History log of /PHP-8.3/ext/openssl/openssl.c (Results 1 – 25 of 759)
# 80dd5a03 09-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix wrong merge


# 994e866c 03-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix memory leak in php_openssl_pkey_from_zval()

Closes GH-16691.


# 2f4f09f7 03-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix various memory leaks related to openssl exports

Closes GH-16692.


# ac8d0e57 03-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Prevent unexpected array entry conversion when reading key

When passing an array, the key entry can get converted to a string if it
is an object, but this actually modifies the original array entry.
The test originally outputted:

```
array(2) {
[0]=>
string(...) => ...
[1]=>
string(0) ""
}
```

This is unexpected. Use zval_try_get_string() to prevent this behaviour.

Closes GH-16693.


# 5ddb7566 03-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix various memory leaks on error conditions in openssl_x509_parse()

Closes GH-16690.


# 2bdf2f91 14-Oct-2024 Christoph M. Becker

Fix GH-16433: Large values for openssl_csr_sign() $days overflow

The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but
the `$days` parameter of `openssl_csr_sign()` a `zend_long`. We must
avoid signed integer overflow (UB), but also must not silently truncate.
Thus we check the given `$days` for the permissible range, and bail out
otherwise.

Closes GH-16437.


# 549bcdb7 11-Oct-2024 Christoph M. Becker

Fix GH-16357: openssl may modify member types of certificate arrays

We must not use `try_convert_to_string()` on members of unseparated
array arguments; instead of separating, we use `zval_try_get_string()`.

Closes GH-16370.


# 32c5ce34 02-Sep-2024 Remi Collet

Implement GH-13514 PASSWORD_ARGON2 from OpenSSL 3.2 (#13635)

* Implement GH-13514 PASSWORD_ARGON2 from OpenSSL 3.2

* simplify init/shutdown

* use php_base64_encode_ex

* - rename macros
  - use openssl RAND_bytes
  - CS

* add --with-openssl-argon2 build option

* check OSSL_KDF_PARAM_ARGON2_LANES instead of OSSL_set_max_threads

* Cleanup and CS

* save/restore old threads config + CS

* remove unneeded check


# 5853cdb7 20-Aug-2024 Gina Peter Bnayard

Use "must not" instead of "cannot" wording


# e7c4d54d 18-Aug-2024 Gina Peter Bnayard

Use new helper function for "cannot be empty" ValueErrors


# 11accb5c 25-Jun-2024 Arnaud Le Blanc

Preferably include from build dir (#13516)

* Include from build dir first

This fixes out of tree builds by ensuring that configure artifacts are included
from the build dir.

Before, out of tree builds would preferably include files from the src dir, as
the include path was defined as follows (ignoring includes from ext/ and sapi/) :

-I$(top_builddir)/main
-I$(top_srcdir)
-I$(top_builddir)/TSRM
-I$(top_builddir)/Zend
-I$(top_srcdir)/main
-I$(top_srcdir)/Zend
-I$(top_srcdir)/TSRM
-I$(top_builddir)/

As a result, an out of tree build would include configure artifacts such as
`main/php_config.h` from the src dir.

After this change, the include path is defined as follows:

-I$(top_builddir)/main
-I$(top_builddir)
-I$(top_srcdir)/main
-I$(top_srcdir)
-I$(top_builddir)/TSRM
-I$(top_builddir)/Zend
-I$(top_srcdir)/Zend
-I$(top_srcdir)/TSRM

* Fix extension include path for out of tree builds

* Include config.h with the brackets form

`#include "config.h"` searches in the directory containing the including-file
before any other include path. This can include the wrong config.h when building
out of tree and a config.h exists in the source tree.

Using `#include <config.h>` uses exclusively the include path, and gives
priority to the build dir.


# 5fffdaa4 09-Jun-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

openssl: change uses of sprintf into snprintf and zend_string_concat2


# 98736e8b 02-Jun-2024 Jakub Zelenka

Fix GH-13343: openssl_x509_parse should not allow omitted seconds in UTCTimes

Closes GH-14439

Signed-off-by: Jakub Zelenka <bukka@php.net>


# fd2d8696 08-Jun-2024 Gina Peter Banyard

Clean-up some more headers (#14416)

Remove unused headers (such as php_ini.h for extensions that don't define INI settings)
Use more specific headers when possible


# 5f2a0c83 26-Apr-2024 Manuel Mausz

Add support for Curve25519 + Curve448 based keys

For openssl_pkey_get_details we export the priv+pub parameters.

