diff --git a/ext/openssl/tests/gh9310.phpt b/ext/openssl/tests/gh9310.phpt index 874ed4c781d3..f9eed03573d9 100644 --- a/ext/openssl/tests/gh9310.phpt +++ b/ext/openssl/tests/gh9310.phpt @@ -176,31 +176,31 @@ $baseDir = __DIR__ . '/gh9310'; @rmdir($baseDir); ?> --EXPECTF-- -PHP Warning: stream_socket_accept(): Path for local_cert in ssl stream context option must not contain any null bytes in %s -PHP Warning: stream_socket_accept(): Unable to get real path of certificate file `%scert.crt' in %s -PHP Warning: stream_socket_accept(): Failed to enable crypto in %s +PHP Warning: stream_socket_accept(): Path for local_cert in ssl stream context option must not contain any null bytes in %s : eval()'d code on line %d PHP Warning: stream_socket_accept(): Accept failed: %s -PHP Warning: stream_socket_accept(): Path for local_pk in ssl stream context option must not contain any null bytes in %s -PHP Warning: stream_socket_accept(): Unable to get real path of private key file `%sprivate.key' in %s -PHP Warning: stream_socket_accept(): Failed to enable crypto in %s +PHP Warning: stream_socket_accept(): Unable to get real path of certificate file `%scert.crt' in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): Failed to enable crypto in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): Path for local_pk in ssl stream context option must not contain any null bytes in %s : eval()'d code on line %d PHP Warning: stream_socket_accept(): Accept failed: %s -PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310.crt) is not within the allowed path(s): (%sgh9310) in %s -PHP Warning: stream_socket_accept(): Unable to get real path of certificate file `%sgh9310.crt' in %s -PHP Warning: stream_socket_accept(): Failed to enable crypto in %s +PHP Warning: stream_socket_accept(): Unable to get real path of private key file `%sprivate.key' in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): Failed to enable crypto in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310.crt) is not within the allowed path(s): (%sgh9310) in %s : eval()'d code on line %d PHP Warning: stream_socket_accept(): Accept failed: %s -PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310.key) is not within the allowed path(s): (%sgh9310) in %s -PHP Warning: stream_socket_accept(): Unable to get real path of private key file `%sgh9310.key' in %s -PHP Warning: stream_socket_accept(): Failed to enable crypto in %s +PHP Warning: stream_socket_accept(): Unable to get real path of certificate file `%sgh9310.crt' in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): Failed to enable crypto in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310.key) is not within the allowed path(s): (%sgh9310) in %s : eval()'d code on line %d PHP Warning: stream_socket_accept(): Accept failed: %s -PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_cs.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s -PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%sgh9310_sni_cs.pem.tmp'; file not found in %s -PHP Warning: stream_socket_accept(): Failed to enable crypto in %s +PHP Warning: stream_socket_accept(): Unable to get real path of private key file `%sgh9310.key' in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): Failed to enable crypto in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_cs.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s : eval()'d code on line %d PHP Warning: stream_socket_accept(): Accept failed: %s -PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_uk_key.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s -PHP Warning: stream_socket_accept(): Failed setting local private key file `%sgh9310_sni_uk_key.pem.tmp'; could not open file in %s -PHP Warning: stream_socket_accept(): Failed to enable crypto in %s +PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%sgh9310_sni_cs.pem.tmp'; file not found in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): Failed to enable crypto in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_uk_key.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s : eval()'d code on line %d PHP Warning: stream_socket_accept(): Accept failed: %s -PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_us_cert.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s -PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%sgh9310_sni_us_cert.pem.tmp'; could not open file in %s -PHP Warning: stream_socket_accept(): Failed to enable crypto in %s +PHP Warning: stream_socket_accept(): Failed setting local private key file `%sgh9310_sni_uk_key.pem.tmp'; could not open file in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): Failed to enable crypto in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310_sni_us_cert.pem.tmp) is not within the allowed path(s): (%sgh9310) in %s : eval()'d code on line %d PHP Warning: stream_socket_accept(): Accept failed: %s +PHP Warning: stream_socket_accept(): Failed setting local cert chain file `%sgh9310_sni_us_cert.pem.tmp'; could not open