593a4b
Backported for 8.0 from
593a4b
593a4b
593a4b
From 8bb0c74e24359a11216824117ac3adf3d5ef7b71 Mon Sep 17 00:00:00 2001
593a4b
From: Remi Collet <remi@remirepo.net>
593a4b
Date: Thu, 5 Aug 2021 11:10:15 +0200
593a4b
Subject: [PATCH] switch phar to use sha256 signature by default
593a4b
593a4b
---
593a4b
 ext/phar/phar/pharcommand.inc                  | 2 +-
593a4b
 ext/phar/tests/create_new_and_modify.phpt      | 4 ++--
593a4b
 ext/phar/tests/create_new_phar_c.phpt          | 4 ++--
593a4b
 ext/phar/tests/phar_setsignaturealgo2.phpt     | 2 +-
593a4b
 ext/phar/tests/tar/phar_setsignaturealgo2.phpt | 2 +-
593a4b
 ext/phar/tests/zip/phar_setsignaturealgo2.phpt | 2 +-
593a4b
 ext/phar/util.c                                | 6 +++---
593a4b
 ext/phar/zip.c                                 | 2 +-
593a4b
 8 files changed, 12 insertions(+), 12 deletions(-)
593a4b
593a4b
diff --git a/ext/phar/phar/pharcommand.inc b/ext/phar/phar/pharcommand.inc
593a4b
index a31290eee75fe..5f698b4bec26b 100644
593a4b
--- a/ext/phar/phar/pharcommand.inc
593a4b
+++ b/ext/phar/phar/pharcommand.inc
593a4b
@@ -92,7 +92,7 @@ class PharCommand extends CLICommand
593a4b
                 'typ' => 'select',
593a4b
                 'val' => NULL,
593a4b
                 'inf' => '<method> Selects the hash algorithm.',
593a4b
-                'select' => array('md5' => 'MD5','sha1' => 'SHA1')
593a4b
+                'select' => array('md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL')
593a4b
             ),
593a4b
             'i' => array(
593a4b
                 'typ' => 'regex',
593a4b
diff --git a/ext/phar/tests/create_new_and_modify.phpt b/ext/phar/tests/create_new_and_modify.phpt
593a4b
index 02e36c6cea2fe..32defcae8a639 100644
593a4b
--- a/ext/phar/tests/create_new_and_modify.phpt
593a4b
+++ b/ext/phar/tests/create_new_and_modify.phpt
593a4b
@@ -49,8 +49,8 @@ include $pname . '/b.php';
593a4b
 
