1 /*
2 +----------------------------------------------------------------------+
3 | Copyright (c) The PHP Group |
4 +----------------------------------------------------------------------+
5 | This source file is subject to version 3.01 of the PHP license, |
6 | that is bundled with this package in the file LICENSE, and is |
7 | available through the world-wide-web at the following url: |
8 | https://www.php.net/license/3_01.txt |
9 | If you did not receive a copy of the PHP license and are unable to |
10 | obtain it through the world-wide-web, please send a note to |
11 | license@php.net so we can mail you a copy immediately. |
12 +----------------------------------------------------------------------+
13 | Authors: Stig Venaas <venaas@php.net> |
14 | Wez Furlong <wez@thebrainroom.com> |
15 | Sascha Kettler <kettler@gmx.net> |
16 | Pierre-Alain Joye <pierre@php.net> |
17 | Marc Delling <delling@silpion.de> (PKCS12 functions) |
18 | Jakub Zelenka <bukka@php.net> |
19 | Eliot Lear <lear@ofcourseimright.com> |
20 +----------------------------------------------------------------------+
21 */
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26
27 #include "php.h"
28 #include "php_ini.h"
29 #include "php_openssl.h"
30 #include "zend_attributes.h"
31 #include "zend_exceptions.h"
32
33 /* PHP Includes */
34 #include "ext/standard/file.h"
35 #include "ext/standard/info.h"
36 #include "ext/standard/php_fopen_wrappers.h"
37 #include "ext/standard/md5.h" /* For make_digest_ex() */
38 #include "ext/standard/base64.h"
39 #ifdef PHP_WIN32
40 # include "win32/winutil.h"
41 #endif
42
43 /* OpenSSL includes */
44 #include <openssl/evp.h>
45 #include <openssl/bn.h>
46 #include <openssl/rsa.h>
47 #include <openssl/dsa.h>
48 #include <openssl/dh.h>
49 #include <openssl/x509.h>
50 #include <openssl/x509v3.h>
51 #include <openssl/crypto.h>
52 #include <openssl/pem.h>
53 #include <openssl/err.h>
54 #include <openssl/conf.h>
55 #include <openssl/rand.h>
56 #include <openssl/ssl.h>
57 #include <openssl/pkcs12.h>
58 #include <openssl/cms.h>
59 #if PHP_OPENSSL_API_VERSION >= 0x30000
60 #include <openssl/core_names.h>
61 #include <openssl/param_build.h>
62 #include <openssl/provider.h>
63 #endif
64
65 #if defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_ENGINE)
66 #include <openssl/engine.h>
67 #endif
68
69 /* Common */
70 #include <time.h>
71
72 #if (defined(PHP_WIN32) && defined(_MSC_VER) && _MSC_VER >= 1900)
73 #define timezone _timezone /* timezone is called _timezone in LibC */
74 #endif
75
76 #define MIN_KEY_LENGTH 384
77
78 /* constants used in ext/phar/util.c, keep in sync */
79 #define OPENSSL_ALGO_SHA1 1
80 #define OPENSSL_ALGO_MD5 2
81 #ifndef OPENSSL_NO_MD4
82 #define OPENSSL_ALGO_MD4 3
83 #endif
84 #ifndef OPENSSL_NO_MD2
85 #define OPENSSL_ALGO_MD2 4
86 #endif
87 #if PHP_OPENSSL_API_VERSION < 0x10100
88 #define OPENSSL_ALGO_DSS1 5
89 #endif
90 #define OPENSSL_ALGO_SHA224 6
91 #define OPENSSL_ALGO_SHA256 7
92 #define OPENSSL_ALGO_SHA384 8
93 #define OPENSSL_ALGO_SHA512 9
94 #ifndef OPENSSL_NO_RMD160
95 #define OPENSSL_ALGO_RMD160 10
96 #endif
97 #define DEBUG_SMIME 0
98
99 #if !defined(OPENSSL_NO_EC) && defined(EVP_PKEY_EC)
100 #define HAVE_EVP_PKEY_EC 1
101
102 /* the OPENSSL_EC_EXPLICIT_CURVE value was added
103 * in OpenSSL 1.1.0; previous versions should
104 * use 0 instead.
105 */
106 #ifndef OPENSSL_EC_EXPLICIT_CURVE
107 #define OPENSSL_EC_EXPLICIT_CURVE 0x000
108 #endif
109 #endif
110
111 ZEND_DECLARE_MODULE_GLOBALS(openssl)
112
113 /* FIXME: Use the openssl constants instead of
114 * enum. It is now impossible to match real values
115 * against php constants. Also sorry to break the
116 * enum principles here, BC...
117 */
118 enum php_openssl_key_type {
119 OPENSSL_KEYTYPE_RSA,
120 OPENSSL_KEYTYPE_DSA,
121 OPENSSL_KEYTYPE_DH,
122 OPENSSL_KEYTYPE_DEFAULT = OPENSSL_KEYTYPE_RSA,
123 #ifdef HAVE_EVP_PKEY_EC
124 OPENSSL_KEYTYPE_EC = OPENSSL_KEYTYPE_DH +1,
125 #endif
126 #if PHP_OPENSSL_API_VERSION >= 0x30000
127 OPENSSL_KEYTYPE_X25519 = OPENSSL_KEYTYPE_DH +2,
128 OPENSSL_KEYTYPE_ED25519 = OPENSSL_KEYTYPE_DH +3,
129 OPENSSL_KEYTYPE_X448 = OPENSSL_KEYTYPE_DH +4,
130 OPENSSL_KEYTYPE_ED448 = OPENSSL_KEYTYPE_DH +5,
131 #endif
132 };
133
134 enum php_openssl_cipher_type {
135 PHP_OPENSSL_CIPHER_RC2_40,
136 PHP_OPENSSL_CIPHER_RC2_128,
137 PHP_OPENSSL_CIPHER_RC2_64,
138 PHP_OPENSSL_CIPHER_DES,
139 PHP_OPENSSL_CIPHER_3DES,
140 PHP_OPENSSL_CIPHER_AES_128_CBC,
141 PHP_OPENSSL_CIPHER_AES_192_CBC,
142 PHP_OPENSSL_CIPHER_AES_256_CBC,
143
144 PHP_OPENSSL_CIPHER_DEFAULT = PHP_OPENSSL_CIPHER_AES_128_CBC
145 };
146
147 /* Add some encoding rules. This is normally handled through filters
148 * in the OpenSSL code, but we will do that part as if we were one
149 * of the OpenSSL binaries along the lines of -outform {DER|CMS|PEM}
150 */
151 enum php_openssl_encoding {
152 ENCODING_DER,
153 ENCODING_SMIME,
154 ENCODING_PEM,
155 };
156
157 #include "openssl_arginfo.h"
158
159 /* OpenSSLCertificate class */
160
161 zend_class_entry *php_openssl_certificate_ce;
162
163 static zend_object_handlers php_openssl_certificate_object_handlers;
164
php_openssl_certificate_create_object(zend_class_entry * class_type)165 static zend_object *php_openssl_certificate_create_object(zend_class_entry *class_type) {
166 php_openssl_certificate_object *intern = zend_object_alloc(sizeof(php_openssl_certificate_object), class_type);
167
168 zend_object_std_init(&intern->std, class_type);
169 object_properties_init(&intern->std, class_type);
170
171 return &intern->std;
172 }
173
php_openssl_certificate_get_constructor(zend_object * object)174 static zend_function *php_openssl_certificate_get_constructor(zend_object *object) {
175 zend_throw_error(NULL, "Cannot directly construct OpenSSLCertificate, use openssl_x509_read() instead");
176 return NULL;
177 }
178
php_openssl_certificate_free_obj(zend_object * object)179 static void php_openssl_certificate_free_obj(zend_object *object)
180 {
181 php_openssl_certificate_object *x509_object = php_openssl_certificate_from_obj(object);
182
183 X509_free(x509_object->x509);
184 zend_object_std_dtor(&x509_object->std);
185 }
186
187 /* OpenSSLCertificateSigningRequest class */
188
189 typedef struct _php_openssl_x509_request_object {
190 X509_REQ *csr;
191 zend_object std;
192 } php_openssl_request_object;
193
194 static zend_class_entry *php_openssl_request_ce;
195
php_openssl_request_from_obj(zend_object * obj)196 static inline php_openssl_request_object *php_openssl_request_from_obj(zend_object *obj) {
197 return (php_openssl_request_object *)((char *)(obj) - XtOffsetOf(php_openssl_request_object, std));
198 }
199
200 #define Z_OPENSSL_REQUEST_P(zv) php_openssl_request_from_obj(Z_OBJ_P(zv))
201
202 static zend_object_handlers php_openssl_request_object_handlers;
203
php_openssl_request_create_object(zend_class_entry * class_type)204 static zend_object *php_openssl_request_create_object(zend_class_entry *class_type) {
205 php_openssl_request_object *intern = zend_object_alloc(sizeof(php_openssl_request_object), class_type);
206
207 zend_object_std_init(&intern->std, class_type);
208 object_properties_init(&intern->std, class_type);
209
210 return &intern->std;
211 }
212
php_openssl_request_get_constructor(zend_object * object)213 static zend_function *php_openssl_request_get_constructor(zend_object *object) {
214 zend_throw_error(NULL, "Cannot directly construct OpenSSLCertificateSigningRequest, use openssl_csr_new() instead");
215 return NULL;
216 }
217
php_openssl_request_free_obj(zend_object * object)218 static void php_openssl_request_free_obj(zend_object *object)
219 {
220 php_openssl_request_object *x509_request = php_openssl_request_from_obj(object);
221
222 X509_REQ_free(x509_request->csr);
223 zend_object_std_dtor(&x509_request->std);
224 }
225
226 /* OpenSSLAsymmetricKey class */
227
228 typedef struct _php_openssl_pkey_object {
229 EVP_PKEY *pkey;
230 bool is_private;
231 zend_object std;
232 } php_openssl_pkey_object;
233
234 static zend_class_entry *php_openssl_pkey_ce;
235
php_openssl_pkey_from_obj(zend_object * obj)236 static inline php_openssl_pkey_object *php_openssl_pkey_from_obj(zend_object *obj) {
237 return (php_openssl_pkey_object *)((char *)(obj) - XtOffsetOf(php_openssl_pkey_object, std));
238 }
239
240 #define Z_OPENSSL_PKEY_P(zv) php_openssl_pkey_from_obj(Z_OBJ_P(zv))
241
242 static zend_object_handlers php_openssl_pkey_object_handlers;
243
php_openssl_pkey_create_object(zend_class_entry * class_type)244 static zend_object *php_openssl_pkey_create_object(zend_class_entry *class_type) {
245 php_openssl_pkey_object *intern = zend_object_alloc(sizeof(php_openssl_pkey_object), class_type);
246
247 zend_object_std_init(&intern->std, class_type);
248 object_properties_init(&intern->std, class_type);
249
250 return &intern->std;
251 }
252
php_openssl_pkey_object_init(zval * zv,EVP_PKEY * pkey,bool is_private)253 static void php_openssl_pkey_object_init(zval *zv, EVP_PKEY *pkey, bool is_private) {
254 object_init_ex(zv, php_openssl_pkey_ce);
255 php_openssl_pkey_object *obj = Z_OPENSSL_PKEY_P(zv);
256 obj->pkey = pkey;
257 obj->is_private = is_private;
258 }
259
php_openssl_pkey_get_constructor(zend_object * object)260 static zend_function *php_openssl_pkey_get_constructor(zend_object *object) {
261 zend_throw_error(NULL, "Cannot directly construct OpenSSLAsymmetricKey, use openssl_pkey_new() instead");
262 return NULL;
263 }
264
php_openssl_pkey_free_obj(zend_object * object)265 static void php_openssl_pkey_free_obj(zend_object *object)
266 {
267 php_openssl_pkey_object *key_object = php_openssl_pkey_from_obj(object);
268
269 EVP_PKEY_free(key_object->pkey);
270 zend_object_std_dtor(&key_object->std);
271 }
272
273 #if defined(HAVE_OPENSSL_ARGON2)
274 static const zend_module_dep openssl_deps[] = {
275 ZEND_MOD_REQUIRED("standard")
276 ZEND_MOD_END
277 };
278 #endif
279 /* {{{ openssl_module_entry */
280 zend_module_entry openssl_module_entry = {
281 #if defined(HAVE_OPENSSL_ARGON2)
282 STANDARD_MODULE_HEADER_EX, NULL,
283 openssl_deps,
284 #else
285 STANDARD_MODULE_HEADER,
286 #endif
287 "openssl",
288 ext_functions,
289 PHP_MINIT(openssl),
290 PHP_MSHUTDOWN(openssl),
291 NULL,
292 NULL,
293 PHP_MINFO(openssl),
294 PHP_OPENSSL_VERSION,
295 PHP_MODULE_GLOBALS(openssl),
296 PHP_GINIT(openssl),
297 PHP_GSHUTDOWN(openssl),
298 NULL,
299 STANDARD_MODULE_PROPERTIES_EX
300 };
301 /* }}} */
302
303 #ifdef COMPILE_DL_OPENSSL
ZEND_GET_MODULE(openssl)304 ZEND_GET_MODULE(openssl)
305 #endif
306
307 /* {{{ OpenSSL compatibility functions and macros */
308 #if PHP_OPENSSL_API_VERSION < 0x10100
309
310 #define EVP_PKEY_get0_RSA(_pkey) _pkey->pkey.rsa
311 #define EVP_PKEY_get0_DH(_pkey) _pkey->pkey.dh
312 #define EVP_PKEY_get0_DSA(_pkey) _pkey->pkey.dsa
313 #define EVP_PKEY_get0_EC_KEY(_pkey) _pkey->pkey.ec
314
315 static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
316 {
317 r->n = n;
318 r->e = e;
319 r->d = d;
320
321 return 1;
322 }
323
RSA_set0_factors(RSA * r,BIGNUM * p,BIGNUM * q)324 static int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
325 {
326 r->p = p;
327 r->q = q;
328
329 return 1;
330 }
331
RSA_set0_crt_params(RSA * r,BIGNUM * dmp1,BIGNUM * dmq1,BIGNUM * iqmp)332 static int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
333 {
334 r->dmp1 = dmp1;
335 r->dmq1 = dmq1;
336 r->iqmp = iqmp;
337
338 return 1;
339 }
340
RSA_get0_key(const RSA * r,const BIGNUM ** n,const BIGNUM ** e,const BIGNUM ** d)341 static void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
342 {
343 *n = r->n;
344 *e = r->e;
345 *d = r->d;
346 }
347
RSA_get0_factors(const RSA * r,const BIGNUM ** p,const BIGNUM ** q)348 static void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
349 {
350 *p = r->p;
351 *q = r->q;
352 }
353
RSA_get0_crt_params(const RSA * r,const BIGNUM ** dmp1,const BIGNUM ** dmq1,const BIGNUM ** iqmp)354 static void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp)
355 {
356 *dmp1 = r->dmp1;
357 *dmq1 = r->dmq1;
358 *iqmp = r->iqmp;
359 }
360
DH_get0_pqg(const DH * dh,const BIGNUM ** p,const BIGNUM ** q,const BIGNUM ** g)361 static void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
362 {
363 *p = dh->p;
364 *q = dh->q;
365 *g = dh->g;
366 }
367
DH_set0_pqg(DH * dh,BIGNUM * p,BIGNUM * q,BIGNUM * g)368 static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
369 {
370 dh->p = p;
371 dh->q = q;
372 dh->g = g;
373
374 return 1;
375 }
376
DH_get0_key(const DH * dh,const BIGNUM ** pub_key,const BIGNUM ** priv_key)377 static void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
378 {
379 *pub_key = dh->pub_key;
380 *priv_key = dh->priv_key;
381 }
382
DH_set0_key(DH * dh,BIGNUM * pub_key,BIGNUM * priv_key)383 static int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
384 {
385 dh->pub_key = pub_key;
386 dh->priv_key = priv_key;
387
388 return 1;
389 }
390
DSA_get0_pqg(const DSA * d,const BIGNUM ** p,const BIGNUM ** q,const BIGNUM ** g)391 static void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
392 {
393 *p = d->p;
394 *q = d->q;
395 *g = d->g;
396 }
397
DSA_set0_pqg(DSA * d,BIGNUM * p,BIGNUM * q,BIGNUM * g)398 int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
399 {
400 d->p = p;
401 d->q = q;
402 d->g = g;
403
404 return 1;
405 }
406
DSA_get0_key(const DSA * d,const BIGNUM ** pub_key,const BIGNUM ** priv_key)407 static void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key)
408 {
409 *pub_key = d->pub_key;
410 *priv_key = d->priv_key;
411 }
412
DSA_set0_key(DSA * d,BIGNUM * pub_key,BIGNUM * priv_key)413 int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
414 {
415 d->pub_key = pub_key;
416 d->priv_key = priv_key;
417
418 return 1;
419 }
420
ASN1_STRING_get0_data(const ASN1_STRING * asn1)421 static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1)
422 {
423 return M_ASN1_STRING_data(asn1);
424 }
425
EVP_PKEY_up_ref(EVP_PKEY * pkey)426 static int EVP_PKEY_up_ref(EVP_PKEY *pkey)
427 {
428 return CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
429 }
430
431 #if PHP_OPENSSL_API_VERSION < 0x10002
432
X509_get_signature_nid(const X509 * x)433 static int X509_get_signature_nid(const X509 *x)
434 {
435 return OBJ_obj2nid(x->sig_alg->algorithm);
436 }
437
438 #endif
439
440 #define OpenSSL_version SSLeay_version
441 #define OPENSSL_VERSION SSLEAY_VERSION
442 #define X509_getm_notBefore X509_get_notBefore
443 #define X509_getm_notAfter X509_get_notAfter
444 #define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_cleanup
445
446 #endif
447 /* }}} */
448
449 /* number conversion flags checks */
450 #define PHP_OPENSSL_CHECK_NUMBER_CONVERSION(_cond, _name, _arg_num) \
451 do { \
452 if (_cond) { \
453 zend_argument_value_error((_arg_num), #_name" is too long"); \
454 RETURN_THROWS(); \
455 } \
456 } while(0)
457 #define PHP_OPENSSL_CHECK_NUMBER_CONVERSION_NULL_RETURN(_cond, _name) \
458 do { \
459 if (_cond) { \
460 zend_value_error(#_name" is too long"); \
461 return NULL; \
462 } \
463 } while(0)
464 /* check if size_t can be safely casted to int */
465 #define PHP_OPENSSL_CHECK_SIZE_T_TO_INT(_var, _name, _arg_num) \
466 PHP_OPENSSL_CHECK_NUMBER_CONVERSION(ZEND_SIZE_T_INT_OVFL(_var), _name, _arg_num)
467 #define PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(_var, _name) \
468 PHP_OPENSSL_CHECK_NUMBER_CONVERSION_NULL_RETURN(ZEND_SIZE_T_INT_OVFL(_var), _name)
469 /* check if size_t can be safely casted to unsigned int */
470 #define PHP_OPENSSL_CHECK_SIZE_T_TO_UINT(_var, _name, _arg_num) \
471 PHP_OPENSSL_CHECK_NUMBER_CONVERSION(ZEND_SIZE_T_UINT_OVFL(_var), _name, _arg_num)
472 /* check if long can be safely casted to int */
473 #define PHP_OPENSSL_CHECK_LONG_TO_INT(_var, _name, _arg_num) \
474 PHP_OPENSSL_CHECK_NUMBER_CONVERSION(ZEND_LONG_EXCEEDS_INT(_var), _name, _arg_num)
475 #define PHP_OPENSSL_CHECK_LONG_TO_INT_NULL_RETURN(_var, _name) \
476 PHP_OPENSSL_CHECK_NUMBER_CONVERSION_NULL_RETURN(ZEND_LONG_EXCEEDS_INT(_var), _name)
477
478 /* {{{ php_openssl_store_errors */
php_openssl_store_errors(void)479 void php_openssl_store_errors(void)
480 {
481 struct php_openssl_errors *errors;
482 int error_code = ERR_get_error();
483
484 if (!error_code) {
485 return;
486 }
487
488 if (!OPENSSL_G(errors)) {
489 OPENSSL_G(errors) = pecalloc(1, sizeof(struct php_openssl_errors), 1);
490 }
491
492 errors = OPENSSL_G(errors);
493
494 do {
495 errors->top = (errors->top + 1) % ERR_NUM_ERRORS;
496 if (errors->top == errors->bottom) {
497 errors->bottom = (errors->bottom + 1) % ERR_NUM_ERRORS;
498 }
499 errors->buffer[errors->top] = error_code;
500 } while ((error_code = ERR_get_error()));
501
502 }
503 /* }}} */
504
505 /* {{{ php_openssl_errors_set_mark */
php_openssl_errors_set_mark(void)506 static void php_openssl_errors_set_mark(void) {
507 if (!OPENSSL_G(errors)) {
508 return;
509 }
510
511 if (!OPENSSL_G(errors_mark)) {
512 OPENSSL_G(errors_mark) = pecalloc(1, sizeof(struct php_openssl_errors), 1);
513 }
514
515 memcpy(OPENSSL_G(errors_mark), OPENSSL_G(errors), sizeof(struct php_openssl_errors));
516 }
517 /* }}} */
518
519 /* {{{ php_openssl_errors_restore_mark */
php_openssl_errors_restore_mark(void)520 static void php_openssl_errors_restore_mark(void) {
521 if (!OPENSSL_G(errors)) {
522 return;
523 }
524
525 struct php_openssl_errors *errors = OPENSSL_G(errors);
526
527 if (!OPENSSL_G(errors_mark)) {
528 errors->top = 0;
529 errors->bottom = 0;
530 } else {
531 memcpy(errors, OPENSSL_G(errors_mark), sizeof(struct php_openssl_errors));
532 }
533 }
534 /* }}} */
535
536 /* openssl file path check error function */
php_openssl_check_path_error(uint32_t arg_num,int type,const char * format,...)537 static void php_openssl_check_path_error(uint32_t arg_num, int type, const char *format, ...)
538 {
539 va_list va;
540 const char *arg_name;
541
542 va_start(va, format);
543
544 if (type == E_ERROR) {
545 zend_argument_error_variadic(zend_ce_value_error, arg_num, format, va);
546 } else {
547 arg_name = get_active_function_arg_name(arg_num);
548 php_verror(NULL, arg_name, type, format, va);
549 }
550 va_end(va);
551 }
552
553 /* openssl file path check extended */
php_openssl_check_path_ex(const char * file_path,size_t file_path_len,char * real_path,uint32_t arg_num,bool contains_file_protocol,bool is_from_array,const char * option_name)554 bool php_openssl_check_path_ex(
555 const char *file_path, size_t file_path_len, char *real_path, uint32_t arg_num,
556 bool contains_file_protocol, bool is_from_array, const char *option_name)
557 {
558 const char *fs_file_path;
559 size_t fs_file_path_len;
560 const char *error_msg = NULL;
561 int error_type = E_WARNING;
562
563 if (file_path_len == 0) {
564 real_path[0] = '\0';
565 return true;
566 }
567
568 if (contains_file_protocol) {
569 size_t path_prefix_len = sizeof("file://") - 1;
570 if (file_path_len <= path_prefix_len) {
571 return false;
572 }
573 fs_file_path = file_path + path_prefix_len;
574 fs_file_path_len = file_path_len - path_prefix_len;
575 } else {
576 fs_file_path = file_path;
577 fs_file_path_len = file_path_len;
578 }
579
580 if (CHECK_NULL_PATH(fs_file_path, fs_file_path_len)) {
581 error_msg = "must not contain any null bytes";
582 error_type = E_ERROR;
583 } else if (expand_filepath(fs_file_path, real_path) == NULL) {
584 error_msg = "must be a valid file path";
585 }
586
587 if (error_msg != NULL) {
588 if (arg_num == 0) {
589 const char *option_title = option_name ? option_name : "unknown";
590 const char *option_label = is_from_array ? "array item" : "option";
591 php_error_docref(NULL, E_WARNING, "Path for %s %s %s",
592 option_title, option_label, error_msg);
593 } else if (is_from_array && option_name != NULL) {
594 php_openssl_check_path_error(
595 arg_num, error_type, "option %s array item %s", option_name, error_msg);
596 } else if (is_from_array) {
597 php_openssl_check_path_error(arg_num, error_type, "array item %s", error_msg);
598 } else if (option_name != NULL) {
599 php_openssl_check_path_error(
600 arg_num, error_type, "option %s %s", option_name, error_msg);
601 } else {
602 php_openssl_check_path_error(arg_num, error_type, "%s", error_msg);
603 }
604 } else if (!php_check_open_basedir(real_path)) {
605 return true;
606 }
607
608 return false;
609 }
610
611 static int ssl_stream_data_index;
612
php_openssl_get_stream_from_ssl_handle(const SSL * ssl)613 php_stream* php_openssl_get_stream_from_ssl_handle(const SSL *ssl)
614 {
615 return (php_stream*)SSL_get_ex_data(ssl, ssl_stream_data_index);
616 }
617
php_openssl_get_ssl_stream_data_index(void)618 int php_openssl_get_ssl_stream_data_index(void)
619 {
620 return ssl_stream_data_index;
621 }
622
623 /* openssl -> PHP "bridging" */
624 /* true global; readonly after module startup */
625 static char default_ssl_conf_filename[MAXPATHLEN];
626
627 struct php_x509_request { /* {{{ */
628 CONF *global_config; /* Global SSL config */
629 CONF *req_config; /* SSL config for this request */
630 const EVP_MD * md_alg;
631 const EVP_MD * digest;
632 char * section_name,
633 * config_filename,
634 * digest_name,
635 * extensions_section,
636 * request_extensions_section;
637 int priv_key_bits;
638 int priv_key_type;
639
640 int priv_key_encrypt;
641
642 #ifdef HAVE_EVP_PKEY_EC
643 int curve_name;
644 #endif
645
646 EVP_PKEY * priv_key;
647
648 const EVP_CIPHER * priv_key_encrypt_cipher;
649 };
650 /* }}} */
651
652 static X509 *php_openssl_x509_from_param(
653 zend_object *cert_obj, zend_string *cert_str, uint32_t arg_num);
654 static X509 *php_openssl_x509_from_zval(
655 zval *val, bool *free_cert, uint32_t arg_num, bool is_from_array, const char *option_name);
656 static X509_REQ *php_openssl_csr_from_param(
657 zend_object *csr_obj, zend_string *csr_str, uint32_t arg_num);
658 static EVP_PKEY *php_openssl_pkey_from_zval(
659 zval *val, int public_key, char *passphrase, size_t passphrase_len, uint32_t arg_num);
660
661 static X509_STORE * php_openssl_setup_verify(zval * calist, uint32_t arg_num);
662 static STACK_OF(X509) * php_openssl_load_all_certs_from_file(
663 char *cert_file, size_t cert_file_len, uint32_t arg_num);
664 static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req);
665
php_openssl_add_assoc_name_entry(zval * val,char * key,X509_NAME * name,int shortname)666 static void php_openssl_add_assoc_name_entry(zval * val, char * key, X509_NAME * name, int shortname) /* {{{ */
667 {
668 zval *data;
669 zval subitem, tmp;
670 int i;
671 char *sname;
672 int nid;
673 X509_NAME_ENTRY * ne;
674 ASN1_STRING * str = NULL;
675 ASN1_OBJECT * obj;
676
677 if (key != NULL) {
678 array_init(&subitem);
679 } else {
680 ZVAL_COPY_VALUE(&subitem, val);
681 }
682
683 for (i = 0; i < X509_NAME_entry_count(name); i++) {
684 const unsigned char *to_add = NULL;
685 int to_add_len = 0;
686 unsigned char *to_add_buf = NULL;
687
688 ne = X509_NAME_get_entry(name, i);
689 obj = X509_NAME_ENTRY_get_object(ne);
690 nid = OBJ_obj2nid(obj);
691
692 if (shortname) {
693 sname = (char *) OBJ_nid2sn(nid);
694 } else {
695 sname = (char *) OBJ_nid2ln(nid);
696 }
697
698 str = X509_NAME_ENTRY_get_data(ne);
699 if (ASN1_STRING_type(str) != V_ASN1_UTF8STRING) {
700 /* ASN1_STRING_to_UTF8(3): The converted data is copied into a newly allocated buffer */
701 to_add_len = ASN1_STRING_to_UTF8(&to_add_buf, str);
702 to_add = to_add_buf;
703 } else {
704 /* ASN1_STRING_get0_data(3): Since this is an internal pointer it should not be freed or modified in any way */
705 to_add = ASN1_STRING_get0_data(str);
706 to_add_len = ASN1_STRING_length(str);
707 }
708
709 if (to_add_len != -1) {
710 if ((data = zend_hash_str_find(Z_ARRVAL(subitem), sname, strlen(sname))) != NULL) {
711 if (Z_TYPE_P(data) == IS_ARRAY) {
712 add_next_index_stringl(data, (const char *)to_add, to_add_len);
713 } else if (Z_TYPE_P(data) == IS_STRING) {
714 array_init(&tmp);
715 add_next_index_str(&tmp, zend_string_copy(Z_STR_P(data)));
716 add_next_index_stringl(&tmp, (const char *)to_add, to_add_len);
717 zend_hash_str_update(Z_ARRVAL(subitem), sname, strlen(sname), &tmp);
718 }
719 } else {
720 /* it might be better to expand it and pass zval from ZVAL_STRING
721 * to zend_symtable_str_update so we do not silently drop const
722 * but we need a test to cover this part first */
723 add_assoc_stringl(&subitem, sname, (char *)to_add, to_add_len);
724 }
725 } else {
726 php_openssl_store_errors();
727 }
728
729 if (to_add_buf != NULL) {
730 OPENSSL_free(to_add_buf);
731 }
732 }
733
734 if (key != NULL) {
735 zend_hash_str_update(Z_ARRVAL_P(val), key, strlen(key), &subitem);
736 }
737 }
738 /* }}} */
739
php_openssl_add_assoc_asn1_string(zval * val,char * key,ASN1_STRING * str)740 static void php_openssl_add_assoc_asn1_string(zval * val, char * key, ASN1_STRING * str) /* {{{ */
741 {
742 add_assoc_stringl(val, key, (char *)str->data, str->length);
743 }
744 /* }}} */
745
php_openssl_asn1_time_to_time_t(ASN1_UTCTIME * timestr)746 static time_t php_openssl_asn1_time_to_time_t(ASN1_UTCTIME * timestr) /* {{{ */
747 {
748 /*
749 This is how the time string is formatted:
750
751 snprintf(p, sizeof(p), "%02d%02d%02d%02d%02d%02dZ",ts->tm_year%100,
752 ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
753 */
754
755 time_t ret;
756 struct tm thetime;
757 char * strbuf;
758 char * thestr;
759 long gmadjust = 0;
760 size_t timestr_len;
761
762 if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME && ASN1_STRING_type(timestr) != V_ASN1_GENERALIZEDTIME) {
763 php_error_docref(NULL, E_WARNING, "Illegal ASN1 data type for timestamp");
764 return (time_t)-1;
765 }
766
767 timestr_len = (size_t)ASN1_STRING_length(timestr);
768
769 if (timestr_len != strlen((const char *)ASN1_STRING_get0_data(timestr))) {
770 php_error_docref(NULL, E_WARNING, "Illegal length in timestamp");
771 return (time_t)-1;
772 }
773
774 if (timestr_len < 13) {
775 php_error_docref(NULL, E_WARNING, "Unable to parse time string %s correctly", timestr->data);
776 return (time_t)-1;
777 }
778
779 if (ASN1_STRING_type(timestr) == V_ASN1_GENERALIZEDTIME && timestr_len < 15) {
780 php_error_docref(NULL, E_WARNING, "Unable to parse time string %s correctly", timestr->data);
781 return (time_t)-1;
782 }
783
784 strbuf = estrdup((const char *)ASN1_STRING_get0_data(timestr));
785
786 memset(&thetime, 0, sizeof(thetime));
787
788 /* we work backwards so that we can use atoi more easily */
789
790 thestr = strbuf + timestr_len - 3;
791
792 thetime.tm_sec = atoi(thestr);
793 *thestr = '\0';
794 thestr -= 2;
795 thetime.tm_min = atoi(thestr);
796 *thestr = '\0';
797 thestr -= 2;
798 thetime.tm_hour = atoi(thestr);
799 *thestr = '\0';
800 thestr -= 2;
801 thetime.tm_mday = atoi(thestr);
802 *thestr = '\0';
803 thestr -= 2;
804 thetime.tm_mon = atoi(thestr)-1;
805
806 *thestr = '\0';
807 if( ASN1_STRING_type(timestr) == V_ASN1_UTCTIME ) {
808 thestr -= 2;
809 thetime.tm_year = atoi(thestr);
810
811 if (thetime.tm_year < 68) {
812 thetime.tm_year += 100;
813 }
814 } else if( ASN1_STRING_type(timestr) == V_ASN1_GENERALIZEDTIME ) {
815 thestr -= 4;
816 thetime.tm_year = atoi(thestr) - 1900;
817 }
818
819
820 thetime.tm_isdst = -1;
821 ret = mktime(&thetime);
822
823 #ifdef HAVE_STRUCT_TM_TM_GMTOFF
824 gmadjust = thetime.tm_gmtoff;
825 #else
826 /*
827 ** If correcting for daylight savings time, we set the adjustment to
828 ** the value of timezone - 3600 seconds. Otherwise, we need to overcorrect and
829 ** set the adjustment to the main timezone + 3600 seconds.
830 */
831 gmadjust = -(thetime.tm_isdst ? (long)timezone - 3600 : (long)timezone);
832 #endif
833 ret += gmadjust;
834
835 efree(strbuf);
836
837 return ret;
838 }
839 /* }}} */
840
php_openssl_config_check_syntax(const char * section_label,const char * config_filename,const char * section,CONF * config)841 static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, CONF *config) /* {{{ */
842 {
843 X509V3_CTX ctx;
844
845 X509V3_set_ctx_test(&ctx);
846 X509V3_set_nconf(&ctx, config);
847 if (!X509V3_EXT_add_nconf(config, &ctx, (char *)section, NULL)) {
848 php_openssl_store_errors();
849 php_error_docref(NULL, E_WARNING, "Error loading %s section %s of %s",
850 section_label,
851 section,
852 config_filename);
853 return FAILURE;
854 }
855 return SUCCESS;
856 }
857 /* }}} */
858
php_openssl_conf_get_string(CONF * conf,const char * group,const char * name)859 static char *php_openssl_conf_get_string(CONF *conf, const char *group, const char *name) {
860 /* OpenSSL reports an error if a configuration value is not found.
