Fix tests and logic for TLS 1.3

bukka · bukka · commit c2e9c71e36c6 · 2019-04-28T17:37:43.000+01:00
diff --git a/ext/openssl/tests/session_meta_capture_tlsv13.phpt b/ext/openssl/tests/session_meta_capture_tlsv13.phpt
@@ -8,30 +8,32 @@ if (OPENSSL_VERSION_NUMBER < 0x10101000) die("skip OpenSSL v1.1.1 required");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'session_meta_capture_tlsv13.pem.tmp';
+$cacertFile = __DIR__ . DIRECTORY_SEPARATOR . 'session_meta_capture_tlsv13-ca.pem.tmp';
+
 $serverCode = <<<'CODE'
     $serverUri = "ssl://127.0.0.1:64321";
     $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
     $serverCtx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/bug54992.pem',
+        'local_cert' => '%s',
         'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_3_SERVER,
     ]]);
 
     $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
     phpt_notify();
 
     @stream_socket_accept($server, 1);
-    @stream_socket_accept($server, 1);
-    @stream_socket_accept($server, 1);
-    @stream_socket_accept($server, 1);
 CODE;
+$serverCode = sprintf($serverCode, $certFile);
 
+$peerName = 'session_meta_capture_tlsv13';
 $clientCode = <<<'CODE'
     $serverUri = "ssl://127.0.0.1:64321";
     $clientFlags = STREAM_CLIENT_CONNECT;
     $clientCtx = stream_context_create(['ssl' => [
         'verify_peer' => true,
-        'cafile' => __DIR__ . '/bug54992-ca.pem',
-        'peer_name' => 'bug54992.local',
+        'cafile' => '%s',
+        'peer_name' => '%s',
         'capture_session_meta' => true,
     ]]);
 
@@ -42,6 +44,12 @@ $clientCode = <<<'CODE'
     $meta = stream_context_get_options($clientCtx)['ssl']['session_meta'];
     var_dump($meta['protocol']);
 CODE;
+$clientCode = sprintf($clientCode, $cacertFile, $peerName);
+
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveCaCert($cacertFile);
+$certificateGenerator->saveNewCertAsFileWithKey($peerName, $certFile);
 
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
diff --git a/ext/openssl/tests/tlsv1.3_wrapper.phpt b/ext/openssl/tests/tlsv1.3_wrapper.phpt
@@ -34,7 +34,7 @@ $clientCode = <<<'CODE'
     $client = stream_socket_client("tlsv1.3://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
     var_dump($client);
 
-    $client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
+    $client = @stream_socket_client("tlsv1.0://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
     var_dump($client);
 
     $client = @stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
@@ -60,15 +60,6 @@
 #define STREAM_CRYPTO_METHOD_TLSv1_2       (1<<5)
 #define STREAM_CRYPTO_METHOD_TLSv1_3       (1<<6)
 
-#ifndef OPENSSL_NO_SSL3
-#define HAVE_SSL3 1
-#define PHP_OPENSSL_MIN_PROTO_VERSION STREAM_CRYPTO_METHOD_SSLv3
-#else
-#define PHP_OPENSSL_MIN_PROTO_VERSION STREAM_CRYPTO_METHOD_TLSv1_0
-#endif
-#define PHP_OPENSSL_MAX_PROTO_VERSION STREAM_CRYPTO_METHOD_TLSv1_3
-
-
 #define HAVE_TLS11 1
 #define HAVE_TLS12 1
 #if OPENSSL_VERSION_NUMBER >= 0x10101000
@@ -90,6 +81,18 @@
 #define HAVE_SEC_LEVEL 1
 #endif
 
+#ifndef OPENSSL_NO_SSL3
+#define HAVE_SSL3 1
+#define PHP_OPENSSL_MIN_PROTO_VERSION STREAM_CRYPTO_METHOD_SSLv3
+#else
+#define PHP_OPENSSL_MIN_PROTO_VERSION STREAM_CRYPTO_METHOD_TLSv1_0
+#endif
+#ifdef HAVE_TLS13
+#define PHP_OPENSSL_MAX_PROTO_VERSION STREAM_CRYPTO_METHOD_TLSv1_3
+#else
+#define PHP_OPENSSL_MAX_PROTO_VERSION STREAM_CRYPTO_METHOD_TLSv1_2
+#endif
+
 /* Simplify ssl context option retrieval */
 #define GET_VER_OPT(name) \
 	(PHP_STREAM_CONTEXT(stream) && (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", name)) != NULL)
@@ -1021,7 +1024,7 @@ static inline int php_openssl_get_min_proto_version_flag(int flags) /* {{{ */
 			return ver;
 		}
 	}
-	return STREAM_CRYPTO_METHOD_TLSv1_3;
+	return PHP_OPENSSL_MAX_PROTO_VERSION;
 }
 /* }}} */
 
@@ -1041,22 +1044,22 @@ static inline int php_openssl_get_max_proto_version_flag(int flags) /* {{{ */
 static inline int php_openssl_map_proto_version(int flag) /* {{{ */
 {
 	switch (flag) {
+#ifdef HAVE_TLS13
+		case STREAM_CRYPTO_METHOD_TLSv1_3:
+			return TLS1_3_VERSION;
+#endif
+		case STREAM_CRYPTO_METHOD_TLSv1_2:
+			return TLS1_2_VERSION;
+		case STREAM_CRYPTO_METHOD_TLSv1_1:
+			return TLS1_1_VERSION;
+		case STREAM_CRYPTO_METHOD_TLSv1_0:
+			return TLS1_VERSION;
 #ifdef HAVE_SSL3
 		case STREAM_CRYPTO_METHOD_SSLv3:
 			return SSL3_VERSION;
 #endif
-		case STREAM_CRYPTO_METHOD_TLSv1_0:
-			return TLS1_VERSION;
-		case STREAM_CRYPTO_METHOD_TLSv1_1:
-			return TLS1_1_VERSION;
-                case STREAM_CRYPTO_METHOD_TLSv1_2:
-                        return TLS1_2_VERSION;
-		/* case STREAM_CRYPTO_METHOD_TLSv1_3: */
-#ifdef HAVE_TLS13
 		default:
-			return TLS1_3_VERSION;
-#endif
-
+			return TLS1_2_VERSION;
 	}
 }
 /* }}} */
