Commit | Line | Data |
---|---|---|
a0d270c5 AM |
1 | commit 8292260515a904b4d515484145c78f33a06ae1ae |
2 | Author: Andrey Hristov <andrey@php.net> | |
3 | Date: Wed Oct 21 15:10:24 2015 +0200 | |
4 | ||
5 | Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation | |
6 | ||
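--- a/ext/mysqli/tests/bug51647.phpt
+++ b/ext/mysqli/tests/bug51647.phpt
@@ -65,9 +65,43 @@ $link->close();
 } else {
 if (!$row = $res->fetch_assoc())
 printf("[006] [%d] %s\n", $link->errno, $link->error);
+ if (!strlen($row["Value"]))
+ printf("[007] Empty cipher. No encrytion!");
 }
 
 var_dump($row);
+ $link->close();
+
+ if (!is_object($link = mysqli_init()))
+ printf("[008] Cannot create link\n");
+
+ if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL)) {
+ printf("[009] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
+ }
+
+ if (!$res = $link->query('SHOW STATUS like "Ssl_cipher"')) {
+ if (1064 == $link->errno) {
+ /* ERROR 1064 (42000): You have an error in your SQL syntax; = sql strict mode */
+ if ($res = $link->query("SHOW STATUS")) {
+ while ($row = $res->fetch_assoc())
+ if ($row['Variable_name'] == 'Ssl_cipher')
+ break;
+ } else {
+ printf("[010] [%d] %s\n", $link->errno, $link->error);
+ }
+ } else {
+ printf("[011] [%d] %s\n", $link->errno, $link->error);
+ }
+ } else {
+ if (!$row = $res->fetch_assoc())
+ printf("[012] [%d] %s\n", $link->errno, $link->error);
+ if (!strlen($row["Value"]))
+ printf("[013] Empty cipher. No encrytion!");
+ }
+
+ var_dump($row);
+
+ $link->close();
 
 print "done!";
 ?>
@@ -78,4 +112,10 @@ array(2) {
 ["Value"]=>
 string(%d) "%S"
 }
+array(2) {
+ ["Variable_name"]=>
+ string(10) "Ssl_cipher"
+ ["Value"]=>
+ string(%d) "%S"
+}
 done!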
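Review bot: The block added after the first `var_dump($row)` only asserts that `Ssl_cipher` is non-empty on a plain `MYSQLI_CLIENT_SSL` connection, so the test proves encryption is negotiated but never exercises the verification switch that Bug #68344 is about. No case here shows a connection being refused when verification is requested and the server certificate does not validate, nor one succeeding with verification left off. A marker at the second connect would keep that gap visible: `/* TODO: add a case with MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT against a certificate that must fail verification */`. Separately, after `[008]` or `[009]` is printed the script still calls `$link->query(...)` on the unusable link, so a connect failure is followed by unrelated errors; ending the test at `[009]` would keep the failure output readable.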
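--- a/ext/mysqlnd/mysqlnd_net.c
+++ b/ext/mysqlnd/mysqlnd_net.c
@@ -901,6 +901,12 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 zval verify_peer_zval;
 ZVAL_TRUE(&verify_peer_zval);
 php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
+ } else {
+ zval verify_peer_zval;
+ ZVAL_FALSE(&verify_peer_zval);
+ php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
 }
 if (net->data->options.ssl_cert) {
 zval cert_zval;
@@ -918,7 +924,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 if (net->data->options.ssl_capath) {
 zval capath_zval;
 ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
- php_stream_context_set_option(context, "ssl", "cafile", &capath_zval);
+ php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
 }
 if (net->data->options.ssl_passphrase) {
 zval passphrase_zval;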
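Review bot: The new `else` branch in the first hunk explicitly sets both `verify_peer` and `verify_peer_name` to false, so any connection that does not set the option tested by the enclosing `if` is encrypted but does not authenticate the server, leaving it open to interception by whoever can sit on the network path. The `if` condition is above the hunk; the removed lines of the later hunk at -897 show it is `net->data->options.ssl_verify_peer`. This is the behaviour the bug asks for, but it makes verification opt-in and nothing in the code says so; a comment at the `else` would keep the trade-off visible, for example `/* verification is opt-in: without ssl_verify_peer neither the certificate chain nor the host name is checked */`. The follow-up hunk at -897 folds both branches into one `ZVAL_BOOL` and keeps the same default, so the comment belongs there as well. enable_ssl starts and ends outside both hunks.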
92 | commit afd31489d0d9999f701467e99ef2b40794eed196 | |
93 | Author: Andrey Hristov <andrey@php.net> | |
94 | Date: Thu Oct 22 11:48:53 2015 +0200 | |
95 | ||
96 | Improve fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation | |
18d0d716 | 97 | |
a0d270c5 AM |
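--- a/ext/mysqli/mysqli.c
+++ b/ext/mysqli/mysqli.c
@@ -715,6 +715,9 @@ PHP_MINIT_FUNCTION(mysqli)
 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_IGNORE_SPACE", CLIENT_IGNORE_SPACE, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_NO_SCHEMA", CLIENT_NO_SCHEMA, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS | CONST_PERSISTENT);
+#ifdef CLIENT_SSL_VERIFY_SERVER_CERT
+ REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
+#endif
 #if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) || defined(MYSQLI_USE_MYSQLND)
 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("MYSQLI_OPT_CAN_HANDLE_EXPIRED_PASSWORDS", MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);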
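Review bot: Nothing in the visible hunks connects the newly registered `MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT` to `net->data->options.ssl_verify_peer`, which is the only value `enable_ssl` consults in this patch, so from the diff alone it is unclear whether passing the flag actually turns verification on. If the mapping lives in code outside this patch, a comment above the `#ifdef` would save readers the search, e.g. `/* connect flag; maps to mysqlnd ssl_verify_peer (TODO confirm where) */`. The registration is also conditional on `CLIENT_SSL_VERIFY_SERVER_CERT` being defined, so on a build without the macro the constant does not exist and a script cannot request verification this way; that dependency is worth stating next to the constant. PHP_MINIT_FUNCTION(mysqli) starts and ends outside the hunk.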
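--- a/ext/mysqli/tests/mysqli_constants.phpt
+++ b/ext/mysqli/tests/mysqli_constants.phpt
@@ -136,6 +136,9 @@ require_once('skipifconnectfailure.inc');
 $expected_constants['MYSQLI_SERVER_QUERY_WAS_SLOW'] = true;
 }
 
+ if ($version >= 50033 || $IS_MYSQLND) {
+ $expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
+ }
 
 /* First introduced in MySQL 6.0, backported to MySQL 5.5 */
 if ($version >= 50606 || $IS_MYSQLND) {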
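Review bot: The expectation added before the `First introduced in MySQL 6.0` comment is keyed on `$version >= 50033 || $IS_MYSQLND`, while the registration in ext/mysqli/mysqli.c is guarded only by `#ifdef CLIENT_SSL_VERIFY_SERVER_CERT`. The two conditions agree only if the macro is defined in exactly those builds, which the patch does not show. Unlike the neighbouring blocks, this one has no comment saying where the threshold comes from; a line such as `/* CLIENT_SSL_VERIFY_SERVER_CERT: libmysql 5.0.33+ (TODO confirm) or mysqlnd */` would let a reader check the test against the C guard.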
126 | diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c | |
127 | index 4cbe9de..7b164ac 100644 | |
128 | --- a/ext/mysqlnd/mysqlnd_net.c | |
129 | +++ b/ext/mysqlnd/mysqlnd_net.c | |
130 | @@ -897,14 +897,9 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC) | |
131 | ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0); | |
132 | php_stream_context_set_option(context, "ssl", "local_pk", &key_zval); | |
133 | } | |
134 | - if (net->data->options.ssl_verify_peer) { | |
135 | - zval verify_peer_zval; | |
136 | - ZVAL_TRUE(&verify_peer_zval); | |
137 | - php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval); | |
138 | - php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval); | |
139 | - } else { | |
140 | + { | |
141 | zval verify_peer_zval; | |
142 | - ZVAL_FALSE(&verify_peer_zval); | |
143 | + ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer); | |
144 | php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval); | |
145 | php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval); | |
146 | } |