Fix bug# 69215 (Crypto servers should send client CA list)

Author: rdlowrey

NEWS

@@ -18,6 +18,8 @@
     in stream_select() contexts) (Chris Wright)
   . Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly)
     (Daniel Lowrey)
+  . Fixed bug #69215 (Crypto servers should send client CA list)
+    (Daniel Lowrey)
 
 19 Mar 2015, PHP 5.6.7
 

ext/openssl/tests/bug69215-ca.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIJAMO7Amv3ZHJBMA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
+BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
+Q29tcGFueSBMdGQxFDASBgNVBAMMC3BocCB0ZXN0IGNhMB4XDTE1MDMwMzE3NTQz
+OVoXDTI1MDIyODE3NTQzOVowWDELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1
+bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEUMBIGA1UEAwwL
+cGhwIHRlc3QgY2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKac+r8AzEEk
+Cdnue7nx3gxmsXTYzwnywjjGJSknoWCdNEE+LqtT8RU0J+V76w4ehWRnhLVtu//v
+3InsrpcniGfTcov60NelHQOfn5XCCV5zqVi628WddwwdVw4AI58K3YrNk450VCBu
+dMy6m2Tm+dQwgVbtR+nIwzfm47CMWW2DAgMBAAGjUDBOMB0GA1UdDgQWBBTtMxRr
+plep4RW3PjhosYsIdIoMojAfBgNVHSMEGDAWgBTtMxRrplep4RW3PjhosYsIdIoM
+ojAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBADMF2pL8jCF6PFPhMuFN
+zxoLSuy6uLAkjkujo5e33kSUW5MI4jT/aoL2hnBPA4uJPC/TZXoBHKBpnPES2GkJ
+r7tOR51Jsk7HRTdvOMkcdD9Fe+M+Q5rOMUlCtyX/SRhc1uFnC2//Y/rx4Tc8djGl
+RqrH/Oi38u1083krmNRQNw/Z
+-----END CERTIFICATE-----

ext/openssl/tests/bug69215-client.pem

@@ -0,0 +1,32 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,CE3DEB59F7DF7AF4
+
+9REujZuwDkwoN949Gw77c3aJiQvwoPiUXJ+cDirn4ii56OsHBSCWfCe4Mqn976GK
+9IAPwHJ5yRewPpFvb+xRqtMtnm8S7HIfVtZqW4FkG+g/paEg6rwqVpW78Jco/gww
+6XFGrmU1bwKWrB05YV1BWnbB4L7Q+/U0ZcNvdNISOBW//2HuHeKVWe1DKoaRtoVz
+v4BFQxr7F3A9tm3vz9Jn2JreVrihdWQVlVTVOsfiQk/yPVA7twxiT2Hfimp/gFSX
+l28rA+jB7xd6IhpA/EXAYnCbxSp9kSXYtba26dO3rQHlgRv1a38AwvCD/3igQzF/
+XjetX2a75ITi5c7bUT4ZpVX8ZPU8oVBqSo6MXisFWBT0Svx+KhWyyn2V0z66APdR
+X1V6dZiAcqN7giRg3Yj/lMDo0nV4Ph+Ce7p3Mv/p4qU0mxf7O8sPhp7DloHQFEF0
+HyooNp26YT4V47NDxwIlkoj9YZ5nkO/svQ1qxiTKWNUdfWw5r3lFiAw5xTyDDiBs
+Sz776DaFo3Ss3JSUr5RLe4rEEc02iVqYB9OPXoUaUwS+//1KKgzF3xq/yxsJM5dR
+ljphraCViZzJPw4z69Lmao9CPRfDxKChVOSLkKgmFIOeronLdTypieanc3/o002c
+2ecb/x9f7G2XAn0iwcfylMkSZHirxqaos8LodsPxg8GdNJT89C66n+EJerrFwi6i
+qT0EvNfkbxYd3zj82+j1weNFLsQuB0O1UJBWEdyj74gIX+4HkZpSYLQ2O8MTz3yE
+52JcRRyl9ECdNJw15jkDQIusUreYMHb7YW+u+3+ci21H94Iay5XSYw==
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICKDCCAZECCQD2yFUU99QJdzANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJY
+WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
+bnkgTHRkMRQwEgYDVQQDDAtwaHAgdGVzdCBjYTAeFw0xNTAzMTAyMzM0MDNaFw0y
+NTAzMDcyMzM0MDNaMFkxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJTQzEVMBMGA1UE
+BwwMTXlydGxlIEJlYWNoMQwwCgYDVQQLDANQSFAxGDAWBgNVBAMMD2J1ZzY5MjE1
+LWNsaWVudDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyLTbIGryqx0wGDD+
+xdrJsrcwXFyTYpCOHUaxl1wt/6j6u7yW5m4TJFEDUtIGnqBGYiPE9iynkLkOwUF/
+IpheONJENIjXkdSJPUEy/Ggz9WOa0qO6dQZU44NpGO7LFW97HglBIsbhioOsdcf/
+INAgidoMJNizkuTBNRGW7iKp0lsCAwEAATANBgkqhkiG9w0BAQsFAAOBgQBKkZLQ
+aU12/cPvW5e9AXArnE9jxMhnzuCKy81eHj30CC/nHpId9i5YZytHcZEZyEOWE6DQ
+IsqmsP5ZheXq26mUtHOcEdEgcqcXTRotKXFwIxTZxP5jkCRn0xGbeHh7H9pg6TP0
+QekWTkWCh5qcf3NXvJtk4TCfLC6FSjehHkq9yQ==
+-----END CERTIFICATE-----