593a4b
 --EXPECTF--
593a4b
 brand new!
593a4b
-string(40) "%s"
593a4b
-string(40) "%s"
593a4b
+string(%d) "%s"
593a4b
+string(%d) "%s"
593a4b
 bool(true)
593a4b
 modified!
593a4b
 another!
593a4b
diff --git a/ext/phar/tests/create_new_phar_c.phpt b/ext/phar/tests/create_new_phar_c.phpt
593a4b
index 566d3c4d5f8ad..bf6d740fd1d10 100644
593a4b
--- a/ext/phar/tests/create_new_phar_c.phpt
593a4b
+++ b/ext/phar/tests/create_new_phar_c.phpt
593a4b
@@ -20,7 +20,7 @@ var_dump($phar->getSignature());
593a4b
 --EXPECTF--
593a4b
 array(2) {
593a4b
   ["hash"]=>
593a4b
-  string(40) "%s"
593a4b
+  string(64) "%s"
593a4b
   ["hash_type"]=>
593a4b
-  string(5) "SHA-1"
593a4b
+  string(7) "SHA-256"
593a4b
 }
593a4b
diff --git a/ext/phar/tests/phar_setsignaturealgo2.phpt b/ext/phar/tests/phar_setsignaturealgo2.phpt
593a4b
index 293d3196713d8..4f31836fbbbcc 100644
593a4b
--- a/ext/phar/tests/phar_setsignaturealgo2.phpt
593a4b
+++ b/ext/phar/tests/phar_setsignaturealgo2.phpt
593a4b
@@ -52,7 +52,7 @@ array(2) {
593a4b
   ["hash"]=>
593a4b
   string(%d) "%s"
593a4b
   ["hash_type"]=>
593a4b
-  string(5) "SHA-1"
593a4b
+  string(7) "SHA-256"
593a4b
 }
593a4b
 array(2) {
593a4b
   ["hash"]=>
593a4b
diff --git a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt
593a4b
index 9923ac5c88476..cc10a241d739b 100644
593a4b
--- a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt
593a4b
+++ b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt
593a4b
@@ -51,7 +51,7 @@ array(2) {
593a4b
   ["hash"]=>
593a4b
   string(%d) "%s"
593a4b
   ["hash_type"]=>
593a4b
-  string(5) "SHA-1"
593a4b
+  string(7) "SHA-256"
593a4b
 }
593a4b
 array(2) {
593a4b
   ["hash"]=>
593a4b
diff --git a/ext/phar/tests/zip/phar_setsignaturealgo2.phpt b/ext/phar/tests/zip/phar_setsignaturealgo2.phpt
593a4b
index 8de77479d7825..60fec578ee894 100644
593a4b
--- a/ext/phar/tests/zip/phar_setsignaturealgo2.phpt
593a4b
+++ b/ext/phar/tests/zip/phar_setsignaturealgo2.phpt
593a4b
@@ -78,7 +78,7 @@ array(2) {
593a4b
   ["hash"]=>
593a4b
   string(%d) "%s"
593a4b
   ["hash_type"]=>
593a4b
-  string(5) "SHA-1"
593a4b
+  string(7) "SHA-256"
593a4b
 }
593a4b
 array(2) {
593a4b
   ["hash"]=>
593a4b
diff --git a/ext/phar/util.c b/ext/phar/util.c
593a4b
index 314acfe81a788..8d2db03b69601 100644
593a4b
--- a/ext/phar/util.c
593a4b
+++ b/ext/phar/util.c
593a4b
@@ -1798,6 +1798,8 @@ int phar_create_signature(phar_archive_d
593a4b
 			*signature_length = 64;
593a4b
 			break;
593a4b
 		}
593a4b
+		default:
593a4b
+			phar->sig_flags = PHAR_SIG_SHA256;
593a4b
 		case PHAR_SIG_SHA256: {
593a4b
 			unsigned char digest[32];
593a4b
 			PHP_SHA256_CTX  context;
593a4b
@@ -1894,8 +1896,6 @@ int phar_create_signature(phar_archive_d
593a4b
 			*signature_length = siglen;
593a4b
 		}
593a4b
 		break;
593a4b
-		default:
593a4b
-			phar->sig_flags = PHAR_SIG_SHA1;
593a4b
 		case PHAR_SIG_SHA1: {
593a4b
 			unsigned char digest[20];
593a4b
 			PHP_SHA1_CTX  context;
593a4b
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
593a4b
index 31d4bd2998215..c5e38cabf7b87 100644
593a4b
--- a/ext/phar/zip.c
593a4b
+++ b/ext/phar/zip.c
593a4b
@@ -1423,7 +1423,7 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
593a4b
 
