PHP  
 PHP: Test and Code Coverage Analysis
downloads | QA | documentation | faq | getting help | mailing lists | reporting bugs | php.net sites | links | my php.net 
 

LCOV - code coverage report
Current view: top level - ext/openssl - xp_ssl.c (source / functions) Hit Total Coverage
Test: PHP Code Coverage Lines: 660 923 71.5 %
Date: 2015-04-30 Functions: 40 44 90.9 %
Legend: Lines: hit not hit

          Line data    Source code
       1             : /*
       2             :   +----------------------------------------------------------------------+
       3             :   | PHP Version 7                                                        |
       4             :   +----------------------------------------------------------------------+
       5             :   | Copyright (c) 1997-2015 The PHP Group                                |
       6             :   +----------------------------------------------------------------------+
       7             :   | This source file is subject to version 3.01 of the PHP license,      |
       8             :   | that is bundled with this package in the file LICENSE, and is        |
       9             :   | available through the world-wide-web at the following url:           |
      10             :   | http://www.php.net/license/3_01.txt                                  |
      11             :   | If you did not receive a copy of the PHP license and are unable to   |
      12             :   | obtain it through the world-wide-web, please send a note to          |
      13             :   | license@php.net so we can mail you a copy immediately.               |
      14             :   +----------------------------------------------------------------------+
      15             :   | Authors: Wez Furlong <wez@thebrainroom.com>                          |
      16             :   |          Daniel Lowrey <rdlowrey@php.net>                            |
      17             :   |          Chris Wright <daverandom@php.net>                           |
      18             :   +----------------------------------------------------------------------+
      19             : */
      20             : 
      21             : /* $Id$ */
      22             : 
      23             : #ifdef HAVE_CONFIG_H
      24             : #include "config.h"
      25             : #endif
      26             : 
      27             : #include "php.h"
      28             : #include "ext/standard/file.h"
      29             : #include "ext/standard/url.h"
      30             : #include "streams/php_streams_int.h"
      31             : #include "zend_smart_str.h"
      32             : #include "php_openssl.h"
      33             : #include "php_network.h"
      34             : #include <openssl/ssl.h>
      35             : #include <openssl/x509.h>
      36             : #include <openssl/x509v3.h>
      37             : #include <openssl/err.h>
      38             : 
      39             : #ifdef PHP_WIN32
      40             : #include "win32/winutil.h"
      41             : #include "win32/time.h"
      42             : #include <Wincrypt.h>
      43             : /* These are from Wincrypt.h, they conflict with OpenSSL */
      44             : #undef X509_NAME
      45             : #undef X509_CERT_PAIR
      46             : #undef X509_EXTENSIONS
      47             : #endif
      48             : 
      49             : #ifdef NETWARE
      50             : #include <sys/select.h>
      51             : #endif
      52             : 
      53             : #if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x0090800fL
      54             : #define HAVE_ECDH 1
      55             : #endif
      56             : 
      57             : #if OPENSSL_VERSION_NUMBER >= 0x00908070L && !defined(OPENSSL_NO_TLSEXT)
      58             : #define HAVE_SNI 1
      59             : #endif
      60             : 
      61             : /* Flags for determining allowed stream crypto methods */
      62             : #define STREAM_CRYPTO_IS_CLIENT            (1<<0)
      63             : #define STREAM_CRYPTO_METHOD_SSLv2         (1<<1)
      64             : #define STREAM_CRYPTO_METHOD_SSLv3         (1<<2)
      65             : #define STREAM_CRYPTO_METHOD_TLSv1_0       (1<<3)
      66             : #define STREAM_CRYPTO_METHOD_TLSv1_1       (1<<4)
      67             : #define STREAM_CRYPTO_METHOD_TLSv1_2       (1<<5)
      68             : 
      69             : /* Simplify ssl context option retrieval */
      70             : #define GET_VER_OPT(name)               (PHP_STREAM_CONTEXT(stream) && (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", name)) != NULL)
      71             : #define GET_VER_OPT_STRING(name, str)   if (GET_VER_OPT(name)) { convert_to_string_ex(val); str = Z_STRVAL_P(val); }
      72             : #define GET_VER_OPT_LONG(name, num)     if (GET_VER_OPT(name)) { convert_to_long_ex(val); num = Z_LVAL_P(val); }
      73             : 
      74             : /* Used for peer verification in windows */
      75             : #define PHP_X509_NAME_ENTRY_TO_UTF8(ne, i, out) ASN1_STRING_to_UTF8(&out, X509_NAME_ENTRY_get_data(X509_NAME_get_entry(ne, i)))
      76             : 
      77             : extern php_stream* php_openssl_get_stream_from_ssl_handle(const SSL *ssl);
      78             : extern zend_string* php_openssl_x509_fingerprint(X509 *peer, const char *method, zend_bool raw);
      79             : extern int php_openssl_get_ssl_stream_data_index();
      80             : extern int php_openssl_get_x509_list_id(void);
      81             : static struct timeval subtract_timeval( struct timeval a, struct timeval b );
      82             : static int compare_timeval( struct timeval a, struct timeval b );
      83             : static size_t php_openssl_sockop_io(int read, php_stream *stream, char *buf, size_t count);
      84             : 
      85             : php_stream_ops php_openssl_socket_ops;
      86             : 
      87             : /* Certificate contexts used for server-side SNI selection */
      88             : typedef struct _php_openssl_sni_cert_t {
      89             :         char *name;
      90             :         SSL_CTX *ctx;
      91             : } php_openssl_sni_cert_t;
      92             : 
      93             : /* Provides leaky bucket handhsake renegotiation rate-limiting  */
      94             : typedef struct _php_openssl_handshake_bucket_t {
      95             :         zend_long prev_handshake;
      96             :         zend_long limit;
      97             :         zend_long window;
      98             :         float tokens;
      99             :         unsigned should_close;
     100             : } php_openssl_handshake_bucket_t;
     101             : 
     102             : /* This implementation is very closely tied to the that of the native
     103             :  * sockets implemented in the core.
     104             :  * Don't try this technique in other extensions!
     105             :  * */
     106             : typedef struct _php_openssl_netstream_data_t {
     107             :         php_netstream_data_t s;
     108             :         SSL *ssl_handle;
     109             :         SSL_CTX *ctx;
     110             :         struct timeval connect_timeout;
     111             :         int enable_on_connect;
     112             :         int is_client;
     113             :         int ssl_active;
     114             :         php_stream_xport_crypt_method_t method;
     115             :         php_openssl_handshake_bucket_t *reneg;
     116             :         php_openssl_sni_cert_t *sni_certs;
     117             :         unsigned sni_cert_count;
     118             :         char *url_name;
     119             :         unsigned state_set:1;
     120             :         unsigned _spare:31;
     121             : } php_openssl_netstream_data_t;
     122             : 
     123             : /* it doesn't matter that we do some hash traversal here, since it is done only
     124             :  * in an error condition arising from a network connection problem */
     125          45 : static int is_http_stream_talking_to_iis(php_stream *stream) /* {{{ */
     126             : {
     127          90 :         if (Z_TYPE(stream->wrapperdata) == IS_ARRAY && stream->wrapper && strcasecmp(stream->wrapper->wops->label, "HTTP") == 0) {
     128             :                 /* the wrapperdata is an array zval containing the headers */
     129             :                 zval *tmp;
     130             : 
     131             : #define SERVER_MICROSOFT_IIS    "Server: Microsoft-IIS"
     132             : #define SERVER_GOOGLE "Server: GFE/"
     133             : 
     134           0 :                 ZEND_HASH_FOREACH_VAL(Z_ARRVAL(stream->wrapperdata), tmp) {
     135           0 :                         if (strncasecmp(Z_STRVAL_P(tmp), SERVER_MICROSOFT_IIS, sizeof(SERVER_MICROSOFT_IIS)-1) == 0) {
     136           0 :                                 return 1;
     137           0 :                         } else if (strncasecmp(Z_STRVAL_P(tmp), SERVER_GOOGLE, sizeof(SERVER_GOOGLE)-1) == 0) {
     138           0 :                                 return 1;
     139             :                         }
     140             :                 } ZEND_HASH_FOREACH_END();
     141             :         }
     142          45 :         return 0;
     143             : }
     144             : /* }}} */
     145             : 
     146         165 : static int handle_ssl_error(php_stream *stream, int nr_bytes, zend_bool is_init) /* {{{ */
     147             : {
     148         165 :         php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
     149         165 :         int err = SSL_get_error(sslsock->ssl_handle, nr_bytes);
     150             :         char esbuf[512];
     151         165 :         smart_str ebuf = {0};
     152             :         unsigned long ecode;
     153         165 :         int retry = 1;
     154             : 
     155         165 :         switch(err) {
     156             :                 case SSL_ERROR_ZERO_RETURN:
     157             :                         /* SSL terminated (but socket may still be active) */
     158           6 :                         retry = 0;
     159           6 :                         break;
     160             :                 case SSL_ERROR_WANT_READ:
     161             :                 case SSL_ERROR_WANT_WRITE:
     162             :                         /* re-negotiation, or perhaps the SSL layer needs more
     163             :                          * packets: retry in next iteration */
     164         108 :                         errno = EAGAIN;
     165         108 :                         retry = is_init ? 1 : sslsock->s.is_blocked;
     166         108 :                         break;
     167             :                 case SSL_ERROR_SYSCALL:
     168          45 :                         if (ERR_peek_error() == 0) {
     169          45 :                                 if (nr_bytes == 0) {
     170          45 :                                         if (!is_http_stream_talking_to_iis(stream) && ERR_get_error() != 0) {
     171           0 :                                                 php_error_docref(NULL, E_WARNING,
     172             :                                                                 "SSL: fatal protocol error");
     173             :                                         }
     174          45 :                                         SSL_set_shutdown(sslsock->ssl_handle, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
     175          45 :                                         stream->eof = 1;
     176          45 :                                         retry = 0;
     177             :                                 } else {
     178           0 :                                         char *estr = php_socket_strerror(php_socket_errno(), NULL, 0);
     179             : 
     180           0 :                                         php_error_docref(NULL, E_WARNING,
     181             :                                                         "SSL: %s", estr);
     182             : 
     183           0 :                                         efree(estr);
     184           0 :                                         retry = 0;
     185             :                                 }
     186          45 :                                 break;
     187             :                         }
     188             : 
     189             : 
     190             :                         /* fall through */
     191             :                 default:
     192             :                         /* some other error */
     193           6 :                         ecode = ERR_get_error();
     194             : 
     195           6 :                         switch (ERR_GET_REASON(ecode)) {
     196             :                                 case SSL_R_NO_SHARED_CIPHER:
     197           0 :                                         php_error_docref(NULL, E_WARNING, "SSL_R_NO_SHARED_CIPHER: no suitable shared cipher could be used.  This could be because the server is missing an SSL certificate (local_cert context option)");
     198           0 :                                         retry = 0;
     199           0 :                                         break;
     200             : 
     201             :                                 default:
     202             :                                         do {
     203             :                                                 /* NULL is automatically added */
     204           6 :                                                 ERR_error_string_n(ecode, esbuf, sizeof(esbuf));
     205           6 :                                                 if (ebuf.s) {
     206             :                                                         smart_str_appendc(&ebuf, '\n');
     207             :                                                 }
     208           6 :                                                 smart_str_appends(&ebuf, esbuf);
     209           6 :                                         } while ((ecode = ERR_get_error()) != 0);
     210             : 
     211             :                                         smart_str_0(&ebuf);
     212             : 
     213          18 :                                         php_error_docref(NULL, E_WARNING,
     214             :                                                         "SSL operation failed with code %d. %s%s",
     215             :                                                         err,
     216           6 :                                                         ebuf.s ? "OpenSSL Error messages:\n" : "",
     217          12 :                                                         ebuf.s ? ebuf.s->val : "");
     218           6 :                                         if (ebuf.s) {
     219             :                                                 smart_str_free(&ebuf);
     220             :                                         }
     221             :                         }
     222             : 
     223           6 :                         retry = 0;
     224           6 :                         errno = 0;
     225             :         }
     226         165 :         return retry;
     227             : }
     228             : /* }}} */
     229             : 
     230           6 : static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) /* {{{ */
     231             : {
     232             :         php_stream *stream;
     233             :         SSL *ssl;
     234             :         int err, depth, ret;
     235             :         zval *val;
     236           6 :         zend_ulong allowed_depth = OPENSSL_DEFAULT_STREAM_VERIFY_DEPTH;
     237             : 
     238             : 
     239           6 :         ret = preverify_ok;
     240             : 
     241             :         /* determine the status for the current cert */
     242           6 :         err = X509_STORE_CTX_get_error(ctx);
     243           6 :         depth = X509_STORE_CTX_get_error_depth(ctx);
     244             : 
     245             :         /* conjure the stream & context to use */
     246           6 :         ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
     247           6 :         stream = (php_stream*)SSL_get_ex_data(ssl, php_openssl_get_ssl_stream_data_index());
     248             : 
     249             :         /* if allow_self_signed is set, make sure that verification succeeds */
     250           6 :         if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT &&
     251           0 :                 GET_VER_OPT("allow_self_signed") &&
     252             :                 zend_is_true(val)
     253           0 :         ) {
     254           0 :                 ret = 1;
     255             :         }
     256             : 
     257             :         /* check the depth */
     258           6 :         GET_VER_OPT_LONG("verify_depth", allowed_depth);
     259           6 :         if ((zend_ulong)depth > allowed_depth) {
     260           0 :                 ret = 0;
     261           0 :                 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_CHAIN_TOO_LONG);
     262             :         }
     263             : 
     264           6 :         return ret;
     265             : }
     266             : /* }}} */
     267             : 
     268           0 : static int php_x509_fingerprint_cmp(X509 *peer, const char *method, const char *expected)
     269             : {
     270             :         zend_string *fingerprint;
     271           0 :         int result = -1;
     272             : 
     273           0 :         fingerprint = php_openssl_x509_fingerprint(peer, method, 0);
     274           0 :         if (fingerprint) {
     275           0 :                 result = strcmp(expected, fingerprint->val);
     276             :                 zend_string_release(fingerprint);
     277             :         }
     278             : 
     279           0 :         return result;
     280             : }
     281             : 
     282           0 : static zend_bool php_x509_fingerprint_match(X509 *peer, zval *val)
     283             : {
     284           0 :         if (Z_TYPE_P(val) == IS_STRING) {
     285           0 :                 const char *method = NULL;
     286             : 
     287           0 :                 switch (Z_STRLEN_P(val)) {
     288             :                         case 32:
     289           0 :                                 method = "md5";
     290           0 :                                 break;
     291             : 
     292             :                         case 40:
     293           0 :                                 method = "sha1";
     294             :                                 break;
     295             :                 }
     296             : 
     297           0 :                 return method && php_x509_fingerprint_cmp(peer, method, Z_STRVAL_P(val)) == 0;
     298           0 :         } else if (Z_TYPE_P(val) == IS_ARRAY) {
     299             :                 zval *current;
     300             :                 zend_string *key;
     301             : 
