1 /*
2 +----------------------------------------------------------------------+
3 | Copyright (c) The PHP Group |
4 +----------------------------------------------------------------------+
5 | This source file is subject to version 3.01 of the PHP license, |
6 | that is bundled with this package in the file LICENSE, and is |
7 | available through the world-wide-web at the following url: |
8 | https://www.php.net/license/3_01.txt |
9 | If you did not receive a copy of the PHP license and are unable to |
10 | obtain it through the world-wide-web, please send a note to |
11 | license@php.net so we can mail you a copy immediately. |
12 +----------------------------------------------------------------------+
13 | Authors: Stig Venaas <venaas@php.net> |
14 | Wez Furlong <wez@thebrainroom.com |
15 +----------------------------------------------------------------------+
16 */
17
18 #ifndef PHP_OPENSSL_H
19 #define PHP_OPENSSL_H
20
21 #ifdef HAVE_OPENSSL_EXT
22 extern zend_module_entry openssl_module_entry;
23 #define phpext_openssl_ptr &openssl_module_entry
24
25 #include "php_version.h"
26 #define PHP_OPENSSL_VERSION PHP_VERSION
27
28 #include <openssl/opensslv.h>
29 #ifdef LIBRESSL_VERSION_NUMBER
30 /* LibreSSL version check */
31 #if LIBRESSL_VERSION_NUMBER < 0x20700000L
32 #define PHP_OPENSSL_API_VERSION 0x10001
33 #else
34 #define PHP_OPENSSL_API_VERSION 0x10100
35 #endif
36 #else
37 /* OpenSSL version check */
38 #if OPENSSL_VERSION_NUMBER < 0x30000000L
39 #define PHP_OPENSSL_API_VERSION 0x10100
40 #elif OPENSSL_VERSION_NUMBER < 0x30200000L
41 #define PHP_OPENSSL_API_VERSION 0x30000
42 #else
43 #define PHP_OPENSSL_API_VERSION 0x30200
44 #endif
45 #endif
46
47 #define OPENSSL_RAW_DATA 1
48 #define OPENSSL_ZERO_PADDING 2
49 #define OPENSSL_DONT_ZERO_PAD_KEY 4
50
51 #define OPENSSL_ERROR_X509_PRIVATE_KEY_VALUES_MISMATCH 0x0B080074
52
53 /* Used for client-initiated handshake renegotiation DoS protection*/
54 #define OPENSSL_DEFAULT_RENEG_LIMIT 2
55 #define OPENSSL_DEFAULT_RENEG_WINDOW 300
56 #define OPENSSL_DEFAULT_STREAM_VERIFY_DEPTH 9
57 #define OPENSSL_DEFAULT_STREAM_CIPHERS "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:" \
58 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:" \
59 "DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:" \
60 "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:" \
61 "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:" \
62 "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:" \
63 "AES256-GCM-SHA384:AES128:AES256:HIGH:!SSLv2:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!RC4:!ADH"
64
65 #include <openssl/err.h>
66
67 #ifdef PHP_WIN32
68 # define PHP_OPENSSL_API __declspec(dllexport)
69 #elif defined(__GNUC__) && __GNUC__ >= 4
70 # define PHP_OPENSSL_API __attribute__((visibility("default")))
71 #else
72 # define PHP_OPENSSL_API
73 #endif
74
75 struct php_openssl_errors {
76 int buffer[ERR_NUM_ERRORS];
77 int top;
78 int bottom;
79 };
80
81 ZEND_BEGIN_MODULE_GLOBALS(openssl)
82 struct php_openssl_errors *errors;
83 struct php_openssl_errors *errors_mark;
84 ZEND_END_MODULE_GLOBALS(openssl)
85
86 #define OPENSSL_G(v) ZEND_MODULE_GLOBALS_ACCESSOR(openssl, v)
87
88 #if defined(ZTS) && defined(COMPILE_DL_OPENSSL)
89 ZEND_TSRMLS_CACHE_EXTERN();
90 #endif
91
92 php_stream_transport_factory_func php_openssl_ssl_socket_factory;
93
94 void php_openssl_store_errors(void);
95
96 /* openssl file path extra */
97 bool php_openssl_check_path_ex(
98 const char *file_path, size_t file_path_len, char *real_path, uint32_t arg_num,
99 bool contains_file_protocol, bool is_from_array, const char *option_name);
100
101 /* openssl file path check */
php_openssl_check_path(const char * file_path,size_t file_path_len,char * real_path,uint32_t arg_num)102 static inline bool php_openssl_check_path(
103 const char *file_path, size_t file_path_len, char *real_path, uint32_t arg_num)
104 {
105 return php_openssl_check_path_ex(
