Edit report at http://bugs.php.net/bug.php?id=48632&edit=1

 ID:               48632
 Updated by:       paj...@php.net
 Reported by:      yonas dot y at gmail dot com
 Summary:          OpenSSL extension should support AES
-Status:           Assigned
+Status:           Closed
 Type:             Feature/Change Request
-Package:          Feature/Change Request
+Package:          *General Issues
 Operating System: Ubuntu Jaunty
 PHP Version:      6*
 Assigned To:      pajoye

 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




Previous Comments:
------------------------------------------------------------------------
[2009-10-30 05:29:21] yonas dot y at gmail dot com

Can you please commit this patch, thanks!





Cheers,

Yonas

------------------------------------------------------------------------
[2009-06-22 12:49:45] paj...@php.net

Not a single chance to get it in 5.3.0 :)

------------------------------------------------------------------------
[2009-06-22 12:45:04] yonas dot y at gmail dot com

Thanks! :) 



Hmmm, seeing how this is a small patch, could we sneak it into 5.3.0? :)

------------------------------------------------------------------------
[2009-06-22 12:32:08] paj...@php.net

Will test and apply to HEAD this week. 5.3.0 is in commit freeze and
about to be released.

------------------------------------------------------------------------
[2009-06-22 12:20:02] yonas dot y at gmail dot com

This patch allows users to encrypt their private key using the following
ciphers:



    PHP_OPENSSL_CIPHER_RC2_40,

    PHP_OPENSSL_CIPHER_RC2_128,

    PHP_OPENSSL_CIPHER_RC2_64,

    PHP_OPENSSL_CIPHER_DES,

    PHP_OPENSSL_CIPHER_3DES,

    PHP_OPENSSL_CIPHER_AES_128_CBC,

    PHP_OPENSSL_CIPHER_AES_192_CBC,

    PHP_OPENSSL_CIPHER_AES_256_CBC



Example:



<?php

// Create the keypair

$res=openssl_pkey_new();



$configargs = array(

    'private_key_bits' => 2048,

    'private_key_type' => OPENSSL_KEYTYPE_RSA,

    'encrypt_key' => true,

    'encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC

    );



// Get private key

openssl_pkey_export($res, $privkey, "PassPhrase number 1",
$configargs);



var_dump( $privkey );

?>





--- ext/openssl/openssl.c.orig  2009-06-22 06:39:35.000000000 -0400

+++ ext/openssl/openssl.c       2009-06-22 08:13:39.000000000 -0400

@@ -83,6 +83,9 @@

        PHP_OPENSSL_CIPHER_RC2_64,

        PHP_OPENSSL_CIPHER_DES,

        PHP_OPENSSL_CIPHER_3DES,

+       PHP_OPENSSL_CIPHER_AES_128_CBC,

+       PHP_OPENSSL_CIPHER_AES_192_CBC,

+       PHP_OPENSSL_CIPHER_AES_256_CBC,

 

        PHP_OPENSSL_CIPHER_DEFAULT = PHP_OPENSSL_CIPHER_RC2_40

 };

@@ -517,6 +520,7 @@

        int priv_key_encrypt;

 

        EVP_PKEY * priv_key;

+    const EVP_CIPHER * priv_key_encrypt_cipher;

 };

 /* }}} */

 

@@ -743,6 +747,9 @@

        else \

                varname = defval

 

+

+static const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(long
algo);

+

 static int php_openssl_parse_config(struct php_x509_request * req, zval
* optional_args TSRMLS_DC) /* {{{ */

 {

        char * str;

@@ -794,6 +801,19 @@

                }

        }

        

+       if (req->priv_key_encrypt && optional_args &&
zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key_cipher",
sizeof("encrypt_key_cipher"), (void**)&item) == SUCCESS) {

+        long cipher_algo = Z_LVAL_PP(item);

+        const EVP_CIPHER* cipher =
php_openssl_get_evp_cipher_from_algo(cipher_algo);

+        if (cipher == NULL) {

+            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown cipher
algorithm for private key.");

+            return FAILURE;

+        } else  {

+            req->priv_key_encrypt_cipher = cipher;

+        }

+    } else {

+        req->priv_key_encrypt_cipher = NULL;

+    }

+       

        /* digest alg */

        if (req->digest_name == NULL) {

                req->digest_name = CONF_get_string(req->req_config,
req->section_name, "default_md");
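Review bot: `Z_LVAL_PP(item)` is read without checking the type of the `encrypt_key_cipher` entry, so a string or array supplied by the script has its value storage reinterpreted as a long before it reaches `php_openssl_get_evp_cipher_from_algo()`. Guard the read with a type check, for example `if (Z_TYPE_PP(item) != IS_LONG) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "encrypt_key_cipher must be an integer constant."); return FAILURE; }`, before taking the long value. Because the lookup helper is shared, this option also accepts the RC2 and single-DES constants listed in the patch description, which are weaker than the 3DES fallback used when the option is absent; either reject them for private-key export or add a comment saying that the choice is left to the caller. `php_openssl_parse_config` begins before this hunk and continues after it.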

@@ -940,6 +960,17 @@

                        return EVP_des_ede3_cbc();

                        break;

 #endif

+#ifndef OPENSSL_NO_AES

+               case PHP_OPENSSL_CIPHER_AES_128_CBC:

+            return EVP_aes_128_cbc();

+            break;

+               case PHP_OPENSSL_CIPHER_AES_192_CBC:

+            return EVP_aes_192_cbc();

+            break;

+               case PHP_OPENSSL_CIPHER_AES_256_CBC:

+            return EVP_aes_256_cbc();

+            break;

+#endif

                default:

                        return NULL;

                        break;
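Review bot: The three added `case` bodies are indented with spaces while the surrounding cases in this switch use tabs, and the same mix appears in the struct field added at -517, the option parsing at -794 and both export hunks. Re-indent the new lines with tabs so they match the rest of `openssl.c`. The switch and its enclosing function start outside this hunk.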

@@ -1017,6 +1048,11 @@

        REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_DES", PHP_OPENSSL_CIPHER_DES,
CONST_CS|CONST_PERSISTENT);

        REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_3DES", PHP_OPENSSL_CIPHER_3DES,
CONST_CS|CONST_PERSISTENT);

 #endif

+#ifndef OPENSSL_NO_AES

+       REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_128_CBC",
PHP_OPENSSL_CIPHER_AES_128_CBC, CONST_CS|CONST_PERSISTENT);

+       REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_192_CBC",
PHP_OPENSSL_CIPHER_AES_192_CBC, CONST_CS|CONST_PERSISTENT);

+       REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_256_CBC",
PHP_OPENSSL_CIPHER_AES_256_CBC, CONST_CS|CONST_PERSISTENT);

+#endif

 

        /* Values for key types */

        REGISTER_LONG_CONSTANT("OPENSSL_KEYTYPE_RSA", OPENSSL_KEYTYPE_RSA,
CONST_CS|CONST_PERSISTENT);

@@ -2984,7 +3020,11 @@

                bio_out = BIO_new_file(filename, "w");

 

                if (passphrase && req.priv_key_encrypt) {

+            if (req.priv_key_encrypt_cipher) {

+                cipher = req.priv_key_encrypt_cipher;

+            } else {

                        cipher = (EVP_CIPHER *) EVP_des_ede3_cbc();

+            }

                } else {

                        cipher = NULL;

                }
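Review bot: `cipher = req.priv_key_encrypt_cipher;` assigns a `const EVP_CIPHER *` to a variable that appears to be a non-const `EVP_CIPHER *`, judging by the `(EVP_CIPHER *)` cast on the fallback line, so the qualifier is dropped and the compiler will likely warn. Declaring `cipher` as `const EVP_CIPHER *` and removing the cast from `EVP_des_ede3_cbc()` keeps both branches consistent. The same applies to the in-memory export hunk at `@@ -3035,7 +3076,11 @@`. The declaration of `cipher` is outside this hunk, so the type should be confirmed against the full function.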

@@ -3035,7 +3076,11 @@

                bio_out = BIO_new(BIO_s_mem());

 

                if (passphrase && req.priv_key_encrypt) {

+            if (req.priv_key_encrypt_cipher) {

+                cipher = req.priv_key_encrypt_cipher;

+            } else {

                        cipher = (EVP_CIPHER *) EVP_des_ede3_cbc();

+            }

                } else {

                        cipher = NULL;

                }

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=48632


-- 
Edit this bug report at http://bugs.php.net/bug.php?id=48632&edit=1
