From 44a8cf087c489aa0f09e1c44329e5c8de98cf8d1 Mon Sep 17 00:00:00 2001 
From: Peter Kokot Date: Sun, 11 Aug 2024 19:38:34 +0200 Subject: [PATCH 1/3] Enable native SSL support in ext/phar SSL support in ext/phar is enabled either as native (using the system's OpenSSL and its Crypto library linked directly) or as a wrapper provided by ext/openssl. Native OpenSSL support previously couldn't be enabled when building with a shared openssl extension: ./configure --with-openssl=shared --enable-phar=shared or: ./configure --with-openssl=shared --enable-phar Some PHP packages build both of these extensions as shared and it makes sense to provide native OpenSSL support in the phar extension also when the openssl extension is built as shared. A shared phar extension with native OpenSSL enabled now gets libcrypto linked directly: ldd modules/phar.so linux-vdso.so.1 libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 /lib64/ld-linux-x86-64.so.2 The new --with-phar-ssl Autotools configure option enables the SSL support in phar when building without the openssl extension or in edge cases when building with phpize: ./configure --with-phar --with-phar-ssl --without-openssl Windows already includes a similar option (--enable-phar-native-ssl). This links the phar extension with the OpenSSL library on Windows instead of the static libeay32, which is not present in Windows OpenSSL builds anymore. Changed tests: - ext/phar/tests/**/phar_setsignaturealgo2.phpt - needs ext/openssl enabled due to openssl_get_privatekey(). - ext/phar/tests/phar_setsignaturealgo.phpt - test for ext/phar with native OpenSSL support and ext/openssl disabled. 
--- UPGRADING.INTERNALS | 3 + ext/phar/config.m4 | 32 +++--- ext/phar/config.w32 | 11 +-- ext/phar/tests/phar_setsignaturealgo.phpt | 99 +++++++++++++++++++ ext/phar/tests/phar_setsignaturealgo2.phpt | 3 +- .../tests/tar/phar_setsignaturealgo2.phpt | 3 +- .../tests/zip/phar_setsignaturealgo2.phpt | 3 +- 7 files changed, 132 insertions(+), 22 deletions(-) create mode 100644 ext/phar/tests/phar_setsignaturealgo.phpt diff --git a/UPGRADING.INTERNALS b/UPGRADING.INTERNALS index a23cdcf401c9..0cfb933cc7c7 100644 --- a/UPGRADING.INTERNALS +++ b/UPGRADING.INTERNALS @@ -132,6 +132,9 @@ PHP 8.4 INTERNALS UPGRADE NOTES --with-ftp-ssl and --with-mysqlnd-ssl. - New configure option --with-openssl-legacy-provider to enable OpenSSL legacy provider. + - New configure option --with-phar-ssl to explicitly enable SSL support in + phar extension when building without openssl extension. When building with + openssl extension (shared or static), SSL support is enabled implicitly. - COOKIE_IO_FUNCTIONS_T symbol has been removed (use cookie_io_functions_t). - HAVE_SOCKADDR_UN_SUN_LEN symbol renamed to HAVE_STRUCT_SOCKADDR_UN_SUN_LEN. - HAVE_UTSNAME_DOMAINNAME symbol renamed to HAVE_STRUCT_UTSNAME_DOMAINNAME. diff --git a/ext/phar/config.m4 b/ext/phar/config.m4 index bd5f59d37e95..e671fca2d105 100644 --- a/ext/phar/config.m4 +++ b/ext/phar/config.m4 
@@ -4,6 +4,19 @@ PHP_ARG_ENABLE([phar], [Disable phar support])], [yes]) +dnl Empty variable means 'no' (for phpize builds). +AS_VAR_IF([PHP_OPENSSL],, [PHP_OPENSSL=no]) + +PHP_ARG_WITH([phar-ssl], + [whether to enable native OpenSSL support for phar], + [AS_HELP_STRING([--with-phar-ssl], + [Explicitly enable SSL support in phar extension through the OpenSSL library + when building without openssl extension or when using phpize. If the openssl + extension is enabled at the configure step (--with-openssl), SSL is enabled + implicitly regardless of this option.])], + [$PHP_OPENSSL], + [no]) + if test "$PHP_PHAR" != "no"; then PHP_NEW_EXTENSION([phar], m4_normalize([ dirstream.c @@ -18,17 +31,14 @@ if test "$PHP_PHAR" != "no"; then ]), [$ext_shared],, [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1]) - AC_MSG_CHECKING([for phar openssl support]) - if test "$PHP_OPENSSL_SHARED" = "yes"; then - AC_MSG_RESULT([no (shared openssl)]) - else - if test "$PHP_OPENSSL" = "yes"; then - AC_MSG_RESULT([yes]) - AC_DEFINE(PHAR_HAVE_OPENSSL,1,[ ]) - else - AC_MSG_RESULT([no]) - fi - fi + + AS_VAR_IF([PHP_PHAR_SSL], [no],, [ + PHP_SETUP_OPENSSL([PHAR_SHARED_LIBADD], + [AC_DEFINE([PHAR_HAVE_OPENSSL], [1], + [Define to 1 if phar extension has native OpenSSL support.])]) + PHP_SUBST([PHAR_SHARED_LIBADD]) + ]) + PHP_ADD_EXTENSION_DEP(phar, hash) PHP_ADD_EXTENSION_DEP(phar, spl) PHP_ADD_MAKEFILE_FRAGMENT diff --git a/ext/phar/config.w32 b/ext/phar/config.w32 index 3f935eab235f..0d5fb768daed 100644 --- a/ext/phar/config.w32 +++ b/ext/phar/config.w32 
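Review bot: The `--with-phar-ssl` help string in the first config.m4 hunk says SSL is enabled "implicitly regardless of this option" when `--with-openssl` is given, but the second hunk's `AS_VAR_IF([PHP_PHAR_SSL], [no],, [...])` tests only `PHP_PHAR_SSL`. An explicit `--without-phar-ssl` would therefore presumably skip `PHP_SETUP_OPENSSL` and leave `PHAR_HAVE_OPENSSL` undefined even with ext/openssl enabled, so phar signature handling would fall back to the ext/openssl wrapper. Either reword the help text to say the option merely defaults to the value of `--with-openssl`, or also test `PHP_OPENSSL` in the condition so that the code matches the documented behaviour. The top-level `AS_VAR_IF([PHP_OPENSSL],, [PHP_OPENSSL=no])` also writes another extension's variable before the `PHP_PHAR` check. Its comment could say that the default relies on ext/openssl's configure fragment having been evaluated first, if that is indeed the assumption.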
@@ -13,14 +13,9 @@ if (PHP_PHAR != "no") { ADD_FLAG("CFLAGS_PHAR", "/D COMPILE_DL_PHAR "); } if (PHP_PHAR_NATIVE_SSL != "no") { - if (CHECK_LIB("libeay32st.lib", "phar")) { - /* We don't really need GDI for this, but there's no - way to avoid linking it in the static openssl build */ - ADD_FLAG("LIBS_PHAR", "libeay32st.lib gdi32.lib"); - if (PHP_DEBUG == "no") { - /* Silence irrelevant-to-us warning in release builds */ - ADD_FLAG("LDFLAGS_PHAR", "/IGNORE:4089 "); - } + var ret = SETUP_OPENSSL("phar", PHP_PHAR); + + if (ret >= 2) { AC_DEFINE('PHAR_HAVE_OPENSSL', 1); STDOUT.WriteLine(' Native OpenSSL support in Phar enabled'); } else { diff --git a/ext/phar/tests/phar_setsignaturealgo.phpt b/ext/phar/tests/phar_setsignaturealgo.phpt new file mode 100644 index 000000000000..6ce84364ecff --- /dev/null +++ b/ext/phar/tests/phar_setsignaturealgo.phpt 
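Review bot: The new `if (ret >= 2)` test depends on a return-code convention of `SETUP_OPENSSL()` that is not explained here. A one-line comment such as `// SETUP_OPENSSL() returns >= 2 only when usable OpenSSL libraries were found (confirm against confutils.js)` would keep the threshold from looking arbitrary. The call passes `PHP_PHAR` as its second argument; if that parameter is meant to be a search path or an OpenSSL-related setting, the phar enable value is probably not what should go there, which is worth confirming. The `else` branch continues outside this hunk, so I cannot see whether a failed lookup aborts or only warns. For a build that explicitly asked for native SSL, a hard error is safer than silently producing a phar that handles OpenSSL signatures only when ext/openssl is loaded.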
@@ -0,0 +1,99 @@ +--TEST-- +Phar::setSignatureAlgorithm() with native OpenSSL and without ext/openssl +--EXTENSIONS-- +phar +--SKIPIF-- + +--INI-- +phar.require_hash=0 +phar.readonly=0 +--FILE-- +getSignature()); +$p->setSignatureAlgorithm(Phar::MD5); +var_dump($p->getSignature()); +$p->setSignatureAlgorithm(Phar::SHA1); +var_dump($p->getSignature()); +try { +$p->setSignatureAlgorithm(Phar::SHA256); +var_dump($p->getSignature()); +} catch (Exception $e) { +echo $e->getMessage(); +} +try { +$p->setSignatureAlgorithm(Phar::SHA512); +var_dump($p->getSignature()); +} catch (Exception $e) { +echo $e->getMessage(); +} +try { +$pkey = '-----BEGIN PRIVATE KEY----- +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMDcANSIpkgSF6Rh +KHM8JncsVuCsO5XjiMf3g50lB+poJAG9leoygbVtY55h9tzeI7SAdZbdIoHbtJ/V +kGdzlzX5jMGbH1sWKk5fZbai4pLZigd4ihH2V4M27jKrAGy6CAU8ZU/Ez2KQQj5g +A4ZVMJ3iZXlqCmRWwcs0lZvP+c9XAgMBAAECgYAaJLioFu4TjwBNdC47kMfWF9if +FDnvk6yTDuZ0gvSTvhJDeiO8X6Rdp7p9WeJRBnvomBFYphlraREPKbAtlenFVuIY +v10O9BjxkQ0O1Y7L2ztMO3E2LFtmWgoGimAnsbUHTkuB61Hd2AWdA7C357eQ67vZ +GlLu2HIFpSbzMcJFIQJBAPD6Hm7ETuL0ILwofImXAahHbwpmCtKmjvjJaFD5vWXP +FD6uTbBOgUP+n5Y17+d/vxhSX9yrQueAIodju3bbxUsCQQDM4fMCO4OUYbMroql7 +ruIqBd34akrA+v2JoV+bMAE6RHBC6DgsI3uySbMJfmnPGoxlbXE0gKN4ONawwDd3 +gTKlAkEAnJc8DWidhpdzajG488Pf/NUmkBBNOiOnxn1Cv1P6Ql01X6HutAHfuCqO +05KLKdj2ebyVtJTJrhuy1F33pL4dTwJBAKnIEB3ofahnshdV64cALJFQXVpvktUK +6TG1Vcn/ZPUJI9J+J5aELQxYwJH8fOhQAspGgEpW06Bb0aWVFCHnIbUCQBFVhu+P +RcHLpdSl7lZmws1bCnDUmt5GzKBw9diHxuyfGEJ0c0clDTWVEMyO80u0jxrliMkT +8h5bvpPaY8KIlkg= +-----END PRIVATE KEY-----'; +$p->setSignatureAlgorithm(Phar::OPENSSL, $pkey); +var_dump($p->getSignature()); +} catch (Exception $e) { +echo $e->getMessage(); +} +?> +--CLEAN-- + +--EXPECTF-- +array(2) { + ["hash"]=> + string(%d) "%s" + ["hash_type"]=> + string(7) "SHA-256" +} +array(2) { + ["hash"]=> + string(%d) "%s" + ["hash_type"]=> + string(3) "MD5" +} +array(2) { + ["hash"]=> + string(%d) "%s" + ["hash_type"]=> + string(5) "SHA-1" +} +array(2) { + 
["hash"]=> + string(%d) "%s" + ["hash_type"]=> + string(7) "SHA-256" +} +array(2) { + ["hash"]=> + string(%d) "%s" + ["hash_type"]=> + string(7) "SHA-512" +} +array(2) { + ["hash"]=> + string(%d) "%s" + ["hash_type"]=> + string(7) "OpenSSL" +} diff --git a/ext/phar/tests/phar_setsignaturealgo2.phpt b/ext/phar/tests/phar_setsignaturealgo2.phpt index 4f31836fbbbc..de868c2a47ca 100644 --- a/ext/phar/tests/phar_setsignaturealgo2.phpt +++ b/ext/phar/tests/phar_setsignaturealgo2.phpt @@ -1,6 +1,7 @@ --TEST-- -Phar::setSupportedSignatures() with hash +Phar::setSignatureAlgorithm() with hash --EXTENSIONS-- +openssl phar --SKIPIF-- Date: Mon, 12 Aug 2024 15:38:45 +0200 Subject: [PATCH 2/3] Adjust CS in phar_setsignaturealgo.phpt - try/catch blocks indented - $pkey variable assignment moved outside of the try body --- ext/phar/tests/phar_setsignaturealgo.phpt | 24 +++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/ext/phar/tests/phar_setsignaturealgo.phpt b/ext/phar/tests/phar_setsignaturealgo.phpt index 6ce84364ecff..7aa0d093d5a6 100644 --- a/ext/phar/tests/phar_setsignaturealgo.phpt +++ b/ext/phar/tests/phar_setsignaturealgo.phpt @@ -21,19 +21,21 @@ $p->setSignatureAlgorithm(Phar::MD5); var_dump($p->getSignature()); $p->setSignatureAlgorithm(Phar::SHA1); var_dump($p->getSignature()); + try { -$p->setSignatureAlgorithm(Phar::SHA256); -var_dump($p->getSignature()); + $p->setSignatureAlgorithm(Phar::SHA256); + var_dump($p->getSignature()); } catch (Exception $e) { -echo $e->getMessage(); + echo $e->getMessage(); } + try { -$p->setSignatureAlgorithm(Phar::SHA512); -var_dump($p->getSignature()); + $p->setSignatureAlgorithm(Phar::SHA512); + var_dump($p->getSignature()); } catch (Exception $e) { -echo $e->getMessage(); + echo $e->getMessage(); } -try { + $pkey = '-----BEGIN PRIVATE KEY----- MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMDcANSIpkgSF6Rh KHM8JncsVuCsO5XjiMf3g50lB+poJAG9leoygbVtY55h9tzeI7SAdZbdIoHbtJ/V 
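Review bot: In the new ext/phar/tests/phar_setsignaturealgo.phpt (patch 1/3) every step asserts only the `hash_type` string returned by `getSignature()`, so the native OpenSSL verification path that this change enables is never exercised. After the `Phar::OPENSSL` step, consider writing the matching public key next to the archive as its `.pubkey` file, reopening the archive, and asserting that it loads while a copy with a modified signature is rejected. The embedded key appears to be a 1024-bit RSA key, so a comment above `$pkey` such as `// Test-only 1024-bit RSA key, generated for this test; do not reuse.` would stop it from being mistaken for a real credential. The `--SKIPIF--` body is not visible on this page, so I cannot tell whether the test is skipped when phar was built without native OpenSSL; if it is not, the last block will fail on those builds.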
@@ -50,10 +52,12 @@ gTKlAkEAnJc8DWidhpdzajG488Pf/NUmkBBNOiOnxn1Cv1P6Ql01X6HutAHfuCqO RcHLpdSl7lZmws1bCnDUmt5GzKBw9diHxuyfGEJ0c0clDTWVEMyO80u0jxrliMkT 8h5bvpPaY8KIlkg= -----END PRIVATE KEY-----'; -$p->setSignatureAlgorithm(Phar::OPENSSL, $pkey); -var_dump($p->getSignature()); + +try { + $p->setSignatureAlgorithm(Phar::OPENSSL, $pkey); + var_dump($p->getSignature()); } catch (Exception $e) { -echo $e->getMessage(); + echo $e->getMessage(); } ?> --CLEAN-- From 2b8a6ae27f3d14e7c079fc6780b14968e4c4da54 Mon Sep 17 00:00:00 2001 From: Peter Kokot Date: Fri, 23 Aug 2024 23:01:27 +0200 Subject: [PATCH 3/3] Exclude --phar-native-ssl from snapshot builds --- ext/phar/config.w32 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/phar/config.w32 b/ext/phar/config.w32 index 0d5fb768daed..05b50acaa1fa 100644 --- a/ext/phar/config.w32 +++ b/ext/phar/config.w32 @@ -12,7 +12,7 @@ if (PHP_PHAR != "no") { if (PHP_PHAR_SHARED || (PHP_PHAR_NATIVE_SSL_SHARED && PHP_SNAPSHOT_BUILD == "no")) { ADD_FLAG("CFLAGS_PHAR", "/D COMPILE_DL_PHAR "); } - if (PHP_PHAR_NATIVE_SSL != "no") { + if (PHP_PHAR_NATIVE_SSL != "no" && PHP_SNAPSHOT_BUILD == "no") { var ret = SETUP_OPENSSL("phar", PHP_PHAR); if (ret >= 2) {
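Review bot: The added `&& PHP_SNAPSHOT_BUILD == "no"` in ext/phar/config.w32 (patch 3/3) makes an explicit `--enable-phar-native-ssl` a silent no-op in snapshot builds, because the enabled/failed messages sit inside the block that is now skipped (its `else` lies outside this hunk, so this is inferred). A short comment above the condition should say why snapshot builds are excluded, since the reason is not visible in the code. It would also help to print a `STDOUT.WriteLine` notice when the option was requested but skipped, so that packagers know the resulting phar handles OpenSSL-signed archives only through ext/openssl.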