Only report provided ciphers in openssl_get_cipher_methods()

nikic · nikic · commit a80ae97d3176 · 2021-08-04T12:56:32.000+02:00
With OpenSSL 3 ciphers may be registered, but not provided. Make
sure that openssl_get_cipher_methods() only returns provided
ciphers, so that "in_array openssl_get_cipher_methods" style
checks continue working as expected.
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
@@ -6765,6 +6765,31 @@ PHP_FUNCTION(openssl_get_md_methods)
 }
 /* }}} */
 
+#if PHP_OPENSSL_API_VERSION >= 0x30000
+static void php_openssl_add_cipher_name(const char *name, void *arg)
+{
+	size_t len = strlen(name);
+	zend_string *str = zend_string_alloc(len, 0);
+	zend_str_tolower_copy(ZSTR_VAL(str), name, len);
+	add_next_index_str((zval*)arg, str);
+}
+
+static void php_openssl_add_cipher_or_alias(EVP_CIPHER *cipher, void *arg)
+{
+	EVP_CIPHER_names_do_all(cipher, php_openssl_add_cipher_name, arg);
+}
+
+static void php_openssl_add_cipher(EVP_CIPHER *cipher, void *arg)
+{
+	php_openssl_add_cipher_name(EVP_CIPHER_get0_name(cipher), arg);
+}
+
+static int php_openssl_compare_func(Bucket *a, Bucket *b)
+{
+	return string_compare_function(&a->val, &b->val);
+}
+#endif
+
 /* {{{ Return array of available cipher algorithms */
 PHP_FUNCTION(openssl_get_cipher_methods)
 {
@@ -6774,9 +6799,16 @@ PHP_FUNCTION(openssl_get_cipher_methods)
 		RETURN_THROWS();
 	}
 	array_init(return_value);
+#if PHP_OPENSSL_API_VERSION >= 0x30000
+	EVP_CIPHER_do_all_provided(NULL,
+		aliases ? php_openssl_add_cipher_or_alias : php_openssl_add_cipher,
+		return_value);
+	zend_hash_sort(Z_ARRVAL_P(return_value), php_openssl_compare_func, 1);
+#else
 	OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
-		aliases ? php_openssl_add_method_or_alias: php_openssl_add_method,
+		aliases ? php_openssl_add_method_or_alias : php_openssl_add_method,
 		return_value);
+#endif
 }
 /* }}} */
 
diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h
@@ -37,8 +37,10 @@ extern zend_module_entry openssl_module_entry;
 /* OpenSSL version check */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 #define PHP_OPENSSL_API_VERSION 0x10002
-#else
+#elif OPENSSL_VERSION_NUMBER < 0x30000000L
 #define PHP_OPENSSL_API_VERSION 0x10100
+#else
+#define PHP_OPENSSL_API_VERSION 0x30000
 #endif
 #endif
 