861 * However, we don't want to generate errors for optional configuration. */
862 ERR_set_mark();
863 char *str = NCONF_get_string(conf, group, name);
864 ERR_pop_to_mark();
865 return str;
866 }
867
php_openssl_conf_get_number(CONF * conf,const char * group,const char * name)868 static long php_openssl_conf_get_number(CONF *conf, const char *group, const char *name) {
869 /* Same here, ignore errors. */
870 long res = 0;
871 ERR_set_mark();
872 NCONF_get_number(conf, group, name, &res);
873 ERR_pop_to_mark();
874 return res;
875 }
876
php_openssl_add_oid_section(struct php_x509_request * req)877 static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */
878 {
879 char * str;
880 STACK_OF(CONF_VALUE) * sktmp;
881 CONF_VALUE * cnf;
882 int i;
883
884 str = php_openssl_conf_get_string(req->req_config, NULL, "oid_section");
885 if (str == NULL) {
886 return SUCCESS;
887 }
888 sktmp = NCONF_get_section(req->req_config, str);
889 if (sktmp == NULL) {
890 php_openssl_store_errors();
891 php_error_docref(NULL, E_WARNING, "Problem loading oid section %s", str);
892 return FAILURE;
893 }
894 for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
895 cnf = sk_CONF_VALUE_value(sktmp, i);
896 if (OBJ_sn2nid(cnf->name) == NID_undef && OBJ_ln2nid(cnf->name) == NID_undef &&
897 OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
898 php_openssl_store_errors();
899 php_error_docref(NULL, E_WARNING, "Problem creating object %s=%s", cnf->name, cnf->value);
900 return FAILURE;
901 }
902 }
903 return SUCCESS;
904 }
905 /* }}} */
906
907 #define PHP_SSL_REQ_INIT(req) memset(req, 0, sizeof(*req))
908 #define PHP_SSL_REQ_DISPOSE(req) php_openssl_dispose_config(req)
909 #define PHP_SSL_REQ_PARSE(req, zval) php_openssl_parse_config(req, zval)
910
911 #define PHP_SSL_CONFIG_SYNTAX_CHECK(var) if (req->var && php_openssl_config_check_syntax(#var, \
912 req->config_filename, req->var, req->req_config) == FAILURE) return FAILURE
913
914 #define SET_OPTIONAL_STRING_ARG(key, varname, defval) \
915 do { \
916 if (optional_args && (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), key, sizeof(key)-1)) != NULL && Z_TYPE_P(item) == IS_STRING) { \
917 varname = Z_STRVAL_P(item); \
918 } else { \
919 varname = defval; \
920 if (varname == NULL) { \
921 php_openssl_store_errors(); \
922 } \
923 } \
924 } while(0)
925
926 #define SET_OPTIONAL_LONG_ARG(key, varname, defval) \
927 if (optional_args && (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), key, sizeof(key)-1)) != NULL && Z_TYPE_P(item) == IS_LONG) \
928 varname = (int)Z_LVAL_P(item); \
929 else \
930 varname = defval
931
932 static const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(zend_long algo);
933
934 /* {{{ strip line endings from spkac */
php_openssl_spki_cleanup(const char * src,char * dest)935 static int php_openssl_spki_cleanup(const char *src, char *dest)
936 {
937 int removed = 0;
938
939 while (*src) {
940 if (*src != '\n' && *src != '\r') {
941 *dest++ = *src;
942 } else {
943 ++removed;
944 }
945 ++src;
946 }
947 *dest = 0;
948 return removed;
949 }
950 /* }}} */
951
php_openssl_parse_config(struct php_x509_request * req,zval * optional_args)952 static int php_openssl_parse_config(struct php_x509_request * req, zval * optional_args) /* {{{ */
953 {
954 char * str, path[MAXPATHLEN];
955 zval * item;
956
957 SET_OPTIONAL_STRING_ARG("config", req->config_filename, default_ssl_conf_filename);
958 SET_OPTIONAL_STRING_ARG("config_section_name", req->section_name, "req");
959 req->global_config = NCONF_new(NULL);
960 if (!NCONF_load(req->global_config, default_ssl_conf_filename, NULL)) {
961 php_openssl_store_errors();
962 }
963
964 req->req_config = NCONF_new(NULL);
965 if (!NCONF_load(req->req_config, req->config_filename, NULL)) {
966 return FAILURE;
967 }
968
969 /* read in the oids */
970 str = php_openssl_conf_get_string(req->req_config, NULL, "oid_file");
971 if (str != NULL && php_openssl_check_path_ex(str, strlen(str), path, 0, false, false, "oid_file")) {
972 BIO *oid_bio = BIO_new_file(path, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
973 if (oid_bio) {
974 OBJ_create_objects(oid_bio);
975 BIO_free(oid_bio);
976 php_openssl_store_errors();
977 }
978 }
979 if (php_openssl_add_oid_section(req) == FAILURE) {
980 return FAILURE;
981 }
982 SET_OPTIONAL_STRING_ARG("digest_alg", req->digest_name,
983 php_openssl_conf_get_string(req->req_config, req->section_name, "default_md"));
984 SET_OPTIONAL_STRING_ARG("x509_extensions", req->extensions_section,
985 php_openssl_conf_get_string(req->req_config, req->section_name, "x509_extensions"));
986 SET_OPTIONAL_STRING_ARG("req_extensions", req->request_extensions_section,
987 php_openssl_conf_get_string(req->req_config, req->section_name, "req_extensions"));
988 SET_OPTIONAL_LONG_ARG("private_key_bits", req->priv_key_bits,
989 php_openssl_conf_get_number(req->req_config, req->section_name, "default_bits"));
990 SET_OPTIONAL_LONG_ARG("private_key_type", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT);
991
992 if (optional_args && (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key")-1)) != NULL) {
993 req->priv_key_encrypt = Z_TYPE_P(item) == IS_TRUE ? 1 : 0;
994 } else {
995 str = php_openssl_conf_get_string(req->req_config, req->section_name, "encrypt_rsa_key");
996 if (str == NULL) {
997 str = php_openssl_conf_get_string(req->req_config, req->section_name, "encrypt_key");
998 }
999 if (str != NULL && strcmp(str, "no") == 0) {
1000 req->priv_key_encrypt = 0;
1001 } else {
1002 req->priv_key_encrypt = 1;
1003 }
1004 }
1005
1006 if (req->priv_key_encrypt &&
1007 optional_args &&
1008 (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), "encrypt_key_cipher", sizeof("encrypt_key_cipher")-1)) != NULL &&
1009 Z_TYPE_P(item) == IS_LONG
1010 ) {
1011 zend_long cipher_algo = Z_LVAL_P(item);
1012 const EVP_CIPHER* cipher = php_openssl_get_evp_cipher_from_algo(cipher_algo);
1013 if (cipher == NULL) {
1014 php_error_docref(NULL, E_WARNING, "Unknown cipher algorithm for private key");
1015 return FAILURE;
1016 } else {
1017 req->priv_key_encrypt_cipher = cipher;
1018 }
1019 } else {
1020 req->priv_key_encrypt_cipher = NULL;
1021 }
1022
1023 /* digest alg */
1024 if (req->digest_name == NULL) {
1025 req->digest_name = php_openssl_conf_get_string(req->req_config, req->section_name, "default_md");
1026 }
1027 if (req->digest_name != NULL) {
1028 if (strcmp(req->digest_name, "null") == 0) {
1029 req->digest = req->md_alg = EVP_md_null();
1030 } else {
1031 req->digest = req->md_alg = EVP_get_digestbyname(req->digest_name);
1032 }
1033 }
1034 if (req->md_alg == NULL) {
1035 req->md_alg = req->digest = EVP_sha1();
1036 php_openssl_store_errors();
1037 }
1038
1039 PHP_SSL_CONFIG_SYNTAX_CHECK(extensions_section);
1040 #ifdef HAVE_EVP_PKEY_EC
1041 /* set the ec group curve name */
1042 req->curve_name = NID_undef;
1043 if (optional_args && (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), "curve_name", sizeof("curve_name")-1)) != NULL
1044 && Z_TYPE_P(item) == IS_STRING) {
1045 req->curve_name = OBJ_sn2nid(Z_STRVAL_P(item));
1046 if (req->curve_name == NID_undef) {
1047 php_error_docref(NULL, E_WARNING, "Unknown elliptic curve (short) name %s", Z_STRVAL_P(item));
1048 return FAILURE;
1049 }
1050 }
1051 #endif
1052
1053 /* set the string mask */
1054 str = php_openssl_conf_get_string(req->req_config, req->section_name, "string_mask");
1055 if (str != NULL && !ASN1_STRING_set_default_mask_asc(str)) {
1056 php_error_docref(NULL, E_WARNING, "Invalid global string mask setting %s", str);
1057 return FAILURE;
1058 }
1059
1060 PHP_SSL_CONFIG_SYNTAX_CHECK(request_extensions_section);
1061
1062 return SUCCESS;
1063 }
1064 /* }}} */
1065
php_openssl_dispose_config(struct php_x509_request * req)1066 static void php_openssl_dispose_config(struct php_x509_request * req) /* {{{ */
1067 {
1068 if (req->priv_key) {
1069 EVP_PKEY_free(req->priv_key);
1070 req->priv_key = NULL;
1071 }
1072 if (req->global_config) {
1073 NCONF_free(req->global_config);
1074 req->global_config = NULL;
1075 }
1076 if (req->req_config) {
1077 NCONF_free(req->req_config);
1078 req->req_config = NULL;
1079 }
1080 }
1081 /* }}} */
1082
1083 #if defined(PHP_WIN32) || PHP_OPENSSL_API_VERSION >= 0x10100
1084 #define PHP_OPENSSL_RAND_ADD_TIME() ((void) 0)
1085 #else
1086 #define PHP_OPENSSL_RAND_ADD_TIME() php_openssl_rand_add_timeval()
1087
php_openssl_rand_add_timeval(void)1088 static inline void php_openssl_rand_add_timeval(void) /* {{{ */
1089 {
1090 struct timeval tv;
1091
1092 gettimeofday(&tv, NULL);
1093 RAND_add(&tv, sizeof(tv), 0.0);
1094 }
1095 /* }}} */
1096
1097 #endif
1098
php_openssl_load_rand_file(const char * file,int * egdsocket,int * seeded)1099 static int php_openssl_load_rand_file(const char * file, int *egdsocket, int *seeded) /* {{{ */
1100 {
1101 char buffer[MAXPATHLEN];
1102
1103 *egdsocket = 0;
1104 *seeded = 0;
1105
1106 if (file == NULL) {
1107 file = RAND_file_name(buffer, sizeof(buffer));
1108 #ifdef HAVE_RAND_EGD
1109 } else if (RAND_egd(file) > 0) {
1110 /* if the given filename is an EGD socket, don't
1111 * write anything back to it */
1112 *egdsocket = 1;
1113 return SUCCESS;
1114 #endif
1115 }
1116 if (file == NULL || !RAND_load_file(file, -1)) {
1117 if (RAND_status() == 0) {
1118 php_openssl_store_errors();
1119 php_error_docref(NULL, E_WARNING, "Unable to load random state; not enough random data!");
1120 return FAILURE;
1121 }
1122 return FAILURE;
1123 }
1124 *seeded = 1;
1125 return SUCCESS;
1126 }
1127 /* }}} */
1128
php_openssl_write_rand_file(const char * file,int egdsocket,int seeded)1129 static int php_openssl_write_rand_file(const char * file, int egdsocket, int seeded) /* {{{ */
1130 {
1131 char buffer[MAXPATHLEN];
1132
1133
1134 if (egdsocket || !seeded) {
1135 /* if we did not manage to read the seed file, we should not write
1136 * a low-entropy seed file back */
1137 return FAILURE;
1138 }
1139 if (file == NULL) {
1140 file = RAND_file_name(buffer, sizeof(buffer));
1141 }
1142 PHP_OPENSSL_RAND_ADD_TIME();
1143 if (file == NULL || !RAND_write_file(file)) {
1144 php_openssl_store_errors();
1145 php_error_docref(NULL, E_WARNING, "Unable to write random state");
1146 return FAILURE;
1147 }
1148 return SUCCESS;
1149 }
1150 /* }}} */
1151
php_openssl_get_evp_md_from_algo(zend_long algo)1152 static EVP_MD * php_openssl_get_evp_md_from_algo(zend_long algo) { /* {{{ */
1153 EVP_MD *mdtype;
1154
1155 switch (algo) {
1156 case OPENSSL_ALGO_SHA1:
1157 mdtype = (EVP_MD *) EVP_sha1();
1158 break;
1159 case OPENSSL_ALGO_MD5:
1160 mdtype = (EVP_MD *) EVP_md5();
1161 break;
1162 #ifndef OPENSSL_NO_MD4
1163 case OPENSSL_ALGO_MD4:
1164 mdtype = (EVP_MD *) EVP_md4();
1165 break;
1166 #endif
1167 #ifndef OPENSSL_NO_MD2
1168 case OPENSSL_ALGO_MD2:
1169 mdtype = (EVP_MD *) EVP_md2();
1170 break;
1171 #endif
1172 #if PHP_OPENSSL_API_VERSION < 0x10100
1173 case OPENSSL_ALGO_DSS1:
1174 mdtype = (EVP_MD *) EVP_dss1();
1175 break;
1176 #endif
1177 case OPENSSL_ALGO_SHA224:
1178 mdtype = (EVP_MD *) EVP_sha224();
1179 break;
1180 case OPENSSL_ALGO_SHA256:
1181 mdtype = (EVP_MD *) EVP_sha256();
1182 break;
1183 case OPENSSL_ALGO_SHA384:
1184 mdtype = (EVP_MD *) EVP_sha384();
1185 break;
1186 case OPENSSL_ALGO_SHA512:
1187 mdtype = (EVP_MD *) EVP_sha512();
1188 break;
1189 #ifndef OPENSSL_NO_RMD160
1190 case OPENSSL_ALGO_RMD160:
1191 mdtype = (EVP_MD *) EVP_ripemd160();
1192 break;
1193 #endif
1194 default:
1195 return NULL;
1196 break;
1197 }
1198 return mdtype;
1199 }
1200 /* }}} */
1201
php_openssl_get_evp_cipher_from_algo(zend_long algo)1202 static const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(zend_long algo) { /* {{{ */
1203 switch (algo) {
1204 #ifndef OPENSSL_NO_RC2
1205 case PHP_OPENSSL_CIPHER_RC2_40:
1206 return EVP_rc2_40_cbc();
1207 break;
1208 case PHP_OPENSSL_CIPHER_RC2_64:
1209 return EVP_rc2_64_cbc();
1210 break;
1211 case PHP_OPENSSL_CIPHER_RC2_128:
1212 return EVP_rc2_cbc();
1213 break;
1214 #endif
1215
1216 #ifndef OPENSSL_NO_DES
1217 case PHP_OPENSSL_CIPHER_DES:
1218 return EVP_des_cbc();
1219 break;
1220 case PHP_OPENSSL_CIPHER_3DES:
1221 return EVP_des_ede3_cbc();
1222 break;
1223 #endif
1224
1225 #ifndef OPENSSL_NO_AES
1226 case PHP_OPENSSL_CIPHER_AES_128_CBC:
1227 return EVP_aes_128_cbc();
1228 break;
1229 case PHP_OPENSSL_CIPHER_AES_192_CBC:
1230 return EVP_aes_192_cbc();
1231 break;
1232 case PHP_OPENSSL_CIPHER_AES_256_CBC:
1233 return EVP_aes_256_cbc();
1234 break;
1235 #endif
1236
1237
1238 default:
1239 return NULL;
1240 break;
1241 }
1242 }
1243 /* }}} */
1244
1245 /* {{{ INI Settings */
1246 PHP_INI_BEGIN()
1247 PHP_INI_ENTRY("openssl.cafile", NULL, PHP_INI_PERDIR, NULL)
1248 PHP_INI_ENTRY("openssl.capath", NULL, PHP_INI_PERDIR, NULL)
PHP_INI_END()1249 PHP_INI_END()
1250 /* }}} */
1251
1252 /* {{{ PHP_MINIT_FUNCTION */
1253 PHP_MINIT_FUNCTION(openssl)
1254 {
1255 char * config_filename;
1256
1257 php_openssl_certificate_ce = register_class_OpenSSLCertificate();
1258 php_openssl_certificate_ce->create_object = php_openssl_certificate_create_object;
1259 php_openssl_certificate_ce->default_object_handlers = &php_openssl_certificate_object_handlers;
1260
1261 memcpy(&php_openssl_certificate_object_handlers, &std_object_handlers, sizeof(zend_object_handlers));
1262 php_openssl_certificate_object_handlers.offset = XtOffsetOf(php_openssl_certificate_object, std);
1263 php_openssl_certificate_object_handlers.free_obj = php_openssl_certificate_free_obj;
1264 php_openssl_certificate_object_handlers.get_constructor = php_openssl_certificate_get_constructor;
1265 php_openssl_certificate_object_handlers.clone_obj = NULL;
1266 php_openssl_certificate_object_handlers.compare = zend_objects_not_comparable;
1267
1268 php_openssl_request_ce = register_class_OpenSSLCertificateSigningRequest();
1269 php_openssl_request_ce->create_object = php_openssl_request_create_object;
1270 php_openssl_request_ce->default_object_handlers = &php_openssl_request_object_handlers;
1271
1272 memcpy(&php_openssl_request_object_handlers, &std_object_handlers, sizeof(zend_object_handlers));
1273 php_openssl_request_object_handlers.offset = XtOffsetOf(php_openssl_request_object, std);
1274 php_openssl_request_object_handlers.free_obj = php_openssl_request_free_obj;
1275 php_openssl_request_object_handlers.get_constructor = php_openssl_request_get_constructor;
1276 php_openssl_request_object_handlers.clone_obj = NULL;
1277 php_openssl_request_object_handlers.compare = zend_objects_not_comparable;
1278
1279 php_openssl_pkey_ce = register_class_OpenSSLAsymmetricKey();
1280 php_openssl_pkey_ce->create_object = php_openssl_pkey_create_object;
1281 php_openssl_pkey_ce->default_object_handlers = &php_openssl_pkey_object_handlers;
1282
1283 memcpy(&php_openssl_pkey_object_handlers, &std_object_handlers, sizeof(zend_object_handlers));
1284 php_openssl_pkey_object_handlers.offset = XtOffsetOf(php_openssl_pkey_object, std);
1285 php_openssl_pkey_object_handlers.free_obj = php_openssl_pkey_free_obj;
1286 php_openssl_pkey_object_handlers.get_constructor = php_openssl_pkey_get_constructor;
1287 php_openssl_pkey_object_handlers.clone_obj = NULL;
1288 php_openssl_pkey_object_handlers.compare = zend_objects_not_comparable;
1289
1290 #ifdef LIBRESSL_VERSION_NUMBER
1291 OPENSSL_config(NULL);
1292 SSL_library_init();
1293 OpenSSL_add_all_ciphers();
1294 OpenSSL_add_all_digests();
1295 OpenSSL_add_all_algorithms();
1296 SSL_load_error_strings();
1297 #else
1298 #if PHP_OPENSSL_API_VERSION >= 0x30000 && defined(LOAD_OPENSSL_LEGACY_PROVIDER)
1299 OSSL_PROVIDER_load(NULL, "legacy");
1300 OSSL_PROVIDER_load(NULL, "default");
1301 #endif
1302 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
1303 #endif
1304
1305 /* register a resource id number with OpenSSL so that we can map SSL -> stream structures in
1306 * OpenSSL callbacks */
1307 ssl_stream_data_index = SSL_get_ex_new_index(0, "PHP stream index", NULL, NULL, NULL);
1308
1309 register_openssl_symbols(module_number);
1310
1311 /* Determine default SSL configuration file */
1312 config_filename = getenv("OPENSSL_CONF");
1313 if (config_filename == NULL) {
1314 config_filename = getenv("SSLEAY_CONF");
1315 }
1316
1317 /* default to 'openssl.cnf' if no environment variable is set */
1318 if (config_filename == NULL) {
1319 snprintf(default_ssl_conf_filename, sizeof(default_ssl_conf_filename), "%s/%s",
1320 X509_get_default_cert_area(),
1321 "openssl.cnf");
1322 } else {
1323 strlcpy(default_ssl_conf_filename, config_filename, sizeof(default_ssl_conf_filename));
1324 }
1325
1326 php_stream_xport_register("ssl", php_openssl_ssl_socket_factory);
1327 #ifndef OPENSSL_NO_SSL3
1328 php_stream_xport_register("sslv3", php_openssl_ssl_socket_factory);
1329 #endif
1330 php_stream_xport_register("tls", php_openssl_ssl_socket_factory);
1331 php_stream_xport_register("tlsv1.0", php_openssl_ssl_socket_factory);
1332 php_stream_xport_register("tlsv1.1", php_openssl_ssl_socket_factory);
1333 php_stream_xport_register("tlsv1.2", php_openssl_ssl_socket_factory);
1334 php_stream_xport_register("tlsv1.3", php_openssl_ssl_socket_factory);
1335
1336 /* override the default tcp socket provider */
1337 php_stream_xport_register("tcp", php_openssl_ssl_socket_factory);
1338
1339 php_register_url_stream_wrapper("https", &php_stream_http_wrapper);
1340 php_register_url_stream_wrapper("ftps", &php_stream_ftp_wrapper);
1341
1342 REGISTER_INI_ENTRIES();
1343
1344 #if defined(HAVE_OPENSSL_ARGON2)
1345 if (FAILURE == PHP_MINIT(openssl_pwhash)(INIT_FUNC_ARGS_PASSTHRU)) {
1346 return FAILURE;
1347 }
1348 #endif
1349
1350 return SUCCESS;
1351 }
1352 /* }}} */
1353
1354 /* {{{ PHP_GINIT_FUNCTION */
PHP_GINIT_FUNCTION(openssl)1355 PHP_GINIT_FUNCTION(openssl)
1356 {
1357 #if defined(COMPILE_DL_OPENSSL) && defined(ZTS)
1358 ZEND_TSRMLS_CACHE_UPDATE();
1359 #endif
1360 openssl_globals->errors = NULL;
1361 openssl_globals->errors_mark = NULL;
1362 }
1363 /* }}} */
1364
1365 /* {{{ PHP_GSHUTDOWN_FUNCTION */
PHP_GSHUTDOWN_FUNCTION(openssl)1366 PHP_GSHUTDOWN_FUNCTION(openssl)
1367 {
1368 if (openssl_globals->errors) {
1369 pefree(openssl_globals->errors, 1);
1370 }
1371 if (openssl_globals->errors_mark) {
1372 pefree(openssl_globals->errors_mark, 1);
1373 }
1374 }
1375 /* }}} */
1376
1377 /* {{{ PHP_MINFO_FUNCTION */
PHP_MINFO_FUNCTION(openssl)1378 PHP_MINFO_FUNCTION(openssl)
1379 {
1380 php_info_print_table_start();
1381 php_info_print_table_row(2, "OpenSSL support", "enabled");
1382 php_info_print_table_row(2, "OpenSSL Library Version", OpenSSL_version(OPENSSL_VERSION));
1383 php_info_print_table_row(2, "OpenSSL Header Version", OPENSSL_VERSION_TEXT);
1384 php_info_print_table_row(2, "Openssl default config", default_ssl_conf_filename);
1385 php_info_print_table_end();
1386 DISPLAY_INI_ENTRIES();
1387 }
1388 /* }}} */
1389
1390 /* {{{ PHP_MSHUTDOWN_FUNCTION */
PHP_MSHUTDOWN_FUNCTION(openssl)1391 PHP_MSHUTDOWN_FUNCTION(openssl)
1392 {
1393 #ifdef LIBRESSL_VERSION_NUMBER
1394 EVP_cleanup();
1395
1396 /* prevent accessing locking callback from unloaded extension */
1397 CRYPTO_set_locking_callback(NULL);
1398
1399 #ifndef OPENSSL_NO_ENGINE
1400 /* Free engine list initialized by OPENSSL_config */
1401 ENGINE_cleanup();
1402 #endif
1403
1404 /* free allocated error strings */
1405 ERR_free_strings();
1406 CONF_modules_free();
1407 #endif
1408
1409 php_unregister_url_stream_wrapper("https");
1410 php_unregister_url_stream_wrapper("ftps");
1411
1412 php_stream_xport_unregister("ssl");
1413 #ifndef OPENSSL_NO_SSL3
1414 php_stream_xport_unregister("sslv3");
1415 #endif
1416 php_stream_xport_unregister("tls");
1417 php_stream_xport_unregister("tlsv1.0");
1418 php_stream_xport_unregister("tlsv1.1");
1419 php_stream_xport_unregister("tlsv1.2");
1420 php_stream_xport_unregister("tlsv1.3");
1421
1422 /* reinstate the default tcp handler */
1423 php_stream_xport_register("tcp", php_stream_generic_socket_factory);
1424
1425 UNREGISTER_INI_ENTRIES();
1426
1427 return SUCCESS;
1428 }
1429 /* }}} */
1430
1431 /* {{{ x509 cert functions */
1432
1433 /* {{{ Retrieve an array mapping available certificate locations */
PHP_FUNCTION(openssl_get_cert_locations)1434 PHP_FUNCTION(openssl_get_cert_locations)
1435 {
1436 if (zend_parse_parameters_none() == FAILURE) {
1437 RETURN_THROWS();
1438 }
1439
1440 array_init(return_value);
1441
1442 add_assoc_string(return_value, "default_cert_file", (char *) X509_get_default_cert_file());
1443 add_assoc_string(return_value, "default_cert_file_env", (char *) X509_get_default_cert_file_env());
1444 add_assoc_string(return_value, "default_cert_dir", (char *) X509_get_default_cert_dir());
1445 add_assoc_string(return_value, "default_cert_dir_env", (char *) X509_get_default_cert_dir_env());
1446 add_assoc_string(return_value, "default_private_dir", (char *) X509_get_default_private_dir());
1447 add_assoc_string(return_value, "default_default_cert_area", (char *) X509_get_default_cert_area());
1448 add_assoc_string(return_value, "ini_cafile",
1449 zend_ini_string("openssl.cafile", sizeof("openssl.cafile")-1, 0));
1450 add_assoc_string(return_value, "ini_capath",
1451 zend_ini_string("openssl.capath", sizeof("openssl.capath")-1, 0));
1452 }
1453 /* }}} */
1454
php_openssl_x509_from_str(zend_string * cert_str,uint32_t arg_num,bool is_from_array,const char * option_name)1455 static X509 *php_openssl_x509_from_str(
1456 zend_string *cert_str, uint32_t arg_num, bool is_from_array, const char *option_name) {
1457 X509 *cert = NULL;
1458 char cert_path[MAXPATHLEN];
1459 BIO *in;
1460
1461 if (ZSTR_LEN(cert_str) > 7 && memcmp(ZSTR_VAL(cert_str), "file://", sizeof("file://") - 1) == 0) {
1462 if (!php_openssl_check_path_str_ex(cert_str, cert_path, arg_num, true, is_from_array, option_name)) {
1463 return NULL;
1464 }
1465
1466 in = BIO_new_file(cert_path, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
1467 if (in == NULL) {
1468 php_openssl_store_errors();
1469 return NULL;
1470 }
1471 cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
1472 } else {
1473 in = BIO_new_mem_buf(ZSTR_VAL(cert_str), (int) ZSTR_LEN(cert_str));
1474 if (in == NULL) {
1475 php_openssl_store_errors();
1476 return NULL;
1477 }
1478 #ifdef TYPEDEF_D2I_OF
1479 cert = (X509 *) PEM_ASN1_read_bio((d2i_of_void *)d2i_X509, PEM_STRING_X509, in, NULL, NULL, NULL);
1480 #else
1481 cert = (X509 *) PEM_ASN1_read_bio((char *(*)())d2i_X509, PEM_STRING_X509, in, NULL, NULL, NULL);
1482 #endif
1483 }
1484
1485 if (!BIO_free(in)) {
1486 php_openssl_store_errors();
1487 }
1488
1489 if (cert == NULL) {
1490 php_openssl_store_errors();
1491 return NULL;
1492 }
1493
1494 return cert;
1495 }
1496
1497 /* {{{ php_openssl_x509_from_param
1498 Given a parameter, extract it into an X509 object.
1499 The parameter can be:
1500 . X509 object created using openssl_read_x509()
1501 . a path to that cert if it starts with file://
1502 . the cert data otherwise
1503 */
php_openssl_x509_from_param(zend_object * cert_obj,zend_string * cert_str,uint32_t arg_num)1504 static X509 *php_openssl_x509_from_param(
1505 zend_object *cert_obj, zend_string *cert_str, uint32_t arg_num) {
1506 if (cert_obj) {
1507 return php_openssl_certificate_from_obj(cert_obj)->x509;
1508 }
1509
1510 ZEND_ASSERT(cert_str);
1511
1512 return php_openssl_x509_from_str(cert_str, arg_num, false, NULL);
1513 }
1514 /* }}} */
1515
php_openssl_x509_from_zval(zval * val,bool * free_cert,uint32_t arg_num,bool is_from_array,const char * option_name)1516 static X509 *php_openssl_x509_from_zval(
1517 zval *val, bool *free_cert, uint32_t arg_num, bool is_from_array, const char *option_name)
1518 {
1519 if (Z_TYPE_P(val) == IS_OBJECT && Z_OBJCE_P(val) == php_openssl_certificate_ce) {
1520 *free_cert = 0;
1521
1522 return php_openssl_certificate_from_obj(Z_OBJ_P(val))->x509;
1523 }
1524
1525 *free_cert = 1;
1526
1527 zend_string *str = zval_try_get_string(val);
1528 if (str == NULL) {
1529 return NULL;
1530 }
1531 X509 *cert = php_openssl_x509_from_str(str, arg_num, is_from_array, option_name);
1532 zend_string_release(str);
1533 return cert;
1534 }
1535 /* }}} */
1536
1537 /* {{{ Exports a CERT to file or a var */
PHP_FUNCTION(openssl_x509_export_to_file)1538 PHP_FUNCTION(openssl_x509_export_to_file)
1539 {
1540 X509 *cert;
1541 zend_object *cert_obj;
1542 zend_string *cert_str;
1543
1544 bool notext = 1;
1545 BIO * bio_out;
1546 char * filename, file_path[MAXPATHLEN];
1547 size_t filename_len;
1548
1549 ZEND_PARSE_PARAMETERS_START(2, 3)
1550 Z_PARAM_OBJ_OF_CLASS_OR_STR(cert_obj, php_openssl_certificate_ce, cert_str)
1551 Z_PARAM_PATH(filename, filename_len)
1552 Z_PARAM_OPTIONAL
1553 Z_PARAM_BOOL(notext)
1554 ZEND_PARSE_PARAMETERS_END();
1555
1556 RETVAL_FALSE;
1557
1558 cert = php_openssl_x509_from_param(cert_obj, cert_str, 1);
1559 if (cert == NULL) {
1560 php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
1561 return;
1562 }
1563
1564 if (!php_openssl_check_path(filename, filename_len, file_path, 2)) {
1565 goto exit_cleanup_cert;
1566 }
1567
1568 bio_out = BIO_new_file(file_path, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY));
1569 if (bio_out) {
1570 if (!notext && !X509_print(bio_out, cert)) {
1571 php_openssl_store_errors();
1572 }
1573 if (!PEM_write_bio_X509(bio_out, cert)) {
1574 php_openssl_store_errors();
1575 }
1576
1577 RETVAL_TRUE;
1578 } else {
1579 php_openssl_store_errors();
1580 php_error_docref(NULL, E_WARNING, "Error opening file %s", file_path);
1581 }
1582
1583 if (!BIO_free(bio_out)) {
1584 php_openssl_store_errors();
1585 }
1586
1587 exit_cleanup_cert:
1588 if (cert_str) {
1589 X509_free(cert);
1590 }
1591 }
1592 /* }}} */
1593
1594 /* {{{ Creates new private key (or uses existing) and creates a new spki cert
1595 outputting results to var */
PHP_FUNCTION(openssl_spki_new)1596 PHP_FUNCTION(openssl_spki_new)
1597 {
1598 size_t challenge_len;
1599 char * challenge = NULL, *spkstr = NULL;
1600 zend_string * s = NULL;
1601 const char *spkac = "SPKAC=";
1602 zend_long algo = OPENSSL_ALGO_MD5;
1603
1604 zval *zpkey = NULL;
1605 EVP_PKEY *pkey = NULL;
1606 NETSCAPE_SPKI *spki=NULL;
1607 const EVP_MD *mdtype;
1608
1609 if (zend_parse_parameters(ZEND_NUM_ARGS(), "Os|l", &zpkey, php_openssl_pkey_ce, &challenge, &challenge_len, &algo) == FAILURE) {
1610 RETURN_THROWS();
1611 }
1612 RETVAL_FALSE;
1613
1614 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(challenge_len, challenge, 2);
1615
1616 pkey = php_openssl_pkey_from_zval(zpkey, 0, challenge, challenge_len, 1);
1617 if (pkey == NULL) {
1618 if (!EG(exception)) {
1619 php_error_docref(NULL, E_WARNING, "Unable to use supplied private key");
1620 }
1621 goto cleanup;
1622 }
1623
1624 mdtype = php_openssl_get_evp_md_from_algo(algo);
1625
1626 if (!mdtype) {
1627 php_error_docref(NULL, E_WARNING, "Unknown digest algorithm");
1628 goto cleanup;
1629 }
1630
1631 if ((spki = NETSCAPE_SPKI_new()) == NULL) {
1632 php_openssl_store_errors();
1633 php_error_docref(NULL, E_WARNING, "Unable to create new SPKAC");
1634 goto cleanup;
1635 }
1636
1637 if (challenge) {
1638 if (!ASN1_STRING_set(spki->spkac->challenge, challenge, (int)challenge_len)) {
1639 php_openssl_store_errors();
1640 php_error_docref(NULL, E_WARNING, "Unable to set challenge data");
1641 goto cleanup;
1642 }
1643 }
1644
1645 if (!NETSCAPE_SPKI_set_pubkey(spki, pkey)) {
1646 php_openssl_store_errors();
1647 php_error_docref(NULL, E_WARNING, "Unable to embed public key");
1648 goto cleanup;
1649 }
1650
1651 if (!NETSCAPE_SPKI_sign(spki, pkey, mdtype)) {
1652 php_openssl_store_errors();
1653 php_error_docref(NULL, E_WARNING, "Unable to sign with specified digest algorithm");
1654 goto cleanup;
1655 }
1656
1657 spkstr = NETSCAPE_SPKI_b64_encode(spki);
1658 if (!spkstr){
1659 php_openssl_store_errors();
1660 php_error_docref(NULL, E_WARNING, "Unable to encode SPKAC");
1661 goto cleanup;
1662 }
1663
1664 s = zend_string_concat2(spkac, strlen(spkac), spkstr, strlen(spkstr));
1665 OPENSSL_free(spkstr);
1666
1667 RETVAL_STR(s);
1668 goto cleanup;
1669
1670 cleanup:
1671 EVP_PKEY_free(pkey);
1672 if (spki != NULL) {
1673 NETSCAPE_SPKI_free(spki);
1674 }
1675
1676 if (s && ZSTR_LEN(s) <= 0) {
1677 RETVAL_FALSE;
1678 }
1679 }
1680 /* }}} */
1681
1682 /* {{{ Verifies spki returns boolean */
PHP_FUNCTION(openssl_spki_verify)1683 PHP_FUNCTION(openssl_spki_verify)
1684 {
1685 size_t spkstr_len;
1686 int i = 0, spkstr_cleaned_len = 0;
1687 char *spkstr, * spkstr_cleaned = NULL;
1688
1689 EVP_PKEY *pkey = NULL;
1690 NETSCAPE_SPKI *spki = NULL;
1691
1692 if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &spkstr, &spkstr_len) == FAILURE) {
1693 RETURN_THROWS();
1694 }
1695 RETVAL_FALSE;
1696
1697 spkstr_cleaned = emalloc(spkstr_len + 1);
1698 spkstr_cleaned_len = (int)(spkstr_len - php_openssl_spki_cleanup(spkstr, spkstr_cleaned));
1699
1700 if (spkstr_cleaned_len == 0) {
1701 php_error_docref(NULL, E_WARNING, "Invalid SPKAC");
1702 goto cleanup;
1703 }
1704
1705 spki = NETSCAPE_SPKI_b64_decode(spkstr_cleaned, spkstr_cleaned_len);
1706 if (spki == NULL) {
1707 php_openssl_store_errors();
1708 php_error_docref(NULL, E_WARNING, "Unable to decode supplied SPKAC");
1709 goto cleanup;
1710 }
1711
1712 pkey = X509_PUBKEY_get(spki->spkac->pubkey);
1713 if (pkey == NULL) {
1714 php_openssl_store_errors();
1715 php_error_docref(NULL, E_WARNING, "Unable to acquire signed public key");
1716 goto cleanup;
1717 }
1718
1719 i = NETSCAPE_SPKI_verify(spki, pkey);
1720 goto cleanup;
1721
1722 cleanup:
1723 if (spki != NULL) {
1724 NETSCAPE_SPKI_free(spki);
1725 }
1726 EVP_PKEY_free(pkey);
1727 if (spkstr_cleaned != NULL) {
1728 efree(spkstr_cleaned);
1729 }
1730
1731 if (i > 0) {
1732 RETVAL_TRUE;
1733 } else {
1734 php_openssl_store_errors();
1735 }
1736 }
1737 /* }}} */
1738
1739 /* {{{ Exports public key from existing spki to var */
PHP_FUNCTION(openssl_spki_export)1740 PHP_FUNCTION(openssl_spki_export)
1741 {
1742 size_t spkstr_len;
1743 char *spkstr, * spkstr_cleaned = NULL;
1744 int spkstr_cleaned_len;
1745
1746 EVP_PKEY *pkey = NULL;
1747 NETSCAPE_SPKI *spki = NULL;
1748 BIO *out = NULL;
1749
1750 if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &spkstr, &spkstr_len) == FAILURE) {
1751 RETURN_THROWS();
1752 }
1753 RETVAL_FALSE;
1754
1755 spkstr_cleaned = emalloc(spkstr_len + 1);
1756 spkstr_cleaned_len = (int)(spkstr_len - php_openssl_spki_cleanup(spkstr, spkstr_cleaned));
1757
1758 if (spkstr_cleaned_len == 0) {
1759 php_error_docref(NULL, E_WARNING, "Invalid SPKAC");
1760 goto cleanup;
1761 }
1762
1763 spki = NETSCAPE_SPKI_b64_decode(spkstr_cleaned, spkstr_cleaned_len);
1764 if (spki == NULL) {
1765 php_openssl_store_errors();
1766 php_error_docref(NULL, E_WARNING, "Unable to decode supplied SPKAC");
1767 goto cleanup;
1768 }
1769
1770 pkey = X509_PUBKEY_get(spki->spkac->pubkey);
1771 if (pkey == NULL) {
1772 php_openssl_store_errors();
1773 php_error_docref(NULL, E_WARNING, "Unable to acquire signed public key");
1774 goto cleanup;
1775 }
1776
1777 out = BIO_new(BIO_s_mem());
1778 if (out && PEM_write_bio_PUBKEY(out, pkey)) {
1779 BUF_MEM *bio_buf;
1780
1781 BIO_get_mem_ptr(out, &bio_buf);
1782 RETVAL_STRINGL((char *)bio_buf->data, bio_buf->length);
1783 } else {
1784 php_openssl_store_errors();
1785 }
1786 goto cleanup;
1787
1788 cleanup:
1789
1790 if (spki != NULL) {
1791 NETSCAPE_SPKI_free(spki);
1792 }
1793 BIO_free_all(out);
1794 EVP_PKEY_free(pkey);
1795 if (spkstr_cleaned != NULL) {
1796 efree(spkstr_cleaned);
1797 }
1798 }
1799 /* }}} */
1800
1801 /* {{{ Exports spkac challenge from existing spki to var */
PHP_FUNCTION(openssl_spki_export_challenge)1802 PHP_FUNCTION(openssl_spki_export_challenge)
1803 {
1804 size_t spkstr_len;
1805 char *spkstr, * spkstr_cleaned = NULL;
1806 int spkstr_cleaned_len;
1807
1808 NETSCAPE_SPKI *spki = NULL;
1809
1810 if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &spkstr, &spkstr_len) == FAILURE) {
1811 RETURN_THROWS();
1812 }
1813 RETVAL_FALSE;
1814
1815 spkstr_cleaned = emalloc(spkstr_len + 1);
1816 spkstr_cleaned_len = (int)(spkstr_len - php_openssl_spki_cleanup(spkstr, spkstr_cleaned));
1817
1818 if (spkstr_cleaned_len == 0) {
1819 php_error_docref(NULL, E_WARNING, "Invalid SPKAC");
1820 goto cleanup;
1821 }
1822
1823 spki = NETSCAPE_SPKI_b64_decode(spkstr_cleaned, spkstr_cleaned_len);
1824 if (spki == NULL) {
1825 php_openssl_store_errors();
1826 php_error_docref(NULL, E_WARNING, "Unable to decode SPKAC");
1827 goto cleanup;
1828 }
1829
1830 RETVAL_STRING((const char *)ASN1_STRING_get0_data(spki->spkac->challenge));
1831 goto cleanup;
1832
1833 cleanup:
1834 if (spkstr_cleaned != NULL) {
1835 efree(spkstr_cleaned);
1836 }
1837 if (spki) {
1838 NETSCAPE_SPKI_free(spki);
1839 }
1840 }
1841 /* }}} */
1842
1843 /* {{{ Exports a CERT to file or a var */
PHP_FUNCTION(openssl_x509_export)1844 PHP_FUNCTION(openssl_x509_export)
1845 {
1846 X509 *cert;
1847 zend_object *cert_obj;
1848 zend_string *cert_str;
1849 zval *zout;
1850 bool notext = 1;
1851 BIO * bio_out;
1852
1853 ZEND_PARSE_PARAMETERS_START(2, 3)
1854 Z_PARAM_OBJ_OF_CLASS_OR_STR(cert_obj, php_openssl_certificate_ce, cert_str)
1855 Z_PARAM_ZVAL(zout)
1856 Z_PARAM_OPTIONAL
1857 Z_PARAM_BOOL(notext)
1858 ZEND_PARSE_PARAMETERS_END();
1859
1860 RETVAL_FALSE;
1861
1862 cert = php_openssl_x509_from_param(cert_obj, cert_str, 1);
1863 if (cert == NULL) {
1864 php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
1865 return;
1866 }
1867
1868 bio_out = BIO_new(BIO_s_mem());
1869 if (!bio_out) {
1870 php_openssl_store_errors();
1871 goto cleanup;
1872 }
1873 if (!notext && !X509_print(bio_out, cert)) {
1874 php_openssl_store_errors();
1875 }
1876 if (PEM_write_bio_X509(bio_out, cert)) {
1877 BUF_MEM *bio_buf;
1878
1879 BIO_get_mem_ptr(bio_out, &bio_buf);
1880 ZEND_TRY_ASSIGN_REF_STRINGL(zout, bio_buf->data, bio_buf->length);
1881
1882 RETVAL_TRUE;
1883 } else {
1884 php_openssl_store_errors();
1885 }
1886
1887 BIO_free(bio_out);
1888
1889 cleanup:
1890 if (cert_str) {
1891 X509_free(cert);
1892 }
1893 }
1894 /* }}} */
1895
php_openssl_x509_fingerprint(X509 * peer,const char * method,bool raw)1896 zend_string* php_openssl_x509_fingerprint(X509 *peer, const char *method, bool raw)
1897 {
1898 unsigned char md[EVP_MAX_MD_SIZE];
1899 const EVP_MD *mdtype;
1900 unsigned int n;
1901 zend_string *ret;
1902
1903 if (!(mdtype = EVP_get_digestbyname(method))) {
1904 php_error_docref(NULL, E_WARNING, "Unknown digest algorithm");
1905 return NULL;
1906 } else if (!X509_digest(peer, mdtype, md, &n)) {
1907 php_openssl_store_errors();
1908 php_error_docref(NULL, E_ERROR, "Could not generate signature");
1909 return NULL;
1910 }
1911
1912 if (raw) {
1913 ret = zend_string_init((char*)md, n, 0);
1914 } else {
1915 ret = zend_string_alloc(n * 2, 0);
1916 make_digest_ex(ZSTR_VAL(ret), md, n);
1917 ZSTR_VAL(ret)[n * 2] = '\0';
1918 }
1919
1920 return ret;
1921 }
1922
PHP_FUNCTION(openssl_x509_fingerprint)1923 PHP_FUNCTION(openssl_x509_fingerprint)
1924 {
1925 X509 *cert;
1926 zend_object *cert_obj;
1927 zend_string *cert_str;
1928 bool raw_output = 0;
1929 char *method = "sha1";
1930 size_t method_len;
1931 zend_string *fingerprint;
1932
1933 ZEND_PARSE_PARAMETERS_START(1, 3)
1934 Z_PARAM_OBJ_OF_CLASS_OR_STR(cert_obj, php_openssl_certificate_ce, cert_str)
1935 Z_PARAM_OPTIONAL
1936 Z_PARAM_STRING(method, method_len)
1937 Z_PARAM_BOOL(raw_output)
1938 ZEND_PARSE_PARAMETERS_END();
1939
1940 cert = php_openssl_x509_from_param(cert_obj, cert_str, 1);
1941 if (cert == NULL) {
1942 php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
1943 RETURN_FALSE;
1944 }
1945
1946 fingerprint = php_openssl_x509_fingerprint(cert, method, raw_output);
1947 if (fingerprint) {
1948 RETVAL_STR(fingerprint);
1949 } else {
1950 RETVAL_FALSE;
1951 }
1952
1953 if (cert_str) {
1954 X509_free(cert);
1955 }
1956 }
1957
1958 /* {{{ Checks if a private key corresponds to a CERT */
PHP_FUNCTION(openssl_x509_check_private_key)1959 PHP_FUNCTION(openssl_x509_check_private_key)
1960 {
1961 X509 *cert;
1962 zend_object *cert_obj;
1963 zend_string *cert_str;
1964 zval *zkey;
1965 EVP_PKEY * key = NULL;
1966
1967 ZEND_PARSE_PARAMETERS_START(2, 2)
1968 Z_PARAM_OBJ_OF_CLASS_OR_STR(cert_obj, php_openssl_certificate_ce, cert_str)
1969 Z_PARAM_ZVAL(zkey)
1970 ZEND_PARSE_PARAMETERS_END();
1971
1972 cert = php_openssl_x509_from_param(cert_obj, cert_str, 1);
1973 if (cert == NULL) {
1974 RETURN_FALSE;
1975 }
1976
1977 RETVAL_FALSE;
1978
1979 key = php_openssl_pkey_from_zval(zkey, 0, "", 0, 2);
1980 if (key) {
1981 RETVAL_BOOL(X509_check_private_key(cert, key));
1982 EVP_PKEY_free(key);
1983 }
1984
1985 if (cert_str) {
1986 X509_free(cert);
1987 }
1988 }
1989 /* }}} */
1990
1991 /* {{{ Verifies the signature of certificate cert using public key key */
PHP_FUNCTION(openssl_x509_verify)1992 PHP_FUNCTION(openssl_x509_verify)
1993 {
1994 X509 *cert;
1995 zend_object *cert_obj;
1996 zend_string *cert_str;
1997 zval *zkey;
1998 EVP_PKEY * key = NULL;
1999 int err = -1;
2000
2001 ZEND_PARSE_PARAMETERS_START(2, 2)
2002 Z_PARAM_OBJ_OF_CLASS_OR_STR(cert_obj, php_openssl_certificate_ce, cert_str)
2003 Z_PARAM_ZVAL(zkey)
2004 ZEND_PARSE_PARAMETERS_END();
2005
2006 cert = php_openssl_x509_from_param(cert_obj, cert_str, 1);
2007 if (cert == NULL) {
2008 RETURN_LONG(err);
2009 }
2010
2011 key = php_openssl_pkey_from_zval(zkey, 1, NULL, 0, 2);
2012 if (key != NULL) {
2013 err = X509_verify(cert, key);
2014 if (err < 0) {
2015 php_openssl_store_errors();
2016 }
2017
2018 EVP_PKEY_free(key);
2019 }
2020
2021 if (cert_str) {
2022 X509_free(cert);
2023 }
2024
2025 RETURN_LONG(err);
2026 }
2027 /* }}} */
2028
2029 /* Special handling of subjectAltName, see CVE-2013-4073
2030 * Christian Heimes
2031 */
2032
openssl_x509v3_subjectAltName(BIO * bio,X509_EXTENSION * extension)2033 static int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension)
2034 {
2035 GENERAL_NAMES *names;
2036 const X509V3_EXT_METHOD *method = NULL;
2037 ASN1_OCTET_STRING *extension_data;
2038 long i, length, num;
2039 const unsigned char *p;
2040
2041 method = X509V3_EXT_get(extension);
2042 if (method == NULL) {
2043 return -1;
2044 }
2045
2046 extension_data = X509_EXTENSION_get_data(extension);
2047 p = extension_data->data;
2048 length = extension_data->length;
2049 if (method->it) {
2050 names = (GENERAL_NAMES*) (ASN1_item_d2i(NULL, &p, length,
2051 ASN1_ITEM_ptr(method->it)));
2052 } else {
2053 names = (GENERAL_NAMES*) (method->d2i(NULL, &p, length));
2054 }
2055 if (names == NULL) {
2056 php_openssl_store_errors();
2057 return -1;
2058 }
2059
2060 num = sk_GENERAL_NAME_num(names);
2061 for (i = 0; i < num; i++) {
2062 GENERAL_NAME *name;
2063 ASN1_STRING *as;
2064 name = sk_GENERAL_NAME_value(names, i);
2065 switch (name->type) {
2066 case GEN_EMAIL:
2067 BIO_puts(bio, "email:");
2068 as = name->d.rfc822Name;
2069 BIO_write(bio, ASN1_STRING_get0_data(as),
2070 ASN1_STRING_length(as));
2071 break;
2072 case GEN_DNS:
2073 BIO_puts(bio, "DNS:");
2074 as = name->d.dNSName;
2075 BIO_write(bio, ASN1_STRING_get0_data(as),
2076 ASN1_STRING_length(as));
2077 break;
2078 case GEN_URI:
2079 BIO_puts(bio, "URI:");
2080 as = name->d.uniformResourceIdentifier;
2081 BIO_write(bio, ASN1_STRING_get0_data(as),
2082 ASN1_STRING_length(as));
2083 break;
2084 default:
2085 /* use builtin print for GEN_OTHERNAME, GEN_X400,
2086 * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID
2087 */
2088 GENERAL_NAME_print(bio, name);
2089 }
2090 /* trailing ', ' except for last element */
2091 if (i < (num - 1)) {
2092 BIO_puts(bio, ", ");
2093 }
2094 }
2095 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
2096
2097 return 0;
2098 }
2099
2100 /* {{{ Returns an array of the fields/values of the CERT */
PHP_FUNCTION(openssl_x509_parse)2101 PHP_FUNCTION(openssl_x509_parse)
2102 {
2103 X509 *cert;
2104 zend_object *cert_obj;
2105 zend_string *cert_str;
2106 int i, sig_nid;
2107 bool useshortnames = 1;
2108 char * tmpstr;
2109 zval subitem;
2110 X509_EXTENSION *extension;
2111 X509_NAME *subject_name;
2112 char *cert_name;
2113 char *extname;
2114 BIO *bio_out;
2115 BUF_MEM *bio_buf;
2116 ASN1_INTEGER *asn1_serial;
2117 BIGNUM *bn_serial;
2118 char *str_serial;
2119 char *hex_serial;
2120 char buf[256];
2121
2122 ZEND_PARSE_PARAMETERS_START(1, 2)
2123 Z_PARAM_OBJ_OF_CLASS_OR_STR(cert_obj, php_openssl_certificate_ce, cert_str)
2124 Z_PARAM_OPTIONAL
2125 Z_PARAM_BOOL(useshortnames)
2126 ZEND_PARSE_PARAMETERS_END();
2127
2128 cert = php_openssl_x509_from_param(cert_obj, cert_str, 1);
2129 if (cert == NULL) {
2130 // TODO Add Warning?
