From 612e3ba1ff869b4282e48c7016029d8cf8e09761 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Wed, 16 Jan 2019 20:16:57 +0000 Subject: [PATCH 1/3] Session supports optional OpenSSL encryption. --- ext/session/php_session.h | 13 ++++ ext/session/session.c | 157 +++++++++++++++++++++++++++++++++++++- 2 files changed, 166 insertions(+), 4 deletions(-) diff --git a/ext/session/php_session.h b/ext/session/php_session.h index ef139196ca900..28f2df83633f2 100644 --- a/ext/session/php_session.h +++ b/ext/session/php_session.h @@ -20,6 +20,10 @@ #include "ext/standard/php_var.h" #include "ext/hash/php_hash.h" +#if defined(HAVE_OPENSSL_EXT) +# include "ext/openssl/php_openssl.h" +#endif + #define PHP_SESSION_API 20161017 #include "php_version.h" @@ -201,6 +205,15 @@ typedef struct _php_ps_globals { bool lazy_write; /* omit session write when it is possible */ bool in_save_handler; /* state if session is in save handler or not */ bool set_handler; /* state if session module i setting handler or not */ +#if defined(HAVE_OPENSSL_EXT) + bool ssl_encrypt; /* encrypt the session data */ + zend_string *ssl_iv; + char *ssl_tag; + char *ssl_method; + zend_long ssl_method_len; + zend_long ssl_iv_len; + zend_long ssl_tag_len; +#endif zend_string *session_vars; /* serialized original session data */ } php_ps_globals; diff --git a/ext/session/session.c b/ext/session/session.c index 8212ad23cd7bb..55277779c975a 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -116,6 +116,9 @@ static inline void php_rinit_session_globals(void) /* {{{ */ PS(define_sid) = 1; PS(session_vars) = NULL; PS(module_number) = my_module_number; +#if defined(HAVE_OPENSSL_EXT) + PS(ssl_iv) = NULL; +#endif ZVAL_UNDEF(&PS(http_session_vars)); } /* }}} */ 
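Review bot: Of the seven fields added to `php_ps_globals` in the `@@ -201,6 +205,15 @@` hunk, only `ssl_encrypt` carries a comment, and who owns the others cannot be read off the declaration. Later hunks of this patch bind `ssl_method` and `ssl_tag` to INI entries, while `ssl_iv` is a request-allocated `zend_string` released in `php_rshutdown_session_globals`. I would add comments such as `/* random IV created in php_session_initialize(), released at request shutdown */` on `ssl_iv` and `/* INI-owned string, never freed here */` on the two `char *` members. The struct begins and ends outside this hunk.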
@@ -143,6 +146,13 @@ static inline void php_rshutdown_session_globals(void) /* {{{ */ PS(session_vars) = NULL; } +#if defined(HAVE_OPENSSL_EXT) + if (PS(ssl_iv)) { + zend_string_release_ex(PS(ssl_iv), 0); + PS(ssl_iv) = NULL; + } +#endif + /* User save handlers may end up directly here by misuse, bugs in user script, etc. */ /* Set session status to prevent error while restoring save handler INI value. */ PS(session_status) = php_session_none; @@ -462,6 +472,41 @@ static int php_session_initialize(void) /* {{{ */ php_session_decode(val); zend_string_release_ex(val, 0); } +#if defined(HAVE_OPENSSL_EXT) + if (PS(ssl_encrypt)) { + zend_long ssl_method_len = strlen(PS(ssl_method)); + if (!ssl_method_len) { + php_error_docref(NULL, E_WARNING, "A cipher method is needed to encrypt the session"); + PS(ssl_encrypt) = 0; + } else { + zend_string *iv; + zend_long iv_len; + zend_long ssl_tag_len = strlen(PS(ssl_tag)); + + if (PS(ssl_iv)) + zend_string_release_ex(PS(ssl_iv), 0); + + if ((iv_len = php_openssl_cipher_iv_length(PS(ssl_method))) == -1 || iv_len == 0) { + php_error_docref(NULL, E_ERROR, "session.ssl_method `%s` is invalid", PS(ssl_method)); + return FAILURE; + } + + if ((iv = php_openssl_random_pseudo_bytes(iv_len)) == NULL) { + php_error_docref(NULL, E_ERROR, "session iv data failure"); + return FAILURE; + } + + if (!ssl_tag_len) + PS(ssl_tag) = NULL; + PS(ssl_tag_len) = ssl_tag_len; + + ZSTR_VAL(iv)[iv_len] = 0; + PS(ssl_method_len) = ssl_method_len; + PS(ssl_iv) = iv; + PS(ssl_iv_len) = iv_len; + } + } +#endif return SUCCESS; } /* }}} */ 
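Review bot: In `php_session_initialize` the new block runs after `php_session_decode(val)`, so the stored record is decoded before any IV exists for this request, and the IV created afterwards is fresh random data that none of the visible hunks writes out with the session record. As far as this patch shows, data encrypted in one request therefore cannot be decrypted by the next; the IV (and the authentication tag, if an AEAD method is used) would have to be stored next to the ciphertext and read back before decoding. Separately, `PS(ssl_iv)` is released at the top of the `else` branch but not cleared, so both failure exits leave a dangling pointer that `php_rshutdown_session_globals` would release a second time; add `PS(ssl_iv) = NULL;` right after the release. `strlen(PS(ssl_tag))` also assumes the pointer is never NULL, which stops being true once this block has executed `PS(ssl_tag) = NULL`. The function starts outside the hunk.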
@@ -823,6 +868,13 @@ PHP_INI_BEGIN() PHP_INI_ENTRY("session.sid_length", "32", PHP_INI_ALL, OnUpdateSidLength) PHP_INI_ENTRY("session.sid_bits_per_character", "4", PHP_INI_ALL, OnUpdateSidBits) STD_PHP_INI_BOOLEAN("session.lazy_write", "1", PHP_INI_ALL, OnUpdateLazyWrite, lazy_write, php_ps_globals, ps_globals) +#if defined(HAVE_OPENSSL_EXT) + STD_PHP_INI_BOOLEAN("session.ssl_encrypt", "0", PHP_INI_ALL, OnUpdateBool, ssl_encrypt, php_ps_globals, ps_globals) + STD_PHP_INI_ENTRY("session.ssl_method", "", PHP_INI_ALL, OnUpdateSessionString, ssl_method, php_ps_globals, ps_globals) + STD_PHP_INI_ENTRY("session.ssl_tag", "", PHP_INI_ALL, OnUpdateSessionString, ssl_tag, php_ps_globals, ps_globals) +#endif + + /* Commented out until future discussion */ /* Upload progress */ STD_PHP_INI_BOOLEAN("session.upload_progress.enabled", 
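Review bot: `session.ssl_encrypt` is registered with the generic `OnUpdateBool` and `PHP_INI_ALL`, so a script can flip it with ini_set() while a session is active, after `php_session_initialize` has already decided whether to set up `ssl_iv`. The encrypt and decrypt helpers added later in this patch test only `PS(ssl_encrypt)` and `PS(id)` before evaluating `ZSTR_VAL(PS(ssl_iv))`, so switching it on mid-session appears to reach that expression with a NULL pointer. The other two entries use `OnUpdateSessionString`, presumably the handler that rejects changes while a session is active; the boolean should get the session-aware counterpart as well (`OnUpdateSessionBool`, if this tree has it). The hunk also leaves the `/* Commented out until future discussion */` comment detached from the `session.encode_sources` line it describes.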
@@ -836,15 +888,69 @@ PHP_INI_BEGIN() STD_PHP_INI_ENTRY("session.upload_progress.freq", "1%", ZEND_INI_PERDIR, OnUpdateRfc1867Freq, rfc1867_freq, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.upload_progress.min_freq", "1", ZEND_INI_PERDIR, OnUpdateReal, rfc1867_min_freq,php_ps_globals, ps_globals) - - /* Commented out until future discussion */ /* PHP_INI_ENTRY("session.encode_sources", "globals,track", PHP_INI_ALL, NULL) */ PHP_INI_END() -/* }}} */ +/* }}} */ /* *************** * Serializers * *************** */ + +#if defined(HAVE_OPENSSL_EXT) +static int php_session_encrypt(smart_str *buf) /* {{{ */ +{ + zend_string* buffer; + smart_str res = {0}; + + if (!PS(ssl_encrypt) || !PS(id) || !buf->a) + return SUCCESS; + + zval *ztag = NULL; + + if (PS(ssl_tag_len) > 0) { + ztag = emalloc(sizeof(*ztag)); + ZVAL_STRINGL(ztag, PS(ssl_tag), PS(ssl_tag_len)); + } + + if ((buffer = php_openssl_encrypt(ZSTR_VAL(buf->s), buf->a, PS(ssl_method), PS(ssl_method_len), + ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id)), 0, ZSTR_VAL(PS(ssl_iv)), PS(ssl_iv_len), + ztag, PS(ssl_tag_len), NULL, 0)) == NULL) { + php_error_docref(NULL, E_WARNING, "Cannot encrypt the session data with method '%s', tag '%s'", + PS(ssl_method), PS(ssl_tag)); + efree(ztag); + return FAILURE; + } + + smart_str_free(buf); + res.s = zend_string_dup(buffer, 0); + res.a = ZSTR_LEN(buffer); + *buf = res; + zend_string_release_ex(buffer, 0); + efree(ztag); + return SUCCESS; +} +/* }}} */ + +static zend_string *php_session_decrypt(PS_SERIALIZER_DECODE_ARGS) /* {{{ */ +{ + zend_string* buffer; + + if (!PS(ssl_encrypt) || !PS(id) || !vallen) + return NULL; + + if ((buffer = php_openssl_decrypt((char *)val, vallen, PS(ssl_method), PS(ssl_method_len), + ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id)), 0, ZSTR_VAL(PS(ssl_iv)), PS(ssl_iv_len), + PS(ssl_tag), PS(ssl_tag_len), NULL, 0)) == NULL) { + php_error_docref(NULL, E_WARNING, "Cannot decrypt the session data with method '%s'", + PS(ssl_method)); + return NULL; + } + + return buffer; 
+} +/* }}} */ +#endif + PS_SERIALIZER_ENCODE_FUNC(php_serialize) /* {{{ */ { smart_str buf = {0}; @@ -853,6 +959,9 @@ PS_SERIALIZER_ENCODE_FUNC(php_serialize) /* {{{ */ IF_SESSION_VARS() { PHP_VAR_SERIALIZE_INIT(var_hash); php_var_serialize(&buf, Z_REFVAL(PS(http_session_vars)), &var_hash); +#if defined(HAVE_OPENSSL_EXT) + php_session_encrypt(&buf); +#endif PHP_VAR_SERIALIZE_DESTROY(var_hash); } return buf.s; @@ -867,6 +976,13 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */ int result; zend_string *var_name = zend_string_init("_SESSION", sizeof("_SESSION") - 1, 0); +#if defined(HAVE_OPENSSL_EXT) + zend_string* buffer = php_session_decrypt(val, vallen); + if (buffer) { + val = ZSTR_VAL(buffer); + endptr = val + ZSTR_LEN(buffer); + } +#endif ZVAL_NULL(&session_vars); PHP_VAR_UNSERIALIZE_INIT(var_hash); result = php_var_unserialize( @@ -887,9 +1003,14 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */ Z_ADDREF_P(&PS(http_session_vars)); zend_hash_update_ind(&EG(symbol_table), var_name, &PS(http_session_vars)); zend_string_release_ex(var_name, 0); +#if defined(HAVE_OPENSSL_EXT) + if (buffer) + zend_string_release_ex(buffer, 0); +#endif + return result || !vallen ? SUCCESS : FAILURE; } -/* }}} */ +/* }}} */ #define PS_BIN_NR_OF_BITS 8 #define PS_BIN_UNDEF (1<<(PS_BIN_NR_OF_BITS-1)) @@ -911,6 +1032,9 @@ PS_SERIALIZER_ENCODE_FUNC(php_binary) /* {{{ */ ); smart_str_0(&buf); +#if defined(HAVE_OPENSSL_EXT) + php_session_encrypt(&buf); +#endif PHP_VAR_SERIALIZE_DESTROY(var_hash); return buf.s; @@ -925,6 +1049,13 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ zend_string *name; php_unserialize_data_t var_hash; zval *current, rv; +#if defined(HAVE_OPENSSL_EXT) + zend_string* buffer = php_session_decrypt(val, vallen); + if (buffer) { + val = ZSTR_VAL(buffer); + endptr = val + ZSTR_LEN(buffer); + } +#endif PHP_VAR_UNSERIALIZE_INIT(var_hash); 
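Review bot: `php_session_encrypt` passes `buf->a` as the plaintext length, but in a `smart_str` that member is the allocated capacity, not the number of bytes written, so the cipher is fed whatever follows the serialized data in the buffer; both the emptiness test and the length argument should use `ZSTR_LEN(buf->s)` after checking `buf->s`. `ZVAL_STRINGL(ztag, …)` allocates a string that `efree(ztag)` does not release, so every call with a tag configured leaks it; call `zval_ptr_dtor_str(ztag);` before both `efree(ztag);` lines, or use a stack `zval`. If `php_openssl_encrypt` treats its tag argument as the output for the AEAD authentication tag, as openssl_encrypt() does, that tag is thrown away here while `php_session_decrypt` supplies the configured INI string instead, so an authenticated method could never verify.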
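Review bot: The return value of `php_session_encrypt(&buf)` is dropped in the `php_serialize` encoder and again in the `php_binary` and `php` encoders further down, so when encryption fails the function still returns `buf.s` holding the plain serialized data and the save handler stores it unencrypted with only a warning. With `session.ssl_encrypt` enabled a failure should not fall back to cleartext, for example `if (php_session_encrypt(&buf) == FAILURE) { smart_str_free(&buf); }` so that nothing readable is handed on. How the caller treats a NULL result is outside this hunk and should be checked before relying on it.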
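Review bot: When `php_session_decrypt` returns NULL the `php_serialize` decoder goes on to unserialize the original `val`, and NULL is returned both when encryption is disabled and when decrypting a stored record fails. With encryption enabled, a record that is not valid ciphertext is therefore still accepted as plaintext, so the setting gives no assurance that loaded data actually came through the cipher. The helper should report a decryption failure separately from "not enabled" (an out-parameter or a `zend_result` return would do), and the decoder should return `FAILURE` in that case. The same applies to the `php_binary` and `php` decoders below.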
@@ -954,6 +1085,10 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ php_session_normalize_vars(); PHP_VAR_UNSERIALIZE_DESTROY(var_hash); +#if defined(HAVE_OPENSSL_EXT) + if (buffer) + zend_string_release_ex(buffer, 0); +#endif return SUCCESS; } @@ -981,6 +1116,9 @@ PS_SERIALIZER_ENCODE_FUNC(php) /* {{{ */ ); smart_str_0(&buf); +#if defined(HAVE_OPENSSL_EXT) + php_session_encrypt(&buf); +#endif PHP_VAR_SERIALIZE_DESTROY(var_hash); return buf.s; @@ -997,6 +1135,13 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ php_unserialize_data_t var_hash; zval *current, rv; +#if defined(HAVE_OPENSSL_EXT) + zend_string* buffer = php_session_decrypt(val, vallen); + if (buffer) { + val = ZSTR_VAL(buffer); + endptr = val + ZSTR_LEN(buffer); + } +#endif PHP_VAR_UNSERIALIZE_INIT(var_hash); p = val; @@ -1031,6 +1176,10 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ php_session_normalize_vars(); PHP_VAR_UNSERIALIZE_DESTROY(var_hash); +#if defined(HAVE_OPENSSL_EXT) + if (buffer) + zend_string_release_ex(buffer, 0); +#endif return retval; } From 1db97ca9a0408f21d7aabf71ce96eac7dae7d4d9 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 16 Feb 2019 09:09:24 +0000 Subject: [PATCH 2/3] Using random token --- ext/openssl/openssl.c | 2 +- ext/session/php_session.h | 1 + ext/session/session.c | 57 +++++++++++++++++++++++++++++---------- 3 files changed, 45 insertions(+), 15 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 506074172a3b3..e36e603d29fc0 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -7433,7 +7433,7 @@ PHP_OPENSSL_API zend_string* php_openssl_encrypt( PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(data_len, data); PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(password_len, password); PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(aad_len, aad); - PHP_OPENSSL_CHECK_LONG_TO_INT_NULL_RETURN(tag_len, tag_len); + PHP_OPENSSL_CHECK_LONG_TO_INT_NULL_RETURN(tag_len, tag); cipher_type = EVP_get_cipherbyname(method); 
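Review bot: `buffer` is released only on this final path of the `php_binary` decoder, while `val` and `endptr` point into it for the whole loop above. The loop body lies between the two hunks and is not shown; if it contains an early `return FAILURE`, the decrypted copy leaks on that path, so the release belongs in a single cleanup label that every exit passes through. The same check is needed for the matching release at the end of the `php` decoder.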
diff --git a/ext/session/php_session.h b/ext/session/php_session.h index 28f2df83633f2..3d9bd14511281 100644 --- a/ext/session/php_session.h +++ b/ext/session/php_session.h @@ -208,6 +208,7 @@ typedef struct _php_ps_globals { #if defined(HAVE_OPENSSL_EXT) bool ssl_encrypt; /* encrypt the session data */ zend_string *ssl_iv; + zend_string *ssl_pw_tok; char *ssl_tag; char *ssl_method; zend_long ssl_method_len; diff --git a/ext/session/session.c b/ext/session/session.c index 55277779c975a..505ba40a38ad4 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -74,6 +74,7 @@ zend_class_entry *php_session_id_iface_entry; zend_class_entry *php_session_update_timestamp_iface_entry; #define PS_MAX_SID_LENGTH 256 +#define PW_TOK_LEN 32 /* *********** * Helpers * @@ -118,6 +119,7 @@ static inline void php_rinit_session_globals(void) /* {{{ */ PS(module_number) = my_module_number; #if defined(HAVE_OPENSSL_EXT) PS(ssl_iv) = NULL; + PS(ssl_pw_tok) = NULL; #endif ZVAL_UNDEF(&PS(http_session_vars)); } @@ -151,6 +153,11 @@ static inline void php_rshutdown_session_globals(void) /* {{{ */ zend_string_release_ex(PS(ssl_iv), 0); PS(ssl_iv) = NULL; } + + if (PS(ssl_pw_tok)) { + zend_string_release_ex(PS(ssl_pw_tok), 0); + PS(ssl_pw_tok) = NULL; + } #endif /* User save handlers may end up directly here by misuse, bugs in user script, etc. */ @@ -480,8 +487,9 @@ static int php_session_initialize(void) /* {{{ */ PS(ssl_encrypt) = 0; } else { zend_string *iv; + zend_string *pw_tok; zend_long iv_len; - zend_long ssl_tag_len = strlen(PS(ssl_tag)); + zend_long ssl_tag_len = PS(ssl_tag) ? strlen(PS(ssl_tag)) : 0; if (PS(ssl_iv)) zend_string_release_ex(PS(ssl_iv), 0); 
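Review bot: `PW_TOK_LEN` in the `@@ -74,6 +74,7 @@` hunk is introduced without a comment and with a generic, unprefixed name. Later hunks pass it as the password length to `php_openssl_encrypt` and `php_openssl_decrypt`, so it is the byte length of the random key material; a comment such as `/* bytes of random key material used as the cipher password */` and a `PS_`-prefixed name like the neighbouring `PS_MAX_SID_LENGTH` would make that clear. It is also worth stating how the fixed 32 relates to the key size of whatever `session.ssl_method` selects, since that directive is free-form.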
@@ -496,14 +504,21 @@ static int php_session_initialize(void) /* {{{ */ return FAILURE; } - if (!ssl_tag_len) + if ((pw_tok = php_openssl_random_pseudo_bytes(PW_TOK_LEN)) == NULL) { + php_error_docref(NULL, E_ERROR, "session token data failure"); + return FAILURE; + } + + if (!ssl_tag_len) { PS(ssl_tag) = NULL; + } + PS(ssl_tag_len) = ssl_tag_len; - ZSTR_VAL(iv)[iv_len] = 0; PS(ssl_method_len) = ssl_method_len; PS(ssl_iv) = iv; PS(ssl_iv_len) = iv_len; + PS(ssl_pw_tok) = pw_tok; } } #endif @@ -869,12 +884,11 @@ PHP_INI_BEGIN() PHP_INI_ENTRY("session.sid_bits_per_character", "4", PHP_INI_ALL, OnUpdateSidBits) STD_PHP_INI_BOOLEAN("session.lazy_write", "1", PHP_INI_ALL, OnUpdateLazyWrite, lazy_write, php_ps_globals, ps_globals) #if defined(HAVE_OPENSSL_EXT) - STD_PHP_INI_BOOLEAN("session.ssl_encrypt", "0", PHP_INI_ALL, OnUpdateBool, ssl_encrypt, php_ps_globals, ps_globals) - STD_PHP_INI_ENTRY("session.ssl_method", "", PHP_INI_ALL, OnUpdateSessionString, ssl_method, php_ps_globals, ps_globals) - STD_PHP_INI_ENTRY("session.ssl_tag", "", PHP_INI_ALL, OnUpdateSessionString, ssl_tag, php_ps_globals, ps_globals) + STD_PHP_INI_BOOLEAN("session.ssl_encrypt", "0", PHP_INI_ALL, OnUpdateBool, ssl_encrypt, php_ps_globals, ps_globals) + STD_PHP_INI_ENTRY("session.ssl_method", "", PHP_INI_ALL, OnUpdateSessionString, ssl_method, php_ps_globals, ps_globals) + STD_PHP_INI_ENTRY("session.ssl_tag", "", PHP_INI_ALL, OnUpdateSessionString, ssl_tag, php_ps_globals, ps_globals) #endif - /* Commented out until future discussion */ /* Upload progress */ STD_PHP_INI_BOOLEAN("session.upload_progress.enabled", 
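Review bot: The token that replaces the session id as cipher password is drawn at random on every `php_session_initialize` and kept only in `PS(ssl_pw_tok)`, which `php_rshutdown_session_globals` releases; nothing in these hunks stores it or derives it from a configured secret. A later request therefore gets a different key and, as far as the patch shows, cannot decrypt what this one wrote. The assignment `PS(ssl_pw_tok) = pw_tok;` also overwrites any token left from an earlier initialize in the same request without releasing it, unlike `ssl_iv` a few lines above; add `if (PS(ssl_pw_tok)) zend_string_release_ex(PS(ssl_pw_tok), 0);` before it. On the new failure exit the freshly allocated `iv` is not released either.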
@@ -888,9 +902,10 @@ PHP_INI_BEGIN() STD_PHP_INI_ENTRY("session.upload_progress.freq", "1%", ZEND_INI_PERDIR, OnUpdateRfc1867Freq, rfc1867_freq, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.upload_progress.min_freq", "1", ZEND_INI_PERDIR, OnUpdateReal, rfc1867_min_freq,php_ps_globals, ps_globals) + /* Commented out until future discussion */ /* PHP_INI_ENTRY("session.encode_sources", "globals,track", PHP_INI_ALL, NULL) */ PHP_INI_END() -/* }}} */ +/* }}} */ /* *************** * Serializers * @@ -902,8 +917,9 @@ static int php_session_encrypt(smart_str *buf) /* {{{ */ zend_string* buffer; smart_str res = {0}; - if (!PS(ssl_encrypt) || !PS(id) || !buf->a) + if (!PS(ssl_encrypt) || !PS(ssl_pw_tok) || !buf->a) { return SUCCESS; + } zval *ztag = NULL; @@ -913,7 +929,7 @@ static int php_session_encrypt(smart_str *buf) /* {{{ */ } if ((buffer = php_openssl_encrypt(ZSTR_VAL(buf->s), buf->a, PS(ssl_method), PS(ssl_method_len), - ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id)), 0, ZSTR_VAL(PS(ssl_iv)), PS(ssl_iv_len), + ZSTR_VAL(PS(ssl_pw_tok)), PW_TOK_LEN, 0, ZSTR_VAL(PS(ssl_iv)), PS(ssl_iv_len), ztag, PS(ssl_tag_len), NULL, 0)) == NULL) { php_error_docref(NULL, E_WARNING, "Cannot encrypt the session data with method '%s', tag '%s'", PS(ssl_method), PS(ssl_tag)); @@ -921,7 +937,7 @@ static int php_session_encrypt(smart_str *buf) /* {{{ */ return FAILURE; } - smart_str_free(buf); + smart_str_free(buf); res.s = zend_string_dup(buffer, 0); res.a = ZSTR_LEN(buffer); *buf = res; 
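Review bot: Every call of `php_session_encrypt` uses the same `PS(ssl_pw_tok)` together with the same `PS(ssl_iv)`, both fixed once in `php_session_initialize`. The serializers can run more than once per session (each write, and presumably session_encode()), so different plaintexts end up encrypted under one key/IV pair, which voids the confidentiality guarantees of counter-based and AEAD modes and reveals equal prefixes under CBC. Draw a new IV inside `php_session_encrypt` for each call and prepend it to the output so the decrypt side can read it back. The guard changed in the preceding hunk now checks `PS(ssl_pw_tok)` but still not `PS(ssl_iv)` before `ZSTR_VAL(PS(ssl_iv))` is evaluated.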
@@ -935,11 +951,11 @@ static zend_string *php_session_decrypt(PS_SERIALIZER_DECODE_ARGS) /* {{{ */ { zend_string* buffer; - if (!PS(ssl_encrypt) || !PS(id) || !vallen) + if (!PS(ssl_encrypt) || !PS(ssl_pw_tok) || !vallen) return NULL; if ((buffer = php_openssl_decrypt((char *)val, vallen, PS(ssl_method), PS(ssl_method_len), - ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id)), 0, ZSTR_VAL(PS(ssl_iv)), PS(ssl_iv_len), + ZSTR_VAL(PS(ssl_pw_tok)), PW_TOK_LEN, 0, ZSTR_VAL(PS(ssl_iv)), PS(ssl_iv_len), PS(ssl_tag), PS(ssl_tag_len), NULL, 0)) == NULL) { php_error_docref(NULL, E_WARNING, "Cannot decrypt the session data with method '%s'", PS(ssl_method)); @@ -1010,7 +1026,7 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */ return result || !vallen ? SUCCESS : FAILURE; } -/* }}} */ +/* }}} */ #define PS_BIN_NR_OF_BITS 8 #define PS_BIN_UNDEF (1<<(PS_BIN_NR_OF_BITS-1)) @@ -2411,6 +2427,19 @@ PHP_FUNCTION(session_regenerate_id) } zend_string_release_ex(PS(id), 0); PS(id) = NULL; +#if defined(HAVE_OPENSSL_EXT) + if (PS(ssl_pw_tok)) { + zend_string_release_ex(PS(ssl_pw_tok), 0); + PS(ssl_pw_tok) = NULL; + } + + PS(ssl_pw_tok) = php_openssl_random_pseudo_bytes(PW_TOK_LEN); + if (!PS(ssl_pw_tok)) { + PS(session_status) = php_session_none; + zend_throw_error(NULL, "Failed to create new session ID: %s (path: %s)", PS(mod)->s_name, PS(save_path)); + RETURN_FALSE; + } +#endif if (PS(mod)->s_open(&PS(mod_data), PS(save_path), PS(session_name)) == FAILURE) { PS(session_status) = php_session_none; From 8b4fce3fe0cc170a23477d6f9a058c4ae3c11f95 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Thu, 19 May 2022 22:28:01 +0100 Subject: [PATCH 3/3] disable for ZTS build --- ext/openssl/openssl.c | 2 +- ext/session/php_session.h | 2 +- ext/session/session.c | 43 +++++++++++++++++++++------------------ 3 files changed, 25 insertions(+), 22 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index e36e603d29fc0..506074172a3b3 100644 --- a/ext/openssl/openssl.c 
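Review bot: In `session_regenerate_id` the token is replaced unconditionally, without testing `PS(ssl_encrypt)` or whether `PS(ssl_iv)` was ever set up, and the failure branch reuses the "Failed to create new session ID" text although the session id is not what failed. Wrap the block in `if (PS(ssl_encrypt)) { … }` and give the error its own message, e.g. `"Failed to create session encryption token"`. The function body starts and ends outside the hunk.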
+++ b/ext/openssl/openssl.c @@ -7433,7 +7433,7 @@ PHP_OPENSSL_API zend_string* php_openssl_encrypt( PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(data_len, data); PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(password_len, password); PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(aad_len, aad); - PHP_OPENSSL_CHECK_LONG_TO_INT_NULL_RETURN(tag_len, tag); + PHP_OPENSSL_CHECK_LONG_TO_INT_NULL_RETURN(tag_len, tag_len); cipher_type = EVP_get_cipherbyname(method); diff --git a/ext/session/php_session.h b/ext/session/php_session.h index 3d9bd14511281..dcc6f1caf2baf 100644 --- a/ext/session/php_session.h +++ b/ext/session/php_session.h @@ -205,7 +205,7 @@ typedef struct _php_ps_globals { bool lazy_write; /* omit session write when it is possible */ bool in_save_handler; /* state if session is in save handler or not */ bool set_handler; /* state if session module i setting handler or not */ -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) bool ssl_encrypt; /* encrypt the session data */ zend_string *ssl_iv; zend_string *ssl_pw_tok; diff --git a/ext/session/session.c b/ext/session/session.c index 505ba40a38ad4..d473beffb5392 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -117,7 +117,8 @@ static inline void php_rinit_session_globals(void) /* {{{ */ PS(define_sid) = 1; PS(session_vars) = NULL; PS(module_number) = my_module_number; -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) + PS(ssl_iv_len) = 0; PS(ssl_iv) = NULL; PS(ssl_pw_tok) = NULL; #endif @@ -148,7 +149,7 @@ static inline void php_rshutdown_session_globals(void) /* {{{ */ PS(session_vars) = NULL; } -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) if (PS(ssl_iv)) { zend_string_release_ex(PS(ssl_iv), 0); PS(ssl_iv) = NULL; 
@@ -479,7 +480,7 @@ static int php_session_initialize(void) /* {{{ */ php_session_decode(val); zend_string_release_ex(val, 0); } -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) if (PS(ssl_encrypt)) { zend_long ssl_method_len = strlen(PS(ssl_method)); if (!ssl_method_len) { @@ -883,7 +884,7 @@ PHP_INI_BEGIN() PHP_INI_ENTRY("session.sid_length", "32", PHP_INI_ALL, OnUpdateSidLength) PHP_INI_ENTRY("session.sid_bits_per_character", "4", PHP_INI_ALL, OnUpdateSidBits) STD_PHP_INI_BOOLEAN("session.lazy_write", "1", PHP_INI_ALL, OnUpdateLazyWrite, lazy_write, php_ps_globals, ps_globals) -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) STD_PHP_INI_BOOLEAN("session.ssl_encrypt", "0", PHP_INI_ALL, OnUpdateBool, ssl_encrypt, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.ssl_method", "", PHP_INI_ALL, OnUpdateSessionString, ssl_method, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.ssl_tag", "", PHP_INI_ALL, OnUpdateSessionString, ssl_tag, php_ps_globals, ps_globals) @@ -911,7 +912,7 @@ PHP_INI_END() * Serializers * *************** */ -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) static int php_session_encrypt(smart_str *buf) /* {{{ */ { zend_string* buffer; @@ -935,9 +936,9 @@ static int php_session_encrypt(smart_str *buf) /* {{{ */ PS(ssl_method), PS(ssl_tag)); efree(ztag); return FAILURE; - } + } - smart_str_free(buf); + smart_str_free(buf); res.s = zend_string_dup(buffer, 0); res.a = ZSTR_LEN(buffer); *buf = res; @@ -945,7 +946,7 @@ static int php_session_encrypt(smart_str *buf) /* {{{ */ efree(ztag); return SUCCESS; } -/* }}} */ +/* }}} */ static zend_string *php_session_decrypt(PS_SERIALIZER_DECODE_ARGS) /* {{{ */ { 
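Review bot: With `&& !defined(ZTS)` on the INI block, the three `session.ssl_*` directives are no longer registered on thread-safe builds, so a php.ini that sets `session.ssl_encrypt=1` there has no effect and session data is stored in clear without any diagnostic. The commit gives no reason for excluding ZTS, and the same condition is now repeated at more than a dozen sites. I would define one feature macro in php_session.h under that condition, e.g. `#define PHP_SESSION_HAVE_ENCRYPTION 1`, with a comment explaining the ZTS restriction, and test that macro everywhere. On builds without the feature, registering the directive and warning when it is enabled would be safer than silently ignoring it.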
@@ -975,7 +976,7 @@ PS_SERIALIZER_ENCODE_FUNC(php_serialize) /* {{{ */ IF_SESSION_VARS() { PHP_VAR_SERIALIZE_INIT(var_hash); php_var_serialize(&buf, Z_REFVAL(PS(http_session_vars)), &var_hash); -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) php_session_encrypt(&buf); #endif PHP_VAR_SERIALIZE_DESTROY(var_hash); @@ -992,7 +993,7 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */ int result; zend_string *var_name = zend_string_init("_SESSION", sizeof("_SESSION") - 1, 0); -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) zend_string* buffer = php_session_decrypt(val, vallen); if (buffer) { val = ZSTR_VAL(buffer); @@ -1019,9 +1020,10 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */ Z_ADDREF_P(&PS(http_session_vars)); zend_hash_update_ind(&EG(symbol_table), var_name, &PS(http_session_vars)); zend_string_release_ex(var_name, 0); -#if defined(HAVE_OPENSSL_EXT) - if (buffer) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) + if (buffer) { zend_string_release_ex(buffer, 0); + } #endif return result || !vallen ? SUCCESS : FAILURE; @@ -1048,7 +1050,7 @@ PS_SERIALIZER_ENCODE_FUNC(php_binary) /* {{{ */ ); smart_str_0(&buf); -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) php_session_encrypt(&buf); #endif PHP_VAR_SERIALIZE_DESTROY(var_hash); @@ -1065,7 +1067,7 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ zend_string *name; php_unserialize_data_t var_hash; zval *current, rv; -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) zend_string* buffer = php_session_decrypt(val, vallen); if (buffer) { val = ZSTR_VAL(buffer); @@ -1101,7 +1103,7 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ php_session_normalize_vars(); PHP_VAR_UNSERIALIZE_DESTROY(var_hash); -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) if (buffer) zend_string_release_ex(buffer, 0); #endif 
@@ -1132,7 +1134,7 @@ PS_SERIALIZER_ENCODE_FUNC(php) /* {{{ */ ); smart_str_0(&buf); -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) php_session_encrypt(&buf); #endif @@ -1151,7 +1153,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ php_unserialize_data_t var_hash; zval *current, rv; -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) zend_string* buffer = php_session_decrypt(val, vallen); if (buffer) { val = ZSTR_VAL(buffer); @@ -1192,9 +1194,10 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ php_session_normalize_vars(); PHP_VAR_UNSERIALIZE_DESTROY(var_hash); -#if defined(HAVE_OPENSSL_EXT) - if (buffer) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) + if (buffer) { zend_string_release_ex(buffer, 0); + } #endif return retval; @@ -2427,7 +2430,7 @@ PHP_FUNCTION(session_regenerate_id) } zend_string_release_ex(PS(id), 0); PS(id) = NULL; -#if defined(HAVE_OPENSSL_EXT) +#if defined(HAVE_OPENSSL_EXT) && !defined(ZTS) if (PS(ssl_pw_tok)) { zend_string_release_ex(PS(ssl_pw_tok), 0); PS(ssl_pw_tok) = NULL;