php-groups.com | Post Question | Search | About | Groups | Contact | Register | Login


New in This Group

PHP 5.3.2RC1 Testing
12/22/2009 11:48:06 PM

Towards 5.3.2
12/7/2009 1:37:49 PM

Persistent cURL handles.
12/5/2009 6:21:30 PM

Stream: Cast and Seek
12/4/2009 11:01:13 PM

accessing PHPs AST
12/2/2009 5:35:05 PM

An SSH shell like a stream
12/1/2009 9:19:39 PM

Using a stream function into another module
11/27/2009 5:53:52 PM

bug-id ID: 50275
11/24/2009 4:55:30 PM

Bug tracker cannot connect to database
11/20/2009 7:38:07 AM

Proposed 5.3.1 Release announcement
11/19/2009 11:24:43 PM

openssl supported algorithms Reply

Group: php.internals Subscribe Posted:11/24/2009 5:27:22 PM Replies:3 Views:18 Items(3)
--------------090302030801020501040901
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

The openssl extension is way to restrictive in the algorithms it
supports, i.e. no support for SHA265 which is starting to become the
standard algo to use, etc.. Rather than having to always add more
constants and additional logic for any new algorithms, I'd like to
change the sign and verify functions to not only accept the current
integers, but also a string so the EVP_get_digestbyname function can be
used.

So while still supporting something list:
openssl_sign($data, $signature, $priv_key_id, OPENSSL_ALGO_SHA1)

It can also be called using:
openssl_sign($data, $signature, $priv_key_id, "SHA1")
openssl_sign($data, $signature, $priv_key_id, "SHA256")

Attached is a patch to illustrate the change made to the PHP_5_2 branch
(only to the sign function but same change would be made to verify as well).
I'd really like to be able to support the string based algorithm rather
than always having to add constants just for the added flexibility but
in any case we really need to add support for more than what we have
now. Personally I'd also like to see this in 5.2.12 but know that might
be pushing it.

Rob



--------------090302030801020501040901
Content-Type: text/plain;
name="openssl.c.diff.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="openssl.c.diff.txt"

Index: openssl.c
===================================================================
--- openssl.c (revision 291215)
+++ openssl.c (working copy)
@@ -3504,11 +3504,11 @@
}
/* }}} */

-/* {{{ proto bool openssl_sign(string data, &string signature, mixed key[, int signature_alg])
+/* {{{ proto bool openssl_sign(string data, &string signature, mixed key[, mixed signature_alg])
Signs data */
PHP_FUNCTION(openssl_sign)
{
- zval **key, *signature;
+ zval **key, *signature, *digest_algo;
EVP_PKEY *pkey;
int siglen;
unsigned char *sigbuf;
@@ -3516,10 +3516,9 @@
char * data;
int data_len;
EVP_MD_CTX md_ctx;
- long signature_algo = OPENSSL_ALGO_SHA1;
- EVP_MD *mdtype;
+ EVP_MD *mdtype = NULL;

- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "szZ|l", &data, &data_len, &signature, &key, &signature_algo) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "szZ|z!", &data, &data_len, &signature, &key, &digest_algo) == FAILURE) {
return;
}
pkey = php_openssl_evp_from_zval(key, 0, "", 0, &keyresource TSRMLS_CC);
@@ -3528,7 +3527,17 @@
RETURN_FALSE;
}

- mdtype = php_openssl_get_evp_md_from_algo(signature_algo);
+ if ((digest_algo != NULL) && (Z_TYPE_P(digest_algo) == IS_STRING)) {
+ mdtype = EVP_get_digestbyname(Z_STRVAL_P(digest_algo));
+ } else {
+ long signature_algo = OPENSSL_ALGO_SHA1;
+ if ((digest_algo != NULL)) {
+ convert_to_long(digest_algo);
+ signature_algo = Z_LVAL_P(digest_algo);
+ }
+ mdtype = php_openssl_get_evp_md_from_algo(signature_algo);
+ }
+
if (!mdtype) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm.");
RETURN_FALSE;

--------------090302030801020501040901--
rricha...@cdatazone.org (Rob Richards)
11/24/2009 5:27:22 PM




Seems like a no-brainer for 5.3 and trunk. You will have to discuss
with Ilia for 5.2. It seems a bit late in the game for that branch to
get this.

