History log of /PHP-8.4/ext/openssl/openssl.c (Results 1 – 25 of 760)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
# 80dd5a03 09-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix wrong merge


# 994e866c 03-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix memory leak in php_openssl_pkey_from_zval()

Closes GH-16691.


# 2f4f09f7 03-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix various memory leaks related to openssl exports

Closes GH-16692.


# ac8d0e57 03-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Prevent unexpected array entry conversion when reading key

When passing an array, the key entry can get converted to a string if it
is an object, but this actually modifies the original

Prevent unexpected array entry conversion when reading key

When passing an array, the key entry can get converted to a string if it
is an object, but this actually modifies the original array entry.
The test originally outputted:

```
array(2) {
[0]=>
string(...) => ...
[1]=>
string(0) ""
}
```

This is unexpected. Use zval_try_get_string() to prevent this behaviour.

Closes GH-16693.

show more ...


# 5ddb7566 03-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix various memory leaks on error conditions in openssl_x509_parse()

Closes GH-16690.


# 2bdf2f91 14-Oct-2024 Christoph M. Becker

Fix GH-16433: Large values for openssl_csr_sign() $days overflow

The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but
the `$days` parameter of `openssl_csr_sign()` a `

Fix GH-16433: Large values for openssl_csr_sign() $days overflow

The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but
the `$days` parameter of `openssl_csr_sign()` a `zend_long`. We must
avoid signed integer overflow (UB), but also must not silently truncate.
Thus we check the given `$days` for the permissible range, and bail out
otherwise.

Closes GH-16437.

show more ...


# 549bcdb7 11-Oct-2024 Christoph M. Becker

Fix GH-16357: openssl may modify member types of certificate arrays

We must not use `try_convert_to_string()` on members of unseparated
array arguments; instead of separating, we use `zv

Fix GH-16357: openssl may modify member types of certificate arrays

We must not use `try_convert_to_string()` on members of unseparated
array arguments; instead of separating, we use `zval_try_get_string()`.

Closes GH-16370.

show more ...


# 32c5ce34 02-Sep-2024 Remi Collet

Implement GH-13514 PASSWORD_ARGON2 from OpenSSL 3.2 (#13635)

* Implement GH-13514 PASSWORD_ARGON2 from OpenSSL 3.2

* simplify init/shutdown

* use php_base64_encode_ex

Implement GH-13514 PASSWORD_ARGON2 from OpenSSL 3.2 (#13635)

* Implement GH-13514 PASSWORD_ARGON2 from OpenSSL 3.2

* simplify init/shutdown

* use php_base64_encode_ex

* - rename macros - use openssl RAND_bytes - CS

* add --with-openssl-argon2 build option

* check OSSL_KDF_PARAM_ARGON2_LANES instead of OSSL_set_max_threads

* Cleanup and CS

* save/restore old threads config + CS

* remove unneeded check

show more ...


# 5853cdb7 20-Aug-2024 Gina Peter Bnayard

Use "must not" instead of "cannot" wording


# e7c4d54d 18-Aug-2024 Gina Peter Bnayard

Use new helper function for "cannot be empty" ValueErrors


# 11accb5c 25-Jun-2024 Arnaud Le Blanc

Preferably include from build dir (#13516)

* Include from build dir first

This fixes out of tree builds by ensuring that configure artifacts are included
from the build dir.

Preferably include from build dir (#13516)

* Include from build dir first

This fixes out of tree builds by ensuring that configure artifacts are included
from the build dir.

Before, out of tree builds would preferably include files from the src dir, as
the include path was defined as follows (ignoring includes from ext/ and sapi/) :

-I$(top_builddir)/main
-I$(top_srcdir)
-I$(top_builddir)/TSRM
-I$(top_builddir)/Zend
-I$(top_srcdir)/main
-I$(top_srcdir)/Zend
-I$(top_srcdir)/TSRM
-I$(top_builddir)/

As a result, an out of tree build would include configure artifacts such as
`main/php_config.h` from the src dir.

After this change, the include path is defined as follows:

-I$(top_builddir)/main
-I$(top_builddir)
-I$(top_srcdir)/main
-I$(top_srcdir)
-I$(top_builddir)/TSRM
-I$(top_builddir)/Zend
-I$(top_srcdir)/Zend
-I$(top_srcdir)/TSRM

* Fix extension include path for out of tree builds

* Include config.h with the brackets form

`#include "config.h"` searches in the directory containing the including-file
before any other include path. This can include the wrong config.h when building
out of tree and a config.h exists in the source tree.

Using `#include <config.h>` uses exclusively the include path, and gives
priority to the build dir.

show more ...


# 5fffdaa4 09-Jun-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

openssl: change uses of sprintf into snprintf and zend_string_concat2


# 98736e8b 02-Jun-2024 Jakub Zelenka

Fix GH-13343: openssl_x509_parse should not allow omitted seconds in UTCTimes

Closes GH-14439

Signed-off-by: Jakub Zelenka <bukka@php.net>


# fd2d8696 08-Jun-2024 Gina Peter Banyard

Clean-up some more headers (#14416)

Remove unused headers (such as php_ini.h for extensions that don't define INI settings)
Use more specific headers when possible


# 5f2a0c83 26-Apr-2024 Manuel Mausz

Add support for Curve25519 + Curve448 based keys

For openssl_pkey_get_details we export the priv+pub parameters.

