PHP :: Bug #73271 :: Incorrect resp. unneeded OpenSSL feature check

Bug #73271

Incorrect resp. unneeded OpenSSL feature check

Submitted:

2016-10-09 12:03 UTC

Modified:

2020-10-14 10:36 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

rainer dot jung at kippdata dot de

Assigned:

nikic (profile)

Status:

Closed

Package:

*Compile Issues

PHP Version:

7.1.0RC3

OS:

Solaris, Linux

Private report:

CVE-ID:

None

View Developer Edit

[2016-10-09 12:03 UTC] rainer dot jung at kippdata dot de

Description:
------------
I stumbled over an invalid OpenSSL feature check. File ext/mysqlnd/config9.m4 contains:

AC_CHECK_LIB(ssl, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
AC_CHECK_LIB(crypto, X509_free, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))

In the first check, it must be "crypto" not "ssl". The symbol DSA_get_default_method is defined in OpenSSL libcrypto, not libssl. The test against the wrong library often fails, but sometimes coincidentally succeeds if due to some other previous check libcrypto was already put into LIBS.

Furthermore the second check checks another function, but then sets the same HAVE_DSA_DEFAULT_METHOD define.

Now the situation is:

- PHP 7.0 and 7.1 already demand OpenSSL 0.9.8 which always has these features. Therefore the same check in ext/openssl/config0.m4 was removed by

https://github.com/php/php-src/commit/6a813634052710f3f4bf6e2e03ca1b6c7be3bcee#diff-69bad938d17f4283faa5f7fea17fa627 

when the requirement for OpenSSL 0.9.8 was introduced. The same commit also removed the only usage of the define HAVE_DSA_DEFAULT_METHOD (in ext/openssl/openssl.c). So as a followup to this commit I suggest removing the above two lines from ext/mysqlnd/config9.m4 for 7.0 and 7.1:

--- ext/mysqlnd/config9.m4    2016-09-29 04:15:39.000000000 +0200
+++ ext/mysqlnd/config9.m4    2016-10-09 13:56:18.351155000 +0200
@@ -34,9 +34,6 @@
   test -z "$PHP_OPENSSL" && PHP_OPENSSL=no

   if test "$PHP_OPENSSL" != "no" || test "$PHP_OPENSSL_DIR" != "no"; then
-    AC_CHECK_LIB(ssl, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
-    AC_CHECK_LIB(crypto, X509_free, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
-
     PHP_SETUP_OPENSSL(MYSQLND_SHARED_LIBADD, [AC_DEFINE(MYSQLND_HAVE_SSL,1,[Enable mysqlnd code that uses OpenSSL directly])])
   fi


In 5.6 the situation is different. Here the check still makes sense, but should be corrected in ext/mysqlnd/config9.m4 and ext/openssl/config0.m4 to check the right library "crypto" and not "ssl":

--- ext/openssl/config0.m4    2016-08-18 13:07:46.000000000 +0200
+++ ext/openssl/config0.m4    2016-10-09 13:58:49.428676000 +0200
@@ -19,7 +19,7 @@
     PHP_SETUP_KERBEROS(OPENSSL_SHARED_LIBADD)
   fi

-  AC_CHECK_LIB(ssl, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
+  AC_CHECK_LIB(crypto, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
   AC_CHECK_LIB(crypto, X509_free, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
   AC_CHECK_FUNCS([RAND_egd])

--- ext/mysqlnd/config9.m4    2016-08-18 13:07:46.000000000 +0200
+++ ext/mysqlnd/config9.m4    2016-10-09 13:58:53.198828000 +0200
@@ -34,7 +34,7 @@
   test -z "$PHP_OPENSSL" && PHP_OPENSSL=no

   if test "$PHP_OPENSSL" != "no" || test "$PHP_OPENSSL_DIR" != "no"; then
-    AC_CHECK_LIB(ssl, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
+    AC_CHECK_LIB(crypto, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
     AC_CHECK_LIB(crypto, X509_free, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))

     PHP_SETUP_OPENSSL(MYSQLND_SHARED_LIBADD, [AC_DEFINE(MYSQLND_HAVE_SSL,1,[Enable mysqlnd code that uses OpenSSL directly])])


Regards,

Rainer

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-10-09 12:08 UTC] rainer dot jung at kippdata dot de

Two more files can be cleanup up in 87.0 and 7.1:

--- main/php_config.h.in        2016-09-29 04:15:35.000000000 +0200
+++ main/php_config.h.in        2016-10-09 14:06:14.410066000 +0200
@@ -604,9 +604,6 @@
 /* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */
 #undef HAVE_DOPRNT

-/* OpenSSL 0.9.7 or later */
-#undef HAVE_DSA_DEFAULT_METHOD
-
 /* Whether to enable DTrace support */
 #undef HAVE_DTRACE

--- ext/openssl/config.w32      2016-09-29 04:15:39.000000000 +0200
+++ ext/openssl/config.w32      2016-10-09 14:06:09.410396000 +0200
@@ -12,7 +12,6 @@

                AC_DEFINE("HAVE_OPENSSL_EXT", PHP_OPENSSL_SHARED ? 0 : 1, "Have openssl");
                AC_DEFINE("HAVE_OPENSSL", 1);
-               AC_DEFINE("HAVE_DSA_DEFAULT_METHOD", 1);
        }
 }

[2020-10-14 10:36 UTC] nikic@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic

[2020-10-14 10:36 UTC] nikic@php.net

Looks like these checks have been removed in https://github.com/php/php-src/commit/4b03e102c58f56cbf5f794f21face56abd662e90.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Nov 01 06:00:02 2025 UTC