
Use a case insensitive method to check that SHA384 is a supported openssl algorithm #128

Merged
merged 1 commit into from Sep 24, 2018

5 participants
@aragon999
Contributor

aragon999 commented Sep 16, 2018

Currently, downloading the installer from https://getcomposer.org/installer and executing it fails on my system (Arch Linux):
php 7.2.10
openssl 1.1.1

The problem is that openssl_get_md_methods() only returns the supported algorithms in lowercase, at least in my setup. In earlier versions they seem to return both, i.e. SHA384 and sha384.
To fix this issue I implemented a case insensitive method to detect the algorithm.

openssl_verify() does not seem to care about the case at the moment, so I left that part unchanged.

If this fix is accepted, I will also be happy to create a pull request for the self updater, where the same issue can be found: https://github.com/composer/composer/blob/158e1c95da02cc0b932de74f9a09a1c7b6cf654f/src/Composer/Command/SelfUpdateCommand.php#L223
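The check described in this comment, as an added example written for this page (it is neither the installer's code nor the merged commit): the strict lookup that breaks on OpenSSL 1.1.1 next to a case-insensitive one, run over constructed method lists that mirror the two outputs reported later in the thread, and then against the local extension.

```php
<?php
// Added example, not the Composer installer's own code: check whether a digest
// algorithm is offered by the OpenSSL extension without depending on the letter
// case in which openssl_get_md_methods() happens to report it.

// Strict check: only succeeds if the exact spelling is in the list. With
// OpenSSL 1.1.1 the list contains "sha384" but not "SHA384", so asking for
// "SHA384" fails although the algorithm is available.
function hasDigestStrict(string $algo, array $methods): bool
{
    return in_array($algo, $methods, true);
}

// Case-insensitive check: normalise both sides to lowercase before comparing.
function hasDigestInsensitive(string $algo, array $methods): bool
{
    $wanted = strtolower($algo);
    foreach ($methods as $method) {
        if (strtolower($method) === $wanted) {
            return true;
        }
    }
    return false;
}

// Constructed sample lists (subsets of the outputs quoted in this thread):
// OpenSSL 1.1.0 reports both spellings, OpenSSL 1.1.1 only the lowercase one.
$openssl110 = ['MD5', 'SHA256', 'SHA384', 'SHA512', 'md5', 'sha256', 'sha384', 'sha512'];
$openssl111 = ['md5', 'sha256', 'sha384', 'sha512', 'sha3-384'];

foreach (['1.1.0' => $openssl110, '1.1.1' => $openssl111] as $version => $methods) {
    printf(
        "OpenSSL %s: strict=%s insensitive=%s\n",
        $version,
        hasDigestStrict('SHA384', $methods) ? 'yes' : 'no',
        hasDigestInsensitive('SHA384', $methods) ? 'yes' : 'no'
    );
}

// The same check against the extension actually loaded in this PHP process.
if (!hasDigestInsensitive('SHA384', openssl_get_md_methods())) {
    fwrite(STDERR, "SHA384 is not supported by this PHP/OpenSSL build\n");
    exit(1);
}
echo "SHA384 available\n";
```

The strict lookup answers "no" for the 1.1.1 list, which is exactly the installer failure reported above; the case-insensitive lookup answers "yes" for both lists.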

@alcohol
Member

alcohol commented Sep 17, 2018

I tried with 7.2.9 and 7.2.10, but both still return all values as far as I can see. Are you sure this is not related to something specifically in Arch?

7.2.9

rob@galaga ~/Code $ docker run --rm -it php:7.2.9-cli-alpine -r "print_r(openssl_get_md_methods());"
Array
(
    [0] => DSA
    [1] => DSA-SHA
    [2] => GOST 28147-89 MAC
    [3] => GOST R 34-11-2012 (512 bit)
    [4] => GOST R 34.11-2012 (256 bit)
    [5] => GOST R 34.11-94
    [6] => MD4
    [7] => MD5
    [8] => MD5-SHA1
    [9] => RIPEMD160
    [10] => SHA1
    [11] => SHA224
    [12] => SHA256
    [13] => SHA384
    [14] => SHA512
    [15] => dsaEncryption
    [16] => dsaWithSHA
    [17] => ecdsa-with-SHA1
    [18] => gost-mac
    [19] => md4
    [20] => md5
    [21] => md5-sha1
    [22] => md_gost94
    [23] => ripemd160
    [24] => sha1
    [25] => sha224
    [26] => sha256
    [27] => sha384
    [28] => sha512
    [29] => streebog256
    [30] => streebog512
    [31] => whirlpool
)

7.2.10

rob@galaga ~/Code $ docker run --rm -it php:7.2.10-cli-alpine -r "print_r(openssl_get_md_methods());"
Array
(
    [0] => DSA
    [1] => DSA-SHA
    [2] => GOST 28147-89 MAC
    [3] => GOST R 34-11-2012 (512 bit)
    [4] => GOST R 34.11-2012 (256 bit)
    [5] => GOST R 34.11-94
    [6] => MD4
    [7] => MD5
    [8] => MD5-SHA1
    [9] => RIPEMD160
    [10] => SHA1
    [11] => SHA224
    [12] => SHA256
    [13] => SHA384
    [14] => SHA512
    [15] => dsaEncryption
    [16] => dsaWithSHA
    [17] => ecdsa-with-SHA1
    [18] => gost-mac
    [19] => md4
    [20] => md5
    [21] => md5-sha1
    [22] => md_gost94
    [23] => ripemd160
    [24] => sha1
    [25] => sha224
    [26] => sha256
    [27] => sha384
    [28] => sha512
    [29] => streebog256
    [30] => streebog512
    [31] => whirlpool
)
@alcohol
Member

alcohol commented Sep 17, 2018

But making this check not case-sensitive does not hurt anyone I imagine. @Seldaek can decide what to do with this I reckon :-)

@aragon999
Contributor Author

aragon999 commented Sep 17, 2018

Afaik the PHP function openssl_get_md_methods() is only a proxy function to openssl itself.
I just ran a test with openssl 1.1.0, where I get similar output to yours (at least SHA384 is still present).
After upgrading to openssl 1.1.1, only the lowercase methods are returned.

openssl 1.1.0:

array(25) {
  [0] =>
  string(10) "BLAKE2b512"
  [1] =>
  string(10) "BLAKE2s256"
  [2] =>
  string(3) "MD4"
  [3] =>
  string(3) "MD5"
  [4] =>
  string(8) "MD5-SHA1"
  [5] =>
  string(4) "MDC2"
  [6] =>
  string(9) "RIPEMD160"
  [7] =>
  string(4) "SHA1"
  [8] =>
  string(6) "SHA224"
  [9] =>
  string(6) "SHA256"
  [10] =>
  string(6) "SHA384"
  [11] =>
  string(6) "SHA512"
  [12] =>
  string(10) "blake2b512"
  [13] =>
  string(10) "blake2s256"
  [14] =>
  string(3) "md4"
  [15] =>
  string(3) "md5"
  [16] =>
  string(8) "md5-sha1"
  [17] =>
  string(4) "mdc2"
  [18] =>
  string(9) "ripemd160"
  [19] =>
  string(4) "sha1"
  [20] =>
  string(6) "sha224"
  [21] =>
  string(6) "sha256"
  [22] =>
  string(6) "sha384"
  [23] =>
  string(6) "sha512"
  [24] =>
  string(9) "whirlpool"
}

openssl 1.1.1:

array(22) {
  [0] =>
  string(10) "blake2b512"
  [1] =>
  string(10) "blake2s256"
  [2] =>
  string(3) "md4"
  [3] =>
  string(3) "md5"
  [4] =>
  string(8) "md5-sha1"
  [5] =>
  string(4) "mdc2"
  [6] =>
  string(9) "ripemd160"
  [7] =>
  string(4) "sha1"
  [8] =>
  string(6) "sha224"
  [9] =>
  string(6) "sha256"
  [10] =>
  string(8) "sha3-224"
  [11] =>
  string(8) "sha3-256"
  [12] =>
  string(8) "sha3-384"
  [13] =>
  string(8) "sha3-512"
  [14] =>
  string(6) "sha384"
  [15] =>
  string(6) "sha512"
  [16] =>
  string(10) "sha512-224"
  [17] =>
  string(10) "sha512-256"
  [18] =>
  string(8) "shake128"
  [19] =>
  string(8) "shake256"
  [20] =>
  string(3) "sm3"
  [21] =>
  string(9) "whirlpool"
}

Apart from the version, not much should have changed, see the change in the PKGBUILD script for openssl: https://git.archlinux.org/svntogit/packages.git/commit/trunk/PKGBUILD?h=packages/openssl&id=52bb8ba2e4b0b4171f4a6e70e0b4ab5a1140a466
A quick search in the source code for the compile option enable-ec_nistp_64_gcc_128 did not show anything related to the issue: https://github.com/openssl/openssl/search?p=1&q=ec.nistp.64.gcc&type=&utf8=%E2%9C%93

@dmontalvo51

dmontalvo51 commented Sep 21, 2018

I just had the same problem installing composer on Fedora 29 using OpenSSL 1.1.1. I made a similar change to @aragon999's in the installer script to make it work.
I vote for this request to be accepted :D

@Seldaek
Member

Seldaek commented Sep 21, 2018

It looks good and I'll try to get this in ASAP, but installer changes need to update the installer signature and a few more things, so it's not as simple as merging on GitHub. Hopefully I'll find time for this over the weekend.

@Seldaek Seldaek merged commit 572188d into composer:master Sep 24, 2018

@aragon999 aragon999 deleted the aragon999:bugix/fix-installer-script branch Sep 24, 2018

@gm-olivier

gm-olivier commented Nov 13, 2018

That’s awesome, thanks. What would be even more awesome would be if Infomaniak would stop serving me an older version. I’m ready to jump out of the window (not your fault, you’re awesome).