2131 RETURN_FALSE;
2132 }
2133 array_init(return_value);
2134
2135 subject_name = X509_get_subject_name(cert);
2136 cert_name = X509_NAME_oneline(subject_name, NULL, 0);
2137 add_assoc_string(return_value, "name", cert_name);
2138 OPENSSL_free(cert_name);
2139
2140 php_openssl_add_assoc_name_entry(return_value, "subject", subject_name, useshortnames);
2141 /* hash as used in CA directories to lookup cert by subject name */
2142 {
2143 char buf[32];
2144 snprintf(buf, sizeof(buf), "%08lx", X509_subject_name_hash(cert));
2145 add_assoc_string(return_value, "hash", buf);
2146 }
2147
2148 php_openssl_add_assoc_name_entry(return_value, "issuer", X509_get_issuer_name(cert), useshortnames);
2149 add_assoc_long(return_value, "version", X509_get_version(cert));
2150
2151 asn1_serial = X509_get_serialNumber(cert);
2152
2153 bn_serial = ASN1_INTEGER_to_BN(asn1_serial, NULL);
2154 /* Can return NULL on error or memory allocation failure */
2155 if (!bn_serial) {
2156 php_openssl_store_errors();
2157 goto err;
2158 }
2159
2160 hex_serial = BN_bn2hex(bn_serial);
2161 BN_free(bn_serial);
2162 /* Can return NULL on error or memory allocation failure */
2163 if (!hex_serial) {
2164 php_openssl_store_errors();
2165 goto err;
2166 }
2167
2168 str_serial = i2s_ASN1_INTEGER(NULL, asn1_serial);
2169 add_assoc_string(return_value, "serialNumber", str_serial);
2170 OPENSSL_free(str_serial);
2171
2172 /* Return the hex representation of the serial number, as defined by OpenSSL */
2173 add_assoc_string(return_value, "serialNumberHex", hex_serial);
2174 OPENSSL_free(hex_serial);
2175
2176 php_openssl_add_assoc_asn1_string(return_value, "validFrom", X509_getm_notBefore(cert));
2177 php_openssl_add_assoc_asn1_string(return_value, "validTo", X509_getm_notAfter(cert));
2178
2179 add_assoc_long(return_value, "validFrom_time_t", php_openssl_asn1_time_to_time_t(X509_getm_notBefore(cert)));
2180 add_assoc_long(return_value, "validTo_time_t", php_openssl_asn1_time_to_time_t(X509_getm_notAfter(cert)));
2181
2182 tmpstr = (char *)X509_alias_get0(cert, NULL);
2183 if (tmpstr) {
2184 add_assoc_string(return_value, "alias", tmpstr);
2185 }
2186
2187 sig_nid = X509_get_signature_nid(cert);
2188 add_assoc_string(return_value, "signatureTypeSN", (char*)OBJ_nid2sn(sig_nid));
2189 add_assoc_string(return_value, "signatureTypeLN", (char*)OBJ_nid2ln(sig_nid));
2190 add_assoc_long(return_value, "signatureTypeNID", sig_nid);
2191 array_init(&subitem);
2192
2193 /* NOTE: the purposes are added as integer keys - the keys match up to the X509_PURPOSE_SSL_XXX defines
2194 in x509v3.h */
2195 for (i = 0; i < X509_PURPOSE_get_count(); i++) {
2196 int id, purpset;
2197 char * pname;
2198 X509_PURPOSE * purp;
2199 zval subsub;
2200
2201 array_init(&subsub);
2202
2203 purp = X509_PURPOSE_get0(i);
2204 id = X509_PURPOSE_get_id(purp);
2205
2206 purpset = X509_check_purpose(cert, id, 0);
2207 add_index_bool(&subsub, 0, purpset);
2208
2209 purpset = X509_check_purpose(cert, id, 1);
2210 add_index_bool(&subsub, 1, purpset);
2211
2212 pname = useshortnames ? X509_PURPOSE_get0_sname(purp) : X509_PURPOSE_get0_name(purp);
2213 add_index_string(&subsub, 2, pname);
2214
2215 /* NOTE: if purpset > 1 then it's a warning - we should mention it ? */
2216
2217 add_index_zval(&subitem, id, &subsub);
2218 }
2219 add_assoc_zval(return_value, "purposes", &subitem);
2220
2221 array_init(&subitem);
2222
2223
2224 for (i = 0; i < X509_get_ext_count(cert); i++) {
2225 int nid;
2226 extension = X509_get_ext(cert, i);
2227 nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension));
2228 if (nid != NID_undef) {
2229 extname = (char *)OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(extension)));
2230 } else {
2231 OBJ_obj2txt(buf, sizeof(buf)-1, X509_EXTENSION_get_object(extension), 1);
2232 extname = buf;
2233 }
2234 bio_out = BIO_new(BIO_s_mem());
2235 if (bio_out == NULL) {
2236 php_openssl_store_errors();
2237 goto err_subitem;
2238 }
2239 if (nid == NID_subject_alt_name) {
2240 if (openssl_x509v3_subjectAltName(bio_out, extension) == 0) {
2241 BIO_get_mem_ptr(bio_out, &bio_buf);
2242 add_assoc_stringl(&subitem, extname, bio_buf->data, bio_buf->length);
2243 } else {
2244 BIO_free(bio_out);
2245 goto err_subitem;
2246 }
2247 }
2248 else if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
2249 BIO_get_mem_ptr(bio_out, &bio_buf);
2250 add_assoc_stringl(&subitem, extname, bio_buf->data, bio_buf->length);
2251 } else {
2252 php_openssl_add_assoc_asn1_string(&subitem, extname, X509_EXTENSION_get_data(extension));
2253 }
2254 BIO_free(bio_out);
2255 }
2256 add_assoc_zval(return_value, "extensions", &subitem);
2257 if (cert_str) {
2258 X509_free(cert);
2259 }
2260 return;
2261
2262 err_subitem:
2263 zval_ptr_dtor(&subitem);
2264 err:
2265 zend_array_destroy(Z_ARR_P(return_value));
2266 if (cert_str) {
2267 X509_free(cert);
2268 }
2269 RETURN_FALSE;
2270 }
2271 /* }}} */
2272
2273 /* {{{ php_openssl_load_all_certs_from_file */
STACK_OF(X509)2274 static STACK_OF(X509) *php_openssl_load_all_certs_from_file(
2275 char *cert_file, size_t cert_file_len, uint32_t arg_num)
2276 {
2277 STACK_OF(X509_INFO) *sk=NULL;
2278 STACK_OF(X509) *stack=NULL, *ret=NULL;
2279 BIO *in=NULL;
2280 X509_INFO *xi;
2281 char cert_path[MAXPATHLEN];
2282
2283 if(!(stack = sk_X509_new_null())) {
2284 php_openssl_store_errors();
2285 php_error_docref(NULL, E_ERROR, "Memory allocation failure");
2286 goto end;
2287 }
2288
2289 if (!php_openssl_check_path(cert_file, cert_file_len, cert_path, arg_num)) {
2290 sk_X509_free(stack);
2291 goto end;
2292 }
2293
2294 if (!(in = BIO_new_file(cert_path, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY)))) {
2295 php_openssl_store_errors();
2296 php_error_docref(NULL, E_WARNING, "Error opening the file, %s", cert_path);
2297 sk_X509_free(stack);
2298 goto end;
2299 }
2300
2301 /* This loads from a file, a stack of x509/crl/pkey sets */
2302 if (!(sk = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL))) {
2303 php_openssl_store_errors();
2304 php_error_docref(NULL, E_WARNING, "Error reading the file, %s", cert_path);
2305 sk_X509_free(stack);
2306 goto end;
2307 }
2308
2309 /* scan over it and pull out the certs */
2310 while (sk_X509_INFO_num(sk)) {
2311 xi=sk_X509_INFO_shift(sk);
2312 if (xi->x509 != NULL) {
2313 sk_X509_push(stack,xi->x509);
2314 xi->x509=NULL;
2315 }
2316 X509_INFO_free(xi);
2317 }
2318 if (!sk_X509_num(stack)) {
2319 php_error_docref(NULL, E_WARNING, "No certificates in file, %s", cert_path);
2320 sk_X509_free(stack);
2321 goto end;
2322 }
2323 ret = stack;
2324 end:
2325 BIO_free(in);
2326 sk_X509_INFO_free(sk);
2327
2328 return ret;
2329 }
2330 /* }}} */
2331
2332 /* {{{ check_cert */
check_cert(X509_STORE * ctx,X509 * x,STACK_OF (X509)* untrustedchain,int purpose)2333 static int check_cert(X509_STORE *ctx, X509 *x, STACK_OF(X509) *untrustedchain, int purpose)
2334 {
2335 int ret=0;
2336 X509_STORE_CTX *csc;
2337
2338 csc = X509_STORE_CTX_new();
2339 if (csc == NULL) {
2340 php_openssl_store_errors();
2341 php_error_docref(NULL, E_ERROR, "Memory allocation failure");
2342 return 0;
2343 }
2344 if (!X509_STORE_CTX_init(csc, ctx, x, untrustedchain)) {
2345 php_openssl_store_errors();
2346 php_error_docref(NULL, E_WARNING, "Certificate store initialization failed");
2347 return 0;
2348 }
2349 if (purpose >= 0 && !X509_STORE_CTX_set_purpose(csc, purpose)) {
2350 php_openssl_store_errors();
2351 }
2352 ret = X509_verify_cert(csc);
2353 if (ret < 0) {
2354 php_openssl_store_errors();
2355 }
2356 X509_STORE_CTX_free(csc);
2357
2358 return ret;
2359 }
2360 /* }}} */
2361
2362 /* {{{ Checks the CERT to see if it can be used for the purpose in purpose. cainfo holds information about trusted CAs */
PHP_FUNCTION(openssl_x509_checkpurpose)2363 PHP_FUNCTION(openssl_x509_checkpurpose)
2364 {
2365 X509 *cert;
2366 zend_object *cert_obj;
2367 zend_string *cert_str;
2368 zval *zcainfo = NULL;
2369 X509_STORE *cainfo = NULL;
2370 STACK_OF(X509) *untrustedchain = NULL;
2371 zend_long purpose;
2372 char * untrusted = NULL;
2373 size_t untrusted_len = 0;
2374 int ret;
2375
2376 ZEND_PARSE_PARAMETERS_START(2, 4)
2377 Z_PARAM_OBJ_OF_CLASS_OR_STR(cert_obj, php_openssl_certificate_ce, cert_str)
2378 Z_PARAM_LONG(purpose)
2379 Z_PARAM_OPTIONAL
2380 Z_PARAM_ARRAY(zcainfo)
2381 Z_PARAM_STRING_OR_NULL(untrusted, untrusted_len)
2382 ZEND_PARSE_PARAMETERS_END();
2383
2384 RETVAL_LONG(-1);
2385
2386 if (untrusted) {
2387 untrustedchain = php_openssl_load_all_certs_from_file(untrusted, untrusted_len, 4);
2388 if (untrustedchain == NULL) {
2389 goto clean_exit;
2390 }
2391 }
2392
2393 cainfo = php_openssl_setup_verify(zcainfo, 3);
2394 if (cainfo == NULL) {
2395 goto clean_exit;
2396 }
2397 cert = php_openssl_x509_from_param(cert_obj, cert_str, 1);
2398 if (cert == NULL) {
2399 // TODO Add Warning?
2400 goto clean_exit;
2401 }
2402
2403 ret = check_cert(cainfo, cert, untrustedchain, (int)purpose);
2404 if (ret != 0 && ret != 1) {
2405 RETVAL_LONG(ret);
2406 } else {
2407 RETVAL_BOOL(ret);
2408 }
2409 if (cert_str) {
2410 X509_free(cert);
2411 }
2412 clean_exit:
2413 if (cainfo) {
2414 X509_STORE_free(cainfo);
2415 }
2416 if (untrustedchain) {
2417 sk_X509_pop_free(untrustedchain, X509_free);
2418 }
2419 }
2420 /* }}} */
2421
2422 /* {{{ php_openssl_setup_verify
2423 * calist is an array containing file and directory names. create a
2424 * certificate store and add those certs to it for use in verification.
2425 */
php_openssl_setup_verify(zval * calist,uint32_t arg_num)2426 static X509_STORE *php_openssl_setup_verify(zval *calist, uint32_t arg_num)
2427 {
2428 X509_STORE *store;
2429 X509_LOOKUP * dir_lookup, * file_lookup;
2430 int ndirs = 0, nfiles = 0;
2431 zval * item;
2432 zend_stat_t sb = {0};
2433 char file_path[MAXPATHLEN];
2434
2435 store = X509_STORE_new();
2436
2437 if (store == NULL) {
2438 php_openssl_store_errors();
2439 return NULL;
2440 }
2441
2442 if (calist && (Z_TYPE_P(calist) == IS_ARRAY)) {
2443 ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(calist), item) {
2444 zend_string *str = zval_try_get_string(item);
2445 if (UNEXPECTED(!str)) {
2446 return NULL;
2447 }
2448
2449 if (!php_openssl_check_path_str_ex(str, file_path, arg_num, false, true, NULL)) {
2450 zend_string_release(str);
2451 continue;
2452 }
2453 zend_string_release(str);
2454
2455 if (VCWD_STAT(file_path, &sb) == -1) {
2456 php_error_docref(NULL, E_WARNING, "Unable to stat %s", file_path);
2457 continue;
2458 }
2459
2460 if ((sb.st_mode & S_IFREG) == S_IFREG) {
2461 file_lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
2462 if (file_lookup == NULL || !X509_LOOKUP_load_file(file_lookup, file_path, X509_FILETYPE_PEM)) {
2463 php_openssl_store_errors();
2464 php_error_docref(NULL, E_WARNING, "Error loading file %s", file_path);
2465 } else {
2466 nfiles++;
2467 }
2468 file_lookup = NULL;
2469 } else {
2470 dir_lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
2471 if (dir_lookup == NULL || !X509_LOOKUP_add_dir(dir_lookup, file_path, X509_FILETYPE_PEM)) {
2472 php_openssl_store_errors();
2473 php_error_docref(NULL, E_WARNING, "Error loading directory %s", file_path);
2474 } else {
2475 ndirs++;
2476 }
2477 dir_lookup = NULL;
2478 }
2479 } ZEND_HASH_FOREACH_END();
2480 }
2481 if (nfiles == 0) {
2482 file_lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
2483 if (file_lookup == NULL || !X509_LOOKUP_load_file(file_lookup, NULL, X509_FILETYPE_DEFAULT)) {
2484 php_openssl_store_errors();
2485 }
2486 }
2487 if (ndirs == 0) {
2488 dir_lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
2489 if (dir_lookup == NULL || !X509_LOOKUP_add_dir(dir_lookup, NULL, X509_FILETYPE_DEFAULT)) {
2490 php_openssl_store_errors();
2491 }
2492 }
2493 return store;
2494 }
2495 /* }}} */
2496
2497 /* {{{ Reads X.509 certificates */
PHP_FUNCTION(openssl_x509_read)2498 PHP_FUNCTION(openssl_x509_read)
2499 {
2500 X509 *cert;
2501 php_openssl_certificate_object *x509_cert_obj;
2502 zend_object *cert_obj;
2503 zend_string *cert_str;
2504
2505 ZEND_PARSE_PARAMETERS_START(1, 1)
2506 Z_PARAM_OBJ_OF_CLASS_OR_STR(cert_obj, php_openssl_certificate_ce, cert_str)
2507 ZEND_PARSE_PARAMETERS_END();
2508
2509 cert = php_openssl_x509_from_param(cert_obj, cert_str, 1);
2510 if (cert == NULL) {
2511 php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
2512 RETURN_FALSE;
2513 }
2514
2515 object_init_ex(return_value, php_openssl_certificate_ce);
2516 x509_cert_obj = Z_OPENSSL_CERTIFICATE_P(return_value);
2517 x509_cert_obj->x509 = cert_obj ? X509_dup(cert) : cert;
2518 }
2519 /* }}} */
2520
2521 /* {{{ Frees X.509 certificates */
PHP_FUNCTION(openssl_x509_free)2522 PHP_FUNCTION(openssl_x509_free)
2523 {
2524 zval *x509;
2525
2526 ZEND_PARSE_PARAMETERS_START(1, 1)
2527 Z_PARAM_OBJECT_OF_CLASS(x509, php_openssl_certificate_ce)
2528 ZEND_PARSE_PARAMETERS_END();
2529 }
2530 /* }}} */
2531
2532 /* }}} */
2533
2534 /* Pop all X509 from Stack and free them, free the stack afterwards */
php_sk_X509_free(STACK_OF (X509)* sk)2535 static void php_sk_X509_free(STACK_OF(X509) * sk) /* {{{ */
2536 {
2537 for (;;) {
2538 X509* x = sk_X509_pop(sk);
2539 if (!x) break;
2540 X509_free(x);
2541 }
2542 sk_X509_free(sk);
2543 }
2544 /* }}} */
2545
STACK_OF(X509)2546 static STACK_OF(X509) *php_array_to_X509_sk(zval * zcerts, uint32_t arg_num, const char *option_name) /* {{{ */
2547 {
2548 zval * zcertval;
2549 STACK_OF(X509) * sk = NULL;
2550 X509 * cert;
2551 bool free_cert;
2552
2553 sk = sk_X509_new_null();
2554
2555 /* get certs */
2556 if (Z_TYPE_P(zcerts) == IS_ARRAY) {
2557 ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(zcerts), zcertval) {
2558 cert = php_openssl_x509_from_zval(zcertval, &free_cert, arg_num, true, option_name);
2559 if (cert == NULL) {
2560 // TODO Add Warning?
2561 goto clean_exit;
2562 }
2563
2564 if (!free_cert) {
2565 cert = X509_dup(cert);
2566
2567 if (cert == NULL) {
2568 php_openssl_store_errors();
2569 goto clean_exit;
2570 }
2571
2572 }
2573 sk_X509_push(sk, cert);
2574 } ZEND_HASH_FOREACH_END();
2575 } else {
2576 /* a single certificate */
2577 cert = php_openssl_x509_from_zval(zcerts, &free_cert, arg_num, false, option_name);
2578
2579 if (cert == NULL) {
2580 // TODO Add Warning?
2581 goto clean_exit;
2582 }
2583
2584 if (!free_cert) {
2585 cert = X509_dup(cert);
2586 if (cert == NULL) {
2587 php_openssl_store_errors();
2588 goto clean_exit;
2589 }
2590 }
2591 sk_X509_push(sk, cert);
2592 }
2593
2594 clean_exit:
2595 return sk;
2596 }
2597 /* }}} */
2598
2599 /* {{{ Creates and exports a PKCS to file */
PHP_FUNCTION(openssl_pkcs12_export_to_file)2600 PHP_FUNCTION(openssl_pkcs12_export_to_file)
2601 {
2602 X509 *cert;
2603 zend_object *cert_obj;
2604 zend_string *cert_str;
2605 BIO * bio_out = NULL;
2606 PKCS12 * p12 = NULL;
2607 char * filename, file_path[MAXPATHLEN];
2608 char * friendly_name = NULL;
2609 size_t filename_len;
2610 char * pass;
2611 size_t pass_len;
2612 zval *zpkey = NULL, *args = NULL;
2613 EVP_PKEY *priv_key = NULL;
2614 zval * item;
2615 STACK_OF(X509) *ca = NULL;
2616
2617 ZEND_PARSE_PARAMETERS_START(4, 5)
2618 Z_PARAM_OBJ_OF_CLASS_OR_STR(cert_obj, php_openssl_certificate_ce, cert_str)
2619 Z_PARAM_PATH(filename, filename_len)
2620 Z_PARAM_ZVAL(zpkey)
2621 Z_PARAM_STRING(pass, pass_len)
2622 Z_PARAM_OPTIONAL
2623 Z_PARAM_ARRAY(args)
2624 ZEND_PARSE_PARAMETERS_END();
2625
2626 RETVAL_FALSE;
2627
2628 cert = php_openssl_x509_from_param(cert_obj, cert_str, 1);
2629 if (cert == NULL) {
2630 php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
2631 return;
2632 }
2633
2634 priv_key = php_openssl_pkey_from_zval(zpkey, 0, "", 0, 3);
2635 if (priv_key == NULL) {
2636 if (!EG(exception)) {
2637 php_error_docref(NULL, E_WARNING, "Cannot get private key from parameter 3");
2638 }
2639 goto cleanup;
2640 }
2641 if (!X509_check_private_key(cert, priv_key)) {
2642 php_openssl_store_errors();
2643 php_error_docref(NULL, E_WARNING, "Private key does not correspond to cert");
2644 goto cleanup;
2645 }
2646 if (!php_openssl_check_path(filename, filename_len, file_path, 2)) {
2647 goto cleanup;
2648 }
2649
2650 /* parse extra config from args array, promote this to an extra function */
2651 if (args &&
2652 (item = zend_hash_str_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name")-1)) != NULL &&
2653 Z_TYPE_P(item) == IS_STRING
2654 ) {
2655 friendly_name = Z_STRVAL_P(item);
2656 }
2657 /* certpbe (default RC2-40)
2658 keypbe (default 3DES)
2659 friendly_caname
2660 */
2661
2662 if (args && (item = zend_hash_str_find(Z_ARRVAL_P(args), "extracerts", sizeof("extracerts")-1)) != NULL) {
2663 ca = php_array_to_X509_sk(item, 5, "extracerts");
2664 }
2665 /* end parse extra config */
2666
2667 /*PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca,
2668 int nid_key, int nid_cert, int iter, int mac_iter, int keytype);*/
2669
2670 p12 = PKCS12_create(pass, friendly_name, priv_key, cert, ca, 0, 0, 0, 0, 0);
2671 if (p12 != NULL) {
2672 bio_out = BIO_new_file(file_path, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY));
2673 if (bio_out != NULL) {
2674 if (i2d_PKCS12_bio(bio_out, p12) == 0) {
2675 php_openssl_store_errors();
2676 php_error_docref(NULL, E_WARNING, "Error writing to file %s", file_path);
2677 } else {
2678 RETVAL_TRUE;
2679 }
2680 BIO_free(bio_out);
2681 } else {
2682 php_openssl_store_errors();
2683 php_error_docref(NULL, E_WARNING, "Error opening file %s", file_path);
2684 }
2685
2686 PKCS12_free(p12);
2687 } else {
2688 php_openssl_store_errors();
2689 }
2690
2691 php_sk_X509_free(ca);
2692
2693 cleanup:
2694 EVP_PKEY_free(priv_key);
2695
2696 if (cert_str) {
2697 X509_free(cert);
2698 }
2699 }
2700 /* }}} */
2701
2702 /* {{{ Creates and exports a PKCS12 to a var */
PHP_FUNCTION(openssl_pkcs12_export)2703 PHP_FUNCTION(openssl_pkcs12_export)
2704 {
2705 X509 *cert;
2706 zend_object *cert_obj;
2707 zend_string *cert_str;
2708 BIO * bio_out;
2709 PKCS12 * p12 = NULL;
2710 zval *zout = NULL, *zpkey, *args = NULL;
2711 EVP_PKEY *priv_key = NULL;
2712 char * pass;
2713 size_t pass_len;
2714 char * friendly_name = NULL;
2715 zval * item;
2716 STACK_OF(X509) *ca = NULL;
2717
2718 ZEND_PARSE_PARAMETERS_START(4, 5)
2719 Z_PARAM_OBJ_OF_CLASS_OR_STR(cert_obj, php_openssl_certificate_ce, cert_str)
2720 Z_PARAM_ZVAL(zout)
2721 Z_PARAM_ZVAL(zpkey)
2722 Z_PARAM_STRING(pass, pass_len)
2723 Z_PARAM_OPTIONAL
2724 Z_PARAM_ARRAY(args)
2725 ZEND_PARSE_PARAMETERS_END();
2726
2727 RETVAL_FALSE;
2728
2729 cert = php_openssl_x509_from_param(cert_obj, cert_str, 1);
2730 if (cert == NULL) {
2731 php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
2732 return;
2733 }
2734
2735 priv_key = php_openssl_pkey_from_zval(zpkey, 0, "", 0, 3);
2736 if (priv_key == NULL) {
2737 if (!EG(exception)) {
2738 php_error_docref(NULL, E_WARNING, "Cannot get private key from parameter 3");
2739 }
2740 goto cleanup;
2741 }
2742 if (!X509_check_private_key(cert, priv_key)) {
2743 php_error_docref(NULL, E_WARNING, "Private key does not correspond to cert");
2744 goto cleanup;
2745 }
2746
2747 /* parse extra config from args array, promote this to an extra function */
2748 if (args &&
2749 (item = zend_hash_str_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name")-1)) != NULL &&
2750 Z_TYPE_P(item) == IS_STRING
2751 ) {
2752 friendly_name = Z_STRVAL_P(item);
2753 }
2754
2755 if (args && (item = zend_hash_str_find(Z_ARRVAL_P(args), "extracerts", sizeof("extracerts")-1)) != NULL) {
2756 ca = php_array_to_X509_sk(item, 5, "extracerts");
2757 }
2758 /* end parse extra config */
2759
2760 p12 = PKCS12_create(pass, friendly_name, priv_key, cert, ca, 0, 0, 0, 0, 0);
2761
2762 if (p12 != NULL) {
2763 bio_out = BIO_new(BIO_s_mem());
2764 if (i2d_PKCS12_bio(bio_out, p12)) {
2765 BUF_MEM *bio_buf;
2766
2767 BIO_get_mem_ptr(bio_out, &bio_buf);
2768 ZEND_TRY_ASSIGN_REF_STRINGL(zout, bio_buf->data, bio_buf->length);
2769
2770 RETVAL_TRUE;
2771 } else {
2772 php_openssl_store_errors();
2773 }
2774
2775 BIO_free(bio_out);
2776 PKCS12_free(p12);
2777 } else {
2778 php_openssl_store_errors();
2779 }
2780 php_sk_X509_free(ca);
2781
2782 cleanup:
2783 EVP_PKEY_free(priv_key);
2784 if (cert_str) {
2785 X509_free(cert);
2786 }
2787 }
2788 /* }}} */
2789
2790 /* {{{ Parses a PKCS12 to an array */
PHP_FUNCTION(openssl_pkcs12_read)2791 PHP_FUNCTION(openssl_pkcs12_read)
2792 {
2793 zval *zout = NULL, zextracerts, zcert, zpkey;
2794 char *pass, *zp12;
2795 size_t pass_len, zp12_len;
2796 PKCS12 * p12 = NULL;
2797 EVP_PKEY * pkey = NULL;
2798 X509 * cert = NULL;
2799 STACK_OF(X509) * ca = NULL;
2800 BIO * bio_in = NULL;
2801 int i;
2802
2803 if (zend_parse_parameters(ZEND_NUM_ARGS(), "szs", &zp12, &zp12_len, &zout, &pass, &pass_len) == FAILURE) {
2804 RETURN_THROWS();
2805 }
2806
2807 RETVAL_FALSE;
2808
2809 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(zp12_len, pkcs12, 1);
2810
2811 bio_in = BIO_new(BIO_s_mem());
2812
2813 if (0 >= BIO_write(bio_in, zp12, (int)zp12_len)) {
2814 php_openssl_store_errors();
2815 goto cleanup;
2816 }
2817
2818 if (d2i_PKCS12_bio(bio_in, &p12) && PKCS12_parse(p12, pass, &pkey, &cert, &ca)) {
2819 BIO * bio_out;
2820 int cert_num;
2821
2822 zout = zend_try_array_init(zout);
2823 if (!zout) {
2824 goto cleanup;
2825 }
2826
2827 if (cert) {
2828 bio_out = BIO_new(BIO_s_mem());
2829 if (PEM_write_bio_X509(bio_out, cert)) {
2830 BUF_MEM *bio_buf;
2831 BIO_get_mem_ptr(bio_out, &bio_buf);
2832 ZVAL_STRINGL(&zcert, bio_buf->data, bio_buf->length);
2833 add_assoc_zval(zout, "cert", &zcert);
2834 } else {
2835 php_openssl_store_errors();
2836 }
2837 BIO_free(bio_out);
2838 }
2839
2840 if (pkey) {
2841 bio_out = BIO_new(BIO_s_mem());
2842 if (PEM_write_bio_PrivateKey(bio_out, pkey, NULL, NULL, 0, 0, NULL)) {
2843 BUF_MEM *bio_buf;
2844 BIO_get_mem_ptr(bio_out, &bio_buf);
2845 ZVAL_STRINGL(&zpkey, bio_buf->data, bio_buf->length);
2846 add_assoc_zval(zout, "pkey", &zpkey);
2847 } else {
2848 php_openssl_store_errors();
2849 }
2850 BIO_free(bio_out);
2851 }
2852
2853 cert_num = sk_X509_num(ca);
2854 if (ca && cert_num) {
2855 array_init(&zextracerts);
2856
2857 for (i = 0; i < cert_num; i++) {
2858 zval zextracert;
2859 X509* aCA = sk_X509_pop(ca);
2860 if (!aCA) break;
2861
2862 bio_out = BIO_new(BIO_s_mem());
2863 if (PEM_write_bio_X509(bio_out, aCA)) {
2864 BUF_MEM *bio_buf;
2865 BIO_get_mem_ptr(bio_out, &bio_buf);
2866 ZVAL_STRINGL(&zextracert, bio_buf->data, bio_buf->length);
2867 add_index_zval(&zextracerts, i, &zextracert);
2868 }
2869
2870 X509_free(aCA);
2871 BIO_free(bio_out);
2872 }
2873
2874 sk_X509_free(ca);
2875 add_assoc_zval(zout, "extracerts", &zextracerts);
2876 }
2877
2878 RETVAL_TRUE;
2879 } else {
2880 php_openssl_store_errors();
2881 }
2882
2883 cleanup:
2884 BIO_free(bio_in);
2885 EVP_PKEY_free(pkey);
2886 if (cert) {
2887 X509_free(cert);
2888 }
2889 if (p12) {
2890 PKCS12_free(p12);
2891 }
2892 }
2893 /* }}} */
2894
2895 /* {{{ x509 CSR functions */
2896
php_openssl_csr_add_subj_entry(zval * item,X509_NAME * subj,int nid)2897 static zend_result php_openssl_csr_add_subj_entry(zval *item, X509_NAME *subj, int nid)
2898 {
2899 zend_string *str_item = zval_try_get_string(item);
2900 if (UNEXPECTED(!str_item)) {
2901 return FAILURE;
2902 }
2903 if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_UTF8,
2904 (unsigned char*)ZSTR_VAL(str_item), -1, -1, 0))
2905 {
2906 php_openssl_store_errors();
2907 php_error_docref(NULL, E_WARNING,
2908 "dn: add_entry_by_NID %d -> %s (failed; check error"
2909 " queue and value of string_mask OpenSSL option "
2910 "if illegal characters are reported)",
2911 nid, ZSTR_VAL(str_item));
2912 zend_string_release(str_item);
2913 return FAILURE;
2914 }
2915 zend_string_release(str_item);
2916 return SUCCESS;
2917 }
2918
php_openssl_csr_make(struct php_x509_request * req,X509_REQ * csr,zval * dn,zval * attribs)2919 static zend_result php_openssl_csr_make(struct php_x509_request * req, X509_REQ * csr, zval * dn, zval * attribs)
2920 {
2921 STACK_OF(CONF_VALUE) * dn_sk, *attr_sk = NULL;
2922 char * str, *dn_sect, *attr_sect;
2923
2924 dn_sect = NCONF_get_string(req->req_config, req->section_name, "distinguished_name");
2925 if (dn_sect == NULL) {
2926 php_openssl_store_errors();
2927 return FAILURE;
2928 }
2929 dn_sk = NCONF_get_section(req->req_config, dn_sect);
2930 if (dn_sk == NULL) {
2931 php_openssl_store_errors();
2932 return FAILURE;
2933 }
2934 attr_sect = php_openssl_conf_get_string(req->req_config, req->section_name, "attributes");
2935 if (attr_sect == NULL) {
2936 attr_sk = NULL;
2937 } else {
2938 attr_sk = NCONF_get_section(req->req_config, attr_sect);
2939 if (attr_sk == NULL) {
2940 php_openssl_store_errors();
2941 return FAILURE;
2942 }
2943 }
2944 /* setup the version number: version 1 */
2945 if (X509_REQ_set_version(csr, 0L)) {
2946 int i, nid;
2947 char *type;
2948 CONF_VALUE *v;
2949 X509_NAME *subj;
2950 zval *item, *subitem;
2951 zend_string *strindex = NULL;
2952
2953 subj = X509_REQ_get_subject_name(csr);
2954 /* apply values from the dn hash */
2955 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(dn), strindex, item) {
2956 if (strindex) {
2957 int nid = OBJ_txt2nid(ZSTR_VAL(strindex));
2958 if (nid != NID_undef) {
2959 if (Z_TYPE_P(item) == IS_ARRAY) {
2960 ZEND_HASH_FOREACH_NUM_KEY_VAL(Z_ARRVAL_P(item), i, subitem) {
2961 if (php_openssl_csr_add_subj_entry(subitem, subj, nid) == FAILURE) {
2962 return FAILURE;
2963 }
2964 } ZEND_HASH_FOREACH_END();
2965 } else if (php_openssl_csr_add_subj_entry(item, subj, nid) == FAILURE) {
2966 return FAILURE;
2967 }
2968 } else {
2969 php_error_docref(NULL, E_WARNING, "dn: %s is not a recognized name", ZSTR_VAL(strindex));
2970 }
2971 }
2972 } ZEND_HASH_FOREACH_END();
2973
2974 /* Finally apply defaults from config file */
2975 for(i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
2976 size_t len;
2977 char buffer[200 + 1]; /*200 + \0 !*/
2978
2979 v = sk_CONF_VALUE_value(dn_sk, i);
2980 type = v->name;
2981
2982 len = strlen(type);
2983 if (len < sizeof("_default")) {
2984 continue;
2985 }
2986 len -= sizeof("_default") - 1;
2987 if (strcmp("_default", type + len) != 0) {
2988 continue;
2989 }
2990 if (len > 200) {
2991 len = 200;
2992 }
2993 memcpy(buffer, type, len);
2994 buffer[len] = '\0';
2995 type = buffer;
2996
2997 /* Skip past any leading X. X: X, etc to allow for multiple
2998 * instances */
2999 for (str = type; *str; str++) {
3000 if (*str == ':' || *str == ',' || *str == '.') {
3001 str++;
3002 if (*str) {
3003 type = str;
3004 }
3005 break;
3006 }
3007 }
3008 /* if it is already set, skip this */
3009 nid = OBJ_txt2nid(type);
3010 if (X509_NAME_get_index_by_NID(subj, nid, -1) >= 0) {
3011 continue;
3012 }
3013 if (!X509_NAME_add_entry_by_txt(subj, type, MBSTRING_UTF8, (unsigned char*)v->value, -1, -1, 0)) {
3014 php_openssl_store_errors();
3015 php_error_docref(NULL, E_WARNING, "add_entry_by_txt %s -> %s (failed)", type, v->value);
3016 return FAILURE;
3017 }
3018 if (!X509_NAME_entry_count(subj)) {
3019 php_error_docref(NULL, E_WARNING, "No objects specified in config file");
3020 return FAILURE;
3021 }
3022 }
3023 if (attribs) {
3024 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(attribs), strindex, item) {
3025 int nid;
3026
3027 if (NULL == strindex) {
3028 php_error_docref(NULL, E_WARNING, "attributes: numeric fild names are not supported");
3029 continue;
3030 }
3031
3032 nid = OBJ_txt2nid(ZSTR_VAL(strindex));
3033 if (nid != NID_undef) {
3034 zend_string *str_item = zval_try_get_string(item);
3035 if (UNEXPECTED(!str_item)) {
3036 return FAILURE;
3037 }
3038 if (!X509_REQ_add1_attr_by_NID(csr, nid, MBSTRING_UTF8, (unsigned char*)ZSTR_VAL(str_item), (int)ZSTR_LEN(str_item))) {
3039 php_openssl_store_errors();
3040 php_error_docref(NULL, E_WARNING, "attributes: add_attr_by_NID %d -> %s (failed)", nid, ZSTR_VAL(str_item));
3041 zend_string_release(str_item);
3042 return FAILURE;
3043 }
3044 zend_string_release(str_item);
3045 } else {
3046 php_error_docref(NULL, E_WARNING, "attributes: %s is not a recognized attribute name", ZSTR_VAL(strindex));
3047 }
3048 } ZEND_HASH_FOREACH_END();
3049 for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
3050 v = sk_CONF_VALUE_value(attr_sk, i);
3051 /* if it is already set, skip this */
3052 nid = OBJ_txt2nid(v->name);
3053 if (X509_REQ_get_attr_by_NID(csr, nid, -1) >= 0) {
3054 continue;
3055 }
3056 if (!X509_REQ_add1_attr_by_txt(csr, v->name, MBSTRING_UTF8, (unsigned char*)v->value, -1)) {
3057 php_openssl_store_errors();
3058 php_error_docref(NULL, E_WARNING,
3059 "add1_attr_by_txt %s -> %s (failed; check error queue "
3060 "and value of string_mask OpenSSL option if illegal "
3061 "characters are reported)",
3062 v->name, v->value);
3063 return FAILURE;
3064 }
3065 }
3066 }
3067 } else {
3068 php_openssl_store_errors();
3069 }
3070
3071 if (!X509_REQ_set_pubkey(csr, req->priv_key)) {
3072 php_openssl_store_errors();
3073 }
3074 return SUCCESS;
3075 }
3076
php_openssl_csr_from_str(zend_string * csr_str,uint32_t arg_num)3077 static X509_REQ *php_openssl_csr_from_str(zend_string *csr_str, uint32_t arg_num)
3078 {
3079 X509_REQ * csr = NULL;
3080 char file_path[MAXPATHLEN];
3081 BIO * in;
3082
3083 if (ZSTR_LEN(csr_str) > 7 && memcmp(ZSTR_VAL(csr_str), "file://", sizeof("file://") - 1) == 0) {
3084 if (!php_openssl_check_path_str(csr_str, file_path, arg_num)) {
3085 return NULL;
3086 }
3087 in = BIO_new_file(file_path, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
3088 } else {
3089 in = BIO_new_mem_buf(ZSTR_VAL(csr_str), (int) ZSTR_LEN(csr_str));
3090 }
3091
3092 if (in == NULL) {
3093 php_openssl_store_errors();
3094 return NULL;
3095 }
3096
3097 csr = PEM_read_bio_X509_REQ(in, NULL,NULL,NULL);
3098 if (csr == NULL) {
3099 php_openssl_store_errors();
3100 }
3101
3102 BIO_free(in);
3103
3104 return csr;
3105 }
3106
php_openssl_csr_from_param(zend_object * csr_obj,zend_string * csr_str,uint32_t arg_num)3107 static X509_REQ *php_openssl_csr_from_param(
3108 zend_object *csr_obj, zend_string *csr_str, uint32_t arg_num)
3109 {
3110 if (csr_obj) {
