Req #61421 [Asn->]: OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512

2012-09-15 Thread stas
Edit report at https://bugs.php.net/bug.php?id=61421&edit=1

 ID:                 61421
 Updated by:         s...@php.net
 Reported by:        mark at zedwood dot com
 Summary:            OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512
-Status:             Assigned
+Status:             To be documented
 Type:               Feature/Change Request
 Package:            OpenSSL related
 Operating System:   Ubuntu Linux
 PHP Version:        5.4.5
 Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




Previous Comments:

[2012-09-14 17:56:53] mark at zedwood dot com

PHP 5.4 release manager stas had me create a pull request for this bug.
https://github.com/php/php-src/pull/196


[2012-07-20 00:05:02] mark at zedwood dot com

updated version to php 5.4.5


[2012-06-27 06:21:58] paj...@php.net

Patch compiles fine, I asked the RMs if it is fine to merge into 5.3/4.

Will commit all at once once I get an answer.

Thanks for your work and patience!


[2012-06-21 20:14:04] mark at zedwood dot com

This issue is an important feature to add to PHP, considering
"SHA-1 has recently been demonstrated to provide less than 80 bits of security 
for digital signatures; at the publication of this Recommendation, the security 
strength against collisions is assessed at 69 bits. The use of SHA-1 is not 
recommended for the generation of digital signatures in new systems; new 
systems should use one of the larger hash functions. (SHA-224, SHA-256, SHA-384 
and SHA-512)"
https://wiki.mozilla.org/CA:MD5and1024


[2012-06-19 13:43:53] mark at zedwood dot com

Those new examples are also all in the openssl-add-sig-algs.txt patch file I 
uploaded yesterday. So we should be good to go.




The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

https://bugs.php.net/bug.php?id=61421


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=61421&edit=1


Req #61421 [Asn]: OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512

2012-07-19 Thread mark at zedwood dot com

 ID:                 61421
 User updated by:    mark at zedwood dot com
 Reported by:        mark at zedwood dot com
 Summary:            OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512
 Status:             Assigned
 Type:               Feature/Change Request
 Package:            OpenSSL related
 Operating System:   Ubuntu Linux
-PHP Version:        5.4.4
+PHP Version:        5.4.5
 Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

updated version to php 5.4.5


Previous Comments:

[2012-06-27 06:21:58] paj...@php.net

Patch compiles fine, I asked the RMs if it is fine to merge into 5.3/4.

Will commit all at once once I get an answer.

Thanks for your work and patience!


[2012-06-21 20:14:04] mark at zedwood dot com

This issue is an important feature to add to PHP, considering
"SHA-1 has recently been demonstrated to provide less than 80 bits of security 
for digital signatures; at the publication of this Recommendation, the security 
strength against collisions is assessed at 69 bits. The use of SHA-1 is not 
recommended for the generation of digital signatures in new systems; new 
systems should use one of the larger hash functions. (SHA-224, SHA-256, SHA-384 
and SHA-512)"
https://wiki.mozilla.org/CA:MD5and1024


[2012-06-19 13:43:53] mark at zedwood dot com

Those new examples are also all in the openssl-add-sig-algs.txt patch file I 
uploaded yesterday. So we should be good to go.


[2012-06-19 07:55:30] paj...@php.net

hi!

that looks good now! Thanks!

Could you add the latest examples as extra tests as well please?

I will commit it to master this week.


[2012-06-18 20:48:28] mark at zedwood dot com

I just added a patch, updated to php 5.4.4.  Hopefully this can make it into 
php 5.4.5.






Req #61421 [Asn]: OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512

2012-06-26 Thread pajoye

 ID:                 61421
 Updated by:         paj...@php.net
 Reported by:        mark at zedwood dot com
 Summary:            OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512
 Status:             Assigned
 Type:               Feature/Change Request
 Package:            OpenSSL related
 Operating System:   Ubuntu Linux
 PHP Version:        5.4.4
 Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

Patch compiles fine, I asked the RMs if it is fine to merge into 5.3/4.

Will commit all at once once I get an answer.

Thanks for your work and patience!


