ext/curl: Add CURLOPT_SSL_SIGNATURE_ALGORITHMS option

Adds support for `CURLOPT_SSL_SIGNATURE_ALGORITHMS`[^1], supported
since Curl version 8.14.0.

[^1]: https://curl.se/libcurl/c/CURLOPT_SSL_SIGNATURE_ALGORITHMS.html

Closes GH-18692

Author: Ayesh

NEWS

@@ -10,6 +10,7 @@ PHP                                                                        NEWS
 - Curl:
   . Add support for CURLINFO_CONN_ID in curl_getinfo() (thecaliskan)
   . Add support for CURLINFO_QUEUE_TIME_T in curl_getinfo() (thecaliskan)
+  . Add support for CURLOPT_SSL_SIGNATURE_ALGORITHMS. (Ayesh Karunaratne)
 
 - OPcache:
   . Disallow changing opcache.memory_consumption when SHM is already set up.

UPGRADING

@@ -198,6 +198,8 @@ PHP 8.5 UPGRADE NOTES
     request spent in libcurl’s connection queue before it was sent.
     This value can also be retrieved by passing CURLINFO_QUEUE_TIME_T to the
     curl_getinfo() $option parameter.
+  . Added support for CURLOPT_SSL_SIGNATURE_ALGORITHMS to specify the signature
+    algorithms to use for TLS.
 
 - DOM:
   . Added Dom\Element::$outerHTML.

ext/curl/curl.stub.php

@@ -3339,6 +3339,13 @@
  * @cvalue CURLOPT_SSL_EC_CURVES
  */
 const CURLOPT_SSL_EC_CURVES = UNKNOWN;
+#if LIBCURL_VERSION_NUM >= 0x080e00 /* Available since 8.14.0 */
+/**
+ * @var int
+ * @cvalue CURLOPT_SSL_SIGNATURE_ALGORITHMS
+ */
+const CURLOPT_SSL_SIGNATURE_ALGORITHMS = UNKNOWN;
+#endif
 /**
  * @var int
  * @cvalue CURLPX_BAD_ADDRESS_TYPE

ext/curl/curl_arginfo.h

@@ -1944,6 +1944,9 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 		case CURLOPT_USERPWD:
 		case CURLOPT_USERNAME:
 		case CURLOPT_PASSWORD:
+#if LIBCURL_VERSION_NUM >= 0x080e00 /* Available since 8.14.0 */
+		case CURLOPT_SSL_SIGNATURE_ALGORITHMS:
+#endif
 		{
 			if (Z_ISNULL_P(zvalue)) {
 				error = curl_easy_setopt(ch->cp, option, NULL);

ext/curl/interface.c

@@ -21,3 +21,8 @@ basic_auth /http-basic-auth {
 	# bcrypt password hash for "password", calculated with 'caddy hash-password'
 	user $2a$14$yUKl9SGqVTAAqPTzLup.DefsbXXx3kfreNnzpJOUHcIrKnr5lgef2
 }
+
+route /ping {
+	templates
+	respond `pong`
+}

ext/curl/tests/Caddyfile

@@ -0,0 +1,40 @@
+--TEST--
+Curl option CURLOPT_SSL_SIGNATURE_ALGORITHMS
+--EXTENSIONS--
+curl
+--SKIPIF--
+<?php
+$curl_version = curl_version();
+if ($curl_version['version_number'] < 0x080e00) die("skip: test works only with curl >= 8.14.0");
+
+include 'skipif-nocaddy.inc';
+?>
+--FILE--
+<?php
+
+$ch = curl_init('https://localhost/ping');
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+
+var_dump(curl_exec($ch));
+
+var_dump(curl_setopt($ch, CURLOPT_SSL_SIGNATURE_ALGORITHMS, 'invalid-value'));
+var_dump(curl_exec($ch));
+var_dump(curl_error($ch));
+
+var_dump(curl_setopt($ch, CURLOPT_SSL_SIGNATURE_ALGORITHMS, 'ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ed25519'));
+var_dump(curl_exec($ch));
+
+var_dump(curl_setopt($ch, CURLOPT_SSL_SIGNATURE_ALGORITHMS, null));
+var_dump(curl_exec($ch));
+
+?>
+--EXPECT--
+string(4) "pong"
+bool(true)
+bool(false)
+string(52) "failed setting signature algorithms: 'invalid-value'"
+bool(true)
+string(4) "pong"
+bool(true)
+string(4) "pong"