2aae14c8 | 05-Apr-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-13860: Incorrect PHP_STREAM_OPTION_CHECK_LIVENESS case in ext/openssl/xp_ssl.c - causing use of dead socket
php_socket_errno() may return a stale value when recv returns a value >= 0. As such, the liveness check is wrong. This is the same bug as #70198 (fixed in GH-1456). So we fix it in the same way. Closes GH-13895.

c1bd9a93 | 21-Dec-2023 | Jakub Zelenka
Fix GH-10495: feof on OpenSSL stream hangs indefinitely
This fixes the issue with unbounded waiting on SSL_peek which can happen when only part of the record is fetched. It makes the socket non-blocking so it is possible to verify if OpenSSL is expecting some more data or if there is an error. This also fixes bug #79501. Closes GH-13487.

732d92c0 | 28-Apr-2023 | Javier Eguiluz
[skip ci] Fix various typos and grammar issues (#11143)

f0cfebc2 | 25-Feb-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Use zend_result where appropriate in ext/openssl
Remove dead code: s is always NULL, so the check is always false. Closes GH-10704.

c8955c07 | 16-Jan-2023 | Christoph M. Becker
Revert GH-10220
Cf. <https://github.com/php/php-src/pull/10220#issuecomment-1383739816>.
This reverts commit ecc880f491d66081298a16634629f149459706a9.
This reverts commit 588a07f7371ee2b5fac17de147926780e427fae6.
This reverts commit f377e15751d3aa48b69cd9bcc366ede7803d511f.
This reverts commit b4ba16fe189b109144aff669e11d81365160104b.
This reverts commit 694ec1deea36e366b28b6349a52be49824e1a1a8.
This reverts commit 6b34de8eba9f66882ae16e6073af28783670ac53.
This reverts commit aa1cd02a4367834026ea2205ea13a2f904455aa1.
This reverts commit 308fd311ea6fcf3094b448df7f2b264f08e4fe4f.
This reverts commit 16203b53e1822a37b6ba6f2ab198bb435d05fdad.
This reverts commit 738fb5ca5412f5e833a7fab82b11519e635a3357.
This reverts commit 9fdbefacd3c382d731aa175b7bdc002ec9cb2b30.
This reverts commit cd4a7c1d90562ebb5f89caf94d00d579631b9fbe.
This reverts commit 928685eba2b2f0ded90e7f78fd806ea164002f6e.
This reverts commit 01e5ffc85cd4357fd7b5b7ceefa29f2d10ca26b7.

308fd311 | 04-Jan-2023 | Max Kellermann
ext/{standard,json,random,...}: add missing includes

3fc013b2 | 09-Jun-2023 | Jakub Zelenka
Fix CS and checking for IPv6 SAN verify

fd09728b | 28-Apr-2023 | James Lucas
Fix bug GH-9356: Incomplete SAN validation of IPv6 address
IPv6 addresses are valid entries in subjectAltNames. Certificate Authorities may issue certificates including IPv6 addresses except if they fall within addresses in the RFC 4193 range. Google and CloudFlare provide IPv6 addresses in their DNS over HTTPS services. Internal CAs do not have those restrictions and can issue Unique local addresses in certificates. Closes GH-11145

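The point behind GH-9356 is that an iPAddress subjectAltName is an OCTET STRING holding the raw address, 4 bytes for IPv4 and 16 for IPv6, so the peer address has to be parsed and compared bytewise rather than as text. The following is an added example written for this page, not php-src code: it matches a connected peer against a constructed list of iPAddress SANs (192.0.2.10, 2001:db8::1 and the ULA fd00::1 an internal CA might issue), using POSIX inet_pton(). The struct and function names are this example's own.

```c
/* Added example (not php-src code): match a peer address against the
 * iPAddress SAN entries of a certificate, for both 4- and 16-byte entries.
 * Assumes POSIX inet_pton(); SAN bytes are constructed here, not read
 * from a real certificate. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct ip_san {
    const unsigned char *octets;  /* raw SAN bytes as they appear in the cert */
    size_t len;                   /* 4 or 16; anything else is malformed */
};

/* Returns 1 if `peer` (printable IPv4 or IPv6 literal) equals one of the
 * SANs.  Comparison is on the binary form, so "2001:db8::1" and
 * "2001:0db8:0000:0000:0000:0000:0000:0001" both match the same SAN, and an
 * IPv4-mapped IPv6 literal ("::ffff:192.0.2.10") does NOT match a 4-byte
 * IPv4 SAN: the lengths differ and no widening is attempted. */
static int ip_san_matches(const struct ip_san *sans, size_t n_sans, const char *peer)
{
    unsigned char buf[16];
    size_t peer_len;

    if (inet_pton(AF_INET, peer, buf) == 1) {
        peer_len = 4;
    } else if (inet_pton(AF_INET6, peer, buf) == 1) {
        peer_len = 16;
    } else {
        return 0;   /* not an IP literal: dNSName matching is a separate path */
    }
    for (size_t i = 0; i < n_sans; i++) {
        if (sans[i].len == peer_len && memcmp(sans[i].octets, buf, peer_len) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Constructed sample certificate SANs: documentation-range addresses plus
 * one RFC 4193 unique local address. */
static const unsigned char SAN_V4[4]   = { 192, 0, 2, 10 };
static const unsigned char SAN_V6[16]  = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                                           0, 0, 0, 0, 0, 0, 0, 1 };
static const unsigned char SAN_ULA[16] = { 0xfd, 0, 0, 0, 0, 0, 0, 0,
                                           0, 0, 0, 0, 0, 0, 0, 1 };
static const struct ip_san SAMPLE_SANS[] = {
    { SAN_V4, sizeof SAN_V4 },
    { SAN_V6, sizeof SAN_V6 },
    { SAN_ULA, sizeof SAN_ULA },
};

/* Convenience wrapper over the constructed sample. */
static int sample_matches(const char *peer)
{
    return ip_san_matches(SAMPLE_SANS, sizeof SAMPLE_SANS / sizeof SAMPLE_SANS[0], peer);
}

int main(void)
{
    const char *peers[] = {
        "192.0.2.10", "2001:db8::1",
        "2001:0db8:0000:0000:0000:0000:0000:0001",
        "fd00::1", "2001:db8::2", "::ffff:192.0.2.10", "example.com",
    };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        printf("%-42s -> %s\n", peers[i], sample_matches(peers[i]) ? "match" : "no match");
    }
    return 0;
}
```

A verifier that only parses 4-byte entries, or that compares the textual form, silently fails the IPv6 cases above; the ULA entry is included because, as the commit notes, internal CAs do issue them.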
e80073d3 | 18-Mar-2023 | Jakub Zelenka
Fix GH-10406: feof() behavior change for UNIX based socket resources
This change restores the old behaviour for the server socket streams that don't support IO. This is now stored in the stream flags so it can be later used to do some other decisions and possibly introduce some better error reporting. Closes GH-10877

b09be29a | 25-Feb-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix incorrect error checking in php_openssl_set_server_dh_param()
SSL_CTX_set_tmp_dh() and SSL_CTX_set0_tmp_dh_pkey() return 1 on success and 0 on error. But only < 0 was checked which means that errors were never caught. Closes GH-10705.

505e8d2a | 12-Aug-2022 | Jakub Zelenka
Fix GH-9310: SSL local_cert and local_pk do not respect open_basedir restriction

d9ff5e07 | 04-Aug-2022 | Jakub Zelenka
Fix GH-8472: stream_socket_accept result may have incorrect metadata

7ceae661 | 29-Jun-2022 | David Carlier
streams/xp_socket: fix clang build error with enum usage on bool condition.
Fix targeted for OSes defining those flags as enums (like Linux/glibc). `error: converting the enum constant to a boolean [-Werror,-Wint-in-bool-context] } else if ((!sslsock->ssl_active && value == 0 && (MSG_DONTWAIT || !sslsock->s.is_blocked)) ||` Closes #8895.

2d986310 | 09-Feb-2022 | Max Kellermann
streams/xp_socket: eliminate poll() when MSG_DONTWAIT is available
If there is a zero timeout and MSG_DONTWAIT is available (or the socket is non-blocking), the poll() call is not necessary, and we can just call recv() right away.
Before this change:
    poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 0) = 0 (Timeout)
    poll([{fd=4, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=4, revents=POLLIN}])
    recvfrom(4, "HTTP/1.1 301 Moved Permanently\r\n"..., 8192, MSG_DONTWAIT, NULL, NULL) = 348
    poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 0) = 1 ([{fd=4, revents=POLLIN}])
    recvfrom(4, "", 1, MSG_PEEK, NULL, NULL) = 0
After this change:
    recvfrom(4, 0x7ffe0cc719a0, 1, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
    poll([{fd=4, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=4, revents=POLLIN}])
    recvfrom(4, "HTTP/1.1 301 Moved Permanently\r\n"..., 8192, MSG_DONTWAIT, NULL, NULL) = 348
    recvfrom(4, "", 1, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = 0
The first poll() is replaced by recvfrom(), and the third poll() is omitted completely.

ext/openssl/xp_ssl: eliminate poll() when MSG_DONTWAIT is available
If there is a zero timeout and MSG_DONTWAIT is available (or the socket is non-blocking), the poll() call is not necessary, and we can just call recv() right away.
Closes GH-8092.

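The one-byte recv(MSG_PEEK|MSG_DONTWAIT) probe that 2d986310 substitutes for poll() is also the probe whose result GH-13860 (2aae14c8, above) says was misread: a recv() that returns 0 or more is a success, and a successful call leaves errno untouched, so errno read afterwards is whatever the previous failing call left behind. The following is an added example written for this page, not php-src code, and the "buggy" shape is an assumption modelled on the commit message rather than a copy of the old source. It builds the scenario that causes the "use of dead socket": an idle probe first sets errno to EAGAIN, the peer then closes, and the next probe returns 0 with that stale EAGAIN still in errno. It assumes a POSIX system with socketpair(), MSG_PEEK and MSG_DONTWAIT (Linux/glibc); the function and enum names are this example's own.

```c
/* Added example (not php-src code): a PHP_STREAM_OPTION_CHECK_LIVENESS-style
 * probe shown in a buggy shape (assumed from the GH-13860 commit message)
 * and a fixed shape.  Assumes POSIX sockets with MSG_PEEK and MSG_DONTWAIT. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum liveness { SOCK_DEAD = 0, SOCK_ALIVE = 1 };

/* Buggy shape: errno is consulted after a recv() that returned 0.  A
 * successful recv() (return >= 0) does not touch errno, so a stale EAGAIN
 * from an earlier non-blocking call makes an orderly EOF look alive; and a
 * -1 return is never treated as an error at all. */
static enum liveness probe_buggy(int fd)
{
    char c;
    ssize_t n = recv(fd, &c, 1, MSG_PEEK | MSG_DONTWAIT);
    if (n == 0 && errno != EAGAIN) {
        return SOCK_DEAD;
    }
    return SOCK_ALIVE;
}

/* Fixed shape: decide on the return value first and read errno only when
 * recv() actually failed, because only then is it fresh. */
static enum liveness probe_fixed(int fd)
{
    char c;
    ssize_t n = recv(fd, &c, 1, MSG_PEEK | MSG_DONTWAIT);
    if (n > 0) {
        return SOCK_ALIVE;              /* data waiting: peer is there */
    }
    if (n == 0) {
        return SOCK_DEAD;               /* orderly EOF: peer closed */
    }
    if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR) {
        return SOCK_ALIVE;              /* idle but still connected */
    }
    return SOCK_DEAD;                   /* ECONNRESET, EBADF, ENOTCONN, ... */
}

/* Scenario (constructed): probe an idle socket, which fails with EAGAIN,
 * then the peer closes, then probe again.  The second recv() returns 0 and
 * leaves errno = EAGAIN from the first probe.  Returns the chosen probe's
 * verdict; the buggy probe keeps calling the dead socket alive. */
static enum liveness scenario_peer_closes_after_idle_probe(int use_buggy)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) {
        return SOCK_DEAD;
    }
    enum liveness (*probe)(int) = use_buggy ? probe_buggy : probe_fixed;

    probe(sv[0]);                       /* idle: recv() -> -1, errno = EAGAIN */
    close(sv[1]);                       /* peer goes away */
    enum liveness v = probe(sv[0]);     /* recv() -> 0, errno still EAGAIN */
    close(sv[0]);
    return v;
}

/* Scenario (constructed): one byte is pending; both probes say alive. */
static enum liveness scenario_data_pending(int use_buggy)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) {
        return SOCK_DEAD;
    }
    enum liveness (*probe)(int) = use_buggy ? probe_buggy : probe_fixed;
    if (write(sv[1], "x", 1) != 1) {
        close(sv[0]);
        close(sv[1]);
        return SOCK_DEAD;
    }
    enum liveness v = probe(sv[0]);     /* recv() -> 1 */
    close(sv[0]);
    close(sv[1]);
    return v;
}

int main(void)
{
    printf("peer closed, buggy probe : %s\n",
           scenario_peer_closes_after_idle_probe(1) ? "alive (wrong)" : "dead");
    printf("peer closed, fixed probe : %s\n",
           scenario_peer_closes_after_idle_probe(0) ? "alive" : "dead (correct)");
    printf("data pending, fixed probe: %s\n",
           scenario_data_pending(0) ? "alive (correct)" : "dead");
    return 0;
}
```

The same rule applies to any errno-reporting call: branch on the return value, and treat errno as meaningful only on the failure branch. The "recvfrom(4, "", 1, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = 0" line in the strace above is exactly the EOF case the fixed probe handles.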
b7a1633e | 08-Jul-2021 | twosee
Remove unused server_name variable
Closes GH-8760.

74f75db0 | 15-May-2022 | Jakub Zelenka
Fix bug #79589: ssl3_read_n:unexpected eof while reading
The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent a truncation attack. However there are many non-compliant servers and it is causing breakage for many users, including potentially the majority of those where the truncation attack is not applicable. For that reason we try to keep behavior consistent with older OpenSSL versions, which is also the path chosen by some other languages and web servers. Closes GH-8369

0ac60d60 | 03-Sep-2021 | twosee
Micro optimizations for xp_ssl.c (#7447)
If certfile/private_key points to a file that doesn't exist, it throws a warning and returns failure now. Also fixed sni_server tests. Co-authored-by: Nikita Popov <nikita.ppv@googlemail.com>

aa893c4a | 01-Sep-2021 | twosee
Simplify SSL_set_mode() calls (#7444)
SSL_set_mode() adds the mode set via bitmask in mode to ssl.

ef787bae | 10-Aug-2021 | Nikita Popov
Switch dh_param handling to EVP_PKEY API

cd0cd3d3 | 01-Aug-2021 | Kamil Tekiela
Fix typos (#7327)

7fd48264 | 27-May-2021 | Christoph M. Becker
Fix #76694: native Windows cert verification uses CN as server name
This is not guaranteed to work, since the actual server name may only be given as SAN. Since we're doing the peer verification later anyway (using the respective context options as appropriate), there is no need to even supply a server name when verifying against the Windows cert store. Closes GH-7060.

c40231af | 12-May-2021 | George Peter Banyard
Mark various functions with void arguments.
This fixes a bunch of [-Wstrict-prototypes] warnings, because in C func() and func(void) have different semantics.

01b3fc03 | 06-May-2021 | KsaR
Update http->https in license (#6945)
1. Update http://www.php.net/license/3_01.txt to https, as there is anyway a server header "Location:" to https.
2. Update a few license 3.0 to 3.01, as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments it is "at through the world-wide-web" while most are without "at", so deleted.
4. Fixed indentation in some files before.

09efad61 | 08-Apr-2021 | George Peter Banyard
Use zend_string_equals_(literal_)ci() API more often
Also drive-by usage of zend_ini_parse_bool(). Closes GH-6844

5caaf40b | 29-Sep-2020 | George Peter Banyard
Introduce pseudo-keyword ZEND_FALLTHROUGH
And use it instead of comments.