+++ /dev/null
-commit 8292260515a904b4d515484145c78f33a06ae1ae
-Author: Andrey Hristov <andrey@php.net>
-Date: Wed Oct 21 15:10:24 2015 +0200
-
- Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
-
-diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt
-index 78540f1..349d6db 100644
---- a/ext/mysqli/tests/bug51647.phpt
-+++ b/ext/mysqli/tests/bug51647.phpt
-@@ -65,9 +65,43 @@ $link->close();
- } else {
- if (!$row = $res->fetch_assoc())
- printf("[006] [%d] %s\n", $link->errno, $link->error);
-+ if (!strlen($row["Value"]))
-+ printf("[007] Empty cipher. No encrytion!");
- }
-
- var_dump($row);
-+ $link->close();
-+
-+ if (!is_object($link = mysqli_init()))
-+ printf("[008] Cannot create link\n");
-+
-+ if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL)) {
-+ printf("[009] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
-+ }
-+
-+ if (!$res = $link->query('SHOW STATUS like "Ssl_cipher"')) {
-+ if (1064 == $link->errno) {
-+ /* ERROR 1064 (42000): You have an error in your SQL syntax; = sql strict mode */
-+ if ($res = $link->query("SHOW STATUS")) {
-+ while ($row = $res->fetch_assoc())
-+ if ($row['Variable_name'] == 'Ssl_cipher')
-+ break;
-+ } else {
-+ printf("[010] [%d] %s\n", $link->errno, $link->error);
-+ }
-+ } else {
-+ printf("[011] [%d] %s\n", $link->errno, $link->error);
-+ }
-+ } else {
-+ if (!$row = $res->fetch_assoc())
-+ printf("[012] [%d] %s\n", $link->errno, $link->error);
-+ if (!strlen($row["Value"]))
-+ printf("[013] Empty cipher. No encrytion!");
-+ }
-+
-+ var_dump($row);
-+
-+ $link->close();
-
- print "done!";
- ?>
-@@ -78,4 +112,10 @@ array(2) {
- ["Value"]=>
- string(%d) "%S"
- }
-+array(2) {
-+ ["Variable_name"]=>
-+ string(10) "Ssl_cipher"
-+ ["Value"]=>
-+ string(%d) "%S"
-+}
- done!
-diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
-index 69f4b7a..4cbe9de 100644
---- a/ext/mysqlnd/mysqlnd_net.c
-+++ b/ext/mysqlnd/mysqlnd_net.c
-@@ -901,6 +901,12 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
- zval verify_peer_zval;
- ZVAL_TRUE(&verify_peer_zval);
- php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
-+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
-+ } else {
-+ zval verify_peer_zval;
-+ ZVAL_FALSE(&verify_peer_zval);
-+ php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
-+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
- }
- if (net->data->options.ssl_cert) {
- zval cert_zval;
-@@ -918,7 +924,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
- if (net->data->options.ssl_capath) {
- zval capath_zval;
- ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
-- php_stream_context_set_option(context, "ssl", "cafile", &capath_zval);
-+ php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
- }
- if (net->data->options.ssl_passphrase) {
- zval passphrase_zval;
-commit afd31489d0d9999f701467e99ef2b40794eed196
-Author: Andrey Hristov <andrey@php.net>
-Date: Thu Oct 22 11:48:53 2015 +0200
-
- Improve fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
-
-diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
-index e028d60..198ed83 100644
---- a/ext/mysqli/mysqli.c
-+++ b/ext/mysqli/mysqli.c
-@@ -715,6 +715,9 @@ PHP_MINIT_FUNCTION(mysqli)
- REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_IGNORE_SPACE", CLIENT_IGNORE_SPACE, CONST_CS | CONST_PERSISTENT);
- REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_NO_SCHEMA", CLIENT_NO_SCHEMA, CONST_CS | CONST_PERSISTENT);
- REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS | CONST_PERSISTENT);
-+#ifdef CLIENT_SSL_VERIFY_SERVER_CERT
-+ REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
-+#endif
- #if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) || defined(MYSQLI_USE_MYSQLND)
- REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
- REGISTER_LONG_CONSTANT("MYSQLI_OPT_CAN_HANDLE_EXPIRED_PASSWORDS", MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
-diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt
-index dd0f769..1cb31cc 100644
---- a/ext/mysqli/tests/mysqli_constants.phpt
-+++ b/ext/mysqli/tests/mysqli_constants.phpt
-@@ -136,6 +136,9 @@ require_once('skipifconnectfailure.inc');
- $expected_constants['MYSQLI_SERVER_QUERY_WAS_SLOW'] = true;
- }
-
-+ if ($version >= 50033 || $IS_MYSQLND) {
-+ $expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
-+ }
-
- /* First introduced in MySQL 6.0, backported to MySQL 5.5 */
- if ($version >= 50606 || $IS_MYSQLND) {
-diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
-index 4cbe9de..7b164ac 100644
---- a/ext/mysqlnd/mysqlnd_net.c
-+++ b/ext/mysqlnd/mysqlnd_net.c
-@@ -897,14 +897,9 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
- ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
- php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
- }
-- if (net->data->options.ssl_verify_peer) {
-- zval verify_peer_zval;
-- ZVAL_TRUE(&verify_peer_zval);
-- php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
-- php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
-- } else {
-+ {
- zval verify_peer_zval;
-- ZVAL_FALSE(&verify_peer_zval);
-+ ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer);
- php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
- php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
- }
-commit 6d51b7b2e3468601acdaaf9041c9131b5aa47f98
-Author: Andrey Hristov <andrey@php.net>
-Date: Tue Oct 27 12:59:09 2015 +0100
-
- Another Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
- Added the possibility to explicitly state that the peer certificate should not be checked.
- Back to the default - checking the certificate.
- Exported MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
- Usage : mysqli_real_connect( , , , , , MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)
-
- If mysqli_ssl_set() is not called, but only MYSQLI_CLIENT_SSL is passed, without the (don't) very flag,
- then no verification takes place.
-
-diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
-index 198ed83..5e40d19 100644
---- a/ext/mysqli/mysqli.c
-+++ b/ext/mysqli/mysqli.c
-@@ -717,6 +717,9 @@ PHP_MINIT_FUNCTION(mysqli)
- REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS | CONST_PERSISTENT);
- #ifdef CLIENT_SSL_VERIFY_SERVER_CERT
- REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
-+#if defined(MYSQLI_USE_MYSQLND)
-+ REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT", CLIENT_SSL_DONT_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
-+#endif
- #endif
- #if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) || defined(MYSQLI_USE_MYSQLND)
- REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
-diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt
-index 349d6db..7385538 100644
---- a/ext/mysqli/tests/bug51647.phpt
-+++ b/ext/mysqli/tests/bug51647.phpt
-@@ -41,11 +41,7 @@ $link->close();
- if (!is_object($link = mysqli_init()))
- printf("[001] Cannot create link\n");
-
-- $path_to_pems = !$IS_MYSQLND? "ext/mysqli/tests/" : "";
-- if (!$link->ssl_set("{$path_to_pems}client-key.pem", "{$path_to_pems}client-cert.pem", "{$path_to_pems}cacert.pem","",""))
-- printf("[002] [%d] %s\n", $link->errno, $link->error);
--
-- if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket)) {
-+ if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)) {
- printf("[003] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
- }
-
-@@ -67,9 +63,9 @@ $link->close();
- printf("[006] [%d] %s\n", $link->errno, $link->error);
- if (!strlen($row["Value"]))
- printf("[007] Empty cipher. No encrytion!");
-+ var_dump($row);
- }
-
-- var_dump($row);
- $link->close();
-
- if (!is_object($link = mysqli_init()))
-@@ -97,10 +93,9 @@ $link->close();
- printf("[012] [%d] %s\n", $link->errno, $link->error);
- if (!strlen($row["Value"]))
- printf("[013] Empty cipher. No encrytion!");
-+ var_dump($row);
