From b2f34721ab3964a1b1af71a6d6a8ec98cbc3ec7a Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Fri, 23 Jan 2026 19:21:44 +0100 Subject: [PATCH 01/17] Fix crash in openssl_digest() when EVP_MD_CTX_create() fails EVP_DigestInit() cannot handle a NULL argument: ``` ==8028==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7fade0826b2d bp 0x7ffcae8236f0 sp 0x7ffcae8236c0 T0) ==8028==The signal is caused by a READ memory access. ==8028==Hint: address points to the zero page. #0 0x7fade0826b2d (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1e3b2d) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #1 0x5584fb314601 in zif_openssl_digest /work/php-src/ext/openssl/openssl.c:4459 #2 0x5584fc0b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 #3 0x5584fc3e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 #4 0x5584fc540995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 #5 0x5584fc5558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 #6 0x5584fc6ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 #7 0x5584fc0ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 #8 0x5584fc0ecccb in php_execute_script /work/php-src/main/main.c:2685 #9 0x5584fc6bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 #10 0x5584fc6c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 #11 0x7fade02c51c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #12 0x7fade02c528a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #13 0x5584fb209b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) ``` Closes GH-21019. --- ext/openssl/openssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index c1545dba203f..27cf106e93a7 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -7670,7 +7670,8 @@ PHP_FUNCTION(openssl_digest) sigbuf = zend_string_alloc(siglen, 0); md_ctx = EVP_MD_CTX_create(); - if (EVP_DigestInit(md_ctx, mdtype) && + if (md_ctx && + EVP_DigestInit(md_ctx, mdtype) && EVP_DigestUpdate(md_ctx, (unsigned char *)data, data_len) && EVP_DigestFinal (md_ctx, (unsigned char *)ZSTR_VAL(sigbuf), &siglen)) { if (raw_output) { From d0d9183d9d00aafe57d33872b3430a9a33d39e4e Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Fri, 23 Jan 2026 22:38:08 +0100 Subject: [PATCH 02/17] Fix crash in openssl_pkey_export() when BIO_new() fails ``` ==59541==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f9fafba9b69 bp 0x7ffe3fd87700 sp 0x7ffe3fd876e8 T0) ==59541==The signal is caused by a WRITE memory access. ==59541==Hint: address points to the zero page. #0 0x7f9fafba9b69 in BIO_up_ref (/lib/x86_64-linux-gnu/libcrypto.so.3+0xedb69) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #1 0x7f9fafbb4ac2 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xf8ac2) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #2 0x7f9fafc886f0 (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1cc6f0) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #3 0x7f9fafc88aa6 in OSSL_ENCODER_to_bio (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1ccaa6) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #4 0x7f9fafdaeadf in PEM_write_bio_PrivateKey_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2adf) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #5 0x7f9fafdaebc7 in PEM_write_bio_PrivateKey (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2bc7) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #6 0x555dbe4ff75f in zif_openssl_pkey_export /work/php-src/ext/openssl/openssl.c:2216 #7 0x555dbf2b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 #8 0x555dbf5e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 #9 0x555dbf740995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 #10 0x555dbf7558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 #11 0x555dbf8ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 #12 0x555dbf2ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 #13 0x555dbf2ecccb in php_execute_script /work/php-src/main/main.c:2685 #14 0x555dbf8bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 #15 0x555dbf8c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 #16 0x7f9faf73e1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #17 0x7f9faf73e28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #18 0x555dbe409b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) ``` Closes GH-21021. --- ext/openssl/openssl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 27cf106e93a7..05eef77c6817 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -5026,6 +5026,10 @@ PHP_FUNCTION(openssl_pkey_export) if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) { bio_out = BIO_new(BIO_s_mem()); + if (!bio_out) { + php_openssl_store_errors(); + goto cleanup; + } if (passphrase && req.priv_key_encrypt) { if (req.priv_key_encrypt_cipher) { @@ -5054,6 +5058,7 @@ PHP_FUNCTION(openssl_pkey_export) php_openssl_store_errors(); } } +cleanup: PHP_SSL_REQ_DISPOSE(&req); EVP_PKEY_free(key); BIO_free(bio_out); From 5f9b6ed83405717bf85e07e27320a24f704f0a80 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Fri, 23 Jan 2026 22:41:51 +0100 Subject: [PATCH 03/17] Fix crash in openssl_pkcs12_read() when BIO_new() fails Example ASAN report: ``` ==55442==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f73a6413b69 bp 0x7ffe666f6010 sp 0x7ffe666f5ff8 T0) ==55442==The signal is caused by a WRITE memory access. ==55442==Hint: address points to the zero page. #0 0x7f73a6413b69 in BIO_up_ref (/lib/x86_64-linux-gnu/libcrypto.so.3+0xedb69) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #1 0x7f73a641eac2 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xf8ac2) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #2 0x7f73a64f26f0 (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1cc6f0) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #3 0x7f73a64f2aa6 in OSSL_ENCODER_to_bio (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1ccaa6) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #4 0x7f73a6618adf in PEM_write_bio_PrivateKey_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2adf) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #5 0x7f73a6618bc7 in PEM_write_bio_PrivateKey (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2bc7) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #6 0x559b16af882b in zif_openssl_pkcs12_read /work/php-src/ext/openssl/openssl.c:1520 #7 0x559b178b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 #8 0x559b17be024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 #9 0x559b17d40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 #10 0x559b17d558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 #11 0x559b17eba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 #12 0x559b178ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 #13 0x559b178ecccb in php_execute_script /work/php-src/main/main.c:2685 #14 0x559b17ebfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 #15 0x559b17ec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 #16 0x7f73a5fa81c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #17 0x7f73a5fa828a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #18 0x559b16a09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) ``` Closes GH-21022. --- ext/openssl/openssl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 05eef77c6817..30ac08397edd 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -2856,7 +2856,7 @@ PHP_FUNCTION(openssl_pkcs12_read) if (cert) { bio_out = BIO_new(BIO_s_mem()); - if (PEM_write_bio_X509(bio_out, cert)) { + if (bio_out && PEM_write_bio_X509(bio_out, cert)) { BUF_MEM *bio_buf; BIO_get_mem_ptr(bio_out, &bio_buf); ZVAL_STRINGL(&zcert, bio_buf->data, bio_buf->length); @@ -2869,7 +2869,7 @@ PHP_FUNCTION(openssl_pkcs12_read) if (pkey) { bio_out = BIO_new(BIO_s_mem()); - if (PEM_write_bio_PrivateKey(bio_out, pkey, NULL, NULL, 0, 0, NULL)) { + if (bio_out && PEM_write_bio_PrivateKey(bio_out, pkey, NULL, NULL, 0, 0, NULL)) { BUF_MEM *bio_buf; BIO_get_mem_ptr(bio_out, &bio_buf); ZVAL_STRINGL(&zpkey, bio_buf->data, bio_buf->length); @@ -2890,7 +2890,7 @@ PHP_FUNCTION(openssl_pkcs12_read) if (!aCA) break; bio_out = BIO_new(BIO_s_mem()); - if (PEM_write_bio_X509(bio_out, aCA)) { + if (bio_out && PEM_write_bio_X509(bio_out, aCA)) { BUF_MEM *bio_buf; BIO_get_mem_ptr(bio_out, &bio_buf); ZVAL_STRINGL(&zextracert, bio_buf->data, bio_buf->length); From 1ef9aa7e32fede48941c36144fb9eb8faf587033 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Sat, 24 Jan 2026 17:55:55 +0100 Subject: [PATCH 04/17] Fix crash in php_openssl_create_sni_server_ctx() when SSL_CTX_new() fails ``` ==41743==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000090 (pc 0x557f134d3acf bp 0x7ffd4d5bc1f0 sp 0x7ffd4d5bb870 T0) ==41743==The signal is caused by a READ memory access. ==41743==Hint: address points to the zero page. #0 0x557f134d3acf in php_stream_url_wrap_http_ex /work/php-src/ext/standard/http_fopen_wrapper.c:580 #1 0x557f134d857e in php_stream_url_wrap_http /work/php-src/ext/standard/http_fopen_wrapper.c:1204 #2 0x557f1375073d in _php_stream_open_wrapper_ex /work/php-src/main/streams/streams.c:2270 #3 0x557f13478fa6 in zif_file_get_contents /work/php-src/ext/standard/file.c:409 #4 0x557f131bfe39 in zif_phar_file_get_contents /work/php-src/ext/phar/func_interceptors.c:226 #5 0x557f136b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 #6 0x557f139e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 #7 0x557f13b40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 #8 0x557f13b558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 #9 0x557f13cba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 #10 0x557f136ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 #11 0x557f136ecccb in php_execute_script /work/php-src/main/main.c:2685 #12 0x557f13cbfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 #13 0x557f13cc21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 #14 0x7f14599cd1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #15 0x7f14599cd28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #16 0x557f12809b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) ``` Closes GH-21026. --- ext/openssl/xp_ssl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index 60477094a1b6..1bc5c8c1e67b 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -1416,6 +1416,10 @@ static SSL_CTX *php_openssl_create_sni_server_ctx(char *cert_path, char *key_pat /* The hello method