3111 return php_openssl_request_from_obj(csr_obj)->csr;
3112 }
3113
3114 ZEND_ASSERT(csr_str);
3115
3116 return php_openssl_csr_from_str(csr_str, arg_num);
3117 }
3118
3119 /* {{{ Exports a CSR to file */
PHP_FUNCTION(openssl_csr_export_to_file)3120 PHP_FUNCTION(openssl_csr_export_to_file)
3121 {
3122 X509_REQ *csr;
3123 zend_object *csr_obj;
3124 zend_string *csr_str;
3125 bool notext = 1;
3126 char * filename = NULL;
3127 size_t filename_len;
3128 char file_path[MAXPATHLEN];
3129 BIO * bio_out;
3130
3131 ZEND_PARSE_PARAMETERS_START(2, 3)
3132 Z_PARAM_OBJ_OF_CLASS_OR_STR(csr_obj, php_openssl_request_ce, csr_str)
3133 Z_PARAM_PATH(filename, filename_len)
3134 Z_PARAM_OPTIONAL
3135 Z_PARAM_BOOL(notext)
3136 ZEND_PARSE_PARAMETERS_END();
3137
3138 RETVAL_FALSE;
3139
3140 csr = php_openssl_csr_from_param(csr_obj, csr_str, 1);
3141 if (csr == NULL) {
3142 php_error_docref(NULL, E_WARNING, "X.509 Certificate Signing Request cannot be retrieved");
3143 return;
3144 }
3145
3146 if (!php_openssl_check_path(filename, filename_len, file_path, 2)) {
3147 goto exit_cleanup;
3148 }
3149
3150 bio_out = BIO_new_file(file_path, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY));
3151 if (bio_out != NULL) {
3152 if (!notext && !X509_REQ_print(bio_out, csr)) {
3153 php_openssl_store_errors();
3154 }
3155 if (!PEM_write_bio_X509_REQ(bio_out, csr)) {
3156 php_error_docref(NULL, E_WARNING, "Error writing PEM to file %s", file_path);
3157 php_openssl_store_errors();
3158 } else {
3159 RETVAL_TRUE;
3160 }
3161 BIO_free(bio_out);
3162 } else {
3163 php_openssl_store_errors();
3164 php_error_docref(NULL, E_WARNING, "Error opening file %s", file_path);
3165 }
3166
3167 exit_cleanup:
3168 if (csr_str) {
3169 X509_REQ_free(csr);
3170 }
3171 }
3172 /* }}} */
3173
3174 /* {{{ Exports a CSR to file or a var */
PHP_FUNCTION(openssl_csr_export)3175 PHP_FUNCTION(openssl_csr_export)
3176 {
3177 X509_REQ *csr;
3178 zend_object *csr_obj;
3179 zend_string *csr_str;
3180 zval *zout;
3181 bool notext = 1;
3182 BIO * bio_out;
3183
3184 ZEND_PARSE_PARAMETERS_START(2, 3)
3185 Z_PARAM_OBJ_OF_CLASS_OR_STR(csr_obj, php_openssl_request_ce, csr_str)
3186 Z_PARAM_ZVAL(zout)
3187 Z_PARAM_OPTIONAL
3188 Z_PARAM_BOOL(notext)
3189 ZEND_PARSE_PARAMETERS_END();
3190
3191 RETVAL_FALSE;
3192
3193 csr = php_openssl_csr_from_param(csr_obj, csr_str, 1);
3194 if (csr == NULL) {
3195 php_error_docref(NULL, E_WARNING, "X.509 Certificate Signing Request cannot be retrieved");
3196 return;
3197 }
3198
3199 /* export to a var */
3200
3201 bio_out = BIO_new(BIO_s_mem());
3202 if (!notext && !X509_REQ_print(bio_out, csr)) {
3203 php_openssl_store_errors();
3204 }
3205
3206 if (PEM_write_bio_X509_REQ(bio_out, csr)) {
3207 BUF_MEM *bio_buf;
3208
3209 BIO_get_mem_ptr(bio_out, &bio_buf);
3210 ZEND_TRY_ASSIGN_REF_STRINGL(zout, bio_buf->data, bio_buf->length);
3211
3212 RETVAL_TRUE;
3213 } else {
3214 php_openssl_store_errors();
3215 }
3216
3217 if (csr_str) {
3218 X509_REQ_free(csr);
3219 }
3220 BIO_free(bio_out);
3221 }
3222 /* }}} */
3223
3224 #if PHP_OPENSSL_API_VERSION >= 0x10100 && !defined (LIBRESSL_VERSION_NUMBER)
3225 #define PHP_OPENSSL_ASN1_INTEGER_set ASN1_INTEGER_set_int64
3226 #else
3227 #define PHP_OPENSSL_ASN1_INTEGER_set ASN1_INTEGER_set
3228 #endif
3229
3230 /* {{{ Signs a cert with another CERT */
PHP_FUNCTION(openssl_csr_sign)3231 PHP_FUNCTION(openssl_csr_sign)
3232 {
3233 X509_REQ *csr;
3234 zend_object *csr_obj;
3235 zend_string *csr_str;
3236
3237 php_openssl_certificate_object *cert_object;
3238 zend_object *cert_obj;
3239 zend_string *cert_str;
3240 zval *zpkey, *args = NULL;
3241 zend_long num_days;
3242 zend_long serial = Z_L(0);
3243 zend_string *serial_hex = NULL;
3244 X509 *cert = NULL, *new_cert = NULL;
3245 EVP_PKEY * key = NULL, *priv_key = NULL;
3246 int i;
3247 bool new_cert_used = false;
3248 struct php_x509_request req;
3249
3250 ZEND_PARSE_PARAMETERS_START(4, 7)
3251 Z_PARAM_OBJ_OF_CLASS_OR_STR(csr_obj, php_openssl_request_ce, csr_str)
3252 Z_PARAM_OBJ_OF_CLASS_OR_STR_OR_NULL(cert_obj, php_openssl_certificate_ce, cert_str)
3253 Z_PARAM_ZVAL(zpkey)
3254 Z_PARAM_LONG(num_days)
3255 Z_PARAM_OPTIONAL
3256 Z_PARAM_ARRAY_OR_NULL(args)
3257 Z_PARAM_LONG(serial)
3258 Z_PARAM_STR_OR_NULL(serial_hex)
3259 ZEND_PARSE_PARAMETERS_END();
3260
3261 RETVAL_FALSE;
3262
3263 csr = php_openssl_csr_from_param(csr_obj, csr_str, 1);
3264 if (csr == NULL) {
3265 php_error_docref(NULL, E_WARNING, "X.509 Certificate Signing Request cannot be retrieved");
3266 return;
3267 }
3268
3269 PHP_SSL_REQ_INIT(&req);
3270
3271 if (cert_str || cert_obj) {
3272 cert = php_openssl_x509_from_param(cert_obj, cert_str, 2);
3273 if (cert == NULL) {
3274 php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
3275 goto cleanup;
3276 }
3277 }
3278
3279 priv_key = php_openssl_pkey_from_zval(zpkey, 0, "", 0, 3);
3280 if (priv_key == NULL) {
3281 if (!EG(exception)) {
3282 php_error_docref(NULL, E_WARNING, "Cannot get private key from parameter 3");
3283 }
3284 goto cleanup;
3285 }
3286 if (cert && !X509_check_private_key(cert, priv_key)) {
3287 php_openssl_store_errors();
3288 php_error_docref(NULL, E_WARNING, "Private key does not correspond to signing cert");
3289 goto cleanup;
3290 }
3291
3292 if (num_days < 0 || num_days > LONG_MAX / 86400) {
3293 php_error_docref(NULL, E_WARNING, "Days must be between 0 and %ld", LONG_MAX / 86400);
3294 goto cleanup;
3295 }
3296
3297 if (PHP_SSL_REQ_PARSE(&req, args) == FAILURE) {
3298 goto cleanup;
3299 }
3300 /* Check that the request matches the signature */
3301 key = X509_REQ_get_pubkey(csr);
3302 if (key == NULL) {
3303 php_openssl_store_errors();
3304 php_error_docref(NULL, E_WARNING, "Error unpacking public key");
3305 goto cleanup;
3306 }
3307 i = X509_REQ_verify(csr, key);
3308
3309 if (i < 0) {
3310 php_openssl_store_errors();
3311 php_error_docref(NULL, E_WARNING, "Signature verification problems");
3312 goto cleanup;
3313 }
3314 else if (i == 0) {
3315 php_error_docref(NULL, E_WARNING, "Signature did not match the certificate request");
3316 goto cleanup;
3317 }
3318
3319 /* Now we can get on with it */
3320
3321 new_cert = X509_new();
3322 if (new_cert == NULL) {
3323 php_openssl_store_errors();
3324 php_error_docref(NULL, E_WARNING, "No memory");
3325 goto cleanup;
3326 }
3327 /* Version 3 cert */
3328 if (!X509_set_version(new_cert, 2)) {
3329 goto cleanup;
3330 }
3331
3332 if (serial_hex != NULL) {
3333 char buffer[256];
3334 if (ZSTR_LEN(serial_hex) > 200) {
3335 php_error_docref(NULL, E_WARNING, "Error parsing serial number because it is too long");
3336 goto cleanup;
3337 }
3338 BIO *in = BIO_new_mem_buf(ZSTR_VAL(serial_hex), ZSTR_LEN(serial_hex));
3339 if (in == NULL) {
3340 php_openssl_store_errors();
3341 php_error_docref(NULL, E_WARNING, "Error parsing serial number because memory allocation failed");
3342 goto cleanup;
3343 }
3344 int success = a2i_ASN1_INTEGER(in, X509_get_serialNumber(new_cert), buffer, sizeof(buffer));
3345 BIO_free(in);
3346 if (!success) {
3347 php_openssl_store_errors();
3348 php_error_docref(NULL, E_WARNING, "Error parsing serial number");
3349 goto cleanup;
3350 }
3351 } else {
3352 PHP_OPENSSL_ASN1_INTEGER_set(X509_get_serialNumber(new_cert), serial);
3353 }
3354
3355 X509_set_subject_name(new_cert, X509_REQ_get_subject_name(csr));
3356
3357 if (cert == NULL) {
3358 cert = new_cert;
3359 }
3360 if (!X509_set_issuer_name(new_cert, X509_get_subject_name(cert))) {
3361 php_openssl_store_errors();
3362 goto cleanup;
3363 }
3364 X509_gmtime_adj(X509_getm_notBefore(new_cert), 0);
3365 X509_gmtime_adj(X509_getm_notAfter(new_cert), 60*60*24*num_days);
3366 i = X509_set_pubkey(new_cert, key);
3367 if (!i) {
3368 php_openssl_store_errors();
3369 goto cleanup;
3370 }
3371 if (req.extensions_section) {
3372 X509V3_CTX ctx;
3373
3374 X509V3_set_ctx(&ctx, cert, new_cert, csr, NULL, 0);
3375 X509V3_set_nconf(&ctx, req.req_config);
3376 if (!X509V3_EXT_add_nconf(req.req_config, &ctx, req.extensions_section, new_cert)) {
3377 php_openssl_store_errors();
3378 goto cleanup;
3379 }
3380 }
3381
3382 /* Now sign it */
3383 if (!X509_sign(new_cert, priv_key, req.digest)) {
3384 php_openssl_store_errors();
3385 php_error_docref(NULL, E_WARNING, "Failed to sign it");
3386 goto cleanup;
3387 }
3388
3389 object_init_ex(return_value, php_openssl_certificate_ce);
3390 cert_object = Z_OPENSSL_CERTIFICATE_P(return_value);
3391 cert_object->x509 = new_cert;
3392 new_cert_used = true;
3393
3394 cleanup:
3395
3396 if (!new_cert_used && new_cert) {
3397 X509_free(new_cert);
3398 }
3399
3400 PHP_SSL_REQ_DISPOSE(&req);
3401 EVP_PKEY_free(priv_key);
3402 EVP_PKEY_free(key);
3403 if (csr_str) {
3404 X509_REQ_free(csr);
3405 }
3406 if (cert_str && cert && cert != new_cert) {
3407 X509_free(cert);
3408 }
3409 }
3410 /* }}} */
3411
3412 /* {{{ Generates a privkey and CSR */
PHP_FUNCTION(openssl_csr_new)3413 PHP_FUNCTION(openssl_csr_new)
3414 {
3415 struct php_x509_request req;
3416 php_openssl_request_object *x509_request_obj;
3417 zval *args = NULL, *dn, *attribs = NULL;
3418 zval *out_pkey;
3419 X509_REQ *csr = NULL;
3420
3421 if (zend_parse_parameters(ZEND_NUM_ARGS(), "az|a!a!", &dn, &out_pkey, &args, &attribs) == FAILURE) {
3422 RETURN_THROWS();
3423 }
3424 RETVAL_FALSE;
3425
3426 PHP_SSL_REQ_INIT(&req);
3427
3428 if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) {
3429 int we_made_the_key = 0;
3430 zval *out_pkey_val = out_pkey;
3431 ZVAL_DEREF(out_pkey_val);
3432
3433 /* Generate or use a private key */
3434 if (Z_TYPE_P(out_pkey_val) != IS_NULL) {
3435 req.priv_key = php_openssl_pkey_from_zval(out_pkey_val, 0, NULL, 0, 2);
3436 }
3437 if (req.priv_key == NULL) {
3438 php_openssl_generate_private_key(&req);
3439 we_made_the_key = 1;
3440 }
3441 if (req.priv_key == NULL) {
3442 php_error_docref(NULL, E_WARNING, "Unable to generate a private key");
3443 } else {
3444 csr = X509_REQ_new();
3445 if (csr) {
3446 if (php_openssl_csr_make(&req, csr, dn, attribs) == SUCCESS) {
3447 X509V3_CTX ext_ctx;
3448
3449 X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, 0);
3450 X509V3_set_nconf(&ext_ctx, req.req_config);
3451
3452 /* Add extensions */
3453 if (req.request_extensions_section && !X509V3_EXT_REQ_add_nconf(req.req_config,
3454 &ext_ctx, req.request_extensions_section, csr))
3455 {
3456 php_openssl_store_errors();
3457 php_error_docref(NULL, E_WARNING, "Error loading extension section %s", req.request_extensions_section);
3458 } else {
3459 RETVAL_TRUE;
3460
3461 if (X509_REQ_sign(csr, req.priv_key, req.digest)) {
3462 object_init_ex(return_value, php_openssl_request_ce);
3463 x509_request_obj = Z_OPENSSL_REQUEST_P(return_value);
3464 x509_request_obj->csr = csr;
3465 csr = NULL;
3466 } else {
3467 php_openssl_store_errors();
3468 php_error_docref(NULL, E_WARNING, "Error signing request");
3469 }
3470
3471 if (we_made_the_key) {
3472 /* and an object for the private key */
3473 zval zkey_object;
3474 php_openssl_pkey_object_init(
3475 &zkey_object, req.priv_key, /* is_private */ true);
3476 ZEND_TRY_ASSIGN_REF_TMP(out_pkey, &zkey_object);
3477 req.priv_key = NULL; /* make sure the cleanup code doesn't zap it! */
3478 }
3479 }
3480 }
3481 } else {
3482 php_openssl_store_errors();
3483 }
3484
3485 }
3486 }
3487 if (csr) {
3488 X509_REQ_free(csr);
3489 }
3490 PHP_SSL_REQ_DISPOSE(&req);
3491 }
3492 /* }}} */
3493
3494 /* {{{ Returns the subject of a CERT or FALSE on error */
PHP_FUNCTION(openssl_csr_get_subject)3495 PHP_FUNCTION(openssl_csr_get_subject)
3496 {
3497 X509_REQ *csr;
3498 zend_object *csr_obj;
3499 zend_string *csr_str;
3500 bool use_shortnames = 1;
3501 X509_NAME *subject;
3502
3503 ZEND_PARSE_PARAMETERS_START(1, 2)
3504 Z_PARAM_OBJ_OF_CLASS_OR_STR(csr_obj, php_openssl_request_ce, csr_str)
3505 Z_PARAM_OPTIONAL
3506 Z_PARAM_BOOL(use_shortnames)
3507 ZEND_PARSE_PARAMETERS_END();
3508
3509 csr = php_openssl_csr_from_param(csr_obj, csr_str, 1);
3510 if (csr == NULL) {
3511 RETURN_FALSE;
3512 }
3513
3514 subject = X509_REQ_get_subject_name(csr);
3515
3516 array_init(return_value);
3517 php_openssl_add_assoc_name_entry(return_value, NULL, subject, use_shortnames);
3518
3519 if (csr_str) {
3520 X509_REQ_free(csr);
3521 }
3522 }
3523 /* }}} */
3524
php_openssl_extract_public_key(EVP_PKEY * priv_key)3525 static EVP_PKEY *php_openssl_extract_public_key(EVP_PKEY *priv_key)
3526 {
3527 /* Extract public key portion by round-tripping through PEM. */
3528 BIO *bio = BIO_new(BIO_s_mem());
3529 if (!bio || !PEM_write_bio_PUBKEY(bio, priv_key)) {
3530 BIO_free(bio);
3531 return NULL;
3532 }
3533
3534 EVP_PKEY *pub_key = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
3535 BIO_free(bio);
3536 return pub_key;
3537 }
3538
3539 /* {{{ Returns the subject of a CERT or FALSE on error */
PHP_FUNCTION(openssl_csr_get_public_key)3540 PHP_FUNCTION(openssl_csr_get_public_key)
3541 {
3542 zend_object *csr_obj;
3543 zend_string *csr_str;
3544 bool use_shortnames = 1;
3545
3546 ZEND_PARSE_PARAMETERS_START(1, 2)
3547 Z_PARAM_OBJ_OF_CLASS_OR_STR(csr_obj, php_openssl_request_ce, csr_str)
3548 Z_PARAM_OPTIONAL
3549 Z_PARAM_BOOL(use_shortnames)
3550 ZEND_PARSE_PARAMETERS_END();
3551
3552 X509_REQ *csr = php_openssl_csr_from_param(csr_obj, csr_str, 1);
3553 if (csr == NULL) {
3554 RETURN_FALSE;
3555 }
3556
3557 /* Retrieve the public key from the CSR */
3558 EVP_PKEY *orig_key = X509_REQ_get_pubkey(csr);
3559 EVP_PKEY *tpubkey = php_openssl_extract_public_key(orig_key);
3560 EVP_PKEY_free(orig_key);
3561
3562 if (csr_str) {
3563 /* We need to free the original CSR if it was freshly created */
3564 X509_REQ_free(csr);
3565 }
3566
3567 if (tpubkey == NULL) {
3568 php_openssl_store_errors();
3569 RETURN_FALSE;
3570 }
3571
3572 php_openssl_pkey_object_init(return_value, tpubkey, /* is_private */ false);
3573 }
3574 /* }}} */
3575
3576 /* }}} */
3577
3578 /* {{{ EVP Public/Private key functions */
3579
3580 struct php_openssl_pem_password {
3581 char *key;
3582 int len;
3583 };
3584
3585 /* {{{ php_openssl_pem_password_cb */
php_openssl_pem_password_cb(char * buf,int size,int rwflag,void * userdata)3586 static int php_openssl_pem_password_cb(char *buf, int size, int rwflag, void *userdata)
3587 {
3588 struct php_openssl_pem_password *password = userdata;
3589
3590 if (password == NULL || password->key == NULL) {
3591 return -1;
3592 }
3593
3594 size = (password->len > size) ? size : password->len;
3595 memcpy(buf, password->key, size);
3596
3597 return size;
3598 }
3599 /* }}} */
3600
php_openssl_pkey_from_zval(zval * val,int public_key,char * passphrase,size_t passphrase_len,uint32_t arg_num)3601 static EVP_PKEY *php_openssl_pkey_from_zval(
3602 zval *val, int public_key, char *passphrase, size_t passphrase_len, uint32_t arg_num)
3603 {
3604 EVP_PKEY *key = NULL;
3605 X509 *cert = NULL;
3606 bool free_cert = false, is_file = false;
3607 char file_path[MAXPATHLEN];
3608 zval tmp;
3609
3610 ZVAL_NULL(&tmp);
3611
3612 #define TMP_CLEAN \
3613 if (Z_TYPE(tmp) == IS_STRING) {\
3614 zval_ptr_dtor_str(&tmp); \
3615 } \
3616 return NULL;
3617
3618 if (Z_TYPE_P(val) == IS_ARRAY) {
3619 zval * zphrase;
3620
3621 /* get passphrase */
3622
3623 if ((zphrase = zend_hash_index_find(Z_ARRVAL_P(val), 1)) == NULL) {
3624 zend_value_error("Key array must be of the form array(0 => key, 1 => phrase)");
3625 return NULL;
3626 }
3627
3628 if (Z_TYPE_P(zphrase) == IS_STRING) {
3629 passphrase = Z_STRVAL_P(zphrase);
3630 passphrase_len = Z_STRLEN_P(zphrase);
3631 } else {
3632 ZVAL_COPY(&tmp, zphrase);
3633 if (!try_convert_to_string(&tmp)) {
3634 zval_ptr_dtor(&tmp);
3635 return NULL;
3636 }
3637
3638 passphrase = Z_STRVAL(tmp);
3639 passphrase_len = Z_STRLEN(tmp);
3640 }
3641
3642 /* now set val to be the key param and continue */
3643 if ((val = zend_hash_index_find(Z_ARRVAL_P(val), 0)) == NULL) {
3644 zend_value_error("Key array must be of the form array(0 => key, 1 => phrase)");
3645 TMP_CLEAN;
3646 }
3647 }
3648
3649 if (Z_TYPE_P(val) == IS_OBJECT && Z_OBJCE_P(val) == php_openssl_pkey_ce) {
3650 php_openssl_pkey_object *obj = php_openssl_pkey_from_obj(Z_OBJ_P(val));
3651 key = obj->pkey;
3652 bool is_priv = obj->is_private;
3653
3654 /* check whether it is actually a private key if requested */
3655 if (!public_key && !is_priv) {
3656 php_error_docref(NULL, E_WARNING, "Supplied key param is a public key");
3657 TMP_CLEAN;
3658 }
3659
3660 if (public_key && is_priv) {
3661 php_error_docref(NULL, E_WARNING, "Don't know how to get public key from this private key");
3662 TMP_CLEAN;
3663 } else {
3664 if (Z_TYPE(tmp) == IS_STRING) {
3665 zval_ptr_dtor_str(&tmp);
3666 }
3667
3668 EVP_PKEY_up_ref(key);
3669 return key;
3670 }
3671 } else if (Z_TYPE_P(val) == IS_OBJECT && Z_OBJCE_P(val) == php_openssl_certificate_ce) {
3672 cert = php_openssl_certificate_from_obj(Z_OBJ_P(val))->x509;
3673 } else {
3674 /* force it to be a string and check if it refers to a file */
3675 /* passing non string values leaks, object uses toString, it returns NULL
3676 * See bug38255.phpt
3677 */
3678 if (!(Z_TYPE_P(val) == IS_STRING || Z_TYPE_P(val) == IS_OBJECT)) {
3679 TMP_CLEAN;
3680 }
3681 zend_string *val_str = zval_try_get_string(val);
3682 if (!val_str) {
3683 TMP_CLEAN;
3684 }
3685
3686 if (ZSTR_LEN(val_str) > 7 && memcmp(ZSTR_VAL(val_str), "file://", sizeof("file://") - 1) == 0) {
3687 if (!php_openssl_check_path_str(val_str, file_path, arg_num)) {
3688 zend_string_release_ex(val_str, false);
3689 TMP_CLEAN;
3690 }
3691 is_file = true;
3692 }
3693 /* it's an X509 file/cert of some kind, and we need to extract the data from that */
3694 if (public_key) {
3695 php_openssl_errors_set_mark();
3696 cert = php_openssl_x509_from_str(val_str, arg_num, false, NULL);
3697
3698 if (cert) {
3699 free_cert = 1;
3700 } else {
3701 /* not a X509 certificate, try to retrieve public key */
3702 php_openssl_errors_restore_mark();
3703 BIO* in;
3704 if (is_file) {
3705 in = BIO_new_file(file_path, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
3706 } else {
3707 in = BIO_new_mem_buf(ZSTR_VAL(val_str), (int)ZSTR_LEN(val_str));
3708 }
3709 if (in == NULL) {
3710 php_openssl_store_errors();
3711 zend_string_release_ex(val_str, false);
3712 TMP_CLEAN;
3713 }
3714 key = PEM_read_bio_PUBKEY(in, NULL,NULL, NULL);
3715 BIO_free(in);
3716 }
3717 } else {
3718 /* we want the private key */
3719 BIO *in;
3720
3721 if (is_file) {
3722 in = BIO_new_file(file_path, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
3723 } else {
3724 in = BIO_new_mem_buf(ZSTR_VAL(val_str), (int)ZSTR_LEN(val_str));
3725 }
3726
3727 if (in == NULL) {
3728 zend_string_release_ex(val_str, false);
3729 TMP_CLEAN;
3730 }
3731 if (passphrase == NULL) {
3732 key = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
3733 } else {
3734 struct php_openssl_pem_password password;
3735 password.key = passphrase;
3736 password.len = passphrase_len;
3737 key = PEM_read_bio_PrivateKey(in, NULL, php_openssl_pem_password_cb, &password);
3738 }
3739 BIO_free(in);
3740 }
3741
3742 zend_string_release_ex(val_str, false);
3743 }
3744
3745 if (key == NULL) {
3746 php_openssl_store_errors();
3747
3748 if (public_key && cert) {
3749 /* extract public key from X509 cert */
3750 key = (EVP_PKEY *) X509_get_pubkey(cert);
3751 if (key == NULL) {
3752 php_openssl_store_errors();
3753 }
3754 }
3755 }
3756
3757 if (free_cert) {
3758 X509_free(cert);
3759 }
3760
3761 if (Z_TYPE(tmp) == IS_STRING) {
3762 zval_ptr_dtor_str(&tmp);
3763 }
3764
3765 return key;
3766 }
3767
php_openssl_get_evp_pkey_type(int key_type)3768 static int php_openssl_get_evp_pkey_type(int key_type) {
3769 switch (key_type) {
3770 case OPENSSL_KEYTYPE_RSA:
3771 return EVP_PKEY_RSA;
3772 #if !defined(OPENSSL_NO_DSA)
3773 case OPENSSL_KEYTYPE_DSA:
3774 return EVP_PKEY_DSA;
3775 #endif
3776 #if !defined(NO_DH)
3777 case OPENSSL_KEYTYPE_DH:
3778 return EVP_PKEY_DH;
3779 #endif
3780 #ifdef HAVE_EVP_PKEY_EC
3781 case OPENSSL_KEYTYPE_EC:
3782 return EVP_PKEY_EC;
3783 #endif
3784 #if PHP_OPENSSL_API_VERSION >= 0x30000
3785 case OPENSSL_KEYTYPE_X25519:
3786 return EVP_PKEY_X25519;
3787 case OPENSSL_KEYTYPE_ED25519:
3788 return EVP_PKEY_ED25519;
3789 case OPENSSL_KEYTYPE_X448:
3790 return EVP_PKEY_X448;
3791 case OPENSSL_KEYTYPE_ED448:
3792 return EVP_PKEY_ED448;
3793 #endif
3794 default:
3795 return -1;
3796 }
3797 }
3798
3799 /* {{{ php_openssl_generate_private_key */
php_openssl_generate_private_key(struct php_x509_request * req)3800 static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req)
3801 {
3802 if (req->priv_key_bits < MIN_KEY_LENGTH) {
3803 php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d",
3804 MIN_KEY_LENGTH, req->priv_key_bits);
3805 return NULL;
3806 }
3807
3808 int type = php_openssl_get_evp_pkey_type(req->priv_key_type);
3809 if (type < 0) {
3810 php_error_docref(NULL, E_WARNING, "Unsupported private key type");
3811 return NULL;
3812 }
3813
3814 int egdsocket, seeded;
3815 char *randfile = php_openssl_conf_get_string(req->req_config, req->section_name, "RANDFILE");
3816 php_openssl_load_rand_file(randfile, &egdsocket, &seeded);
3817 PHP_OPENSSL_RAND_ADD_TIME();
3818
3819 EVP_PKEY *key = NULL;
3820 EVP_PKEY *params = NULL;
3821 EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(type, NULL);
3822 if (!ctx) {
3823 php_openssl_store_errors();
3824 goto cleanup;
3825 }
3826
3827 if (type != EVP_PKEY_RSA) {
3828 if (EVP_PKEY_paramgen_init(ctx) <= 0) {
3829 php_openssl_store_errors();
3830 goto cleanup;
3831 }
3832
3833 switch (type) {
3834 #if !defined(OPENSSL_NO_DSA)
3835 case EVP_PKEY_DSA:
3836 if (EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, req->priv_key_bits) <= 0) {
3837 php_openssl_store_errors();
3838 goto cleanup;
3839 }
3840 break;
3841 #endif
3842 #if !defined(NO_DH)
3843 case EVP_PKEY_DH:
3844 if (EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, req->priv_key_bits) <= 0) {
3845 php_openssl_store_errors();
3846 goto cleanup;
3847 }
3848 break;
3849 #endif
3850 #ifdef HAVE_EVP_PKEY_EC
3851 case EVP_PKEY_EC:
3852 if (req->curve_name == NID_undef) {
3853 php_error_docref(NULL, E_WARNING, "Missing configuration value: \"curve_name\" not set");
3854 goto cleanup;
3855 }
3856
3857 if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, req->curve_name) <= 0 ||
3858 EVP_PKEY_CTX_set_ec_param_enc(ctx, OPENSSL_EC_NAMED_CURVE) <= 0) {
3859 php_openssl_store_errors();
3860 goto cleanup;
3861 }
3862 break;
3863 #endif
3864 #if PHP_OPENSSL_API_VERSION >= 0x30000
3865 case EVP_PKEY_X25519:
3866 break;
3867 case EVP_PKEY_ED25519:
3868 break;
3869 case EVP_PKEY_X448:
3870 break;
3871 case EVP_PKEY_ED448:
3872 break;
3873 #endif
3874 EMPTY_SWITCH_DEFAULT_CASE()
3875 }
3876
3877 if (EVP_PKEY_paramgen(ctx, ¶ms) <= 0) {
3878 php_openssl_store_errors();
3879 goto cleanup;
3880 }
3881
3882 EVP_PKEY_CTX_free(ctx);
3883 ctx = EVP_PKEY_CTX_new(params, NULL);
3884 if (!ctx) {
3885 php_openssl_store_errors();
3886 goto cleanup;
3887 }
3888 }
3889
3890 if (EVP_PKEY_keygen_init(ctx) <= 0) {
3891 php_openssl_store_errors();
3892 goto cleanup;
3893 }
3894
3895 if (type == EVP_PKEY_RSA && EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, req->priv_key_bits) <= 0) {
3896 php_openssl_store_errors();
3897 goto cleanup;
3898 }
3899
3900 if (EVP_PKEY_keygen(ctx, &key) <= 0) {
3901 php_openssl_store_errors();
3902 goto cleanup;
3903 }
3904
3905 req->priv_key = key;
3906
3907 cleanup:
3908 php_openssl_write_rand_file(randfile, egdsocket, seeded);
3909 EVP_PKEY_free(params);
3910 EVP_PKEY_CTX_free(ctx);
3911 return key;
3912 }
3913 /* }}} */
3914
php_openssl_add_bn_to_array(zval * ary,const BIGNUM * bn,const char * name)3915 static void php_openssl_add_bn_to_array(zval *ary, const BIGNUM *bn, const char *name) {
3916 if (bn != NULL) {
3917 int len = BN_num_bytes(bn);
3918 zend_string *str = zend_string_alloc(len, 0);
3919 BN_bn2bin(bn, (unsigned char *)ZSTR_VAL(str));
3920 ZSTR_VAL(str)[len] = 0;
3921 add_assoc_str(ary, name, str);
3922 }
3923 }
3924
3925 #define OPENSSL_PKEY_GET_BN(_type, _name) php_openssl_add_bn_to_array(&_type, _name, #_name)
3926
3927 #define OPENSSL_PKEY_SET_BN(_data, _name) do { \
3928 zval *bn; \
3929 if ((bn = zend_hash_str_find(Z_ARRVAL_P(_data), #_name, sizeof(#_name)-1)) != NULL && \
3930 Z_TYPE_P(bn) == IS_STRING) { \
3931 _name = BN_bin2bn( \
3932 (unsigned char*)Z_STRVAL_P(bn), \
3933 (int)Z_STRLEN_P(bn), NULL); \
3934 } else { \
3935 _name = NULL; \
3936 } \
3937 } while (0);
3938
3939 #if PHP_OPENSSL_API_VERSION < 0x30000
php_openssl_pkey_init_legacy_rsa(RSA * rsa,zval * data)3940 static bool php_openssl_pkey_init_legacy_rsa(RSA *rsa, zval *data)
3941 {
3942 BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
3943
3944 OPENSSL_PKEY_SET_BN(data, n);
3945 OPENSSL_PKEY_SET_BN(data, e);
3946 OPENSSL_PKEY_SET_BN(data, d);
3947 if (!n || !d || !RSA_set0_key(rsa, n, e, d)) {
3948 return 0;
3949 }
3950
3951 OPENSSL_PKEY_SET_BN(data, p);
3952 OPENSSL_PKEY_SET_BN(data, q);
3953 if ((p || q) && !RSA_set0_factors(rsa, p, q)) {
3954 return 0;
3955 }
3956
3957 OPENSSL_PKEY_SET_BN(data, dmp1);
3958 OPENSSL_PKEY_SET_BN(data, dmq1);
3959 OPENSSL_PKEY_SET_BN(data, iqmp);
3960 if ((dmp1 || dmq1 || iqmp) && !RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp)) {
3961 return 0;
3962 }
3963
3964 return 1;
3965 }
3966 #endif
3967
php_openssl_pkey_init_rsa(zval * data)3968 static EVP_PKEY *php_openssl_pkey_init_rsa(zval *data)
3969 {
3970 #if PHP_OPENSSL_API_VERSION >= 0x30000
3971 BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL;
3972 BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
3973 EVP_PKEY *pkey = NULL;
3974 EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
3975 OSSL_PARAM *params = NULL;
3976 OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
3977
3978 OPENSSL_PKEY_SET_BN(data, n);
3979 OPENSSL_PKEY_SET_BN(data, e);
3980 OPENSSL_PKEY_SET_BN(data, d);
3981 OPENSSL_PKEY_SET_BN(data, p);
3982 OPENSSL_PKEY_SET_BN(data, q);
3983 OPENSSL_PKEY_SET_BN(data, dmp1);
3984 OPENSSL_PKEY_SET_BN(data, dmq1);
3985 OPENSSL_PKEY_SET_BN(data, iqmp);
3986
3987 if (!ctx || !bld || !n || !d) {
3988 goto cleanup;
3989 }
3990
3991 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n);
3992 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d);
3993 if (e) {
3994 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e);
3995 }
3996 if (p) {
3997 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR1, p);
3998 }
3999 if (q) {
4000 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR2, q);
4001 }
4002 if (dmp1) {
4003 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1);
4004 }
4005 if (dmq1) {
4006 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1);
4007 }
4008 if (iqmp) {
4009 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp);
4010 }
4011
4012 params = OSSL_PARAM_BLD_to_param(bld);
4013 if (!params) {
4014 goto cleanup;
4015 }
4016
4017 if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
4018 EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) {
4019 goto cleanup;
4020 }
4021
4022 cleanup:
4023 php_openssl_store_errors();
4024 EVP_PKEY_CTX_free(ctx);
4025 OSSL_PARAM_free(params);
4026 OSSL_PARAM_BLD_free(bld);
4027 BN_free(n);
4028 BN_free(e);
4029 BN_free(d);
4030 BN_free(p);
4031 BN_free(q);
4032 BN_free(dmp1);
4033 BN_free(dmq1);
4034 BN_free(iqmp);
4035 return pkey;
4036 #else
4037 EVP_PKEY *pkey = EVP_PKEY_new();
4038 if (!pkey) {
4039 php_openssl_store_errors();
4040 return NULL;
4041 }
4042
4043 RSA *rsa = RSA_new();
4044 if (!rsa) {
4045 php_openssl_store_errors();
4046 EVP_PKEY_free(pkey);
4047 return NULL;
4048 }
4049
4050 if (!php_openssl_pkey_init_legacy_rsa(rsa, data)
4051 || !EVP_PKEY_assign_RSA(pkey, rsa)) {
4052 php_openssl_store_errors();
4053 EVP_PKEY_free(pkey);
4054 RSA_free(rsa);
4055 return NULL;
4056 }
4057
4058 return pkey;
4059 #endif
4060 }
4061
4062 #if PHP_OPENSSL_API_VERSION < 0x30000
php_openssl_pkey_init_legacy_dsa(DSA * dsa,zval * data,bool * is_private)4063 static bool php_openssl_pkey_init_legacy_dsa(DSA *dsa, zval *data, bool *is_private)
4064 {
4065 BIGNUM *p, *q, *g, *priv_key, *pub_key;
4066 const BIGNUM *priv_key_const, *pub_key_const;
4067
4068 OPENSSL_PKEY_SET_BN(data, p);
4069 OPENSSL_PKEY_SET_BN(data, q);
4070 OPENSSL_PKEY_SET_BN(data, g);
4071 if (!p || !q || !g || !DSA_set0_pqg(dsa, p, q, g)) {
4072 return 0;
4073 }
4074
4075 OPENSSL_PKEY_SET_BN(data, pub_key);
4076 OPENSSL_PKEY_SET_BN(data, priv_key);
4077 *is_private = priv_key != NULL;
4078 if (pub_key) {
4079 return DSA_set0_key(dsa, pub_key, priv_key);
4080 }
4081
4082 /* generate key */
4083 PHP_OPENSSL_RAND_ADD_TIME();
4084 if (!DSA_generate_key(dsa)) {
4085 php_openssl_store_errors();
4086 return 0;
4087 }
4088
4089 /* if BN_mod_exp return -1, then DSA_generate_key succeed for failed key
4090 * so we need to double check that public key is created */
4091 DSA_get0_key(dsa, &pub_key_const, &priv_key_const);
4092 if (!pub_key_const || BN_is_zero(pub_key_const)) {
4093 return 0;
4094 }
4095 /* all good */
4096 *is_private = true;
4097 return 1;
4098 }
4099 #endif
4100
php_openssl_pkey_init_dsa(zval * data,bool * is_private)4101 static EVP_PKEY *php_openssl_pkey_init_dsa(zval *data, bool *is_private)
4102 {
4103 #if PHP_OPENSSL_API_VERSION >= 0x30000
4104 BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv_key = NULL, *pub_key = NULL;
4105 EVP_PKEY *param_key = NULL, *pkey = NULL;
4106 EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, NULL);
4107 OSSL_PARAM *params = NULL;
4108 OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
4109
4110 OPENSSL_PKEY_SET_BN(data, p);
4111 OPENSSL_PKEY_SET_BN(data, q);
4112 OPENSSL_PKEY_SET_BN(data, g);
4113 OPENSSL_PKEY_SET_BN(data, priv_key);
4114 OPENSSL_PKEY_SET_BN(data, pub_key);
4115
4116 *is_private = false;
4117
4118 if (!ctx || !bld || !p || !q || !g) {
4119 goto cleanup;
4120 }
4121
4122 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p);
4123 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q);
4124 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g);
4125 // TODO: We silently ignore priv_key if pub_key is not given, unlike in the DH case.