     302           0 :                 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(val), key, current) {
     303           0 :                         if (key && Z_TYPE_P(current) == IS_STRING
     304           0 :                                 && php_x509_fingerprint_cmp(peer, key->val, Z_STRVAL_P(current)) != 0
     305             :                         ) {
     306           0 :                                 return 0;
     307             :                         }
     308             :                 } ZEND_HASH_FOREACH_END();
     309           0 :                 return 1;
     310             :         }
     311           0 :         return 0;
     312             : }
     313             : 
     314          15 : static zend_bool matches_wildcard_name(const char *subjectname, const char *certname) /* {{{ */
     315             : {
     316          15 :         char *wildcard = NULL;
     317             :         ptrdiff_t prefix_len;
     318             :         size_t suffix_len, subject_len;
     319             : 
     320          15 :         if (strcasecmp(subjectname, certname) == 0) {
     321          11 :                 return 1;
     322             :         }
     323             : 
     324             :         /* wildcard, if present, must only be present in the left-most component */
     325           4 :         if (!(wildcard = strchr(certname, '*')) || memchr(certname, '.', wildcard - certname)) {
     326           3 :                 return 0;
     327             :         }
     328             : 
     329             :         /* 1) prefix, if not empty, must match subject */
     330           1 :         prefix_len = wildcard - certname;
     331           1 :         if (prefix_len && strncasecmp(subjectname, certname, prefix_len) != 0) {
     332           0 :                 return 0;
     333             :         }
     334             : 
     335           1 :         suffix_len = strlen(wildcard + 1);
     336           1 :         subject_len = strlen(subjectname);
     337           1 :         if (suffix_len <= subject_len) {
     338             :                 /* 2) suffix must match
     339             :                  * 3) no . between prefix and suffix
     340             :                  **/
     341           2 :                 return strcasecmp(wildcard + 1, subjectname + subject_len - suffix_len) == 0 &&
     342           1 :                         memchr(subjectname + prefix_len, '.', subject_len - suffix_len - prefix_len) == NULL;
     343             :         }
     344             : 
     345           0 :         return 0;
     346             : }
     347             : /* }}} */
     348             : 
     349           9 : static zend_bool matches_san_list(X509 *peer, const char *subject_name) /* {{{ */
     350             : {
     351             :         int i, san_name_len;
     352           9 :         zend_bool is_match = 0;
     353           9 :         unsigned char *cert_name = NULL;
     354             : 
     355           9 :         GENERAL_NAMES *alt_names = X509_get_ext_d2i(peer, NID_subject_alt_name, 0, 0);
     356           9 :         int alt_name_count = sk_GENERAL_NAME_num(alt_names);
     357             : 
     358           9 :         for (i = 0; i < alt_name_count; i++) {
     359           6 :                 GENERAL_NAME *san = sk_GENERAL_NAME_value(alt_names, i);
     360           6 :                 if (san->type != GEN_DNS) {
     361             :                         /* we only care about DNS names */
     362           0 :                         continue;
     363             :                 }
     364             : 
     365           6 :                 san_name_len = ASN1_STRING_length(san->d.dNSName);
     366           6 :                 ASN1_STRING_to_UTF8(&cert_name, san->d.dNSName);
     367             : 
     368             :                 /* prevent null byte poisoning */
     369           6 :                 if (san_name_len != strlen((const char*)cert_name)) {
     370           0 :                         php_error_docref(NULL, E_WARNING, "Peer SAN entry is malformed");
     371             :                 } else {
     372           6 :                         is_match = matches_wildcard_name(subject_name, (const char *)cert_name);
     373             :                 }
     374             : 
     375           6 :                 OPENSSL_free(cert_name);
     376             : 
     377           6 :                 if (is_match) {
     378           6 :                         break;
     379             :                 }
     380             :         }
     381             : 
     382           9 :         return is_match;
     383             : }
     384             : /* }}} */
     385             : 
     386           3 : static zend_bool matches_common_name(X509 *peer, const char *subject_name) /* {{{ */
     387             : {
     388             :         char buf[1024];
     389             :         X509_NAME *cert_name;
     390           3 :         zend_bool is_match = 0;
     391             :         int cert_name_len;
     392             : 
     393           3 :         cert_name = X509_get_subject_name(peer);
     394           3 :         cert_name_len = X509_NAME_get_text_by_NID(cert_name, NID_commonName, buf, sizeof(buf));
     395             : 
     396           3 :         if (cert_name_len == -1) {
     397           0 :                 php_error_docref(NULL, E_WARNING, "Unable to locate peer certificate CN");
     398           3 :         } else if (cert_name_len != strlen(buf)) {
     399           0 :                 php_error_docref(NULL, E_WARNING, "Peer certificate CN=`%.*s' is malformed", cert_name_len, buf);
     400           3 :         } else if (matches_wildcard_name(subject_name, buf)) {
     401           3 :                 is_match = 1;
     402             :         } else {
     403           0 :                 php_error_docref(NULL, E_WARNING, "Peer certificate CN=`%.*s' did not match expected CN=`%s'", cert_name_len, buf, subject_name);
     404             :         }
     405             : 
     406           3 :         return is_match;
     407             : }
     408             : /* }}} */
     409             : 
     410          24 : static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stream) /* {{{ */
     411             : {
     412          24 :         zval *val = NULL;
     413          24 :         char *peer_name = NULL;
     414             :         int err,
     415             :                 must_verify_peer,
     416             :                 must_verify_peer_name,
     417             :                 must_verify_fingerprint,
     418             :                 has_cnmatch_ctx_opt;
     419             : 
     420          24 :         php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
     421             : 
     422          39 :         must_verify_peer = GET_VER_OPT("verify_peer")
     423          15 :                 ? zend_is_true(val)
     424             :                 : sslsock->is_client;
     425             : 
     426          24 :         has_cnmatch_ctx_opt = GET_VER_OPT("CN_match");
     427          33 :         must_verify_peer_name = (has_cnmatch_ctx_opt || GET_VER_OPT("verify_peer_name"))
     428           9 :                 ? zend_is_true(val)
     429             :                 : sslsock->is_client;
     430             : 
     431          24 :         must_verify_fingerprint = (GET_VER_OPT("peer_fingerprint") && zend_is_true(val));
     432             : 
     433          24 :         if ((must_verify_peer || must_verify_peer_name || must_verify_fingerprint) && peer == NULL) {
     434           0 :                 php_error_docref(NULL, E_WARNING, "Could not get peer certificate");
     435           0 :                 return FAILURE;
     436             :         }
     437             : 
     438             :         /* Verify the peer against using CA file/path settings */
     439          24 :         if (must_verify_peer) {
     440           3 :                 err = SSL_get_verify_result(ssl);
     441           3 :                 switch (err) {
     442             :                         case X509_V_OK:
     443             :                                 /* fine */
     444           3 :                                 break;
     445             :                         case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
     446           0 :                                 if (GET_VER_OPT("allow_self_signed") && zend_is_true(val)) {
     447             :                                         /* allowed */
     448           0 :                                         break;
     449             :                                 }
     450             :                                 /* not allowed, so fall through */
     451             :                         default:
     452           0 :                                 php_error_docref(NULL, E_WARNING,
     453             :                                                 "Could not verify peer: code:%d %s",
     454             :                                                 err,
     455             :                                                 X509_verify_cert_error_string(err)
     456             :                                 );
     457           0 :                                 return FAILURE;
     458             :                 }
     459             :         }
     460             : 
     461             :         /* If a peer_fingerprint match is required this trumps peer and peer_name verification */
     462          24 :         if (must_verify_fingerprint) {
     463           0 :                 if (Z_TYPE_P(val) == IS_STRING || Z_TYPE_P(val) == IS_ARRAY) {
     464           0 :                         if (!php_x509_fingerprint_match(peer, val)) {
     465           0 :                                 php_error_docref(NULL, E_WARNING,
     466             :                                         "Peer fingerprint doesn't match"
     467             :                                 );
     468           0 :                                 return FAILURE;
     469             :                         }
     470             :                 } else {
     471           0 :                         php_error_docref(NULL, E_WARNING,
     472             :                                 "Expected peer fingerprint must be a string or an array"
     473             :                         );
     474             :                 }
     475             :         }
     476             : 
     477             :         /* verify the host name presented in the peer certificate */
     478          24 :         if (must_verify_peer_name) {
     479          18 :                 GET_VER_OPT_STRING("peer_name", peer_name);
     480             : 
     481           9 :                 if (has_cnmatch_ctx_opt) {
     482           0 :                         GET_VER_OPT_STRING("CN_match", peer_name);
     483           0 :                         php_error(E_DEPRECATED,
     484             :                                 "the 'CN_match' SSL context option is deprecated in favor of 'peer_name'"
     485             :                         );
     486             :                 }
     487             :                 /* If no peer name was specified we use the autodetected url name in client environments */
     488           9 :                 if (peer_name == NULL && sslsock->is_client) {
     489           0 :                         peer_name = sslsock->url_name;
     490             :                 }
     491             : 
     492           9 :                 if (peer_name) {
     493           9 :                         if (matches_san_list(peer, peer_name)) {
     494           6 :                                 return SUCCESS;
     495           3 :                         } else if (matches_common_name(peer, peer_name)) {
     496           3 :                                 return SUCCESS;
     497             :                         } else {
     498           0 :                                 return FAILURE;
     499             :                         }
     500             :                 } else {
     501           0 :                         return FAILURE;
     502             :                 }
     503             :         }
     504             : 
     505          15 :         return SUCCESS;
     506             : }
     507             : /* }}} */
     508             : 
     509           1 : static int passwd_callback(char *buf, int num, int verify, void *data) /* {{{ */
     510             : {
     511           1 :         php_stream *stream = (php_stream *)data;
     512           1 :         zval *val = NULL;
     513           1 :         char *passphrase = NULL;
     514             :         /* TODO: could expand this to make a callback into PHP user-space */
     515             : 
     516           2 :         GET_VER_OPT_STRING("passphrase", passphrase);
     517             : 
     518           1 :         if (passphrase) {
     519           1 :                 if (Z_STRLEN_P(val) < num - 1) {
     520           1 :                         memcpy(buf, Z_STRVAL_P(val), Z_STRLEN_P(val)+1);
     521           1 :                         return (int)Z_STRLEN_P(val);
     522             :                 }
     523             :         }
     524           0 :         return 0;
     525             : }
     526             : /* }}} */
     527             : 
     528             : #if defined(PHP_WIN32) && OPENSSL_VERSION_NUMBER >= 0x00907000L
     529             : #define RETURN_CERT_VERIFY_FAILURE(code) X509_STORE_CTX_set_error(x509_store_ctx, code); return 0;
     530             : static int win_cert_verify_callback(X509_STORE_CTX *x509_store_ctx, void *arg) /* {{{ */
     531             : {
     532             :         PCCERT_CONTEXT cert_ctx = NULL;
     533             :         PCCERT_CHAIN_CONTEXT cert_chain_ctx = NULL;
     534             : 
     535             :         php_stream *stream;
     536             :         php_openssl_netstream_data_t *sslsock;
     537             :         zval *val;
     538             :         zend_bool is_self_signed = 0;
     539             : 
     540             : 
     541             :         stream = (php_stream*)arg;
     542             :         sslsock = (php_openssl_netstream_data_t*)stream->abstract;
     543             : 
     544             :         { /* First convert the x509 struct back to a DER encoded buffer and let Windows decode it into a form it can work with */
     545             :                 unsigned char *der_buf = NULL;
     546             :                 int der_len;
     547             : 
     548             :                 der_len = i2d_X509(x509_store_ctx->cert, &der_buf);
     549             :                 if (der_len < 0) {
     550             :                         unsigned long err_code, e;
     551             :                         char err_buf[512];
     552             : 
     553             :                         while ((e = ERR_get_error()) != 0) {
     554             :                                 err_code = e;
     555             :                         }
     556             : 
     557             :                         php_error_docref(NULL, E_WARNING, "Error encoding X509 certificate: %d: %s", err_code, ERR_error_string(err_code, err_buf));
     558             :                         RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED);
     559             :                 }
     560             : 
     561             :                 cert_ctx = CertCreateCertificateContext(X509_ASN_ENCODING, der_buf, der_len);
     562             :                 OPENSSL_free(der_buf);
     563             : 
     564             :                 if (cert_ctx == NULL) {
     565             :                         php_error_docref(NULL, E_WARNING, "Error creating certificate context: %s", php_win_err());
     566             :                         RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED);
     567             :                 }
     568             :         }
     569             : 
     570             :         { /* Next fetch the relevant cert chain from the store */
     571             :                 CERT_ENHKEY_USAGE enhkey_usage = {0};
     572             :                 CERT_USAGE_MATCH cert_usage = {0};
     573             :                 CERT_CHAIN_PARA chain_params = {sizeof(CERT_CHAIN_PARA)};
     574             :                 LPSTR usages[] = {szOID_PKIX_KP_SERVER_AUTH, szOID_SERVER_GATED_CRYPTO, szOID_SGC_NETSCAPE};
     575             :                 DWORD chain_flags = 0;
     576             :                 unsigned long allowed_depth = OPENSSL_DEFAULT_STREAM_VERIFY_DEPTH;
     577             :                 unsigned int i;
     578             : 
     579             :                 enhkey_usage.cUsageIdentifier = 3;
     580             :                 enhkey_usage.rgpszUsageIdentifier = usages;
     581             :                 cert_usage.dwType = USAGE_MATCH_TYPE_OR;
     582             :                 cert_usage.Usage = enhkey_usage;
     583             :                 chain_params.RequestedUsage = cert_usage;
     584             :                 chain_flags = CERT_CHAIN_CACHE_END_CERT | CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
     585             : 
     586             :                 if (!CertGetCertificateChain(NULL, cert_ctx, NULL, NULL, &chain_params, chain_flags, NULL, &cert_chain_ctx)) {
     587             :                         php_error_docref(NULL, E_WARNING, "Error getting certificate chain: %s", php_win_err());
     588             :                         CertFreeCertificateContext(cert_ctx);
     589             :                         RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED);
     590             :                 }
     591             : 
     592             :                 /* check if the cert is self-signed */
     593             :                 if (cert_chain_ctx->cChain > 0 && cert_chain_ctx->rgpChain[0]->cElement > 0
     594             :                         && (cert_chain_ctx->rgpChain[0]->rgpElement[0]->TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED) != 0) {
     595             :                         is_self_signed = 1;
     596             :                 }
     597             : 
     598             :                 /* check the depth */
     599             :                 GET_VER_OPT_LONG("verify_depth", allowed_depth);
     600             : 
     601             :                 for (i = 0; i < cert_chain_ctx->cChain; i++) {
     602             :                         if (cert_chain_ctx->rgpChain[i]->cElement > allowed_depth) {
     603             :                                 CertFreeCertificateChain(cert_chain_ctx);
     604             :                                 CertFreeCertificateContext(cert_ctx);
     605             :                                 RETURN_CERT_VERIFY_FAILURE(X509_V_ERR_CERT_CHAIN_TOO_LONG);
     606             :                         }
     607             :                 }
     608             :         }
     609             : 
