diff --git a/config.m4 b/config.m4 index b44fc51..7dad7c8 100644 --- a/config.m4 +++ b/config.m4 @@ -175,6 +175,9 @@ if test "$PHONGO" != "no"; then src/MongoDB/WriteConcernException.c \ src/MongoDB/BulkWriteException.c \ "; + PHONGO_CONTRIB="\ + src/contrib/php-ssl.c \ + "; YAJL_SOURCES="\ yajl_version.c \ @@ -269,11 +272,13 @@ MONGOC_SOURCES_SASL=mongoc-sasl.c if test "$ext_shared" = "no"; then PHP_ADD_SOURCES(PHP_EXT_DIR(phongo), $PHONGO_BSON) + PHP_ADD_SOURCES(PHP_EXT_DIR(phongo), $PHONGO_CONTRIB) PHP_ADD_SOURCES(PHP_EXT_DIR(phongo), $PHONGO_BSON_CLASSES) PHP_ADD_SOURCES(PHP_EXT_DIR(phongo), $PHONGO_MONGODB_CLASSES) PHP_ADD_SOURCES(PHP_EXT_DIR(phongo), $PHONGO_MONGODB_EXCEPTIONS) else PHP_ADD_SOURCES_X(PHP_EXT_DIR(phongo), $PHONGO_BSON, [$STD_CFLAGS $MAINTAINER_CFLAGS $COVERAGE_CFLAGS], shared_objects_phongo, yes) + PHP_ADD_SOURCES_X(PHP_EXT_DIR(phongo), $PHONGO_CONTRIB, [$STD_CFLAGS $MAINTAINER_CFLAGS $COVERAGE_CFLAGS], shared_objects_phongo, yes) PHP_ADD_SOURCES_X(PHP_EXT_DIR(phongo), $PHONGO_BSON_CLASSES, [$STD_CFLAGS $MAINTAINER_CFLAGS $COVERAGE_CFLAGS], shared_objects_phongo, yes) PHP_ADD_SOURCES_X(PHP_EXT_DIR(phongo), $PHONGO_MONGODB_CLASSES, [$STD_CFLAGS $MAINTAINER_CFLAGS $COVERAGE_CFLAGS], shared_objects_phongo, yes) PHP_ADD_SOURCES_X(PHP_EXT_DIR(phongo), $PHONGO_MONGODB_EXCEPTIONS, [$STD_CFLAGS $MAINTAINER_CFLAGS $COVERAGE_CFLAGS], shared_objects_phongo, yes) diff --git a/php_phongo.c b/php_phongo.c index a699b98..219668d 100644 --- a/php_phongo.c +++ b/php_phongo.c @@ -26,7 +26,13 @@ /* YCM */ #include + /* External libs */ +#include "src/contrib/php-ssl.h" +#include +#include +#include + #include #include #include @@ -799,6 +805,71 @@ ssize_t phongo_stream_poll (mongoc_stream_poll_t *streams, size_t nstreams, int3 return rval; } /* }}} */ +# if PHP_VERSION_ID < 50600 +int php_mongo_verify_hostname(const mongoc_host_list_t *host, X509 *cert TSRMLS_DC) +{ + if (php_mongo_matches_san_list(cert, host->host) == SUCCESS) { + return SUCCESS; + } + + if (php_mongo_matches_common_name(cert, host->host TSRMLS_CC) == SUCCESS) { + return SUCCESS; + } + + return FAILURE; +} +# endif +int php_phongo_validate_tls(const mongoc_host_list_t *host, php_stream *stream, bson_error_t *error TSRMLS_DC) +{ + zval **zcert; + + if (php_stream_context_get_option(stream->context, "ssl", "peer_certificate", &zcert) == SUCCESS && Z_TYPE_PP(zcert) == IS_RESOURCE) { + zval **verify_peer_name, **verify_expiry; + int resource_type; + X509 *cert; + int type; + + + zend_list_find(Z_LVAL_PP(zcert), &resource_type); + cert = (X509 *)zend_fetch_resource(zcert TSRMLS_CC, -1, "OpenSSL X.509", &type, 1, resource_type); + + if (!cert) { + bson_set_error (error, MONGOC_ERROR_STREAM, MONGOC_ERROR_STREAM_INVALID_TYPE, "Could not capture certificate of %s:%d", host->host, host->port); + return -1; + } + +#if PHP_VERSION_ID < 50600 + /* This option is available since PHP 5.6.0 */ + if (php_stream_context_get_option(stream->context, "ssl", "verify_peer_name", &verify_peer_name) == SUCCESS && zend_is_true(*verify_peer_name)) { + if (php_mongo_verify_hostname(host, cert TSRMLS_CC) == FAILURE) { + bson_set_error (error, MONGOC_ERROR_STREAM, MONGOC_ERROR_STREAM_INVALID_TYPE, "Remote certificate SubjectAltName or CN