This change extends supported parameter when generating EC keys.
Specifically following parameters are now supported: p, a, b, order,
generator, seed, cofactory, g_x, g_y, x, y and d.
Those parameters can be passed to ec field in openssl_pkey_new options.
It also fixes some issues openssl_pkey_get_details related to SM2
support.
Closes GH-9991
The error happens when the PEM contains a public key, as it will be
first tried to be parsed as a certificate. The parsing as a certificate
fails, which then leads to a corresponding error tracked by PHP with
the next call to php_openssl_store_errors().
This change introduces an error marking to be able to reset the stored
errors to the state before trying the certificate.
Closes GH-11055
This function returns 0 on error and 1 on success. The error case was
not checked and the function therefore would've returned true.
The only other caller of i2d_PKCS12_bio() in the file has
a correct error check.
Closes GH-10761.
This reverts commit 94ee4f9834.
The commit was a bit too late to be included in PHP 8.2 RC1. Given it's a massive ABI break, we decide to postpone the change to PHP 8.3.
This function works in exactly the same way as openssl_cipher_iv_length
but for a key length. This is especially useful to make sure that the
right key length is provided to openssl_encrypt and openssl_decrypt.
In addtion the change also updates implementation of
openssl_cipher_iv_length and adds a test for it.
This adds support for ChaCha20-Poly1305 AEAD algorithm so it is possible
to use it in the same way as AES GCM and other AEAD algorithms. This is
available in OpenSSL 1.1.0+.
Despite commit 69c3f8c[1] claiming otherwise, there is no need for any
Windows specific implementation here. Users can use random_bytes(), if
they desire so.
[1] <69c3f8cbba>
Closes GH-9153.
This has only been done for Windows systems so far, and there was a
TODO comment about looping for larger values; that appears to be
overkill, though, since 2 million bytes should be sufficient for all
use cases, and if there is really the need for more, users can still
loop manually. Anyhow, checking the range upfront on all platforms
is clearer then silently casting to `int`.
We split the error message for the least possible BC break.
Closes GH-9126.
It introduces a single function to check file paths passed to OpenSSL
functions. It expands the path, check null bytes and finally does
an open basedir check.
