]>
Commit | Line | Data |
---|---|---|
a0d270c5 AM |
1 | commit 8292260515a904b4d515484145c78f33a06ae1ae |
2 | Author: Andrey Hristov <andrey@php.net> | |
3 | Date: Wed Oct 21 15:10:24 2015 +0200 | |
4 | ||
5 | Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation | |
6 | ||
7 | diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt | |
8 | index 78540f1..349d6db 100644 | |
9 | --- a/ext/mysqli/tests/bug51647.phpt | |
10 | +++ b/ext/mysqli/tests/bug51647.phpt | |
11 | @@ -65,9 +65,43 @@ $link->close(); | |
12 | } else { | |
13 | if (!$row = $res->fetch_assoc()) | |
14 | printf("[006] [%d] %s\n", $link->errno, $link->error); | |
15 | + if (!strlen($row["Value"])) | |
16 | + printf("[007] Empty cipher. No encrytion!"); | |
18d0d716 AM |
17 | } |
18 | ||
a0d270c5 AM |
19 | var_dump($row); |
20 | + $link->close(); | |
21 | + | |
22 | + if (!is_object($link = mysqli_init())) | |
23 | + printf("[008] Cannot create link\n"); | |
24 | + | |
25 | + if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL)) { | |
26 | + printf("[009] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error()); | |
27 | + } | |
28 | + | |
29 | + if (!$res = $link->query('SHOW STATUS like "Ssl_cipher"')) { | |
30 | + if (1064 == $link->errno) { | |
31 | + /* ERROR 1064 (42000): You have an error in your SQL syntax; = sql strict mode */ | |
32 | + if ($res = $link->query("SHOW STATUS")) { | |
33 | + while ($row = $res->fetch_assoc()) | |
34 | + if ($row['Variable_name'] == 'Ssl_cipher') | |
35 | + break; | |
36 | + } else { | |
37 | + printf("[010] [%d] %s\n", $link->errno, $link->error); | |
38 | + } | |
39 | + } else { | |
40 | + printf("[011] [%d] %s\n", $link->errno, $link->error); | |
18d0d716 | 41 | + } |
a0d270c5 AM |
42 | + } else { |
43 | + if (!$row = $res->fetch_assoc()) | |
44 | + printf("[012] [%d] %s\n", $link->errno, $link->error); | |
45 | + if (!strlen($row["Value"])) | |
46 | + printf("[013] Empty cipher. No encrytion!"); | |
18d0d716 AM |
47 | + } |
48 | + | |
a0d270c5 AM |
49 | + var_dump($row); |
50 | + | |
51 | + $link->close(); | |
52 | ||
53 | print "done!"; | |
54 | ?> | |
55 | @@ -78,4 +112,10 @@ array(2) { | |
56 | ["Value"]=> | |
57 | string(%d) "%S" | |
58 | } | |
59 | +array(2) { | |
60 | + ["Variable_name"]=> | |
61 | + string(10) "Ssl_cipher" | |
62 | + ["Value"]=> | |
63 | + string(%d) "%S" | |
64 | +} | |
65 | done! | |
66 | diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c | |
67 | index 69f4b7a..4cbe9de 100644 | |
68 | --- a/ext/mysqlnd/mysqlnd_net.c | |
69 | +++ b/ext/mysqlnd/mysqlnd_net.c | |
70 | @@ -901,6 +901,12 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC) | |
71 | zval verify_peer_zval; | |
72 | ZVAL_TRUE(&verify_peer_zval); | |
73 | php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval); | |
74 | + php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval); | |
75 | + } else { | |
76 | + zval verify_peer_zval; | |
77 | + ZVAL_FALSE(&verify_peer_zval); | |
78 | + php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval); | |
79 | + php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval); | |
80 | } | |
81 | if (net->data->options.ssl_cert) { | |
82 | zval cert_zval; | |
83 | @@ -918,7 +924,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC) | |
84 | if (net->data->options.ssl_capath) { | |
85 | zval capath_zval; | |
86 | ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0); | |
87 | - php_stream_context_set_option(context, "ssl", "cafile", &capath_zval); | |
88 | + php_stream_context_set_option(context, "ssl", "capath", &capath_zval); | |
89 | } | |
