authorNikita Popov <nikita.ppv@gmail.com>2020-10-14 10:56:51 +0200
committerNikita Popov <nikita.ppv@gmail.com>2020-10-14 10:56:51 +0200
commit2540f68d0e9abfcb4049bddcb47fece0f373c66b (patch)
tree1a911cc71e316087c5801f86448bfa719c9995d7
parent06bb1feb09e46419d684abdfa7ec2249015defa1 (diff)
parent6c6a58e930c5863ab1bd11f6a19cbf22aa2f20d4 (diff)
downloadphp-git-2540f68d0e9abfcb4049bddcb47fece0f373c66b.tar.gz
Merge branch 'PHP-7.4' into PHP-8.0
* PHP-7.4: Allow passing $tag for non-authenticated encryption
-rw-r--r--ext/openssl/openssl.c2
-rw-r--r--ext/openssl/tests/openssl_decrypt_basic.phpt7
-rw-r--r--ext/openssl/tests/openssl_decrypt_error.phpt5
-rw-r--r--ext/openssl/tests/openssl_encrypt_error.phpt6
4 files changed, 7 insertions, 13 deletions
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index abaf88f15a..efb0d9c626 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -7156,8 +7156,6 @@ PHP_OPENSSL_API zend_string* php_openssl_encrypt(
}
} else if (tag) {
ZEND_TRY_ASSIGN_REF_NULL(tag);
- php_error_docref(NULL, E_WARNING,
- "The authenticated tag cannot be provided for cipher that doesn not support AEAD");
} else if (mode.is_aead) {
php_error_docref(NULL, E_WARNING, "A tag should be provided when using AEAD mode");
zend_string_release_ex(outbuf, 0);
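Review bot: The `else if (tag)` branch now sets the caller's `$tag` to null without any diagnostic, and nothing in the code records that this silence is deliberate. A caller whose cipher name is not an AEAD mode (for instance a configurable or mistyped method string) gets unauthenticated ciphertext back, and the null tag is the only signal. I would add a comment above the assignment such as `/* Non-AEAD cipher: no tag is produced. $tag is reset to NULL on purpose and without a warning; callers that need integrity must check for a NULL tag. */`. The body of php_openssl_encrypt starts and ends outside this hunk, so any handling of `tag` elsewhere in the function is not visible here.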
diff --git a/ext/openssl/tests/openssl_decrypt_basic.phpt b/ext/openssl/tests/openssl_decrypt_basic.phpt
index 37d17150fb..4175e703d2 100644
--- a/ext/openssl/tests/openssl_decrypt_basic.phpt
+++ b/ext/openssl/tests/openssl_decrypt_basic.phpt
@@ -28,9 +28,16 @@ var_dump(rtrim($output));
$encrypted = openssl_encrypt($data, "bf-ecb", $password, OPENSSL_DONT_ZERO_PAD_KEY);
$output = openssl_decrypt($encrypted, "bf-ecb", $password, OPENSSL_DONT_ZERO_PAD_KEY);
var_dump($output);
+
+// It's okay to pass $tag for a non-authenticated cipher.
+// It will be populated with null in that case.
+openssl_encrypt($data, $method, $password, 0, $iv, $tag);
+var_dump($tag);
+
?>
--EXPECT--
string(45) "openssl_encrypt() and openssl_decrypt() tests"
string(45) "openssl_encrypt() and openssl_decrypt() tests"
string(45) "openssl_encrypt() and openssl_decrypt() tests"
string(45) "openssl_encrypt() and openssl_decrypt() tests"
+NULL
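Review bot: The added check cannot tell "populated with null" apart from "left untouched", because `$tag` does not appear to be assigned anywhere in the visible lines before the call, and an undefined variable passed by reference also dumps as `NULL`. Seeding it first, e.g. `$tag = 'stale';` on the line before `openssl_encrypt($data, $method, $password, 0, $iv, $tag);`, would make the `NULL` expectation actually prove the reset. The return value of that call is also discarded; wrapping it in `var_dump(is_string(...))` would confirm that encryption still succeeds when a tag argument is supplied. `$method` and `$iv` are presumably defined earlier in the test, outside this hunk.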
diff --git a/ext/openssl/tests/openssl_decrypt_error.phpt b/ext/openssl/tests/openssl_decrypt_error.phpt
index 5f79cd86c2..7564b878ec 100644
--- a/ext/openssl/tests/openssl_decrypt_error.phpt
+++ b/ext/openssl/tests/openssl_decrypt_error.phpt
@@ -20,8 +20,6 @@ var_dump(openssl_decrypt($wrong, $wrong, $password));
var_dump(openssl_decrypt($encrypted, $wrong, $wrong));
var_dump(openssl_decrypt($wrong, $wrong, $wrong));
-// invalid using of an authentication tag
-var_dump(openssl_encrypt($data, $method, $password, 0, $iv, $wrong));
?>
--EXPECTF--
Warning: openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended in %s on line %d
@@ -41,6 +39,3 @@ bool(false)
Warning: openssl_decrypt(): Unknown cipher algorithm in %s on line %d
bool(false)
-
-Warning: openssl_encrypt(): The authenticated tag cannot be provided for cipher that doesn not support AEAD in %s on line %d
-string(44) "yof6cPPH4mLee6TOc0YQSrh4dvywMqxGUyjp0lV6+aM="
diff --git a/ext/openssl/tests/openssl_encrypt_error.phpt b/ext/openssl/tests/openssl_encrypt_error.phpt
index 0b1bc662f7..81a5bebff3 100644
--- a/ext/openssl/tests/openssl_encrypt_error.phpt
+++ b/ext/openssl/tests/openssl_encrypt_error.phpt
@@ -15,9 +15,6 @@ $arr = array(1);
// wrong parameters tests
var_dump(openssl_encrypt($data, $wrong, $password));
-// invalid using of an authentication tag
-var_dump(openssl_encrypt($data, $method, $password, 0, $iv, $wrong));
-
// padding of the key is disabled
var_dump(openssl_encrypt($data, $method, $password, OPENSSL_DONT_ZERO_PAD_KEY, $iv));
?>
@@ -25,8 +22,5 @@ var_dump(openssl_encrypt($data, $method, $password, OPENSSL_DONT_ZERO_PAD_KEY, $
Warning: openssl_encrypt(): Unknown cipher algorithm in %s on line %d
bool(false)
-Warning: openssl_encrypt(): The authenticated tag cannot be provided for cipher that doesn not support AEAD in %s on line %d
-string(44) "iPR4HulskuaP5Z6me5uImk6BqVyJG73+63tkPauVZYk="
-
Warning: openssl_encrypt(): Key length cannot be set for the cipher algorithm in %s on line %d
bool(false)