| #
2aae14c8 |
| 05-Apr-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-13860: Incorrect PHP_STREAM_OPTION_CHECK_LIVENESS case in ext/openssl/xp_ssl.c - causing use of dead socket
php_socket_errno() may return a stale value when recv returns a
value >
Fix GH-13860: Incorrect PHP_STREAM_OPTION_CHECK_LIVENESS case in ext/openssl/xp_ssl.c - causing use of dead socket
php_socket_errno() may return a stale value when recv returns a
value >= 0. As such, the liveness check is wrong.
This is the same bug as #70198 (fixed in GH-1456). So we fix it in the
same way.
Closes GH-13895.
show more ...
|
| #
c1bd9a93 |
| 21-Dec-2023 |
Jakub Zelenka |
Fix GH-10495: feof on OpenSSL stream hangs indefinitely
This fixes the issue with unbounded waiting on SSL_peek which can happen
when only part of the record is fetched. It makes socket
Fix GH-10495: feof on OpenSSL stream hangs indefinitely
This fixes the issue with unbounded waiting on SSL_peek which can happen
when only part of the record is fetched. It makes socket non blocking so
it is possible to verify if OpenSSL is expecting some more data or if
there is an error.
This also fixes bug #79501
Closes GH-13487
show more ...
|
| #
732d92c0 |
| 28-Apr-2023 |
Javier Eguiluz |
[skip ci] Fix various typos and grammar issues (#11143)
|
| #
f0cfebc2 |
| 25-Feb-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Use zend_result where appropriate in ext/openssl
Remove dead code
s is always NULL, so the check is always false.
Closes GH-10704.
|
| #
c8955c07 |
| 16-Jan-2023 |
Christoph M. Becker |
Revert GH-10220
Cf. <https://github.com/php/php-src/pull/10220#issuecomment-1383739816>.
This reverts commit ecc880f491d66081298a16634629f149459706a9.
This reverts commit 588a07
Revert GH-10220
Cf. <https://github.com/php/php-src/pull/10220#issuecomment-1383739816>.
This reverts commit ecc880f491d66081298a16634629f149459706a9.
This reverts commit 588a07f7371ee2b5fac17de147926780e427fae6.
This reverts commit f377e15751d3aa48b69cd9bcc366ede7803d511f.
This reverts commit b4ba16fe189b109144aff669e11d81365160104b.
This reverts commit 694ec1deea36e366b28b6349a52be49824e1a1a8.
This reverts commit 6b34de8eba9f66882ae16e6073af28783670ac53.
This reverts commit aa1cd02a4367834026ea2205ea13a2f904455aa1.
This reverts commit 308fd311ea6fcf3094b448df7f2b264f08e4fe4f.
This reverts commit 16203b53e1822a37b6ba6f2ab198bb435d05fdad.
This reverts commit 738fb5ca5412f5e833a7fab82b11519e635a3357.
This reverts commit 9fdbefacd3c382d731aa175b7bdc002ec9cb2b30.
This reverts commit cd4a7c1d90562ebb5f89caf94d00d579631b9fbe.
This reverts commit 928685eba2b2f0ded90e7f78fd806ea164002f6e.
This reverts commit 01e5ffc85cd4357fd7b5b7ceefa29f2d10ca26b7.
show more ...
|
| #
308fd311 |
| 04-Jan-2023 |
Max Kellermann |
ext/{standard,json,random,...}: add missing includes
|
| #
3fc013b2 |
| 09-Jun-2023 |
Jakub Zelenka |
Fix CS and checking for IPv6 SAN verify
|
| #
fd09728b |
| 28-Apr-2023 |
James Lucas |
Fix bug GH-9356: Incomplete SAN validation of IPv6 address
IPv6 addresses are valid entries in subjectAltNames. Certificate
Authorities may issue certificates including IPv6 addresses ex
Fix bug GH-9356: Incomplete SAN validation of IPv6 address
IPv6 addresses are valid entries in subjectAltNames. Certificate
Authorities may issue certificates including IPv6 addresses except
if they fall within addresses in the RFC 4193 range. Google and
CloudFlare provide IPv6 addresses in their DNS over HTTPS services.
Internal CAs do not have those restrictions and can issue Unique
local addresses in certificates.
Closes GH-11145
show more ...
|
| #
e80073d3 |
| 18-Mar-2023 |
Jakub Zelenka |
Fix GH-10406: feof() behavior change for UNIX based socket resources
This change restores the old behaviour for the server socket streams
that don't support IO. This is now stored in the
Fix GH-10406: feof() behavior change for UNIX based socket resources
This change restores the old behaviour for the server socket streams
that don't support IO. This is now stored in the stream flags so it can
be later used to do some other decisions and possibly introduce some
better error reporting.
Closes GH-10877
show more ...
|
| #
b09be29a |
| 25-Feb-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix incorrect error checking in php_openssl_set_server_dh_param()
SSL_CTX_set_tmp_dh() and SSL_CTX_set0_tmp_dh_pkey() return 1 on success
and 0 on error. But only < 0 was checked which m
Fix incorrect error checking in php_openssl_set_server_dh_param()
SSL_CTX_set_tmp_dh() and SSL_CTX_set0_tmp_dh_pkey() return 1 on success
and 0 on error. But only < 0 was checked which means that errors were
never caught.
