80dd5a03 | 09-Nov-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix wrong merge

994e866c | 03-Nov-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix memory leak in php_openssl_pkey_from_zval()

Closes GH-16691.

2f4f09f7 | 03-Nov-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix various memory leaks related to openssl exports

Closes GH-16692.

ac8d0e57 | 03-Nov-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Prevent unexpected array entry conversion when reading key

When passing an array, the key entry can get converted to a string if it is an object, but this actually modifies the original array entry. The test originally outputted:

```
array(2) {
  [0]=>
  string(...) => ...
  [1]=>
  string(0) ""
}
```

This is unexpected. Use zval_try_get_string() to prevent this behaviour.

Closes GH-16693.

5ddb7566 | 03-Nov-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix various memory leaks on error conditions in openssl_x509_parse()

Closes GH-16690.

2bdf2f91 | 14-Oct-2024 | Christoph M. Becker
Fix GH-16433: Large values for openssl_csr_sign() $days overflow

The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but the `$days` parameter of `openssl_csr_sign()` a `zend_long`. We must avoid signed integer overflow (UB), but also must not silently truncate. Thus we check the given `$days` for the permissible range, and bail out otherwise.

Closes GH-16437.

549bcdb7 | 11-Oct-2024 | Christoph M. Becker
Fix GH-16357: openssl may modify member types of certificate arrays

We must not use `try_convert_to_string()` on members of unseparated array arguments; instead of separating, we use `zval_try_get_string()`.

Closes GH-16370.

32c5ce34 | 02-Sep-2024 | Remi Collet
Implement GH-13514 PASSWORD_ARGON2 from OpenSSL 3.2 (#13635)

* Implement GH-13514 PASSWORD_ARGON2 from OpenSSL 3.2
* simplify init/shutdown
* use php_base64_encode_ex
* - rename macros
  - use openssl RAND_bytes
  - CS
* add --with-openssl-argon2 build option
* check OSSL_KDF_PARAM_ARGON2_LANES instead of OSSL_set_max_threads
* Cleanup and CS
* save/restore old threads config + CS
* remove unneeded check

5853cdb7 | 20-Aug-2024 | Gina Peter Bnayard
Use "must not" instead of "cannot" wording

e7c4d54d | 18-Aug-2024 | Gina Peter Bnayard
Use new helper function for "cannot be empty" ValueErrors

11accb5c | 25-Jun-2024 | Arnaud Le Blanc
Preferably include from build dir (#13516)

* Include from build dir first

This fixes out of tree builds by ensuring that configure artifacts are included from the build dir.

Before, out of tree builds would preferably include files from the src dir, as the include path was defined as follows (ignoring includes from ext/ and sapi/):

  -I$(top_builddir)/main
  -I$(top_srcdir)
  -I$(top_builddir)/TSRM
  -I$(top_builddir)/Zend
  -I$(top_srcdir)/main
  -I$(top_srcdir)/Zend
  -I$(top_srcdir)/TSRM
  -I$(top_builddir)/

As a result, an out of tree build would include configure artifacts such as `main/php_config.h` from the src dir.

After this change, the include path is defined as follows:

  -I$(top_builddir)/main
  -I$(top_builddir)
  -I$(top_srcdir)/main
  -I$(top_srcdir)
  -I$(top_builddir)/TSRM
  -I$(top_builddir)/Zend
  -I$(top_srcdir)/Zend
  -I$(top_srcdir)/TSRM

* Fix extension include path for out of tree builds

* Include config.h with the brackets form

`#include "config.h"` searches in the directory containing the including file before any other include path. This can include the wrong config.h when building out of tree and a config.h exists in the source tree. Using `#include <config.h>` uses exclusively the include path, and gives priority to the build dir.

5fffdaa4 | 09-Jun-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
openssl: change uses of sprintf into snprintf and zend_string_concat2

98736e8b | 02-Jun-2024 | Jakub Zelenka
Fix GH-13343: openssl_x509_parse should not allow omitted seconds in UTCTimes

Closes GH-14439

Signed-off-by: Jakub Zelenka <bukka@php.net>

fd2d8696 | 08-Jun-2024 | Gina Peter Banyard
Clean-up some more headers (#14416)

Remove unused headers (such as php_ini.h for extensions that don't define INI settings)
Use more specific headers when possible

5f2a0c83 | 26-Apr-2024 | Manuel Mausz
Add support for Curve25519 + Curve448 based keys

For openssl_pkey_get_details we export the priv+pub parameters.