4126 if (pub_key) {
4127 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key);
4128 if (priv_key) {
4129 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key);
4130 }
4131 }
4132
4133 params = OSSL_PARAM_BLD_to_param(bld);
4134 if (!params) {
4135 goto cleanup;
4136 }
4137
4138 if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
4139 EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) {
4140 goto cleanup;
4141 }
4142
4143 if (pub_key) {
4144 *is_private = priv_key != NULL;
4145 EVP_PKEY_up_ref(param_key);
4146 pkey = param_key;
4147 } else {
4148 *is_private = true;
4149 PHP_OPENSSL_RAND_ADD_TIME();
4150 EVP_PKEY_CTX_free(ctx);
4151 ctx = EVP_PKEY_CTX_new(param_key, NULL);
4152 if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) {
4153 goto cleanup;
4154 }
4155 }
4156
4157 cleanup:
4158 php_openssl_store_errors();
4159 EVP_PKEY_free(param_key);
4160 EVP_PKEY_CTX_free(ctx);
4161 OSSL_PARAM_free(params);
4162 OSSL_PARAM_BLD_free(bld);
4163 BN_free(p);
4164 BN_free(q);
4165 BN_free(g);
4166 BN_free(priv_key);
4167 BN_free(pub_key);
4168 return pkey;
4169 #else
4170 EVP_PKEY *pkey = EVP_PKEY_new();
4171 if (!pkey) {
4172 php_openssl_store_errors();
4173 return NULL;
4174 }
4175
4176 DSA *dsa = DSA_new();
4177 if (!dsa) {
4178 php_openssl_store_errors();
4179 EVP_PKEY_free(pkey);
4180 return NULL;
4181 }
4182
4183 if (!php_openssl_pkey_init_legacy_dsa(dsa, data, is_private)
4184 || !EVP_PKEY_assign_DSA(pkey, dsa)) {
4185 php_openssl_store_errors();
4186 EVP_PKEY_free(pkey);
4187 DSA_free(dsa);
4188 return NULL;
4189 }
4190
4191 return pkey;
4192 #endif
4193 }
4194
4195 /* {{{ php_openssl_dh_pub_from_priv */
php_openssl_dh_pub_from_priv(BIGNUM * priv_key,BIGNUM * g,BIGNUM * p)4196 static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM *p)
4197 {
4198 BIGNUM *pub_key, *priv_key_const_time;
4199 BN_CTX *ctx;
4200
4201 pub_key = BN_new();
4202 if (pub_key == NULL) {
4203 php_openssl_store_errors();
4204 return NULL;
4205 }
4206
4207 priv_key_const_time = BN_new();
4208 if (priv_key_const_time == NULL) {
4209 BN_free(pub_key);
4210 php_openssl_store_errors();
4211 return NULL;
4212 }
4213 ctx = BN_CTX_new();
4214 if (ctx == NULL) {
4215 BN_free(pub_key);
4216 BN_free(priv_key_const_time);
4217 php_openssl_store_errors();
4218 return NULL;
4219 }
4220
4221 BN_with_flags(priv_key_const_time, priv_key, BN_FLG_CONSTTIME);
4222
4223 if (!BN_mod_exp_mont(pub_key, g, priv_key_const_time, p, ctx, NULL)) {
4224 BN_free(pub_key);
4225 php_openssl_store_errors();
4226 pub_key = NULL;
4227 }
4228
4229 BN_free(priv_key_const_time);
4230 BN_CTX_free(ctx);
4231
4232 return pub_key;
4233 }
4234 /* }}} */
4235
4236 #if PHP_OPENSSL_API_VERSION < 0x30000
php_openssl_pkey_init_legacy_dh(DH * dh,zval * data,bool * is_private)4237 static bool php_openssl_pkey_init_legacy_dh(DH *dh, zval *data, bool *is_private)
4238 {
4239 BIGNUM *p, *q, *g, *priv_key, *pub_key;
4240
4241 OPENSSL_PKEY_SET_BN(data, p);
4242 OPENSSL_PKEY_SET_BN(data, q);
4243 OPENSSL_PKEY_SET_BN(data, g);
4244 if (!p || !g || !DH_set0_pqg(dh, p, q, g)) {
4245 return 0;
4246 }
4247
4248 OPENSSL_PKEY_SET_BN(data, priv_key);
4249 OPENSSL_PKEY_SET_BN(data, pub_key);
4250 *is_private = priv_key != NULL;
4251 if (pub_key) {
4252 return DH_set0_key(dh, pub_key, priv_key);
4253 }
4254 if (priv_key) {
4255 pub_key = php_openssl_dh_pub_from_priv(priv_key, g, p);
4256 if (pub_key == NULL) {
4257 return 0;
4258 }
4259 return DH_set0_key(dh, pub_key, priv_key);
4260 }
4261
4262 /* generate key */
4263 PHP_OPENSSL_RAND_ADD_TIME();
4264 if (!DH_generate_key(dh)) {
4265 php_openssl_store_errors();
4266 return 0;
4267 }
4268 /* all good */
4269 *is_private = true;
4270 return 1;
4271 }
4272 #endif
4273
php_openssl_pkey_init_dh(zval * data,bool * is_private)4274 static EVP_PKEY *php_openssl_pkey_init_dh(zval *data, bool *is_private)
4275 {
4276 #if PHP_OPENSSL_API_VERSION >= 0x30000
4277 BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv_key = NULL, *pub_key = NULL;
4278 EVP_PKEY *param_key = NULL, *pkey = NULL;
4279 EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
4280 OSSL_PARAM *params = NULL;
4281 OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
4282
4283 OPENSSL_PKEY_SET_BN(data, p);
4284 OPENSSL_PKEY_SET_BN(data, q);
4285 OPENSSL_PKEY_SET_BN(data, g);
4286 OPENSSL_PKEY_SET_BN(data, priv_key);
4287 OPENSSL_PKEY_SET_BN(data, pub_key);
4288
4289 *is_private = false;
4290
4291 if (!ctx || !bld || !p || !g) {
4292 goto cleanup;
4293 }
4294
4295 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p);
4296 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g);
4297 if (q) {
4298 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q);
4299 }
4300 if (priv_key) {
4301 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key);
4302 if (!pub_key) {
4303 pub_key = php_openssl_dh_pub_from_priv(priv_key, g, p);
4304 if (!pub_key) {
4305 goto cleanup;
4306 }
4307 }
4308 }
4309 if (pub_key) {
4310 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key);
4311 }
4312
4313 params = OSSL_PARAM_BLD_to_param(bld);
4314 if (!params) {
4315 goto cleanup;
4316 }
4317
4318 if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
4319 EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) {
4320 goto cleanup;
4321 }
4322
4323 if (pub_key || priv_key) {
4324 *is_private = priv_key != NULL;
4325 EVP_PKEY_up_ref(param_key);
4326 pkey = param_key;
4327 } else {
4328 *is_private = true;
4329 PHP_OPENSSL_RAND_ADD_TIME();
4330 EVP_PKEY_CTX_free(ctx);
4331 ctx = EVP_PKEY_CTX_new(param_key, NULL);
4332 if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) {
4333 goto cleanup;
4334 }
4335 }
4336
4337 cleanup:
4338 php_openssl_store_errors();
4339 EVP_PKEY_free(param_key);
4340 EVP_PKEY_CTX_free(ctx);
4341 OSSL_PARAM_free(params);
4342 OSSL_PARAM_BLD_free(bld);
4343 BN_free(p);
4344 BN_free(q);
4345 BN_free(g);
4346 BN_free(priv_key);
4347 BN_free(pub_key);
4348 return pkey;
4349 #else
4350 EVP_PKEY *pkey = EVP_PKEY_new();
4351 if (!pkey) {
4352 php_openssl_store_errors();
4353 return NULL;
4354 }
4355
4356 DH *dh = DH_new();
4357 if (!dh) {
4358 EVP_PKEY_free(pkey);
4359 return NULL;
4360 }
4361
4362 if (!php_openssl_pkey_init_legacy_dh(dh, data, is_private)
4363 || !EVP_PKEY_assign_DH(pkey, dh)) {
4364 php_openssl_store_errors();
4365 EVP_PKEY_free(pkey);
4366 DH_free(dh);
4367 return NULL;
4368 }
4369
4370 return pkey;
4371 #endif
4372 }
4373
4374 #ifdef HAVE_EVP_PKEY_EC
4375 #if PHP_OPENSSL_API_VERSION < 0x30000
php_openssl_pkey_init_legacy_ec(EC_KEY * eckey,zval * data,bool * is_private)4376 static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_private) {
4377 BIGNUM *p = NULL, *a = NULL, *b = NULL, *order = NULL, *g_x = NULL, *g_y = NULL , *cofactor = NULL;
4378 BIGNUM *x = NULL, *y = NULL, *d = NULL;
4379 EC_POINT *point_g = NULL;
4380 EC_POINT *point_q = NULL;
4381 EC_GROUP *group = NULL;
4382 BN_CTX *bctx = BN_CTX_new();
4383
4384 *is_private = false;
4385
4386 zval *curve_name_zv = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1);
4387 if (curve_name_zv && Z_TYPE_P(curve_name_zv) == IS_STRING && Z_STRLEN_P(curve_name_zv) > 0) {
4388 int nid = OBJ_sn2nid(Z_STRVAL_P(curve_name_zv));
4389 if (nid == NID_undef) {
4390 php_error_docref(NULL, E_WARNING, "Unknown elliptic curve (short) name %s", Z_STRVAL_P(curve_name_zv));
4391 goto clean_exit;
4392 }
4393
4394 if (!(group = EC_GROUP_new_by_curve_name(nid))) {
4395 goto clean_exit;
4396 }
4397 EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
4398 } else {
4399 OPENSSL_PKEY_SET_BN(data, p);
4400 OPENSSL_PKEY_SET_BN(data, a);
4401 OPENSSL_PKEY_SET_BN(data, b);
4402 OPENSSL_PKEY_SET_BN(data, order);
4403
4404 if (!(p && a && b && order)) {
4405 if (!p && !a && !b && !order) {
4406 php_error_docref(NULL, E_WARNING, "Missing params: curve_name");
4407 } else {
4408 php_error_docref(
4409 NULL, E_WARNING, "Missing params: curve_name or p, a, b, order");
4410 }
4411 goto clean_exit;
4412 }
4413
4414 if (!(group = EC_GROUP_new_curve_GFp(p, a, b, bctx))) {
4415 goto clean_exit;
4416 }
4417
4418 if (!(point_g = EC_POINT_new(group))) {
4419 goto clean_exit;
4420 }
4421
4422 zval *generator_zv = zend_hash_str_find(Z_ARRVAL_P(data), "generator", sizeof("generator") - 1);
4423 if (generator_zv && Z_TYPE_P(generator_zv) == IS_STRING && Z_STRLEN_P(generator_zv) > 0) {
4424 if (!(EC_POINT_oct2point(group, point_g, (unsigned char *)Z_STRVAL_P(generator_zv), Z_STRLEN_P(generator_zv), bctx))) {
4425 goto clean_exit;
4426 }
4427 } else {
4428 OPENSSL_PKEY_SET_BN(data, g_x);
4429 OPENSSL_PKEY_SET_BN(data, g_y);
4430
4431 if (!g_x || !g_y) {
4432 php_error_docref(
4433 NULL, E_WARNING, "Missing params: generator or g_x and g_y");
4434 goto clean_exit;
4435 }
4436
4437 if (!EC_POINT_set_affine_coordinates_GFp(group, point_g, g_x, g_y, bctx)) {
4438 goto clean_exit;
4439 }
4440 }
4441
4442 zval *seed_zv = zend_hash_str_find(Z_ARRVAL_P(data), "seed", sizeof("seed") - 1);
4443 if (seed_zv && Z_TYPE_P(seed_zv) == IS_STRING && Z_STRLEN_P(seed_zv) > 0) {
4444 if (!EC_GROUP_set_seed(group, (unsigned char *)Z_STRVAL_P(seed_zv), Z_STRLEN_P(seed_zv))) {
4445 goto clean_exit;
4446 }
4447 }
4448
4449 /*
4450 * OpenSSL uses 0 cofactor as a marker for "unknown cofactor".
4451 * So accept cofactor == NULL or cofactor >= 0.
4452 * Internally, the lib will check the cofactor value.
4453 */
4454 OPENSSL_PKEY_SET_BN(data, cofactor);
4455 if (!EC_GROUP_set_generator(group, point_g, order, cofactor)) {
4456 goto clean_exit;
4457 }
4458 EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
4459 }
4460
4461 EC_GROUP_set_point_conversion_form(group, POINT_CONVERSION_UNCOMPRESSED);
4462
4463 if (!EC_KEY_set_group(eckey, group)) {
4464 goto clean_exit;
4465 }
4466
4467 OPENSSL_PKEY_SET_BN(data, d);
4468 OPENSSL_PKEY_SET_BN(data, x);
4469 OPENSSL_PKEY_SET_BN(data, y);
4470
4471 if (d) {
4472 *is_private = true;
4473 if (!EC_KEY_set_private_key(eckey, d)) {
4474 goto clean_exit;
4475 }
4476
4477 point_q = EC_POINT_new(group);
4478 if (!point_q || !EC_POINT_mul(group, point_q, d, NULL, NULL, bctx)) {
4479 goto clean_exit;
4480 }
4481 } else if (x && y) {
4482 /* OpenSSL does not allow setting EC_PUB_X/EC_PUB_Y, so convert to encoded format. */
4483 point_q = EC_POINT_new(group);
4484 if (!point_q || !EC_POINT_set_affine_coordinates_GFp(group, point_q, x, y, bctx)) {
4485 goto clean_exit;
4486 }
4487 }
4488
4489 if (point_q != NULL) {
4490 if (!EC_KEY_set_public_key(eckey, point_q)) {
4491 goto clean_exit;
4492 }
4493 }
4494
4495 if (!EC_KEY_check_key(eckey)) {
4496 *is_private = true;
4497 PHP_OPENSSL_RAND_ADD_TIME();
4498 EC_KEY_generate_key(eckey);
4499 }
4500
4501 clean_exit:
4502 php_openssl_store_errors();
4503 BN_CTX_free(bctx);
4504 EC_GROUP_free(group);
4505 EC_POINT_free(point_g);
4506 EC_POINT_free(point_q);
4507 BN_free(p);
4508 BN_free(a);
4509 BN_free(b);
4510 BN_free(order);
4511 BN_free(g_x);
4512 BN_free(g_y);
4513 BN_free(cofactor);
4514 BN_free(d);
4515 BN_free(x);
4516 BN_free(y);
4517 return EC_KEY_check_key(eckey);
4518 }
4519 #endif
4520
php_openssl_pkey_init_ec(zval * data,bool * is_private)4521 static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) {
4522 #if PHP_OPENSSL_API_VERSION >= 0x30000
4523 int nid = NID_undef;
4524 BIGNUM *p = NULL, *a = NULL, *b = NULL, *order = NULL, *g_x = NULL, *g_y = NULL, *cofactor = NULL;
4525 BIGNUM *x = NULL, *y = NULL, *d = NULL;
4526 EC_POINT *point_g = NULL;
4527 EC_POINT *point_q = NULL;
4528 unsigned char *point_g_buf = NULL;
4529 unsigned char *point_q_buf = NULL;
4530 EC_GROUP *group = NULL;
4531 EVP_PKEY *param_key = NULL, *pkey = NULL;
4532 EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
4533 BN_CTX *bctx = BN_CTX_new();
4534 OSSL_PARAM *params = NULL;
4535 OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
4536
4537 *is_private = false;
4538
4539 if (!ctx || !bld || !bctx) {
4540 goto cleanup;
4541 }
4542
4543 zval *curve_name_zv = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1);
4544 if (curve_name_zv && Z_TYPE_P(curve_name_zv) == IS_STRING && Z_STRLEN_P(curve_name_zv) > 0) {
4545 nid = OBJ_sn2nid(Z_STRVAL_P(curve_name_zv));
4546 if (nid == NID_undef) {
4547 php_error_docref(NULL, E_WARNING, "Unknown elliptic curve (short) name %s", Z_STRVAL_P(curve_name_zv));
4548 goto cleanup;
4549 }
4550
4551 if (!(group = EC_GROUP_new_by_curve_name(nid))) {
4552 goto cleanup;
4553 }
4554
4555 if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME, Z_STRVAL_P(curve_name_zv), Z_STRLEN_P(curve_name_zv))) {
4556 goto cleanup;
4557 }
4558 } else {
4559 OPENSSL_PKEY_SET_BN(data, p);
4560 OPENSSL_PKEY_SET_BN(data, a);
4561 OPENSSL_PKEY_SET_BN(data, b);
4562 OPENSSL_PKEY_SET_BN(data, order);
4563
4564 if (!(p && a && b && order)) {
4565 if (!p && !a && !b && !order) {
4566 php_error_docref(NULL, E_WARNING, "Missing params: curve_name");
4567 } else {
4568 php_error_docref(NULL, E_WARNING, "Missing params: curve_name or p, a, b, order");
4569 }
4570 goto cleanup;
4571 }
4572
4573 if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_P, p) ||
4574 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_A, a) ||
4575 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_B, b) ||
4576 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_ORDER, order) ||
4577 !OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_EC_FIELD_TYPE, SN_X9_62_prime_field, 0)) {
4578 goto cleanup;
4579 }
4580
4581 if (!(group = EC_GROUP_new_curve_GFp(p, a, b, bctx))) {
4582 goto cleanup;
4583 }
4584
4585 if (!(point_g = EC_POINT_new(group))) {
4586 goto cleanup;
4587 }
4588
4589 zval *generator_zv = zend_hash_str_find(Z_ARRVAL_P(data), "generator", sizeof("generator") - 1);
4590 if (generator_zv && Z_TYPE_P(generator_zv) == IS_STRING && Z_STRLEN_P(generator_zv) > 0) {
4591 if (!EC_POINT_oct2point(group, point_g, (unsigned char *)Z_STRVAL_P(generator_zv), Z_STRLEN_P(generator_zv), bctx) ||
4592 !OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_EC_GENERATOR, Z_STRVAL_P(generator_zv), Z_STRLEN_P(generator_zv))) {
4593 goto cleanup;
4594 }
4595 } else {
4596 OPENSSL_PKEY_SET_BN(data, g_x);
4597 OPENSSL_PKEY_SET_BN(data, g_y);
4598
4599 if (!g_x || !g_y) {
4600 php_error_docref(
4601 NULL, E_WARNING, "Missing params: generator or g_x and g_y");
4602 goto cleanup;
4603 }
4604
4605 if (!EC_POINT_set_affine_coordinates(group, point_g, g_x, g_y, bctx)) {
4606 goto cleanup;
4607 }
4608
4609 size_t point_g_buf_len =
4610 EC_POINT_point2buf(group, point_g, POINT_CONVERSION_COMPRESSED, &point_g_buf, bctx);
4611 if (!point_g_buf_len) {
4612 goto cleanup;
4613 }
4614
4615 if (!OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_EC_GENERATOR, point_g_buf, point_g_buf_len)) {
4616 goto cleanup;
4617 }
4618 }
4619
4620 zval *seed_zv = zend_hash_str_find(Z_ARRVAL_P(data), "seed", sizeof("seed") - 1);
4621 if (seed_zv && Z_TYPE_P(seed_zv) == IS_STRING && Z_STRLEN_P(seed_zv) > 0) {
4622 if (!EC_GROUP_set_seed(group, (unsigned char *)Z_STRVAL_P(seed_zv), Z_STRLEN_P(seed_zv)) ||
4623 !OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_EC_SEED, Z_STRVAL_P(seed_zv), Z_STRLEN_P(seed_zv))) {
4624 goto cleanup;
4625 }
4626 }
4627
4628 OPENSSL_PKEY_SET_BN(data, cofactor);
4629 if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_COFACTOR, cofactor) ||
4630 !EC_GROUP_set_generator(group, point_g, order, cofactor)) {
4631 goto cleanup;
4632 }
4633
4634 nid = EC_GROUP_check_named_curve(group, 0, bctx);
4635 }
4636
4637 /* custom params not supported with SM2, SKIP */
4638 if (nid != NID_sm2) {
4639 OPENSSL_PKEY_SET_BN(data, d);
4640 OPENSSL_PKEY_SET_BN(data, x);
4641 OPENSSL_PKEY_SET_BN(data, y);
4642
4643 if (d) {
4644 point_q = EC_POINT_new(group);
4645 if (!point_q || !EC_POINT_mul(group, point_q, d, NULL, NULL, bctx) ||
4646 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, d)) {
4647 goto cleanup;
4648 }
4649 } else if (x && y) {
4650 /* OpenSSL does not allow setting EC_PUB_X/EC_PUB_Y, so convert to encoded format. */
4651 point_q = EC_POINT_new(group);
4652 if (!point_q || !EC_POINT_set_affine_coordinates(group, point_q, x, y, bctx)) {
4653 goto cleanup;
4654 }
4655 }
4656
4657 if (point_q) {
4658 size_t point_q_buf_len =
4659 EC_POINT_point2buf(group, point_q, POINT_CONVERSION_COMPRESSED, &point_q_buf, bctx);
4660 if (!point_q_buf_len ||
4661 !OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, point_q_buf, point_q_buf_len)) {
4662 goto cleanup;
4663 }
4664 }
4665 }
4666
4667 params = OSSL_PARAM_BLD_to_param(bld);
4668 if (!params) {
4669 goto cleanup;
4670 }
4671
4672 if (d || (x && y)) {
4673 if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
4674 EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) {
4675 goto cleanup;
4676 }
4677 EVP_PKEY_CTX_free(ctx);
4678 ctx = EVP_PKEY_CTX_new(param_key, NULL);
4679 }
4680
4681 if (EVP_PKEY_check(ctx) || EVP_PKEY_public_check_quick(ctx)) {
4682 *is_private = d != NULL;
4683 EVP_PKEY_up_ref(param_key);
4684 pkey = param_key;
4685 } else {
4686 *is_private = true;
4687 PHP_OPENSSL_RAND_ADD_TIME();
4688 if (EVP_PKEY_keygen_init(ctx) != 1 ||
4689 EVP_PKEY_CTX_set_params(ctx, params) != 1 ||
4690 EVP_PKEY_generate(ctx, &pkey) != 1) {
4691 goto cleanup;
4692 }
4693 }
4694
4695 cleanup:
4696 php_openssl_store_errors();
4697 EVP_PKEY_free(param_key);
4698 EVP_PKEY_CTX_free(ctx);
4699 BN_CTX_free(bctx);
4700 OSSL_PARAM_free(params);
4701 OSSL_PARAM_BLD_free(bld);
4702 EC_GROUP_free(group);
4703 EC_POINT_free(point_g);
4704 EC_POINT_free(point_q);
4705 OPENSSL_free(point_g_buf);
4706 OPENSSL_free(point_q_buf);
4707 BN_free(p);
4708 BN_free(a);
4709 BN_free(b);
4710 BN_free(order);
4711 BN_free(g_x);
4712 BN_free(g_y);
4713 BN_free(cofactor);
4714 BN_free(d);
4715 BN_free(x);
4716 BN_free(y);
4717 return pkey;
4718 #else
4719 EVP_PKEY *pkey = EVP_PKEY_new();
4720 if (!pkey) {
4721 php_openssl_store_errors();
4722 return NULL;
4723 }
4724
4725 EC_KEY *ec = EC_KEY_new();
4726 if (!ec) {
4727 EVP_PKEY_free(pkey);
4728 return NULL;
4729 }
4730
4731 if (!php_openssl_pkey_init_legacy_ec(ec, data, is_private)
4732 || !EVP_PKEY_assign_EC_KEY(pkey, ec)) {
4733 php_openssl_store_errors();
4734 EVP_PKEY_free(pkey);
4735 EC_KEY_free(ec);
4736 return NULL;
4737 }
4738
4739 return pkey;
4740 #endif
4741 }
4742 #endif
4743
4744 #if PHP_OPENSSL_API_VERSION >= 0x30000
php_openssl_pkey_object_curve_25519_448(zval * return_value,int key_type,zval * data)4745 static void php_openssl_pkey_object_curve_25519_448(zval *return_value, int key_type, zval *data) {
4746 EVP_PKEY *pkey = NULL;
4747 EVP_PKEY_CTX *ctx = NULL;
4748 OSSL_PARAM *params = NULL;
4749 OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
4750 bool is_private;
4751
4752 RETVAL_FALSE;
4753
4754 if (!bld) {
4755 goto cleanup;
4756 }
4757
4758 zval *priv_key = zend_hash_str_find(Z_ARRVAL_P(data), "priv_key", sizeof("priv_key") - 1);
4759 if (priv_key && Z_TYPE_P(priv_key) == IS_STRING && Z_STRLEN_P(priv_key) > 0) {
4760 if (!OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PRIV_KEY, Z_STRVAL_P(priv_key), Z_STRLEN_P(priv_key))) {
4761 goto cleanup;
4762 }
4763 }
4764
4765 zval *pub_key = zend_hash_str_find(Z_ARRVAL_P(data), "pub_key", sizeof("pub_key") - 1);
4766 if (pub_key && Z_TYPE_P(pub_key) == IS_STRING && Z_STRLEN_P(pub_key) > 0) {
4767 if (!OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, Z_STRVAL_P(pub_key), Z_STRLEN_P(pub_key))) {
4768 goto cleanup;
4769 }
4770 }
4771
4772 params = OSSL_PARAM_BLD_to_param(bld);
4773 ctx = EVP_PKEY_CTX_new_id(key_type, NULL);
4774 if (!params || !ctx) {
4775 goto cleanup;
4776 }
4777
4778 if (pub_key || priv_key) {
4779 if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
4780 EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) {
4781 goto cleanup;
4782 }
4783 is_private = priv_key != NULL;
4784 } else {
4785 is_private = true;
4786 PHP_OPENSSL_RAND_ADD_TIME();
4787 if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) {
4788 goto cleanup;
4789 }
4790 }
4791
4792 if (pkey) {
4793 php_openssl_pkey_object_init(return_value, pkey, is_private);
4794 }
4795
4796 cleanup:
4797 php_openssl_store_errors();
4798 EVP_PKEY_CTX_free(ctx);
4799 OSSL_PARAM_free(params);
4800 OSSL_PARAM_BLD_free(bld);
4801 }
4802 #endif
4803
4804 /* {{{ Generates a new private key */
PHP_FUNCTION(openssl_pkey_new)4805 PHP_FUNCTION(openssl_pkey_new)
4806 {
4807 struct php_x509_request req;
4808 zval * args = NULL;
4809 zval *data;
4810
4811 if (zend_parse_parameters(ZEND_NUM_ARGS(), "|a!", &args) == FAILURE) {
4812 RETURN_THROWS();
4813 }
4814 RETVAL_FALSE;
4815
4816 if (args && Z_TYPE_P(args) == IS_ARRAY) {
4817 EVP_PKEY *pkey;
4818
4819 if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "rsa", sizeof("rsa")-1)) != NULL &&
4820 Z_TYPE_P(data) == IS_ARRAY) {
4821 pkey = php_openssl_pkey_init_rsa(data);
4822 if (!pkey) {
4823 RETURN_FALSE;
4824 }
4825 php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true);
4826 return;
4827 } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dsa", sizeof("dsa") - 1)) != NULL &&
4828 Z_TYPE_P(data) == IS_ARRAY) {
4829 bool is_private;
4830 pkey = php_openssl_pkey_init_dsa(data, &is_private);
4831 if (!pkey) {
4832 RETURN_FALSE;
4833 }
4834 php_openssl_pkey_object_init(return_value, pkey, is_private);
4835 return;
4836 } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dh", sizeof("dh") - 1)) != NULL &&
4837 Z_TYPE_P(data) == IS_ARRAY) {
4838 bool is_private;
4839 pkey = php_openssl_pkey_init_dh(data, &is_private);
4840 if (!pkey) {
4841 RETURN_FALSE;
4842 }
4843 php_openssl_pkey_object_init(return_value, pkey, is_private);
4844 return;
4845 #ifdef HAVE_EVP_PKEY_EC
4846 } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "ec", sizeof("ec") - 1)) != NULL &&
4847 Z_TYPE_P(data) == IS_ARRAY) {
4848 bool is_private;
4849 pkey = php_openssl_pkey_init_ec(data, &is_private);
4850 if (!pkey) {
4851 RETURN_FALSE;
4852 }
4853 php_openssl_pkey_object_init(return_value, pkey, is_private);
4854 return;
4855 #endif
4856 #if PHP_OPENSSL_API_VERSION >= 0x30000
4857 } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "x25519", sizeof("x25519") - 1)) != NULL &&
4858 Z_TYPE_P(data) == IS_ARRAY) {
4859 php_openssl_pkey_object_curve_25519_448(return_value, EVP_PKEY_X25519, data);
4860 return;
4861 } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "ed25519", sizeof("ed25519") - 1)) != NULL &&
4862 Z_TYPE_P(data) == IS_ARRAY) {
4863 php_openssl_pkey_object_curve_25519_448(return_value, EVP_PKEY_ED25519, data);
4864 return;
4865 } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "x448", sizeof("x448") - 1)) != NULL &&
4866 Z_TYPE_P(data) == IS_ARRAY) {
4867 php_openssl_pkey_object_curve_25519_448(return_value, EVP_PKEY_X448, data);
4868 return;
4869 } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "ed448", sizeof("ed448") - 1)) != NULL &&
4870 Z_TYPE_P(data) == IS_ARRAY) {
4871 php_openssl_pkey_object_curve_25519_448(return_value, EVP_PKEY_ED448, data);
4872 return;
4873 #endif
4874 }
4875 }
4876
4877 PHP_SSL_REQ_INIT(&req);
4878
4879 if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) {
4880 if (php_openssl_generate_private_key(&req)) {
4881 /* pass back a key resource */
4882 php_openssl_pkey_object_init(return_value, req.priv_key, /* is_private */ true);
4883 /* make sure the cleanup code doesn't zap it! */
4884 req.priv_key = NULL;
4885 }
4886 }
4887 PHP_SSL_REQ_DISPOSE(&req);
4888 }
4889 /* }}} */
4890
4891 /* {{{ Gets an exportable representation of a key into a file */
PHP_FUNCTION(openssl_pkey_export_to_file)4892 PHP_FUNCTION(openssl_pkey_export_to_file)
4893 {
4894 struct php_x509_request req;
4895 zval * zpkey, * args = NULL;
4896 char * passphrase = NULL;
4897 size_t passphrase_len = 0;
4898 char * filename = NULL, file_path[MAXPATHLEN];
4899 size_t filename_len = 0;
4900 int pem_write = 0;
4901 EVP_PKEY * key;
4902 BIO * bio_out = NULL;
4903 const EVP_CIPHER * cipher;
4904
4905 if (zend_parse_parameters(ZEND_NUM_ARGS(), "zp|s!a!", &zpkey, &filename, &filename_len, &passphrase, &passphrase_len, &args) == FAILURE) {
4906 RETURN_THROWS();
4907 }
4908 RETVAL_FALSE;
4909
4910 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(passphrase_len, passphrase, 3);
4911
4912 key = php_openssl_pkey_from_zval(zpkey, 0, passphrase, passphrase_len, 1);
4913 if (key == NULL) {
4914 if (!EG(exception)) {
4915 php_error_docref(NULL, E_WARNING, "Cannot get key from parameter 1");
4916 }
4917 RETURN_FALSE;
4918 }
4919
4920 if (!php_openssl_check_path(filename, filename_len, file_path, 2)) {
4921 goto clean_exit_key;
4922 }
4923
4924 PHP_SSL_REQ_INIT(&req);
4925
4926 if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) {
4927 bio_out = BIO_new_file(file_path, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY));
4928 if (bio_out == NULL) {
4929 php_openssl_store_errors();
4930 goto clean_exit;
4931 }
4932
4933 if (passphrase && req.priv_key_encrypt) {
4934 if (req.priv_key_encrypt_cipher) {
4935 cipher = req.priv_key_encrypt_cipher;
4936 } else {
4937 cipher = (EVP_CIPHER *) EVP_des_ede3_cbc();
4938 }
4939 } else {
4940 cipher = NULL;
4941 }
4942
4943 pem_write = PEM_write_bio_PrivateKey(
4944 bio_out, key, cipher,
4945 (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL);
4946 if (pem_write) {
4947 /* Success!
4948 * If returning the output as a string, do so now */
4949 RETVAL_TRUE;
4950 } else {
4951 php_openssl_store_errors();
4952 }
4953 }
4954
4955 clean_exit:
4956 PHP_SSL_REQ_DISPOSE(&req);
4957 BIO_free(bio_out);
4958 clean_exit_key:
4959 EVP_PKEY_free(key);
4960 }
4961 /* }}} */
4962
4963 /* {{{ Gets an exportable representation of a key into a string or file */
PHP_FUNCTION(openssl_pkey_export)4964 PHP_FUNCTION(openssl_pkey_export)
4965 {
4966 struct php_x509_request req;
4967 zval * zpkey, * args = NULL, *out;
4968 char * passphrase = NULL; size_t passphrase_len = 0;
4969 int pem_write = 0;
4970 EVP_PKEY * key;
4971 BIO * bio_out = NULL;
4972 const EVP_CIPHER * cipher;
4973
4974 if (zend_parse_parameters(ZEND_NUM_ARGS(), "zz|s!a!", &zpkey, &out, &passphrase, &passphrase_len, &args) == FAILURE) {
4975 RETURN_THROWS();
4976 }
4977 RETVAL_FALSE;
4978
4979 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(passphrase_len, passphrase, 3);
4980
4981 key = php_openssl_pkey_from_zval(zpkey, 0, passphrase, passphrase_len, 1);
4982 if (key == NULL) {
4983 if (!EG(exception)) {
4984 php_error_docref(NULL, E_WARNING, "Cannot get key from parameter 1");
4985 }
4986 RETURN_FALSE;
4987 }
4988
4989 PHP_SSL_REQ_INIT(&req);
4990
4991 if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) {
4992 bio_out = BIO_new(BIO_s_mem());
4993
4994 if (passphrase && req.priv_key_encrypt) {
4995 if (req.priv_key_encrypt_cipher) {
4996 cipher = req.priv_key_encrypt_cipher;
4997 } else {
4998 cipher = (EVP_CIPHER *) EVP_des_ede3_cbc();
4999 }
5000 } else {
5001 cipher = NULL;
5002 }
5003
5004 pem_write = PEM_write_bio_PrivateKey(
5005 bio_out, key, cipher,
5006 (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL);
5007 if (pem_write) {
5008 /* Success!
5009 * If returning the output as a string, do so now */
5010
5011 char * bio_mem_ptr;
5012 long bio_mem_len;
5013 RETVAL_TRUE;
5014
5015 bio_mem_len = BIO_get_mem_data(bio_out, &bio_mem_ptr);
5016 ZEND_TRY_ASSIGN_REF_STRINGL(out, bio_mem_ptr, bio_mem_len);
5017 } else {
5018 php_openssl_store_errors();
5019 }
5020 }
5021 PHP_SSL_REQ_DISPOSE(&req);
5022 EVP_PKEY_free(key);
5023 BIO_free(bio_out);
5024 }
5025 /* }}} */
5026
5027 /* {{{ Gets public key from X.509 certificate */
PHP_FUNCTION(openssl_pkey_get_public)5028 PHP_FUNCTION(openssl_pkey_get_public)
5029 {
5030 zval *cert;
5031 EVP_PKEY *pkey;
5032
5033 if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &cert) == FAILURE) {
5034 RETURN_THROWS();
5035 }
5036 pkey = php_openssl_pkey_from_zval(cert, 1, NULL, 0, 1);
5037 if (pkey == NULL) {
5038 RETURN_FALSE;
5039 }
5040
5041 php_openssl_pkey_object_init(return_value, pkey, /* is_private */ false);
5042 }
5043 /* }}} */
5044
5045 /* {{{ Frees a key */
PHP_FUNCTION(openssl_pkey_free)5046 PHP_FUNCTION(openssl_pkey_free)
5047 {
5048 zval *key;
5049
5050 if (zend_parse_parameters(ZEND_NUM_ARGS(), "O", &key, php_openssl_pkey_ce) == FAILURE) {
5051 RETURN_THROWS();
5052 }
5053 }
5054 /* }}} */
5055
5056 /* {{{ Gets private keys */
PHP_FUNCTION(openssl_pkey_get_private)5057 PHP_FUNCTION(openssl_pkey_get_private)
5058 {
5059 zval *cert;
5060 EVP_PKEY *pkey;
5061 char * passphrase = "";
5062 size_t passphrase_len = sizeof("")-1;
5063
5064 if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|s!", &cert, &passphrase, &passphrase_len) == FAILURE) {
5065 RETURN_THROWS();
5066 }
5067
5068 if (passphrase) {
5069 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(passphrase_len, passphrase, 2);
5070 }
5071
5072 pkey = php_openssl_pkey_from_zval(cert, 0, passphrase, passphrase_len, 1);
5073 if (pkey == NULL) {
5074 RETURN_FALSE;
5075 }
5076
5077 php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true);
5078 }
5079
5080 /* }}} */
5081
5082 #if PHP_OPENSSL_API_VERSION >= 0x30000
php_openssl_copy_bn_param(zval * ary,EVP_PKEY * pkey,const char * param,const char * name)5083 static void php_openssl_copy_bn_param(
5084 zval *ary, EVP_PKEY *pkey, const char *param, const char *name) {
5085 BIGNUM *bn = NULL;
5086 if (EVP_PKEY_get_bn_param(pkey, param, &bn) > 0) {
5087 php_openssl_add_bn_to_array(ary, bn, name);
5088 BN_free(bn);
5089 }
5090 }
5091
5092 #ifdef HAVE_EVP_PKEY_EC
php_openssl_get_utf8_param(EVP_PKEY * pkey,const char * param,const char * name)5093 static zend_string *php_openssl_get_utf8_param(
5094 EVP_PKEY *pkey, const char *param, const char *name) {
5095 char buf[64];
5096 size_t len;
5097 if (EVP_PKEY_get_utf8_string_param(pkey, param, buf, sizeof(buf), &len) > 0) {
5098 zend_string *str = zend_string_alloc(len, 0);
5099 memcpy(ZSTR_VAL(str), buf, len);
5100 ZSTR_VAL(str)[len] = '\0';
5101 return str;
5102 }
5103 return NULL;
5104 }
5105 #endif
5106
php_openssl_copy_octet_string_param(zval * ary,EVP_PKEY * pkey,const char * param,const char * name)5107 static void php_openssl_copy_octet_string_param(
5108 zval *ary, EVP_PKEY *pkey, const char *param, const char *name) {
5109 unsigned char buf[64];
5110 size_t len;
5111 if (EVP_PKEY_get_octet_string_param(pkey, param, buf, sizeof(buf), &len) > 0) {
5112 zend_string *str = zend_string_alloc(len, 0);
5113 memcpy(ZSTR_VAL(str), buf, len);
5114 ZSTR_VAL(str)[len] = '\0';
5115 add_assoc_str(ary, name, str);
5116 }
5117 }
5118
php_openssl_copy_curve_25519_448_params(zval * return_value,const char * assoc_name,EVP_PKEY * pkey)5119 static void php_openssl_copy_curve_25519_448_params(
5120 zval *return_value, const char *assoc_name, EVP_PKEY *pkey) {
5121 zval ary;
5122 array_init(&ary);
5123 add_assoc_zval(return_value, assoc_name, &ary);
5124 php_openssl_copy_octet_string_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "priv_key");
5125 php_openssl_copy_octet_string_param(&ary, pkey, OSSL_PKEY_PARAM_PUB_KEY, "pub_key");
5126 }
5127 #endif
5128
5129 /* {{{ returns an array with the key details (bits, pkey, type)*/
PHP_FUNCTION(openssl_pkey_get_details)5130 PHP_FUNCTION(openssl_pkey_get_details)
5131 {
5132 zval *key;
5133 unsigned int pbio_len;
5134 char *pbio;
5135 zend_long ktype;
5136
5137 if (zend_parse_parameters(ZEND_NUM_ARGS(), "O", &key, php_openssl_pkey_ce) == FAILURE) {
5138 RETURN_THROWS();
5139 }
5140
5141 EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey;
5142
5143 BIO *out = BIO_new(BIO_s_mem());
5144 if (!PEM_write_bio_PUBKEY(out, pkey)) {
5145 BIO_free(out);
5146 php_openssl_store_errors();
5147 RETURN_FALSE;
5148 }
5149 pbio_len = BIO_get_mem_data(out, &pbio);
5150
5151 array_init(return_value);
5152 add_assoc_long(return_value, "bits", EVP_PKEY_bits(pkey));
5153 add_assoc_stringl(return_value, "key", pbio, pbio_len);
5154 /*TODO: Use the real values once the openssl constants are used
5155 * See the enum at the top of this file
5156 */
5157 #if PHP_OPENSSL_API_VERSION >= 0x30000
5158 zval ary;
5159 int base_id = 0;
5160
5161 if (EVP_PKEY_id(pkey) != EVP_PKEY_KEYMGMT) {
5162 base_id = EVP_PKEY_base_id(pkey);
5163 } else {
5164 const char *type_name = EVP_PKEY_get0_type_name(pkey);
5165 if (type_name) {
5166 int nid = OBJ_txt2nid(type_name);
5167 if (nid != NID_undef) {
5168 base_id = EVP_PKEY_type(nid);
5169 }
5170 }
5171 }
5172
5173 switch (base_id) {
5174 case EVP_PKEY_RSA:
5175 ktype = OPENSSL_KEYTYPE_RSA;
5176 array_init(&ary);
5177 add_assoc_zval(return_value, "rsa", &ary);
5178 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_N, "n");
5179 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_E, "e");
5180 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_D, "d");
5181 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, "p");
5182 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, "q");
5183 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, "dmp1");
5184 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, "dmq1");
5185 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, "iqmp");
5186 break;
5187 case EVP_PKEY_DSA:
5188 ktype = OPENSSL_KEYTYPE_DSA;
5189 array_init(&ary);
5190 add_assoc_zval(return_value, "dsa", &ary);
5191 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_P, "p");
5192 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_Q, "q");
5193 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_G, "g");
5194 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "priv_key");
5195 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PUB_KEY, "pub_key");
5196 break;
5197 case EVP_PKEY_DH:
5198 ktype = OPENSSL_KEYTYPE_DH;
5199 array_init(&ary);
5200 add_assoc_zval(return_value, "dh", &ary);
5201 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_P, "p");
5202 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_G, "g");
5203 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "priv_key");
5204 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PUB_KEY, "pub_key");
5205 break;
5206 #ifdef HAVE_EVP_PKEY_EC
5207 case EVP_PKEY_EC: {
5208 ktype = OPENSSL_KEYTYPE_EC;
5209 array_init(&ary);
5210 add_assoc_zval(return_value, "ec", &ary);
5211
5212 zend_string *curve_name = php_openssl_get_utf8_param(
5213 pkey, OSSL_PKEY_PARAM_GROUP_NAME, "curve_name");
5214 if (curve_name) {
5215 add_assoc_str(&ary, "curve_name", curve_name);
5216
5217 int nid = OBJ_sn2nid(ZSTR_VAL(curve_name));
5218 if (nid != NID_undef) {
5219 ASN1_OBJECT *obj = OBJ_nid2obj(nid);
5220 if (obj) {
5221 // OpenSSL recommends a buffer length of 80.
