From 727408cc9aadfdc275d97ce67291e1df507b408f Mon Sep 17 00:00:00 2001
From: arshidkv12
Date: Wed, 24 Jun 2026 18:33:30 +0530
Subject: [PATCH 1/2] ext/openssl: Use zend_string_equals_literal() for argon2 algorithm validation

---
 ext/openssl/openssl_pwhash.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ext/openssl/openssl_pwhash.c b/ext/openssl/openssl_pwhash.c
index 0b439a731d1c..01f7f0124135 100644
--- a/ext/openssl/openssl_pwhash.c
+++ b/ext/openssl/openssl_pwhash.c
@@ -329,7 +329,7 @@ PHP_FUNCTION(openssl_password_hash)
 Z_PARAM_ARRAY_HT(options)
 ZEND_PARSE_PARAMETERS_END();
 
- if (strcmp(ZSTR_VAL(algo), "argon2i") && strcmp(ZSTR_VAL(algo), "argon2id")) {
+ if (!zend_string_equals_literal(algo, "argon2i") && !zend_string_equals_literal(algo, "argon2id")) {
 zend_argument_value_error(1, "must be a valid password openssl hashing algorithm");
 RETURN_THROWS();
 }
@@ -355,7 +355,7 @@ PHP_FUNCTION(openssl_password_verify)
 Z_PARAM_STR(digest)
 ZEND_PARSE_PARAMETERS_END();
 
- if (strcmp(ZSTR_VAL(algo), "argon2i") && strcmp(ZSTR_VAL(algo), "argon2id")) {
+ if (!zend_string_equals_literal(algo, "argon2i") && !zend_string_equals_literal(algo, "argon2id")) {
 zend_argument_value_error(1, "must be a valid password openssl hashing algorithm");
 RETURN_THROWS();
 }
From 1b75dcbda9600b1e0f63ba0d8f26878d4aaa0f18 Mon Sep 17 00:00:00 2001
From: arshidkv12
Date: Thu, 25 Jun 2026 08:15:21 +0530
Subject: [PATCH 2/2] ext/openssl: openssl: use zend_string_equals_literal() for Argon2 checks

---
 .../tests/password_algo_null_bytes.phpt | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 ext/openssl/tests/password_algo_null_bytes.phpt

diff --git a/ext/openssl/tests/password_algo_null_bytes.phpt b/ext/openssl/tests/password_algo_null_bytes.phpt
new file mode 100644
index 000000000000..df5d96c4114f
--- /dev/null
+++ b/ext/openssl/tests/password_algo_null_bytes.phpt
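Review bot: The new length-aware comparison on the added line deserves a one-line comment saying why it replaced strcmp(), since nothing at the call site records that the old check stopped at the first NUL and so accepted an algorithm name with trailing bytes after "argon2i" — the only record of that is the test added in the second patch; something like `/* length-aware compare: strcmp() stopped at an embedded NUL, so "argon2i\0..." passed validation */`. The identical condition is now duplicated verbatim in openssl_password_hash and openssl_password_verify (second hunk, @@ -355); a small static helper returning `zend_string_equals_literal(algo, "argon2i") || zend_string_equals_literal(algo, "argon2id")` would keep the accepted-algorithm list in one place, with both call sites reduced to `if (!php_openssl_is_argon2_algo(algo)) {`. The hunks only show the validation; whether ZSTR_VAL(algo) is later handed to an API that again treats it as a C string is outside the hunk and worth confirming. Both function bodies begin and end outside the hunks.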
@@ -0,0 +1,33 @@ +--TEST-- +OpenSSL password functions reject algorithm names containing NUL bytes +--EXTENSIONS-- +openssl +--SKIPIF-- + +--FILE-- +getMessage(), PHP_EOL; + } + + try { + openssl_password_verify($algo, "secret", "digest"); + } catch (ValueError $e) { + echo $e->getMessage(), PHP_EOL; + } +} + +?> +--EXPECT-- +openssl_password_hash(): Argument #1 ($algo) must be a valid password openssl hashing algorithm +openssl_password_verify(): Argument #1 ($algo) must be a valid password openssl hashing algorithm +openssl_password_hash(): Argument #1 ($algo) must be a valid password openssl hashing algorithm +openssl_password_verify(): Argument #1 ($algo) must be a valid password openssl hashing algorithm