Fixed bug #67072 (Echoing unserialized "SplFileObject" crash). (Anatol) + . Fixed bug #67033 (Remove reference to Windows 95). (Anatol) + +- cURL: + . Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset). (Mike) + . Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent). + (Freek Lijten) + +- Date: + . Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is + supplied). (Boro Sitnikovski) + . Fixed bug #67118 (DateTime constructor crash with invalid data). (Anatol) + +- DOM: + . Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, + not only the subset). (Anatol) + +- Fileinfo: + . Fixed bug #66907 (Solaris 10 is missing strcasestr and needs substitute). + (Anatol) + . Fixed bug #66307 (Fileinfo crashes with powerpoint files). (Anatol) + +- FPM: + . Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf). + . Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor). + (Julio Pintos) + . Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure + default configuration) (CVE-2014-0185). (Stas) + +- GMP: + . Fixed crashes in serialize/unserialize. (Stas) + +- JSON: + . Fixed bug #66021 (Blank line inside empty array/object when + JSON_PRETTY_PRINT is set). (Kevin Israel) + +- LDAP: + . Fixed issue with null bytes in LDAP bindings. (Matthew Daley) + +- litespeed + . Fixed bug #63228 (-Werror=format-security error in lsapi code). + (Elan Ruusamäe, George) + +- mysqli: + . Fixed building against an external libmysqlclient. (Adam) + +- mysqlnd: + . Added a new fetching mode to mysqlnd. (Andrey) + +- OpenSSL: + . Fix bug #66942 (memory leak in openssl_seal()). (Chuan Ma) + . Fix bug #66952 (memory leak in openssl_open()). (Chuan Ma) + . 
Fix bug #66840 (Fix broken build when extension built separately). + (Daniel Lowrey) + +- phpdbg: + . Added watchpoints (watch command). (Bob) + . Renamed some commands (next => continue and how to step). (Joe) + . Fixed issue #85 (https://github.com/krakjoe/phpdbg/issues/85) + (Added stdin/stdout/stderr constants and their php:// wrappers). (Bob) + +- PDO: + . Fixed bug #66604 ('pdo/php_pdo_error.h' not copied to the include dir). + (Matteo) + +- PDO-ODBC: + . Fixed bug #50444 (PDO-ODBC changes for 64-bit). + +- Phar: + . Fix bug #64498 ($phar->buildFromDirectory can't compress file with an accent + in its name). (PR #588) + +- SQLite: + . Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3). (Anatol) + +- Apache2 Handler SAPI: + . Fixed Apache log issue caused by APR's lack of support for %zu + (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120). + (Jeff Trawick) + +10 Apr 2014, PHP 5.6.0 Beta 1 + +- Core: + . Allow zero length comparison in substr_compare() (Tjerk) + . Fixed bug #60602 (proc_open() changes environment array) (Tjerk) + . Fixed bug #61019 (Out of memory on command stream_get_contents). (Mike) + . Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace + UNIX sockets). (Mike) + . Fixed bug #66182 (exit in stream filter produces segfault). (Mike) + . Fixed bug #66736 (fpassthru broken). (Mike) + . Fixed bug #66822 (Cannot use T_POW in const expression) (Tjerk) + . Fixed bug #67043 (substr_compare broke by previous change) (Tjerk) + +- SPL: + . Added feature #65545 (SplFileObject::fread()) (Tjerk) + . Fixed bug #66834 (empty() does not work on classes that extend ArrayObject) (Tjerk) + . Fixed bug #66702 (RegexIterator::INVERT_MATCH does not invert). (Joshua + Thijssen) + +- cURL: + . Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour) + (Tjerk) + . Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive. + (Adam) + +- Date: + . 
Added DateTimeImmutable::createFromMutable to create a DateTimeImmutable + object from an existing DateTime (mutable) object (Derick) + +- Embed: + . Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol). + +- Fileinfo: + . Fixed bug #66820 (out-of-bounds memory access in fileinfo) + (CVE-2014-2270). (Remi) + . Fixed bug #66946i (fileinfo: extensive backtracking in awk rule regular + expression). (CVE-2013-7345) (Remi) + . Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian). + (Remi) + + +- GD: + . Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer + CVE-2013-7327). (Tomas Hoger, Remi). + . Fixed #66869 (Invalid 2nd argument crashes imageaffinematrixget) (Pierre) + . Fixed bug #66887 (imagescale - poor quality of scaled image). (Remi) + . Fixed bug #66890 (imagescale segfault). (Remi) + . Fixed bug #66893 (imagescale ignore method argument). (Remi) + +- GMP: + . Fixed bug #66872 (invalid argument crashes gmp_testbit) (Pierre) + +- Hash: + . Fixed bug #66698 (Missing FNV1a32 and FNV1a64 hash functions). + (Michael M Slusarz). + . Implemented timing attack safe string comparison function + (RFC: https://wiki.php.net/rfc/timing_attack). (Rouven Weßling) + . hash_pbkdf2() now works correctly if the $length argument is not specified. + (Nikita) + +- Intl: + . Fixed bug #66873 (A reproductible crash in UConverter when given invalid + encoding) (Stas) + +- Mail: + . Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk) + +- Mbstring: + . Upgraded to oniguruma 5.9.5 (Anatol) + +- Mcrypt: + . No longer allow invalid key sizes, invalid IV sizes or missing required IV + in mcrypt_encrypt, mcrypt_decrypt and the deprecated mode functions. + (Nikita) + . Use /dev/urandom as the default source for mcrypt_create_iv(). (Nikita) - MySQLi: - . Fixed bug #66762i (Segfault in mysqli_stmt::bind_result() when link closed) - (Remi) + . 
Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed) + (Remi) + +- OCI8 + . Fixed Bug #66875 (Improve performance of multi-row OCI_RETURN_LOB queries) + (Perrier, Chris Jones) + +- OpenSSL: + . Fixed memory leak in windows cert verification on verify failure. + (Chris Wright) + . Peer certificate capturing via SSL context options now functions even if + peer verification fails. (Daniel Lowrey) + . Encrypted TLS servers now support the server name indication TLS extension + via the new "SNI_server_certs" SSL context option. (Daniel Lowrey) + . Fixed bug #66833 (Default disgest algo is still MD5, switch to SHA1). (Remi) + +- PCRE: + . Added support for (*MARK) backtracking verbs. (Nikita) + +- PDO_firebird: + . Fixed Bug #66071 (memory corruption in error handling) (Popa) + +- PDO_pgsql: + . Cleaned up code by increasing the requirements to libpq versions providing + PQexecParams, PQprepare, PQescapeStringConn, PQescapeByteaConn. According + to the release notes that means 8.0.8+ or 8.1.4+. (Matteo) + . Deprecated PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT, an + undocument constant effectively equivalent to PDO::ATTR_EMULATE_PREPARES. + (Matteo) + . Added PDO::PGSQL_ATTR_DISABLE_PREPARES constant to execute the queries + without preparing them, while still passing parameters separately from + the command text using PQexecParams. (Matteo) + +- Pgsql: + . Read-only access to the socket stream underlying database connections is + exposed via a new pg_socket() function to allow read/write polling when + establishing asynchronous connections and executing queries in non-blocking + applications. (Daniel Lowrey) + . Asynchronous connections are now possible using the PGSQL_CONNECT_ASYNC + flag in conjunction with a new pg_connect_poll() function and connection + polling status constants. (Daniel Lowrey) + . New pg_flush() and pg_consume_input() functions added to manually complete + non-blocking reads/writes to underlying connection sockets. 
(Daniel Lowrey) + +- Session + . Remove session_gc() and session_serializer_name() wich were introduced in the first 5.6.0 alpha. + +- SimpleXML: + . Fixed bug #66084 (simplexml_load_string() mangles empty node name) + (Anatol) + +- SQLite: + . Updated the bundled libsqlite to the version 3.8.3.1 (Anatol) + +- XSL: + . Fixed bug #53965 ( cannot find files with relative paths + when loaded with "file://"). (Anatol) -||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| 27 Feb 2014, PHP 5.6.0 Alpha 3 - Core diff --cc UPGRADING index d68bafde57,5d4be41bb7..faf66d1ba4 --- a/UPGRADING +++ b/UPGRADING @@@ -218,10 -156,6 +218,16 @@@ PHP 5.6 UPGRADE NOTE crypt() will now raise an E_NOTICE error if the salt parameter is omitted. See: https://wiki.php.net/rfc/crypt_function_salt +- Mcrypt: + The $source parameter of mcrypt_create_iv() now defaults to + MCRYPT_DEV_URANDOM instead of MCRYPT_DEV_RANDOM. + ++- OpenSSL: ++ The $crypto_type parameter is now optional in stream_socket_enable_crypto() ++ if the stream's SSL context specifies the new "crypto_type" option. The ++ crypto method from the context is used as a fallback if no crypto method is ++ specified at call-time. ++ - XMLReader: XMLReader::getAttributeNs and XMLReader::getAttributeNo now return NULL if the attribute could not be found, just like XMLReader::getAttribute.
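Review bot: in the NEWS hunk, the new OpenSSL entry under 5.6.0 Beta 3 says "Fall back to crypto_type from context", but the commit message names the context value crypto_method. crypto_type reads like the name of the function's $crypto_type parameter rather than the context key, so the entry should use the key the code actually reads from the SSL context. In the same hunk the Fileinfo line under Beta 1 still says "#66946i", the same stray "i" that this merge removes from "#66762i" in the MySQLi entry.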
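Review bot: in the UPGRADING hunk, the added OpenSSL note describes the fallback but not the failure case. The commit message says the context is checked "prior to erroring out", so the note should state that stream_socket_enable_crypto() still fails when neither the $crypto_type argument nor the context option is present. It also calls the option "crypto_type" where the commit message says crypto_method; anyone who sets the key as documented here and omits the argument would land on that error path. Since this option selects the protocol method for the stream, the note could say explicitly that a call-time argument overrides the context value, so it is clear which setting wins when both are given.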