5222 char oir_buf[80];
5223 int oir_len = OBJ_obj2txt(oir_buf, sizeof(oir_buf), obj, 1);
5224 add_assoc_stringl(&ary, "curve_oid", oir_buf, oir_len);
5225 ASN1_OBJECT_free(obj);
5226 }
5227 }
5228 }
5229
5230 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_EC_PUB_X, "x");
5231 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_EC_PUB_Y, "y");
5232 php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "d");
5233 break;
5234 }
5235 #endif
5236 #if PHP_OPENSSL_API_VERSION >= 0x30000
5237 case EVP_PKEY_X25519: {
5238 ktype = OPENSSL_KEYTYPE_X25519;
5239 php_openssl_copy_curve_25519_448_params(return_value, "x25519", pkey);
5240 break;
5241 }
5242 case EVP_PKEY_ED25519: {
5243 ktype = OPENSSL_KEYTYPE_ED25519;
5244 php_openssl_copy_curve_25519_448_params(return_value, "ed25519", pkey);
5245 break;
5246 }
5247 case EVP_PKEY_X448: {
5248 ktype = OPENSSL_KEYTYPE_X448;
5249 php_openssl_copy_curve_25519_448_params(return_value, "x448", pkey);
5250 break;
5251 }
5252 case EVP_PKEY_ED448: {
5253 ktype = OPENSSL_KEYTYPE_ED448;
5254 php_openssl_copy_curve_25519_448_params(return_value, "ed448", pkey);
5255 break;
5256 }
5257 #endif
5258 default:
5259 ktype = -1;
5260 break;
5261 }
5262 #else
5263 switch (EVP_PKEY_base_id(pkey)) {
5264 case EVP_PKEY_RSA:
5265 case EVP_PKEY_RSA2:
5266 {
5267 RSA *rsa = EVP_PKEY_get0_RSA(pkey);
5268 ktype = OPENSSL_KEYTYPE_RSA;
5269
5270 if (rsa != NULL) {
5271 zval z_rsa;
5272 const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
5273
5274 RSA_get0_key(rsa, &n, &e, &d);
5275 RSA_get0_factors(rsa, &p, &q);
5276 RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
5277
5278 array_init(&z_rsa);
5279 OPENSSL_PKEY_GET_BN(z_rsa, n);
5280 OPENSSL_PKEY_GET_BN(z_rsa, e);
5281 OPENSSL_PKEY_GET_BN(z_rsa, d);
5282 OPENSSL_PKEY_GET_BN(z_rsa, p);
5283 OPENSSL_PKEY_GET_BN(z_rsa, q);
5284 OPENSSL_PKEY_GET_BN(z_rsa, dmp1);
5285 OPENSSL_PKEY_GET_BN(z_rsa, dmq1);
5286 OPENSSL_PKEY_GET_BN(z_rsa, iqmp);
5287 add_assoc_zval(return_value, "rsa", &z_rsa);
5288 }
5289 }
5290 break;
5291 case EVP_PKEY_DSA:
5292 case EVP_PKEY_DSA2:
5293 case EVP_PKEY_DSA3:
5294 case EVP_PKEY_DSA4:
5295 {
5296 DSA *dsa = EVP_PKEY_get0_DSA(pkey);
5297 ktype = OPENSSL_KEYTYPE_DSA;
5298
5299 if (dsa != NULL) {
5300 zval z_dsa;
5301 const BIGNUM *p, *q, *g, *priv_key, *pub_key;
5302
5303 DSA_get0_pqg(dsa, &p, &q, &g);
5304 DSA_get0_key(dsa, &pub_key, &priv_key);
5305
5306 array_init(&z_dsa);
5307 OPENSSL_PKEY_GET_BN(z_dsa, p);
5308 OPENSSL_PKEY_GET_BN(z_dsa, q);
5309 OPENSSL_PKEY_GET_BN(z_dsa, g);
5310 OPENSSL_PKEY_GET_BN(z_dsa, priv_key);
5311 OPENSSL_PKEY_GET_BN(z_dsa, pub_key);
5312 add_assoc_zval(return_value, "dsa", &z_dsa);
5313 }
5314 }
5315 break;
5316 case EVP_PKEY_DH:
5317 {
5318 DH *dh = EVP_PKEY_get0_DH(pkey);
5319 ktype = OPENSSL_KEYTYPE_DH;
5320
5321 if (dh != NULL) {
5322 zval z_dh;
5323 const BIGNUM *p, *q, *g, *priv_key, *pub_key;
5324
5325 DH_get0_pqg(dh, &p, &q, &g);
5326 DH_get0_key(dh, &pub_key, &priv_key);
5327
5328 array_init(&z_dh);
5329 OPENSSL_PKEY_GET_BN(z_dh, p);
5330 OPENSSL_PKEY_GET_BN(z_dh, g);
5331 OPENSSL_PKEY_GET_BN(z_dh, priv_key);
5332 OPENSSL_PKEY_GET_BN(z_dh, pub_key);
5333 add_assoc_zval(return_value, "dh", &z_dh);
5334 }
5335 }
5336 break;
5337 #ifdef HAVE_EVP_PKEY_EC
5338 case EVP_PKEY_EC:
5339 ktype = OPENSSL_KEYTYPE_EC;
5340 if (EVP_PKEY_get0_EC_KEY(pkey) != NULL) {
5341 zval ec;
5342 const EC_GROUP *ec_group;
5343 const EC_POINT *pub;
5344 int nid;
5345 char *crv_sn;
5346 ASN1_OBJECT *obj;
5347 // openssl recommends a buffer length of 80
5348 char oir_buf[80];
5349 const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
5350 BIGNUM *x = BN_new();
5351 BIGNUM *y = BN_new();
5352 const BIGNUM *d;
5353
5354 ec_group = EC_KEY_get0_group(ec_key);
5355
5356 array_init(&ec);
5357
5358 /** Curve nid (numerical identifier) used for ASN1 mapping */
5359 nid = EC_GROUP_get_curve_name(ec_group);
5360 if (nid != NID_undef) {
5361 crv_sn = (char*) OBJ_nid2sn(nid);
5362 if (crv_sn != NULL) {
5363 add_assoc_string(&ec, "curve_name", crv_sn);
5364 }
5365
5366 obj = OBJ_nid2obj(nid);
5367 if (obj != NULL) {
5368 int oir_len = OBJ_obj2txt(oir_buf, sizeof(oir_buf), obj, 1);
5369 add_assoc_stringl(&ec, "curve_oid", (char*) oir_buf, oir_len);
5370 ASN1_OBJECT_free(obj);
5371 }
5372 }
5373
5374 pub = EC_KEY_get0_public_key(ec_key);
5375
5376 if (EC_POINT_get_affine_coordinates_GFp(ec_group, pub, x, y, NULL)) {
5377 php_openssl_add_bn_to_array(&ec, x, "x");
5378 php_openssl_add_bn_to_array(&ec, y, "y");
5379 } else {
5380 php_openssl_store_errors();
5381 }
5382
5383 if ((d = EC_KEY_get0_private_key(EVP_PKEY_get0_EC_KEY(pkey))) != NULL) {
5384 php_openssl_add_bn_to_array(&ec, d, "d");
5385 }
5386
5387 add_assoc_zval(return_value, "ec", &ec);
5388
5389 BN_free(x);
5390 BN_free(y);
5391 }
5392 break;
5393 #endif
5394 default:
5395 ktype = -1;
5396 break;
5397 }
5398 #endif
5399 add_assoc_long(return_value, "type", ktype);
5400
5401 BIO_free(out);
5402 }
5403 /* }}} */
5404
php_openssl_pkey_derive(EVP_PKEY * key,EVP_PKEY * peer_key,size_t key_size)5405 static zend_string *php_openssl_pkey_derive(EVP_PKEY *key, EVP_PKEY *peer_key, size_t key_size) {
5406 EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(key, NULL);
5407 if (!ctx) {
5408 return NULL;
5409 }
5410
5411 if (EVP_PKEY_derive_init(ctx) <= 0 ||
5412 EVP_PKEY_derive_set_peer(ctx, peer_key) <= 0 ||
5413 (key_size == 0 && EVP_PKEY_derive(ctx, NULL, &key_size) <= 0)) {
5414 php_openssl_store_errors();
5415 EVP_PKEY_CTX_free(ctx);
5416 return NULL;
5417 }
5418
5419 zend_string *result = zend_string_alloc(key_size, 0);
5420 if (EVP_PKEY_derive(ctx, (unsigned char *)ZSTR_VAL(result), &key_size) <= 0) {
5421 php_openssl_store_errors();
5422 zend_string_release_ex(result, 0);
5423 EVP_PKEY_CTX_free(ctx);
5424 return NULL;
5425 }
5426
5427 ZSTR_LEN(result) = key_size;
5428 ZSTR_VAL(result)[key_size] = 0;
5429 EVP_PKEY_CTX_free(ctx);
5430 return result;
5431 }
5432
php_openssl_dh_compute_key(EVP_PKEY * pkey,char * pub_str,size_t pub_len)5433 static zend_string *php_openssl_dh_compute_key(EVP_PKEY *pkey, char *pub_str, size_t pub_len) {
5434 #if PHP_OPENSSL_API_VERSION >= 0x30000
5435 EVP_PKEY *peer_key = EVP_PKEY_new();
5436 if (!peer_key || EVP_PKEY_copy_parameters(peer_key, pkey) <= 0 ||
5437 EVP_PKEY_set1_encoded_public_key(peer_key, (unsigned char *) pub_str, pub_len) <= 0) {
5438 php_openssl_store_errors();
5439 EVP_PKEY_free(peer_key);
5440 return NULL;
5441 }
5442
5443 zend_string *result = php_openssl_pkey_derive(pkey, peer_key, 0);
5444 EVP_PKEY_free(peer_key);
5445 return result;
5446 #else
5447 DH *dh = EVP_PKEY_get0_DH(pkey);
5448 if (dh == NULL) {
5449 return NULL;
5450 }
5451
5452 BIGNUM *pub = BN_bin2bn((unsigned char*)pub_str, (int)pub_len, NULL);
5453 zend_string *data = zend_string_alloc(DH_size(dh), 0);
5454 int len = DH_compute_key((unsigned char*)ZSTR_VAL(data), pub, dh);
5455 BN_free(pub);
5456
5457 if (len < 0) {
5458 php_openssl_store_errors();
5459 zend_string_release_ex(data, 0);
5460 return NULL;
5461 }
5462
5463 ZSTR_LEN(data) = len;
5464 ZSTR_VAL(data)[len] = 0;
5465 return data;
5466 #endif
5467 }
5468
5469 /* {{{ Computes shared secret for public value of remote DH key and local DH key */
PHP_FUNCTION(openssl_dh_compute_key)5470 PHP_FUNCTION(openssl_dh_compute_key)
5471 {
5472 zval *key;
5473 char *pub_str;
5474 size_t pub_len;
5475
5476 if (zend_parse_parameters(ZEND_NUM_ARGS(), "sO", &pub_str, &pub_len, &key, php_openssl_pkey_ce) == FAILURE) {
5477 RETURN_THROWS();
5478 }
5479
5480 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(pub_len, pub_key, 1);
5481
5482 EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey;
5483 if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) {
5484 RETURN_FALSE;
5485 }
5486
5487 zend_string *result = php_openssl_dh_compute_key(pkey, pub_str, pub_len);
5488 if (result) {
5489 RETURN_NEW_STR(result);
5490 } else {
5491 RETURN_FALSE;
5492 }
5493 }
5494 /* }}} */
5495
5496 /* {{{ Computes shared secret for public value of remote and local DH or ECDH key */
PHP_FUNCTION(openssl_pkey_derive)5497 PHP_FUNCTION(openssl_pkey_derive)
5498 {
5499 zval *priv_key;
5500 zval *peer_pub_key;
5501 zend_long key_len = 0;
5502
5503 if (zend_parse_parameters(ZEND_NUM_ARGS(), "zz|l", &peer_pub_key, &priv_key, &key_len) == FAILURE) {
5504 RETURN_THROWS();
5505 }
5506
5507 if (key_len < 0) {
5508 zend_argument_value_error(3, "must be greater than or equal to 0");
5509 RETURN_THROWS();
5510 }
5511
5512 EVP_PKEY *pkey = php_openssl_pkey_from_zval(priv_key, 0, "", 0, 2);
5513 if (!pkey) {
5514 RETURN_FALSE;
5515 }
5516
5517 EVP_PKEY *peer_key = php_openssl_pkey_from_zval(peer_pub_key, 1, NULL, 0, 1);
5518 if (!peer_key) {
5519 EVP_PKEY_free(pkey);
5520 RETURN_FALSE;
5521 }
5522
5523 zend_string *result = php_openssl_pkey_derive(pkey, peer_key, key_len);
5524 EVP_PKEY_free(pkey);
5525 EVP_PKEY_free(peer_key);
5526
5527 if (result) {
5528 RETURN_NEW_STR(result);
5529 } else {
5530 RETURN_FALSE;
5531 }
5532 }
5533 /* }}} */
5534
5535
5536 /* {{{ Generates a PKCS5 v2 PBKDF2 string, defaults to sha1 */
PHP_FUNCTION(openssl_pbkdf2)5537 PHP_FUNCTION(openssl_pbkdf2)
5538 {
5539 zend_long key_length = 0, iterations = 0;
5540 char *password;
5541 size_t password_len;
5542 char *salt;
5543 size_t salt_len;
5544 char *method;
5545 size_t method_len = 0;
5546 zend_string *out_buffer;
5547
5548 const EVP_MD *digest;
5549
5550 if (zend_parse_parameters(ZEND_NUM_ARGS(), "ssll|s",
5551 &password, &password_len,
5552 &salt, &salt_len,
5553 &key_length, &iterations,
5554 &method, &method_len) == FAILURE) {
5555 RETURN_THROWS();
5556 }
5557
5558 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(password_len, password, 1);
5559 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(salt_len, salt, 2);
5560 PHP_OPENSSL_CHECK_LONG_TO_INT(key_length, key, 3);
5561 PHP_OPENSSL_CHECK_LONG_TO_INT(iterations, iterations, 4);
5562
5563 if (key_length <= 0) {
5564 zend_argument_value_error(3, "must be greater than 0");
5565 RETURN_THROWS();
5566 }
5567
5568 if (method_len) {
5569 digest = EVP_get_digestbyname(method);
5570 } else {
5571 digest = EVP_sha1();
5572 }
5573
5574 if (!digest) {
5575 php_error_docref(NULL, E_WARNING, "Unknown digest algorithm");
5576 RETURN_FALSE;
5577 }
5578
5579 out_buffer = zend_string_alloc(key_length, 0);
5580
5581 if (PKCS5_PBKDF2_HMAC(password, (int)password_len, (unsigned char *)salt, (int)salt_len, (int)iterations, digest, (int)key_length, (unsigned char*)ZSTR_VAL(out_buffer)) == 1) {
5582 ZSTR_VAL(out_buffer)[key_length] = 0;
5583 RETURN_NEW_STR(out_buffer);
5584 } else {
5585 php_openssl_store_errors();
5586 zend_string_release_ex(out_buffer, 0);
5587 RETURN_FALSE;
5588 }
5589 }
5590 /* }}} */
5591
5592 /** openssl bio new file helper */
php_openssl_bio_new_file(const char * filename,size_t filename_len,uint32_t arg_num,const char * mode)5593 static BIO *php_openssl_bio_new_file(
5594 const char *filename, size_t filename_len, uint32_t arg_num, const char *mode) {
5595 char file_path[MAXPATHLEN];
5596 BIO *bio;
5597
5598 if (!php_openssl_check_path(filename, filename_len, file_path, arg_num)) {
5599 return NULL;
5600 }
5601
5602 bio = BIO_new_file(file_path, mode);
5603 if (bio == NULL) {
5604 php_openssl_store_errors();
5605 return NULL;
5606 }
5607
5608 return bio;
5609 }
5610
5611 /* {{{ PKCS7 S/MIME functions */
5612
5613 /* {{{ Verifys that the data block is intact, the signer is who they say they are, and returns the CERTs of the signers */
PHP_FUNCTION(openssl_pkcs7_verify)5614 PHP_FUNCTION(openssl_pkcs7_verify)
5615 {
5616 X509_STORE * store = NULL;
5617 zval * cainfo = NULL;
5618 STACK_OF(X509) *signers= NULL;
5619 STACK_OF(X509) *others = NULL;
5620 PKCS7 * p7 = NULL;
5621 BIO * in = NULL, * datain = NULL, * dataout = NULL, * p7bout = NULL;
5622 zend_long flags = 0;
5623 char * filename;
5624 size_t filename_len;
5625 char * extracerts = NULL;
5626 size_t extracerts_len = 0;
5627 char * signersfilename = NULL;
5628 size_t signersfilename_len = 0;
5629 char * datafilename = NULL;
5630 size_t datafilename_len = 0;
5631 char * p7bfilename = NULL;
5632 size_t p7bfilename_len = 0;
5633
5634 RETVAL_LONG(-1);
5635
5636 if (zend_parse_parameters(ZEND_NUM_ARGS(), "pl|p!ap!p!p!", &filename, &filename_len,
5637 &flags, &signersfilename, &signersfilename_len, &cainfo,
5638 &extracerts, &extracerts_len, &datafilename, &datafilename_len, &p7bfilename, &p7bfilename_len) == FAILURE) {
5639 RETURN_THROWS();
5640 }
5641
5642 if (extracerts) {
5643 others = php_openssl_load_all_certs_from_file(extracerts, extracerts_len, 5);
5644 if (others == NULL) {
5645 goto clean_exit;
5646 }
5647 }
5648
5649 flags = flags & ~PKCS7_DETACHED;
5650
5651 store = php_openssl_setup_verify(cainfo, 4);
5652
5653 if (!store) {
5654 goto clean_exit;
5655 }
5656
5657 in = php_openssl_bio_new_file(filename, filename_len, 1, PHP_OPENSSL_BIO_MODE_R(flags));
5658 if (in == NULL) {
5659 goto clean_exit;
5660 }
5661
5662 p7 = SMIME_read_PKCS7(in, &datain);
5663 if (p7 == NULL) {
5664 #if DEBUG_SMIME
5665 zend_printf("SMIME_read_PKCS7 failed\n");
5666 #endif
5667 php_openssl_store_errors();
5668 goto clean_exit;
5669 }
5670 if (datafilename) {
5671 dataout = php_openssl_bio_new_file(
5672 datafilename, datafilename_len, 6, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY));
5673 if (dataout == NULL) {
5674 goto clean_exit;
5675 }
5676 }
5677 if (p7bfilename) {
5678 p7bout = php_openssl_bio_new_file(
5679 p7bfilename, p7bfilename_len, 7, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY));
5680 if (p7bout == NULL) {
5681 goto clean_exit;
5682 }
5683 }
5684 #if DEBUG_SMIME
5685 zend_printf("Calling PKCS7 verify\n");
5686 #endif
5687
5688 if (PKCS7_verify(p7, others, store, datain, dataout, (int)flags)) {
5689
5690 RETVAL_TRUE;
5691
5692 if (signersfilename) {
5693 BIO *certout;
5694
5695 certout = php_openssl_bio_new_file(
5696 signersfilename, signersfilename_len, 3, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY));
5697 if (certout) {
5698 int i;
5699 signers = PKCS7_get0_signers(p7, others, (int)flags);
5700 if (signers != NULL) {
5701
5702 for (i = 0; i < sk_X509_num(signers); i++) {
5703 if (!PEM_write_bio_X509(certout, sk_X509_value(signers, i))) {
5704 php_openssl_store_errors();
5705 RETVAL_LONG(-1);
5706 php_error_docref(NULL, E_WARNING, "Failed to write signer %d", i);
5707 }
5708 }
5709
5710 sk_X509_free(signers);
5711 } else {
5712 RETVAL_LONG(-1);
5713 php_openssl_store_errors();
5714 }
5715
5716 BIO_free(certout);
5717 } else {
5718 php_error_docref(NULL, E_WARNING, "Signature OK, but cannot open %s for writing", signersfilename);
5719 RETVAL_LONG(-1);
5720 }
5721
5722 if (p7bout) {
5723 if (PEM_write_bio_PKCS7(p7bout, p7) == 0) {
5724 php_error_docref(NULL, E_WARNING, "Failed to write PKCS7 to file");
5725 php_openssl_store_errors();
5726 RETVAL_FALSE;
5727 }
5728 }
5729 }
5730 } else {
5731 php_openssl_store_errors();
5732 RETVAL_FALSE;
5733 }
5734 clean_exit:
5735 if (p7bout) {
5736 BIO_free(p7bout);
5737 }
5738 X509_STORE_free(store);
5739 BIO_free(datain);
5740 BIO_free(in);
5741 BIO_free(dataout);
5742 PKCS7_free(p7);
5743 sk_X509_pop_free(others, X509_free);
5744 }
5745 /* }}} */
5746
5747 /* {{{ Encrypts the message in the file named infile with the certificates in recipcerts and output the result to the file named outfile */
PHP_FUNCTION(openssl_pkcs7_encrypt)5748 PHP_FUNCTION(openssl_pkcs7_encrypt)
5749 {
5750 zval * zrecipcerts, * zheaders = NULL;
5751 STACK_OF(X509) * recipcerts = NULL;
5752 BIO * infile = NULL, * outfile = NULL;
5753 zend_long flags = 0;
5754 PKCS7 * p7 = NULL;
5755 zval * zcertval;
5756 X509 * cert;
5757 const EVP_CIPHER *cipher = NULL;
5758 zend_long cipherid = PHP_OPENSSL_CIPHER_DEFAULT;
5759 zend_string * strindex;
5760 char * infilename = NULL;
5761 size_t infilename_len;
5762 char * outfilename = NULL;
5763 size_t outfilename_len;
5764
5765 RETVAL_FALSE;
5766
5767 if (zend_parse_parameters(ZEND_NUM_ARGS(), "ppza!|ll", &infilename, &infilename_len,
5768 &outfilename, &outfilename_len, &zrecipcerts, &zheaders, &flags, &cipherid) == FAILURE) {
5769 RETURN_THROWS();
5770 }
5771
5772 infile = php_openssl_bio_new_file(infilename, infilename_len, 1, PHP_OPENSSL_BIO_MODE_R(flags));
5773 if (infile == NULL) {
5774 goto clean_exit;
5775 }
5776
5777 outfile = php_openssl_bio_new_file(outfilename, outfilename_len, 2, PHP_OPENSSL_BIO_MODE_W(flags));
5778 if (outfile == NULL) {
5779 goto clean_exit;
5780 }
5781
5782 recipcerts = sk_X509_new_null();
5783
5784 /* get certs */
5785 if (Z_TYPE_P(zrecipcerts) == IS_ARRAY) {
5786 ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(zrecipcerts), zcertval) {
5787 bool free_cert;
5788
5789 cert = php_openssl_x509_from_zval(zcertval, &free_cert, 3, true, NULL);
5790 if (cert == NULL) {
5791 // TODO Add warning?
5792 goto clean_exit;
5793 }
5794
5795 if (!free_cert) {
5796 /* we shouldn't free this particular cert, as it is a resource.
5797 make a copy and push that on the stack instead */
5798 cert = X509_dup(cert);
5799 if (cert == NULL) {
5800 php_openssl_store_errors();
5801 goto clean_exit;
5802 }
5803 }
5804 sk_X509_push(recipcerts, cert);
5805 } ZEND_HASH_FOREACH_END();
5806 } else {
5807 /* a single certificate */
5808 bool free_cert;
5809
5810 cert = php_openssl_x509_from_zval(zrecipcerts, &free_cert, 3, false, NULL);
5811 if (cert == NULL) {
5812 // TODO Add warning?
5813 goto clean_exit;
5814 }
5815
5816 if (!free_cert) {
5817 /* we shouldn't free this particular cert, as it is a resource.
5818 make a copy and push that on the stack instead */
5819 cert = X509_dup(cert);
5820 if (cert == NULL) {
5821 php_openssl_store_errors();
5822 goto clean_exit;
5823 }
5824 }
5825 sk_X509_push(recipcerts, cert);
5826 }
5827
5828 /* sanity check the cipher */
5829 cipher = php_openssl_get_evp_cipher_from_algo(cipherid);
5830 if (cipher == NULL) {
5831 /* shouldn't happen */
5832 php_error_docref(NULL, E_WARNING, "Failed to get cipher");
5833 goto clean_exit;
5834 }
5835
5836 p7 = PKCS7_encrypt(recipcerts, infile, (EVP_CIPHER*)cipher, (int)flags);
5837
5838 if (p7 == NULL) {
5839 php_openssl_store_errors();
5840 goto clean_exit;
5841 }
5842
5843 /* tack on extra headers */
5844 if (zheaders) {
5845 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(zheaders), strindex, zcertval) {
5846 zend_string *str = zval_try_get_string(zcertval);
5847 if (UNEXPECTED(!str)) {
5848 goto clean_exit;
5849 }
5850 if (strindex) {
5851 BIO_printf(outfile, "%s: %s\n", ZSTR_VAL(strindex), ZSTR_VAL(str));
5852 } else {
5853 BIO_printf(outfile, "%s\n", ZSTR_VAL(str));
5854 }
5855 zend_string_release(str);
5856 } ZEND_HASH_FOREACH_END();
5857 }
5858
5859 (void)BIO_reset(infile);
5860
5861 /* write the encrypted data */
5862 if (!SMIME_write_PKCS7(outfile, p7, infile, (int)flags)) {
5863 php_openssl_store_errors();
5864 goto clean_exit;
5865 }
5866
5867 RETVAL_TRUE;
5868
5869 clean_exit:
5870 PKCS7_free(p7);
5871 BIO_free(infile);
5872 BIO_free(outfile);
5873 if (recipcerts) {
5874 sk_X509_pop_free(recipcerts, X509_free);
5875 }
5876 }
5877 /* }}} */
5878
5879 /* {{{ Exports the PKCS7 file to an array of PEM certificates */
PHP_FUNCTION(openssl_pkcs7_read)5880 PHP_FUNCTION(openssl_pkcs7_read)
5881 {
5882 zval * zout = NULL, zcert;
5883 char *p7b;
5884 size_t p7b_len;
5885 STACK_OF(X509) *certs = NULL;
5886 STACK_OF(X509_CRL) *crls = NULL;
5887 BIO * bio_in = NULL, * bio_out = NULL;
5888 PKCS7 * p7 = NULL;
5889 int i;
5890
5891 if (zend_parse_parameters(ZEND_NUM_ARGS(), "sz", &p7b, &p7b_len,
5892 &zout) == FAILURE) {
5893 RETURN_THROWS();
5894 }
5895
5896 RETVAL_FALSE;
5897
5898 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(p7b_len, p7b, 1);
5899
5900 bio_in = BIO_new(BIO_s_mem());
5901 if (bio_in == NULL) {
5902 goto clean_exit;
5903 }
5904
5905 if (0 >= BIO_write(bio_in, p7b, (int)p7b_len)) {
5906 php_openssl_store_errors();
5907 goto clean_exit;
5908 }
5909
5910 p7 = PEM_read_bio_PKCS7(bio_in, NULL, NULL, NULL);
5911 if (p7 == NULL) {
5912 php_openssl_store_errors();
5913 goto clean_exit;
5914 }
5915
5916 switch (OBJ_obj2nid(p7->type)) {
5917 case NID_pkcs7_signed:
5918 if (p7->d.sign != NULL) {
5919 certs = p7->d.sign->cert;
5920 crls = p7->d.sign->crl;
5921 }
5922 break;
5923 case NID_pkcs7_signedAndEnveloped:
5924 if (p7->d.signed_and_enveloped != NULL) {
5925 certs = p7->d.signed_and_enveloped->cert;
5926 crls = p7->d.signed_and_enveloped->crl;
5927 }
5928 break;
5929 default:
5930 break;
5931 }
5932
5933 zout = zend_try_array_init(zout);
5934 if (!zout) {
5935 goto clean_exit;
5936 }
5937
5938 if (certs != NULL) {
5939 for (i = 0; i < sk_X509_num(certs); i++) {
5940 X509* ca = sk_X509_value(certs, i);
5941
5942 bio_out = BIO_new(BIO_s_mem());
5943 if (bio_out && PEM_write_bio_X509(bio_out, ca)) {
5944 BUF_MEM *bio_buf;
5945 BIO_get_mem_ptr(bio_out, &bio_buf);
5946 ZVAL_STRINGL(&zcert, bio_buf->data, bio_buf->length);
5947 add_index_zval(zout, i, &zcert);
5948 BIO_free(bio_out);
5949 }
5950 }
5951 }
5952
5953 if (crls != NULL) {
5954 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
5955 X509_CRL* crl = sk_X509_CRL_value(crls, i);
5956
5957 bio_out = BIO_new(BIO_s_mem());
5958 if (bio_out && PEM_write_bio_X509_CRL(bio_out, crl)) {
5959 BUF_MEM *bio_buf;
5960 BIO_get_mem_ptr(bio_out, &bio_buf);
5961 ZVAL_STRINGL(&zcert, bio_buf->data, bio_buf->length);
5962 add_index_zval(zout, i, &zcert);
5963 BIO_free(bio_out);
5964 }
5965 }
5966 }
5967
5968 RETVAL_TRUE;
5969
5970 clean_exit:
5971 BIO_free(bio_in);
5972
5973 if (p7 != NULL) {
5974 PKCS7_free(p7);
5975 }
5976 }
5977 /* }}} */
5978
5979 /* {{{ Signs the MIME message in the file named infile with signcert/signkey and output the result to file name outfile. headers lists plain text headers to exclude from the signed portion of the message, and should include to, from and subject as a minimum */
5980
PHP_FUNCTION(openssl_pkcs7_sign)5981 PHP_FUNCTION(openssl_pkcs7_sign)
5982 {
5983 X509 *cert = NULL;
5984 zend_object *cert_obj;
5985 zend_string *cert_str;
5986 zval *zprivkey, * zheaders;
5987 zval * hval;
5988 EVP_PKEY * privkey = NULL;
5989 zend_long flags = PKCS7_DETACHED;
5990 PKCS7 * p7 = NULL;
5991 BIO * infile = NULL, * outfile = NULL;
5992 STACK_OF(X509) *others = NULL;
5993 zend_string * strindex;
5994 char * infilename;
5995 size_t infilename_len;
5996 char * outfilename;
5997 size_t outfilename_len;
5998 char * extracertsfilename = NULL;
5999 size_t extracertsfilename_len;
6000
6001 ZEND_PARSE_PARAMETERS_START(5, 7)
6002 Z_PARAM_PATH(infilename, infilename_len)
6003 Z_PARAM_PATH(outfilename, outfilename_len)
6004 Z_PARAM_OBJ_OF_CLASS_OR_STR(cert_obj, php_openssl_certificate_ce, cert_str)
6005 Z_PARAM_ZVAL(zprivkey)
6006 Z_PARAM_ARRAY_OR_NULL(zheaders)
6007 Z_PARAM_OPTIONAL
6008 Z_PARAM_LONG(flags)
6009 Z_PARAM_PATH_OR_NULL(extracertsfilename, extracertsfilename_len)
6010 ZEND_PARSE_PARAMETERS_END();
6011
6012 RETVAL_FALSE;
6013
6014 if (extracertsfilename) {
6015 others = php_openssl_load_all_certs_from_file(
6016 extracertsfilename, extracertsfilename_len, 7);
6017 if (others == NULL) {
6018 goto clean_exit;
6019 }
6020 }
6021
6022 privkey = php_openssl_pkey_from_zval(zprivkey, 0, "", 0, 4);
6023 if (privkey == NULL) {
6024 if (!EG(exception)) {
6025 php_error_docref(NULL, E_WARNING, "Error getting private key");
6026 }
6027 goto clean_exit;
6028 }
6029
6030 cert = php_openssl_x509_from_param(cert_obj, cert_str, 3);
6031 if (cert == NULL) {
6032 php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
6033 goto clean_exit;
6034 }
6035
6036 infile = php_openssl_bio_new_file(infilename, infilename_len, 1, PHP_OPENSSL_BIO_MODE_R(flags));
6037 if (infile == NULL) {
6038 php_error_docref(NULL, E_WARNING, "Error opening input file %s!", infilename);
6039 goto clean_exit;
6040 }
6041
6042 outfile = php_openssl_bio_new_file(outfilename, outfilename_len, 2, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY));
6043 if (outfile == NULL) {
6044 php_error_docref(NULL, E_WARNING, "Error opening output file %s!", outfilename);
6045 goto clean_exit;
6046 }
6047
6048 p7 = PKCS7_sign(cert, privkey, others, infile, (int)flags);
6049 if (p7 == NULL) {
6050 php_openssl_store_errors();
6051 php_error_docref(NULL, E_WARNING, "Error creating PKCS7 structure!");
6052 goto clean_exit;
6053 }
6054
6055 (void)BIO_reset(infile);
6056
6057 /* tack on extra headers */
6058 if (zheaders) {
6059 int ret;
6060
6061 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(zheaders), strindex, hval) {
6062 zend_string *str = zval_try_get_string(hval);
6063 if (UNEXPECTED(!str)) {
6064 goto clean_exit;
6065 }
6066 if (strindex) {
6067 ret = BIO_printf(outfile, "%s: %s\n", ZSTR_VAL(strindex), ZSTR_VAL(str));
6068 } else {
6069 ret = BIO_printf(outfile, "%s\n", ZSTR_VAL(str));
6070 }
6071 zend_string_release(str);
6072 if (ret < 0) {
6073 php_openssl_store_errors();
6074 }
6075 } ZEND_HASH_FOREACH_END();
6076 }
6077 /* write the signed data */
6078 if (!SMIME_write_PKCS7(outfile, p7, infile, (int)flags)) {
6079 php_openssl_store_errors();
6080 goto clean_exit;
6081 }
6082
6083 RETVAL_TRUE;
6084
6085 clean_exit:
6086 PKCS7_free(p7);
6087 BIO_free(infile);
6088 BIO_free(outfile);
6089 if (others) {
6090 sk_X509_pop_free(others, X509_free);
6091 }
6092 EVP_PKEY_free(privkey);
6093 if (cert && cert_str) {
6094 X509_free(cert);
6095 }
6096 }
6097 /* }}} */
6098
6099 /* {{{ Decrypts the S/MIME message in the file name infilename and output the results to the file name outfilename. recipcert is a CERT for one of the recipients. recipkey specifies the private key matching recipcert, if recipcert does not include the key */
6100
PHP_FUNCTION(openssl_pkcs7_decrypt)6101 PHP_FUNCTION(openssl_pkcs7_decrypt)
6102 {
6103 X509 *cert;
6104 zval *recipcert, *recipkey = NULL;
6105 bool free_recipcert;
6106 EVP_PKEY * key = NULL;
6107 BIO * in = NULL, *out = NULL, *datain = NULL;
6108 PKCS7 * p7 = NULL;
6109 char * infilename;
6110 size_t infilename_len;
6111 char * outfilename;
6112 size_t outfilename_len;
6113
6114 ZEND_PARSE_PARAMETERS_START(3, 4)
6115 Z_PARAM_PATH(infilename, infilename_len)
6116 Z_PARAM_PATH(outfilename, outfilename_len)
6117 Z_PARAM_ZVAL(recipcert)
6118 Z_PARAM_OPTIONAL
6119 Z_PARAM_ZVAL_OR_NULL(recipkey)
6120 ZEND_PARSE_PARAMETERS_END();
6121
6122 RETVAL_FALSE;
6123
6124 cert = php_openssl_x509_from_zval(recipcert, &free_recipcert, 3, false, NULL);
6125 if (cert == NULL) {
6126 php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
6127 goto clean_exit;
6128 }
6129
6130 key = php_openssl_pkey_from_zval(recipkey ? recipkey : recipcert, 0, "", 0, 4);
6131 if (key == NULL) {
6132 if (!EG(exception)) {
6133 php_error_docref(NULL, E_WARNING, "Unable to get private key");
6134 }
6135 goto clean_exit;
6136 }
6137
6138 in = php_openssl_bio_new_file(
6139 infilename, infilename_len, 1, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
6140 if (in == NULL) {
6141 goto clean_exit;
6142 }
6143
6144 out = php_openssl_bio_new_file(
6145 outfilename, outfilename_len, 2, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY));
6146 if (out == NULL) {
6147 goto clean_exit;
6148 }
6149
6150 p7 = SMIME_read_PKCS7(in, &datain);
6151
6152 if (p7 == NULL) {
6153 php_openssl_store_errors();
6154 goto clean_exit;
6155 }
6156 if (PKCS7_decrypt(p7, key, cert, out, PKCS7_DETACHED)) {
6157 RETVAL_TRUE;
6158 } else {
6159 php_openssl_store_errors();
6160 }
6161 clean_exit:
6162 PKCS7_free(p7);
6163 BIO_free(datain);
6164 BIO_free(in);
6165 BIO_free(out);
6166 if (cert && free_recipcert) {
6167 X509_free(cert);
6168 }
6169 EVP_PKEY_free(key);
6170 }
6171 /* }}} */
6172
6173 /* }}} */
6174
6175 /* {{{ CMS S/MIME functions taken from PKCS#7 functions */
6176
6177 /* {{{ Verifies that the data block is intact, the signer is who they say they are, and returns the CERTs of the signers */
PHP_FUNCTION(openssl_cms_verify)6178 PHP_FUNCTION(openssl_cms_verify)
6179 {
6180 X509_STORE * store = NULL;
6181 zval * cainfo = NULL;
6182 STACK_OF(X509) *signers= NULL;
6183 STACK_OF(X509) *others = NULL;
6184 CMS_ContentInfo * cms = NULL;
6185 BIO * in = NULL, * datain = NULL, * dataout = NULL, * p7bout = NULL;
6186 BIO *certout = NULL, *sigbio = NULL;
6187 zend_long flags = 0;
6188 char * filename;
6189 size_t filename_len;
6190 char * extracerts = NULL;
6191 size_t extracerts_len = 0;
6192 char * signersfilename = NULL;
6193 size_t signersfilename_len = 0;
6194 char * datafilename = NULL;
6195 size_t datafilename_len = 0;
6196 char * p7bfilename = NULL;
6197 size_t p7bfilename_len = 0;
6198 char * sigfile = NULL;
6199 size_t sigfile_len = 0;
6200 zend_long encoding = ENCODING_SMIME;
6201
6202 RETVAL_FALSE;
6203
6204 if (zend_parse_parameters(ZEND_NUM_ARGS(), "pl|p!ap!p!p!p!l", &filename, &filename_len,
6205 &flags, &signersfilename, &signersfilename_len, &cainfo,
6206 &extracerts, &extracerts_len, &datafilename, &datafilename_len,
6207 &p7bfilename, &p7bfilename_len,
6208 &sigfile, &sigfile_len, &encoding) == FAILURE) {
6209 RETURN_THROWS();
6210 }
6211
6212 in = php_openssl_bio_new_file(filename, filename_len, 1, PHP_OPENSSL_BIO_MODE_R(flags));
6213 if (in == NULL) {
6214 goto clean_exit;
6215 }
6216 if (sigfile && (flags & CMS_DETACHED)) {
6217 if (encoding == ENCODING_SMIME) {
6218 php_error_docref(NULL, E_WARNING,
6219 "Detached signatures not possible with S/MIME encoding");
6220 goto clean_exit;
6221 }
6222 sigbio = php_openssl_bio_new_file(sigfile, sigfile_len, 1, PHP_OPENSSL_BIO_MODE_R(flags));
6223 if (sigbio == NULL) {
6224 goto clean_exit;
6225 }
6226 } else {
6227 sigbio = in; /* non-detached signature */
6228 }
6229
6230 switch (encoding) {
6231 case ENCODING_PEM:
6232 cms = PEM_read_bio_CMS(sigbio, NULL, 0, NULL);
6233 datain = in;
6234 break;
6235 case ENCODING_DER:
6236 cms = d2i_CMS_bio(sigbio, NULL);
6237 datain = in;
6238 break;
6239 case ENCODING_SMIME:
6240 cms = SMIME_read_CMS(sigbio, &datain);
6241 break;
6242 default:
6243 php_error_docref(NULL, E_WARNING, "Unknown encoding");
6244 goto clean_exit;
6245 }
6246 if (cms == NULL) {
6247 php_openssl_store_errors();
6248 goto clean_exit;
6249 }
6250 if (encoding != ENCODING_SMIME && !(flags & CMS_DETACHED)) {
6251 datain = NULL; /* when not detached, don't pass a real BIO */
6252 }
6253
6254 if (extracerts) {
6255 others = php_openssl_load_all_certs_from_file(extracerts, extracerts_len, 5);
6256 if (others == NULL) {
6257 goto clean_exit;
6258 }
6259 }
6260
6261 store = php_openssl_setup_verify(cainfo, 4);
6262
6263 if (!store) {
6264 goto clean_exit;
6265 }
6266
6267 if (datafilename) {
6268 dataout = php_openssl_bio_new_file(
6269 datafilename, datafilename_len, 6, PHP_OPENSSL_BIO_MODE_W(CMS_BINARY));
6270 if (dataout == NULL) {
6271 goto clean_exit;
6272 }
6273 }
6274
6275 if (p7bfilename) {
6276 p7bout = php_openssl_bio_new_file(
6277 p7bfilename, p7bfilename_len, 7, PHP_OPENSSL_BIO_MODE_W(CMS_BINARY));
6278 if (p7bout == NULL) {
6279 goto clean_exit;
6280 }
6281 }
6282 #if DEBUG_SMIME
6283 zend_printf("Calling CMS verify\n");
6284 #endif
6285 if (CMS_verify(cms, others, store, datain, dataout, (unsigned int)flags)) {
6286 RETVAL_TRUE;
6287
6288 if (signersfilename) {
6289 certout = php_openssl_bio_new_file(
6290 signersfilename, signersfilename_len, 3, PHP_OPENSSL_BIO_MODE_W(CMS_BINARY));
6291 if (certout) {
6292 int i;
6293 signers = CMS_get0_signers(cms);
6294 if (signers != NULL) {
6295
6296 for (i = 0; i < sk_X509_num(signers); i++) {
6297 if (!PEM_write_bio_X509(certout, sk_X509_value(signers, i))) {
6298 php_openssl_store_errors();
6299 RETVAL_FALSE;
6300 php_error_docref(NULL, E_WARNING, "Failed to write signer %d", i);
6301 }
6302 }
6303
6304 sk_X509_free(signers);
6305 } else {
6306 RETVAL_FALSE;
6307 php_openssl_store_errors();
6308 }
6309 } else {
6310 php_error_docref(NULL, E_WARNING, "Signature OK, but cannot open %s for writing", signersfilename);
6311 RETVAL_FALSE;
6312 }
6313
6314 if (p7bout) {
6315 if (PEM_write_bio_CMS(p7bout, cms) == 0) {
6316 php_error_docref(NULL, E_WARNING, "Failed to write CMS to file");
6317 php_openssl_store_errors();
6318 RETVAL_FALSE;
6319 }
6320 }
6321 }
6322 } else {
6323 php_openssl_store_errors();
6324 RETVAL_FALSE;
6325 }
6326 clean_exit:
6327 BIO_free(p7bout);
6328 if (store) {
6329 X509_STORE_free(store);
6330 }
6331 if (datain != in) {
6332 BIO_free(datain);
6333 }
6334 if (sigbio != in) {
6335 BIO_free(sigbio);
6336 }
6337 BIO_free(in);
6338 BIO_free(dataout);
6339 BIO_free(certout);
6340 if (cms) {
6341 CMS_ContentInfo_free(cms);
6342 }
6343 if (others) {
6344 sk_X509_pop_free(others, X509_free);
6345 }
6346 }
6347 /* }}} */
6348
6349 /* {{{ Encrypts the message in the file named infile with the certificates in recipcerts and output the result to the file named outfile */
PHP_FUNCTION(openssl_cms_encrypt)6350 PHP_FUNCTION(openssl_cms_encrypt)
6351 {
6352 zval * zrecipcerts, * zheaders = NULL;
6353 STACK_OF(X509) * recipcerts = NULL;
6354 BIO * infile = NULL, * outfile = NULL;
6355 zend_long flags = 0;
6356 zend_long encoding = ENCODING_SMIME;
6357 CMS_ContentInfo * cms = NULL;
6358 zval * zcertval;
6359 X509 * cert;
6360 const EVP_CIPHER *cipher = NULL;
6361 zend_long cipherid = PHP_OPENSSL_CIPHER_DEFAULT;
6362 zend_string * strindex;
6363 char * infilename = NULL;
6364 size_t infilename_len;
6365 char * outfilename = NULL;
6366 size_t outfilename_len;
6367 int need_final = 0;
6368
6369 RETVAL_FALSE;
6370
6371 if (zend_parse_parameters(ZEND_NUM_ARGS(), "ppza!|lll", &infilename, &infilename_len,
6372 &outfilename, &outfilename_len, &zrecipcerts, &zheaders, &flags, &encoding, &cipherid) == FAILURE) {
6373 RETURN_THROWS();
6374 }
6375
6376
6377 infile = php_openssl_bio_new_file(
6378 infilename, infilename_len, 1, PHP_OPENSSL_BIO_MODE_R(flags));
6379 if (infile == NULL) {
6380 goto clean_exit;
6381 }
6382
6383 outfile = php_openssl_bio_new_file(
6384 outfilename, outfilename_len, 2, PHP_OPENSSL_BIO_MODE_W(flags));
6385 if (outfile == NULL) {
6386 goto clean_exit;
6387 }
6388
6389 recipcerts = sk_X509_new_null();
6390
6391 /* get certs */
6392 if (Z_TYPE_P(zrecipcerts) == IS_ARRAY) {
6393 ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(zrecipcerts), zcertval) {
6394 bool free_cert;
6395
6396 cert = php_openssl_x509_from_zval(zcertval, &free_cert, 3, true, NULL);
6397 if (cert == NULL) {
6398 goto clean_exit;
6399 }
6400
6401 if (!free_cert) {
6402 /* we shouldn't free this particular cert, as it is a resource.