     610             :         { /* Then verify it against a policy */
     611             :                 SSL_EXTRA_CERT_CHAIN_POLICY_PARA ssl_policy_params = {sizeof(SSL_EXTRA_CERT_CHAIN_POLICY_PARA)};
     612             :                 CERT_CHAIN_POLICY_PARA chain_policy_params = {sizeof(CERT_CHAIN_POLICY_PARA)};
     613             :                 CERT_CHAIN_POLICY_STATUS chain_policy_status = {sizeof(CERT_CHAIN_POLICY_STATUS)};
     614             :                 LPWSTR server_name = NULL;
     615             :                 BOOL verify_result;
     616             : 
     617             :                 { /* This looks ridiculous and it is - but we validate the name ourselves using the peer_name
     618             :                      ctx option, so just use the CN from the cert here */
     619             : 
     620             :                         X509_NAME *cert_name;
     621             :                         unsigned char *cert_name_utf8;
     622             :                         int index, cert_name_utf8_len;
     623             :                         DWORD num_wchars;
     624             : 
     625             :                         cert_name = X509_get_subject_name(x509_store_ctx->cert);
     626             :                         index = X509_NAME_get_index_by_NID(cert_name, NID_commonName, -1);
     627             :                         if (index < 0) {
     628             :                                 php_error_docref(NULL, E_WARNING, "Unable to locate certificate CN");
     629             :                                 CertFreeCertificateChain(cert_chain_ctx);
     630             :                                 CertFreeCertificateContext(cert_ctx);
     631             :                                 RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED);
     632             :                         }
     633             : 
     634             :                         cert_name_utf8_len = PHP_X509_NAME_ENTRY_TO_UTF8(cert_name, index, cert_name_utf8);
     635             : 
     636             :                         num_wchars = MultiByteToWideChar(CP_UTF8, 0, (char*)cert_name_utf8, -1, NULL, 0);
     637             :                         if (num_wchars == 0) {
     638             :                                 php_error_docref(NULL, E_WARNING, "Unable to convert %s to wide character string", cert_name_utf8);
     639             :                                 OPENSSL_free(cert_name_utf8);
     640             :                                 CertFreeCertificateChain(cert_chain_ctx);
     641             :                                 CertFreeCertificateContext(cert_ctx);
     642             :                                 RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED);
     643             :                         }
     644             : 
     645             :                         server_name = emalloc((num_wchars * sizeof(WCHAR)) + sizeof(WCHAR));
     646             : 
     647             :                         num_wchars = MultiByteToWideChar(CP_UTF8, 0, (char*)cert_name_utf8, -1, server_name, num_wchars);
     648             :                         if (num_wchars == 0) {
     649             :                                 php_error_docref(NULL, E_WARNING, "Unable to convert %s to wide character string", cert_name_utf8);
     650             :                                 efree(server_name);
     651             :                                 OPENSSL_free(cert_name_utf8);
     652             :                                 CertFreeCertificateChain(cert_chain_ctx);
     653             :                                 CertFreeCertificateContext(cert_ctx);
     654             :                                 RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED);
     655             :                         }
     656             : 
     657             :                         OPENSSL_free(cert_name_utf8);
     658             :                 }
     659             : 
     660             :                 ssl_policy_params.dwAuthType = (sslsock->is_client) ? AUTHTYPE_SERVER : AUTHTYPE_CLIENT;
     661             :                 ssl_policy_params.pwszServerName = server_name;
     662             :                 chain_policy_params.pvExtraPolicyPara = &ssl_policy_params;
     663             : 
     664             :                 verify_result = CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, cert_chain_ctx, &chain_policy_params, &chain_policy_status);
     665             : 
     666             :                 efree(server_name);
     667             :                 CertFreeCertificateChain(cert_chain_ctx);
     668             :                 CertFreeCertificateContext(cert_ctx);
     669             : 
     670             :                 if (!verify_result) {
     671             :                         php_error_docref(NULL, E_WARNING, "Error verifying certificate chain policy: %s", php_win_err());
     672             :                         RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED);
     673             :                 }
     674             : 
     675             :                 if (chain_policy_status.dwError != 0) {
     676             :                         /* The chain does not match the policy */
     677             :                         if (is_self_signed && chain_policy_status.dwError == CERT_E_UNTRUSTEDROOT
     678             :                                 && GET_VER_OPT("allow_self_signed") && zend_is_true(val)) {
     679             :                                 /* allow self-signed certs */
     680             :                                 X509_STORE_CTX_set_error(x509_store_ctx, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
     681             :                         } else {
     682             :                                 RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED);
     683             :                         }
     684             :                 }
     685             :         }
     686             : 
     687             :         return 1;
     688             : }
     689             : /* }}} */
     690             : #endif
     691             : 
     692           3 : static long load_stream_cafile(X509_STORE *cert_store, const char *cafile) /* {{{ */
     693             : {
     694             :         php_stream *stream;
     695             :         X509 *cert;
     696             :         BIO *buffer;
     697           3 :         int buffer_active = 0;
     698           3 :         char *line = NULL;
     699             :         size_t line_len;
     700           3 :         long certs_added = 0;
     701             : 
     702           3 :         stream = php_stream_open_wrapper(cafile, "rb", 0, NULL);
     703             : 
     704           3 :         if (stream == NULL) {
     705           0 :                 php_error(E_WARNING, "failed loading cafile stream: `%s'", cafile);
     706           0 :                 return 0;
     707           3 :         } else if (stream->wrapper->is_url) {
     708           1 :                 php_stream_close(stream);
     709           1 :                 php_error(E_WARNING, "remote cafile streams are disabled for security purposes");
     710           1 :                 return 0;
     711             :         }
     712             : 
     713             :         cert_start: {
     714           4 :                 line = php_stream_get_line(stream, NULL, 0, &line_len);
     715           4 :                 if (line == NULL) {
     716           2 :                         goto stream_complete;
     717           2 :                 } else if (!strcmp(line, "-----BEGIN CERTIFICATE-----\n") ||
     718           0 :                         !strcmp(line, "-----BEGIN CERTIFICATE-----\r\n")
     719             :                 ) {
     720           2 :                         buffer = BIO_new(BIO_s_mem());
     721           2 :                         buffer_active = 1;
     722           2 :                         goto cert_line;
     723             :                 } else {
     724           0 :                         efree(line);
     725           0 :                         goto cert_start;
     726             :                 }
     727             :         }
     728             : 
     729             :         cert_line: {
     730          82 :                 BIO_puts(buffer, line);
     731          82 :                 efree(line);
     732          82 :                 line = php_stream_get_line(stream, NULL, 0, &line_len);
     733          82 :                 if (line == NULL) {
     734           0 :                         goto stream_complete;
     735         244 :                 } else if (!strcmp(line, "-----END CERTIFICATE-----") ||
     736          82 :                         !strcmp(line, "-----END CERTIFICATE-----\n") ||
     737          80 :                         !strcmp(line, "-----END CERTIFICATE-----\r\n")
     738             :                 ) {
     739             :                         goto add_cert;
     740             :                 } else {
     741             :                         goto cert_line;
     742             :                 }
     743             :         }
     744             : 
     745             :         add_cert: {
     746           2 :                 BIO_puts(buffer, line);
     747           2 :                 efree(line);
     748           2 :                 cert = PEM_read_bio_X509(buffer, NULL, 0, NULL);
     749           2 :                 BIO_free(buffer);
     750           2 :                 buffer_active = 0;
     751           2 :                 if (cert && X509_STORE_add_cert(cert_store, cert)) {
     752           2 :                         ++certs_added;
     753             :                 }
     754           2 :                 goto cert_start;
     755             :         }
     756             : 
     757             :         stream_complete: {
     758           2 :                 php_stream_close(stream);
     759           2 :                 if (buffer_active == 1) {
     760           0 :                         BIO_free(buffer);
     761             :                 }
     762             :         }
     763             : 
     764           2 :         if (certs_added == 0) {
     765           0 :                 php_error(E_WARNING, "no valid certs found cafile stream: `%s'", cafile);
     766             :         }
     767             : 
     768           2 :         return certs_added;
     769             : }
     770             : /* }}} */
     771             : 
     772          94 : static int enable_peer_verification(SSL_CTX *ctx, php_stream *stream) /* {{{ */
     773             : {
     774          94 :         zval *val = NULL;
     775          94 :         char *cafile = NULL;
     776          94 :         char *capath = NULL;
     777             : 
     778         127 :         GET_VER_OPT_STRING("cafile", cafile);
     779          94 :         GET_VER_OPT_STRING("capath", capath);
     780             : 
     781          94 :         if (!cafile) {
     782          61 :                 cafile = zend_ini_string("openssl.cafile", sizeof("openssl.cafile")-1, 0);
     783          61 :                 cafile = strlen(cafile) ? cafile : NULL;
     784             :         }
     785             : 
     786          94 :         if (!capath) {
     787          94 :                 capath = zend_ini_string("openssl.capath", sizeof("openssl.capath")-1, 0);
     788          94 :                 capath = strlen(capath) ? capath : NULL;
     789             :         }
     790             : 
     791         126 :         if (cafile || capath) {
     792          33 :                 if (!SSL_CTX_load_verify_locations(ctx, cafile, capath)) {
     793           3 :                         if (cafile && !load_stream_cafile(SSL_CTX_get_cert_store(ctx), cafile)) {
     794           1 :                                 return FAILURE;
     795             :                         }
     796             :                 }
     797             :         } else {
     798             : #if defined(PHP_WIN32) && OPENSSL_VERSION_NUMBER >= 0x00907000L
     799             :                 SSL_CTX_set_cert_verify_callback(ctx, win_cert_verify_callback, (void *)stream);
     800             :                 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
     801             : #else
     802             :                 php_openssl_netstream_data_t *sslsock;
     803          61 :                 sslsock = (php_openssl_netstream_data_t*)stream->abstract;
     804             : 
     805          61 :                 if (sslsock->is_client && !SSL_CTX_set_default_verify_paths(ctx)) {
     806           0 :                         php_error_docref(NULL, E_WARNING,
     807             :                                 "Unable to set default verify locations and no CA settings specified");
     808           0 :                         return FAILURE;
     809             :                 }
     810             : #endif
     811             :         }
     812             : 
     813          93 :         SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
     814             : 
     815          93 :         return SUCCESS;
     816             : }
     817             : /* }}} */
     818             : 
     819          29 : static void disable_peer_verification(SSL_CTX *ctx, php_stream *stream) /* {{{ */
     820             : {
     821          29 :         SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
     822          29 : }
     823             : /* }}} */
     824             : 
     825         122 : static int set_local_cert(SSL_CTX *ctx, php_stream *stream) /* {{{ */
     826             : {
     827         122 :         zval *val = NULL;
     828         122 :         char *certfile = NULL;
     829             : 
     830         177 :         GET_VER_OPT_STRING("local_cert", certfile);
     831             : 
     832         122 :         if (certfile) {
     833             :                 char resolved_path_buff[MAXPATHLEN];
     834          55 :                 const char * private_key = NULL;
     835             : 
     836          55 :                 if (VCWD_REALPATH(certfile, resolved_path_buff)) {
     837             :                         /* a certificate to use for authentication */
     838          52 :                         if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff) != 1) {
     839           0 :                                 php_error_docref(NULL, E_WARNING, "Unable to set local cert chain file `%s'; Check that your cafile/capath settings include details of your certificate and its issuer", certfile);
     840           0 :                                 return FAILURE;
     841             :                         }
     842          52 :                         GET_VER_OPT_STRING("local_pk", private_key);
     843             : 
     844          52 :                         if (private_key) {
     845             :                                 char resolved_path_buff_pk[MAXPATHLEN];
     846           0 :                                 if (VCWD_REALPATH(private_key, resolved_path_buff_pk)) {
     847           0 :                                         if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff_pk, SSL_FILETYPE_PEM) != 1) {
     848           0 :                                                 php_error_docref(NULL, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff_pk);
     849           0 :                                                 return FAILURE;
     850             :                                         }
     851             :                                 }
     852             :                         } else {
     853          52 :                                 if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
     854           0 :                                         php_error_docref(NULL, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff);
     855           0 :                                         return FAILURE;
     856             :                                 }
     857             :                         }
     858             : 
     859             : #if OPENSSL_VERSION_NUMBER < 0x10001001L
     860             :                         do {
     861             :                                 /* Unnecessary as of OpenSSLv1.0.1 (will segfault if used with >= 10001001 ) */
     862             :                                 X509 *cert = NULL;
     863             :                                 EVP_PKEY *key = NULL;
     864             :                                 SSL *tmpssl = SSL_new(ctx);
     865             :                                 cert = SSL_get_certificate(tmpssl);
     866             : 
     867             :                                 if (cert) {
     868             :                                         key = X509_get_pubkey(cert);
     869             :                                         EVP_PKEY_copy_parameters(key, SSL_get_privatekey(tmpssl));
     870             :                                         EVP_PKEY_free(key);
     871             :                                 }
     872             :                                 SSL_free(tmpssl);
     873             :                         } while (0);
     874             : #endif
     875          52 :                         if (!SSL_CTX_check_private_key(ctx)) {
     876           0 :                                 php_error_docref(NULL, E_WARNING, "Private key does not match certificate!");
     877             :                         }
     878             :                 }
     879             :         }
     880             : 
     881         122 :         return SUCCESS;
     882             : }
     883             : /* }}} */
     884             : 
     885          39 : static const SSL_METHOD *php_select_crypto_method(zend_long method_value, int is_client) /* {{{ */
     886             : {
     887          39 :         if (method_value == STREAM_CRYPTO_METHOD_SSLv2) {
     888             : #ifndef OPENSSL_NO_SSL2
     889           0 :                 return is_client ? SSLv2_client_method() : SSLv2_server_method();
     890             : #else
     891             :                 php_error_docref(NULL, E_WARNING,
     892             :                                 "SSLv2 support is not compiled into the OpenSSL library PHP is linked against");
     893             :                 return NULL;
     894             : #endif
     895          39 :         } else if (method_value == STREAM_CRYPTO_METHOD_SSLv3) {
     896             : #ifndef OPENSSL_NO_SSL3
     897           7 :                 return is_client ? SSLv3_client_method() : SSLv3_server_method();
     898             : #else
     899             :                 php_error_docref(NULL, E_WARNING,
     900             :                                 "SSLv3 support is not compiled into the OpenSSL library PHP is linked against");
     901             :                 return NULL;
     902             : #endif
     903          32 :         } else if (method_value == STREAM_CRYPTO_METHOD_TLSv1_0) {