593a4b
 	memcpy(eocd.signature, "PK\5\6", 4);
593a4b
 	if (!phar->is_data && !phar->sig_flags) {
593a4b
-		phar->sig_flags = PHAR_SIG_SHA1;
593a4b
+		phar->sig_flags = PHAR_SIG_SHA256;
593a4b
 	}
593a4b
 	if (phar->sig_flags) {
593a4b
 		PHAR_SET_16(eocd.counthere, zend_hash_num_elements(&phar->manifest) + 1);
593a4b
593a4b
From c51af22fef988c1b2f92b7b9e3a9d745f7084815 Mon Sep 17 00:00:00 2001
593a4b
From: Remi Collet <remi@remirepo.net>
593a4b
Date: Thu, 5 Aug 2021 16:49:48 +0200
593a4b
Subject: [PATCH] implement openssl_256 and openssl_512 for phar singatures
593a4b
593a4b
---
593a4b
 ext/openssl/openssl.c                         |   1 +
593a4b
 ext/phar/phar.1.in                            |  10 +++-
593a4b
 ext/phar/phar.c                               |   8 +++-
593a4b
 ext/phar/phar/pharcommand.inc                 |  14 +++++-
593a4b
 ext/phar/phar_internal.h                      |   2 +
593a4b
 ext/phar/phar_object.c                        |  24 ++++++++--
593a4b
 ext/phar/tests/files/openssl256.phar          | Bin 0 -> 7129 bytes
593a4b
 ext/phar/tests/files/openssl256.phar.pubkey   |   6 +++
593a4b
 ext/phar/tests/files/openssl512.phar          | Bin 0 -> 7129 bytes
593a4b
 ext/phar/tests/files/openssl512.phar.pubkey   |   6 +++
593a4b
 .../phar_get_supported_signatures_002a.phpt   |   6 ++-
593a4b
 .../tests/tar/phar_setsignaturealgo2.phpt     |  16 +++++++
593a4b
 ext/phar/tests/test_signaturealgos.phpt       |   8 ++++
593a4b
 ext/phar/util.c                               |  45 ++++++++++++++----
593a4b
 14 files changed, 128 insertions(+), 18 deletions(-)
593a4b
 create mode 100644 ext/phar/tests/files/openssl256.phar
593a4b
 create mode 100644 ext/phar/tests/files/openssl256.phar.pubkey
593a4b
 create mode 100644 ext/phar/tests/files/openssl512.phar
593a4b
 create mode 100644 ext/phar/tests/files/openssl512.phar.pubkey
593a4b
593a4b
diff --git a/ext/phar/phar.1.in b/ext/phar/phar.1.in
593a4b
index 77912b241dfd5..323e77b0e2a3b 100644
593a4b
--- a/ext/phar/phar.1.in
593a4b
+++ b/ext/phar/phar.1.in
593a4b
@@ -475,7 +475,15 @@ SHA512
593a4b
 .TP
593a4b
 .PD
593a4b
 .B openssl
593a4b
-OpenSSL
593a4b
+OpenSSL using SHA-1
593a4b
+.TP
593a4b
+.PD
593a4b
+.B openssl_sha256
593a4b
+OpenSSL using SHA-256
593a4b
+.TP
593a4b
+.PD
593a4b
+.B openssl_sha512
593a4b
+OpenSSL using SHA-512
593a4b
 
593a4b
 .SH SEE ALSO
593a4b
 For a more or less complete description of PHAR look here:
593a4b
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
593a4b
index 77f21cef9da53..bc08e4edde05d 100644
593a4b
--- a/ext/phar/phar.c
593a4b
+++ b/ext/phar/phar.c
593a4b
@@ -869,6 +869,8 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, size_t fname_len, ch
593a4b
 		PHAR_GET_32(sig_ptr, sig_flags);
593a4b
 
593a4b
 		switch(sig_flags) {
593a4b
+			case PHAR_SIG_OPENSSL_SHA512:
593a4b
+			case PHAR_SIG_OPENSSL_SHA256:
593a4b
 			case PHAR_SIG_OPENSSL: {
593a4b
 				uint32_t signature_len;
593a4b
 				char *sig;
593a4b
@@ -903,7 +905,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, size_t fname_len, ch
593a4b
 					return FAILURE;
593a4b
 				}
593a4b
 
593a4b
-				if (FAILURE == phar_verify_signature(fp, end_of_phar, PHAR_SIG_OPENSSL, sig, signature_len, fname, &signature, &sig_len, error)) {
593a4b
+				if (FAILURE == phar_verify_signature(fp, end_of_phar, sig_flags, sig, signature_len, fname, &signature, &sig_len, error)) {
593a4b
 					efree(savebuf);
593a4b
 					efree(sig);
593a4b
 					php_stream_close(fp);
593a4b
@@ -3162,7 +3164,9 @@ int phar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int conv
593a4b
 
