[packages/php.git] / php-mysql-ssl-context.patch

commit 8292260515a904b4d515484145c78f33a06ae1ae
Author: Andrey Hristov <andrey@php.net>
Date:   Wed Oct 21 15:10:24 2015 +0200

    Fix for Bug #68344 	MySQLi does not provide way to disable peer certificate validation

diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt
index 78540f1..349d6db 100644
--- a/ext/mysqli/tests/bug51647.phpt
+++ b/ext/mysqli/tests/bug51647.phpt
@@ -65,9 +65,43 @@ $link->close();
 	} else {
 		if (!$row = $res->fetch_assoc())
 			printf("[006] [%d] %s\n", $link->errno, $link->error);
+		if (!strlen($row["Value"]))
+			printf("[007] Empty cipher. No encrytion!");
 	}
 
 	var_dump($row);
+	$link->close();
+
+	if (!is_object($link = mysqli_init()))
+		printf("[008] Cannot create link\n");
+
+	if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL)) {
+		printf("[009] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
+	}
+
+	if (!$res = $link->query('SHOW STATUS like "Ssl_cipher"')) {
+		if (1064 == $link->errno) {
+			/* ERROR 1064 (42000): You have an error in your SQL syntax;  = sql strict mode */
+			if ($res = $link->query("SHOW STATUS")) {
+				while ($row = $res->fetch_assoc())
+					if ($row['Variable_name'] == 'Ssl_cipher')
+						break;
+			} else {
+				printf("[010] [%d] %s\n", $link->errno, $link->error);
+			}
+		} else {
+			printf("[011] [%d] %s\n", $link->errno, $link->error);
+		}
+	} else {
+		if (!$row = $res->fetch_assoc())
+			printf("[012] [%d] %s\n", $link->errno, $link->error);
+		if (!strlen($row["Value"]))
+			printf("[013] Empty cipher. No encrytion!");
+	}
+
+	var_dump($row);
+
+	$link->close();
 
 	print "done!";
 ?>
@@ -78,4 +112,10 @@ array(2) {
   ["Value"]=>
   string(%d) "%S"
 }
+array(2) {
+  ["Variable_name"]=>
+  string(10) "Ssl_cipher"
+  ["Value"]=>
+  string(%d) "%S"
+}
 done!
diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
index 69f4b7a..4cbe9de 100644
--- a/ext/mysqlnd/mysqlnd_net.c
+++ b/ext/mysqlnd/mysqlnd_net.c
@@ -901,6 +901,12 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 		zval verify_peer_zval;
 		ZVAL_TRUE(&verify_peer_zval);
 		php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+		php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
+	} else {
+		zval verify_peer_zval;
+		ZVAL_FALSE(&verify_peer_zval);
+		php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+		php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
 	}
 	if (net->data->options.ssl_cert) {
 		zval cert_zval;
@@ -918,7 +924,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 	if (net->data->options.ssl_capath) {
 		zval capath_zval;
 		ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
-		php_stream_context_set_option(context, "ssl", "cafile", &capath_zval);
+		php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
 	}
 	if (net->data->options.ssl_passphrase) {
 		zval passphrase_zval;
commit afd31489d0d9999f701467e99ef2b40794eed196
Author: Andrey Hristov <andrey@php.net>
Date:   Thu Oct 22 11:48:53 2015 +0200

    Improve fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation

diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
index e028d60..198ed83 100644
--- a/ext/mysqli/mysqli.c
+++ b/ext/mysqli/mysqli.c
@@ -715,6 +715,9 @@ PHP_MINIT_FUNCTION(mysqli)
 	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_IGNORE_SPACE", CLIENT_IGNORE_SPACE, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_NO_SCHEMA", CLIENT_NO_SCHEMA, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS | CONST_PERSISTENT);
+#ifdef CLIENT_SSL_VERIFY_SERVER_CERT
+	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
+#endif
 #if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) || defined(MYSQLI_USE_MYSQLND)
 	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("MYSQLI_OPT_CAN_HANDLE_EXPIRED_PASSWORDS", MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt
index dd0f769..1cb31cc 100644
--- a/ext/mysqli/tests/mysqli_constants.phpt
+++ b/ext/mysqli/tests/mysqli_constants.phpt
@@ -136,6 +136,9 @@ require_once('skipifconnectfailure.inc');
 		$expected_constants['MYSQLI_SERVER_QUERY_WAS_SLOW'] = true;
 	}
 
