Never return private part of the key from openssl_csr_get_public_key

This fixes ecc.phpt test when OpenSSL 1.1 linked.

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 4bfc03fa96ca75fe6c54c8e3ef3f89fb76a6c40a..528d8235a570a6418dd80e412ba2f8ec67c43a74 100644 (file)
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -3564,7 +3564,22 @@ PHP_FUNCTION(openssl_csr_get_public_key)
                RETURN_FALSE;
        }
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+       /* Due to changes in OpenSSL 1.1 related to locking when decoding CSR,
+        * the pub key is not changed after assigning. It means if we pass
+        * a private key, it will be returned including the private part.
+        * If we duplicate it, then we get just the public part which is
+        * the same behavior as for OpenSSL 1.0 */
+       csr = X509_REQ_dup(csr);
+#endif
+       /* Retrieve the public key from the CSR */
        tpubkey = X509_REQ_get_pubkey(csr);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+       /* We need to free the CSR as it was duplicated */
+       X509_REQ_free(csr);
+#endif
+
        if (tpubkey == NULL) {
                php_openssl_store_errors();
                RETURN_FALSE;