is not inherited by SSL structs when assigning a new context * inside the SNI callback, so the just use SSLv23 */ SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method()); + if (!ctx) { + php_error_docref(NULL, E_WARNING, "Failed to create the SSL context"); + return NULL; + } if (SSL_CTX_use_certificate_chain_file(ctx, cert_path) != 1) { php_error_docref(NULL, E_WARNING, From 20903a8485161b969ceacc75de1dd74198e91fea Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Tue, 27 Jan 2026 22:44:12 +0100 Subject: [PATCH 05/17] Fix memory leak on error path in openssl_open() `pkey` must be released after it was allocated on the error paths. Otherwise we get leaks like this: ``` Direct leak of 32 byte(s) in 1 object(s) allocated from: #0 0x7ff8d76a1340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 #1 0x7ff8d7189136 in EVP_PKEY_new evp/p_lib.c:385 #2 0x7ff8d71178e4 in d2i_PrivateKey asn1/a_pkey.c:80 #3 0x7ff8d719ed07 in PEM_read_bio_PrivateKey pem/pem_pkey.c:135 #4 0x555c54726e80 in php_openssl_pem_read_bio_private_key /work/php-src/ext/openssl/openssl_backend_v1.c:738 #5 0x555c5471ee77 in php_openssl_pkey_from_zval /work/php-src/ext/openssl/openssl_backend_common.c:1297 #6 0x555c54712e3f in zif_openssl_open /work/php-src/ext/openssl/openssl.c:4331 #7 0x555c554b44e5 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 #8 0x555c557dba0b in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2024 #9 0x555c5593cf57 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116514 #10 0x555c55951ec0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 #11 0x555c55ab60cc in zend_execute_script /work/php-src/Zend/zend.c:1980 #12 0x555c554e8ecb in php_execute_script_ex /work/php-src/main/main.c:2645 #13 0x555c554e92db in php_execute_script /work/php-src/main/main.c:2685 #14 0x555c55abbc37 in do_cli /work/php-src/sapi/cli/php_cli.c:951 #15 0x555c55abe204 in main /work/php-src/sapi/cli/php_cli.c:1362 #16 0x7ff8d6d061c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #17 0x7ff8d6d0628a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #18 0x555c54609db4 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609db4) (BuildId: 5cc444a6a9fc1a486ea698e72366c16bd5472605) ``` Closes GH-21054. --- ext/openssl/openssl.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 30ac08397edd..1b04164df413 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -7507,18 +7507,20 @@ PHP_FUNCTION(openssl_open) cipher = EVP_get_cipherbyname(method); if (!cipher) { php_error_docref(NULL, E_WARNING, "Unknown cipher algorithm"); - RETURN_FALSE; + RETVAL_FALSE; + goto out_pkey; } cipher_iv_len = EVP_CIPHER_iv_length(cipher); if (cipher_iv_len > 0) { if (!iv) { zend_argument_value_error(6, "cannot be null for the chosen cipher algorithm"); - RETURN_THROWS(); + goto out_pkey; } if ((size_t)cipher_iv_len != iv_len) { php_error_docref(NULL, E_WARNING, "IV length is invalid"); - RETURN_FALSE; + RETVAL_FALSE; + goto out_pkey; } iv_buf = (unsigned char *)iv; } else { @@ -7540,8 +7542,9 @@ PHP_FUNCTION(openssl_open) } efree(buf); - EVP_PKEY_free(pkey); EVP_CIPHER_CTX_free(ctx); +out_pkey: + EVP_PKEY_free(pkey); } /* }}} */ From 2004b709c43b396c8229a8dac9f8310fcfb515d3 Mon Sep 17 00:00:00 2001 From: ndossche Date: Thu, 5 Mar 2026 13:27:03 +0100 Subject: [PATCH 06/17] Fix missing error propagation in openssl_x509_export_to_file() The file writes can have failed, but this error isn't visible for the application, fix it by propagating the error properly. Closes GH-21348. --- ext/openssl/openssl.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 1b04164df413..7e6638f7fd24 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1567,14 +1567,11 @@ PHP_FUNCTION(openssl_x509_export_to_file) bio_out = BIO_new_file(file_path, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY)); if (bio_out) { - if (!notext && !X509_print(bio_out, cert)) { - php_openssl_store_errors(); - } - if (!PEM_write_bio_X509(bio_out, cert)) { + if ((notext || X509_print(bio_out, cert)) && PEM_write_bio_X509(bio_out, cert)) { + RETVAL_TRUE; + } else { php_openssl_store_errors(); } - - RETVAL_TRUE; } else { php_openssl_store_errors(); php_error_docref(NULL, E_WARNING, "Error opening file %s", file_path); From 4bb68c567fae1303883188b346d08ea014919b2e Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Sat, 24 Jan 2026 22:59:16 +0100 Subject: [PATCH 07/17] Fix memory leaks when adding certificate to store fails When certificate `cert` exists, but is not added to the store, it causes memory leaks. The error handling was already existing but the freeing only happened on the success case. One could also ponder whether it is necessary to inform the user when adding a certificate failed or signal this in some way. Part of the leak report: ``` Direct leak of 384 byte(s) in 1 object(s) allocated from: #0 0x7fdbf1f9e9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69 #1 0x7fdbf183a7c4 in CRYPTO_zalloc (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2237c4) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #2 0x7fdbf16f9d13 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xe2d13) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #3 0x7fdbf16f9e19 in ASN1_item_new_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0xe2e19) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #4 0x7fdbf19a59f9 in X509_new_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x38e9f9) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #5 0x5575bcd295cb in php_openssl_pem_read_bio_x509 /work/php-src/ext/openssl/openssl_backend_v3.c:876 #6 0x5575bcd2ef3d in php_openssl_load_stream_cafile /work/php-src/ext/openssl/xp_ssl.c:855 #7 0x5575bcd2f4da in php_openssl_enable_peer_verification /work/php-src/ext/openssl/xp_ssl.c:912 #8 0x5575bcd33104 in php_openssl_setup_crypto /work/php-src/ext/openssl/xp_ssl.c:1610 #9 0x5575bcd39c18 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2512 #10 0x5575bdb4c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #11 0x5575bdb5557d in php_stream_xport_crypto_setup /work/php-src/main/streams/transports.c:367 #12 0x5575bcd39f11 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2540 #13 0x5575bdb4c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #14 0x5575bdb54655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248 #15 0x5575bdb5365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145 #16 0x5575bd8d30b1 in php_stream_url_wrap_http_ex /work/php-src/ext/standard/http_fopen_wrapper.c:490 #17 0x5575bd8d857e in php_stream_url_wrap_http /work/php-src/ext/standard/http_fopen_wrapper.c:1204 #18 0x5575bdb5073d in _php_stream_open_wrapper_ex /work/php-src/main/streams/streams.c:2270 #19 0x5575bd878fa6 in zif_file_get_contents /work/php-src/ext/standard/file.c:409 #20 0x5575bd5bfe39 in zif_phar_file_get_contents /work/php-src/ext/phar/func_interceptors.c:226 #21 0x5575bdab7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 #22 0x5575bdde024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 #23 0x5575bdf40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 #24 0x5575bdf558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 #25 0x5575be0ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 #26 0x5575bdaec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 #27 0x5575bdaecccb in php_execute_script /work/php-src/main/main.c:2685 #28 0x5575be0bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 #29 0x5575be0c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 ... etc ... ``` Closes GH-21030. --- ext/openssl/xp_ssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index 1bc5c8c1e67b..c4423ce20411 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -859,8 +859,9 @@ static long php_openssl_load_stream_cafile(X509_STORE *cert_store, const char *c buffer_active = 0; if (cert && X509_STORE_add_cert(cert_store, cert)) { ++certs_added; - X509_free(cert); } + /* TODO: notify user when adding certificate failed? */ + X509_free(cert); goto cert_start; } From 1c946325890596ec22871d0ca7170c245fc93e3c Mon Sep 17 00:00:00 2001 From: Nora Dossche <7771979+ndossche@users.noreply.github.com> Date: Fri, 3 Apr 2026 22:43:25 +0200 Subject: [PATCH 08/17] Fix SKIPIF of openssl_password.phpt (#20941) It's possible there is no argon2 provider at all. --- ext/openssl/tests/openssl_password.phpt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ext/openssl/tests/openssl_password.phpt b/ext/openssl/tests/openssl_password.phpt index 0dbc1ae42a3f..ca0d20f9bcc3 100644 --- a/ext/openssl/tests/openssl_password.phpt +++ b/ext/openssl/tests/openssl_password.phpt @@ -5,7 +5,10 @@ openssl --SKIPIF-- --FILE-- From 7831244633d0f514f3f07875f4cbc4e3343edef4 Mon Sep 17 00:00:00 2001 From: Nora Dossche <7771979+ndossche@users.noreply.github.com> Date: Fri, 3 Apr 2026 22:43:31 +0200 Subject: [PATCH 09/17] openssl: Fix missing error propagation in openssl_x509_export() (#21375) The file writes can have failed, but this error isn't visible for the application, fix it by propagating the error properly. --- ext/openssl/openssl.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 7e6638f7fd24..f5869a8999d2 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1869,8 +1869,7 @@ PHP_FUNCTION(openssl_x509_export) } if (!notext && !X509_print(bio_out, cert)) { php_openssl_store_errors(); - } - if (PEM_write_bio_X509(bio_out, cert)) { + } else if (PEM_write_bio_X509(bio_out, cert)) { BUF_MEM *bio_buf; BIO_get_mem_ptr(bio_out, &bio_buf); From 4a16d22970b0b717879e37ced9ed43ed54a09d6e Mon Sep 17 00:00:00 2001 From: Nora Dossche <7771979+ndossche@users.noreply.github.com> Date: Fri, 3 Apr 2026 22:43:39 +0200 Subject: [PATCH 10/17] openssl: Fix error propagation in csr exports (#21403) If the print fails, then the write is still executed, resulting in a partial export without any way of the user knowing this happened. Fix this by only returning true if all writes succeed. --- ext/openssl/openssl.