
Commit bf8cd61

committed
Add $salt_length param to openssl_sign and related constants
This is needed by some applications; a custom TLS implementation is one example.
1 parent f16ef85 commit bf8cd61


4 files changed

+56
-4
lines changed


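--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -4026,6 +4026,27 @@ static zend_result php_openssl_setup_rsa_padding(EVP_PKEY_CTX *pctx, EVP_PKEY *p
 return SUCCESS;
 }
 
+static int php_openssl_setup_rsa_pss_salt_length(EVP_PKEY_CTX *pctx, EVP_PKEY *pkey, zend_long padding, zend_long salt_length)
+{
+/* Only apply if using PSS padding */
+if (padding != RSA_PKCS1_PSS_PADDING) {
+return SUCCESS;
+}
+
+/* Only apply to RSA keys */
+if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA && EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA_PSS) {
+return SUCCESS;
+}
+
+if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, (int)salt_length) <= 0) {
+php_openssl_store_errors();
+php_error_docref(NULL, E_WARNING, "Could not set RSA-PSS salt length");
+return FAILURE;
+}
+
+return SUCCESS;
+}
+
 /* {{{ Signs data */
 PHP_FUNCTION(openssl_sign)
 {
@@ -4039,16 +4060,18 @@ PHP_FUNCTION(openssl_sign)
 zend_long method_long = OPENSSL_ALGO_SHA1;
 const EVP_MD *mdtype;
 zend_long padding = 0;
+zend_long salt_length = RSA_PSS_SALTLEN_AUTO;
 EVP_PKEY_CTX *pctx;
 bool can_default_digest = ZEND_THREEWAY_COMPARE(PHP_OPENSSL_API_VERSION, 0x30000) >= 0;
 
-ZEND_PARSE_PARAMETERS_START(3, 5)
+ZEND_PARSE_PARAMETERS_START(3, 6)
 Z_PARAM_STRING(data, data_len)
 Z_PARAM_ZVAL(signature)
 Z_PARAM_ZVAL(key)
 Z_PARAM_OPTIONAL
 Z_PARAM_STR_OR_LONG(method_str, method_long)
 Z_PARAM_LONG(padding)
+Z_PARAM_LONG(salt_length)
 ZEND_PARSE_PARAMETERS_END();
 
 pkey = php_openssl_pkey_from_zval(key, 0, "", 0, 3);
@@ -4069,12 +4092,14 @@ PHP_FUNCTION(openssl_sign)
 php_error_docref(NULL, E_WARNING, "Unknown digest algorithm");
 RETURN_FALSE;
 }
+PHP_OPENSSL_CHECK_LONG_TO_INT(salt_length, salt_length, 6);
 
 md_ctx = EVP_MD_CTX_create();
 size_t siglen;
 if (md_ctx != NULL &&
 EVP_DigestSignInit(md_ctx, &pctx, mdtype, NULL, pkey) &&
 php_openssl_setup_rsa_padding(pctx, pkey, padding) == SUCCESS &&
+php_openssl_setup_rsa_pss_salt_length(pctx, pkey, padding, salt_length) == SUCCESS &&
 EVP_DigestSign(md_ctx, NULL, &siglen, (unsigned char*)data, data_len) &&
 (sigbuf = zend_string_alloc(siglen, 0)) != NULL &&
 EVP_DigestSign(md_ctx, (unsigned char*)ZSTR_VAL(sigbuf), &siglen, (unsigned char*)data, data_len)) {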
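Review bot: The range check `PHP_OPENSSL_CHECK_LONG_TO_INT(salt_length, salt_length, 6);` in the third hunk runs after `php_openssl_pkey_from_zval()` and the digest lookup, so an out-of-range sixth argument is rejected only once the private key has been loaded; if the macro returns early (its definition is not on this page), that path would also skip whatever releases `pkey`. Moving the check to directly after `ZEND_PARSE_PARAMETERS_END();` rejects the argument before any key material is touched. The new helper is declared `static int` although it returns `SUCCESS`/`FAILURE`; `static zend_result php_openssl_setup_rsa_pss_salt_length(...)` would match `php_openssl_setup_rsa_padding` shown in the first hunk header. The helper also returns `SUCCESS` without using `salt_length` when the padding is not PSS or the key is not RSA, so a caller who pairs a salt length with the wrong padding gets no signal; a header comment such as `/* salt_length is ignored unless padding is RSA_PKCS1_PSS_PADDING and the key is RSA or RSA-PSS */` would make that contract explicit. The body of `openssl_sign` continues outside the last hunk.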

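--- a/ext/openssl/openssl.stub.php
+++ b/ext/openssl/openssl.stub.php
@@ -262,6 +262,22 @@
 */
 const OPENSSL_PKCS1_PSS_PADDING = UNKNOWN;
 
+/**
+* @var int
+* @cvalue RSA_PSS_SALTLEN_DIGEST
+*/
+const OPENSSL_RSA_PSS_SALTLEN_DIGEST = UNKNOWN;
+/**
+* @var int
+* @cvalue RSA_PSS_SALTLEN_AUTO
+*/
+const OPENSSL_RSA_PSS_SALTLEN_AUTO = UNKNOWN;
+/**
+* @var int
+* @cvalue RSA_PSS_SALTLEN_MAX
+*/
+const OPENSSL_RSA_PSS_SALTLEN_MAX = UNKNOWN;
+
 /* Informational stream wrapper constants */
 
 /**
@@ -619,7 +635,7 @@ function openssl_error_string(): string|false {}
 * @param string $signature
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
 */
-function openssl_sign(string $data, &$signature, #[\SensitiveParameter] $private_key, string|int $algorithm = OPENSSL_ALGO_SHA1, int $padding = 0): bool {}
+function openssl_sign(string $data, &$signature, #[\SensitiveParameter] $private_key, string|int $algorithm = OPENSSL_ALGO_SHA1, int $padding = 0, int $salt_length = OPENSSL_RSA_PSS_SALTLEN_AUTO): bool {}
 
 /** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key */
 function openssl_verify(string $data, string $signature, $public_key, string|int $algorithm = OPENSSL_ALGO_SHA1, int $padding = 0): int|false {}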
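Review bot: `openssl_verify()` in the second hunk keeps its five-parameter signature, so a caller can now produce a PSS signature with a chosen salt length but cannot require that length when verifying. Protocols that fix the salt length (the commit message mentions custom TLS) usually want the verifier to enforce it rather than accept whatever length the signature carries; how verification treats the salt length here depends on code outside this page. Consider giving `openssl_verify()` the same `int $salt_length = OPENSSL_RSA_PSS_SALTLEN_AUTO` parameter, or stating in the stub that only signing honours it. The three new constants carry only `@var`/`@cvalue` tags; a one-line description on each, noting that they apply only with `OPENSSL_PKCS1_PSS_PADDING`, would help.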

ext/openssl/openssl_arginfo.h

Lines changed: 5 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

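--- a/ext/openssl/tests/openssl_sign_basic.phpt
+++ b/ext/openssl/tests/openssl_sign_basic.phpt
@@ -7,7 +7,6 @@ openssl
 $data = "Testing openssl_sign()";
 $privkey = "file://" . __DIR__ . "/private_rsa_1024.key";
 $wrong = "wrong";
-
 var_dump(openssl_sign($data, $sign1, $privkey, OPENSSL_ALGO_SHA256));
 var_dump(bin2hex($sign1));
 var_dump(openssl_sign($data, $sign2, $privkey, OPENSSL_ALGO_SHA256));
@@ -17,6 +16,10 @@ var_dump(strlen($sign1));
 var_dump(openssl_sign($data, $sign2, $privkey, OPENSSL_ALGO_SHA256, OPENSSL_PKCS1_PSS_PADDING));
 var_dump(strlen($sign2));
 var_dump($sign1 === $sign2);
+var_dump(openssl_sign($data, $sign3, $privkey, OPENSSL_ALGO_SHA256, OPENSSL_PKCS1_PSS_PADDING, OPENSSL_RSA_PSS_SALTLEN_DIGEST));
+var_dump(strlen($sign3));
+var_dump(openssl_sign($data, $sign4, $privkey, OPENSSL_ALGO_SHA256, OPENSSL_PKCS1_PSS_PADDING, 32));
+var_dump(strlen($sign4));
 var_dump(openssl_sign($data, $sign, $wrong));
 ?>
 --EXPECTF--
@@ -29,6 +32,10 @@ int(128)
 bool(true)
 int(128)
 bool(false)
+bool(true)
+int(128)
+bool(true)
+int(128)
 
 Warning: openssl_sign(): Supplied key param cannot be coerced into a private key in %s on line %d
 bool(false)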
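Review bot: The four added calls in the second hunk assert only `bool(true)` and `int(128)`, and a signature from the 1024-bit test key is 128 bytes whatever the salt length, so the test would still pass if `$salt_length` were ignored. A negative case would pin the behaviour: a salt length too large for this key with SHA-256 should make `openssl_sign()` fail, and a value beyond the C `int` range should hit the argument-6 range check. It would also be worth covering a non-default salt length passed with the default padding, since the C helper silently ignores it there. Until verification can take an expected salt length, these failure paths are the only way this file can show the parameter reaches OpenSSL.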
