From 2fa8ba847d38f069df5b26afe1da68b911b66e7a Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 18 Nov 2021 15:25:07 +0100 Subject: improve openssl 3 patch --- php-7.4.26-openssl3.patch | 151 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 127 insertions(+), 24 deletions(-) diff --git a/php-7.4.26-openssl3.patch b/php-7.4.26-openssl3.patch index c946f77..9952f34 100644 --- a/php-7.4.26-openssl3.patch +++ b/php-7.4.26-openssl3.patch @@ -1,7 +1,7 @@ From f7da6fd2d5d2160ef67e0bee3ad76f28d7b71983 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Sun, 8 Aug 2021 17:38:30 +0200 -Subject: [PATCH 01/24] minimal fix for openssl 3.0 (#7002) +Subject: [PATCH 01/26] minimal fix for openssl 3.0 (#7002) (cherry picked from commit a0972deb0f441fc7991001cb51efc994b70a3b51) --- @@ -28,7 +28,7 @@ index aa819be422..9cb643601c 100644 From 557f613efc86158ef65200f2c994c28bad257850 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Wed, 4 Aug 2021 09:41:39 +0200 -Subject: [PATCH 02/24] ignore deprecated +Subject: [PATCH 02/26] ignore deprecated --- ext/openssl/openssl.c | 2 ++ @@ -78,7 +78,7 @@ index 348831189b..b2cb6164bd 100644 From c83d7444d35e4b246f84c1adc1353f75fbd4b44c Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Wed, 4 Aug 2021 09:46:07 +0200 -Subject: [PATCH 03/24] Reduce security level in some OpenSSL tests +Subject: [PATCH 03/26] Reduce security level in some OpenSSL tests This allows tests using older protocols and algorithms to work under OpenSSL 3. @@ -350,7 +350,7 @@ index c1aaa04919..84a137b5f4 100644 From c9a9ef0d62c19bd2b3f89772c5a800781b88d53c Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Wed, 4 Aug 2021 09:57:40 +0200 -Subject: [PATCH 04/24] Adjust some tests for whitespace differences in OpenSSL +Subject: [PATCH 04/26] Adjust some tests for whitespace differences in OpenSSL 3 A trailing newline is no longer present in OpenSSL 3. @@ -458,7 +458,7 @@ index b80c1f71f1..38915157f3 100644 From dabea364207985e67e138e70106b6977952c2729 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Wed, 4 Aug 2021 11:55:47 +0200 -Subject: [PATCH 05/24] Use different cipher in openssl_seal() test +Subject: [PATCH 05/26] Use different cipher in openssl_seal() test RC4 is insecure and not supported in newer versions. @@ -523,7 +523,7 @@ index 111bf6f094..588efa707b 100644 From 55123a11413921e991929fdd3cdab3b855617d11 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Wed, 4 Aug 2021 11:58:46 +0200 -Subject: [PATCH 06/24] Don't test legacy algorithms in SPKI tests +Subject: [PATCH 06/26] Don't test legacy algorithms in SPKI tests MD4 and RMD160 may not be available on newer OpenSSL versions. @@ -664,7 +664,7 @@ index c760d0cb83..35badcda37 100644 From dace8e9ff28889d110cc4617b91caca0d722238f Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Wed, 4 Aug 2021 12:48:02 +0200 -Subject: [PATCH 07/24] Only report provided ciphers in +Subject: [PATCH 07/26] Only report provided ciphers in openssl_get_cipher_methods() With OpenSSL 3 ciphers may be registered, but not provided. Make @@ -754,7 +754,7 @@ index 7926b475e7..29d64171d9 100644 From 514a7e50e1bdc5d409c3d66c1593f0ce1a859b8e Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Wed, 4 Aug 2021 12:05:02 +0200 -Subject: [PATCH 08/24] Avoid RC4 use in another test +Subject: [PATCH 08/26] Avoid RC4 use in another test (cherry picked from commit 503146aa87e48f075f47a093ed7868e323814a66) --- @@ -793,7 +793,7 @@ index d564bcf8e8..e19f07e7b1 100644 From bcc416e4449c78361eefec90c6339839cc198bde Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Thu, 5 Aug 2021 11:50:11 +0200 -Subject: [PATCH 09/24] Relax error check +Subject: [PATCH 09/26] Relax error check The precise error is version-dependent, just check that there is some kind of error reported. @@ -828,7 +828,7 @@ index 327c916688..3f319b4b24 100644 From 269c9b3cff4808d7cb62dde957429c26b7d2ac46 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Thu, 5 Aug 2021 14:59:16 +0200 -Subject: [PATCH 10/24] Add test for openssl_dh_compute_key() +Subject: [PATCH 10/26] Add test for openssl_dh_compute_key() This function was not tested at all :( @@ -879,7 +879,7 @@ index 0000000000..8730f4b57d From 6f81d18232ee8e17c2f299dc3008727b420ce114 