archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 13:38:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Use custom OpenSSL libctx in md and cipher handling code (#18516)

Browse source
This commit is contained in:
Jakub Zelenka 2025-06-04 17:46:00 +01:00 committed by GitHub
parent f46f42b2b2
commit 2f5ef4d2b7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 252 additions and 114 deletions
Download patch file Download diff file Expand all files Collapse all files

25
ext/openssl/openssl.c
View file

@ -583,7 +583,7 @@ PHP_FUNCTION(openssl_spki_new)
zval *zpkey = NULL;
EVP_PKEY *pkey = NULL;
NETSCAPE_SPKI *spki=NULL;
const EVP_MD *mdtype;
const EVP_MD *mdtype = NULL;
if (zend_parse_parameters(ZEND_NUM_ARGS(), "Os|l", &zpkey, php_openssl_pkey_ce, &challenge, &challenge_len, &algo) == FAILURE) {
RETURN_THROWS();
@ -647,6 +647,7 @@ PHP_FUNCTION(openssl_spki_new)
goto cleanup;
cleanup:
php_openssl_release_evp_md(mdtype);
EVP_PKEY_free(pkey);
if (spki != NULL) {
NETSCAPE_SPKI_free(spki);
@ -1821,7 +1822,6 @@ cleanup:
X509_free(new_cert);
}
PHP_SSL_REQ_DISPOSE(&req);
EVP_PKEY_free(priv_key);
EVP_PKEY_free(key);
if (csr_str) {
@ -1830,6 +1830,7 @@ cleanup:
if (cert_str && cert && cert != new_cert) {
X509_free(cert);
}
PHP_SSL_REQ_DISPOSE(&req);
}
/* }}} */
@ -2104,7 +2105,8 @@ PHP_FUNCTION(openssl_pkey_export_to_file)
}
if (!php_openssl_check_path(filename, filename_len, file_path, 2)) {
goto clean_exit_key;
EVP_PKEY_free(key);
return;
}
PHP_SSL_REQ_INIT(&req);
@ -2139,10 +2141,9 @@ PHP_FUNCTION(openssl_pkey_export_to_file)
}
clean_exit:
PHP_SSL_REQ_DISPOSE(&req);
BIO_free(bio_out);
clean_exit_key:
EVP_PKEY_free(key);
PHP_SSL_REQ_DISPOSE(&req);
}
/* }}} */
@ -2204,9 +2205,9 @@ PHP_FUNCTION(openssl_pkey_export)
php_openssl_store_errors();
}
}
PHP_SSL_REQ_DISPOSE(&req);
EVP_PKEY_free(key);
BIO_free(bio_out);
PHP_SSL_REQ_DISPOSE(&req);
}
/* }}} */
@ -2686,6 +2687,7 @@ clean_exit:
if (recipcerts) {
sk_X509_pop_free(recipcerts, X509_free);
}
php_openssl_release_evp_cipher(cipher);
}
/* }}} */
@ -3334,6 +3336,7 @@ clean_exit:
if (recipcerts) {
sk_X509_pop_free(recipcerts, X509_free);
}
php_openssl_release_evp_cipher(cipher);
}
/* }}} */
@ -3969,7 +3972,7 @@ PHP_FUNCTION(openssl_sign)
}
if (method_str) {
mdtype = EVP_get_digestbyname(ZSTR_VAL(method_str));
mdtype = php_openssl_get_evp_md_by_name(ZSTR_VAL(method_str));
} else {
mdtype = php_openssl_get_evp_md_from_algo(method_long);
}
@ -3996,6 +3999,7 @@ PHP_FUNCTION(openssl_sign)
RETVAL_FALSE;
}
EVP_MD_CTX_destroy(md_ctx);
php_openssl_release_evp_md(mdtype);
EVP_PKEY_free(pkey);
}
/* }}} */
@ -4027,7 +4031,7 @@ PHP_FUNCTION(openssl_verify)
PHP_OPENSSL_CHECK_SIZE_T_TO_UINT(signature_len, signature, 2);
if (method_str) {
mdtype = EVP_get_digestbyname(ZSTR_VAL(method_str));
mdtype = php_openssl_get_evp_md_by_name(ZSTR_VAL(method_str));
} else {
mdtype = php_openssl_get_evp_md_from_algo(method_long);
}
@ -4041,6 +4045,7 @@ PHP_FUNCTION(openssl_verify)
if (!EG(exception)) {
php_error_docref(NULL, E_WARNING, "Supplied key param cannot be coerced into a public key");
}
php_openssl_release_evp_md(mdtype);
RETURN_FALSE;
}
@ -4051,6 +4056,7 @@ PHP_FUNCTION(openssl_verify)
php_openssl_store_errors();
}
EVP_MD_CTX_destroy(md_ctx);
php_openssl_release_evp_md(mdtype);
EVP_PKEY_free(pkey);
RETURN_LONG(err);
}
@ -4323,7 +4329,7 @@ PHP_FUNCTION(openssl_digest)
if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|b", &data, &data_len, &method, &method_len, &raw_output) == FAILURE) {
RETURN_THROWS();
}
mdtype = EVP_get_digestbyname(method);
mdtype = php_openssl_get_evp_md_by_name(method);
if (!mdtype) {
php_error_docref(NULL, E_WARNING, "Unknown digest algorithm");
RETURN_FALSE;
@ -4356,6 +4362,7 @@ PHP_FUNCTION(openssl_digest)
}
EVP_MD_CTX_destroy(md_ctx);
php_openssl_release_evp_md(mdtype);
}
/* }}} */