593a4b
 				php_stream_write(newfile, digest, digest_len);
593a4b
 				efree(digest);
593a4b
-				if (phar->sig_flags == PHAR_SIG_OPENSSL) {
593a4b
+				if (phar->sig_flags == PHAR_SIG_OPENSSL ||
593a4b
+					phar->sig_flags == PHAR_SIG_OPENSSL_SHA256 ||
593a4b
+					phar->sig_flags == PHAR_SIG_OPENSSL_SHA512) {
593a4b
 					phar_set_32(sig_buf, digest_len);
593a4b
 					php_stream_write(newfile, sig_buf, 4);
593a4b
 				}
593a4b
diff --git a/ext/phar/phar/pharcommand.inc b/ext/phar/phar/pharcommand.inc
593a4b
index 5f698b4bec26b..1b1eeca59c560 100644
593a4b
--- a/ext/phar/phar/pharcommand.inc
593a4b
+++ b/ext/phar/phar/pharcommand.inc
593a4b
@@ -92,7 +92,7 @@ class PharCommand extends CLICommand
593a4b
                 'typ' => 'select',
593a4b
                 'val' => NULL,
593a4b
                 'inf' => '<method> Selects the hash algorithm.',
593a4b
-                'select' => array('md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL')
593a4b
+                'select' => ['md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL', 'openssl_sha256' => 'OPENSSL_SHA256', 'openssl_sha512' => 'OPENSSL_SHA512']
593a4b
             ),
593a4b
             'i' => array(
593a4b
                 'typ' => 'regex',
593a4b
@@ -156,6 +156,8 @@ class PharCommand extends CLICommand
593a4b
         $hash_avail = Phar::getSupportedSignatures();
593a4b
         $hash_optional = array('SHA-256' => 'SHA256',
593a4b
                                'SHA-512' => 'SHA512',
593a4b
+                               'OpenSSL_sha256' => 'OpenSSL_SHA256',
593a4b
+                               'OpenSSL_sha512' => 'OpenSSL_SHA512',
593a4b
                                'OpenSSL' => 'OpenSSL');
593a4b
         if (!in_array('OpenSSL', $hash_avail)) {
593a4b
             unset($phar_args['y']);
593a4b
@@ -429,6 +431,16 @@ class PharCommand extends CLICommand
593a4b
                     self::error("Cannot use OpenSSL signing without key.\n");
593a4b
                 }
593a4b
                 return Phar::OPENSSL;
593a4b
+            case 'openssl_sha256':
593a4b
+                if (!$privkey) {
593a4b
+                    self::error("Cannot use OpenSSL signing without key.\n");
593a4b
+                }
593a4b
+                return Phar::OPENSSL_SHA256;
593a4b
+            case 'openssl_sha512':
593a4b
+                if (!$privkey) {
593a4b
+                    self::error("Cannot use OpenSSL signing without key.\n");
593a4b
+                }
593a4b
+                return Phar::OPENSSL_SHA512;
593a4b
         }
593a4b
     }
593a4b
     // }}}
593a4b
diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
593a4b
index a9f81e2ab994a..30b408a8c4462 100644
593a4b
--- a/ext/phar/phar_internal.h
593a4b
+++ b/ext/phar/phar_internal.h
593a4b
@@ -88,6 +88,8 @@
593a4b
 #define PHAR_SIG_SHA256           0x0003
593a4b
 #define PHAR_SIG_SHA512           0x0004
593a4b
 #define PHAR_SIG_OPENSSL          0x0010
593a4b
+#define PHAR_SIG_OPENSSL_SHA256   0x0011
593a4b
+#define PHAR_SIG_OPENSSL_SHA512   0x0012
593a4b
 