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Wed, 4 Aug 2021 14:54:59 +0200 -Subject: [PATCH 11/24] Use different algorithm in pkcs7 tests +Subject: [PATCH 11/26] Use different algorithm in pkcs7 tests The default of OPENSSL_CIPHER_RC2_40 is no longer (non-legacy) supported in OpenSSL 3, specify a newer cipher instead. @@ -970,7 +970,7 @@ index f823462f9e..e38a006d0c 100644 From 9f9df4446699cd09cd70046f8bee66272aca2dac Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Thu, 5 Aug 2021 17:07:44 +0200 -Subject: [PATCH 12/24] Use larger key size for DSA/DH tests +Subject: [PATCH 12/26] Use larger key size for DSA/DH tests OpenSSL 3 validates allowed sizes strictly, pick minimum sizes that are supported. @@ -1019,7 +1019,7 @@ index c5f5575e2c..7beb020a4c 100644 From 261db4fde8b2de3d0b39cac5d376ef425aad7ef2 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Wed, 4 Aug 2021 13:54:26 +0200 -Subject: [PATCH 13/24] Skip some tests if cipher not available +Subject: [PATCH 13/26] Skip some tests if cipher not available (cherry picked from commit d23a8b33abc3cd7e516563877a3f698b7a94ac10) --- @@ -1089,7 +1089,7 @@ index 4175e703d2..e846b42e78 100644 From 93c0873333a8b257edb082d3f106fdef67495c44 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Fri, 6 Aug 2021 10:35:49 +0200 -Subject: [PATCH 14/24] Generate pkcs12_read test inputs on the fly +Subject: [PATCH 14/26] Generate pkcs12_read test inputs on the fly The old p12_with_extra_certs.p12 file uses an unsupported something. @@ -1195,7 +1195,7 @@ index b81b4d9dac..8cb2b41fd7 100644 From 64bedf19c7caa47193c22f6fbb134574eb0cf2dd Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Sun, 8 Aug 2021 20:54:46 +0100 -Subject: [PATCH 15/24] Make CertificateGenerator not dependent on external +Subject: [PATCH 15/26] Make CertificateGenerator not dependent on external config in OpenSSL 3.0 (cherry picked from commit c90c9c7545427d9d35cbac45c4ec896f54619744) @@ -1253,7 +1253,7 @@ index b409376058..6fe9b4e9a8 100644 From f2c252b9a083c01eff3f665a406efe5b44f323a3 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Tue, 10 Aug 2021 11:50:18 +0200 -Subject: [PATCH 16/24] Fork openssl_error_string() test for OpenSSL +Subject: [PATCH 16/26] Fork openssl_error_string() test for OpenSSL The used error code differ signficantly, so use a separate test file. @@ -1289,7 +1289,7 @@ index cdf558e9a5..f9f0e7062f 100644 From dc1751ad95ebb04e756809e837feb9aac7a2fefe Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Sun, 8 Aug 2021 17:39:06 +0200 -Subject: [PATCH 17/24] Use OpenSSL NCONF APIs (#7337) +Subject: [PATCH 17/26] Use OpenSSL NCONF APIs (#7337) (cherry picked from commit 94bc5fce261a4a56a545bdfb25d5c2452a07de08) --- @@ -1467,7 +1467,7 @@ index e0b3772a29..666616e7c5 100644 From df4e7dcc8121c444ff315e31d06182f164e686ed Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Sun, 12 Sep 2021 20:30:02 +0100 -Subject: [PATCH 18/24] Make OpenSSL tests less dependent on system config +Subject: [PATCH 18/26] Make OpenSSL tests less dependent on system config It fixes dependencies on system config if running tests with OpenSSL 3.0 @@ -1564,7 +1564,7 @@ index 41567e9b32..6c09238003 100644 From 03f65a015256933426d2c87b399a4c4620b4c85c Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Fri, 6 Aug 2021 11:15:18 +0200 -Subject: [PATCH 19/24] Do not special case export of EC keys +Subject: [PATCH 19/26] Do not special case export of EC keys All other private keys are exported in PKCS#8 format, while EC keys use traditional format. Switch them to use PKCS#8 format as @@ -1660,7 +1660,7 @@ index d71f8da9a3..47a82d7873 100644 From 038c33feab7e6138f7977224897118dbb8059a55 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Thu, 5 Aug 2021 10:29:50 +0200 -Subject: [PATCH 20/24] Use EVP_PKEY APIs for key generation +Subject: [PATCH 20/26] Use EVP_PKEY APIs for key generation Use high level API instead of deprecated low level API. @@ -1920,7 +1920,7 @@ index 4af0942209..588aa3902f 100644 From cc5ad532e6672ac74007caa83f2fb7796f69510b Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Mon, 9 Aug 2021 10:26:12 +0200 -Subject: [PATCH 21/24] Extract EC key initialization +Subject: [PATCH 21/26] Extract EC key