#
5d62cfbc |
| 27-Jul-2022 |
Christoph M. Becker |
Tweak openssl_random_pseudo_bytes() upper bound error message As suggested by @guilliamxavier.
|
#
e52946eb |
| 25-Jul-2022 |
Christoph M. Becker |
Restrict range of buffer_length on all platforms to INT_MAX This has only been done for Windows systems so far, and there was a TODO comment about looping for larger values; that appears
Restrict range of buffer_length on all platforms to INT_MAX This has only been done for Windows systems so far, and there was a TODO comment about looping for larger values; that appears to be overkill, though, since 2 million bytes should be sufficient for all use cases, and if there is really the need for more, users can still loop manually. Anyhow, checking the range upfront on all platforms is clearer then silently casting to `int`. We split the error message for the least possible BC break. Closes GH-9126.
show more ...
|
#
b358834c |
| 20-Jul-2022 |
Máté Kocsis |
Declare ext/openssl constants in stubs (#9046)
|
Revision tags: php-8.1.9RC1, php-8.2.0beta1, php-8.0.22RC1, php-8.0.21, php-8.1.8, php-8.2.0alpha3, php-8.1.8RC1, php-8.2.0alpha2, php-8.0.21RC1, php-8.0.20, php-8.1.7, php-8.2.0alpha1, php-7.4.30, php-8.1.7RC1, php-8.0.20RC1, php-8.1.6, php-8.0.19, php-8.1.6RC1, php-8.0.19RC1, php-8.0.18, php-8.1.5 |
|
#
c311ab7e |
| 12-Apr-2022 |
Tim Düsterhus |
Mark parameter in ext/openssl as sensitive
|
#
b765d4cd |
| 21-May-2022 |
Jakub Zelenka |
Fix bug #50293 and #81713: file path checking in OpenSSL functions It introduces a single function to check file paths passed to OpenSSL functions. It expands the path, check null bytes
Fix bug #50293 and #81713: file path checking in OpenSSL functions It introduces a single function to check file paths passed to OpenSSL functions. It expands the path, check null bytes and finally does an open basedir check.
show more ...
|
#
2ecd46f4 |
| 22-May-2022 |
George Peter Banyard |
Initialise zend_stat_t to fix MSAN build
|
Revision tags: php-7.4.29, php-8.1.5RC1, php-8.0.18RC1, php-8.1.4, php-8.0.17, php-8.1.4RC1, php-8.0.17RC1, php-8.1.3, php-8.0.16, php-7.4.28, php-8.1.3RC1, php-8.0.16RC1, php-8.1.2, php-8.0.15, php-8.1.2RC1, php-8.0.15RC1, php-8.0.14, php-8.1.1, php-7.4.27, php-8.1.1RC1, php-8.0.14RC1, php-7.4.27RC1, php-8.1.0, php-8.0.13, php-7.4.26, php-7.3.33, php-8.1.0RC6, php-7.4.26RC1, php-8.0.13RC1, php-8.1.0RC5, php-7.3.32, php-7.4.25, php-8.0.12, php-8.1.0RC4 |
|
#
7f0d3f54 |
| 08-Oct-2021 |
Nikita Popov |
Fixed bug #81502 Allow $tag to be null. This is the value that openssl_encrypt() sets it to for non-AEAD ciphers, so we should also accept this as an input to openssl_decrypt().
Fixed bug #81502 Allow $tag to be null. This is the value that openssl_encrypt() sets it to for non-AEAD ciphers, so we should also accept this as an input to openssl_decrypt(). Prior to PHP 8.1, null was accepted in weak mode due to the special treatment of null arguments to internal functions.
show more ...
|
Revision tags: php-8.0.12RC1, php-7.4.25RC1, php-8.1.0RC3, php-8.0.11, php-7.4.24, php-7.3.31, php-8.1.0RC2 |
|
#
6ee96f09 |
| 10-Sep-2021 |
Remi Collet |
fix [-Wmaybe-uninitialized] build warnings
|
Revision tags: php-7.4.24RC1, php-8.0.11RC1, php-8.1.0RC1, php-7.4.23, php-8.0.10, php-7.3.30, php-8.1.0beta3 |
|
#
7b34db06 |
| 10-Aug-2021 |
Nikita Popov |
Switch default PKCS7/CMS cipher to AES-128-CBC Switch default cipher for openssl_pkcs7_encrypt() and openssl_cms_encrypt() from RC2-40 to AES-128-CBC. The RC2-40 cipher is consi
Switch default PKCS7/CMS cipher to AES-128-CBC Switch default cipher for openssl_pkcs7_encrypt() and openssl_cms_encrypt() from RC2-40 to AES-128-CBC. The RC2-40 cipher is considered insecure and is not loaded by default in OpenSSL 3, which means that these functions will always fail with default arguments. As the used algorithm is embedded in the result (which makes this different from the openssl_encrypt() case) changing the default algorithm should be safe. Closes GH-7357.
show more ...
|
Revision tags: php-8.0.10RC1, php-7.4.23RC1 |
|
#
c51af22f |
| 05-Aug-2021 |
Remi Collet |
implement openssl_256 and openssl_512 for phar singatures
|
#
7d2a2c7d |
| 11-Aug-2021 |
Nikita Popov |
Fix openssl memory leaks Some leaks that snuck in during refactorings.