     904          13 :                 return is_client ? TLSv1_client_method() : TLSv1_server_method();
     905          19 :         } else if (method_value == STREAM_CRYPTO_METHOD_TLSv1_1) {
     906             : #if OPENSSL_VERSION_NUMBER >= 0x10001001L
     907           9 :                 return is_client ? TLSv1_1_client_method() : TLSv1_1_server_method();
     908             : #else
     909             :                 php_error_docref(NULL, E_WARNING,
     910             :                                 "TLSv1.1 support is not compiled into the OpenSSL library PHP is linked against");
     911             :                 return NULL;
     912             : #endif
     913          10 :         } else if (method_value == STREAM_CRYPTO_METHOD_TLSv1_2) {
     914             : #if OPENSSL_VERSION_NUMBER >= 0x10001001L
     915          10 :                 return is_client ? TLSv1_2_client_method() : TLSv1_2_server_method();
     916             : #else
     917             :                 php_error_docref(NULL, E_WARNING,
     918             :                                 "TLSv1.2 support is not compiled into the OpenSSL library PHP is linked against");
     919             :                 return NULL;
     920             : #endif
     921             :         } else {
     922           0 :                 php_error_docref(NULL, E_WARNING,
     923             :                                 "Invalid crypto method");
     924           0 :                 return NULL;
     925             :         }
     926             : }
     927             : /* }}} */
     928             : 
     929          84 : static int php_get_crypto_method_ctx_flags(int method_flags) /* {{{ */
     930             : {
     931          84 :         int ssl_ctx_options = SSL_OP_ALL;
     932             : 
     933             : #ifndef OPENSSL_NO_SSL2
     934          84 :         if (!(method_flags & STREAM_CRYPTO_METHOD_SSLv2)) {
     935          17 :                 ssl_ctx_options |= SSL_OP_NO_SSLv2;
     936             :         }
     937             : #endif
     938             : #ifndef OPENSSL_NO_SSL3
     939          84 :         if (!(method_flags & STREAM_CRYPTO_METHOD_SSLv3)) {
     940          13 :                 ssl_ctx_options |= SSL_OP_NO_SSLv3;
     941             :         }
     942             : #endif
     943             : #ifndef OPENSSL_NO_TLS1
     944          84 :         if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_0)) {
     945           5 :                 ssl_ctx_options |= SSL_OP_NO_TLSv1;
     946             :         }
     947             : #endif
     948             : #if OPENSSL_VERSION_NUMBER >= 0x10001001L
     949          84 :         if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_1)) {
     950           5 :                 ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
     951             :         }
     952             : 
     953          84 :         if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_2)) {
     954           1 :                 ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
     955             :         }
     956             : #endif
     957             : 
     958          84 :         return ssl_ctx_options;
     959             : }
     960             : /* }}} */
     961             : 
     962          56 : static void limit_handshake_reneg(const SSL *ssl) /* {{{ */
     963             : {
     964             :         php_stream *stream;
     965             :         php_openssl_netstream_data_t *sslsock;
     966             :         struct timeval now;
     967             :         zend_long elapsed_time;
     968             : 
     969          56 :         stream = php_openssl_get_stream_from_ssl_handle(ssl);
     970          56 :         sslsock = (php_openssl_netstream_data_t*)stream->abstract;
     971          56 :         gettimeofday(&now, NULL);
     972             : 
     973             :         /* The initial handshake is never rate-limited */
     974          56 :         if (sslsock->reneg->prev_handshake == 0) {
     975          55 :                 sslsock->reneg->prev_handshake = now.tv_sec;
     976          55 :                 return;
     977             :         }
     978             : 
     979           1 :         elapsed_time = (now.tv_sec - sslsock->reneg->prev_handshake);
     980           1 :         sslsock->reneg->prev_handshake = now.tv_sec;
     981           1 :         sslsock->reneg->tokens -= (elapsed_time * (sslsock->reneg->limit / sslsock->reneg->window));
     982             : 
     983           1 :         if (sslsock->reneg->tokens < 0) {
     984           0 :                 sslsock->reneg->tokens = 0;
     985             :         }
     986           1 :         ++sslsock->reneg->tokens;
     987             : 
     988             :         /* The token level exceeds our allowed limit */
     989           1 :         if (sslsock->reneg->tokens > sslsock->reneg->limit) {
     990             :                 zval *val;
     991             : 
     992             : 
     993           1 :                 sslsock->reneg->should_close = 1;
     994             : 
     995           2 :                 if (PHP_STREAM_CONTEXT(stream) && (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream),
     996             :                                 "ssl", "reneg_limit_callback")) != NULL
     997             :                 ) {
     998             :                         zval param, retval;
     999             : 
    1000           1 :                         php_stream_to_zval(stream, &param);
    1001             : 
    1002             :                         /* Closing the stream inside this callback would segfault! */
    1003           1 :                         stream->flags |= PHP_STREAM_FLAG_NO_FCLOSE;
    1004           1 :                         if (FAILURE == call_user_function_ex(EG(function_table), NULL, val, &retval, 1, &param, 0, NULL)) {
    1005           0 :                                 php_error(E_WARNING, "SSL: failed invoking reneg limit notification callback");
    1006             :                         }
    1007           1 :                         stream->flags ^= PHP_STREAM_FLAG_NO_FCLOSE;
    1008             : 
    1009             :                         /* If the reneg_limit_callback returned true don't auto-close */
    1010           1 :                         if (Z_TYPE(retval) == IS_TRUE) {
    1011           0 :                                 sslsock->reneg->should_close = 0;
    1012             :                         }
    1013             : 
    1014           1 :                         zval_ptr_dtor(&retval);
    1015             :                 } else {
    1016           0 :                         php_error_docref(NULL, E_WARNING,
    1017             :                                 "SSL: client-initiated handshake rate limit exceeded by peer");
    1018             :                 }
    1019             :         }
    1020             : }
    1021             : /* }}} */
    1022             : 
    1023         544 : static void info_callback(const SSL *ssl, int where, int ret) /* {{{ */
    1024             : {
    1025             :         /* Rate-limit client-initiated handshake renegotiation to prevent DoS */
    1026         544 :         if (where & SSL_CB_HANDSHAKE_START) {
    1027          56 :                 limit_handshake_reneg(ssl);
    1028             :         }
    1029         544 : }
    1030             : /* }}} */
    1031             : 
    1032          55 : static void init_server_reneg_limit(php_stream *stream, php_openssl_netstream_data_t *sslsock) /* {{{ */
    1033             : {
    1034             :         zval *val;
    1035          55 :         zend_long limit = OPENSSL_DEFAULT_RENEG_LIMIT;
    1036          55 :         zend_long window = OPENSSL_DEFAULT_RENEG_WINDOW;
    1037             : 
    1038         110 :         if (PHP_STREAM_CONTEXT(stream) &&
    1039          55 :                 NULL != (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream),
    1040             :                                 "ssl", "reneg_limit"))
    1041             :         ) {
    1042           1 :                 convert_to_long(val);
    1043           1 :                 limit = Z_LVAL_P(val);
    1044             :         }
    1045             : 
    1046             :         /* No renegotiation rate-limiting */
    1047          55 :         if (limit < 0) {
    1048           0 :                 return;
    1049             :         }
    1050             : 
    1051         110 :         if (PHP_STREAM_CONTEXT(stream) &&
    1052          55 :                 NULL != (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream),
    1053             :                                 "ssl", "reneg_window"))
    1054             :         ) {
    1055           1 :                 convert_to_long(val);
    1056           1 :                 window = Z_LVAL_P(val);
    1057             :         }
    1058             : 
    1059         110 :         sslsock->reneg = (void*)pemalloc(sizeof(php_openssl_handshake_bucket_t),
    1060             :                 php_stream_is_persistent(stream)
    1061             :         );
    1062             : 
    1063          55 :         sslsock->reneg->limit = limit;
    1064          55 :         sslsock->reneg->window = window;
    1065          55 :         sslsock->reneg->prev_handshake = 0;
    1066          55 :         sslsock->reneg->tokens = 0;
    1067          55 :         sslsock->reneg->should_close = 0;
    1068             : 
    1069          55 :         SSL_set_info_callback(sslsock->ssl_handle, info_callback);
    1070             : }
    1071             : /* }}} */
    1072             : 
    1073          55 : static int set_server_rsa_key(php_stream *stream, SSL_CTX *ctx) /* {{{ */
    1074             : {
    1075             :         zval *val;
    1076             :         int rsa_key_size;
    1077             :         RSA* rsa;
    1078             : 
    1079          55 :         if ((val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "rsa_key_size")) != NULL) {
    1080           0 :                 rsa_key_size = (int) Z_LVAL_P(val);
    1081           0 :                 if ((rsa_key_size != 1) && (rsa_key_size & (rsa_key_size - 1))) {
    1082           0 :                         php_error_docref(NULL, E_WARNING, "RSA key size requires a power of 2: %d", rsa_key_size);
    1083           0 :                         rsa_key_size = 2048;
    1084             :                 }
    1085             :         } else {
    1086          55 :                 rsa_key_size = 2048;
    1087             :         }
    1088             : 
    1089          55 :         rsa = RSA_generate_key(rsa_key_size, RSA_F4, NULL, NULL);
    1090             : 
    1091          55 :         if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
    1092           0 :                 php_error_docref(NULL, E_WARNING, "Failed setting RSA key");
    1093           0 :                 RSA_free(rsa);
    1094           0 :                 return FAILURE;
    1095             :         }
    1096             : 
    1097          55 :         RSA_free(rsa);
    1098             : 
    1099          55 :         return SUCCESS;
    1100             : }
    1101             : /* }}} */
    1102             : 
    1103           0 : static int set_server_dh_param(SSL_CTX *ctx, char *dh_path) /* {{{ */
    1104             : {
    1105             :         DH *dh;
    1106             :         BIO* bio;
    1107             : 
    1108           0 :         bio = BIO_new_file(dh_path, "r");
    1109             : 
    1110           0 :         if (bio == NULL) {
    1111           0 :                 php_error_docref(NULL, E_WARNING, "Invalid dh_param file: %s", dh_path);
    1112           0 :                 return FAILURE;
    1113             :         }
    1114             : 
    1115           0 :         dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
    1116           0 :         BIO_free(bio);
    1117             : 
    1118           0 :         if (dh == NULL) {
    1119           0 :                 php_error_docref(NULL, E_WARNING, "Failed reading DH params from file: %s", dh_path);
    1120           0 :                 return FAILURE;
    1121             :         }
    1122             : 
    1123           0 :         if (SSL_CTX_set_tmp_dh(ctx, dh) < 0) {
    1124           0 :                 php_error_docref(NULL, E_WARNING, "DH param assignment failed");
    1125           0 :                 DH_free(dh);
    1126           0 :                 return FAILURE;
    1127             :         }
    1128             : 
    1129           0 :         DH_free(dh);
    1130             : 
    1131           0 :         return SUCCESS;
    1132             : }
    1133             : /* }}} */
    1134             : 
    1135             : #ifdef HAVE_ECDH
    1136          55 : static int set_server_ecdh_curve(php_stream *stream, SSL_CTX *ctx) /* {{{ */
    1137             : {
    1138             :         zval *val;
    1139             :         int curve_nid;
    1140             :         char *curve_str;
    1141             :         EC_KEY *ecdh;
    1142             : 
    1143          55 :         if ((val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "ecdh_curve")) != NULL) {
    1144           0 :                 convert_to_string_ex(val);
    1145           0 :                 curve_str = Z_STRVAL_P(val);
    1146           0 :                 curve_nid = OBJ_sn2nid(curve_str);
    1147           0 :                 if (curve_nid == NID_undef) {
    1148           0 :                         php_error_docref(NULL, E_WARNING, "Invalid ECDH curve: %s", curve_str);
    1149           0 :                         return FAILURE;
    1150             :                 }
    1151             :         } else {
    1152          55 :                 curve_nid = NID_X9_62_prime256v1;
    1153             :         }
    1154             : 
    1155          55 :         ecdh = EC_KEY_new_by_curve_name(curve_nid);
    1156          55 :         if (ecdh == NULL) {
    1157           0 :                 php_error_docref(NULL, E_WARNING,
    1158             :                         "Failed generating ECDH curve");
    1159             : 
    1160           0 :                 return FAILURE;
    1161             :         }
    1162             : 
    1163          55 :         SSL_CTX_set_tmp_ecdh(ctx, ecdh);
    1164          55 :         EC_KEY_free(ecdh);
    1165             : 
    1166          55 :         return SUCCESS;
    1167             : }
    1168             : /* }}} */
    1169             : #endif
    1170             : 
    1171          55 : static int set_server_specific_opts(php_stream *stream, SSL_CTX *ctx) /* {{{ */
    1172             : {
    1173             :         zval *val;
    1174          55 :         long ssl_ctx_options = SSL_CTX_get_options(ctx);
    1175             : 
    1176             : #ifdef HAVE_ECDH
    1177          55 :         if (FAILURE == set_server_ecdh_curve(stream, ctx)) {
    1178           0 :                 return FAILURE;
    1179             :         }
    1180             : #else
    1181             :         val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "ecdh_curve");
    1182             :         if (val != NULL) {
    1183             :                 php_error_docref(NULL, E_WARNING,
    1184             :                         "ECDH curve support not compiled into the OpenSSL lib against which PHP is linked");
    1185             : 
    1186             :                 return FAILURE;
    1187             :         }
    1188             : #endif
    1189             : 
    1190          55 :         if ((val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param")) != NULL) {
    1191           0 :                 convert_to_string_ex(val);
    1192           0 :                 if (FAILURE == set_server_dh_param(ctx,  Z_STRVAL_P(val))) {
    1193           0 :                         return FAILURE;
    1194             :                 }
    1195             :         }
    1196             : 
    1197          55 :         if (FAILURE == set_server_rsa_key(stream, ctx)) {
    1198           0 :                 return FAILURE;
    1199             :         }
    1200             : 
    1201         110 :         if (NULL != (val = php_stream_context_get_option(
    1202         110 :                                 PHP_STREAM_CONTEXT(stream), "ssl", "honor_cipher_order")) &&
    1203             :                         zend_is_true(val)
    1204           0 :         ) {
    1205           0 :                 ssl_ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
    1206             :         }
    1207             : 
    1208         110 :         if (NULL != (val = php_stream_context_get_option(
    1209         110 :                                 PHP_STREAM_CONTEXT(stream), "ssl", "single_dh_use")) &&
    1210             :                         zend_is_true(val)
    1211           0 :         ) {
    1212           0 :                 ssl_ctx_options |= SSL_OP_SINGLE_DH_USE;
    1213             :         }
    1214             : 
    1215             : #ifdef HAVE_ECDH
    1216         110 :         if (NULL != (val = php_stream_context_get_option(
    1217         110 :                                 PHP_STREAM_CONTEXT(stream), "ssl", "single_ecdh_use")) &&
    1218           0 :                         zend_is_true(val)) {
    1219           0 :                 ssl_ctx_options |= SSL_OP_SINGLE_ECDH_USE;
    1220             :         }
    1221             : #endif
    1222             : 
    1223          55 :         SSL_CTX_set_options(ctx, ssl_ctx_options);
    1224             : 
    1225          55 :         return SUCCESS;
    1226             : }
    1227             : /* }}} */
    1228             : 
    1229             : #ifdef HAVE_SNI
    1230           3 : static int server_sni_callback(SSL *ssl_handle, int *al, void *arg) /* {{{ */
    1231             : {
    1232             :         php_stream *stream;
    1233             :         php_openssl_netstream_data_t *sslsock;
    1234             :         unsigned i;
    1235             :         const char *server_name;
    1236             : 
    1237           3 :         server_name = SSL_get_servername(ssl_handle, TLSEXT_NAMETYPE_host_name);
    1238             : 
    1239           3 :         if (!server_name) {
    1240           0 :                 return SSL_TLSEXT_ERR_NOACK;
    1241             :         }
    1242             : 
    1243           3 :         stream = (php_stream*)SSL_get_ex_data(ssl_handle, php_openssl_get_ssl_stream_data_index());
    1244           3 :         sslsock = (php_openssl_netstream_data_t*)stream->abstract;
    1245             : 
    1246           3 :         if (!(sslsock->sni_cert_count && sslsock->sni_certs)) {
    1247           0 :                 return SSL_TLSEXT_ERR_NOACK;
    1248             :         }
    1249             : 
    1250           6 :         for (i=0; i < sslsock->sni_cert_count; i++) {
    1251           6 :                 if (matches_wildcard_name(server_name, sslsock->sni_certs[i].name)) {