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index f5869a8999d2..22f25a48eedd 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -3176,9 +3176,9 @@ PHP_FUNCTION(openssl_csr_export_to_file) bio_out = BIO_new_file(file_path, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY)); if (bio_out != NULL) { if (!notext && !X509_REQ_print(bio_out, csr)) { + /* TODO: warn? */ php_openssl_store_errors(); - } - if (!PEM_write_bio_X509_REQ(bio_out, csr)) { + } else if (!PEM_write_bio_X509_REQ(bio_out, csr)) { php_error_docref(NULL, E_WARNING, "Error writing PEM to file %s", file_path); php_openssl_store_errors(); } else { @@ -3227,9 +3227,7 @@ PHP_FUNCTION(openssl_csr_export) bio_out = BIO_new(BIO_s_mem()); if (!notext && !X509_REQ_print(bio_out, csr)) { php_openssl_store_errors(); - } - - if (PEM_write_bio_X509_REQ(bio_out, csr)) { + } else if (PEM_write_bio_X509_REQ(bio_out, csr)) { BUF_MEM *bio_buf; BIO_get_mem_ptr(bio_out, &bio_buf); From 5684949337009fdaed7487e49acab140c9e23df6 Mon Sep 17 00:00:00 2001 From: ndossche Date: Tue, 27 Jan 2026 12:03:51 +0100 Subject: [PATCH 11/17] Fix error check on X509V3_EXT_print() The docs I found of this function appear to be wrong, as it can also return -1 on failure. See also https://github.com/openssl/openssl/pull/29793 Closes GH-21047. --- ext/openssl/openssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 22f25a48eedd..f8be531d8dd8 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -2252,7 +2252,7 @@ PHP_FUNCTION(openssl_x509_parse) goto err_subitem; } } - else if (X509V3_EXT_print(bio_out, extension, 0, 0)) { + else if (X509V3_EXT_print(bio_out, extension, 0, 0) > 0) { BIO_get_mem_ptr(bio_out, &bio_buf); add_assoc_stringl(&subitem, extname, bio_buf->data, bio_buf->length); } else { From e474d3c99f91adf41323c332381b4e2096b35b13 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Fri, 23 Jan 2026 12:15:31 +0100 Subject: [PATCH 12/17] Fix crash in openssl_pkey_get_details() when BIO_new() fails PEM_write_bio_PUBKEY() cannot handle a NULL argument: ``` ==10779==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f426f79db69 bp 0x7fff0ec17940 sp 0x7fff0ec17928 T0) ==10779==The signal is caused by a WRITE memory access. ==10779==Hint: address points to the zero page. #0 0x7f426f79db69 in BIO_up_ref (/lib/x86_64-linux-gnu/libcrypto.so.3+0xedb69) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #1 0x7f426f7a8ac2 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xf8ac2) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #2 0x7f426f87c6f0 (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1cc6f0) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #3 0x7f426f87caa6 in OSSL_ENCODER_to_bio (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1ccaa6) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #4 0x7f426f99dc5e in PEM_write_bio_PUBKEY (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2edc5e) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #5 0x5637ebd00530 in zif_openssl_pkey_get_details /work/php-src/ext/openssl/openssl.c:2308 #6 0x5637ecab7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 #7 0x5637ecde024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 #8 0x5637ecf40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 #9 0x5637ecf558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 #10 0x5637ed0ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 #11 0x5637ecaec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 #12 0x5637ecaecccb in php_execute_script /work/php-src/main/main.c:2685 #13 0x5637ed0bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 #14 0x5637ed0c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 #15 0x7f426f3321c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #16 0x7f426f33228a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #17 0x5637ebc09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: eb0a8e6b6d683fbdf45156dfed4d76f9110252b9) ``` Closes GH-21015. --- ext/openssl/openssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index f8be531d8dd8..3dd58f5591a0 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -5176,7 +5176,7 @@ PHP_FUNCTION(openssl_pkey_get_details) EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey; BIO *out = BIO_new(BIO_s_mem()); - if (!PEM_write_bio_PUBKEY(out, pkey)) { + if (!out || !PEM_write_bio_PUBKEY(out, pkey)) { BIO_free(out); php_openssl_store_errors(); RETURN_FALSE; From 8c1137097468b993d3264c8159db81d71515672b Mon Sep 17 00:00:00 2001 From: Nora Dossche <7771979+ndossche@users.noreply.github.com> Date: Fri, 23 Jan 2026 14:54:12 +0100 Subject: [PATCH 13/17] Fix crash when ASN1_STRING_to_UTF8() fails This function returns -1 on failure. Not checking this causes a segfault if `cert_name` is still NULL, i.e. if the failure happens on the first iteration. If the failure happens on the second iteration, we get a use-after-free. NULL deref example: ``` ==189347==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f961f6f379d bp 0x7ffdc44afed0 sp 0x7ffdc44af658 T0) ==189347==The signal is caused by a READ memory access. ==189347==Hint: address points to the zero page. #0 0x7f961f6f379d (/lib/x86_64-linux-gnu/libc.so.6+0x18b79d) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #1 0x7f9620217826 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389 #2 0x560faa92d119 in php_openssl_matches_san_list /work/php-src/ext/openssl/xp_ssl.c:478 #3 0x560faa92e912 in php_openssl_apply_peer_verification_policy /work/php-src/ext/openssl/xp_ssl.c:636 #4 0x560faa93565b in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1893 #5 0x560faa939c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516 #6 0x560fab74c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #7 0x560fab7557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387 #8 0x560faa939f29 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2541 #9 0x560fab74c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #10 0x560fab754655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248 #11 0x560fab75365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145 #12 0x560fab54d725 in zif_stream_socket_client /work/php-src/ext/standard/streamsfuncs.c:158 #13 0x560fab6b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 #14 0x560fab9e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 #15 0x560fabb40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 #16 0x560fabb558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 #17 0x560fabcba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 #18 0x560fab6ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 #19 0x560fab6ecccb in php_execute_script /work/php-src/main/main.c:2685 #20 0x560fabcbfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 #21 0x560fabcc21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 #22 0x7f961f5921c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #23 0x7f961f59228a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #24 0x560faa809b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) ``` UAF example: ``` ==190632==ERROR: AddressSanitizer: heap-use-after-free on address 0x5020000690f0 at pc 0x7fc2cdb3596f bp 0x7ffce2ed98d0 sp 0x7ffce2ed9078 READ of size 3 at 0x5020000690f0 thread T0 #0 0x7fc2cdb3596e in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:391 #1 0x558b6eb2d119 in php_openssl_matches_san_list /work/php-src/ext/openssl/xp_ssl.c:478 #2 0x558b6eb2e912 in php_openssl_apply_peer_verification_policy /work/php-src/ext/openssl/xp_ssl.c:636 #3 0x558b6eb3565b in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1893 #4 0x558b6eb39c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516 #5 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #6 0x558b6f9557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387 #7 0x558b6eb39f29 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2541 #8 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #9 0x558b6f954655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248 #10 0x558b6f95365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145 #11 0x558b6f74d725 in zif_stream_socket_client /work/php-src/ext/standard/streamsfuncs.c:158 #12 0x558b6f8b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 #13 0x558b6fbe024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 #14 0x558b6fd40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 #15 0x558b6fd558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 #16 0x558b6feba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 #17 0x558b6f8ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 #18 0x558b6f8ecccb in php_execute_script /work/php-src/main/main.c:2685 #19 0x558b6febfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 #20 0x558b6fec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 #21 0x7fc2cceb01c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #22 0x7fc2cceb028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #23 0x558b6ea09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) 0x5020000690f0 is located 0 bytes inside of 9-byte region [0x5020000690f0,0x5020000690f9) freed by thread T0 here: #0 0x7fc2cdbb44d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 #1 0x558b6eb2d2fa in php_openssl_matches_san_list /work/php-src/ext/openssl/xp_ssl.c:496 #2 0x558b6eb2e912 in php_openssl_apply_peer_verification_policy /work/php-src/ext/openssl/xp_ssl.c:636 #3 0x558b6eb3565b in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1893 #4 0x558b6eb39c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516 #5 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #6 0x558b6f9557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387 #7 0x558b6eb39f29 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2541 #8 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #9 0x558b6f954655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248 #10 0x558b6f95365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145 #11 0x558b6f74d725 in zif_stream_socket_client /work/php-src/ext/standard/streamsfuncs.c:158 #12 0x558b6f8b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 #13 0x558b6fbe024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 #14 0x558b6fd40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 #15 0x558b6fd558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 #16 0x558b6feba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 #17 0x558b6f8ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 #18 0x558b6f8ecccb in php_execute_script /work/php-src/main/main.c:2685 #19 0x558b6febfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 #20 0x558b6fec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 #21 0x7fc2cceb01c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #22 0x7fc2cceb028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #23 0x558b6ea09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) previously