does not match '%s'", host->host); + return -1; + } + mongoc_log(MONGOC_LOG_LEVEL_DEBUG, MONGOC_LOG_DOMAIN, "Valid peer name for %s:%d", host->host, host->port); + } else { + mongoc_log(MONGOC_LOG_LEVEL_DEBUG, MONGOC_LOG_DOMAIN, "Not verifying peer name for %s:%d, please use 'verify_peer_name' SSL context option", host->host, host->port); + } +#endif + if (php_stream_context_get_option(stream->context, "ssl", "verify_expiry", &verify_expiry) == SUCCESS && zend_is_true(*verify_expiry)) { + time_t current = time(NULL); + time_t valid_from = php_mongo_asn1_time_to_time_t(X509_get_notBefore(cert) TSRMLS_CC); + time_t valid_until = php_mongo_asn1_time_to_time_t(X509_get_notAfter(cert) TSRMLS_CC); + + if (valid_from > current) { + bson_set_error (error, MONGOC_ERROR_STREAM, MONGOC_ERROR_STREAM_INVALID_TYPE, "Certificate is not valid yet on %s:%d", host->host, host->port); + return -1; + } + if (current > valid_until) { + bson_set_error (error, MONGOC_ERROR_STREAM, MONGOC_ERROR_STREAM_INVALID_TYPE, "Certificate has expired on %s:%d", host->host, host->port); + return -1; + } + mongoc_log(MONGOC_LOG_LEVEL_WARNING, MONGOC_LOG_DOMAIN, "Valid issue and expire dates for %s:%d", host->host, host->port); + } else { + mongoc_log(MONGOC_LOG_LEVEL_WARNING, MONGOC_LOG_DOMAIN, "Certificate expiration checks disabled for %s:%d", host->host, host->port); + } + } + return true; +} mongoc_stream_t* phongo_stream_initiator(const mongoc_uri_t *uri, const mongoc_host_list_t *host, void *user_data, bson_error_t *error) /* {{{ */ { php_phongo_stream_socket *base_stream = NULL; @@ -882,6 +953,13 @@ mongoc_stream_t* phongo_stream_initiator(const mongoc_uri_t *uri, const mongoc_h zend_replace_error_handling(EH_THROW, php_phongo_sslconnectionexception_ce, &error_handling TSRMLS_CC); + /* Capture the server certificate so we can do further verification */ + if (stream->context) { + zval capture; + ZVAL_BOOL(&capture, 1); + php_stream_context_set_option(stream->context, "ssl", "capture_peer_cert", &capture); + } + mongoc_log(MONGOC_LOG_LEVEL_DEBUG, MONGOC_LOG_DOMAIN, "Enabling SSL"); if (php_stream_xport_crypto_setup(stream, PHONGO_CRYPTO_METHOD, NULL TSRMLS_CC) < 0) { zend_restore_error_handling(&error_handling TSRMLS_CC); @@ -899,6 +977,13 @@ mongoc_stream_t* phongo_stream_initiator(const mongoc_uri_t *uri, const mongoc_h return NULL; } + if (php_phongo_validate_tls(host, stream, error TSRMLS_CC) < 0) { + zend_restore_error_handling(&error_handling TSRMLS_CC); + php_stream_free(stream, PHP_STREAM_FREE_CLOSE_PERSISTENT | PHP_STREAM_FREE_RSRC_DTOR); + efree(dsn); + return NULL; + } + zend_restore_error_handling(&error_handling TSRMLS_CC); } efree(dsn); diff --git a/tests/connect/standalone-ssl-0002.phpt b/tests/connect/standalone-ssl-0002.phpt index 1be3ee2..effec80 100644 --- a/tests/connect/standalone-ssl-0002.phpt +++ b/tests/connect/standalone-ssl-0002.phpt @@ -55,6 +55,7 @@ echo throws(function() use($manager) { echo "Changing to server\n"; stream_context_set_option($context, "ssl", "peer_name", "server"); +$manager = new MongoDB\Driver\Manager($dsn, array(), array("context" => $context)); $bulk = new MongoDB\Driver\BulkWrite; $bulk->insert(array("my" => "value")); $retval = $manager->executeBulkWrite(NS, $bulk);