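/**
 * Core upgrade utility class.
 *
 * @package    core
 * @copyright  2016 Cameron Ball <cameron@cameron1729.xyz>
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */

namespace core\upgrade;

defined('MOODLE_INTERNAL') || die();

/**
 * Core upgrade utility class.
 *
 * Provides environment checks that decide, from the version strings reported by cURL,
 * whether the PHP/cURL build is usable for SSL/TLS and whether it can speak TLS 1.2.
 * These are checks on reported version strings only; they do not perform a handshake.
 *
 * @package    core
 * @copyright  2016 Cameron Ball <cameron@cameron1729.xyz>
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */
final class util {

    /**
     * Gets the minimum version of a SSL/TLS library required for TLS 1.2 support.
     *
     * @param string $sslflavour The SSL/TLS library
     * @return string|false The version string if it exists. False otherwise
     */
    private static function get_min_ssl_lib_version_for_tls12($sslflavour) {
        // Min versions for TLS 1.2. A value of '*' means the library reports no version of
        // its own and the operating system version has to be checked instead.
        $versionmatrix = [
            'OpenSSL' => '1.0.1c',
            'GnuTLS' => '1.7.1',
            'NSS' => '3.15.1', // This number is usually followed by something like "Basic ECC".
            'CyaSSL' => '1.1.0',
            'wolfSSL' => '1.1.0',
            'PolarSSL' => '1.2.0',
            'WinSSL' => '*', // Does not specify a version but needs Windows >= 7.
            'SecureTransport' => '*' // Does not specify a version but needs iOS >= 5.0 or OS X >= 10.8.0.
        ];

        return isset($versionmatrix[$sslflavour]) ? $versionmatrix[$sslflavour] : false;
    }

    /**
     * Tests whether a reported version is at least the required minimum.
     *
     * The dotted numeric part is compared component by component as numbers, so "3.100" is
     * newer than "3.15.1" and "3.9" is older. A plain string comparison gets both of these
     * wrong, which matters here because the result gates whether TLS 1.2 is considered usable.
     * A letter suffix directly after the numbers (the "c" in OpenSSL's "1.0.1c") is compared
     * alphabetically only when the numeric parts are equal, so "1.0.1" is older than "1.0.1c".
     * version_compare() is deliberately not applied to the suffix: it treats "a" and "b" as
     * alpha/beta markers and would misorder OpenSSL patch letters.
     * Any other trailing text (" Basic ECC", "-fips") is ignored.
     *
     * @param string|null $version The reported version, null if none was reported
     * @param string $minversion The minimum acceptable version
     * @return bool True if $version is at least $minversion. False if either cannot be parsed
     */
    private static function version_at_least($version, $minversion) {
        if ($version === null) {
            return false;
        }

        $pattern = '/^(\d+(?:\.\d+)*)([a-z]*)/i';
        if (!preg_match($pattern, (string)$version, $have) || !preg_match($pattern, (string)$minversion, $need)) {
            // Fail closed: an unparseable version is not evidence of TLS 1.2 support.
            return false;
        }

        $order = version_compare($have[1], $need[1]);
        if ($order !== 0) {
            return $order > 0;
        }

        return strcmp(strtolower($have[2]), strtolower($need[2])) >= 0;
    }

    /**
     * Validates PHP/cURL extension for use with SSL/TLS.
     *
     * @param array $curlinfo array of cURL information as returned by curl_version()
     * @param int $zts 0 or 1 as defined by PHP_ZTS
     * @return bool
     */
    public static function validate_php_curl_tls(array $curlinfo, $zts) {
        if (empty($curlinfo['ssl_version'])) {
            return false;
        }

        $flavour = explode('/', $curlinfo['ssl_version'])[0];

        // In threadsafe mode the only valid choices are OpenSSL and GnuTLS.
        // NOTE(review): $zts is compared strictly with the integer 1, so a caller passing
        // true or '1' skips this restriction - callers should pass PHP_ZTS unchanged.
        if ($zts === 1 && !in_array($flavour, ['OpenSSL', 'GnuTLS'], true)) {
            return false;
        }

        return true;
    }

    /**
     * Tests if the system is capable of using TLS 1.2 for requests.
     *
     * @param array $curlinfo array of cURL information as returned by curl_version()
     * @param string $uname server uname
     * @return bool
     */
    public static function can_use_tls12(array $curlinfo, $uname) {
        // Do not compare the cURL version, e.g. $curlinfo['version_number'], with v7.34.0 (467456):
        // some Linux distros backport security issues and keep lower version numbers.
        if (!defined('CURL_SSLVERSION_TLSv1_2')) {
            return false;
        }

        // No SSL/TLS library reported at all: same guard as validate_php_curl_tls().
        if (empty($curlinfo['ssl_version'])) {
            return false;
        }

        $sslversion = explode('/', $curlinfo['ssl_version']);
        // NSS has a space in the version number.
        $flavour = explode(' ', $sslversion[0])[0];
        $version = count($sslversion) === 2 ? $sslversion[1] : null;

        $minversion = self::get_min_ssl_lib_version_for_tls12($flavour);
        if ($minversion === false) {
            // Unknown library: do not assume TLS 1.2 support.
            return false;
        }

        // Special case (see $versionmatrix in get_min_ssl_lib_version_for_tls12()).
        if ($flavour === 'WinSSL') {
            return self::version_at_least($uname, '6.1');
        }

        // Special case (see $versionmatrix in get_min_ssl_lib_version_for_tls12()).
        if ($flavour === 'SecureTransport') {
            return self::version_at_least($uname, '10.8.0');
        }

        return self::version_at_least($version, $minversion);
    }
}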