allocated by thread T0 here: #0 0x7fc2cdbb59c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69 #1 0x7fc2cd2faeab in ASN1_mbstring_ncopy (/lib/x86_64-linux-gnu/libcrypto.so.3+0xcceab) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #2 0x7fc2cd2fb2e5 in ASN1_mbstring_copy (/lib/x86_64-linux-gnu/libcrypto.so.3+0xcd2e5) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #3 0x7fc2cd2fe2a5 in ASN1_STRING_to_UTF8 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xd02a5) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #4 0x558b6eb2d0a8 in php_openssl_matches_san_list /work/php-src/ext/openssl/xp_ssl.c:477 #5 0x558b6eb2e912 in php_openssl_apply_peer_verification_policy /work/php-src/ext/openssl/xp_ssl.c:636 #6 0x558b6eb3565b in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1893 #7 0x558b6eb39c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516 #8 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #9 0x558b6f9557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387 #10 0x558b6eb39f29 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2541 #11 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #12 0x558b6f954655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248 #13 0x558b6f95365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145 #14 0x558b6f74d725 in zif_stream_socket_client /work/php-src/ext/standard/streamsfuncs.c:158 #15 0x558b6f8b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 #16 0x558b6fbe024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 #17 0x558b6fd40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 #18 0x558b6fd558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 #19 0x558b6feba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 #20 0x558b6f8ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 #21 0x558b6f8ecccb in php_execute_script /work/php-src/main/main.c:2685 #22 0x558b6febfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 #23 0x558b6fec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 #24 0x7fc2cceb01c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #25 0x7fc2cceb028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #26 0x558b6ea09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) ``` Closes GH-21017. --- ext/openssl/xp_ssl.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index c4423ce20411..88c75253abaf 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -126,10 +126,6 @@ #define GET_VER_OPT_LONG(_name, _num) \ if (GET_VER_OPT(_name)) _num = zval_get_long(val) -/* Used for peer verification in windows */ -#define PHP_X509_NAME_ENTRY_TO_UTF8(ne, i, out) \ - ASN1_STRING_to_UTF8(&out, X509_NAME_ENTRY_get_data(X509_NAME_get_entry(ne, i))) - #ifdef HAVE_IPV6 /* Used for IPv6 Address peer verification */ #define EXPAND_IPV6_ADDRESS(_str, _bytes) \ @@ -476,7 +472,10 @@ static bool php_openssl_matches_san_list(X509 *peer, const char *subject_name) / GENERAL_NAME *san = sk_GENERAL_NAME_value(alt_names, i); if (san->type == GEN_DNS) { - ASN1_STRING_to_UTF8(&cert_name, san->d.dNSName); + if (ASN1_STRING_to_UTF8(&cert_name, san->d.dNSName) < 0) { + /* TODO: warn ? */ + continue; + } if ((size_t)ASN1_STRING_length(san->d.dNSName) != strlen((const char*)cert_name)) { OPENSSL_free(cert_name); /* prevent null-byte poisoning*/ From 8b031ea6eda1b9c5bc3e8db479bbaf6283c1511f Mon Sep 17 00:00:00 2001 From: Nora Dossche <7771979+ndossche@users.noreply.github.com> Date: Sat, 24 Jan 2026 19:15:10 +0100 Subject: [PATCH 14/17] Fix error check on X509_set_subject_name() This call can fail but this is not checked. The other setter call is checked however. Closes GH-21028. --- ext/openssl/openssl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 3dd58f5591a0..460474488224 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -3376,7 +3376,10 @@ PHP_FUNCTION(openssl_csr_sign) PHP_OPENSSL_ASN1_INTEGER_set(X509_get_serialNumber(new_cert), serial); } - X509_set_subject_name(new_cert, X509_REQ_get_subject_name(csr)); + if (!X509_set_subject_name(new_cert, X509_REQ_get_subject_name(csr))) { + php_openssl_store_errors(); + goto cleanup; + } if (cert == NULL) { cert = new_cert; From 0f38bfdef2d9e5ccbb266658b29bd576e36ed8a8 Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Fri, 3 Apr 2026 21:49:54 +0200 Subject: [PATCH 15/17] Fix GH-21617: sni_server self signed certifcate expired It changes the SNI tests to use certificate generator like other TLS tests. Closes GH-21628 --- ext/openssl/tests/gh9310.phpt | 59 +++++++++++------ .../openssl_x509_checkpurpose_basic.phpt | 2 +- .../openssl_x509_export_to_file_leak.phpt | 2 +- .../{sni_server_uk.pem => sni_server.pem} | 0 ext/openssl/tests/sni_server.phpt | 29 +++++++-- ext/openssl/tests/sni_server_ca.pem | 63 ------------------- ext/openssl/tests/sni_server_cs.pem | 57 ----------------- ext/openssl/tests/sni_server_cs_cert.pem | 30 --------- ext/openssl/tests/sni_server_cs_key.pem | 27 -------- ext/openssl/tests/sni_server_key_cert.phpt | 45 ++++++++++--- ext/openssl/tests/sni_server_uk_cert.pem | 30 --------- ext/openssl/tests/sni_server_uk_key.pem | 27 -------- ext/openssl/tests/sni_server_us.pem | 57 ----------------- ext/openssl/tests/sni_server_us_cert.pem | 30 --------- ext/openssl/tests/sni_server_us_key.pem | 27 -------- 15 files changed, 106 insertions(+), 379 deletions(-) rename ext/openssl/tests/{sni_server_uk.pem => sni_server.pem} (100%) delete mode 100644 ext/openssl/tests/sni_server_ca.pem delete mode 100644 ext/openssl/tests/sni_server_cs.pem delete mode 100644 ext/openssl/tests/sni_server_cs_cert.pem delete mode 100644 ext/openssl/tests/sni_server_cs_key.pem delete mode 100644 ext/openssl/tests/sni_server_uk_cert.pem delete mode 100644 ext/openssl/tests/sni_server_uk_key.pem delete mode 100644 ext/openssl/tests/sni_server_us.pem delete mode 100644 ext/openssl/tests/sni_server_us_cert.pem delete mode 100644 ext/openssl/tests/sni_server_us_key.pem diff --git a/ext/openssl/tests/gh9310.phpt b/ext/openssl/tests/gh9310.phpt index 07a7d442cec8..874ed4c781d3 100644 --- a/ext/openssl/tests/gh9310.phpt +++ b/ext/openssl/tests/gh9310.phpt @@ -23,7 +23,21 @@ $certificateGenerator->saveNewCertAndKey('gh9310', $certFile, $pkFile); copy($certFile, $baseDirCertFile); copy($pkFile, $baseDirPkFile); -copy(__DIR__ . '/sni_server_uk_cert.pem', $baseDir . '/sni_server_uk_cert.pem'); + +$sniCaFile = __DIR__ . '/gh9310_sni_ca.pem.tmp'; +$sniCsFile = __DIR__ . '/gh9310_sni_cs.pem.tmp'; +$sniUkCertFile = __DIR__ . '/gh9310_sni_uk_cert.pem.tmp'; +$sniUkKeyFile = __DIR__ . '/gh9310_sni_uk_key.pem.tmp'; +$sniUsCertFile = __DIR__ . '/gh9310_sni_us_cert.pem.tmp'; +$sniUsKeyFile = __DIR__ . '/gh9310_sni_us_key.pem.tmp'; +$baseDirSniUkCertFile = $baseDir . '/sni_uk_cert.pem'; + +$certificateGenerator->saveCaCert($sniCaFile); +$certificateGenerator->saveNewCertAsFileWithKey('cs.php.net', $sniCsFile); +$certificateGenerator->saveNewCertAndKey('uk.php.net', $sniUkCertFile, $sniUkKeyFile); +$certificateGenerator->saveNewCertAndKey('us.php.net', $sniUsCertFile, $sniUsKeyFile); + +copy($sniUkCertFile, $baseDirSniUkCertFile); $serverCodeTemplate = <<<'CODE' @@ -60,7 +74,7 @@ $sniServerCodeV1 = <<<'CODE' $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; $ctx = stream_context_create(['ssl' => [ 'SNI_server_certs' => [ - "cs.php.net" => __DIR__ . "/sni_server_cs.pem", + "cs.php.net" => '%s', ] ]]); @@ -69,6 +83,7 @@ $sniServerCodeV1 = <<<'CODE' stream_socket_accept($server); CODE; +$sniServerCodeV1 = sprintf($sniServerCodeV1, $sniCsFile); $sniServerCodeV2 = <<<'CODE' ini_set('log_errors', 'On'); @@ -77,8 +92,8 @@ $sniServerCodeV2 = <<<'CODE' $ctx = stream_context_create(['ssl' => [ 'SNI_server_certs' => [ "uk.php.net" => [ - 'local_cert' => __DIR__ . '/gh9310/sni_server_uk_cert.pem', - 'local_pk' => __DIR__ . '/sni_server_uk_key.pem', + 'local_cert' => '%s', + 'local_pk' => '%s', ] ] ]]); @@ -88,6 +103,7 @@ $sniServerCodeV2 = <<<'CODE' stream_socket_accept($server); CODE; +$sniServerCodeV2 = sprintf($sniServerCodeV2, $baseDirSniUkCertFile, $sniUkKeyFile); $sniServerCodeV3 = <<<'CODE' ini_set('log_errors', 'On'); @@ -96,8 +112,8 @@ $sniServerCodeV3 = <<<'CODE' $ctx = stream_context_create(['ssl' => [ 'SNI_server_certs' => [ "us.php.net" => [ - 'local_cert' => __DIR__ . '/sni_server_us_cert.pem', - 'local_pk' => __DIR__ . '/sni_server_us_key.pem', + 'local_cert' => '%s', + 'local_pk' => '%s', ] ] ]]); @@ -107,14 +123,15 @@ $sniServerCodeV3 = <<<'CODE' stream_socket_accept($server); CODE; +$sniServerCodeV3 = sprintf($sniServerCodeV3, $sniUsCertFile, $sniUsKeyFile); $sniClientCodeTemplate = <<<'CODE' $flags = STREAM_CLIENT_CONNECT; $ctxArr = [ - 'cafile' => __DIR__ . '/sni_server_ca.pem', + 'cafile' => '%s', + 'peer_name' => '%s', ]; - $ctxArr['peer_name'] = '%s'; $ctx = stream_context_create(['ssl' => $ctxArr]); @stream_socket_client("tls://{{ ADDR }}", $errno, $errstr, 1, $flags, $ctx); CODE; @@ -131,13 +148,13 @@ ServerClientTestCase::getInstance()->run($clientCode, $serverCode); $serverCode = sprintf($serverCodeTemplate, $baseDirCertFile, $pkFile); ServerClientTestCase::getInstance()->run($clientCode, $serverCode); -$sniClientCode = sprintf($sniClientCodeTemplate, 'cs.php.net'); +$sniClientCode = sprintf($sniClientCodeTemplate, $sniCaFile, 'cs.php.net'); ServerClientTestCase::getInstance()->run($sniClientCode, $sniServerCodeV1); -$sniClientCode = sprintf($sniClientCodeTemplate, 'uk.php.net'); +$sniClientCode = sprintf($sniClientCodeTemplate, $sniCaFile, 'uk.php.net'); ServerClientTestCase::getInstance()->run($sniClientCode, $sniServerCodeV2); -$sniClientCode = sprintf($sniClientCodeTemplate, 'us.php.net'); +$sniClientCode = sprintf($sniClientCodeTemplate, $sniCaFile, 'us.php.net'); ServerClientTestCase::getInstance()->run($sniClientCode, $sniServerCodeV3); ?> @@ -149,7 +166,13 @@ $baseDir = __DIR__ . '/gh9310'; @unlink(__DIR__ . '/gh9310.key'); @unlink($baseDir . '/cert.crt'); @unlink($baseDir . '/private.key'); -@unlink($baseDir . '/sni_server_uk_cert.pem'); +@unlink($baseDir . '/sni_uk_cert.pem'); +@unlink(__DIR__ . '/gh9310_sni_ca.pem.tmp'); +@unlink(__DIR__ . '/gh9310_sni_cs.pem.tmp'); +@unlink(__DIR__ . '/gh9310_sni_uk_cert.pem.tmp'); +@unlink(__DIR__ . '/gh9310_sni_uk_key.pem.tmp'); +@unlink(__DIR__ . '/gh9310_sni_us_cert.pem.tmp'); +@unlink(__DIR__ . '/gh9310_sni_us_key.pem.tmp'); @rmdir($baseDir); ?