- }
-
-- var_dump($row);
--
- $link->close();
-
- print "done!";
-diff --git a/ext/mysqli/tests/bug55283.phpt b/ext/mysqli/tests/bug55283.phpt
-index d03daae..a10c604 100644
---- a/ext/mysqli/tests/bug55283.phpt
-+++ b/ext/mysqli/tests/bug55283.phpt
-@@ -40,7 +40,7 @@ $link->close();
- $db1 = new mysqli();
-
-
-- $flags = MYSQLI_CLIENT_SSL;
-+ $flags = MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
-
- $link = mysqli_init();
- mysqli_ssl_set($link, null, null, null, null, "RC4-MD5");
-diff --git a/ext/mysqli/tests/connect.inc b/ext/mysqli/tests/connect.inc
-index 67ce60a..606d1d3 100644
---- a/ext/mysqli/tests/connect.inc
-+++ b/ext/mysqli/tests/connect.inc
-@@ -9,7 +9,7 @@
- $driver = new mysqli_driver;
-
- $host = getenv("MYSQL_TEST_HOST") ? getenv("MYSQL_TEST_HOST") : "127.0.0.1";
-- $port = getenv("MYSQL_TEST_PORT") ? getenv("MYSQL_TEST_PORT") : 3308;
-+ $port = getenv("MYSQL_TEST_PORT") ? getenv("MYSQL_TEST_PORT") : 3306;
- $user = getenv("MYSQL_TEST_USER") ? getenv("MYSQL_TEST_USER") : "root";
- $passwd = getenv("MYSQL_TEST_PASSWD") ? getenv("MYSQL_TEST_PASSWD") : "";
- $db = getenv("MYSQL_TEST_DB") ? getenv("MYSQL_TEST_DB") : "test";
-@@ -87,9 +87,8 @@
- function my_mysqli_connect($host, $user, $passwd, $db, $port, $socket, $enable_env_flags = true) {
- global $connect_flags;
-
-- $flags = ($enable_env_flags) ? $connect_flags : false;
--
-- if ($flags !== false) {
-+ $flags = $enable_env_flags? $connect_flags:0;
-+ if ($flags !== 0) {
- $link = mysqli_init();
- if (!mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, $flags))
- $link = false;
-@@ -109,7 +108,7 @@
- global $connect_flags;
-
- if ($enable_env_flags)
-- $flags & $connect_flags;
-+ $flags = $flags | $connect_flags;
-
- return mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, $flags);
- }
-@@ -118,7 +117,7 @@
- public function __construct($host, $user, $passwd, $db, $port, $socket, $enable_env_flags = true) {
- global $connect_flags;
-
-- $flags = ($enable_env_flags) ? $connect_flags : false;
-+ $flags = ($enable_env_flags) ? $connect_flags : 0;
-
- if ($flags !== false) {
- parent::init();
-diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt
-index 1cb31cc..cc5fa9f 100644
---- a/ext/mysqli/tests/mysqli_constants.phpt
-+++ b/ext/mysqli/tests/mysqli_constants.phpt
-@@ -139,6 +139,9 @@ require_once('skipifconnectfailure.inc');
- if ($version >= 50033 || $IS_MYSQLND) {
- $expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
- }
-+ if ($IS_MYSQLND) {
-+ $expected_constants['MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT'] = true;
-+ }
-
- /* First introduced in MySQL 6.0, backported to MySQL 5.5 */
- if ($version >= 50606 || $IS_MYSQLND) {
-diff --git a/ext/mysqlnd/mysqlnd.c b/ext/mysqlnd/mysqlnd.c
-index f008986..94a3149 100644
---- a/ext/mysqlnd/mysqlnd.c
-+++ b/ext/mysqlnd/mysqlnd.c
-@@ -472,6 +472,7 @@ mysqlnd_switch_to_ssl_if_needed(
- DBG_INF_FMT("CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA= %d", mysql_flags & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA? 1:0);
- DBG_INF_FMT("CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS= %d", mysql_flags & CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS? 1:0);
- DBG_INF_FMT("CLIENT_SESSION_TRACK= %d", mysql_flags & CLIENT_SESSION_TRACK? 1:0);
-+ DBG_INF_FMT("CLIENT_SSL_DONT_VERIFY_SERVER_CERT= %d", mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT? 1:0);
- DBG_INF_FMT("CLIENT_SSL_VERIFY_SERVER_CERT= %d", mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? 1:0);
- DBG_INF_FMT("CLIENT_REMEMBER_OPTIONS= %d", mysql_flags & CLIENT_REMEMBER_OPTIONS? 1:0);
-
-@@ -495,7 +496,11 @@ mysqlnd_switch_to_ssl_if_needed(
- if (server_has_ssl == FALSE) {
- goto close_conn;
- } else {
-- zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? TRUE:FALSE;
-+ enum mysqlnd_ssl_peer verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT?
