Bug #73271 Incorrect resp. unneeded OpenSSL feature check
Submitted: 2016-10-09 12:03 UTC Modified: -
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: rainer dot jung at kippdata dot de Assigned:
Status: Open Package: *Compile Issues
PHP Version: 7.1.0RC3 OS: Solaris, Linux
Private report: No CVE-ID: None

 [2016-10-09 12:03 UTC] rainer dot jung at kippdata dot de
Description:
------------
I stumbled over an invalid OpenSSL feature check. File ext/mysqlnd/config9.m4 contains:

AC_CHECK_LIB(ssl, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
AC_CHECK_LIB(crypto, X509_free, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))

In the first check, it must be "crypto" not "ssl". The symbol DSA_get_default_method is defined in OpenSSL libcrypto, not libssl. The test against the wrong library often fails, but sometimes coincidentally succeeds if, due to some other previous check, libcrypto was already put into LIBS.

Furthermore, the second check checks another function, but then sets the same HAVE_DSA_DEFAULT_METHOD define.

Now the situation is:

- PHP 7.0 and 7.1 already demand OpenSSL 0.9.8 which always has these features. Therefore the same check in ext/openssl/config0.m4 was removed by

https://github.com/php/php-src/commit/6a813634052710f3f4bf6e2e03ca1b6c7be3bcee#diff-69bad938d17f4283faa5f7fea17fa627 

when the requirement for OpenSSL 0.9.8 was introduced. The same commit also removed the only usage of the define HAVE_DSA_DEFAULT_METHOD (in ext/openssl/openssl.c). So as a followup to this commit I suggest removing the above two lines from ext/mysqlnd/config9.m4 for 7.0 and 7.1:

--- ext/mysqlnd/config9.m4    2016-09-29 04:15:39.000000000 +0200
+++ ext/mysqlnd/config9.m4    2016-10-09 13:56:18.351155000 +0200
@@ -34,9 +34,6 @@
   test -z "$PHP_OPENSSL" && PHP_OPENSSL=no

   if test "$PHP_OPENSSL" != "no" || test "$PHP_OPENSSL_DIR" != "no"; then
-    AC_CHECK_LIB(ssl, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
-    AC_CHECK_LIB(crypto, X509_free, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
-
     PHP_SETUP_OPENSSL(MYSQLND_SHARED_LIBADD, [AC_DEFINE(MYSQLND_HAVE_SSL,1,[Enable mysqlnd code that uses OpenSSL directly])])
   fi
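
Review bot: The removal inside the `if test "$PHP_OPENSSL" != "no"` block only drops the m4 side of HAVE_DSA_DEFAULT_METHOD, so it should come with a tree-wide search for the macro on the 7.0 and 7.1 branches, and the commit message should cite commit 6a813634052710f3f4bf6e2e03ca1b6c7be3bcee as the change that removed its last reader in ext/openssl/openssl.c. The description string "OpenSSL 0.9.7 or later" on both removed lines is also stale against the stated 0.9.8 minimum, which supports deleting the lines rather than correcting them.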


In 5.6 the situation is different. Here the check still makes sense, but should be corrected in ext/mysqlnd/config9.m4 and ext/openssl/config0.m4 to check the right library "crypto" and not "ssl":

--- ext/openssl/config0.m4    2016-08-18 13:07:46.000000000 +0200
+++ ext/openssl/config0.m4    2016-10-09 13:58:49.428676000 +0200
@@ -19,7 +19,7 @@
     PHP_SETUP_KERBEROS(OPENSSL_SHARED_LIBADD)
   fi

-  AC_CHECK_LIB(ssl, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
+  AC_CHECK_LIB(crypto, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
   AC_CHECK_LIB(crypto, X509_free, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
   AC_CHECK_FUNCS([RAND_egd])
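
Review bot: The unchanged line directly after the corrected check, `AC_CHECK_LIB(crypto, X509_free, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, ...))`, still sets the same define, so HAVE_DSA_DEFAULT_METHOD ends up defined whenever libcrypto exports X509_free, whether or not DSA_get_default_method was found. Correcting the library name on the first line therefore has no observable effect on the define unless the X509_free line is removed or given its own define name; the report points this out, but the hunk leaves it in place.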

--- ext/mysqlnd/config9.m4    2016-08-18 13:07:46.000000000 +0200
+++ ext/mysqlnd/config9.m4    2016-10-09 13:58:53.198828000 +0200
@@ -34,7 +34,7 @@
   test -z "$PHP_OPENSSL" && PHP_OPENSSL=no

   if test "$PHP_OPENSSL" != "no" || test "$PHP_OPENSSL_DIR" != "no"; then
-    AC_CHECK_LIB(ssl, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
+    AC_CHECK_LIB(crypto, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
     AC_CHECK_LIB(crypto, X509_free, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))

     PHP_SETUP_OPENSSL(MYSQLND_SHARED_LIBADD, [AC_DEFINE(MYSQLND_HAVE_SSL,1,[Enable mysqlnd code that uses OpenSSL directly])])
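
Review bot: The corrected line in ext/mysqlnd/config9.m4 keeps a second copy of the probe that ext/openssl/config0.m4 already runs; if nothing under ext/mysqlnd reads HAVE_DSA_DEFAULT_METHOD on 5.6, deleting both AC_CHECK_LIB lines here is the smaller fix than correcting one of them. If the check stays, quote the third argument as `[AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later])]` so the action is passed to AC_CHECK_LIB as one m4 argument.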


Regards,

Rainer
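
An added example, not part of the original report or of php-src: a small lint that flags the two defects described above, a symbol probed in a library that does not export it and one define set by checks for different functions. The names `lint_check_lib`, `SAMPLE_M4` and `SAMPLE_EXPORTS` are hypothetical, and the export map is constructed sample data.

```shell
#!/bin/sh
# Constructed sample input: the two lines quoted in the report.
SAMPLE_M4='AC_CHECK_LIB(ssl, DSA_get_default_method, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))
AC_CHECK_LIB(crypto, X509_free, AC_DEFINE(HAVE_DSA_DEFAULT_METHOD, 1, [OpenSSL 0.9.7 or later]))'

# Constructed export map, one "library symbol" pair per line. On a real
# host it would be built from `nm -D --defined-only` on libssl and libcrypto.
SAMPLE_EXPORTS='crypto DSA_get_default_method
crypto X509_free
ssl SSL_new'

# lint_check_lib M4_TEXT EXPORT_MAP
# Prints one WRONG_LIB line per probe against a library that does not
# export the symbol, and one SHARED_DEFINE line per define that is set
# by checks for two different functions.
lint_check_lib() {
  printf '%s\n' "$1" | EXPORTS="$2" awk '
    BEGIN {
      n = split(ENVIRON["EXPORTS"], rows, "\n")
      for (i = 1; i <= n; i++) { split(rows[i], f, " "); home[f[2]] = f[1] }
    }
    /AC_CHECK_LIB\(/ {
      line = $0
      sub(/.*AC_CHECK_LIB\(/, "", line)
      split(line, a, ",")
      lib = a[1]; fn = a[2]
      # Drop whitespace and m4 quote brackets around the two arguments.
      gsub(/[^A-Za-z0-9_]/, "", lib)
      gsub(/[^A-Za-z0-9_]/, "", fn)
      if ((fn in home) && home[fn] != lib)
        printf "WRONG_LIB %s probed in lib%s, exported by lib%s\n", fn, lib, home[fn]
      if (match($0, /AC_DEFINE\([^A-Za-z0-9_]*[A-Za-z0-9_]+/)) {
        def = substr($0, RSTART, RLENGTH)
        sub(/AC_DEFINE\([^A-Za-z0-9_]*/, "", def)
        if ((def in seen) && seen[def] != fn)
          printf "SHARED_DEFINE %s set by checks for %s and %s\n", def, seen[def], fn
        else
          seen[def] = fn
      }
    }'
}

lint_check_lib "$SAMPLE_M4" "$SAMPLE_EXPORTS"
```
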



 [2016-10-09 12:08 UTC] rainer dot jung at kippdata dot de
Two more files can be cleaned up in 7.0 and 7.1:

--- main/php_config.h.in        2016-09-29 04:15:35.000000000 +0200
+++ main/php_config.h.in        2016-10-09 14:06:14.410066000 +0200
@@ -604,9 +604,6 @@
 /* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */
 #undef HAVE_DOPRNT

-/* OpenSSL 0.9.7 or later */
-#undef HAVE_DSA_DEFAULT_METHOD
-
 /* Whether to enable DTrace support */
 #undef HAVE_DTRACE
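
Review bot: The removed `#undef HAVE_DSA_DEFAULT_METHOD` template and its `/* OpenSSL 0.9.7 or later */` comment in main/php_config.h.in are autoheader output derived from the AC_DEFINE description in the m4 files, so this hunk should not be applied by hand. Regenerating the file after the m4 checks are removed gives the same result, and a hand edit is overwritten on the next regeneration if any AC_DEFINE of that name was missed.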

--- ext/openssl/config.w32      2016-09-29 04:15:39.000000000 +0200
+++ ext/openssl/config.w32      2016-10-09 14:06:09.410396000 +0200
@@ -12,7 +12,6 @@

                AC_DEFINE("HAVE_OPENSSL_EXT", PHP_OPENSSL_SHARED ? 0 : 1, "Have openssl");
                AC_DEFINE("HAVE_OPENSSL", 1);
-               AC_DEFINE("HAVE_DSA_DEFAULT_METHOD", 1);
        }
 }
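
Review bot: The deletion of `AC_DEFINE("HAVE_DSA_DEFAULT_METHOD", 1);` in ext/openssl/config.w32 needs to be scoped explicitly to the 7.0 and 7.1 branches, because the report states that on 5.6 the check still makes sense and this unconditional line is what sets the define for Windows builds. State the target branches in the patch description so the hunk is not merged into 5.6 with the rest.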
 
Last updated: Sat Aug 24 03:01:27 2019 UTC