ext/curl: Add CURLOPT_SSL_SIGNATURE_ALGORITHMS option

Adds support for `CURLOPT_SSL_SIGNATURE_ALGORITHMS`[^1], supported since Curl version 8.14.0. [^1]: https://curl.se/libcurl/c/CURLOPT_SSL_SIGNATURE_ALGORITHMS.html Closes GH-18692
2025-08-15 13:38:49 +02:00 · 2025-05-28 22:29:46 +05:30 · 2025-05-28 22:29:46 +05:30 · 6f3bc59950
commit 6f3bc59950
parent 73b1ebfa20
7 changed files with 64 additions and 1 deletions
--- a/1
+++ b/1
@ -10,6 +10,7 @@ PHP                                                                        NEWS
 - Curl:
  . Add support for CURLINFO_CONN_ID in curl_getinfo() (thecaliskan)
  . Add support for CURLINFO_QUEUE_TIME_T in curl_getinfo() (thecaliskan)
+  . Add support for CURLOPT_SSL_SIGNATURE_ALGORITHMS. (Ayesh Karunaratne)

 - OPcache:
  . Disallow changing opcache.memory_consumption when SHM is already set up.
--- a/2
+++ b/2
@ -198,6 +198,8 @@ PHP 8.5 UPGRADE NOTES
    request spent in libcurl’s connection queue before it was sent.
    This value can also be retrieved by passing CURLINFO_QUEUE_TIME_T to the
    curl_getinfo() $option parameter.
+  . Added support for CURLOPT_SSL_SIGNATURE_ALGORITHMS to specify the signature
+    algorithms to use for TLS.

 - DOM:
  . Added Dom\Element::$outerHTML.
--- a/ext/curl/curl.stub.php
+++ b/ext/curl/curl.stub.php
@ -3339,6 +3339,13 @@ const CURLINFO_PROXY_ERROR = UNKNOWN;
 * @cvalue CURLOPT_SSL_EC_CURVES
 */
 const CURLOPT_SSL_EC_CURVES = UNKNOWN;
+#if LIBCURL_VERSION_NUM >= 0x080e00 /* Available since 8.14.0 */
+/**
+ * @var int
+ * @cvalue CURLOPT_SSL_SIGNATURE_ALGORITHMS
+ */
+const CURLOPT_SSL_SIGNATURE_ALGORITHMS = UNKNOWN;
+#endif
 /**
 * @var int
 * @cvalue CURLPX_BAD_ADDRESS_TYPE
--- a/ext/curl/curl_arginfo.h
+++ b/ext/curl/curl_arginfo.h
@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: c2245ec496551980ca17ff4472cc1790653e41bd */
+ * Stub hash: 682d257b0235e5f6f81ffe3ddf563f384125a271 */

 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_curl_close, 0, 1, IS_VOID, 0)
 	ZEND_ARG_OBJ_INFO(0, handle, CurlHandle, 0)
@ -891,6 +891,11 @@ static void register_curl_symbols(int module_number)
 	REGISTER_LONG_CONSTANT("CURLE_PROXY", CURLE_PROXY, CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("CURLINFO_PROXY_ERROR", CURLINFO_PROXY_ERROR, CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("CURLOPT_SSL_EC_CURVES", CURLOPT_SSL_EC_CURVES, CONST_PERSISTENT);
+#endif
+#if LIBCURL_VERSION_NUM >= 0x074900 /* Available since 7.73.0 */ && LIBCURL_VERSION_NUM >= 0x080e00 /* Available since 8.14.0 */
+	REGISTER_LONG_CONSTANT("CURLOPT_SSL_SIGNATURE_ALGORITHMS", CURLOPT_SSL_SIGNATURE_ALGORITHMS, CONST_PERSISTENT);
+#endif
+#if LIBCURL_VERSION_NUM >= 0x074900 /* Available since 7.73.0 */
 	REGISTER_LONG_CONSTANT("CURLPX_BAD_ADDRESS_TYPE", CURLPX_BAD_ADDRESS_TYPE, CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("CURLPX_BAD_VERSION", CURLPX_BAD_VERSION, CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("CURLPX_CLOSED", CURLPX_CLOSED, CONST_PERSISTENT);
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@ -1944,6 +1944,9 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 		case CURLOPT_USERPWD:
 		case CURLOPT_USERNAME:
 		case CURLOPT_PASSWORD:
+#if LIBCURL_VERSION_NUM >= 0x080e00 /* Available since 8.14.0 */
+		case CURLOPT_SSL_SIGNATURE_ALGORITHMS:
+#endif
 		{
 			if (Z_ISNULL_P(zvalue)) {
 				error = curl_easy_setopt(ch->cp, option, NULL);
--- a/ext/curl/tests/Caddyfile
+++ b/ext/curl/tests/Caddyfile
@ -21,3 +21,8 @@ basic_auth /http-basic-auth {
 	# bcrypt password hash for "password", calculated with 'caddy hash-password'
 	user $2a$14$yUKl9SGqVTAAqPTzLup.DefsbXXx3kfreNnzpJOUHcIrKnr5lgef2
 }
+
+route /ping {
+	templates
+	respond `pong`
+}
--- a/ext/curl/tests/curl_setopt_CURLOPT_SSL_SIGNATURE_ALGORITHMS.phpt
+++ b/ext/curl/tests/curl_setopt_CURLOPT_SSL_SIGNATURE_ALGORITHMS.phpt
@ -0,0 +1,40 @@
+--TEST--
+Curl option CURLOPT_SSL_SIGNATURE_ALGORITHMS
+--EXTENSIONS--
+curl
+--SKIPIF--
+<?php
+$curl_version = curl_version();
+if ($curl_version['version_number'] < 0x080e00) die("skip: test works only with curl >= 8.14.0");
+
+include 'skipif-nocaddy.inc';
+?>
+--FILE--
+<?php
+
+$ch = curl_init('https://localhost/ping');
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+
+var_dump(curl_exec($ch));
+
+var_dump(curl_setopt($ch, CURLOPT_SSL_SIGNATURE_ALGORITHMS, 'invalid-value'));
+var_dump(curl_exec($ch));
+var_dump(curl_error($ch));
+
+var_dump(curl_setopt($ch, CURLOPT_SSL_SIGNATURE_ALGORITHMS, 'ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ed25519'));
+var_dump(curl_exec($ch));
+
+var_dump(curl_setopt($ch, CURLOPT_SSL_SIGNATURE_ALGORITHMS, null));
+var_dump(curl_exec($ch));
+
+?>
+--EXPECT--
+string(4) "pong"
+bool(true)
+bool(false)
+string(52) "failed setting signature algorithms: 'invalid-value'"
+bool(true)
+string(4) "pong"
+bool(true)
+string(4) "pong"