From 719da60e09e3330ee7789e0ff1775f106dcc7568 Mon Sep 17 00:00:00 2001 From: Peter Kokot Date: Sun, 25 Aug 2024 17:40:19 +0200 Subject: [PATCH] Remove native SSL support in phar extension SSL support in phar extension is enabled when the PHP openssl extension is loaded, so there isn't any reason to have a separate native SSL support in phar extension. This removes the PHAR_HAVE_OPENSSL preprocessor macro from the PHP configuration header and the configure option --enable-phar-native-ssl on Windows. Also, the static libeay32 is not present in Windows OpenSSL builds anymore. The duplicate COMPILE_DL_PHAR compile definition is also removed as is already automatically defined in win32/build/confutils.js by the EXTENSION() function. Supersedes and closes GH-14578 --- UPGRADING | 4 + UPGRADING.INTERNALS | 3 +- ext/phar/config.m4 | 9 -- ext/phar/config.w32 | 31 +------ ext/phar/phar.c | 6 +- ext/phar/phar_object.c | 7 +- ext/phar/util.c | 188 +---------------------------------------- 7 files changed, 14 insertions(+), 234 deletions(-) diff --git a/UPGRADING b/UPGRADING index 88d022c2421d..a297bb022afb 100644 --- a/UPGRADING +++ b/UPGRADING @@ -907,6 +907,10 @@ PHP 8.4 UPGRADE NOTES - PgSQL: . The pgsql extension now requires at least libpq 10.0. +- Phar: + . Native SSL support in phar extension has been removed in favor of phar SSL + support through the PHP openssl extension. + - Reflection: . The class constants are typed now. diff --git a/UPGRADING.INTERNALS b/UPGRADING.INTERNALS index 85b0da4cf00c..cc5e25f9e54a 100644 --- a/UPGRADING.INTERNALS +++ b/UPGRADING.INTERNALS @@ -119,6 +119,7 @@ PHP 8.4 INTERNALS UPGRADE NOTES - Symbol HAVE_LIBM has been removed. - Symbol HAVE_INET_ATON has been removed. - Symbol HAVE_SIGSETJMP has been removed. + - Symbol PHAR_HAVE_OPENSSL has been removed. - The Zend/zend_istdiostream.h header has been removed. b. Unix build system changes 
@@ -213,7 +214,7 @@ PHP 8.4 INTERNALS UPGRADE NOTES c. Windows build system changes - The configure options --with-oci8-11g, --with-oci8-12c, --with-oci8-19, - --enable-apache2-2handler have been removed. + --enable-apache2-2handler, --enable-phar-native-ssl have been removed. - The configure option --enable-apache2-4handler is now an alias for the preferred --enable-apache2handler. - Added Bison flag '-Wall' when generating lexer files as done in *nix build diff --git a/ext/phar/config.m4 b/ext/phar/config.m4 index 66b4b318e92a..c9c411c5ec08 100644 --- a/ext/phar/config.m4 +++ b/ext/phar/config.m4 @@ -19,15 +19,6 @@ if test "$PHP_PHAR" != "no"; then [$ext_shared],, [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1]) - AC_MSG_CHECKING([for phar openssl support]) - AS_VAR_IF([PHP_OPENSSL_SHARED], [yes], - [AC_MSG_RESULT([no (shared openssl)])], - [AS_VAR_IF([PHP_OPENSSL], [yes], [ - AC_MSG_RESULT([yes]) - AC_DEFINE([PHAR_HAVE_OPENSSL], [1], - [Define to 1 if phar extension has native OpenSSL support.]) - ], [AC_MSG_RESULT([no])])]) - PHP_ADD_EXTENSION_DEP(phar, hash) PHP_ADD_EXTENSION_DEP(phar, spl) PHP_ADD_MAKEFILE_FRAGMENT diff --git a/ext/phar/config.w32 b/ext/phar/config.w32 index 3f935eab235f..ec2161868d21 100644 --- a/ext/phar/config.w32 +++ b/ext/phar/config.w32 
@@ -1,39 +1,10 @@ // vim:ft=javascript ARG_ENABLE("phar", "disable phar support", "yes"); -ARG_ENABLE("phar-native-ssl", "enable phar with native OpenSSL support", "no"); - -if (PHP_PHAR_NATIVE_SSL != "no") { - PHP_PHAR = PHP_PHAR_NATIVE_SSL; -} if (PHP_PHAR != "no") { EXTENSION("phar", "dirstream.c func_interceptors.c phar.c phar_object.c phar_path_check.c stream.c tar.c util.c zip.c", PHP_PHAR_SHARED, "/DZEND_ENABLE_STATIC_TSRMLS_CACHE=1"); - if (PHP_PHAR_SHARED || (PHP_PHAR_NATIVE_SSL_SHARED && PHP_SNAPSHOT_BUILD == "no")) { - ADD_FLAG("CFLAGS_PHAR", "/D COMPILE_DL_PHAR "); - } - if (PHP_PHAR_NATIVE_SSL != "no") { - if (CHECK_LIB("libeay32st.lib", "phar")) { - /* We don't really need GDI for this, but there's no - way to avoid linking it in the static openssl build */ - ADD_FLAG("LIBS_PHAR", "libeay32st.lib gdi32.lib"); - if (PHP_DEBUG == "no") { - /* Silence irrelevant-to-us warning in release builds */ - ADD_FLAG("LDFLAGS_PHAR", "/IGNORE:4089 "); - } - AC_DEFINE('PHAR_HAVE_OPENSSL', 1); - STDOUT.WriteLine(' Native OpenSSL support in Phar enabled'); - } else { - WARNING('Could not enable native OpenSSL support in Phar'); - } - } else { - if (PHP_OPENSSL != "no" && !PHP_OPENSSL_SHARED && !PHP_PHAR_SHARED) { - AC_DEFINE('PHAR_HAVE_OPENSSL', 1); - STDOUT.WriteLine(' Native OpenSSL support in Phar enabled'); - } else { - STDOUT.WriteLine(' Native OpenSSL support in Phar disabled'); - } - } + ADD_EXTENSION_DEP('phar', 'hash'); ADD_EXTENSION_DEP('phar', 'spl'); PHP_INSTALL_HEADERS("ext/phar", "php_phar.h"); diff --git a/ext/phar/phar.c b/ext/phar/phar.c index 99767468ee71..b5f76b1063ca 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c 
@@ -3585,15 +3585,13 @@ PHP_MINFO_FUNCTION(phar) /* {{{ */ } else { php_info_print_table_row(2, "bzip2 compression", "disabled (install ext/bz2)"); } -#ifdef PHAR_HAVE_OPENSSL - php_info_print_table_row(2, "Native OpenSSL support", "enabled"); -#else + if (zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1)) { php_info_print_table_row(2, "OpenSSL support", "enabled"); } else { php_info_print_table_row(2, "OpenSSL support", "disabled (install ext/openssl)"); } -#endif + php_info_print_table_end(); php_info_print_box_start(0); diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c index 0d992a6dd7f6..8bf418c75ff2 100644 --- a/ext/phar/phar_object.c +++ b/ext/phar/phar_object.c @@ -1255,17 +1255,12 @@ PHP_METHOD(Phar, getSupportedSignatures) add_next_index_stringl(return_value, "SHA-1", 5); add_next_index_stringl(return_value, "SHA-256", 7); add_next_index_stringl(return_value, "SHA-512", 7); -#ifdef PHAR_HAVE_OPENSSL - add_next_index_stringl(return_value, "OpenSSL", 7); - add_next_index_stringl(return_value, "OpenSSL_SHA256", 14); - add_next_index_stringl(return_value, "OpenSSL_SHA512", 14); -#else + if (zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1)) { add_next_index_stringl(return_value, "OpenSSL", 7); add_next_index_stringl(return_value, "OpenSSL_SHA256", 14); add_next_index_stringl(return_value, "OpenSSL_SHA512", 14); } -#endif } /* }}} */ diff --git a/ext/phar/util.c b/ext/phar/util.c index e49e15aee9cc..3e1a885a5fea 100644 --- a/ext/phar/util.c +++ b/ext/phar/util.c 
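Review bot: The loaded-extension probe `zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1)` is now written out verbatim in PHP_MINFO_FUNCTION(phar) here, again in Phar::getSupportedSignatures in the next hunk, and a third time, negated, in phar_verify_signature in util.c; the three copies have to agree, so one helper would be preferable, e.g. `static inline bool phar_openssl_loaded(void) { return zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1); }` in an internal phar header, with the three sites calling it. The MINFO row label also changes for builds that previously printed "Native OpenSSL support", so anything that parses phpinfo() output for that string will stop matching; the UPGRADING entry in this patch could mention the new "OpenSSL support" row. Both enclosing functions continue outside their hunks.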
@@ -24,21 +24,7 @@ #include "ext/hash/php_hash_sha.h" #include "ext/standard/md5.h" -#ifdef PHAR_HAVE_OPENSSL -/* OpenSSL includes */ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#else static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, uint32_t sig_type); -#endif /* for links to relative location, prepend cwd of the entry */ static char *phar_get_link_location(phar_entry_info *entry) /* {{{ */ @@ -1439,7 +1425,6 @@ static int phar_hex_str(const char *digest, size_t digest_len, char **signature) } /* }}} */ -#ifndef PHAR_HAVE_OPENSSL static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, uint32_t sig_type) /* {{{ */ { zend_fcall_info fci; @@ -1538,7 +1523,6 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t } } /* }}} */ -#endif /* #ifndef PHAR_HAVE_OPENSSL */ zend_result phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type, char *sig, size_t sig_len, char *fname, char **signature, size_t *signature_len, char **error) /* {{{ */ { 
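Review bot: The forward declaration of phar_call_openssl_signverify that this hunk makes unconditional is still undocumented, and now that the EVP-based branch is gone it is the only OpenSSL signing and verification route left in util.c, so its contract belongs at the prototype. From the phar_verify_signature call site it takes `is_sign` as a mode flag, a PEM key with its length, an in/out `signature`/`signature_len` pair and the sig_type constant, and returns SUCCESS or FAILURE; a comment such as `/* Sign (is_sign != 0) or verify the stream contents up to `end` with the given PEM key by calling into the openssl extension; returns SUCCESS or FAILURE and reports the signature through *signature/*signature_len. */` would cover it, with the range and the ownership of *signature confirmed against the definition, whose body lies outside the second hunk. The now-empty `/* }}} */` fold marker after the definition still matches its opening, which is fine.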
@@ -1552,33 +1536,18 @@ zend_result phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t s case PHAR_SIG_OPENSSL_SHA512: case PHAR_SIG_OPENSSL_SHA256: case PHAR_SIG_OPENSSL: { -#ifdef PHAR_HAVE_OPENSSL - BIO *in; - EVP_PKEY *key; - const EVP_MD *mdtype; - EVP_MD_CTX *md_ctx; - - if (sig_type == PHAR_SIG_OPENSSL_SHA512) { - mdtype = EVP_sha512(); - } else if (sig_type == PHAR_SIG_OPENSSL_SHA256) { - mdtype = EVP_sha256(); - } else { - mdtype = EVP_sha1(); - } -#else size_t tempsig; -#endif zend_string *pubkey = NULL; char *pfile; php_stream *pfp; -#ifndef PHAR_HAVE_OPENSSL + if (!zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1)) { if (error) { spprintf(error, 0, "openssl not loaded"); } return FAILURE; } -#endif + /* use __FILE__ . '.pubkey' for public key file */ spprintf(&pfile, 0, "%s.pubkey", fname); pfp = php_stream_open_wrapper(pfile, "rb", 0, NULL); @@ -1595,7 +1564,7 @@ zend_result phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t s } php_stream_close(pfp); -#ifndef PHAR_HAVE_OPENSSL + tempsig = sig_len; if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, ZSTR_VAL(pubkey), ZSTR_LEN(pubkey), &sig, &tempsig, sig_type)) { 
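Review bot: The `openssl not loaded` failure at the top of the PHAR_SIG_OPENSSL* case now applies to every build, including ones that were previously compiled with PHAR_HAVE_OPENSSL and could verify OpenSSL-signed archives without ext/openssl being loaded; after this change such archives fail verification unless the openssl extension is loaded first, and with a shared ext/openssl that depends on extension load order. That is a behaviour change for deployments that relied on the native path, so the UPGRADING entry in this patch should say so rather than only noting the removal, e.g. `. Verifying OpenSSL-signed phars now requires the openssl extension to be loaded; otherwise verification fails with "openssl not loaded".` Verification now always goes through phar_call_openssl_signverify (second hunk, whose call continues past the hunk's last line), so the outcome depends on the openssl extension's own function rather than a direct libcrypto call. phar_verify_signature starts and ends outside these hunks.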
@@ -1611,76 +1580,6 @@ zend_result phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t s zend_string_release_ex(pubkey, 0); sig_len = tempsig; -#else - in = BIO_new_mem_buf(ZSTR_VAL(pubkey), ZSTR_LEN(pubkey)); - - if (NULL == in) { - zend_string_release_ex(pubkey, 0); - if (error) { - spprintf(error, 0, "openssl signature could not be processed"); - } - return FAILURE; - } - - key = PEM_read_bio_PUBKEY(in, NULL, NULL, NULL); - BIO_free(in); - zend_string_release_ex(pubkey, 0); - - if (NULL == key) { - if (error) { - spprintf(error, 0, "openssl signature could not be processed"); - } - return FAILURE; - } - - md_ctx = EVP_MD_CTX_create(); - if (!md_ctx || !EVP_VerifyInit(md_ctx, mdtype)) { - if (md_ctx) { - EVP_MD_CTX_destroy(md_ctx); - } - if (error) { - spprintf(error, 0, "openssl signature could not be verified"); - } - return FAILURE; - } - read_len = end_of_phar; - - if ((size_t)read_len > sizeof(buf)) { - read_size = sizeof(buf); - } else { - read_size = (size_t)read_len; - } - - php_stream_seek(fp, 0, SEEK_SET); - - while (read_size && (len = php_stream_read(fp, (char*)buf, read_size)) > 0) { - if (UNEXPECTED(EVP_VerifyUpdate (md_ctx, buf, len) == 0)) { - goto failure; - } - read_len -= (zend_off_t)len; - - if (read_len < read_size) { - read_size = (size_t)read_len; - } - } - - if (EVP_VerifyFinal(md_ctx, (unsigned char *)sig, sig_len, key) != 1) { - failure: - /* 1: signature verified, 0: signature does not match, -1: failed signature operation */ - EVP_PKEY_free(key); - EVP_MD_CTX_destroy(md_ctx); - - if (error) { - spprintf(error, 0, "broken openssl signature"); - } - - return FAILURE; - } - - EVP_PKEY_free(key); - EVP_MD_CTX_destroy(md_ctx); -#endif - *signature_len = phar_hex_str((const char*)sig, sig_len, signature); } break; 
@@ -1904,85 +1803,6 @@ zend_result phar_create_signature(phar_archive_data *phar, php_stream *fp, char case PHAR_SIG_OPENSSL_SHA256: case PHAR_SIG_OPENSSL: { unsigned char *sigbuf; -#ifdef PHAR_HAVE_OPENSSL - unsigned int siglen; - BIO *in; - EVP_PKEY *key; - EVP_MD_CTX *md_ctx; - const EVP_MD *mdtype; - - if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA512) { - mdtype = EVP_sha512(); - } else if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA256) { - mdtype = EVP_sha256(); - } else { - mdtype = EVP_sha1(); - } - - in = BIO_new_mem_buf(PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len)); - - if (in == NULL) { - if (error) { - spprintf(error, 0, "unable to write to phar \"%s\" with requested openssl signature", phar->fname); - } - return FAILURE; - } - - key = PEM_read_bio_PrivateKey(in, NULL,NULL, ""); - BIO_free(in); - - if (!key) { - if (error) { - spprintf(error, 0, "unable to process private key"); - } - return FAILURE; - } - - md_ctx = EVP_MD_CTX_create(); - if (md_ctx == NULL) { - EVP_PKEY_free(key); - if (error) { - spprintf(error, 0, "unable to initialize openssl signature for phar \"%s\"", phar->fname); - } - return FAILURE; - } - - siglen = EVP_PKEY_size(key); - sigbuf = emalloc(siglen + 1); - - if (!EVP_SignInit(md_ctx, mdtype)) { - EVP_PKEY_free(key); - efree(sigbuf); - if (error) { - spprintf(error, 0, "unable to initialize openssl signature for phar \"%s\"", phar->fname); - } - return FAILURE; - } - - while ((sig_len = php_stream_read(fp, (char*)buf, sizeof(buf))) > 0) { - if (!EVP_SignUpdate(md_ctx, buf, sig_len)) { - EVP_PKEY_free(key); - efree(sigbuf); - if (error) { - spprintf(error, 0, "unable to update the openssl signature for phar \"%s\"", phar->fname); - } - return FAILURE; - } - } - - if (!EVP_SignFinal (md_ctx, sigbuf, &siglen, key)) { - EVP_PKEY_free(key); - efree(sigbuf); - if (error) { - spprintf(error, 0, "unable to write phar \"%s\" with requested openssl signature", phar->fname); - } - return FAILURE; - } - - sigbuf[siglen] = '\0'; - 
EVP_PKEY_free(key); - EVP_MD_CTX_destroy(md_ctx); -#else size_t siglen; sigbuf = NULL; siglen = 0; @@ -1994,7 +1814,7 @@ zend_result phar_create_signature(phar_archive_data *phar, php_stream *fp, char } return FAILURE; } -#endif + *signature = (char *) sigbuf; *signature_length = siglen; }
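Review bot: With the native branch removed, the PHAR_SIG_OPENSSL* case in phar_create_signature declares `unsigned char *sigbuf;` and `size_t siglen;` on separate lines and then assigns `sigbuf = NULL; siglen = 0;` in two further statements, a leftover of the old #ifdef split; the surviving code reads better as `unsigned char *sigbuf = NULL;` and `size_t siglen = 0;`, initialised at the point of declaration. The call that fills them and the `return FAILURE;` path visible in the last hunk are otherwise unchanged. Both hunks lie inside phar_create_signature, whose start and end are outside this view.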