From e0207bffba58a0b7ed40b529debc0d46d896e7a7 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Sat, 28 Sep 2024 14:32:36 +0200
Subject: [PATCH 1/4] Update Windows CI to use php-sdk-2.3.0 php-sdk-2.2.0 still fetches dependencies from the no longer up to date , and as such won't be tested with any security updates we provide for Windows. Given that PHP 8.1 is going to receive security updates for further 15 months, we should should not ignore these dependency updates. We also fix failing OpenSSL tests, which are no longer failing, at least on Windows, because we have back-ported the fix for the Marvin Attack[1]. So we fix the test cases accordingly. [1]
---
 .github/workflows/push.yml | 2 +-
 ext/openssl/tests/openssl_error_string_basic.phpt | 2 +-
 ext/openssl/tests/openssl_private_decrypt_basic.phpt | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index ddb4ee0aaf172..966bdea59371f 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -135,7 +135,7 @@ jobs:
 PHP_BUILD_CACHE_BASE_DIR: C:\build-cache
 PHP_BUILD_OBJ_DIR: C:\obj
 PHP_BUILD_CACHE_SDK_DIR: C:\build-cache\sdk
- PHP_BUILD_SDK_BRANCH: php-sdk-2.2.0
+ PHP_BUILD_SDK_BRANCH: php-sdk-2.3.0
 PHP_BUILD_CRT: vs16
 PLATFORM: x64
 THREAD_SAFE: "1"
diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt
index e4ea264b3bf1f..aabf0b8b4738d 100644
--- a/ext/openssl/tests/openssl_error_string_basic.phpt
+++ b/ext/openssl/tests/openssl_error_string_basic.phpt
@@ -119,7 +119,7 @@ expect_openssl_errors('openssl_pkey_get_public', [$err_pem_no_start_line]);
 expect_openssl_errors('openssl_private_encrypt', ['0408F090']);
 // private decrypt with failed padding check
 @openssl_private_decrypt("data", $crypted, $private_key_file);
-expect_openssl_errors('openssl_private_decrypt', ['04065072']);
+expect_openssl_errors('openssl_private_decrypt', []);
 // public encrypt and decrypt with failed padding check and padding
 @openssl_public_encrypt("data", $crypted, $public_key_file, 1000);
 @openssl_public_decrypt("data", $crypted, $public_key_file);
diff --git a/ext/openssl/tests/openssl_private_decrypt_basic.phpt b/ext/openssl/tests/openssl_private_decrypt_basic.phpt
index ec37aea1614b3..4540d3a239b22 100644
--- a/ext/openssl/tests/openssl_private_decrypt_basic.phpt
+++ b/ext/openssl/tests/openssl_private_decrypt_basic.phpt
@@ -34,8 +34,8 @@ string(32) "Testing openssl_public_decrypt()"
 Warning: openssl_private_decrypt(): key parameter is not a valid private key in %s on line %d
 bool(false)
 NULL
-bool(false)
-NULL
+bool(true)
+string(%d) "%a"
 Key array must be of the form array(0 => key, 1 => phrase)
 bool(true)
 string(32) "Testing openssl_public_decrypt()"
From d384e3f05b7dc319f13b8ff87738a03eacb6c549 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Sat, 28 Sep 2024 19:52:14 +0200
Subject: [PATCH 2/4] Split test for OpenSSL 1 and 3 We use the same naming scheme as with openssl_error_string_basic.phpt.
---
 .../tests/openssl_private_decrypt_basic.phpt | 10 +++--
 ...penssl_private_decrypt_basic_openssl3.phpt | 45 +++++++++++++++++++
 2 files changed, 52 insertions(+), 3 deletions(-)
 create mode 100644 ext/openssl/tests/openssl_private_decrypt_basic_openssl3.phpt
diff --git a/ext/openssl/tests/openssl_private_decrypt_basic.phpt b/ext/openssl/tests/openssl_private_decrypt_basic.phpt
index 4540d3a239b22..c68320a64ca09 100644
--- a/ext/openssl/tests/openssl_private_decrypt_basic.phpt
+++ b/ext/openssl/tests/openssl_private_decrypt_basic.phpt @@ -1,7 +1,11 @@ --TEST-- -openssl_private_decrypt() tests +openssl_private_decrypt() tests (OpenSSL < 3.0) --EXTENSIONS-- openssl +--SKIPIF-- += 0x30000000) die('skip For OpenSSL < 3.0'); +?> --FILE-- key, 1 => phrase) bool(true) string(32) "Testing openssl_public_decrypt()" diff --git a/ext/openssl/tests/openssl_private_decrypt_basic_openssl3.phpt b/ext/openssl/tests/openssl_private_decrypt_basic_openssl3.phpt new file mode 100644 index 0000000000000..f259b644e77b4 --- /dev/null +++ b/ext/openssl/tests/openssl_private_decrypt_basic_openssl3.phpt @@ -0,0 +1,45 @@ +--TEST-- +openssl_private_decrypt() tests (OpenSSL >= 3.0) +--EXTENSIONS-- +openssl +--SKIPIF-- += 3.0'); +?> +--FILE-- +getMessage() . \PHP_EOL; +} + +var_dump(openssl_private_decrypt($encrypted, $output5, array($privkey, ""))); +var_dump($output5); +?> +--EXPECTF-- +bool(true) +string(32) "Testing openssl_public_decrypt()" + +Warning: openssl_private_decrypt(): key parameter is not a valid private key in %s on line %d +bool(false) +NULL +bool(true) +string(%d) "%a" +Key array must be of the form array(0 => key, 1 => phrase) +bool(true) +string(32) "Testing openssl_public_decrypt()" From d8a46e7e2a99c9762c37b5f329bff96243ba9494 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Sat, 28 Sep 2024 20:51:05 +0200 Subject: [PATCH 3/4] Revert changes to test cases --- .../tests/openssl_error_string_basic.phpt | 2 +- .../tests/openssl_private_decrypt_basic.phpt | 6 +-- ...penssl_private_decrypt_basic_openssl3.phpt | 45 ------------------- 3 files changed, 2 insertions(+), 51 deletions(-) delete mode 100644 ext/openssl/tests/openssl_private_decrypt_basic_openssl3.phpt diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt index aabf0b8b4738d..e4ea264b3bf1f 100644 --- a/ext/openssl/tests/openssl_error_string_basic.phpt +++ b/ext/openssl/tests/openssl_error_string_basic.phpt 
@@ -119,7 +119,7 @@ expect_openssl_errors('openssl_pkey_get_public', [$err_pem_no_start_line]); expect_openssl_errors('openssl_private_encrypt', ['0408F090']); // private decrypt with failed padding check @openssl_private_decrypt("data", $crypted, $private_key_file); -expect_openssl_errors('openssl_private_decrypt', []); +expect_openssl_errors('openssl_private_decrypt', ['04065072']); // public encrypt and decrypt with failed padding check and padding @openssl_public_encrypt("data", $crypted, $public_key_file, 1000); @openssl_public_decrypt("data", $crypted, $public_key_file); diff --git a/ext/openssl/tests/openssl_private_decrypt_basic.phpt b/ext/openssl/tests/openssl_private_decrypt_basic.phpt index c68320a64ca09..ec37aea1614b3 100644 --- a/ext/openssl/tests/openssl_private_decrypt_basic.phpt +++ b/ext/openssl/tests/openssl_private_decrypt_basic.phpt @@ -1,11 +1,7 @@ --TEST-- -openssl_private_decrypt() tests (OpenSSL < 3.0) +openssl_private_decrypt() tests --EXTENSIONS-- openssl ---SKIPIF-- -= 0x30000000) die('skip For OpenSSL < 3.0'); -?> --FILE-- = 3.0) ---EXTENSIONS-- -openssl ---SKIPIF-- -= 3.0'); -?> ---FILE-- -getMessage() . \PHP_EOL; -} - -var_dump(openssl_private_decrypt($encrypted, $output5, array($privkey, ""))); -var_dump($output5); -?> ---EXPECTF-- -bool(true) -string(32) "Testing openssl_public_decrypt()" - -Warning: openssl_private_decrypt(): key parameter is not a valid private key in %s on line %d -bool(false) -NULL -bool(true) -string(%d) "%a" -Key array must be of the form array(0 => key, 1 => phrase) -bool(true) -string(32) "Testing openssl_public_decrypt()" From 564e707a6fe6947c2d9ca98e80b499357b333fc9 Mon Sep 17 00:00:00 2001 
From: Jakub Zelenka
Date: Sun, 10 Mar 2024 20:51:22 +0000
Subject: [PATCH 4/4] Fix GH-13620: Failing openssl_private_decrypt tests Use OPENSSL_PKCS1_OAEP_PADDING padding in tests (cherry picked from commit 11caf094f1af6b47ea2138c5fa907838911ebe01)
---
 ext/openssl/tests/openssl_error_string_basic.phpt | 8 ++++----
 .../tests/openssl_error_string_basic_openssl3.phpt | 8 ++++----
 ext/openssl/tests/openssl_private_decrypt_basic.phpt | 12 ++++++------
 3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt
index e4ea264b3bf1f..4b5ca9fd9c042 100644
--- a/ext/openssl/tests/openssl_error_string_basic.phpt
+++ b/ext/openssl/tests/openssl_error_string_basic.phpt
@@ -118,12 +118,12 @@ expect_openssl_errors('openssl_pkey_get_public', [$err_pem_no_start_line]);
 @openssl_private_encrypt("data", $crypted, $private_key_file, 1000);
 expect_openssl_errors('openssl_private_encrypt', ['0408F090']);
 // private decrypt with failed padding check
-@openssl_private_decrypt("data", $crypted, $private_key_file);
-expect_openssl_errors('openssl_private_decrypt', ['04065072']);
+@openssl_private_decrypt("data", $crypted, $private_key_file, OPENSSL_PKCS1_OAEP_PADDING);
+expect_openssl_errors('openssl_private_decrypt', ['04099079']);
 // public encrypt and decrypt with failed padding check and padding
 @openssl_public_encrypt("data", $crypted, $public_key_file, 1000);
-@openssl_public_decrypt("data", $crypted, $public_key_file);
-expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '0408F090', '04067072']);
+@openssl_public_decrypt("data", $crypted, $public_key_file, OPENSSL_PKCS1_OAEP_PADDING);
+expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '0408F090', '06089093']);
 // X509
 echo "X509 errors\n";
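Review bot: The `@openssl_public_decrypt(...)` call under "public encrypt and decrypt with failed padding check and padding" now passes `OPENSSL_PKCS1_OAEP_PADDING`, which is an encryption padding and, as far as I know, not a mode the public-key decrypt path accepts, so the call is presumably rejected before any padding check runs and the comment above it no longer describes what is tested. The same edit is made in the hunk for openssl_error_string_basic_openssl3.phpt, where the expected list shrinks to `[$err_pem_no_start_line, '1C8000A5']`; `'1C8000A5'` is the code already expected from the invalid-padding `openssl_private_encrypt` call a few lines up, so that expectation may not show whether the decrypt queued an error of its own (expect_openssl_errors is defined outside the hunk, so this is inferred). I would reword the comment in both files to `// public encrypt with invalid padding, public decrypt with unsupported padding`. If the PKCS#1 padding check on the public-key path is still meant to be covered, `@openssl_public_decrypt("data", $crypted, $public_key_file);` could stay as it was, since only the private-decrypt expectations needed to change in this series.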
diff --git a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
index d435a53e3047f..2de36d6af0606 100644
--- a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
+++ b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
@@ -121,12 +121,12 @@ expect_openssl_errors('openssl_pkey_get_public', [$err_pem_no_start_line]);
 @openssl_private_encrypt("data", $crypted, $private_key_file, 1000);
 expect_openssl_errors('openssl_private_encrypt', ['1C8000A5']);
 // private decrypt with failed padding check
-@openssl_private_decrypt("data", $crypted, $private_key_file);
-expect_openssl_errors('openssl_private_decrypt', ['0200009F', '02000072']);
+@openssl_private_decrypt("data", $crypted, $private_key_file, OPENSSL_PKCS1_OAEP_PADDING);
+expect_openssl_errors('openssl_private_decrypt', ['02000079']);
 // public encrypt and decrypt with failed padding check and padding
 @openssl_public_encrypt("data", $crypted, $public_key_file, 1000);
-@openssl_public_decrypt("data", $crypted, $public_key_file);
-expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '02000076', '0200008A', '02000072', '1C880004']);
+@openssl_public_decrypt("data", $crypted, $public_key_file, OPENSSL_PKCS1_OAEP_PADDING);
+expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '1C8000A5']);
 // X509
 echo "X509 errors\n";
diff --git a/ext/openssl/tests/openssl_private_decrypt_basic.phpt b/ext/openssl/tests/openssl_private_decrypt_basic.phpt
index ec37aea1614b3..44101d580c02f 100644
--- a/ext/openssl/tests/openssl_private_decrypt_basic.phpt
+++ b/ext/openssl/tests/openssl_private_decrypt_basic.phpt
@@ -9,22 +9,22 @@ $privkey = "file://" . __DIR__ . "/private_rsa_1024.key";
 $pubkey = "file://" . __DIR__ . "/public.key";
 $wrong = "wrong";
-openssl_public_encrypt($data, $encrypted, $pubkey);
-var_dump(openssl_private_decrypt($encrypted, $output, $privkey));
+openssl_public_encrypt($data, $encrypted, $pubkey, OPENSSL_PKCS1_OAEP_PADDING);
+var_dump(openssl_private_decrypt($encrypted, $output, $privkey, OPENSSL_PKCS1_OAEP_PADDING));
 var_dump($output);
-var_dump(openssl_private_decrypt($encrypted, $output2, $wrong));
+var_dump(openssl_private_decrypt($encrypted, $output2, $wrong, OPENSSL_PKCS1_OAEP_PADDING));
 var_dump($output2);
-var_dump(openssl_private_decrypt($wrong, $output3, $privkey));
+var_dump(openssl_private_decrypt($wrong, $output3, $privkey, OPENSSL_PKCS1_OAEP_PADDING));
 var_dump($output3);
 try {
- var_dump(openssl_private_decrypt($encrypted, $output4, array($privkey)));
+ var_dump(openssl_private_decrypt($encrypted, $output4, array($privkey), OPENSSL_PKCS1_OAEP_PADDING));
 var_dump($output4);
 } catch (\ValueError $e) {
 echo $e->getMessage() . \PHP_EOL;
 }
-var_dump(openssl_private_decrypt($encrypted, $output5, array($privkey, "")));
+var_dump(openssl_private_decrypt($encrypted, $output5, array($privkey, ""), OPENSSL_PKCS1_OAEP_PADDING));
 var_dump($output5);
 ?>
 --EXPECTF--
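Review bot: After this hunk every `openssl_private_decrypt()` call in the file passes `OPENSSL_PKCS1_OAEP_PADDING`, so the default-padding path is no longer exercised and nothing in the test says why. The first patch of this series had to change the expected result for the `$wrong` ciphertext to `bool(true)` / `string(%d) "%a"` under default padding, citing the back-ported Marvin Attack fix; that is the behaviour a caller most needs to know about, because a bad ciphertext may no longer yield `false`. I would add a comment above the `openssl_public_encrypt` line, `// OAEP is requested explicitly: with default PKCS#1 v1.5 padding, OpenSSL builds carrying the Marvin Attack fix return unpredictable data for a bad ciphertext instead of failing`. The --FILE-- section starts before the hunk and the --EXPECTF-- block continues after it.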