90 | if (net->data->options.ssl_passphrase) { | |
91 | zval passphrase_zval; | |
92 | commit afd31489d0d9999f701467e99ef2b40794eed196 | |
93 | Author: Andrey Hristov <andrey@php.net> | |
94 | Date: Thu Oct 22 11:48:53 2015 +0200 | |
95 | ||
96 | Improve fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation | |
18d0d716 | 97 | |
a0d270c5 AM |
98 | diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c |
99 | index e028d60..198ed83 100644 | |
100 | --- a/ext/mysqli/mysqli.c | |
101 | +++ b/ext/mysqli/mysqli.c | |
102 | @@ -715,6 +715,9 @@ PHP_MINIT_FUNCTION(mysqli) | |
103 | REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_IGNORE_SPACE", CLIENT_IGNORE_SPACE, CONST_CS | CONST_PERSISTENT); | |
104 | REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_NO_SCHEMA", CLIENT_NO_SCHEMA, CONST_CS | CONST_PERSISTENT); | |
105 | REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS | CONST_PERSISTENT); | |
106 | +#ifdef CLIENT_SSL_VERIFY_SERVER_CERT | |
107 | + REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT); | |
108 | +#endif | |
109 | #if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) || defined(MYSQLI_USE_MYSQLND) | |
110 | REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT); | |
111 | REGISTER_LONG_CONSTANT("MYSQLI_OPT_CAN_HANDLE_EXPIRED_PASSWORDS", MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT); | |
112 | diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt | |
113 | index dd0f769..1cb31cc 100644 | |
114 | --- a/ext/mysqli/tests/mysqli_constants.phpt | |
115 | +++ b/ext/mysqli/tests/mysqli_constants.phpt | |
116 | @@ -136,6 +136,9 @@ require_once('skipifconnectfailure.inc'); | |
117 | $expected_constants['MYSQLI_SERVER_QUERY_WAS_SLOW'] = true; | |
118 | } | |
119 | ||
120 | + if ($version >= 50033 || $IS_MYSQLND) { | |
121 | + $expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true; | |
122 | + } | |
123 | ||
124 | /* First introduced in MySQL 6.0, backported to MySQL 5.5 */ | |
125 | if ($version >= 50606 || $IS_MYSQLND) { | |
126 | diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c | |
127 | index 4cbe9de..7b164ac 100644 | |
128 | --- a/ext/mysqlnd/mysqlnd_net.c | |
129 | +++ b/ext/mysqlnd/mysqlnd_net.c | |
130 | @@ -897,14 +897,9 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC) | |
131 | ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0); | |
132 | php_stream_context_set_option(context, "ssl", "local_pk", &key_zval); | |
133 | } | |
134 | - if (net->data->options.ssl_verify_peer) { | |
135 | - zval verify_peer_zval; | |
136 | - ZVAL_TRUE(&verify_peer_zval); | |
137 | - php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval); | |
138 | - php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval); | |
139 | - } else { | |
140 | + { | |
141 | zval verify_peer_zval; | |
142 | - ZVAL_FALSE(&verify_peer_zval); | |
143 | + ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer); | |
144 | php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval); | |
145 | php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval); | |
146 | } | |
c48f22c4 AM |
147 | commit 6d51b7b2e3468601acdaaf9041c9131b5aa47f98 |
148 | Author: Andrey Hristov <andrey@php.net> | |
149 | Date: Tue Oct 27 12:59:09 2015 +0100 | |
150 | ||
151 | Another Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation | |
152 | Added the possibility to explicitly state that the peer certificate should not be checked. | |
153 | Back to the default - checking the certificate. | |
154 | Exported MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT | |
