From: Daniel Lowrey
Date: Wed, 11 Mar 2015 00:18:19 +0000 (-0600)
Subject: Merge branch 'PHP-5.6'
X-Git-Tag: PRE_PHP7_NSAPI_REMOVAL~710
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4a336f5d0b9f98cefc6a8bd00ba70d1ad57c8a8b;p=php

Merge branch 'PHP-5.6'

* PHP-5.6:
Fix bug# 69215 (Crypto servers should send client CA list)

Conflicts:
ext/openssl/xp_ssl.c
--- 4a336f5d0b9f98cefc6a8bd00ba70d1ad57c8a8b
diff --cc ext/openssl/xp_ssl.c
index c2a0039547,f74edd23ad..3ef0360114
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@@ -840,22 -812,32 +840,32 @@@ static long load_stream_cafile(X509_STO
}
/* }}} */
-static int enable_peer_verification(SSL_CTX *ctx, php_stream *stream TSRMLS_DC) /* {{{ */
+static int enable_peer_verification(SSL_CTX *ctx, php_stream *stream) /* {{{ */
{
- zval **val = NULL;
+ zval *val = NULL;
char *cafile = NULL;
char *capath = NULL;
+ php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
GET_VER_OPT_STRING("cafile", cafile);
GET_VER_OPT_STRING("capath", capath);
- if (!cafile) {
+ if (cafile == NULL) {
- cafile = zend_ini_string("openssl.cafile", sizeof("openssl.cafile"), 0);
+ cafile = zend_ini_string("openssl.cafile", sizeof("openssl.cafile")-1, 0);
cafile = strlen(cafile) ? cafile : NULL;
+ } else if (!sslsock->is_client) {
+ /* Servers need to load and assign CA names from the cafile */
+ STACK_OF(X509_NAME) *cert_names = SSL_load_client_CA_file(cafile);
+ if (cert_names != NULL) {
+ SSL_CTX_set_client_CA_list(ctx, cert_names);
+ } else {
+ php_error(E_WARNING, "SSL: failed loading CA names from cafile");
+ return FAILURE;
+ }
}
- if (!capath) {
+ if (capath == NULL) {
- capath = zend_ini_string("openssl.capath", sizeof("openssl.capath"), 0);
+ capath = zend_ini_string("openssl.capath", sizeof("openssl.capath")-1, 0);
capath = strlen(capath) ? 
capath : NULL; } @@@ -870,11 -852,8 +880,8 @@@ SSL_CTX_set_cert_verify_callback(ctx, win_cert_verify_callback, (void *)stream); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); #else - php_openssl_netstream_data_t *sslsock; - sslsock = (php_openssl_netstream_data_t*)stream->abstract; - if (sslsock->is_client && !SSL_CTX_set_default_verify_paths(ctx)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, + php_error_docref(NULL, E_WARNING, "Unable to set default verify locations and no CA settings specified"); return FAILURE; }
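Review bot: Servers whose cafile comes from the `openssl.cafile` ini fallback never advertise a client CA list, because the `else if (!sslsock->is_client)` branch is only reached when the stream-context `cafile` option was set; the ini-sourced file is still used for verification, but the CertificateRequest then carries no CA names, which is presumably not what the bug title intends. Hoisting the server branch out of the `else` so it runs after the fallback and guarding it with `cafile != NULL` covers both sources; a `capath`-only server would still send no names, since SSL_load_client_CA_file() reads a single file. The new warning also uses `php_error()` while the rest of the function (second hunk) reports through `php_error_docref(NULL, E_WARNING, ...)`, so the two should agree. enable_peer_verification continues past the end of this hunk.
```c
	if (cafile == NULL) {
		cafile = zend_ini_string("openssl.cafile", sizeof("openssl.cafile")-1, 0);
		cafile = strlen(cafile) ? cafile : NULL;
	}
	/* Servers advertise the CA names from whichever cafile is in effect */
	if (cafile != NULL && !sslsock->is_client) {
		STACK_OF(X509_NAME) *cert_names = SSL_load_client_CA_file(cafile);
		if (cert_names == NULL) {
			php_error_docref(NULL, E_WARNING, "SSL: failed loading CA names from cafile");
			return FAILURE;
		}
		SSL_CTX_set_client_CA_list(ctx, cert_names);
	}
	/* … unchanged: capath fallback … */
```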