ext/openssl/tests/bug69215-server.pem

@@ -0,0 +1,32 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,4C7155D678EDABFA
+
+NdOGB8UpC5xrnCFIOzxV6s4y4PZlxgX8s+iL/JeGVmS7a8pDSTzbb6wjauYy3n/2
+KCywHsFdAjifi8SGHJOJBVep3GS7dWw979vWdiKjQEAlJpoouv6P58Xpn4jDf1uX
+ZrpmSTXI0iH7HYE2pzrkxPbg0Cz5GV2d2VlL7U5d4+UxXh8fSBndgHligmoc8mCU
+1AG7ZmvPhMDTewhR333qKBYi9TBZuw75Crpy5CjPO30vBMfZpseOvtEnmI0JYGwe
+75Q3e6sgY0o9b7Q42+g9v+FpGBTHhmldwYD7k1TtOC/PT4eO68E3mDawR2v+X9r8
+4jL22d3tB4Q4qAfBwbR37umTaQHLIxtjzc2OjXb/Ju35LW9d0hEuaAQK3oY8yeEi
+gctYWrCN4K+cxZQwq1+ulpkHXULGs9QxXT9KJYfV1+HWkauWUSycFhA74jWW0mL5
+InlGaFf6oiRrP4lgRVXD3rtTLCwkCD2JcvTbF+re9+vCpui7zPW2peGwcE/W7TiK
+wHFJhQQyYGcAWsal7ekXshTLoz4jeaPgak7dg50ZjjwcWr0bJuJ3RRaocMhYZ6Bd
+DiF30nCijVSJfrLhugN2RJmSysT4WNXn5qaDGEOhVgkXZscZ3ClFGsMnxAz9sqbJ
+J+ZMbqxkwSIf/+dPfhnjOWm3HPpP3T9wioYZT7KuI98pfGnHMZmX5CaJ6d/uBO5G
+8jMvQLWOx+1WoDfWDkn7SfNDyTg4/dEo5IJFXv2S9zSPynCnQcBkYUevIfJ7vDo/
+7pXCkcY+C1zssW8R1J+WNbHI1syzVbvSg6hlgyEPXuDbErCRqiFm1g==
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICKDCCAZECCQD2yFUU99QJeDANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJY
+WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
+bnkgTHRkMRQwEgYDVQQDDAtwaHAgdGVzdCBjYTAeFw0xNTAzMTAyMzM1MjFaFw0y
+NTAzMDcyMzM1MjFaMFkxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJTQzEVMBMGA1UE
+BwwMTXlydGxlIEJlYWNoMQwwCgYDVQQLDANQSFAxGDAWBgNVBAMMD2J1ZzY5MjE1
+LXNlcnZlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAup0kaIwQufxQWXmE
+QWbd7yxMQ69UHRhbb2stAo7qxmYMeH3bWCaR/oAPOswjtkXZQgyj0slLAWJDXKDg
+zCnEKsU2yWLnvQy/h1rq/kBIybMoLKMIkRZQtrGcApKJtyrq8OtTz6odKQ7k9hym
+DtPF+2lcVhSAd+qjngF3txrVKjsCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCfXuL4
+TODLV54uKKVdVGwr8U3EQ3JdYOqN3Hr9kpmxe6StIcLxQ1e+mSDgKcixzw6CXN3P
+f++8NugAt4Ja2SDqqw1gzrX+9u6KZpnMKpEDIK0Z3Ss51ZwqilAXmFVybNTyYeVo
+HweM1IY/zrBpSTQv/aKs1R2Pyb0Heindnp0PUQ==
+-----END CERTIFICATE-----

