| -rw-r--r-- | ext/openssl/openssl.c | 20 | ||||
| -rw-r--r-- | ext/openssl/tests/openssl_decrypt_error.phpt | 6 | ||||
| -rw-r--r-- | ext/openssl/tests/openssl_encrypt_error.phpt | 7 |
3 files changed, 27 insertions, 6 deletions
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index a9eec2d7e0..cc2506165f 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -5329,10 +5329,13 @@ static int php_openssl_cipher_init(const EVP_CIPHER *cipher_type, } if (mode->is_single_run_aead && enc) { EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_set_tag_flag, tag_len, NULL); - } else if (!enc && mode->is_aead && tag && - !EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_set_tag_flag, tag_len, (unsigned char *) tag)) { - php_error_docref(NULL, E_WARNING, "Setting tag for AEAD cipher encryption failed"); - return FAILURE; + } else if (!enc && tag && tag_len > 0) { + if (!mode->is_aead) { + php_error_docref(NULL, E_WARNING, "The tag cannot be used because the cipher method does not support AEAD"); + } else if (!EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_set_tag_flag, tag_len, (unsigned char *) tag)) { + php_error_docref(NULL, E_WARNING, "Setting tag for AEAD cipher decryption failed"); + return FAILURE; + } } if (password_len > key_len) { EVP_CIPHER_CTX_set_key_length(cipher_ctx, password_len); @@ -5394,7 +5397,7 @@ PHP_FUNCTION(openssl_encrypt) zend_long options = 0, tag_len = 16; char *data, *method, *password, *iv = "", *aad = ""; size_t data_len, method_len, password_len, iv_len = 0, aad_len = 0; - zval *tag; + zval *tag = NULL; const EVP_CIPHER *cipher_type; EVP_CIPHER_CTX *cipher_ctx; struct php_openssl_cipher_mode mode; @@ -5445,7 +5448,7 @@ PHP_FUNCTION(openssl_encrypt) zend_string_release(outbuf); RETVAL_STR(base64_str); } - if (mode.is_aead) { + if (mode.is_aead && tag) { zend_string *tag_str = zend_string_alloc(tag_len, 0); if (EVP_CIPHER_CTX_ctrl(cipher_ctx, mode.aead_get_tag_flag, tag_len, ZSTR_VAL(tag_str)) == 1) { 
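Review bot: In the first hunk, the new `if (!mode->is_aead)` branch of php_openssl_cipher_init only raises an E_WARNING and lets decryption continue, so a caller who passed a tag expecting authenticated decryption gets unauthenticated plaintext back unless warnings are treated as errors. Failing closed is safer here: add `return FAILURE;` after the "cipher method does not support AEAD" warning, as the sibling branch already does. Separately, the added `tag_len > 0` condition means an empty tag on an AEAD cipher now skips the set-tag call entirely. Whether a later step rejects AEAD decryption when no tag was set is not visible in this hunk and should be confirmed. The function body starts and ends outside the hunk.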
@@ -5457,6 +5460,11 @@ PHP_FUNCTION(openssl_encrypt) zend_string_release(tag_str); php_error_docref(NULL, E_WARNING, "Retrieving verification tag failed"); } + } else if (tag) { + zval_dtor(tag); + ZVAL_NULL(tag); + php_error_docref(NULL, E_WARNING, + "The authenticated tag cannot be provided for cipher that doesn not support AEAD"); } } else { zend_string_release(outbuf); diff --git a/ext/openssl/tests/openssl_decrypt_error.phpt b/ext/openssl/tests/openssl_decrypt_error.phpt index 40debbd04f..44c2cd473d 100644 --- a/ext/openssl/tests/openssl_decrypt_error.phpt +++ b/ext/openssl/tests/openssl_decrypt_error.phpt @@ -22,6 +22,9 @@ var_dump(openssl_decrypt($wrong, $wrong, $wrong)); var_dump(openssl_decrypt(array(), $method, $password)); var_dump(openssl_decrypt($encrypted, array(), $password)); var_dump(openssl_decrypt($encrypted, $method, array())); + +// invalid using of an authentication tag +var_dump(openssl_encrypt($data, $method, $password, 0, $iv, $wrong)); ?> --EXPECTF-- @@ -51,3 +54,6 @@ NULL Warning: openssl_decrypt() expects parameter 3 to be string, array given in %s on line %d NULL + +Warning: openssl_encrypt(): The authenticated tag cannot be provided for cipher that doesn not support AEAD in %s on line %d +string(44) "yof6cPPH4mLee6TOc0YQSrh4dvywMqxGUyjp0lV6+aM=" diff --git a/ext/openssl/tests/openssl_encrypt_error.phpt b/ext/openssl/tests/openssl_encrypt_error.phpt index 7376f48708..791c431211 100644 --- a/ext/openssl/tests/openssl_encrypt_error.phpt +++ b/ext/openssl/tests/openssl_encrypt_error.phpt @@ -7,10 +7,12 @@ openssl_encrypt() error tests $data = "openssl_encrypt() tests"; $method = "AES-128-CBC"; $password = "openssl"; +$iv = str_repeat("\0", openssl_cipher_iv_length($method)); $wrong = "wrong"; $object = new stdclass; $arr = array(1); +// wrong paramters tests var_dump(openssl_encrypt($data, $wrong, $password)); var_dump(openssl_encrypt($object, $method, $password)); var_dump(openssl_encrypt($data, $object, $password)); 
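Review bot: The new `else if (tag)` branch in openssl_encrypt runs after the return value has already been set (`RETVAL_STR(...)` in the preceding hunk), so a caller that asked for an authentication tag on a non-AEAD cipher still receives ciphertext, with only a warning and a NULL tag to show that no integrity protection was applied. Rejecting the tag argument before encryption starts, rather than after output is produced, would make this fail closed. The message text also contains a typo that the two .phpt expectations then lock in; it should read `"The authenticated tag cannot be provided for cipher that does not support AEAD"`. The enclosing function starts and ends outside the hunk.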
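Review bot: The line added to openssl_decrypt_error.phpt calls `openssl_encrypt`, not `openssl_decrypt`, so the decrypt-side warning introduced in php_openssl_cipher_init ("The tag cannot be used because the cipher method does not support AEAD") is never exercised, and the file only repeats the encrypt check. A call such as `var_dump(openssl_decrypt($encrypted, $method, $password, 0, $iv, $wrong));` with the matching expected warning would cover the changed branch. `$encrypted` appears in the context lines, but the definition of `$iv` is outside the hunk, so use whatever variable the file actually defines.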
@@ -18,6 +20,9 @@ var_dump(openssl_encrypt($data, $method, $object)); var_dump(openssl_encrypt($arr, $method, $object)); var_dump(openssl_encrypt($data, $arr, $object)); var_dump(openssl_encrypt($data, $method, $arr)); + +// invalid using of an authentication tag +var_dump(openssl_encrypt($data, $method, $password, 0, $iv, $wrong)); ?> --EXPECTF-- Warning: openssl_encrypt(): Unknown cipher algorithm in %s on line %d @@ -41,3 +46,5 @@ NULL Warning: openssl_encrypt() expects parameter 3 to be string, array given in %s on line %d NULL +Warning: openssl_encrypt(): The authenticated tag cannot be provided for cipher that doesn not support AEAD in %s on line %d +string(44) "iPR4HulskuaP5Z6me5uImk6BqVyJG73+63tkPauVZYk=" |
