Filter unsupported OpenSSL cipher methods on PHP 8.0-8.4 #4982
Merged
VincentLanglet merged 3 commits into phpstan:2.1.x from Feb 18, 2026
- openssl_get_cipher_methods() reports algorithms not actually supported on PHP 8.0-8.4 due to php/php-src#19994, causing incorrect type refinement (e.g. aes-128-cbc-cts narrowed to int instead of false)
- Added OpenSslCipherMethodsProvider that filters cipher methods by testing each with openssl_cipher_iv_length() to exclude broken ones
- Updated OpensslCipherFunctionsReturnTypeExtension and OpenSslEncryptParameterOutTypeExtension to use the shared provider
- New regression test in tests/PHPStan/Analyser/nsrt/bug-13692.php

Closes phpstan/phpstan#13692
Collaborator
You've opened the pull request against the latest branch 2.2.x. PHPStan 2.2 is not going to be released for months. If your code is relevant on 2.1.x and you want it to be released sooner, please rebase your pull request and change its target to 2.1.x.
staabm
reviewed
Feb 18, 2026
Comment on lines +42 to +44
| if (PHP_VERSION_ID >= 80000 && PHP_VERSION_ID < 80500) { | ||
| yield __DIR__ . '/data/bug-13692.php'; | ||
| } |
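Review bot: The guard around the yield (PHP_VERSION_ID >= 80000 && PHP_VERSION_ID < 80500) selects on the PHP version only, but what bug-13692.php asserts also depends on the OpenSSL library PHP is linked against, since the description ties the mismatch to OpenSSL 3.0+. On a PHP 8.0-8.4 build linked against an older OpenSSL the expected types may differ, so consider also gating on OPENSSL_VERSION_NUMBER, or add a comment above the if stating that the test assumes OpenSSL 3.0+.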
Contributor
Do we need separate assertions for this test for other PHP versions?
staabm
approved these changes
Feb 18, 2026
fa80622 to
597cc7c
staabm
approved these changes
Feb 18, 2026
Summary
On PHP 8.0-8.4, openssl_get_cipher_methods() reports cipher algorithms that are not actually supported by OpenSSL functions like openssl_cipher_iv_length() and openssl_cipher_key_length(). This is due to a PHP bug (php/php-src#19994) where openssl_get_cipher_methods() uses a different source of algorithms than the actual cipher functions, causing it to list algorithms that OpenSSL 3.0 has disabled by default.

This caused PHPStan to incorrectly refine the return type of these functions — for example, openssl_cipher_iv_length('aes-128-cbc-cts') was narrowed to int when it actually returns false on PHP 8.0-8.4.

Changes
- Added src/Type/Php/OpenSslCipherMethodsProvider.php — a shared service that filters the cipher methods list by actually testing each algorithm with openssl_cipher_iv_length(), excluding those that return false (i.e. are not truly supported)
- Updated src/Type/Php/OpensslCipherFunctionsReturnTypeExtension.php to use the new shared provider instead of directly querying openssl_get_cipher_methods()
- Updated src/Type/Php/OpenSslEncryptParameterOutTypeExtension.php to use the same shared provider for consistent behavior

Root cause
openssl_get_cipher_methods() on PHP 8.0-8.4 uses EVP_CIPHER_do_all_sorted() to enumerate algorithms, while functions like openssl_cipher_iv_length() use EVP_get_cipherbyname() to resolve them. With OpenSSL 3.0+, the former returns algorithms from all providers (including disabled ones), while the latter only returns algorithms from loaded providers. This discrepancy was fixed in PHP 8.5 via a refactoring of the OpenSSL implementation.

The fix filters the algorithm list at PHPStan's analysis time by calling openssl_cipher_iv_length() for each algorithm and removing those that fail, ensuring only truly supported algorithms are used for type refinement.

Test
Added tests/PHPStan/Analyser/nsrt/bug-13692.php — verifies that openssl_cipher_iv_length('aes-128-cbc-cts') is correctly refined to false (not int) on PHP 8.4, while aes-128-cbc still correctly refines to int.

Fixes phpstan/phpstan#13692
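The same mismatch matters to application code that validates a configured cipher name against openssl_get_cipher_methods() before using it. The following is an added example, not code from this pull request or from PHPStan; the function names isAdvertised, isUsable and advertisedButUnusable are hypothetical, and the output depends on the PHP and OpenSSL build it runs on.

```php
<?php
declare(strict_types=1);

// Weak check: trusts the advertised list, which on PHP 8.0-8.4 can contain
// names the cipher functions cannot resolve (php/php-src#19994).
function isAdvertised(string $cipher): bool
{
    return in_array($cipher, openssl_get_cipher_methods(), true);
}

// Stricter check: probe the name through openssl_cipher_iv_length(), the
// same function the PR uses for filtering. It emits E_WARNING and returns
// false for a name it cannot resolve; "@" silences the warning for the probe.
function isUsable(string $cipher): bool
{
    return $cipher !== '' && @openssl_cipher_iv_length($cipher) !== false;
}

/** @return list<string> advertised names that fail the probe */
function advertisedButUnusable(): array
{
    return array_values(array_filter(
        openssl_get_cipher_methods(),
        static fn (string $name): bool => !isUsable($name)
    ));
}

printf("PHP %s, %s\n", PHP_VERSION, OPENSSL_VERSION_TEXT);

$phantom = advertisedButUnusable();
printf(
    "Advertised but unusable (%d): %s\n",
    count($phantom),
    $phantom === [] ? '(none)' : implode(', ', $phantom)
);

// The two names from the regression test described above.
foreach (['aes-128-cbc', 'aes-128-cbc-cts'] as $candidate) {
    printf(
        "%-16s advertised=%s usable=%s\n",
        $candidate,
        var_export(isAdvertised($candidate), true),
        var_export(isUsable($candidate), true)
    );
}
```

A name that shows advertised=true and usable=false is one where a list-based allowlist check would pass and the later cipher call would fail, so validation code should reject on the probe result rather than on list membership.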