From: Daniel Lowrey
Date: Thu, 5 Mar 2015 05:42:25 +0000 (-0700)
Subject: Merge branch 'PHP-5.6'
X-Git-Tag: PRE_PHP7_NSAPI_REMOVAL~815
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=94a70b98a65db700192258addfa627101bbd86c5;p=php

Merge branch 'PHP-5.6'

* PHP-5.6:
Fixed bug #68879 (IP Address fields in subjectAltNames not used)
Fix broken test

Conflicts:
ext/openssl/xp_ssl.c
---
94a70b98a65db700192258addfa627101bbd86c5
diff --cc ext/openssl/xp_ssl.c
index cb52c0420c,400b73fa8e..20ebda2336
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@@ -409,25 -381,36 +409,36 @@@ static zend_bool matches_san_list(X509
for (i = 0; i < alt_name_count; i++) {
GENERAL_NAME *san = sk_GENERAL_NAME_value(alt_names, i);
- if (san->type != GEN_DNS) {
- /* we only care about DNS names */
- continue;
- }
-
- san_name_len = ASN1_STRING_length(san->d.dNSName);
- ASN1_STRING_to_UTF8(&cert_name, san->d.dNSName);
- /* prevent null byte poisoning */
- if (san_name_len != strlen((const char*)cert_name)) {
- php_error_docref(NULL, E_WARNING, "Peer SAN entry is malformed");
- } else {
- is_match = matches_wildcard_name(subject_name, (const char *)cert_name);
- }
-
- OPENSSL_free(cert_name);
+ if (san->type == GEN_DNS) {
+ ASN1_STRING_to_UTF8(&cert_name, san->d.dNSName);
+ if (ASN1_STRING_length(san->d.dNSName) != strlen((const char*)cert_name)) {
+ OPENSSL_free(cert_name);
+ /* prevent null-byte poisoning*/
+ continue;
+ }
- if (is_match) {
- break;
+ if (matches_wildcard_name(subject_name, (const char *)cert_name)) {
+ OPENSSL_free(cert_name);
+ return 1;
+ }
+ OPENSSL_free(cert_name);
+ } else if (san->type == GEN_IPADD) {
+ if (san->d.iPAddress->length == 4) {
+ sprintf(ipbuffer, "%d.%d.%d.%d",
+ san->d.iPAddress->data[0],
+ san->d.iPAddress->data[1],
+ san->d.iPAddress->data[2],
+ san->d.iPAddress->data[3]
+ );
+ if (strcasecmp(subject_name, (const char*)ipbuffer) == 0) {
+ return 1;
+ }
+ }
+ /* No, we aren't bothering to check IPv6 addresses. Why?
- * Because IP SAN names are officially deprecated and are
- * not allowed by CAs starting in 2015. Deal with it.
- */
++ * * Because IP SAN names are officially deprecated and are
++ * * not allowed by CAs starting in 2015. Deal with it.
++ * */
}
}
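Review bot: The new GEN_DNS branch discards the return value of `ASN1_STRING_to_UTF8`, so when the conversion fails `cert_name` is never assigned and the `strlen` in the length comparison dereferences whatever the pointer held before the call; capture the result and skip the entry on a negative value, e.g. `int len = ASN1_STRING_to_UTF8(&cert_name, san->d.dNSName); if (len < 0) { continue; }` and then compare `(size_t)len != strlen((const char *)cert_name)` for the embedded-NUL check. In the GEN_IPADD branch the `sprintf` into `ipbuffer` is unbounded; `ipbuffer` is declared outside the hunk so its size is not visible here, and `snprintf(ipbuffer, sizeof ipbuffer, "%d.%d.%d.%d", ...)` would make the worst case (`255.255.255.255` plus the terminator, 16 bytes) explicit rather than implied. The conflict resolution also doubled the asterisks in the IPv6 comment (`* * Because`, `* * not`, `* */`), which reads as a merge artifact rather than intent. The declarations of `cert_name` and `ipbuffer` and the code after the loop belong to matches_san_list but lie outside the hunk.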