Use PEM by default for import, export, serialize and test it

bukka · bukka · commit a3268f8ebaf1 · 2026-03-04T23:04:52.000+01:00
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
@@ -239,7 +239,7 @@ static void php_openssl_session_free_obj(zend_object *object)
 
 PHP_METHOD(OpenSSLSession, export)
 {
-	zend_long format = ENCODING_DER;
+	zend_long format = ENCODING_PEM;
 
 	ZEND_PARSE_PARAMETERS_START(0, 1)
 		Z_PARAM_OPTIONAL
@@ -291,7 +291,7 @@ PHP_METHOD(OpenSSLSession, export)
 PHP_METHOD(OpenSSLSession, import)
 {
 	zend_string *data;
-	zend_long format = ENCODING_DER;
+	zend_long format = ENCODING_PEM;
 
 	ZEND_PARSE_PARAMETERS_START(1, 2)
 		Z_PARAM_STR(data)
@@ -311,7 +311,7 @@ PHP_METHOD(OpenSSLSession, import)
 			BIO_free(bio);
 		}
 	} else {
-		zend_argument_value_error(2, "must be OPENSSL_ENCODING_DER or  OPENSSL_ENCODING_PEM");
+		zend_argument_value_error(2, "must be OPENSSL_ENCODING_DER or OPENSSL_ENCODING_PEM");
 		RETURN_THROWS();
 	}
 
@@ -402,26 +402,31 @@ PHP_METHOD(OpenSSLSession, getTicketLifetimeHint)
 
 	RETURN_LONG((zend_long)SSL_SESSION_get_ticket_lifetime_hint(obj->session));
 }
-
 PHP_METHOD(OpenSSLSession, __serialize)
 {
 	ZEND_PARSE_PARAMETERS_NONE();
 
 	PHP_OPENSSL_SESSION_CHECK();
 
-	int len = i2d_SSL_SESSION(obj->session, NULL);
-	if (len <= 0) {
+	BIO *bio = BIO_new(BIO_s_mem());
+	if (!bio) {
 		zend_throw_exception(php_openssl_exception_ce, "Failed to serialize session", 0);
 		RETURN_THROWS();
 	}
 
-	zend_string *der = zend_string_alloc(len, 0);
-	unsigned char *p = (unsigned char *)ZSTR_VAL(der);
-	i2d_SSL_SESSION(obj->session, &p);
-	ZSTR_VAL(der)[len] = '\0';
+	if (!PEM_write_bio_SSL_SESSION(bio, obj->session)) {
+		BIO_free(bio);
+		zend_throw_exception(php_openssl_exception_ce, "Failed to serialize session", 0);
+		RETURN_THROWS();
+	}
+
+	char *data;
+	long len = BIO_get_mem_data(bio, &data);
+	zend_string *pem = zend_string_init(data, len, 0);
+	BIO_free(bio);
 
 	array_init(return_value);
-	add_assoc_str(return_value, "der", der);
+	add_assoc_str(return_value, "pem", pem);
 }
 
 PHP_METHOD(OpenSSLSession, __unserialize)
@@ -432,14 +437,20 @@ PHP_METHOD(OpenSSLSession, __unserialize)
 		Z_PARAM_ARRAY_HT(data)
 	ZEND_PARSE_PARAMETERS_END();
 
-	zval *der_zv = zend_hash_str_find(data, ZEND_STRL("der"));
-	if (!der_zv || Z_TYPE_P(der_zv) != IS_STRING) {
+	zval *pem_zv = zend_hash_str_find(data, ZEND_STRL("pem"));
+	if (!pem_zv || Z_TYPE_P(pem_zv) != IS_STRING) {
 		zend_throw_exception(php_openssl_exception_ce, "Invalid serialization data", 0);
 		RETURN_THROWS();
 	}
 
-	const unsigned char *p = (const unsigned char *)Z_STRVAL_P(der_zv);
-	SSL_SESSION *session = d2i_SSL_SESSION(NULL, &p, Z_STRLEN_P(der_zv));
+	BIO *bio = BIO_new_mem_buf(Z_STRVAL_P(pem_zv), Z_STRLEN_P(pem_zv));
+	if (!bio) {
+		zend_throw_exception(php_openssl_exception_ce, "Failed to unserialize session", 0);
+		RETURN_THROWS();
+	}
+
+	SSL_SESSION *session = PEM_read_bio_SSL_SESSION(bio, NULL, NULL, NULL);
+	BIO_free(bio);
 