file in %s : eval()'d code on line %d +PHP Warning: stream_socket_accept(): Failed to enable crypto in %s : eval()'d code on line %d diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index a154aa4572f7..da28c534a0b4 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -281,16 +281,14 @@ static int php_openssl_handle_ssl_error(php_stream *stream, int nr_bytes, bool i if (ERR_peek_error() == 0) { if (nr_bytes == 0) { if (!php_openssl_is_http_stream_talking_to_iis(stream) && ERR_get_error() != 0) { - php_error_docref(NULL, E_WARNING, "SSL: fatal protocol error"); + php_stream_warn(stream, ProtocolError, "SSL: fatal protocol error"); } SSL_set_shutdown(sslsock->ssl_handle, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); stream->eof = 1; retry = false; } else { char *estr = php_socket_strerror(php_socket_errno(), NULL, 0); - - php_error_docref(NULL, E_WARNING, - "SSL: %s", estr); + php_stream_warn(stream, ProtocolError, "SSL: %s", estr); efree(estr); retry = false; @@ -305,7 +303,7 @@ static int php_openssl_handle_ssl_error(php_stream *stream, int nr_bytes, bool i switch (ERR_GET_REASON(ecode)) { case SSL_R_NO_SHARED_CIPHER: - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, ProtocolError, "SSL_R_NO_SHARED_CIPHER: no suitable shared cipher could be used. " "This could be because the server is missing an SSL certificate " "(local_cert context option)"); @@ -324,7 +322,7 @@ static int php_openssl_handle_ssl_error(php_stream *stream, int nr_bytes, bool i smart_str_0(&ebuf); - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, ProtocolError, "SSL operation failed with code %d. %s%s", err, ebuf.s ? "OpenSSL Error messages:\n" : "", @@ -393,7 +391,7 @@ static int php_openssl_x509_fingerprint_cmp(X509 *peer, const char *method, cons return result; } -static bool php_openssl_x509_fingerprint_match(X509 *peer, zval *val) +static bool php_openssl_x509_fingerprint_match(php_stream *stream, X509 *peer, const zval *val) { if (Z_TYPE_P(val) == IS_STRING) { const char *method = NULL; @@ -414,13 +412,15 @@ static bool php_openssl_x509_fingerprint_match(X509 *peer, zval *val) zend_string *key; if (!zend_hash_num_elements(Z_ARRVAL_P(val))) { - php_error_docref(NULL, E_WARNING, "Invalid peer_fingerprint array; [algo => fingerprint] form required"); + // TODO: Should this be a ValueError (also must not be empty error)? + php_stream_warn(stream, Generic, "Invalid peer_fingerprint array; [algo => fingerprint] form required"); return false; } ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(val), key, current) { if (key == NULL || Z_TYPE_P(current) != IS_STRING) { - php_error_docref(NULL, E_WARNING, "Invalid peer_fingerprint array; [algo => fingerprint] form required"); + // TODO: Should this be a ValueError? + php_stream_warn(stream, Generic, "Invalid peer_fingerprint array; [algo => fingerprint] form required"); return false; } if (php_openssl_x509_fingerprint_cmp(peer, ZSTR_VAL(key), Z_STRVAL_P(current)) != 0) { @@ -430,7 +430,8 @@ static bool php_openssl_x509_fingerprint_match(X509 *peer, zval *val) return true; } else { - php_error_docref(NULL, E_WARNING, + // TODO: Should this be a TypeError? + php_stream_warn(stream, Generic, "Invalid peer_fingerprint value; fingerprint string or array of the form [algo => fingerprint] required"); } @@ -555,7 +556,7 @@ static bool php_openssl_matches_san_list(X509 *peer, const char *subject_name) / } /* }}} */ -static bool php_openssl_matches_common_name(X509 *peer, const char *subject_name) /* {{{ */ +static bool php_openssl_matches_common_name(php_stream *stream, const X509 *peer, const char *subject_name) /* {{{ */ { char buf[1024]; X509_NAME *cert_name; @@ -566,13 +567,13 @@ static bool php_openssl_matches_common_name(X509 *peer, const char *subject_name cert_name_len = X509_NAME_get_text_by_NID(cert_name, NID_commonName, buf, sizeof(buf)); if (cert_name_len == -1) { - php_error_docref(NULL, E_WARNING, "Unable to locate peer certificate CN"); + php_stream_warn(stream, NetworkRecvFailed, "Unable to locate peer certificate CN"); } else if ((size_t)cert_name_len != strlen(buf)) { - php_error_docref(NULL, E_WARNING, "Peer certificate CN=`%.*s' is malformed", cert_name_len, buf); + php_stream_warn(stream, AuthFailed, "Peer certificate CN=`%.*s' is malformed", cert_name_len, buf); } else if (php_openssl_matches_wildcard_name(subject_name, buf)) { is_match = true; } else { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, AuthFailed, "Peer certificate CN=`%.