initialization (cherry picked from commit 14d7c7e9aee5ab55a92ddc626b7b81c130ea7618) --- @@ -2191,7 +2191,7 @@ index 588aa3902f..5671311508 100644 From 7c3f98fb5000b95419848b3b2519b677e8852f3f Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Mon, 9 Aug 2021 12:01:35 +0200 -Subject: [PATCH 22/24] Test calculation of EC public key from private key +Subject: [PATCH 22/26] Test calculation of EC public key from private key (cherry picked from commit 246698671f941b2034518ab04f35009b2da77bb1) --- @@ -2234,7 +2234,7 @@ index 6c09238003..ecc34a3330 100644 From 3b17fa3a6a34fd169c34e3d1dbb315c4c691c649 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Mon, 9 Aug 2021 11:12:20 +0200 -Subject: [PATCH 23/24] Use param API for creating EC keys +Subject: [PATCH 23/26] Use param API for creating EC keys Rather than the deprecated low level APIs. @@ -2391,7 +2391,7 @@ index 5671311508..5a76057c5f 100644 From 76efdaf49ccfb4462ce9493c04b5542570f72907 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Mon, 9 Aug 2021 14:19:33 +0200 -Subject: [PATCH 24/24] Extract public key portion via PEM roundtrip +Subject: [PATCH 24/26] Extract public key portion via PEM roundtrip The workaround with cloning the X509_REQ no longer works in OpenSSL 3. Instead extract the public key portion by round @@ -2478,3 +2478,106 @@ index 5a76057c5f..00ab6dc73a 100644 -- 2.31.1 +From 134c4303f6ddca2553dadfe4e56808ef00ba39dd Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Tue, 10 Aug 2021 12:17:17 +0200 +Subject: [PATCH 25/26] Switch dh_param handling to EVP_PKEY API + +(cherry picked from commit ef787bae242fdd2e72625bbce6ab4ca466b1ef59) +--- + ext/openssl/xp_ssl.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c +index 9710e44a07..f130bdee66 100644 +--- a/ext/openssl/xp_ssl.c ++++ b/ext/openssl/xp_ssl.c +@@ -1200,11 +1200,7 @@ static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength) + + static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* {{{ */ + { +- DH *dh; +- BIO* bio; +- zval *zdhpath; +- +- zdhpath = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param"); ++ zval *zdhpath = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param"); + if (zdhpath == NULL) { + #if 0 + /* Coming in OpenSSL 1.1 ... eventually we'll want to enable this +@@ -1219,14 +1215,29 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* + return FAILURE; + } + +- bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY)); ++ BIO *bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY)); + + if (bio == NULL) { + php_error_docref(NULL, E_WARNING, "invalid dh_param"); + return FAILURE; + } + +- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ EVP_PKEY *pkey = PEM_read_bio_Parameters(bio, NULL); ++ BIO_free(bio); ++ ++ if (pkey == NULL) { ++ php_error_docref(NULL, E_WARNING, "Failed reading DH params"); ++ return FAILURE; ++ } ++ ++ if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) < 0) { ++ php_error_docref(NULL, E_WARNING, "Failed assigning DH params"); ++ EVP_PKEY_free(pkey); ++ return FAILURE; ++ } ++#else ++ DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); + BIO_free(bio); + + if (dh == NULL) { +@@ -1241,6 +1252,7 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* + } + + DH_free(dh); ++#endif + + return SUCCESS; + } +-- +2.31.1 + +From 7557896fc206bd318851b3810b55bb51dc43336f Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 18 Nov 2021 15:08:19 +0100 +Subject: [PATCH 26/26] ignore remaining warnings + +--- + ext/openssl/openssl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 00ab6dc73a..b136729cb5 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -26,6 +26,7 @@ + #endif + + # pragma GCC diagnostic ignored "-Wdeprecated-declarations" ++# pragma GCC diagnostic ignored "-Wdiscarded-qualifiers" + + #include "php.h" + #include "php_ini.h" +@@ -4477,7 +4478,7 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, int *is_private) { + BIGNUM *d = NULL, *x = NULL, *y = NULL; + EC_GROUP *group = NULL; + EC_POINT *pnt = NULL; +- char *pnt_oct = NULL; ++ unsigned char *pnt_oct = NULL; + EVP_PKEY *param_key = NULL, *pkey = NULL; + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); + OSSL_PARAM *params = NULL; +-- +2.31.1 + -- cgit