From b09be29ac12fbd5deb11e47465441c73cc260855 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 25 Feb 2023 23:39:00 +0100 Subject: [PATCH] Fix incorrect error checking in php_openssl_set_server_dh_param() SSL_CTX_set_tmp_dh() and SSL_CTX_set0_tmp_dh_pkey() return 1 on success and 0 on error. But only < 0 was checked which means that errors were never caught. Closes GH-10705. --- NEWS | 3 +++ ext/openssl/xp_ssl.c | 9 ++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 76b9e953af3..5f048e0f89a 100644 --- a/NEWS +++ b/NEWS @@ -54,6 +54,9 @@ PHP NEWS - Opcache: . Fix incorrect page_size check. (nielsdos) +- OpenSSL: + . Fixed php_openssl_set_server_dh_param() DH params errors handling. (nielsdos) + - PDO OCI: . Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars). (Michael Voříšek) diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index 58ba4b0499c..9aac4a0b70a 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -1222,7 +1222,7 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* return FAILURE; } - if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) < 0) { + if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) == 0) { php_error_docref(NULL, E_WARNING, "Failed assigning DH params"); EVP_PKEY_free(pkey); return FAILURE; @@ -1236,7 +1236,7 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* return FAILURE; } - if (SSL_CTX_set_tmp_dh(ctx, dh) < 0) { + if (SSL_CTX_set_tmp_dh(ctx, dh) == 0) { php_error_docref(NULL, E_WARNING, "Failed assigning DH params"); DH_free(dh); return FAILURE; @@ -1305,7 +1305,10 @@ static int php_openssl_set_server_specific_opts(php_stream *stream, SSL_CTX *ctx php_error_docref(NULL, E_WARNING, "rsa_key_size context option has been removed"); } - php_openssl_set_server_dh_param(stream, ctx); + if (php_openssl_set_server_dh_param(stream, ctx) == FAILURE) { + return FAILURE; + } + zv = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "single_dh_use"); if (zv == NULL || zend_is_true(zv)) { ssl_ctx_options |= SSL_OP_SINGLE_DH_USE;