155 | Usage : mysqli_real_connect( , , , , , MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT) | |
156 | ||
157 | If mysqli_ssl_set() is not called, but only MYSQLI_CLIENT_SSL is passed, without the (don't) very flag, | |
158 | then no verification takes place. | |
159 | ||
160 | diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c | |
161 | index 198ed83..5e40d19 100644 | |
162 | --- a/ext/mysqli/mysqli.c | |
163 | +++ b/ext/mysqli/mysqli.c | |
164 | @@ -717,6 +717,9 @@ PHP_MINIT_FUNCTION(mysqli) | |
165 | REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS | CONST_PERSISTENT); | |
166 | #ifdef CLIENT_SSL_VERIFY_SERVER_CERT | |
167 | REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT); | |
168 | +#if defined(MYSQLI_USE_MYSQLND) | |
169 | + REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT", CLIENT_SSL_DONT_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT); | |
170 | +#endif | |
171 | #endif | |
172 | #if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) || defined(MYSQLI_USE_MYSQLND) | |
173 | REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT); | |
174 | diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt | |
175 | index 349d6db..7385538 100644 | |
176 | --- a/ext/mysqli/tests/bug51647.phpt | |
177 | +++ b/ext/mysqli/tests/bug51647.phpt | |
178 | @@ -41,11 +41,7 @@ $link->close(); | |
179 | if (!is_object($link = mysqli_init())) | |
180 | printf("[001] Cannot create link\n"); | |
181 | ||
182 | - $path_to_pems = !$IS_MYSQLND? "ext/mysqli/tests/" : ""; | |
183 | - if (!$link->ssl_set("{$path_to_pems}client-key.pem", "{$path_to_pems}client-cert.pem", "{$path_to_pems}cacert.pem","","")) | |
184 | - printf("[002] [%d] %s\n", $link->errno, $link->error); | |
185 | - | |
186 | - if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket)) { | |
187 | + if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)) { | |
188 | printf("[003] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error()); | |
189 | } | |
190 | ||
191 | @@ -67,9 +63,9 @@ $link->close(); | |
192 | printf("[006] [%d] %s\n", $link->errno, $link->error); | |
193 | if (!strlen($row["Value"])) | |
194 | printf("[007] Empty cipher. No encrytion!"); | |
195 | + var_dump($row); | |
196 | } | |
197 | ||
198 | - var_dump($row); | |
199 | $link->close(); | |
200 | ||
201 | if (!is_object($link = mysqli_init())) | |
202 | @@ -97,10 +93,9 @@ $link->close(); | |
203 | printf("[012] [%d] %s\n", $link->errno, $link->error); | |
204 | if (!strlen($row["Value"])) | |
205 | printf("[013] Empty cipher. No encrytion!"); | |
206 | + var_dump($row); | |
207 | } | |
208 | ||
209 | - var_dump($row); | |
210 | - | |
211 | $link->close(); | |
212 | ||
213 | print "done!"; | |
214 | diff --git a/ext/mysqli/tests/bug55283.phpt b/ext/mysqli/tests/bug55283.phpt | |
215 | index d03daae..a10c604 100644 | |
216 | --- a/ext/mysqli/tests/bug55283.phpt | |
217 | +++ b/ext/mysqli/tests/bug55283.phpt | |
218 | @@ -40,7 +40,7 @@ $link->close(); | |
219 | $db1 = new mysqli(); | |
220 | ||
221 | ||
222 | - $flags = MYSQLI_CLIENT_SSL; | |
223 | + $flags = MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT; | |
224 | ||
225 | $link = mysqli_init(); | |
226 | mysqli_ssl_set($link, null, null, null, null, "RC4-MD5"); | |
227 | diff --git a/ext/mysqli/tests/connect.inc b/ext/mysqli/tests/connect.inc | |
228 | index 67ce60a..606d1d3 100644 | |
229 | --- a/ext/mysqli/tests/connect.inc | |
230 | +++ b/ext/mysqli/tests/connect.inc | |
231 | @@ -9,7 +9,7 @@ | |
232 | $driver = new mysqli_driver; | |
233 | ||
234 | $host = getenv("MYSQL_TEST_HOST") ? getenv("MYSQL_TEST_HOST") : "127.0.0.1"; | |
