[php-src] PHP-8.3: Fix GH-19245: Success error message on TLS stream accept failure
Author: Jakub Zelenka (bukka)
Date: 2025-08-12T17:28:33+02:00
Commit: https://github.com/php/php-src/commit/2b415e416edc557a5222cbb37da98cfecd575076
Raw diff: https://github.com/php/php-src/commit/2b415e416edc557a5222cbb37da98cfecd575076.diff
Fix GH-19245: Success error message on TLS stream accept failure
This overwrites the previous message from the successful accept call.
Closes GH-19246
Changed paths:
A ext/openssl/tests/gh19245.phpt
M NEWS
M ext/openssl/xp_ssl.c
Diff:
diff --git a/NEWS b/NEWS
index 84f0b1f10348e..de12a9a775e42 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.3.26
+- OpenSSL:
+ . Fixed bug GH-19245 (Success error message on TLS stream accept failure).
+ (Jakub Zelenka)
28 Aug 2025, PHP 8.3.25
diff --git a/ext/openssl/tests/gh19245.phpt b/ext/openssl/tests/gh19245.phpt
new file mode 100644
index 0000000000000..13433cc42a325
--- /dev/null
+++ b/ext/openssl/tests/gh19245.phpt
@@ -0,0 +1,53 @@
+--TEST--
+GH-19245: Success error message on TLS stream accept failure
+--EXTENSIONS--
+openssl
+--SKIPIF--
+<?php
+if (!function_exists("proc_open")) die("skip no proc_open");
+?>
+--FILE--
+<?php
+include 'ServerClientTestCase.inc';
+
+$baseDir = __DIR__ . '/gh19245';
+$baseDirCertFile = $baseDir . '/cert.crt';
+$baseDirPkFile = $baseDir . '/private.key';
+
+$serverCodeTemplate = <<<'CODE'
+ ini_set('log_errors', 'On');
+ ini_set('open_basedir', __DIR__ . '/gh19245');
+ $serverUri = "ssl://127.0.0.1:0";
+ $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+ $serverCtx = stream_context_create(['ssl' => [
+ 'local_cert' => '%s',
+ 'local_pk' => '%s',
+ ]]);
+
+ $sock = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
+ phpt_notify_server_start($sock);
+
+ $link = stream_socket_accept($sock);
+CODE;
+
+$clientCode = <<<'CODE'
+ $serverUri = "ssl://{{ ADDR }}";
+ $clientFlags = STREAM_CLIENT_CONNECT;
+
+ $clientCtx = stream_context_create(['ssl' => [
+ 'verify_peer' => false,
+ 'verify_peer_name' => false
+ ]]);
+
+ @stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx);
+CODE;
+
+$serverCode = sprintf($serverCodeTemplate, $baseDirCertFile . "\0test", $baseDirPkFile);
+ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
+
+?>
+--EXPECTF--
+PHP Warning: stream_socket_accept(): Path for local_cert in ssl stream context option must not contain any null bytes in %s
+PHP Warning: stream_socket_accept(): Unable to get real path of certificate file `%scert.crt' in %s
+PHP Warning: stream_socket_accept(): Failed to enable crypto in %s
+PHP Warning: stream_socket_accept(): Accept failed: Cannot enable crypto in %s
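Review bot: Nothing in the test says that the `"\0test"` suffix appended to the certificate path in the `sprintf()` call is the deliberate fault, so the first three expected warnings read as unrelated noise. A short comment above that line, e.g. `// NUL byte in local_cert makes TLS setup fail after the TCP accept has succeeded`, would tie the setup to the last expected line, `Accept failed: Cannot enable crypto`, which is the message this test exists to pin. Separately, the result of `stream_socket_accept()` is assigned to `$link` and never inspected, so the test passes on the warnings alone.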
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index 37ab9c4012d84..a9f5e277e78cf 100644
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -2398,6 +2398,12 @@ static inline int php_openssl_tcp_sockop_accept(php_stream *stream, php_openssl_
php_stream_close(xparam->outputs.client);
xparam->outputs.client = NULL;
xparam->outputs.returncode = -1;
+ if (xparam->want_errortext) {
+ if (xparam->outputs.error_text) {
+ zend_string_free(xparam->outputs.error_text);
+ }
+ xparam->outputs.error_text = ZSTR_INIT_LITERAL("Cannot enable crypto", 0);
+ }
}
}
}
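Review bot: The added block under `if (xparam->want_errortext)` replaces `outputs.error_text` without saying why a string is already there, which is the non-obvious part: per the commit message, the existing text is left over from the accept call that succeeded before TLS setup failed. A comment above the inner `if`, such as `/* accept() succeeded, so error_text still describes that call; replace it with the TLS failure */`, would keep a later reader from treating the free as redundant. `zend_string_free()` also presumes this code is the sole owner of the old string; if the code that fills it (not visible here) does not guarantee that, `zend_string_release_ex(xparam->outputs.error_text, 0);` is the more defensive call. The enclosing function starts and ends outside the hunk.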