124
ext/openssl/openssl_backend_common.c
View file

@ -369,11 +369,11 @@ int php_openssl_parse_config(struct php_x509_request * req, zval * optional_args
if (strcmp(req->digest_name, "null") == 0) {
req->digest = req->md_alg = EVP_md_null();
} else {
req->digest = req->md_alg = EVP_get_digestbyname(req->digest_name);
req->digest = req->md_alg = php_openssl_get_evp_md_by_name(req->digest_name);
}
}
if (req->md_alg == NULL) {
req->md_alg = req->digest = EVP_sha1();
req->md_alg = req->digest = php_openssl_get_evp_md_by_name("sha1");
php_openssl_store_errors();
}
@ -417,6 +417,10 @@ void php_openssl_dispose_config(struct php_x509_request * req)
NCONF_free(req->req_config);
req->req_config = NULL;
}
if (req->md_alg != NULL && req->md_alg != EVP_md_null()) {
php_openssl_release_evp_md(req->md_alg);
}
php_openssl_release_evp_cipher(req->priv_key_encrypt_cipher);
}
zend_result php_openssl_load_rand_file(const char * file, int *egdsocket, int *seeded)
@ -469,92 +473,6 @@ zend_result php_openssl_write_rand_file(const char * file, int egdsocket, int se
return SUCCESS;
}
EVP_MD * php_openssl_get_evp_md_from_algo(zend_long algo) {
EVP_MD *mdtype;
switch (algo) {
case OPENSSL_ALGO_SHA1:
mdtype = (EVP_MD *) EVP_sha1();
break;
case OPENSSL_ALGO_MD5:
mdtype = (EVP_MD *) EVP_md5();
break;
#ifndef OPENSSL_NO_MD4
case OPENSSL_ALGO_MD4:
mdtype = (EVP_MD *) EVP_md4();
break;
#endif
#ifndef OPENSSL_NO_MD2
case OPENSSL_ALGO_MD2:
mdtype = (EVP_MD *) EVP_md2();
break;
#endif
case OPENSSL_ALGO_SHA224:
mdtype = (EVP_MD *) EVP_sha224();
break;
case OPENSSL_ALGO_SHA256:
mdtype = (EVP_MD *) EVP_sha256();
break;
case OPENSSL_ALGO_SHA384:
mdtype = (EVP_MD *) EVP_sha384();
break;
case OPENSSL_ALGO_SHA512:
mdtype = (EVP_MD *) EVP_sha512();
break;
#ifndef OPENSSL_NO_RMD160
case OPENSSL_ALGO_RMD160:
mdtype = (EVP_MD *) EVP_ripemd160();
break;
#endif
default:
return NULL;
break;
}
return mdtype;
}
const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(zend_long algo) {
switch (algo) {
#ifndef OPENSSL_NO_RC2
case PHP_OPENSSL_CIPHER_RC2_40:
return EVP_rc2_40_cbc();
break;
case PHP_OPENSSL_CIPHER_RC2_64:
return EVP_rc2_64_cbc();
break;
case PHP_OPENSSL_CIPHER_RC2_128:
return EVP_rc2_cbc();
break;
#endif
#ifndef OPENSSL_NO_DES
case PHP_OPENSSL_CIPHER_DES:
return EVP_des_cbc();
break;
case PHP_OPENSSL_CIPHER_3DES:
return EVP_des_ede3_cbc();
break;
#endif
#ifndef OPENSSL_NO_AES
case PHP_OPENSSL_CIPHER_AES_128_CBC:
return EVP_aes_128_cbc();
break;
case PHP_OPENSSL_CIPHER_AES_192_CBC:
return EVP_aes_192_cbc();
break;
case PHP_OPENSSL_CIPHER_AES_256_CBC:
return EVP_aes_256_cbc();
break;
#endif
default:
return NULL;
break;
}
}
void php_openssl_backend_init(void)
{
#ifdef LIBRESSL_VERSION_NUMBER
@ -1932,7 +1850,7 @@ PHP_OPENSSL_API zend_string* php_openssl_encrypt(
PHP_OPENSSL_CHECK_LONG_TO_INT_NULL_RETURN(tag_len, tag_len);
cipher_type = EVP_get_cipherbyname(method);
