Skip to content

Fix GH-18529: additional inheriting of TLS int options #18676

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: PHP-8.3
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/scripts/setup-slapd.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,9 @@ olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
-
add: olcAuthzRegexp
olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com
-
Expand Down
32 changes: 27 additions & 5 deletions ext/ldap/ldap.c
Original file line number Diff line number Diff line change
Expand Up @@ -3732,7 +3732,8 @@ PHP_FUNCTION(ldap_rename_ext)
*/
static int _php_ldap_tls_newctx(LDAP *ld)
{
int val = 0, i, opts[] = {
int val = 0, i;
int str_opts[] = {
#if (LDAP_API_VERSION > 2000)
LDAP_OPT_X_TLS_CACERTDIR,
LDAP_OPT_X_TLS_CACERTFILE,
Expand All @@ -3752,21 +3753,42 @@ static int _php_ldap_tls_newctx(LDAP *ld)
#endif
0};

for (i=0 ; opts[i] ; i++) {
for (i=0 ; str_opts[i] ; i++) {
char *path = NULL;

ldap_get_option(ld, opts[i], &path);
ldap_get_option(ld, str_opts[i], &path);
if (path) { /* already set locally */
ldap_memfree(path);
} else {
ldap_get_option(NULL, opts[i], &path);
ldap_get_option(NULL, str_opts[i], &path);
if (path) { /* set globally, inherit */
ldap_set_option(ld, opts[i], path);
ldap_set_option(ld, str_opts[i], path);
ldap_memfree(path);
}
}
}

#ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
int int_opts[] = {
LDAP_OPT_X_TLS_PROTOCOL_MIN,
#ifdef LDAP_OPT_X_TLS_PROTOCOL_MAX
LDAP_OPT_X_TLS_PROTOCOL_MAX,
#endif
0
};
for (i=0 ; int_opts[i] ; i++) {
int value = 0;

ldap_get_option(ld, int_opts[i], &value);
if (value <= 0) { /* if value is not set already */
ldap_get_option(NULL, int_opts[i], &value);
if (value > 0) { /* set globally, inherit */
ldap_set_option(ld, int_opts[i], &value);
}
}
}
#endif

return ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &val);
}

Expand Down
1 change: 1 addition & 0 deletions ext/ldap/tests/ldap_start_tls_rc_max_version.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TLS_PROTOCOL_MAX 3.2
41 changes: 41 additions & 0 deletions ext/ldap/tests/ldap_start_tls_rc_max_version.phpt
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
--TEST--
ldap_start_tls() - Basic ldap_start_tls test
--EXTENSIONS--
ldap
--ENV--
LDAPCONF={PWD}/ldap_start_tls_rc_max_version.conf
--SKIPIF--
<?php
$require_vendor = [
"name" => "OpenLDAP",
"min_version" => 20500,
];
require_once __DIR__ .'/skipifbindfailure.inc';
?>
--FILE--
<?php
require_once "connect.inc";

// CI uses self signed certificate

// No cert option - fails
$link = ldap_connect($uri);
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, $protocol_version);
var_dump(@ldap_start_tls($link));

// No cert check - should pass but due to ldaps check, it fails as well
$link = ldap_connect($uri);
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, $protocol_version);
ldap_set_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
var_dump(@ldap_start_tls($link));

// With cert check - fails
$link = ldap_connect($uri);
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, $protocol_version);
ldap_set_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
var_dump(@ldap_start_tls($link));
?>
--EXPECT--
bool(false)
bool(false)
bool(false)
33 changes: 33 additions & 0 deletions ext/ldap/tests/skipifbindfailure.inc
Original file line number Diff line number Diff line change
Expand Up @@ -10,4 +10,37 @@ if ($skip_on_bind_failure) {

ldap_unbind($link);
}

if (isset($require_vendor)) {
ob_start();
phpinfo(INFO_MODULES);
$phpinfo = ob_get_clean();

// Extract the LDAP section specifically
if (preg_match('/^ldap\s*$(.*?)^[a-z_]+\s*$/ims', $phpinfo, $ldap_section_match)) {
$ldap_section = $ldap_section_match[1];

// Extract vendor info from the LDAP section only
if (preg_match('/Vendor Name\s*=>\s*(.+)/i', $ldap_section, $name_match) &&
preg_match('/Vendor Version\s*=>\s*(\d+)/i', $ldap_section, $version_match)) {

$vendor_name = trim($name_match[1]);
$vendor_version = (int)$version_match[1];

// Check vendor name if specified
if (isset($require_vendor['name']) && $vendor_name !== $require_vendor['name']) {
die("skip Requires {$require_vendor['name']} (detected: $vendor_name)");
}

// Check minimum version if specified
if (isset($require_vendor['min_version']) && $vendor_version < $require_vendor['min_version']) {
die("skip Requires minimum version {$require_vendor['min_version']} (detected: $vendor_version)");
}
} else {
die("skip Cannot determine LDAP vendor information");
}
} else {
die("skip LDAP extension information not found");
}
}
?>
Loading