|
#
3724b49a |
| 09-Aug-2021 |
Nikita Popov |
Use param API to create RSA key Instead of deprecated low-level API. A caveat here is that when using the high-level API, OpenSSL 3 requires that if the prime factors are set, t
Use param API to create RSA key Instead of deprecated low-level API. A caveat here is that when using the high-level API, OpenSSL 3 requires that if the prime factors are set, the CRT parameters are also set. See https://github.com/openssl/openssl/issues/16271. As such, add CRT parameters to the manual construction test. This fixes the last deprecation warnings in openssl.c, but there are more elsewhere.
show more ...
|
#
ff2a39e6 |
| 09-Aug-2021 |
Nikita Popov |
Add missing unsigned qualifier This previously got lost in the deprecation warning noise.
|
#
6db2c2db |
| 06-Aug-2021 |
Nikita Popov |
Use param API for openssl_pkey_get_details() Now that the DSA/DH/EC keys are not created using the legacy API, we can fetch the details using the param API as well, and not run into
Use param API for openssl_pkey_get_details() Now that the DSA/DH/EC keys are not created using the legacy API, we can fetch the details using the param API as well, and not run into buggy priv_key handling.
show more ...
|
#
26a51e8d |
| 09-Aug-2021 |
Nikita Popov |
Extract public key portion via PEM roundtrip The workaround with cloning the X509_REQ no longer works in OpenSSL 3. Instead extract the public key portion by round tripping through P
Extract public key portion via PEM roundtrip The workaround with cloning the X509_REQ no longer works in OpenSSL 3. Instead extract the public key portion by round tripping through PEM.
show more ...
|
#
f9e701cd |
| 09-Aug-2021 |
Nikita Popov |
Use param API for creating EC keys Rather than the deprecated low level APIs.
|
#
14d7c7e9 |
| 09-Aug-2021 |
Nikita Popov |
Extract EC key initialization
|
#
94bc5fce |
| 08-Aug-2021 |
Nikita Popov |
Use OpenSSL NCONF APIs (#7337)
|
#
a0972deb |
| 08-Aug-2021 |
Remi Collet |
minimal fix for openssl 3.0 (#7002)
|
#
2bf316fd |
| 06-Aug-2021 |
Nikita Popov |
Switch manual DSA key generation to param API This is very similar to the DH case, with the primary difference that priv_key is ignored if pub_key is not given, rather than generatin
Switch manual DSA key generation to param API This is very similar to the DH case, with the primary difference that priv_key is ignored if pub_key is not given, rather than generating pub_key from priv_key. Would be nice if these worked the same (in which case we should probably also unify the keygen for FFC algorithms, as it's very similar).
show more ...
|
#
a7740a0b |
| 06-Aug-2021 |
Nikita Popov |
Switch manual DH key generation to param API Instead of using the deprecated low-level interface. This should also avoid issues with fetching parameters from legacy keys, cf. ht
Switch manual DH key generation to param API Instead of using the deprecated low-level interface. This should also avoid issues with fetching parameters from legacy keys, cf. https://github.com/openssl/openssl/issues/16247.
show more ...
|
#
f2d3e759 |
| 06-Aug-2021 |
Nikita Popov |
Do not special case export of EC keys All other private keys are exported in PKCS#8 format, while EC keys use traditional format. Switch them to use PKCS#8 format as well. A
Do not special case export of EC keys All other private keys are exported in PKCS#8 format, while EC keys use traditional format. Switch them to use PKCS#8 format as well. As the OpenSSL docs say: > PEM_write_bio_PrivateKey_traditional() writes out a private key > in the "traditional" format with a simple private key marker and > should only be used for compatibility with legacy programs.
show more ...
|
#
cb48260f |
| 05-Aug-2021 |
Nikita Popov |
Avoid DH_compute_key() with OpenSSL 3 Instead construct a proper EVP_PKEY for the public key and perform a derive operation. Unfortunately we can't use a common code path here,
Avoid DH_compute_key() with OpenSSL 3 Instead construct a proper EVP_PKEY for the public key and perform a derive operation. Unfortunately we can't use a common code path here, because EVP_PKEY_set1_encoded_public_key() formerly known as EVP_PKEY_set1_tls_encodedpoint() does not appear to work with DH keys prior to OpenSSL 3.
show more ...
|
#
c6542b2a |
| 05-Aug-2021 |
Nikita Popov |
Extract php_openssl_pkey_derive() function To allow sharing it with the openssl_dh_compute_key() implementation.
|
#
f878bbd9 |
| 05-Aug-2021 |
Nikita Popov |
Store whether pkey object contains private key Rather than querying whether the EVP_PKEY contains private key information, determine this at time of construction and store it in the
Store whether pkey object contains private key Rather than querying whether the EVP_PKEY contains private key information, determine this at time of construction and store it in the PHP object. OpenSSL doesn't provide an API for this purpose, and seems somewhat reluctant to add one, see https://github.com/openssl/openssl/issues/9467. To avoid using deprecated low-level APIs to determine whether something is a private key ourselves, remember it at the point of construction.
show more ...
|