cipher_type = php_openssl_get_evp_cipher_by_name(method);
if (!cipher_type) {
php_error_docref(NULL, E_WARNING, "Unknown cipher algorithm");
return NULL;
@ -1940,6 +1858,7 @@ PHP_OPENSSL_API zend_string* php_openssl_encrypt(
cipher_ctx = EVP_CIPHER_CTX_new();
if (!cipher_ctx) {
php_openssl_release_evp_cipher(cipher_type);
php_error_docref(NULL, E_WARNING, "Failed to create cipher context");
return NULL;
}
@ -1998,6 +1917,7 @@ PHP_OPENSSL_API zend_string* php_openssl_encrypt(
}
EVP_CIPHER_CTX_reset(cipher_ctx);
EVP_CIPHER_CTX_free(cipher_ctx);
php_openssl_release_evp_cipher(cipher_type);
return outbuf;
}
@ -2024,7 +1944,7 @@ PHP_OPENSSL_API zend_string* php_openssl_decrypt(
PHP_OPENSSL_CHECK_SIZE_T_TO_INT_NULL_RETURN(tag_len, tag);
cipher_type = EVP_get_cipherbyname(method);
cipher_type = php_openssl_get_evp_cipher_by_name(method);
if (!cipher_type) {
php_error_docref(NULL, E_WARNING, "Unknown cipher algorithm");
return NULL;
@ -2032,6 +1952,7 @@ PHP_OPENSSL_API zend_string* php_openssl_decrypt(
cipher_ctx = EVP_CIPHER_CTX_new();
if (!cipher_ctx) {
php_openssl_release_evp_cipher(cipher_type);
php_error_docref(NULL, E_WARNING, "Failed to create cipher context");
return NULL;
}
@ -2077,14 +1998,15 @@ PHP_OPENSSL_API zend_string* php_openssl_decrypt(
}
EVP_CIPHER_CTX_reset(cipher_ctx);
EVP_CIPHER_CTX_free(cipher_ctx);
php_openssl_release_evp_cipher(cipher_type);
return outbuf;
}
const EVP_CIPHER *php_openssl_get_evp_cipher_by_name(const char *method)
const EVP_CIPHER *php_openssl_get_evp_cipher_by_name_with_warning(const char *method)
{
const EVP_CIPHER *cipher_type;
cipher_type = EVP_get_cipherbyname(method);
cipher_type = php_openssl_get_evp_cipher_by_name(method);
if (!cipher_type) {
php_error_docref(NULL, E_WARNING, "Unknown cipher algorithm");
return NULL;
@ -2096,16 +2018,26 @@ const EVP_CIPHER *php_openssl_get_evp_cipher_by_name(const char *method)
PHP_OPENSSL_API zend_long php_openssl_cipher_iv_length(const char *method)
{
const EVP_CIPHER *cipher_type = php_openssl_get_evp_cipher_by_name(method);
const EVP_CIPHER *cipher_type = php_openssl_get_evp_cipher_by_name_with_warning(method);
if (cipher_type == NULL) {
return -1;
}
int iv_length = EVP_CIPHER_iv_length(cipher_type);
php_openssl_release_evp_cipher(cipher_type);
return cipher_type == NULL ? -1 : EVP_CIPHER_iv_length(cipher_type);
return iv_length;
}
PHP_OPENSSL_API zend_long php_openssl_cipher_key_length(const char *method)
{
const EVP_CIPHER *cipher_type = php_openssl_get_evp_cipher_by_name(method);
const EVP_CIPHER *cipher_type = php_openssl_get_evp_cipher_by_name_with_warning(method);
if (cipher_type == NULL) {
return -1;
}
int key_length = EVP_CIPHER_key_length(cipher_type);
php_openssl_release_evp_cipher(cipher_type);
return cipher_type == NULL ? -1 : EVP_CIPHER_key_length(cipher_type);
return key_length;
}
PHP_OPENSSL_API zend_string* php_openssl_random_pseudo_bytes(zend_long buffer_length)