593a4b
 /* flags byte for each file adheres to these bitmasks.
593a4b
    All unused values are reserved */
593a4b
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
593a4b
index 9c1e5f2fa1eef..c05970e657f18 100644
593a4b
--- a/ext/phar/phar_object.c
593a4b
+++ b/ext/phar/phar_object.c
593a4b
@@ -1246,9 +1246,13 @@ PHP_METHOD(Phar, getSupportedSignatures)
593a4b
 	add_next_index_stringl(return_value, "SHA-512", 7);
593a4b
 #ifdef PHAR_HAVE_OPENSSL
593a4b
 	add_next_index_stringl(return_value, "OpenSSL", 7);
593a4b
+	add_next_index_stringl(return_value, "OpenSSL_SHA256", 14);
593a4b
+	add_next_index_stringl(return_value, "OpenSSL_SHA512", 14);
593a4b
 #else
593a4b
 	if (zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1)) {
593a4b
 		add_next_index_stringl(return_value, "OpenSSL", 7);
593a4b
+		add_next_index_stringl(return_value, "OpenSSL_SHA256", 14);
593a4b
+		add_next_index_stringl(return_value, "OpenSSL_SHA512", 14);
593a4b
 	}
593a4b
 #endif
593a4b
 }
593a4b
@@ -3028,6 +3032,8 @@ PHP_METHOD(Phar, setSignatureAlgorithm)
593a4b
 		case PHAR_SIG_MD5:
593a4b
 		case PHAR_SIG_SHA1:
593a4b
 		case PHAR_SIG_OPENSSL:
593a4b
+		case PHAR_SIG_OPENSSL_SHA256:
593a4b
+		case PHAR_SIG_OPENSSL_SHA512:
593a4b
 			if (phar_obj->archive->is_persistent && FAILURE == phar_copy_on_write(&(phar_obj->archive))) {
593a4b
 				zend_throw_exception_ex(phar_ce_PharException, 0, "phar \"%s\" is persistent, unable to copy on write", phar_obj->archive->fname);
593a4b
 				RETURN_THROWS();
593a4b
@@ -3066,19 +3072,25 @@ PHP_METHOD(Phar, getSignature)
593a4b
 		add_assoc_stringl(return_value, "hash", phar_obj->archive->signature, phar_obj->archive->sig_len);
593a4b
 		switch(phar_obj->archive->sig_flags) {
593a4b
 			case PHAR_SIG_MD5:
593a4b
-				add_assoc_stringl(return_value, "hash_type", "MD5", 3);
593a4b
+				add_assoc_string(return_value, "hash_type", "MD5");
593a4b
 				break;
593a4b
 			case PHAR_SIG_SHA1:
593a4b
-				add_assoc_stringl(return_value, "hash_type", "SHA-1", 5);
593a4b
+				add_assoc_string(return_value, "hash_type", "SHA-1");
593a4b
 				break;
593a4b
 			case PHAR_SIG_SHA256:
593a4b
-				add_assoc_stringl(return_value, "hash_type", "SHA-256", 7);
593a4b
+				add_assoc_string(return_value, "hash_type", "SHA-256");
593a4b
 				break;
593a4b
 			case PHAR_SIG_SHA512:
593a4b
-				add_assoc_stringl(return_value, "hash_type", "SHA-512", 7);
593a4b
+				add_assoc_string(return_value, "hash_type", "SHA-512");
593a4b
 				break;
593a4b
 			case PHAR_SIG_OPENSSL:
593a4b
-				add_assoc_stringl(return_value, "hash_type", "OpenSSL", 7);
593a4b
+				add_assoc_string(return_value, "hash_type", "OpenSSL");
593a4b
+				break;
593a4b
+			case PHAR_SIG_OPENSSL_SHA256:
593a4b
+				add_assoc_string(return_value, "hash_type", "OpenSSL_SHA256");
593a4b
+				break;
593a4b
+			case PHAR_SIG_OPENSSL_SHA512:
593a4b
+				add_assoc_string(return_value, "hash_type", "OpenSSL_SHA512");
593a4b
 				break;
593a4b
 			default:
593a4b
 				unknown = strpprintf(0, "Unknown (%u)", phar_obj->archive->sig_flags);
593a4b
@@ -5103,6 +5115,8 @@ void phar_object_init(void) /* {{{ */
593a4b
 	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "PHPS", PHAR_MIME_PHPS)
593a4b
 	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "MD5", PHAR_SIG_MD5)
593a4b
 	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL", PHAR_SIG_OPENSSL)
593a4b
+	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL_SHA256", PHAR_SIG_OPENSSL_SHA256)
593a4b
+	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL_SHA512", PHAR_SIG_OPENSSL_SHA512)
593a4b
 	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA1", PHAR_SIG_SHA1)
593a4b
 	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA256", PHAR_SIG_SHA256)
593a4b
 	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA512", PHAR_SIG_SHA512)
593a4b
diff --git a/ext/phar/tests/phar_get_supported_signatures_002a.phpt b/ext/phar/tests/phar_get_supported_signatures_002a.phpt
593a4b
index 06d811f2c35c2..639143b3d2c90 100644
593a4b
--- a/ext/phar/tests/phar_get_supported_signatures_002a.phpt
593a4b
+++ b/ext/phar/tests/phar_get_supported_signatures_002a.phpt
593a4b
@@ -14,7 +14,7 @@ phar.readonly=0
593a4b
 var_dump(Phar::getSupportedSignatures());
593a4b
 ?>
593a4b
 --EXPECT--
593a4b
-array(5) {
593a4b
+array(7) {
593a4b
   [0]=>
593a4b
   string(3) "MD5"
593a4b
   [1]=>
593a4b
@@ -25,4 +25,8 @@ array(5) {
593a4b
   string(7) "SHA-512"
593a4b
   [4]=>
593a4b
   string(7) "OpenSSL"
593a4b
+  [5]=>
593a4b
+  string(14) "OpenSSL_SHA256"
593a4b
+  [6]=>
593a4b
+  string(14) "OpenSSL_SHA512"
593a4b
 }
593a4b
diff --git a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt
593a4b
index cc10a241d739b..c2eb5d77a5bf0 100644
593a4b
--- a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt
593a4b
+++ b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt
593a4b
@@ -38,6 +38,10 @@ $pkey = '';
593a4b
 openssl_pkey_export($private, $pkey, NULL, $config_arg);
593a4b
 $p->setSignatureAlgorithm(Phar::OPENSSL, $pkey);
593a4b
 var_dump($p->getSignature());
593a4b
+$p->setSignatureAlgorithm(Phar::OPENSSL_SHA512, $pkey);
593a4b
+var_dump($p->getSignature());
593a4b
+$p->setSignatureAlgorithm(Phar::OPENSSL_SHA256, $pkey);
593a4b
+var_dump($p->getSignature());
593a4b
 } catch (Exception $e) {
593a4b
 echo $e->getMessage();
593a4b
 }
593a4b
@@ -83,3 +87,15 @@ array(2) {
593a4b
   ["hash_type"]=>
593a4b
   string(7) "OpenSSL"
593a4b
 }
593a4b
+array(2) {
593a4b
+  ["hash"]=>
593a4b
+  string(%d) "%s"
593a4b
+  ["hash_type"]=>
593a4b
+  string(14) "OpenSSL_SHA512"
593a4b
+}
593a4b
+array(2) {
593a4b
+  ["hash"]=>
593a4b
+  string(%d) "%s"
593a4b
+  ["hash_type"]=>
593a4b
+  string(14) "OpenSSL_SHA256"
593a4b
+}
593a4b
diff --git a/ext/phar/util.c b/ext/phar/util.c
593a4b
index 8d2db03b69601..515830bf2c70a 100644
593a4b
--- a/ext/phar/util.c
593a4b
+++ b/ext/phar/util.c
593a4b
@@ -34,7 +34,7 @@
593a4b
 #include <openssl/ssl.h>
593a4b
 #include <openssl/pkcs12.h>
593a4b
 #else
593a4b
-static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len);
593a4b
+static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, php_uint32 sig_type);
593a4b
 #endif
593a4b
 
