Fix GH-18529: additional inheriting of TLS int options

bukka · bukka · commit d34aeced2ef9 · 2025-06-08T14:16:06.000+02:00
This is for LDAP_OPT_X_TLS_PROTOCOL_MIN and LDAP_OPT_X_TLS_PROTOCOL_MAX It also adds a test that uses LDAPCONF with TLS max version lower than the minimum TLS server version so it should always fail. However it does not fial for the second case without this change which confirms that the change works as expected. Closes GH-18676
diff --git a/.github/scripts/setup-slapd.sh b/.github/scripts/setup-slapd.sh
@@ -72,6 +72,9 @@ olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key
 add: olcTLSVerifyClient
 olcTLSVerifyClient: never
 -
+add: olcTLSProtocolMin
+olcTLSProtocolMin: 3.3
+-
 add: olcAuthzRegexp
 olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com
 -
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
@@ -3732,7 +3732,8 @@ PHP_FUNCTION(ldap_rename_ext)
  */
 static int _php_ldap_tls_newctx(LDAP *ld)
 {
-	int val = 0, i, opts[] = {
+	int val = 0, i;
+	int str_opts[] = {
 #if (LDAP_API_VERSION > 2000)
 		LDAP_OPT_X_TLS_CACERTDIR,
 		LDAP_OPT_X_TLS_CACERTFILE,
@@ -3752,21 +3753,42 @@ static int _php_ldap_tls_newctx(LDAP *ld)
 #endif
 	0};
 
-	for (i=0 ; opts[i] ; i++) {
+	for (i=0 ; str_opts[i] ; i++) {
 		char *path = NULL;
 
-		ldap_get_option(ld, opts[i], &path);
+		ldap_get_option(ld, str_opts[i], &path);
 		if (path) {			/* already set locally */
 			ldap_memfree(path);
 		} else {
-			ldap_get_option(NULL, opts[i], &path);
+			ldap_get_option(NULL, str_opts[i], &path);
 			if (path) { 	/* set globally, inherit */
-				ldap_set_option(ld, opts[i], path);
+				ldap_set_option(ld, str_opts[i], path);
 				ldap_memfree(path);
 			}
 		}
 	}
 
+#ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
+	int int_opts[] = {
+		LDAP_OPT_X_TLS_PROTOCOL_MIN,
+#ifdef LDAP_OPT_X_TLS_PROTOCOL_MAX
+		LDAP_OPT_X_TLS_PROTOCOL_MAX,
+#endif
+		0
+	};
+	for (i=0 ; int_opts[i] ; i++) {
+		int value = 0;
+
+		ldap_get_option(ld, int_opts[i], &value);
+		if (value <= 0) { 	/* if value is not set already */
+			ldap_get_option(NULL, int_opts[i], &value);
+			if (value > 0) { 	/* set globally, inherit */
+				ldap_set_option(ld, int_opts[i], &value);
+			}
+		}
+	}
+#endif
+
 	return ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &val);
 }
 
diff --git a/ext/ldap/tests/ldap_start_tls_rc_max_version.conf b/ext/ldap/tests/ldap_start_tls_rc_max_version.conf
@@ -0,0 +1 @@
+TLS_PROTOCOL_MAX 3.2
diff --git a/ext/ldap/tests/ldap_start_tls_rc_max_version.phpt b/ext/ldap/tests/ldap_start_tls_rc_max_version.phpt
@@ -0,0 +1,41 @@
+--TEST--
+ldap_start_tls() - Basic ldap_start_tls test
+--EXTENSIONS--
+ldap
+--ENV--
+LDAPCONF={PWD}/ldap_start_tls_rc_max_version.conf
+--SKIPIF--
+<?php
+$require_vendor = [
+    "name" => "OpenLDAP",
+    "min_version" => 20500,
+];
+require_once __DIR__ .'/skipifbindfailure.inc';
+?>
+--FILE--
+<?php
+require_once "connect.inc";
+
+// CI uses self signed certificate
+
+// No cert option - fails
+$link = ldap_connect($uri);
+ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, $protocol_version);
+var_dump(@ldap_start_tls($link));
+
+// No cert check - should pass but due to ldaps check, it fails as well
+$link = ldap_connect($uri);
+ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, $protocol_version);
+ldap_set_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
+var_dump(@ldap_start_tls($link));
+
+// With cert check - fails
+$link = ldap_connect($uri);
+ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, $protocol_version);
+ldap_set_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
+var_dump(@ldap_start_tls($link));
+?>
+--EXPECT--
+bool(false)
+bool(false)
+bool(false)
diff --git a/ext/ldap/tests/skipifbindfailure.inc b/ext/ldap/tests/skipifbindfailure.inc
@@ -10,4 +10,37 @@ if ($skip_on_bind_failure) {
 
     ldap_unbind($link);
 }
+
+if (isset($require_vendor)) {
+    ob_start();
+    phpinfo(INFO_MODULES);
+    $phpinfo = ob_get_clean();
+
+    // Extract the LDAP section specifically
+    if (preg_match('/^ldap\s*$(.*?)^[a-z_]+\s*$/ims', $phpinfo, $ldap_section_match)) {
+        $ldap_section = $ldap_section_match[1];
+
+        // Extract vendor info from the LDAP section only
+        if (preg_match('/Vendor Name\s*=>\s*(.+)/i', $ldap_section, $name_match) &&
+            preg_match('/Vendor Version\s*=>\s*(\d+)/i', $ldap_section, $version_match)) {
+
+            $vendor_name = trim($name_match[1]);
+            $vendor_version = (int)$version_match[1];
+
+            // Check vendor name if specified
+            if (isset($require_vendor['name']) && $vendor_name !== $require_vendor['name']) {
+                die("skip Requires {$require_vendor['name']} (detected: $vendor_name)");
+            }
+
+            // Check minimum version if specified
+            if (isset($require_vendor['min_version']) && $vendor_version < $require_vendor['min_version']) {
+                die("skip Requires minimum version {$require_vendor['min_version']} (detected: $vendor_version)");
+            }
+        } else {
+            die("skip Cannot determine LDAP vendor information");
+        }
+    } else {
+        die("skip LDAP extension information not found");
+    }
+}
 ?>

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,9 @@ olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key`
`72`	`72`	`add: olcTLSVerifyClient`
`73`	`73`	`olcTLSVerifyClient: never`
`74`	`74`	`-`
	`75`	`+add: olcTLSProtocolMin`
	`76`	`+olcTLSProtocolMin: 3.3`
	`77`	`+-`
`75`	`78`	`add: olcAuthzRegexp`
`76`	`79`	`olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com`
`77`	`80`	`-`