Skip to content

Add TLSv1.1 and TLSv1.2 support #483

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 17, 2013
Merged

Add TLSv1.1 and TLSv1.2 support #483

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions ext/openssl/openssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1183,6 +1183,10 @@ PHP_MINIT_FUNCTION(openssl)
php_stream_xport_register("sslv2", php_openssl_ssl_socket_factory TSRMLS_CC);
#endif
php_stream_xport_register("tls", php_openssl_ssl_socket_factory TSRMLS_CC);
#if OPENSSL_VERSION_NUMBER >= 0x10001001L
php_stream_xport_register("tlsv1.1", php_openssl_ssl_socket_factory TSRMLS_CC);
php_stream_xport_register("tlsv1.2", php_openssl_ssl_socket_factory TSRMLS_CC);
#endif

/* override the default tcp socket provider */
php_stream_xport_register("tcp", php_openssl_ssl_socket_factory TSRMLS_CC);
Expand Down Expand Up @@ -1221,6 +1225,10 @@ PHP_MSHUTDOWN_FUNCTION(openssl)
#endif
php_stream_xport_unregister("sslv3" TSRMLS_CC);
php_stream_xport_unregister("tls" TSRMLS_CC);
#if OPENSSL_VERSION_NUMBER >= 0x10001001L
php_stream_xport_unregister("tlsv1.1" TSRMLS_CC);
php_stream_xport_unregister("tlsv1.2" TSRMLS_CC);
#endif

/* reinstate the default tcp handler */
php_stream_xport_register("tcp", php_stream_generic_socket_factory TSRMLS_CC);
Expand Down
46 changes: 46 additions & 0 deletions ext/openssl/tests/tlsv1.1_wrapper_001.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
--TEST--
tlsv1.1 stream wrapper
--SKIPIF--
<?php
if (!extension_loaded("openssl")) die("skip");
if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSL 1.0.1 required");
if (!function_exists('pcntl_fork')) die("skip no fork");
--FILE--
<?php
$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
$ctx = stream_context_create(array('ssl' => array(
'local_cert' => __DIR__ . '/streams_crypto_method.pem',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess the tests fail because of this missing cert?

)));

$server = stream_socket_server('tlsv1.1://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
var_dump($server);

$pid = pcntl_fork();
if ($pid == -1) {
die('could not fork');
} elseif ($pid) {
$flags = STREAM_CLIENT_CONNECT;
$ctx = stream_context_create(array('ssl' => array(
'verify_peer' => false
)));

$client = stream_socket_client("tlsv1.1://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
var_dump($client);

$client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
var_dump($client);

$client = @stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
var_dump($client);

} else {
@pcntl_wait($status);
for ($i=0; $i < 3; $i++) {
@stream_socket_accept($server, 1);
}
}
--EXPECTF--
resource(%d) of type (stream)
resource(%d) of type (stream)
bool(false)
bool(false)
46 changes: 46 additions & 0 deletions ext/openssl/tests/tlsv1.2_wrapper_002.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
--TEST--
tlsv1.2 stream wrapper
--SKIPIF--
<?php
if (!extension_loaded("openssl")) die("skip");
if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSL 1.0.1 required");
if (!function_exists('pcntl_fork')) die("skip no fork");
--FILE--
<?php
$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
$ctx = stream_context_create(array('ssl' => array(
'local_cert' => __DIR__ . '/streams_crypto_method.pem',
)));

$server = stream_socket_server('tlsv1.2://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
var_dump($server);

$pid = pcntl_fork();
if ($pid == -1) {
die('could not fork');
} elseif ($pid) {
$flags = STREAM_CLIENT_CONNECT;
$ctx = stream_context_create(array('ssl' => array(
'verify_peer' => false
)));

$client = stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
var_dump($client);

$client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
var_dump($client);

$client = @stream_socket_client("tlsv1.1://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
var_dump($client);

} else {
@pcntl_wait($status);
for ($i=0; $i < 3; $i++) {
@stream_socket_accept($server, 1);
}
}
--EXPECTF--
resource(%d) of type (stream)
resource(%d) of type (stream)
bool(false)
bool(false)
62 changes: 61 additions & 1 deletion ext/openssl/xp_ssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -346,6 +346,24 @@ static inline int php_openssl_setup_crypto(php_stream *stream,
sslsock->is_client = 1;
method = TLSv1_client_method();
break;
case STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT:
#if OPENSSL_VERSION_NUMBER >= 0x10001001L
sslsock->is_client = 1;
method = TLSv1_1_client_method();
break;
#else
php_error_docref(NULL TSRMLS_CC, E_WARNING, "TLSv1.1 support is not compiled into the OpenSSL library PHP is linked against");
return -1;
#endif
case STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT:
#if OPENSSL_VERSION_NUMBER >= 0x10001001L
sslsock->is_client = 1;
method = TLSv1_2_client_method();
break;
#else
php_error_docref(NULL TSRMLS_CC, E_WARNING, "TLSv1.2 support is not compiled into the OpenSSL library PHP is linked against");
return -1;
#endif
case STREAM_CRYPTO_METHOD_SSLv23_SERVER:
sslsock->is_client = 0;
method = SSLv23_server_method();
Expand All @@ -367,6 +385,24 @@ static inline int php_openssl_setup_crypto(php_stream *stream,
sslsock->is_client = 0;
method = TLSv1_server_method();
break;
case STREAM_CRYPTO_METHOD_TLSv1_1_SERVER:
#if OPENSSL_VERSION_NUMBER >= 0x10001001L
sslsock->is_client = 0;
method = TLSv1_1_server_method();
break;
#else
php_error_docref(NULL TSRMLS_CC, E_WARNING, "TLSv1.1 support is not compiled into the OpenSSL library PHP is linked against");
return -1;
#endif
case STREAM_CRYPTO_METHOD_TLSv1_2_SERVER:
#if OPENSSL_VERSION_NUMBER >= 0x10001001L
sslsock->is_client = 0;
method = TLSv1_2_server_method();
break;
#else
php_error_docref(NULL TSRMLS_CC, E_WARNING, "TLSv1.2 support is not compiled into the OpenSSL library PHP is linked against");
return -1;
#endif
default:
return -1;

