mirror of
https://github.com/php/php-src.git
synced 2024-11-24 10:24:11 +08:00
Fixed bug #68265 (SAN match fails with trailing DNS dot)
This commit is contained in:
Daniel Lowrey
parent
1de1ff75f5
commit
65a9a5ca12
1
NEWS
1
NEWS
@ -38,6 +38,7 @@
|
||||
(Daniel Lowrey)
|
||||
. Fixed bug #68879 (IP Address fields in subjectAltNames not used)
|
||||
(Daniel Lowrey)
|
||||
. Fixed bug #68265 (SAN match fails with trailing DNS dot) (Daniel Lowrey)
|
||||
|
||||
- pgsql:
|
||||
. Fixed bug #68638 (pg_update() fails to store infinite values).
|
||||
|
||||
33
ext/openssl/tests/bug68265.pem
Normal file
33
ext/openssl/tests/bug68265.pem
Normal file
@ -0,0 +1,33 @@
|
||||
-----BEGIN ENCRYPTED PRIVATE KEY-----
|
||||
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIuw/AFD7RWcMCAggA
|
||||
MBQGCCqGSIb3DQMHBAh98F6GmaGn1ASCAoBpzaFxyttEhyh4dhMjarJIqTz24DjO
|
||||
yZnp1K5qthejSYx2P28uUsh+gQOh6F2jbVAq++eAWkTBGuc4pWhhoT7nY8vhf0Y0
|
||||
6yTlVrTxuI/8MNo/lfa0xE/+ZD4B5zp0hQxfij4GTd8l6V/kpXMgiYD1JmIXArm7
|
||||
sucn+9XV3RucsTBpeIJ1nLEDfpbyEWqNfhoyskQ+S3I6HkMgELI9JpsO6OR9fh1Q
|
||||
ttdoYxBU+YjoDYcSWRGkTGrJFeGGhTQzz+L2ijgoqNWDSfrLBoQR1bqNVUuw6gcE
|
||||
9PpA/vpRlxcHbUNNkOWft+4e0tV3I2EqscEcsYeNbd2Ta4yu7f6pk4/Kxn40wrQ8
|
||||
6Ss9GZylghaFth2xppL/vpmGaCC7FqpZRh+NKqjlcBobIkwyRcsQrPHB0CYLPHA4
|
||||
yak/dNTY8L5K8Rtd5XG3+E41CoDF6ssNY0Kw7l9kAn/neDVh+WnQkWIiWPmq210a
|
||||
p4L/uiXRK7aYi+UqKJ5+svayNw2w1dkqpbeejwLq2F1+ek/447JFPVJcvP8Nm7sr
|
||||
04Mcg+ZHusZdjiWEv4W6CBq8o6eF2JdhfpSDgPkHwiZ/EarHfx0vcYIMJhlEQBmk
|
||||
a/XsZPk2wnamKSPfJautO3MIus0M6SniWF6eDA4/AZzSjXV8Vc0unb6lc+Nc8tJa
|
||||
6MU1soTsmki/YraCmQswqpL+kXFZVeHuLowOC5oH+CimQoscmiZ9tBvpnYo6XwEZ
|
||||
S9jZRIBQ77oMku+rlMPfz2FURgVXZpEfrGmxKvA5Vt3ojrYfTwwD2YqZHVcm39zy
|
||||
iKqA1qVt7A2A90ILMAzYnN0VRE4SO3yIDN1ZBp5OOY61AduPrhpaHl81
|
||||
-----END ENCRYPTED PRIVATE KEY-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICdjCCAd+gAwIBAgIJAPbIVRT31Al2MA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
|
||||
BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
|
||||
Q29tcGFueSBMdGQxFDASBgNVBAMMC3BocCB0ZXN0IGNhMB4XDTE1MDMwNTA2MTYz
|
||||
MFoXDTI1MDMwMjA2MTYzMFowUjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlNDMRUw
|
||||
EwYDVQQHDAxNeXJ0bGUgQmVhY2gxDDAKBgNVBAsMA1BIUDERMA8GA1UEAwwIdGVz
|
||||
dC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKp5gxUbKvY5eFwZJti0
|
||||
6d6YBo400Or6M+bLfIMnz5C1WQ7dMfiQpeFLpSIlOIaFqyrqkeeR9k5dsx1K9FOu
|
||||
PAJ4+lmWA4R93RpdJFz8kmQoNu3P59JMATXi8wvNBIrN/Vc08NT0wBRImeyQSVHd
|
||||
UcFIXBEbBM0dQsPKQ1k8n5WDAgMBAAGjTjBMMAkGA1UdEwQCMAAwCwYDVR0PBAQD
|
||||
AgXgMDIGA1UdEQQrMCmCEmRlYnMuYWstb25saW5lLmJlLoITZGVicy5hay1vbmxp