ED25519/ED448 do not support streaming, so we need to use
EVP_Di

Add support for Curve25519 + Curve448 based keys

For openssl_pkey_get_details we export the priv+pub parameters.

ED25519/ED448 do not support streaming, so we need to use
EVP_Digest{Sign,Verify} instead. In general the older EVP_{Sign,Verify}
interface should be avoided as the key is passed very late.
See BUGS section in OpenSSL manpages of EVP_{Sign,Verify}Final

Additionally per requirement we need to allow sign/verify without
digest. So we need to allow passing 0 as digest. In OpenSSL 3.0+ this also
corresponds to the default digest (see EVP_PKEY_get_default_digest_name).

For CSR creation we need to allow "null" as digest_alg option.

Closes GH-14052

show more ...


# 8e62e2b8 22-May-2024 Cristian Rodríguez

Mark multple functions as static (#13864)

* Mark many functions as static

Multiple functions are missing the static qualifier.

* remove unused struct sigactions

st

Mark multple functions as static (#13864)

* Mark many functions as static

Multiple functions are missing the static qualifier.

* remove unused struct sigactions

struct sigaction act, old_term, old_quit, old_int;
all unused.

* optimizer: minXOR and maxXOR are unused

show more ...


# 956c3c2c 12-Apr-2024 Adam Saponara

ext/openssl: Add option to load legacy algorithm provider

OpenSSL 3.x relegated a set of insecure algorithms to a "legacy"
provider which is not loaded by default. Some of these algorith

ext/openssl: Add option to load legacy algorithm provider

OpenSSL 3.x relegated a set of insecure algorithms to a "legacy"
provider which is not loaded by default. Some of these algorithms
have utility beyond encryption such as for hashing, e.g., DES[1]

Add a compile-time option to load the legacy provider in 3.x. When
enabled, also load the default provider because loading any provider
explicitly disables auto-loading the default provider.

[1] https://github.com/vitessio/vitess/blob/9e40015748ede158357bd7291f583db138abc3df/go/vt/vtgate/vindexes/hash.go#L157

Closes GH-13951

show more ...


# 3de3e137 25-Feb-2024 Ayesh Karunaratne

ext/openssl: Bump minimum required OpenSSL version to 1.1.1

Bumps the minimum required OpenSSL version from 1.0.2 to 1.1.1.

OpenSSL 1.1.1 is an LTS release, but has reached[^1] EOL

ext/openssl: Bump minimum required OpenSSL version to 1.1.1

Bumps the minimum required OpenSSL version from 1.0.2 to 1.1.1.

OpenSSL 1.1.1 is an LTS release, but has reached[^1] EOL from upstream. However, Linux distro/OS vendors
continue to ship OpenSSL 1.1.1, so 1.1.1 was picked as the minimum. The current minimum 1.0.2 reached
EOL in 2018.

Bumping the minimum required OpenSSL version makes it possible for ext-openssl to remove a bunch of
conditional code, and assume that TLS 1.3 (shipped with OpenSSL 1.1.1) will be supported everywhere.

- Debian buster: 1.1.1[^2]
- Ubuntu 20.04: 1.1.1[^3]
- CentOS/RHEL 7: 1.0.2
- RHEL 8/Rocky 8/EL 8: 1.1.1
- Fedora 38: 3.0.9 (`openssl11` provides OpenSSL 1.1 as well)

RHEL/CentOS 7 reaches EOL mid 2024, so for PHP 8.4 scheduled towards the end of this year, we can safely
bump the minimum OpenSSL version.

[^1]: https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html
[^2]: https://packages.debian.org/buster/libssl-dev
[^3]: https://packages.ubuntu.com/focal/libssl-dev

show more ...


# 5e2a586c 10-Dec-2023 David Carlier

ext/openssl: fix libressl build.

Close GH-12919


# e0679f3d 22-Dec-2023 Jakub Zelenka

Introduce new serial_hex parameter to openssl_csr_sign

Co-authored-by: Florian Sowade <f.sowade@suora.com>

Closes GH-13023
Closes GH-9851


# 48ebe588 20-Dec-2023 Jakub Zelenka

Implement request #48520: openssl_csr_new should allow multiple values/fields in dn

Closes GH-12984


# e8fde6bd 19-Dec-2023 Jakub Zelenka

Fix bug #80269: OpenSSL sets Subject wrong with extraattribs parameter

Closes GH-12979


# 7c4763ab 21-Dec-2023 Jakub Zelenka

Fix GH-12987: openssl_csr_sign might leak new cert on error

Closes GH-12988


# 55e07484 23-Oct-2023 Jakub Zelenka

Fix #50713: openssl_pkcs7_verify() may ignore untrusted CAs

Closes GH-12499


# f90b4041 23-Oct-2023 Jakub Zelenka

Fix #50713: openssl_pkcs7_verify() may ignore untrusted CAs

Closes GH-12499


12345678910>>...31