From 325096042341325b2eb57dd9c994499a1223a32c Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Fri, 3 Jun 2022 13:44:31 +0200
Subject: add upstream patch ti use more sha256 in openssl tests
---
 php-openssl.patch | 317 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 php.spec | 5 +-
 2 files changed, 321 insertions(+), 1 deletion(-)
 create mode 100644 php-openssl.patch
diff --git a/php-openssl.patch b/php-openssl.patch
new file mode 100644
index 0000000..403f979
--- /dev/null
+++ b/php-openssl.patch
@@ -0,0 +1,317 @@ +From 03a4ccd9120e5816e5f9f134f63b76e89558658f Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 31 May 2022 09:59:58 +0200 +Subject: [PATCH] use sha256 in openssl test suite + +--- + ext/openssl/tests/bug41033.phpt | 4 ++-- + ext/openssl/tests/bug61930.phpt | 11 ++++++----- + ext/openssl/tests/bug66501.phpt | 2 +- + ext/openssl/tests/ecc.phpt | 2 +- + ext/openssl/tests/openssl.cnf | 1 + + ext/openssl/tests/openssl_csr_export_basic.phpt | 2 +- + .../tests/openssl_csr_export_to_file_basic.phpt | 14 +++++++------- + .../tests/openssl_csr_get_public_key_basic.phpt | 2 +- + .../tests/openssl_csr_get_subject_basic.phpt | 2 +- + ext/openssl/tests/openssl_csr_sign_basic.phpt | 2 +- + ext/openssl/tests/openssl_sign_basic.phpt | 2 +- + .../tests/openssl_spki_export_challenge_basic.phpt | 14 -------------- + ext/openssl/tests/openssl_spki_new_basic.phpt | 8 -------- + ext/openssl/tests/openssl_spki_verify_basic.phpt | 14 -------------- + ext/openssl/tests/openssl_verify_basic.phpt | 12 ++++++------ + 15 files changed, 29 insertions(+), 63 deletions(-) + +diff --git a/ext/openssl/tests/bug41033.phpt b/ext/openssl/tests/bug41033.phpt +index ff30d8b266d0..73cca19506af 100644 +--- a/ext/openssl/tests/bug41033.phpt ++++ b/ext/openssl/tests/bug41033.phpt +@@ -10,11 +10,11 @@ $pub = 'file://' . __DIR__ . '/' . 'bug41033pub.pem'; + + $prkeyid = openssl_get_privatekey($prv, "1234"); + $ct = "Hello I am some text!"; +-openssl_sign($ct, $signature, $prkeyid, OPENSSL_ALGO_SHA1); ++openssl_sign($ct, $signature, $prkeyid, OPENSSL_ALGO_SHA256); + echo "Signature: ".base64_encode($signature) . "\n"; + + $pukeyid = openssl_get_publickey($pub); +-$valid = openssl_verify($ct, $signature, $pukeyid, OPENSSL_ALGO_SHA1); ++$valid = openssl_verify($ct, $signature, $pukeyid, OPENSSL_ALGO_SHA256); + echo "Signature validity: " . $valid . 
"\n"; + + +diff --git a/ext/openssl/tests/bug61930.phpt b/ext/openssl/tests/bug61930.phpt +index 862c6a07bfd0..d97f4990173a 100644 +--- a/ext/openssl/tests/bug61930.phpt ++++ b/ext/openssl/tests/bug61930.phpt +@@ -4,19 +4,20 @@ Bug #61930: openssl corrupts ssl key resource when using openssl_get_publickey() + openssl + --FILE-- + + --EXPECTF-- + object(OpenSSLAsymmetricKey)#%d (0) { +diff --git a/ext/openssl/tests/bug66501.phpt b/ext/openssl/tests/bug66501.phpt +index 4a7bfbf1361b..56d391032f7e 100644 +--- a/ext/openssl/tests/bug66501.phpt ++++ b/ext/openssl/tests/bug66501.phpt +@@ -18,7 +18,7 @@ AwEHoUQDQgAEPq4hbIWHvB51rdWr8ejrjWo4qVNWVugYFtPg/xLQw0mHkIPZ4DvK + sqOTOnMoezkbSmVVMuwz9flvnqHGmQvmug== + -----END EC PRIVATE KEY-----'; + $key = openssl_pkey_get_private($pkey); +-$res = openssl_sign($data ='alpha', $sign, $key, 'SHA1'); ++$res = openssl_sign($data ='alpha', $sign, $key, 'SHA256'); + var_dump($res); + ?> + --EXPECT-- +diff --git a/ext/openssl/tests/ecc.phpt b/ext/openssl/tests/ecc.phpt +index a18651dc5e4b..297af1dccd0c 100644 +--- a/ext/openssl/tests/ecc.phpt ++++ b/ext/openssl/tests/ecc.phpt +@@ -64,7 +64,7 @@ $csr = openssl_csr_new($dn, $keyGenerate, $args); + + var_dump($keyGenerate); + +-$args["digest_alg"] = "sha1"; ++$args["digest_alg"] = "sha256"; + echo "Testing openssl_csr_new with existing ecc key\n"; + $csr = openssl_csr_new($dn, $key1, $args); + var_dump($csr); +diff --git a/ext/openssl/tests/openssl.cnf b/ext/openssl/tests/openssl.cnf +index f3025aeb5caa..6146b93142cc 100644 +--- a/ext/openssl/tests/openssl.cnf ++++ b/ext/openssl/tests/openssl.cnf +@@ -7,6 +7,7 @@ tsa_policy2 = 1.2.3.4.5.6 + + [ req ] + default_bits = 1024 ++default_md = sha256 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +diff --git a/ext/openssl/tests/openssl_csr_export_basic.phpt b/ext/openssl/tests/openssl_csr_export_basic.phpt +index 559befe23c92..95bf741e9ec1 100644 +--- 
a/ext/openssl/tests/openssl_csr_export_basic.phpt ++++ b/ext/openssl/tests/openssl_csr_export_basic.phpt +@@ -17,7 +17,7 @@ $dn = array( + ); + + $args = array( +- "digest_alg" => "sha1", ++ "digest_alg" => "sha256", + "private_key_bits" => 2048, + "private_key_type" => OPENSSL_KEYTYPE_DSA, + "encrypt_key" => true, +diff --git a/ext/openssl/tests/openssl_csr_export_to_file_basic.phpt b/ext/openssl/tests/openssl_csr_export_to_file_basic.phpt +index dfa533b729cb..5b0920888163 100644 +--- a/ext/openssl/tests/openssl_csr_export_to_file_basic.phpt ++++ b/ext/openssl/tests/openssl_csr_export_to_file_basic.phpt +@@ -25,7 +25,7 @@ $dn = array( + ); + + $args = array( +- "digest_alg" => "sha1", ++ "digest_alg" => "sha256", + "private_key_bits" => 2048, + "private_key_type" => OPENSSL_KEYTYPE_DSA, + "encrypt_key" => true, +@@ -66,12 +66,12 @@ BggTncBh9ozkVQGS/P1m0zn/SKSgDO+6DdeLHLMjpUASaoYfsay4PJLAdnTqLOeM + g6qNE6u0ebZXVfmpSmV1pSZ6kQnxbsb6rX1iOZxkwHnVWYb40Hy0EILo31x6BVqB + m159m7s38ChiRHqlj20DmRfxXjiT5YDgYYQ29wQBTVQrTN5O9UW5Y+eKTXd8r6te + dsbIBXdKN7NeX7ksGYHq1I3hLsP8EyvZO78qfjKyEB0Jj3UCAwEAAaAAMA0GCSqG +-SIb3DQEBBQUAA4IBAQCamzVmIbElkiDQKzQpkfU5tHjrWPrHDSB186NI0sQ8i6GQ +-1YT6yPAXBPTQ1aER/6uAZJL5HfWEX8V1rKbe8GkPAPCHHQzmHyWlaO2EHS57zJhk +-sRrhqkhhkSNiDg4OrsguhRtbB2VMGeDbqHGI89uGqqGHUiZc/Bh8N7WFXZkUU/A0 +-sfBgVeqg0P4SWez5fHXqBNcjMdMI5f0bikcDZSIfTHS8FX+PMurLBC8UPB0YNIOl +-1r2Lvo+6YUHOziG1OwQd3K0xxu/JzzOE+lMB73ynz4V6DY5Qv3qVno1GpupvgmQA +-JViHkCA9x6m8RJXAFvqmgLlWlUzbDv/cRrDfjWjR ++SIb3DQEBCwUAA4IBAQCNtCIfMHBDRvNqHmrDfR/+A7ZJ+n/XzA2uQhvjEq91DeT8 ++IE7gjUtmj2sqKmHGIDO4uN4F9ZHYzcNk23n6CMljYqJLbB2dHC0V6vkDB7qod1TH ++/SK39Yj0ji2AT45LD5rLH3vd1bjxdwwhyPyGhshKOIdnmBv4mwTRANIsiISMQV4Y ++ZPAXJ5DTKkgdsY14hqhyWct1bWMPpj2MCLQGjKxK8vmbiKaNL1XxAS7chTXoy7un ++NvBKc82Wy3XEuC9AkNFEytD6kA9gu8nFydvYTOvvhaQrf9RzwSitgi9Vj3mbujsN ++f1JMPX0/eHrKvG9wBZu28FdS54xoWGeD1NGraW24 + -----END CERTIFICATE REQUEST----- + " + +diff --git a/ext/openssl/tests/openssl_csr_get_public_key_basic.phpt 
b/ext/openssl/tests/openssl_csr_get_public_key_basic.phpt +index 7faaf2f23454..9f128c200bea 100644 +--- a/ext/openssl/tests/openssl_csr_get_public_key_basic.phpt ++++ b/ext/openssl/tests/openssl_csr_get_public_key_basic.phpt +@@ -23,7 +23,7 @@ $dn = array( + ); + + $args = array( +- "digest_alg" => "sha1", ++ "digest_alg" => "sha256", + "private_key_bits" => 2048, + "private_key_type" => OPENSSL_KEYTYPE_DSA, + "encrypt_key" => true, +diff --git a/ext/openssl/tests/openssl_csr_get_subject_basic.phpt b/ext/openssl/tests/openssl_csr_get_subject_basic.phpt +index 6fe63e971775..79baeb65b8a5 100644 +--- a/ext/openssl/tests/openssl_csr_get_subject_basic.phpt ++++ b/ext/openssl/tests/openssl_csr_get_subject_basic.phpt +@@ -23,7 +23,7 @@ $dn = array( + ); + + $args = array( +- "digest_alg" => "sha1", ++ "digest_alg" => "sha256", + "private_key_bits" => 2048, + "private_key_type" => OPENSSL_KEYTYPE_DSA, + "encrypt_key" => true, +diff --git a/ext/openssl/tests/openssl_csr_sign_basic.phpt b/ext/openssl/tests/openssl_csr_sign_basic.phpt +index a7030b392145..0cf678cc2944 100644 +--- a/ext/openssl/tests/openssl_csr_sign_basic.phpt ++++ b/ext/openssl/tests/openssl_csr_sign_basic.phpt +@@ -20,7 +20,7 @@ $dn = array( + ); + + $args = array( +- "digest_alg" => "sha1", ++ "digest_alg" => "sha256", + "private_key_bits" => 2048, + "private_key_type" => OPENSSL_KEYTYPE_DSA, + "encrypt_key" => true, +diff --git a/ext/openssl/tests/openssl_sign_basic.phpt b/ext/openssl/tests/openssl_sign_basic.phpt +index 48deac9337c1..047028101893 100644 +--- a/ext/openssl/tests/openssl_sign_basic.phpt ++++ b/ext/openssl/tests/openssl_sign_basic.phpt +@@ -8,7 +8,7 @@ $data = "Testing openssl_sign()"; + $privkey = "file://" . __DIR__ . 
"/private_rsa_1024.key"; + $wrong = "wrong"; + +-var_dump(openssl_sign($data, $sign, $privkey)); // no output ++var_dump(openssl_sign($data, $sign, $privkey, OPENSSL_ALGO_SHA256)); // no output + var_dump(openssl_sign($data, $sign, $wrong)); + ?> + --EXPECTF-- +diff --git a/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt b/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt +index ab9076791be4..2fadc30e6810 100644 +--- a/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt ++++ b/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt +@@ -22,8 +22,6 @@ foreach ($key_sizes as $key_size) { + + /* array of available hashings to test */ + $algo = array( +- OPENSSL_ALGO_MD5, +- OPENSSL_ALGO_SHA1, + OPENSSL_ALGO_SHA224, + OPENSSL_ALGO_SHA256, + OPENSSL_ALGO_SHA384, +@@ -76,15 +74,3 @@ string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" + bool\(false\) + string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" + bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +diff --git a/ext/openssl/tests/openssl_spki_new_basic.phpt b/ext/openssl/tests/openssl_spki_new_basic.phpt +index 1d29fe05bd81..6b661afde36f 100644 +--- a/ext/openssl/tests/openssl_spki_new_basic.phpt ++++ b/ext/openssl/tests/openssl_spki_new_basic.phpt +@@ -16,8 +16,6 @@ foreach ($key_sizes as $key_size) { + + /* array of available hashings to test */ + $algo = array( +- OPENSSL_ALGO_MD5, +- OPENSSL_ALGO_SHA1, + OPENSSL_ALGO_SHA224, + OPENSSL_ALGO_SHA256, + OPENSSL_ALGO_SHA384, +@@ -47,16 +45,10 @@ string(478) "%s" + string(478) "%s" + 
string(478) "%s" + string(478) "%s" +-string(478) "%s" +-string(478) "%s" +-string(830) "%s" + string(830) "%s" + string(830) "%s" + string(830) "%s" + string(830) "%s" +-string(830) "%s" +-string(1510) "%s" +-string(1510) "%s" + string(1510) "%s" + string(1510) "%s" + string(1510) "%s" +diff --git a/ext/openssl/tests/openssl_spki_verify_basic.phpt b/ext/openssl/tests/openssl_spki_verify_basic.phpt +index 9b624a7a5f72..19704b4a4fa8 100644 +--- a/ext/openssl/tests/openssl_spki_verify_basic.phpt ++++ b/ext/openssl/tests/openssl_spki_verify_basic.phpt +@@ -18,8 +18,6 @@ foreach ($key_sizes as $key_size) { + + /* array of available hashings to test */ + $algo = array( +- OPENSSL_ALGO_SHA1, +- OPENSSL_ALGO_SHA224, + OPENSSL_ALGO_SHA256, + OPENSSL_ALGO_SHA384, + OPENSSL_ALGO_SHA512, +@@ -65,15 +63,3 @@ bool(true) + bool(false) + bool(true) + bool(false) +-bool(true) +-bool(false) +-bool(true) +-bool(false) +-bool(true) +-bool(false) +-bool(true) +-bool(false) +-bool(true) +-bool(false) +-bool(true) +-bool(false) +diff --git a/ext/openssl/tests/openssl_verify_basic.phpt b/ext/openssl/tests/openssl_verify_basic.phpt +index 0e93a21319d9..674a3c58a9ea 100644 +--- a/ext/openssl/tests/openssl_verify_basic.phpt ++++ b/ext/openssl/tests/openssl_verify_basic.phpt +@@ -9,12 +9,12 @@ $privkey = "file://" . __DIR__ . "/private_rsa_1024.key"; + $pubkey = "file://" . __DIR__ . 
"/public.key"; + $wrong = "wrong"; + +-openssl_sign($data, $sign, $privkey); +-var_dump(openssl_verify($data, $sign, $pubkey)); +-var_dump(openssl_verify($data, $sign, $privkey)); +-var_dump(openssl_verify($data, $sign, $wrong)); +-var_dump(openssl_verify($data, $wrong, $pubkey)); +-var_dump(openssl_verify($wrong, $sign, $pubkey)); ++openssl_sign($data, $sign, $privkey, OPENSSL_ALGO_SHA256); ++var_dump(openssl_verify($data, $sign, $pubkey, OPENSSL_ALGO_SHA256)); ++var_dump(openssl_verify($data, $sign, $privkey, OPENSSL_ALGO_SHA256)); ++var_dump(openssl_verify($data, $sign, $wrong, OPENSSL_ALGO_SHA256)); ++var_dump(openssl_verify($data, $wrong, $pubkey, OPENSSL_ALGO_SHA256)); ++var_dump(openssl_verify($wrong, $sign, $pubkey, OPENSSL_ALGO_SHA256)); + ?> + --EXPECTF-- + int(1) diff --git a/php.spec b/php.spec index a7c50ea..fa629b3 100644 --- a/php.spec +++ b/php.spec @@ -193,6 +193,7 @@ Patch91: php-7.2.0-oci8conf.patch # Upstream fixes (100+) Patch100: php-mbstring.patch +Patch101: php-openssl.patch # Security fixes (200+) @@ -966,7 +967,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch91 -p1 -b .remi-oci8 # upstream patches -%patch100 -p1 -b .up +%patch100 -p1 -b .pcre +%patch101 -p1 -b .sha # security patches @@ -1844,6 +1846,7 @@ fi %changelog * Fri Jun 3 2022 Remi Collet - 8.1.7~RC1-2 - add upstream patch to initialize pcre before mbstring +- add upstream patch ti use more sha256 in openssl tests * Wed May 25 2022 Remi Collet - 8.1.7~RC1-1 - update to 8.1.7RC1 -- cgit
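Review bot: The `$algo` list in the embedded openssl_spki_verify_basic.phpt hunk drops `OPENSSL_ALGO_SHA224` together with `OPENSSL_ALGO_SHA1`, whereas the openssl_spki_export_challenge_basic.phpt and openssl_spki_new_basic.phpt hunks drop `OPENSSL_ALGO_MD5` and `OPENSSL_ALGO_SHA1` and keep SHA224, so SPKI verification loses SHA224 coverage that the commit subject does not explain. If that is unintended, keep `OPENSSL_ALGO_SHA224,` in that list and restore the matching expected-output lines; if it is deliberate, a comment in the test such as `/* SHA224 omitted: <reason> */` would record why. Separately, the openssl.cnf hunk adds `default_md = sha256` but leaves `default_bits = 1024`, and the sign/verify tests still load `private_rsa_1024.key`; a build host whose crypto policy rejects SHA-1 signatures may also reject 1024-bit RSA at stricter settings, so these tests could still fail there (inferred, not shown on this page). Both points belong in the upstream patch rather than in this packaging copy.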
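Review bot: The `-b` backup suffix of `%patch100` changes from `.up` to `.pcre` in the second php.spec hunk, next to the new `%patch101 -p1 -b .sha`, and neither the commit subject nor the changelog entry mentions that rename; a word in the commit message would make the history easier to follow. The changelog line added in the last php.spec hunk also reads `ti use`; it should be `- add upstream patch to use more sha256 in openssl tests`.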