Closes GH-10705.
show more ...
|
| #
505e8d2a |
| 12-Aug-2022 |
Jakub Zelenka |
Fix GH-9310: SSL local_cert and local_pk do not respect open_basedir restriction
|
| #
d9ff5e07 |
| 04-Aug-2022 |
Jakub Zelenka |
Fix GH-8472: stream_socket_accept result may have incorrect metadata
|
| #
7ceae661 |
| 29-Jun-2022 |
David Carlier |
streams/xp_socket: fix clang build error with enum usage on bool condition.
Fix targeted for oses defining those flags as enums (like Linux/glibc).
`error: converting the enum const
streams/xp_socket: fix clang build error with enum usage on bool condition.
Fix targeted for oses defining those flags as enums (like Linux/glibc).
`error: converting the enum constant to a boolean [-Werror,-Wint-in-bool-context]
} else if ((!sslsock->ssl_active && value == 0 && (MSG_DONTWAIT || !sslsock->s.is_blocked)) ||`
Closes #8895.
show more ...
|
| #
2d986310 |
| 09-Feb-2022 |
Max Kellermann |
streams/xp_socket: eliminate poll() when MSG_DONTWAIT is available
If there is a zero timeout and MSG_DONTWAIT is available (or the
socket is non-blocking), the poll() call is not necess
streams/xp_socket: eliminate poll() when MSG_DONTWAIT is available
If there is a zero timeout and MSG_DONTWAIT is available (or the
socket is non-blocking), the poll() call is not necessary, and we can
just call recv() right away.
Before this change:
poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 0) = 0 (Timeout)
poll([{fd=4, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "HTTP/1.1 301 Moved Permanently\r\n"..., 8192, MSG_DONTWAIT, NULL, NULL) = 348
poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 0) = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "", 1, MSG_PEEK, NULL, NULL) = 0
After this change:
recvfrom(4, 0x7ffe0cc719a0, 1, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=4, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "HTTP/1.1 301 Moved Permanently\r\n"..., 8192, MSG_DONTWAIT, NULL, NULL) = 348
recvfrom(4, "", 1, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = 0
The first poll() is replaced by recvfrom(), and the third poll() is
omitted completely.
ext/openssl/xp_ssl: eliminate poll() when MSG_DONTWAIT is available
If there is a zero timeout and MSG_DONTWAIT is available (or the
socket is non-blocking), the poll() call is not necessary, and we can
just call recv() right away.
Closes GH-8092.
show more ...
|
| #
b7a1633e |
| 08-Jul-2021 |
twosee |
Remove unused server_name variable
Closes GH-8760.
|
| #
74f75db0 |
| 15-May-2022 |
Jakub Zelenka |
Fix bug #79589: ssl3_read_n:unexpected eof while reading
The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent
truncation attack. However there are many non complaint serve
Fix bug #79589: ssl3_read_n:unexpected eof while reading
The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent
truncation attack. However there are many non complaint servers and
it is causing break for many users including potential majority
of those where the truncation attack is not applicable. For that reason
we try to keep behavior consitent with older OpenSSL versions which is
also the path chosen by some other languages and web servers.
Closes GH-8369
show more ...
|
| #
0ac60d60 |
| 03-Sep-2021 |
twosee |
Micro optimizations for xp_ssl.c (#7447)
If certfile/private_key points to a file that doesn't exist, it throw a warning and return failure now.
Also fixed sni_server tests.
Co-
Micro optimizations for xp_ssl.c (#7447)
If certfile/private_key points to a file that doesn't exist, it throw a warning and return failure now.
Also fixed sni_server tests.
Co-authored-by: Nikita Popov <nikita.ppv@googlemail.com>
show more ...
|
| #
aa893c4a |
| 01-Sep-2021 |
twosee |
Simplify SSL_set_mode() calls (#7444)
SSL_set_mode() adds the mode set via bitmask in mode to ssl.
|
| #
ef787bae |
| 10-Aug-2021 |
Nikita Popov |
Switch dh_param handling to EVP_PKEY API
|
| #
cd0cd3d3 |
| 01-Aug-2021 |
Kamil Tekiela |
Fix typos (#7327)
|
| #
7fd48264 |
| 27-May-2021 |
Christoph M. Becker |
Fix #76694: native Windows cert verification uses CN as sever name
This is not guaranteed to work, since the actual server name may only
be given as SAN. Since we're doing the peer veri
Fix #76694: native Windows cert verification uses CN as sever name
This is not guaranteed to work, since the actual server name may only
be given as SAN. Since we're doing the peer verification later anyway
(using the respective context options as appropriate), there is no need
to even supply a server name when verifying against the Windows cert
store.
Closes GH-7060.
show more ...
|
| #
c40231af |
| 12-May-2021 |
George Peter Banyard |
Mark various functions with void arguments.
This fixes a bunch of [-Wstrict-prototypes] warning,
because in C func() and func(void) have different semantics.
|
| #
01b3fc03 |
| 06-May-2021 |
KsaR |
Update http->https in license (#6945)
1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as
Update http->https in license (#6945)
1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted.
4. fixed indentation in some files before |
show more ...
|
| #
09efad61 |
| 08-Apr-2021 |
George Peter Banyard |
Use zend_string_equals_(literal_)ci() API more often
Also drive-by usage of zend_ini_parse_bool()
Closes GH-6844
|
| #
5caaf40b |
| 29-Sep-2020 |
George Peter Banyard |
Introduce pseudo-keyword ZEND_FALLTHROUGH
And use it instead of comments
|
