Remove native SSL support in phar extension

UPGRADING

@@ -907,6 +907,10 @@ PHP 8.4 UPGRADE NOTES
 - PgSQL:
   . The pgsql extension now requires at least libpq 10.0.
 
+- Phar:
+  . Native SSL support in phar extension has been removed in favor of phar SSL
+    support through the PHP openssl extension.
+
 - Reflection:
   . The class constants are typed now.
 

UPGRADING.INTERNALS

@@ -119,6 +119,7 @@ PHP 8.4 INTERNALS UPGRADE NOTES
    - Symbol HAVE_LIBM has been removed.
    - Symbol HAVE_INET_ATON has been removed.
    - Symbol HAVE_SIGSETJMP has been removed.
+   - Symbol PHAR_HAVE_OPENSSL has been removed.
    - The Zend/zend_istdiostream.h header has been removed.
 
  b. Unix build system changes
@@ -213,7 +214,7 @@ PHP 8.4 INTERNALS UPGRADE NOTES
 
  c. Windows build system changes
    - The configure options --with-oci8-11g, --with-oci8-12c, --with-oci8-19,
-     --enable-apache2-2handler have been removed.
+     --enable-apache2-2handler, --enable-phar-native-ssl have been removed.
    - The configure option --enable-apache2-4handler is now an alias for the
      preferred --enable-apache2handler.
    - Added Bison flag '-Wall' when generating lexer files as done in *nix build

ext/phar/config.m4

@@ -19,15 +19,6 @@ if test "$PHP_PHAR" != "no"; then
     [$ext_shared],,
     [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1])
 
-  AC_MSG_CHECKING([for phar openssl support])
-  AS_VAR_IF([PHP_OPENSSL_SHARED], [yes],
-    [AC_MSG_RESULT([no (shared openssl)])],
-    [AS_VAR_IF([PHP_OPENSSL], [yes], [
-      AC_MSG_RESULT([yes])
-      AC_DEFINE([PHAR_HAVE_OPENSSL], [1],
-        [Define to 1 if phar extension has native OpenSSL support.])
-    ], [AC_MSG_RESULT([no])])])
-
   PHP_ADD_EXTENSION_DEP(phar, hash)
   PHP_ADD_EXTENSION_DEP(phar, spl)
   PHP_ADD_MAKEFILE_FRAGMENT

ext/phar/config.w32

@@ -1,39 +1,10 @@
 // vim:ft=javascript
 
 ARG_ENABLE("phar", "disable phar support", "yes");
-ARG_ENABLE("phar-native-ssl", "enable phar with native OpenSSL support", "no");
-
-if (PHP_PHAR_NATIVE_SSL != "no") {
-	PHP_PHAR = PHP_PHAR_NATIVE_SSL;
-}
 
 if (PHP_PHAR != "no") {
 	EXTENSION("phar", "dirstream.c func_interceptors.c phar.c phar_object.c phar_path_check.c stream.c tar.c util.c zip.c", PHP_PHAR_SHARED, "/DZEND_ENABLE_STATIC_TSRMLS_CACHE=1");
-	if (PHP_PHAR_SHARED || (PHP_PHAR_NATIVE_SSL_SHARED && PHP_SNAPSHOT_BUILD == "no")) {
-		ADD_FLAG("CFLAGS_PHAR", "/D COMPILE_DL_PHAR ");
-	}
-	if (PHP_PHAR_NATIVE_SSL != "no") {
-		if (CHECK_LIB("libeay32st.lib", "phar")) {
-			/* We don't really need GDI for this, but there's no
-			way to avoid linking it in the static openssl build */
-			ADD_FLAG("LIBS_PHAR", "libeay32st.lib gdi32.lib");
-			if (PHP_DEBUG == "no") {
-				/* Silence irrelevant-to-us warning in release builds */
-				ADD_FLAG("LDFLAGS_PHAR", "/IGNORE:4089 ");
-			}
-			AC_DEFINE('PHAR_HAVE_OPENSSL', 1);
-			STDOUT.WriteLine('        Native OpenSSL support in Phar enabled');
-		} else {
-			WARNING('Could not enable native OpenSSL support in Phar');
-		}
-	} else {
-		if (PHP_OPENSSL != "no" && !PHP_OPENSSL_SHARED && !PHP_PHAR_SHARED) {
-			AC_DEFINE('PHAR_HAVE_OPENSSL', 1);
-			STDOUT.WriteLine('        Native OpenSSL support in Phar enabled');
-		} else {
-			STDOUT.WriteLine('        Native OpenSSL support in Phar disabled');
-		}
-	}
+
 	ADD_EXTENSION_DEP('phar', 'hash');
 	ADD_EXTENSION_DEP('phar', 'spl');
 	PHP_INSTALL_HEADERS("ext/phar", "php_phar.h");