*s' did not match expected CN=`%s'", cert_name_len, buf, subject_name); } @@ -605,7 +606,7 @@ static zend_result php_openssl_apply_peer_verification_policy(SSL *ssl, X509 *pe peer_fingerprint = val; if ((must_verify_peer || must_verify_peer_name || must_verify_fingerprint) && peer == NULL) { - php_error_docref(NULL, E_WARNING, "Could not get peer certificate"); + php_stream_warn(stream, NetworkRecvFailed, "Could not get peer certificate"); return FAILURE; } @@ -624,8 +625,7 @@ static zend_result php_openssl_apply_peer_verification_policy(SSL *ssl, X509 *pe /* not allowed, so fall through */ ZEND_FALLTHROUGH; default: - php_error_docref(NULL, E_WARNING, - "Could not verify peer: code:%d %s", + php_stream_warn(stream, AuthFailed, "Could not verify peer: code:%d %s", err, X509_verify_cert_error_string(err) ); @@ -636,14 +636,14 @@ static zend_result php_openssl_apply_peer_verification_policy(SSL *ssl, X509 *pe /* If a peer_fingerprint match is required this trumps peer and peer_name verification */ if (must_verify_fingerprint) { if (Z_TYPE_P(peer_fingerprint) == IS_STRING || Z_TYPE_P(peer_fingerprint) == IS_ARRAY) { - if (!php_openssl_x509_fingerprint_match(peer, peer_fingerprint)) { - php_error_docref(NULL, E_WARNING, + if (!php_openssl_x509_fingerprint_match(stream, peer, peer_fingerprint)) { + php_stream_warn(stream, AuthFailed, "peer_fingerprint match failure" ); return FAILURE; } } else { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, AuthFailed, "Expected peer fingerprint must be a string or an array" ); return FAILURE; @@ -662,7 +662,7 @@ static zend_result php_openssl_apply_peer_verification_policy(SSL *ssl, X509 *pe if (peer_name) { if (php_openssl_matches_san_list(peer, peer_name)) { return SUCCESS; - } else if (php_openssl_matches_common_name(peer, peer_name)) { + } else if (php_openssl_matches_common_name(stream, peer, peer_name)) { return SUCCESS; } else { return FAILURE; @@ -725,7 +725,8 @@ static int php_openssl_win_cert_verify_callback(X509_STORE_CTX *x509_store_ctx, err_code = e; } - php_error_docref(NULL, E_WARNING, "Error encoding X509 certificate: %lu: %s", err_code, ERR_error_string(err_code, err_buf)); + php_stream_warn(stream, EncodingFailed, + "Error encoding X509 certificate: %lu: %s", err_code, ERR_error_string(err_code, err_buf)); RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED); } @@ -734,7 +735,7 @@ static int php_openssl_win_cert_verify_callback(X509_STORE_CTX *x509_store_ctx, if (cert_ctx == NULL) { char *err = php_win_err(); - php_error_docref(NULL, E_WARNING, "Error creating certificate context: %s", err); + php_stream_warn(stream, CreateFailed, "Error creating certificate context: %s", err); php_win_err_free(err); RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED); } @@ -758,7 +759,7 @@ static int php_openssl_win_cert_verify_callback(X509_STORE_CTX *x509_store_ctx, if (!CertGetCertificateChain(NULL, cert_ctx, NULL, NULL, &chain_params, chain_flags, NULL, &cert_chain_ctx)) { char *err = php_win_err(); - php_error_docref(NULL, E_WARNING, "Error getting certificate chain: %s", err); + php_stream_warn(stream, NetworkRecvFailed, "Error getting certificate chain: %s", err); php_win_err_free(err); CertFreeCertificateContext(cert_ctx); RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED); @@ -801,7 +802,7 @@ static int php_openssl_win_cert_verify_callback(X509_STORE_CTX *x509_store_ctx, if (!verify_result) { char *err = php_win_err(); - php_error_docref(NULL, E_WARNING, "Error verifying certificate chain policy: %s", err); + php_stream_warn(stream, AuthFailed, "Error verifying certificate chain policy: %s", err); php_win_err_free(err); RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED); } @@ -836,11 +837,12 @@ static long php_openssl_load_stream_cafile(X509_STORE *cert_store, const char *c stream = php_stream_open_wrapper(cafile, "rb", 0, NULL); if (stream == NULL) { + // TODO no stream, can use php_stream_warn(stream, ReadFailed, ...) ? php_error(E_WARNING, "failed loading cafile stream: `%s'", cafile); return 0; } else if (stream->wrapper->is_url) { + php_stream_warn(stream, PermissionDenied, "remote cafile streams are disabled for security purposes"); php_stream_close(stream); - php_error(E_WARNING, "remote cafile streams are disabled for security purposes"); return 0; } @@ -898,7 +900,7 @@ static long php_openssl_load_stream_cafile(X509_STORE *cert_store, const char *c } if (certs_added == 0) { - php_error(E_WARNING, "no valid certs found cafile stream: `%s'", cafile); + php_stream_warn(stream, DecodingFailed, "no valid certs found cafile stream: `%s'", cafile); } return certs_added; @@ -924,7 +926,7 @@ static zend_result php_openssl_enable_peer_verification(SSL_CTX *ctx, php_stream if (cert_names != NULL) { SSL_CTX_set_client_CA_list(ctx, cert_names); } else { - php_error(E_WARNING, "SSL: failed loading CA names from cafile"); + php_stream_warn(stream, InvalidFormat, "SSL: failed loading CA names from cafile"); return FAILURE; } } @@ -946,7 +948,7 @@ static zend_result php_openssl_enable_peer_verification(SSL_CTX *ctx, php_stream SSL_CTX_set_cert_verify_callback(ctx, php_openssl_win_cert_verify_callback, (void *)stream); #else if (sslsock->is_client && !SSL_CTX_set_default_verify_paths(ctx)) { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, ProtocolError, "Unable to set default verify locations and no CA settings specified"); return FAILURE; } @@ -981,12 +983,12 @@ static zend_result php_openssl_set_local_cert(SSL_CTX *ctx, php_stream *stream) if (!php_openssl_check_path_ex( certfile, certfile_len, resolved_path_buff, 0, false, false, "local_cert in ssl stream context")) { - php_error_docref(NULL, E_WARNING, "Unable to get real path of certificate file `%s'", certfile); + php_stream_warn(stream, NotFound, "Unable to get real path of certificate file `%s'", certfile); return FAILURE; } /* a certificate to use for authentication */ if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff) != 1) { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, WriteFailed, "Unable to set local cert chain file `%s'; Check that your cafile/capath " "settings include details of your certificate and its issuer", certfile); @@ -997,15 +999,15 @@ static zend_result php_openssl_set_local_cert(SSL_CTX *ctx, php_stream *stream) if (private_key && !php_openssl_check_path_ex( private_key, private_key_len, resolved_path_buff, 0, false, false, "local_pk in ssl stream context")) { - php_error_docref(NULL, E_WARNING, "Unable to get real path of private key file `%s'", private_key); + php_stream_warn(stream, NotFound, "Unable to get real path of private key file `%s'", private_key); return FAILURE; } if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) { - php_error_docref(NULL, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff); + php_stream_warn(stream, WriteFailed, "Unable to set private key file `%s'", resolved_path_buff); return FAILURE; } if (!SSL_CTX_check_private_key(ctx)) { - php_error_docref(NULL, E_WARNING, "Private key does not match certificate!"); + php_stream_warn(stream, PermissionDenied, "Private key does not match certificate!"); } } @@ -1140,7 +1142,7 @@ static void php_openssl_limit_handshake_reneg(const SSL *ssl) /* {{{ */ /* Closing the stream inside this callback would segfault! */ stream->flags |= PHP_STREAM_FLAG_NO_FCLOSE; if (FAILURE == call_user_function(NULL, NULL, val, &retval, 1, ¶m)) { - php_error(E_WARNING, "SSL: failed invoking reneg limit notification callback"); + php_stream_warn(stream, UserspaceCallFailed, "SSL: failed invoking reneg limit notification callback"); } stream->flags ^= PHP_STREAM_FLAG_NO_FCLOSE; @@ -1151,7 +1153,7 @@ static void php_openssl_limit_handshake_reneg(const SSL *ssl) /* {{{ */ zval_ptr_dtor(&retval); } else { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, ProtocolError, "SSL: client-initiated handshake rate limit exceeded by peer"); } } @@ -1224,7 +1226,7 @@ static zend_result php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX BIO *bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY)); if (bio == NULL) { - php_error_docref(NULL, E_WARNING, "Invalid dh_param"); + php_stream_warn(stream, NotFound, "Invalid dh_param"); return FAILURE; } @@ -1233,12 +1235,12 @@ static zend_result php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX BIO_free(bio); if (pkey == NULL) { - php_error_docref(NULL, E_WARNING, "Failed reading DH params"); + php_stream_warn(stream, ReadFailed, "Failed reading DH params"); return FAILURE; } if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) == 0) { - php_error_docref(NULL, E_WARNING, "Failed assigning DH params"); + php_stream_warn(stream, WriteFailed, "Failed assigning DH params"); EVP_PKEY_free(pkey); return FAILURE; } @@ -1247,12 +1249,12 @@ static zend_result php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX BIO_free(bio); if (dh == NULL) { - php_error_docref(NULL, E_WARNING, "Failed reading DH params"); + php_stream_warn(stream, ReadFailed, "Failed reading DH params"); return FAILURE; } if (SSL_CTX_set_tmp_dh(ctx, dh) == 0) { - php_error_docref(NULL, E_WARNING, "Failed assigning DH params"); + php_stream_warn(stream, WriteFailed, "Failed assigning DH params"); DH_free(dh); return FAILURE; } @@ -1271,7 +1273,8 @@ static zend_result php_openssl_set_server_specific_opts(php_stream *stream, SSL_ /* We now use php_openssl_tmp_rsa_cb to generate a key of appropriate size whenever necessary */ if (php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "rsa_key_size") != NULL) { - php_error_docref(NULL, E_WARNING, "rsa_key_size context option has been removed"); + // TODO Should this be E_DEPRECATED instead? + php_stream_warn(stream, Generic, "rsa_key_size context option has been removed"); } if (php_openssl_set_server_dh_param(stream, ctx) == FAILURE) { @@ -1326,18 +1329,18 @@ static int php_openssl_server_sni_callback(SSL *ssl_handle, int *al, void *arg) } /* }}} */ -static SSL_CTX *php_openssl_create_sni_server_ctx(char *cert_path, char *key_path) /* {{{ */ +static SSL_CTX *php_openssl_create_sni_server_ctx(php_stream *stream, char *cert_path, char *key_path) /* {{{ */ { /* The hello method is not inherited by SSL structs when assigning a new context * inside the SNI callback, so the just use SSLv23 */ SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method()); if (!ctx) { - php_error_docref(NULL, E_WARNING, "Failed to create the SSL context"); + php_stream_warn(stream, CreateFailed, "Failed to create the SSL context"); return NULL; } if (SSL_CTX_use_certificate_chain_file(ctx, cert_path) != 1) { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, ReadFailed, "Failed setting local cert chain file `%s'; " \ "check that your cafile/capath settings include " \ "details of your certificate and its issuer", @@ -1346,7 +1349,7 @@ static SSL_CTX *php_openssl_create_sni_server_ctx(char *cert_path, char *key_pat SSL_CTX_free(ctx); return NULL; } else if (SSL_CTX_use_PrivateKey_file(ctx, key_path, SSL_FILETYPE_PEM) != 1) { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, ReadFailed, "Failed setting private key from file `%s'", key_path ); @@ -1380,7 +1383,8 @@ static zend_result php_openssl_enable_server_sni( } if (Z_TYPE_P(val) != IS_ARRAY) { - php_error_docref(NULL, E_WARNING, + // TODO: should this be a TypeError? + php_stream_warn(stream, Generic, "SNI_server_certs requires an array mapping host names to cert paths" ); return FAILURE; @@ -1388,7 +1392,8 @@ static zend_result php_openssl_enable_server_sni( sslsock->sni_cert_count = zend_hash_num_elements(Z_ARRVAL_P(val)); if (sslsock->sni_cert_count == 0) { - php_error_docref(NULL, E_WARNING, + // TODO: should this be a ValueError? + php_stream_warn(stream, Generic, "SNI_server_certs host cert array must not be empty" ); return FAILURE; @@ -1403,7 +1408,8 @@ static zend_result php_openssl_enable_server_sni( (void) key_index; if (!key) { - php_error_docref(NULL, E_WARNING, + // TODO: should this be a ValueError? + php_stream_warn(stream, Generic, "SNI_server_certs array requires string host name keys" ); return FAILURE; @@ -1418,7 +1424,8 @@ static zend_result php_openssl_enable_server_sni( local_cert = zend_hash_str_find(Z_ARRVAL_P(current), "local_cert", sizeof("local_cert")-1); if (local_cert == NULL) { - php_error_docref(NULL, E_WARNING, + // TODO: should this be a ValueError? + php_stream_warn(stream, Generic, "local_cert not present in the array" ); return FAILURE; @@ -1431,7 +1438,7 @@ static zend_result php_openssl_enable_server_sni( if (!php_openssl_check_path_str_ex( local_cert_str, resolved_cert_path_buff, 0, false, false, "SNI_server_certs local_cert in ssl stream context")) { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, OpenFailed, "Failed setting local cert chain file `%s'; could not open file", ZSTR_VAL(local_cert_str) ); @@ -1442,7 +1449,8 @@ static zend_result php_openssl_enable_server_sni( local_pk = zend_hash_str_find(Z_ARRVAL_P(current), "local_pk", sizeof("local_pk")-1); if (local_pk == NULL) { - php_error_docref(NULL, E_WARNING, + // TODO: should this be a ValueError? + php_stream_warn(stream, Generic, "local_pk not present in the array" ); return FAILURE; @@ -1455,7 +1463,7 @@ static zend_result php_openssl_enable_server_sni( if (!php_openssl_check_path_str_ex( local_pk_str, resolved_pk_path_buff, 0, false, false, "SNI_server_certs local_pk in ssl stream context")) { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, OpenFailed, "Failed setting local private key file `%s'; could not open file", ZSTR_VAL(local_pk_str) ); @@ -1464,18 +1472,19 @@ static zend_result php_openssl_enable_server_sni( } zend_string_release(local_pk_str); - ctx = php_openssl_create_sni_server_ctx(resolved_cert_path_buff, resolved_pk_path_buff); + ctx = php_openssl_create_sni_server_ctx(stream, resolved_cert_path_buff, resolved_pk_path_buff); } else if (Z_TYPE_P(current) == IS_STRING) { if (php_openssl_check_path_str_ex(Z_STR_P(current), resolved_path_buff, 0, false, false, "SNI_server_certs in ssl stream context")) { - ctx = php_openssl_create_sni_server_ctx(resolved_path_buff, resolved_path_buff); + ctx = php_openssl_create_sni_server_ctx(stream, resolved_path_buff, resolved_path_buff); } else { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, NotFound, "Failed setting local cert chain file `%s'; file not found", Z_STRVAL_P(current) ); } } else { - php_error_docref(NULL, E_WARNING, "SNI_server_certs options values must be of type array|string"); + // TODO: should this be a TypeError? + php_stream_warn(stream, Generic, "SNI_server_certs options values must be of type array|string"); } if (ctx == NULL) { @@ -1902,12 +1911,13 @@ static int php_openssl_psk_find_session_cb(SSL *ssl, const unsigned char *identi /* PSK setup */ static zend_result php_openssl_validate_and_allocate_psk_callback( + php_stream *stream, php_openssl_netstream_data_t *sslsock, const zval *callable, bool is_client, bool is_persistent) { const char *callback_name = is_client ? "psk_client_cb" : "psk_server_cb"; if (is_persistent) { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, PersistentNotSupported, "%s is not supported for persistent streams", callback_name); return FAILURE; } @@ -1950,7 +1960,7 @@ static zend_result php_openssl_setup_client_psk(php_stream *stream, } if (FAILURE == php_openssl_validate_and_allocate_psk_callback( - sslsock, val, true, php_stream_is_persistent(stream))) { + stream, sslsock, val, true, php_stream_is_persistent(stream))) { return FAILURE; } @@ -1972,7 +1982,7 @@ static zend_result