106 file_path, file_path_len, real_path, arg_num, false, false, NULL);
107 }
108
109 /* openssl file path extra check with zend string */
php_openssl_check_path_str_ex(zend_string * file_path,char * real_path,uint32_t arg_num,bool contains_file_protocol,bool is_from_array,const char * option_name)110 static inline bool php_openssl_check_path_str_ex(
111 zend_string *file_path, char *real_path, uint32_t arg_num,
112 bool contains_file_protocol, bool is_from_array, const char *option_name)
113 {
114 return php_openssl_check_path_ex(
115 ZSTR_VAL(file_path), ZSTR_LEN(file_path), real_path, arg_num, contains_file_protocol,
116 is_from_array, option_name);
117 }
118
119 /* openssl file path check with zend string */
php_openssl_check_path_str(zend_string * file_path,char * real_path,uint32_t arg_num)120 static inline bool php_openssl_check_path_str(
121 zend_string *file_path, char *real_path, uint32_t arg_num)
122 {
123 return php_openssl_check_path_str_ex(file_path, real_path, arg_num, true, false, NULL);
124 }
125
126 PHP_OPENSSL_API zend_long php_openssl_cipher_iv_length(const char *method);
127 PHP_OPENSSL_API zend_long php_openssl_cipher_key_length(const char *method);
128 PHP_OPENSSL_API zend_string* php_openssl_random_pseudo_bytes(zend_long length);
129 PHP_OPENSSL_API zend_string* php_openssl_encrypt(
130 const char *data, size_t data_len,
131 const char *method, size_t method_len,
132 const char *password, size_t password_len,
133 zend_long options,
134 const char *iv, size_t iv_len,
135 zval *tag, zend_long tag_len,
136 const char *aad, size_t aad_len);
137 PHP_OPENSSL_API zend_string* php_openssl_decrypt(
138 const char *data, size_t data_len,
139 const char *method, size_t method_len,
140 const char *password, size_t password_len,
141 zend_long options,
142 const char *iv, size_t iv_len,
143 const char *tag, zend_long tag_len,
144 const char *aad, size_t aad_len);
145
146 /* OpenSSLCertificate class */
147
148 typedef struct _php_openssl_certificate_object {
149 X509 *x509;
150 zend_object std;
151 } php_openssl_certificate_object;
152
153 extern zend_class_entry *php_openssl_certificate_ce;
154
php_openssl_certificate_from_obj(zend_object * obj)155 static inline php_openssl_certificate_object *php_openssl_certificate_from_obj(zend_object *obj) {
156 return (php_openssl_certificate_object *)((char *)(obj) - XtOffsetOf(php_openssl_certificate_object, std));
157 }
158
159 #define Z_OPENSSL_CERTIFICATE_P(zv) php_openssl_certificate_from_obj(Z_OBJ_P(zv))
160
161 #if defined(HAVE_OPENSSL_ARGON2)
162
163 /**
164 * MEMLIMIT is normalized to KB even though sodium uses Bytes in order to
165 * present a consistent user-facing API.
166 *
167 * When updating these values, synchronize ext/standard/php_password.h values.
168 */
169 #if defined(PHP_PASSWORD_ARGON2_MEMORY_COST)
170 #define PHP_OPENSSL_PWHASH_MEMLIMIT PHP_PASSWORD_ARGON2_MEMORY_COST
171 #else
172 #define PHP_OPENSSL_PWHASH_MEMLIMIT (64 << 10)
173 #endif
174 #if defined(PHP_PASSWORD_ARGON2_TIME_COST)
175 #define PHP_OPENSSL_PWHASH_ITERLIMIT PHP_PASSWORD_ARGON2_TIME_COST
176 #else
177 #define PHP_OPENSSL_PWHASH_ITERLIMIT 4
178 #endif
179 #if defined(PHP_PASSWORD_ARGON2_THREADS)
180 #define PHP_OPENSSL_PWHASH_THREADS PHP_PASSWORD_ARGON2_THREADS
181 #else
182 #define PHP_OPENSSL_PWHASH_THREADS 1
183 #endif
184
185 #endif
186
187 PHP_MINIT_FUNCTION(openssl);
188 PHP_MSHUTDOWN_FUNCTION(openssl);
189 PHP_MINFO_FUNCTION(openssl);
190 PHP_GINIT_FUNCTION(openssl);
191 PHP_GSHUTDOWN_FUNCTION(openssl);
192 #if defined(HAVE_OPENSSL_ARGON2)
193 PHP_MINIT_FUNCTION(openssl_pwhash);
194 #endif
195
196 #ifdef PHP_WIN32
197 #define PHP_OPENSSL_BIO_MODE_R(flags) (((flags) & PKCS7_BINARY) ? "rb" : "r")
198 #define PHP_OPENSSL_BIO_MODE_W(flags) (((flags) & PKCS7_BINARY) ? "wb" : "w")
199 #else
200 #define PHP_OPENSSL_BIO_MODE_R(flags) "r"
201 #define PHP_OPENSSL_BIO_MODE_W(flags) "w"
202 #endif
203
204 #else
205
206 #define phpext_openssl_ptr NULL
207
208 #endif
209
210
211 #endif
212