Fix session errors, session_id_context handling and tests

Author: bukka

ext/openssl/tests/ServerClientTestCase.inc

@@ -179,6 +179,9 @@ class ServerClientTestCase
                 if (empty($addr)) {
                     throw new \Exception("Failed server start");
                 }
+				if (strpos($addr, 'SERVER_EXCEPTION') !== false) {
+					echo $addr;
+				}
                 if ($code === false) {
                     $clientCode = preg_replace('/{{\s*ADDR\s*}}/', $addr, $clientCode);
                 } else {

ext/openssl/tests/session_resumption_client_basic.phpt

@@ -15,6 +15,7 @@ $serverCode = <<<'CODE'
     $ctx = stream_context_create(['ssl' => [
         'local_cert' => '%s',
         'session_cache' => true,
+        'session_id_context' => 'test-basic',
     ]]);
 
     $server = stream_socket_server('tls://127.0.0.1:0', $errno, $errstr, $flags, $ctx);

ext/openssl/tests/session_resumption_get_cb_num_tickets_zero.phpt

@@ -103,9 +103,10 @@ ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 <?php
 @unlink(__DIR__ . DIRECTORY_SEPARATOR . 'session_no_tickets_zero.pem.tmp');
 ?>
---EXPECTF--
+--EXPECT--
+Client first connection resumed: no
 Response 1
 Client received tickets on first connection: 0
+Client second connection resumed: no
 Response 2
-Client second connection resumed: yes
 Server: NEW_CB_CALLS:0

ext/openssl/tests/session_resumption_new_cb_no_context.phpt

@@ -28,12 +28,16 @@ $serverCode = <<<'CODE'
     $server = @stream_socket_server('tls://127.0.0.1:0', $errno, $errstr, $flags, $ctx);
     phpt_notify_server_start($server);
 
-    $client = @stream_socket_accept($server, 30);
-    if ($client === false) {
-        phpt_notify(message: "SERVER_FAILED_AS_EXPECTED");
-    } else {
-        phpt_notify(message: "SERVER_CREATED_UNEXPECTEDLY");
-        fclose($server);
+    try {
+        $client = @stream_socket_accept($server, 30);
+        if ($client === false) {
+            phpt_notify(message: "SERVER_FAILED_UNEXPECTEDLY");
+        } else {
+            phpt_notify(message: "SERVER_CREATED_UNEXPECTEDLY");
+            fclose($server);
+        }
+    } catch (\Throwable $e) {
+        phpt_notify(message: "SERVER_EXCEPTION: " . $e->getMessage());
     }
 CODE;
 $serverCode = sprintf($serverCode, $certFile, $caCertFile);
@@ -73,4 +77,4 @@ ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
 --EXPECT--
 Connection failed as expected
-SERVER_FAILED_AS_EXPECTED
+SERVER_EXCEPTION: session_id_context must be set if session_new_cb is set

ext/openssl/tests/session_resumption_require_new_cb.phpt

@@ -21,16 +21,19 @@ $serverCode = <<<'CODE'
         }
     ]]);
 
-    $server = @stream_socket_server('tls://127.0.0.1:0', $errno, $errstr, $flags, $ctx);
-    phpt_notify_server_start($server);
+    try {
+        $server = @stream_socket_server('tls://127.0.0.1:0', $errno, $errstr, $flags, $ctx);
+        phpt_notify_server_start($server);
 
-    $client = @stream_socket_accept($server, 30);
-
-    if ($client === false) {
-        phpt_notify(message: "SERVER_FAILED_AS_EXPECTED");
-    } else {
-        phpt_notify(message: "SERVER_CREATED_UNEXPECTEDLY");
-        fclose($server);
+        $client = @stream_socket_accept($server, 30);
+        if ($client === false) {
+            phpt_notify(message: "SERVER_FAILED_UNEXPECTEDLY");
+        } else {
+            phpt_notify(message: "SERVER_CREATED_UNEXPECTEDLY");
+            fclose($server);
+        }
+    } catch (\Throwable $e) {
+        phpt_notify(message: "SERVER_EXCEPTION: " . $e->getMessage());
     }
 CODE;
 $serverCode = sprintf($serverCode, $certFile);
@@ -67,5 +70,4 @@ ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 @unlink(__DIR__ . DIRECTORY_SEPARATOR . 'session_require_new_cb.pem.tmp');
 ?>
 --EXPECT--
-Connection failed as expected
-SERVER_FAILED_AS_EXPECTED
+SERVER_EXCEPTION: session_new_cb is required when session_get_cb is providedConnection failed as expected

