[pull] master from php:master

ext/openssl/openssl.c

@@ -562,14 +562,11 @@ PHP_FUNCTION(openssl_x509_export_to_file)
 
 	bio_out = BIO_new_file(file_path, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY));
 	if (bio_out) {
-		if (!notext && !X509_print(bio_out, cert)) {
-			php_openssl_store_errors();
-		}
-		if (!PEM_write_bio_X509(bio_out, cert)) {
+		if ((notext || X509_print(bio_out, cert)) && PEM_write_bio_X509(bio_out, cert)) {
+			RETVAL_TRUE;
+		} else {
 			php_openssl_store_errors();
 		}
-
-		RETVAL_TRUE;
 	} else {
 		php_openssl_store_errors();
 		php_error_docref(NULL, E_WARNING, "Error opening file %s", file_path);
@@ -864,8 +861,7 @@ PHP_FUNCTION(openssl_x509_export)
 	}
 	if (!notext && !X509_print(bio_out, cert)) {
 		php_openssl_store_errors();
-	}
-	if (PEM_write_bio_X509(bio_out, cert)) {
+	} else if (PEM_write_bio_X509(bio_out, cert)) {
 		BUF_MEM *bio_buf;
 
 		BIO_get_mem_ptr(bio_out, &bio_buf);
@@ -1156,7 +1152,7 @@ PHP_FUNCTION(openssl_x509_parse)
 				goto err_subitem;
 			}
 		}
-		else if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
+		else if (X509V3_EXT_print(bio_out, extension, 0, 0) > 0) {
 			BIO_get_mem_ptr(bio_out, &bio_buf);
 			add_assoc_stringl(&subitem, extname, bio_buf->data, bio_buf->length);
 		} else {
@@ -1518,7 +1514,7 @@ PHP_FUNCTION(openssl_pkcs12_read)
 
 		if (cert) {
 			bio_out = BIO_new(BIO_s_mem());
-			if (PEM_write_bio_X509(bio_out, cert)) {
+			if (bio_out && PEM_write_bio_X509(bio_out, cert)) {
 				BUF_MEM *bio_buf;
 				BIO_get_mem_ptr(bio_out, &bio_buf);
 				ZVAL_STRINGL(&zcert, bio_buf->data, bio_buf->length);
@@ -1628,9 +1624,9 @@ PHP_FUNCTION(openssl_csr_export_to_file)
 	bio_out = BIO_new_file(file_path, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY));
 	if (bio_out != NULL) {
 		if (!notext && !X509_REQ_print(bio_out, csr)) {
+			/* TODO: warn? */
 			php_openssl_store_errors();
-		}
-		if (!PEM_write_bio_X509_REQ(bio_out, csr)) {
+		} else if (!PEM_write_bio_X509_REQ(bio_out, csr)) {
 			php_error_docref(NULL, E_WARNING, "Error writing PEM to file %s", file_path);
 			php_openssl_store_errors();
 		} else {
@@ -1679,9 +1675,7 @@ PHP_FUNCTION(openssl_csr_export)
 	bio_out = BIO_new(BIO_s_mem());
 	if (!notext && !X509_REQ_print(bio_out, csr)) {
 		php_openssl_store_errors();
-	}
-
-	if (PEM_write_bio_X509_REQ(bio_out, csr)) {
+	} else if (PEM_write_bio_X509_REQ(bio_out, csr)) {
 		BUF_MEM *bio_buf;
 
 		BIO_get_mem_ptr(bio_out, &bio_buf);
@@ -1824,7 +1818,10 @@ PHP_FUNCTION(openssl_csr_sign)
 		PHP_OPENSSL_ASN1_INTEGER_set(X509_get_serialNumber(new_cert), serial);
 	}
 
-	X509_set_subject_name(new_cert, X509_REQ_get_subject_name(csr));
+	if (!X509_set_subject_name(new_cert, X509_REQ_get_subject_name(csr))) {
+		php_openssl_store_errors();
+		goto cleanup;
+	}
 
 	if (cert == NULL) {
 		cert = new_cert;
@@ -2224,6 +2221,10 @@ PHP_FUNCTION(openssl_pkey_export)
 
 	if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) {
 		bio_out = BIO_new(BIO_s_mem());
+		if (!bio_out) {
+			php_openssl_store_errors();
+			goto cleanup;
+		}
 
 		if (passphrase && req.priv_key_encrypt) {
 			if (req.priv_key_encrypt_cipher) {
@@ -2252,6 +2253,7 @@ PHP_FUNCTION(openssl_pkey_export)
 			php_openssl_store_errors();
 		}
 	}
+cleanup:
 	EVP_PKEY_free(key);
 	BIO_free(bio_out);
 	PHP_SSL_REQ_DISPOSE(&req);
@@ -2327,7 +2329,7 @@ PHP_FUNCTION(openssl_pkey_get_details)
 	EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey;
 