108
ext/openssl/openssl_backend_v1.c
View file

@ -561,6 +561,114 @@ zend_string *php_openssl_dh_compute_key(EVP_PKEY *pkey, char *pub_str, size_t pu
return data;
}
const EVP_MD *php_openssl_get_evp_md_by_name(const char *name)
{
return EVP_get_digestbyname(name);
}
const EVP_MD *php_openssl_get_evp_md_from_algo(zend_long algo)
{
EVP_MD *mdtype;
switch (algo) {
case OPENSSL_ALGO_SHA1:
mdtype = (EVP_MD *) EVP_sha1();
break;
case OPENSSL_ALGO_MD5:
mdtype = (EVP_MD *) EVP_md5();
break;
#ifndef OPENSSL_NO_MD4
case OPENSSL_ALGO_MD4:
mdtype = (EVP_MD *) EVP_md4();
break;
#endif
#ifndef OPENSSL_NO_MD2
case OPENSSL_ALGO_MD2:
mdtype = (EVP_MD *) EVP_md2();
break;
#endif
case OPENSSL_ALGO_SHA224:
mdtype = (EVP_MD *) EVP_sha224();
break;
case OPENSSL_ALGO_SHA256:
mdtype = (EVP_MD *) EVP_sha256();
break;
case OPENSSL_ALGO_SHA384:
mdtype = (EVP_MD *) EVP_sha384();
break;
case OPENSSL_ALGO_SHA512:
mdtype = (EVP_MD *) EVP_sha512();
break;
#ifndef OPENSSL_NO_RMD160
case OPENSSL_ALGO_RMD160:
mdtype = (EVP_MD *) EVP_ripemd160();
break;
#endif
default:
return NULL;
break;
}
return mdtype;
}
void php_openssl_release_evp_md(const EVP_MD *md)
{
// Do nothing as MD is static
}
const EVP_CIPHER *php_openssl_get_evp_cipher_by_name(const char *name)
{
return EVP_get_cipherbyname(name);
}
const EVP_CIPHER *php_openssl_get_evp_cipher_from_algo(zend_long algo)
{
switch (algo) {
#ifndef OPENSSL_NO_RC2
case PHP_OPENSSL_CIPHER_RC2_40:
return EVP_rc2_40_cbc();
break;
case PHP_OPENSSL_CIPHER_RC2_64:
return EVP_rc2_64_cbc();
break;
case PHP_OPENSSL_CIPHER_RC2_128:
return EVP_rc2_cbc();
break;
#endif
#ifndef OPENSSL_NO_DES
case PHP_OPENSSL_CIPHER_DES:
return EVP_des_cbc();
break;
case PHP_OPENSSL_CIPHER_3DES:
return EVP_des_ede3_cbc();
break;
#endif
#ifndef OPENSSL_NO_AES
case PHP_OPENSSL_CIPHER_AES_128_CBC:
return EVP_aes_128_cbc();
break;
case PHP_OPENSSL_CIPHER_AES_192_CBC:
return EVP_aes_192_cbc();
break;
case PHP_OPENSSL_CIPHER_AES_256_CBC:
return EVP_aes_256_cbc();
break;
#endif
default:
return NULL;
break;
}
}
void php_openssl_release_evp_cipher(const EVP_CIPHER *cipher)
{
// Do nothing as the cipher is static
}
void php_openssl_get_cipher_methods(zval *return_value, bool aliases)
{
array_init(return_value);

