
Commit 509d349

committed
Merge branch 'PHP-8.0'
* PHP-8.0: Fix #76694: native Windows cert verification uses CN as server name
2 parents fa9cb6c + 108105b commit 509d349


1 file changed

+3
-45
lines changed


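--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -710,56 +710,14 @@ static int php_openssl_win_cert_verify_callback(X509_STORE_CTX *x509_store_ctx,
 LPWSTR server_name = NULL;
 BOOL verify_result;
 
-{ /* This looks ridiculous and it is - but we validate the name ourselves using the peer_name
-ctx option, so just use the CN from the cert here */
-
-X509_NAME *cert_name;
-unsigned char *cert_name_utf8;
-int index, cert_name_utf8_len;
-DWORD num_wchars;
-
-cert_name = X509_get_subject_name(cert);
-index = X509_NAME_get_index_by_NID(cert_name, NID_commonName, -1);
-if (index < 0) {
-php_error_docref(NULL, E_WARNING, "Unable to locate certificate CN");
-CertFreeCertificateChain(cert_chain_ctx);
-CertFreeCertificateContext(cert_ctx);
-RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED);
-}
-
-cert_name_utf8_len = PHP_X509_NAME_ENTRY_TO_UTF8(cert_name, index, cert_name_utf8);
-
-num_wchars = MultiByteToWideChar(CP_UTF8, 0, (char*)cert_name_utf8, -1, NULL, 0);
-if (num_wchars == 0) {
-php_error_docref(NULL, E_WARNING, "Unable to convert %s to wide character string", cert_name_utf8);
-OPENSSL_free(cert_name_utf8);
-CertFreeCertificateChain(cert_chain_ctx);
-CertFreeCertificateContext(cert_ctx);
-RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED);
-}
-
-server_name = emalloc((num_wchars * sizeof(WCHAR)) + sizeof(WCHAR));
-
-num_wchars = MultiByteToWideChar(CP_UTF8, 0, (char*)cert_name_utf8, -1, server_name, num_wchars);
-if (num_wchars == 0) {
-php_error_docref(NULL, E_WARNING, "Unable to convert %s to wide character string", cert_name_utf8);
-efree(server_name);
-OPENSSL_free(cert_name_utf8);
-CertFreeCertificateChain(cert_chain_ctx);
-CertFreeCertificateContext(cert_ctx);
-RETURN_CERT_VERIFY_FAILURE(SSL_R_CERTIFICATE_VERIFY_FAILED);
-}
-
-OPENSSL_free(cert_name_utf8);
-}
-
 ssl_policy_params.dwAuthType = (sslsock->is_client) ? AUTHTYPE_SERVER : AUTHTYPE_CLIENT;
-ssl_policy_params.pwszServerName = server_name;
+/* we validate the name ourselves using the peer_name
+ctx option, so no need to use a server name here */
+ssl_policy_params.pwszServerName = NULL;
 chain_policy_params.pvExtraPolicyPara = &ssl_policy_params;
 
 verify_result = CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, cert_chain_ctx, &chain_policy_params, &chain_policy_status);
 
-efree(server_name);
 CertFreeCertificateChain(cert_chain_ctx);
 CertFreeCertificateContext(cert_ctx);
 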
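Review bot: `LPWSTR server_name = NULL;` on line 710 is now a dead declaration: its only assignment (the removed emalloc) and its only reads (the removed pwszServerName assignment and efree) are gone, so the line should be deleted to avoid an unused-variable warning. With pwszServerName left NULL the CryptoAPI policy check performs no host-name match of its own, so the new comment carries the entire justification for skipping it; consider making that dependency explicit, e.g. `/* pwszServerName is deliberately NULL: CryptoAPI's host-name check is skipped because the name is matched against the peer_name ctx option by our own verification */`. php_openssl_win_cert_verify_callback begins before and continues after this hunk.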