 	BIO *out = BIO_new(BIO_s_mem());
-	if (!PEM_write_bio_PUBKEY(out, pkey)) {
+	if (!out || !PEM_write_bio_PUBKEY(out, pkey)) {
 		BIO_free(out);
 		php_openssl_store_errors();
 		RETURN_FALSE;
@@ -4410,18 +4412,20 @@ PHP_FUNCTION(openssl_open)
 	cipher = php_openssl_get_evp_cipher_by_name(method);
 	if (!cipher) {
 		php_error_docref(NULL, E_WARNING, "Unknown cipher algorithm");
-		RETURN_FALSE;
+		RETVAL_FALSE;
+		goto out_pkey;
 	}
 
 	cipher_iv_len = EVP_CIPHER_iv_length(cipher);
 	if (cipher_iv_len > 0) {
 		if (!iv) {
 			zend_argument_value_error(6, "cannot be null for the chosen cipher algorithm");
-			RETURN_THROWS();
+			goto out_pkey;
 		}
 		if ((size_t)cipher_iv_len != iv_len) {
 			php_error_docref(NULL, E_WARNING, "IV length is invalid");
-			RETURN_FALSE;
+			RETVAL_FALSE;
+			goto out_pkey;
 		}
 		iv_buf = (unsigned char *)iv;
 	} else {
@@ -4443,8 +4447,9 @@ PHP_FUNCTION(openssl_open)
 	}
 
 	efree(buf);
-	EVP_PKEY_free(pkey);
 	EVP_CIPHER_CTX_free(ctx);
+out_pkey:
+	EVP_PKEY_free(pkey);
 }
 /* }}} */
 
@@ -4524,7 +4529,8 @@ PHP_FUNCTION(openssl_digest)
 	sigbuf = zend_string_alloc(siglen, 0);
 
 	md_ctx = EVP_MD_CTX_create();
-	if (EVP_DigestInit(md_ctx, mdtype) &&
+	if (md_ctx &&
+			EVP_DigestInit(md_ctx, mdtype) &&
 			EVP_DigestUpdate(md_ctx, (unsigned char *)data, data_len) &&
 			EVP_DigestFinal (md_ctx, (unsigned char *)ZSTR_VAL(sigbuf), &siglen)) {
 		if (raw_output) {

ext/openssl/tests/bug74796.phpt

@@ -12,13 +12,24 @@ if (substr(PHP_OS, 0, 3) == 'WIN') {
 --FILE--
 <?php
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$caFile = __DIR__ . '/bug74796_ca.pem.tmp';
+$csFile = __DIR__ . '/bug74796_cs.pem.tmp';
+$ukFile = __DIR__ . '/bug74796_uk.pem.tmp';
+$usFile = __DIR__ . '/bug74796_us.pem.tmp';
+$certificateGenerator->saveCaCert($caFile);
+$certificateGenerator->saveNewCertAsFileWithKey('cs.php.net', $csFile);
+$certificateGenerator->saveNewCertAsFileWithKey('uk.php.net', $ukFile);
+$certificateGenerator->saveNewCertAsFileWithKey('us.php.net', $usFile);
+
 $serverCode = <<<'CODE'
     $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
     $ctx = stream_context_create(['ssl' => [
         'SNI_server_certs' => [
-            "cs.php.net" => __DIR__ . "/sni_server_cs.pem",
-            "uk.php.net" => __DIR__ . "/sni_server_uk.pem",
-            "us.php.net" => __DIR__ . "/sni_server_us.pem"
+            "cs.php.net" => '%s',
+            "uk.php.net" => '%s',
+            "us.php.net" => '%s',
         ]
     ]]);
 
@@ -33,6 +44,7 @@ $serverCode = <<<'CODE'
 
     phpt_wait();
 CODE;
+$serverCode = sprintf($serverCode, $csFile, $ukFile, $usFile);
 
 $proxyCode = <<<'CODE'
     function parse_sni_from_client_hello($data) {
@@ -134,7 +146,7 @@ CODE;
 $clientCode = <<<'CODE'
     $clientCtx = stream_context_create([
         'ssl' => [
-            'cafile' => __DIR__ . '/sni_server_ca.pem',
+            'cafile' => '%s',
             'verify_peer' => true,
             'verify_peer_name' => true,
         ],
@@ -155,16 +167,21 @@ $clientCode = <<<'CODE'
 
     phpt_notify('server');
 CODE;
+$clientCode = sprintf($clientCode, $caFile);
 