> --EXPECTF-- @@ -169,15 +192,15 @@ PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(% PHP Warning: stream_socket_accept(): Unable to get real path of private key file `%sgh9310.key' in %s PHP Warning: stream_socket_accept(): Failed to enable crypto in %s PHP Warning: stream_socket_accept(): Accept failed: %s -PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%ssni_server_cs.pem) is not within the allowed path(s): (%sgh9310) in %s -PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%ssni_server_cs.pem'; file not found in %s +PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_cs.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s +PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%sgh9310_sni_cs.pem.tmp'; file not found in %s PHP Warning: stream_socket_accept(): Failed to enable crypto in %s PHP Warning: stream_socket_accept(): Accept failed: %s -PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%ssni_server_uk_key.pem) is not within the allowed path(s): (%sgh9310) in %s -PHP Warning: stream_socket_accept(): Failed setting local private key file `%ssni_server_uk_key.pem'; could not open file in %s +PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_uk_key.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s +PHP Warning: stream_socket_accept(): Failed setting local private key file `%sgh9310_sni_uk_key.pem.tmp'; could not open file in %s PHP Warning: stream_socket_accept(): Failed to enable crypto in %s PHP Warning: stream_socket_accept(): Accept failed: %s -PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%ssni_server_us_cert.pem) is not within the allowed path(s): (%sgh9310) in %s -PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%ssni_server_us_cert.pem'; could not open file in %s +PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_us_cert.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s +PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%sgh9310_sni_us_cert.pem.tmp'; could not open file in %s PHP Warning: stream_socket_accept(): Failed to enable crypto in %s PHP Warning: stream_socket_accept(): Accept failed: %s diff --git a/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt b/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt index d09317b1d22f..c1dba964bc67 100644 --- a/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt +++ b/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt @@ -17,7 +17,7 @@ $cert = "file://" . __DIR__ . "/cert.crt"; $bert = "file://" . __DIR__ . "/bug41033.pem"; $sert = "file://" . __DIR__ . "/san-cert.pem"; $cpca = __DIR__ . "/san-cert.pem"; -$utfl = __DIR__ . "/sni_server_uk.pem"; +$utfl = __DIR__ . "/sni_server.pem"; $rcrt = openssl_x509_read($cert); /* int openssl_x509_checkpurpose ( mixed $x509cert , int $purpose); */ diff --git a/ext/openssl/tests/openssl_x509_export_to_file_leak.phpt b/ext/openssl/tests/openssl_x509_export_to_file_leak.phpt index 5775c2597c3e..59a942d6a67e 100644 --- a/ext/openssl/tests/openssl_x509_export_to_file_leak.phpt +++ b/ext/openssl/tests/openssl_x509_export_to_file_leak.phpt @@ -5,7 +5,7 @@ openssl --FILE-- diff --git a/ext/openssl/tests/sni_server_uk.pem b/ext/openssl/tests/sni_server.pem similarity index 100% rename from ext/openssl/tests/sni_server_uk.pem rename to ext/openssl/tests/sni_server.pem diff --git a/ext/openssl/tests/sni_server.phpt b/ext/openssl/tests/sni_server.phpt index 7f9a4e82872b..db0b0190dab3 100644 --- a/ext/openssl/tests/sni_server.phpt +++ b/ext/openssl/tests/sni_server.phpt @@ -8,13 +8,25 @@ if (!function_exists("proc_open")) die("skip no proc_open"); ?> --FILE-- saveCaCert($caFile); +$certificateGenerator->saveNewCertAsFileWithKey('cs.php.net', $csFile); +$certificateGenerator->saveNewCertAsFileWithKey('uk.php.net', $ukFile); +$certificateGenerator->saveNewCertAsFileWithKey('us.php.net', $usFile); + $serverCode = <<<'CODE' $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; $ctx = stream_context_create(['ssl' => [ 'SNI_server_certs' => [ - "cs.php.net" => __DIR__ . "/sni_server_cs.pem", - "uk.php.net" => __DIR__ . "/sni_server_uk.pem", - "us.php.net" => __DIR__ . "/sni_server_us.pem" + "cs.php.net" => '%s', + "uk.php.net" => '%s', + "us.php.net" => '%s', ] ]]); @@ -25,11 +37,12 @@ $serverCode = <<<'CODE' @stream_socket_accept($server, 3); } CODE; +$serverCode = sprintf($serverCode, $csFile, $ukFile, $usFile); $clientCode = <<<'CODE' $flags = STREAM_CLIENT_CONNECT; $ctxArr = [ - 'cafile' => __DIR__ . '/sni_server_ca.pem', + 'cafile' => '%s', 'capture_peer_cert' => true ]; @@ -51,10 +64,18 @@ $clientCode = <<<'CODE' $cert = stream_context_get_options($ctx)['ssl']['peer_certificate']; var_dump(openssl_x509_parse($cert)['subject']['CN']); CODE; +$clientCode = sprintf($clientCode, $caFile); include 'ServerClientTestCase.inc'; ServerClientTestCase::getInstance()->run($clientCode, $serverCode); ?> +--CLEAN-- + --EXPECTF-- string(%d) "cs.php.net" string(%d) "uk.php.net" diff --git a/ext/openssl/tests/sni_server_ca.pem b/ext/openssl/tests/sni_server_ca.pem deleted file mode 100644 index b2522884565d..000000000000 --- a/ext/openssl/tests/sni_server_ca.pem +++ /dev/null @@ -1,63 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFejCCA2KgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwQzELMAkGA1UEBhMCR0Ix -EDAOBgNVBAgMB0VuZ2xhbmQxEDAOBgNVBAoMB1BIUC5uZXQxEDAOBgNVBAMMB3Bo -cC5uZXQwHhcNMTcxMTIyMTQyODIzWhcNMjcxMTIwMTQyODIzWjBVMQswCQYDVQQG -EwJHQjEQMA4GA1UECAwHRW5nbGFuZDEQMA4GA1UECgwHUEhQLm5ldDEQMA4GA1UE -CwwHb3BlbnNzbDEQMA4GA1UEAwwHcGhwLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD -ggIPADCCAgoCggIBAMeENPus84HfIaypUVybbn5ZZyu1gXSYZAnDYYHhOlHu5kFh -26ohnHnoheapXVRbUtDZgUW5BztA+vDhKkM5G3U4p+YsqcSA/IkF2JQBkJH1jrxs -XMDtXIA4/MzYAVtyySqoMsrbkSCDzvI8imsbZI9O1x02VgaqoaQ9JZvglt1nhTIY -YpTbTKGCzMmrnFGHITeBsVose1ACFIAtqKqvUaA6TxcCtVcrENY3T3N/vEmoHHBg -O7j9+UvYN/WRPNcv0aIOlro83O9xQuJdRCygPmcv/jkqWRKm2Pu0lEkvbMCvOJr/ -Fz/kQg/6EVmIMsR/dgOMIjWjmpeTx24UJaNHUdNCeUbxIyTIyl9ISLWLM0Ipoq3L -95ygH6FSESAOpc8rVE2A5YZCtKlwvogMx3C/tMH1gWwMlfxn0CopP4Jx6lngw3yn -IpP0hnuCauQikBkyhsGu4J0Lbx5BsyDWQLwjiq4s8EcEy0vTdAvhDMRUGvpnjWaa -zBDVVrzHaRFvp6ueh35xf+dYieGL5UTICyrrQX9wwSafHV90a87y6XU+RwA25Dmc -V/kTn8/xkFv/4CbZp+0yArKpwXjqBMsQFbkFjT+Ky9MN+nedoFUMl7slgjpBs6RI -T08Hoa7/kMZGtLCiGcRXlwiIhB00gDz2avUvFTxwik9ssjDqBJGzNbBvZGb/AgMB -AAGjZjBkMB0GA1UdDgQWBBTjyuOBGnHnb+x20diIHG3sPuJFGjAfBgNVHSMEGDAW -gBQ0s99BNsV4Dszph6PArogA8HP4TDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1Ud -DwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAFrQMmCoSe8uJbJLqPGMPW4ZE -0U81WWboc9FrSfezBYkTKuCjMTjQFv8oLp4pnuWZw22mHrOiz9izjNnXcR/rdVbG -Cip/JSHlTzHd3gnxSSd2diXvVrSb4zuLyN6WIficlsj3QdIP4Cdfv1pdHBTsRPbW -vuHpwYqqjxPBjqvoVZyZRyRM1pqpxLCvxOt4S3z4uZXyIH2UI7yWxI6MvdHBZg5m -TwiVi1gEQuRnYRy4sK9qJlBo5jERvzDr46W1e9Yz5sNMPfwWb64Hkkys3GqJt5am -OKxvgF3lvIK90vBjenGDfYEENP+0qdmdpHQkxGM2cl9iPqW8iyRGBVjdbzTIeRgB -u+CEbffSKWCpbm1Zcszv3FHMlsU4Px2pUTdLwEMgBQUPW/ngBMdRgVZE01GI7D1k -AM3hO347eehQTWoyuHgsnB2uaANEeR/XFBGDFmbs5ggAzxxRsH1FxoHXrv3iDIPW -9lKnSow+OZGcPKgaY5Nsregt4jO+pQqhzxlMa2QMfrMoGkEvrKNcDqeEI6KQa1SI -Zbq7sjf2w+VL0oQcse+gtg4q771dKy9V/XcfnPbiBAXfQqGj/v0LmZRn3ZRrkgzl -CaZocqVRJZbqu7/iu/p9pDRMR03vhBWPn7iM8VqzkhKjAlD0rolnQqvOAXyPpd/O -qYuYP+6Ymt/rUWXGVh0= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFbDCCA1SgAwIBAgIJAJcrLHeFQrGEMA0GCSqGSIb3DQEBCwUAMEMxCzAJBgNV -BAYTAkdCMRAwDgYDVQQIDAdFbmdsYW5kMRAwDgYDVQQKDAdQSFAubmV0MRAwDgYD -VQQDDAdwaHAubmV0MB4XDTE3MTExNTE5MTEwMVoXDTM4MDUyOTE5MTEwMVowQzEL -MAkGA1UEBhMCR0IxEDAOBgNVBAgMB0VuZ2xhbmQxEDAOBgNVBAoMB1BIUC5uZXQx -EDAOBgNVBAMMB3BocC5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQC4bIXbh+e+OCbLum2FYB8i6ZnOShp1teWNEE/8A4ot20wkPxLeXFSU1Egn+3BG -fxHKrWxV/FOiL7bims/SfwptFkgNZkwE52HVk49zgQevG38smsnIGuBMXMKebLPT -wlsIWRqCmZqEmh1wNcC9+qwoHoYjvJvMYfFvofiSc7qkTFsjoBVe+ho90vjYMznr -Bs9DlD88iXO0kKN0Bsu2igz68JWkUsoNeD6UKSir16SmQZxdFPCM0O0gxmOyz4NZ -w8pJ5XGDJyS82fVp13tYCOBFhK0QBvvzaz/gN6De5arefm6cer9TX0HE+VvGhx4T -2lqydFLfAVKTTNoZHOQk2mFVUm7dlMzLvsgNKdEZH6wAa12eBImCea+CyJNkbGLC -nrN6a93iGqTft75sbDyvzRk/BdnxadkAPlOxgK1qGrOgeS0+7chPMh24MRoKj5bU -lYGdcp7Y9qIW1hZXFfgPJO0yMOug/7J14jybp+YhymBIBTZYi1zbGqGNXdLPyp77 -9KTfyJE9KkbGegBvwqJmZTW8QoUDllopDjr1zaIqHWJqfAK7vGivu0iLVJHBRbRs -w9c48RCjfIh7AkvFKsdIDt9SMdZOdm9D8SXosYPM1zMFQsFFRPh/nKyl9QnhWbwd -Vs1tIFDrb10Z2sn0pF/V0F0gubR5rvYs+3h/dLciLVFobQIDAQABo2MwYTAdBgNV -HQ4EFgQUNLPfQTbFeA7M6YejwK6IAPBz+EwwHwYDVR0jBBgwFoAUNLPfQTbFeA7M -6YejwK6IAPBz+EwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJ -KoZIhvcNAQELBQADggIBAIkctDRCNcNVs2qP/O3zZsVZ1cqlqYNjcHIVHqNZRvVb -bPtInZ/i/6BbwA5QM/giKpl2aMwetUnezjHVD+7/m24Mfs1FWyPD3joCMIANj7hR -MNbmX1LQBMt/bD3E5trq9S9rZ++/ny4gn/z2jH3x+lzDMBDiam/wXbvSmyIUPUX6 -V8FFpkTBNERpurUvX1NEFLuiilWKrI7/u1qS11PGBcX3pNQNfhKNMtuFz74hAE7C -RE8756CGu2bZzydYCarUXSNTXqNm5ly2J0UN6Al4myFwj/6XnLnDhXDAI8CaqDMD -MwmxUzJvzuphNS085ZIntrSgPJESGozevEsf9bGD8GyoBQN/cSqOJCFfnJqxtKHb -wNa2F78SXYsiWkRb5EzoyCeon+0tygG6gLBouVY8ouCerExkH9qzRLLzFInxmCm2 -ill7c8Xmml4H2BxJE33dz/Qh7PM3eF2A2VriioLDj4+HOiWq/1BjdW6/Xiwx5iP2 -nC6Cex+lBt6HkP9WIiJbGxVeamF5jxNWWvLoUkrjFhpukjb5BPR9zFt7mAty9J/T -iQt26yylP4ucmL9KB6lv4ISW4Ri8mhMcYh6nF3tIYWZMCSQKqkyvymhKdLMZa20A -IME2oxnfZcmsfMpM6BYsN4XDfGBeYctqqt2AFRNLkI4wFkFFdPTMcTi1q0iRH2Xk ------END CERTIFICATE----- diff --git a/ext/openssl/tests/sni_server_cs.pem b/ext/openssl/tests/sni_server_cs.pem deleted file mode 100644 index 9f5a201b26d1..000000000000 --- a/ext/openssl/tests/sni_server_cs.pem +++ /dev/null @@ -1,57 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAvy5NhzktzEdsHTbGB6vqYANms5rn1zXFmTJrGlWCwoIsNmTf -ahvZkrC1cCXTZ7fbPB8XQbpAtz2ZSU7OcwBW9B8okYUPo9zi/ptwcrgsQsN0hrcD -8MBRUccevwime5fLvg8E9RJ/68y9y3BnRcVWYO2sAK9juTfidNjETU3Bb05oXv8D -SD/6onXQu4uXDgsQ3cRXeld9UB0xazmQXyyiIqXc/cpTAnaEVYzn28aj7NlUbzNq -511UXMXY44x9EcXWpPVZ7heNcJNzY5DCNzmtXKrt9yiMpWQcPXEzsESVxAMqib9u -TFOlvVX17LIPxBG656PjTD9J1h6kBbMCUxzs7wIDAQABAoIBAQC85lBeY0X4ST3v -I7bJz7kWQ2YP4uhfAdeLhoDDFWjNLffniwYhfwEc6xNri0R2f/jUT9gX7qORKwEx -qPdeNCC2t67LElGg1FlJv2Z9Q7MgCKYzkdQH5s6y4e9kTHTLO/JpiceZKz1QTQ3f -XOH9032E6nIAf0wmr6xHTgOwajrN8VI5BuPEMVmEwIw3AtYeqVuPCNKyGR4HUVkC -2bAydnGngbRJRnNzmKcWJancxpHDGBSFqPyuXMFC7Jgo3ZmyCbGp99vuXVk/sW9x -5aj94M9nRE0guk05ivH2/JZao2uLYkIgjFWlhNxKdWgWRk8DEuN4djC8mKS9YH1q -crYRToMhAoGBAOspUTtKP54mpZmyhxuDqj02JaJRzNTskPHsiF1UhtXuw7uT+ryV -ekUFLNXoFmn9mbx1WVaUvGH4qjilvQOxz7u++lz0ApqJEfyM3jc/cC40Y5zcuGSu -Etbg+SyDoytlgMCIydJyrS7NNALSo5p5oG6XY2f8yd/DCAmo8LzypaHRAoGBANAf -R1SlBMc/bOsi6GrJxcBVSCFMiKYiO5woL5aUKa9yM+UQuQ/6xbQ7Q+sOlt0FH3xo -AJ2L60qTdjyXVtjOdtXs5ZC4l+C6AfnCx6yLr+fNc4SOYXEfqS4LZylgwKd9KyVB -asspIW9Idbgebmi6vPyt9LDkIp0h1VuFGjkvQJK/AoGBAI4pbS0dprXyARyYW6sb -fpgAmuG099IkrT9DUfCx/81myTclr2fAKal+BmvOIXaz0/OlMXvw8K19iVIzh7+r -B70lJ+93p/dKM/BsLI5TsHqOO0YB/QsIXOVAHgJ2FfdPJnW+e9vYba+kZ/Po6PSi -4ITaykJ8BIJcQgis89QWEGFxAoGBAJhQO+jzuDKF9ZWEf6ofrw0anOZZ16wWY5/e -PS2rk3JmVxpuibHrKqPDt+ogTELHDAsFJmYmz3VNxHuFmrajK49Wh4/JuMVr/CQo -6+8YcA1qa/94IFIlBLDBAafjujsZvOjQHnM+z8xcsGKmStF00Pjv6qNG4xoyd646 -FD4DmfOLAoGAWXehpopZKXE9gRAni881ucK6WqxPPBoofbozi09D0MmfarIVaSkv -jNVVHBfLWd7IEXTjiipPBeUqq6Jc3pscN1Vp4rrl8jTmVTdazEv0LuzpdUFqmNo2 -M+xw17uz9D9Q32/aW1Lar0PdIaL/wGEDEyzEBFwrGppcENLilPz8gzU= ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIIFIjCCAwqgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwVTELMAkGA1UEBhMCR0Ix -EDAOBgNVBAgMB0VuZ2xhbmQxEDAOBgNVBAoMB1BIUC5uZXQxEDAOBgNVBAsMB29w -ZW5zc2wxEDAOBgNVBAMMB3BocC5uZXQwHhcNMTgwMTE0MTgzNjEyWhcNMjYwNDAy -MTgzNjEyWjBGMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDEQMA4GA1UE -CgwHUEhQLm5ldDETMBEGA1UEAwwKY3MucGhwLm5ldDCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAL8uTYc5LcxHbB02xger6mADZrOa59c1xZkyaxpVgsKC -LDZk32ob2ZKwtXAl02e32zwfF0G6QLc9mUlOznMAVvQfKJGFD6Pc4v6bcHK4LELD -dIa3A/DAUVHHHr8IpnuXy74PBPUSf+vMvctwZ0XFVmDtrACvY7k34nTYxE1NwW9O -aF7/A0g/+qJ10LuLlw4LEN3EV3pXfVAdMWs5kF8soiKl3P3KUwJ2hFWM59vGo+zZ -VG8zauddVFzF2OOMfRHF1qT1We4XjXCTc2OQwjc5rVyq7fcojKVkHD1xM7BElcQD -Kom/bkxTpb1V9eyyD8QRuuej40w/SdYepAWzAlMc7O8CAwEAAaOCAQkwggEFMAkG -A1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVu -U1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHPfd8dK -Lz1R0Ck4WV1B9AWXd5DSMGwGA1UdIwRlMGOAFOPK44Eacedv7HbR2Igcbew+4kUa -oUekRTBDMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDEQMA4GA1UECgwH -UEhQLm5ldDEQMA4GA1UEAwwHcGhwLm5ldIICEAAwDgYDVR0PAQH/BAQDAgWgMBMG -A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQB6WSIHEyDXLZxH -hZjqSNQOA7Wc9Z2FCAiD29xYkGTL8WuPVGGP1mu4B92ytj+PMWwqSReDa7eTGLE7 -O7ozw9l+c+gNmHFNikSsGjlV2E8CToQOFMny+jAQYMSXf8UbTp9xDfgG02t/71hv -SLWqdeHMLcR0xi0nBQH0vDOkwUbuWYqFa3jejHieGhykHM6CkIk6lqnyOEO+ooIF -ZsLprrg1ss/mXCPI6niP0hze55ERKdxI7Rk8sZ4pVkf2SUWqZrUS0aJ+Ymmwi6Xd -2V7izq5N30PkJS8MtqII4FAjRBIkwPh0sy8PmW/DzkYU+lYQnDfYLKDFKcj8xJK/ -o8oZUBsQltrSj0KlM9QuqxCTCBCy1nXZ9WHOhq+jdLiTc1Oi60uEHcUMrLK8aYc4 -HqIvZS6C2iwMI0d1OP3VxmAbMQ9yqRi+FbLYavJ3H40jrU9SYqdxa0BrTaz8MJNE -6AEwgQDPChczSghvHME+Fs4mtGCY3TesbNZKVahQRjaFIhMZIZ4RP4CRc0bJOBG+ -8Me4+KHNsD2ki5b03wAN6C1P2QrMzI+gH9fXLZYp761ciDAsX6YIzrhHHYLxYpJH -BkQKKs8dCQWE5IzgVrdlvC3Z1/l9om66wHqqx7nKnPfYs/Sfnwe9MpCD6xJrXiTm -WS7NM6fbQpO9APNr7o0ZOjbbWFzlNw== ------END CERTIFICATE----- diff --git a/ext/openssl/tests/sni_server_cs_cert.pem b/ext/openssl/tests/sni_server_cs_cert.pem deleted file mode 100644 index b77c7b83e2ad..000000000000 --- a/ext/openssl/tests/sni_server_cs_cert.pem +++ /dev/null @@ -1,30 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFIjCCAwqgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwVTELMAkGA1UEBhMCR0Ix -EDAOBgNVBAgMB0VuZ2xhbmQxEDAOBgNVBAoMB1BIUC5uZXQxEDAOBgNVBAsMB29w -ZW5zc2wxEDAOBgNVBAMMB3BocC5uZXQwHhcNMTgwMTE0MTgzNjEyWhcNMjYwNDAy -MTgzNjEyWjBGMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDEQMA4GA1UE -CgwHUEhQLm5ldDETMBEGA1UEAwwKY3MucGhwLm5ldDCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAL8uTYc5LcxHbB02xger6mADZrOa59c1xZkyaxpVgsKC -LDZk32ob2ZKwtXAl02e32zwfF0G6QLc9mUlOznMAVvQfKJGFD6Pc4v6bcHK4LELD -dIa3A/DAUVHHHr8IpnuXy74PBPUSf+vMvctwZ0XFVmDtrACvY7k34nTYxE1NwW9O -aF7/A0g/+qJ10LuLlw4LEN3EV3pXfVAdMWs5kF8soiKl3P3KUwJ2hFWM59vGo+zZ -VG8zauddVFzF2OOMfRHF1qT1We4XjXCTc2OQwjc5rVyq7fcojKVkHD1xM7BElcQD -Kom/bkxTpb1V9eyyD8QRuuej40w/SdYepAWzAlMc7O8CAwEAAaOCAQkwggEFMAkG -A1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVu -U1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHPfd8dK -Lz1R0Ck4WV1B9AWXd5DSMGwGA1UdIwRlMGOAFOPK44Eacedv7HbR2Igcbew+4kUa -oUekRTBDMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDEQMA4GA1UECgwH -UEhQLm5ldDEQMA4GA1UEAwwHcGhwLm5ldIICEAAwDgYDVR0PAQH/BAQDAgWgMBMG -A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQB6WSIHEyDXLZxH -hZjqSNQOA7Wc9Z2FCAiD29xYkGTL8WuPVGGP1mu4B92ytj+PMWwqSReDa7eTGLE7 -O7ozw9l+c+gNmHFNikSsGjlV2E8CToQOFMny+jAQYMSXf8UbTp9xDfgG02t/71hv -SLWqdeHMLcR0xi0nBQH0vDOkwUbuWYqFa3jejHieGhykHM6CkIk6lqnyOEO+ooIF -ZsLprrg1ss/mXCPI6niP0hze55ERKdxI7Rk8sZ4pVkf2SUWqZrUS0aJ+Ymmwi6Xd -2V7izq5N30PkJS8MtqII4FAjRBIkwPh0sy8PmW/DzkYU+lYQnDfYLKDFKcj8xJK/ -o8oZUBsQltrSj0KlM9QuqxCTCBCy1nXZ9WHOhq+jdLiTc1Oi60uEHcUMrLK8aYc4 -HqIvZS6C2iwMI0d1OP3VxmAbMQ9yqRi+FbLYavJ3H40jrU9SYqdxa0BrTaz8MJNE -6AEwgQDPChczSghvHME+Fs4mtGCY3TesbNZKVahQRjaFIhMZIZ4RP4CRc0bJOBG+ -8Me4+KHNsD2ki5b03wAN6C1P2QrMzI+gH9fXLZYp761ciDAsX6YIzrhHHYLxYpJH -BkQKKs8dCQWE5IzgVrdlvC3Z1/l9om66wHqqx7nKnPfYs/Sfnwe9MpCD6xJrXiTm -WS7NM6fbQpO9APNr7o0ZOjbbWFzlNw== ------END CERTIFICATE----- diff --git a/ext/openssl/tests/sni_server_cs_key.pem b/ext/openssl/tests/sni_server_cs_key.pem deleted file mode 100644 index bf1e9f25193b..000000000000 --- a/ext/openssl/tests/sni_server_cs_key.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAvy5NhzktzEdsHTbGB6vqYANms5rn1zXFmTJrGlWCwoIsNmTf -ahvZkrC1cCXTZ7fbPB8XQbpAtz2ZSU7OcwBW9B8okYUPo9zi/ptwcrgsQsN0hrcD -8MBRUccevwime5fLvg8E9RJ/68y9y3BnRcVWYO2sAK9juTfidNjETU3Bb05oXv8D -SD/6onXQu4uXDgsQ3cRXeld9UB0xazmQXyyiIqXc/cpTAnaEVYzn28aj7NlUbzNq -511UXMXY44x9EcXWpPVZ7heNcJNzY5DCNzmtXKrt9yiMpWQcPXEzsESVxAMqib9u -TFOlvVX17LIPxBG656PjTD9J1h6kBbMCUxzs7wIDAQABAoIBAQC85lBeY0X4ST3v -I7bJz7kWQ2YP4uhfAdeLhoDDFWjNLffniwYhfwEc6xNri0R2f/jUT9gX7qORKwEx -qPdeNCC2t67LElGg1FlJv2Z9Q7MgCKYzkdQH5s6y4e9kTHTLO/JpiceZKz1QTQ3f -XOH9032E6nIAf0wmr6xHTgOwajrN8VI5BuPEMVmEwIw3AtYeqVuPCNKyGR4HUVkC -2bAydnGngbRJRnNzmKcWJancxpHDGBSFqPyuXMFC7Jgo3ZmyCbGp99vuXVk/sW9x -5aj94M9nRE0guk05ivH2/JZao2uLYkIgjFWlhNxKdWgWRk8DEuN4djC8mKS9YH1q -crYRToMhAoGBAOspUTtKP54mpZmyhxuDqj02JaJRzNTskPHsiF1UhtXuw7uT+ryV -ekUFLNXoFmn9mbx1WVaUvGH4qjilvQOxz7u++lz0ApqJEfyM3jc/cC40Y5zcuGSu -Etbg+SyDoytlgMCIydJyrS7NNALSo5p5oG6XY2f8yd/DCAmo8LzypaHRAoGBANAf -R1SlBMc/bOsi6GrJxcBVSCFMiKYiO5woL5aUKa9yM+UQuQ/6xbQ7Q+sOlt0FH3xo -AJ2L60qTdjyXVtjOdtXs5ZC4l+C6AfnCx6yLr+fNc4SOYXEfqS4LZylgwKd9KyVB -asspIW9Idbgebmi6vPyt9LDkIp0h1VuFGjkvQJK/AoGBAI4pbS0dprXyARyYW6sb -fpgAmuG099IkrT9DUfCx/81myTclr2fAKal+BmvOIXaz0/OlMXvw8K19iVIzh7+r -B70lJ+93p/dKM/BsLI5TsHqOO0YB/QsIXOVAHgJ2FfdPJnW+e9vYba+kZ/Po6PSi -4ITaykJ8BIJcQgis89QWEGFxAoGBAJhQO+jzuDKF9ZWEf6ofrw0anOZZ16wWY5/e -PS2rk3JmVxpuibHrKqPDt+ogTELHDAsFJmYmz3VNxHuFmrajK49Wh4/JuMVr/CQo -6+8YcA1qa/94IFIlBLDBAafjujsZvOjQHnM+z8xcsGKmStF00Pjv6qNG4xoyd646 -FD4DmfOLAoGAWXehpopZKXE9gRAni881ucK6WqxPPBoofbozi09D0MmfarIVaSkv -jNVVHBfLWd7IEXTjiipPBeUqq6Jc3pscN1Vp4rrl8jTmVTdazEv0LuzpdUFqmNo2 -M+xw17uz9D9Q32/aW1Lar0PdIaL/wGEDEyzEBFwrGppcENLilPz8gzU= ------END RSA PRIVATE KEY----- diff --git a/ext/openssl/tests/sni_server_key_cert.phpt b/ext/openssl/tests/sni_server_key_cert.phpt index 49ed6aa5328c..878f97c1e359 100644 --- a/ext/openssl/tests/sni_server_key_cert.phpt +++ b/ext/openssl/tests/sni_server_key_cert.phpt @@ -8,21 +8,36 @@ if (!function_exists("proc_open")) die("skip no proc_open"); ?> --FILE-- saveCaCert($caFile); +$certificateGenerator->saveNewCertAndKey('cs.php.net', $csCertFile, $csKeyFile); +$certificateGenerator->saveNewCertAndKey('uk.php.net', $ukCertFile, $ukKeyFile); +$certificateGenerator->saveNewCertAndKey('us.php.net', $usCertFile, $usKeyFile); + $serverCode = <<<'CODE' $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; $ctx = stream_context_create(['ssl' => [ 'SNI_server_certs' => [ "cs.php.net" => [ - 'local_cert' => __DIR__ . "/sni_server_cs_cert.pem", - 'local_pk' => __DIR__ . "/sni_server_cs_key.pem" + 'local_cert' => '%s', + 'local_pk' => '%s', ], "uk.php.net" => [ - 'local_cert' => __DIR__ . "/sni_server_uk_cert.pem", - 'local_pk' => __DIR__ . "/sni_server_uk_key.pem" + 'local_cert' => '%s', + 'local_pk' => '%s', ], "us.php.net" => [ - 'local_cert' => __DIR__ . "/sni_server_us_cert.pem", - 'local_pk' => __DIR__ . "/sni_server_us_key.pem" + 'local_cert' => '%s', + 'local_pk' => '%s', ], ] ]]); @@ -34,11 +49,16 @@ $serverCode = <<<'CODE' @stream_socket_accept($server, 3); } CODE; +$serverCode = sprintf($serverCode, + $csCertFile, $csKeyFile, + $ukCertFile, $ukKeyFile, + $usCertFile, $usKeyFile +); $clientCode = <<<'CODE' $flags = STREAM_CLIENT_CONNECT; $ctxArr = [ - 'cafile' => __DIR__ . '/sni_server_ca.pem', + 'cafile' => '%s', 'capture_peer_cert' => true ]; @@ -60,10 +80,21 @@ $clientCode = <<<'CODE' $cert = stream_context_get_options($ctx)['ssl']['peer_certificate']; var_dump(openssl_x509_parse($cert)['subject']['CN']); CODE; +$clientCode = sprintf($clientCode, $caFile); include 'ServerClientTestCase.inc'; ServerClientTestCase::getInstance()->run($clientCode, $serverCode); ?> +--CLEAN-- + --EXPECTF-- string(%d) "cs.php.net" string(%d) "uk.php.net" diff --git a/ext/openssl/tests/sni_server_uk_cert.pem b/ext/openssl/tests/sni_server_uk_cert.pem deleted file mode 100644 index 57663855e590..000000000000 --- a/ext/openssl/tests/sni_server_uk_cert.pem +++ /dev/null @@ -1,30 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFIjCCAwqgAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwVTELMAkGA1UEBhMCR0Ix -EDAOBgNVBAgMB0VuZ2xhbmQxEDAOBgNVBAoMB1BIUC5uZXQxEDAOBgNVBAsMB29w -ZW5zc2wxEDAOBgNVBAMMB3BocC5uZXQwHhcNMTgwMTE0MTgzNjMyWhcNMjYwNDAy -MTgzNjMyWjBGMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDEQMA4GA1UE -CgwHUEhQLm5ldDETMBEGA1UEAwwKdWsucGhwLm5ldDCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAKzKRXj0jVBzRwolFn7Ej0MR2kE6Q36IBCEiDLhquSYR -Lh1spR0XudSVmRot/Wvz2PawApX4P6qj57scBQ6KL4ULKvSndCZ7F1tdQjEqogYp -n/L8oBhP1dgyDonsewG/PucxC+3Aqzcl3w5Pg7qE+zad42khP7t9TjFAMxc+PxC+ -2as5ZCDJBwfxksCyCQfFWx7eB7p39vGy63k3Izv+UKTZEhbSdT721kb91oXkecpE -EFhihfVYMGMEtC7u2JLSxdkRhWYSMqVCvI2syYsLAUUNH2kgqQF00j2Iddhg3oMA -IiqhpC/n2slHVhp56WE1TsrGC/JgqIvQK9AT4LRxFb8CAwEAAaOCAQkwggEFMAkG -A1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVu -U1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFJK58uJe -Lv8WDOR8TTLUcSxO1zCyMGwGA1UdIwRlMGOAFOPK44Eacedv7HbR2Igcbew+4kUa -oUekRTBDMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDEQMA4GA1UECgwH -UEhQLm5ldDEQMA4GA1UEAwwHcGhwLm5ldIICEAAwDgYDVR0PAQH/BAQDAgWgMBMG -A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQDHayU795hFnQNj -fuYV21sEmkSjgtp6X4rV9JfoCp8U2gieL4mizoCPx9Q8HYaAf98hPYTofGUaCSd+ -Xlzd8lhLt9GCU+BsCxGtJocrjOQDhyhkioN8iirQRTtJpRVC6a4RCBGpenOD7Z7C -Z32uGXohzFuigP/J8/SXBdHrlpNSa03iEkkisPR46mbGj06lFVOFHJDNKA3CnQwM -3VfqvZt0ksZi/gAOol8dtrAd3k5JBfJ2BtqsPbycEGAhsGrTK/MeqiFcO8QZiXpN -qf0wZzOMFZJ4HqTiHs4TMMQaDK8c4qfR0l1OE224ijcB5NlqMjGAZabMfHgNZcl7 -fYPX+POsOMaqubv98uoC0PCK8NCTyfB4V/el72EEoVfwKYOxm3eYXBEE2ZNyIci6 -YKYhNa9e2k+cFueYMztV06HTGgkcHcSJATP+3ISTRx3tj1BPmc4O4WAMEMx1E0gg -PaVrBVAylGzt8kaMaOQMBImpsALSfutq6+KtQiu0OTGS3yVUGamV4AyRjuwF1/ZA -kZbjmNEGsf9d2rzS89ckds24QUx0zrfJ56p7lRvyVK/pML7iadv8dUH3fKDDDerD -oocLjOjNxFGN9Woz+kfidA8Siu0zsfQ6CLPlaQrVAVQH4iMuCZraqMc3TqAiUKRj -iHKp6FFrRZmY8W8HEKHv98uGofn+3g== ------END CERTIFICATE----- diff --git a/ext/openssl/tests/sni_server_uk_key.pem b/ext/openssl/tests/sni_server_uk_key.pem deleted file mode 100644 index 3baa6efd776e..000000000000 --- a/ext/openssl/tests/sni_server_uk_key.