-Rasmus

Rob Richards wrote:
> The openssl extension is way to restrictive in the algorithms it
> supports, i.e. no support for SHA265 which is starting to become the
> standard algo to use, etc.. Rather than having to always add more
> constants and additional logic for any new algorithms, I'd like to
> change the sign and verify functions to not only accept the current
> integers, but also a string so the EVP_get_digestbyname function can be
> used.
>
> So while still supporting something list:
> openssl_sign($data, $signature, $priv_key_id, OPENSSL_ALGO_SHA1)
>
> It can also be called using:
> openssl_sign($data, $signature, $priv_key_id, "SHA1")
> openssl_sign($data, $signature, $priv_key_id, "SHA256")
>
> Attached is a patch to illustrate the change made to the PHP_5_2 branch
> (only to the sign function but same change would be made to verify as
> well).
> I'd really like to be able to support the string based algorithm rather
> than always having to add constants just for the added flexibility but
> in any case we really need to add support for more than what we have
> now. Personally I'd also like to see this in 5.2.12 but know that might
> be pushing it.
>
> Rob
>
>

ras...@lerdorf.com (Rasmus Lerdorf)
11/24/2009 5:40:12 PM

If I had only checked... Appears its been in trunk (and 5_3) for over 2
years now :)

Rob

Rasmus Lerdorf wrote:
> Seems like a no-brainer for 5.3 and trunk. You will have to discuss
> with Ilia for 5.2. It seems a bit late in the game for that branch to
> get this.
>
> -Rasmus
>
> Rob Richards wrote:
>
>> The openssl extension is way to restrictive in the algorithms it
>> supports, i.e. no support for SHA265 which is starting to become the
>> standard algo to use, etc.. Rather than having to always add more
>> constants and additional logic for any new algorithms, I'd like to
>> change the sign and verify functions to not only accept the current
>> integers, but also a string so the EVP_get_digestbyname function can be
>> used.
>>
>> So while still supporting something list:
>> openssl_sign($data, $signature, $priv_key_id, OPENSSL_ALGO_SHA1)
>>
>> It can also be called using:
>> openssl_sign($data, $signature, $priv_key_id, "SHA1")
>> openssl_sign($data, $signature, $priv_key_id, "SHA256")
>>
>> Attached is a patch to illustrate the change made to the PHP_5_2 branch
>> (only to the sign function but same change would be made to verify as
>> well).
>> I'd really like to be able to support the string based algorithm rather
>> than always having to add constants just for the added flexibility but
>> in any case we really need to add support for more than what we have
>> now. Personally I'd also like to see this in 5.2.12 but know that might
>> be pushing it.
>>
>> Rob
>>
>>
>>
>
>
>

rricha...@cdatazone.org (Rob Richards)
11/24/2009 9:51:26 PM

Heh, I think given that we have 5.3 out there (with the code) there is =
little reason to introduce new features into a bug fix release which is =
5.2.

On 2009-11-24, at 4:51 PM, Rob Richards wrote:

> If I had only checked... Appears its been in trunk (and 5_3) for over =
2 years now :)
>=20
> Rob
>=20
> Rasmus Lerdorf wrote:
>> Seems like a no-brainer for 5.3 and trunk. You will have to discuss
>> with Ilia for 5.2. It seems a bit late in the game for that branch =
to
>> get this.
>>=20
>> -Rasmus
>>=20
>> Rob Richards wrote:
>> =20
>>> The openssl extension is way to restrictive in the algorithms it
>>> supports, i.e. no support for SHA265 which is starting to become the
>>> standard algo to use, etc.. Rather than having to always add more
>>> constants and additional logic for any new algorithms, I'd like to
>>> change the sign and verify functions to not only accept the current
>>> integers, but also a string so the EVP_get_digestbyname function can =
be
>>> used.
>>>=20
>>> So while still supporting something list:
>>> openssl_sign($data, $signature, $priv_key_id, OPENSSL_ALGO_SHA1)
>>>=20
>>> It can also be called using:
>>> openssl_sign($data, $signature, $priv_key_id, "SHA1")
>>> openssl_sign($data, $signature, $priv_key_id, "SHA256")
>>>=20
>>> Attached is a patch to illustrate the change made to the PHP_5_2 =
branch
>>> (only to the sign function but same change would be made to verify =
as
>>> well).
>>> I'd really like to be able to support the string based algorithm =
rather
>>> than always having to add constants just for the added flexibility =
but
>>> in any case we really need to add support for more than what we have
>>> now. Personally I'd also like to see this in 5.2.12 but know that =
might
>>> be pushing it.
>>>=20
>>> Rob
>>>=20
>>>=20
>>> =20
>>=20
>>=20
>> =20
>=20
>=20
> --=20
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>=20

i...@prohost.org (Ilia Alshanetsky)
11/24/2009 10:01:14 PM


Reply:
| or Email(not shown): Name: | Register | Login

Alert me when someone responds to this posting.








Newest Articles

note 97095 added to soapclient.soapclient
4/1/2010 5:58:19 AM

note 97094 added to function.sqlite-changes
4/1/2010 5:06:46 AM

note 97093 added to function.sqlite-changes
4/1/2010 5:06:21 AM

note 97092 added to ref.xmlrpc
4/1/2010 4:52:18 AM

note 97091 added to function.var-export
4/1/2010 3:32:03 AM