| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
OCB mode ciphers were already exposed to openssl_encrypt/decrypt,
but misbehaved, because they were not treated as AEAD ciphers.
From that perspective, OCB should be treated the same way as GCM.
In OpenSSL 1.1 the necessary controls were unified under
EVP_CTRL_AEAD_* (and OCB is only supported since OpenSSL 1.1).
Closes GH-6337.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
openssl_encrypt() currently throws a warning if the $tag out
parameter is passed for a non-authenticated cipher. This violates
the principle that a function should behave the same if a parameter
is not passed, and if the default value is passed for the parameter.
I believe this warning should simply be dropped and the $tag be
populated with null, as is already the case. Otherwise, it is not
possible to use openssl_encrypt() in generic wrapper APIs, that are
compatible with both authenticated and non-authenticated encryption.
Closes GH-6333.
|
| |
|
|
|
|
| |
This reverts commit 1e53e14bc31aec98a408e517c7c8493ef4bf80cd.
This fails on Travis.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
X509_PURPOSE_OCSP_HELPER, X509_PURPOSE_TIMESTAMP_SIGN are available
from OpenSSL for many years:
- X509_PURPOSE_OCSP_HELPER, since 2001
- X509_PURPOSE_TIMESTAMP_SIGN, since 2006
Also drop the ifdef check for X509_PURPOSE_ANY, as it is always
available in supported OpenSSL versions.
Closes GH-6312.
|
| |\
| |
| |
| |
| |
| |
| |
| | |
* PHP-7.3:
Update UPGRADING
Update NEWS & UPGRADING
Do not decode cookie names anymore
Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)
|
| | |\
| | |
| | |
| | |
| | |
| | |
| | | |
* PHP-7.2:
Update NEWS & UPGRADING
Do not decode cookie names anymore
Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | | |
The putenv trick doesn't work on ZTS Windows, so generate a new
openssl config every time.
|
| | | |
| | |
| | |
| | |
| | | |
We want to test the client side error here, so make sure the
server side can start up successfully.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
And switch tests using SAN certificates to the generator.
This is ugly, but there doesn't seem to be a more direct way
to privide SAN in PHP.
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | | |
The certificate really doesn't matter here, but it still needs to
comply with security level...
|
| | | |
| | |
| | |
| | | |
Make this test pass under security level 2.
|
| | | |
| | |
| | |
| | | |
This reverts commit b281493503401a2b5c45c11fcd0498d8448998c2.
|
| | | |
| | |
| | |
| | |
| | | |
People should not have to worry about the used openssl version
when downgrading security_level.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
The `security_level` stream option is only available as of OpenSSL
1.1.0, so we only set it for these versions. Older OpenSSL versions
do not have security levels at all.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This migrates all the tests using ext/openssl/tests/streams_crypto_method.pem
to the certificate generator, so we can easily adjust needed parameters.
In particular, this makes the cert security level 2 compatible.
However, we still need to downgrade security_level to 1 in a number
of tests, because they are testing TLS < 1.2 connections.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This makes the generated certificates compatible with security
level 2, which is apparently the default on Ubuntu 20.04.
Unfortunately this does not fix all tests, because some are using
pre-generated certificates.
|
| |\ \ \
| |/ /
| | |
| | |
| | | |
* PHP-7.3:
Fix #62890: default_socket_timeout=-1 causes connection to timeout
|
| | | |
| | |
| | |
| | |
| | |
| | | |
While unencrypted connections ignore negative timeouts, SSL/TLS
connections did not special case that, and so always failed due to
timeout.
|
| |\ \ \
| |/ /
| | |
| | |
| | | |
* PHP-7.3:
Fix #79497: Fix php_openssl_subtract_timeval()
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
I stumbled upon this while debugging a strange issue with
stream_socket_client() where it randomly throws out errors when
the connection timeout is set to below 1s. The logic to calculate
time difference in php_openssl_subtract_timeval() is wrong when
a.tv_usec < b.tv_usec, causing connection errors before the timeout
is reached.
|
| | | |
| | |
| | |
| | |
| | | |
Otherwise we have no clue why the test failed, if the regex didn't
match.
|
| |\ \ \
| |/ /
| | |
| | |
| | | |
* PHP-7.3:
Fix #79145: openssl memory leak
|
| | | |
| | |
| | |
| | |
| | |
| | | |
We must increase the refcount of `return_value` only if `cert` is a
resource; this is already done in `php_openssl_evp_from_zval()`,
though.
|
| |\ \ \
| |/ /
| | |
| | |
| | | |
* PHP-7.3:
Fixed bug #78775
|
| | |\ \
| | |/
| | |
| | |
| | | |
* PHP-7.2:
Fixed bug #78775
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Clear the OpenSSL error queue before performing SSL stream operations.
As we don't control all code that could possibly be using OpenSSL,
we can't rely on the error queue being empty.
|
| | | | |
|
| | | |
| | |
| | |
| | | |
Co-Authored-By: Gabriel Caruso <carusogabriel34@gmail.com>
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | | |
This was added in 7.1 when add_assoc_string mistakenly accepted
a char* rather than const char* parameter and is no longer needed.
We can use SSL_CIPHER_get_version() directly.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The php_stream_read() and php_stream_write() functions now return
an ssize_t value, with negative results indicating failure. Functions
like fread() and fwrite() will return false in that case.
As a special case, EWOULDBLOCK and EAGAIN on non-blocking streams
should not be regarded as error conditions, and be reported as
successful zero-length reads/writes instead. The handling of EINTR
remains unclear and is internally inconsistent (e.g. some code-paths
will automatically retry on EINTR, while some won't).
I'm landing this now to make sure the stream wrapper ops API changes
make it into 7.4 -- however, if the user-facing changes turn out to
be problematic we have the option of clamping negative returns to
zero in php_stream_read() and php_stream_write() to restore the
old behavior in a relatively non-intrusive manner.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Last usage removed via 6a813634052710f3f4bf6e2e03ca1b6c7be3bcee.
Closes GH-4455
|
| |\ \ \
| |/ / |
|
| | |\ \
| | |/ |
|
| | | | |
|
| |\ \ \
| |/ / |
|
| | |\ \
| | |/ |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | | |
X509_STORE_add_cert() increments the refcount of the cert, so we
should free it here.
|
| |\ \ \
| |/ / |
|
| | |\ \
| | |/ |
|
| | | | |
|
| | | | |
|