ED25519/ED448 do not support streaming, so we need to use
EVP_Digest{Sign,Verify} instead. In general the older EVP_{Sign,Verify}
interface should be avoided as the key is passed very late.
See BUGS section in OpenSSL manpages of EVP_{Sign,Verify}Final

Additionally per requirement we need to allow sign/verify without
digest. So we need to allow passing 0 as digest. In OpenSSL 3.0+ this also
corresponds to the default digest (see EVP_PKEY_get_default_digest_name).

For CSR creation we need to allow "null" as digest_alg option.

Closes GH-14052


# 8e62e2b8 22-May-2024 Cristian Rodríguez

Mark multiple functions as static (#13864)

* Mark many functions as static

Multiple functions are missing the static qualifier.

* remove unused struct sigactions

struct sigaction act, old_term, old_quit, old_int;
all unused.

* optimizer: minXOR and maxXOR are unused


# 956c3c2c 12-Apr-2024 Adam Saponara

ext/openssl: Add option to load legacy algorithm provider

OpenSSL 3.x relegated a set of insecure algorithms to a "legacy"
provider which is not loaded by default. Some of these algorithms
have utility beyond encryption such as for hashing, e.g., DES[1]

Add a compile-time option to load the legacy provider in 3.x. When
enabled, also load the default provider because loading any provider
explicitly disables auto-loading the default provider.

[1] https://github.com/vitessio/vitess/blob/9e40015748ede158357bd7291f583db138abc3df/go/vt/vtgate/vindexes/hash.go#L157

Closes GH-13951


# 3de3e137 25-Feb-2024 Ayesh Karunaratne

ext/openssl: Bump minimum required OpenSSL version to 1.1.1

Bumps the minimum required OpenSSL version from 1.0.2 to 1.1.1.

OpenSSL 1.1.1 is an LTS release, but has reached[^1] EOL from upstream. However, Linux distro/OS vendors
continue to ship OpenSSL 1.1.1, so 1.1.1 was picked as the minimum. The current minimum 1.0.2 reached
EOL in 2018.

Bumping the minimum required OpenSSL version makes it possible for ext-openssl to remove a bunch of
conditional code, and assume that TLS 1.3 (shipped with OpenSSL 1.1.1) will be supported everywhere.

- Debian buster: 1.1.1[^2]
- Ubuntu 20.04: 1.1.1[^3]
- CentOS/RHEL 7: 1.0.2
- RHEL 8/Rocky 8/EL 8: 1.1.1
- Fedora 38: 3.0.9 (`openssl11` provides OpenSSL 1.1 as well)

RHEL/CentOS 7 reaches EOL mid 2024, so for PHP 8.4 scheduled towards the end of this year, we can safely
bump the minimum OpenSSL version.

[^1]: https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html
[^2]: https://packages.debian.org/buster/libssl-dev
[^3]: https://packages.ubuntu.com/focal/libssl-dev


# e0679f3d 22-Dec-2023 Jakub Zelenka

Introduce new serial_hex parameter to openssl_csr_sign

Co-authored-by: Florian Sowade <f.sowade@suora.com>

Closes GH-13023
Closes GH-9851


# 48ebe588 20-Dec-2023 Jakub Zelenka

Implement request #48520: openssl_csr_new should allow multiple values/fields in dn

Closes GH-12984


# e8fde6bd 19-Dec-2023 Jakub Zelenka

Fix bug #80269: OpenSSL sets Subject wrong with extraattribs parameter

Closes GH-12979


# 5e2a586c 10-Dec-2023 David Carlier

ext/openssl: fix libressl build.

Close GH-12919


# 7c4763ab 21-Dec-2023 Jakub Zelenka

Fix GH-12987: openssl_csr_sign might leak new cert on error

Closes GH-12988


# f90b4041 23-Oct-2023 Jakub Zelenka

Fix #50713: openssl_pkcs7_verify() may ignore untrusted CAs

Closes GH-12499


# 83a242ec 21-Oct-2023 Jakub Zelenka

Fix GH-12489: Missing sigbio creation checking in openssl_cms_verify

Closes GH-12490