php_openssl_setup_server_psk(php_stream *stream, } if (FAILURE == php_openssl_validate_and_allocate_psk_callback( - sslsock, val, false, php_stream_is_persistent(stream))) { + stream, sslsock, val, false, php_stream_is_persistent(stream))) { return FAILURE; } @@ -2103,6 +2113,7 @@ enum php_openssl_session_callback_type { * Validate callable and allocate callback structure if needed. */ static zend_result php_openssl_validate_and_allocate_session_callback( + php_stream *stream, php_openssl_netstream_data_t *sslsock, const zval *callable, enum php_openssl_session_callback_type cb_type, bool is_persistent) { @@ -2123,7 +2134,7 @@ static zend_result php_openssl_validate_and_allocate_session_callback( /* Callbacks not supported for persistent streams */ if (is_persistent) { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, PersistentNotSupported, "%s is not supported for persistent streams", callback_name); return FAILURE; } @@ -2184,7 +2195,7 @@ static zend_result php_openssl_setup_client_session(php_stream *stream, if (GET_VER_OPT("session_new_cb")) { if (FAILURE == php_openssl_validate_and_allocate_session_callback( - sslsock, val, PHP_OPENSSL_NEW_CB, is_persistent)) { + stream, sslsock, val, PHP_OPENSSL_NEW_CB, is_persistent)) { return FAILURE; } @@ -2231,7 +2242,7 @@ static zend_result php_openssl_setup_server_session(php_stream *stream, /* Check for session_get_cb first (determines cache mode) */ if (GET_VER_OPT("session_get_cb")) { if (FAILURE == php_openssl_validate_and_allocate_session_callback( - sslsock, val, PHP_OPENSSL_GET_CB, is_persistent)) { + stream, sslsock, val, PHP_OPENSSL_GET_CB, is_persistent)) { return FAILURE; } has_get_cb = true; @@ -2250,7 +2261,7 @@ static zend_result php_openssl_setup_server_session(php_stream *stream, /* Check for session_new_cb */ if (GET_VER_OPT("session_new_cb")) { if (FAILURE == php_openssl_validate_and_allocate_session_callback( - sslsock, val, PHP_OPENSSL_NEW_CB, is_persistent)) { + stream, sslsock, val, PHP_OPENSSL_NEW_CB, is_persistent)) { return FAILURE; } has_new_cb = true; @@ -2271,7 +2282,7 @@ static zend_result php_openssl_setup_server_session(php_stream *stream, /* Check for session_remove_cb (optional) */ if (GET_VER_OPT("session_remove_cb")) { if (FAILURE == php_openssl_validate_and_allocate_session_callback( - sslsock, val, PHP_OPENSSL_REMOVE_CB, is_persistent)) { + stream, sslsock, val, PHP_OPENSSL_REMOVE_CB, is_persistent)) { return FAILURE; } @@ -2356,7 +2367,8 @@ static zend_result php_openssl_apply_client_session_data(php_stream *stream, if (php_openssl_is_session_ce(val)) { session = php_openssl_session_from_zval(val); if (!session) { - php_error_docref(NULL, E_WARNING, + // TODO: Should this be a TypeError? + php_stream_warn(stream, Generic, "Invalid OpenSSLSession object, falling back to full handshake"); return FAILURE; } @@ -2369,7 +2381,7 @@ static zend_result php_openssl_apply_client_session_data(php_stream *stream, if (session) { if (SSL_set_session(sslsock->ssl_handle, session) != 1) { - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, ResumptionFailed, "Failed to set session for resumption, falling back to full handshake"); if (needs_free) { SSL_SESSION_free(session); @@ -2396,7 +2408,7 @@ static zend_result php_openssl_create_server_ctx(php_stream *stream, sslsock->ctx = SSL_CTX_new(method); if (sslsock->ctx == NULL) { - php_error_docref(NULL, E_WARNING, "SSL context creation failure"); + php_stream_warn(stream, CreateFailed, "SSL context creation failure"); return FAILURE; } @@ -2462,7 +2474,8 @@ static zend_result php_openssl_create_server_ctx(php_stream *stream, if (GET_VER_OPT("security_level")) { zend_long lval = zval_get_long(val); if (lval < 0 || lval > 5) { - php_error_docref(NULL, E_WARNING, "Security level must be between 0 and 5"); + // TODO: Should this be a ValueError? + php_stream_warn(stream, Generic, "Security level must be between 0 and 5"); } #ifdef HAVE_SEC_LEVEL SSL_CTX_set_security_level(sslsock->ctx, lval); @@ -2478,7 +2491,7 @@ static zend_result php_openssl_create_server_ctx(php_stream *stream, unsigned char *alpn = php_openssl_alpn_protos_parse(&alpn_len, alpn_protocols); if (alpn == NULL) { - php_error_docref(NULL, E_WARNING, "Failed parsing comma-separated TLS ALPN protocol string"); + php_stream_warn(stream, DecodingFailed, "Failed parsing comma-separated TLS ALPN protocol string"); SSL_CTX_free(sslsock->ctx); sslsock->ctx = NULL; return FAILURE; @@ -2494,7 +2507,7 @@ static zend_result php_openssl_create_server_ctx(php_stream *stream, efree(alpn); } #else - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, ProtocolUnsupported, "alpn_protocols support is not compiled into the OpenSSL library against which PHP is linked"); #endif } @@ -2544,7 +2557,7 @@ static zend_result php_openssl_setup_crypto(php_stream *stream, { if (sslsock->ssl_handle) { if (sslsock->s.is_blocked) { - php_error_docref(NULL, E_WARNING, "SSL/TLS already set-up for this stream"); + php_stream_warn(stream, Generic, "SSL/TLS already set-up for