Skip to content

Commit 956c3c2

Browse files
adsrbukka
adsr
authored and
bukka
committed
ext/openssl: Add option to load legacy algorithm provider
OpenSSL 3.x relegated a set of insecure algorithms to a "legacy" provider which is not loaded by default. Some of these algorithms have utility beyond encryption such as for hashing, e.g., DES[1] Add a compile-time option to load the legacy provider in 3.x. When enabled, also load the default provider because loading any provider explicitly disables auto-loading the default provider. [1] https://github.com/vitessio/vitess/blob/9e40015748ede158357bd7291f583db138abc3df/go/vt/vtgate/vindexes/hash.go#L157 Closes GH-13951
1 parent afd91fb commit 956c3c2

File tree

3 files changed

+18
-0
lines changed

3 files changed

+18
-0
lines changed

NEWS

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -123,6 +123,8 @@ PHP NEWS
123123
. Added X509_PURPOSE_OCSP_HELPER and X509_PURPOSE_TIMESTAMP_SIGN constants.
124124
(Vincent Jardin)
125125
. Bumped minimum required OpenSSL version to 1.1.1. (Ayesh Karunaratne)
126+
. Added compile-time option --with-openssl-legacy-provider to enable legacy
127+
provider. (Adam Saponara)
126128

127129
- Output:
128130
. Clear output handler status flags during handler initialization. (haszi)

ext/openssl/config0.m4

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,13 @@ PHP_ARG_WITH([system-ciphers],
1010
[no],
1111
[no])
1212

13+
PHP_ARG_WITH([openssl-legacy-provider],
14+
[whether to load legacy algorithm provider],
15+
[AS_HELP_STRING([--with-openssl-legacy-provider],
16+
[OPENSSL: Load legacy algorithm provider in addition to default provider])],
17+
[no],
18+
[no])
19+
1320
if test "$PHP_OPENSSL" != "no"; then
1421
PHP_NEW_EXTENSION(openssl, openssl.c xp_ssl.c, $ext_shared)
1522
PHP_SUBST(OPENSSL_SHARED_LIBADD)
@@ -25,4 +32,8 @@ if test "$PHP_OPENSSL" != "no"; then
2532
if test "$PHP_SYSTEM_CIPHERS" != "no"; then
2633
AC_DEFINE(USE_OPENSSL_SYSTEM_CIPHERS,1,[ Use system default cipher list instead of hardcoded value ])
2734
fi
35+
36+
if test "$PHP_OPENSSL_LEGACY_PROVIDER" != "no"; then
37+
AC_DEFINE(LOAD_OPENSSL_LEGACY_PROVIDER,1,[ Load legacy algorithm provider in addition to default provider ])
38+
fi
2839
fi

ext/openssl/openssl.c

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -59,6 +59,7 @@
5959
#if PHP_OPENSSL_API_VERSION >= 0x30000
6060
#include <openssl/core_names.h>
6161
#include <openssl/param_build.h>
62+
#include <openssl/provider.h>
6263
#endif
6364

6465
#if defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_ENGINE)
@@ -1277,6 +1278,10 @@ PHP_MINIT_FUNCTION(openssl)
12771278
OpenSSL_add_all_algorithms();
12781279
SSL_load_error_strings();
12791280
#else
1281+
#if PHP_OPENSSL_API_VERSION >= 0x30000 && defined(LOAD_OPENSSL_LEGACY_PROVIDER)
1282+
OSSL_PROVIDER_load(NULL, "legacy");
1283+
OSSL_PROVIDER_load(NULL, "default");
1284+
#endif
12801285
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
12811286
#endif
12821287

0 commit comments

Comments
 (0)