Previous Comments:

[2012-06-21 20:14:04] mark at zedwood dot com

This issue is an important feature to add to PHP, considering
"SHA-1 has recently been demonstrated to provide less than 80 bits of security 
for digital signatures; at the publication of this Recommendation, the security 
strength against collisions is assessed at 69 bits. The use of SHA-1 is not 
recommended for the generation of digital signatures in new systems; new 
systems should use one of the larger hash functions. (SHA-224, SHA-256, SHA-384 
and SHA-512)"
https://wiki.mozilla.org/CA:MD5and1024


[2012-06-19 13:43:53] mark at zedwood dot com

Those new examples are also all in the openssl-add-sig-algs.txt patch file I 
uploaded yesterday. So we should be good to go.


[2012-06-19 07:55:30] paj...@php.net

hi!

that looks good now! Thanks!

Could you add the latest examples as extra tests as well please?

I will commit it to master this week.


[2012-06-18 20:48:28] mark at zedwood dot com

I just added a patch, updated to php 5.4.4.  Hopefully this can make it into 
php 5.4.5.


[2012-06-18 20:12:52] mark at zedwood dot com

Modified pastebin example to show simpler test case:
http://pastebin.com/qdCyC0Pe

older pastebin example now available at:
http://pastebin.com/4LQDqMD5






Req #61421 [Asn]: OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512

2012-06-19 Thread pajoye

 ID:                 61421
 Updated by:         paj...@php.net
 Reported by:        mark at zedwood dot com
 Summary:            OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512
 Status:             Assigned
 Type:               Feature/Change Request
 Package:            OpenSSL related
 Operating System:   Ubuntu Linux
 PHP Version:        5.4.4
 Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

hi!

that looks good now! Thanks!

Could you add the latest examples as extra tests as well please?

I will commit it to master this week.


Previous Comments:

[2012-06-18 20:48:28] mark at zedwood dot com

I just added a patch, updated to php 5.4.4.  Hopefully this can make it into 
php 5.4.5.


[2012-06-18 20:12:52] mark at zedwood dot com

Modified pastebin example to show simpler test case:
http://pastebin.com/qdCyC0Pe

older pastebin example now available at:
http://pastebin.com/4LQDqMD5


[2012-05-30 19:10:50] mark at zedwood dot com

Is there anything preventing this bugfix/patch from being committed into git?


[2012-04-05 22:10:00] mark at zedwood dot com

Changed name of const to OPENSSL_ALGO_RMD160 instead of OPENSSL_ALGO_RIPEMD160


[2012-04-02 18:21:17] mark at zedwood dot com

added openssl version check, added new patch with .phpt test






Req #61421 [Asn]: OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512

2012-06-18 Thread mark at zedwood dot com

 ID:                 61421
 User updated by:    mark at zedwood dot com
 Reported by:        mark at zedwood dot com
-Summary:            Missing SHA256,SHA512 families of signature algorithms
+Summary:            OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512
 Status:             Assigned
 Type:               Feature/Change Request
 Package:            OpenSSL related
 Operating System:   Ubuntu Linux
-PHP Version:        5.4.0
+PHP Version:        5.4.4
 Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

Modified pastebin example to show simpler test case:
http://pastebin.com/qdCyC0Pe

older pastebin example now available at:
http://pastebin.com/4LQDqMD5


Previous Comments:

[2012-05-30 19:10:50] mark at zedwood dot com

Is there anything preventing this bugfix/patch from being committed into git?


[2012-04-05 22:10:00] mark at zedwood dot com

Changed name of const to OPENSSL_ALGO_RMD160 instead of OPENSSL_ALGO_RIPEMD160


[2012-04-02 18:21:17] mark at zedwood dot com

added openssl version check, added new patch with .phpt test


[2012-04-02 09:36:07] paj...@php.net

hi,

Thanks for the patch, I will apply it asap but it won't make it for the next 
releases of 5.3 or 5.4 as we are already in release phases.

Btw, can you add some tests too please?

About the patch, yes, please use the openssl version check instead, as what is 
done now won't work smoothly with older versions.

As for getting an svn account (asked per email but adding answer here too), we 
usually give one after one has provided a couple of patches :)

Thanks for your work!


[2012-04-02 09:21:11] der...@php.net

Mark, yes, you probably should. It will also help a lot if you include test 
cases for the new functionality. Make sure those tests also run with older 
versions of openssl though!

cheers,
Derick