    1252           3 :                         SSL_set_SSL_CTX(ssl_handle, sslsock->sni_certs[i].ctx);
    1253           3 :                         return SSL_TLSEXT_ERR_OK;
    1254             :                 }
    1255             :         }
    1256             : 
    1257           0 :         return SSL_TLSEXT_ERR_NOACK;
    1258             : }
    1259             : /* }}} */
    1260             : 
    1261          55 : static int enable_server_sni(php_stream *stream, php_openssl_netstream_data_t *sslsock)
    1262             : {
    1263             :         zval *val;
    1264             :         zval *current;
    1265             :         zend_string *key;
    1266             :         zend_ulong key_index;
    1267          55 :         int i = 0;
    1268             :         char resolved_path_buff[MAXPATHLEN];
    1269             :         SSL_CTX *ctx;
    1270             : 
    1271             :         /* If the stream ctx disables SNI we're finished here */
    1272          55 :         if (GET_VER_OPT("SNI_enabled") && !zend_is_true(val)) {
    1273           0 :                 return SUCCESS;
    1274             :         }
    1275             : 
    1276             :         /* If no SNI cert array is specified we're finished here */
    1277          55 :         if (!GET_VER_OPT("SNI_server_certs")) {
    1278          52 :                 return SUCCESS;
    1279             :         }
    1280             : 
    1281           3 :         if (Z_TYPE_P(val) != IS_ARRAY) {
    1282           0 :                 php_error_docref(NULL, E_WARNING,
    1283             :                         "SNI_server_certs requires an array mapping host names to cert paths"
    1284             :                 );
    1285           0 :                 return FAILURE;
    1286             :         }
    1287             : 
    1288           3 :         sslsock->sni_cert_count = zend_hash_num_elements(Z_ARRVAL_P(val));
    1289           3 :         if (sslsock->sni_cert_count == 0) {
    1290           0 :                 php_error_docref(NULL, E_WARNING,
    1291             :                         "SNI_server_certs host cert array must not be empty"
    1292             :                 );
    1293           0 :                 return FAILURE;
    1294             :         }
    1295             : 
    1296           3 :         sslsock->sni_certs = (php_openssl_sni_cert_t*)safe_pemalloc(sslsock->sni_cert_count,
    1297             :                 sizeof(php_openssl_sni_cert_t), 0, php_stream_is_persistent(stream)
    1298             :         );
    1299             : 
    1300          21 :         ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL_P(val), key_index, key, current) {
    1301             :                 (void) key_index;
    1302             : 
    1303           9 :                 if (!key) {
    1304           0 :                         php_error_docref(NULL, E_WARNING,
    1305             :                                 "SNI_server_certs array requires string host name keys"
    1306             :                         );
    1307           0 :                         return FAILURE;
    1308             :                 }
    1309             : 
    1310           9 :                 if (VCWD_REALPATH(Z_STRVAL_P(current), resolved_path_buff)) {
    1311             :                         /* The hello method is not inherited by SSL structs when assigning a new context
    1312             :                          * inside the SNI callback, so the just use SSLv23 */
    1313           9 :                         ctx = SSL_CTX_new(SSLv23_server_method());
    1314             : 
    1315           9 :                         if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff) != 1) {
    1316           0 :                                 php_error_docref(NULL, E_WARNING,
    1317             :                                         "failed setting local cert chain file `%s'; " \
    1318             :                                         "check that your cafile/capath settings include " \
    1319             :                                         "details of your certificate and its issuer",
    1320             :                                         resolved_path_buff
    1321             :                                 );
    1322           0 :                                 SSL_CTX_free(ctx);
    1323           0 :                                 return FAILURE;
    1324           9 :                         } else if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
    1325           0 :                                 php_error_docref(NULL, E_WARNING,
    1326             :                                         "failed setting private key from file `%s'",
    1327             :                                         resolved_path_buff
    1328             :                                 );
    1329           0 :                                 SSL_CTX_free(ctx);
    1330           0 :                                 return FAILURE;
    1331             :                         } else {
    1332           9 :                                 sslsock->sni_certs[i].name = pestrdup(key->val, php_stream_is_persistent(stream));
    1333           9 :                                 sslsock->sni_certs[i].ctx = ctx;
    1334           9 :                                 ++i;
    1335             :                         }
    1336             :                 } else {
    1337           0 :                         php_error_docref(NULL, E_WARNING,
    1338             :                                 "failed setting local cert chain file `%s'; file not found",
    1339           0 :                                 Z_STRVAL_P(current)
    1340             :                         );
    1341           0 :                         return FAILURE;
    1342             :                 }
    1343             :         } ZEND_HASH_FOREACH_END();
    1344             : 
    1345           3 :         SSL_CTX_set_tlsext_servername_callback(sslsock->ctx, server_sni_callback);
    1346             : 
    1347           3 :         return SUCCESS;
    1348             : }
    1349             : 
    1350          67 : static void enable_client_sni(php_stream *stream, php_openssl_netstream_data_t *sslsock) /* {{{ */
    1351             : {
    1352             :         zval *val;
    1353             :         char *sni_server_name;
    1354             : 
    1355             :         /* If SNI is explicitly disabled we're finished here */
    1356          67 :         if (GET_VER_OPT("SNI_enabled") && !zend_is_true(val)) {
    1357           3 :                 return;
    1358             :         }
    1359             : 
    1360          64 :         sni_server_name = sslsock->url_name;
    1361             : 
    1362         109 :         GET_VER_OPT_STRING("peer_name", sni_server_name);
    1363             : 
    1364          64 :         if (GET_VER_OPT("SNI_server_name")) {
    1365           0 :                 GET_VER_OPT_STRING("SNI_server_name", sni_server_name);
    1366           0 :                 php_error(E_DEPRECATED, "SNI_server_name is deprecated in favor of peer_name");
    1367             :         }
    1368             : 
    1369          64 :         if (sni_server_name) {
    1370          64 :                 SSL_set_tlsext_host_name(sslsock->ssl_handle, sni_server_name);
    1371             :         }
    1372             : }
    1373             : /* }}} */
    1374             : #endif
    1375             : 
    1376         123 : int php_openssl_setup_crypto(php_stream *stream,
    1377             :                 php_openssl_netstream_data_t *sslsock,
    1378             :                 php_stream_xport_crypto_param *cparam
    1379             :                 ) /* {{{ */
    1380             : {
    1381             :         const SSL_METHOD *method;
    1382             :         int ssl_ctx_options;
    1383             :         int method_flags;
    1384         123 :         char *cipherlist = NULL;
    1385             :         zval *val;
    1386             : 
    1387         123 :         if (sslsock->ssl_handle) {
    1388           0 :                 if (sslsock->s.is_blocked) {
    1389           0 :                         php_error_docref(NULL, E_WARNING, "SSL/TLS already set-up for this stream");
    1390           0 :                         return FAILURE;
    1391             :                 } else {
    1392           0 :                         return SUCCESS;
    1393             :                 }
    1394             :         }
    1395             : 
    1396         123 :         ERR_clear_error();
    1397             : 
    1398             :         /* We need to do slightly different things based on client/server method
    1399             :          * so lets remember which method was selected */
    1400         123 :         sslsock->is_client = cparam->inputs.method & STREAM_CRYPTO_IS_CLIENT;
    1401         123 :         method_flags = ((cparam->inputs.method >> 1) << 1);
    1402             : 
    1403             :         /* Should we use a specific crypto method or is generic SSLv23 okay? */
    1404         123 :         if ((method_flags & (method_flags-1)) == 0) {
    1405          39 :                 ssl_ctx_options = SSL_OP_ALL;
    1406          39 :                 method = php_select_crypto_method(method_flags, sslsock->is_client);
    1407          39 :                 if (method == NULL) {
    1408           0 :                         return FAILURE;
    1409             :                 }
    1410             :         } else {
    1411          84 :                 method = sslsock->is_client ? SSLv23_client_method() : SSLv23_server_method();
    1412          84 :                 ssl_ctx_options = php_get_crypto_method_ctx_flags(method_flags);
    1413          84 :                 if (ssl_ctx_options == -1) {
    1414           0 :                         return FAILURE;
    1415             :                 }
    1416             :         }
    1417             : 
    1418             : #if OPENSSL_VERSION_NUMBER >= 0x10001001L
    1419         123 :         sslsock->ctx = SSL_CTX_new(method);
    1420             : #else
    1421             :         /* Avoid const warning with old versions */
    1422             :         sslsock->ctx = SSL_CTX_new((SSL_METHOD*)method);
    1423             : #endif
    1424             : 
    1425         123 :         if (sslsock->ctx == NULL) {
    1426           0 :                 php_error_docref(NULL, E_WARNING, "SSL context creation failure");
    1427           0 :                 return FAILURE;
    1428             :         }
    1429             : 
    1430             : #if OPENSSL_VERSION_NUMBER >= 0x0090806fL
    1431         123 :         if (GET_VER_OPT("no_ticket") && zend_is_true(val)) {
    1432           0 :                 ssl_ctx_options |= SSL_OP_NO_TICKET;
    1433             :         }
    1434             : #endif
    1435             : 
    1436             : #if OPENSSL_VERSION_NUMBER >= 0x0090605fL
    1437         123 :         ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
    1438             : #endif
    1439             : 
    1440             : #if OPENSSL_VERSION_NUMBER >= 0x10000000L
    1441         123 :         if (!GET_VER_OPT("disable_compression") || zend_is_true(val)) {
    1442         123 :                 ssl_ctx_options |= SSL_OP_NO_COMPRESSION;
    1443             :         }
    1444             : #endif
    1445             : 
    1446         152 :         if (GET_VER_OPT("verify_peer") && !zend_is_true(val)) {
    1447          29 :                 disable_peer_verification(sslsock->ctx, stream);
    1448          94 :         } else if (FAILURE == enable_peer_verification(sslsock->ctx, stream)) {
    1449           1 :                 return FAILURE;
    1450             :         }
    1451             : 
    1452             :         /* callback for the passphrase (for localcert) */
    1453         122 :         if (GET_VER_OPT("passphrase")) {
    1454           1 :                 SSL_CTX_set_default_passwd_cb_userdata(sslsock->ctx, stream);
    1455           1 :                 SSL_CTX_set_default_passwd_cb(sslsock->ctx, passwd_callback);
    1456             :         }
    1457             : 
    1458         122 :         GET_VER_OPT_STRING("ciphers", cipherlist);
    1459             : #ifndef USE_OPENSSL_SYSTEM_CIPHERS
    1460         122 :         if (!cipherlist) {
    1461         122 :                 cipherlist = OPENSSL_DEFAULT_STREAM_CIPHERS;
    1462             :         }
    1463             : #endif
    1464         122 :         if (cipherlist) {
    1465         122 :                 if (SSL_CTX_set_cipher_list(sslsock->ctx, cipherlist) != 1) {
    1466           0 :                         return FAILURE;
    1467             :                 }
    1468             :         }
    1469         122 :         if (FAILURE == set_local_cert(sslsock->ctx, stream)) {
    1470           0 :                 return FAILURE;
    1471             :         }
    1472             : 
    1473         122 :         SSL_CTX_set_options(sslsock->ctx, ssl_ctx_options);
    1474             : 
    1475         287 :         if (sslsock->is_client == 0 &&
    1476         110 :                 PHP_STREAM_CONTEXT(stream) &&
    1477          55 :                 FAILURE == set_server_specific_opts(stream, sslsock->ctx)
    1478             :         ) {
    1479           0 :                 return FAILURE;
    1480             :         }
    1481             : 
    1482         122 :         sslsock->ssl_handle = SSL_new(sslsock->ctx);
    1483         122 :         if (sslsock->ssl_handle == NULL) {
    1484           0 :                 php_error_docref(NULL, E_WARNING, "SSL handle creation failure");
    1485           0 :                 SSL_CTX_free(sslsock->ctx);
    1486           0 :                 sslsock->ctx = NULL;
    1487           0 :                 return FAILURE;
    1488             :         } else {
    1489         122 :                 SSL_set_ex_data(sslsock->ssl_handle, php_openssl_get_ssl_stream_data_index(), stream);
    1490             :         }
    1491             : 
    1492         122 :         if (!SSL_set_fd(sslsock->ssl_handle, sslsock->s.socket)) {
    1493           0 :                 handle_ssl_error(stream, 0, 1);
    1494             :         }
    1495             : 
    1496             : #ifdef HAVE_SNI
    1497             :         /* Enable server-side SNI */
    1498         122 :         if (sslsock->is_client == 0 && enable_server_sni(stream, sslsock) == FAILURE) {
    1499           0 :                 return FAILURE;
    1500             :         }
    1501             : #endif
    1502             : 
    1503             :         /* Enable server-side handshake renegotiation rate-limiting */
    1504         122 :         if (sslsock->is_client == 0) {
    1505          55 :                 init_server_reneg_limit(stream, sslsock);
    1506             :         }
    1507             : 
    1508             : #ifdef SSL_MODE_RELEASE_BUFFERS
    1509             :         do {
    1510         122 :                 long mode = SSL_get_mode(sslsock->ssl_handle);
    1511         122 :                 SSL_set_mode(sslsock->ssl_handle, mode | SSL_MODE_RELEASE_BUFFERS);
    1512             :         } while (0);
    1513             : #endif
    1514             : 
    1515         122 :         if (cparam->inputs.session) {
    1516           0 :                 if (cparam->inputs.session->ops != &php_openssl_socket_ops) {
    1517           0 :                         php_error_docref(NULL, E_WARNING, "supplied session stream must be an SSL enabled stream");
    1518           0 :                 } else if (((php_openssl_netstream_data_t*)cparam->inputs.session->abstract)->ssl_handle == NULL) {
    1519           0 :                         php_error_docref(NULL, E_WARNING, "supplied SSL session stream is not initialized");
    1520             :                 } else {
    1521           0 :                         SSL_copy_session_id(sslsock->ssl_handle, ((php_openssl_netstream_data_t*)cparam->inputs.session->abstract)->ssl_handle);
    1522             :                 }
    1523             :         }
    1524             : 
    1525         122 :         return SUCCESS;
    1526             : }
    1527             : /* }}} */
    1528             : 
    1529           0 : static zend_array *capture_session_meta(SSL *ssl_handle) /* {{{ */
    1530             : {
    1531             :         zval meta_arr;
    1532             :         char *proto_str;
    1533           0 :         long proto = SSL_version(ssl_handle);
    1534           0 :         const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl_handle);
    1535             : 
    1536           0 :         switch (proto) {
    1537             : #if OPENSSL_VERSION_NUMBER >= 0x10001001L
    1538           0 :                 case TLS1_2_VERSION: proto_str = "TLSv1.2"; break;
    1539           0 :                 case TLS1_1_VERSION: proto_str = "TLSv1.1"; break;
    1540             : #endif
    1541           0 :                 case TLS1_VERSION: proto_str = "TLSv1"; break;
    1542           0 :                 case SSL3_VERSION: proto_str = "SSLv3"; break;
    1543           0 :                 case SSL2_VERSION: proto_str = "SSLv2"; break;
    1544           0 :                 default: proto_str = "UNKNOWN";
    1545             :         }
    1546             : 
    1547           0 :         array_init(&meta_arr);
    1548           0 :         add_assoc_string(&meta_arr, "protocol", proto_str);
    1549           0 :         add_assoc_string(&meta_arr, "cipher_name", (char *) SSL_CIPHER_get_name(cipher));
    1550           0 :         add_assoc_long(&meta_arr, "cipher_bits", SSL_CIPHER_get_bits(cipher, NULL));
    1551           0 :         add_assoc_string(&meta_arr, "cipher_version", SSL_CIPHER_get_version(cipher));
    1552             : 
    1553           0 :         return Z_ARR(meta_arr);
    1554             : }
    1555             : /* }}} */
    1556             : 
    1557          18 : static int capture_peer_certs(php_stream *stream, php_openssl_netstream_data_t *sslsock, X509 *peer_cert) /* {{{ */
    1558             : {
    1559             :         zval *val, zcert;
    1560          18 :         int cert_captured = 0;
    1561             : 
    1562          32 :         if (NULL != (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream),
    1563             :                         "ssl", "capture_peer_cert")) &&
    1564             :                 zend_is_true(val)
    1565          14 :         ) {
    1566          14 :                 ZVAL_RES(&zcert, zend_register_resource(peer_cert, php_openssl_get_x509_list_id()));
    1567          14 :                 php_stream_context_set_option(PHP_STREAM_CONTEXT(stream), "ssl", "peer_certificate", &zcert);
    1568          14 :                 cert_captured = 1;
    1569             :         }
    1570             : 
    1571          18 :         if (NULL != (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream),
    1572             :                         "ssl", "capture_peer_cert_chain")) &&