-+ MYSQLND_SSL_PEER_VERIFY:
-+ (mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT?
-+ MYSQLND_SSL_PEER_DONT_VERIFY:
-+ MYSQLND_SSL_PEER_DEFAULT);
- DBG_INF("Switching to SSL");
- if (!PACKET_WRITE(auth_packet, conn)) {
- goto close_conn;
-diff --git a/ext/mysqlnd/mysqlnd_enum_n_def.h b/ext/mysqlnd/mysqlnd_enum_n_def.h
-index c1ede7e..9e29da2 100644
---- a/ext/mysqlnd/mysqlnd_enum_n_def.h
-+++ b/ext/mysqlnd/mysqlnd_enum_n_def.h
-@@ -101,6 +101,10 @@
- #define CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA (1UL << 21) /* Enable authentication response packet to be larger than 255 bytes. */
- #define CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS (1UL << 22) /* Don't close the connection for a connection with expired password. */
- #define CLIENT_SESSION_TRACK (1UL << 23) /* Extended OK */
-+/*
-+ This is a mysqlnd extension. CLIENT_ODBC is not used anyway. We will reuse it for our case and translate it to not using SSL peer verification
-+*/
-+#define CLIENT_SSL_DONT_VERIFY_SERVER_CERT CLIENT_ODBC
- #define CLIENT_SSL_VERIFY_SERVER_CERT (1UL << 30)
- #define CLIENT_REMEMBER_OPTIONS (1UL << 31)
-
-diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
-index 7b164ac..3e8d099 100644
---- a/ext/mysqlnd/mysqlnd_net.c
-+++ b/ext/mysqlnd/mysqlnd_net.c
-@@ -798,8 +798,27 @@ MYSQLND_METHOD(mysqlnd_net, set_client_option)(MYSQLND_NET * const net, enum mys
- break;
- }
- case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
-- net->data->options.ssl_verify_peer = value? ((*(zend_bool *)value)? TRUE:FALSE): FALSE;
-+ {
-+ enum mysqlnd_ssl_peer val = *((enum mysqlnd_ssl_peer *)value);
-+ switch (val) {
-+ case MYSQLND_SSL_PEER_VERIFY:
-+ DBG_INF("MYSQLND_SSL_PEER_VERIFY");
-+ break;
-+ case MYSQLND_SSL_PEER_DONT_VERIFY:
-+ DBG_INF("MYSQLND_SSL_PEER_DONT_VERIFY");
-+ break;
-+ case MYSQLND_SSL_PEER_DEFAULT:
-+ DBG_INF("MYSQLND_SSL_PEER_DEFAULT");
-+ val = MYSQLND_SSL_PEER_DEFAULT;
-+ break;
-+ default:
-+ DBG_INF("default = MYSQLND_SSL_PEER_DEFAULT_ACTION");
-+ val = MYSQLND_SSL_PEER_DEFAULT;
-+ break;
-+ }
-+ net->data->options.ssl_verify_peer = val;
- break;
-+ }
- case MYSQL_OPT_READ_TIMEOUT:
- net->data->options.timeout_read = *(unsigned int*) value;
- break;
-@@ -886,6 +905,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
- #ifdef MYSQLND_SSL_SUPPORTED
- php_stream_context * context = php_stream_context_alloc(TSRMLS_C);
- php_stream * net_stream = net->data->m.get_stream(net TSRMLS_CC);
-+ zend_bool any_flag = FALSE;
-
- DBG_ENTER("mysqlnd_net::enable_ssl");
- if (!context) {
-@@ -896,12 +916,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
- zval key_zval;
- ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
- php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
-- }
-- {
-- zval verify_peer_zval;
-- ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer);
-- php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
