From 261404a565629c476f88b0357d3ed3044e34d949 Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Sun, 27 Jul 2025 13:40:16 +0200 Subject: [PATCH] LDAP: Test TLS_PROTOCOL_MAX --- .github/scripts/setup-slapd.sh | 18 + .github/workflows/push.yml | 472 +++++++++--------- .../tests/ldap_start_tls_rc_max_version.phpt | 4 - 3 files changed, 254 insertions(+), 240 deletions(-) diff --git a/.github/scripts/setup-slapd.sh b/.github/scripts/setup-slapd.sh index f6b976783c77e..9487abcc21aa4 100755 --- a/.github/scripts/setup-slapd.sh +++ b/.github/scripts/setup-slapd.sh @@ -163,6 +163,23 @@ EOF sudo service slapd restart +# Debug: Test TLS_PROTOCOL_MAX setting like the failing PHP test +echo "=== TLS DEBUG: Testing TLS_PROTOCOL_MAX 3.2 ===" +TEMP_LDAP_CONF=$(mktemp) +echo 'TLS_PROTOCOL_MAX 3.2' > "$TEMP_LDAP_CONF" + +echo "Testing START_TLS with TLS_PROTOCOL_MAX 3.2 (should fail since server min is 3.3):" +LDAPCONF="$TEMP_LDAP_CONF" ldapsearch -H ldap://localhost -D cn=Manager,dc=my-domain,dc=com -w secret -s base -b dc=my-domain,dc=com -Z 'objectclass=*' >/dev/null 2>&1 +debug_rt=$? +if [ $debug_rt -eq 0 ]; then + echo "TLS_PROTOCOL_MAX test: UNEXPECTED SUCCESS - TLS version restriction not working" + exit 1 +else + echo "TLS_PROTOCOL_MAX test: FAILED as expected (exit code $debug_rt)" +fi +rm -f "$TEMP_LDAP_CONF" +echo "" + # Verify TLS connection tries=0 while : ; do @@ -182,3 +199,4 @@ while : ; do fi fi done + diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index ab25ec96888e9..f4edcb3eeae2d 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml 
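Review bot: The negative check added after `sudo service slapd restart` can pass without ever exercising the protocol limit, because any non-zero exit from `ldapsearch` is reported as "FAILED as expected" and its output is discarded with `>/dev/null 2>&1`. It runs before the `# Verify TLS connection` loop, which appears to be a retry loop, so a slapd that is not yet accepting connections would look the same as a rejected handshake. Moving the block after that loop and keeping stderr in the log would let a reader confirm the failure is a TLS error. In addition, `-Z` only requests StartTLS while `-ZZ` requires it to succeed, so `-ZZ 'objectclass=*'` ties the exit status to the TLS negotiation. The temp file is also left behind on the `exit 1` path; `trap 'rm -f "$TEMP_LDAP_CONF"' EXIT` right after `mktemp` would cover it.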
@@ -135,239 +135,239 @@ jobs: - name: Verify generated files are up to date if: ${{ !matrix.asan }} uses: ./.github/actions/verify-generated-files - LINUX_X32: - if: github.repository == 'php/php-src' || github.event_name == 'pull_request' - name: LINUX_X32_DEBUG_ZTS - runs-on: ubuntu-latest - timeout-minutes: 50 - container: - image: ubuntu:24.04 - env: - MYSQL_TEST_HOST: mysql - PDO_MYSQL_TEST_DSN: mysql:host=mysql;dbname=test - PDO_MYSQL_TEST_HOST: mysql - PDO_FIREBIRD_TEST_DSN: firebird:dbname=firebird:test.fdb - services: - mysql: - image: mysql:8.3 - ports: - - 3306:3306 - env: - MYSQL_DATABASE: test - MYSQL_ROOT_PASSWORD: root - firebird: - image: jacobalberty/firebird - ports: - - 3050:3050 - env: - ISC_PASSWORD: test - FIREBIRD_DATABASE: test.fdb - FIREBIRD_USER: test - FIREBIRD_PASSWORD: test - steps: - - name: git checkout - uses: actions/checkout@v4 - - name: apt - uses: ./.github/actions/apt-x32 - - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 - with: - key: "${{github.job}}-${{hashFiles('main/php_version.h')}}" - append-timestamp: false - - name: ./configure - uses: ./.github/actions/configure-x32 - with: - configurationParameters: >- - --enable-debug - --enable-zts - - name: make - run: make -j$(/usr/bin/nproc) >/dev/null - - name: make install - uses: ./.github/actions/install-linux-x32 - - name: Test Tracing JIT - uses: ./.github/actions/test-linux - with: - jitType: tracing - runTestsParameters: >- - -d opcache.enable_cli=1 - MACOS_DEBUG_NTS: - if: github.repository == 'php/php-src' || github.event_name == 'pull_request' - strategy: - fail-fast: false - matrix: - include: - - os: 15 - arch: ARM64 - name: MACOS_${{ matrix.arch }}_DEBUG_NTS - runs-on: macos-${{ matrix.os }} - timeout-minutes: 50 - steps: - - name: git checkout - uses: actions/checkout@v4 - - name: brew - uses: ./.github/actions/brew - - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 - with: - key: "${{github.job}}-${{matrix.os}}-${{hashFiles('main/php_version.h')}}" - 
append-timestamp: false - save: ${{ github.event_name != 'pull_request' }} - - name: ./configure - uses: ./.github/actions/configure-macos - with: - configurationParameters: --enable-debug --disable-zts - - name: make - run: |- - export PATH="$(brew --prefix)/opt/bison/bin:$PATH" - make -j$(sysctl -n hw.logicalcpu) >/dev/null - - name: make install - run: sudo make install - - name: Test Tracing JIT - uses: ./.github/actions/test-macos - with: - jitType: tracing - runTestsParameters: >- - -d opcache.enable_cli=1 - - name: Verify generated files are up to date - uses: ./.github/actions/verify-generated-files - WINDOWS: - if: github.repository == 'php/php-src' || github.event_name == 'pull_request' - name: WINDOWS_X64_ZTS - runs-on: windows-2022 - timeout-minutes: 50 - env: - PHP_BUILD_CACHE_BASE_DIR: C:\build-cache - PHP_BUILD_OBJ_DIR: C:\obj - PHP_BUILD_CACHE_SDK_DIR: C:\build-cache\sdk - PHP_BUILD_SDK_BRANCH: php-sdk-2.3.0 - PHP_BUILD_CRT: vs17 - PLATFORM: x64 - THREAD_SAFE: "1" - INTRINSICS: AVX2 - PARALLEL: -j2 - OPCACHE: "1" - steps: - - name: git config - run: git config --global core.autocrlf false && git config --global core.eol lf - - name: git checkout - uses: actions/checkout@v4 - - name: Setup - uses: ./.github/actions/setup-windows - - name: Build - run: .github/scripts/windows/build.bat - - name: Test - run: .github/scripts/windows/test.bat - BENCHMARKING: - name: BENCHMARKING - if: github.repository == 'php/php-src' || github.event_name == 'pull_request' - runs-on: ubuntu-24.04 - timeout-minutes: 50 - steps: - - name: git checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - # ASLR can cause a lot of noise due to missed sse opportunities for memcpy - # and other operations, so we disable it during benchmarking. 
- - name: Disable ASLR - run: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space - - name: apt - run: | - set -x - sudo apt-get update - sudo apt-get install \ - bison \ - libgmp-dev \ - libonig-dev \ - libsqlite3-dev \ - openssl \ - re2c \ - valgrind - - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 - with: - key: "${{github.job}}-${{hashFiles('main/php_version.h')}}" - append-timestamp: false - save: ${{ github.event_name != 'pull_request' }} - - name: ./configure - run: | - set -x - ./buildconf --force - ./configure \ - --disable-debug \ - --enable-mbstring \ - --enable-option-checking=fatal \ - --enable-sockets \ - --enable-werror \ - --prefix=/usr \ - --with-config-file-scan-dir=/etc/php.d \ - --with-gmp \ - --with-mysqli=mysqlnd \ - --with-openssl \ - --with-pdo-sqlite \ - --with-valgrind - - name: make - run: make -j$(/usr/bin/nproc) >/dev/null - - name: make install - run: | - set -x - sudo make install - sudo mkdir -p /etc/php.d - sudo chmod 777 /etc/php.d - echo mysqli.default_socket=/var/run/mysqld/mysqld.sock > /etc/php.d/mysqli.ini - echo opcache.enable=1 >> /etc/php.d/opcache.ini - echo opcache.enable_cli=1 >> /etc/php.d/opcache.ini - - name: Setup - run: | - git config --global user.name "Benchmark" - git config --global user.email "benchmark@php.net" - sudo service mysql start - mysql -uroot -proot -e "CREATE DATABASE IF NOT EXISTS wordpress" - mysql -uroot -proot -e "CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'wordpress'; FLUSH PRIVILEGES;" - mysql -uroot -proot -e "GRANT ALL PRIVILEGES ON *.* TO 'wordpress'@'localhost' WITH GRANT OPTION;" - - name: git checkout benchmarking-data - uses: actions/checkout@v4 - with: - repository: php/benchmarking-data - ssh-key: ${{ secrets.BENCHMARKING_DATA_DEPLOY_KEY }} - path: benchmark/repos/data - - name: Benchmark - run: php benchmark/benchmark.php true - - name: Store result - if: github.event_name == 'push' - run: | - set -x - cd benchmark/repos/data - git pull --autostash - if [ -e 
".git/MERGE_HEAD" ]; then - echo "Merging, can't proceed" - exit 1 - fi - git add . - if git diff --cached --quiet; then - exit 0 - fi - git commit -m "Add result for ${{ github.repository }}@${{ github.sha }}" - git push - - name: Show diff - if: github.event_name == 'pull_request' - run: |- - set -x - php benchmark/generate_diff.php \ - ${{ github.sha }} \ - $(git merge-base ${{ github.event.pull_request.base.sha }} ${{ github.sha }}) \ - > $GITHUB_STEP_SUMMARY - - uses: actions/upload-artifact@v4 - with: - name: profiles - path: ${{ github.workspace }}/benchmark/profiles - retention-days: 30 - FREEBSD: - if: github.repository == 'php/php-src' || github.event_name == 'pull_request' - name: FREEBSD - runs-on: ubuntu-latest - steps: - - name: git checkout - uses: actions/checkout@v4 - - name: FreeBSD - uses: ./.github/actions/freebsd + # LINUX_X32: + # if: github.repository == 'php/php-src' || github.event_name == 'pull_request' + # name: LINUX_X32_DEBUG_ZTS + # runs-on: ubuntu-latest + # timeout-minutes: 50 + # container: + # image: ubuntu:24.04 + # env: + # MYSQL_TEST_HOST: mysql + # PDO_MYSQL_TEST_DSN: mysql:host=mysql;dbname=test + # PDO_MYSQL_TEST_HOST: mysql + # PDO_FIREBIRD_TEST_DSN: firebird:dbname=firebird:test.fdb + # services: + # mysql: + # image: mysql:8.3 + # ports: + # - 3306:3306 + # env: + # MYSQL_DATABASE: test + # MYSQL_ROOT_PASSWORD: root + # firebird: + # image: jacobalberty/firebird + # ports: + # - 3050:3050 + # env: + # ISC_PASSWORD: test + # FIREBIRD_DATABASE: test.fdb + # FIREBIRD_USER: test + # FIREBIRD_PASSWORD: test + # steps: + # - name: git checkout + # uses: actions/checkout@v4 + # - name: apt + # uses: ./.github/actions/apt-x32 + # - name: ccache + # uses: hendrikmuhs/ccache-action@v1.2 + # with: + # key: "${{github.job}}-${{hashFiles('main/php_version.h')}}" + # append-timestamp: false + # - name: ./configure + # uses: ./.github/actions/configure-x32 + # with: + # configurationParameters: >- + # --enable-debug + # --enable-zts + # 
- name: make + # run: make -j$(/usr/bin/nproc) >/dev/null + # - name: make install + # uses: ./.github/actions/install-linux-x32 + # - name: Test Tracing JIT + # uses: ./.github/actions/test-linux + # with: + # jitType: tracing + # runTestsParameters: >- + # -d opcache.enable_cli=1 + # MACOS_DEBUG_NTS: + # if: github.repository == 'php/php-src' || github.event_name == 'pull_request' + # strategy: + # fail-fast: false + # matrix: + # include: + # - os: 15 + # arch: ARM64 + # name: MACOS_${{ matrix.arch }}_DEBUG_NTS + # runs-on: macos-${{ matrix.os }} + # timeout-minutes: 50 + # steps: + # - name: git checkout + # uses: actions/checkout@v4 + # - name: brew + # uses: ./.github/actions/brew + # - name: ccache + # uses: hendrikmuhs/ccache-action@v1.2 + # with: + # key: "${{github.job}}-${{matrix.os}}-${{hashFiles('main/php_version.h')}}" + # append-timestamp: false + # save: ${{ github.event_name != 'pull_request' }} + # - name: ./configure + # uses: ./.github/actions/configure-macos + # with: + # configurationParameters: --enable-debug --disable-zts + # - name: make + # run: |- + # export PATH="$(brew --prefix)/opt/bison/bin:$PATH" + # make -j$(sysctl -n hw.logicalcpu) >/dev/null + # - name: make install + # run: sudo make install + # - name: Test Tracing JIT + # uses: ./.github/actions/test-macos + # with: + # jitType: tracing + # runTestsParameters: >- + # -d opcache.enable_cli=1 + # - name: Verify generated files are up to date + # uses: ./.github/actions/verify-generated-files + # WINDOWS: + # if: github.repository == 'php/php-src' || github.event_name == 'pull_request' + # name: WINDOWS_X64_ZTS + # runs-on: windows-2022 + # timeout-minutes: 50 + # env: + # PHP_BUILD_CACHE_BASE_DIR: C:\build-cache + # PHP_BUILD_OBJ_DIR: C:\obj + # PHP_BUILD_CACHE_SDK_DIR: C:\build-cache\sdk + # PHP_BUILD_SDK_BRANCH: php-sdk-2.3.0 + # PHP_BUILD_CRT: vs17 + # PLATFORM: x64 + # THREAD_SAFE: "1" + # INTRINSICS: AVX2 + # PARALLEL: -j2 + # OPCACHE: "1" + # steps: + # - name: git config + 
# run: git config --global core.autocrlf false && git config --global core.eol lf + # - name: git checkout + # uses: actions/checkout@v4 + # - name: Setup + # uses: ./.github/actions/setup-windows + # - name: Build + # run: .github/scripts/windows/build.bat + # - name: Test + # run: .github/scripts/windows/test.bat + # BENCHMARKING: + # name: BENCHMARKING + # if: github.repository == 'php/php-src' || github.event_name == 'pull_request' + # runs-on: ubuntu-24.04 + # timeout-minutes: 50 + # steps: + # - name: git checkout + # uses: actions/checkout@v4 + # with: + # fetch-depth: 0 + # # ASLR can cause a lot of noise due to missed sse opportunities for memcpy + # # and other operations, so we disable it during benchmarking. + # - name: Disable ASLR + # run: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space + # - name: apt + # run: | + # set -x + # sudo apt-get update + # sudo apt-get install \ + # bison \ + # libgmp-dev \ + # libonig-dev \ + # libsqlite3-dev \ + # openssl \ + # re2c \ + # valgrind + # - name: ccache + # uses: hendrikmuhs/ccache-action@v1.2 + # with: + # key: "${{github.job}}-${{hashFiles('main/php_version.h')}}" + # append-timestamp: false + # save: ${{ github.event_name != 'pull_request' }} + # - name: ./configure + # run: | + # set -x + # ./buildconf --force + # ./configure \ + # --disable-debug \ + # --enable-mbstring \ + # --enable-option-checking=fatal \ + # --enable-sockets \ + # --enable-werror \ + # --prefix=/usr \ + # --with-config-file-scan-dir=/etc/php.d \ + # --with-gmp \ + # --with-mysqli=mysqlnd \ + # --with-openssl \ + # --with-pdo-sqlite \ + # --with-valgrind + # - name: make + # run: make -j$(/usr/bin/nproc) >/dev/null + # - name: make install + # run: | + # set -x + # sudo make install + # sudo mkdir -p /etc/php.d + # sudo chmod 777 /etc/php.d + # echo mysqli.default_socket=/var/run/mysqld/mysqld.sock > /etc/php.d/mysqli.ini + # echo opcache.enable=1 >> /etc/php.d/opcache.ini + # echo opcache.enable_cli=1 >> /etc/php.d/opcache.ini 
+ # - name: Setup + # run: | + # git config --global user.name "Benchmark" + # git config --global user.email "benchmark@php.net" + # sudo service mysql start + # mysql -uroot -proot -e "CREATE DATABASE IF NOT EXISTS wordpress" + # mysql -uroot -proot -e "CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'wordpress'; FLUSH PRIVILEGES;" + # mysql -uroot -proot -e "GRANT ALL PRIVILEGES ON *.* TO 'wordpress'@'localhost' WITH GRANT OPTION;" + # - name: git checkout benchmarking-data + # uses: actions/checkout@v4 + # with: + # repository: php/benchmarking-data + # ssh-key: ${{ secrets.BENCHMARKING_DATA_DEPLOY_KEY }} + # path: benchmark/repos/data + # - name: Benchmark + # run: php benchmark/benchmark.php true + # - name: Store result + # if: github.event_name == 'push' + # run: | + # set -x + # cd benchmark/repos/data + # git pull --autostash + # if [ -e ".git/MERGE_HEAD" ]; then + # echo "Merging, can't proceed" + # exit 1 + # fi + # git add . + # if git diff --cached --quiet; then + # exit 0 + # fi + # git commit -m "Add result for ${{ github.repository }}@${{ github.sha }}" + # git push + # - name: Show diff + # if: github.event_name == 'pull_request' + # run: |- + # set -x + # php benchmark/generate_diff.php \ + # ${{ github.sha }} \ + # $(git merge-base ${{ github.event.pull_request.base.sha }} ${{ github.sha }}) \ + # > $GITHUB_STEP_SUMMARY + # - uses: actions/upload-artifact@v4 + # with: + # name: profiles + # path: ${{ github.workspace }}/benchmark/profiles + # retention-days: 30 + # FREEBSD: + # if: github.repository == 'php/php-src' || github.event_name == 'pull_request' + # name: FREEBSD + # runs-on: ubuntu-latest + # steps: + # - name: git checkout + # uses: actions/checkout@v4 + # - name: FreeBSD + # uses: ./.github/actions/freebsd diff --git a/ext/ldap/tests/ldap_start_tls_rc_max_version.phpt b/ext/ldap/tests/ldap_start_tls_rc_max_version.phpt index e983b97c4b4ea..359785f8b5a34 100644 --- a/ext/ldap/tests/ldap_start_tls_rc_max_version.phpt 
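Review bot: The LINUX_X32, MACOS_DEBUG_NTS, WINDOWS, BENCHMARKING and FREEBSD jobs are commented out wholesale in this hunk, and nothing in it marks that as temporary, so the push workflow would silently lose that coverage if this landed as is. If the intent is only to speed up debugging of the LDAP test, a leading comment such as `# TEMP: jobs disabled while debugging LDAP TLS_PROTOCOL_MAX, restore before merge` makes that explicit. A job-level `if: false` on each job would give a much smaller diff that is easier to revert than 230 commented lines. The start of the `jobs:` section is outside the hunk, so whether other jobs remain enabled cannot be confirmed from here.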
+++ b/ext/ldap/tests/ldap_start_tls_rc_max_version.phpt @@ -6,10 +6,6 @@ ldap LDAPCONF={PWD}/ldap_start_tls_rc_max_version.conf --SKIPIF-- "OpenLDAP", "min_version" => 20600,