Fix GH-18988: Check unchecked error-prone calls in ext/ssl

alexandre-daubois · alexandre-daubois · commit ad1f4e13967b · 2026-03-26T08:15:45.000+01:00
diff --git a/NEWS b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.4.21
 
+- OpenSSL:
+  . Fixed bug GH-18988 (Check various unchecked error-prone OpenSSL function
+    return values). (alexandre-daubois)
 
 09 Apr 2026, PHP 8.4.20
 
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
@@ -971,7 +971,9 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
 	if (str != NULL && php_openssl_check_path_ex(str, strlen(str), path, 0, false, false, "oid_file")) {
 		BIO *oid_bio = BIO_new_file(path, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
 		if (oid_bio) {
-			OBJ_create_objects(oid_bio);
+			if (OBJ_create_objects(oid_bio) == 0) {
+				php_openssl_store_errors();
+			}
 			BIO_free(oid_bio);
 			php_openssl_store_errors();
 		}
@@ -1299,7 +1301,10 @@ PHP_MINIT_FUNCTION(openssl)
 	OSSL_PROVIDER_load(NULL, "legacy");
 	OSSL_PROVIDER_load(NULL, "default");
 #endif
-	OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
+	if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) {
+		php_error_docref(NULL, E_WARNING, "Failed to initialize OpenSSL");
+		return FAILURE;
+	}
 #endif
 
 	/* register a resource id number with OpenSSL so that we can map SSL -> stream structures in
@@ -2064,22 +2069,34 @@ static int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension)
 		name = sk_GENERAL_NAME_value(names, i);
 		switch (name->type) {
 			case GEN_EMAIL:
-				BIO_puts(bio, "email:");
+				if (BIO_puts(bio, "email:") < 0) {
+					php_openssl_store_errors();
+				}
 				as = name->d.rfc822Name;
-				BIO_write(bio, ASN1_STRING_get0_data(as),
-					ASN1_STRING_length(as));
+				if (BIO_write(bio, ASN1_STRING_get0_data(as),
+					ASN1_STRING_length(as)) < 0) {
+					php_openssl_store_errors();
+				}
 				break;
 			case GEN_DNS:
-				BIO_puts(bio, "DNS:");
+				if (BIO_puts(bio, "DNS:") < 0) {
+					php_openssl_store_errors();
+				}
 				as = name->d.dNSName;
-				BIO_write(bio, ASN1_STRING_get0_data(as),
-					ASN1_STRING_length(as));
+				if (BIO_write(bio, ASN1_STRING_get0_data(as),
+					ASN1_STRING_length(as)) < 0) {
+					php_openssl_store_errors();
+				}
 				break;
 			case GEN_URI:
-				BIO_puts(bio, "URI:");
+				if (BIO_puts(bio, "URI:") < 0) {
+					php_openssl_store_errors();
+				}
 				as = name->d.uniformResourceIdentifier;
-				BIO_write(bio, ASN1_STRING_get0_data(as),
-					ASN1_STRING_length(as));
+				if (BIO_write(bio, ASN1_STRING_get0_data(as),
+					ASN1_STRING_length(as)) < 0) {
+					php_openssl_store_errors();
+				}
 				break;
 			default:
 				/* use builtin print for GEN_OTHERNAME, GEN_X400,
@@ -2317,7 +2334,10 @@ static STACK_OF(X509) *php_openssl_load_all_certs_from_file(
 	while (sk_X509_INFO_num(sk)) {
 		xi=sk_X509_INFO_shift(sk);
 		if (xi->x509 != NULL) {
-			sk_X509_push(stack,xi->x509);
+			if (sk_X509_push(stack,xi->x509) == 0) {
+				php_openssl_store_errors();
+				X509_free(xi->x509);
+			}
 			xi->x509=NULL;
 		}
 		X509_INFO_free(xi);
@@ -2582,6 +2602,7 @@ static STACK_OF(X509) *php_array_to_X509_sk(zval * zcerts, uint32_t arg_num, con
 
 			}
 			if (sk_X509_push(sk, cert) <= 0) {
+				php_openssl_store_errors();
 				X509_free(cert);
 				goto push_fail_exit;
 			}
@@ -2603,6 +2624,7 @@ static STACK_OF(X509) *php_array_to_X509_sk(zval * zcerts, uint32_t arg_num, con
 			}
 		}
 		if (sk_X509_push(sk, cert) <= 0) {
+			php_openssl_store_errors();
 			X509_free(cert);
 			goto push_fail_exit;
 		}
@@ -3381,7 +3403,10 @@ PHP_FUNCTION(openssl_csr_sign)
 		PHP_OPENSSL_ASN1_INTEGER_set(X509_get_serialNumber(new_cert), serial);
 	}
 
-	X509_set_subject_name(new_cert, X509_REQ_get_subject_name(csr));
+	if (!X509_set_subject_name(new_cert, X509_REQ_get_subject_name(csr))) {
+		php_openssl_store_errors();
+		goto cleanup;
+	}
 
 	if (cert == NULL) {
 		cert = new_cert;
@@ -5853,6 +5878,7 @@ PHP_FUNCTION(openssl_pkcs7_encrypt)
 				}
 			}
 			if (sk_X509_push(recipcerts, cert) <= 0) {
+				php_openssl_store_errors();
 				X509_free(cert);
 				goto clean_exit;
 			}
@@ -5877,6 +5903,7 @@ PHP_FUNCTION(openssl_pkcs7_encrypt)
 			}
 		}
 		if (sk_X509_push(recipcerts, cert) <= 0) {
+			php_openssl_store_errors();
 			X509_free(cert);
 			goto clean_exit;
 		}
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
@@ -1771,7 +1771,9 @@ static zend_result php_openssl_setup_crypto(php_stream *stream,
 				return FAILURE;
 			}
 			if (sslsock->is_client) {
-				SSL_CTX_set_alpn_protos(sslsock->ctx, alpn, alpn_len);
+				if (SSL_CTX_set_alpn_protos(sslsock->ctx, alpn, alpn_len) != 0) {
+					php_openssl_store_errors();
+				}
 			} else {
 				sslsock->alpn_ctx.data = (unsigned char *) pestrndup((const char*)alpn, alpn_len, php_stream_is_persistent(stream));
 				sslsock->alpn_ctx.len = alpn_len;
@@ -1846,8 +1848,9 @@ static zend_result php_openssl_setup_crypto(php_stream *stream,
 			php_error_docref(NULL, E_WARNING, "Supplied session stream must be an SSL enabled stream");
 		} else if (((php_openssl_netstream_data_t*)cparam->inputs.session->abstract)->ssl_handle == NULL) {
 			php_error_docref(NULL, E_WARNING, "Supplied SSL session stream is not initialized");
-		} else {
-			SSL_copy_session_id(sslsock->ssl_handle, ((php_openssl_netstream_data_t*)cparam->inputs.session->abstract)->ssl_handle);
+		} else if (SSL_copy_session_id(sslsock->ssl_handle, ((php_openssl_netstream_data_t*)cparam->inputs.session->abstract)->ssl_handle) != 1) {
+			php_openssl_store_errors();
+			php_error_docref(NULL, E_WARNING, "Failed to copy SSL session");
 		}
 	}
 
