History log of /php-src/ext/openssl/xp_ssl.c (Results 1 – 25 of 406)
# ae5220ae 08-Apr-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Avoid call to php_socket_errno() if possible (#13909)

This call is only necessary if ret < 0.
Note that I also had to reorder the checks for EWOULDBLOCK, EMSGSIZE, EAGAIN
to avoid a false positive GCC warning about a duplicate condition
(EAGAIN == EWOULDBLOCK on my system).



# 2aae14c8 05-Apr-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-13860: Incorrect PHP_STREAM_OPTION_CHECK_LIVENESS case in ext/openssl/xp_ssl.c - causing use of dead socket

php_socket_errno() may return a stale value when recv returns a
value >= 0. As such, the liveness check is wrong.
This is the same bug as #70198 (fixed in GH-1456). So we fix it in the
same way.

Closes GH-13895.
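The stale-errno pattern this commit describes, shown side by side with a corrected check. This is an added illustration, not code from php-src: a UNIX socketpair stands in for the SSL stream's socket, and `liveness_stale_errno` is a sketch of the faulty pattern rather than the original function.

```c
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

typedef enum { DEAD = 0, LIVE = 1 } liveness;

/* Sketch of the pattern GH-13860 fixes (not the project's code): a 0 return
 * (EOF) only counts as dead when errno != EWOULDBLOCK, but a successful
 * recv() never sets errno, so whatever an earlier call left there decides. */
static liveness liveness_stale_errno(int fd)
{
    char c;
    if (recv(fd, &c, 1, MSG_PEEK | MSG_DONTWAIT) == 0 && errno != EWOULDBLOCK)
        return DEAD;
    return LIVE;
}

/* Corrected check: errno is consulted only on the ret < 0 path (the rule
 * #13909 applies), and EWOULDBLOCK is tested only where it differs from
 * EAGAIN so that the two cases never collapse into a duplicate condition. */
static liveness liveness_checked(int fd)
{
    char c;
    ssize_t n = recv(fd, &c, 1, MSG_PEEK | MSG_DONTWAIT);
    if (n > 0) return LIVE;                 /* data waiting to be read */
    if (n == 0) return DEAD;                /* orderly shutdown by the peer */
    if (errno == EAGAIN) return LIVE;       /* open but idle */
#if EWOULDBLOCK != EAGAIN
    if (errno == EWOULDBLOCK) return LIVE;
#endif
    return DEAD;                            /* ECONNRESET, ETIMEDOUT, EBADF ... */
}

/* Constructed scenario: the peer of a socketpair has closed while a stale
 * EAGAIN sits in errno. Returns 1 when the two checks disagree, i.e. the
 * buggy check still reports the dead socket as live. */
int demo_stale_errno_disagrees(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    close(sv[1]);                           /* peer gone: recv() returns 0 */
    errno = EAGAIN;                         /* stale value from an earlier call */
    liveness buggy = liveness_stale_errno(sv[0]);
    liveness fixed = liveness_checked(sv[0]);
    close(sv[0]);
    return buggy == LIVE && fixed == DEAD;
}
```

On Linux, where EAGAIN and EWOULDBLOCK are the same value, the sketched check reports the closed socket as live; the corrected one reports it dead and also classifies an invalid descriptor (EBADF) as dead.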



# c1bd9a93 21-Dec-2023 Jakub Zelenka

Fix GH-10495: feof on OpenSSL stream hangs indefinitely

This fixes the issue with unbounded waiting on SSL_peek which can happen
when only part of the record is fetched. It makes the socket non-blocking so
it is possible to verify if OpenSSL is expecting some more data or if
there is an error.

This also fixes bug #79501

Closes GH-13487



# 3de3e137 25-Feb-2024 Ayesh Karunaratne

ext/openssl: Bump minimum required OpenSSL version to 1.1.1

Bumps the minimum required OpenSSL version from 1.0.2 to 1.1.1.

OpenSSL 1.1.1 is an LTS release, but has reached[^1] EOL from upstream. However, Linux distro/OS vendors
continue to ship OpenSSL 1.1.1, so 1.1.1 was picked as the minimum. The current minimum 1.0.2 reached
EOL in 2018.

Bumping the minimum required OpenSSL version makes it possible for ext-openssl to remove a bunch of
conditional code, and assume that TLS 1.3 (shipped with OpenSSL 1.1.1) will be supported everywhere.

- Debian buster: 1.1.1[^2]
- Ubuntu 20.04: 1.1.1[^3]
- CentOS/RHEL 7: 1.0.2
- RHEL 8/Rocky 8/EL 8: 1.1.1
- Fedora 38: 3.0.9 (`openssl11` provides OpenSSL 1.1 as well)

RHEL/CentOS 7 reaches EOL mid 2024, so for PHP 8.4 scheduled towards the end of this year, we can safely
bump the minimum OpenSSL version.

[^1]: https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html
[^2]: https://packages.debian.org/buster/libssl-dev
[^3]: https://packages.ubuntu.com/focal/libssl-dev



# e630aacf 21-Feb-2024 Jorg Adam Sowa

Remove HAVE_INET_PTON (#13410)


# 3fc013b2 09-Jun-2023 Jakub Zelenka

Fix CS and checking for IPv6 SAN verify


# fd09728b 28-Apr-2023 James Lucas

Fix bug GH-9356: Incomplete SAN validation of IPv6 address

IPv6 addresses are valid entries in subjectAltNames. Certificate
Authorities may issue certificates including IPv6 addresses except
if they fall within addresses in the RFC 4193 range. Google and
CloudFlare provide IPv6 addresses in their DNS over HTTPS services.

Internal CAs do not have those restrictions and can issue Unique
local addresses in certificates.

Closes GH-11145



# 732d92c0 28-Apr-2023 Javier Eguiluz

[skip ci] Fix various typos and grammar issues (#11143)


# e80073d3 18-Mar-2023 Jakub Zelenka

Fix GH-10406: feof() behavior change for UNIX based socket resources

This change restores the old behaviour for the server socket streams
that don't support IO. This is now stored in the stream flags so it can
be later used to do some other decisions and possibly introduce some
better error reporting.

Closes GH-10877



# f0cfebc2 25-Feb-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Use zend_result where appropriate in ext/openssl
Remove dead code

s is always NULL, so the check is always false.

Closes GH-10704.


# b09be29a 25-Feb-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix incorrect error checking in php_openssl_set_server_dh_param()

SSL_CTX_set_tmp_dh() and SSL_CTX_set0_tmp_dh_pkey() return 1 on success
and 0 on error. But only < 0 was checked which means that errors were
never caught.

Closes GH-10705.



# c8955c07 16-Jan-2023 Christoph M. Becker

Revert GH-10220

Cf. <https://github.com/php/php-src/pull/10220#issuecomment-1383739816>.

This reverts commit ecc880f491d66081298a16634629f149459706a9.
This reverts commit 588a07f7371ee2b5fac17de147926780e427fae6.
This reverts commit f377e15751d3aa48b69cd9bcc366ede7803d511f.
This reverts commit b4ba16fe189b109144aff669e11d81365160104b.
This reverts commit 694ec1deea36e366b28b6349a52be49824e1a1a8.
This reverts commit 6b34de8eba9f66882ae16e6073af28783670ac53.
This reverts commit aa1cd02a4367834026ea2205ea13a2f904455aa1.
This reverts commit 308fd311ea6fcf3094b448df7f2b264f08e4fe4f.
This reverts commit 16203b53e1822a37b6ba6f2ab198bb435d05fdad.
This reverts commit 738fb5ca5412f5e833a7fab82b11519e635a3357.
This reverts commit 9fdbefacd3c382d731aa175b7bdc002ec9cb2b30.
This reverts commit cd4a7c1d90562ebb5f89caf94d00d579631b9fbe.
This reverts commit 928685eba2b2f0ded90e7f78fd806ea164002f6e.
This reverts commit 01e5ffc85cd4357fd7b5b7ceefa29f2d10ca26b7.



# 308fd311 04-Jan-2023 Max Kellermann

ext/{standard,json,random,...}: add missing includes


Revision tags: php-8.2.0RC1, php-8.1.10, php-8.0.23, php-8.0.23RC1, php-8.1.10RC1, php-8.2.0beta3
# 505e8d2a 12-Aug-2022 Jakub Zelenka

Fix GH-9310: SSL local_cert and local_pk do not respect open_basedir restriction

# 80197c59 07-Aug-2022 Jakub Zelenka

Merge branch 'PHP-8.1'


# c9fa98a1 07-Aug-2022 Jakub Zelenka

Merge branch 'PHP-8.0' into PHP-8.1


# d9ff5e07 04-Aug-2022 Jakub Zelenka

Fix GH-8472: stream_socket_accept result may have incorrect metadata

Revision tags: php-8.2.0beta2, php-8.1.9, php-8.0.22, php-8.1.9RC1, php-8.2.0beta1, php-8.0.22RC1, php-8.0.21, php-8.1.8, php-8.2.0alpha3
# 7ceae661 29-Jun-2022 David Carlier

streams/xp_socket: fix clang build error with enum usage on bool condition.

Fix targeted for OSes defining those flags as enums (like Linux/glibc).

`error: converting the enum constant to a boolean [-Werror,-Wint-in-bool-context]
} else if ((!sslsock->ssl_active && value == 0 && (MSG_DONTWAIT || !sslsock->s.is_blocked)) ||`

Closes #8895.


Revision tags: php-8.1.8RC1, php-8.2.0alpha2, php-8.0.21RC1, php-8.0.20, php-8.1.7, php-8.2.0alpha1, php-7.4.30, php-8.1.7RC1, php-8.0.20RC1, php-8.1.6, php-8.0.19, php-8.1.6RC1, php-8.0.19RC1, php-8.0.18, php-8.1.5, php-7.4.29, php-8.1.5RC1, php-8.0.18RC1, php-8.1.4, php-8.0.17, php-8.1.4RC1, php-8.0.17RC1, php-8.1.3, php-8.0.16, php-7.4.28
# 2d986310 09-Feb-2022 Max Kellermann

streams/xp_socket: eliminate poll() when MSG_DONTWAIT is available

If there is a zero timeout and MSG_DONTWAIT is available (or the
socket is non-blocking), the poll() call is not necessary, and we can
just call recv() right away.

Before this change:

poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 0) = 0 (Timeout)
poll([{fd=4, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "HTTP/1.1 301 Moved Permanently\r\n"..., 8192, MSG_DONTWAIT, NULL, NULL) = 348
poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 0) = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "", 1, MSG_PEEK, NULL, NULL) = 0

After this change:

recvfrom(4, 0x7ffe0cc719a0, 1, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=4, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "HTTP/1.1 301 Moved Permanently\r\n"..., 8192, MSG_DONTWAIT, NULL, NULL) = 348
recvfrom(4, "", 1, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = 0

The first poll() is replaced by recvfrom(), and the third poll() is
omitted completely.

ext/openssl/xp_ssl: eliminate poll() when MSG_DONTWAIT is available

If there is a zero timeout and MSG_DONTWAIT is available (or the
socket is non-blocking), the poll() call is not necessary, and we can
just call recv() right away.

Closes GH-8092.


Revision tags: php-8.1.3RC1, php-8.0.16RC1, php-8.1.2, php-8.0.15, php-8.1.2RC1, php-8.0.15RC1, php-8.0.14, php-8.1.1, php-7.4.27, php-8.1.1RC1, php-8.0.14RC1, php-7.4.27RC1, php-8.1.0, php-8.0.13, php-7.4.26, php-7.3.33, php-8.1.0RC6, php-7.4.26RC1, php-8.0.13RC1, php-8.1.0RC5, php-7.3.32, php-7.4.25, php-8.0.12, php-8.1.0RC4, php-8.0.12RC1, php-7.4.25RC1, php-8.1.0RC3, php-8.0.11, php-7.4.24, php-7.3.31, php-8.1.0RC2, php-7.4.24RC1, php-8.0.11RC1, php-8.1.0RC1, php-7.4.23, php-8.0.10, php-7.3.30, php-8.1.0beta3, php-8.0.10RC1, php-7.4.23RC1, php-8.1.0beta2, php-8.0.9, php-7.4.22, php-8.1.0beta1, php-7.4.22RC1, php-8.0.9RC1
# b7a1633e 08-Jul-2021 twosee

Remove unused server_name variable

Closes GH-8760.

# 834e32e5 15-May-2022 Jakub Zelenka

Merge branch 'PHP-8.1'


# 74f75db0 15-May-2022 Jakub Zelenka

Fix bug #79589: ssl3_read_n:unexpected eof while reading

The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent
truncation attacks. However, there are many non-compliant servers and
it is causing breakage for many users, including potentially the majority
of those where the truncation attack is not applicable. For that reason
we try to keep behavior consistent with older OpenSSL versions, which is
also the path chosen by some other languages and web servers.

Closes GH-8369


# 0ac60d60 03-Sep-2021 twosee

Micro optimizations for xp_ssl.c (#7447)

If certfile/private_key points to a file that doesn't exist, it throws a warning and returns failure now.
Also fixed sni_server tests.

Co-authored-by: Nikita Popov <nikita.ppv@googlemail.com>


# aa893c4a 01-Sep-2021 twosee

Simplify SSL_set_mode() calls (#7444)

SSL_set_mode() adds the mode set via bitmask in mode to ssl.

# ef787bae 10-Aug-2021 Nikita Popov

Switch dh_param handling to EVP_PKEY API