    1573             :                 zend_is_true(val)
    1574           0 :         ) {
    1575             :                 zval arr;
    1576             :                 STACK_OF(X509) *chain;
    1577             : 
    1578           0 :                 chain = SSL_get_peer_cert_chain(sslsock->ssl_handle);
    1579             : 
    1580           0 :                 if (chain && sk_X509_num(chain) > 0) {
    1581             :                         int i;
    1582           0 :                         array_init(&arr);
    1583             : 
    1584           0 :                         for (i = 0; i < sk_X509_num(chain); i++) {
    1585           0 :                                 X509 *mycert = X509_dup(sk_X509_value(chain, i));
    1586           0 :                                 ZVAL_RES(&zcert, zend_register_resource(mycert, php_openssl_get_x509_list_id()));
    1587           0 :                                 add_next_index_zval(&arr, &zcert);
    1588             :                         }
    1589             : 
    1590             :                 } else {
    1591           0 :                         ZVAL_NULL(&arr);
    1592             :                 }
    1593             : 
    1594           0 :                 php_stream_context_set_option(PHP_STREAM_CONTEXT(stream), "ssl", "peer_certificate_chain", &arr);
    1595             :                 zval_dtor(&arr);
    1596             :         }
    1597             : 
    1598          18 :         return cert_captured;
    1599             : }
    1600             : /* }}} */
    1601             : 
    1602         122 : static int php_openssl_enable_crypto(php_stream *stream,
    1603             :                 php_openssl_netstream_data_t *sslsock,
    1604             :                 php_stream_xport_crypto_param *cparam
    1605             :                 )
    1606             : {
    1607             :         int n;
    1608         122 :         int retry = 1;
    1609             :         int cert_captured;
    1610             :         X509 *peer_cert;
    1611             : 
    1612         122 :         if (cparam->inputs.activate && !sslsock->ssl_active) {
    1613             :                 struct timeval  start_time,
    1614             :                                                 *timeout;
    1615         122 :                 int                             blocked         = sslsock->s.is_blocked,
    1616         122 :                                                 has_timeout = 0;
    1617             : 
    1618             : #ifdef HAVE_SNI
    1619         122 :                 if (sslsock->is_client) {
    1620          67 :                         enable_client_sni(stream, sslsock);
    1621             :                 }
    1622             : #endif
    1623             : 
    1624         122 :                 if (!sslsock->state_set) {
    1625         122 :                         if (sslsock->is_client) {
    1626          67 :                                 SSL_set_connect_state(sslsock->ssl_handle);
    1627             :                         } else {
    1628          55 :                                 SSL_set_accept_state(sslsock->ssl_handle);
    1629             :                         }
    1630         122 :                         sslsock->state_set = 1;
    1631             :                 }
    1632             : 
    1633         122 :                 if (SUCCESS == php_set_sock_blocking(sslsock->s.socket, 0)) {
    1634         122 :                         sslsock->s.is_blocked = 0;
    1635             :                 }
    1636             : 
    1637         122 :                 timeout = sslsock->is_client ? &sslsock->connect_timeout : &sslsock->s.timeout;
    1638         122 :                 has_timeout = !sslsock->s.is_blocked && (timeout->tv_sec || timeout->tv_usec);
    1639             :                 /* gettimeofday is not monotonic; using it here is not strictly correct */
    1640         122 :                 if (has_timeout) {
    1641         122 :                         gettimeofday(&start_time, NULL);
    1642             :                 }
    1643             : 
    1644             :                 do {
    1645             :                         struct timeval  cur_time,
    1646             :                                                         elapsed_time;
    1647             :                         
    1648         213 :                         if (sslsock->is_client) {
    1649         152 :                                 n = SSL_connect(sslsock->ssl_handle);
    1650             :                         } else {
    1651          61 :                                 n = SSL_accept(sslsock->ssl_handle);
    1652             :                         }
    1653             : 
    1654         213 :                         if (has_timeout) {
    1655         213 :                                 gettimeofday(&cur_time, NULL);
    1656         213 :                                 elapsed_time = subtract_timeval( cur_time, start_time );
    1657             :                         
    1658         213 :                                 if (compare_timeval( elapsed_time, *timeout) > 0) {
    1659          47 :                                         php_error_docref(NULL, E_WARNING, "SSL: Handshake timed out");
    1660          47 :                                         return -1;
    1661             :                                 }
    1662             :                         }
    1663             : 
    1664         166 :                         if (n <= 0) {
    1665             :                                 /* in case of SSL_ERROR_WANT_READ/WRITE, do not retry in non-blocking mode */
    1666         142 :                                 retry = handle_ssl_error(stream, n, blocked);
    1667         142 :                                 if (retry) {
    1668             :                                         /* wait until something interesting happens in the socket. It may be a
    1669             :                                          * timeout. Also consider the unlikely of possibility of a write block  */
    1670          91 :                                         int err = SSL_get_error(sslsock->ssl_handle, n);
    1671             :                                         struct timeval left_time;
    1672             : 
    1673          91 :                                         if (has_timeout) {
    1674          91 :                                                 left_time = subtract_timeval( *timeout, elapsed_time );
    1675             :                                         }
    1676          91 :                                         php_pollfd_for(sslsock->s.socket, (err == SSL_ERROR_WANT_READ) ?
    1677             :                                                 (POLLIN|POLLPRI) : POLLOUT, has_timeout ? &left_time : NULL);
    1678             :                                 }
    1679             :                         } else {
    1680          24 :                                 retry = 0;
    1681             :                         }
    1682         166 :                 } while (retry);
    1683             : 
    1684          75 :                 if (sslsock->s.is_blocked != blocked && SUCCESS == php_set_sock_blocking(sslsock->s.socket, blocked)) {
    1685          75 :                         sslsock->s.is_blocked = blocked;
    1686             :                 }
    1687             : 
    1688          75 :                 if (n == 1) {
    1689          24 :                         peer_cert = SSL_get_peer_certificate(sslsock->ssl_handle);
    1690          24 :                         if (peer_cert && PHP_STREAM_CONTEXT(stream)) {
    1691          18 :                                 cert_captured = capture_peer_certs(stream, sslsock, peer_cert);
    1692             :                         }
    1693             : 
    1694          24 :                         if (FAILURE == apply_peer_verification_policy(sslsock->ssl_handle, peer_cert, stream)) {
    1695           0 :                                 SSL_shutdown(sslsock->ssl_handle);
    1696           0 :                                 n = -1;
    1697             :                         } else {
    1698          24 :                                 sslsock->ssl_active = 1;
    1699             : 
    1700          24 :                                 if (PHP_STREAM_CONTEXT(stream)) {
    1701             :                                         zval *val;
    1702             : 
    1703          24 :                                         if (NULL != (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream),
    1704             :                                                         "ssl", "capture_session_meta")) &&
    1705             :                                                 zend_is_true(val)
    1706           0 :                                         ) {
    1707             :                                                 zval meta_arr;
    1708           0 :                                                 ZVAL_ARR(&meta_arr, capture_session_meta(sslsock->ssl_handle));
    1709           0 :                                                 php_stream_context_set_option(PHP_STREAM_CONTEXT(stream), "ssl", "session_meta", &meta_arr);
    1710             :                                                 zval_dtor(&meta_arr);
    1711             :                                         }
    1712             :                                 }
    1713             :                         }
    1714          51 :                 } else if (errno == EAGAIN) {
    1715           0 :                         n = 0;
    1716             :                 } else {
    1717          51 :                         n = -1;
    1718          51 :                         peer_cert = SSL_get_peer_certificate(sslsock->ssl_handle);
    1719          51 :                         if (peer_cert && PHP_STREAM_CONTEXT(stream)) {
    1720           0 :                                 cert_captured = capture_peer_certs(stream, sslsock, peer_cert);
    1721             :                         }
    1722             :                 }
    1723             : 
    1724          75 :                 if (n && peer_cert && cert_captured == 0) {
    1725           4 :                         X509_free(peer_cert);
    1726             :                 }
    1727             : 
    1728          75 :                 return n;
    1729             : 
    1730           0 :         } else if (!cparam->inputs.activate && sslsock->ssl_active) {
    1731             :                 /* deactivate - common for server/client */
    1732           0 :                 SSL_shutdown(sslsock->ssl_handle);
    1733           0 :                 sslsock->ssl_active = 0;
    1734             :         }
    1735             : 
    1736           0 :         return -1;
    1737             : }
    1738             : 
    1739         349 : static size_t php_openssl_sockop_read(php_stream *stream, char *buf, size_t count) /* {{{ */
    1740             : {
    1741         349 :         return php_openssl_sockop_io( 1, stream, buf, count );
    1742             : }
    1743             : /* }}} */
    1744             : 
    1745         644 : static size_t php_openssl_sockop_write(php_stream *stream, const char *buf, size_t count) /* {{{ */
    1746             : {
    1747         644 :         return php_openssl_sockop_io( 0, stream, (char*)buf, count );
    1748             : }
    1749             : /* }}} */
    1750             : 
    1751             : /**
    1752             :  * Factored out common functionality (blocking, timeout, loop management) for read and write.
    1753             :  * Perform IO (read or write) to an SSL socket. If we have a timeout, we switch to non-blocking mode
    1754             :  * for the duration of the operation, using select to do our waits. If we time out, or we have an error
    1755             :  * report that back to PHP
    1756             :  *
    1757             :  */
    1758         993 : static size_t php_openssl_sockop_io(int read, php_stream *stream, char *buf, size_t count) /* {{{ */
    1759             : {
    1760         993 :         php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
    1761             : 
    1762             :         /* Only do this if SSL is active. */
    1763         993 :         if (sslsock->ssl_active) {
    1764          72 :                 int retry = 1;
    1765             :                 struct timeval start_time;
    1766             :                 struct timeval *timeout;
    1767          72 :                 int blocked = sslsock->s.is_blocked;
    1768          72 :                 int has_timeout = 0;
    1769          72 :                 int nr_bytes = 0;
    1770             : 
    1771             :                 /* prevent overflow in openssl */
    1772          72 :                 if (count > INT_MAX) {
    1773           0 :                         count = INT_MAX;
    1774             :                 }
    1775             : 
    1776             :                 /* Begin by making the socket non-blocking. This allows us to check the timeout. */
    1777          72 :                 if (SUCCESS == php_set_sock_blocking(sslsock->s.socket, 0)) {
    1778          72 :                         sslsock->s.is_blocked = 0;
    1779             :                 }
    1780             : 
    1781             :                 /* Get the timeout value (and make sure we are to check it. */
    1782          72 :                 timeout = sslsock->is_client ? &sslsock->connect_timeout : &sslsock->s.timeout;
    1783          72 :                 has_timeout = !sslsock->s.is_blocked && (timeout->tv_sec || timeout->tv_usec);
    1784             : 
    1785             :                 /* gettimeofday is not monotonic; using it here is not strictly correct */
    1786          72 :                 if (has_timeout) {
    1787          72 :                         gettimeofday(&start_time, NULL);
    1788             :                 }
    1789             : 
    1790             :                 /* Main IO loop. */
    1791             :                 do {
    1792             :                         struct timeval cur_time, elapsed_time, left_time;
    1793             : 
    1794             :                         /* If we have a timeout to check, figure out how much time has elapsed since we started. */
    1795          89 :                         if (has_timeout) {
    1796          89 :                                 gettimeofday(&cur_time, NULL);
    1797             : 
    1798             :                                 /* Determine how much time we've taken so far. */
    1799          89 :                                 elapsed_time = subtract_timeval( cur_time, start_time );
    1800             : 
    1801             :                                 /* and return an error if we've taken too long. */
    1802          89 :                                 if (compare_timeval( elapsed_time, *timeout) > 0 ) {
    1803             :                                         /* If the socket was originally blocking, set it back. */
    1804           0 :                                         if (blocked) {
    1805           0 :                                                 php_set_sock_blocking(sslsock->s.socket, 1);
    1806           0 :                                                 sslsock->s.is_blocked = 1;
    1807             :                                         }
    1808           0 :                                         return -1;
    1809             :                                 }
    1810             :                         }
    1811             : 
    1812             :                         /* Now, do the IO operation. Don't block if we can't complete... */
    1813          89 :                         if (read) {
    1814          50 :                                 nr_bytes = SSL_read(sslsock->ssl_handle, buf, (int)count);
    1815             : 
    1816          50 :                                 if (sslsock->reneg && sslsock->reneg->should_close) {
    1817             :                                         /* renegotiation rate limiting triggered */
    1818           1 :                                         php_stream_xport_shutdown(stream, (stream_shutdown_t)SHUT_RDWR);
    1819           1 :                                         nr_bytes = 0;
    1820           1 :                                         stream->eof = 1;
    1821           1 :                                          break;
    1822             :                                 }
    1823             :                         } else {
    1824          39 :                                 nr_bytes = SSL_write(sslsock->ssl_handle, buf, (int)count);
    1825             :                         }
    1826             : 
    1827             :                         /* Now, how much time until we time out? */
    1828          88 :                         if (has_timeout) {
    1829          88 :                                 left_time = subtract_timeval( *timeout, elapsed_time );
    1830             :                         }
    1831             : 
    1832             :                         /* If we didn't do anything on the last loop (or an error) check to see if we should retry or exit. */
    1833          88 :                         if (nr_bytes <= 0) {
    1834             : 
    1835             :                                 /* Get the error code from SSL, and check to see if it's an error or not. */
    1836          23 :                                 int err = SSL_get_error(sslsock->ssl_handle, nr_bytes );
    1837          23 :                                 retry = handle_ssl_error(stream, nr_bytes, 0);
    1838             : 
    1839             :                                 /* If we get this (the above doesn't check) then we'll retry as well. */
    1840          23 :                                 if (errno == EAGAIN && err == SSL_ERROR_WANT_READ && read) {
    1841          17 :                                         retry = 1;
    1842             :                                 }
    1843          23 :                                 if (errno == EAGAIN && err == SSL_ERROR_WANT_WRITE && read == 0) {
    1844           0 :                                         retry = 1;
    1845             :                                 }
    1846             :                                 
    1847             :                                 /* Also, on reads, we may get this condition on an EOF. We should check properly. */
    1848          23 :                                 if (read) {
    1849          23 :                                         stream->eof = (retry == 0 && errno != EAGAIN && !SSL_pending(sslsock->ssl_handle));
    1850             :                                 }
    1851             : 
    1852             :                                 /* Now, if we have to wait some time, and we're supposed to be blocking, wait for the socket to become
    1853             :                                  * available. Now, php_pollfd_for uses select to wait up to our time_left value only...