+	if ($version >= 50033 || $IS_MYSQLND) {
+		$expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
+	}
 
 	/* First introduced in MySQL 6.0, backported to MySQL 5.5 */
 	if ($version >= 50606 || $IS_MYSQLND) {
diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
index 4cbe9de..7b164ac 100644
--- a/ext/mysqlnd/mysqlnd_net.c
+++ b/ext/mysqlnd/mysqlnd_net.c
@@ -897,14 +897,9 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 		ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
 		php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
 	}
-	if (net->data->options.ssl_verify_peer) {
-		zval verify_peer_zval;
-		ZVAL_TRUE(&verify_peer_zval);
-		php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
-		php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
-	} else {
+	{
 		zval verify_peer_zval;
-		ZVAL_FALSE(&verify_peer_zval);
+		ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer);
 		php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
 		php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
 	}
Commit	Line	Data
a0d270c5 AM	1	commit 8292260515a904b4d515484145c78f33a06ae1ae
	2	Author: Andrey Hristov <andrey@php.net>
	3	Date: Wed Oct 21 15:10:24 2015 +0200
	4
	5	Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
	6
	7	diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt
	8	index 78540f1..349d6db 100644
	9	--- a/ext/mysqli/tests/bug51647.phpt
	10	+++ b/ext/mysqli/tests/bug51647.phpt
	11	@@ -65,9 +65,43 @@ $link->close();
	12	} else {
	13	if (!$row = $res->fetch_assoc())
	14	printf("[006] [%d] %s\n", $link->errno, $link->error);
	15	+ if (!strlen($row["Value"]))
	16	+ printf("[007] Empty cipher. No encrytion!");
18d0d716 AM	17	}
18d0d716 AM	18
a0d270c5 AM	19	var_dump($row);
	20	+ $link->close();
	21	+
	22	+ if (!is_object($link = mysqli_init()))
	23	+ printf("[008] Cannot create link\n");
	24	+
	25	+ if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL)) {
	26	+ printf("[009] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
	27	+ }
	28	+
	29	+ if (!$res = $link->query('SHOW STATUS like "Ssl_cipher"')) {
	30	+ if (1064 == $link->errno) {
	31	+ /* ERROR 1064 (42000): You have an error in your SQL syntax; = sql strict mode */
	32	+ if ($res = $link->query("SHOW STATUS")) {
	33	+ while ($row = $res->fetch_assoc())
	34	+ if ($row['Variable_name'] == 'Ssl_cipher')
	35	+ break;
	36	+ } else {
	37	+ printf("[010] [%d] %s\n", $link->errno, $link->error);
	38	+ }
	39	+ } else {
	40	+ printf("[011] [%d] %s\n", $link->errno, $link->error);
18d0d716	41	+ }
a0d270c5 AM	42	+ } else {
	43	+ if (!$row = $res->fetch_assoc())
	44	+ printf("[012] [%d] %s\n", $link->errno, $link->error);
	45	+ if (!strlen($row["Value"]))
	46	+ printf("[013] Empty cipher. No encrytion!");
18d0d716 AM	47	+ }
18d0d716 AM	48	+
a0d270c5 AM	49	+ var_dump($row);
	50	+
	51	+ $link->close();
	52
	53	print "done!";
	54	?>
	55	@@ -78,4 +112,10 @@ array(2) {
	56	["Value"]=>
	57	string(%d) "%S"
	58	}
	59	+array(2) {
	60	+ ["Variable_name"]=>
	61	+ string(10) "Ssl_cipher"
	62	+ ["Value"]=>
	63	+ string(%d) "%S"
	64	+}
	65	done!
	66	diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
	67	index 69f4b7a..4cbe9de 100644
	68	--- a/ext/mysqlnd/mysqlnd_net.c
	69	+++ b/ext/mysqlnd/mysqlnd_net.c
	70	@@ -901,6 +901,12 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
	71	zval verify_peer_zval;
	72	ZVAL_TRUE(&verify_peer_zval);
	73	php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