Expand Down Expand Up @@ -667,6 +703,12 @@ static inline int php_openssl_tcp_sockop_accept(php_stream *stream, php_openssl_
case STREAM_CRYPTO_METHOD_TLS_CLIENT:
sock->method = STREAM_CRYPTO_METHOD_TLS_SERVER;
break;
case STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT:
sock->method = STREAM_CRYPTO_METHOD_TLSv1_1_SERVER;
break;
case STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT:
sock->method = STREAM_CRYPTO_METHOD_TLSv1_2_SERVER;
break;
default:
break;
}
Expand Down Expand Up @@ -867,6 +909,8 @@ static int get_crypto_method(php_stream_context *ctx) {
case STREAM_CRYPTO_METHOD_SSLv3_CLIENT:
case STREAM_CRYPTO_METHOD_SSLv23_CLIENT:
case STREAM_CRYPTO_METHOD_TLS_CLIENT:
case STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT:
case STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT:
return crypto_method;
}

Expand Down Expand Up @@ -982,8 +1026,24 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen,
} else if (strncmp(proto, "tls", protolen) == 0) {
sslsock->enable_on_connect = 1;
sslsock->method = STREAM_CRYPTO_METHOD_TLS_CLIENT;
} else if (strncmp(proto, "tlsv1.1", protolen) == 0) {
#if OPENSSL_VERSION_NUMBER >= 0x10001001L
sslsock->enable_on_connect = 1;
sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
#else
php_error_docref(NULL TSRMLS_CC, E_WARNING, "TLSv1.1 support is not compiled into the OpenSSL library PHP is linked against");
return NULL;
#endif
} else if (strncmp(proto, "tlsv1.2", protolen) == 0) {
#if OPENSSL_VERSION_NUMBER >= 0x10001001L
sslsock->enable_on_connect = 1;
sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
#else
php_error_docref(NULL TSRMLS_CC, E_WARNING, "TLSv1.2 support is not compiled into the OpenSSL library PHP is linked against");
return NULL;
#endif
}

return stream;
}

Expand Down
4 changes: 4 additions & 0 deletions ext/standard/file.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -223,10 +223,14 @@ PHP_MINIT_FUNCTION(file)
REGISTER_LONG_CONSTANT("STREAM_CRYPTO_METHOD_SSLv3_CLIENT", STREAM_CRYPTO_METHOD_SSLv3_CLIENT, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("STREAM_CRYPTO_METHOD_SSLv23_CLIENT", STREAM_CRYPTO_METHOD_SSLv23_CLIENT, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("STREAM_CRYPTO_METHOD_TLS_CLIENT", STREAM_CRYPTO_METHOD_TLS_CLIENT, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT", STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT", STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("STREAM_CRYPTO_METHOD_SSLv2_SERVER", STREAM_CRYPTO_METHOD_SSLv2_SERVER, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("STREAM_CRYPTO_METHOD_SSLv3_SERVER", STREAM_CRYPTO_METHOD_SSLv3_SERVER, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("STREAM_CRYPTO_METHOD_SSLv23_SERVER", STREAM_CRYPTO_METHOD_SSLv23_SERVER, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("STREAM_CRYPTO_METHOD_TLS_SERVER", STREAM_CRYPTO_METHOD_TLS_SERVER, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("STREAM_CRYPTO_METHOD_TLSv1_1_SERVER", STREAM_CRYPTO_METHOD_TLSv1_1_SERVER, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("STREAM_CRYPTO_METHOD_TLSv1_2_SERVER", STREAM_CRYPTO_METHOD_TLSv1_2_SERVER, CONST_CS|CONST_PERSISTENT);

REGISTER_LONG_CONSTANT("STREAM_SHUT_RD", STREAM_SHUT_RD, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("STREAM_SHUT_WR", STREAM_SHUT_WR, CONST_CS|CONST_PERSISTENT);
Expand Down
6 changes: 5 additions & 1 deletion main/streams/php_stream_transport.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -170,10 +170,14 @@ typedef enum {
STREAM_CRYPTO_METHOD_SSLv3_CLIENT,
STREAM_CRYPTO_METHOD_SSLv23_CLIENT,
STREAM_CRYPTO_METHOD_TLS_CLIENT,
STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
STREAM_CRYPTO_METHOD_SSLv2_SERVER,
STREAM_CRYPTO_METHOD_SSLv3_SERVER,
STREAM_CRYPTO_METHOD_SSLv23_SERVER,
STREAM_CRYPTO_METHOD_TLS_SERVER
STREAM_CRYPTO_METHOD_TLS_SERVER,
STREAM_CRYPTO_METHOD_TLSv1_1_SERVER,
STREAM_CRYPTO_METHOD_TLSv1_2_SERVER
} php_stream_xport_crypt_method_t;

BEGIN_EXTERN_C()
Expand Down