235 | - $port = getenv("MYSQL_TEST_PORT") ? getenv("MYSQL_TEST_PORT") : 3308; | |
236 | + $port = getenv("MYSQL_TEST_PORT") ? getenv("MYSQL_TEST_PORT") : 3306; | |
237 | $user = getenv("MYSQL_TEST_USER") ? getenv("MYSQL_TEST_USER") : "root"; | |
238 | $passwd = getenv("MYSQL_TEST_PASSWD") ? getenv("MYSQL_TEST_PASSWD") : ""; | |
239 | $db = getenv("MYSQL_TEST_DB") ? getenv("MYSQL_TEST_DB") : "test"; | |
240 | @@ -87,9 +87,8 @@ | |
241 | function my_mysqli_connect($host, $user, $passwd, $db, $port, $socket, $enable_env_flags = true) { | |
242 | global $connect_flags; | |
243 | ||
244 | - $flags = ($enable_env_flags) ? $connect_flags : false; | |
245 | - | |
246 | - if ($flags !== false) { | |
247 | + $flags = $enable_env_flags? $connect_flags:0; | |
248 | + if ($flags !== 0) { | |
249 | $link = mysqli_init(); | |
250 | if (!mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, $flags)) | |
251 | $link = false; | |
252 | @@ -109,7 +108,7 @@ | |
253 | global $connect_flags; | |
254 | ||
255 | if ($enable_env_flags) | |
256 | - $flags & $connect_flags; | |
257 | + $flags = $flags | $connect_flags; | |
258 | ||
259 | return mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, $flags); | |
260 | } | |
261 | @@ -118,7 +117,7 @@ | |
262 | public function __construct($host, $user, $passwd, $db, $port, $socket, $enable_env_flags = true) { | |
263 | global $connect_flags; | |
264 | ||
265 | - $flags = ($enable_env_flags) ? $connect_flags : false; | |
266 | + $flags = ($enable_env_flags) ? $connect_flags : 0; | |
267 | ||
268 | if ($flags !== false) { | |
269 | parent::init(); | |
270 | diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt | |
271 | index 1cb31cc..cc5fa9f 100644 | |
272 | --- a/ext/mysqli/tests/mysqli_constants.phpt | |
273 | +++ b/ext/mysqli/tests/mysqli_constants.phpt | |
274 | @@ -139,6 +139,9 @@ require_once('skipifconnectfailure.inc'); | |
275 | if ($version >= 50033 || $IS_MYSQLND) { | |
276 | $expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true; | |
277 | } | |
278 | + if ($IS_MYSQLND) { | |
279 | + $expected_constants['MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT'] = true; | |
280 | + } | |
281 | ||
282 | /* First introduced in MySQL 6.0, backported to MySQL 5.5 */ | |
283 | if ($version >= 50606 || $IS_MYSQLND) { | |
284 | diff --git a/ext/mysqlnd/mysqlnd.c b/ext/mysqlnd/mysqlnd.c | |
285 | index f008986..94a3149 100644 | |
286 | --- a/ext/mysqlnd/mysqlnd.c | |
287 | +++ b/ext/mysqlnd/mysqlnd.c | |
288 | @@ -472,6 +472,7 @@ mysqlnd_switch_to_ssl_if_needed( | |
289 | DBG_INF_FMT("CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA= %d", mysql_flags & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA? 1:0); | |
290 | DBG_INF_FMT("CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS= %d", mysql_flags & CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS? 1:0); | |
291 | DBG_INF_FMT("CLIENT_SESSION_TRACK= %d", mysql_flags & CLIENT_SESSION_TRACK? 1:0); | |
292 | + DBG_INF_FMT("CLIENT_SSL_DONT_VERIFY_SERVER_CERT= %d", mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT? 1:0); | |
293 | DBG_INF_FMT("CLIENT_SSL_VERIFY_SERVER_CERT= %d", mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? 1:0); | |
294 | DBG_INF_FMT("CLIENT_REMEMBER_OPTIONS= %d", mysql_flags & CLIENT_REMEMBER_OPTIONS? 1:0); | |
295 | ||
296 | @@ -495,7 +496,11 @@ mysqlnd_switch_to_ssl_if_needed( | |
297 | if (server_has_ssl == FALSE) { | |
298 | goto close_conn; | |
299 | } else { | |
300 | - zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? TRUE:FALSE; | |