this stream"); return FAILURE; } else { return SUCCESS; @@ -2563,11 +2576,11 @@ static zend_result php_openssl_setup_crypto(php_stream *stream, php_openssl_netstream_data_t *parent_sslsock; if (cparam->inputs.session->ops != &php_openssl_socket_ops) { - php_error_docref(NULL, E_WARNING, "Supplied session stream must be an SSL enabled stream"); + php_stream_warn(stream, SslNotSupported, "Supplied session stream must be an SSL enabled stream"); } else if ((parent_sslsock = cparam->inputs.session->abstract)->ctx == NULL) { - php_error_docref(NULL, E_WARNING, "Supplied SSL session stream is not set up"); + php_stream_warn(stream, SslNotSupported, "Supplied SSL session stream is not set up"); } else if (sslsock->is_client && parent_sslsock->ssl_handle == NULL) { - php_error_docref(NULL, E_WARNING, "Supplied SSL session stream is not initialized"); + php_stream_warn(stream, SslNotSupported, "Supplied SSL session stream is not initialized"); } else { SSL_CTX_up_ref(parent_sslsock->ctx); sslsock->ctx = parent_sslsock->ctx; @@ -2582,7 +2595,7 @@ static zend_result php_openssl_setup_crypto(php_stream *stream, sslsock->ssl_handle = SSL_new(sslsock->ctx); if (!sslsock->ssl_handle) { - php_error_docref(NULL, E_WARNING, "SSL handle creation failure"); + php_stream_warn(stream, CreateFailed, "SSL handle creation failure"); SSL_CTX_free(sslsock->ctx); sslsock->ctx = NULL; return FAILURE; @@ -2598,7 +2611,7 @@ static zend_result php_openssl_setup_crypto(php_stream *stream, if (SSL_copy_session_id(sslsock->ssl_handle, parent_sslsock->ssl_handle)) { SSL_CTX_set_session_cache_mode(sslsock->ctx, SSL_SESS_CACHE_CLIENT); } else { - php_error_docref(NULL, E_WARNING, "SSL session copying failed creation failure"); + php_stream_warn(stream, CreateFailed, "SSL session copying failed creation failure"); } } @@ -2614,7 +2627,7 @@ static zend_result php_openssl_setup_crypto(php_stream *stream, if (sslsock->ssl_handle == NULL || !SSL_set_ex_data(sslsock->ssl_handle, php_openssl_get_ssl_stream_data_index(), stream)) { - php_error_docref(NULL, E_WARNING, "SSL handle creation failure"); + php_stream_warn(stream, CreateFailed, "SSL handle creation failure"); SSL_CTX_free(sslsock->ctx); sslsock->ctx = NULL; #ifdef HAVE_TLS_ALPN @@ -2764,7 +2777,7 @@ static int php_openssl_enable_crypto(php_stream *stream, elapsed_time = php_openssl_subtract_timeval(cur_time, start_time); if (php_openssl_compare_timeval( elapsed_time, *timeout) > 0) { - php_error_docref(NULL, E_WARNING, "SSL: Handshake timed out"); + php_stream_warn(stream, TimeOut, "SSL: Handshake timed out"); return -1; } } @@ -3220,7 +3233,7 @@ static inline int php_openssl_tcp_sockop_accept(php_stream *stream, php_openssl_ if (php_stream_xport_crypto_setup(xparam->outputs.client, clisockdata->method, sock->ctx ? stream : NULL) < 0 || php_stream_xport_crypto_enable( xparam->outputs.client, 1) < 0) { - php_error_docref(NULL, E_WARNING, "Failed to enable crypto"); + php_stream_warn(stream, ProtocolError, "Failed to enable crypto"); php_stream_close(xparam->outputs.client); xparam->outputs.client = NULL; @@ -3490,7 +3503,7 @@ static int php_openssl_sockop_set_option(php_stream *stream, int option, int val if (php_stream_xport_crypto_setup(stream, sslsock->method, session_stream) < 0 || php_stream_xport_crypto_enable(stream, 1) < 0) { - php_error_docref(NULL, E_WARNING, "Failed to enable crypto"); + php_stream_warn(stream, ProtocolError, "Failed to enable crypto"); xparam->outputs.returncode = -1; } } @@ -3686,7 +3699,7 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen, sslsock->enable_on_connect = 1; sslsock->method = php_openssl_get_crypto_method(context, STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT); } else if (strncmp(proto, "sslv2", protolen) == 0) { - php_error_docref(NULL, E_WARNING, "SSLv2 unavailable in this PHP version"); + php_stream_warn(stream, ProtocolUnsupported, "SSLv2 unavailable in this PHP version"); php_stream_close(stream); return NULL; } else if (strncmp(proto, "sslv3", protolen) == 0) { @@ -3694,7 +3707,7 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen, sslsock->enable_on_connect = 1; sslsock->method = STREAM_CRYPTO_METHOD_SSLv3_CLIENT; #else - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, ProtocolUnsupported, "SSLv3 support is not compiled into the OpenSSL library against which PHP is linked"); php_stream_close(stream); return NULL; @@ -3710,7 +3723,7 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen, sslsock->enable_on_connect = 1; sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT; #else - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, ProtocolUnsupported, "TLSv1.1 support is not compiled into the OpenSSL library against which PHP is linked"); php_stream_close(stream); return NULL; @@ -3720,7 +3733,7 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen, sslsock->enable_on_connect = 1; sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT; #else - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, ProtocolUnsupported, "TLSv1.2 