 	if (!session) {
 		zend_throw_exception(php_openssl_exception_ce, "Failed to unserialize session", 0);
diff --git a/ext/openssl/tests/session_resumption_import_export_session.phpt b/ext/openssl/tests/session_resumption_import_export_session.phpt
@@ -0,0 +1,98 @@
+--TEST--
+TLS session resumption - import and export session
+--EXTENSIONS--
+openssl
+--SKIPIF--
+<?php
+if (!function_exists("proc_open")) die("skip no proc_open");
+?>
+--FILE--
+<?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'session_resumption_serialize.pem.tmp';
+
+$serverCode = <<<'CODE'
+    $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+    $ctx = stream_context_create(['ssl' => [
+        'local_cert' => '%s',
+        'session_cache' => true,
+        'session_id_context' => 'test-basic',
+    ]]);
+
+    $server = stream_socket_server('tls://127.0.0.1:0', $errno, $errstr, $flags, $ctx);
+    phpt_notify_server_start($server);
+
+    /* Accept single connections */
+    $client = @stream_socket_accept($server, 30);
+    if ($client) {
+        fwrite($client, "Hello from server\n");
+        fclose($client);
+    }
+CODE;
+$serverCode = sprintf($serverCode, $certFile);
+
+$clientCode = <<<'CODE'
+    $sessionData = '';
+
+    $flags = STREAM_CLIENT_CONNECT;
+    $ctx = stream_context_create(['ssl' => [
+        'verify_peer' => false,
+        'verify_peer_name' => false,
+        'session_new_cb' => function($stream, $session) use (&$sessionData) {
+            if (empty($sessionData)) {
+                // default should be pem
+                $pemSessionData = $session->export();
+                var_dump($pemSessionData);
+                $session = OpenSSLSession::import($pemSessionData);
+                $pemSessionData = $session->export(OPENSSL_ENCODING_PEM);
+                var_dump($pemSessionData);
+                $session = OpenSSLSession::import($pemSessionData, OPENSSL_ENCODING_PEM);
+                $derSessionData = $session->export(OPENSSL_ENCODING_DER);
+                var_dump(strlen($derSessionData) > 0);
+                var_dump(strpos($derSessionData, 'BEGIN SSL SESSION PARAMETERS') === false);
+                $session = OpenSSLSession::import($derSessionData, OPENSSL_ENCODING_DER);
+                var_dump($session);
+            }
+            $sessionData = $session;
+        }
+    ]]);
+
+    /* First connection - full handshake */
+    $client1 = stream_socket_client("tls://{{ ADDR }}", $errno, $errstr, 30, $flags, $ctx);
+    if ($client1) {
+        echo trim(fgets($client1)) . "\n";
+        $meta1 = stream_get_meta_data($client1);
+        echo "First connection resumed: " . ($meta1['crypto']['session_reused'] ? "yes" : "no") . "\n";
+        echo "Session data received: " . (!empty($sessionData) ? "yes" : "no") . "\n";
+        fclose($client1);
+    }
+CODE;
+
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey('session_resumption_test', $certFile);
+
+include 'ServerClientTestCase.inc';
+ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'session_resumption_serialize.pem.tmp');
+?>
+--EXPECTF--
+string(%d) "-----BEGIN SSL SESSION PARAMETERS-----
+%a
+-----END SSL SESSION PARAMETERS-----
+"
+string(%d) "-----BEGIN SSL SESSION PARAMETERS-----
+%a
+-----END SSL SESSION PARAMETERS-----
+"
+bool(true)
+bool(true)
+object(OpenSSLSession)#%d (1) {
+  ["id"]=>
+  string(32) "%s"
+}
+Hello from server
+First connection resumed: no
+Session data received: yes
diff --git a/ext/openssl/tests/session_resumption_invalid_session_import.phpt b/ext/openssl/tests/session_resumption_invalid_session_import.phpt
@@ -1,5 +1,5 @@
 --TEST--
-TLS session resumption - server with cache disabled
+TLS session resumption - invalid session import
 --EXTENSIONS--
 openssl
 --SKIPIF--
diff --git a/ext/openssl/tests/session_resumption_serialize_session.phpt b/ext/openssl/tests/session_resumption_serialize_session.phpt
@@ -0,0 +1,84 @@
+--TEST--
+TLS session resumption - serialize session
+--EXTENSIONS--
+openssl
+--SKIPIF--
+<?php
+if (!function_exists("proc_open")) die("skip no proc_open");
+?>
+--FILE--
+<?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'session_resumption_serialize.pem.tmp';
+
+$serverCode = <<<'CODE'
+    $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+    $ctx = stream_context_create(['ssl' => [
+        'local_cert' => '%s',
+        'session_cache' => true,
+        'session_id_context' => 'test-basic',
+    ]]);
+
+    $server = stream_socket_server('tls://127.0.0.1:0', $errno, $errstr, $flags, $ctx);
+    phpt_notify_server_start($server);
+
+    /* Accept single connections */
+    $client = @stream_socket_accept($server, 30);
+    if ($client) {
+        fwrite($client, "Hello from server\n");
+        fclose($client);
+    }
+CODE;
+$serverCode = sprintf($serverCode, $certFile);
+
+$clientCode = <<<'CODE'
+    $sessionData = '';
+
+    $flags = STREAM_CLIENT_CONNECT;
+    $ctx = stream_context_create(['ssl' => [
+        'verify_peer' => false,
+        'verify_peer_name' => false,
+        'session_new_cb' => function($stream, $session) use (&$sessionData) {
+            if (empty($sessionData)) {
+                $serializedSessionData = serialize($session);
+                var_dump($serializedSessionData);
+                $session = unserialize($serializedSessionData);
+                var_dump($session);
+            }
+            $sessionData = $session;
+        }
+    ]]);
+
+    /* First connection - full handshake */
+    $client1 = stream_socket_client("tls://{{ ADDR }}", $errno, $errstr, 30, $flags, $ctx);
+    if ($client1) {
+        echo trim(fgets($client1)) . "\n";
+        $meta1 = stream_get_meta_data($client1);
+        echo "First connection resumed: " . ($meta1['crypto']['session_reused'] ? "yes" : "no") . "\n";
+        echo "Session data received: " . (!empty($sessionData) ? "yes" : "no") . "\n";
+        fclose($client1);
+    }
+CODE;
+
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey('session_resumption_test', $certFile);
+
+include 'ServerClientTestCase.inc';
+ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'session_resumption_serialize.pem.tmp');
+?>
+--EXPECTF--
+string(%d) "O:14:"OpenSSLSession":1:{s:3:"pem";s:%d:"-----BEGIN SSL SESSION PARAMETERS-----
+%a
+-----END SSL SESSION PARAMETERS-----
+";}"
+object(OpenSSLSession)#9 (1) {
+  ["id"]=>
+%a
+}
+Hello from server
+First connection resumed: no
+Session data received: yes
