History log of /PHP-7.4/ext/openssl/openssl.c (Results 1 – 25 of 641)
Revision Date Author Comments
# 6724d5d4 04-Aug-2021 Christoph M. Becker

Fix #81327: Error build openssl extension on php 7.4.22

The recent fix for bug 52093 is not compatible with LibreSSL ≥ 2.7.0,
which we recognize as mostly OpenSSL 1.1.0 compatible, but they still
do not support `ASN1_INTEGER_set_int64()`.

Closes GH-7339.



# 334387bb 01-Jul-2021 Christoph M. Becker

Fix #52093: openssl_csr_sign truncates $serial

We use `ASN1_INTEGER_set_int64()` if supported[1], to avoid the
truncation of the integer.

[1] <https://www.openssl.org/docs/man1.1.0/man3/ASN1_INTEGER_set_int64.html#HISTORY>

Closes GH-7209.



# 75667427 15-Feb-2021 Nikita Popov

Suppress OpenSSL error on missing optional config

openssl_pkey_new() fetches various options from the config file --
most of these are optional, and not specifying them is not an error
condition from the perspective of the user. Unfortunately, the
CONF_get_string() API pushes an error when accessing a key that
doesn't exist (_CONF_get_string does not, but that is presumably a
private API). This commit adds a helper php_openssl_conf_get_string()
that automatically clears the error in this case. I've found that
OpenSSL occasionally does the same thing internally:
https://github.com/openssl/openssl/blob/22040fb790c854cefb04bed98ed38ea6357daf83/apps/req.c#L515-L517

Closes GH-6699.



# 64b10854 15-Feb-2021 Nikita Popov

Fixed bug #80747

If RSA key generation fails, actually report that failure.


# ecee3f12 30-Nov-2020 Nikita Popov

Next attempt to fix bug #80368

Apparently treating LibreSSL as OpenSSL 1.1 is not just something
we did in our code, it's something that upstream LibreSSL claims,
despite not actually being compatible. Duh.

Check for EVP_CIPH_OCB_MODE instead, which should reliably
determine support...



# 0f579fd7 27-Nov-2020 Nikita Popov

Fixed bug #80368

We assume that usually LibreSSL supports everything OpenSSL 1.1 does.
In this instance, this is not the case.


# 1359f793 20-Oct-2020 Nikita Popov

Fix CCM tag length setting for old OpenSSL versions

While OpenSSL 1.1 allows unconditionally setting the CCM tag length
even for decryption, some older versions apparently do not. As such,
we do need to treat CCM and OCB separately after all.



# 750a74ed 14-Oct-2020 Nikita Popov

Fix bug #79983: Add support for OCB mode

OCB mode ciphers were already exposed to openssl_encrypt/decrypt,
but misbehaved, because they were not treated as AEAD ciphers.
From that perspective, OCB should be treated the same way as GCM.
In OpenSSL 1.1 the necessary controls were unified under
EVP_CTRL_AEAD_* (and OCB is only supported since OpenSSL 1.1).

Closes GH-6337.



# 6c6a58e9 13-Oct-2020 Nikita Popov

Allow passing $tag for non-authenticated encryption

openssl_encrypt() currently throws a warning if the $tag out
parameter is passed for a non-authenticated cipher. This violates
the principle that a function should behave the same if a parameter
is not passed, and if the default value is passed for the parameter.

I believe this warning should simply be dropped and the $tag be
populated with null, as is already the case. Otherwise, it is not
possible to use openssl_encrypt() in generic wrapper APIs, that are
compatible with both authenticated and non-authenticated encryption.

Closes GH-6333.



# 41e4a770 12-Oct-2020 Nikita Popov

Revert "Add missing X509 purpose constants"

This reverts commit 1e53e14bc31aec98a408e517c7c8493ef4bf80cd.

This fails on Travis.


