OpenSSL: Use custom libctx for each thread in ZTS

[bukka]

Description

The idea is to use custom libctx stored globally - initialized in GINIT.

The reason for that is that currently the default libctx is used. This might not be optimal for some settings that are global like setting of max number of threads in the incoming Argon password support: #13635

In addition there is an issue in ZTS build when used on some platforms under load (more threads running together). This might potentially resolve such issues.

After investigation of code, those are the needed changes:

• php_openssl_parse_config
  • encrypt_key_cipher fetching
  • default_md fetching
  • consider named alternatives for encrypt_key_cipher and private_key_type constants (support string names as well)
  • check if we should really convert curve name
  • php_openssl_get_evp_md_from_algo should do proper fetching
  • php_openssl_get_evp_cipher_from_algo should proper fetching
  • PHP_GINIT_FUNCTION initialize libctx
  • PHP_GSHUTDOWN_FUNCTION - destroy libctx
  • php_openssl_x509_from_str - use empty libctx variants before loading: https://www.openssl.org/docs/man3.1/man3/PEM_read_bio_X509.html#EXAMPLES
  • php_openssl_x509_fingerprint - replace EVP_get_digestbyname with fetch
  • php_openssl_load_all_certs_from_file - Use PEM_X509_INFO_read_bio_ex instead of PEM_X509_INFO_read_bio
  • php_openssl_setup_verify - Use X509_LOOKUP_load_file_ex instead of X509_LOOKUP_load_file and check libctx variant for X509_LOOKUP_add_dir
  • openssl_pkcs12_export_to_file and openssl_pkcs12_export - use PKCS12_create_ex
  • openssl_pkcs12_read - prepare p12 for d2i_PKCS12_bio
  • php_openssl_csr_from_str - prepare X509_REQ for PEM_read_bio_X509_REQ
  • openssl_csr_sign - use libctx for new_cert
  • openssl_csr_new - use libctx for CSR created using X509_REQ_new
  • php_openssl_extract_public_key - use PEM_read_bio_PUBKEY_ex instead of PEM_read_bio_PUBKEY
  • php_openssl_pkey_from_zval
    • use PEM_read_bio_PUBKEY_ex instead of PEM_read_bio_PUBKEY
    • use PEM_read_bio_PrivateKey_ex instead of PEM_read_bio_PrivateKey
  • php_openssl_generate_private_key - Replace EVP_PKEY_CTX_new and EVP_PKEY_CTX_new_id with EVP_PKEY_CTX_new_from_name
  • php_openssl_pkey_init_rsa - Replace EVP_PKEY_CTX_new_id with EVP_PKEY_CTX_new_from_name
  • php_openssl_pkey_init_dsa - Replace EVP_PKEY_CTX_new_id with EVP_PKEY_CTX_new_from_name
  • php_openssl_pkey_init_dh - Replace EVP_PKEY_CTX_new_id with EVP_PKEY_CTX_new_from_name
  • php_openssl_pkey_init_ec - Replace EVP_PKEY_CTX_new_id with EVP_PKEY_CTX_new_from_name
  • php_openssl_pkey_object_curve_25519_448 - Replace EVP_PKEY_CTX_new_id with EVP_PKEY_CTX_new_from_name
  • openssl_pkey_export - passphrase default md EVP_des_ede3_cbc should be fetched
  • openssl_pbkdf2
    • digest should be fetched
    • replace implementation with KDF using EVP_KDF_fetch as implemented in ossl_pkcs5_pbkdf2_hmac_ex
  • openssl_pkcs7_verify - use SMIME_read_PKCS7_ex variant with pre-initialized with PKCS7_new_ex
  • openssl_pkcs7_encrypt - replace PKCS7_encrypt with PKCS7_encrypt_ex
  • openssl_pkcs7_read - Use PEM_read_bio_PKCS7_ex instead of PEM_read_bio_PKCS7 (check if it's defined)
  • openssl_pkcs7_sign - Use PKCS7_sign_ex instead of PKCS7_sign
  • openssl_pkcs7_decrypt - use SMIME_read_PKCS7_ex variant with pre-initialized with PKCS7_new_ex
  • openssl_cms_verify - prepare cms for SMIME_read_CMS, d2i_CMS_bio, PEM_read_bio_CMS
  • openssl_cms_encrypt - usage php_openssl_get_evp_cipher_from_algo will need to name if cipher so it can be fetched
  • openssl_cms_read - prepare cms PEM_read_bio_CMS (should there be PEM_read_bio_CMS_ex like PEM_read_bio_PKCS7_ex?)
  • openssl_cms_sign - use CMS_sign_ex instead of CMS_sign
  • openssl_cms_decrypt - prepare cms for SMIME_read_CMS, d2i_CMS_bio, PEM_read_bio_CMS
  • openssl_private_encrypt - replace EVP_PKEY_CTX_new with EVP_PKEY_CTX_new_from_pkey
  • openssl_private_decrypt - replace EVP_PKEY_CTX_new with EVP_PKEY_CTX_new_from_pkey
  • openssl_public_encrypt - replace EVP_PKEY_CTX_new with EVP_PKEY_CTX_new_from_pkey
  • openssl_public_decrypt - replace EVP_PKEY_CTX_new with EVP_PKEY_CTX_new_from_pkey
  • openssl_sign - fetch digest instead of EVP_get_digestbyname (merge it with php_openssl_get_evp_md_from_algo)
  • openssl_verify - fetch digest instead of EVP_get_digestbyname (merge it with php_openssl_get_evp_md_from_algo)
  • openssl_seal - fetch cipher instead of EVP_get_cipherbyname
  • openssl_open - fetch cipher instead of EVP_get_cipherbyname
  • openssl_get_md_methods - investigate if there's a variant for OBJ_NAME_do_all_sorted running on libctx
  • openssl_get_cipher_methods - investigate if there's a variant for OBJ_NAME_do_all_sorted running on libctx
  • openssl_get_curve_names - check if curves can be provider specific and there is anything to do with that
  • openssl_digest - fetch digest instead of EVP_get_digestbyname
  • php_openssl_encrypt - fetch cipher instead of EVP_get_cipherbyname
  • php_openssl_decrypt - fetch cipher instead of EVP_get_cipherbyname
  • php_openssl_get_evp_cipher_by_name - fetch cipher instead of EVP_get_cipherbyname
  • php_openssl_random_pseudo_bytes - use RAND_bytes_ex instead of RAND_bytes