301 | + enum mysqlnd_ssl_peer verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? | |
302 | + MYSQLND_SSL_PEER_VERIFY: | |
303 | + (mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT? | |
304 | + MYSQLND_SSL_PEER_DONT_VERIFY: | |
305 | + MYSQLND_SSL_PEER_DEFAULT); | |
306 | DBG_INF("Switching to SSL"); | |
307 | if (!PACKET_WRITE(auth_packet, conn)) { | |
308 | goto close_conn; | |
309 | diff --git a/ext/mysqlnd/mysqlnd_enum_n_def.h b/ext/mysqlnd/mysqlnd_enum_n_def.h | |
310 | index c1ede7e..9e29da2 100644 | |
311 | --- a/ext/mysqlnd/mysqlnd_enum_n_def.h | |
312 | +++ b/ext/mysqlnd/mysqlnd_enum_n_def.h | |
313 | @@ -101,6 +101,10 @@ | |
314 | #define CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA (1UL << 21) /* Enable authentication response packet to be larger than 255 bytes. */ | |
315 | #define CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS (1UL << 22) /* Don't close the connection for a connection with expired password. */ | |
316 | #define CLIENT_SESSION_TRACK (1UL << 23) /* Extended OK */ | |
317 | +/* | |
318 | + This is a mysqlnd extension. CLIENT_ODBC is not used anyway. We will reuse it for our case and translate it to not using SSL peer verification | |
319 | +*/ | |
320 | +#define CLIENT_SSL_DONT_VERIFY_SERVER_CERT CLIENT_ODBC | |
321 | #define CLIENT_SSL_VERIFY_SERVER_CERT (1UL << 30) | |
322 | #define CLIENT_REMEMBER_OPTIONS (1UL << 31) | |
323 | ||
324 | diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c | |
325 | index 7b164ac..3e8d099 100644 | |
326 | --- a/ext/mysqlnd/mysqlnd_net.c | |
327 | +++ b/ext/mysqlnd/mysqlnd_net.c | |
328 | @@ -798,8 +798,27 @@ MYSQLND_METHOD(mysqlnd_net, set_client_option)(MYSQLND_NET * const net, enum mys | |
329 | break; | |
330 | } | |
331 | case MYSQL_OPT_SSL_VERIFY_SERVER_CERT: | |
332 | - net->data->options.ssl_verify_peer = value? ((*(zend_bool *)value)? TRUE:FALSE): FALSE; | |
333 | + { | |
334 | + enum mysqlnd_ssl_peer val = *((enum mysqlnd_ssl_peer *)value); | |
335 | + switch (val) { | |
336 | + case MYSQLND_SSL_PEER_VERIFY: | |
337 | + DBG_INF("MYSQLND_SSL_PEER_VERIFY"); | |
338 | + break; | |
339 | + case MYSQLND_SSL_PEER_DONT_VERIFY: | |
340 | + DBG_INF("MYSQLND_SSL_PEER_DONT_VERIFY"); | |
341 | + break; | |
342 | + case MYSQLND_SSL_PEER_DEFAULT: | |
343 | + DBG_INF("MYSQLND_SSL_PEER_DEFAULT"); | |
344 | + val = MYSQLND_SSL_PEER_DEFAULT; | |
345 | + break; | |
346 | + default: | |
347 | + DBG_INF("default = MYSQLND_SSL_PEER_DEFAULT_ACTION"); | |
348 | + val = MYSQLND_SSL_PEER_DEFAULT; | |
349 | + break; | |
350 | + } | |
351 | + net->data->options.ssl_verify_peer = val; | |
352 | break; | |
353 | + } | |
354 | case MYSQL_OPT_READ_TIMEOUT: | |
355 | net->data->options.timeout_read = *(unsigned int*) value; | |
356 | break; | |
357 | @@ -886,6 +905,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC) | |
358 | #ifdef MYSQLND_SSL_SUPPORTED | |
359 | php_stream_context * context = php_stream_context_alloc(TSRMLS_C); | |
360 | php_stream * net_stream = net->data->m.get_stream(net TSRMLS_CC); | |
361 | + zend_bool any_flag = FALSE; | |
362 | ||
363 | DBG_ENTER("mysqlnd_net::enable_ssl"); | |
364 | if (!context) { | |
365 | @@ -896,12 +916,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC) | |
366 | zval key_zval; | |
367 | ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0); | |
368 | php_stream_context_set_option(context, "ssl", "local_pk", &key_zval); | |
369 | - } | |
370 | - { | |
371 | - zval verify_peer_zval; | |
372 | - ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer); | |
373 | - php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval); | |