support is not compiled into the OpenSSL library against which PHP is linked"); php_stream_close(stream); return NULL; @@ -3730,7 +3743,7 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen, sslsock->enable_on_connect = 1; sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT; #else - php_error_docref(NULL, E_WARNING, + php_stream_warn(stream, ProtocolUnsupported, "TLSv1.3 support is not compiled into the OpenSSL library against which PHP is linked"); php_stream_close(stream); return NULL; diff --git a/main/streams/stream_errors.stub.php b/main/streams/stream_errors.stub.php index 2c56932c4850..7996a67943c7 100644 --- a/main/streams/stream_errors.stub.php +++ b/main/streams/stream_errors.stub.php @@ -86,6 +86,7 @@ enum StreamErrorCode case InvalidParam; case RedirectLimit; case AuthFailed; + case TimeOut; /* Encoding/decoding/archiving operations */ case ArchivingFailed; diff --git a/main/streams/stream_errors_arginfo.h b/main/streams/stream_errors_arginfo.h index 3a10e9bc5a40..408a18a03d2c 100644 --- a/main/streams/stream_errors_arginfo.h +++ b/main/streams/stream_errors_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit stream_errors.stub.php instead. - * Stub hash: 3e9ee6f0fdd8ecf3ded82728487a9e774137036a + * Stub hash: 425ea51156dba004bcc2a04ef916439e83e74f4a * Has decl header: yes */ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_class_StreamException_getErrors, 0, 0, IS_ARRAY, 0) @@ -146,6 +146,8 @@ static zend_class_entry *register_class_StreamErrorCode(void) zend_enum_add_case_cstr(class_entry, "AuthFailed", NULL); + zend_enum_add_case_cstr(class_entry, "TimeOut", NULL); + zend_enum_add_case_cstr(class_entry, "ArchivingFailed", NULL); zend_enum_add_case_cstr(class_entry, "EncodingFailed", NULL); diff --git a/main/streams/stream_errors_decl.h b/main/streams/stream_errors_decl.h index 4748768195f1..2c2991ca3a7e 100644 --- a/main/streams/stream_errors_decl.h +++ b/main/streams/stream_errors_decl.h @@ -1,8 +1,8 @@ /* This is a generated file, edit stream_errors.stub.php instead. - * Stub hash: 3e9ee6f0fdd8ecf3ded82728487a9e774137036a */ + * Stub hash: 425ea51156dba004bcc2a04ef916439e83e74f4a */ -#ifndef ZEND_STREAM_ERRORS_DECL_3e9ee6f0fdd8ecf3ded82728487a9e774137036a_H -#define ZEND_STREAM_ERRORS_DECL_3e9ee6f0fdd8ecf3ded82728487a9e774137036a_H +#ifndef ZEND_STREAM_ERRORS_DECL_425ea51156dba004bcc2a04ef916439e83e74f4a_H +#define ZEND_STREAM_ERRORS_DECL_425ea51156dba004bcc2a04ef916439e83e74f4a_H typedef enum zend_enum_StreamErrorCode { ZEND_ENUM_StreamErrorCode_None = 1, @@ -70,20 +70,21 @@ typedef enum zend_enum_StreamErrorCode { ZEND_ENUM_StreamErrorCode_InvalidParam = 63, ZEND_ENUM_StreamErrorCode_RedirectLimit = 64, ZEND_ENUM_StreamErrorCode_AuthFailed = 65, - ZEND_ENUM_StreamErrorCode_ArchivingFailed = 66, - ZEND_ENUM_StreamErrorCode_EncodingFailed = 67, - ZEND_ENUM_StreamErrorCode_DecodingFailed = 68, - ZEND_ENUM_StreamErrorCode_InvalidFormat = 69, - ZEND_ENUM_StreamErrorCode_AllocationFailed = 70, - ZEND_ENUM_StreamErrorCode_TemporaryFileFailed = 71, - ZEND_ENUM_StreamErrorCode_LockFailed = 72, - ZEND_ENUM_StreamErrorCode_LockNotSupported = 73, - ZEND_ENUM_StreamErrorCode_UserspaceNotImplemented = 74, - ZEND_ENUM_StreamErrorCode_UserspaceInvalidReturn = 75, - ZEND_ENUM_StreamErrorCode_UserspaceCallFailed = 76, + ZEND_ENUM_StreamErrorCode_TimeOut = 66, + ZEND_ENUM_StreamErrorCode_ArchivingFailed = 67, + ZEND_ENUM_StreamErrorCode_EncodingFailed = 68, + ZEND_ENUM_StreamErrorCode_DecodingFailed = 69, + ZEND_ENUM_StreamErrorCode_InvalidFormat = 70, + ZEND_ENUM_StreamErrorCode_AllocationFailed = 71, + ZEND_ENUM_StreamErrorCode_TemporaryFileFailed = 72, + ZEND_ENUM_StreamErrorCode_LockFailed = 73, + ZEND_ENUM_StreamErrorCode_LockNotSupported = 74, + ZEND_ENUM_StreamErrorCode_UserspaceNotImplemented = 75, + ZEND_ENUM_StreamErrorCode_UserspaceInvalidReturn = 76, + ZEND_ENUM_StreamErrorCode_UserspaceCallFailed = 77, } zend_enum_StreamErrorCode; -#define ZEND_ENUM_StreamErrorCode_CASE_COUNT 76 +#define ZEND_ENUM_StreamErrorCode_CASE_COUNT 77 #ifdef ZEND_ENUM_StreamErrorCode_USE_NAME_TABLE static const char *zend_enum_StreamErrorCode_case_names[ZEND_ENUM_StreamErrorCode_CASE_COUNT + 1] = { @@ -152,6 +153,7 @@ static const char *zend_enum_StreamErrorCode_case_names[ZEND_ENUM_StreamErrorCod [ZEND_ENUM_StreamErrorCode_InvalidParam] = "InvalidParam", [ZEND_ENUM_StreamErrorCode_RedirectLimit] = "RedirectLimit", [ZEND_ENUM_StreamErrorCode_AuthFailed] = "AuthFailed", + [ZEND_ENUM_StreamErrorCode_TimeOut] = "TimeOut", [ZEND_ENUM_StreamErrorCode_ArchivingFailed] = "ArchivingFailed", [ZEND_ENUM_StreamErrorCode_EncodingFailed] = "EncodingFailed", [ZEND_ENUM_StreamErrorCode_DecodingFailed] = "DecodingFailed", @@ -180,4 +182,4 @@ typedef enum zend_enum_StreamErrorStore { ZEND_ENUM_StreamErrorStore_All = 5, } zend_enum_StreamErrorStore; -#endif /* ZEND_STREAM_ERRORS_DECL_3e9ee6f0fdd8ecf3ded82728487a9e774137036a_H */ +#endif /* ZEND_STREAM_ERRORS_DECL_425ea51156dba004bcc2a04ef916439e83e74f4a_H */