6403 make a copy and push that on the stack instead */
6404 cert = X509_dup(cert);
6405 if (cert == NULL) {
6406 php_openssl_store_errors();
6407 goto clean_exit;
6408 }
6409 }
6410 sk_X509_push(recipcerts, cert);
6411 } ZEND_HASH_FOREACH_END();
6412 } else {
6413 /* a single certificate */
6414 bool free_cert;
6415
6416 cert = php_openssl_x509_from_zval(zrecipcerts, &free_cert, 3, false, NULL);
6417 if (cert == NULL) {
6418 goto clean_exit;
6419 }
6420
6421 if (!free_cert) {
6422 /* we shouldn't free this particular cert, as it is a resource.
6423 make a copy and push that on the stack instead */
6424 cert = X509_dup(cert);
6425 if (cert == NULL) {
6426 php_openssl_store_errors();
6427 goto clean_exit;
6428 }
6429 }
6430 sk_X509_push(recipcerts, cert);
6431 }
6432
6433 /* sanity check the cipher */
6434 cipher = php_openssl_get_evp_cipher_from_algo(cipherid);
6435 if (cipher == NULL) {
6436 /* shouldn't happen */
6437 php_error_docref(NULL, E_WARNING, "Failed to get cipher");
6438 goto clean_exit;
6439 }
6440
6441 cms = CMS_encrypt(recipcerts, infile, (EVP_CIPHER*)cipher, (unsigned int)flags);
6442
6443 if (cms == NULL) {
6444 php_openssl_store_errors();
6445 goto clean_exit;
6446 }
6447
6448 if (flags & CMS_PARTIAL && !(flags & CMS_STREAM)) {
6449 need_final=1;
6450 }
6451
6452 /* tack on extra headers */
6453 if (zheaders && encoding == ENCODING_SMIME) {
6454 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(zheaders), strindex, zcertval) {
6455 zend_string *str = zval_try_get_string(zcertval);
6456 if (UNEXPECTED(!str)) {
6457 goto clean_exit;
6458 }
6459 if (strindex) {
6460 BIO_printf(outfile, "%s: %s\n", ZSTR_VAL(strindex), ZSTR_VAL(str));
6461 } else {
6462 BIO_printf(outfile, "%s\n", ZSTR_VAL(str));
6463 }
6464 zend_string_release(str);
6465 } ZEND_HASH_FOREACH_END();
6466 }
6467
6468 (void)BIO_reset(infile);
6469
6470 switch (encoding) {
6471 case ENCODING_SMIME:
6472 if (!SMIME_write_CMS(outfile, cms, infile, (int)flags)) {
6473 php_openssl_store_errors();
6474 goto clean_exit;
6475 }
6476 break;
6477 case ENCODING_DER:
6478 if (need_final) {
6479 if (CMS_final(cms, infile, NULL, (unsigned int) flags) != 1) {
6480 php_openssl_store_errors();
6481 goto clean_exit;
6482 }
6483 }
6484 if (i2d_CMS_bio(outfile, cms) != 1) {
6485 php_openssl_store_errors();
6486 goto clean_exit;
6487 }
6488 break;
6489 case ENCODING_PEM:
6490 if (need_final) {
6491 if (CMS_final(cms, infile, NULL, (unsigned int) flags) != 1) {
6492 php_openssl_store_errors();
6493 goto clean_exit;
6494 }
6495 }
6496 if (flags & CMS_STREAM) {
6497 if (PEM_write_bio_CMS_stream(outfile, cms, infile, flags) == 0) {
6498 php_openssl_store_errors();
6499 goto clean_exit;
6500 }
6501 } else {
6502 if (PEM_write_bio_CMS(outfile, cms) == 0) {
6503 php_openssl_store_errors();
6504 goto clean_exit;
6505 }
6506 }
6507 break;
6508 default:
6509 php_error_docref(NULL, E_WARNING, "Unknown OPENSSL encoding");
6510 goto clean_exit;
6511 }
6512
6513 RETVAL_TRUE;
6514
6515 clean_exit:
6516 if (cms) {
6517 CMS_ContentInfo_free(cms);
6518 }
6519 BIO_free(infile);
6520 BIO_free(outfile);
6521 if (recipcerts) {
6522 sk_X509_pop_free(recipcerts, X509_free);
6523 }
6524 }
6525 /* }}} */
6526
6527 /* {{{ Exports the CMS file to an array of PEM certificates */
PHP_FUNCTION(openssl_cms_read)6528 PHP_FUNCTION(openssl_cms_read)
6529 {
6530 zval * zout = NULL, zcert;
6531 char *p7b;
6532 size_t p7b_len;
6533 STACK_OF(X509) *certs = NULL;
6534 STACK_OF(X509_CRL) *crls = NULL;
6535 BIO * bio_in = NULL, * bio_out = NULL;
6536 CMS_ContentInfo * cms = NULL;
6537 int i;
6538
6539 if (zend_parse_parameters(ZEND_NUM_ARGS(), "sz", &p7b, &p7b_len,
6540 &zout) == FAILURE) {
6541 RETURN_THROWS();
6542 }
6543
6544 RETVAL_FALSE;
6545
6546 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(p7b_len, p7b, 1);
6547
6548 bio_in = BIO_new(BIO_s_mem());
6549 if (bio_in == NULL) {
6550 goto clean_exit;
6551 }
6552
6553 if (0 >= BIO_write(bio_in, p7b, (int)p7b_len)) {
6554 php_openssl_store_errors();
6555 goto clean_exit;
6556 }
6557
6558 cms = PEM_read_bio_CMS(bio_in, NULL, NULL, NULL);
6559 if (cms == NULL) {
6560 php_openssl_store_errors();
6561 goto clean_exit;
6562 }
6563
6564 switch (OBJ_obj2nid(CMS_get0_type(cms))) {
6565 case NID_pkcs7_signed:
6566 case NID_pkcs7_signedAndEnveloped:
6567 certs = CMS_get1_certs(cms);
6568 crls = CMS_get1_crls(cms);
6569 break;
6570 default:
6571 break;
6572 }
6573
6574 zout = zend_try_array_init(zout);
6575 if (!zout) {
6576 goto clean_exit;
6577 }
6578
6579 if (certs != NULL) {
6580 for (i = 0; i < sk_X509_num(certs); i++) {
6581 X509* ca = sk_X509_value(certs, i);
6582
6583 bio_out = BIO_new(BIO_s_mem());
6584 if (bio_out && PEM_write_bio_X509(bio_out, ca)) {
6585 BUF_MEM *bio_buf;
6586 BIO_get_mem_ptr(bio_out, &bio_buf);
6587 ZVAL_STRINGL(&zcert, bio_buf->data, bio_buf->length);
6588 add_index_zval(zout, i, &zcert);
6589 BIO_free(bio_out);
6590 }
6591 }
6592 }
6593
6594 if (crls != NULL) {
6595 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
6596 X509_CRL* crl = sk_X509_CRL_value(crls, i);
6597
6598 bio_out = BIO_new(BIO_s_mem());
6599 if (bio_out && PEM_write_bio_X509_CRL(bio_out, crl)) {
6600 BUF_MEM *bio_buf;
6601 BIO_get_mem_ptr(bio_out, &bio_buf);
6602 ZVAL_STRINGL(&zcert, bio_buf->data, bio_buf->length);
6603 add_index_zval(zout, i, &zcert);
6604 BIO_free(bio_out);
6605 }
6606 }
6607 }
6608
6609 RETVAL_TRUE;
6610
6611 clean_exit:
6612 BIO_free(bio_in);
6613 if (cms != NULL) {
6614 CMS_ContentInfo_free(cms);
6615 }
6616 if (certs != NULL) {
6617 sk_X509_pop_free(certs, X509_free);
6618 }
6619 if (crls != NULL) {
6620 sk_X509_CRL_pop_free(crls, X509_CRL_free);
6621 }
6622 }
6623 /* }}} */
6624
6625 /* {{{ Signs the MIME message in the file named infile with signcert/signkey and output the result to file name outfile. headers lists plain text headers to exclude from the signed portion of the message, and should include to, from and subject as a minimum */
6626
PHP_FUNCTION(openssl_cms_sign)6627 PHP_FUNCTION(openssl_cms_sign)
6628 {
6629 X509 *cert = NULL;
6630 zend_object *cert_obj;
6631 zend_string *cert_str;
6632 zval *zprivkey, *zheaders;
6633 zval * hval;
6634 EVP_PKEY * privkey = NULL;
6635 zend_long flags = 0;
6636 zend_long encoding = ENCODING_SMIME;
6637 CMS_ContentInfo * cms = NULL;
6638 BIO * infile = NULL, * outfile = NULL;
6639 STACK_OF(X509) *others = NULL;
6640 zend_string * strindex;
6641 char * infilename;
6642 size_t infilename_len;
6643 char * outfilename;
6644 size_t outfilename_len;
6645 char * extracertsfilename = NULL;
6646 size_t extracertsfilename_len;
6647 int need_final = 0;
6648
6649 ZEND_PARSE_PARAMETERS_START(5, 8)
6650 Z_PARAM_PATH(infilename, infilename_len)
6651 Z_PARAM_PATH(outfilename, outfilename_len)
6652 Z_PARAM_OBJ_OF_CLASS_OR_STR(cert_obj, php_openssl_certificate_ce, cert_str)
6653 Z_PARAM_ZVAL(zprivkey)
6654 Z_PARAM_ARRAY_OR_NULL(zheaders)
6655 Z_PARAM_OPTIONAL
6656 Z_PARAM_LONG(flags)
6657 Z_PARAM_LONG(encoding)
6658 Z_PARAM_PATH_OR_NULL(extracertsfilename, extracertsfilename_len)
6659 ZEND_PARSE_PARAMETERS_END();
6660
6661 RETVAL_FALSE;
6662
6663 if (extracertsfilename) {
6664 others = php_openssl_load_all_certs_from_file(
6665 extracertsfilename, extracertsfilename_len, 8);
6666 if (others == NULL) {
6667 goto clean_exit;
6668 }
6669 }
6670
6671 privkey = php_openssl_pkey_from_zval(zprivkey, 0, "", 0, 4);
6672 if (privkey == NULL) {
6673 if (!EG(exception)) {
6674 php_error_docref(NULL, E_WARNING, "Error getting private key");
6675 }
6676 goto clean_exit;
6677 }
6678
6679 cert = php_openssl_x509_from_param(cert_obj, cert_str, 3);
6680 if (cert == NULL) {
6681 php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
6682 goto clean_exit;
6683 }
6684
6685 if ((encoding & ENCODING_SMIME) && (flags & CMS_DETACHED)) {
6686 php_error_docref(NULL,
6687 E_WARNING, "Detached signatures not possible with S/MIME encoding");
6688 goto clean_exit;
6689 }
6690
6691 /* a CMS struct will not be complete if either CMS_PARTIAL or CMS_STREAM is set.
6692 * However, CMS_PARTIAL requires a CMS_final call whereas CMS_STREAM requires
6693 * a different write routine below. There may be a more efficient way to do this
6694 * with function pointers, but the readability goes down.
6695 * References: CMS_sign(3SSL), CMS_final(3SSL)
6696 */
6697
6698 if (flags & CMS_PARTIAL && !(flags & CMS_STREAM)) {
6699 need_final=1;
6700 }
6701
6702 infile = php_openssl_bio_new_file(
6703 infilename, infilename_len, 1, PHP_OPENSSL_BIO_MODE_R(flags));
6704 if (infile == NULL) {
6705 php_error_docref(NULL, E_WARNING, "Error opening input file %s!", infilename);
6706 goto clean_exit;
6707 }
6708
6709 outfile = php_openssl_bio_new_file(
6710 outfilename, outfilename_len, 2, PHP_OPENSSL_BIO_MODE_W(CMS_BINARY));
6711 if (outfile == NULL) {
6712 php_error_docref(NULL, E_WARNING, "Error opening output file %s!", outfilename);
6713 goto clean_exit;
6714 }
6715
6716 cms = CMS_sign(cert, privkey, others, infile, (unsigned int)flags);
6717 if (cms == NULL) {
6718 php_openssl_store_errors();
6719 php_error_docref(NULL, E_WARNING, "Error creating CMS structure!");
6720 goto clean_exit;
6721 }
6722 if (BIO_reset(infile) != 0) {
6723 php_openssl_store_errors();
6724 goto clean_exit;
6725 }
6726
6727 /* tack on extra headers */
6728 if (zheaders && encoding == ENCODING_SMIME) {
6729 int ret;
6730
6731 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(zheaders), strindex, hval) {
6732 zend_string *str = zval_try_get_string(hval);
6733 if (UNEXPECTED(!str)) {
6734 goto clean_exit;
6735 }
6736 if (strindex) {
6737 ret = BIO_printf(outfile, "%s: %s\n", ZSTR_VAL(strindex), ZSTR_VAL(str));
6738 } else {
6739 ret = BIO_printf(outfile, "%s\n", ZSTR_VAL(str));
6740 }
6741 zend_string_release(str);
6742 if (ret < 0) {
6743 php_openssl_store_errors();
6744 }
6745 } ZEND_HASH_FOREACH_END();
6746 }
6747 /* writing the signed data depends on the encoding */
6748 switch (encoding) {
6749 case ENCODING_SMIME:
6750 if (!SMIME_write_CMS(outfile, cms, infile, (int)flags)) {
6751 php_openssl_store_errors();
6752 goto clean_exit;
6753 }
6754 break;
6755 case ENCODING_DER:
6756 if (need_final) {
6757 if (CMS_final(cms, infile, NULL, (unsigned int) flags) != 1) {
6758 php_openssl_store_errors();
6759 goto clean_exit;
6760 }
6761 }
6762 if (i2d_CMS_bio(outfile, cms) != 1) {
6763 php_openssl_store_errors();
6764 goto clean_exit;
6765 }
6766 break;
6767 case ENCODING_PEM:
6768 if (need_final) {
6769 if (CMS_final(cms, infile, NULL, (unsigned int) flags) != 1) {
6770 php_openssl_store_errors();
6771 goto clean_exit;
6772 }
6773 }
6774 if (flags & CMS_STREAM) {
6775 if (PEM_write_bio_CMS_stream(outfile, cms, infile, flags) == 0) {
6776 php_openssl_store_errors();
6777 goto clean_exit;
6778 }
6779 } else {
6780 if (PEM_write_bio_CMS(outfile, cms) == 0) {
6781 php_openssl_store_errors();
6782 goto clean_exit;
6783 }
6784 }
6785 break;
6786 default:
6787 php_error_docref(NULL, E_WARNING, "Unknown OPENSSL encoding");
6788 goto clean_exit;
6789 }
6790 RETVAL_TRUE;
6791
6792 clean_exit:
6793 if (cms) {
6794 CMS_ContentInfo_free(cms);
6795 }
6796 BIO_free(infile);
6797 BIO_free(outfile);
6798 if (others) {
6799 sk_X509_pop_free(others, X509_free);
6800 }
6801 EVP_PKEY_free(privkey);
6802 if (cert && cert_str) {
6803 X509_free(cert);
6804 }
6805 }
6806 /* }}} */
6807
6808 /* {{{ Decrypts the S/MIME message in the file name infilename and output the results to the file name outfilename. recipcert is a CERT for one of the recipients. recipkey specifies the private key matching recipcert, if recipcert does not include the key */
6809
PHP_FUNCTION(openssl_cms_decrypt)6810 PHP_FUNCTION(openssl_cms_decrypt)
6811 {
6812 X509 *cert;
6813 zval *recipcert, *recipkey = NULL;
6814 bool free_recipcert;
6815 EVP_PKEY * key = NULL;
6816 zend_long encoding = ENCODING_SMIME;
6817 BIO * in = NULL, * out = NULL, * datain = NULL;
6818 CMS_ContentInfo * cms = NULL;
6819 char * infilename;
6820 size_t infilename_len;
6821 char * outfilename;
6822 size_t outfilename_len;
6823
6824 ZEND_PARSE_PARAMETERS_START(3, 5)
6825 Z_PARAM_PATH(infilename, infilename_len)
6826 Z_PARAM_PATH(outfilename, outfilename_len)
6827 Z_PARAM_ZVAL(recipcert)
6828 Z_PARAM_OPTIONAL
6829 Z_PARAM_ZVAL_OR_NULL(recipkey)
6830 Z_PARAM_LONG(encoding)
6831 ZEND_PARSE_PARAMETERS_END();
6832
6833 RETVAL_FALSE;
6834
6835 cert = php_openssl_x509_from_zval(recipcert, &free_recipcert, 3, false, NULL);
6836 if (cert == NULL) {
6837 php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
6838 goto clean_exit;
6839 }
6840
6841 key = php_openssl_pkey_from_zval(recipkey ? recipkey : recipcert, 0, "", 0, recipkey ? 4 : 3);
6842 if (key == NULL) {
6843 if (!EG(exception)) {
6844 php_error_docref(NULL, E_WARNING, "Unable to get private key");
6845 }
6846 goto clean_exit;
6847 }
6848
6849 in = php_openssl_bio_new_file(
6850 infilename, infilename_len, 1, PHP_OPENSSL_BIO_MODE_R(CMS_BINARY));
6851 if (in == NULL) {
6852 goto clean_exit;
6853 }
6854
6855 out = php_openssl_bio_new_file(
6856 outfilename, outfilename_len, 2, PHP_OPENSSL_BIO_MODE_W(CMS_BINARY));
6857 if (out == NULL) {
6858 goto clean_exit;
6859 }
6860
6861 switch (encoding) {
6862 case ENCODING_DER:
6863 cms = d2i_CMS_bio(in, NULL);
6864 break;
6865 case ENCODING_PEM:
6866 cms = PEM_read_bio_CMS(in, NULL, 0, NULL);
6867 break;
6868 case ENCODING_SMIME:
6869 cms = SMIME_read_CMS(in, &datain);
6870 break;
6871 default:
6872 zend_argument_value_error(5, "must be an OPENSSL_ENCODING_* constant");
6873 goto clean_exit;
6874 }
6875
6876 if (cms == NULL) {
6877 php_openssl_store_errors();
6878 goto clean_exit;
6879 }
6880 if (CMS_decrypt(cms, key, cert, NULL, out, 0)) {
6881 RETVAL_TRUE;
6882 } else {
6883 php_openssl_store_errors();
6884 }
6885 clean_exit:
6886 if (cms) {
6887 CMS_ContentInfo_free(cms);
6888 }
6889 BIO_free(datain);
6890 BIO_free(in);
6891 BIO_free(out);
6892 if (cert && free_recipcert) {
6893 X509_free(cert);
6894 }
6895 EVP_PKEY_free(key);
6896 }
6897 /* }}} */
6898
6899 /* }}} */
6900
6901
6902
6903 /* {{{ Encrypts data with private key */
PHP_FUNCTION(openssl_private_encrypt)6904 PHP_FUNCTION(openssl_private_encrypt)
6905 {
6906 zval *key, *crypted;
6907 char * data;
6908 size_t data_len;
6909 zend_long padding = RSA_PKCS1_PADDING;
6910
6911 if (zend_parse_parameters(ZEND_NUM_ARGS(), "szz|l", &data, &data_len, &crypted, &key, &padding) == FAILURE) {
6912 RETURN_THROWS();
6913 }
6914
6915 EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 0, "", 0, 3);
6916 if (pkey == NULL) {
6917 if (!EG(exception)) {
6918 php_error_docref(NULL, E_WARNING, "key param is not a valid private key");
6919 }
6920 RETURN_FALSE;
6921 }
6922
6923 size_t out_len = 0;
6924 EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
6925 if (!ctx || EVP_PKEY_sign_init(ctx) <= 0 ||
6926 EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||
6927 EVP_PKEY_sign(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) {
6928 php_openssl_store_errors();
6929 RETVAL_FALSE;
6930 goto cleanup;
6931 }
6932
6933 zend_string *out = zend_string_alloc(out_len, 0);
6934 if (EVP_PKEY_sign(ctx, (unsigned char *) ZSTR_VAL(out), &out_len,
6935 (unsigned char *) data, data_len) <= 0) {
6936 zend_string_release(out);
6937 php_openssl_store_errors();
6938 RETVAL_FALSE;
6939 goto cleanup;
6940 }
6941
6942 ZSTR_VAL(out)[out_len] = '\0';
6943 ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out);
6944 RETVAL_TRUE;
6945
6946 cleanup:
6947 EVP_PKEY_CTX_free(ctx);
6948 EVP_PKEY_free(pkey);
6949 }
6950 /* }}} */
6951
6952 /* {{{ Decrypts data with private key */
PHP_FUNCTION(openssl_private_decrypt)6953 PHP_FUNCTION(openssl_private_decrypt)
6954 {
6955 zval *key, *crypted;
6956 zend_long padding = RSA_PKCS1_PADDING;
6957 char * data;
6958 size_t data_len;
6959
6960 if (zend_parse_parameters(ZEND_NUM_ARGS(), "szz|l", &data, &data_len, &crypted, &key, &padding) == FAILURE) {
6961 RETURN_THROWS();
6962 }
6963
6964 EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 0, "", 0, 3);
6965 if (pkey == NULL) {
6966 if (!EG(exception)) {
6967 php_error_docref(NULL, E_WARNING, "key parameter is not a valid private key");
6968 }
6969 RETURN_FALSE;
6970 }
6971
6972 size_t out_len = 0;
6973 EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
6974 if (!ctx || EVP_PKEY_decrypt_init(ctx) <= 0 ||
6975 EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||
6976 EVP_PKEY_decrypt(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) {
6977 php_openssl_store_errors();
6978 RETVAL_FALSE;
6979 goto cleanup;
6980 }
6981
6982 zend_string *out = zend_string_alloc(out_len, 0);
6983 if (EVP_PKEY_decrypt(ctx, (unsigned char *) ZSTR_VAL(out), &out_len,
6984 (unsigned char *) data, data_len) <= 0) {
6985 zend_string_release(out);
6986 php_openssl_store_errors();
6987 RETVAL_FALSE;
6988 goto cleanup;
6989 }
6990
6991 out = zend_string_truncate(out, out_len, 0);
6992 ZSTR_VAL(out)[out_len] = '\0';
6993 ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out);
6994 RETVAL_TRUE;
6995
6996 cleanup:
6997 EVP_PKEY_CTX_free(ctx);
6998 EVP_PKEY_free(pkey);
6999 }
7000 /* }}} */
7001
7002 /* {{{ Encrypts data with public key */
PHP_FUNCTION(openssl_public_encrypt)7003 PHP_FUNCTION(openssl_public_encrypt)
7004 {
7005 zval *key, *crypted;
7006 zend_long padding = RSA_PKCS1_PADDING;
7007 char * data;
7008 size_t data_len;
7009
7010 if (zend_parse_parameters(ZEND_NUM_ARGS(), "szz|l", &data, &data_len, &crypted, &key, &padding) == FAILURE) {
7011 RETURN_THROWS();
7012 }
7013
7014 EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0, 3);
7015 if (pkey == NULL) {
7016 if (!EG(exception)) {
7017 php_error_docref(NULL, E_WARNING, "key parameter is not a valid public key");
7018 }
7019 RETURN_FALSE;
7020 }
7021
7022 size_t out_len = 0;
7023 EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
7024 if (!ctx || EVP_PKEY_encrypt_init(ctx) <= 0 ||
7025 EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||
7026 EVP_PKEY_encrypt(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) {
7027 php_openssl_store_errors();
7028 RETVAL_FALSE;
7029 goto cleanup;
7030 }
7031
7032 zend_string *out = zend_string_alloc(out_len, 0);
7033 if (EVP_PKEY_encrypt(ctx, (unsigned char *) ZSTR_VAL(out), &out_len,
7034 (unsigned char *) data, data_len) <= 0) {
7035 zend_string_release(out);
7036 php_openssl_store_errors();
7037 RETVAL_FALSE;
7038 goto cleanup;
7039 }
7040
7041 ZSTR_VAL(out)[out_len] = '\0';
7042 ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out);
7043 RETVAL_TRUE;
7044
7045 cleanup:
7046 EVP_PKEY_CTX_free(ctx);
7047 EVP_PKEY_free(pkey);
7048 }
7049 /* }}} */
7050
7051 /* {{{ Decrypts data with public key */
PHP_FUNCTION(openssl_public_decrypt)7052 PHP_FUNCTION(openssl_public_decrypt)
7053 {
7054 zval *key, *crypted;
7055 zend_long padding = RSA_PKCS1_PADDING;
7056 char * data;
7057 size_t data_len;
7058
7059 if (zend_parse_parameters(ZEND_NUM_ARGS(), "szz|l", &data, &data_len, &crypted, &key, &padding) == FAILURE) {
7060 RETURN_THROWS();
7061 }
7062
7063 EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0, 3);
7064 if (pkey == NULL) {
7065 if (!EG(exception)) {
7066 php_error_docref(NULL, E_WARNING, "key parameter is not a valid public key");
7067 }
7068 RETURN_FALSE;
7069 }
7070
7071 size_t out_len = 0;
7072 EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
7073 if (!ctx || EVP_PKEY_verify_recover_init(ctx) <= 0 ||
7074 EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||
7075 EVP_PKEY_verify_recover(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) {
7076 php_openssl_store_errors();
7077 RETVAL_FALSE;
7078 goto cleanup;
7079 }
7080
7081 zend_string *out = zend_string_alloc(out_len, 0);
7082 if (EVP_PKEY_verify_recover(ctx, (unsigned char *) ZSTR_VAL(out), &out_len,
7083 (unsigned char *) data, data_len) <= 0) {
7084 zend_string_release(out);
7085 php_openssl_store_errors();
7086 RETVAL_FALSE;
7087 goto cleanup;
7088 }
7089
7090 out = zend_string_truncate(out, out_len, 0);
7091 ZSTR_VAL(out)[out_len] = '\0';
7092 ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out);
7093 RETVAL_TRUE;
7094
7095 cleanup:
7096 EVP_PKEY_CTX_free(ctx);
7097 EVP_PKEY_free(pkey);
7098 }
7099 /* }}} */
7100
7101 /* {{{ Returns a description of the last error, and alters the index of the error messages. Returns false when the are no more messages */
PHP_FUNCTION(openssl_error_string)7102 PHP_FUNCTION(openssl_error_string)
7103 {
7104 char buf[256];
7105 unsigned long val;
7106
7107 if (zend_parse_parameters_none() == FAILURE) {
7108 RETURN_THROWS();
7109 }
7110
7111 php_openssl_store_errors();
7112
7113 if (OPENSSL_G(errors) == NULL || OPENSSL_G(errors)->top == OPENSSL_G(errors)->bottom) {
7114 RETURN_FALSE;
7115 }
7116
7117 OPENSSL_G(errors)->bottom = (OPENSSL_G(errors)->bottom + 1) % ERR_NUM_ERRORS;
7118 val = OPENSSL_G(errors)->buffer[OPENSSL_G(errors)->bottom];
7119
7120 if (val) {
7121 ERR_error_string_n(val, buf, 256);
7122 RETURN_STRING(buf);
7123 } else {
7124 RETURN_FALSE;
7125 }
7126 }
7127 /* }}} */
7128
7129 /* {{{ Signs data */
PHP_FUNCTION(openssl_sign)7130 PHP_FUNCTION(openssl_sign)
7131 {
7132 zval *key, *signature;
7133 EVP_PKEY *pkey;
7134 zend_string *sigbuf = NULL;
7135 char * data;
7136 size_t data_len;
7137 EVP_MD_CTX *md_ctx;
7138 zend_string *method_str = NULL;
7139 zend_long method_long = OPENSSL_ALGO_SHA1;
7140 const EVP_MD *mdtype;
7141 bool can_default_digest = ZEND_THREEWAY_COMPARE(PHP_OPENSSL_API_VERSION, 0x30000) >= 0;
7142
7143 ZEND_PARSE_PARAMETERS_START(3, 4)
7144 Z_PARAM_STRING(data, data_len)
7145 Z_PARAM_ZVAL(signature)
7146 Z_PARAM_ZVAL(key)
7147 Z_PARAM_OPTIONAL
7148 Z_PARAM_STR_OR_LONG(method_str, method_long)
7149 ZEND_PARSE_PARAMETERS_END();
7150
7151 pkey = php_openssl_pkey_from_zval(key, 0, "", 0, 3);
7152 if (pkey == NULL) {
7153 if (!EG(exception)) {
7154 php_error_docref(NULL, E_WARNING, "Supplied key param cannot be coerced into a private key");
7155 }
7156 RETURN_FALSE;
7157 }
7158
7159 if (method_str) {
7160 mdtype = EVP_get_digestbyname(ZSTR_VAL(method_str));
7161 } else {
7162 mdtype = php_openssl_get_evp_md_from_algo(method_long);
7163 }
7164 if (!mdtype && (!can_default_digest || method_long != 0)) {
7165 php_error_docref(NULL, E_WARNING, "Unknown digest algorithm");
7166 RETURN_FALSE;
7167 }
7168
7169 md_ctx = EVP_MD_CTX_create();
7170 size_t siglen;
7171 #if PHP_OPENSSL_API_VERSION >= 0x10100
7172 if (md_ctx != NULL &&
7173 EVP_DigestSignInit(md_ctx, NULL, mdtype, NULL, pkey) &&
7174 EVP_DigestSign(md_ctx, NULL, &siglen, (unsigned char*)data, data_len) &&
7175 (sigbuf = zend_string_alloc(siglen, 0)) != NULL &&
7176 EVP_DigestSign(md_ctx, (unsigned char*)ZSTR_VAL(sigbuf), &siglen, (unsigned char*)data, data_len)) {
7177 #else
7178 if (md_ctx != NULL &&
7179 EVP_SignInit(md_ctx, mdtype) &&
7180 EVP_SignUpdate(md_ctx, data, data_len) &&
7181 (siglen = EVP_PKEY_size(pkey)) &&
7182 (sigbuf = zend_string_alloc(siglen, 0)) != NULL &&
7183 EVP_SignFinal(md_ctx, (unsigned char*)ZSTR_VAL(sigbuf), (unsigned int*)&siglen, pkey)) {
7184 #endif
7185 ZSTR_VAL(sigbuf)[siglen] = '\0';
7186 ZSTR_LEN(sigbuf) = siglen;
7187 ZEND_TRY_ASSIGN_REF_NEW_STR(signature, sigbuf);
7188 RETVAL_TRUE;
7189 } else {
7190 php_openssl_store_errors();
7191 efree(sigbuf);
7192 RETVAL_FALSE;
7193 }
7194 EVP_MD_CTX_destroy(md_ctx);
7195 EVP_PKEY_free(pkey);
7196 }
7197 /* }}} */
7198
7199 /* {{{ Verifys data */
7200 PHP_FUNCTION(openssl_verify)
7201 {
7202 zval *key;
7203 EVP_PKEY *pkey;
7204 int err = 0;
7205 EVP_MD_CTX *md_ctx;
7206 const EVP_MD *mdtype;
7207 char * data;
7208 size_t data_len;
7209 char * signature;
7210 size_t signature_len;
7211 zend_string *method_str = NULL;
7212 zend_long method_long = OPENSSL_ALGO_SHA1;
7213 bool can_default_digest = ZEND_THREEWAY_COMPARE(PHP_OPENSSL_API_VERSION, 0x30000) >= 0;
7214
7215 ZEND_PARSE_PARAMETERS_START(3, 4)
7216 Z_PARAM_STRING(data, data_len)
7217 Z_PARAM_STRING(signature, signature_len)
7218 Z_PARAM_ZVAL(key)
7219 Z_PARAM_OPTIONAL
7220 Z_PARAM_STR_OR_LONG(method_str, method_long)
7221 ZEND_PARSE_PARAMETERS_END();
7222
7223 PHP_OPENSSL_CHECK_SIZE_T_TO_UINT(signature_len, signature, 2);
7224
7225 if (method_str) {
7226 mdtype = EVP_get_digestbyname(ZSTR_VAL(method_str));
7227 } else {
7228 mdtype = php_openssl_get_evp_md_from_algo(method_long);
7229 }
7230 if (!mdtype && (!can_default_digest || method_long != 0)) {
7231 php_error_docref(NULL, E_WARNING, "Unknown digest algorithm");
7232 RETURN_FALSE;
7233 }
7234
7235 pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0, 3);
7236 if (pkey == NULL) {
7237 if (!EG(exception)) {
7238 php_error_docref(NULL, E_WARNING, "Supplied key param cannot be coerced into a public key");
7239 }
7240 RETURN_FALSE;
7241 }
7242
7243 md_ctx = EVP_MD_CTX_create();
7244 if (md_ctx == NULL ||
7245 #if PHP_OPENSSL_API_VERSION >= 0x10100
7246 !EVP_DigestVerifyInit(md_ctx, NULL, mdtype, NULL, pkey) ||
7247 (err = EVP_DigestVerify(md_ctx, (unsigned char *)signature, signature_len, (unsigned char*)data, data_len)) < 0) {
7248 #else
7249 !EVP_VerifyInit (md_ctx, mdtype) ||
7250 !EVP_VerifyUpdate (md_ctx, data, data_len) ||
7251 (err = EVP_VerifyFinal(md_ctx, (unsigned char *)signature, (unsigned int)signature_len, pkey)) < 0) {
7252 #endif
7253 php_openssl_store_errors();
7254 }
7255 EVP_MD_CTX_destroy(md_ctx);
7256 EVP_PKEY_free(pkey);
7257 RETURN_LONG(err);
7258 }
7259 /* }}} */
7260
7261 /* {{{ Seals data */
7262 PHP_FUNCTION(openssl_seal)
7263 {
7264 zval *pubkeys, *pubkey, *sealdata, *ekeys, *iv = NULL;
7265 HashTable *pubkeysht;
7266 EVP_PKEY **pkeys;
7267 int i, len1, len2, *eksl, nkeys, iv_len;
7268 unsigned char iv_buf[EVP_MAX_IV_LENGTH + 1], *buf = NULL, **eks;
7269 char * data;
7270 size_t data_len;
7271 char *method;
7272 size_t method_len;
7273 const EVP_CIPHER *cipher;
7274 EVP_CIPHER_CTX *ctx;
7275
7276 if (zend_parse_parameters(ZEND_NUM_ARGS(), "szzas|z", &data, &data_len,
7277 &sealdata, &ekeys, &pubkeys, &method, &method_len, &iv) == FAILURE) {
7278 RETURN_THROWS();
7279 }
7280
7281 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1);
7282
7283 pubkeysht = Z_ARRVAL_P(pubkeys);
7284 nkeys = pubkeysht ? zend_hash_num_elements(pubkeysht) : 0;
7285 if (!nkeys) {
7286 zend_argument_must_not_be_empty_error(4);
7287 RETURN_THROWS();
7288 }
7289
7290 cipher = EVP_get_cipherbyname(method);
7291 if (!cipher) {
7292 php_error_docref(NULL, E_WARNING, "Unknown cipher algorithm");
7293 RETURN_FALSE;
7294 }
7295
7296 iv_len = EVP_CIPHER_iv_length(cipher);
7297 if (!iv && iv_len > 0) {
7298 zend_argument_value_error(6, "cannot be null for the chosen cipher algorithm");
7299 RETURN_THROWS();
7300 }
7301
7302 pkeys = safe_emalloc(nkeys, sizeof(*pkeys), 0);
7303 eksl = safe_emalloc(nkeys, sizeof(*eksl), 0);
7304 eks = safe_emalloc(nkeys, sizeof(*eks), 0);
7305 memset(eks, 0, sizeof(*eks) * nkeys);
7306 memset(pkeys, 0, sizeof(*pkeys) * nkeys);
7307
7308 /* get the public keys we are using to seal this data */
7309 i = 0;
7310 ZEND_HASH_FOREACH_VAL(pubkeysht, pubkey) {
7311 pkeys[i] = php_openssl_pkey_from_zval(pubkey, 1, NULL, 0, 4);
7312 if (pkeys[i] == NULL) {
7313 if (!EG(exception)) {
7314 php_error_docref(NULL, E_WARNING, "Not a public key (%dth member of pubkeys)", i+1);
7315 }
7316 RETVAL_FALSE;
7317 goto clean_exit;
7318 }
7319 eks[i] = emalloc(EVP_PKEY_size(pkeys[i]) + 1);
7320 i++;
7321 } ZEND_HASH_FOREACH_END();
7322
7323 ctx = EVP_CIPHER_CTX_new();
7324 if (ctx == NULL || !EVP_EncryptInit(ctx,cipher,NULL,NULL)) {
7325 EVP_CIPHER_CTX_free(ctx);
7326 php_openssl_store_errors();
7327 RETVAL_FALSE;
7328 goto clean_exit;
7329 }
7330
7331 /* allocate one byte extra to make room for \0 */
7332 buf = emalloc(data_len + EVP_CIPHER_CTX_block_size(ctx));
7333 EVP_CIPHER_CTX_reset(ctx);
7334