    1854             :                                  */
    1855          23 :                                 if (retry && blocked) {
    1856          17 :                                         if (read) {
    1857          17 :                                                 php_pollfd_for(sslsock->s.socket, (err == SSL_ERROR_WANT_WRITE) ?
    1858             :                                                         (POLLOUT|POLLPRI) : (POLLIN|POLLPRI), has_timeout ? &left_time : NULL);
    1859             :                                         } else {
    1860           0 :                                                 php_pollfd_for(sslsock->s.socket, (err == SSL_ERROR_WANT_READ) ?
    1861             :                                                         (POLLIN|POLLPRI) : (POLLOUT|POLLPRI), has_timeout ? &left_time : NULL);
    1862             :                                         }
    1863             :                                 }
    1864             :                         } else {
    1865             :                                 /* Else, if we got bytes back, check for possible errors. */
    1866          65 :                                 int err = SSL_get_error(sslsock->ssl_handle, nr_bytes);
    1867             : 
    1868             :                                 /* If we didn't get any error, then let's return it to PHP. */
    1869          65 :                                 if (err == SSL_ERROR_NONE) {
    1870          65 :                                         break;
    1871             :                                 }
    1872             : 
    1873             :                                 /* Otherwise, we need to wait again (up to time_left or we get an error) */
    1874           0 :                                 if (blocked) {
    1875           0 :                                         if (read) {
    1876           0 :                                                 php_pollfd_for(sslsock->s.socket, (err == SSL_ERROR_WANT_WRITE) ?
    1877             :                                                         (POLLOUT|POLLPRI) : (POLLIN|POLLPRI), has_timeout ? &left_time : NULL);
    1878             :                                         } else {
    1879           0 :                                                 php_pollfd_for(sslsock->s.socket, (err == SSL_ERROR_WANT_READ) ?
    1880             :                                                         (POLLIN|POLLPRI) : (POLLOUT|POLLPRI), has_timeout ? &left_time : NULL);
    1881             :                                         }
    1882             :                                 }
    1883             :                         }
    1884             : 
    1885             :                         /* Finally, we keep going until we got data, and an SSL_ERROR_NONE, unless we had an error. */                  
    1886          23 :                 } while (retry);
    1887             : 
    1888             :                 /* Tell PHP if we read / wrote bytes. */
    1889          72 :                 if (nr_bytes > 0) {
    1890          65 :                         php_stream_notify_progress_increment(PHP_STREAM_CONTEXT(stream), nr_bytes, 0);
    1891             :                 }
    1892             : 
    1893             :                 /* And if we were originally supposed to be blocking, let's reset the socket to that. */
    1894          72 :                 if (blocked) {
    1895          72 :                         php_set_sock_blocking(sslsock->s.socket, 1);
    1896          72 :                         sslsock->s.is_blocked = 1;
    1897             :                 }
    1898             : 
    1899          72 :                 return 0 > nr_bytes ? 0 : nr_bytes;
    1900             :         } else {
    1901         921 :                 size_t nr_bytes = 0;
    1902             : 
    1903             :                 /*
    1904             :                          * This block is if we had no timeout... We will just sit and wait forever on the IO operation.
    1905             :                  */
    1906         921 :                 if (read) {
    1907         316 :                         nr_bytes = php_stream_socket_ops.read(stream, buf, count);
    1908             :                 } else {
    1909         605 :                         nr_bytes = php_stream_socket_ops.write(stream, buf, count);
    1910             :                 }
    1911             : 
    1912         921 :                 return nr_bytes;
    1913             :         }
    1914             : }
    1915             : /* }}} */
    1916             : 
    1917         481 : static struct timeval subtract_timeval( struct timeval a, struct timeval b )
    1918             : {
    1919             :         struct timeval difference;
    1920             : 
    1921         481 :         difference.tv_sec  = a.tv_sec  - b.tv_sec;
    1922         481 :         difference.tv_usec = a.tv_usec - b.tv_usec;
    1923             : 
    1924         481 :         if (a.tv_usec < b.tv_usec) {
    1925         208 :                 b.tv_sec  -= 1L;
    1926         208 :                 b.tv_usec += 1000000L;
    1927             :         }
    1928             : 
    1929         481 :         return difference;
    1930             : }
    1931             : 
    1932         302 : static int compare_timeval( struct timeval a, struct timeval b )
    1933             : {
    1934         302 :         if (a.tv_sec > b.tv_sec || (a.tv_sec == b.tv_sec && a.tv_usec > b.tv_usec) ) {
    1935          47 :                 return 1;
    1936         255 :         } else if( a.tv_sec == b.tv_sec && a.tv_usec == b.tv_usec ) {
    1937           0 :                 return 0;
    1938             :         } else {
    1939         255 :                 return -1;
    1940             :         }
    1941             : }
    1942             : 
    1943        1349 : static int php_openssl_sockop_close(php_stream *stream, int close_handle) /* {{{ */
    1944             : {
    1945        1349 :         php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
    1946             : #ifdef PHP_WIN32
    1947             :         int n;
    1948             : #endif
    1949             :         unsigned i;
    1950             : 
    1951        1349 :         if (close_handle) {
    1952        1349 :                 if (sslsock->ssl_active) {
    1953          24 :                         SSL_shutdown(sslsock->ssl_handle);
    1954          24 :                         sslsock->ssl_active = 0;
    1955             :                 }
    1956        1349 :                 if (sslsock->ssl_handle) {
    1957         122 :                         SSL_free(sslsock->ssl_handle);
    1958         122 :                         sslsock->ssl_handle = NULL;
    1959             :                 }
    1960        1349 :                 if (sslsock->ctx) {
    1961         123 :                         SSL_CTX_free(sslsock->ctx);
    1962         123 :                         sslsock->ctx = NULL;
    1963             :                 }
    1964             : #ifdef PHP_WIN32
    1965             :                 if (sslsock->s.socket == -1)
    1966             :                         sslsock->s.socket = SOCK_ERR;
    1967             : #endif
    1968        1349 :                 if (sslsock->s.socket != SOCK_ERR) {
    1969             : #ifdef PHP_WIN32
    1970             :                         /* prevent more data from coming in */
    1971             :                         shutdown(sslsock->s.socket, SHUT_RD);
    1972             : 
    1973             :                         /* try to make sure that the OS sends all data before we close the connection.
    1974             :                          * Essentially, we are waiting for the socket to become writeable, which means
    1975             :                          * that all pending data has been sent.
    1976             :                          * We use a small timeout which should encourage the OS to send the data,
    1977             :                          * but at the same time avoid hanging indefinitely.
    1978             :                          * */
    1979             :                         do {
    1980             :                                 n = php_pollfd_for_ms(sslsock->s.socket, POLLOUT, 500);
    1981             :                         } while (n == -1 && php_socket_errno() == EINTR);
    1982             : #endif
    1983         397 :                         closesocket(sslsock->s.socket);
    1984         397 :                         sslsock->s.socket = SOCK_ERR;
    1985             :                 }
    1986             :         }
    1987             : 
    1988        1349 :         if (sslsock->sni_certs) {
    1989          12 :                 for (i=0; i<sslsock->sni_cert_count; i++) {
    1990           9 :                         SSL_CTX_free(sslsock->sni_certs[i].ctx);
    1991           9 :                         pefree(sslsock->sni_certs[i].name, php_stream_is_persistent(stream));
    1992             :                 }
    1993           3 :                 pefree(sslsock->sni_certs, php_stream_is_persistent(stream));
    1994           3 :                 sslsock->sni_certs = NULL;
    1995             :         }
    1996             : 
    1997        1349 :         if (sslsock->url_name) {
    1998        1241 :                 pefree(sslsock->url_name, php_stream_is_persistent(stream));
    1999             :         }
    2000             : 
    2001        1349 :         if (sslsock->reneg) {
    2002          55 :                 pefree(sslsock->reneg, php_stream_is_persistent(stream));
    2003             :         }
    2004             : 
    2005        1349 :         pefree(sslsock, php_stream_is_persistent(stream));
    2006             : 
    2007        1349 :         return 0;
    2008             : }
    2009             : /* }}} */
    2010             : 
    2011        1349 : static int php_openssl_sockop_flush(php_stream *stream) /* {{{ */
    2012             : {
    2013        1349 :         return php_stream_socket_ops.flush(stream);
    2014             : }
    2015             : /* }}} */
    2016             : 
    2017           2 : static int php_openssl_sockop_stat(php_stream *stream, php_stream_statbuf *ssb) /* {{{ */
    2018             : {
    2019           2 :         return php_stream_socket_ops.stat(stream, ssb);
    2020             : }
    2021             : /* }}} */
    2022             : 
    2023          96 : static inline int php_openssl_tcp_sockop_accept(php_stream *stream, php_openssl_netstream_data_t *sock,
    2024             :                 php_stream_xport_param *xparam STREAMS_DC)
    2025             : {
    2026             :         int clisock;
    2027             : 
    2028          96 :         xparam->outputs.client = NULL;
    2029             : 
    2030         480 :         clisock = php_network_accept_incoming(sock->s.socket,
    2031          96 :                         xparam->want_textaddr ? &xparam->outputs.textaddr : NULL,
    2032          96 :                         xparam->want_addr ? &xparam->outputs.addr : NULL,
    2033          96 :                         xparam->want_addr ? &xparam->outputs.addrlen : NULL,
    2034             :                         xparam->inputs.timeout,
    2035          96 :                         xparam->want_errortext ? &xparam->outputs.error_text : NULL,
    2036             :                         &xparam->outputs.error_code
    2037             :                         );
    2038             : 
    2039          96 :         if (clisock >= 0) {
    2040             :                 php_openssl_netstream_data_t *clisockdata;
    2041             : 
    2042          95 :                 clisockdata = emalloc(sizeof(*clisockdata));
    2043             : 
    2044          95 :                 if (clisockdata == NULL) {
    2045           0 :                         closesocket(clisock);
    2046             :                         /* technically a fatal error */
    2047             :                 } else {
    2048             :                         /* copy underlying tcp fields */
    2049          95 :                         memset(clisockdata, 0, sizeof(*clisockdata));
    2050          95 :                         memcpy(clisockdata, sock, sizeof(clisockdata->s));
    2051             : 
    2052          95 :                         clisockdata->s.socket = clisock;
    2053             : 
    2054          95 :                         xparam->outputs.client = php_stream_alloc_rel(stream->ops, clisockdata, NULL, "r+");
    2055          95 :                         if (xparam->outputs.client) {
    2056          95 :                                 xparam->outputs.client->ctx = stream->ctx;
    2057          95 :                                 if (stream->ctx) {
    2058          95 :                                         GC_REFCOUNT(stream->ctx)++;
    2059             :                                 }
    2060             :                         }
    2061             :                 }
    2062             : 
    2063          95 :                 if (xparam->outputs.client && sock->enable_on_connect) {
    2064             :                         /* remove the client bit */
    2065          54 :                         if (sock->method & STREAM_CRYPTO_IS_CLIENT) {
    2066          24 :                                 sock->method = ((sock->method >> 1) << 1);
    2067             :                         }
    2068             : 
    2069          54 :                         clisockdata->method = sock->method;
    2070             : 
    2071         108 :                         if (php_stream_xport_crypto_setup(xparam->outputs.client, clisockdata->method,
    2072          54 :                                         NULL) < 0 || php_stream_xport_crypto_enable(
    2073          54 :                                         xparam->outputs.client, 1) < 0) {
    2074          49 :                                 php_error_docref(NULL, E_WARNING, "Failed to enable crypto");
    2075             : 
    2076          48 :                                 php_stream_close(xparam->outputs.client);
    2077          48 :                                 xparam->outputs.client = NULL;
    2078          48 :                                 xparam->outputs.returncode = -1;
    2079             :                         }
    2080             :                 }
    2081             :         }
    2082             : 
    2083          95 :         return xparam->outputs.client == NULL ? -1 : 0;
    2084             : }
    2085             : 
    2086        1833 : static int php_openssl_sockop_set_option(php_stream *stream, int option, int value, void *ptrparam)
    2087             : {
    2088        1833 :         php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
    2089        1833 :         php_stream_xport_crypto_param *cparam = (php_stream_xport_crypto_param *)ptrparam;
    2090        1833 :         php_stream_xport_param *xparam = (php_stream_xport_param *)ptrparam;
    2091             : 
    2092        1833 :         switch (option) {
    2093             :                 case PHP_STREAM_OPTION_CHECK_LIVENESS:
    2094             :                         {
    2095             :                                 struct timeval tv;
    2096             :                                 char buf;
    2097          63 :                                 int alive = 1;
    2098             : 
    2099          63 :                                 if (value == -1) {
    2100           0 :                                         if (sslsock->s.timeout.tv_sec == -1) {
    2101             : #ifdef _WIN32
    2102             :                                                 tv.tv_sec = (long)FG(default_socket_timeout);
    2103             : #else
    2104           0 :                                                 tv.tv_sec = (time_t)FG(default_socket_timeout);
    2105             : #endif
    2106           0 :                                                 tv.tv_usec = 0;
    2107             :                                         } else {
    2108           0 :                                                 tv = sslsock->connect_timeout;
    2109             :                                         }
    2110             :                                 } else {
    2111          63 :                                         tv.tv_sec = value;
    2112          63 :                                         tv.tv_usec = 0;
    2113             :                                 }
    2114             : 
    2115          63 :                                 if (sslsock->s.socket == -1) {
    2116           0 :                                         alive = 0;
    2117          63 :                                 } else if (php_pollfd_for(sslsock->s.socket, PHP_POLLREADABLE|POLLPRI, &tv) > 0) {
    2118           3 :                                         if (sslsock->ssl_active) {
    2119             :                                                 int n;
    2120             : 
    2121             :                                                 do {
    2122           0 :                                                         n = SSL_peek(sslsock->ssl_handle, &buf, sizeof(buf));
    2123           0 :                                                         if (n <= 0) {
    2124           0 :                                                                 int err = SSL_get_error(sslsock->ssl_handle, n);
    2125             : 
    2126           0 :                                                                 if (err == SSL_ERROR_SYSCALL) {