ext/phar/phar.c

@@ -3585,15 +3585,13 @@ PHP_MINFO_FUNCTION(phar) /* {{{ */
 	} else {
 		php_info_print_table_row(2, "bzip2 compression", "disabled (install ext/bz2)");
 	}
-#ifdef PHAR_HAVE_OPENSSL
-	php_info_print_table_row(2, "Native OpenSSL support", "enabled");
-#else
+
 	if (zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1)) {
 		php_info_print_table_row(2, "OpenSSL support", "enabled");
 	} else {
 		php_info_print_table_row(2, "OpenSSL support", "disabled (install ext/openssl)");
 	}
-#endif
+
 	php_info_print_table_end();
 
 	php_info_print_box_start(0);

ext/phar/phar_object.c

@@ -1255,17 +1255,12 @@ PHP_METHOD(Phar, getSupportedSignatures)
 	add_next_index_stringl(return_value, "SHA-1", 5);
 	add_next_index_stringl(return_value, "SHA-256", 7);
 	add_next_index_stringl(return_value, "SHA-512", 7);
-#ifdef PHAR_HAVE_OPENSSL
-	add_next_index_stringl(return_value, "OpenSSL", 7);
-	add_next_index_stringl(return_value, "OpenSSL_SHA256", 14);
-	add_next_index_stringl(return_value, "OpenSSL_SHA512", 14);
-#else
+
 	if (zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1)) {
 		add_next_index_stringl(return_value, "OpenSSL", 7);
 		add_next_index_stringl(return_value, "OpenSSL_SHA256", 14);
 		add_next_index_stringl(return_value, "OpenSSL_SHA512", 14);
 	}
-#endif
 }
 /* }}} */
 

ext/phar/util.c

@@ -24,21 +24,7 @@
 #include "ext/hash/php_hash_sha.h"
 #include "ext/standard/md5.h"
 
-#ifdef PHAR_HAVE_OPENSSL
-/* OpenSSL includes */
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/crypto.h>
-#include <openssl/pem.h>
-#include <openssl/err.h>
-#include <openssl/conf.h>
-#include <openssl/rand.h>
-#include <openssl/ssl.h>
-#include <openssl/pkcs12.h>
-#else
 static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, uint32_t sig_type);
-#endif
 
 /* for links to relative location, prepend cwd of the entry */
 static char *phar_get_link_location(phar_entry_info *entry) /* {{{ */
@@ -1439,7 +1425,6 @@ static int phar_hex_str(const char *digest, size_t digest_len, char **signature)
 }
 /* }}} */
 
-#ifndef PHAR_HAVE_OPENSSL
 static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, uint32_t sig_type) /* {{{ */
 {
 	zend_fcall_info fci;
@@ -1538,7 +1523,6 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t
 	}
 }
 /* }}} */
-#endif /* #ifndef PHAR_HAVE_OPENSSL */
 
 zend_result phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type, char *sig, size_t sig_len, char *fname, char **signature, size_t *signature_len, char **error) /* {{{ */
 {
@@ -1552,33 +1536,18 @@ zend_result phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t s
 		case PHAR_SIG_OPENSSL_SHA512:
 		case PHAR_SIG_OPENSSL_SHA256:
 		case PHAR_SIG_OPENSSL: {
-#ifdef PHAR_HAVE_OPENSSL
-			BIO *in;
-			EVP_PKEY *key;
-			const EVP_MD *mdtype;
-			EVP_MD_CTX *md_ctx;
-
-			if (sig_type == PHAR_SIG_OPENSSL_SHA512) {
-				mdtype = EVP_sha512();
-			} else if (sig_type == PHAR_SIG_OPENSSL_SHA256) {
-				mdtype = EVP_sha256();
-			} else {
-				mdtype = EVP_sha1();
-			}
-#else
 			size_t tempsig;
-#endif
 			zend_string *pubkey = NULL;
 			char *pfile;
 			php_stream *pfp;
-#ifndef PHAR_HAVE_OPENSSL
+
 			if (!zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1)) {
 				if (error) {
 					spprintf(error, 0, "openssl not loaded");
 				}
 				return FAILURE;
 			}
-#endif
+
 			/* use __FILE__ . '.pubkey' for public key file */
 			spprintf(&pfile, 0, "%s.pubkey", fname);
 			pfp = php_stream_open_wrapper(pfile, "rb", 0, NULL);
@@ -1595,7 +1564,7 @@ zend_result phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t s
 			}
 
 			php_stream_close(pfp);
-#ifndef PHAR_HAVE_OPENSSL
+
 			tempsig = sig_len;
 
 			if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, ZSTR_VAL(pubkey), ZSTR_LEN(pubkey), &sig, &tempsig, sig_type)) {
@@ -1611,76 +1580,6 @@ zend_result phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t s
 			zend_string_release_ex(pubkey, 0);
 
