
Commit df587dd

committed
PHPC-1288: Apply TLS driver options to URI options
1 parent 929e2ca commit df587dd


1 file changed

+102
-47
lines changed


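--- a/php_phongo.c
+++ b/php_phongo.c
@@ -2049,15 +2049,16 @@ static bool php_phongo_apply_wc_options_to_uri(mongoc_uri_t* uri, bson_t* option
 
 static void php_phongo_mongoc_ssl_opts_from_uri(mongoc_ssl_opt_t* ssl_opt, mongoc_uri_t* uri, bool* any_ssl_option_set)
 {
-const char* pem_file = mongoc_uri_get_option_as_utf8(uri, MONGOC_URI_SSLCLIENTCERTIFICATEKEYFILE, NULL);
-const char* pem_pwd = mongoc_uri_get_option_as_utf8(uri, MONGOC_URI_SSLCLIENTCERTIFICATEKEYPASSWORD, NULL);
-const char* ca_file = mongoc_uri_get_option_as_utf8(uri, MONGOC_URI_SSLCERTIFICATEAUTHORITYFILE, NULL);
+bool insecure = mongoc_uri_get_option_as_bool(uri, MONGOC_URI_TLSINSECURE, false);
+const char* pem_file = mongoc_uri_get_option_as_utf8(uri, MONGOC_URI_TLSCERTIFICATEKEYFILE, NULL);
+const char* pem_pwd = mongoc_uri_get_option_as_utf8(uri, MONGOC_URI_TLSCERTIFICATEKEYFILEPASSWORD, NULL);
+const char* ca_file = mongoc_uri_get_option_as_utf8(uri, MONGOC_URI_TLSCAFILE, NULL);
 
 ssl_opt->pem_file = pem_file ? estrdup(pem_file) : NULL;
 ssl_opt->pem_pwd = pem_pwd ? estrdup(pem_pwd) : NULL;
 ssl_opt->ca_file = ca_file ? estrdup(ca_file) : NULL;
-ssl_opt->weak_cert_validation = mongoc_uri_get_option_as_bool(uri, MONGOC_URI_SSLALLOWINVALIDCERTIFICATES, false);
-ssl_opt->allow_invalid_hostname = mongoc_uri_get_option_as_bool(uri, MONGOC_URI_SSLALLOWINVALIDHOSTNAMES, false);
+ssl_opt->weak_cert_validation = mongoc_uri_get_option_as_bool(uri, MONGOC_URI_TLSALLOWINVALIDCERTIFICATES, insecure);
+ssl_opt->allow_invalid_hostname = mongoc_uri_get_option_as_bool(uri, MONGOC_URI_TLSALLOWINVALIDHOSTNAMES, insecure);
 
 /* Boolean options default to false, so we cannot consider them for
 * any_ssl_option_set. This isn't actually a problem as libmongoc will
@@ -2069,14 +2070,14 @@ static void php_phongo_mongoc_ssl_opts_from_uri(mongoc_ssl_opt_t* ssl_opt, mongo
 }
 }
 
-static inline char* php_phongo_fetch_ssl_opt_string(zval* zoptions, const char* key, int key_len)
+static inline char* php_phongo_fetch_ssl_opt_string(zval* zoptions, const char* key)
 {
 int plen;
 zend_bool pfree;
 char* pval;
 char* value;
 
-pval = php_array_fetchl_string(zoptions, key, key_len, &plen, &pfree);
+pval = php_array_fetch_string(zoptions, key, &plen, &pfree);
 value = pfree ? pval : estrndup(pval, plen);
 
 return value;
@@ -2119,51 +2120,14 @@ static mongoc_ssl_opt_t* php_phongo_make_ssl_opt(mongoc_uri_t* uri, zval* zoptio
 php_phongo_mongoc_ssl_opts_from_uri(ssl_opt, uri, &any_ssl_option_set);
 }
 
-/* Check canonical option names first and fall back to SSL context options
-* for backwards compatibility. */
-if (php_array_existsc(zoptions, "allow_invalid_hostname")) {
-ssl_opt->allow_invalid_hostname = php_array_fetchc_bool(zoptions, "allow_invalid_hostname");
-any_ssl_option_set = true;
-}
-
-if (php_array_existsc(zoptions, "weak_cert_validation")) {
-ssl_opt->weak_cert_validation = php_array_fetchc_bool(zoptions, "weak_cert_validation");
-any_ssl_option_set = true;
-} else if (php_array_existsc(zoptions, "allow_self_signed")) {
-ssl_opt->weak_cert_validation = php_array_fetchc_bool(zoptions, "allow_self_signed");
-any_ssl_option_set = true;
-}
-
 #define PHONGO_SSL_OPTION_SWAP_STRING(o, n) \
 if ((o)) { \
 efree((char*) (o)); \
 } \
-(o) = php_phongo_fetch_ssl_opt_string(zoptions, ZEND_STRL((n)));
-
-if (php_array_existsc(zoptions, "pem_file")) {
-PHONGO_SSL_OPTION_SWAP_STRING(ssl_opt->pem_file, "pem_file");
-any_ssl_option_set = true;
-} else if (php_array_existsc(zoptions, "local_cert")) {
-PHONGO_SSL_OPTION_SWAP_STRING(ssl_opt->pem_file, "local_cert");
-any_ssl_option_set = true;
-}
-
-if (php_array_existsc(zoptions, "pem_pwd")) {
-PHONGO_SSL_OPTION_SWAP_STRING(ssl_opt->pem_pwd, "pem_pwd");
-any_ssl_option_set = true;
-} else if (php_array_existsc(zoptions, "passphrase")) {
-PHONGO_SSL_OPTION_SWAP_STRING(ssl_opt->pem_pwd, "passphrase");
-any_ssl_option_set = true;
-}
-
-if (php_array_existsc(zoptions, "ca_file")) {
-PHONGO_SSL_OPTION_SWAP_STRING(ssl_opt->ca_file, "ca_file");
-any_ssl_option_set = true;
-} else if (php_array_existsc(zoptions, "cafile")) {
-PHONGO_SSL_OPTION_SWAP_STRING(ssl_opt->ca_file, "cafile");
-any_ssl_option_set = true;
-}
+(o) = php_phongo_fetch_ssl_opt_string(zoptions, n);
 
+/* Apply driver options that don't have a corresponding URI option. These
+* are set directly on the SSL options struct. */
 if (php_array_existsc(zoptions, "ca_dir")) {
 PHONGO_SSL_OPTION_SWAP_STRING(ssl_opt->ca_dir, "ca_dir");
 any_ssl_option_set = true;
@@ -2211,6 +2175,92 @@ static void php_phongo_free_ssl_opt(mongoc_ssl_opt_t* ssl_opt)
 
 efree(ssl_opt);
 }
+
+static inline bool php_phongo_apply_driver_option_to_uri(mongoc_uri_t* uri, zval* zoptions, const char* driverOptionKey, const char* optionKey)
+{
+bool ret;
+char* value;
+
+value = php_phongo_fetch_ssl_opt_string(zoptions, driverOptionKey);
+ret = mongoc_uri_set_option_as_utf8(uri, optionKey, value);
+efree(value);
+
+return ret;
+}
+
+static bool php_phongo_apply_driver_options_to_uri(mongoc_uri_t* uri, zval* zoptions TSRMLS_DC)
+{
+if (!zoptions) {
+return true;
+}
+
+/* Map TLS driver options to the canonical tls options in the URI. */
+if (php_array_existsc(zoptions, "allow_invalid_hostname")) {
+if (!mongoc_uri_set_option_as_bool(uri, MONGOC_URI_TLSALLOWINVALIDHOSTNAMES, php_array_fetchc_bool(zoptions, "allow_invalid_hostname"))) {
+phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Failed to parse \"%s\" driver option", "allow_invalid_hostname");
+
+return false;
+}
+}
+
+if (php_array_existsc(zoptions, "weak_cert_validation")) {
+if (!mongoc_uri_set_option_as_bool(uri, MONGOC_URI_TLSALLOWINVALIDCERTIFICATES, php_array_fetchc_bool(zoptions, "weak_cert_validation"))) {
+phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Failed to parse \"%s\" driver option", "weak_cert_validation");
+
+return false;
+}
+} else if (php_array_existsc(zoptions, "allow_self_signed")) {
+if (!mongoc_uri_set_option_as_bool(uri, MONGOC_URI_TLSALLOWINVALIDCERTIFICATES, php_array_fetchc_bool(zoptions, "allow_self_signed"))) {
+phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Failed to parse \"%s\" driver option", "allow_self_signed");
+
+return false;
+}
+}
+
+if (php_array_existsc(zoptions, "pem_file")) {
+if (!php_phongo_apply_driver_option_to_uri(uri, zoptions, "pem_file", MONGOC_URI_TLSCERTIFICATEKEYFILE)) {
+phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Failed to parse \"%s\" driver option", "pem_file");
+
+return false;
+}
+} else if (php_array_existsc(zoptions, "local_cert")) {
+if (!php_phongo_apply_driver_option_to_uri(uri, zoptions, "local_cert", MONGOC_URI_TLSCERTIFICATEKEYFILE)) {
+phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Failed to parse \"%s\" driver option", "local_cert");
+
+return false;
+}
+}
+
+if (php_array_existsc(zoptions, "pem_pwd")) {
+if (!php_phongo_apply_driver_option_to_uri(uri, zoptions, "pem_pwd", MONGOC_URI_TLSCERTIFICATEKEYFILEPASSWORD)) {
+phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Failed to parse \"%s\" driver option", "pem_pwd");
+
+return false;
+}
+} else if (php_array_existsc(zoptions, "passphrase")) {
+if (!php_phongo_apply_driver_option_to_uri(uri, zoptions, "passphrase", MONGOC_URI_TLSCERTIFICATEKEYFILEPASSWORD)) {
+phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Failed to parse \"%s\" driver option", "passphrase");
+
+return false;
+}
+}
+
+if (php_array_existsc(zoptions, "ca_file")) {
+if (!php_phongo_apply_driver_option_to_uri(uri, zoptions, "ca_file", MONGOC_URI_TLSCAFILE)) {
+phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Failed to parse \"%s\" driver option", "ca_file");
+
+return false;
+}
+} else if (php_array_existsc(zoptions, "cafile")) {
+if (!php_phongo_apply_driver_option_to_uri(uri, zoptions, "cafile", MONGOC_URI_TLSCAFILE)) {
+phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Failed to parse \"%s\" driver option", "cafile");
+
+return false;
+}
+}
+
+return true;
+}
 #endif
 
 /* APM callbacks */
@@ -2599,6 +2649,11 @@ void phongo_manager_init(php_phongo_manager_t* manager, const char* uri_string,
 }
 
 #ifdef MONGOC_ENABLE_SSL
+if (!php_phongo_apply_driver_options_to_uri(uri, driverOptions TSRMLS_CC)) {
+/* Exception should already have been thrown */
+goto cleanup;
+}
+
 ssl_opt = php_phongo_make_ssl_opt(uri, driverOptions TSRMLS_CC);
 
 /* An exception may be thrown during SSL option creation */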
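Review bot: The `pem_pwd` / `passphrase` branch of php_phongo_apply_driver_options_to_uri now copies the private-key passphrase into the `mongoc_uri_t` through `mongoc_uri_set_option_as_utf8()`, so the secret lives as long as the URI object rather than only inside `mongoc_ssl_opt_t`; any path that prints or logs the URI's options would presumably include it, which is worth confirming for the Manager's debug output. The temporary copy in php_phongo_apply_driver_option_to_uri is released with a plain `efree(value);` and is not cleared first. I would at least document this on the helper, e.g. `/* value may be a key passphrase: it ends up stored in the URI, so URI options must not be logged or dumped */`. If the setter validates its input as UTF-8 (not visible on this page), a passphrase or file path containing other bytes would now be rejected with the generic "Failed to parse" message, whereas the removed code passed it straight to the SSL options.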