# 1e53e14b 09-Oct-2020 Vincent JARDIN

Add missing X509 purpose constants

X509_PURPOSE_OCSP_HELPER, X509_PURPOSE_TIMESTAMP_SIGN are available
from OpenSSL for many years:

- X509_PURPOSE_OCSP_HELPER, since 2001
- X509_PURPOSE_TIMESTAMP_SIGN, since 2006

Also drop the ifdef check for X509_PURPOSE_ANY, as it is always
available in supported OpenSSL versions.

Closes GH-6312.



# 2f5cb702 27-Sep-2020 Stanislav Malyshev

Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)


# 0216630e 27-Sep-2020 Stanislav Malyshev

Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)


# 657a832a 22-Jul-2020 Nikita Popov

Fixed bug #79881


# 9eff906a 21-Jan-2020 Christoph M. Becker

Fix #79145: openssl memory leak

We must increase the refcount of `return_value` only if `cert` is a
resource; this is already done in `php_openssl_evp_from_zval()`,
though.


Revision tags: php-7.3.13RC1, php-7.2.26RC1, php-7.4.0, php-7.2.25, php-7.3.12, php-7.4.0RC6, php-7.3.12RC1, php-7.2.25RC1, php-7.4.0RC5, php-7.1.33, php-7.2.24, php-7.3.11, php-7.4.0RC4, php-7.3.11RC1, php-7.2.24RC1, php-7.4.0RC3, php-7.2.23, php-7.3.10, php-7.4.0RC2, php-7.2.23RC1, php-7.3.10RC1, php-7.4.0RC1, php-7.1.32, php-7.2.22, php-7.3.9, php-7.4.0beta4, php-7.2.22RC1, php-7.3.9RC1
# 699b465d 09-Aug-2019 Nikita Popov

Fixed bug #78391


Revision tags: php-7.4.0beta2, php-7.1.31, php-7.2.21, php-7.3.8, php-7.4.0beta1, php-7.2.21RC1, php-7.3.8RC1, php-7.4.0alpha3, php-7.3.7, php-7.2.20, php-7.4.0alpha2
# 99f3e0f0 21-Jun-2019 Nikita Popov

Fix PKCS12 leak in openssl


# c939a678 21-Jun-2019 Nikita Popov

Fix d leak in ecc openssl_pkey_new


# dfe6f0c1 21-Jun-2019 Nikita Popov

Fix netscape spki leak in openssl


# a0da2fb2 21-Jun-2019 Nikita Popov

Fix X509 leak in openssl_pkcs7_verify()


# e0bafc6d 21-Jun-2019 Nikita Popov

Fix CSR leaks in openssl


Revision tags: php-7.3.7RC3, php-7.3.7RC2, php-7.2.20RC2, php-7.4.0alpha1, php-7.3.7RC1, php-7.2.20RC1, php-7.2.19, php-7.3.6, php-7.1.30, php-7.2.19RC1, php-7.3.6RC1, php-7.1.29, php-7.2.18, php-7.3.5
# 32e6d08d 27-Apr-2019 Rosen Penev

Fix compilation without deprecated OpenSSL 1.1 APIs


# 457392fa 05-Jun-2019 Dmitry Stogov

Cheaper checks for exceptions thrown from __toString()


Revision tags: php-7.2.18RC1, php-7.3.5RC1, php-7.2.17, php-7.3.4, php-7.1.28, php-7.3.4RC1, php-7.2.17RC1, php-7.1.27, php-7.3.3, php-7.2.16
# a31f4642 26-Feb-2019 Nikita Popov

Allow exceptions in __toString()

RFC: https://wiki.php.net/rfc/tostring_exceptions

And convert some object to string conversion related recoverable
fatal errors into Error exceptions.

Improve exception safety of internal code performing string
conversions.



# 2e025794 02-Jun-2019 Jakub Zelenka

Fix bug #78079 (openssl_encrypt_ccm.phpt fails with OpenSSL 1.1.1c)

It also fixes invalid setting of tag length