 			sig_len = tempsig;
-#else
-			in = BIO_new_mem_buf(ZSTR_VAL(pubkey), ZSTR_LEN(pubkey));
-
-			if (NULL == in) {
-				zend_string_release_ex(pubkey, 0);
-				if (error) {
-					spprintf(error, 0, "openssl signature could not be processed");
-				}
-				return FAILURE;
-			}
-
-			key = PEM_read_bio_PUBKEY(in, NULL, NULL, NULL);
-			BIO_free(in);
-			zend_string_release_ex(pubkey, 0);
-
-			if (NULL == key) {
-				if (error) {
-					spprintf(error, 0, "openssl signature could not be processed");
-				}
-				return FAILURE;
-			}
-
-			md_ctx = EVP_MD_CTX_create();
-			if (!md_ctx || !EVP_VerifyInit(md_ctx, mdtype)) {
-				if (md_ctx) {
-					EVP_MD_CTX_destroy(md_ctx);
-				}
-				if (error) {
-					spprintf(error, 0, "openssl signature could not be verified");
-				}
-				return FAILURE;
-			}
-			read_len = end_of_phar;
-
-			if ((size_t)read_len > sizeof(buf)) {
-				read_size = sizeof(buf);
-			} else {
-				read_size = (size_t)read_len;
-			}
-
-			php_stream_seek(fp, 0, SEEK_SET);
-
-			while (read_size && (len = php_stream_read(fp, (char*)buf, read_size)) > 0) {
-				if (UNEXPECTED(EVP_VerifyUpdate (md_ctx, buf, len) == 0)) {
-					goto failure;
-				}
-				read_len -= (zend_off_t)len;
-
-				if (read_len < read_size) {
-					read_size = (size_t)read_len;
-				}
-			}
-
-			if (EVP_VerifyFinal(md_ctx, (unsigned char *)sig, sig_len, key) != 1) {
-				failure:
-				/* 1: signature verified, 0: signature does not match, -1: failed signature operation */
-				EVP_PKEY_free(key);
-				EVP_MD_CTX_destroy(md_ctx);
-
-				if (error) {
-					spprintf(error, 0, "broken openssl signature");
-				}
-
-				return FAILURE;
-			}
-
-			EVP_PKEY_free(key);
-			EVP_MD_CTX_destroy(md_ctx);
-#endif
-
 			*signature_len = phar_hex_str((const char*)sig, sig_len, signature);
 		}
 		break;
@@ -1904,85 +1803,6 @@ zend_result phar_create_signature(phar_archive_data *phar, php_stream *fp, char
 		case PHAR_SIG_OPENSSL_SHA256:
 		case PHAR_SIG_OPENSSL: {
 			unsigned char *sigbuf;
-#ifdef PHAR_HAVE_OPENSSL
-			unsigned int siglen;
-			BIO *in;
-			EVP_PKEY *key;
-			EVP_MD_CTX *md_ctx;
-			const EVP_MD *mdtype;
-
-			if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA512) {
-				mdtype = EVP_sha512();
-			} else if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA256) {
-				mdtype = EVP_sha256();
-			} else {
-				mdtype = EVP_sha1();
-			}
-
-			in = BIO_new_mem_buf(PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len));
-
-			if (in == NULL) {
-				if (error) {
-					spprintf(error, 0, "unable to write to phar \"%s\" with requested openssl signature", phar->fname);
-				}
-				return FAILURE;
-			}
-
-			key = PEM_read_bio_PrivateKey(in, NULL,NULL, "");
-			BIO_free(in);
-
-			if (!key) {
-				if (error) {
-					spprintf(error, 0, "unable to process private key");
-				}
-				return FAILURE;
-			}
-
-			md_ctx = EVP_MD_CTX_create();
-			if (md_ctx == NULL) {
-				EVP_PKEY_free(key);
-				if (error) {
-					spprintf(error, 0, "unable to initialize openssl signature for phar \"%s\"", phar->fname);
-				}
-				return FAILURE;
-			}
-
-			siglen = EVP_PKEY_size(key);
-			sigbuf = emalloc(siglen + 1);
-
-			if (!EVP_SignInit(md_ctx, mdtype)) {
-				EVP_PKEY_free(key);
-				efree(sigbuf);
-				if (error) {
-					spprintf(error, 0, "unable to initialize openssl signature for phar \"%s\"", phar->fname);
-				}
-				return FAILURE;
-			}
-
-			while ((sig_len = php_stream_read(fp, (char*)buf, sizeof(buf))) > 0) {
-				if (!EVP_SignUpdate(md_ctx, buf, sig_len)) {
-					EVP_PKEY_free(key);
-					efree(sigbuf);
-					if (error) {
-						spprintf(error, 0, "unable to update the openssl signature for phar \"%s\"", phar->fname);
-					}
-					return FAILURE;
-				}
-			}
-
-			if (!EVP_SignFinal (md_ctx, sigbuf, &siglen, key)) {
-				EVP_PKEY_free(key);
-				efree(sigbuf);
-				if (error) {
-					spprintf(error, 0, "unable to write phar \"%s\" with requested openssl signature", phar->fname);
-				}
-				return FAILURE;
-			}
-
-			sigbuf[siglen] = '\0';
-			EVP_PKEY_free(key);
-			EVP_MD_CTX_destroy(md_ctx);
-#else
 			size_t siglen;
 			sigbuf = NULL;
 			siglen = 0;
@@ -1994,7 +1814,7 @@ zend_result phar_create_signature(phar_archive_data *phar, php_stream *fp, char
 				}
 				return FAILURE;
 			}
-#endif
+
 			*signature = (char *) sigbuf;
 			*signature_length = siglen;
 		}