ext/openssl/tests/session_resumption_server_external_with_context_id.phpt

@@ -18,7 +18,7 @@ $serverCode = <<<'CODE'
     $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
     $ctx = stream_context_create(['ssl' => [
         'local_cert' => '%s',
-        'session_id_context' => 'test-server',  // Proper configuration
+        'session_id_context' => 'test-server',
         'session_new_cb' => function($stream, $sessionId, $sessionData) use (&$sessionStore, &$newCbCalled) {
             $key = bin2hex($sessionId);
             $sessionStore[$key] = $sessionData;

ext/openssl/tests/session_resumption_server_internal.phpt

@@ -14,6 +14,7 @@ $serverCode = <<<'CODE'
     $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
     $ctx = stream_context_create(['ssl' => [
         'local_cert' => '%s',
+        'session_id_context' => 'test-server',
         'session_cache' => true,
         'session_cache_size' => 1024,
         'session_timeout' => 300,

ext/openssl/xp_ssl.c

@@ -1816,15 +1816,14 @@ static zend_result php_openssl_setup_server_session(php_stream *stream,
 
 		if (!has_session_id_context &&
 				(SSL_CTX_get_verify_mode(sslsock->ctx) & SSL_VERIFY_PEER) != 0) {
-			php_error_docref(NULL, E_WARNING,
-				"session_new_cb is ignored as no session_id_context is set and verify_peer is enabled");
+			zend_value_error("session_id_context must be set if session_new_cb is set");
+			return FAILURE;
 		}
 	}
 
 	/* Validate: if session_get_cb is provided, session_new_cb is required */
 	if (has_get_cb && !has_new_cb) {
-		php_error_docref(NULL, E_WARNING,
-			"session_new_cb is required when session_get_cb is provided");
+		zend_value_error("session_new_cb is required when session_get_cb is provided");
 		return FAILURE;
 	}
 
@@ -1856,34 +1855,24 @@ static zend_result php_openssl_setup_server_session(php_stream *stream,
 		// Disable tickets (they won't work anyway) and warn if explicity enabled
 		SSL_CTX_set_options(sslsock->ctx, SSL_OP_NO_TICKET);
 		if (GET_VER_OPT("no_ticket") && !zend_is_true(val)) {
-			php_error_docref(NULL, E_WARNING,
-					"Session tickets cannot be enabled when session_get_cb is set");
+			zend_value_error("Session tickets cannot be enabled when session_get_cb is set");
 		}
 	} else if (php_openssl_is_session_cache_enabled(stream, true)) {
+		if (!has_session_id_context &&
+				(SSL_CTX_get_verify_mode(sslsock->ctx) & SSL_VERIFY_PEER) != 0) {
+			zend_value_error("session_id_context must be set for internal session cache");
+		}
+
 		 /* Internal cache mode */
 		SSL_CTX_set_session_cache_mode(sslsock->ctx, SSL_SESS_CACHE_SERVER);
 
-		/* Set ID context */
-		char *session_id_context = NULL;
-		GET_VER_OPT_STRING("session_id_context", session_id_context);
-
-		if (session_id_context == NULL) {
-			/* Default context - could also use script path or similar */
-			static const unsigned char default_ctx[] = "PHP";
-			SSL_CTX_set_session_id_context(sslsock->ctx, default_ctx, sizeof(default_ctx) - 1);
-		} else {
-			SSL_CTX_set_session_id_context(sslsock->ctx,
-				(unsigned char *)session_id_context,
-				strlen(session_id_context));
-		}
-
 		/* Handle session_cache_size */
 		if (GET_VER_OPT("session_cache_size")) {
 			zend_long cache_size = zval_get_long(val);
 			if (cache_size > 0) {
 				SSL_CTX_sess_set_cache_size(sslsock->ctx, cache_size);
 			} else {
-				php_error_docref(NULL, E_WARNING, "session_cache_size must be positive");
+				zend_value_error("session_cache_size must be positive");
 			}
 		} else {
 			/* Default cache size from RFC */
@@ -1896,7 +1885,7 @@ static zend_result php_openssl_setup_server_session(php_stream *stream,
 			if (timeout > 0) {
 				SSL_CTX_set_timeout(sslsock->ctx, timeout);
 			} else {
-				php_error_docref(NULL, E_WARNING, "session_timeout must be positive");
+				zend_value_error("session_timeout must be positive");
 			}
 		} else {
 			/* Default timeout from RFC */
@@ -2118,8 +2107,6 @@ static zend_result php_openssl_setup_crypto(php_stream *stream,
 		}
 	}
 
-	sslsock->session_callbacks = NULL;
-
 	ERR_clear_error();
 
 	/* We need to do slightly different things based on client/server method