593a4b
 /* for links to relative location, prepend cwd of the entry */
593a4b
@@ -1381,11 +1381,11 @@ static int phar_hex_str(const char *digest, size_t digest_len, char **signature)
593a4b
 /* }}} */
593a4b
 
593a4b
 #ifndef PHAR_HAVE_OPENSSL
593a4b
-static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len) /* {{{ */
593a4b
+static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, php_uint32 sig_type) /* {{{ */
593a4b
 {
593a4b
 	zend_fcall_info fci;
593a4b
 	zend_fcall_info_cache fcc;
593a4b
-	zval retval, zp[3], openssl;
593a4b
+	zval retval, zp[4], openssl;
593a4b
 	zend_string *str;
593a4b
 
593a4b
 	ZVAL_STRINGL(&openssl, is_sign ? "openssl_sign" : "openssl_verify", is_sign ? sizeof("openssl_sign")-1 : sizeof("openssl_verify")-1);
593a4b
@@ -1402,6 +1402,14 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t
593a4b
 	} else {
593a4b
 		ZVAL_EMPTY_STRING(&zp[0]);
593a4b
 	}
593a4b
+	if (sig_type == PHAR_SIG_OPENSSL_SHA512) {
593a4b
+		ZVAL_LONG(&zp[3], 9); /* value from openssl.c #define OPENSSL_ALGO_SHA512 9 */
593a4b
+	} else if (sig_type == PHAR_SIG_OPENSSL_SHA256) {
593a4b
+		ZVAL_LONG(&zp[3], 7); /* value from openssl.c #define OPENSSL_ALGO_SHA256 7 */
593a4b
+	} else {
593a4b
+		/* don't rely on default value which may change in the future */
593a4b
+		ZVAL_LONG(&zp[3], 1); /* value from openssl.c #define OPENSSL_ALGO_SHA1   1 */
593a4b
+	}
593a4b
 
593a4b
 	if ((size_t)end != Z_STRLEN(zp[0])) {
593a4b
 		zval_ptr_dtor_str(&zp[0]);
593a4b
@@ -1419,7 +1427,7 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t
593a4b
 		return FAILURE;
593a4b
 	}
593a4b
 