ED25519/ED448 do not support streaming, so we need to use EVP_Digest{Sign,Verify} instead. In general the older EVP_{Sign,Verify} interface should be avoided as the key is passed very late. See BUGS section in OpenSSL manpages of EVP_{Sign,Verify}Final.

Additionally per requirement we need to allow sign/verify without digest. So we need to allow passing 0 as digest. In OpenSSL 3.0+ this also corresponds to the default digest (see EVP_PKEY_get_default_digest_name).

For CSR creation we need to allow "null" as digest_alg option.

Closes GH-14052

8e62e2b8 | 22-May-2024 | Cristian Rodríguez
Mark multiple functions as static (#13864)

* Mark many functions as static

  Multiple functions are missing the static qualifier.

* remove unused struct sigactions

  struct sigaction act, old_term, old_quit, old_int; all unused.

* optimizer: minXOR and maxXOR are unused

956c3c2c | 12-Apr-2024 | Adam Saponara
ext/openssl: Add option to load legacy algorithm provider

OpenSSL 3.x relegated a set of insecure algorithms to a "legacy" provider which is not loaded by default. Some of these algorithms have utility beyond encryption such as for hashing, e.g., DES[1]

Add a compile-time option to load the legacy provider in 3.x. When enabled, also load the default provider because loading any provider explicitly disables auto-loading the default provider.

[1] https://github.com/vitessio/vitess/blob/9e40015748ede158357bd7291f583db138abc3df/go/vt/vtgate/vindexes/hash.go#L157

Closes GH-13951

3de3e137 | 25-Feb-2024 | Ayesh Karunaratne
ext/openssl: Bump minimum required OpenSSL version to 1.1.1

Bumps the minimum required OpenSSL version from 1.0.2 to 1.1.1.

OpenSSL 1.1.1 is an LTS release, but has reached[^1] EOL from upstream. However, Linux distro/OS vendors continue to ship OpenSSL 1.1.1, so 1.1.1 was picked as the minimum. The current minimum 1.0.2 reached EOL in 2018.

Bumping the minimum required OpenSSL version makes it possible for ext-openssl to remove a bunch of conditional code, and assume that TLS 1.3 (shipped with OpenSSL 1.1.1) will be supported everywhere.

- Debian buster: 1.1.1[^2]
- Ubuntu 20.04: 1.1.1[^3]
- CentOS/RHEL 7: 1.0.2
- RHEL 8/Rocky 8/EL 8: 1.1.1
- Fedora 38: 3.0.9 (`openssl11` provides OpenSSL 1.1 as well)

RHEL/CentOS 7 reaches EOL mid 2024, so for PHP 8.4 scheduled towards the end of this year, we can safely bump the minimum OpenSSL version.

[^1]: https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html
[^2]: https://packages.debian.org/buster/libssl-dev
[^3]: https://packages.ubuntu.com/focal/libssl-dev

5e2a586c | 10-Dec-2023 | David Carlier
ext/openssl: fix libressl build.

Close GH-12919

e0679f3d | 22-Dec-2023 | Jakub Zelenka
Introduce new serial_hex parameter to openssl_csr_sign

Co-authored-by: Florian Sowade <f.sowade@suora.com>

Closes GH-13023
Closes GH-9851

48ebe588 | 20-Dec-2023 | Jakub Zelenka
Implement request #48520: openssl_csr_new should allow multiple values/fields in dn

Closes GH-12984

e8fde6bd | 19-Dec-2023 | Jakub Zelenka
Fix bug #80269: OpenSSL sets Subject wrong with extraattribs parameter

Closes GH-12979

7c4763ab | 21-Dec-2023 | Jakub Zelenka
Fix GH-12987: openssl_csr_sign might leak new cert on error

Closes GH-12988

55e07484 | 23-Oct-2023 | Jakub Zelenka
Fix #50713: openssl_pkcs7_verify() may ignore untrusted CAs

Closes GH-12499

f90b4041 | 23-Oct-2023 | Jakub Zelenka
Fix #50713: openssl_pkcs7_verify() may ignore untrusted CAs

Closes GH-12499