#
255e08ac |
| 03-Jan-2023 |
Gabriel Caruso |
Revert "Make build work with newer OpenSSL" This reverts commit 5f90134bb69a345c7edb5013e6461e84caa32dbc.
|
#
5f90134b |
| 19-Dec-2022 |
Stanislav Malyshev |
Make build work with newer OpenSSL
|
#
fa1b6ab5 |
| 22-Oct-2022 |
Jakub Zelenka |
Fix GH-8430: OpenSSL compiled with old digests does not build Specifically no-md2, no-md4 or no-rmd160 were not supported
|
#
84dcf578 |
| 15-Aug-2022 |
Jakub Zelenka |
Fix GH-9339: OpenSSL oid_file path check warning contains uninitialized path
|
#
b765d4cd |
| 21-May-2022 |
Jakub Zelenka |
Fix bug #50293 and #81713: file path checking in OpenSSL functions It introduces a single function to check file paths passed to OpenSSL functions. It expands the path, checks null bytes and finally does an open basedir check.
|
#
6724d5d4 |
| 04-Aug-2021 |
Christoph M. Becker |
Fix #81327: Error build openssl extension on php 7.4.22 The recent fix for bug 52093 is not compatible with LibreSSL ≥ 2.7.0, which we recognize as mostly OpenSSL 1.1.0 compatible, but they still do not support `ASN1_INTEGER_set_int64()`. Closes GH-7339.
|
#
334387bb |
| 01-Jul-2021 |
Christoph M. Becker |
Fix #52093: openssl_csr_sign truncates $serial We use `ASN1_INTEGER_set_int64()` if supported[1], to avoid the truncation of the integer. [1] <https://www.openssl.org/docs/man1.1.0/man3/ASN1_INTEGER_set_int64.html#HISTORY> Closes GH-7209.
|
#
b63ea104 |
| 16-Feb-2021 |
Nikita Popov |
Mark resource-like objects as non-comparable As these hold on to some internal resource, there can't be two "equal" objects with different identity. Make sure the lack of public properties doesn't result in these being treated as always equal.
|
#
75667427 |
| 15-Feb-2021 |
Nikita Popov |
Suppress OpenSSL error on missing optional config openssl_pkey_new() fetches various options from the config file -- most of these are optional, and not specifying them is not an error condition from the perspective of the user. Unfortunately, the CONF_get_string() API pushes an error when accessing a key that doesn't exist (_CONF_get_string does not, but that is presumably a private API). This commit adds a helper php_openssl_conf_get_string() that automatically clears the error in this case. I've found that OpenSSL occasionally does the same thing internally: https://github.com/openssl/openssl/blob/22040fb790c854cefb04bed98ed38ea6357daf83/apps/req.c#L515-L517 Closes GH-6699.
|
#
64b10854 |
| 15-Feb-2021 |
Nikita Popov |
Fixed bug #80747 If RSA key generation fails, actually report that failure.
|
#
ecee3f12 |
| 30-Nov-2020 |
Nikita Popov |
Next attempt to fix bug #80368 Apparently treating LibreSSL as OpenSSL 1.1 is not just something we did in our code, it's something that upstream LibreSSL claims, despite not actually being compatible. Duh. Check for EVP_CIPH_OCB_MODE instead, which should reliably determine support...
|
#
0f579fd7 |
| 27-Nov-2020 |
Nikita Popov |
Fixed bug #80368 We assume that usually LibreSSL supports everything OpenSSL 1.1 does. In this instance, this is not the case.
|
Revision tags: php-8.0.0, php-7.3.25, php-7.4.13, php-8.0.0RC5, php-7.4.13RC1, php-8.0.0RC4, php-7.3.25RC1, php-7.4.12, php-8.0.0RC3, php-7.3.24 |
|
#
1359f793 |
| 20-Oct-2020 |
Nikita Popov |
Fix CCM tag length setting for old OpenSSL versions While OpenSSL 1.1 allows unconditionally setting the CCM tag length even for decryption, some older versions apparently do not. As such, we do need to treat CCM and OCB separately after all.
|
#
750a74ed |
| 14-Oct-2020 |
Nikita Popov |
Fix bug #79983: Add support for OCB mode OCB mode ciphers were already exposed to openssl_encrypt/decrypt, but misbehaved, because they were not treated as AEAD ciphers. From that perspective, OCB should be treated the same way as GCM. In OpenSSL 1.1 the necessary controls were unified under EVP_CTRL_AEAD_* (and OCB is only supported since OpenSSL 1.1). Closes GH-6337.
|
#
251af732 |
| 14-Oct-2020 |
Nikita Popov |
Fix nullability of openssl_cms_sign() parameter
|
Revision tags: php-8.0.0RC2 |
|
#
6c6a58e9 |
| 13-Oct-2020 |
Nikita Popov |
Allow passing $tag for non-authenticated encryption openssl_encrypt() currently throws a warning if the $tag out parameter is passed for a non-authenticated cipher. This violates the principle that a function should behave the same if a parameter is not passed, and if the default value is passed for the parameter. I believe this warning should simply be dropped and the $tag be populated with null, as is already the case. Otherwise, it is not possible to use openssl_encrypt() in generic wrapper APIs, that are compatible with both authenticated and non-authenticated encryption. Closes GH-6333.
|
Revision tags: php-7.4.12RC1, php-7.3.24RC1 |
|
#
41e4a770 |
| 12-Oct-2020 |
Nikita Popov |
Revert "Add missing X509 purpose constants" This reverts commit 1e53e14bc31aec98a408e517c7c8493ef4bf80cd. This fails on Travis.
|
#
1e53e14b |
| 09-Oct-2020 |
Vincent JARDIN |
Add missing X509 purpose constants X509_PURPOSE_OCSP_HELPER, X509_PURPOSE_TIMESTAMP_SIGN are available from OpenSSL for many years: - X509_PURPOSE_OCSP_HELPER, since 2001 - X509_PURPOSE_TIMESTAMP_SIGN, since 2006 Also drop the ifdef check for X509_PURPOSE_ANY, as it is always available in supported OpenSSL versions. Closes GH-6312.
|
#
62c6d695 |
| 01-Oct-2020 |
Nikita Popov |
Add test instantiating all objects Intended to find issues in opaque object destructors. Closes GH-6251.
|
Revision tags: php-7.2.34, php-8.0.0rc1, php-7.4.11, php-7.3.23 |
|
#
2f5cb702 |
| 27-Sep-2020 |
Stanislav Malyshev |
Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)
|
#
0216630e |
| 27-Sep-2020 |
Stanislav Malyshev |
Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)
|
Revision tags: php-8.0.0beta4, php-7.4.11RC1, php-7.3.23RC1, php-8.0.0beta3, php-7.4.10, php-7.3.22 |
|
#
e8e4ddce |
| 20-Aug-2020 |
Máté Kocsis |
Improve parameter handling in ext/openssl Closes GH-6025
|
#
c98d4769 |
| 10-Sep-2020 |
Máté Kocsis |
Consolidate new union type ZPP macro names They will now follow the canonical order of types. Older macros are left intact due to maintaining BC. Closes GH-6112
|
#
3e149427 |
| 08-Sep-2020 |
Nikita Popov |
Require $method parameter in openssl_seal/openssl_open RC4 is considered insecure, and it's not possible to change the default of these functions. As such, require the method to be passed explicitly. Closes GH-6093.
|
Revision tags: php-8.0.0beta2, php-7.3.22RC1, php-7.4.10RC1 |
|
#
4522cbb7 |
| 16-Aug-2020 |
George Peter Banyard |
Promote various OpenSSL warnings into Errors Closes GH-5111
|