593a4b
-	fci.param_count = 3;
593a4b
+	fci.param_count = 4;
593a4b
 	fci.params = zp;
593a4b
 	Z_ADDREF(zp[0]);
593a4b
 	if (is_sign) {
593a4b
@@ -1482,12 +1490,22 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
593a4b
 	php_stream_rewind(fp);
593a4b
 
593a4b
 	switch (sig_type) {
593a4b
+		case PHAR_SIG_OPENSSL_SHA512:
593a4b
+		case PHAR_SIG_OPENSSL_SHA256:
593a4b
 		case PHAR_SIG_OPENSSL: {
593a4b
 #ifdef PHAR_HAVE_OPENSSL
593a4b
 			BIO *in;
593a4b
 			EVP_PKEY *key;
593a4b
-			EVP_MD *mdtype = (EVP_MD *) EVP_sha1();
593a4b
+			const EVP_MD *mdtype;
593a4b
 			EVP_MD_CTX *md_ctx;
593a4b
+
593a4b
+			if (sig_type == PHAR_SIG_OPENSSL_SHA512) {
593a4b
+				mdtype = EVP_sha512();
593a4b
+			} else if (sig_type == PHAR_SIG_OPENSSL_SHA256) {
593a4b
+				mdtype = EVP_sha256();
593a4b
+			} else {
593a4b
+				mdtype = EVP_sha1();
593a4b
+			}
593a4b
 #else
593a4b
 			size_t tempsig;
593a4b
 #endif
593a4b
@@ -1521,7 +1539,7 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
593a4b
 #ifndef PHAR_HAVE_OPENSSL
593a4b
 			tempsig = sig_len;
593a4b
 
593a4b
-			if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, pubkey ? ZSTR_VAL(pubkey) : NULL, pubkey ? ZSTR_LEN(pubkey) : 0, &sig, &tempsig)) {
593a4b
+			if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, pubkey ? ZSTR_VAL(pubkey) : NULL, pubkey ? ZSTR_LEN(pubkey) : 0, &sig, &tempsig, sig_type)) {
593a4b
 				if (pubkey) {
593a4b
 					zend_string_release_ex(pubkey, 0);
593a4b
 				}
593a4b
@@ -1815,6 +1833,8 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat
593a4b
 			*signature_length = 32;
593a4b
 			break;
593a4b
 		}
593a4b
+		case PHAR_SIG_OPENSSL_SHA512:
593a4b
+		case PHAR_SIG_OPENSSL_SHA256:
593a4b
 		case PHAR_SIG_OPENSSL: {
593a4b
 			unsigned char *sigbuf;
593a4b
 #ifdef PHAR_HAVE_OPENSSL
593a4b
@@ -1822,6 +1842,15 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat
593a4b
 			BIO *in;
593a4b
 			EVP_PKEY *key;
593a4b
 			EVP_MD_CTX *md_ctx;
593a4b
+			const EVP_MD *mdtype;
593a4b
+
593a4b
+			if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA512) {
593a4b
+				mdtype = EVP_sha512();
593a4b
+			} else if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA256) {
593a4b
+				mdtype = EVP_sha256();
593a4b
+			} else {
593a4b
+				mdtype = EVP_sha1();
593a4b
+			}
593a4b
 
593a4b
 			in = BIO_new_mem_buf(PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len));
593a4b
 
593a4b
@@ -1847,7 +1876,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat
593a4b
 			siglen = EVP_PKEY_size(key);
593a4b
 			sigbuf = emalloc(siglen + 1);
593a4b
 
593a4b
-			if (!EVP_SignInit(md_ctx, EVP_sha1())) {
593a4b
+			if (!EVP_SignInit(md_ctx, mdtype)) {
593a4b
 				EVP_PKEY_free(key);
593a4b
 				efree(sigbuf);
593a4b
 				if (error) {
593a4b
@@ -1885,7 +1914,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat
593a4b
 			siglen = 0;
593a4b
 			php_stream_seek(fp, 0, SEEK_END);
593a4b
 
593a4b
-			if (FAILURE == phar_call_openssl_signverify(1, fp, php_stream_tell(fp), PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len), (char **)&sigbuf, &siglen)) {
593a4b
+			if (FAILURE == phar_call_openssl_signverify(1, fp, php_stream_tell(fp), PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len), (char **)&sigbuf, &siglen, phar->sig_flags)) {
593a4b
 				if (error) {
593a4b
 					spprintf(error, 0, "unable to write phar \"%s\" with requested openssl signature", phar->fname);
593a4b
 				}