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArMpFePSNUHNHCiUWfsSPQxHaQTpDfogEISIMuGq5JhEuHWyl -HRe51JWZGi39a/PY9rAClfg/qqPnuxwFDoovhQsq9Kd0JnsXW11CMSqiBimf8vyg -GE/V2DIOiex7Ab8+5zEL7cCrNyXfDk+DuoT7Np3jaSE/u31OMUAzFz4/EL7Zqzlk -IMkHB/GSwLIJB8VbHt4Hunf28bLreTcjO/5QpNkSFtJ1PvbWRv3WheR5ykQQWGKF -9VgwYwS0Lu7YktLF2RGFZhIypUK8jazJiwsBRQ0faSCpAXTSPYh12GDegwAiKqGk -L+fayUdWGnnpYTVOysYL8mCoi9Ar0BPgtHEVvwIDAQABAoIBAGpg7XyWMxpAno/k -XYEWSo0kRJa75CnWW5R6fhJbwjlpglajONQ8czAqGeRARDFeI0lc+3qRJ8FKv7Q2 -f/Z/pNnoEj4liiDWz350X/gdIztgDRVv6rCNFj7QMps/eEuPDo8PZySs5bxCGJ2a -3qLKlE7/za4/xhkMAEPaHppEvFb15dpomqP2Fjqei9afp8tD+xJv9BGtkFIy9acw -94AWQi974kgW7ZzfEf8RqHM0ExKiESCc26knbcBu0tQ892YHggMccUMk/UrVgR5d -vuGOBurlYGLBstSDSKCCe6la4N/FX3FiC3WhVNescnuTZPXcX3zebh7roGjgrTdd -6UJYBIECgYEA09XYihdwW66G9Y09OatzlzBh1Rvzjv2Vl5NmWHHb6vh38H4PcOof -S1pT0JvRzpt8uEs4i+Eda5PyQyp4iGtD+DQ07Dxh2jiixsE3PRFRG2wg2QCgDHnS -6vgV1VOqA/A4on4nhxLZXxhX4YvHaJYlm1bZ+amG+j5XiI/NtHJm9k8CgYEA0NB9 -bAoaZnc06+T8rMaO45boX5SvYsCZbtY3VRl75SrbMal0IKfnXHELVHuei12LmlMs -LuFgG8jGO3+ncxUqMytoGvrmk/cM9tCNbDKVHtFbqz0qt9lkDAwLsBougKnVsNDW -Aae/tz/wYXJct86unfLh0xtvkx5Iz1we4cS1fZECgYA8YR+vfK7R8xUUuIVTAsOX -vHqmO6lYgH87DRCG9S0x9FB7g/LyxEjXOY/aTg+nTDpobUhY1nmESE8tRdXFTI27 -GWZcT3m0sZ/z9u6/wUfVAST7tWnpJHAx+TR/8bDsHnSGHF836O98Y3vpFeZosSNW -+5J1zxRiD5LzocmIPXOLkQKBgEgHApxXx898YwbTj8zRGMysay89DFpV8RboUWHL -To83/y/cMbBp+kZKwAu+MGwGMndjJSRunUY4NRik6c+qh0nrORfFX+++Efy4529g -60scEDC7Apc0J2x4Yze1cED1VD6PaqJbiKffKD2UwyKr6lOVSgwVtKDcm2Tbc9OQ -lMHhAoGBAIPwYVxzWM6I6pr8x2TucpBZZReLytz7uzybMNvbKCrwlETbNNXubnfp -nPuPKzpeRI0y26pIIAbijzFW0MXq+kIu3H7we8TaImsJ1AaQCTYeoLWBVcr6RISk -3d4i7iT35aWCuhPVve0FNIv/u3jrqX2H2C2MXMiLOsw1GFxPvpi4 ------END RSA PRIVATE KEY----- diff --git a/ext/openssl/tests/sni_server_us.pem b/ext/openssl/tests/sni_server_us.pem deleted file mode 100644 index 170a8a96e75d..000000000000 --- a/ext/openssl/tests/sni_server_us.pem +++ /dev/null @@ -1,57 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA1QkC3tiNYDY+ZxMmPbagYUbMpzuXo9mVBvYh86bYZaeB7bts -QCBK+6VD4D2LjR3RszpzmOzhJXjm8j0t+GeRS3OMIM75/BKAnixXicRSIb8zdIPz -JP992vvMq8p46/XftAfBhAMOaCqcD85zpyX4PhfC9733nOyN4yqx58O4UhVTKih6 -W9/ldp3uwSYAW+HyoINnHls/bFO8vv60K5VIhkxK30LHnC5PvByGfuHOgrscEThs -jW0ESqO0+9l88KhGdmLgzvbBlGxNziCMfn0LcFH6p2ITc3foD4LSzGEFtJ92OZi3 -buCOfbFsN7vWHTsEi89fRcCnWGtMwLUx0TCluQIDAQABAoIBAQCnsUQ1Lrl6trhA -Yu6DPbLZX+XQ7jPbonaQ2Ea5iOhmfIjmHdaEU+cyV1EqvseO+Z4MO0KraiuAV79T -h50cIEpa3kW7vbFCHz5nQ/hUVdlg/yT93rASu5rSOctOnz64Xv8Ms948kDtS+9eF -Cbo4JMdX+VRbt4mmWP8HhqAsFACPexEoWxJcIxwFcI24GTGzySjemNjQzbmcVhzM -a4k6n8DolCL1cRS54C5Aaf5g4+IFDgyydcgZXp1lnX3MnqivSNkejnPnY55NcmrH -X3ZWPlAi9GHOJE33uy8bGWnip7Tn4iTt6tJvjz/yP82TGACDg1B8XsKrqsuQLsoU -cNBVGcQBAoGBAPteCgNmuNOpo4SRA1UVRw1WgnE8YtnNA6vYyVcTLSpqabq33UaD -03L9CQsbHtj88U+E8OH24Iqj3U9x7QJfH8DVmWuBrlwez80JsKGnLdViHydjKcAz -H2Cbv+SiWeaWXkFCkN4Jf7k3q0Ew4SG2LOq5PVUy/NB4bilbJD2ExKpZAoGBANj2 -Hpwo35IQ4XfSSsGaCdn+8ajMcNUMMGZ6YkZqmVO4kogqobyrPL/2KE9ol/hlacw6 -U/6Digox5/wqruYfqyM8lqGOq2/0Xf7c4XfiOTS9Na4JN3OGzlyqPvcn2zdqhYFY -iHPu2RqpA+LhCHW9Zs8C1Bp/KAEPdRP6OabqVaphAoGACLrHVj7nBFLL3vq6RuYq -RYhPl2cld7LrAbjRpTiBRQvVCCsCgERrv36SJdSXSanfJ4fSZcaRHb97HBs0w/RR -wfypC1bBm2lmhhRkEfkgWlzCADgtZwNff5dpHqOUw7FNLK8HIO7rhJ8uT2FHMEiH -Xs94FdFjfknwaXdE1u4ZdmECgYEAgxfbkQHFbO2UPqErGGXp0/WOsS6ucpyF1jXW -kbOxZ3vb1jjkNyrEbzzeSHTrdmRYk9UekWeLjfNvt9dWjKfP8V+XqJCbF+9wqCFw -fs6LQEmfWMQq5DwtDqKznwVPGOHdPzVuZZaJSemb9oeAZBwINccAv+3bDyD23hZQ -pYFsN6ECgYEA33QYDNG/spki4D8rlxyxZ+1MdB/efnrGBhO8FsJpG5+AtmYhWgD9 -sl29+3aiRkmDznoy36z+hoeZePILEAKMcbHyXOymixOHPuaZJ95hbvq6sqd6WMAe -w5tHnxlfEuu11zatolk6WiAmTmG3sZpN5Tqloq0Ye4dvlhVKNV3Bn3E= ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIIFIjCCAwqgAwIBAgICEAQwDQYJKoZIhvcNAQELBQAwVTELMAkGA1UEBhMCR0Ix -EDAOBgNVBAgMB0VuZ2xhbmQxEDAOBgNVBAoMB1BIUC5uZXQxEDAOBgNVBAsMB29w -ZW5zc2wxEDAOBgNVBAMMB3BocC5uZXQwHhcNMTgwMTE0MTgzNjQ0WhcNMjYwNDAy -MTgzNjQ0WjBGMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDEQMA4GA1UE -CgwHUEhQLm5ldDETMBEGA1UEAwwKdXMucGhwLm5ldDCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBANUJAt7YjWA2PmcTJj22oGFGzKc7l6PZlQb2IfOm2GWn -ge27bEAgSvulQ+A9i40d0bM6c5js4SV45vI9LfhnkUtzjCDO+fwSgJ4sV4nEUiG/ -M3SD8yT/fdr7zKvKeOv137QHwYQDDmgqnA/Oc6cl+D4Xwve995zsjeMqsefDuFIV -Uyooelvf5Xad7sEmAFvh8qCDZx5bP2xTvL7+tCuVSIZMSt9Cx5wuT7wchn7hzoK7 -HBE4bI1tBEqjtPvZfPCoRnZi4M72wZRsTc4gjH59C3BR+qdiE3N36A+C0sxhBbSf -djmYt27gjn2xbDe71h07BIvPX0XAp1hrTMC1MdEwpbkCAwEAAaOCAQkwggEFMAkG -A1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVu -U1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFOXnUeNs -grKQb+EvG36DXjjDDmsFMGwGA1UdIwRlMGOAFOPK44Eacedv7HbR2Igcbew+4kUa -oUekRTBDMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDEQMA4GA1UECgwH -UEhQLm5ldDEQMA4GA1UEAwwHcGhwLm5ldIICEAAwDgYDVR0PAQH/BAQDAgWgMBMG -A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQBDLwuLbx75ACSU -5cF2L/D17JEnhlna62MgKNdpNLJSpaofK2Lk2BqsmnQf5JdkrXWMUN/DsmXZc9pq -25XmprfABUP9Cx18KPVqLQ43Z9o+R9xI1Ospt5mrpxGp6l2BHSs/4G69nuPFpcIJ -iabnLYdUk2Z+64lPe4EMBrZH+pj4xn3JA59BACJYNYn0nLaw45DIAyzyLJ0vVSwc -0JtjsztXQov4UqdWXxLRFfe2nEGoK8ZkTJ8ELcCYu6sNSBjw9Ech78uXN1BQOBTK -lhAgN3FKqOp3hqf0umqf35gDvmWwLB/eptUYZ96gBYT0tbPA0P+YsW+iZmamxXma -Odgg8iRcPxKl9bVPt57NLaDy/RQhOxTGXQs1Q2jp7UhzqoZDClwVSDxd6DEppAFA -OZAY+Rsrm7VoCwVQ/1KbcJHmJ/79tArvaWJk3KHLGMpdZq4KwrC3hM8/QxYtyX/6 -cfnXvShBYCdfTGgNlj3t/mNAgp1ZB3s9ClGqRBR/P0Db+ryv5DuxYM6nzEB3Od0y -kT5tHbXDQY+1HCExjOMi7Al0cmC2r3+oxDA4UjGv+npgcfeoxQhXmm/SQRiPdKlb -vT0D594sLoB23jqA9bMehpxEyI7eGjfFUmXwMeu0tJhipvpJI3ogJoM+SCFTyLkc -12cPiz/sR/ALhvhUJXTeUH8wxPjzbA== ------END CERTIFICATE----- diff --git a/ext/openssl/tests/sni_server_us_cert.pem b/ext/openssl/tests/sni_server_us_cert.pem deleted file mode 100644 index 4452e3c6cfbf..000000000000 --- a/ext/openssl/tests/sni_server_us_cert.pem +++ /dev/null @@ -1,30 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFIjCCAwqgAwIBAgICEAQwDQYJKoZIhvcNAQELBQAwVTELMAkGA1UEBhMCR0Ix -EDAOBgNVBAgMB0VuZ2xhbmQxEDAOBgNVBAoMB1BIUC5uZXQxEDAOBgNVBAsMB29w -ZW5zc2wxEDAOBgNVBAMMB3BocC5uZXQwHhcNMTgwMTE0MTgzNjQ0WhcNMjYwNDAy -MTgzNjQ0WjBGMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDEQMA4GA1UE -CgwHUEhQLm5ldDETMBEGA1UEAwwKdXMucGhwLm5ldDCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBANUJAt7YjWA2PmcTJj22oGFGzKc7l6PZlQb2IfOm2GWn -ge27bEAgSvulQ+A9i40d0bM6c5js4SV45vI9LfhnkUtzjCDO+fwSgJ4sV4nEUiG/ -M3SD8yT/fdr7zKvKeOv137QHwYQDDmgqnA/Oc6cl+D4Xwve995zsjeMqsefDuFIV -Uyooelvf5Xad7sEmAFvh8qCDZx5bP2xTvL7+tCuVSIZMSt9Cx5wuT7wchn7hzoK7 -HBE4bI1tBEqjtPvZfPCoRnZi4M72wZRsTc4gjH59C3BR+qdiE3N36A+C0sxhBbSf -djmYt27gjn2xbDe71h07BIvPX0XAp1hrTMC1MdEwpbkCAwEAAaOCAQkwggEFMAkG -A1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVu -U1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFOXnUeNs -grKQb+EvG36DXjjDDmsFMGwGA1UdIwRlMGOAFOPK44Eacedv7HbR2Igcbew+4kUa -oUekRTBDMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDEQMA4GA1UECgwH -UEhQLm5ldDEQMA4GA1UEAwwHcGhwLm5ldIICEAAwDgYDVR0PAQH/BAQDAgWgMBMG -A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQBDLwuLbx75ACSU -5cF2L/D17JEnhlna62MgKNdpNLJSpaofK2Lk2BqsmnQf5JdkrXWMUN/DsmXZc9pq -25XmprfABUP9Cx18KPVqLQ43Z9o+R9xI1Ospt5mrpxGp6l2BHSs/4G69nuPFpcIJ -iabnLYdUk2Z+64lPe4EMBrZH+pj4xn3JA59BACJYNYn0nLaw45DIAyzyLJ0vVSwc -0JtjsztXQov4UqdWXxLRFfe2nEGoK8ZkTJ8ELcCYu6sNSBjw9Ech78uXN1BQOBTK -lhAgN3FKqOp3hqf0umqf35gDvmWwLB/eptUYZ96gBYT0tbPA0P+YsW+iZmamxXma -Odgg8iRcPxKl9bVPt57NLaDy/RQhOxTGXQs1Q2jp7UhzqoZDClwVSDxd6DEppAFA -OZAY+Rsrm7VoCwVQ/1KbcJHmJ/79tArvaWJk3KHLGMpdZq4KwrC3hM8/QxYtyX/6 -cfnXvShBYCdfTGgNlj3t/mNAgp1ZB3s9ClGqRBR/P0Db+ryv5DuxYM6nzEB3Od0y -kT5tHbXDQY+1HCExjOMi7Al0cmC2r3+oxDA4UjGv+npgcfeoxQhXmm/SQRiPdKlb -vT0D594sLoB23jqA9bMehpxEyI7eGjfFUmXwMeu0tJhipvpJI3ogJoM+SCFTyLkc -12cPiz/sR/ALhvhUJXTeUH8wxPjzbA== ------END CERTIFICATE----- diff --git a/ext/openssl/tests/sni_server_us_key.pem b/ext/openssl/tests/sni_server_us_key.pem deleted file mode 100644 index 8b0d73d7d63e..000000000000 --- a/ext/openssl/tests/sni_server_us_key.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA1QkC3tiNYDY+ZxMmPbagYUbMpzuXo9mVBvYh86bYZaeB7bts -QCBK+6VD4D2LjR3RszpzmOzhJXjm8j0t+GeRS3OMIM75/BKAnixXicRSIb8zdIPz -JP992vvMq8p46/XftAfBhAMOaCqcD85zpyX4PhfC9733nOyN4yqx58O4UhVTKih6 -W9/ldp3uwSYAW+HyoINnHls/bFO8vv60K5VIhkxK30LHnC5PvByGfuHOgrscEThs -jW0ESqO0+9l88KhGdmLgzvbBlGxNziCMfn0LcFH6p2ITc3foD4LSzGEFtJ92OZi3 -buCOfbFsN7vWHTsEi89fRcCnWGtMwLUx0TCluQIDAQABAoIBAQCnsUQ1Lrl6trhA -Yu6DPbLZX+XQ7jPbonaQ2Ea5iOhmfIjmHdaEU+cyV1EqvseO+Z4MO0KraiuAV79T -h50cIEpa3kW7vbFCHz5nQ/hUVdlg/yT93rASu5rSOctOnz64Xv8Ms948kDtS+9eF -Cbo4JMdX+VRbt4mmWP8HhqAsFACPexEoWxJcIxwFcI24GTGzySjemNjQzbmcVhzM -a4k6n8DolCL1cRS54C5Aaf5g4+IFDgyydcgZXp1lnX3MnqivSNkejnPnY55NcmrH -X3ZWPlAi9GHOJE33uy8bGWnip7Tn4iTt6tJvjz/yP82TGACDg1B8XsKrqsuQLsoU -cNBVGcQBAoGBAPteCgNmuNOpo4SRA1UVRw1WgnE8YtnNA6vYyVcTLSpqabq33UaD -03L9CQsbHtj88U+E8OH24Iqj3U9x7QJfH8DVmWuBrlwez80JsKGnLdViHydjKcAz -H2Cbv+SiWeaWXkFCkN4Jf7k3q0Ew4SG2LOq5PVUy/NB4bilbJD2ExKpZAoGBANj2 -Hpwo35IQ4XfSSsGaCdn+8ajMcNUMMGZ6YkZqmVO4kogqobyrPL/2KE9ol/hlacw6 -U/6Digox5/wqruYfqyM8lqGOq2/0Xf7c4XfiOTS9Na4JN3OGzlyqPvcn2zdqhYFY -iHPu2RqpA+LhCHW9Zs8C1Bp/KAEPdRP6OabqVaphAoGACLrHVj7nBFLL3vq6RuYq -RYhPl2cld7LrAbjRpTiBRQvVCCsCgERrv36SJdSXSanfJ4fSZcaRHb97HBs0w/RR -wfypC1bBm2lmhhRkEfkgWlzCADgtZwNff5dpHqOUw7FNLK8HIO7rhJ8uT2FHMEiH -Xs94FdFjfknwaXdE1u4ZdmECgYEAgxfbkQHFbO2UPqErGGXp0/WOsS6ucpyF1jXW -kbOxZ3vb1jjkNyrEbzzeSHTrdmRYk9UekWeLjfNvt9dWjKfP8V+XqJCbF+9wqCFw -fs6LQEmfWMQq5DwtDqKznwVPGOHdPzVuZZaJSemb9oeAZBwINccAv+3bDyD23hZQ -pYFsN6ECgYEA33QYDNG/spki4D8rlxyxZ+1MdB/efnrGBhO8FsJpG5+AtmYhWgD9 -sl29+3aiRkmDznoy36z+hoeZePILEAKMcbHyXOymixOHPuaZJ95hbvq6sqd6WMAe -w5tHnxlfEuu11zatolk6WiAmTmG3sZpN5Tqloq0Ye4dvlhVKNV3Bn3E= ------END RSA PRIVATE KEY----- From 