    2127           0 :                                                                         alive = php_socket_errno() == EAGAIN;
    2128           0 :                                                                         break;
    2129             :                                                                 }
    2130             : 
    2131           0 :                                                                 if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) {
    2132             :                                                                         /* re-negotiate */
    2133           0 :                                                                         continue;
    2134             :                                                                 }
    2135             : 
    2136             :                                                                 /* any other problem is a fatal error */
    2137           0 :                                                                 alive = 0;
    2138             :                                                         }
    2139             :                                                         /* either peek succeeded or there was an error; we
    2140             :                                                          * have set the alive flag appropriately */
    2141           0 :                                                         break;
    2142           0 :                                                 } while (1);
    2143           3 :                                         } else if (0 == recv(sslsock->s.socket, &buf, sizeof(buf), MSG_PEEK) && php_socket_errno() != EAGAIN) {
    2144           3 :                                                 alive = 0;
    2145             :                                         }
    2146             :                                 }
    2147          63 :                                 return alive ? PHP_STREAM_OPTION_RETURN_OK : PHP_STREAM_OPTION_RETURN_ERR;
    2148             :                         }
    2149             : 
    2150             :                 case PHP_STREAM_OPTION_CRYPTO_API:
    2151             : 
    2152         245 :                         switch(cparam->op) {
    2153             : 
    2154             :                                 case STREAM_XPORT_CRYPTO_OP_SETUP:
    2155         123 :                                         cparam->outputs.returncode = php_openssl_setup_crypto(stream, sslsock, cparam);
    2156         123 :                                         return PHP_STREAM_OPTION_RETURN_OK;
    2157             :                                         break;
    2158             :                                 case STREAM_XPORT_CRYPTO_OP_ENABLE:
    2159         122 :                                         cparam->outputs.returncode = php_openssl_enable_crypto(stream, sslsock, cparam);
    2160         122 :                                         return PHP_STREAM_OPTION_RETURN_OK;
    2161             :                                         break;
    2162             :                                 default:
    2163             :                                         /* fall through */
    2164             :                                         break;
    2165             :                         }
    2166             : 
    2167           0 :                         break;
    2168             : 
    2169             :                 case PHP_STREAM_OPTION_XPORT_API:
    2170        1432 :                         switch(xparam->op) {
    2171             : 
    2172             :                                 case STREAM_XPORT_OP_CONNECT:
    2173             :                                 case STREAM_XPORT_OP_CONNECT_ASYNC:
    2174             :                                         /* TODO: Async connects need to check the enable_on_connect option when
    2175             :                                          * we notice that the connect has actually been established */
    2176        1111 :                                         php_stream_socket_ops.set_option(stream, option, value, ptrparam);
    2177             : 
    2178        1177 :                                         if ((sslsock->enable_on_connect) &&
    2179          63 :                                                 ((xparam->outputs.returncode == 0) ||
    2180           1 :                                                 (xparam->op == STREAM_XPORT_OP_CONNECT_ASYNC &&
    2181           2 :                                                 xparam->outputs.returncode == 1 && xparam->outputs.error_code == EINPROGRESS)))
    2182             :                                         {
    2183         125 :                                                 if (php_stream_xport_crypto_setup(stream, sslsock->method, NULL) < 0 ||
    2184          62 :                                                                 php_stream_xport_crypto_enable(stream, 1) < 0) {
    2185          50 :                                                         php_error_docref(NULL, E_WARNING, "Failed to enable crypto");
    2186          50 :                                                         xparam->outputs.returncode = -1;
    2187             :                                                 }
    2188             :                                         }
    2189        1111 :                                         return PHP_STREAM_OPTION_RETURN_OK;
    2190             : 
    2191             :                                 case STREAM_XPORT_OP_ACCEPT:
    2192             :                                         /* we need to copy the additional fields that the underlying tcp transport
    2193             :                                          * doesn't know about */
    2194          96 :                                         xparam->outputs.returncode = php_openssl_tcp_sockop_accept(stream, sslsock, xparam STREAMS_CC);
    2195             : 
    2196             : 
    2197          95 :                                         return PHP_STREAM_OPTION_RETURN_OK;
    2198             : 
    2199             :                                 default:
    2200             :                                         /* fall through */
    2201             :                                         break;
    2202             :                         }
    2203             :         }
    2204             : 
    2205         318 :         return php_stream_socket_ops.set_option(stream, option, value, ptrparam);
    2206             : }
    2207             : 
    2208           6 : static int php_openssl_sockop_cast(php_stream *stream, int castas, void **ret)
    2209             : {
    2210           6 :         php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
    2211             : 
    2212           6 :         switch(castas)  {
    2213             :                 case PHP_STREAM_AS_STDIO:
    2214           0 :                         if (sslsock->ssl_active) {
    2215           0 :                                 return FAILURE;
    2216             :                         }
    2217           0 :                         if (ret)        {
    2218           0 :                                 *ret = fdopen(sslsock->s.socket, stream->mode);
    2219           0 :                                 if (*ret) {
    2220           0 :                                         return SUCCESS;
    2221             :                                 }
    2222           0 :                                 return FAILURE;
    2223             :                         }
    2224           0 :                         return SUCCESS;
    2225             : 
    2226             :                 case PHP_STREAM_AS_FD_FOR_SELECT:
    2227           6 :                         if (ret) {
    2228           6 :                                 *(php_socket_t *)ret = sslsock->s.socket;
    2229             :                         }
    2230           6 :                         return SUCCESS;
    2231             : 
    2232             :                 case PHP_STREAM_AS_FD:
    2233             :                 case PHP_STREAM_AS_SOCKETD:
    2234           0 :                         if (sslsock->ssl_active) {
    2235           0 :                                 return FAILURE;
    2236             :                         }
    2237           0 :                         if (ret) {
    2238           0 :                                 *(php_socket_t *)ret = sslsock->s.socket;
    2239             :                         }
    2240           0 :                         return SUCCESS;
    2241             :                 default:
    2242           0 :                         return FAILURE;
    2243             :         }
    2244             : }
    2245             : 
    2246             : php_stream_ops php_openssl_socket_ops = {
    2247             :         php_openssl_sockop_write, php_openssl_sockop_read,
    2248             :         php_openssl_sockop_close, php_openssl_sockop_flush,
    2249             :         "tcp_socket/ssl",
    2250             :         NULL, /* seek */
    2251             :         php_openssl_sockop_cast,
    2252             :         php_openssl_sockop_stat,
    2253             :         php_openssl_sockop_set_option,
    2254             : };
    2255             : 
    2256          75 : static zend_long get_crypto_method(php_stream_context *ctx, zend_long crypto_method)
    2257             : {
    2258             :         zval *val;
    2259             : 
    2260          75 :         if (ctx && (val = php_stream_context_get_option(ctx, "ssl", "crypto_method")) != NULL) {
    2261          21 :                 convert_to_long_ex(val);
    2262          21 :                 crypto_method = (zend_long)Z_LVAL_P(val);
    2263          21 :                 crypto_method |= STREAM_CRYPTO_IS_CLIENT;
    2264             :         }
    2265             : 
    2266          75 :         return crypto_method;
    2267             : }
    2268             : 
    2269        1223 : static char *get_url_name(const char *resourcename, size_t resourcenamelen, int is_persistent)
    2270             : {
    2271             :         php_url *url;
    2272             : 
    2273        1223 :         if (!resourcename) {
    2274           0 :                 return NULL;
    2275             :         }
    2276             : 
    2277        1223 :         url = php_url_parse_ex(resourcename, resourcenamelen);
    2278        1223 :         if (!url) {
    2279           0 :                 return NULL;
    2280             :         }
    2281             : 
    2282        1223 :         if (url->host) {
    2283        1210 :                 const char * host = url->host;
    2284        1210 :                 char * url_name = NULL;
    2285        1210 :                 size_t len = strlen(host);
    2286             : 
    2287             :                 /* skip trailing dots */
    2288        2421 :                 while (len && host[len-1] == '.') {
    2289           1 :                         --len;
    2290             :                 }
    2291             : 
    2292        1210 :                 if (len) {
    2293        1210 :                         url_name = pestrndup(host, len, is_persistent);
    2294             :                 }
    2295             : 
    2296        1210 :                 php_url_free(url);
    2297        1210 :                 return url_name;
    2298             :         }
    2299             : 
    2300          13 :         php_url_free(url);
    2301          13 :         return NULL;
    2302             : }
    2303             : 
    2304        1223 : php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen,
    2305             :                 const char *resourcename, size_t resourcenamelen,
    2306             :                 const char *persistent_id, int options, int flags,
    2307             :                 struct timeval *timeout,
    2308             :                 php_stream_context *context STREAMS_DC)
    2309             : {
    2310        1223 :         php_stream *stream = NULL;
    2311        1223 :         php_openssl_netstream_data_t *sslsock = NULL;
    2312             : 
    2313        2446 :         sslsock = pemalloc(sizeof(php_openssl_netstream_data_t), persistent_id ? 1 : 0);
    2314        1223 :         memset(sslsock, 0, sizeof(*sslsock));
    2315             : 
    2316        1223 :         sslsock->s.is_blocked = 1;
    2317             :         /* this timeout is used by standard stream funcs, therefor it should use the default value */
    2318             : #ifdef _WIN32
    2319             :         sslsock->s.timeout.tv_sec = (long)FG(default_socket_timeout);
    2320             : #else
    2321        1223 :         sslsock->s.timeout.tv_sec = (time_t)FG(default_socket_timeout);
    2322             : #endif
    2323        1223 :         sslsock->s.timeout.tv_usec = 0;
    2324             : 
    2325             :         /* use separate timeout for our private funcs */
    2326        1223 :         sslsock->connect_timeout.tv_sec = timeout->tv_sec;
    2327        1223 :         sslsock->connect_timeout.tv_usec = timeout->tv_usec;
    2328             : 
    2329             :         /* we don't know the socket until we have determined if we are binding or
    2330             :          * connecting */
    2331        1223 :         sslsock->s.socket = -1;
    2332             : 
    2333             :         /* Initialize context as NULL */
    2334        1223 :         sslsock->ctx = NULL;
    2335             : 
    2336        1223 :         stream = php_stream_alloc_rel(&php_openssl_socket_ops, sslsock, persistent_id, "r+");
    2337             : 
    2338        1223 :         if (stream == NULL)     {
    2339           0 :                 pefree(sslsock, persistent_id ? 1 : 0);
    2340           0 :                 return NULL;
    2341             :         }
    2342             : 
    2343        1223 :         if (strncmp(proto, "ssl", protolen) == 0) {
    2344          71 :                 sslsock->enable_on_connect = 1;
    2345          71 :                 sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_ANY_CLIENT);
    2346        1152 :         } else if (strncmp(proto, "sslv2", protolen) == 0) {
    2347             : #ifdef OPENSSL_NO_SSL2
    2348             :                 php_error_docref(NULL, E_WARNING, "SSLv2 support is not compiled into the OpenSSL library PHP is linked against");
    2349             :                 return NULL;
    2350             : #else
    2351           0 :                 sslsock->enable_on_connect = 1;
    2352           0 :                 sslsock->method = STREAM_CRYPTO_METHOD_SSLv2_CLIENT;
    2353             : #endif
    2354        1152 :         } else if (strncmp(proto, "sslv3", protolen) == 0) {
    2355             : #ifdef OPENSSL_NO_SSL3
    2356             :                 php_error_docref(NULL, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against");
    2357             :                 return NULL;
    2358             : #else
    2359           3 :                 sslsock->enable_on_connect = 1;
    2360           3 :                 sslsock->method = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
    2361             : #endif
    2362        1149 :         } else if (strncmp(proto, "tls", protolen) == 0) {
    2363           4 :                 sslsock->enable_on_connect = 1;
    2364           4 :                 sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_TLS_CLIENT);
    2365        1145 :         } else if (strncmp(proto, "tlsv1.0", protolen) == 0) {
    2366           2 :                 sslsock->enable_on_connect = 1;
    2367           2 :                 sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
    2368        1143 :         } else if (strncmp(proto, "tlsv1.1", protolen) == 0) {
    2369             : #if OPENSSL_VERSION_NUMBER >= 0x10001001L
    2370           3 :                 sslsock->enable_on_connect = 1;
    2371           3 :                 sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
    2372             : #else
    2373             :                 php_error_docref(NULL, E_WARNING, "TLSv1.1 support is not compiled into the OpenSSL library PHP is linked against");
    2374             :                 return NULL;
    2375             : #endif
    2376        1140 :         } else if (strncmp(proto, "tlsv1.2", protolen) == 0) {
    2377             : #if OPENSSL_VERSION_NUMBER >= 0x10001001L
    2378           4 :                 sslsock->enable_on_connect = 1;
    2379           4 :                 sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    2380             : #else
    2381             :                 php_error_docref(NULL, E_WARNING, "TLSv1.2 support is not compiled into the OpenSSL library PHP is linked against");
    2382             :                 return NULL;
    2383             : #endif
    2384             :         }
    2385             : 
    2386        1223 :         sslsock->url_name = get_url_name(resourcename, resourcenamelen, !!persistent_id);
    2387             : 
    2388        1223 :         return stream;
    2389             : }
    2390             : 
    2391             : 
    2392             : 
    2393             : /*
    2394             :  * Local variables:
    2395             :  * tab-width: 4
    2396             :  * c-basic-offset: 4
    2397             :  * End:
    2398             :  * vim600: noet sw=4 ts=4 fdm=marker
    2399             :  * vim<600: noet sw=4 ts=4
    2400             :  */

Generated by: LCOV version 1.10

Generated at Thu, 30 Apr 2015 23:10:07 +0000 (2 days ago)

Copyright © 2005-2015 The PHP Group
All rights reserved.