85
ext/openssl/openssl_backend_v3.c
View file

@ -696,6 +696,89 @@ zend_string *php_openssl_dh_compute_key(EVP_PKEY *pkey, char *pub_str, size_t pu
return result;
}
const EVP_MD *php_openssl_get_evp_md_by_name(const char *name)
{
return EVP_MD_fetch(OPENSSL_G(libctx), name, OPENSSL_G(propq));
}
static const char *php_openssl_digest_names[] = {
[OPENSSL_ALGO_SHA1] = "SHA1",
[OPENSSL_ALGO_MD5] = "MD5",
#ifndef OPENSSL_NO_MD4
[OPENSSL_ALGO_MD4] = "MD4",
#endif
#ifndef OPENSSL_NO_MD2
[OPENSSL_ALGO_MD2] = "MD2",
#endif
[OPENSSL_ALGO_SHA224] = "SHA224",
[OPENSSL_ALGO_SHA256] = "SHA256",
[OPENSSL_ALGO_SHA384] = "SHA384",
[OPENSSL_ALGO_SHA512] = "SHA512",
#ifndef OPENSSL_NO_RMD160
[OPENSSL_ALGO_RMD160] = "RIPEMD160",
#endif
};
const EVP_MD *php_openssl_get_evp_md_from_algo(zend_long algo)
{
if (algo < 0 || algo >= (zend_long)(sizeof(php_openssl_digest_names) / sizeof(*php_openssl_digest_names))) {
return NULL;
}
const char *name = php_openssl_digest_names[algo];
if (!name) {
return NULL;
}
return php_openssl_get_evp_md_by_name(name);
}
void php_openssl_release_evp_md(const EVP_MD *md)
{
if (md != NULL) {
// It is fine to remove const as the md is from EVP_MD_fetch
EVP_MD_free((EVP_MD *) md);
}
}
static const char *php_openssl_cipher_names[] = {
[PHP_OPENSSL_CIPHER_RC2_40] = "RC2-40-CBC",
[PHP_OPENSSL_CIPHER_RC2_128] = "RC2-CBC",
[PHP_OPENSSL_CIPHER_RC2_64] = "RC2-64-CBC",
[PHP_OPENSSL_CIPHER_DES] = "DES-CBC",
[PHP_OPENSSL_CIPHER_3DES] = "DES-EDE3-CBC",
[PHP_OPENSSL_CIPHER_AES_128_CBC]= "AES-128-CBC",
[PHP_OPENSSL_CIPHER_AES_192_CBC]= "AES-192-CBC",
[PHP_OPENSSL_CIPHER_AES_256_CBC]= "AES-256-CBC",
};
const EVP_CIPHER *php_openssl_get_evp_cipher_by_name(const char *name)
{
return EVP_CIPHER_fetch(OPENSSL_G(libctx), name, OPENSSL_G(propq));
}
const EVP_CIPHER *php_openssl_get_evp_cipher_from_algo(zend_long algo)
{
if (algo < 0 || algo >= (zend_long)(sizeof(php_openssl_cipher_names) / sizeof(*php_openssl_cipher_names))) {
return NULL;
}
const char *name = php_openssl_cipher_names[algo];
if (!name) {
return NULL;
}
return php_openssl_get_evp_cipher_by_name(name);
}
void php_openssl_release_evp_cipher(const EVP_CIPHER *cipher)
{
if (cipher != NULL) {
// It is fine to remove const as the cipher is from EVP_CIPHER_fetch
EVP_CIPHER_free((EVP_CIPHER *) cipher);
}
}
static void php_openssl_add_cipher_name(const char *name, void *arg)
{
size_t len = strlen(name);
@ -722,7 +805,7 @@ static int php_openssl_compare_func(Bucket *a, Bucket *b)
void php_openssl_get_cipher_methods(zval *return_value, bool aliases)
{
array_init(return_value);
EVP_CIPHER_do_all_provided(NULL,
EVP_CIPHER_do_all_provided(OPENSSL_G(libctx),
aliases ? php_openssl_add_cipher_or_alias : php_openssl_add_cipher,
return_value);
zend_hash_sort(Z_ARRVAL_P(return_value), php_openssl_compare_func, 1);