-- php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
-+ any_flag = TRUE;
- }
- if (net->data->options.ssl_cert) {
- zval cert_zval;
-@@ -910,27 +925,48 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
- if (!net->data->options.ssl_key) {
- php_stream_context_set_option(context, "ssl", "local_pk", &cert_zval);
- }
-+ any_flag = TRUE;
- }
- if (net->data->options.ssl_ca) {
- zval cafile_zval;
- ZVAL_STRING(&cafile_zval, net->data->options.ssl_ca, 0);
- php_stream_context_set_option(context, "ssl", "cafile", &cafile_zval);
-+ any_flag = TRUE;
- }
- if (net->data->options.ssl_capath) {
- zval capath_zval;
- ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
- php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
-+ any_flag = TRUE;
- }
- if (net->data->options.ssl_passphrase) {
- zval passphrase_zval;
- ZVAL_STRING(&passphrase_zval, net->data->options.ssl_passphrase, 0);
- php_stream_context_set_option(context, "ssl", "passphrase", &passphrase_zval);
-+ any_flag = TRUE;
- }
- if (net->data->options.ssl_cipher) {
- zval cipher_zval;
- ZVAL_STRING(&cipher_zval, net->data->options.ssl_cipher, 0);
- php_stream_context_set_option(context, "ssl", "ciphers", &cipher_zval);
-+ any_flag = TRUE;
-+ }
-+ {
-+ zval verify_peer_zval;
-+ zend_bool verify;
-+
-+ if (net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_DEFAULT) {
-+ net->data->options.ssl_verify_peer = any_flag? MYSQLND_SSL_PEER_DEFAULT_ACTION:MYSQLND_SSL_PEER_DONT_VERIFY;
-+ }
-+
-+ verify = net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_VERIFY? TRUE:FALSE;
-+
-+ DBG_INF_FMT("VERIFY=%d", verify);
-+ ZVAL_BOOL(&verify_peer_zval, verify);
-+ php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
-+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
- }
-+
- php_stream_context_set(net_stream, context);
- if (php_stream_xport_crypto_setup(net_stream, STREAM_CRYPTO_METHOD_TLS_CLIENT, NULL TSRMLS_CC) < 0 ||
- php_stream_xport_crypto_enable(net_stream, 1 TSRMLS_CC) < 0)
-diff --git a/ext/mysqlnd/mysqlnd_structs.h b/ext/mysqlnd/mysqlnd_structs.h
-index 170c977..f5d0b47 100644
---- a/ext/mysqlnd/mysqlnd_structs.h
-+++ b/ext/mysqlnd/mysqlnd_structs.h
-@@ -207,7 +207,13 @@ typedef struct st_mysqlnd_net_options
- char *ssl_capath;
- char *ssl_cipher;
- char *ssl_passphrase;
-- zend_bool ssl_verify_peer;
-+ enum mysqlnd_ssl_peer {
-+ MYSQLND_SSL_PEER_DEFAULT = 0,
-+ MYSQLND_SSL_PEER_VERIFY = 1,
-+ MYSQLND_SSL_PEER_DONT_VERIFY = 2,
-+
-+#define MYSQLND_SSL_PEER_DEFAULT_ACTION MYSQLND_SSL_PEER_VERIFY
-+ } ssl_verify_peer;
- uint64_t flags;
-
- char * sha256_server_public_key;
-@@ -219,6 +225,7 @@ typedef struct st_mysqlnd_net_options
- } MYSQLND_NET_OPTIONS;
-
-
-+
- typedef struct st_mysqlnd_connection MYSQLND;
- typedef struct st_mysqlnd_connection_data MYSQLND_CONN_DATA;
- typedef struct st_mysqlnd_net MYSQLND_NET;
projects / packages / php.git / commitdiff