authorRemi Collet <remi@remirepo.net>2021-11-18 15:25:07 +0100
committerRemi Collet <remi@php.net>2021-11-18 15:25:07 +0100
commit2fa8ba847d38f069df5b26afe1da68b911b66e7a (patch)
treed627eb7a45e8e32ad22ccc617d1ae2ff237970a5
parent18c1269a8341ed3989769f4af5cd4b7dbec6d385 (diff)
improve openssl 3 patchHEADmaster
-rw-r--r--php-7.4.26-openssl3.patch151
1 files changed, 127 insertions, 24 deletions
diff --git a/php-7.4.26-openssl3.patch b/php-7.4.26-openssl3.patch
index c946f77..9952f34 100644
--- a/php-7.4.26-openssl3.patch
+++ b/php-7.4.26-openssl3.patch
@@ -1,7 +1,7 @@
From f7da6fd2d5d2160ef67e0bee3ad76f28d7b71983 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Sun, 8 Aug 2021 17:38:30 +0200
-Subject: [PATCH 01/24] minimal fix for openssl 3.0 (#7002)
+Subject: [PATCH 01/26] minimal fix for openssl 3.0 (#7002)
(cherry picked from commit a0972deb0f441fc7991001cb51efc994b70a3b51)
---
@@ -28,7 +28,7 @@ index aa819be422..9cb643601c 100644
From 557f613efc86158ef65200f2c994c28bad257850 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 09:41:39 +0200
-Subject: [PATCH 02/24] ignore deprecated
+Subject: [PATCH 02/26] ignore deprecated
---
ext/openssl/openssl.c | 2 ++
@@ -78,7 +78,7 @@ index 348831189b..b2cb6164bd 100644
From c83d7444d35e4b246f84c1adc1353f75fbd4b44c Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 09:46:07 +0200
-Subject: [PATCH 03/24] Reduce security level in some OpenSSL tests
+Subject: [PATCH 03/26] Reduce security level in some OpenSSL tests
This allows tests using older protocols and algorithms to work
under OpenSSL 3.
@@ -350,7 +350,7 @@ index c1aaa04919..84a137b5f4 100644
From c9a9ef0d62c19bd2b3f89772c5a800781b88d53c Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 09:57:40 +0200
-Subject: [PATCH 04/24] Adjust some tests for whitespace differences in OpenSSL
+Subject: [PATCH 04/26] Adjust some tests for whitespace differences in OpenSSL
3
A trailing newline is no longer present in OpenSSL 3.
@@ -458,7 +458,7 @@ index b80c1f71f1..38915157f3 100644
From dabea364207985e67e138e70106b6977952c2729 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 11:55:47 +0200
-Subject: [PATCH 05/24] Use different cipher in openssl_seal() test
+Subject: [PATCH 05/26] Use different cipher in openssl_seal() test
RC4 is insecure and not supported in newer versions.
@@ -523,7 +523,7 @@ index 111bf6f094..588efa707b 100644
From 55123a11413921e991929fdd3cdab3b855617d11 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 11:58:46 +0200
-Subject: [PATCH 06/24] Don't test legacy algorithms in SPKI tests
+Subject: [PATCH 06/26] Don't test legacy algorithms in SPKI tests
MD4 and RMD160 may not be available on newer OpenSSL versions.
@@ -664,7 +664,7 @@ index c760d0cb83..35badcda37 100644
From dace8e9ff28889d110cc4617b91caca0d722238f Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 12:48:02 +0200
-Subject: [PATCH 07/24] Only report provided ciphers in
+Subject: [PATCH 07/26] Only report provided ciphers in
openssl_get_cipher_methods()
With OpenSSL 3 ciphers may be registered, but not provided. Make
@@ -754,7 +754,7 @@ index 7926b475e7..29d64171d9 100644
From 514a7e50e1bdc5d409c3d66c1593f0ce1a859b8e Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 12:05:02 +0200
-Subject: [PATCH 08/24] Avoid RC4 use in another test
+Subject: [PATCH 08/26] Avoid RC4 use in another test
(cherry picked from commit 503146aa87e48f075f47a093ed7868e323814a66)
---
@@ -793,7 +793,7 @@ index d564bcf8e8..e19f07e7b1 100644
From bcc416e4449c78361eefec90c6339839cc198bde Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 11:50:11 +0200
-Subject: [PATCH 09/24] Relax error check
+Subject: [PATCH 09/26] Relax error check
The precise error is version-dependent, just check that there
is some kind of error reported.
@@ -828,7 +828,7 @@ index 327c916688..3f319b4b24 100644
From 269c9b3cff4808d7cb62dde957429c26b7d2ac46 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 14:59:16 +0200
-Subject: [PATCH 10/24] Add test for openssl_dh_compute_key()
+Subject: [PATCH 10/26] Add test for openssl_dh_compute_key()
This function was not tested at all :(
@@ -879,7 +879,7 @@ index 0000000000..8730f4b57d
From 6f81d18232ee8e17c2f299dc3008727b420ce114 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 14:54:59 +0200
-Subject: [PATCH 11/24] Use different algorithm in pkcs7 tests
+Subject: [PATCH 11/26] Use different algorithm in pkcs7 tests
The default of OPENSSL_CIPHER_RC2_40 is no longer (non-legacy)
supported in OpenSSL 3, specify a newer cipher instead.
@@ -970,7 +970,7 @@ index f823462f9e..e38a006d0c 100644
From 9f9df4446699cd09cd70046f8bee66272aca2dac Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 17:07:44 +0200
-Subject: [PATCH 12/24] Use larger key size for DSA/DH tests
+Subject: [PATCH 12/26] Use larger key size for DSA/DH tests
OpenSSL 3 validates allowed sizes strictly, pick minimum sizes
that are supported.
@@ -1019,7 +1019,7 @@ index c5f5575e2c..7beb020a4c 100644
From 261db4fde8b2de3d0b39cac5d376ef425aad7ef2 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 13:54:26 +0200
-Subject: [PATCH 13/24] Skip some tests if cipher not available
+Subject: [PATCH 13/26] Skip some tests if cipher not available
(cherry picked from commit d23a8b33abc3cd7e516563877a3f698b7a94ac10)
---
@@ -1089,7 +1089,7 @@ index 4175e703d2..e846b42e78 100644
From 93c0873333a8b257edb082d3f106fdef67495c44 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 6 Aug 2021 10:35:49 +0200
-Subject: [PATCH 14/24] Generate pkcs12_read test inputs on the fly
+Subject: [PATCH 14/26] Generate pkcs12_read test inputs on the fly
The old p12_with_extra_certs.p12 file uses an unsupported something.
@@ -1195,7 +1195,7 @@ index b81b4d9dac..8cb2b41fd7 100644
From 64bedf19c7caa47193c22f6fbb134574eb0cf2dd Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Sun, 8 Aug 2021 20:54:46 +0100
-Subject: [PATCH 15/24] Make CertificateGenerator not dependent on external
+Subject: [PATCH 15/26] Make CertificateGenerator not dependent on external
config in OpenSSL 3.0
(cherry picked from commit c90c9c7545427d9d35cbac45c4ec896f54619744)
@@ -1253,7 +1253,7 @@ index b409376058..6fe9b4e9a8 100644
From f2c252b9a083c01eff3f665a406efe5b44f323a3 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Tue, 10 Aug 2021 11:50:18 +0200
-Subject: [PATCH 16/24] Fork openssl_error_string() test for OpenSSL
+Subject: [PATCH 16/26] Fork openssl_error_string() test for OpenSSL
The used error code differ signficantly, so use a separate test
file.
@@ -1289,7 +1289,7 @@ index cdf558e9a5..f9f0e7062f 100644
From dc1751ad95ebb04e756809e837feb9aac7a2fefe Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Sun, 8 Aug 2021 17:39:06 +0200
-Subject: [PATCH 17/24] Use OpenSSL NCONF APIs (#7337)
+Subject: [PATCH 17/26] Use OpenSSL NCONF APIs (#7337)
(cherry picked from commit 94bc5fce261a4a56a545bdfb25d5c2452a07de08)
---
@@ -1467,7 +1467,7 @@ index e0b3772a29..666616e7c5 100644
From df4e7dcc8121c444ff315e31d06182f164e686ed Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Sun, 12 Sep 2021 20:30:02 +0100
-Subject: [PATCH 18/24] Make OpenSSL tests less dependent on system config
+Subject: [PATCH 18/26] Make OpenSSL tests less dependent on system config
It fixes dependencies on system config if running tests with OpenSSL 3.0
@@ -1564,7 +1564,7 @@ index 41567e9b32..6c09238003 100644
From 03f65a015256933426d2c87b399a4c4620b4c85c Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 6 Aug 2021 11:15:18 +0200
-Subject: [PATCH 19/24] Do not special case export of EC keys
+Subject: [PATCH 19/26] Do not special case export of EC keys
All other private keys are exported in PKCS#8 format, while EC
keys use traditional format. Switch them to use PKCS#8 format as
@@ -1660,7 +1660,7 @@ index d71f8da9a3..47a82d7873 100644
From 038c33feab7e6138f7977224897118dbb8059a55 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 10:29:50 +0200
-Subject: [PATCH 20/24] Use EVP_PKEY APIs for key generation
+Subject: [PATCH 20/26] Use EVP_PKEY APIs for key generation
Use high level API instead of deprecated low level API.
@@ -1920,7 +1920,7 @@ index 4af0942209..588aa3902f 100644
From cc5ad532e6672ac74007caa83f2fb7796f69510b Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 9 Aug 2021 10:26:12 +0200
-Subject: [PATCH 21/24] Extract EC key initialization
+Subject: [PATCH 21/26] Extract EC key initialization
(cherry picked from commit 14d7c7e9aee5ab55a92ddc626b7b81c130ea7618)
---
@@ -2191,7 +2191,7 @@ index 588aa3902f..5671311508 100644
From 7c3f98fb5000b95419848b3b2519b677e8852f3f Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 9 Aug 2021 12:01:35 +0200
-Subject: [PATCH 22/24] Test calculation of EC public key from private key
+Subject: [PATCH 22/26] Test calculation of EC public key from private key
(cherry picked from commit 246698671f941b2034518ab04f35009b2da77bb1)
---
@@ -2234,7 +2234,7 @@ index 6c09238003..ecc34a3330 100644
From 3b17fa3a6a34fd169c34e3d1dbb315c4c691c649 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 9 Aug 2021 11:12:20 +0200
-Subject: [PATCH 23/24] Use param API for creating EC keys
+Subject: [PATCH 23/26] Use param API for creating EC keys
Rather than the deprecated low level APIs.
@@ -2391,7 +2391,7 @@ index 5671311508..5a76057c5f 100644
From 76efdaf49ccfb4462ce9493c04b5542570f72907 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 9 Aug 2021 14:19:33 +0200
-Subject: [PATCH 24/24] Extract public key portion via PEM roundtrip
+Subject: [PATCH 24/26] Extract public key portion via PEM roundtrip
The workaround with cloning the X509_REQ no longer works in
OpenSSL 3. Instead extract the public key portion by round
@@ -2478,3 +2478,106 @@ index 5a76057c5f..00ab6dc73a 100644
--
2.31.1
+From 134c4303f6ddca2553dadfe4e56808ef00ba39dd Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Tue, 10 Aug 2021 12:17:17 +0200
+Subject: [PATCH 25/26] Switch dh_param handling to EVP_PKEY API
+
+(cherry picked from commit ef787bae242fdd2e72625bbce6ab4ca466b1ef59)
+---
+ ext/openssl/xp_ssl.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
+index 9710e44a07..f130bdee66 100644
+--- a/ext/openssl/xp_ssl.c
++++ b/ext/openssl/xp_ssl.c
+@@ -1200,11 +1200,7 @@ static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength)
+
+ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* {{{ */
+ {
+- DH *dh;
+- BIO* bio;
+- zval *zdhpath;
+-
+- zdhpath = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param");
++ zval *zdhpath = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param");
+ if (zdhpath == NULL) {
+ #if 0
+ /* Coming in OpenSSL 1.1 ... eventually we'll want to enable this
+@@ -1219,14 +1215,29 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /*
+ return FAILURE;
+ }
+
+- bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
++ BIO *bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
+
+ if (bio == NULL) {
+ php_error_docref(NULL, E_WARNING, "invalid dh_param");
+ return FAILURE;
+ }
+
+- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
++#if PHP_OPENSSL_API_VERSION >= 0x30000
++ EVP_PKEY *pkey = PEM_read_bio_Parameters(bio, NULL);
++ BIO_free(bio);
++
++ if (pkey == NULL) {
++ php_error_docref(NULL, E_WARNING, "Failed reading DH params");
++ return FAILURE;
++ }
++
++ if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) < 0) {
++ php_error_docref(NULL, E_WARNING, "Failed assigning DH params");
++ EVP_PKEY_free(pkey);
++ return FAILURE;
++ }
++#else
++ DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+
+ if (dh == NULL) {
+@@ -1241,6 +1252,7 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /*
+ }
+
+ DH_free(dh);
++#endif
+
+ return SUCCESS;
+ }
+--
+2.31.1
+
+From 7557896fc206bd318851b3810b55bb51dc43336f Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 18 Nov 2021 15:08:19 +0100
+Subject: [PATCH 26/26] ignore remaining warnings
+
+---
+ ext/openssl/openssl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 00ab6dc73a..b136729cb5 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -26,6 +26,7 @@
+ #endif
+
+ # pragma GCC diagnostic ignored "-Wdeprecated-declarations"
++# pragma GCC diagnostic ignored "-Wdiscarded-qualifiers"
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -4477,7 +4478,7 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, int *is_private) {
+ BIGNUM *d = NULL, *x = NULL, *y = NULL;
+ EC_GROUP *group = NULL;
+ EC_POINT *pnt = NULL;
+- char *pnt_oct = NULL;
++ unsigned char *pnt_oct = NULL;
+ EVP_PKEY *param_key = NULL, *pkey = NULL;
+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
+ OSSL_PARAM *params = NULL;
+--
+2.31.1
+
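Review bot: The failure check on the new OpenSSL 3 path in patch 25, `if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) < 0)`, can never fire: OpenSSL 3.0 documents this call as returning 1 on success and 0 on failure, so a rejected parameter set (for example a DH group too small for the configured security level) falls through to `return SUCCESS` with no warning, the context keeps whatever DH parameters it had, and `pkey` leaks because ownership is not transferred on failure. The line should read `if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) != 1) {` so that the existing "Failed assigning DH params" warning and `EVP_PKEY_free(pkey)` actually run. A related caveat: PEM_read_bio_Parameters() returns whatever parameter type the file holds, so DSA or EC parameters in `dh_param` would reach the setter; a guard such as `if (!EVP_PKEY_is_a(pkey, "DH") && !EVP_PKEY_is_a(pkey, "DHX"))` before assignment would give the operator a clear configuration error rather than a handshake-time failure, though I have not confirmed whether the setter itself rejects the wrong type. The legacy `DH *` branch's own assignment check lies between the hunks shown here, so whether it has the same `< 0` pattern cannot be seen in this diff.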