When passing an array, the key entry can get converted to a string if it
is an object, but this actually modifies the original array entry.
The test originally outputted:
```
array(2) {
[0]=>
string(...) => ...
[1]=>
string(0) ""
}
```
This is unexpected. Use zval_try_get_string() to prevent this behaviour.
Closes GH-16693.
The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but
the `$days` parameter of `openssl_csr_sign()` a `zend_long`. We must
avoid signed integer overflow (UB), but also must not silently truncate.
Thus we check the given `$days` for the permissible range, and bail out
otherwise.
Closes GH-16437.
We must not use `try_convert_to_string()` on members of unseparated
array arguments; instead of separating, we use `zval_try_get_string()`.
Closes GH-16370.
Port 64325 is already used in ext/standard/tests/streams/gh11418.phpt. The test
randomly times out, and it's unclear whether it might be related to the
conflicting port.
php_socket_errno() may return a stale value when recv returns a
value >= 0. As such, the liveness check is wrong.
This is the same bug as #70198 (fixed in GH-1456). So we fix it in the
same way.
Closes GH-13895.
This fixes the issue with unbounded waiting on SSL_peek which can happen
when only part of the record is fetched. It makes socket non blocking so
it is possible to verify if OpenSSL is expecting some more data or if
there is an error.
This also fixes bug #79501
Closes GH-13487
This also fixes skipped tests due to different naming "zend-test"
instead of "zend_test" and "PDO" instead of "pdo":
- ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt
- ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt
- ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt
- ext/zend_test/tests/observer_sqlite_create_function.phpt
EXTENSIONS section is used for the Windows build to load the non-static
extensions.
Closes GH-13276
This pulls only the changes made to CertificateGenerator.inc in the PHP-8.2
branch from commit 505e8d2a04.
Co-authored-by: Jakub Zelenka <bukka@php.net>
IPv6 addresses are valid entries in subjectAltNames. Certificate
Authorities may issue certificates including IPv6 addresses except
if they fall within addresses in the RFC 4193 range. Google and
CloudFlare provide IPv6 addresses in their DNS over HTTPS services.
Internal CAs do not have those restrictions and can issue Unique
local addresses in certificates.
Closes GH-11145
This function works in exactly the same way as openssl_cipher_iv_length
but for a key length. This is especially useful to make sure that the
right key length is provided to openssl_encrypt and openssl_decrypt.
In addtion the change also updates implementation of
openssl_cipher_iv_length and adds a test for it.
This adds support for ChaCha20-Poly1305 AEAD algorithm so it is possible
to use it in the same way as AES GCM and other AEAD algorithms. This is
available in OpenSSL 1.1.0+.
Jakub Zelenka