The allows cipher_algo to be specified as a string. It means the not
only predefined ID ciphers are available which means that also auth
enveloped data can be created using AES GCM.
Closes GH-19459
This adds PKCS7_NOSMIMECAP, PKCS7_CRLFEOL, PKCS7_NOCRL and
PKCS7_NO_DUAL_CONTENT constants. They might be potentially useful
in some scenarious.
Test is not added as it is not clear if there is much need for those and
it would require much bigger effort just to test OpenSSL functionality.
Closes GH-19450
This does not seem like an issue as the aliases seem to be already
fetched most of the time. But there might be cases when it could be
failing like it was failing for MD in GH-19369.
It should be noted that the test does not fail without this change but
it seems useful anyway so it is added as part of this change. I
actually have not found the case where alias is not fetched for cipher
but there might be some.
Closes GH-19437
* Fix Windows test for openssl-3.5 upgrade
* Update ext/openssl/tests/check_default_conf_path.phpt
Co-authored-by: Christoph M. Becker <cmbecker69@gmx.de>
---------
Co-authored-by: Christoph M. Becker <cmbecker69@gmx.de>
Avoid initializing the same string content multiple times and make use of the
fact that the strings created to initialize attribute values are not freed by
simply making use of an existing zend_string with the same content if one is
available.
Specifically, it is added to openssl_public_encrypt() and
openssl_private_decrypt() functions. The purpose is to specify digest
algorithm for OEAP padding. It currently defaults to SHA1 for some
OpenSSL versions which is not preferred for modern setup and causes
problems in compatibility with web crypto.
Closes GH-19223
Instead of
* adding a zval on the stack
* initializing it
* copying the value to the attribute
Just initialize the value directly in the zend_attribute_arg
As noted by the LibreSSL maintainer, these functions return -1 on error.
This is further confirmed by my static analyzer that inferred the same
thing for OpenSSL.
Closes GH-19013.
The issue is about not being able to connect as cafile for SNI
is not used in its SSL context. This sets it up so it is possible
to capture the client certificate which is only possible when
verify_peer is true.
Closes GH-18893
When global constants' or class constants' availability is based on some
preprocessor condition, the generated arginfo header files wrap the
declarations in the preprocessor `#if` conditional blocks, one per declaration,
even if they are in the same conditional block based on comments in the stub
file. Instead of having multiple conditional blocks one after the other with
the same condition, combine them into a single conditional block.
If s is not NULL, the length can't be <= 0 because we at least append
`spkac` in the string, which is non-empty.
I noticed this condition because if it were actually possible to
execute, then it would leak memory.
This issue happens because http wrapper sets peer_name but then does not
remove so it stays in the context. The fix removes the peer name from
the context after enabling crypto.
In addition to bug #74796, this also fixes bug #76196.
In addition it should be a final fix for those SOAP bugs:
bug #69783
bug #52913
bug #61463