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, [
-    'server' => $serverCode,
-    'proxy' => $proxyCode,
+        'server' => $serverCode,
+        'proxy' => $proxyCode,
 ]);
 ?>
 --CLEAN--
 <?php
 @unlink(__DIR__ . "/bug74796_proxy_sni.log");
+@unlink(__DIR__ . '/bug74796_ca.pem.tmp');
+@unlink(__DIR__ . '/bug74796_cs.pem.tmp');
+@unlink(__DIR__ . '/bug74796_uk.pem.tmp');
+@unlink(__DIR__ . '/bug74796_us.pem.tmp');
 ?>
 --EXPECT--
 string(19) "Hello from server 0"

ext/openssl/tests/bug80770.phpt

@@ -11,14 +11,25 @@ if (OPENSSL_VERSION_NUMBER < 0x10101000) die("skip OpenSSL v1.1.1 required");
 <?php
 $clientCertFile = __DIR__ . DIRECTORY_SEPARATOR . 'bug80770_client.pem.tmp';
 $caCertFile = __DIR__ . DIRECTORY_SEPARATOR . 'bug80770_ca.pem.tmp';
+$csFile = __DIR__ . DIRECTORY_SEPARATOR . 'bug80770_cs.pem.tmp';
+$ukFile = __DIR__ . DIRECTORY_SEPARATOR . 'bug80770_uk.pem.tmp';
+$usFile = __DIR__ . DIRECTORY_SEPARATOR . 'bug80770_us.pem.tmp';
+
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveCaCert($caCertFile);
+$certificateGenerator->saveNewCertAsFileWithKey('cs.php.net', $csFile);
+$certificateGenerator->saveNewCertAsFileWithKey('uk.php.net', $ukFile);
+$certificateGenerator->saveNewCertAsFileWithKey('us.php.net', $usFile);
+$certificateGenerator->saveNewCertAsFileWithKey('Bug80770 Test Client', $clientCertFile);
 
 $serverCode = <<<'CODE'
     $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
     $ctx = stream_context_create(['ssl' => [
         'SNI_server_certs' => [
-            "cs.php.net" => __DIR__ . "/sni_server_cs.pem",
-            "uk.php.net" => __DIR__ . "/sni_server_uk.pem",
-            "us.php.net" => __DIR__ . "/sni_server_us.pem"
+            "cs.php.net" => '%s',
+            "uk.php.net" => '%s',
+            "us.php.net" => '%s',
         ],
         'verify_peer' => true,
         'cafile' => '%s',
@@ -28,7 +39,6 @@ $serverCode = <<<'CODE'
     ]]);
     $server = stream_socket_server('tcp://127.0.0.1:0', $errno, $errstr, $flags, $ctx);
     phpt_notify_server_start($server);
-
     $client = stream_socket_accept($server, 30);
     if ($client) {
         $success = stream_socket_enable_crypto($client, true, STREAM_CRYPTO_METHOD_TLS_SERVER);
@@ -43,7 +53,7 @@ $serverCode = <<<'CODE'
         phpt_notify(message: "ACCEPT_FAILED");
     }
 CODE;
-$serverCode = sprintf($serverCode, $caCertFile);
+$serverCode = sprintf($serverCode, $csFile, $ukFile, $usFile, $caCertFile);
 
 $clientCode = <<<'CODE'
     $flags = STREAM_CLIENT_CONNECT;
@@ -58,26 +68,21 @@ $clientCode = <<<'CODE'
     if ($client) {
         stream_socket_enable_crypto($client, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
     }
-
     $result = phpt_wait();
     echo trim($result);
 CODE;
 $clientCode = sprintf($clientCode, $clientCertFile);
 
-include 'CertificateGenerator.inc';
-
-// Generate CA and client certificate signed by that CA
-$certificateGenerator = new CertificateGenerator();
-$certificateGenerator->saveCaCert($caCertFile);
-$certificateGenerator->saveNewCertAsFileWithKey('Bug80770 Test Client', $clientCertFile);
-
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
 --CLEAN--
 <?php
 @unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug80770_client.pem.tmp');
 @unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug80770_ca.pem.tmp');
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug80770_cs.pem.tmp');
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug80770_uk.pem.tmp');
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug80770_us.pem.tmp');
 ?>
 --EXPECTF--
 CLIENT_CERT_CAPTURED