24
ext/openssl/php_openssl_backend.h
View file

@ -75,14 +75,17 @@ enum php_openssl_key_type {
OPENSSL_KEYTYPE_RSA,
OPENSSL_KEYTYPE_DSA,
OPENSSL_KEYTYPE_DH,
OPENSSL_KEYTYPE_EC,
OPENSSL_KEYTYPE_X25519,
OPENSSL_KEYTYPE_ED25519,
OPENSSL_KEYTYPE_X448,
OPENSSL_KEYTYPE_ED448,
OPENSSL_KEYTYPE_DEFAULT = OPENSSL_KEYTYPE_RSA,
OPENSSL_KEYTYPE_EC = OPENSSL_KEYTYPE_DH +1,
OPENSSL_KEYTYPE_X25519 = OPENSSL_KEYTYPE_DH +2,
OPENSSL_KEYTYPE_ED25519 = OPENSSL_KEYTYPE_DH +3,
OPENSSL_KEYTYPE_X448 = OPENSSL_KEYTYPE_DH +4,
OPENSSL_KEYTYPE_ED448 = OPENSSL_KEYTYPE_DH +5,
};
/* Cipher constants, do not forget to update php_openssl_cipher_names in
* openssl_backend_v3.c if new constant added. */
enum php_openssl_cipher_type {
PHP_OPENSSL_CIPHER_RC2_40,
PHP_OPENSSL_CIPHER_RC2_128,
@ -106,10 +109,10 @@ enum php_openssl_encoding {
ENCODING_PEM,
};
#define MIN_KEY_LENGTH 384
/* constants used in ext/phar/util.c, keep in sync */
/* Constants used in ext/phar/util.c, keep in sync and do not forget to update
* php_openssl_digest_names in openssl_backend_v3.c if new constant added. */
#define OPENSSL_ALGO_SHA1 1
#define OPENSSL_ALGO_MD5 2
#ifndef OPENSSL_NO_MD4
@ -126,6 +129,7 @@ enum php_openssl_encoding {
#ifndef OPENSSL_NO_RMD160
#define OPENSSL_ALGO_RMD160 10
#endif
#define DEBUG_SMIME 0
#if !defined(OPENSSL_NO_EC) && defined(EVP_PKEY_EC)
@ -221,8 +225,12 @@ void php_openssl_dispose_config(struct php_x509_request * req);
zend_result php_openssl_load_rand_file(const char * file, int *egdsocket, int *seeded);
zend_result php_openssl_write_rand_file(const char * file, int egdsocket, int seeded);
EVP_MD * php_openssl_get_evp_md_from_algo(zend_long algo);
const EVP_MD *php_openssl_get_evp_md_by_name(const char *name);
const EVP_MD *php_openssl_get_evp_md_from_algo(zend_long algo);
void php_openssl_release_evp_md(const EVP_MD *md);
const EVP_CIPHER * php_openssl_get_evp_cipher_by_name(const char *name);
const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(zend_long algo);
void php_openssl_release_evp_cipher(const EVP_CIPHER *cipher);
void php_openssl_backend_init(void);
void php_openssl_backend_init_common(void);