374 | - php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval); | |
375 | + any_flag = TRUE; | |
376 | } | |
377 | if (net->data->options.ssl_cert) { | |
378 | zval cert_zval; | |
379 | @@ -910,27 +925,48 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC) | |
380 | if (!net->data->options.ssl_key) { | |
381 | php_stream_context_set_option(context, "ssl", "local_pk", &cert_zval); | |
382 | } | |
383 | + any_flag = TRUE; | |
384 | } | |
385 | if (net->data->options.ssl_ca) { | |
386 | zval cafile_zval; | |
387 | ZVAL_STRING(&cafile_zval, net->data->options.ssl_ca, 0); | |
388 | php_stream_context_set_option(context, "ssl", "cafile", &cafile_zval); | |
389 | + any_flag = TRUE; | |
390 | } | |
391 | if (net->data->options.ssl_capath) { | |
392 | zval capath_zval; | |
393 | ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0); | |
394 | php_stream_context_set_option(context, "ssl", "capath", &capath_zval); | |
395 | + any_flag = TRUE; | |
396 | } | |
397 | if (net->data->options.ssl_passphrase) { | |
398 | zval passphrase_zval; | |
399 | ZVAL_STRING(&passphrase_zval, net->data->options.ssl_passphrase, 0); | |
400 | php_stream_context_set_option(context, "ssl", "passphrase", &passphrase_zval); | |
401 | + any_flag = TRUE; | |
402 | } | |
403 | if (net->data->options.ssl_cipher) { | |
404 | zval cipher_zval; | |
405 | ZVAL_STRING(&cipher_zval, net->data->options.ssl_cipher, 0); | |
406 | php_stream_context_set_option(context, "ssl", "ciphers", &cipher_zval); | |
407 | + any_flag = TRUE; | |
408 | + } | |
409 | + { | |
410 | + zval verify_peer_zval; | |
411 | + zend_bool verify; | |
412 | + | |
413 | + if (net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_DEFAULT) { | |
414 | + net->data->options.ssl_verify_peer = any_flag? MYSQLND_SSL_PEER_DEFAULT_ACTION:MYSQLND_SSL_PEER_DONT_VERIFY; | |
415 | + } | |
416 | + | |
417 | + verify = net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_VERIFY? TRUE:FALSE; | |
418 | + | |
419 | + DBG_INF_FMT("VERIFY=%d", verify); | |
420 | + ZVAL_BOOL(&verify_peer_zval, verify); | |
421 | + php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval); | |
422 | + php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval); | |
423 | } | |
424 | + | |
425 | php_stream_context_set(net_stream, context); | |
426 | if (php_stream_xport_crypto_setup(net_stream, STREAM_CRYPTO_METHOD_TLS_CLIENT, NULL TSRMLS_CC) < 0 || | |
427 | php_stream_xport_crypto_enable(net_stream, 1 TSRMLS_CC) < 0) | |
428 | diff --git a/ext/mysqlnd/mysqlnd_structs.h b/ext/mysqlnd/mysqlnd_structs.h | |
429 | index 170c977..f5d0b47 100644 | |
430 | --- a/ext/mysqlnd/mysqlnd_structs.h | |
431 | +++ b/ext/mysqlnd/mysqlnd_structs.h | |
432 | @@ -207,7 +207,13 @@ typedef struct st_mysqlnd_net_options | |
433 | char *ssl_capath; | |
434 | char *ssl_cipher; | |
435 | char *ssl_passphrase; | |
436 | - zend_bool ssl_verify_peer; | |
437 | + enum mysqlnd_ssl_peer { | |
438 | + MYSQLND_SSL_PEER_DEFAULT = 0, | |
439 | + MYSQLND_SSL_PEER_VERIFY = 1, | |
440 | + MYSQLND_SSL_PEER_DONT_VERIFY = 2, | |
441 | + | |
442 | +#define MYSQLND_SSL_PEER_DEFAULT_ACTION MYSQLND_SSL_PEER_VERIFY | |
443 | + } ssl_verify_peer; | |
444 | uint64_t flags; | |
445 | ||
446 | char * sha256_server_public_key; | |
447 | @@ -219,6 +225,7 @@ typedef struct st_mysqlnd_net_options | |
448 | } MYSQLND_NET_OPTIONS; | |
449 | ||
450 | ||
451 | + | |
452 | typedef struct st_mysqlnd_connection MYSQLND; | |
453 | typedef struct st_mysqlnd_connection_data MYSQLND_CONN_DATA; | |
454 | typedef struct st_mysqlnd_net MYSQLND_NET; |