	74	+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
	75	+ } else {
	76	+ zval verify_peer_zval;
	77	+ ZVAL_FALSE(&verify_peer_zval);
	78	+ php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
	79	+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
	80	}
	81	if (net->data->options.ssl_cert) {
	82	zval cert_zval;
	83	@@ -918,7 +924,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
	84	if (net->data->options.ssl_capath) {
	85	zval capath_zval;
	86	ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
	87	- php_stream_context_set_option(context, "ssl", "cafile", &capath_zval);
	88	+ php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
	89	}
	90	if (net->data->options.ssl_passphrase) {
	91	zval passphrase_zval;
	92	commit afd31489d0d9999f701467e99ef2b40794eed196
	93	Author: Andrey Hristov <andrey@php.net>
	94	Date: Thu Oct 22 11:48:53 2015 +0200
	95
	96	Improve fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
18d0d716	97
a0d270c5 AM	98	diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
	99	index e028d60..198ed83 100644
	100	--- a/ext/mysqli/mysqli.c
	101	+++ b/ext/mysqli/mysqli.c
	102	@@ -715,6 +715,9 @@ PHP_MINIT_FUNCTION(mysqli)
	103	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_IGNORE_SPACE", CLIENT_IGNORE_SPACE, CONST_CS \| CONST_PERSISTENT);
	104	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_NO_SCHEMA", CLIENT_NO_SCHEMA, CONST_CS \| CONST_PERSISTENT);
	105	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS \| CONST_PERSISTENT);
	106	+#ifdef CLIENT_SSL_VERIFY_SERVER_CERT
	107	+ REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS \| CONST_PERSISTENT);
	108	+#endif
	109	#if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) \|\| defined(MYSQLI_USE_MYSQLND)
	110	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS \| CONST_PERSISTENT);
	111	REGISTER_LONG_CONSTANT("MYSQLI_OPT_CAN_HANDLE_EXPIRED_PASSWORDS", MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS \| CONST_PERSISTENT);
	112	diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt
	113	index dd0f769..1cb31cc 100644
	114	--- a/ext/mysqli/tests/mysqli_constants.phpt
	115	+++ b/ext/mysqli/tests/mysqli_constants.phpt
	116	@@ -136,6 +136,9 @@ require_once('skipifconnectfailure.inc');
	117	$expected_constants['MYSQLI_SERVER_QUERY_WAS_SLOW'] = true;
	118	}
	119
	120	+ if ($version >= 50033 \|\| $IS_MYSQLND) {
	121	+ $expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
	122	+ }
	123
	124	/* First introduced in MySQL 6.0, backported to MySQL 5.5 */
	125	if ($version >= 50606 \|\| $IS_MYSQLND) {
	126	diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
	127	index 4cbe9de..7b164ac 100644
	128	--- a/ext/mysqlnd/mysqlnd_net.c
	129	+++ b/ext/mysqlnd/mysqlnd_net.c
	130	@@ -897,14 +897,9 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
	131	ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
	132	php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
	133	}
	134	- if (net->data->options.ssl_verify_peer) {
	135	- zval verify_peer_zval;
	136	- ZVAL_TRUE(&verify_peer_zval);
	137	- php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
	138	- php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
	139	- } else {
	140	+ {
	141	zval verify_peer_zval;
	142	- ZVAL_FALSE(&verify_peer_zval);
	143	+ ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer);
	144	php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
	145	php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
	146	}