7335 if (EVP_SealInit(ctx, cipher, eks, eksl, &iv_buf[0], pkeys, nkeys) <= 0 ||
7336 !EVP_SealUpdate(ctx, buf, &len1, (unsigned char *)data, (int)data_len) ||
7337 !EVP_SealFinal(ctx, buf + len1, &len2)) {
7338 efree(buf);
7339 EVP_CIPHER_CTX_free(ctx);
7340 php_openssl_store_errors();
7341 RETVAL_FALSE;
7342 goto clean_exit;
7343 }
7344
7345 if (len1 + len2 > 0) {
7346 ZEND_TRY_ASSIGN_REF_NEW_STR(sealdata, zend_string_init((char*)buf, len1 + len2, 0));
7347 efree(buf);
7348
7349 ekeys = zend_try_array_init(ekeys);
7350 if (!ekeys) {
7351 EVP_CIPHER_CTX_free(ctx);
7352 goto clean_exit;
7353 }
7354
7355 for (i=0; i<nkeys; i++) {
7356 eks[i][eksl[i]] = '\0';
7357 add_next_index_stringl(ekeys, (const char*)eks[i], eksl[i]);
7358 efree(eks[i]);
7359 eks[i] = NULL;
7360 }
7361
7362 if (iv) {
7363 iv_buf[iv_len] = '\0';
7364 ZEND_TRY_ASSIGN_REF_NEW_STR(iv, zend_string_init((char*)iv_buf, iv_len, 0));
7365 }
7366 } else {
7367 efree(buf);
7368 }
7369 RETVAL_LONG(len1 + len2);
7370 EVP_CIPHER_CTX_free(ctx);
7371
7372 clean_exit:
7373 for (i=0; i<nkeys; i++) {
7374 if (pkeys[i] != NULL) {
7375 EVP_PKEY_free(pkeys[i]);
7376 }
7377 if (eks[i]) {
7378 efree(eks[i]);
7379 }
7380 }
7381 efree(eks);
7382 efree(eksl);
7383 efree(pkeys);
7384 }
7385 /* }}} */
7386
7387 /* {{{ Opens data */
7388 PHP_FUNCTION(openssl_open)
7389 {
7390 zval *privkey, *opendata;
7391 EVP_PKEY *pkey;
7392 int len1, len2, cipher_iv_len;
7393 unsigned char *buf, *iv_buf;
7394 EVP_CIPHER_CTX *ctx;
7395 char * data;
7396 size_t data_len;
7397 char * ekey;
7398 size_t ekey_len;
7399 char *method, *iv = NULL;
7400 size_t method_len, iv_len = 0;
7401 const EVP_CIPHER *cipher;
7402
7403 if (zend_parse_parameters(ZEND_NUM_ARGS(), "szszs|s!", &data, &data_len, &opendata,
7404 &ekey, &ekey_len, &privkey, &method, &method_len, &iv, &iv_len) == FAILURE) {
7405 RETURN_THROWS();
7406 }
7407
7408 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1);
7409 PHP_OPENSSL_CHECK_SIZE_T_TO_INT(ekey_len, ekey, 3);
7410 pkey = php_openssl_pkey_from_zval(privkey, 0, "", 0, 4);
7411
7412 if (pkey == NULL) {
7413 if (!EG(exception)) {
7414 php_error_docref(NULL, E_WARNING, "Unable to coerce parameter 4 into a private key");
7415 }
7416 RETURN_FALSE;
7417 }
7418
7419 cipher = EVP_get_cipherbyname(method);
7420 if (!cipher) {
7421 php_error_docref(NULL, E_WARNING, "Unknown cipher algorithm");
7422 RETURN_FALSE;
7423 }
7424
7425 cipher_iv_len = EVP_CIPHER_iv_length(cipher);
7426 if (cipher_iv_len > 0) {
7427 if (!iv) {
7428 zend_argument_value_error(6, "cannot be null for the chosen cipher algorithm");
7429 RETURN_THROWS();
7430 }
7431 if ((size_t)cipher_iv_len != iv_len) {
7432 php_error_docref(NULL, E_WARNING, "IV length is invalid");
7433 RETURN_FALSE;
7434 }
7435 iv_buf = (unsigned char *)iv;
7436 } else {
7437 iv_buf = NULL;
7438 }
7439
7440 buf = emalloc(data_len + 1);
7441
7442 ctx = EVP_CIPHER_CTX_new();
7443 if (ctx != NULL && EVP_OpenInit(ctx, cipher, (unsigned char *)ekey, (int)ekey_len, iv_buf, pkey) &&
7444 EVP_OpenUpdate(ctx, buf, &len1, (unsigned char *)data, (int)data_len) &&
7445 EVP_OpenFinal(ctx, buf + len1, &len2) && (len1 + len2 > 0)) {
7446 buf[len1 + len2] = '\0';
7447 ZEND_TRY_ASSIGN_REF_NEW_STR(opendata, zend_string_init((char*)buf, len1 + len2, 0));
7448 RETVAL_TRUE;
7449 } else {
7450 php_openssl_store_errors();
7451 RETVAL_FALSE;
7452 }
7453
7454 efree(buf);
7455 EVP_PKEY_free(pkey);
7456 EVP_CIPHER_CTX_free(ctx);
7457 }
7458 /* }}} */
7459
7460 static void php_openssl_add_method_or_alias(const OBJ_NAME *name, void *arg) /* {{{ */
7461 {
7462 add_next_index_string((zval*)arg, (char*)name->name);
7463 }
7464 /* }}} */
7465
7466 static void php_openssl_add_method(const OBJ_NAME *name, void *arg) /* {{{ */
7467 {
7468 if (name->alias == 0) {
7469 add_next_index_string((zval*)arg, (char*)name->name);
7470 }
7471 }
7472 /* }}} */
7473
7474 /* {{{ Return array of available digest algorithms */
7475 PHP_FUNCTION(openssl_get_md_methods)
7476 {
7477 bool aliases = 0;
7478
7479 if (zend_parse_parameters(ZEND_NUM_ARGS(), "|b", &aliases) == FAILURE) {
7480 RETURN_THROWS();
7481 }
7482 array_init(return_value);
7483 OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH,
7484 aliases ? php_openssl_add_method_or_alias: php_openssl_add_method,
7485 return_value);
7486 }
7487 /* }}} */
7488
7489 #if PHP_OPENSSL_API_VERSION >= 0x30000
7490 static void php_openssl_add_cipher_name(const char *name, void *arg)
7491 {
7492 size_t len = strlen(name);
7493 zend_string *str = zend_string_alloc(len, 0);
7494 zend_str_tolower_copy(ZSTR_VAL(str), name, len);
7495 add_next_index_str((zval*)arg, str);
7496 }
7497
7498 static void php_openssl_add_cipher_or_alias(EVP_CIPHER *cipher, void *arg)
7499 {
7500 EVP_CIPHER_names_do_all(cipher, php_openssl_add_cipher_name, arg);
7501 }
7502
7503 static void php_openssl_add_cipher(EVP_CIPHER *cipher, void *arg)
7504 {
7505 php_openssl_add_cipher_name(EVP_CIPHER_get0_name(cipher), arg);
7506 }
7507
7508 static int php_openssl_compare_func(Bucket *a, Bucket *b)
7509 {
7510 return string_compare_function(&a->val, &b->val);
7511 }
7512 #endif
7513
7514 /* {{{ Return array of available cipher algorithms */
7515 PHP_FUNCTION(openssl_get_cipher_methods)
7516 {
7517 bool aliases = 0;
7518
7519 if (zend_parse_parameters(ZEND_NUM_ARGS(), "|b", &aliases) == FAILURE) {
7520 RETURN_THROWS();
7521 }
7522 array_init(return_value);
7523 #if PHP_OPENSSL_API_VERSION >= 0x30000
7524 EVP_CIPHER_do_all_provided(NULL,
7525 aliases ? php_openssl_add_cipher_or_alias : php_openssl_add_cipher,
7526 return_value);
7527 zend_hash_sort(Z_ARRVAL_P(return_value), php_openssl_compare_func, 1);
7528 #else
7529 OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
7530 aliases ? php_openssl_add_method_or_alias : php_openssl_add_method,
7531 return_value);
7532 #endif
7533 }
7534 /* }}} */
7535
7536 /* {{{ Return array of available elliptic curves */
7537 #ifdef HAVE_EVP_PKEY_EC
7538 PHP_FUNCTION(openssl_get_curve_names)
7539 {
7540 EC_builtin_curve *curves = NULL;
7541 const char *sname;
7542 size_t i;
7543 size_t len = EC_get_builtin_curves(NULL, 0);
7544
7545 if (zend_parse_parameters_none() == FAILURE) {
7546 RETURN_THROWS();
7547 }
7548
7549 curves = emalloc(sizeof(EC_builtin_curve) * len);
7550 if (!EC_get_builtin_curves(curves, len)) {
7551 RETURN_FALSE;
7552 }
7553
7554 array_init(return_value);
7555 for (i = 0; i < len; i++) {
7556 sname = OBJ_nid2sn(curves[i].nid);
7557 if (sname != NULL) {
7558 add_next_index_string(return_value, sname);
7559 }
7560 }
7561 efree(curves);
7562 }
7563 #endif
7564 /* }}} */
7565
7566 /* {{{ Computes digest hash value for given data using given method, returns raw or binhex encoded string */
7567 PHP_FUNCTION(openssl_digest)
7568 {
7569 bool raw_output = 0;
7570 char *data, *method;
7571 size_t data_len, method_len;
7572 const EVP_MD *mdtype;
7573 EVP_MD_CTX *md_ctx;
7574 unsigned int siglen;
7575 zend_string *sigbuf;
7576
7577 if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|b", &data, &data_len, &method, &method_len, &raw_output) == FAILURE) {
7578 RETURN_THROWS();
7579 }
7580 mdtype = EVP_get_digestbyname(method);
7581 if (!mdtype) {
7582 php_error_docref(NULL, E_WARNING, "Unknown digest algorithm");
7583 RETURN_FALSE;
7584 }
7585
7586 siglen = EVP_MD_size(mdtype);
7587 sigbuf = zend_string_alloc(siglen, 0);
7588
7589 md_ctx = EVP_MD_CTX_create();
7590 if (EVP_DigestInit(md_ctx, mdtype) &&
7591 EVP_DigestUpdate(md_ctx, (unsigned char *)data, data_len) &&
7592 EVP_DigestFinal (md_ctx, (unsigned char *)ZSTR_VAL(sigbuf), &siglen)) {
7593 if (raw_output) {
7594 ZSTR_VAL(sigbuf)[siglen] = '\0';
7595 ZSTR_LEN(sigbuf) = siglen;
7596 RETVAL_STR(sigbuf);
7597 } else {
7598 int digest_str_len = siglen * 2;
7599 zend_string *digest_str = zend_string_alloc(digest_str_len, 0);
7600
7601 make_digest_ex(ZSTR_VAL(digest_str), (unsigned char*)ZSTR_VAL(sigbuf), siglen);
7602 ZSTR_VAL(digest_str)[digest_str_len] = '\0';
7603 zend_string_release_ex(sigbuf, 0);
7604 RETVAL_NEW_STR(digest_str);
7605 }
7606 } else {
7607 php_openssl_store_errors();
7608 zend_string_release_ex(sigbuf, 0);
7609 RETVAL_FALSE;
7610 }
7611
7612 EVP_MD_CTX_destroy(md_ctx);
7613 }
7614 /* }}} */
7615
7616 /* Cipher mode info */
7617 struct php_openssl_cipher_mode {
7618 bool is_aead;
7619 bool is_single_run_aead;
7620 bool set_tag_length_always;
7621 bool set_tag_length_when_encrypting;
7622 int aead_get_tag_flag;
7623 int aead_set_tag_flag;
7624 int aead_ivlen_flag;
7625 };
7626
7627 #if PHP_OPENSSL_API_VERSION >= 0x10100
7628 static inline void php_openssl_set_aead_flags(struct php_openssl_cipher_mode *mode) {
7629 mode->is_aead = true;
7630 mode->aead_get_tag_flag = EVP_CTRL_AEAD_GET_TAG;
7631 mode->aead_set_tag_flag = EVP_CTRL_AEAD_SET_TAG;
7632 mode->aead_ivlen_flag = EVP_CTRL_AEAD_SET_IVLEN;
7633 }
7634 #endif
7635
7636 static void php_openssl_load_cipher_mode(struct php_openssl_cipher_mode *mode, const EVP_CIPHER *cipher_type)
7637 {
7638 int cipher_mode = EVP_CIPHER_mode(cipher_type);
7639 memset(mode, 0, sizeof(struct php_openssl_cipher_mode));
7640 switch (cipher_mode) {
7641 #if PHP_OPENSSL_API_VERSION >= 0x10100
7642 /* Since OpenSSL 1.1, all AEAD ciphers use a common framework. We check for
7643 * EVP_CIPH_OCB_MODE, because LibreSSL does not support it. */
7644 case EVP_CIPH_GCM_MODE:
7645 case EVP_CIPH_CCM_MODE:
7646 # ifdef EVP_CIPH_OCB_MODE
7647 case EVP_CIPH_OCB_MODE:
7648 /* For OCB mode, explicitly set the tag length even when decrypting,
7649 * see https://github.com/openssl/openssl/issues/8331. */
7650 mode->set_tag_length_always = cipher_mode == EVP_CIPH_OCB_MODE;
7651 # endif
7652 php_openssl_set_aead_flags(mode);
7653 mode->set_tag_length_when_encrypting = cipher_mode == EVP_CIPH_CCM_MODE;
7654 mode->is_single_run_aead = cipher_mode == EVP_CIPH_CCM_MODE;
7655 break;
7656 # ifdef NID_chacha20_poly1305
7657 default:
7658 if (EVP_CIPHER_nid(cipher_type) == NID_chacha20_poly1305) {
7659 php_openssl_set_aead_flags(mode);
7660 }
7661 break;
7662
7663 # endif
7664 #else
7665 # ifdef EVP_CIPH_GCM_MODE
7666 case EVP_CIPH_GCM_MODE:
7667 mode->is_aead = 1;
7668 mode->aead_get_tag_flag = EVP_CTRL_GCM_GET_TAG;
7669 mode->aead_set_tag_flag = EVP_CTRL_GCM_SET_TAG;
7670 mode->aead_ivlen_flag = EVP_CTRL_GCM_SET_IVLEN;
7671 break;
7672 # endif
7673 # ifdef EVP_CIPH_CCM_MODE
7674 case EVP_CIPH_CCM_MODE:
7675 mode->is_aead = 1;
7676 mode->is_single_run_aead = 1;
7677 mode->set_tag_length_when_encrypting = 1;
7678 mode->aead_get_tag_flag = EVP_CTRL_CCM_GET_TAG;
7679 mode->aead_set_tag_flag = EVP_CTRL_CCM_SET_TAG;
7680 mode->aead_ivlen_flag = EVP_CTRL_CCM_SET_IVLEN;
7681 break;
7682 # endif
7683 #endif
7684 }
7685 }
7686
7687 static int php_openssl_validate_iv(const char **piv, size_t *piv_len, size_t iv_required_len,
7688 bool *free_iv, EVP_CIPHER_CTX *cipher_ctx, struct php_openssl_cipher_mode *mode) /* {{{ */
7689 {
7690 char *iv_new;
7691
7692 if (mode->is_aead) {
7693 if (EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_ivlen_flag, *piv_len, NULL) != 1) {
7694 php_error_docref(NULL, E_WARNING, "Setting of IV length for AEAD mode failed");
7695 return FAILURE;
7696 }
7697 return SUCCESS;
7698 }
7699
7700 /* Best case scenario, user behaved */
7701 if (*piv_len == iv_required_len) {
7702 return SUCCESS;
7703 }
7704
7705 iv_new = ecalloc(1, iv_required_len + 1);
7706
7707 if (*piv_len == 0) {
7708 /* BC behavior */
7709 *piv_len = iv_required_len;
7710 *piv = iv_new;
7711 *free_iv = 1;
7712 return SUCCESS;
7713
7714 }
7715
7716 if (*piv_len < iv_required_len) {
7717 php_error_docref(NULL, E_WARNING,
7718 "IV passed is only %zd bytes long, cipher expects an IV of precisely %zd bytes, padding with \\0",
7719 *piv_len, iv_required_len);
7720 memcpy(iv_new, *piv, *piv_len);
7721 *piv_len = iv_required_len;
7722 *piv = iv_new;
7723 *free_iv = 1;
7724 return SUCCESS;
7725 }
7726
7727 php_error_docref(NULL, E_WARNING,
7728 "IV passed is %zd bytes long which is longer than the %zd expected by selected cipher, truncating",
7729 *piv_len, iv_required_len);
7730 memcpy(iv_new, *piv, iv_required_len);
7731 *piv_len = iv_required_len;
7732 *piv = iv_new;
7733 *free_iv = 1;
7734 return SUCCESS;
7735
7736 }
7737 /* }}} */
7738
7739 static int php_openssl_cipher_init(const EVP_CIPHER *cipher_type,
7740 EVP_CIPHER_CTX *cipher_ctx, struct php_openssl_cipher_mode *mode,
7741 const char **ppassword, size_t *ppassword_len, bool *free_password,
7742 const char **piv, size_t *piv_len, bool *free_iv,
7743 const char *tag, int tag_len, zend_long options, int enc) /* {{{ */
7744 {
7745 unsigned char *key;
7746 int key_len, password_len;
7747 size_t max_iv_len;
7748
7749 *free_password = 0;
7750
7751 max_iv_len = EVP_CIPHER_iv_length(cipher_type);
7752 if (enc && *piv_len == 0 && max_iv_len > 0 && !mode->is_aead) {
7753 php_error_docref(NULL, E_WARNING,
7754 "Using an empty Initialization Vector (iv) is potentially insecure and not recommended");
7755 }
7756
7757 if (!EVP_CipherInit_ex(cipher_ctx, cipher_type, NULL, NULL, NULL, enc)) {
7758 php_openssl_store_errors();
7759 return FAILURE;
7760 }
7761 if (php_openssl_validate_iv(piv, piv_len, max_iv_len, free_iv, cipher_ctx, mode) == FAILURE) {
7762 return FAILURE;
7763 }
7764 if (mode->set_tag_length_always || (enc && mode->set_tag_length_when_encrypting)) {
7765 if (!EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_set_tag_flag, tag_len, NULL)) {
7766 php_error_docref(NULL, E_WARNING, "Setting tag length for AEAD cipher failed");
7767 return FAILURE;
7768 }
7769 }
7770 if (!enc && tag && tag_len > 0) {
7771 if (!mode->is_aead) {
7772 php_error_docref(NULL, E_WARNING, "The tag cannot be used because the cipher algorithm does not support AEAD");
7773 } else if (!EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_set_tag_flag, tag_len, (unsigned char *) tag)) {
7774 php_error_docref(NULL, E_WARNING, "Setting tag for AEAD cipher decryption failed");
7775 return FAILURE;
7776 }
7777 }
7778 /* check and set key */
7779 password_len = (int) *ppassword_len;
7780 key_len = EVP_CIPHER_key_length(cipher_type);
7781 if (key_len > password_len) {
7782 if ((OPENSSL_DONT_ZERO_PAD_KEY & options) && !EVP_CIPHER_CTX_set_key_length(cipher_ctx, password_len)) {
7783 php_openssl_store_errors();
7784 php_error_docref(NULL, E_WARNING, "Key length cannot be set for the cipher algorithm");
7785 return FAILURE;
7786 }
7787 key = emalloc(key_len);
7788 memset(key, 0, key_len);
7789 memcpy(key, *ppassword, password_len);
7790 *ppassword = (char *) key;
7791 *ppassword_len = key_len;
7792 *free_password = 1;
7793 } else {
7794 if (password_len > key_len && !EVP_CIPHER_CTX_set_key_length(cipher_ctx, password_len)) {
7795 php_openssl_store_errors();
7796 }
7797 key = (unsigned char*)*ppassword;
7798 }
7799
7800 if (!EVP_CipherInit_ex(cipher_ctx, NULL, NULL, key, (unsigned char *)*piv, enc)) {
7801 php_openssl_store_errors();
7802 return FAILURE;
7803 }
7804 if (options & OPENSSL_ZERO_PADDING) {
7805 EVP_CIPHER_CTX_set_padding(cipher_ctx, 0);
7806 }
7807
7808 return SUCCESS;
7809 }
7810 /* }}} */
7811
7812 static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type,
7813 EVP_CIPHER_CTX *cipher_ctx, struct php_openssl_cipher_mode *mode,
7814 zend_string **poutbuf, int *poutlen, const char *data, size_t data_len,
7815 const char *aad, size_t aad_len, int enc) /* {{{ */
7816 {
7817 int i = 0;
7818
7819 if (mode->is_single_run_aead && !EVP_CipherUpdate(cipher_ctx, NULL, &i, NULL, (int)data_len)) {
7820 php_openssl_store_errors();
7821 php_error_docref(NULL, E_WARNING, "Setting of data length failed");
7822 return FAILURE;
7823 }
7824
7825 if (mode->is_aead && !EVP_CipherUpdate(cipher_ctx, NULL, &i, (const unsigned char *) aad, (int) aad_len)) {
7826 php_openssl_store_errors();
7827 php_error_docref(NULL, E_WARNING, "Setting of additional application data failed");
7828 return FAILURE;
7829 }
7830
7831 *poutbuf = zend_string_alloc((int)data_len + EVP_CIPHER_block_size(cipher_type), 0);
7832
7833 if (!EVP_CipherUpdate(cipher_ctx, (unsigned char*)ZSTR_VAL(*poutbuf),
7834 &i, (const unsigned char *)data, (int)data_len)) {
7835 /* we don't show warning when we fail but if we ever do, then it should look like this:
7836 if (mode->is_single_run_aead && !enc) {
7837 php_error_docref(NULL, E_WARNING, "Tag verifycation failed");
7838 } else {
7839 php_error_docref(NULL, E_WARNING, enc ? "Encryption failed" : "Decryption failed");
7840 }
7841 */
7842 php_openssl_store_errors();
7843 zend_string_release_ex(*poutbuf, 0);
7844 return FAILURE;
7845 }
7846
7847 *poutlen = i;
7848
7849 return SUCCESS;
7850 }
7851 /* }}} */
7852
7853
7854 PHP_OPENSSL_API zend_string* php_openssl_encrypt(
7855 const char *data, size_t data_len,
7856 const char *method, size_t method_len,
7857 const char *password, size_t password_len,
7858 zend_long options,
7859 const char *iv, size_t iv_len,
7860 zval *tag, zend_long tag_len,
7861 const char *aad, size_t aad_len)
7862 {
7863 const EVP_CIPHER *cipher_type;
7864 EVP_CIPHER_CTX *cipher_ctx;
7865 struct php_openssl_cipher_mode mode;
7866 int i = 0, outlen;
7867 bool free_iv = 0, free_password = 0;
7868 zend_string *outbuf = NULL;
7869
7870 PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(data_len, data);
7871 PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(password_len, password);
7872 PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(aad_len, aad);
7873 PHP_OPENSSL_CHECK_LONG_TO_INT_NULL_RETURN(tag_len, tag_len);
7874
7875
7876 cipher_type = EVP_get_cipherbyname(method);
7877 if (!cipher_type) {
7878 php_error_docref(NULL, E_WARNING, "Unknown cipher algorithm");
7879 return NULL;
7880 }
7881
7882 cipher_ctx = EVP_CIPHER_CTX_new();
7883 if (!cipher_ctx) {
7884 php_error_docref(NULL, E_WARNING, "Failed to create cipher context");
7885 return NULL;
7886 }
7887
7888 php_openssl_load_cipher_mode(&mode, cipher_type);
7889
7890 if (php_openssl_cipher_init(cipher_type, cipher_ctx, &mode,
7891 &password, &password_len, &free_password,
7892 &iv, &iv_len, &free_iv, NULL, tag_len, options, 1) == FAILURE ||
7893 php_openssl_cipher_update(cipher_type, cipher_ctx, &mode, &outbuf, &outlen,
7894 data, data_len, aad, aad_len, 1) == FAILURE) {
7895 outbuf = NULL;
7896 } else if (EVP_EncryptFinal(cipher_ctx, (unsigned char *)ZSTR_VAL(outbuf) + outlen, &i)) {
7897 outlen += i;
7898 if (options & OPENSSL_RAW_DATA) {
7899 ZSTR_VAL(outbuf)[outlen] = '\0';
7900 ZSTR_LEN(outbuf) = outlen;
7901 } else {
7902 zend_string *base64_str;
7903
7904 base64_str = php_base64_encode((unsigned char*)ZSTR_VAL(outbuf), outlen);
7905 zend_string_release_ex(outbuf, 0);
7906 outbuf = base64_str;
7907 }
7908 if (mode.is_aead && tag) {
7909 zend_string *tag_str = zend_string_alloc(tag_len, 0);
7910
7911 if (EVP_CIPHER_CTX_ctrl(cipher_ctx, mode.aead_get_tag_flag, tag_len, ZSTR_VAL(tag_str)) == 1) {
7912 ZSTR_VAL(tag_str)[tag_len] = '\0';
7913 ZSTR_LEN(tag_str) = tag_len;
7914 ZEND_TRY_ASSIGN_REF_NEW_STR(tag, tag_str);
7915 } else {
7916 php_error_docref(NULL, E_WARNING, "Retrieving verification tag failed");
7917 zend_string_release_ex(tag_str, 0);
7918 zend_string_release_ex(outbuf, 0);
7919 outbuf = NULL;
7920 }
7921 } else if (tag) {
7922 ZEND_TRY_ASSIGN_REF_NULL(tag);
7923 } else if (mode.is_aead) {
7924 php_error_docref(NULL, E_WARNING, "A tag should be provided when using AEAD mode");
7925 zend_string_release_ex(outbuf, 0);
7926 outbuf = NULL;
7927 }
7928 } else {
7929 php_openssl_store_errors();
7930 zend_string_release_ex(outbuf, 0);
7931 outbuf = NULL;
7932 }
7933
7934 if (free_password) {
7935 efree((void *) password);
7936 }
7937 if (free_iv) {
7938 efree((void *) iv);
7939 }
7940 EVP_CIPHER_CTX_reset(cipher_ctx);
7941 EVP_CIPHER_CTX_free(cipher_ctx);
7942 return outbuf;
7943 }
7944
7945 /* {{{ Encrypts given data with given method and key, returns raw or base64 encoded string */
7946 PHP_FUNCTION(openssl_encrypt)
7947 {
7948 zend_long options = 0, tag_len = 16;
7949 char *data, *method, *password, *iv = "", *aad = "";
7950 size_t data_len, method_len, password_len, iv_len = 0, aad_len = 0;
7951 zend_string *ret;
7952 zval *tag = NULL;
7953
7954 if (zend_parse_parameters(ZEND_NUM_ARGS(), "sss|lszsl", &data, &data_len, &method, &method_len,
7955 &password, &password_len, &options, &iv, &iv_len, &tag, &aad, &aad_len, &tag_len) == FAILURE) {
7956 RETURN_THROWS();
7957 }
7958
7959 if ((ret = php_openssl_encrypt(data, data_len, method, method_len, password, password_len, options, iv, iv_len, tag, tag_len, aad, aad_len))) {
7960 RETVAL_STR(ret);
7961 } else {
7962 RETVAL_FALSE;
7963 }
7964 }
7965 /* }}} */
7966
7967 PHP_OPENSSL_API zend_string* php_openssl_decrypt(
7968 const char *data, size_t data_len,
7969 const char *method, size_t method_len,
7970 const char *password, size_t password_len,
7971 zend_long options,
7972 const char *iv, size_t iv_len,
7973 const char *tag, zend_long tag_len,
7974 const char *aad, size_t aad_len)
7975 {
7976 const EVP_CIPHER *cipher_type;
7977 EVP_CIPHER_CTX *cipher_ctx;
7978 struct php_openssl_cipher_mode mode;
7979 int i = 0, outlen;
7980 zend_string *base64_str = NULL;
7981 bool free_iv = 0, free_password = 0;
7982 zend_string *outbuf = NULL;
7983
7984 PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(data_len, data);
7985 PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(password_len, password);
7986 PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(aad_len, aad);
7987 PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(tag_len, tag);
7988
7989
7990 cipher_type = EVP_get_cipherbyname(method);
7991 if (!cipher_type) {
7992 php_error_docref(NULL, E_WARNING, "Unknown cipher algorithm");
7993 return NULL;
7994 }
7995
7996 cipher_ctx = EVP_CIPHER_CTX_new();
7997 if (!cipher_ctx) {
7998 php_error_docref(NULL, E_WARNING, "Failed to create cipher context");
7999 return NULL;
8000 }
8001
8002 php_openssl_load_cipher_mode(&mode, cipher_type);
8003
8004 if (!(options & OPENSSL_RAW_DATA)) {
8005 base64_str = php_base64_decode((unsigned char*)data, data_len);
8006 if (!base64_str) {
8007 php_error_docref(NULL, E_WARNING, "Failed to base64 decode the input");
8008 EVP_CIPHER_CTX_free(cipher_ctx);
8009 return NULL;
8010 }
8011 data_len = ZSTR_LEN(base64_str);
8012 data = ZSTR_VAL(base64_str);
8013 }
8014
8015 if (php_openssl_cipher_init(cipher_type, cipher_ctx, &mode,
8016 &password, &password_len, &free_password,
8017 &iv, &iv_len, &free_iv, tag, tag_len, options, 0) == FAILURE ||
8018 php_openssl_cipher_update(cipher_type, cipher_ctx, &mode, &outbuf, &outlen,
8019 data, data_len, aad, aad_len, 0) == FAILURE) {
8020 outbuf = NULL;
8021 } else if (mode.is_single_run_aead ||
8022 EVP_DecryptFinal(cipher_ctx, (unsigned char *)ZSTR_VAL(outbuf) + outlen, &i)) {
8023 outlen += i;
8024 ZSTR_VAL(outbuf)[outlen] = '\0';
8025 ZSTR_LEN(outbuf) = outlen;
8026 } else {
8027 php_openssl_store_errors();
8028 zend_string_release_ex(outbuf, 0);
8029 outbuf = NULL;
8030 }
8031
8032 if (free_password) {
8033 efree((void *) password);
8034 }
8035 if (free_iv) {
8036 efree((void *) iv);
8037 }
8038 if (base64_str) {
8039 zend_string_release_ex(base64_str, 0);
8040 }
8041 EVP_CIPHER_CTX_reset(cipher_ctx);
8042 EVP_CIPHER_CTX_free(cipher_ctx);
8043 return outbuf;
8044 }
8045
8046 /* {{{ Takes raw or base64 encoded string and decrypts it using given method and key */
8047 PHP_FUNCTION(openssl_decrypt)
8048 {
8049 zend_long options = 0;
8050 char *data, *method, *password, *iv = "", *tag = NULL, *aad = "";
8051 size_t data_len, method_len, password_len, iv_len = 0, tag_len = 0, aad_len = 0;
8052 zend_string *ret;
8053
8054 if (zend_parse_parameters(ZEND_NUM_ARGS(), "sss|lss!s", &data, &data_len, &method, &method_len,
8055 &password, &password_len, &options, &iv, &iv_len, &tag, &tag_len, &aad, &aad_len) == FAILURE) {
8056 RETURN_THROWS();
8057 }
8058
8059 if (!method_len) {
8060 zend_argument_must_not_be_empty_error(2);
8061 RETURN_THROWS();
8062 }
8063
8064 if ((ret = php_openssl_decrypt(data, data_len, method, method_len, password, password_len, options, iv, iv_len, tag, tag_len, aad, aad_len))) {
8065 RETVAL_STR(ret);
8066 } else {
8067 RETVAL_FALSE;
8068 }
8069 }
8070 /* }}} */
8071
8072 static inline const EVP_CIPHER *php_openssl_get_evp_cipher_by_name(const char *method)
8073 {
8074 const EVP_CIPHER *cipher_type;
8075
8076 cipher_type = EVP_get_cipherbyname(method);
8077 if (!cipher_type) {
8078 php_error_docref(NULL, E_WARNING, "Unknown cipher algorithm");
8079 return NULL;
8080 }
8081
8082 return cipher_type;
8083 }
8084
8085 PHP_OPENSSL_API zend_long php_openssl_cipher_iv_length(const char *method)
8086 {
8087 const EVP_CIPHER *cipher_type = php_openssl_get_evp_cipher_by_name(method);
8088
8089 return cipher_type == NULL ? -1 : EVP_CIPHER_iv_length(cipher_type);
8090 }
8091
8092 PHP_FUNCTION(openssl_cipher_iv_length)
8093 {
8094 zend_string *method;
8095 zend_long ret;
8096
8097 if (zend_parse_parameters(ZEND_NUM_ARGS(), "S", &method) == FAILURE) {
8098 RETURN_THROWS();
8099 }
8100
8101 if (ZSTR_LEN(method) == 0) {
8102 zend_argument_must_not_be_empty_error(1);
8103 RETURN_THROWS();
8104 }
8105
8106 /* Warning is emitted in php_openssl_cipher_iv_length */
8107 if ((ret = php_openssl_cipher_iv_length(ZSTR_VAL(method))) == -1) {
8108 RETURN_FALSE;
8109 }
8110
8111 RETURN_LONG(ret);
8112 }
8113
8114 PHP_OPENSSL_API zend_long php_openssl_cipher_key_length(const char *method)
8115 {
8116 const EVP_CIPHER *cipher_type = php_openssl_get_evp_cipher_by_name(method);
8117
8118 return cipher_type == NULL ? -1 : EVP_CIPHER_key_length(cipher_type);
8119 }
8120
8121 PHP_FUNCTION(openssl_cipher_key_length)
8122 {
8123 zend_string *method;
8124 zend_long ret;
8125
8126 if (zend_parse_parameters(ZEND_NUM_ARGS(), "S", &method) == FAILURE) {
8127 RETURN_THROWS();
8128 }
8129
8130 if (ZSTR_LEN(method) == 0) {
8131 zend_argument_must_not_be_empty_error(1);
8132 RETURN_THROWS();
8133 }
8134
8135 /* Warning is emitted in php_openssl_cipher_key_length */
8136 if ((ret = php_openssl_cipher_key_length(ZSTR_VAL(method))) == -1) {
8137 RETURN_FALSE;
8138 }
8139
8140 RETURN_LONG(ret);
8141 }
8142
8143 PHP_OPENSSL_API zend_string* php_openssl_random_pseudo_bytes(zend_long buffer_length)
8144 {
8145 zend_string *buffer = NULL;
8146 if (buffer_length <= 0) {
8147 zend_argument_value_error(1, "must be greater than 0");
8148 return NULL;
8149 }
8150 if (ZEND_LONG_INT_OVFL(buffer_length)) {
8151 zend_argument_value_error(1, "must be less than or equal to %d", INT_MAX);
8152 return NULL;
8153 }
8154 buffer = zend_string_alloc(buffer_length, 0);
8155
8156 PHP_OPENSSL_CHECK_LONG_TO_INT_NULL_RETURN(buffer_length, length);
8157 PHP_OPENSSL_RAND_ADD_TIME();
8158 if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), (int)buffer_length) <= 0) {
8159 zend_string_release_ex(buffer, 0);
8160 zend_throw_exception(zend_ce_exception, "Error reading from source device", 0);
8161 return NULL;
8162 } else {
8163 php_openssl_store_errors();
8164 }
8165
8166 return buffer;
8167 }
8168
8169 /* {{{ Returns a string of the length specified filled with random pseudo bytes */
8170 PHP_FUNCTION(openssl_random_pseudo_bytes)
8171 {
8172 zend_string *buffer = NULL;
8173 zend_long buffer_length;
8174 zval *zstrong_result_returned = NULL;
8175
8176 if (zend_parse_parameters(ZEND_NUM_ARGS(), "l|z", &buffer_length, &zstrong_result_returned) == FAILURE) {
8177 RETURN_THROWS();
8178 }
8179
8180 if (zstrong_result_returned) {
8181 ZEND_TRY_ASSIGN_REF_FALSE(zstrong_result_returned);
8182 }
8183
8184 if ((buffer = php_openssl_random_pseudo_bytes(buffer_length))) {
8185 ZSTR_VAL(buffer)[buffer_length] = 0;
8186 RETVAL_NEW_STR(buffer);
8187 }
8188
8189 if (zstrong_result_returned) {
8190 ZEND_TRY_ASSIGN_REF_TRUE(zstrong_result_returned);
8191 }
8192 }
8193 /* }}} */
8194