|
||||
bmUubmV0LjANBgkqhkiG9w0BAQsFAAOBgQB8PaLt+IX690UIbHKuko4qAdc5SzWA
|
||||
Vbm3D4StZeFwWQbZbBGFCDn0/0ON0iDv4JUgZnaX84mBDPczN26QG2PJND0Cggmi
|
||||
umylEVYhclPF4RoGcoKd3jT2igzDNyzk/lu+NUtRv/Nj161ds9vb9XiOrEkPn8Ne
|
||||
mzz3wA0D5A65lw==
|
||||
-----END CERTIFICATE-----
|
||||
41
ext/openssl/tests/bug68265.phpt
Normal file
41
ext/openssl/tests/bug68265.phpt
Normal file
@ -0,0 +1,41 @@
|
||||
--TEST--
|
||||
Bug #68265: SAN match fails with trailing DNS dot
|
||||
--SKIPIF--
|
||||
<?php
|
||||
if (!extension_loaded("openssl")) die("skip openssl not loaded");
|
||||
if (!function_exists("proc_open")) die("skip no proc_open");
|
||||
--FILE--
|
||||
<?php
|
||||
$serverCode = <<<'CODE'
|
||||
$serverUri = "ssl://127.0.0.1:64321";
|
||||
$serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
|
||||
$serverCtx = stream_context_create(['ssl' => [
|
||||
'local_cert' => __DIR__ . '/bug68265.pem',
|
||||
'passphrase' => 'elephpant',
|
||||
]]);
|
||||
|
||||
$server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
|
||||
phpt_notify();
|
||||
|
||||
stream_socket_accept($server, 30);
|
||||
CODE;
|
||||
|
||||
$clientCode = <<<'CODE'
|
||||
$serverUri = "ssl://127.0.0.1:64321";
|
||||
$clientFlags = STREAM_CLIENT_CONNECT;
|
||||
$clientCtx = stream_context_create(['ssl' => [
|
||||
'verify_peer' => false,
|
||||
'verify_peer_name' => true,
|
||||
'peer_name' => 'debs.ak-online.net',
|
||||
]]);
|
||||
|
||||
phpt_wait();
|
||||
|
||||
var_dump(stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx));
|
||||
CODE;
|
||||
|
||||
include 'ServerClientTestCase.inc';
|
||||
ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
|
||||
--EXPECTF--
|
||||
resource(%d) of type (stream)
|
||||
|
||||
@ -372,7 +372,7 @@ static zend_bool matches_wildcard_name(const char *subjectname, const char *cert
|
||||
|
||||
static zend_bool matches_san_list(X509 *peer, const char *subject_name) /* {{{ */
|
||||
{
|
||||
int i;
|
||||
int i, len;
|
||||
unsigned char *cert_name = NULL;
|
||||
char ipbuffer[64];
|
||||
|
||||
@ -390,6 +390,12 @@ static zend_bool matches_san_list(X509 *peer, const char *subject_name) /* {{{ *
|
||||
continue;
|
||||
}
|
||||
|
||||
/* accommodate valid FQDN entries ending in "." */
|
||||
len = strlen((const char*)cert_name);
|
||||
if (len && strcmp((const char *)&cert_name[len-1], ".") == 0) {
|
||||
cert_name[len-1] = '\0';
|
||||
}
|
||||
|
||||
if (matches_wildcard_name(subject_name, (const char *)cert_name)) {
|
||||
OPENSSL_free(cert_name);
|
||||
return 1;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user