Fix tests and logic for TLS 1.3

2024-12-19 23:11:42 +08:00 · 2019-03-03 14:22:14 +00:00 · 2019-03-03 14:22:14 +00:00 · c2e9c71e36
commit c2e9c71e36
parent 5c05f5e6d3
3 changed files with 39 additions and 28 deletions
--- a/ext/openssl/tests/session_meta_capture_tlsv13.phpt
+++ b/ext/openssl/tests/session_meta_capture_tlsv13.phpt
@ -8,11 +8,14 @@ if (OPENSSL_VERSION_NUMBER < 0x10101000) die("skip OpenSSL v1.1.1 required");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'session_meta_capture_tlsv13.pem.tmp';
+$cacertFile = __DIR__ . DIRECTORY_SEPARATOR . 'session_meta_capture_tlsv13-ca.pem.tmp';
+
 $serverCode = <<<'CODE'
    $serverUri = "ssl://127.0.0.1:64321";
    $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
    $serverCtx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/bug54992.pem',
+        'local_cert' => '%s',
        'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_3_SERVER,
    ]]);

@ -20,18 +23,17 @@ $serverCode = <<<'CODE'
    phpt_notify();

    @stream_socket_accept($server, 1);
-    @stream_socket_accept($server, 1);
-    @stream_socket_accept($server, 1);
-    @stream_socket_accept($server, 1);
 CODE;
+$serverCode = sprintf($serverCode, $certFile);

+$peerName = 'session_meta_capture_tlsv13';
 $clientCode = <<<'CODE'
    $serverUri = "ssl://127.0.0.1:64321";
    $clientFlags = STREAM_CLIENT_CONNECT;
    $clientCtx = stream_context_create(['ssl' => [
        'verify_peer' => true,
-        'cafile' => __DIR__ . '/bug54992-ca.pem',
-        'peer_name' => 'bug54992.local',
+        'cafile' => '%s',
+        'peer_name' => '%s',
        'capture_session_meta' => true,
    ]]);

@ -42,6 +44,12 @@ $clientCode = <<<'CODE'
    $meta = stream_context_get_options($clientCtx)['ssl']['session_meta'];
    var_dump($meta['protocol']);
 CODE;
+$clientCode = sprintf($clientCode, $cacertFile, $peerName);
+
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveCaCert($cacertFile);
+$certificateGenerator->saveNewCertAsFileWithKey($peerName, $certFile);

 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
--- a/ext/openssl/tests/tlsv1.3_wrapper.phpt
+++ b/ext/openssl/tests/tlsv1.3_wrapper.phpt
@ -34,7 +34,7 @@ $clientCode = <<<'CODE'
    $client = stream_socket_client("tlsv1.3://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
    var_dump($client);

-    $client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
+    $client = @stream_socket_client("tlsv1.0://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
    var_dump($client);

    $client = @stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@ -60,15 +60,6 @@
 #define STREAM_CRYPTO_METHOD_TLSv1_2       (1<<5)
 #define STREAM_CRYPTO_METHOD_TLSv1_3       (1<<6)

-#ifndef OPENSSL_NO_SSL3
-#define HAVE_SSL3 1
-#define PHP_OPENSSL_MIN_PROTO_VERSION STREAM_CRYPTO_METHOD_SSLv3
-#else
-#define PHP_OPENSSL_MIN_PROTO_VERSION STREAM_CRYPTO_METHOD_TLSv1_0
-#endif
-#define PHP_OPENSSL_MAX_PROTO_VERSION STREAM_CRYPTO_METHOD_TLSv1_3
-
-
 #define HAVE_TLS11 1
 #define HAVE_TLS12 1
 #if OPENSSL_VERSION_NUMBER >= 0x10101000
@ -90,6 +81,18 @@
 #define HAVE_SEC_LEVEL 1
 #endif

+#ifndef OPENSSL_NO_SSL3
+#define HAVE_SSL3 1
+#define PHP_OPENSSL_MIN_PROTO_VERSION STREAM_CRYPTO_METHOD_SSLv3
+#else
+#define PHP_OPENSSL_MIN_PROTO_VERSION STREAM_CRYPTO_METHOD_TLSv1_0
+#endif
+#ifdef HAVE_TLS13
+#define PHP_OPENSSL_MAX_PROTO_VERSION STREAM_CRYPTO_METHOD_TLSv1_3
+#else
+#define PHP_OPENSSL_MAX_PROTO_VERSION STREAM_CRYPTO_METHOD_TLSv1_2
+#endif
+
 /* Simplify ssl context option retrieval */
 #define GET_VER_OPT(name) \
 	(PHP_STREAM_CONTEXT(stream) && (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", name)) != NULL)
@ -1021,7 +1024,7 @@ static inline int php_openssl_get_min_proto_version_flag(int flags) /* {{{ */
 			return ver;
 		}
 	}
-	return STREAM_CRYPTO_METHOD_TLSv1_3;
+	return PHP_OPENSSL_MAX_PROTO_VERSION;
 }
 /* }}} */

@ -1041,22 +1044,22 @@ static inline int php_openssl_get_max_proto_version_flag(int flags) /* {{{ */
 static inline int php_openssl_map_proto_version(int flag) /* {{{ */
 {
 	switch (flag) {
+#ifdef HAVE_TLS13
+		case STREAM_CRYPTO_METHOD_TLSv1_3:
+			return TLS1_3_VERSION;
+#endif
+		case STREAM_CRYPTO_METHOD_TLSv1_2:
+			return TLS1_2_VERSION;
+		case STREAM_CRYPTO_METHOD_TLSv1_1:
+			return TLS1_1_VERSION;
+		case STREAM_CRYPTO_METHOD_TLSv1_0:
+			return TLS1_VERSION;
 #ifdef HAVE_SSL3
 		case STREAM_CRYPTO_METHOD_SSLv3:
 			return SSL3_VERSION;
 #endif
-		case STREAM_CRYPTO_METHOD_TLSv1_0:
-			return TLS1_VERSION;
-		case STREAM_CRYPTO_METHOD_TLSv1_1:
-			return TLS1_1_VERSION;
-                case STREAM_CRYPTO_METHOD_TLSv1_2:
-                        return TLS1_2_VERSION;
-		/* case STREAM_CRYPTO_METHOD_TLSv1_3: */
-#ifdef HAVE_TLS13
 		default:
-			return TLS1_3_VERSION;
-#endif
-
+			return TLS1_2_VERSION;
 	}
 }
 /* }}} */