ext/openssl/tests/bug69215.phpt

@@ -0,0 +1,48 @@
+--TEST--
+Bug #69215: Crypto servers should send client CA list
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip openssl not loaded");
+if (!function_exists("proc_open")) die("skip no proc_open");
+--FILE--
+<?php
+$serverCode = <<<'CODE'
+    $serverUri = "ssl://127.0.0.1:64321";
+    $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+    $serverCtx = stream_context_create(['ssl' => [
+        'local_cert' => __DIR__ . '/bug69215-server.pem',
+        'passphrase' => 'elephpant',
+        'cafile' => __DIR__ . '/bug69215-ca.pem',
+        'verify_peer' => true,
+        'verify_peer_name' => true,
+        'peer_name' => 'bug69215-client',
+    ]]);
+
+    $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
+    phpt_notify();
+
+    stream_socket_accept($server, 30);
+CODE;
+
+$clientCode = <<<'CODE'
+    $serverUri = "ssl://127.0.0.1:64321";
+    $clientFlags = STREAM_CLIENT_CONNECT;
+    $clientCtx = stream_context_create(['ssl' => [
+        'local_cert' => __DIR__ . '/bug69215-client.pem',
+        'passphrase' => 'elephpant',
+        'cafile' => __DIR__ . '/bug69215-ca.pem',
+        'verify_peer' => true,
+        'verify_peer_name' => true,
+        'peer_name' => 'bug69215-server',
+    ]]);
+
+    phpt_wait();
+
+    var_dump(stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx));
+CODE;
+
+include 'ServerClientTestCase.inc';
+ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
+--EXPECTF--
+resource(%d) of type (stream)
+

ext/openssl/xp_ssl.c

@@ -817,16 +817,26 @@ static int enable_peer_verification(SSL_CTX *ctx, php_stream *stream TSRMLS_DC)
 	zval **val = NULL;
 	char *cafile = NULL;
 	char *capath = NULL;
+	php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
 
 	GET_VER_OPT_STRING("cafile", cafile);
 	GET_VER_OPT_STRING("capath", capath);
 
-	if (!cafile) {
+	if (cafile == NULL) {
 		cafile = zend_ini_string("openssl.cafile", sizeof("openssl.cafile"), 0);
 		cafile = strlen(cafile) ? cafile : NULL;
+	} else if (!sslsock->is_client) {
+		/* Servers need to load and assign CA names from the cafile */
+		STACK_OF(X509_NAME) *cert_names = SSL_load_client_CA_file(cafile);
+		if (cert_names != NULL) {
+			SSL_CTX_set_client_CA_list(ctx, cert_names);
+		} else {
+			php_error(E_WARNING, "SSL: failed loading CA names from cafile");
+			return FAILURE;
+		}
 	}
 
-	if (!capath) {
+	if (capath == NULL) {
 		capath = zend_ini_string("openssl.capath", sizeof("openssl.capath"), 0);
 		capath = strlen(capath) ? capath : NULL;
 	}
@@ -842,9 +852,6 @@ static int enable_peer_verification(SSL_CTX *ctx, php_stream *stream TSRMLS_DC)
 		SSL_CTX_set_cert_verify_callback(ctx, win_cert_verify_callback, (void *)stream);
 		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
 #else
-		php_openssl_netstream_data_t *sslsock;
-		sslsock = (php_openssl_netstream_data_t*)stream->abstract;
-
 		if (sslsock->is_client && !SSL_CTX_set_default_verify_paths(ctx)) {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING,
 				"Unable to set default verify locations and no CA settings specified");