178a30b9e700d32a8aac4f49864838829bedd389 Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Sat, 4 Apr 2026 00:28:29 +0200 Subject: [PATCH 16/17] Fix SNI tests for bugs #80770 and #74796 --- ext/openssl/tests/bug74796.phpt | 29 ++++++++++++++++++++------ ext/openssl/tests/bug80770.phpt | 31 ++++++++++++++++------------ php-8.3.30.manifest | 36 +++++++++++++++++++++++++++++++++ 3 files changed, 77 insertions(+), 19 deletions(-) create mode 100644 php-8.3.30.manifest diff --git a/ext/openssl/tests/bug74796.phpt b/ext/openssl/tests/bug74796.phpt index b3f594d5e60f..8ec5590c064f 100644 --- a/ext/openssl/tests/bug74796.phpt +++ b/ext/openssl/tests/bug74796.phpt @@ -12,13 +12,24 @@ if (substr(PHP_OS, 0, 3) == 'WIN') { --FILE-- saveCaCert($caFile); +$certificateGenerator->saveNewCertAsFileWithKey('cs.php.net', $csFile); +$certificateGenerator->saveNewCertAsFileWithKey('uk.php.net', $ukFile); +$certificateGenerator->saveNewCertAsFileWithKey('us.php.net', $usFile); + $serverCode = <<<'CODE' $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; $ctx = stream_context_create(['ssl' => [ 'SNI_server_certs' => [ - "cs.php.net" => __DIR__ . "/sni_server_cs.pem", - "uk.php.net" => __DIR__ . "/sni_server_uk.pem", - "us.php.net" => __DIR__ . "/sni_server_us.pem" + "cs.php.net" => '%s', + "uk.php.net" => '%s', + "us.php.net" => '%s', ] ]]); @@ -33,6 +44,7 @@ $serverCode = <<<'CODE' phpt_wait(); CODE; +$serverCode = sprintf($serverCode, $csFile, $ukFile, $usFile); $proxyCode = <<<'CODE' function parse_sni_from_client_hello($data) { @@ -134,7 +146,7 @@ CODE; $clientCode = <<<'CODE' $clientCtx = stream_context_create([ 'ssl' => [ - 'cafile' => __DIR__ . '/sni_server_ca.pem', + 'cafile' => '%s', 'verify_peer' => true, 'verify_peer_name' => true, ], @@ -155,16 +167,21 @@ $clientCode = <<<'CODE' phpt_notify('server'); CODE; +$clientCode = sprintf($clientCode, $caFile); include 'ServerClientTestCase.inc'; ServerClientTestCase::getInstance()->run($clientCode, [ - 'server' => $serverCode, - 'proxy' => $proxyCode, + 'server' => $serverCode, + 'proxy' => $proxyCode, ]); ?> --CLEAN-- --EXPECT-- string(19) "Hello from server 0" diff --git a/ext/openssl/tests/bug80770.phpt b/ext/openssl/tests/bug80770.phpt index 9100aaa5aa18..21860dc78eb7 100644 --- a/ext/openssl/tests/bug80770.phpt +++ b/ext/openssl/tests/bug80770.phpt @@ -11,14 +11,25 @@ if (OPENSSL_VERSION_NUMBER < 0x10101000) die("skip OpenSSL v1.1.1 required"); saveCaCert($caCertFile); +$certificateGenerator->saveNewCertAsFileWithKey('cs.php.net', $csFile); +$certificateGenerator->saveNewCertAsFileWithKey('uk.php.net', $ukFile); +$certificateGenerator->saveNewCertAsFileWithKey('us.php.net', $usFile); +$certificateGenerator->saveNewCertAsFileWithKey('Bug80770 Test Client', $clientCertFile); $serverCode = <<<'CODE' $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; $ctx = stream_context_create(['ssl' => [ 'SNI_server_certs' => [ - "cs.php.net" => __DIR__ . "/sni_server_cs.pem", - "uk.php.net" => __DIR__ . "/sni_server_uk.pem", - "us.php.net" => __DIR__ . "/sni_server_us.pem" + "cs.php.net" => '%s', + "uk.php.net" => '%s', + "us.php.net" => '%s', ], 'verify_peer' => true, 'cafile' => '%s', @@ -28,7 +39,6 @@ $serverCode = <<<'CODE' ]]); $server = stream_socket_server('tcp://127.0.0.1:0', $errno, $errstr, $flags, $ctx); phpt_notify_server_start($server); - $client = stream_socket_accept($server, 30); if ($client) { $success = stream_socket_enable_crypto($client, true, STREAM_CRYPTO_METHOD_TLS_SERVER); @@ -43,7 +53,7 @@ $serverCode = <<<'CODE' phpt_notify(message: "ACCEPT_FAILED"); } CODE; -$serverCode = sprintf($serverCode, $caCertFile); +$serverCode = sprintf($serverCode, $csFile, $ukFile, $usFile, $caCertFile); $clientCode = <<<'CODE' $flags = STREAM_CLIENT_CONNECT; @@ -58,19 +68,11 @@ $clientCode = <<<'CODE' if ($client) { stream_socket_enable_crypto($client, true, STREAM_CRYPTO_METHOD_TLS_CLIENT); } - $result = phpt_wait(); echo trim($result); CODE; $clientCode = sprintf($clientCode, $clientCertFile); -include 'CertificateGenerator.inc'; - -// Generate CA and client certificate signed by that CA -$certificateGenerator = new CertificateGenerator(); -$certificateGenerator->saveCaCert($caCertFile); -$certificateGenerator->saveNewCertAsFileWithKey('Bug80770 Test Client', $clientCertFile); - include 'ServerClientTestCase.inc'; ServerClientTestCase::getInstance()->run($clientCode, $serverCode); ?> @@ -78,6 +80,9 @@ ServerClientTestCase::getInstance()->run($clientCode, $serverCode); --EXPECTF-- CLIENT_CERT_CAPTURED diff --git a/php-8.3.30.manifest b/php-8.3.30.manifest new file mode 100644 index 000000000000..ef6ffe8aa803 --- /dev/null +++ b/php-8.3.30.manifest @@ -0,0 +1,36 @@ +php-8.3.30.tar.bz2 +SHA256 hash: 800b7b6ed50b73c8ee7844ee5f2f7cc612faa7875a0aa7c4529e8ed5866a5030 +PGP signature: +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQTCjZN1dWA+tKu3JYYcB3ncXAqd5AUCaWbJsAAKCRAcB3ncXAqd +5FioAPwK1gjqwBbGr5g3y1TikqxgKVWMHCtir1n46yGN2hYvtwD/flOR9EqRejNU +wW4RMkmRwXGsXY28V1DH+NKnDKTEWQ8= +=jkCu +-----END PGP SIGNATURE----- + + +php-8.3.30.tar.gz +SHA256 hash: e587dc95fb7f62730299fa7b36b6e4f91e6708aaefa2fff68a0098d320c16386 +PGP signature: +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQTCjZN1dWA+tKu3JYYcB3ncXAqd5AUCaWbJsAAKCRAcB3ncXAqd +5F4eAP44IkpP3p3FRq3S9pDm9Y6bJnrpzxafqfXlZ949ECmUIgEAxFb+m5Tz7gcb +DSU+taIv2W6EQeijjaXPvAE2t1dGswo= +=kn1U +-----END PGP SIGNATURE----- + + +php-8.3.30.tar.xz +SHA256 hash: 67f084d36852daab6809561a7c8023d130ca07fc6af8fb040684dd1414934d48 +PGP signature: +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQTCjZN1dWA+tKu3JYYcB3ncXAqd5AUCaWbJsQAKCRAcB3ncXAqd +5NYpAP9Is0pCLlEuLiSRdAbgWPDee0jPA5JGoriGOFNkdMk67AD/WTzYCx7+dEVG +8Gb54wK005bk9nRGYQqwvZb+r1gqaQU= +=vSr4 +-----END PGP SIGNATURE----- + + From 1d8643deb7c2d6a5534cbc1a18c5d69fc003f9d2 Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Sat, 4 Apr 2026 00:29:54 +0200 Subject: [PATCH 17/17] Add back sni_server_ca for expired cert test --- ext/openssl/tests/sni_server_ca.pem | 63 +++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 ext/openssl/tests/sni_server_ca.pem diff --git a/ext/openssl/tests/sni_server_ca.pem b/ext/openssl/tests/sni_server_ca.pem new file mode 100644 index 000000000000..b2522884565d --- /dev/null +++ b/ext/openssl/tests/sni_server_ca.pem @@ -0,0 +1,63 @@ +-----BEGIN CERTIFICATE----- +MIIFejCCA2KgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwQzELMAkGA1UEBhMCR0Ix +EDAOBgNVBAgMB0VuZ2xhbmQxEDAOBgNVBAoMB1BIUC5uZXQxEDAOBgNVBAMMB3Bo +cC5uZXQwHhcNMTcxMTIyMTQyODIzWhcNMjcxMTIwMTQyODIzWjBVMQswCQYDVQQG +EwJHQjEQMA4GA1UECAwHRW5nbGFuZDEQMA4GA1UECgwHUEhQLm5ldDEQMA4GA1UE +CwwHb3BlbnNzbDEQMA4GA1UEAwwHcGhwLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBAMeENPus84HfIaypUVybbn5ZZyu1gXSYZAnDYYHhOlHu5kFh +26ohnHnoheapXVRbUtDZgUW5BztA+vDhKkM5G3U4p+YsqcSA/IkF2JQBkJH1jrxs +XMDtXIA4/MzYAVtyySqoMsrbkSCDzvI8imsbZI9O1x02VgaqoaQ9JZvglt1nhTIY +YpTbTKGCzMmrnFGHITeBsVose1ACFIAtqKqvUaA6TxcCtVcrENY3T3N/vEmoHHBg +O7j9+UvYN/WRPNcv0aIOlro83O9xQuJdRCygPmcv/jkqWRKm2Pu0lEkvbMCvOJr/ +Fz/kQg/6EVmIMsR/dgOMIjWjmpeTx24UJaNHUdNCeUbxIyTIyl9ISLWLM0Ipoq3L +95ygH6FSESAOpc8rVE2A5YZCtKlwvogMx3C/tMH1gWwMlfxn0CopP4Jx6lngw3yn +IpP0hnuCauQikBkyhsGu4J0Lbx5BsyDWQLwjiq4s8EcEy0vTdAvhDMRUGvpnjWaa +zBDVVrzHaRFvp6ueh35xf+dYieGL5UTICyrrQX9wwSafHV90a87y6XU+RwA25Dmc +V/kTn8/xkFv/4CbZp+0yArKpwXjqBMsQFbkFjT+Ky9MN+nedoFUMl7slgjpBs6RI +T08Hoa7/kMZGtLCiGcRXlwiIhB00gDz2avUvFTxwik9ssjDqBJGzNbBvZGb/AgMB +AAGjZjBkMB0GA1UdDgQWBBTjyuOBGnHnb+x20diIHG3sPuJFGjAfBgNVHSMEGDAW +gBQ0s99BNsV4Dszph6PArogA8HP4TDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1Ud +DwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAFrQMmCoSe8uJbJLqPGMPW4ZE +0U81WWboc9FrSfezBYkTKuCjMTjQFv8oLp4pnuWZw22mHrOiz9izjNnXcR/rdVbG +Cip/JSHlTzHd3gnxSSd2diXvVrSb4zuLyN6WIficlsj3QdIP4Cdfv1pdHBTsRPbW +vuHpwYqqjxPBjqvoVZyZRyRM1pqpxLCvxOt4S3z4uZXyIH2UI7yWxI6MvdHBZg5m +TwiVi1gEQuRnYRy4sK9qJlBo5jERvzDr46W1e9Yz5sNMPfwWb64Hkkys3GqJt5am +OKxvgF3lvIK90vBjenGDfYEENP+0qdmdpHQkxGM2cl9iPqW8iyRGBVjdbzTIeRgB +u+CEbffSKWCpbm1Zcszv3FHMlsU4Px2pUTdLwEMgBQUPW/ngBMdRgVZE01GI7D1k +AM3hO347eehQTWoyuHgsnB2uaANEeR/XFBGDFmbs5ggAzxxRsH1FxoHXrv3iDIPW +9lKnSow+OZGcPKgaY5Nsregt4jO+pQqhzxlMa2QMfrMoGkEvrKNcDqeEI6KQa1SI +Zbq7sjf2w+VL0oQcse+gtg4q771dKy9V/XcfnPbiBAXfQqGj/v0LmZRn3ZRrkgzl +CaZocqVRJZbqu7/iu/p9pDRMR03vhBWPn7iM8VqzkhKjAlD0rolnQqvOAXyPpd/O +qYuYP+6Ymt/rUWXGVh0= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFbDCCA1SgAwIBAgIJAJcrLHeFQrGEMA0GCSqGSIb3DQEBCwUAMEMxCzAJBgNV +BAYTAkdCMRAwDgYDVQQIDAdFbmdsYW5kMRAwDgYDVQQKDAdQSFAubmV0MRAwDgYD +VQQDDAdwaHAubmV0MB4XDTE3MTExNTE5MTEwMVoXDTM4MDUyOTE5MTEwMVowQzEL +MAkGA1UEBhMCR0IxEDAOBgNVBAgMB0VuZ2xhbmQxEDAOBgNVBAoMB1BIUC5uZXQx +EDAOBgNVBAMMB3BocC5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQC4bIXbh+e+OCbLum2FYB8i6ZnOShp1teWNEE/8A4ot20wkPxLeXFSU1Egn+3BG +fxHKrWxV/FOiL7bims/SfwptFkgNZkwE52HVk49zgQevG38smsnIGuBMXMKebLPT +wlsIWRqCmZqEmh1wNcC9+qwoHoYjvJvMYfFvofiSc7qkTFsjoBVe+ho90vjYMznr +Bs9DlD88iXO0kKN0Bsu2igz68JWkUsoNeD6UKSir16SmQZxdFPCM0O0gxmOyz4NZ +w8pJ5XGDJyS82fVp13tYCOBFhK0QBvvzaz/gN6De5arefm6cer9TX0HE+VvGhx4T +2lqydFLfAVKTTNoZHOQk2mFVUm7dlMzLvsgNKdEZH6wAa12eBImCea+CyJNkbGLC +nrN6a93iGqTft75sbDyvzRk/BdnxadkAPlOxgK1qGrOgeS0+7chPMh24MRoKj5bU +lYGdcp7Y9qIW1hZXFfgPJO0yMOug/7J14jybp+YhymBIBTZYi1zbGqGNXdLPyp77 +9KTfyJE9KkbGegBvwqJmZTW8QoUDllopDjr1zaIqHWJqfAK7vGivu0iLVJHBRbRs +w9c48RCjfIh7AkvFKsdIDt9SMdZOdm9D8SXosYPM1zMFQsFFRPh/nKyl9QnhWbwd +Vs1tIFDrb10Z2sn0pF/V0F0gubR5rvYs+3h/dLciLVFobQIDAQABo2MwYTAdBgNV +HQ4EFgQUNLPfQTbFeA7M6YejwK6IAPBz+EwwHwYDVR0jBBgwFoAUNLPfQTbFeA7M +6YejwK6IAPBz+EwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJ +KoZIhvcNAQELBQADggIBAIkctDRCNcNVs2qP/O3zZsVZ1cqlqYNjcHIVHqNZRvVb +bPtInZ/i/6BbwA5QM/giKpl2aMwetUnezjHVD+7/m24Mfs1FWyPD3joCMIANj7hR +MNbmX1LQBMt/bD3E5trq9S9rZ++/ny4gn/z2jH3x+lzDMBDiam/wXbvSmyIUPUX6 +V8FFpkTBNERpurUvX1NEFLuiilWKrI7/u1qS11PGBcX3pNQNfhKNMtuFz74hAE7C +RE8756CGu2bZzydYCarUXSNTXqNm5ly2J0UN6Al4myFwj/6XnLnDhXDAI8CaqDMD +MwmxUzJvzuphNS085ZIntrSgPJESGozevEsf9bGD8GyoBQN/cSqOJCFfnJqxtKHb +wNa2F78SXYsiWkRb5EzoyCeon+0tygG6gLBouVY8ouCerExkH9qzRLLzFInxmCm2 +ill7c8Xmml4H2BxJE33dz/Qh7PM3eF2A2VriioLDj4+HOiWq/1BjdW6/Xiwx5iP2 +nC6Cex+lBt6HkP9WIiJbGxVeamF5jxNWWvLoUkrjFhpukjb5BPR9zFt7mAty9J/T +iQt26yylP4ucmL9KB6lv4ISW4Ri8mhMcYh6nF3tIYWZMCSQKqkyvymhKdLMZa20A +IME2oxnfZcmsfMpM6BYsN4XDfGBeYctqqt2AFRNLkI4wFkFFdPTMcTi1q0iRH2Xk +-----END CERTIFICATE-----